summaryrefslogtreecommitdiff
path: root/src/pluto
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:30:08 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:30:08 +0000
commitb0d8ed94fe9e74afb49fdf5f11e4add29879c65c (patch)
treeb20167235628771046e940a82a906a6d0991ee4a /src/pluto
parentea939d07c84d2a8e51215458063fc05e9c399290 (diff)
downloadvyos-strongswan-b0d8ed94fe9e74afb49fdf5f11e4add29879c65c.tar.gz
vyos-strongswan-b0d8ed94fe9e74afb49fdf5f11e4add29879c65c.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.1.1)
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am140
-rw-r--r--src/pluto/Makefile.in878
-rw-r--r--src/pluto/TODO129
-rw-r--r--src/pluto/ac.c1018
-rw-r--r--src/pluto/ac.h103
-rw-r--r--src/pluto/adns.c615
-rw-r--r--src/pluto/adns.h75
-rw-r--r--src/pluto/alg/ike_alg_aes.c68
-rw-r--r--src/pluto/alg/ike_alg_blowfish.c52
-rw-r--r--src/pluto/alg/ike_alg_serpent.c70
-rw-r--r--src/pluto/alg/ike_alg_sha2.c634
-rw-r--r--src/pluto/alg/ike_alg_twofish.c85
-rw-r--r--src/pluto/alg/ike_alginit.c7
-rw-r--r--src/pluto/alg_info.c1205
-rw-r--r--src/pluto/alg_info.h85
-rw-r--r--src/pluto/asn1.c770
-rw-r--r--src/pluto/asn1.h141
-rw-r--r--src/pluto/ca.c694
-rw-r--r--src/pluto/ca.h70
-rw-r--r--src/pluto/certs.c287
-rw-r--r--src/pluto/certs.h80
-rw-r--r--src/pluto/connections.c4406
-rw-r--r--src/pluto/connections.h367
-rw-r--r--src/pluto/constants.c1353
-rw-r--r--src/pluto/constants.h1269
-rw-r--r--src/pluto/cookie.c67
-rw-r--r--src/pluto/cookie.h24
-rw-r--r--src/pluto/crl.c763
-rw-r--r--src/pluto/crl.h87
-rw-r--r--src/pluto/crypto.c627
-rw-r--r--src/pluto/crypto.h108
-rw-r--r--src/pluto/db_ops.c439
-rw-r--r--src/pluto/db_ops.h56
-rw-r--r--src/pluto/defs.c374
-rw-r--r--src/pluto/defs.h145
-rw-r--r--src/pluto/demux.c2499
-rw-r--r--src/pluto/demux.h93
-rw-r--r--src/pluto/dnskey.c1962
-rw-r--r--src/pluto/dnskey.h84
-rw-r--r--src/pluto/dsa.c476
-rw-r--r--src/pluto/dsa.h32
-rw-r--r--src/pluto/elgamal.c613
-rw-r--r--src/pluto/elgamal.h35
-rw-r--r--src/pluto/fetch.c1081
-rw-r--r--src/pluto/fetch.h79
-rw-r--r--src/pluto/foodgroups.c462
-rw-r--r--src/pluto/foodgroups.h24
-rw-r--r--src/pluto/gcryptfix.c283
-rw-r--r--src/pluto/gcryptfix.h111
-rw-r--r--src/pluto/id.c509
-rw-r--r--src/pluto/id.h67
-rw-r--r--src/pluto/ike_alg.c592
-rw-r--r--src/pluto/ike_alg.h94
-rw-r--r--src/pluto/ipsec.secrets.5175
-rw-r--r--src/pluto/ipsec_doi.c5630
-rw-r--r--src/pluto/ipsec_doi.h104
-rw-r--r--src/pluto/kameipsec.h47
-rw-r--r--src/pluto/kernel.c2995
-rw-r--r--src/pluto/kernel.h198
-rw-r--r--src/pluto/kernel_alg.c775
-rw-r--r--src/pluto/kernel_alg.h46
-rw-r--r--src/pluto/kernel_netlink.c1219
-rw-r--r--src/pluto/kernel_netlink.h20
-rw-r--r--src/pluto/kernel_noklips.c126
-rw-r--r--src/pluto/kernel_noklips.h19
-rw-r--r--src/pluto/kernel_pfkey.c926
-rw-r--r--src/pluto/kernel_pfkey.h23
-rw-r--r--src/pluto/keys.c1514
-rw-r--r--src/pluto/keys.h113
-rw-r--r--src/pluto/lex.c213
-rw-r--r--src/pluto/lex.h52
-rw-r--r--src/pluto/linux26/netlink.h90
-rw-r--r--src/pluto/linux26/rtnetlink.h562
-rw-r--r--src/pluto/linux26/xfrm.h233
-rw-r--r--src/pluto/log.c841
-rw-r--r--src/pluto/log.h236
-rw-r--r--src/pluto/md2.c237
-rw-r--r--src/pluto/md2.h72
-rw-r--r--src/pluto/md5.c385
-rw-r--r--src/pluto/md5.h75
-rw-r--r--src/pluto/modecfg.c1078
-rw-r--r--src/pluto/modecfg.h47
-rw-r--r--src/pluto/mp_defs.c70
-rw-r--r--src/pluto/mp_defs.h36
-rw-r--r--src/pluto/nat_traversal.c866
-rw-r--r--src/pluto/nat_traversal.h154
-rw-r--r--src/pluto/ocsp.c1568
-rw-r--r--src/pluto/ocsp.h85
-rw-r--r--src/pluto/oid.c197
-rw-r--r--src/pluto/oid.h78
-rw-r--r--src/pluto/oid.pl123
-rw-r--r--src/pluto/oid.txt184
-rw-r--r--src/pluto/packet.c1244
-rw-r--r--src/pluto/packet.h655
-rw-r--r--src/pluto/pem.c463
-rw-r--r--src/pluto/pem.h18
-rw-r--r--src/pluto/pgp.c647
-rw-r--r--src/pluto/pgp.h54
-rw-r--r--src/pluto/pkcs1.c674
-rw-r--r--src/pluto/pkcs1.h88
-rw-r--r--src/pluto/pkcs7.c862
-rw-r--r--src/pluto/pkcs7.h51
-rw-r--r--src/pluto/pluto.81649
-rw-r--r--src/pluto/plutomain.c655
-rw-r--r--src/pluto/primegen.c593
-rw-r--r--src/pluto/rcv_whack.c685
-rw-r--r--src/pluto/rcv_whack.h17
-rw-r--r--src/pluto/rnd.c250
-rw-r--r--src/pluto/rnd.h21
-rw-r--r--src/pluto/rsaref/pkcs11.h299
-rw-r--r--src/pluto/rsaref/pkcs11f.h912
-rw-r--r--src/pluto/rsaref/pkcs11t.h1685
-rw-r--r--src/pluto/rsaref/unix.h24
-rw-r--r--src/pluto/server.c996
-rw-r--r--src/pluto/server.h58
-rw-r--r--src/pluto/sha1.c193
-rw-r--r--src/pluto/sha1.h16
-rw-r--r--src/pluto/smallprime.c122
-rw-r--r--src/pluto/smartcard.c1956
-rw-r--r--src/pluto/smartcard.h100
-rw-r--r--src/pluto/spdb.c2314
-rw-r--r--src/pluto/spdb.h112
-rw-r--r--src/pluto/state.c1012
-rw-r--r--src/pluto/state.h273
-rw-r--r--src/pluto/timer.c532
-rw-r--r--src/pluto/timer.h34
-rw-r--r--src/pluto/vendor.c528
-rw-r--r--src/pluto/vendor.h131
-rw-r--r--src/pluto/virtual.c334
-rw-r--r--src/pluto/virtual.h31
-rw-r--r--src/pluto/x509.c2241
-rw-r--r--src/pluto/x509.h138
-rw-r--r--src/pluto/xauth.c79
-rw-r--r--src/pluto/xauth.h41
134 files changed, 70586 insertions, 0 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
new file mode 100644
index 000000000..b1b848c76
--- /dev/null
+++ b/src/pluto/Makefile.am
@@ -0,0 +1,140 @@
+# Makefile.am was ported from the old Makefile the most
+# painless way. Only the most important options are included,
+# further work may be necessary here...
+
+ipsec_PROGRAMS = pluto _pluto_adns
+
+pluto_SOURCES = \
+ac.c ac.h \
+alg_info.c alg_info.h \
+asn1.c asn1.h \
+ca.c ca.h \
+certs.c certs.h \
+connections.c connections.h \
+constants.c constants.h \
+cookie.c cookie.h \
+crl.c crl.h \
+crypto.c crypto.h \
+db_ops.c db_ops.h \
+defs.c defs.h \
+demux.c demux.h \
+dnskey.c dnskey.h \
+dsa.c dsa.h \
+elgamal.c elgamal.h \
+fetch.c fetch.h \
+foodgroups.c foodgroups.h \
+gcryptfix.c gcryptfix.h \
+id.c id.h \
+ike_alg.c ike_alg.h \
+ipsec_doi.c ipsec_doi.h \
+kameipsec.h \
+kernel.c kernel.h \
+kernel_alg.c kernel_alg.h \
+kernel_netlink.c kernel_netlink.h \
+kernel_noklips.c kernel_noklips.h \
+kernel_pfkey.c kernel_pfkey.h \
+keys.c keys.h \
+lex.c lex.h \
+log.c log.h \
+md2.c md2.h \
+md5.c md5.h \
+modecfg.c modecfg.h \
+mp_defs.c mp_defs.h \
+nat_traversal.c nat_traversal.h \
+ocsp.c ocsp.h \
+oid.c oid.h \
+packet.c packet.h \
+pem.c pem.h \
+pgp.c pgp.h \
+pkcs1.c pkcs1.h \
+pkcs7.c pkcs7.h \
+plutomain.c \
+primegen.c smallprime.c \
+rcv_whack.c rcv_whack.h \
+rnd.c rnd.h \
+server.c server.h \
+sha1.c sha1.h \
+smartcard.c smartcard.h \
+spdb.c spdb.h \
+state.c state.h \
+timer.c timer.h \
+vendor.c vendor.h \
+virtual.c virtual.h \
+xauth.c xauth.h \
+x509.c x509.h \
+alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
+alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
+linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
+rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
+
+_pluto_adns_SOURCES = adns.c adns.h
+
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\" \
+-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
+-DPLUTO -DKLIPS -DDEBUG -DTHREADS
+
+pluto_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+$(top_srcdir)/src/libcrypto/libcrypto.a \
+-lgmp -lresolv -lpthread -ldl
+
+_pluto_adns_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+-lresolv -ldl
+
+dist_man_MANS = pluto.8 ipsec.secrets.5
+EXTRA_DIST = oid.pl oid.txt
+BUILT_SOURCES = oid.c oid.h
+MAINTAINERCLEANFILES = oid.c oid.h
+
+oid.c: oid.txt oid.pl
+ $(PERL) oid.pl
+
+oid.h: oid.txt oid.pl
+ $(PERL) oid.pl
+
+# This compile option activates the sending of a strongSwan VID
+if USE_VENDORID
+ AM_CFLAGS += -DVENDORID
+endif
+
+# This compile option activates the support of the Cisco VPN client
+if USE_CISCO_QUIRKS
+ AM_CFLAGS += -DCISCO_QUIRKS
+endif
+
+# This compile option activates NAT traversal with IPSec transport mode
+if USE_NAT_TRANSPORT
+ AM_CFLAGS += -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+endif
+
+# This compile option activates dynamic URL fetching using libcurl
+if USE_LIBCURL
+ pluto_LDADD += -lcurl
+endif
+
+# This compile option activates dynamic LDAP CRL fetching
+if USE_LIBLDAP
+ pluto_LDADD += -lldap -llber
+endif
+
+install-exec-local :
+ mkdir -p -m 755 $(confdir)/ipsec.d
+ mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(confdir)/ipsec.d/private
+
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
new file mode 100644
index 000000000..1f996a065
--- /dev/null
+++ b/src/pluto/Makefile.in
@@ -0,0 +1,878 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# Makefile.am was ported from the old Makefile the most
+# painless way. Only the most important options are included,
+# further work may be necessary here...
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
+
+# This compile option activates the sending of a strongSwan VID
+@USE_VENDORID_TRUE@am__append_1 = -DVENDORID
+
+# This compile option activates the support of the Cisco VPN client
+@USE_CISCO_QUIRKS_TRUE@am__append_2 = -DCISCO_QUIRKS
+
+# This compile option activates NAT traversal with IPSec transport mode
+@USE_NAT_TRANSPORT_TRUE@am__append_3 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+
+# This compile option activates dynamic URL fetching using libcurl
+@USE_LIBCURL_TRUE@am__append_4 = -lcurl
+
+# This compile option activates dynamic LDAP CRL fetching
+@USE_LIBLDAP_TRUE@am__append_5 = -lldap -llber
+subdir = src/pluto
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in TODO
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
+ "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am__pluto_adns_OBJECTS = adns.$(OBJEXT)
+_pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
+_pluto_adns_DEPENDENCIES = \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a
+am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) asn1.$(OBJEXT) \
+ ca.$(OBJEXT) certs.$(OBJEXT) connections.$(OBJEXT) \
+ constants.$(OBJEXT) cookie.$(OBJEXT) crl.$(OBJEXT) \
+ crypto.$(OBJEXT) db_ops.$(OBJEXT) defs.$(OBJEXT) \
+ demux.$(OBJEXT) dnskey.$(OBJEXT) dsa.$(OBJEXT) \
+ elgamal.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
+ gcryptfix.$(OBJEXT) id.$(OBJEXT) ike_alg.$(OBJEXT) \
+ ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) kernel_alg.$(OBJEXT) \
+ kernel_netlink.$(OBJEXT) kernel_noklips.$(OBJEXT) \
+ kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) lex.$(OBJEXT) \
+ log.$(OBJEXT) md2.$(OBJEXT) md5.$(OBJEXT) modecfg.$(OBJEXT) \
+ mp_defs.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \
+ oid.$(OBJEXT) packet.$(OBJEXT) pem.$(OBJEXT) pgp.$(OBJEXT) \
+ pkcs1.$(OBJEXT) pkcs7.$(OBJEXT) plutomain.$(OBJEXT) \
+ primegen.$(OBJEXT) smallprime.$(OBJEXT) rcv_whack.$(OBJEXT) \
+ rnd.$(OBJEXT) server.$(OBJEXT) sha1.$(OBJEXT) \
+ smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
+ timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
+ xauth.$(OBJEXT) x509.$(OBJEXT) ike_alg_aes.$(OBJEXT) \
+ ike_alg_blowfish.$(OBJEXT) ike_alg_twofish.$(OBJEXT) \
+ ike_alg_serpent.$(OBJEXT) ike_alg_sha2.$(OBJEXT) \
+ ike_alginit.$(OBJEXT)
+pluto_OBJECTS = $(am_pluto_OBJECTS)
+am__DEPENDENCIES_1 =
+pluto_DEPENDENCIES = $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+pluto_SOURCES = \
+ac.c ac.h \
+alg_info.c alg_info.h \
+asn1.c asn1.h \
+ca.c ca.h \
+certs.c certs.h \
+connections.c connections.h \
+constants.c constants.h \
+cookie.c cookie.h \
+crl.c crl.h \
+crypto.c crypto.h \
+db_ops.c db_ops.h \
+defs.c defs.h \
+demux.c demux.h \
+dnskey.c dnskey.h \
+dsa.c dsa.h \
+elgamal.c elgamal.h \
+fetch.c fetch.h \
+foodgroups.c foodgroups.h \
+gcryptfix.c gcryptfix.h \
+id.c id.h \
+ike_alg.c ike_alg.h \
+ipsec_doi.c ipsec_doi.h \
+kameipsec.h \
+kernel.c kernel.h \
+kernel_alg.c kernel_alg.h \
+kernel_netlink.c kernel_netlink.h \
+kernel_noklips.c kernel_noklips.h \
+kernel_pfkey.c kernel_pfkey.h \
+keys.c keys.h \
+lex.c lex.h \
+log.c log.h \
+md2.c md2.h \
+md5.c md5.h \
+modecfg.c modecfg.h \
+mp_defs.c mp_defs.h \
+nat_traversal.c nat_traversal.h \
+ocsp.c ocsp.h \
+oid.c oid.h \
+packet.c packet.h \
+pem.c pem.h \
+pgp.c pgp.h \
+pkcs1.c pkcs1.h \
+pkcs7.c pkcs7.h \
+plutomain.c \
+primegen.c smallprime.c \
+rcv_whack.c rcv_whack.h \
+rnd.c rnd.h \
+server.c server.h \
+sha1.c sha1.h \
+smartcard.c smartcard.h \
+spdb.c spdb.h \
+state.c state.h \
+timer.c timer.h \
+vendor.c vendor.h \
+virtual.c virtual.h \
+xauth.c xauth.h \
+x509.c x509.h \
+alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
+alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
+linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
+rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
+
+_pluto_adns_SOURCES = adns.c adns.h
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
+ -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
+ -DKLIPS -DDEBUG -DTHREADS $(am__append_1) $(am__append_2) \
+ $(am__append_3)
+pluto_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp -lresolv \
+ -lpthread -ldl $(am__append_4) $(am__append_5)
+_pluto_adns_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+-lresolv -ldl
+
+dist_man_MANS = pluto.8 ipsec.secrets.5
+EXTRA_DIST = oid.pl oid.txt
+BUILT_SOURCES = oid.c oid.h
+MAINTAINERCLEANFILES = oid.c oid.h
+all: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/pluto/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+_pluto_adns$(EXEEXT): $(_pluto_adns_OBJECTS) $(_pluto_adns_DEPENDENCIES)
+ @rm -f _pluto_adns$(EXEEXT)
+ $(LINK) $(_pluto_adns_LDFLAGS) $(_pluto_adns_OBJECTS) $(_pluto_adns_LDADD) $(LIBS)
+pluto$(EXEEXT): $(pluto_OBJECTS) $(pluto_DEPENDENCIES)
+ @rm -f pluto$(EXEEXT)
+ $(LINK) $(pluto_LDFLAGS) $(pluto_OBJECTS) $(pluto_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adns.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alg_info.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connections.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constants.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cookie.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/db_ops.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/elgamal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcryptfix.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_aes.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_blowfish.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_serpent.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_sha2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_twofish.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alginit.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_noklips.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/modecfg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mp_defs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nat_traversal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/primegen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rnd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smallprime.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smartcard.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spdb.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/state.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+ike_alg_aes.o: alg/ike_alg_aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.o -MD -MP -MF "$(DEPDIR)/ike_alg_aes.Tpo" -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_aes.Tpo" "$(DEPDIR)/ike_alg_aes.Po"; else rm -f "$(DEPDIR)/ike_alg_aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_aes.c' object='ike_alg_aes.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c
+
+ike_alg_aes.obj: alg/ike_alg_aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.obj -MD -MP -MF "$(DEPDIR)/ike_alg_aes.Tpo" -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_aes.Tpo" "$(DEPDIR)/ike_alg_aes.Po"; else rm -f "$(DEPDIR)/ike_alg_aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_aes.c' object='ike_alg_aes.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`
+
+ike_alg_blowfish.o: alg/ike_alg_blowfish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.o -MD -MP -MF "$(DEPDIR)/ike_alg_blowfish.Tpo" -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_blowfish.Tpo" "$(DEPDIR)/ike_alg_blowfish.Po"; else rm -f "$(DEPDIR)/ike_alg_blowfish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c
+
+ike_alg_blowfish.obj: alg/ike_alg_blowfish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.obj -MD -MP -MF "$(DEPDIR)/ike_alg_blowfish.Tpo" -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_blowfish.Tpo" "$(DEPDIR)/ike_alg_blowfish.Po"; else rm -f "$(DEPDIR)/ike_alg_blowfish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`
+
+ike_alg_twofish.o: alg/ike_alg_twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.o -MD -MP -MF "$(DEPDIR)/ike_alg_twofish.Tpo" -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_twofish.Tpo" "$(DEPDIR)/ike_alg_twofish.Po"; else rm -f "$(DEPDIR)/ike_alg_twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_twofish.c' object='ike_alg_twofish.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c
+
+ike_alg_twofish.obj: alg/ike_alg_twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.obj -MD -MP -MF "$(DEPDIR)/ike_alg_twofish.Tpo" -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_twofish.Tpo" "$(DEPDIR)/ike_alg_twofish.Po"; else rm -f "$(DEPDIR)/ike_alg_twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_twofish.c' object='ike_alg_twofish.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`
+
+ike_alg_serpent.o: alg/ike_alg_serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.o -MD -MP -MF "$(DEPDIR)/ike_alg_serpent.Tpo" -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_serpent.Tpo" "$(DEPDIR)/ike_alg_serpent.Po"; else rm -f "$(DEPDIR)/ike_alg_serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_serpent.c' object='ike_alg_serpent.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c
+
+ike_alg_serpent.obj: alg/ike_alg_serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.obj -MD -MP -MF "$(DEPDIR)/ike_alg_serpent.Tpo" -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_serpent.Tpo" "$(DEPDIR)/ike_alg_serpent.Po"; else rm -f "$(DEPDIR)/ike_alg_serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_serpent.c' object='ike_alg_serpent.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`
+
+ike_alg_sha2.o: alg/ike_alg_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.o -MD -MP -MF "$(DEPDIR)/ike_alg_sha2.Tpo" -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_sha2.Tpo" "$(DEPDIR)/ike_alg_sha2.Po"; else rm -f "$(DEPDIR)/ike_alg_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_sha2.c' object='ike_alg_sha2.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c
+
+ike_alg_sha2.obj: alg/ike_alg_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.obj -MD -MP -MF "$(DEPDIR)/ike_alg_sha2.Tpo" -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_sha2.Tpo" "$(DEPDIR)/ike_alg_sha2.Po"; else rm -f "$(DEPDIR)/ike_alg_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_sha2.c' object='ike_alg_sha2.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`
+
+ike_alginit.o: alg/ike_alginit.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.o -MD -MP -MF "$(DEPDIR)/ike_alginit.Tpo" -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alginit.Tpo" "$(DEPDIR)/ike_alginit.Po"; else rm -f "$(DEPDIR)/ike_alginit.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alginit.c' object='ike_alginit.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c
+
+ike_alginit.obj: alg/ike_alginit.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.obj -MD -MP -MF "$(DEPDIR)/ike_alginit.Tpo" -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alginit.Tpo" "$(DEPDIR)/ike_alginit.Po"; else rm -f "$(DEPDIR)/ike_alginit.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alginit.c' object='ike_alginit.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man5: $(man5_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am: install-exec-local
+
+install-info: install-info-am
+
+install-man: install-man5 install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man5 uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-exec-local install-info \
+ install-info-am install-ipsecPROGRAMS install-man install-man5 \
+ install-man8 install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+ uninstall-am uninstall-info-am uninstall-ipsecPROGRAMS \
+ uninstall-man uninstall-man5 uninstall-man8
+
+
+oid.c: oid.txt oid.pl
+ $(PERL) oid.pl
+
+oid.h: oid.txt oid.pl
+ $(PERL) oid.pl
+
+install-exec-local :
+ mkdir -p -m 755 $(confdir)/ipsec.d
+ mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(confdir)/ipsec.d/private
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/pluto/TODO b/src/pluto/TODO
new file mode 100644
index 000000000..7db4a9ebc
--- /dev/null
+++ b/src/pluto/TODO
@@ -0,0 +1,129 @@
+Pluto TODO list
+===============
+RCSID $Id: TODO,v 1.1 2004/03/15 20:35:28 as Exp $
+
+- should all log entries that are for errors say ERROR?
+
+- Add a "plug-in" facility so that others can add features without
+ changing the mainline code. This is how X509/LDAP/biometric stuff
+ might be added.
+
+- (internal change only) routines for outputting payloads should plug
+ "np" into the previous payload so that a payload generating routine
+ need not know what the next payload will be. This may be more bother
+ than it is worth.
+
+- notifications, in and out
+ + delete
+ + first contact
+ + last contact? (not part of drafts, but would be nice)
+
+- Make DNS usage for asynchronous (non-blocking)
+ + looking up KEY and TXT records during negotiation
+ + perhaps not for whack command arguments and ipsec.secrets since the
+ library code uses gethostbyname
+
+- check that ipsec auto and whack to agree on what is worth reporting
+
+- Should Pluto (rather than ipsec manual) install %passthrough conns?
+ That way Pluto would know of them.
+
+- For responding to Road Warriors, how can we decide if the RW has
+ gone away? The rekeying event is perhaps too imprecise. Even if
+ rekeying event is good enough, how do we know if the route should be
+ torn down? Perhaps limiting a Phase 1 ID to one IP address would
+ help (limiting a client subnet to one peer already helps). Perhaps
+ (in some rate-limited way) we can take an ICMP host unreachable
+ as a hint to do some authenticated and reliable probe.
+
+- it is annoying that Pluto and auto have different models for public keys.
+ + auto specifies one per connection
+ + Pluto allows one to be specified per id
+ Two connections with the same id are going to use the same key:
+ the one of the last conn to be added!
+
+ I think auto ought to be fixed. It is hard for Pluto to warn when
+ there is a conflict since the deletion of a connection doesn't
+ prompt auto to tell pluto to delete the public key.
+
+- different connections with the same host IP addresses are randomly
+ interchangeable until the ID payload is received. At least for the
+ Responder case (and eventually for the opportunistic Initiator).
+ Worse, all Road Warriors must be considered to have the
+ indistinguishable IP addresses. This affects ISAKMP SA negotiation.
+ Currently, there is little flexibility in this negotiation, so the
+ problem is limited to the specification of acceptable authentication
+ method(s). Correct, but more work than seems worthwhile, would be
+ to select the conn based on what is proposed.
+
+ Warning about such confusion at connection definition time isn't great
+ because there is no confusion when explicitly initiated (a particular
+ conn is specified). Warning for a Road Warrior conn is possible
+ since it cannot be initiated (and has been implemented).
+
+- characterize and ameliorate DOS attacks. Lots of rate limiting.
+
+- look at John Denker's wish list: http://www.quintillion.com/moat/wish.list
+
+- use of random numbers needs to be audited.
+
+- unknown (not just unimplemented) transforms cause a negotiation to
+ fail. Only the transform should be rejected.
+
+- we need better policy control. Our present flags need to be
+ modulated (forbid, allow, offer, require)
+
+- HS will specify how --copyright and --version should behave
+
+- HS will initiate project-wide terminology replacing ISAKMP SA, IPSEC
+ SA, Protection Suite, Phase 1, Main Mode, Phase 2, Quick Mode, ...
+ Simplicity and clarity will be a goal.
+
+- interface discovery ought to match what is specified in ipsec.conf.
+ This probably means grokking /proc/net/ipsec_tncfg. Documented in
+ ipsec_tncfg(5). This won't do for Hugh's debugging setup.
+
+
+Protocol Issues
+===============
+
+Notification and delete payloads seem to be "escape hatches" for the
+protocols. As such, anything implemented using them seems to be
+kludged without being well designed or well situated or well
+constrained in the protocols. Often the precise meaning (if any) or
+usage is under specified. An implementation is allowed to ignore
+them, so they cannot really matter (but they too often do). Their
+specification ought to be scrutinized by a protocol guru.
+
+Any extra payload in last main mode message is not protected (not
+authenticated by hash).
+
+Should notification payloads be interpreted before or after the normal
+payloads (i.e. understood in the context of, executed in the context of).
+
+What is the precise result of an INITIAL_CONNECTION? What is a
+"system" (eg. does Phase 1 Identity count)? What is "earlier" or
+"before" (simultaneous negotiation is possible, with time being only a
+partial order)? Could it be used for FINAL_CONTACT (needed too)?
+
+Blasting out a pile of UDP messages, especially to a particular
+destination, is likely to provoke message loss. The exchanges are
+just that, so they individually are self-throttling. But what about
+multiple exchanges simultaneously? What about notifications (example:
+when shutting down, a flurry of delete notifications are likely).
+Should the RFCs be designed to protect against this problem?
+
+draft-jenkins-ipsec-rekeying-03.txt rekeying is way too complicated.
+Our solution looks sound and simple (we have the Responder install the
+incoming IPSEC SA before sending its first reply). In "2.2.1.4
+Responder Pre-Set-up Security Hole", the draft claims that setting up
+the IPSEC SA early leaves the Responder open to replay attacks. I
+think that this is wrong: the Message Id, since it must not be reused,
+serves to prove that this isn't a replay.
+
+The details for notification messages suggested by
+draft-ietf-ipsec-notifymsg-02.txt are over-complicated, just to make
+them machine-comprehensible. I think this is over-engineering,
+justified only if another level of negotiation is contemplated (ugh!).
+Plain text is probably sufficient for informing humans (I admit that
+there is a problem with I18N).
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
new file mode 100644
index 000000000..bcf5f80d1
--- /dev/null
+++ b/src/pluto/ac.c
@@ -0,0 +1,1018 @@
+/* Support of X.509 attribute certificates
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ac.c,v 1.12 2005/12/06 22:49:32 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <time.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "asn1.h"
+#include "oid.h"
+#include "ac.h"
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "certs.h"
+#include "log.h"
+#include "whack.h"
+#include "fetch.h"
+
+/* chained list of X.509 attribute certificates */
+
+static x509acert_t *x509acerts = NULL;
+
+/* chained list of ietfAttributes */
+
+static ietfAttrList_t *ietfAttributes = NULL;
+
+/* ASN.1 definition of ietfAttrSyntax */
+
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+ { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_BODY }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */
+ { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 4 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
+ { 2, "oid", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 6 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 2, "string", ASN1_UTF8STRING, ASN1_OPT |
+ ASN1_BODY }, /* 8 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */
+};
+
+#define IETF_ATTR_OCTETS 4
+#define IETF_ATTR_OID 6
+#define IETF_ATTR_STRING 8
+#define IETF_ATTR_ROOF 11
+
+/* ASN.1 definition of roleSyntax */
+
+static const asn1Object_t roleSyntaxObjects[] =
+{
+ { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_OBJ }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */
+};
+
+#define ROLE_ROOF 4
+
+/* ASN.1 definition of an X509 attribute certificate */
+
+static const asn1Object_t acObjects[] =
+{
+ { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "version", ASN1_INTEGER, ASN1_DEF |
+ ASN1_BODY }, /* 2 */
+ { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
+ { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
+ { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 7 */
+ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+ { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_OBJ }, /* 10 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+ { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
+ { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/
+ { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 14 */
+ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/
+ { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
+ { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
+ { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_OBJ }, /* 19 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
+ { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
+ { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
+ { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
+ { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
+ { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 25 */
+ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
+ { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
+ { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
+ { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
+ { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 31 */
+ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
+ { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
+ { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
+ { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+ { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+ { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
+ { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
+ { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
+ { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
+ { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
+ { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
+ { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
+ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
+ { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
+ { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 50 */
+ { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */
+};
+
+#define AC_OBJ_CERTIFICATE 0
+#define AC_OBJ_CERTIFICATE_INFO 1
+#define AC_OBJ_VERSION 2
+#define AC_OBJ_HOLDER_ISSUER 5
+#define AC_OBJ_HOLDER_SERIAL 6
+#define AC_OBJ_ENTITY_NAME 10
+#define AC_OBJ_ISSUER_NAME 19
+#define AC_OBJ_ISSUER 23
+#define AC_OBJ_SIG_ALG 35
+#define AC_OBJ_SERIAL_NUMBER 36
+#define AC_OBJ_NOT_BEFORE 38
+#define AC_OBJ_NOT_AFTER 39
+#define AC_OBJ_ATTRIBUTE_TYPE 42
+#define AC_OBJ_ATTRIBUTE_VALUE 44
+#define AC_OBJ_EXTN_ID 49
+#define AC_OBJ_CRITICAL 50
+#define AC_OBJ_EXTN_VALUE 51
+#define AC_OBJ_ALGORITHM 53
+#define AC_OBJ_SIGNATURE 54
+#define AC_OBJ_ROOF 55
+
+const x509acert_t empty_ac = {
+ NULL , /* *next */
+ 0 , /* installed */
+ { NULL, 0 }, /* certificate */
+ { NULL, 0 }, /* certificateInfo */
+ 1 , /* version */
+ /* holder */
+ /* baseCertificateID */
+ { NULL, 0 }, /* holderIssuer */
+ { NULL, 0 }, /* holderSerial */
+ /* entityName */
+ { NULL, 0 }, /* generalNames */
+ /* v2Form */
+ { NULL, 0 }, /* issuerName */
+ /* signature */
+ OID_UNKNOWN, /* sigAlg */
+ { NULL, 0 }, /* serialNumber */
+ /* attrCertValidityPeriod */
+ 0 , /* notBefore */
+ 0 , /* notAfter */
+ /* attributes */
+ NULL , /* charging */
+ NULL , /* groups */
+ /* extensions */
+ { NULL, 0 }, /* authKeyID */
+ { NULL, 0 }, /* authKeySerialNumber */
+ FALSE , /* noRevAvail */
+ /* signatureAlgorithm */
+ OID_UNKNOWN, /* algorithm */
+ { NULL, 0 }, /* signature */
+};
+
+
+/* compare two ietfAttributes, returns zero if a equals b
+ * negative/positive if a is earlier/later in the alphabet than b
+ */
+static int
+cmp_ietfAttr(ietfAttr_t *a,ietfAttr_t *b)
+{
+ int cmp_len, len, cmp_value;
+
+ /* cannot compare OID with STRING or OCTETS attributes */
+ if (a->kind == IETF_ATTRIBUTE_OID && b->kind != IETF_ATTRIBUTE_OID)
+ return 1;
+
+ cmp_len = a->value.len - b->value.len;
+ len = (cmp_len < 0)? a->value.len : b->value.len;
+ cmp_value = memcmp(a->value.ptr, b->value.ptr, len);
+
+ return (cmp_value == 0)? cmp_len : cmp_value;
+}
+
+/*
+ * add an ietfAttribute to the chained list
+ */
+static ietfAttr_t*
+add_ietfAttr(ietfAttr_t *attr)
+{
+ ietfAttrList_t **listp = &ietfAttributes;
+ ietfAttrList_t *list = *listp;
+ int cmp = -1;
+
+ while (list != NULL)
+ {
+ cmp = cmp_ietfAttr(attr, list->attr);
+ if (cmp <= 0)
+ break;
+ listp = &list->next;
+ list = *listp;
+ }
+
+ if (cmp == 0)
+ {
+ /* attribute already exists, increase count */
+ pfree(attr);
+ list->attr->count++;
+ return list->attr;
+ }
+ else
+ {
+ ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
+
+ /* new attribute, unshare value */
+ attr->value.ptr = clone_bytes(attr->value.ptr, attr->value.len
+ , "attr value");
+ attr->count = 1;
+ time(&attr->installed);
+
+ el->attr = attr;
+ el->next = list;
+ *listp = el;
+
+ return attr;
+ }
+}
+
+/*
+ * decodes a comma separated list of group attributes
+ */
+void
+decode_groups(char *groups, ietfAttrList_t **listp)
+{
+ if (groups == NULL)
+ return;
+
+ while (strlen(groups) > 0)
+ {
+ char *end;
+ char *next = strchr(groups, ',');
+
+ if (next == NULL)
+ end = next = groups + strlen(groups);
+ else
+ end = next++;
+
+ /* eat preceeding whitespace */
+ while (groups < end && *groups == ' ')
+ groups++;
+
+ /* eat trailing whitespace */
+ while (end > groups && *(end-1) == ' ')
+ end--;
+
+ if (groups < end)
+ {
+ ietfAttr_t *attr = alloc_thing(ietfAttr_t, "ietfAttr");
+ ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
+
+ attr->kind = IETF_ATTRIBUTE_STRING;
+ attr->value.ptr = groups;
+ attr->value.len = end - groups;
+ attr->count = 0;
+
+ el->attr = add_ietfAttr(attr);
+ el->next = *listp;
+ *listp = el;
+ }
+
+ groups = next;
+ }
+}
+
+static bool
+same_attribute(const ietfAttr_t *a, const ietfAttr_t *b)
+{
+ return (a->kind == b->kind && a->value.len == b->value.len
+ && memcmp(a->value.ptr, b->value.ptr, b->value.len) == 0);
+}
+
+bool
+group_membership(const ietfAttrList_t *peer_list
+ , const char *conn
+ , const ietfAttrList_t *conn_list)
+{
+ if (conn_list == NULL)
+ return TRUE;
+
+ while (peer_list != NULL)
+ {
+ const ietfAttr_t *peer_attr = peer_list->attr;
+ const ietfAttrList_t *list = conn_list;
+
+ while (list != NULL)
+ {
+ ietfAttr_t *conn_attr = list->attr;
+
+ if (same_attribute(conn_attr, peer_attr))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("%s: peer matches group '%.*s'"
+ , conn
+ , (int)peer_attr->value.len, peer_attr->value.ptr)
+ )
+ return TRUE;
+ }
+ list = list->next;
+ }
+ peer_list = peer_list->next;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("%s: peer doesn't match any group", conn)
+ )
+ return FALSE;
+}
+
+
+void
+unshare_ietfAttrList(ietfAttrList_t **listp)
+{
+ ietfAttrList_t *list = *listp;
+
+ while (list != NULL)
+ {
+ ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
+
+ el->attr = list->attr;
+ el->attr->count++;
+ el->next = NULL;
+ *listp = el;
+ listp = &el->next;
+ list = list->next;
+ }
+}
+
+/*
+ * parses ietfAttrSyntax
+ */
+static ietfAttrList_t*
+parse_ietfAttrSyntax(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ ietfAttrList_t *list = NULL;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < IETF_ATTR_ROOF)
+ {
+ if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx))
+ return NULL;
+
+ switch (objectID)
+ {
+ case IETF_ATTR_OCTETS:
+ case IETF_ATTR_OID:
+ case IETF_ATTR_STRING:
+ {
+ ietfAttr_t *attr = alloc_thing(ietfAttr_t, "ietfAttr");
+ ietfAttrList_t *el = alloc_thing(ietfAttrList_t, "ietfAttrList");
+
+ attr->kind = (objectID - IETF_ATTR_OCTETS) / 2;
+ attr->value = object;
+ attr->count = 0;
+
+ el->attr = add_ietfAttr(attr);
+ el->next = list;
+ list = el;
+ }
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ return list;
+}
+/*
+ * parses roleSyntax
+ */
+static void
+parse_roleSyntax(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < ROLE_ROOF)
+ {
+ if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx))
+ return;
+
+ switch (objectID) {
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/*
+ * Parses an X.509 attribute certificate
+ */
+bool
+parse_ac(chunk_t blob, x509acert_t *ac)
+{
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ u_int level;
+ u_int type = OID_UNKNOWN;
+ u_int extn_oid = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
+
+ while (objectID < AC_OBJ_ROOF) {
+
+ if (!extract_object(acObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ /* those objects which will parsed further need the next higher level */
+ level++;
+
+ switch (objectID)
+ {
+ case AC_OBJ_CERTIFICATE:
+ ac->certificate = object;
+ break;
+ case AC_OBJ_CERTIFICATE_INFO:
+ ac->certificateInfo = object;
+ break;
+ case AC_OBJ_VERSION:
+ ac->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
+ DBG(DBG_PARSING,
+ DBG_log(" v%d", ac->version);
+ )
+ if (ac->version != 2)
+ {
+ plog("v%d attribute certificates are not supported"
+ , ac->version);
+ return FALSE;
+ }
+ break;
+ case AC_OBJ_HOLDER_ISSUER:
+ ac->holderIssuer = get_directoryName(object, level, FALSE);
+ break;
+ case AC_OBJ_HOLDER_SERIAL:
+ ac->holderSerial = object;
+ break;
+ case AC_OBJ_ENTITY_NAME:
+ ac->entityName = get_directoryName(object, level, TRUE);
+ break;
+ case AC_OBJ_ISSUER_NAME:
+ ac->issuerName = get_directoryName(object, level, FALSE);
+ break;
+ case AC_OBJ_SIG_ALG:
+ ac->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case AC_OBJ_SERIAL_NUMBER:
+ ac->serialNumber = object;
+ break;
+ case AC_OBJ_NOT_BEFORE:
+ ac->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case AC_OBJ_NOT_AFTER:
+ ac->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case AC_OBJ_ATTRIBUTE_TYPE:
+ type = known_oid(object);
+ break;
+ case AC_OBJ_ATTRIBUTE_VALUE:
+ {
+ switch (type) {
+ case OID_AUTHENTICATION_INFO:
+ DBG(DBG_PARSING,
+ DBG_log(" need to parse authenticationInfo")
+ )
+ break;
+ case OID_ACCESS_IDENTITY:
+ DBG(DBG_PARSING,
+ DBG_log(" need to parse accessIdentity")
+ )
+ break;
+ case OID_CHARGING_IDENTITY:
+ ac->charging = parse_ietfAttrSyntax(object, level);
+ break;
+ case OID_GROUP:
+ ac->groups = parse_ietfAttrSyntax(object, level);
+ break;
+ case OID_ROLE:
+ parse_roleSyntax(object, level);
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case AC_OBJ_EXTN_ID:
+ extn_oid = known_oid(object);
+ break;
+ case AC_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(critical)?"TRUE":"FALSE");
+ )
+ break;
+ case AC_OBJ_EXTN_VALUE:
+ {
+ switch (extn_oid) {
+ case OID_CRL_DISTRIBUTION_POINTS:
+ DBG(DBG_PARSING,
+ DBG_log(" need to parse crlDistributionPoints")
+ )
+ break;
+ case OID_AUTHORITY_KEY_ID:
+ parse_authorityKeyIdentifier(object, level
+ , &ac->authKeyID, &ac->authKeySerialNumber);
+ break;
+ case OID_TARGET_INFORMATION:
+ DBG(DBG_PARSING,
+ DBG_log(" need to parse targetInformation")
+ )
+ break;
+ case OID_NO_REV_AVAIL:
+ ac->noRevAvail = TRUE;
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case AC_OBJ_ALGORITHM:
+ ac->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case AC_OBJ_SIGNATURE:
+ ac->signature = object;
+ break;
+
+ default:
+ break;
+ }
+ objectID++;
+ }
+ time(&ac->installed);
+ return TRUE;
+}
+
+/*
+ * compare two X.509 attribute certificates by comparing their signatures
+ */
+static bool
+same_x509acert(x509acert_t *a, x509acert_t *b)
+{
+ return a->signature.len == b->signature.len &&
+ memcmp(a->signature.ptr, b->signature.ptr, b->signature.len) == 0;
+}
+
+/*
+ * release an ietfAttribute, free it if count reaches zero
+ */
+static void
+release_ietfAttr(ietfAttr_t* attr)
+{
+ if (--attr->count == 0)
+ {
+ ietfAttrList_t **plist = &ietfAttributes;
+ ietfAttrList_t *list = *plist;
+
+ while (list->attr != attr)
+ {
+ plist = &list->next;
+ list = *plist;
+ }
+ *plist = list->next;
+
+ pfree(attr->value.ptr);
+ pfree(attr);
+ pfree(list);
+ }
+}
+
+/*
+ * free an ietfAttrList
+ */
+void
+free_ietfAttrList(ietfAttrList_t* list)
+{
+ while (list != NULL)
+ {
+ ietfAttrList_t *el = list;
+
+ release_ietfAttr(el->attr);
+ list = list->next;
+ pfree(el);
+ }
+}
+
+/*
+ * free a X.509 attribute certificate
+ */
+void
+free_acert(x509acert_t *ac)
+{
+ if (ac != NULL)
+ {
+ free_ietfAttrList(ac->charging);
+ free_ietfAttrList(ac->groups);
+ pfreeany(ac->certificate.ptr);
+ pfree(ac);
+ }
+}
+
+/*
+ * free first X.509 attribute certificate in the chained list
+ */
+static void
+free_first_acert(void)
+{
+ x509acert_t *first = x509acerts;
+ x509acerts = first->next;
+ free_acert(first);
+}
+
+/*
+ * Free all attribute certificates in the chained list
+ */
+void
+free_acerts(void)
+{
+ while (x509acerts != NULL)
+ free_first_acert();
+}
+
+/*
+ * get a X.509 attribute certificate for a given holder
+ */
+x509acert_t*
+get_x509acert(chunk_t issuer, chunk_t serial)
+{
+ x509acert_t *ac = x509acerts;
+ x509acert_t *prev_ac = NULL;
+
+ while (ac != NULL)
+ {
+ if (same_dn(issuer, ac->holderIssuer)
+ && same_serial(serial, ac->holderSerial))
+ {
+ if (ac!= x509acerts)
+ {
+ /* bring the certificate up front */
+ prev_ac->next = ac->next;
+ ac->next = x509acerts;
+ x509acerts = ac;
+ }
+ return ac;
+ }
+ prev_ac = ac;
+ ac = ac->next;
+ }
+ return NULL;
+}
+
+/*
+ * add a X.509 attribute certificate to the chained list
+ */
+static void
+add_acert(x509acert_t *ac)
+{
+ x509acert_t *old_ac = get_x509acert(ac->holderIssuer, ac->holderSerial);
+
+ if (old_ac != NULL)
+ {
+ if (ac->notBefore >old_ac->notBefore)
+ {
+ /* delete the old attribute cert */
+ free_first_acert();
+ DBG(DBG_CONTROL,
+ DBG_log("attribute cert is newer - existing cert deleted")
+ )
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("attribute cert is not newer - existing cert kept");
+ )
+ free_acert(ac);
+ return;
+ }
+ }
+ plog("attribute cert added");
+
+ /* insert new attribute cert at the root of the chain */
+ ac->next = x509acerts;
+ x509acerts = ac;
+}
+
+/* verify the validity of an attribute certificate by
+ * checking the notBefore and notAfter dates
+ */
+static err_t
+check_ac_validity(const x509acert_t *ac)
+{
+ time_t current_time;
+
+ time(&current_time);
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log(" not before : %s", timetoa(&ac->notBefore, TRUE));
+ DBG_log(" current time: %s", timetoa(&current_time, TRUE));
+ DBG_log(" not after : %s", timetoa(&ac->notAfter, TRUE));
+ )
+
+ if (current_time < ac->notBefore)
+ return "attribute certificate is not valid yet";
+ if (current_time > ac->notAfter)
+ return "attribute certificate has expired";
+ else
+ return NULL;
+}
+
+/*
+ * verifies a X.509 attribute certificate
+ */
+bool
+verify_x509acert(x509acert_t *ac, bool strict)
+{
+ u_char buf[BUF_LEN];
+ x509cert_t *aacert;
+ err_t ugh = NULL;
+ time_t valid_until = ac->notAfter;
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, ac->entityName);
+ DBG_log("holder: '%s'",buf);
+ dntoa(buf, BUF_LEN, ac->issuerName);
+ DBG_log("issuer: '%s'",buf);
+ )
+
+ ugh = check_ac_validity(ac);
+
+ if (ugh != NULL)
+ {
+ plog("%s", ugh);
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("attribute certificate is valid")
+ )
+
+ lock_authcert_list("verify_x509acert");
+ aacert = get_authcert(ac->issuerName, ac->authKeySerialNumber
+ , ac->authKeyID, AUTH_AA);
+ unlock_authcert_list("verify_x509acert");
+
+ if (aacert == NULL)
+ {
+ plog("issuer aacert not found");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("issuer aacert found")
+ )
+
+ if (!check_signature(ac->certificateInfo, ac->signature
+ , ac->algorithm, ac->algorithm, aacert))
+ {
+ plog("attribute certificate signature is invalid");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("attribute certificate signature is valid");
+ )
+
+ return verify_x509cert(aacert, strict, &valid_until);
+}
+
+/*
+ * Loads X.509 attribute certificates
+ */
+void
+load_acerts(void)
+{
+ u_char buf[BUF_LEN];
+
+ /* change directory to specified path */
+ u_char *save_dir = getcwd(buf, BUF_LEN);
+
+ if (!chdir(A_CERT_PATH))
+ {
+ struct dirent **filelist;
+ int n;
+
+ plog("Changing to directory '%s'",A_CERT_PATH);
+ n = scandir(A_CERT_PATH, &filelist, file_select, alphasort);
+
+ if (n > 0)
+ {
+ while (n--)
+ {
+ chunk_t blob = empty_chunk;
+ bool pgp = FALSE;
+
+ if (load_coded_file(filelist[n]->d_name, NULL, "acert", &blob, &pgp))
+ {
+ x509acert_t *ac = alloc_thing(x509acert_t, "x509acert");
+
+ *ac = empty_ac;
+
+ if (parse_ac(blob, ac)
+ && verify_x509acert(ac, FALSE))
+ add_acert(ac);
+ else
+ free_acert(ac);
+ }
+ free(filelist[n]);
+ }
+ free(filelist);
+ }
+ }
+ /* restore directory path */
+ chdir(save_dir);
+}
+
+/*
+ * lists group attributes separated by commas on a single line
+ */
+void
+format_groups(const ietfAttrList_t *list, char *buf, int len)
+{
+ bool first_group = TRUE;
+
+ while (list != NULL && len > 0)
+ {
+ ietfAttr_t *attr = list->attr;
+
+ if (attr->kind == IETF_ATTRIBUTE_OCTETS
+ || attr->kind == IETF_ATTRIBUTE_STRING)
+ {
+ int written = snprintf(buf, len, "%s%.*s"
+ , (first_group)? "" : ", "
+ , (int)attr->value.len, attr->value.ptr);
+
+ first_group = FALSE;
+
+ /* return value of snprintf() up to glibc 2.0.6 */
+ if (written < 0)
+ break;
+
+ buf += written;
+ len -= written;
+ }
+ list = list->next;
+ }
+}
+
+/*
+ * list all X.509 attribute certificates in the chained list
+ */
+void
+list_acerts(bool utc)
+{
+ x509acert_t *ac = x509acerts;
+ time_t now;
+
+ /* determine the current time */
+ time(&now);
+
+ if (ac != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of X.509 Attribute Certificates:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (ac != NULL)
+ {
+ u_char buf[BUF_LEN];
+
+ whack_log(RC_COMMENT, "%s",timetoa(&ac->installed, utc));
+ if (ac->entityName.ptr != NULL)
+ {
+ dntoa(buf, BUF_LEN, ac->entityName);
+ whack_log(RC_COMMENT, " holder: '%s'", buf);
+ }
+ if (ac->holderIssuer.ptr != NULL)
+ {
+ dntoa(buf, BUF_LEN, ac->holderIssuer);
+ whack_log(RC_COMMENT, " hissuer: '%s'", buf);
+ }
+ if (ac->holderSerial.ptr != NULL)
+ {
+ datatot(ac->holderSerial.ptr, ac->holderSerial.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " hserial: %s", buf);
+ }
+ if (ac->groups != NULL)
+ {
+ format_groups(ac->groups, buf, BUF_LEN);
+ whack_log(RC_COMMENT, " groups: %s", buf);
+ }
+ dntoa(buf, BUF_LEN, ac->issuerName);
+ whack_log(RC_COMMENT, " issuer: '%s'", buf);
+ datatot(ac->serialNumber.ptr, ac->serialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " serial: %s", buf);
+ whack_log(RC_COMMENT, " validity: not before %s %s",
+ timetoa(&ac->notBefore, utc),
+ (ac->notBefore < now)?"ok":"fatal (not valid yet)");
+ whack_log(RC_COMMENT, " not after %s %s",
+ timetoa(&ac->notAfter, utc),
+ check_expiry(ac->notAfter, ACERT_WARNING_INTERVAL, TRUE));
+ if (ac->authKeyID.ptr != NULL)
+ {
+ datatot(ac->authKeyID.ptr, ac->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (ac->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(ac->authKeySerialNumber.ptr, ac->authKeySerialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+
+ ac = ac->next;
+ }
+}
+
+/*
+ * list all group attributes in alphabetical order
+ */
+void
+list_groups(bool utc)
+{
+ ietfAttrList_t *list = ietfAttributes;
+
+ if (list != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of Group Attributes:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (list != NULL)
+ {
+ ietfAttr_t *attr = list->attr;
+
+ whack_log(RC_COMMENT, "%s, count: %d", timetoa(&attr->installed, utc),
+ attr->count);
+
+ switch (attr->kind)
+ {
+ case IETF_ATTRIBUTE_OCTETS:
+ case IETF_ATTRIBUTE_STRING:
+ whack_log(RC_COMMENT, " %.*s", (int)attr->value.len, attr->value.ptr);
+ break;
+ case IETF_ATTRIBUTE_OID:
+ whack_log(RC_COMMENT, " OID");
+ break;
+ default:
+ break;
+ }
+
+ list = list->next;
+ }
+}
diff --git a/src/pluto/ac.h b/src/pluto/ac.h
new file mode 100644
index 000000000..3913d745d
--- /dev/null
+++ b/src/pluto/ac.h
@@ -0,0 +1,103 @@
+/* Support of X.509 attribute certificates
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ac.h,v 1.8 2005/02/17 20:56:04 as Exp $
+ */
+
+#ifndef _AC_H
+#define _AC_H
+
+/* definition of ietfAttribute kinds */
+
+typedef enum {
+ IETF_ATTRIBUTE_OCTETS = 0,
+ IETF_ATTRIBUTE_OID = 1,
+ IETF_ATTRIBUTE_STRING = 2
+} ietfAttribute_t;
+
+/* access structure for an ietfAttribute */
+
+typedef struct ietfAttr ietfAttr_t;
+
+struct ietfAttr {
+ time_t installed;
+ int count;
+ ietfAttribute_t kind;
+ chunk_t value;
+};
+
+typedef struct ietfAttrList ietfAttrList_t;
+
+struct ietfAttrList {
+ ietfAttrList_t *next;
+ ietfAttr_t *attr;
+};
+
+
+/* access structure for an X.509 attribute certificate */
+
+typedef struct x509acert x509acert_t;
+
+struct x509acert {
+ x509acert_t *next;
+ time_t installed;
+ chunk_t certificate;
+ chunk_t certificateInfo;
+ u_int version;
+ /* holder */
+ /* baseCertificateID */
+ chunk_t holderIssuer;
+ chunk_t holderSerial;
+ chunk_t entityName;
+ /* v2Form */
+ chunk_t issuerName;
+ /* signature */
+ int sigAlg;
+ chunk_t serialNumber;
+ /* attrCertValidityPeriod */
+ time_t notBefore;
+ time_t notAfter;
+ /* attributes */
+ ietfAttrList_t *charging;
+ ietfAttrList_t *groups;
+ /* extensions */
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+ bool noRevAvail;
+ /* signatureAlgorithm */
+ int algorithm;
+ chunk_t signature;
+};
+
+/* used for initialization */
+extern const x509acert_t empty_ac;
+
+extern void unshare_ietfAttrList(ietfAttrList_t **listp);
+extern void free_ietfAttrList(ietfAttrList_t *list);
+extern void decode_groups(char *groups, ietfAttrList_t **listp);
+extern bool group_membership(const ietfAttrList_t *my_list
+ , const char *conn, const ietfAttrList_t *conn_list);
+extern bool parse_ac(chunk_t blob, x509acert_t *ac);
+extern bool verify_x509acert(x509acert_t *ac, bool strict);
+extern x509acert_t* get_x509acert(chunk_t issuer, chunk_t serial);
+extern void load_acerts(void);
+extern void free_acert(x509acert_t *ac);
+extern void free_acerts(void);
+extern void list_acerts(bool utc);
+extern void list_groups(bool utc);
+extern void format_groups(const ietfAttrList_t *list, char *buf, int len);
+
+
+#endif /* _AH_H */
diff --git a/src/pluto/adns.c b/src/pluto/adns.c
new file mode 100644
index 000000000..c5977d23c
--- /dev/null
+++ b/src/pluto/adns.c
@@ -0,0 +1,615 @@
+/* Pluto Asynchronous DNS Helper Program -- for internal use only!
+ * Copyright (C) 2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: adns.c,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#ifndef USE_LWRES /* whole file! */
+
+/* This program executes as multiple processes. The Master process
+ * receives queries (struct adns_query messages) from Pluto and distributes
+ * them amongst Worker processes. These Worker processes are created
+ * by the Master whenever a query arrives and no existing Worker is free.
+ * At most MAX_WORKERS will be created; after that, the Master will queue
+ * queries until a Worker becomes free. When a Worker has an answer from
+ * the resolver, it sends the answer as a struct adns_answer message to the
+ * Master. The Master then forwards the answer to Pluto, noting that
+ * the Worker is free to accept another query.
+ *
+ * The protocol is simple: Pluto sends a sequence of queries and receives
+ * a sequence of answers. select(2) is used by Pluto and by the Master
+ * process to decide when to read, but writes are done without checking
+ * for readiness. Communications is via pipes. Since only one process
+ * can write to each pipe, messages will not be interleaved. Fixed length
+ * records are used for simplicity.
+ *
+ * Pluto needs a way to indicate to the Master when to shut down
+ * and the Master needs to indicate this to each worker. EOF on the pipe
+ * signifies this.
+ *
+ * The interfaces between these components are considered private to
+ * Pluto. This allows us to get away with less checking. This is a
+ * reason to use pipes instead of TCP/IP.
+ *
+ * Although the code uses plain old UNIX processes, it could be modified
+ * to use threads. That might reduce resource requirements. It would
+ * preclude running on systems without thread-safe resolvers.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h> /* ??? for h_errno */
+
+#include <freeswan.h>
+
+/* GCC magic! */
+#ifdef GCC_LINT
+# define UNUSED __attribute__ ((unused))
+#else
+# define UNUSED /* ignore */
+#endif
+
+#include "constants.h"
+#include "adns.h" /* needs <resolv.h> */
+
+/* shared by all processes */
+
+static const char *name; /* program name, for messages */
+
+static bool debug = FALSE;
+
+/* Read a variable-length record from a pipe (and no more!).
+ * First bytes must be a size_t containing the length.
+ * HES_CONTINUE if record read
+ * HES_OK if EOF
+ * HES_IO_ERROR_IN if errno tells the tale.
+ * Others are errors.
+ */
+static enum helper_exit_status
+read_pipe(int fd, unsigned char *stuff, size_t minlen, size_t maxlen)
+{
+ size_t n = 0;
+ size_t goal = minlen;
+
+ do {
+ ssize_t m = read(fd, stuff + n, goal - n);
+
+ if (m == -1)
+ {
+ if (errno != EINTR)
+ {
+ syslog(LOG_ERR, "Input error on pipe: %s", strerror(errno));
+ return HES_IO_ERROR_IN;
+ }
+ }
+ else if (m == 0)
+ {
+ return HES_OK; /* treat empty message as EOF */
+ }
+ else
+ {
+ n += m;
+ if (n >= sizeof(size_t))
+ {
+ goal = *(size_t *)(void *)stuff;
+ if (goal < minlen || maxlen < goal)
+ {
+ if (debug)
+ fprintf(stderr, "%lu : [%lu, %lu]\n"
+ , (unsigned long)goal
+ , (unsigned long)minlen, (unsigned long)maxlen);
+ return HES_BAD_LEN;
+ }
+ }
+ }
+ } while (n < goal);
+
+ return HES_CONTINUE;
+}
+
+/* Write a variable-length record to a pipe.
+ * First bytes must be a size_t containing the length.
+ * HES_CONTINUE if record written
+ * Others are errors.
+ */
+static enum helper_exit_status
+write_pipe(int fd, const unsigned char *stuff)
+{
+ size_t len = *(const size_t *)(const void *)stuff;
+ size_t n = 0;
+
+ do {
+ ssize_t m = write(fd, stuff + n, len - n);
+
+ if (m == -1)
+ {
+ /* error, but ignore and retry if EINTR */
+ if (errno != EINTR)
+ {
+ syslog(LOG_ERR, "Output error from master: %s", strerror(errno));
+ return HES_IO_ERROR_OUT;
+ }
+ }
+ else
+ {
+ n += m;
+ }
+ } while (n != len);
+ return HES_CONTINUE;
+}
+
+/**************** worker process ****************/
+
+/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
+ * so we build some of our own :-(
+ */
+
+/* Support deprecated interface to allow for older releases of the resolver.
+ * Fake new interface!
+ * See resolver(3) bind distribution (should be in RHL6.1, but isn't).
+ * __RES was 19960801 in RHL6.2, an old resolver.
+ */
+
+#if (__RES) <= 19960801
+# define OLD_RESOLVER 1
+#endif
+
+#ifdef OLD_RESOLVER
+
+# define res_ninit(statp) res_init()
+# define res_nquery(statp, dname, class, type, answer, anslen) \
+ res_query(dname, class, type, answer, anslen)
+# define res_nclose(statp) res_close()
+
+static struct __res_state *statp = &_res;
+
+#else /* !OLD_RESOLVER */
+
+static struct __res_state my_res_state /* = { 0 } */;
+static res_state statp = &my_res_state;
+
+#endif /* !OLD_RESOLVER */
+
+static int
+worker(int qfd, int afd)
+{
+ {
+ int r = res_ninit(statp);
+
+ if (r != 0)
+ {
+ syslog(LOG_ERR, "cannot initialize resolver");
+ return HES_RES_INIT;
+ }
+#ifndef OLD_RESOLVER
+ statp->options |= RES_ROTATE;
+#endif
+ statp->options |= RES_DEBUG;
+ }
+
+ for (;;)
+ {
+ struct adns_query q;
+ struct adns_answer a;
+
+ enum helper_exit_status r = read_pipe(qfd, (unsigned char *)&q
+ , sizeof(q), sizeof(q));
+
+ if (r != HES_CONTINUE)
+ return r; /* some kind of exit */
+
+ if (q.qmagic != ADNS_Q_MAGIC)
+ {
+ syslog(LOG_ERR, "error in input from master: bad magic");
+ return HES_BAD_MAGIC;
+ }
+
+ a.amagic = ADNS_A_MAGIC;
+ a.serial = q.serial;
+
+ a.result = res_nquery(statp, q.name_buf, C_IN, q.type, a.ans, sizeof(a.ans));
+ a.h_errno_val = h_errno;
+
+ a.len = offsetof(struct adns_answer, ans) + (a.result < 0? 0 : a.result);
+
+#ifdef DEBUG
+ if (((q.debugging & IMPAIR_DELAY_ADNS_KEY_ANSWER) && q.type == T_KEY)
+ || ((q.debugging & IMPAIR_DELAY_ADNS_TXT_ANSWER) && q.type == T_TXT))
+ sleep(30); /* delay the answer */
+#endif
+
+ /* write answer, possibly a bit at a time */
+ r = write_pipe(afd, (const unsigned char *)&a);
+
+ if (r != HES_CONTINUE)
+ return r; /* some kind of exit */
+ }
+}
+
+/**************** master process ****************/
+
+bool eof_from_pluto = FALSE;
+#define PLUTO_QFD 0 /* queries come on stdin */
+#define PLUTO_AFD 1 /* answers go out on stdout */
+
+#ifndef MAX_WORKERS
+# define MAX_WORKERS 10 /* number of in-flight queries */
+#endif
+
+struct worker_info {
+ int qfd; /* query pipe's file descriptor */
+ int afd; /* answer pipe's file descriptor */
+ pid_t pid;
+ bool busy;
+ void *continuation; /* of outstanding request */
+};
+
+static struct worker_info wi[MAX_WORKERS];
+static struct worker_info *wi_roof = wi;
+
+/* request FIFO */
+
+struct query_list {
+ struct query_list *next;
+ struct adns_query aq;
+};
+
+static struct query_list *oldest_query = NULL;
+static struct query_list *newest_query; /* undefined when oldest == NULL */
+static struct query_list *free_queries = NULL;
+
+static bool
+spawn_worker(void)
+{
+ int qfds[2];
+ int afds[2];
+ pid_t p;
+
+ if (pipe(qfds) != 0 || pipe(afds) != 0)
+ {
+ syslog(LOG_ERR, "pipe(2) failed: %s", strerror(errno));
+ exit(HES_PIPE);
+ }
+
+ wi_roof->qfd = qfds[1]; /* write end of query pipe */
+ wi_roof->afd = afds[0]; /* read end of answer pipe */
+
+ p = fork();
+ if (p == -1)
+ {
+ /* fork failed: ignore if at least one worker exists */
+ if (wi_roof == wi)
+ {
+ syslog(LOG_ERR, "fork(2) error creating first worker: %s", strerror(errno));
+ exit(HES_FORK);
+ }
+ close(qfds[0]);
+ close(qfds[1]);
+ close(afds[0]);
+ close(afds[1]);
+ return FALSE;
+ }
+ else if (p == 0)
+ {
+ /* child */
+ struct worker_info *w;
+
+ close(PLUTO_QFD);
+ close(PLUTO_AFD);
+ /* close all master pipes, including ours */
+ for (w = wi; w <= wi_roof; w++)
+ {
+ close(w->qfd);
+ close(w->afd);
+ }
+ exit(worker(qfds[0], afds[1]));
+ }
+ else
+ {
+ /* parent */
+ struct worker_info *w = wi_roof++;
+
+ w->pid = p;
+ w->busy = FALSE;
+ close(qfds[0]);
+ close(afds[1]);
+ return TRUE;
+ }
+}
+
+static void
+send_eof(struct worker_info *w)
+{
+ pid_t p;
+ int status;
+
+ close(w->qfd);
+ w->qfd = NULL_FD;
+
+ close(w->afd);
+ w->afd = NULL_FD;
+
+ /* reap child */
+ p = waitpid(w->pid, &status, 0);
+ /* ignore result -- what could we do with it? */
+}
+
+static void
+forward_query(struct worker_info *w)
+{
+ struct query_list *q = oldest_query;
+
+ if (q == NULL)
+ {
+ if (eof_from_pluto)
+ send_eof(w);
+ }
+ else
+ {
+ enum helper_exit_status r
+ = write_pipe(w->qfd, (const unsigned char *) &q->aq);
+
+ if (r != HES_CONTINUE)
+ exit(r);
+
+ w->busy = TRUE;
+
+ oldest_query = q->next;
+ q->next = free_queries;
+ free_queries = q;
+ }
+}
+
+static void
+query(void)
+{
+ struct query_list *q = free_queries;
+ enum helper_exit_status r;
+
+ /* find an unused queue entry */
+ if (q == NULL)
+ {
+ q = malloc(sizeof(*q));
+ if (q == NULL)
+ {
+ syslog(LOG_ERR, "malloc(3) failed");
+ exit(HES_MALLOC);
+ }
+ }
+ else
+ {
+ free_queries = q->next;
+ }
+
+ r = read_pipe(PLUTO_QFD, (unsigned char *)&q->aq
+ , sizeof(q->aq), sizeof(q->aq));
+
+ if (r == HES_OK)
+ {
+ /* EOF: we're done, except for unanswered queries */
+ struct worker_info *w;
+
+ eof_from_pluto = TRUE;
+ q->next = free_queries;
+ free_queries = q;
+
+ /* Send bye-bye to unbusy processes.
+ * Note that if there are queued queries, there won't be
+ * any non-busy workers.
+ */
+ for (w = wi; w != wi_roof; w++)
+ if (!w->busy)
+ send_eof(w);
+ }
+ else if (r != HES_CONTINUE)
+ {
+ exit(r);
+ }
+ else if (q->aq.qmagic != ADNS_Q_MAGIC)
+ {
+ syslog(LOG_ERR, "error in query from Pluto: bad magic");
+ exit(HES_BAD_MAGIC);
+ }
+ else
+ {
+ struct worker_info *w;
+
+ /* got a query */
+
+ /* add it to FIFO */
+ q->next = NULL;
+ if (oldest_query == NULL)
+ oldest_query = q;
+ else
+ newest_query->next = q;
+ newest_query = q;
+
+ /* See if any worker available */
+ for (w = wi; ; w++)
+ {
+ if (w == wi_roof)
+ {
+ /* no free worker */
+ if (w == wi + MAX_WORKERS)
+ break; /* no more to be created */
+ /* make a new one */
+ if (!spawn_worker())
+ break; /* cannot create one at this time */
+ }
+ if (!w->busy)
+ {
+ /* assign first to free worker */
+ forward_query(w);
+ break;
+ }
+ }
+ }
+ return;
+}
+
+static void
+answer(struct worker_info *w)
+{
+ struct adns_answer a;
+ enum helper_exit_status r = read_pipe(w->afd, (unsigned char *)&a
+ , offsetof(struct adns_answer, ans), sizeof(a));
+
+ if (r == HES_OK)
+ {
+ /* unexpected EOF */
+ syslog(LOG_ERR, "unexpected EOF from worker");
+ exit(HES_IO_ERROR_IN);
+ }
+ else if (r != HES_CONTINUE)
+ {
+ exit(r);
+ }
+ else if (a.amagic != ADNS_A_MAGIC)
+ {
+ syslog(LOG_ERR, "Input from worker error: bad magic");
+ exit(HES_BAD_MAGIC);
+ }
+ else if (a.continuation != w->continuation)
+ {
+ /* answer doesn't match query */
+ syslog(LOG_ERR, "Input from worker error: continuation mismatch");
+ exit(HES_SYNC);
+ }
+ else
+ {
+ /* pass the answer on to Pluto */
+ enum helper_exit_status r
+ = write_pipe(PLUTO_AFD, (const unsigned char *) &a);
+
+ if (r != HES_CONTINUE)
+ exit(r);
+ w->busy = FALSE;
+ forward_query(w);
+ }
+}
+
+/* assumption: input limited; accept blocking on output */
+static int
+master(void)
+{
+ for (;;)
+ {
+ fd_set readfds;
+ int maxfd = PLUTO_QFD; /* approximate lower bound */
+ int ndes = 0;
+ struct worker_info *w;
+
+ FD_ZERO(&readfds);
+ if (!eof_from_pluto)
+ {
+ FD_SET(PLUTO_QFD, &readfds);
+ ndes++;
+ }
+ for (w = wi; w != wi_roof; w++)
+ {
+ if (w->busy)
+ {
+ FD_SET(w->afd, &readfds);
+ ndes++;
+ if (maxfd < w->afd)
+ maxfd = w->afd;
+ }
+ }
+
+ if (ndes == 0)
+ return HES_OK; /* done! */
+
+ do {
+ ndes = select(maxfd + 1, &readfds, NULL, NULL, NULL);
+ } while (ndes == -1 && errno == EINTR);
+ if (ndes == -1)
+ {
+ syslog(LOG_ERR, "select(2) error: %s", strerror(errno));
+ exit(HES_IO_ERROR_SELECT);
+ }
+ else if (ndes > 0)
+ {
+ if (FD_ISSET(PLUTO_QFD, &readfds))
+ {
+ query();
+ ndes--;
+ }
+ for (w = wi; ndes > 0 && w != wi_roof; w++)
+ {
+ if (w->busy && FD_ISSET(w->afd, &readfds))
+ {
+ answer(w);
+ ndes--;
+ }
+ }
+ }
+ }
+}
+
+/* Not to be invoked by strangers -- user hostile.
+ * Mandatory args: query-fd answer-fd
+ * Optional arg: -d, signifying "debug".
+ */
+
+static void
+adns_usage(const char *fmt, const char *arg)
+{
+ const char **sp = ipsec_copyright_notice();
+
+ fprintf(stderr, "INTERNAL TO PLUTO: DO NOT EXECUTE\n");
+
+ fprintf(stderr, fmt, arg);
+ fprintf(stderr, "\n%s\n", ipsec_version_string());
+
+ for (; *sp != NULL; sp++)
+ fprintf(stderr, "%s\n", *sp);
+
+ syslog(LOG_ERR, fmt, arg);
+ exit(HES_INVOCATION);
+}
+
+int
+main(int argc UNUSED, char **argv)
+{
+ int i = 1;
+
+ name = argv[0];
+
+ while (i < argc)
+ {
+ if (streq(argv[i], "-d"))
+ {
+ i++;
+ debug = TRUE;
+ }
+ else
+ {
+ adns_usage("unexpected argument \"%s\"", argv[i]);
+ /*NOTREACHED*/
+ }
+ }
+
+ return master();
+}
+
+#endif /* !USE_LWRES */
diff --git a/src/pluto/adns.h b/src/pluto/adns.h
new file mode 100644
index 000000000..00fc4ad07
--- /dev/null
+++ b/src/pluto/adns.h
@@ -0,0 +1,75 @@
+/* Pluto Asynchronous DNS Helper Program's Header
+ * Copyright (C) 2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: adns.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#ifndef USE_LWRES /* whole file! */
+
+/* The interface in RHL6.x and BIND distribution 8.2.2 are different,
+ * so we build some of our own :-(
+ */
+
+# ifndef NS_MAXDNAME
+# define NS_MAXDNAME MAXDNAME /* I hope this is long enough for IPv6 */
+# endif
+
+# ifndef NS_PACKETSZ
+# define NS_PACKETSZ PACKETSZ
+# endif
+
+/* protocol version */
+
+#define ADNS_Q_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 4)
+#define ADNS_A_MAGIC (((((('d' << 8) + 'n') << 8) + 's') << 8) + 128 + 4)
+
+/* note: both struct adns_query and struct adns_answer must start with
+ * size_t len;
+ */
+
+struct adns_query {
+ size_t len;
+ unsigned int qmagic;
+ unsigned long serial;
+ lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */
+ u_char name_buf[NS_MAXDNAME + 2];
+ int type; /* T_KEY or T_TXT */
+};
+
+struct adns_answer {
+ size_t len;
+ unsigned int amagic;
+ unsigned long serial;
+ struct adns_continuation *continuation;
+ int result;
+ int h_errno_val;
+ u_char ans[NS_PACKETSZ * 10]; /* very probably bigger than necessary */
+};
+
+enum helper_exit_status {
+ HES_CONTINUE = -1, /* not an exit */
+ HES_OK = 0, /* all's well that ends well (perhaps EOF) */
+ HES_INVOCATION, /* improper invocation */
+ HES_IO_ERROR_SELECT, /* IO error in select() */
+ HES_MALLOC, /* malloc failed */
+ HES_IO_ERROR_IN, /* error reading pipe */
+ HES_IO_ERROR_OUT, /* error reading pipe */
+ HES_PIPE, /* pipe(2) failed */
+ HES_SYNC, /* answer from worker doesn't match query */
+ HES_FORK, /* fork(2) failed */
+ HES_RES_INIT, /* resolver initialization failed */
+ HES_BAD_LEN, /* implausible .len field */
+ HES_BAD_MAGIC, /* .magic field wrong */
+};
+
+#endif /* !USE_LWRES */
diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
new file mode 100644
index 000000000..44de09b4c
--- /dev/null
+++ b/src/pluto/alg/ike_alg_aes.c
@@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "libaes/aes_cbc.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+
+#define AES_CBC_BLOCK_SIZE (128/BITS_PER_BYTE)
+#define AES_KEY_MIN_LEN 128
+#define AES_KEY_DEF_LEN 128
+#define AES_KEY_MAX_LEN 256
+
+static void
+do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+{
+ aes_context aes_ctx;
+ char iv_bak[AES_CBC_BLOCK_SIZE];
+ char *new_iv = NULL; /* logic will avoid copy to NULL */
+
+ aes_set_key(&aes_ctx, key, key_size, 0);
+
+ /*
+ * my AES cbc does not touch passed IV (optimization for
+ * ESP handling), so I must "emulate" des-like IV
+ * crunching
+ */
+ if (!enc)
+ memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE
+ , AES_CBC_BLOCK_SIZE);
+
+ AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
+
+ if (enc)
+ new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
+
+ memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
+}
+
+struct encrypt_desc algo_aes =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_AES_CBC,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(aes_context),
+ enc_blocksize: AES_CBC_BLOCK_SIZE,
+ keyminlen: AES_KEY_MIN_LEN,
+ keydeflen: AES_KEY_DEF_LEN,
+ keymaxlen: AES_KEY_MAX_LEN,
+ do_crypt: do_aes,
+};
+
+int ike_alg_aes_init(void);
+
+int
+ike_alg_aes_init(void)
+{
+ int ret = ike_alg_register_enc(&algo_aes);
+ return ret;
+}
+/*
+IKE_ALG_INIT_NAME: ike_alg_aes_init
+*/
diff --git a/src/pluto/alg/ike_alg_blowfish.c b/src/pluto/alg/ike_alg_blowfish.c
new file mode 100644
index 000000000..2bbef051b
--- /dev/null
+++ b/src/pluto/alg/ike_alg_blowfish.c
@@ -0,0 +1,52 @@
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "libblowfish/blowfish.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+
+#define BLOWFISH_CBC_BLOCK_SIZE 8 /* block size */
+#define BLOWFISH_KEY_MIN_LEN 128
+#define BLOWFISH_KEY_MAX_LEN 448
+
+
+static void
+do_blowfish(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+{
+ BF_KEY bf_ctx;
+
+ BF_set_key(&bf_ctx, key_size , key);
+ BF_cbc_encrypt(buf, buf, buf_len, &bf_ctx, iv, enc);
+}
+
+struct encrypt_desc algo_blowfish =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_BLOWFISH_CBC,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(BF_KEY),
+ enc_blocksize: BLOWFISH_CBC_BLOCK_SIZE,
+ keyminlen: BLOWFISH_KEY_MIN_LEN,
+ keydeflen: BLOWFISH_KEY_MIN_LEN,
+ keymaxlen: BLOWFISH_KEY_MAX_LEN,
+ do_crypt: do_blowfish,
+};
+
+int ike_alg_blowfish_init(void);
+
+int
+ike_alg_blowfish_init(void)
+{
+ int ret = ike_alg_register_enc(&algo_blowfish);
+
+ return ret;
+}
+/*
+IKE_ALG_INIT_NAME: ike_alg_blowfish_init
+*/
diff --git a/src/pluto/alg/ike_alg_serpent.c b/src/pluto/alg/ike_alg_serpent.c
new file mode 100644
index 000000000..fb01caa41
--- /dev/null
+++ b/src/pluto/alg/ike_alg_serpent.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "libserpent/serpent_cbc.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+
+#define SERPENT_CBC_BLOCK_SIZE (128/BITS_PER_BYTE)
+#define SERPENT_KEY_MIN_LEN 128
+#define SERPENT_KEY_DEF_LEN 128
+#define SERPENT_KEY_MAX_LEN 256
+
+static void
+do_serpent(u_int8_t *buf, size_t buf_size, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+{
+ serpent_context serpent_ctx;
+ char iv_bak[SERPENT_CBC_BLOCK_SIZE];
+ char *new_iv = NULL; /* logic will avoid copy to NULL */
+
+
+ serpent_set_key(&serpent_ctx, key, key_size);
+ /*
+ * my SERPENT cbc does not touch passed IV (optimization for
+ * ESP handling), so I must "emulate" des-like IV
+ * crunching
+ */
+ if (!enc)
+ memcpy(new_iv=iv_bak,
+ (char*) buf + buf_size-SERPENT_CBC_BLOCK_SIZE,
+ SERPENT_CBC_BLOCK_SIZE);
+
+ serpent_cbc_encrypt(&serpent_ctx, buf, buf, buf_size, iv, enc);
+
+ if (enc)
+ new_iv = (char*) buf + buf_size-SERPENT_CBC_BLOCK_SIZE;
+
+ memcpy(iv, new_iv, SERPENT_CBC_BLOCK_SIZE);
+}
+
+struct encrypt_desc encrypt_desc_serpent =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_SERPENT_CBC,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(struct serpent_context),
+ enc_blocksize: SERPENT_CBC_BLOCK_SIZE,
+ keyminlen: SERPENT_KEY_MIN_LEN,
+ keydeflen: SERPENT_KEY_DEF_LEN,
+ keymaxlen: SERPENT_KEY_MAX_LEN,
+ do_crypt: do_serpent,
+};
+
+int ike_alg_serpent_init(void);
+
+int
+ike_alg_serpent_init(void)
+{
+ int ret = ike_alg_register_enc(&encrypt_desc_serpent);
+
+ return ret;
+}
+/*
+IKE_ALG_INIT_NAME: ike_alg_serpent_init
+*/
diff --git a/src/pluto/alg/ike_alg_sha2.c b/src/pluto/alg/ike_alg_sha2.c
new file mode 100644
index 000000000..6b7c8438c
--- /dev/null
+++ b/src/pluto/alg/ike_alg_sha2.c
@@ -0,0 +1,634 @@
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "libsha2/sha2.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+
+static void
+sha256_hash_final(u_char *hash, sha256_context *ctx)
+{
+ sha256_final(ctx);
+ memcpy(hash, ctx->sha_out, SHA2_256_DIGEST_SIZE);
+}
+
+static void
+sha384_hash_final(u_char *hash, sha512_context *ctx)
+{
+ sha512_final(ctx);
+ memcpy(hash, ctx->sha_out, SHA2_384_DIGEST_SIZE);
+}
+
+static void
+sha512_hash_final(u_char *hash, sha512_context *ctx)
+{
+ sha512_final(ctx);
+ memcpy(hash, ctx->sha_out, SHA2_512_DIGEST_SIZE);
+}
+
+/* SHA-256 hash test vectors
+ * from "The Secure Hash Algorithm Validation System (SHAVS)"
+ * July 22, 2004, Lawrence E. Bassham III, NIST
+ */
+
+static const u_char sha256_short2_msg[] = {
+ 0x19
+};
+
+static const u_char sha256_short2_msg_digest[] = {
+ 0x68, 0xaa, 0x2e, 0x2e, 0xe5, 0xdf, 0xf9, 0x6e,
+ 0x33, 0x55, 0xe6, 0xc7, 0xee, 0x37, 0x3e, 0x3d,
+ 0x6a, 0x4e, 0x17, 0xf7, 0x5f, 0x95, 0x18, 0xd8,
+ 0x43, 0x70, 0x9c, 0x0c, 0x9b, 0xc3, 0xe3, 0xd4
+};
+
+static const u_char sha256_short4_msg[] = {
+ 0xe3, 0xd7, 0x25, 0x70, 0xdc, 0xdd, 0x78, 0x7c,
+ 0xe3, 0x88, 0x7a, 0xb2, 0xcd, 0x68, 0x46, 0x52
+};
+
+static const u_char sha256_short4_msg_digest[] = {
+ 0x17, 0x5e, 0xe6, 0x9b, 0x02, 0xba, 0x9b, 0x58,
+ 0xe2, 0xb0, 0xa5, 0xfd, 0x13, 0x81, 0x9c, 0xea,
+ 0x57, 0x3f, 0x39, 0x40, 0xa9, 0x4f, 0x82, 0x51,
+ 0x28, 0xcf, 0x42, 0x09, 0xbe, 0xab, 0xb4, 0xe8
+};
+
+static const u_char sha256_long2_msg[] = {
+ 0x83, 0x26, 0x75, 0x4e, 0x22, 0x77, 0x37, 0x2f,
+ 0x4f, 0xc1, 0x2b, 0x20, 0x52, 0x7a, 0xfe, 0xf0,
+ 0x4d, 0x8a, 0x05, 0x69, 0x71, 0xb1, 0x1a, 0xd5,
+ 0x71, 0x23, 0xa7, 0xc1, 0x37, 0x76, 0x00, 0x00,
+ 0xd7, 0xbe, 0xf6, 0xf3, 0xc1, 0xf7, 0xa9, 0x08,
+ 0x3a, 0xa3, 0x9d, 0x81, 0x0d, 0xb3, 0x10, 0x77,
+ 0x7d, 0xab, 0x8b, 0x1e, 0x7f, 0x02, 0xb8, 0x4a,
+ 0x26, 0xc7, 0x73, 0x32, 0x5f, 0x8b, 0x23, 0x74,
+ 0xde, 0x7a, 0x4b, 0x5a, 0x58, 0xcb, 0x5c, 0x5c,
+ 0xf3, 0x5b, 0xce, 0xe6, 0xfb, 0x94, 0x6e, 0x5b,
+ 0xd6, 0x94, 0xfa, 0x59, 0x3a, 0x8b, 0xeb, 0x3f,
+ 0x9d, 0x65, 0x92, 0xec, 0xed, 0xaa, 0x66, 0xca,
+ 0x82, 0xa2, 0x9d, 0x0c, 0x51, 0xbc, 0xf9, 0x33,
+ 0x62, 0x30, 0xe5, 0xd7, 0x84, 0xe4, 0xc0, 0xa4,
+ 0x3f, 0x8d, 0x79, 0xa3, 0x0a, 0x16, 0x5c, 0xba,
+ 0xbe, 0x45, 0x2b, 0x77, 0x4b, 0x9c, 0x71, 0x09,
+ 0xa9, 0x7d, 0x13, 0x8f, 0x12, 0x92, 0x28, 0x96,
+ 0x6f, 0x6c, 0x0a, 0xdc, 0x10, 0x6a, 0xad, 0x5a,
+ 0x9f, 0xdd, 0x30, 0x82, 0x57, 0x69, 0xb2, 0xc6,
+ 0x71, 0xaf, 0x67, 0x59, 0xdf, 0x28, 0xeb, 0x39,
+ 0x3d, 0x54, 0xd6
+};
+
+static const u_char sha256_long2_msg_digest[] = {
+ 0x97, 0xdb, 0xca, 0x7d, 0xf4, 0x6d, 0x62, 0xc8,
+ 0xa4, 0x22, 0xc9, 0x41, 0xdd, 0x7e, 0x83, 0x5b,
+ 0x8a, 0xd3, 0x36, 0x17, 0x63, 0xf7, 0xe9, 0xb2,
+ 0xd9, 0x5f, 0x4f, 0x0d, 0xa6, 0xe1, 0xcc, 0xbc
+};
+
+static const hash_testvector_t sha256_hash_testvectors[] = {
+ { sizeof(sha256_short2_msg), sha256_short2_msg, sha256_short2_msg_digest },
+ { sizeof(sha256_short4_msg), sha256_short4_msg, sha256_short4_msg_digest },
+ { sizeof(sha256_long2_msg), sha256_long2_msg, sha256_long2_msg_digest },
+ { 0, NULL, NULL }
+};
+
+/* SHA-384 hash test vectors
+ * from "The Secure Hash Algorithm Validation System (SHAVS)"
+ * July 22, 2004, Lawrence E. Bassham III, NIST
+ */
+
+static const u_char sha384_short2_msg[] = {
+ 0xb9
+};
+
+static const u_char sha384_short2_msg_digest[] = {
+ 0xbc, 0x80, 0x89, 0xa1, 0x90, 0x07, 0xc0, 0xb1,
+ 0x41, 0x95, 0xf4, 0xec, 0xc7, 0x40, 0x94, 0xfe,
+ 0xc6, 0x4f, 0x01, 0xf9, 0x09, 0x29, 0x28, 0x2c,
+ 0x2f, 0xb3, 0x92, 0x88, 0x15, 0x78, 0x20, 0x8a,
+ 0xd4, 0x66, 0x82, 0x8b, 0x1c, 0x6c, 0x28, 0x3d,
+ 0x27, 0x22, 0xcf, 0x0a, 0xd1, 0xab, 0x69, 0x38
+};
+
+static const u_char sha384_short4_msg[] = {
+ 0xa4, 0x1c, 0x49, 0x77, 0x79, 0xc0, 0x37, 0x5f,
+ 0xf1, 0x0a, 0x7f, 0x4e, 0x08, 0x59, 0x17, 0x39
+};
+
+static const u_char sha384_short4_msg_digest[] = {
+ 0xc9, 0xa6, 0x84, 0x43, 0xa0, 0x05, 0x81, 0x22,
+ 0x56, 0xb8, 0xec, 0x76, 0xb0, 0x05, 0x16, 0xf0,
+ 0xdb, 0xb7, 0x4f, 0xab, 0x26, 0xd6, 0x65, 0x91,
+ 0x3f, 0x19, 0x4b, 0x6f, 0xfb, 0x0e, 0x91, 0xea,
+ 0x99, 0x67, 0x56, 0x6b, 0x58, 0x10, 0x9c, 0xbc,
+ 0x67, 0x5c, 0xc2, 0x08, 0xe4, 0xc8, 0x23, 0xf7
+};
+
+static const u_char sha384_long2_msg[] = {
+ 0x39, 0x96, 0x69, 0xe2, 0x8f, 0x6b, 0x9c, 0x6d,
+ 0xbc, 0xbb, 0x69, 0x12, 0xec, 0x10, 0xff, 0xcf,
+ 0x74, 0x79, 0x03, 0x49, 0xb7, 0xdc, 0x8f, 0xbe,
+ 0x4a, 0x8e, 0x7b, 0x3b, 0x56, 0x21, 0xdb, 0x0f,
+ 0x3e, 0x7d, 0xc8, 0x7f, 0x82, 0x32, 0x64, 0xbb,
+ 0xe4, 0x0d, 0x18, 0x11, 0xc9, 0xea, 0x20, 0x61,
+ 0xe1, 0xc8, 0x4a, 0xd1, 0x0a, 0x23, 0xfa, 0xc1,
+ 0x72, 0x7e, 0x72, 0x02, 0xfc, 0x3f, 0x50, 0x42,
+ 0xe6, 0xbf, 0x58, 0xcb, 0xa8, 0xa2, 0x74, 0x6e,
+ 0x1f, 0x64, 0xf9, 0xb9, 0xea, 0x35, 0x2c, 0x71,
+ 0x15, 0x07, 0x05, 0x3c, 0xf4, 0xe5, 0x33, 0x9d,
+ 0x52, 0x86, 0x5f, 0x25, 0xcc, 0x22, 0xb5, 0xe8,
+ 0x77, 0x84, 0xa1, 0x2f, 0xc9, 0x61, 0xd6, 0x6c,
+ 0xb6, 0xe8, 0x95, 0x73, 0x19, 0x9a, 0x2c, 0xe6,
+ 0x56, 0x5c, 0xbd, 0xf1, 0x3d, 0xca, 0x40, 0x38,
+ 0x32, 0xcf, 0xcb, 0x0e, 0x8b, 0x72, 0x11, 0xe8,
+ 0x3a, 0xf3, 0x2a, 0x11, 0xac, 0x17, 0x92, 0x9f,
+ 0xf1, 0xc0, 0x73, 0xa5, 0x1c, 0xc0, 0x27, 0xaa,
+ 0xed, 0xef, 0xf8, 0x5a, 0xad, 0x7c, 0x2b, 0x7c,
+ 0x5a, 0x80, 0x3e, 0x24, 0x04, 0xd9, 0x6d, 0x2a,
+ 0x77, 0x35, 0x7b, 0xda, 0x1a, 0x6d, 0xae, 0xed,
+ 0x17, 0x15, 0x1c, 0xb9, 0xbc, 0x51, 0x25, 0xa4,
+ 0x22, 0xe9, 0x41, 0xde, 0x0c, 0xa0, 0xfc, 0x50,
+ 0x11, 0xc2, 0x3e, 0xcf, 0xfe, 0xfd, 0xd0, 0x96,
+ 0x76, 0x71, 0x1c, 0xf3, 0xdb, 0x0a, 0x34, 0x40,
+ 0x72, 0x0e ,0x16, 0x15, 0xc1, 0xf2, 0x2f, 0xbc,
+ 0x3c, 0x72, 0x1d, 0xe5, 0x21, 0xe1, 0xb9, 0x9b,
+ 0xa1, 0xbd, 0x55, 0x77, 0x40, 0x86, 0x42, 0x14,
+ 0x7e, 0xd0, 0x96
+};
+
+static const u_char sha384_long2_msg_digest[] = {
+ 0x4f, 0x44, 0x0d, 0xb1, 0xe6, 0xed, 0xd2, 0x89,
+ 0x9f, 0xa3, 0x35, 0xf0, 0x95, 0x15, 0xaa, 0x02,
+ 0x5e, 0xe1, 0x77, 0xa7, 0x9f, 0x4b, 0x4a, 0xaf,
+ 0x38, 0xe4, 0x2b, 0x5c, 0x4d, 0xe6, 0x60, 0xf5,
+ 0xde, 0x8f, 0xb2, 0xa5, 0xb2, 0xfb, 0xd2, 0xa3,
+ 0xcb, 0xff, 0xd2, 0x0c, 0xff, 0x12, 0x88, 0xc0
+};
+
+static const hash_testvector_t sha384_hash_testvectors[] = {
+ { sizeof(sha384_short2_msg), sha384_short2_msg, sha384_short2_msg_digest },
+ { sizeof(sha384_short4_msg), sha384_short4_msg, sha384_short4_msg_digest },
+ { sizeof(sha384_long2_msg), sha384_long2_msg, sha384_long2_msg_digest },
+ { 0, NULL, NULL }
+};
+
+/* SHA-512 hash test vectors
+ * from "The Secure Hash Algorithm Validation System (SHAVS)"
+ * July 22, 2004, Lawrence E. Bassham III, NIST
+ */
+
+static const u_char sha512_short2_msg[] = {
+ 0xd0
+};
+
+static const u_char sha512_short2_msg_digest[] = {
+ 0x99, 0x92, 0x20, 0x29, 0x38, 0xe8, 0x82, 0xe7,
+ 0x3e, 0x20, 0xf6, 0xb6, 0x9e, 0x68, 0xa0, 0xa7,
+ 0x14, 0x90, 0x90, 0x42, 0x3d, 0x93, 0xc8, 0x1b,
+ 0xab, 0x3f, 0x21, 0x67, 0x8d, 0x4a, 0xce, 0xee,
+ 0xe5, 0x0e, 0x4e, 0x8c, 0xaf, 0xad, 0xa4, 0xc8,
+ 0x5a, 0x54, 0xea, 0x83, 0x06, 0x82, 0x6c, 0x4a,
+ 0xd6, 0xe7, 0x4c, 0xec, 0xe9, 0x63, 0x1b, 0xfa,
+ 0x8a, 0x54, 0x9b, 0x4a, 0xb3, 0xfb, 0xba, 0x15
+};
+
+static const u_char sha512_short4_msg[] = {
+ 0x8d, 0x4e, 0x3c, 0x0e, 0x38, 0x89, 0x19, 0x14,
+ 0x91, 0x81, 0x6e, 0x9d, 0x98, 0xbf, 0xf0, 0xa0
+};
+
+static const u_char sha512_short4_msg_digest[] = {
+ 0xcb, 0x0b, 0x67, 0xa4, 0xb8, 0x71, 0x2c, 0xd7,
+ 0x3c, 0x9a, 0xab, 0xc0, 0xb1, 0x99, 0xe9, 0x26,
+ 0x9b, 0x20, 0x84, 0x4a, 0xfb, 0x75, 0xac, 0xbd,
+ 0xd1, 0xc1, 0x53, 0xc9, 0x82, 0x89, 0x24, 0xc3,
+ 0xdd, 0xed, 0xaa, 0xfe, 0x66, 0x9c, 0x5f, 0xdd,
+ 0x0b, 0xc6, 0x6f, 0x63, 0x0f, 0x67, 0x73, 0x98,
+ 0x82, 0x13, 0xeb, 0x1b, 0x16, 0xf5, 0x17, 0xad,
+ 0x0d, 0xe4, 0xb2, 0xf0, 0xc9, 0x5c, 0x90, 0xf8
+};
+
+static const u_char sha512_long2_msg[] = {
+ 0xa5, 0x5f, 0x20, 0xc4, 0x11, 0xaa, 0xd1, 0x32,
+ 0x80, 0x7a, 0x50, 0x2d, 0x65, 0x82, 0x4e, 0x31,
+ 0xa2, 0x30, 0x54, 0x32, 0xaa, 0x3d, 0x06, 0xd3,
+ 0xe2, 0x82, 0xa8, 0xd8, 0x4e, 0x0d, 0xe1, 0xde,
+ 0x69, 0x74, 0xbf, 0x49, 0x54, 0x69, 0xfc, 0x7f,
+ 0x33, 0x8f, 0x80, 0x54, 0xd5, 0x8c, 0x26, 0xc4,
+ 0x93, 0x60, 0xc3, 0xe8, 0x7a, 0xf5, 0x65, 0x23,
+ 0xac, 0xf6, 0xd8, 0x9d, 0x03, 0xe5, 0x6f, 0xf2,
+ 0xf8, 0x68, 0x00, 0x2b, 0xc3, 0xe4, 0x31, 0xed,
+ 0xc4, 0x4d, 0xf2, 0xf0, 0x22, 0x3d, 0x4b, 0xb3,
+ 0xb2, 0x43, 0x58, 0x6e, 0x1a, 0x7d, 0x92, 0x49,
+ 0x36, 0x69, 0x4f, 0xcb, 0xba, 0xf8, 0x8d, 0x95,
+ 0x19, 0xe4, 0xeb, 0x50, 0xa6, 0x44, 0xf8, 0xe4,
+ 0xf9, 0x5e, 0xb0, 0xea, 0x95, 0xbc, 0x44, 0x65,
+ 0xc8, 0x82, 0x1a, 0xac, 0xd2, 0xfe, 0x15, 0xab,
+ 0x49, 0x81, 0x16, 0x4b, 0xbb, 0x6d, 0xc3, 0x2f,
+ 0x96, 0x90, 0x87, 0xa1, 0x45, 0xb0, 0xd9, 0xcc,
+ 0x9c, 0x67, 0xc2, 0x2b, 0x76, 0x32, 0x99, 0x41,
+ 0x9c, 0xc4, 0x12, 0x8b, 0xe9, 0xa0, 0x77, 0xb3,
+ 0xac, 0xe6, 0x34, 0x06, 0x4e, 0x6d, 0x99, 0x28,
+ 0x35, 0x13, 0xdc, 0x06, 0xe7, 0x51, 0x5d, 0x0d,
+ 0x73, 0x13, 0x2e, 0x9a, 0x0d, 0xc6, 0xd3, 0xb1,
+ 0xf8, 0xb2, 0x46, 0xf1, 0xa9, 0x8a, 0x3f, 0xc7,
+ 0x29, 0x41, 0xb1, 0xe3, 0xbb, 0x20, 0x98, 0xe8,
+ 0xbf, 0x16, 0xf2, 0x68, 0xd6, 0x4f, 0x0b, 0x0f,
+ 0x47, 0x07, 0xfe, 0x1e, 0xa1, 0xa1, 0x79, 0x1b,
+ 0xa2, 0xf3, 0xc0, 0xc7, 0x58, 0xe5, 0xf5, 0x51,
+ 0x86, 0x3a, 0x96, 0xc9, 0x49, 0xad, 0x47, 0xd7,
+ 0xfb, 0x40, 0xd2
+};
+
+static const u_char sha512_long2_msg_digest[] = {
+ 0xc6, 0x65, 0xbe, 0xfb, 0x36, 0xda, 0x18, 0x9d,
+ 0x78, 0x82, 0x2d, 0x10, 0x52, 0x8c, 0xbf, 0x3b,
+ 0x12, 0xb3, 0xee, 0xf7, 0x26, 0x03, 0x99, 0x09,
+ 0xc1, 0xa1, 0x6a, 0x27, 0x0d, 0x48, 0x71, 0x93,
+ 0x77, 0x96, 0x6b, 0x95, 0x7a, 0x87, 0x8e, 0x72,
+ 0x05, 0x84, 0x77, 0x9a, 0x62, 0x82, 0x5c, 0x18,
+ 0xda, 0x26, 0x41, 0x5e, 0x49, 0xa7, 0x17, 0x6a,
+ 0x89, 0x4e, 0x75, 0x10, 0xfd, 0x14, 0x51, 0xf5
+};
+
+static const hash_testvector_t sha512_hash_testvectors[] = {
+ { sizeof(sha512_short2_msg), sha512_short2_msg, sha512_short2_msg_digest },
+ { sizeof(sha512_short4_msg), sha512_short4_msg, sha512_short4_msg_digest },
+ { sizeof(sha512_long2_msg), sha512_long2_msg, sha512_long2_msg_digest },
+ { 0, NULL, NULL }
+};
+
+/* SHA-256, SHA-384, and SHA-512 hmac test vectors
+ * from RFC 4231 "Identifiers and Test Vectors for HMAC-SHA-224,
+ * HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512"
+ * December 2005, M. Nystrom, RSA Security
+ */
+
+static const u_char sha2_hmac1_key[] = {
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b
+};
+
+static const u_char sha2_hmac1_msg[] = {
+ 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+};
+
+static const u_char sha2_hmac1_256[] = {
+ 0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53,
+ 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b,
+ 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7,
+ 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7
+};
+
+static const u_char sha2_hmac1_384[] = {
+ 0xaf, 0xd0, 0x39, 0x44, 0xd8, 0x48, 0x95, 0x62,
+ 0x6b, 0x08, 0x25, 0xf4, 0xab ,0x46, 0x90, 0x7f,
+ 0x15, 0xf9, 0xda, 0xdb, 0xe4, 0x10, 0x1e, 0xc6,
+ 0x82, 0xaa, 0x03, 0x4c, 0x7c, 0xeb, 0xc5, 0x9c,
+ 0xfa, 0xea, 0x9e, 0xa9, 0x07, 0x6e, 0xde, 0x7f,
+ 0x4a, 0xf1, 0x52, 0xe8, 0xb2, 0xfa, 0x9c, 0xb6
+};
+
+static const u_char sha2_hmac1_512[] = {
+ 0x87, 0xaa, 0x7c, 0xde, 0xa5, 0xef, 0x61, 0x9d,
+ 0x4f, 0xf0, 0xb4, 0x24, 0x1a, 0x1d, 0x6c, 0xb0,
+ 0x23, 0x79, 0xf4, 0xe2, 0xce, 0x4e, 0xc2, 0x78,
+ 0x7a, 0xd0, 0xb3, 0x05, 0x45, 0xe1, 0x7c, 0xde,
+ 0xda, 0xa8, 0x33, 0xb7, 0xd6, 0xb8, 0xa7, 0x02,
+ 0x03, 0x8b, 0x27, 0x4e, 0xae, 0xa3, 0xf4, 0xe4,
+ 0xbe, 0x9d, 0x91, 0x4e, 0xeb, 0x61, 0xf1, 0x70,
+ 0x2e, 0x69, 0x6c, 0x20, 0x3a, 0x12, 0x68, 0x54
+};
+
+static const u_char sha2_hmac2_key[] = {
+ 0x4a, 0x65, 0x66, 0x65
+};
+
+static const u_char sha2_hmac2_msg[] = {
+ 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
+ 0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
+ 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
+ 0x69, 0x6e, 0x67, 0x3f
+};
+
+static const u_char sha2_hmac2_256[] = {
+ 0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e,
+ 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7,
+ 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83,
+ 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43
+};
+
+static const u_char sha2_hmac2_384[] = {
+ 0xaf, 0x45, 0xd2, 0xe3, 0x76, 0x48, 0x40, 0x31,
+ 0x61, 0x7f, 0x78, 0xd2, 0xb5, 0x8a, 0x6b, 0x1b,
+ 0x9c, 0x7e, 0xf4, 0x64, 0xf5, 0xa0, 0x1b, 0x47,
+ 0xe4, 0x2e, 0xc3, 0x73, 0x63, 0x22, 0x44, 0x5e,
+ 0x8e, 0x22, 0x40, 0xca, 0x5e, 0x69, 0xe2, 0xc7,
+ 0x8b, 0x32, 0x39, 0xec, 0xfa, 0xb2, 0x16, 0x49
+};
+
+static const u_char sha2_hmac2_512[] = {
+ 0x16, 0x4b, 0x7a, 0x7b, 0xfc, 0xf8, 0x19, 0xe2,
+ 0xe3, 0x95, 0xfb, 0xe7, 0x3b, 0x56, 0xe0, 0xa3,
+ 0x87, 0xbd, 0x64, 0x22, 0x2e, 0x83, 0x1f, 0xd6,
+ 0x10, 0x27, 0x0c, 0xd7, 0xea, 0x25, 0x05, 0x54,
+ 0x97, 0x58, 0xbf, 0x75, 0xc0, 0x5a, 0x99, 0x4a,
+ 0x6d, 0x03, 0x4f, 0x65, 0xf8, 0xf0, 0xe6, 0xfd,
+ 0xca, 0xea, 0xb1, 0xa3, 0x4d, 0x4a, 0x6b, 0x4b,
+ 0x63, 0x6e, 0x07, 0x0a, 0x38, 0xbc, 0xe7, 0x37
+};
+
+static const u_char sha2_hmac3_key[] = {
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa
+};
+
+static const u_char sha2_hmac3_msg[] = {
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd
+};
+
+static const u_char sha2_hmac3_256[] = {
+ 0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46,
+ 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7,
+ 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22,
+ 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe
+};
+
+static const u_char sha2_hmac3_384[] = {
+ 0x88, 0x06, 0x26, 0x08, 0xd3, 0xe6, 0xad, 0x8a,
+ 0x0a, 0xa2, 0xac, 0xe0, 0x14, 0xc8, 0xa8, 0x6f,
+ 0x0a, 0xa6, 0x35, 0xd9, 0x47, 0xac, 0x9f, 0xeb,
+ 0xe8, 0x3e, 0xf4, 0xe5, 0x59, 0x66, 0x14, 0x4b,
+ 0x2a, 0x5a, 0xb3, 0x9d, 0xc1, 0x38, 0x14, 0xb9,
+ 0x4e, 0x3a, 0xb6, 0xe1, 0x01, 0xa3, 0x4f, 0x27
+};
+
+static const u_char sha2_hmac3_512[] = {
+ 0xfa, 0x73, 0xb0, 0x08, 0x9d, 0x56, 0xa2, 0x84,
+ 0xef, 0xb0, 0xf0, 0x75, 0x6c, 0x89, 0x0b, 0xe9,
+ 0xb1, 0xb5, 0xdb, 0xdd, 0x8e, 0xe8, 0x1a, 0x36,
+ 0x55, 0xf8, 0x3e, 0x33, 0xb2, 0x27, 0x9d, 0x39,
+ 0xbf, 0x3e, 0x84, 0x82, 0x79, 0xa7, 0x22, 0xc8,
+ 0x06, 0xb4, 0x85, 0xa4, 0x7e, 0x67, 0xc8, 0x07,
+ 0xb9, 0x46, 0xa3, 0x37, 0xbe, 0xe8, 0x94, 0x26,
+ 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb
+};
+
+static const u_char sha2_hmac4_key[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19
+};
+
+static const u_char sha2_hmac4_msg[] = {
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd
+};
+
+static const u_char sha2_hmac4_256[] = {
+ 0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e,
+ 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a,
+ 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07,
+ 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b
+};
+
+static const u_char sha2_hmac4_384[] = {
+ 0x3e, 0x8a, 0x69, 0xb7, 0x78, 0x3c, 0x25, 0x85,
+ 0x19, 0x33, 0xab, 0x62, 0x90, 0xaf, 0x6c, 0xa7,
+ 0x7a, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9c,
+ 0xc5, 0x57, 0x7c, 0x6e, 0x1f, 0x57, 0x3b, 0x4e,
+ 0x68, 0x01, 0xdd, 0x23, 0xc4, 0xa7, 0xd6, 0x79,
+ 0xcc, 0xf8, 0xa3, 0x86, 0xc6, 0x74, 0xcf, 0xfb
+};
+
+static const u_char sha2_hmac4_512[] = {
+ 0xb0, 0xba, 0x46, 0x56, 0x37, 0x45, 0x8c, 0x69,
+ 0x90, 0xe5, 0xa8, 0xc5, 0xf6, 0x1d, 0x4a, 0xf7,
+ 0xe5, 0x76, 0xd9, 0x7f, 0xf9, 0x4b, 0x87, 0x2d,
+ 0xe7, 0x6f, 0x80, 0x50, 0x36, 0x1e, 0xe3, 0xdb,
+ 0xa9, 0x1c, 0xa5, 0xc1, 0x1a, 0xa2, 0x5e, 0xb4,
+ 0xd6, 0x79, 0x27, 0x5c, 0xc5, 0x78, 0x80, 0x63,
+ 0xa5, 0xf1, 0x97, 0x41, 0x12, 0x0c, 0x4f, 0x2d,
+ 0xe2, 0xad, 0xeb, 0xeb, 0x10, 0xa2, 0x98, 0xdd
+};
+
+static const u_char sha2_hmac6_key[] = {
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa
+};
+
+static const u_char sha2_hmac6_msg[] = {
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
+ 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
+ 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
+ 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
+ 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
+ 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
+ 0x20, 0x46, 0x69, 0x72, 0x73, 0x74
+};
+
+static const u_char sha2_hmac6_256[] = {
+ 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f,
+ 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f,
+ 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14,
+ 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54
+};
+
+static const u_char sha2_hmac6_384[] = {
+ 0x4e, 0xce, 0x08, 0x44, 0x85, 0x81, 0x3e, 0x90,
+ 0x88, 0xd2, 0xc6, 0x3a, 0x04, 0x1b, 0xc5, 0xb4,
+ 0x4f, 0x9e, 0xf1, 0x01, 0x2a, 0x2b, 0x58, 0x8f,
+ 0x3c, 0xd1, 0x1f, 0x05, 0x03, 0x3a, 0xc4, 0xc6,
+ 0x0c, 0x2e, 0xf6, 0xab, 0x40, 0x30, 0xfe, 0x82,
+ 0x96, 0x24, 0x8d, 0xf1, 0x63, 0xf4, 0x49, 0x52
+};
+
+static const u_char sha2_hmac6_512[] = {
+ 0x80, 0xb2, 0x42, 0x63, 0xc7, 0xc1, 0xa3, 0xeb,
+ 0xb7, 0x14, 0x93, 0xc1, 0xdd, 0x7b, 0xe8, 0xb4,
+ 0x9b, 0x46, 0xd1, 0xf4, 0x1b, 0x4a, 0xee, 0xc1,
+ 0x12, 0x1b, 0x01, 0x37, 0x83, 0xf8, 0xf3, 0x52,
+ 0x6b, 0x56, 0xd0, 0x37, 0xe0, 0x5f, 0x25, 0x98,
+ 0xbd, 0x0f, 0xd2, 0x21, 0x5d, 0x6a, 0x1e, 0x52,
+ 0x95, 0xe6, 0x4f, 0x73, 0xf6, 0x3f, 0x0a, 0xec,
+ 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98
+};
+
+static const u_char sha2_hmac7_msg[] = {
+ 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x61, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x75,
+ 0x73, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x20, 0x6c,
+ 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74, 0x68,
+ 0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63, 0x6b,
+ 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6b, 0x65,
+ 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x61, 0x20,
+ 0x6c, 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, 0x74,
+ 0x68, 0x61, 0x6e, 0x20, 0x62, 0x6c, 0x6f, 0x63,
+ 0x6b, 0x2d, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x64,
+ 0x61, 0x74, 0x61, 0x2e, 0x20, 0x54, 0x68, 0x65,
+ 0x20, 0x6b, 0x65, 0x79, 0x20, 0x6e, 0x65, 0x65,
+ 0x64, 0x73, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65,
+ 0x20, 0x68, 0x61, 0x73, 0x68, 0x65, 0x64, 0x20,
+ 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x20, 0x62,
+ 0x65, 0x69, 0x6e, 0x67, 0x20, 0x75, 0x73, 0x65,
+ 0x64, 0x20, 0x62, 0x79, 0x20, 0x74, 0x68, 0x65,
+ 0x20, 0x48, 0x4d, 0x41, 0x43, 0x20, 0x61, 0x6c,
+ 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x2e
+};
+
+static const u_char sha2_hmac7_256[] = {
+ 0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb,
+ 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44,
+ 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93,
+ 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2
+};
+
+static const u_char sha2_hmac7_384[] = {
+ 0x66, 0x17, 0x17, 0x8e, 0x94, 0x1f, 0x02, 0x0d,
+ 0x35, 0x1e, 0x2f, 0x25, 0x4e, 0x8f, 0xd3, 0x2c,
+ 0x60, 0x24, 0x20, 0xfe, 0xb0, 0xb8, 0xfb, 0x9a,
+ 0xdc, 0xce, 0xbb, 0x82, 0x46, 0x1e, 0x99, 0xc5,
+ 0xa6, 0x78, 0xcc, 0x31, 0xe7, 0x99, 0x17, 0x6d,
+ 0x38, 0x60, 0xe6, 0x11, 0x0c, 0x46, 0x52, 0x3e
+};
+
+static const u_char sha2_hmac7_512[] = {
+ 0xe3, 0x7b, 0x6a, 0x77, 0x5d, 0xc8, 0x7d, 0xba,
+ 0xa4, 0xdf, 0xa9, 0xf9, 0x6e, 0x5e, 0x3f, 0xfd,
+ 0xde, 0xbd, 0x71, 0xf8, 0x86, 0x72, 0x89, 0x86,
+ 0x5d, 0xf5, 0xa3, 0x2d, 0x20, 0xcd, 0xc9, 0x44,
+ 0xb6, 0x02, 0x2c, 0xac, 0x3c, 0x49, 0x82, 0xb1,
+ 0x0d, 0x5e, 0xeb, 0x55, 0xc3, 0xe4, 0xde, 0x15,
+ 0x13, 0x46, 0x76, 0xfb, 0x6d, 0xe0, 0x44, 0x60,
+ 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58
+};
+
+static const hmac_testvector_t sha256_hmac_testvectors[] = {
+ { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_256 },
+ { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_256 },
+ { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_256 },
+ { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_256 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_256 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_256 },
+ { 0, NULL, 0, NULL, NULL }
+};
+
+static const hmac_testvector_t sha384_hmac_testvectors[] = {
+ { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_384 },
+ { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_384 },
+ { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_384 },
+ { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_384 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_384 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_384 },
+ { 0, NULL, 0, NULL, NULL }
+};
+
+static const hmac_testvector_t sha512_hmac_testvectors[] = {
+ { sizeof(sha2_hmac1_key), sha2_hmac1_key, sizeof(sha2_hmac1_msg), sha2_hmac1_msg, sha2_hmac1_512 },
+ { sizeof(sha2_hmac2_key), sha2_hmac2_key, sizeof(sha2_hmac2_msg), sha2_hmac2_msg, sha2_hmac2_512 },
+ { sizeof(sha2_hmac3_key), sha2_hmac3_key, sizeof(sha2_hmac3_msg), sha2_hmac3_msg, sha2_hmac3_512 },
+ { sizeof(sha2_hmac4_key), sha2_hmac4_key, sizeof(sha2_hmac4_msg), sha2_hmac4_msg, sha2_hmac4_512 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac6_msg), sha2_hmac6_msg, sha2_hmac6_512 },
+ { sizeof(sha2_hmac6_key), sha2_hmac6_key, sizeof(sha2_hmac7_msg), sha2_hmac7_msg, sha2_hmac7_512 },
+ { 0, NULL, 0, NULL, NULL }
+};
+
+struct hash_desc hash_desc_sha2_256 = {
+ algo_type: IKE_ALG_HASH,
+ algo_id: OAKLEY_SHA2_256,
+ algo_next: NULL,
+ hash_ctx_size: sizeof(sha256_context),
+ hash_block_size: SHA2_256_BLOCK_SIZE,
+ hash_digest_size: SHA2_256_DIGEST_SIZE,
+ hash_testvectors: sha256_hash_testvectors,
+ hmac_testvectors: sha256_hmac_testvectors,
+ hash_init: (void (*)(void *))sha256_init,
+ hash_update: (void (*)(void *, const u_char *, size_t ))sha256_write,
+ hash_final:(void (*)(u_char *, void *))sha256_hash_final
+};
+
+struct hash_desc hash_desc_sha2_384 = {
+ algo_type: IKE_ALG_HASH,
+ algo_id: OAKLEY_SHA2_384,
+ algo_next: NULL,
+ hash_ctx_size: sizeof(sha512_context),
+ hash_block_size: SHA2_384_BLOCK_SIZE,
+ hash_digest_size: SHA2_384_DIGEST_SIZE,
+ hash_testvectors: sha384_hash_testvectors,
+ hmac_testvectors: sha384_hmac_testvectors,
+ hash_init: (void (*)(void *))sha384_init,
+ hash_update: (void (*)(void *, const u_char *, size_t ))sha512_write,
+ hash_final:(void (*)(u_char *, void *))sha384_hash_final
+};
+
+struct hash_desc hash_desc_sha2_512 = {
+ algo_type: IKE_ALG_HASH,
+ algo_id: OAKLEY_SHA2_512,
+ algo_next: NULL,
+ hash_ctx_size: sizeof(sha512_context),
+ hash_block_size: SHA2_512_BLOCK_SIZE,
+ hash_digest_size: SHA2_512_DIGEST_SIZE,
+ hash_testvectors: sha512_hash_testvectors,
+ hmac_testvectors: sha512_hmac_testvectors,
+ hash_init: (void (*)(void *))sha512_init,
+ hash_update: (void (*)(void *, const u_char *, size_t ))sha512_write,
+ hash_final:(void (*)(u_char *, void *))sha512_hash_final
+};
+
+int ike_alg_sha2_init(void);
+
+int
+ike_alg_sha2_init(void)
+{
+ int ret
+;
+ ret = ike_alg_register_hash(&hash_desc_sha2_256);
+ if (ret)
+ goto out;
+ ret = ike_alg_register_hash(&hash_desc_sha2_384);
+ if (ret)
+ goto out;
+ ret = ike_alg_register_hash(&hash_desc_sha2_512);
+
+out:
+ return ret;
+}
+
+/*
+IKE_ALG_INIT_NAME: ike_alg_sha2_init
+*/
diff --git a/src/pluto/alg/ike_alg_twofish.c b/src/pluto/alg/ike_alg_twofish.c
new file mode 100644
index 000000000..1788bc394
--- /dev/null
+++ b/src/pluto/alg/ike_alg_twofish.c
@@ -0,0 +1,85 @@
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "libtwofish/twofish_cbc.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+
+#define TWOFISH_CBC_BLOCK_SIZE (128/BITS_PER_BYTE)
+#define TWOFISH_KEY_MIN_LEN 128
+#define TWOFISH_KEY_DEF_LEN 128
+#define TWOFISH_KEY_MAX_LEN 256
+
+static void
+do_twofish(u_int8_t *buf, size_t buf_size, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+{
+ twofish_context twofish_ctx;
+ char iv_bak[TWOFISH_CBC_BLOCK_SIZE];
+ char *new_iv = NULL; /* logic will avoid copy to NULL */
+
+ twofish_set_key(&twofish_ctx, key, key_size);
+ /*
+ * my TWOFISH cbc does not touch passed IV (optimization for
+ * ESP handling), so I must "emulate" des-like IV
+ * crunching
+ */
+ if (!enc)
+ memcpy(new_iv=iv_bak,
+ (char*) buf + buf_size-TWOFISH_CBC_BLOCK_SIZE,
+ TWOFISH_CBC_BLOCK_SIZE);
+
+ twofish_cbc_encrypt(&twofish_ctx, buf, buf, buf_size, iv, enc);
+
+ if (enc)
+ new_iv = (char*) buf + buf_size-TWOFISH_CBC_BLOCK_SIZE;
+
+ memcpy(iv, new_iv, TWOFISH_CBC_BLOCK_SIZE);
+}
+
+struct encrypt_desc encrypt_desc_twofish =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_TWOFISH_CBC,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(twofish_context),
+ enc_blocksize: TWOFISH_CBC_BLOCK_SIZE,
+ keydeflen: TWOFISH_KEY_MIN_LEN,
+ keyminlen: TWOFISH_KEY_DEF_LEN,
+ keymaxlen: TWOFISH_KEY_MAX_LEN,
+ do_crypt: do_twofish,
+};
+
+struct encrypt_desc encrypt_desc_twofish_ssh =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_TWOFISH_CBC_SSH,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(twofish_context),
+ enc_blocksize: TWOFISH_CBC_BLOCK_SIZE,
+ keydeflen: TWOFISH_KEY_MIN_LEN,
+ keyminlen: TWOFISH_KEY_DEF_LEN,
+ keymaxlen: TWOFISH_KEY_MAX_LEN,
+ do_crypt: do_twofish,
+};
+
+int ike_alg_twofish_init(void);
+
+int
+ike_alg_twofish_init(void)
+{
+ int ret = ike_alg_register_enc(&encrypt_desc_twofish);
+
+ if (ike_alg_register_enc(&encrypt_desc_twofish_ssh) < 0)
+ plog("ike_alg_twofish_init(): Experimental OAKLEY_TWOFISH_CBC_SSH activation failed");
+
+ return ret;
+}
+/*
+IKE_ALG_INIT_NAME: ike_alg_twofish_init
+*/
diff --git a/src/pluto/alg/ike_alginit.c b/src/pluto/alg/ike_alginit.c
new file mode 100644
index 000000000..8784bf31b
--- /dev/null
+++ b/src/pluto/alg/ike_alginit.c
@@ -0,0 +1,7 @@
+extern int ike_alg_init(void); int ike_alg_init(void) {
+{ extern int ike_alg_aes_init (void); ike_alg_aes_init();}
+{ extern int ike_alg_blowfish_init (void); ike_alg_blowfish_init();}
+{ extern int ike_alg_serpent_init (void); ike_alg_serpent_init();}
+{ extern int ike_alg_sha2_init (void); ike_alg_sha2_init();}
+{ extern int ike_alg_twofish_init (void); ike_alg_twofish_init();}
+return 0;}
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
new file mode 100644
index 000000000..ac5d1672f
--- /dev/null
+++ b/src/pluto/alg_info.c
@@ -0,0 +1,1205 @@
+/*
+ * Algorithm info parsing and creation functions
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * $Id: alg_info.c,v 1.5 2004/09/29 22:42:49 as Exp $
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <freeswan.h>
+#include <ipsec_policy.h>
+#include <pfkeyv2.h>
+
+#include "alg_info.h"
+#include "constants.h"
+#ifndef NO_PLUTO
+#include "defs.h"
+#include "log.h"
+#include "whack.h"
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h"
+#include "kernel_alg.h"
+#include "ike_alg.h"
+#else
+/*
+ * macros/functions for compilation without pluto (eg: spi for manual conns)
+ */
+#include <assert.h>
+#define passert(x) assert(x)
+extern int debug; /* eg: spi.c */
+#define DBG(cond, action) { if (debug) { action ; } }
+#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
+#define RC_LOG_SERIOUS
+#define loglog(x, args...) fprintf(stderr, ##args);
+#define alloc_thing(thing, name) alloc_bytes(sizeof (thing), name)
+void * alloc_bytes(size_t size, const char *name) {
+ void *p=malloc(size);
+ if (p == NULL)
+ fprintf(stderr, "unable to malloc %lu bytes for %s",
+ (unsigned long) size, name);
+ memset(p, '\0', size);
+ return p;
+}
+#define pfreeany(ptr) free(ptr)
+#endif /* NO_PLUTO */
+
+/*
+ * sadb/ESP aa attrib converters
+ */
+int
+alg_info_esp_aa2sadb(int auth)
+{
+ int sadb_aalg = 0;
+
+ switch(auth) {
+ case AUTH_ALGORITHM_HMAC_MD5:
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ sadb_aalg = auth + 1;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA2_256:
+ case AUTH_ALGORITHM_HMAC_SHA2_384:
+ case AUTH_ALGORITHM_HMAC_SHA2_512:
+ case AUTH_ALGORITHM_HMAC_RIPEMD:
+ sadb_aalg = auth;
+ break;
+ default:
+ /* loose ... */
+ sadb_aalg = auth;
+ }
+ return sadb_aalg;
+}
+
+int /* __attribute__ ((unused)) */
+alg_info_esp_sadb2aa(int sadb_aalg)
+{
+ int auth = 0;
+
+ switch(sadb_aalg) {
+ case SADB_AALG_MD5_HMAC:
+ case SADB_AALG_SHA1_HMAC:
+ auth = sadb_aalg - 1;
+ break;
+ /* since they are the same ... :) */
+ case AUTH_ALGORITHM_HMAC_SHA2_256:
+ case AUTH_ALGORITHM_HMAC_SHA2_384:
+ case AUTH_ALGORITHM_HMAC_SHA2_512:
+ case AUTH_ALGORITHM_HMAC_RIPEMD:
+ auth = sadb_aalg;
+ break;
+ default:
+ /* loose ... */
+ auth = sadb_aalg;
+ }
+ return auth;
+}
+
+/*
+ * Search enum_name array with in prefixed uppercase
+ */
+static int
+enum_search_prefix (enum_names *ed, const char *prefix, const char *str, int strlen)
+{
+ char buf[64];
+ char *ptr;
+ int ret;
+ int len = sizeof(buf) - 1; /* reserve space for final \0 */
+
+ for (ptr = buf; *prefix; *ptr++ = *prefix++, len--);
+ while (strlen-- && len-- && *str) *ptr++ = toupper(*str++);
+ *ptr = 0;
+
+ DBG(DBG_CRYPT,
+ DBG_log("enum_search_prefix () calling enum_search(%p, \"%s\")"
+ , ed, buf)
+ )
+ ret = enum_search(ed, buf);
+ return ret;
+}
+
+/*
+ * Search enum_name array with in prefixed and postfixed uppercase
+ */
+static int
+enum_search_ppfix (enum_names *ed, const char *prefix, const char *postfix, const char *str, int strlen)
+{
+ char buf[64];
+ char *ptr;
+ int ret;
+ int len = sizeof(buf) - 1; /* reserve space for final \0 */
+
+ for (ptr = buf; *prefix; *ptr++ = *prefix++, len--);
+ while (strlen-- && len-- && *str) *ptr++ = toupper(*str++);
+ while (len-- && *postfix) *ptr++ = *postfix++;
+ *ptr = 0;
+
+ DBG(DBG_CRYPT,
+ DBG_log("enum_search_ppfixi () calling enum_search(%p, \"%s\")"
+ , ed, buf)
+ )
+ ret = enum_search(ed, buf);
+ return ret;
+}
+
+/*
+ * Search esp_transformid_names for a match, eg:
+ * "3des" <=> "ESP_3DES"
+ */
+#define ESP_MAGIC_ID 0x00ffff01
+
+static int
+ealg_getbyname_esp(const char *const str, int len)
+{
+ if (!str || !*str)
+ return -1;
+
+ /* leave special case for eg: "id248" string */
+ if (strcmp("id", str) == 0)
+ return ESP_MAGIC_ID;
+
+ return enum_search_prefix(&esp_transformid_names, "ESP_", str, len);
+}
+
+/*
+ * Search auth_alg_names for a match, eg:
+ * "md5" <=> "AUTH_ALGORITHM_HMAC_MD5"
+ */
+static int
+aalg_getbyname_esp(const char *const str, int len)
+{
+ int ret;
+ unsigned num;
+
+ if (!str || !*str)
+ return -1;
+
+ /* interpret 'SHA' as 'SHA1' */
+ if (strncasecmp("SHA", str, len) == 0)
+ return enum_search(&auth_alg_names, "AUTH_ALGORITHM_HMAC_SHA1");
+
+ ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_HMAC_", str ,len);
+ if (ret >= 0)
+ return ret;
+
+ ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_", str, len);
+ if (ret >= 0)
+ return ret;
+
+ sscanf(str, "id%d%n", &ret, &num);
+ return (ret >= 0 && num != strlen(str))? -1 : ret;
+}
+
+static int
+modp_getbyname_esp(const char *const str, int len)
+{
+ int ret;
+
+ if (!str || !*str)
+ return -1;
+
+ ret = enum_search_prefix(&oakley_group_names,"OAKLEY_GROUP_", str, len);
+ if (ret >= 0)
+ return ret;
+
+ ret = enum_search_ppfix(&oakley_group_names, "OAKLEY_GROUP_", " (extension)", str, len);
+ return ret;
+}
+
+void
+alg_info_free(struct alg_info *alg_info)
+{
+ pfreeany(alg_info);
+}
+
+/*
+ * Raw add routine: only checks for no duplicates
+ */
+static void
+__alg_info_esp_add (struct alg_info_esp *alg_info, int ealg_id, unsigned ek_bits, int aalg_id, unsigned ak_bits)
+{
+ struct esp_info *esp_info=alg_info->esp;
+ unsigned cnt = alg_info->alg_info_cnt, i;
+
+ /* check for overflows */
+ passert(cnt < elemsof(alg_info->esp));
+
+ /* dont add duplicates */
+ for (i = 0; i < cnt; i++)
+ {
+ if (esp_info[i].esp_ealg_id == ealg_id
+ && (!ek_bits || esp_info[i].esp_ealg_keylen == ek_bits)
+ && esp_info[i].esp_aalg_id == aalg_id
+ && (!ak_bits || esp_info[i].esp_aalg_keylen == ak_bits))
+ return;
+ }
+
+ esp_info[cnt].esp_ealg_id = ealg_id;
+ esp_info[cnt].esp_ealg_keylen = ek_bits;
+ esp_info[cnt].esp_aalg_id = aalg_id;
+ esp_info[cnt].esp_aalg_keylen = ak_bits;
+
+ /* sadb values */
+ esp_info[cnt].encryptalg = ealg_id;
+ esp_info[cnt].authalg = alg_info_esp_aa2sadb(aalg_id);
+ alg_info->alg_info_cnt++;
+
+ DBG(DBG_CRYPT,
+ DBG_log("__alg_info_esp_add() ealg=%d aalg=%d cnt=%d"
+ , ealg_id, aalg_id, alg_info->alg_info_cnt)
+ )
+}
+
+/*
+ * Add ESP alg info _with_ logic (policy):
+ */
+static void
+alg_info_esp_add (struct alg_info *alg_info, int ealg_id, int ek_bits, int aalg_id, int ak_bits)
+{
+ /* Policy: default to 3DES */
+ if (ealg_id == 0)
+ ealg_id = ESP_3DES;
+
+ if (ealg_id > 0)
+ {
+#ifndef NO_PLUTO
+ if (aalg_id > 0)
+#else
+ /* Allow no auth for manual conns (from spi.c) */
+ if (aalg_id >= 0)
+#endif
+ __alg_info_esp_add((struct alg_info_esp *)alg_info,
+ ealg_id, ek_bits,
+ aalg_id, ak_bits);
+ else
+ {
+ /* Policy: default to MD5 and SHA1 */
+ __alg_info_esp_add((struct alg_info_esp *)alg_info,
+ ealg_id, ek_bits,
+ AUTH_ALGORITHM_HMAC_MD5, ak_bits);
+ __alg_info_esp_add((struct alg_info_esp *)alg_info,
+ ealg_id, ek_bits,
+ AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+ }
+ }
+}
+
+#ifndef NO_PLUTO
+/**************************************
+ *
+ * IKE alg
+ *
+ *************************************/
+/*
+ * Search oakley_enc_names for a match, eg:
+ * "3des_cbc" <=> "OAKLEY_3DES_CBC"
+ */
+static int
+ealg_getbyname_ike(const char *const str, int len)
+{
+ int ret;
+
+ if (!str || !*str)
+ return -1;
+
+ ret = enum_search_prefix(&oakley_enc_names,"OAKLEY_", str, len);
+ if (ret >= 0)
+ return ret;
+
+ ret = enum_search_ppfix(&oakley_enc_names, "OAKLEY_", "_CBC", str, len);
+ return ret;
+}
+
+/*
+ * Search oakley_hash_names for a match, eg:
+ * "md5" <=> "OAKLEY_MD5"
+ */
+static int
+aalg_getbyname_ike(const char *const str, int len)
+{
+ int ret;
+ unsigned num;
+
+ if (!str || !*str)
+ return -1;
+
+ /* interpret 'SHA1' as 'SHA' */
+ if (strncasecmp("SHA1", str, len) == 0)
+ return enum_search(&oakley_hash_names, "OAKLEY_SHA");
+
+ ret = enum_search_prefix(&oakley_hash_names,"OAKLEY_", str, len);
+ if (ret >= 0)
+ return ret;
+
+ sscanf(str, "id%d%n", &ret, &num);
+ return (ret >=0 && num != strlen(str))? -1 : ret;
+}
+
+/*
+ * Search oakley_group_names for a match, eg:
+ * "modp1024" <=> "OAKLEY_GROUP_MODP1024"
+ */
+static int
+modp_getbyname_ike(const char *const str, int len)
+{
+ int ret;
+
+ if (!str || !*str)
+ return -1;
+
+ ret = enum_search_prefix(&oakley_group_names,"OAKLEY_GROUP_", str, len);
+ if (ret >= 0)
+ return ret;
+
+ ret = enum_search_ppfix(&oakley_group_names, "OAKLEY_GROUP_", " (extension)", str, len);
+ return ret;
+}
+
+static void
+__alg_info_ike_add (struct alg_info_ike *alg_info, int ealg_id, unsigned ek_bits, int aalg_id, unsigned ak_bits, int modp_id)
+{
+ struct ike_info *ike_info = alg_info->ike;
+ unsigned cnt = alg_info->alg_info_cnt;
+ unsigned i;
+
+ /* check for overflows */
+ passert(cnt < elemsof(alg_info->ike));
+
+ /* dont add duplicates */
+ for (i = 0;i < cnt; i++)
+ {
+ if (ike_info[i].ike_ealg == ealg_id
+ && (!ek_bits || ike_info[i].ike_eklen == ek_bits)
+ && ike_info[i].ike_halg == aalg_id
+ && (!ak_bits || ike_info[i].ike_hklen == ak_bits)
+ && ike_info[i].ike_modp==modp_id)
+ return;
+ }
+
+ ike_info[cnt].ike_ealg = ealg_id;
+ ike_info[cnt].ike_eklen = ek_bits;
+ ike_info[cnt].ike_halg = aalg_id;
+ ike_info[cnt].ike_hklen = ak_bits;
+ ike_info[cnt].ike_modp = modp_id;
+ alg_info->alg_info_cnt++;
+
+ DBG(DBG_CRYPT,
+ DBG_log("__alg_info_ike_add() ealg=%d aalg=%d modp_id=%d, cnt=%d"
+ , ealg_id, aalg_id, modp_id
+ , alg_info->alg_info_cnt)
+ )
+}
+
+/*
+ * Proposals will be built by looping over default_ike_groups array and
+ * merging alg_info (ike_info) contents
+ */
+
+static int default_ike_groups[] = {
+ OAKLEY_GROUP_MODP1536,
+ OAKLEY_GROUP_MODP1024
+};
+
+/*
+ * Add IKE alg info _with_ logic (policy):
+ */
+static void
+alg_info_ike_add (struct alg_info *alg_info, int ealg_id, int ek_bits, int aalg_id, int ak_bits, int modp_id)
+{
+ int i = 0;
+ int n_groups = elemsof(default_ike_groups);
+
+ /* if specified modp_id avoid loop over default_ike_groups */
+ if (modp_id)
+ {
+ n_groups=0;
+ goto in_loop;
+ }
+
+ for (; n_groups--; i++)
+ {
+ modp_id = default_ike_groups[i];
+in_loop:
+ /* Policy: default to 3DES */
+ if (ealg_id == 0)
+ ealg_id = OAKLEY_3DES_CBC;
+
+ if (ealg_id > 0)
+ {
+ if (aalg_id > 0)
+ __alg_info_ike_add((struct alg_info_ike *)alg_info,
+ ealg_id, ek_bits,
+ aalg_id, ak_bits,
+ modp_id);
+ else
+ {
+ /* Policy: default to MD5 and SHA */
+ __alg_info_ike_add((struct alg_info_ike *)alg_info,
+ ealg_id, ek_bits,
+ OAKLEY_MD5, ak_bits,
+ modp_id);
+ __alg_info_ike_add((struct alg_info_ike *)alg_info,
+ ealg_id, ek_bits,
+ OAKLEY_SHA, ak_bits,
+ modp_id);
+ }
+ }
+ }
+}
+#endif /* NO_PLUTO */
+
+/*
+ * Creates a new alg_info by parsing passed string
+ */
+enum parser_state_esp {
+ ST_INI,
+ ST_EA, /* encrypt algo */
+ ST_EA_END,
+ ST_EK, /* enc. key length */
+ ST_EK_END,
+ ST_AA, /* auth algo */
+ ST_AA_END,
+ ST_AK, /* auth. key length */
+ ST_AK_END,
+ ST_MODP, /* modp spec */
+ ST_FLAG_STRICT,
+ ST_END,
+ ST_EOF,
+ ST_ERR
+};
+
+static const char *parser_state_esp_names[] = {
+ "ST_INI",
+ "ST_EA",
+ "ST_EA_END",
+ "ST_EK",
+ "ST_EK_END",
+ "ST_AA",
+ "ST_AA_END",
+ "ST_AK",
+ "ST_AK_END",
+ "ST_MOPD",
+ "ST_FLAG_STRICT",
+ "ST_END",
+ "ST_EOF",
+ "ST_ERR"
+};
+
+static const char*
+parser_state_name_esp(enum parser_state_esp state)
+{
+ return parser_state_esp_names[state];
+}
+
+/* XXX:jjo to implement different parser for ESP and IKE */
+struct parser_context {
+ unsigned state, old_state;
+ unsigned protoid;
+ char ealg_buf[16];
+ char aalg_buf[16];
+ char modp_buf[16];
+ int (*ealg_getbyname)(const char *const str, int len);
+ int (*aalg_getbyname)(const char *const str, int len);
+ int (*modp_getbyname)(const char *const str, int len);
+ char *ealg_str;
+ char *aalg_str;
+ char *modp_str;
+ int eklen;
+ int aklen;
+ int ch;
+ const char *err;
+};
+
+static inline void
+parser_set_state(struct parser_context *p_ctx, enum parser_state_esp state)
+{
+ if (state != p_ctx->state)
+ {
+ p_ctx->old_state = p_ctx->state;
+ p_ctx->state = state;
+ }
+}
+
+static int
+parser_machine(struct parser_context *p_ctx)
+{
+ int ch = p_ctx->ch;
+
+ /* special 'absolute' cases */
+ p_ctx->err = "No error.";
+
+ /* chars that end algo strings */
+ switch (ch){
+ case 0: /* end-of-string */
+ case '!': /* flag as strict algo list */
+ case ',': /* algo string separator */
+ switch (p_ctx->state) {
+ case ST_EA:
+ case ST_EK:
+ case ST_AA:
+ case ST_AK:
+ case ST_MODP:
+ case ST_FLAG_STRICT:
+ {
+ enum parser_state_esp next_state = 0;
+
+ switch (ch) {
+ case 0:
+ next_state = ST_EOF;
+ break;
+ case ',':
+ next_state = ST_END;
+ break;
+ case '!':
+ next_state = ST_FLAG_STRICT;
+ break;
+ }
+ /* ch? parser_set_state(p_ctx, ST_END) : parser_set_state(p_ctx, ST_EOF) ; */
+ parser_set_state(p_ctx, next_state);
+ goto out;
+ }
+ default:
+ p_ctx->err = "String ended with invalid char";
+ goto err;
+ }
+ }
+re_eval:
+ switch (p_ctx->state) {
+ case ST_INI:
+ if (isspace(ch))
+ break;
+ if (isalnum(ch))
+ {
+ *(p_ctx->ealg_str++) = ch;
+ parser_set_state(p_ctx, ST_EA);
+ break;
+ }
+ p_ctx->err = "No alphanum. char initially found";
+ goto err;
+ case ST_EA:
+ if (isalpha(ch) || ch == '_')
+ {
+ *(p_ctx->ealg_str++) = ch;
+ break;
+ }
+ if (isdigit(ch))
+ {
+ /* bravely switch to enc keylen */
+ *(p_ctx->ealg_str) = 0;
+ parser_set_state(p_ctx, ST_EK);
+ goto re_eval;
+ }
+ if (ch == '-')
+ {
+ *(p_ctx->ealg_str) = 0;
+ parser_set_state(p_ctx, ST_EA_END);
+ break;
+ }
+ p_ctx->err = "No valid char found after enc alg string";
+ goto err;
+ case ST_EA_END:
+ if (isdigit(ch))
+ {
+ /* bravely switch to enc keylen */
+ parser_set_state(p_ctx, ST_EK);
+ goto re_eval;
+ }
+ if (isalpha(ch))
+ {
+ parser_set_state(p_ctx, ST_AA);
+ goto re_eval;
+ }
+ p_ctx->err = "No alphanum char found after enc alg separator";
+ goto err;
+ case ST_EK:
+ if (ch == '-')
+ {
+ parser_set_state(p_ctx, ST_EK_END);
+ break;
+ }
+ if (isdigit(ch))
+ {
+ p_ctx->eklen = p_ctx->eklen*10 + ch - '0';
+ break;
+ }
+ p_ctx->err = "Non digit or valid separator found while reading enc keylen";
+ goto err;
+ case ST_EK_END:
+ if (isalpha(ch))
+ {
+ parser_set_state(p_ctx, ST_AA);
+ goto re_eval;
+ }
+ p_ctx->err = "Non alpha char found after enc keylen end separator";
+ goto err;
+ case ST_AA:
+ if (ch == '-')
+ {
+ *(p_ctx->aalg_str++) = 0;
+ parser_set_state(p_ctx, ST_AA_END);
+ break;
+ }
+ if (isalnum(ch) || ch == '_')
+ {
+ *(p_ctx->aalg_str++) = ch;
+ break;
+ }
+ p_ctx->err = "Non alphanum or valid separator found in auth string";
+ goto err;
+ case ST_AA_END:
+ if (isdigit(ch))
+ {
+ parser_set_state(p_ctx, ST_AK);
+ goto re_eval;
+ }
+ /* Only allow modpXXXX string if we have a modp_getbyname method */
+ if ((p_ctx->modp_getbyname) && isalpha(ch))
+ {
+ parser_set_state(p_ctx, ST_MODP);
+ goto re_eval;
+ }
+ p_ctx->err = "Non initial digit found for auth keylen";
+ goto err;
+ case ST_AK:
+ if (ch=='-')
+ {
+ parser_set_state(p_ctx, ST_AK_END);
+ break;
+ }
+ if (isdigit(ch))
+ {
+ p_ctx->aklen = p_ctx->aklen*10 + ch - '0';
+ break;
+ }
+ p_ctx->err = "Non digit found for auth keylen";
+ goto err;
+ case ST_AK_END:
+ /* Only allow modpXXXX string if we have a modp_getbyname method */
+ if ((p_ctx->modp_getbyname) && isalpha(ch))
+ {
+ parser_set_state(p_ctx, ST_MODP);
+ goto re_eval;
+ }
+ p_ctx->err = "Non alpha char found after auth keylen";
+ goto err;
+ case ST_MODP:
+ if (isalnum(ch))
+ {
+ *(p_ctx->modp_str++) = ch;
+ break;
+ }
+ p_ctx->err = "Non alphanum char found after in modp string";
+ goto err;
+ case ST_FLAG_STRICT:
+ if (ch == 0)
+ parser_set_state(p_ctx, ST_END);
+ p_ctx->err = "Flags character(s) must be at end of whole string";
+ goto err;
+
+ /* XXX */
+ case ST_END:
+ case ST_EOF:
+ case ST_ERR:
+ break;
+ /* XXX */
+ }
+out:
+ return p_ctx->state;
+err:
+ parser_set_state(p_ctx, ST_ERR);
+ return ST_ERR;
+}
+
+/*
+ * Must be called for each "new" char, with new
+ * character in ctx.ch
+ */
+static void
+parser_init(struct parser_context *p_ctx, unsigned protoid)
+{
+ memset(p_ctx, 0, sizeof (*p_ctx));
+ p_ctx->protoid = protoid; /* XXX: jjo */
+ p_ctx->protoid = PROTO_IPSEC_ESP;
+ p_ctx->ealg_str = p_ctx->ealg_buf;
+ p_ctx->aalg_str = p_ctx->aalg_buf;
+ p_ctx->modp_str = p_ctx->modp_buf;
+ p_ctx->state = ST_INI;
+
+ switch (protoid) {
+#ifndef NO_PLUTO
+ case PROTO_ISAKMP:
+ p_ctx->ealg_getbyname = ealg_getbyname_ike;
+ p_ctx->aalg_getbyname = aalg_getbyname_ike;
+ p_ctx->modp_getbyname = modp_getbyname_ike;
+ break;
+#endif
+ case PROTO_IPSEC_ESP:
+ p_ctx->ealg_getbyname = ealg_getbyname_esp;
+ p_ctx->aalg_getbyname = aalg_getbyname_esp;
+ break;
+ }
+}
+
+static int
+parser_alg_info_add(struct parser_context *p_ctx, struct alg_info *alg_info)
+{
+ int ealg_id = 0;
+ int aalg_id = 0;
+ int modp_id = 0;
+#ifndef NO_PLUTO
+ const struct oakley_group_desc *gd;
+#endif
+
+ if (*p_ctx->ealg_buf)
+ {
+ ealg_id = p_ctx->ealg_getbyname(p_ctx->ealg_buf, strlen(p_ctx->ealg_buf));
+ if (ealg_id == ESP_MAGIC_ID)
+ {
+ ealg_id = p_ctx->eklen;
+ p_ctx->eklen = 0;
+ }
+ if (ealg_id < 0)
+ {
+ p_ctx->err = "enc_alg not found";
+ return -1;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("parser_alg_info_add() ealg_getbyname(\"%s\")=%d"
+ , p_ctx->ealg_buf
+ , ealg_id)
+ )
+ }
+ if (*p_ctx->aalg_buf)
+ {
+ aalg_id = p_ctx->aalg_getbyname(p_ctx->aalg_buf, strlen(p_ctx->aalg_buf));
+ if (aalg_id < 0)
+ {
+ p_ctx->err = "hash_alg not found";
+ return -1;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("parser_alg_info_add() aalg_getbyname(\"%s\")=%d"
+ , p_ctx->aalg_buf
+ , aalg_id)
+ )
+ }
+ if (p_ctx->modp_getbyname && *p_ctx->modp_buf)
+ {
+ modp_id = p_ctx->modp_getbyname(p_ctx->modp_buf, strlen(p_ctx->modp_buf));
+ if (modp_id < 0)
+ {
+ p_ctx->err = "modp group not found";
+ return -1;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("parser_alg_info_add() modp_getbyname(\"%s\")=%d"
+ , p_ctx->modp_buf
+ , modp_id)
+ )
+ }
+ switch (alg_info->alg_info_protoid) {
+ case PROTO_IPSEC_ESP:
+ alg_info_esp_add(alg_info,
+ ealg_id, p_ctx->eklen,
+ aalg_id, p_ctx->aklen);
+ break;
+#ifndef NO_PLUTO
+ case PROTO_ISAKMP:
+ if (modp_id && !(gd = lookup_group(modp_id)))
+ {
+ p_ctx->err = "found modp group id, but not supported";
+ return -1;
+ }
+ alg_info_ike_add(alg_info,
+ ealg_id, p_ctx->eklen,
+ aalg_id, p_ctx->aklen,
+ modp_id);
+ break;
+#endif
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+static int
+alg_info_parse_str (struct alg_info *alg_info, const char *alg_str, const char **err_p)
+{
+ struct parser_context ctx;
+ int ret;
+ const char *ptr;
+ static char err_buf[256];
+
+ *err_buf = 0;
+ parser_init(&ctx, alg_info->alg_info_protoid);
+ if (err_p)
+ *err_p = NULL;
+
+ /* use default if nul esp string */
+ if (!*alg_str)
+ {
+ switch (alg_info->alg_info_protoid) {
+#ifndef NO_PLUTO
+ case PROTO_ISAKMP:
+ alg_info_ike_add(alg_info, 0, 0, 0, 0, 0);
+ return 0;
+#endif
+ case PROTO_IPSEC_ESP:
+ alg_info_esp_add(alg_info, 0, 0, 0, 0);
+ return 0;
+ default:
+ /* IMPOSSIBLE */
+ passert(alg_info->alg_info_protoid);
+ }
+ }
+
+ for (ret = 0, ptr = alg_str; ret < ST_EOF;)
+ {
+ ctx.ch = *ptr++;
+ ret = parser_machine(&ctx);
+
+ switch (ret) {
+ case ST_FLAG_STRICT:
+ alg_info->alg_info_flags |= ALG_INFO_F_STRICT;
+ break;
+ case ST_END:
+ case ST_EOF:
+ DBG(DBG_CRYPT,
+ DBG_log("alg_info_parse_str() ealg_buf=%s aalg_buf=%s"
+ "eklen=%d aklen=%d",
+ ctx.ealg_buf, ctx.aalg_buf,
+ ctx.eklen, ctx.aklen)
+ )
+ if (parser_alg_info_add(&ctx, alg_info) < 0)
+ {
+ snprintf(err_buf, sizeof(err_buf),
+ "%s, enc_alg=\"%s\", auth_alg=\"%s\", modp=\"%s\"",
+ ctx.err,
+ ctx.ealg_buf,
+ ctx.aalg_buf,
+ ctx.modp_buf);
+ goto err;
+ }
+ /* zero out for next run (ST_END) */
+ parser_init(&ctx, alg_info->alg_info_protoid);
+ break;
+ case ST_ERR:
+ snprintf(err_buf, sizeof(err_buf),
+ "%s, just after \"%.*s\" (old_state=%s)",
+ ctx.err,
+ (int)(ptr-alg_str-1), alg_str ,
+ parser_state_name_esp(ctx.old_state));
+ goto err;
+ default:
+ if (!ctx.ch)
+ break;
+ }
+ }
+ return 0;
+err:
+ if (err_p)
+ *err_p=err_buf;
+ return -1;
+}
+
+struct alg_info_esp *
+alg_info_esp_create_from_str (const char *alg_str, const char **err_p)
+{
+ struct alg_info_esp *alg_info_esp;
+ char esp_buf[256];
+ static char err_buf[256];
+ char *pfs_name;
+ int ret = 0;
+ /*
+ * alg_info storage should be sized dynamically
+ * but this may require 2passes to know
+ * transform count in advance.
+ */
+ alg_info_esp = alloc_thing (struct alg_info_esp, "alg_info_esp");
+ if (!alg_info_esp)
+ goto out;
+
+ pfs_name=index (alg_str, ';');
+ if (pfs_name)
+ {
+ memcpy(esp_buf, alg_str, pfs_name-alg_str);
+ esp_buf[pfs_name-alg_str] = 0;
+ alg_str = esp_buf;
+ pfs_name++;
+
+ /* if pfs strings AND first char is not '0' */
+ if (*pfs_name && pfs_name[0] != '0')
+ {
+ ret = modp_getbyname_esp(pfs_name, strlen(pfs_name));
+ if (ret < 0)
+ {
+ /* Bomb if pfsgroup not found */
+ DBG(DBG_CRYPT,
+ DBG_log("alg_info_esp_create_from_str(): pfsgroup \"%s\" not found"
+ , pfs_name)
+ )
+ if (*err_p)
+ {
+ snprintf(err_buf, sizeof(err_buf),
+ "pfsgroup \"%s\" not found",
+ pfs_name);
+
+ *err_p = err_buf;
+ }
+ goto out;
+ }
+ alg_info_esp->esp_pfsgroup = ret;
+ }
+ }
+ else
+ alg_info_esp->esp_pfsgroup = 0;
+
+ alg_info_esp->alg_info_protoid = PROTO_IPSEC_ESP;
+ ret = alg_info_parse_str((struct alg_info *)alg_info_esp, alg_str, err_p) ;
+out:
+ if (ret < 0)
+ {
+ pfreeany(alg_info_esp);
+ alg_info_esp = NULL;
+ }
+ return alg_info_esp;
+}
+
+#ifndef NO_PLUTO
+struct alg_info_ike *
+alg_info_ike_create_from_str (const char *alg_str, const char **err_p)
+{
+ struct alg_info_ike *alg_info_ike;
+ /*
+ * alg_info storage should be sized dynamically
+ * but this may require 2passes to know
+ * transform count in advance.
+ */
+ alg_info_ike = alloc_thing (struct alg_info_ike, "alg_info_ike");
+ alg_info_ike->alg_info_protoid = PROTO_ISAKMP;
+
+ if (alg_info_parse_str((struct alg_info *)alg_info_ike,
+ alg_str, err_p) < 0)
+ {
+ pfreeany(alg_info_ike);
+ return NULL;
+ }
+ return alg_info_ike;
+}
+#endif
+
+/*
+ * alg_info struct can be shared by
+ * several connections instances,
+ * handle free() with ref_cnts
+ */
+void
+alg_info_addref(struct alg_info *alg_info)
+{
+ if (alg_info != NULL)
+ {
+ alg_info->ref_cnt++;
+ DBG(DBG_CRYPT,
+ DBG_log("alg_info_addref() alg_info->ref_cnt=%d"
+ , alg_info->ref_cnt)
+ )
+ }
+}
+
+void
+alg_info_delref(struct alg_info **alg_info_p)
+{
+ struct alg_info *alg_info = *alg_info_p;
+
+ if (alg_info != NULL)
+ {
+ passert(alg_info->ref_cnt != 0);
+ alg_info->ref_cnt--;
+ DBG(DBG_CRYPT,
+ DBG_log("alg_info_delref() alg_info->ref_cnt=%d"
+ , alg_info->ref_cnt)
+ )
+ if (alg_info->ref_cnt == 0)
+ {
+ DBG(DBG_CRYPT,
+ DBG_log("alg_info_delref() freeing alg_info")
+ )
+ alg_info_free(alg_info);
+ }
+ *alg_info_p = NULL;
+ }
+}
+
+/* snprint already parsed transform list (alg_info) */
+int
+alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
+{
+ char *ptr = buf;
+ int np = 0;
+ struct esp_info *esp_info;
+#ifndef NO_PLUTO
+ struct ike_info *ike_info;
+#endif
+ int cnt;
+
+ switch (alg_info->alg_info_protoid) {
+ case PROTO_IPSEC_ESP:
+ {
+ struct alg_info_esp *alg_info_esp = (struct alg_info_esp *)alg_info;
+
+ ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
+ {
+ np = snprintf(ptr, buflen, "%d_%03d-%d, "
+ , esp_info->esp_ealg_id
+ , (int)esp_info->esp_ealg_keylen
+ , esp_info->esp_aalg_id);
+ ptr += np;
+ buflen -= np;
+ if (buflen < 0)
+ goto out;
+ }
+ if (alg_info_esp->esp_pfsgroup)
+ {
+ np = snprintf(ptr, buflen, "; pfsgroup=%d; "
+ , alg_info_esp->esp_pfsgroup);
+ ptr += np;
+ buflen -= np;
+ if (buflen < 0)
+ goto out;
+ }
+ break;
+ }
+#ifndef NO_PLUTO
+ case PROTO_ISAKMP:
+ ALG_INFO_IKE_FOREACH((struct alg_info_ike *)alg_info, ike_info, cnt)
+ {
+ np = snprintf(ptr, buflen, "%d_%03d-%d-%d, "
+ , ike_info->ike_ealg
+ , (int)ike_info->ike_eklen
+ , ike_info->ike_halg
+ , ike_info->ike_modp);
+ ptr += np;
+ buflen -= np;
+ if (buflen < 0)
+ goto out;
+ }
+ break;
+#endif
+ default:
+ np = snprintf(buf, buflen, "INVALID protoid=%d\n"
+ , alg_info->alg_info_protoid);
+ ptr += np;
+ buflen -= np;
+ goto out;
+ }
+
+ np = snprintf(ptr, buflen, "%s"
+ , alg_info->alg_info_flags & ALG_INFO_F_STRICT?
+ "strict":"");
+ ptr += np;
+ buflen -= np;
+out:
+ if (buflen < 0)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "buffer space exhausted in alg_info_snprint_ike(), buflen=%d"
+ , buflen);
+ }
+
+ return ptr - buf;
+}
+
+#ifndef NO_PLUTO
+int
+alg_info_snprint_esp(char *buf, int buflen, struct alg_info_esp *alg_info)
+{
+ char *ptr = buf;
+
+ int cnt = alg_info->alg_info_cnt;
+ struct esp_info *esp_info = alg_info->esp;
+
+ while (cnt--)
+ {
+ if (kernel_alg_esp_enc_ok(esp_info->esp_ealg_id, 0, NULL)
+ && kernel_alg_esp_auth_ok(esp_info->esp_aalg_id, NULL))
+ {
+ u_int eklen = (esp_info->esp_ealg_keylen)
+ ? esp_info->esp_ealg_keylen
+ : kernel_alg_esp_enc_keylen(esp_info->esp_ealg_id)
+ * BITS_PER_BYTE;
+
+ u_int aklen = esp_info->esp_aalg_keylen
+ ? esp_info->esp_aalg_keylen
+ : kernel_alg_esp_auth_keylen(esp_info->esp_aalg_id)
+ * BITS_PER_BYTE;
+
+ int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d, ",
+ esp_info->esp_ealg_id, eklen,
+ esp_info->esp_aalg_id, aklen);
+ ptr += ret;
+ buflen -= ret;
+ if (buflen < 0)
+ break;
+ }
+ esp_info++;
+ }
+ return ptr - buf;
+}
+
+int
+alg_info_snprint_ike(char *buf, int buflen, struct alg_info_ike *alg_info)
+{
+ char *ptr = buf;
+
+ int cnt = alg_info->alg_info_cnt;
+ struct ike_info *ike_info = alg_info->ike;
+
+ while (cnt--)
+ {
+ struct encrypt_desc *enc_desc = ike_alg_get_encrypter(ike_info->ike_ealg);
+ struct hash_desc *hash_desc = ike_alg_get_hasher(ike_info->ike_halg);
+
+ if (enc_desc != NULL && hash_desc != NULL
+ && lookup_group(ike_info->ike_modp))
+ {
+
+ u_int eklen = (ike_info->ike_eklen)
+ ? ike_info->ike_eklen
+ : enc_desc->keydeflen;
+
+ u_int aklen = (ike_info->ike_hklen)
+ ? ike_info->ike_hklen
+ : hash_desc->hash_digest_size * BITS_PER_BYTE;
+
+ int ret = snprintf(ptr, buflen, "%d_%03d-%d_%03d-%d, ",
+ ike_info->ike_ealg, eklen,
+ ike_info->ike_halg, aklen,
+ ike_info->ike_modp);
+ ptr += ret;
+ buflen -= ret;
+ if (buflen < 0)
+ break;
+ }
+ ike_info++;
+ }
+ return ptr - buf;
+}
+#endif /* NO_PLUTO */
diff --git a/src/pluto/alg_info.h b/src/pluto/alg_info.h
new file mode 100644
index 000000000..cd2011dcc
--- /dev/null
+++ b/src/pluto/alg_info.h
@@ -0,0 +1,85 @@
+/* Algorithm info parsing and creation functions
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: alg_info.h,v 1.4 2004/09/29 22:39:44 as Exp $
+ */
+
+#ifndef ALG_INFO_H
+#define ALG_INFO_H
+
+struct esp_info {
+ u_int8_t transid; /* ESP transform */
+ u_int16_t auth; /* AUTH */
+ size_t enckeylen; /* keylength for ESP transform */
+ size_t authkeylen; /* keylength for AUTH */
+ u_int8_t encryptalg; /* normally encryptalg=transid */
+ u_int8_t authalg; /* normally authalg=auth+1 */
+};
+
+struct ike_info {
+ u_int16_t ike_ealg; /* high 16 bit nums for reserved */
+ u_int8_t ike_halg;
+ size_t ike_eklen;
+ size_t ike_hklen;
+ u_int16_t ike_modp;
+};
+
+#define ALG_INFO_COMMON \
+ int alg_info_cnt; \
+ int ref_cnt; \
+ unsigned alg_info_flags; \
+ unsigned alg_info_protoid
+
+struct alg_info {
+ ALG_INFO_COMMON;
+};
+
+struct alg_info_esp {
+ ALG_INFO_COMMON;
+ struct esp_info esp[64];
+ int esp_pfsgroup;
+};
+
+struct alg_info_ike {
+ ALG_INFO_COMMON;
+ struct ike_info ike[64];
+};
+#define esp_ealg_id transid
+#define esp_aalg_id auth
+#define esp_ealg_keylen enckeylen /* bits */
+#define esp_aalg_keylen authkeylen /* bits */
+
+/* alg_info_flags bits */
+#define ALG_INFO_F_STRICT 0x01
+
+extern int alg_info_esp_aa2sadb(int auth);
+extern int alg_info_esp_sadb2aa(int sadb_aalg);
+extern void alg_info_free(struct alg_info *alg_info);
+extern void alg_info_addref(struct alg_info *alg_info);
+extern void alg_info_delref(struct alg_info **alg_info);
+extern struct alg_info_esp* alg_info_esp_create_from_str(const char *alg_str
+ , const char **err_p);
+extern struct alg_info_ike* alg_info_ike_create_from_str(const char *alg_str
+ , const char **err_p);
+extern int alg_info_parse(const char *str);
+extern int alg_info_snprint(char *buf, int buflen
+ , struct alg_info *alg_info);
+extern int alg_info_snprint_esp(char *buf, int buflen
+ , struct alg_info_esp *alg_info);
+extern int alg_info_snprint_ike(char *buf, int buflen
+ , struct alg_info_ike *alg_info);
+#define ALG_INFO_ESP_FOREACH(ai, ai_esp, i) \
+ for (i=(ai)->alg_info_cnt,ai_esp=(ai)->esp; i--; ai_esp++)
+#define ALG_INFO_IKE_FOREACH(ai, ai_ike, i) \
+ for (i=(ai)->alg_info_cnt,ai_ike=(ai)->ike; i--; ai_ike++)
+#endif /* ALG_INFO_H */
diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c
new file mode 100644
index 000000000..0663bc490
--- /dev/null
+++ b/src/pluto/asn1.c
@@ -0,0 +1,770 @@
+/* Simple ASN.1 parser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: asn1.c,v 1.16 2006/01/04 21:00:43 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "asn1.h"
+#include "oid.h"
+#include "log.h"
+
+/* some common prefabricated ASN.1 constants */
+
+static u_char ASN1_INTEGER_0_str[] = { 0x02, 0x00 };
+static u_char ASN1_INTEGER_1_str[] = { 0x02, 0x01, 0x01 };
+static u_char ASN1_INTEGER_2_str[] = { 0x02, 0x01, 0x02 };
+
+const chunk_t ASN1_INTEGER_0 = strchunk(ASN1_INTEGER_0_str);
+const chunk_t ASN1_INTEGER_1 = strchunk(ASN1_INTEGER_1_str);
+const chunk_t ASN1_INTEGER_2 = strchunk(ASN1_INTEGER_2_str);
+
+/* some popular algorithmIdentifiers */
+
+static u_char ASN1_md5_id_str[] = {
+ 0x30, 0x0C,
+ 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,
+ 0x05, 0x00
+};
+
+static u_char ASN1_sha1_id_str[] = {
+ 0x30, 0x09,
+ 0x06, 0x05, 0x2B, 0x0E,0x03, 0x02, 0x1A,
+ 0x05, 0x00
+};
+
+static u_char ASN1_md5WithRSA_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04,
+ 0x05, 0x00
+};
+
+static u_char ASN1_sha1WithRSA_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05,
+ 0x05, 0x00
+};
+
+static u_char ASN1_rsaEncryption_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+ 0x05, 0x00
+};
+
+const chunk_t ASN1_md5_id = strchunk(ASN1_md5_id_str);
+const chunk_t ASN1_sha1_id = strchunk(ASN1_sha1_id_str);
+const chunk_t ASN1_rsaEncryption_id = strchunk(ASN1_rsaEncryption_id_str);
+const chunk_t ASN1_md5WithRSA_id = strchunk(ASN1_md5WithRSA_id_str);
+const chunk_t ASN1_sha1WithRSA_id = strchunk(ASN1_sha1WithRSA_id_str);
+
+/* ASN.1 definiton of an algorithmIdentifier */
+
+static const asn1Object_t algorithmIdentifierObjects[] = {
+ { 0, "algorithmIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "algorithm", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 1, "parameters", ASN1_EOC, ASN1_RAW } /* 2 */
+};
+
+#define ALGORITHM_ID_ALG 1
+#define ALGORITHM_ID_PARAMETERS 2
+#define ALGORITHM_ID_ROOF 3
+
+/*
+ * return the ASN.1 encoded algorithm identifier
+ */
+chunk_t
+asn1_algorithmIdentifier(int oid)
+{
+ switch (oid)
+ {
+ case OID_RSA_ENCRYPTION:
+ return ASN1_rsaEncryption_id;
+ case OID_MD5_WITH_RSA:
+ return ASN1_md5WithRSA_id;
+ case OID_SHA1_WITH_RSA:
+ return ASN1_sha1WithRSA_id;
+ case OID_MD5:
+ return ASN1_md5_id;
+ case OID_SHA1:
+ return ASN1_sha1_id;
+ default:
+ return empty_chunk;
+ }
+}
+
+/* If the oid is listed in the oid_names table then the corresponding
+ * position in the oid_names table is returned otherwise -1 is returned
+ */
+int
+known_oid(chunk_t object)
+{
+ int oid = 0;
+
+ while (object.len)
+ {
+ if (oid_names[oid].octet == *object.ptr)
+ {
+ if (--object.len == 0 || oid_names[oid].down == 0)
+ {
+ return oid; /* found terminal symbol */
+ }
+ else
+ {
+ object.ptr++; oid++; /* advance to next hex octet */
+ }
+ }
+ else
+ {
+ if (oid_names[oid].next)
+ oid = oid_names[oid].next;
+ else
+ return OID_UNKNOWN;
+ }
+ }
+ return -1;
+}
+
+/*
+ * Decodes the length in bytes of an ASN.1 object
+ */
+u_int
+asn1_length(chunk_t *blob)
+{
+ u_char n;
+ size_t len;
+
+ /* advance from tag field on to length field */
+ blob->ptr++;
+ blob->len--;
+
+ /* read first octet of length field */
+ n = *blob->ptr++;
+ blob->len--;
+
+ if ((n & 0x80) == 0) /* single length octet */
+ return n;
+
+ /* composite length, determine number of length octets */
+ n &= 0x7f;
+
+ if (n > blob->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("number of length octets is larger than ASN.1 object")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
+
+ if (n > sizeof(len))
+ {
+ DBG(DBG_PARSING,
+ DBG_log("number of length octets is larger than limit of %d octets"
+ , (int)sizeof(len))
+ )
+ return ASN1_INVALID_LENGTH;
+ }
+
+ len = 0;
+
+ while (n-- > 0)
+ {
+ len = 256*len + *blob->ptr++;
+ blob->len--;
+ }
+ return len;
+}
+
+/*
+ * codes ASN.1 lengths up to a size of 16'777'215 bytes
+ */
+void
+code_asn1_length(size_t length, chunk_t *code)
+{
+ if (length < 128)
+ {
+ code->ptr[0] = length;
+ code->len = 1;
+ }
+ else if (length < 256)
+ {
+ code->ptr[0] = 0x81;
+ code->ptr[1] = (u_char) length;
+ code->len = 2;
+ }
+ else if (length < 65536)
+ {
+ code->ptr[0] = 0x82;
+ code->ptr[1] = length >> 8;
+ code->ptr[2] = length & 0x00ff;
+ code->len = 3;
+ }
+ else
+ {
+ code->ptr[0] = 0x83;
+ code->ptr[1] = length >> 16;
+ code->ptr[2] = (length >> 8) & 0x00ff;
+ code->ptr[3] = length & 0x0000ff;
+ code->len = 4;
+ }
+}
+
+/*
+ * build an empty asn.1 object with tag and length fields already filled in
+ */
+u_char*
+build_asn1_object(chunk_t *object, asn1_t type, size_t datalen)
+{
+ u_char length_buf[4];
+ chunk_t length = { length_buf, 0 };
+ u_char *pos;
+
+ /* code the asn.1 length field */
+ code_asn1_length(datalen, &length);
+
+ /* allocate memory for the asn.1 TLV object */
+ object->len = 1 + length.len + datalen;
+ object->ptr = alloc_bytes(object->len, "asn1 object");
+
+ /* set position pointer at the start of the object */
+ pos = object->ptr;
+
+ /* copy the asn.1 tag field and advance the pointer */
+ *pos++ = type;
+
+ /* copy the asn.1 length field and advance the pointer */
+ chunkcpy(pos, length);
+
+ return pos;
+}
+
+/*
+ * build a simple ASN.1 object
+ */
+chunk_t
+asn1_simple_object(asn1_t tag, chunk_t content)
+{
+ chunk_t object;
+
+ u_char *pos = build_asn1_object(&object, tag, content.len);
+ chunkcpy(pos, content);
+
+ return object;
+}
+
+/* Build an ASN.1 object from a variable number of individual chunks.
+ * Depending on the mode, chunks either are moved ('m') or copied ('c').
+ */
+chunk_t
+asn1_wrap(asn1_t type, const char *mode, ...)
+{
+ chunk_t construct;
+ va_list chunks;
+ u_char *pos;
+ int i;
+ int count = strlen(mode);
+
+ /* sum up lengths of individual chunks */
+ va_start(chunks, mode);
+ construct.len = 0;
+ for (i = 0; i < count; i++)
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+ construct.len += ch.len;
+ }
+ va_end(chunks);
+
+ /* allocate needed memory for construct */
+ pos = build_asn1_object(&construct, type, construct.len);
+
+ /* copy or move the chunks */
+ va_start(chunks, mode);
+ for (i = 0; i < count; i++)
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+
+ switch (*mode++)
+ {
+ case 'm':
+ mv_chunk(&pos, ch);
+ break;
+ case 'c':
+ default:
+ chunkcpy(pos, ch);
+ }
+ }
+ va_end(chunks);
+
+ return construct;
+}
+
+/*
+ * convert a MP integer into a DER coded ASN.1 object
+ */
+chunk_t
+asn1_integer_from_mpz(const mpz_t value)
+{
+ size_t bits = mpz_sizeinbase(value, 2); /* size in bits */
+ size_t size = 1 + bits / BITS_PER_BYTE; /* size in bytes */
+ chunk_t n = mpz_to_n(value, size);
+
+ return asn1_wrap(ASN1_INTEGER, "m", n);
+}
+
+/*
+ * determines if a character string is of type ASN.1 printableString
+ */
+bool
+is_printablestring(chunk_t str)
+{
+ const char printablestring_charset[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
+ u_int i;
+
+ for (i = 0; i < str.len; i++)
+ {
+ if (strchr(printablestring_charset, str.ptr[i]) == NULL)
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*
+ * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
+ */
+time_t
+asn1totime(const chunk_t *utctime, asn1_t type)
+{
+ struct tm t;
+ time_t tz_offset;
+ u_char *eot = NULL;
+
+ if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
+ {
+ tz_offset = 0; /* Zulu time with a zero time zone offset */
+ }
+ else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
+ {
+ int tz_hour, tz_min;
+
+ sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
+ }
+ else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
+ {
+ int tz_hour, tz_min;
+
+ sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
+ }
+ else
+ {
+ return 0; /* error in time format */
+ }
+
+ {
+ const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
+ "%4d%2d%2d%2d%2d";
+
+ sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min);
+ }
+
+ /* is there a seconds field? */
+ if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
+ {
+ sscanf(eot-2, "%2d", &t.tm_sec);
+ }
+ else
+ {
+ t.tm_sec = 0;
+ }
+
+ /* representation of year */
+ if (t.tm_year >= 1900)
+ {
+ t.tm_year -= 1900;
+ }
+ else if (t.tm_year >= 100)
+ {
+ return 0;
+ }
+ else if (t.tm_year < 50)
+ {
+ t.tm_year += 100;
+ }
+
+ /* representation of month 0..11*/
+ t.tm_mon--;
+
+ /* set daylight saving time to off */
+ t.tm_isdst = 0;
+
+ /* compensate timezone */
+
+ return mktime(&t) - timezone - tz_offset;
+}
+
+/*
+ * convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
+ */
+chunk_t
+timetoasn1(const time_t *time, asn1_t type)
+{
+ int offset;
+ const char *format;
+ char buf[TIMETOA_BUF];
+ chunk_t formatted_time;
+ struct tm *t = gmtime(time);
+
+ if (type == ASN1_GENERALIZEDTIME)
+ {
+ format = "%04d%02d%02d%02d%02d%02dZ";
+ offset = 1900;
+ }
+ else /* ASN1_UTCTIME */
+ {
+ format = "%02d%02d%02d%02d%02d%02dZ";
+ offset = (t->tm_year < 100)? 0 : -100;
+ }
+ sprintf(buf, format, t->tm_year + offset, t->tm_mon + 1, t->tm_mday
+ , t->tm_hour, t->tm_min, t->tm_sec);
+ formatted_time.ptr = buf;
+ formatted_time.len = strlen(buf);
+ return asn1_simple_object(type, formatted_time);
+}
+
+
+/*
+ * Initializes the internal context of the ASN.1 parser
+ */
+void
+asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0,
+ bool implicit, u_int cond)
+{
+ ctx->blobs[0] = blob;
+ ctx->level0 = level0;
+ ctx->implicit = implicit;
+ ctx->cond = cond;
+ memset(ctx->loopAddr, '\0', sizeof(ctx->loopAddr));
+}
+
+/*
+ * print the value of an ASN.1 simple object
+ */
+static void
+debug_asn1_simple_object(chunk_t object, asn1_t type, u_int cond)
+{
+ int oid;
+
+ switch (type)
+ {
+ case ASN1_OID:
+ oid = known_oid(object);
+ if (oid != OID_UNKNOWN)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%s'",oid_names[oid].name);
+ )
+ return;
+ }
+ break;
+ case ASN1_UTF8STRING:
+ case ASN1_IA5STRING:
+ case ASN1_PRINTABLESTRING:
+ case ASN1_T61STRING:
+ case ASN1_VISIBLESTRING:
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", (int)object.len, object.ptr);
+ )
+ return;
+ case ASN1_UTCTIME:
+ case ASN1_GENERALIZEDTIME:
+ DBG(DBG_PARSING,
+ time_t time = asn1totime(&object, type);
+ DBG_log(" '%s'", timetoa(&time, TRUE));
+ )
+ return;
+ default:
+ break;
+ }
+ DBG(cond,
+ DBG_dump_chunk("", object);
+ )
+}
+
+/*
+ * Parses and extracts the next ASN.1 object
+ */
+bool
+extract_object(asn1Object_t const *objects,
+ u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx)
+{
+ asn1Object_t obj = objects[*objectID];
+ chunk_t *blob;
+ chunk_t *blob1;
+ u_char *start_ptr;
+
+ *object = empty_chunk;
+
+ if (obj.flags & ASN1_END) /* end of loop or option found */
+ {
+ if (ctx->loopAddr[obj.level] && ctx->blobs[obj.level+1].len > 0)
+ {
+ *objectID = ctx->loopAddr[obj.level]; /* another iteration */
+ obj = objects[*objectID];
+ }
+ else
+ {
+ ctx->loopAddr[obj.level] = 0; /* exit loop or option*/
+ return TRUE;
+ }
+ }
+
+ *level = ctx->level0 + obj.level;
+ blob = ctx->blobs + obj.level;
+ blob1 = blob + 1;
+ start_ptr = blob->ptr;
+
+ /* handle ASN.1 defaults values */
+
+ if ((obj.flags & ASN1_DEF)
+ && (blob->len == 0 || *start_ptr != obj.type) )
+ {
+ /* field is missing */
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s:", *level, obj.name);
+ )
+ if (obj.type & ASN1_CONSTRUCTED)
+ {
+ (*objectID)++ ; /* skip context-specific tag */
+ }
+ return TRUE;
+ }
+
+ /* handle ASN.1 options */
+
+ if ((obj.flags & ASN1_OPT)
+ && (blob->len == 0 || *start_ptr != obj.type))
+ {
+ /* advance to end of missing option field */
+ do
+ (*objectID)++;
+ while (!((objects[*objectID].flags & ASN1_END)
+ && (objects[*objectID].level == obj.level)));
+ return TRUE;
+ }
+
+ /* an ASN.1 object must possess at least a tag and length field */
+
+ if (blob->len < 2)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: ASN.1 object smaller than 2 octets",
+ *level, obj.name);
+ )
+ return FALSE;
+ }
+
+ blob1->len = asn1_length(blob);
+
+ if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: length of ASN.1 object invalid or too large",
+ *level, obj.name);
+ )
+ return FALSE;
+ }
+
+ blob1->ptr = blob->ptr;
+ blob->ptr += blob1->len;
+ blob->len -= blob1->len;
+
+ /* return raw ASN.1 object without prior type checking */
+
+ if (obj.flags & ASN1_RAW)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s:", *level, obj.name);
+ )
+ object->ptr = start_ptr;
+ object->len = (size_t)(blob->ptr - start_ptr);
+ return TRUE;
+ }
+
+ if (*start_ptr != obj.type && !(ctx->implicit && *objectID == 0))
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+ *level, obj.name, obj.type, *start_ptr);
+ DBG_dump("", start_ptr, (u_int)(blob->ptr - start_ptr));
+ )
+ return FALSE;
+ }
+
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s:", ctx->level0+obj.level, obj.name);
+ )
+
+ /* In case of "SEQUENCE OF" or "SET OF" start a loop */
+
+ if (obj.flags & ASN1_LOOP)
+ {
+ if (blob1->len > 0)
+ {
+ /* at least one item, start the loop */
+ ctx->loopAddr[obj.level] = *objectID + 1;
+ }
+ else
+ {
+ /* no items, advance directly to end of loop */
+ do
+ (*objectID)++;
+ while (!((objects[*objectID].flags & ASN1_END)
+ && (objects[*objectID].level == obj.level)));
+ return TRUE;
+ }
+ }
+
+ if (obj.flags & ASN1_OBJ)
+ {
+ object->ptr = start_ptr;
+ object->len = (size_t)(blob->ptr - start_ptr);
+ DBG(ctx->cond,
+ DBG_dump_chunk("", *object);
+ )
+ }
+ else if (obj.flags & ASN1_BODY)
+ {
+ *object = *blob1;
+ debug_asn1_simple_object(*object, obj.type, ctx->cond);
+ }
+ return TRUE;
+}
+
+/*
+ * parse an ASN.1 simple type
+ */
+bool
+parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level
+, const char* name)
+{
+ size_t len;
+
+ /* an ASN.1 object must possess at least a tag and length field */
+ if (object->len < 2)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: ASN.1 object smaller than 2 octets",
+ level, name);
+ )
+ return FALSE;
+ }
+
+ if (*object->ptr != type)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+ level, name, type, *object->ptr);
+ )
+ return FALSE;
+ }
+
+ len = asn1_length(object);
+
+ if (len == ASN1_INVALID_LENGTH || object->len < len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s: length of ASN.1 object invalid or too large",
+ level, name);
+ )
+ return FALSE;
+ }
+
+ DBG(DBG_PARSING,
+ DBG_log("L%d - %s:", level, name);
+ )
+ debug_asn1_simple_object(*object, type, DBG_RAW);
+ return TRUE;
+}
+
+/*
+ * extracts an algorithmIdentifier
+ */
+int
+parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int alg = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < ALGORITHM_ID_ROOF)
+ {
+ if (!extract_object(algorithmIdentifierObjects, &objectID, &object, &level, &ctx))
+ return OID_UNKNOWN;
+
+ switch (objectID)
+ {
+ case ALGORITHM_ID_ALG:
+ alg = known_oid(object);
+ break;
+ case ALGORITHM_ID_PARAMETERS:
+ if (parameters != NULL)
+ *parameters = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ return alg;
+ }
+
+/*
+ * tests if a blob contains a valid ASN.1 set or sequence
+ */
+bool
+is_asn1(chunk_t blob)
+{
+ u_int len;
+ u_char tag = *blob.ptr;
+
+ if (tag != ASN1_SEQUENCE && tag != ASN1_SET)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" file content is not binary ASN.1");
+ )
+ return FALSE;
+ }
+ len = asn1_length(&blob);
+ if (len != blob.len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" file size does not match ASN.1 coded length");
+ )
+ return FALSE;
+ }
+ return TRUE;
+}
diff --git a/src/pluto/asn1.h b/src/pluto/asn1.h
new file mode 100644
index 000000000..2a3fb3e9e
--- /dev/null
+++ b/src/pluto/asn1.h
@@ -0,0 +1,141 @@
+/* Simple ASN.1 parser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: asn1.h,v 1.14 2005/12/06 22:50:10 as Exp $
+ */
+
+#ifndef _ASN1_H
+#define _ASN1_H
+
+#include <stdarg.h>
+#include <gmp.h>
+
+#include "defs.h"
+
+/* Defines some primitive ASN1 types */
+
+typedef enum {
+ ASN1_EOC = 0x00,
+ ASN1_BOOLEAN = 0x01,
+ ASN1_INTEGER = 0x02,
+ ASN1_BIT_STRING = 0x03,
+ ASN1_OCTET_STRING = 0x04,
+ ASN1_NULL = 0x05,
+ ASN1_OID = 0x06,
+ ASN1_ENUMERATED = 0x0A,
+ ASN1_UTF8STRING = 0x0C,
+ ASN1_NUMERICSTRING = 0x12,
+ ASN1_PRINTABLESTRING = 0x13,
+ ASN1_T61STRING = 0x14,
+ ASN1_VIDEOTEXSTRING = 0x15,
+ ASN1_IA5STRING = 0x16,
+ ASN1_UTCTIME = 0x17,
+ ASN1_GENERALIZEDTIME = 0x18,
+ ASN1_GRAPHICSTRING = 0x19,
+ ASN1_VISIBLESTRING = 0x1A,
+ ASN1_GENERALSTRING = 0x1B,
+ ASN1_UNIVERSALSTRING = 0x1C,
+ ASN1_BMPSTRING = 0x1E,
+
+ ASN1_CONSTRUCTED = 0x20,
+
+ ASN1_SEQUENCE = 0x30,
+
+ ASN1_SET = 0x31,
+
+ ASN1_CONTEXT_S_0 = 0x80,
+ ASN1_CONTEXT_S_1 = 0x81,
+ ASN1_CONTEXT_S_2 = 0x82,
+ ASN1_CONTEXT_S_3 = 0x83,
+ ASN1_CONTEXT_S_4 = 0x84,
+ ASN1_CONTEXT_S_5 = 0x85,
+ ASN1_CONTEXT_S_6 = 0x86,
+ ASN1_CONTEXT_S_7 = 0x87,
+ ASN1_CONTEXT_S_8 = 0x88,
+
+ ASN1_CONTEXT_C_0 = 0xA0,
+ ASN1_CONTEXT_C_1 = 0xA1,
+ ASN1_CONTEXT_C_2 = 0xA2,
+ ASN1_CONTEXT_C_3 = 0xA3,
+ ASN1_CONTEXT_C_4 = 0xA4,
+ ASN1_CONTEXT_C_5 = 0xA5
+} asn1_t;
+
+/* Definition of ASN1 flags */
+
+#define ASN1_NONE 0x00
+#define ASN1_DEF 0x01
+#define ASN1_OPT 0x02
+#define ASN1_LOOP 0x04
+#define ASN1_END 0x08
+#define ASN1_OBJ 0x10
+#define ASN1_BODY 0x20
+#define ASN1_RAW 0x40
+
+#define ASN1_INVALID_LENGTH 0xffffffff
+
+/* definition of an ASN.1 object */
+
+typedef struct {
+ u_int level;
+ const u_char *name;
+ asn1_t type;
+ u_char flags;
+} asn1Object_t;
+
+#define ASN1_MAX_LEVEL 10
+
+typedef struct {
+ bool implicit;
+ u_int cond;
+ u_int level0;
+ u_int loopAddr[ASN1_MAX_LEVEL+1];
+ chunk_t blobs[ASN1_MAX_LEVEL+2];
+} asn1_ctx_t;
+
+/* some common prefabricated ASN.1 constants */
+
+extern const chunk_t ASN1_INTEGER_0;
+extern const chunk_t ASN1_INTEGER_1;
+extern const chunk_t ASN1_INTEGER_2;
+
+/* some popular algorithmIdentifiers */
+extern const chunk_t ASN1_md5_id;
+extern const chunk_t ASN1_sha1_id;
+extern const chunk_t ASN1_rsaEncryption_id;
+extern const chunk_t ASN1_md5WithRSA_id;
+extern const chunk_t ASN1_sha1WithRSA_id;
+
+extern chunk_t asn1_algorithmIdentifier(int oid);
+extern int known_oid(chunk_t object);
+extern u_int asn1_length(chunk_t *blob);
+extern void code_asn1_length(size_t length, chunk_t *code);
+extern u_char* build_asn1_object(chunk_t *object, asn1_t type, size_t datalen);
+extern chunk_t asn1_integer_from_mpz(const mpz_t value);
+extern chunk_t asn1_simple_object(asn1_t tag, chunk_t content);
+extern chunk_t asn1_wrap(asn1_t type, const char *mode, ...);
+extern bool is_printablestring(chunk_t str);
+extern time_t asn1totime(const chunk_t *utctime, asn1_t type);
+extern chunk_t timetoasn1(const time_t *time, asn1_t type);
+extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob
+ , u_int level0, bool implicit, u_int cond);
+extern bool extract_object(asn1Object_t const *objects
+ , u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
+extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level
+ , const char* name);
+extern int parse_algorithmIdentifier(chunk_t blob, int level0
+ , chunk_t *parameters);
+extern bool is_asn1(chunk_t blob);
+
+#endif /* _ASN1_H */
+
diff --git a/src/pluto/ca.c b/src/pluto/ca.c
new file mode 100644
index 000000000..d1be22e2f
--- /dev/null
+++ b/src/pluto/ca.c
@@ -0,0 +1,694 @@
+/* Certification Authority (CA) support for IKE authentication
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ca.c,v 1.10 2005/12/25 12:29:55 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <time.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "x509.h"
+#include "ca.h"
+#include "certs.h"
+#include "whack.h"
+#include "fetch.h"
+
+/* chained list of X.509 authority certificates (ca, aa, and ocsp) */
+
+static x509cert_t *x509authcerts = NULL;
+
+const ca_info_t empty_ca_info = {
+ NULL , /* next */
+ NULL , /* name */
+ UNDEFINED_TIME,
+ { NULL, 0 } , /* authName */
+ { NULL, 0 } , /* authKeyID */
+ { NULL, 0 } , /* authKey SerialNumber */
+ NULL , /* ldaphost */
+ NULL , /* ldapbase */
+ NULL , /* ocspori */
+ NULL , /* crluri */
+ FALSE /* strictcrlpolicy */
+};
+
+/* chained list of X.509 certification authority information records */
+
+static ca_info_t *ca_infos = NULL;
+
+/*
+ * Checks if CA a is trusted by CA b
+ */
+bool
+trusted_ca(chunk_t a, chunk_t b, int *pathlen)
+{
+ bool match = FALSE;
+
+ /* no CA b specified -> any CA a is accepted */
+ if (b.ptr == NULL)
+ {
+ *pathlen = (a.ptr == NULL)? 0 : MAX_CA_PATH_LEN;
+ return TRUE;
+ }
+
+ /* no CA a specified -> trust cannot be established */
+ if (a.ptr == NULL)
+ {
+ *pathlen = MAX_CA_PATH_LEN;
+ return FALSE;
+ }
+
+ *pathlen = 0;
+
+ /* CA a equals CA b -> we have a match */
+ if (same_dn(a, b))
+ return TRUE;
+
+ /* CA a might be a subordinate CA of b */
+ lock_authcert_list("trusted_ca");
+
+ while ((*pathlen)++ < MAX_CA_PATH_LEN)
+ {
+ x509cert_t *cacert = get_authcert(a, empty_chunk, empty_chunk, AUTH_CA);
+
+ /* cacert not found or self-signed root cacert-> exit */
+ if (cacert == NULL || same_dn(cacert->issuer, a))
+ break;
+
+ /* does the issuer of CA a match CA b? */
+ match = same_dn(cacert->issuer, b);
+
+ /* we have a match and exit the loop */
+ if (match)
+ break;
+
+ /* go one level up in the CA chain */
+ a = cacert->issuer;
+ }
+
+ unlock_authcert_list("trusted_ca");
+ return match;
+}
+
+/*
+ * does our CA match one of the requested CAs?
+ */
+bool
+match_requested_ca(generalName_t *requested_ca, chunk_t our_ca, int *our_pathlen)
+{
+ /* if no ca is requested than any ca will match */
+ if (requested_ca == NULL)
+ {
+ *our_pathlen = 0;
+ return TRUE;
+ }
+
+ *our_pathlen = MAX_CA_PATH_LEN + 1;
+
+ while (requested_ca != NULL)
+ {
+ int pathlen;
+
+ if (trusted_ca(our_ca, requested_ca->name, &pathlen)
+ && pathlen < *our_pathlen)
+ *our_pathlen = pathlen;
+ requested_ca = requested_ca->next;
+ }
+
+ return *our_pathlen <= MAX_CA_PATH_LEN;
+}
+
+/*
+ * free the first authority certificate in the chain
+ */
+static void
+free_first_authcert(void)
+{
+ x509cert_t *first = x509authcerts;
+ x509authcerts = first->next;
+ free_x509cert(first);
+}
+
+/*
+ * free all CA certificates
+ */
+void
+free_authcerts(void)
+{
+ lock_authcert_list("free_authcerts");
+
+ while (x509authcerts != NULL)
+ free_first_authcert();
+
+ unlock_authcert_list("free_authcerts");
+}
+
+/*
+ * get a X.509 authority certificate with a given subject or keyid
+ */
+x509cert_t*
+get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid, u_char auth_flags)
+{
+ x509cert_t *cert = x509authcerts;
+ x509cert_t *prev_cert = NULL;
+
+ while (cert != NULL)
+ {
+ if (cert->authority_flags & auth_flags
+ && ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
+ : (same_dn(subject, cert->subject)
+ && same_serial(serial, cert->serialNumber))))
+ {
+ if (cert != x509authcerts)
+ {
+ /* bring the certificate up front */
+ prev_cert->next = cert->next;
+ cert->next = x509authcerts;
+ x509authcerts = cert;
+ }
+ return cert;
+ }
+ prev_cert = cert;
+ cert = cert->next;
+ }
+ return NULL;
+}
+
+/*
+ * add an authority certificate to the chained list
+ */
+bool
+add_authcert(x509cert_t *cert, u_char auth_flags)
+{
+ x509cert_t *old_cert;
+
+ /* set authority flags */
+ cert->authority_flags |= auth_flags;
+
+ lock_authcert_list("add_authcert");
+
+ old_cert = get_authcert(cert->subject, cert->serialNumber
+ , cert->subjectKeyID, auth_flags);
+
+ if (old_cert != NULL)
+ {
+ if (same_x509cert(cert, old_cert))
+ {
+ /* cert is already present, just add additional authority flags */
+ old_cert->authority_flags |= cert->authority_flags;
+ DBG(DBG_CONTROL | DBG_PARSING ,
+ DBG_log(" authcert is already present and identical")
+ )
+ unlock_authcert_list("add_authcert");
+
+ free_x509cert(cert);
+ return FALSE;
+ }
+ else
+ {
+ /* cert is already present but will be replaced by new cert */
+ free_first_authcert();
+ DBG(DBG_CONTROL | DBG_PARSING ,
+ DBG_log(" existing authcert deleted")
+ )
+ }
+ }
+
+ /* add new authcert to chained list */
+ cert->next = x509authcerts;
+ x509authcerts = cert;
+ share_x509cert(cert); /* set count to one */
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log(" authcert inserted")
+ )
+ unlock_authcert_list("add_authcert");
+ return TRUE;
+}
+
+/*
+ * Loads authority certificates
+ */
+void
+load_authcerts(const char *type, const char *path, u_char auth_flags)
+{
+ struct dirent **filelist;
+ u_char buf[BUF_LEN];
+ u_char *save_dir;
+ int n;
+
+ /* change directory to specified path */
+ save_dir = getcwd(buf, BUF_LEN);
+
+ if (chdir(path))
+ {
+ plog("Could not change to directory '%s'", path);
+ }
+ else
+ {
+ plog("Changing to directory '%s'", path);
+ n = scandir(path, &filelist, file_select, alphasort);
+
+ if (n < 0)
+ plog(" scandir() error");
+ else
+ {
+ while (n--)
+ {
+ cert_t cert;
+
+ if (load_cert(filelist[n]->d_name, type, &cert))
+ add_authcert(cert.u.x509, auth_flags);
+
+ free(filelist[n]);
+ }
+ free(filelist);
+ }
+ }
+ /* restore directory path */
+ chdir(save_dir);
+}
+
+/*
+ * list all X.509 authcerts with given auth flags in a chained list
+ */
+void
+list_authcerts(const char *caption, u_char auth_flags, bool utc)
+{
+ lock_authcert_list("list_authcerts");
+ list_x509cert_chain(caption, x509authcerts, auth_flags, utc);
+ unlock_authcert_list("list_authcerts");
+}
+
+/*
+ * get a cacert with a given subject or keyid from an alternative list
+ */
+static const x509cert_t*
+get_alt_cacert(chunk_t subject, chunk_t serial, chunk_t keyid
+ , const x509cert_t *cert)
+{
+ while (cert != NULL)
+ {
+ if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->subjectKeyID)
+ : (same_dn(subject, cert->subject)
+ && same_serial(serial, cert->serialNumber)))
+ {
+ return cert;
+ }
+ cert = cert->next;
+ }
+ return NULL;
+}
+
+/* establish trust into a candidate authcert by going up the trust chain.
+ * validity and revocation status are not checked.
+ */
+bool
+trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chain)
+{
+ int pathlen;
+
+ lock_authcert_list("trust_authcert_candidate");
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ const x509cert_t *authcert = NULL;
+ u_char buf[BUF_LEN];
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, cert->subject);
+ DBG_log("subject: '%s'",buf);
+ dntoa(buf, BUF_LEN, cert->issuer);
+ DBG_log("issuer: '%s'",buf);
+ if (cert->authKeyID.ptr != NULL)
+ {
+ datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ )
+
+ /* search in alternative chain first */
+ authcert = get_alt_cacert(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID, alt_chain);
+
+ if (authcert != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("issuer cacert found in alternative chain")
+ )
+ }
+ else
+ {
+ /* search in trusted chain */
+ authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID, AUTH_CA);
+
+ if (authcert != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("issuer cacert found")
+ )
+ }
+ else
+ {
+ plog("issuer cacert not found");
+ unlock_authcert_list("trust_authcert_candidate");
+ return FALSE;
+ }
+ }
+
+ if (!check_signature(cert->tbsCertificate, cert->signature
+ , cert->algorithm, cert->algorithm, authcert))
+ {
+ plog("certificate signature is invalid");
+ unlock_authcert_list("trust_authcert_candidate");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("certificate signature is valid")
+ )
+
+ /* check if cert is a self-signed root ca */
+ if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("reached self-signed root ca")
+ )
+ unlock_authcert_list("trust_authcert_candidate");
+ return TRUE;
+ }
+
+ /* go up one step in the trust chain */
+ cert = authcert;
+ }
+ plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ unlock_authcert_list("trust_authcert_candidate");
+ return FALSE;
+}
+
+/*
+ * get a CA info record with a given authName or authKeyID
+ */
+ca_info_t*
+get_ca_info(chunk_t authname, chunk_t serial, chunk_t keyid)
+{
+ ca_info_t *ca= ca_infos;
+
+ while (ca!= NULL)
+ {
+ if ((keyid.ptr != NULL) ? same_keyid(keyid, ca->authKeyID)
+ : (same_dn(authname, ca->authName)
+ && same_serial(serial, ca->authKeySerialNumber)))
+ {
+ return ca;
+ }
+ ca = ca->next;
+ }
+ return NULL;
+}
+
+
+/*
+ * free the dynamic memory used by a ca_info record
+ */
+static void
+free_ca_info(ca_info_t* ca_info)
+{
+ if (ca_info == NULL)
+ return;
+
+ pfreeany(ca_info->name);
+ pfreeany(ca_info->ldaphost);
+ pfreeany(ca_info->ldapbase);
+ pfreeany(ca_info->ocspuri);
+
+ freeanychunk(ca_info->authName);
+ freeanychunk(ca_info->authKeyID);
+ freeanychunk(ca_info->authKeySerialNumber);
+
+ free_generalNames(ca_info->crluri, TRUE);
+
+ pfree(ca_info);
+}
+
+/*
+ * free all CA certificates
+ */
+void
+free_ca_infos(void)
+{
+ while (ca_infos != NULL)
+ {
+ ca_info_t *ca = ca_infos;
+
+ ca_infos = ca_infos->next;
+ free_ca_info(ca);
+ }
+}
+
+/*
+ * find a CA information record by name and optionally delete it
+ */
+bool
+find_ca_info_by_name(const char *name, bool delete)
+{
+ ca_info_t **ca_p = &ca_infos;
+ ca_info_t *ca = *ca_p;
+
+ while (ca != NULL)
+ {
+ /* is there already an entry? */
+ if (streq(name, ca->name))
+ {
+ if (delete)
+ {
+ lock_ca_info_list("find_ca_info_by_name");
+ *ca_p = ca->next;
+ free_ca_info(ca);
+ plog("deleting ca description \"%s\"", name);
+ unlock_ca_info_list("find_ca_info_by_name");
+ }
+ return TRUE;
+ }
+ ca_p = &ca->next;
+ ca = *ca_p;
+ }
+ return FALSE;
+}
+
+
+ /*
+ * adds a CA description to a chained list
+ */
+void
+add_ca_info(const whack_message_t *msg)
+{
+ smartcard_t *sc = NULL;
+ cert_t cert;
+ bool valid_cert = FALSE;
+ bool cached_cert = FALSE;
+
+ if (find_ca_info_by_name(msg->name, FALSE))
+ {
+ loglog(RC_DUPNAME, "attempt to redefine ca record \"%s\"", msg->name);
+ return;
+ }
+
+ if (scx_on_smartcard(msg->cacert))
+ {
+ /* load CA cert from smartcard */
+ valid_cert = scx_load_cert(msg->cacert, &sc, &cert, &cached_cert);
+ }
+ else
+ {
+ /* load CA cert from file */
+ valid_cert = load_ca_cert(msg->cacert, &cert);
+ }
+
+ if (valid_cert)
+ {
+ char buf[BUF_LEN];
+ x509cert_t *cacert = cert.u.x509;
+ ca_info_t *ca = NULL;
+
+ /* does the authname already exist? */
+ ca = get_ca_info(cacert->subject, cacert->serialNumber
+ , cacert->subjectKeyID);
+
+ if (ca != NULL)
+ {
+ /* ca_info is already present */
+ loglog(RC_DUPNAME, " duplicate ca information in record \"%s\" found,"
+ "ignoring \"%s\"", ca->name, msg->name);
+ free_x509cert(cacert);
+ return;
+ }
+
+ plog("added ca description \"%s\"", msg->name);
+
+ /* create and initialize new ca_info record */
+ ca = alloc_thing(ca_info_t, "ca info");
+ *ca = empty_ca_info;
+
+ /* name */
+ ca->name = clone_str(msg->name, "ca name");
+
+ /* authName */
+ clonetochunk(ca->authName, cacert->subject.ptr
+ , cacert->subject.len, "authName");
+ dntoa(buf, BUF_LEN, ca->authName);
+ DBG(DBG_CONTROL,
+ DBG_log("authname: '%s'", buf)
+ )
+
+ /* authSerialNumber */
+ clonetochunk(ca->authKeySerialNumber, cacert->serialNumber.ptr
+ , cacert->serialNumber.len, "authKeySerialNumber");
+
+ /* authKeyID */
+ if (cacert->subjectKeyID.ptr != NULL)
+ {
+ clonetochunk(ca->authKeyID, cacert->subjectKeyID.ptr
+ , cacert->subjectKeyID.len, "authKeyID");
+ datatot(cacert->subjectKeyID.ptr, cacert->subjectKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG(DBG_CONTROL | DBG_PARSING ,
+ DBG_log("authkey: %s", buf)
+ )
+ }
+
+ /* ldaphost */
+ ca->ldaphost = clone_str(msg->ldaphost, "ldaphost");
+
+ /* ldapbase */
+ ca->ldapbase = clone_str(msg->ldapbase, "ldapbase");
+
+ /* ocspuri */
+ if (msg->ocspuri != NULL)
+ {
+ if (strncasecmp(msg->ocspuri, "http", 4) == 0)
+ ca->ocspuri = clone_str(msg->ocspuri, "ocspuri");
+ else
+ plog(" ignoring ocspuri with unkown protocol");
+ }
+
+ /* crluri2*/
+ if (msg->crluri2 != NULL)
+ {
+ generalName_t gn =
+ { NULL, GN_URI, {msg->crluri2, strlen(msg->crluri2)} };
+
+ add_distribution_points(&gn, &ca->crluri);
+ }
+
+ /* crluri */
+ if (msg->crluri != NULL)
+ {
+ generalName_t gn =
+ { NULL, GN_URI, {msg->crluri, strlen(msg->crluri)} };
+
+ add_distribution_points(&gn, &ca->crluri);
+ }
+
+ /* strictrlpolicy */
+ ca->strictcrlpolicy = msg->whack_strict;
+
+ /* insert ca_info record into the chained list */
+ lock_ca_info_list("add_ca_info");
+
+ ca->next = ca_infos;
+ ca_infos = ca;
+ ca->installed = time(NULL);
+
+ unlock_ca_info_list("add_ca_info");
+
+ /* add cacert to list of authcerts */
+ if (!cached_cert)
+ {
+ if (add_authcert(cacert, AUTH_CA) && sc != NULL)
+ {
+ if (sc->last_cert.type == CERT_X509_SIGNATURE)
+ sc->last_cert.u.x509->count--;
+ sc->last_cert = cert;
+ share_cert(sc->last_cert);
+ }
+ }
+ if (sc != NULL)
+ time(&sc->last_load);
+ }
+}
+
+/*
+ * list all ca_info records in the chained list
+ */
+void
+list_ca_infos(bool utc)
+{
+ ca_info_t *ca = ca_infos;
+
+ if (ca != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of X.509 CA Information Records:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (ca != NULL)
+ {
+ u_char buf[BUF_LEN];
+
+ /* strictpolicy per CA not supported yet
+ *
+ whack_log(RC_COMMENT, "%s, \"%s\", strictcrlpolicy: %s"
+ , timetoa(&ca->installed, utc), ca->name
+ , ca->strictcrlpolicy? "yes":"no");
+ */
+ whack_log(RC_COMMENT, "%s, \"%s\"", timetoa(&ca->installed, utc), ca->name);
+ dntoa(buf, BUF_LEN, ca->authName);
+ whack_log(RC_COMMENT, " authname: '%s'", buf);
+ if (ca->ldaphost != NULL)
+ whack_log(RC_COMMENT, " ldaphost: '%s'", ca->ldaphost);
+ if (ca->ldapbase != NULL)
+ whack_log(RC_COMMENT, " ldapbase: '%s'", ca->ldapbase);
+ if (ca->ocspuri != NULL)
+ whack_log(RC_COMMENT, " ocspuri: '%s'", ca->ocspuri);
+
+ list_distribution_points(ca->crluri);
+
+ if (ca->authKeyID.ptr != NULL)
+ {
+ datatot(ca->authKeyID.ptr, ca->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (ca->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(ca->authKeySerialNumber.ptr, ca->authKeySerialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+ ca = ca->next;
+ }
+}
+
+
diff --git a/src/pluto/ca.h b/src/pluto/ca.h
new file mode 100644
index 000000000..8d4602dc6
--- /dev/null
+++ b/src/pluto/ca.h
@@ -0,0 +1,70 @@
+/* Certification Authority (CA) support for IKE authentication
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ca.h,v 1.5 2005/12/25 12:28:40 as Exp $
+ */
+
+#ifndef _CA_H
+#define _CA_H
+
+#include "x509.h"
+#include "whack.h"
+
+#define MAX_CA_PATH_LEN 7
+
+/* authority flags */
+
+#define AUTH_NONE 0x00 /* no authorities */
+#define AUTH_CA 0x01 /* certification authority */
+#define AUTH_AA 0x02 /* authorization authority */
+#define AUTH_OCSP 0x04 /* ocsp signing authority */
+
+/* CA info structures */
+
+typedef struct ca_info ca_info_t;
+
+struct ca_info {
+ ca_info_t *next;
+ char *name;
+ time_t installed;
+ chunk_t authName;
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+ char *ldaphost;
+ char *ldapbase;
+ char *ocspuri;
+ generalName_t *crluri;
+ bool strictcrlpolicy;
+};
+
+extern bool trusted_ca(chunk_t a, chunk_t b, int *pathlen);
+extern bool match_requested_ca(generalName_t *requested_ca
+ , chunk_t our_ca, int *our_pathlen);
+extern x509cert_t* get_authcert(chunk_t subject, chunk_t serial, chunk_t keyid
+ , u_char auth_flags);
+extern void load_authcerts(const char *type, const char *path
+ , u_char auth_flags);
+extern bool add_authcert(x509cert_t *cert, u_char auth_flags);
+extern void free_authcerts(void);
+extern void list_authcerts(const char *caption, u_char auth_flags, bool utc);
+extern bool trust_authcert_candidate(const x509cert_t *cert
+ , const x509cert_t *alt_chain);
+extern ca_info_t* get_ca_info(chunk_t name, chunk_t serial, chunk_t keyid);
+extern bool find_ca_info_by_name(const char *name, bool delete);
+extern void add_ca_info(const whack_message_t *msg);
+extern void delete_ca_info(const char *name);
+extern void free_ca_infos(void);
+extern void list_ca_infos(bool utc);
+
+#endif /* _CA_H */
+
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
new file mode 100644
index 000000000..779646a98
--- /dev/null
+++ b/src/pluto/certs.c
@@ -0,0 +1,287 @@
+/* Certificate support for IKE authentication
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: certs.c,v 1.8 2005/11/06 22:55:41 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "asn1.h"
+#include "id.h"
+#include "x509.h"
+#include "pgp.h"
+#include "pem.h"
+#include "certs.h"
+#include "pkcs1.h"
+
+/*
+ * used for initializatin of certs
+ */
+const cert_t empty_cert = {CERT_NONE, {NULL}};
+
+/*
+ * extracts the certificate to be sent to the peer
+ */
+chunk_t
+get_mycert(cert_t cert)
+{
+ switch (cert.type)
+ {
+ case CERT_PGP:
+ return cert.u.pgp->certificate;
+ case CERT_X509_SIGNATURE:
+ return cert.u.x509->certificate;
+ default:
+ return empty_chunk;
+ }
+}
+
+/* load a coded key or certificate file with autodetection
+ * of binary DER or base64 PEM ASN.1 formats and armored PGP format
+ */
+bool
+load_coded_file(const char *filename, prompt_pass_t *pass, const char *type
+, chunk_t *blob, bool *pgp)
+{
+ err_t ugh = NULL;
+
+ FILE *fd = fopen(filename, "r");
+
+ if (fd)
+ {
+ int bytes;
+ fseek(fd, 0, SEEK_END );
+ blob->len = ftell(fd);
+ rewind(fd);
+ blob->ptr = alloc_bytes(blob->len, type);
+ bytes = fread(blob->ptr, 1, blob->len, fd);
+ fclose(fd);
+ plog(" loaded %s file '%s' (%d bytes)", type, filename, bytes);
+
+ *pgp = FALSE;
+
+ /* try DER format */
+ if (is_asn1(*blob))
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" file coded in DER format");
+ )
+ return TRUE;
+ }
+
+ /* try PEM format */
+ ugh = pemtobin(blob, pass, filename, pgp);
+
+ if (ugh == NULL)
+ {
+ if (*pgp)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" file coded in armored PGP format");
+ )
+ return TRUE;
+ }
+ if (is_asn1(*blob))
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" file coded in PEM format");
+ )
+ return TRUE;
+ }
+ ugh = "file coded in unknown format, discarded";
+ }
+
+ /* a conversion error has occured */
+ plog(" %s", ugh);
+ pfree(blob->ptr);
+ *blob = empty_chunk;
+ }
+ else
+ {
+ plog(" could not open %s file '%s'", type, filename);
+ }
+ return FALSE;
+}
+
+/*
+ * Loads a PKCS#1 or PGP private RSA key file
+ */
+err_t
+load_rsa_private_key(const char* filename, prompt_pass_t *pass
+, RSA_private_key_t *key)
+{
+ err_t ugh = NULL;
+ bool pgp = FALSE;
+ chunk_t blob = empty_chunk;
+
+ const char *path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+
+ if (load_coded_file(path, pass, "private key", &blob, &pgp))
+ {
+ if (pgp)
+ {
+ if (!parse_pgp(blob, NULL, key))
+ ugh = "syntax error in PGP private key file";
+ }
+ else
+ {
+ if (!pkcs1_parse_private_key(blob, key))
+ ugh = "syntax error in PKCS#1 private key file";
+ }
+ pfree(blob.ptr);
+ }
+ else
+ ugh = "error loading RSA private key file";
+
+ return ugh;
+}
+/*
+ * Loads a X.509 or OpenPGP certificate
+ */
+bool
+load_cert(const char *filename, const char *label, cert_t *cert)
+{
+ bool pgp = FALSE;
+ chunk_t blob = empty_chunk;
+
+ /* initialize cert struct */
+ cert->type = CERT_NONE;
+ cert->u.x509 = NULL;
+
+ if (load_coded_file(filename, NULL, label, &blob, &pgp))
+ {
+ if (pgp)
+ {
+ pgpcert_t *pgpcert = alloc_thing(pgpcert_t, "pgpcert");
+ *pgpcert = empty_pgpcert;
+ if (parse_pgp(blob, pgpcert, NULL))
+ {
+ cert->type = CERT_PGP;
+ cert->u.pgp = pgpcert;
+ return TRUE;
+ }
+ else
+ {
+ plog(" error in OpenPGP certificate");
+ free_pgpcert(pgpcert);
+ return FALSE;
+ }
+ }
+ else
+ {
+ x509cert_t *x509cert = alloc_thing(x509cert_t, "x509cert");
+ *x509cert = empty_x509cert;
+ if (parse_x509cert(blob, 0, x509cert))
+ {
+ cert->type = CERT_X509_SIGNATURE;
+ cert->u.x509 = x509cert;
+ return TRUE;
+ }
+ else
+ {
+ plog(" error in X.509 certificate");
+ free_x509cert(x509cert);
+ return FALSE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Loads a host certificate
+ */
+bool
+load_host_cert(const char *filename, cert_t *cert)
+{
+ const char *path = concatenate_paths(HOST_CERT_PATH, filename);
+
+ return load_cert(path, "host cert", cert);
+}
+
+/*
+ * Loads a CA certificate
+ */
+bool
+load_ca_cert(const char *filename, cert_t *cert)
+{
+ const char *path = concatenate_paths(CA_CERT_PATH, filename);
+
+ return load_cert(path, "CA cert", cert);
+}
+
+/*
+ * establish equality of two certificates
+ */
+bool
+same_cert(const cert_t *a, const cert_t *b)
+{
+ return a->type == b->type && a->u.x509 == b->u.x509;
+}
+
+/* for each link pointing to the certif icate
+ " increase the count by one
+ */
+void
+share_cert(cert_t cert)
+{
+ switch (cert.type)
+ {
+ case CERT_PGP:
+ share_pgpcert(cert.u.pgp);
+ break;
+ case CERT_X509_SIGNATURE:
+ share_x509cert(cert.u.x509);
+ break;
+ default:
+ break;
+ }
+}
+
+/* release of a certificate decreases the count by one
+ " the certificate is freed when the counter reaches zero
+ */
+void
+release_cert(cert_t cert)
+{
+ switch (cert.type)
+ {
+ case CERT_PGP:
+ release_pgpcert(cert.u.pgp);
+ break;
+ case CERT_X509_SIGNATURE:
+ release_x509cert(cert.u.x509);
+ break;
+ default:
+ break;
+ }
+}
+
+/*
+ * list all X.509 and OpenPGP end certificates
+ */
+void
+list_certs(bool utc)
+{
+ list_x509_end_certs(utc);
+ list_pgp_end_certs(utc);
+}
+
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
new file mode 100644
index 000000000..ca5acd35a
--- /dev/null
+++ b/src/pluto/certs.h
@@ -0,0 +1,80 @@
+/* Certificate support for IKE authentication
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: certs.h,v 1.7 2005/11/06 22:55:41 as Exp $
+ */
+
+#ifndef _CERTS_H
+#define _CERTS_H
+
+#include "pkcs1.h"
+#include "x509.h"
+#include "pgp.h"
+
+/* path definitions for private keys, end certs,
+ * cacerts, attribute certs and crls
+ */
+#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
+#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
+#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
+#define A_CERT_PATH IPSEC_CONFDIR "/ipsec.d/acerts"
+#define AA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/aacerts"
+#define OCSP_CERT_PATH IPSEC_CONFDIR "/ipsec.d/ocspcerts"
+#define CRL_PATH IPSEC_CONFDIR "/ipsec.d/crls"
+#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
+
+/* advance warning of imminent expiry of
+ * cacerts, public keys, and crls
+ */
+#define CA_CERT_WARNING_INTERVAL 30 /* days */
+#define OCSP_CERT_WARNING_INTERVAL 30 /* days */
+#define PUBKEY_WARNING_INTERVAL 7 /* days */
+#define CRL_WARNING_INTERVAL 7 /* days */
+#define ACERT_WARNING_INTERVAL 1 /* day */
+
+/* certificate access structure
+ * currently X.509 and OpenPGP certificates are supported
+ */
+typedef struct {
+ u_char type;
+ union {
+ x509cert_t *x509;
+ pgpcert_t *pgp;
+ } u;
+} cert_t;
+
+/* used for initialization */
+extern const cert_t empty_cert;
+
+/* do not send certificate requests
+ * flag set in plutomain.c and used in ipsec_doi.c
+ */
+extern bool no_cr_send;
+
+extern err_t load_rsa_private_key(const char* filename, prompt_pass_t *pass
+ , RSA_private_key_t *key);
+extern chunk_t get_mycert(cert_t cert);
+extern bool load_coded_file(const char *filename, prompt_pass_t *pass
+ , const char *type, chunk_t *blob, bool *pgp);
+extern bool load_cert(const char *filename, const char *label
+ , cert_t *cert);
+extern bool load_host_cert(const char *filename, cert_t *cert);
+extern bool load_ca_cert(const char *filename, cert_t *cert);
+extern bool same_cert(const cert_t *a, const cert_t *b);
+extern void share_cert(cert_t cert);
+extern void release_cert(cert_t cert);
+extern void list_certs(bool utc);
+
+#endif /* _CERTS_H */
+
+
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
new file mode 100644
index 000000000..0d02b979c
--- /dev/null
+++ b/src/pluto/connections.c
@@ -0,0 +1,4406 @@
+/* information about connections between hosts and clients
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: connections.c,v 1.43 2006/04/29 18:16:02 as Exp $
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+#include "kameipsec.h"
+
+#include "constants.h"
+#include "defs.h"
+#include "id.h"
+#include "x509.h"
+#include "ca.h"
+#include "crl.h"
+#include "pgp.h"
+#include "certs.h"
+#include "ac.h"
+#include "smartcard.h"
+#include "fetch.h"
+#include "connections.h"
+#include "foodgroups.h"
+#include "demux.h"
+#include "state.h"
+#include "timer.h"
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "server.h"
+#include "kernel.h"
+#include "log.h"
+#include "keys.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "whack.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+#include "nat_traversal.h"
+#include "virtual.h"
+
+static void flush_pending_by_connection(struct connection *c); /* forward */
+
+static struct connection *connections = NULL;
+
+/* struct host_pair: a nexus of information about a pair of hosts.
+ * A host is an IP address, UDP port pair. This is a debatable choice:
+ * - should port be considered (no choice of port in standard)?
+ * - should ID be considered (hard because not always known)?
+ * - should IP address matter on our end (we don't know our end)?
+ * Only oriented connections are registered.
+ * Unoriented connections are kept on the unoriented_connections
+ * linked list (using hp_next). For them, host_pair is NULL.
+ */
+
+struct host_pair {
+ struct {
+ ip_address addr;
+ u_int16_t port; /* host order */
+ } me, him;
+ bool initial_connection_sent;
+ struct connection *connections; /* connections with this pair */
+ struct pending *pending; /* awaiting Keying Channel */
+ struct host_pair *next;
+};
+
+static struct host_pair *host_pairs = NULL;
+
+static struct connection *unoriented_connections = NULL;
+
+/* check to see that Ids of peers match */
+bool
+same_peer_ids(const struct connection *c, const struct connection *d
+, const struct id *his_id)
+{
+ return same_id(&c->spd.this.id, &d->spd.this.id)
+ && same_id(his_id == NULL? &c->spd.that.id : his_id, &d->spd.that.id);
+}
+
+static struct host_pair *
+find_host_pair(const ip_address *myaddr, u_int16_t myport
+, const ip_address *hisaddr, u_int16_t hisport)
+{
+ struct host_pair *p, *prev;
+
+ /* default hisaddr to an appropriate any */
+ if (hisaddr == NULL)
+ hisaddr = aftoinfo(addrtypeof(myaddr))->any;
+
+ if (nat_traversal_enabled)
+ {
+ /**
+ * port is not relevant in host_pair. with nat_traversal we
+ * always use pluto_port (500)
+ */
+ myport = pluto_port;
+ hisport = pluto_port;
+ }
+
+ for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
+ {
+ if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
+ && sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+ {
+ if (prev != NULL)
+ {
+ prev->next = p->next; /* remove p from list */
+ p->next = host_pairs; /* and stick it on front */
+ host_pairs = p;
+ }
+ break;
+ }
+ }
+ return p;
+}
+
+/* find head of list of connections with this pair of hosts */
+static struct connection *
+find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
+, const ip_address *hisaddr, u_int16_t hisport)
+{
+ struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
+
+ if (nat_traversal_enabled && hp && hisaddr)
+ {
+ struct connection *c;
+
+ for (c = hp->connections; c != NULL; c = c->hp_next)
+ {
+ if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
+ return c;
+ }
+ return NULL;
+ }
+ return hp == NULL? NULL : hp->connections;
+}
+
+static void
+connect_to_host_pair(struct connection *c)
+{
+ if (oriented(*c))
+ {
+ struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+ , &c->spd.that.host_addr, c->spd.that.host_port);
+
+ if (hp == NULL)
+ {
+ /* no suitable host_pair -- build one */
+ hp = alloc_thing(struct host_pair, "host_pair");
+ hp->me.addr = c->spd.this.host_addr;
+ hp->him.addr = c->spd.that.host_addr;
+ hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
+ hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
+ hp->initial_connection_sent = FALSE;
+ hp->connections = NULL;
+ hp->pending = NULL;
+ hp->next = host_pairs;
+ host_pairs = hp;
+ }
+ c->host_pair = hp;
+ c->hp_next = hp->connections;
+ hp->connections = c;
+ }
+ else
+ {
+ /* since this connection isn't oriented, we place it
+ * in the unoriented_connections list instead.
+ */
+ c->host_pair = NULL;
+ c->hp_next = unoriented_connections;
+ unoriented_connections = c;
+ }
+}
+
+/* find a connection by name.
+ * If strict, don't accept a CK_INSTANCE.
+ * Move the winner (if any) to the front.
+ * If none is found, and strict, a diagnostic is logged to whack.
+ */
+struct connection *
+con_by_name(const char *nm, bool strict)
+{
+ struct connection *p, *prev;
+
+ for (prev = NULL, p = connections; ; prev = p, p = p->ac_next)
+ {
+ if (p == NULL)
+ {
+ if (strict)
+ whack_log(RC_UNKNOWN_NAME
+ , "no connection named \"%s\"", nm);
+ break;
+ }
+ if (streq(p->name, nm)
+ && (!strict || p->kind != CK_INSTANCE))
+ {
+ if (prev != NULL)
+ {
+ prev->ac_next = p->ac_next; /* remove p from list */
+ p->ac_next = connections; /* and stick it on front */
+ connections = p;
+ }
+ break;
+ }
+ }
+ return p;
+}
+
+void
+release_connection(struct connection *c, bool relations)
+{
+ if (c->kind == CK_INSTANCE)
+ {
+ /* This does everything we need.
+ * Note that we will be called recursively by delete_connection,
+ * but kind will be CK_GOING_AWAY.
+ */
+ delete_connection(c, relations);
+ }
+ else
+ {
+ flush_pending_by_connection(c);
+ delete_states_by_connection(c, relations);
+ unroute_connection(c);
+ }
+}
+
+/* Delete a connection */
+
+#define list_rm(etype, enext, e, ehead) { \
+ etype **ep; \
+ for (ep = &(ehead); *ep != (e); ep = &(*ep)->enext) \
+ passert(*ep != NULL); /* we must not come up empty-handed */ \
+ *ep = (e)->enext; \
+ }
+
+
+void
+delete_connection(struct connection *c, bool relations)
+{
+ struct connection *old_cur_connection
+ = cur_connection == c? NULL : cur_connection;
+#ifdef DEBUG
+ lset_t old_cur_debugging = cur_debugging;
+#endif
+
+ set_cur_connection(c);
+
+ /* Must be careful to avoid circularity:
+ * we mark c as going away so it won't get deleted recursively.
+ */
+ passert(c->kind != CK_GOING_AWAY);
+ if (c->kind == CK_INSTANCE)
+ {
+ plog("deleting connection \"%s\" instance with peer %s {isakmp=#%lu/ipsec=#%lu}"
+ , c->name
+ , ip_str(&c->spd.that.host_addr)
+ , c->newest_isakmp_sa, c->newest_ipsec_sa);
+ c->kind = CK_GOING_AWAY;
+ }
+ else
+ {
+ plog("deleting connection");
+ }
+ release_connection(c, relations); /* won't delete c */
+
+ if (c->kind == CK_GROUP)
+ delete_group(c);
+
+ /* free up any logging resources */
+ perpeer_logfree(c);
+
+ /* find and delete c from connections list */
+ list_rm(struct connection, ac_next, c, connections);
+ cur_connection = old_cur_connection;
+
+ /* find and delete c from the host pair list */
+ if (c->host_pair == NULL)
+ {
+ if (c->ikev1)
+ list_rm(struct connection, hp_next, c, unoriented_connections);
+ }
+ else
+ {
+ struct host_pair *hp = c->host_pair;
+
+ list_rm(struct connection, hp_next, c, hp->connections);
+ c->host_pair = NULL; /* redundant, but safe */
+
+ /* if there are no more connections with this host_pair
+ * and we haven't even made an initial contact, let's delete
+ * this guy in case we were created by an attempted DOS attack.
+ */
+ if (hp->connections == NULL
+ && !hp->initial_connection_sent)
+ {
+ passert(hp->pending == NULL); /* ??? must deal with this! */
+ list_rm(struct host_pair, next, hp, host_pairs);
+ pfree(hp);
+ }
+ }
+
+ if (c->kind != CK_GOING_AWAY)
+ pfreeany(c->spd.that.virt);
+
+#ifdef DEBUG
+ cur_debugging = old_cur_debugging;
+#endif
+ pfreeany(c->name);
+ free_id_content(&c->spd.this.id);
+ pfreeany(c->spd.this.updown);
+ freeanychunk(c->spd.this.ca);
+ free_ietfAttrList(c->spd.this.groups);
+ free_id_content(&c->spd.that.id);
+ pfreeany(c->spd.that.updown);
+ freeanychunk(c->spd.that.ca);
+ free_ietfAttrList(c->spd.that.groups);
+ free_generalNames(c->requested_ca, TRUE);
+ gw_delref(&c->gw_info);
+
+ lock_certs_and_keys("delete_connection");
+ release_cert(c->spd.this.cert);
+ scx_release(c->spd.this.sc);
+ release_cert(c->spd.that.cert);
+ scx_release(c->spd.that.sc);
+ unlock_certs_and_keys("delete_connection");
+
+ alg_info_delref((struct alg_info **)&c->alg_info_esp);
+ alg_info_delref((struct alg_info **)&c->alg_info_ike);
+
+ pfree(c);
+}
+
+/* Delete connections with the specified name */
+void
+delete_connections_by_name(const char *name, bool strict)
+{
+ struct connection *c = con_by_name(name, strict);
+
+ for (; c != NULL; c = con_by_name(name, FALSE))
+ delete_connection(c, FALSE);
+}
+
+void
+delete_every_connection(void)
+{
+ while (connections != NULL)
+ delete_connection(connections, TRUE);
+}
+
+void
+release_dead_interfaces(void)
+{
+ struct host_pair *hp;
+
+ for (hp = host_pairs; hp != NULL; hp = hp->next)
+ {
+ struct connection **pp
+ , *p;
+
+ for (pp = &hp->connections; (p = *pp) != NULL; )
+ {
+ if (p->interface->change == IFN_DELETE)
+ {
+ /* this connection's interface is going away */
+ enum connection_kind k = p->kind;
+
+ release_connection(p, TRUE);
+
+ if (k <= CK_PERMANENT)
+ {
+ /* The connection should have survived release:
+ * move it to the unoriented_connections list.
+ */
+ passert(p == *pp);
+
+ p->interface = NULL;
+
+ *pp = p->hp_next; /* advance *pp */
+ p->host_pair = NULL;
+ p->hp_next = unoriented_connections;
+ unoriented_connections = p;
+ }
+ else
+ {
+ /* The connection should have vanished,
+ * but the previous connection remains.
+ */
+ passert(p != *pp);
+ }
+ }
+ else
+ {
+ pp = &p->hp_next; /* advance pp */
+ }
+ }
+ }
+}
+
+/* adjust orientations of connections to reflect newly added interfaces */
+void
+check_orientations(void)
+{
+ /* try to orient all the unoriented connections */
+ {
+ struct connection *c = unoriented_connections;
+
+ unoriented_connections = NULL;
+
+ while (c != NULL)
+ {
+ struct connection *nxt = c->hp_next;
+
+ (void)orient(c);
+ connect_to_host_pair(c);
+ c = nxt;
+ }
+ }
+
+ /* Check that no oriented connection has become double-oriented.
+ * In other words, the far side must not match one of our new interfaces.
+ */
+ {
+ struct iface *i;
+
+ for (i = interfaces; i != NULL; i = i->next)
+ {
+ if (i->change == IFN_ADD)
+ {
+ struct host_pair *hp;
+
+ for (hp = host_pairs; hp != NULL; hp = hp->next)
+ {
+ if (sameaddr(&hp->him.addr, &i->addr)
+ && (!no_klips || hp->him.port == pluto_port))
+ {
+ /* bad news: the whole chain of connections
+ * hanging off this host pair has both sides
+ * matching an interface.
+ * We'll get rid of them, using orient and
+ * connect_to_host_pair. But we'll be lazy
+ * and not ditch the host_pair itself (the
+ * cost of leaving it is slight and cannot
+ * be induced by a foe).
+ */
+ struct connection *c = hp->connections;
+
+ hp->connections = NULL;
+ while (c != NULL)
+ {
+ struct connection *nxt = c->hp_next;
+
+ c->interface = NULL;
+ (void)orient(c);
+ connect_to_host_pair(c);
+ c = nxt;
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+static err_t
+default_end(struct end *e, ip_address *dflt_nexthop)
+{
+ err_t ugh = NULL;
+ const struct af_info *afi = aftoinfo(addrtypeof(&e->host_addr));
+
+ if (afi == NULL)
+ return "unknown address family in default_end";
+
+ /* default ID to IP (but only if not NO_IP -- WildCard) */
+ if (e->id.kind == ID_NONE && !isanyaddr(&e->host_addr))
+ {
+ e->id.kind = afi->id_addr;
+ e->id.ip_addr = e->host_addr;
+ e->has_id_wildcards = FALSE;
+ }
+
+ /* default nexthop to other side */
+ if (isanyaddr(&e->host_nexthop))
+ e->host_nexthop = *dflt_nexthop;
+
+ /* default client to subnet containing only self
+ * XXX This may mean that the client's address family doesn't match
+ * tunnel_addr_family.
+ */
+ if (!e->has_client)
+ ugh = addrtosubnet(&e->host_addr, &e->client);
+
+ return ugh;
+}
+
+/* Format the topology of a connection end, leaving out defaults.
+ * Largest left end looks like: client === host : port [ host_id ] --- hop
+ * Note: if that==NULL, skip nexthop
+ * Returns strlen of formated result (length excludes NUL at end).
+ */
+size_t
+format_end(char *buf
+, size_t buf_len
+, const struct end *this
+, const struct end *that
+, bool is_left
+, lset_t policy)
+{
+ char client[SUBNETTOT_BUF];
+ const char *client_sep = "";
+ char protoport[sizeof(":255/65535")];
+ const char *host = NULL;
+ char host_space[ADDRTOT_BUF];
+ char host_port[sizeof(":65535")];
+ char host_id[BUF_LEN + 2];
+ char hop[ADDRTOT_BUF];
+ const char *hop_sep = "";
+ const char *open_brackets = "";
+ const char *close_brackets = "";
+
+ if (isanyaddr(&this->host_addr))
+ {
+ switch (policy & (POLICY_GROUP | POLICY_OPPO))
+ {
+ case POLICY_GROUP:
+ host = "%group";
+ break;
+ case POLICY_OPPO:
+ host = "%opportunistic";
+ break;
+ case POLICY_GROUP | POLICY_OPPO:
+ host = "%opportunisticgroup";
+ break;
+ default:
+ host = "%any";
+ break;
+ }
+ }
+
+ client[0] = '\0';
+
+ if (is_virtual_end(this) && isanyaddr(&this->host_addr))
+ {
+ host = "%virtual";
+ }
+
+ /* [client===] */
+ if (this->has_client)
+ {
+ ip_address client_net, client_mask;
+
+ networkof(&this->client, &client_net);
+ maskof(&this->client, &client_mask);
+ client_sep = "===";
+
+ /* {client_subnet_wildcard} */
+ if (this->has_client_wildcard)
+ {
+ open_brackets = "{";
+ close_brackets = "}";
+ }
+
+ if (isanyaddr(&client_net) && isanyaddr(&client_mask)
+ && (policy & (POLICY_GROUP | POLICY_OPPO)))
+ client_sep = ""; /* boring case */
+ else if (subnetisnone(&this->client))
+ strcpy(client, "?");
+ else
+ subnettot(&this->client, 0, client, sizeof(client));
+ }
+ else if (this->modecfg && isanyaddr(&this->host_srcip))
+ {
+ /* we are mode config client */
+ client_sep = "===";
+ strcpy(client, "%modecfg");
+ }
+
+ /* host */
+ if (host == NULL)
+ {
+ addrtot(&this->host_addr, 0, host_space, sizeof(host_space));
+ host = host_space;
+ }
+
+ host_port[0] = '\0';
+ if (this->host_port != IKE_UDP_PORT)
+ snprintf(host_port, sizeof(host_port), ":%u"
+ , this->host_port);
+
+ /* payload portocol and port */
+ protoport[0] = '\0';
+ if (this->has_port_wildcard)
+ snprintf(protoport, sizeof(protoport), ":%u/%%any", this->protocol);
+ else if (this->port || this->protocol)
+ snprintf(protoport, sizeof(protoport), ":%u/%u", this->protocol
+ , this->port);
+
+ /* id, if different from host */
+ host_id[0] = '\0';
+ if (this->id.kind == ID_MYID)
+ {
+ strcpy(host_id, "[%myid]");
+ }
+ else if (!(this->id.kind == ID_NONE
+ || (id_is_ipaddr(&this->id) && sameaddr(&this->id.ip_addr, &this->host_addr))))
+ {
+ int len = idtoa(&this->id, host_id+1, sizeof(host_id)-2);
+
+ host_id[0] = '[';
+ strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
+ }
+
+ /* [---hop] */
+ hop[0] = '\0';
+ hop_sep = "";
+ if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
+ {
+ addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
+ hop_sep = "---";
+ }
+
+ if (is_left)
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
+ , open_brackets, client, close_brackets
+ , client_sep, host, host_port, host_id
+ , protoport, hop_sep, hop);
+ else
+ snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
+ , hop, hop_sep, host, host_port, host_id
+ , protoport, client_sep
+ , open_brackets, client, close_brackets);
+ return strlen(buf);
+}
+
+/* format topology of a connection.
+ * Two symmetric ends separated by ...
+ */
+#define CONNECTION_BUF (2 * (END_BUF - 1) + 4)
+
+static size_t
+format_connection(char *buf, size_t buf_len
+ , const struct connection *c
+ , struct spd_route *sr)
+{
+ size_t w = format_end(buf, buf_len, &sr->this, &sr->that, TRUE, LEMPTY);
+
+ w += snprintf(buf + w, buf_len - w, "...");
+ return w + format_end(buf + w, buf_len - w, &sr->that, &sr->this, FALSE, c->policy);
+}
+
+static void
+unshare_connection_strings(struct connection *c)
+{
+ c->name = clone_str(c->name, "connection name");
+
+ unshare_id_content(&c->spd.this.id);
+ c->spd.this.updown = clone_str(c->spd.this.updown, "updown");
+ scx_share(c->spd.this.sc);
+ share_cert(c->spd.this.cert);
+ if (c->spd.this.ca.ptr != NULL)
+ clonetochunk(c->spd.this.ca, c->spd.this.ca.ptr, c->spd.this.ca.len, "ca string");
+
+ unshare_id_content(&c->spd.that.id);
+ c->spd.that.updown = clone_str(c->spd.that.updown, "updown");
+ scx_share(c->spd.that.sc);
+ share_cert(c->spd.that.cert);
+ if (c->spd.that.ca.ptr != NULL)
+ clonetochunk(c->spd.that.ca, c->spd.that.ca.ptr, c->spd.that.ca.len, "ca string");
+
+ /* increment references to algo's */
+ alg_info_addref((struct alg_info *)c->alg_info_esp);
+ alg_info_addref((struct alg_info *)c->alg_info_ike);
+}
+
+static void
+load_end_certificate(const char *filename, struct end *dst)
+{
+ time_t valid_until;
+ cert_t cert;
+ bool valid_cert = FALSE;
+ bool cached_cert = FALSE;
+
+ /* initialize end certificate */
+ dst->cert.type = CERT_NONE;
+ dst->cert.u.x509 = NULL;
+
+ /* initialize smartcard info record */
+ dst->sc = NULL;
+
+ if (filename != NULL)
+ {
+ if (scx_on_smartcard(filename))
+ {
+ /* load cert from smartcard */
+ valid_cert = scx_load_cert(filename, &dst->sc, &cert, &cached_cert);
+ }
+ else
+ {
+ /* load cert from file */
+ valid_cert = load_host_cert(filename, &cert);
+ }
+ }
+
+ if (valid_cert)
+ {
+ err_t ugh = NULL;
+
+ switch (cert.type)
+ {
+ case CERT_PGP:
+ select_pgpcert_id(cert.u.pgp, &dst->id);
+
+ if (cached_cert)
+ dst->cert = cert;
+ else
+ {
+ valid_until = cert.u.pgp->until;
+ add_pgp_public_key(cert.u.pgp, cert.u.pgp->until, DAL_LOCAL);
+ dst->cert.type = cert.type;
+ dst->cert.u.pgp = add_pgpcert(cert.u.pgp);
+ }
+ break;
+ case CERT_X509_SIGNATURE:
+ select_x509cert_id(cert.u.x509, &dst->id);
+
+ if (cached_cert)
+ dst->cert = cert;
+ else
+ {
+ /* check validity of cert */
+ valid_until = cert.u.x509->notAfter;
+ ugh = check_validity(cert.u.x509, &valid_until);
+ if (ugh != NULL)
+ {
+ plog(" %s", ugh);
+ free_x509cert(cert.u.x509);
+ break;
+ }
+
+ DBG(DBG_CONTROL,
+ DBG_log("certificate is valid")
+ )
+ add_x509_public_key(cert.u.x509, valid_until, DAL_LOCAL);
+ dst->cert.type = cert.type;
+ dst->cert.u.x509 = add_x509cert(cert.u.x509);
+ }
+ /* if no CA is defined, use issuer as default */
+ if (dst->ca.ptr == NULL)
+ dst->ca = dst->cert.u.x509->issuer;
+ break;
+ default:
+ break;
+ }
+
+ /* cache the certificate that was last retrieved from the smartcard */
+ if (dst->sc != NULL)
+ {
+ if (!same_cert(&dst->sc->last_cert, &dst->cert))
+ {
+ lock_certs_and_keys("load_end_certificates");
+ release_cert(dst->sc->last_cert);
+ dst->sc->last_cert = dst->cert;
+ share_cert(dst->cert);
+ unlock_certs_and_keys("load_end_certificates");
+ }
+ time(&dst->sc->last_load);
+ }
+ }
+}
+
+static bool
+extract_end(struct end *dst, const whack_end_t *src, const char *which)
+{
+ bool same_ca = FALSE;
+
+ /* decode id, if any */
+ if (src->id == NULL)
+ {
+ dst->id.kind = ID_NONE;
+ }
+ else
+ {
+ err_t ugh = atoid(src->id, &dst->id, TRUE);
+
+ if (ugh != NULL)
+ {
+ loglog(RC_BADID, "bad %s --id: %s (ignored)", which, ugh);
+ dst->id = empty_id; /* ignore bad one */
+ }
+ }
+
+ dst->ca = empty_chunk;
+
+ /* decode CA distinguished name, if any */
+ if (src->ca != NULL)
+ {
+ if streq(src->ca, "%same")
+ same_ca = TRUE;
+ else if (!streq(src->ca, "%any"))
+ {
+ err_t ugh;
+
+ dst->ca.ptr = temporary_cyclic_buffer();
+ ugh = atodn(src->ca, &dst->ca);
+ if (ugh != NULL)
+ {
+ plog("bad CA string '%s': %s (ignored)", src->ca, ugh);
+ dst->ca = empty_chunk;
+ }
+ }
+ }
+
+ /* load local end certificate and extract ID, if any */
+ load_end_certificate(src->cert, dst);
+
+ /* does id has wildcards? */
+ dst->has_id_wildcards = id_count_wildcards(&dst->id) > 0;
+
+ /* decode group attributes, if any */
+ decode_groups(src->groups, &dst->groups);
+
+ /* the rest is simple copying of corresponding fields */
+ dst->host_addr = src->host_addr;
+ dst->host_nexthop = src->host_nexthop;
+ dst->host_srcip = src->host_srcip;
+ dst->has_natip = src->has_natip;
+ dst->client = src->client;
+ dst->protocol = src->protocol;
+ dst->port = src->port;
+ dst->has_port_wildcard = src->has_port_wildcard;
+ dst->key_from_DNS_on_demand = src->key_from_DNS_on_demand;
+ dst->has_client = src->has_client;
+ dst->has_client_wildcard = src->has_client_wildcard;
+ dst->modecfg = src->modecfg;
+ dst->hostaccess = src->hostaccess;
+ dst->sendcert = src->sendcert;
+ dst->updown = src->updown;
+ dst->host_port = src->host_port;
+
+ /* if host sourceip is defined but no client is present
+ * behind the host then set client to sourceip/32
+ */
+ if (addrbytesptr(&dst->host_srcip, NULL)
+ && !isanyaddr(&dst->host_srcip)
+ && !dst->has_natip
+ && !dst->has_client)
+ {
+ err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client);
+
+ if (ugh != NULL)
+ plog("could not assign host sourceip to client subnet");
+ else
+ dst->has_client = TRUE;
+ }
+ return same_ca;
+}
+
+static bool
+check_connection_end(const whack_end_t *this, const whack_end_t *that
+, const whack_message_t *wm)
+{
+ if (wm->addr_family != addrtypeof(&this->host_addr)
+ || wm->addr_family != addrtypeof(&this->host_nexthop)
+ || (this->has_client? wm->tunnel_addr_family : wm->addr_family)
+ != subnettypeof(&this->client)
+ || subnettypeof(&this->client) != subnettypeof(&that->client))
+ {
+ /* this should have been diagnosed by whack, so we need not be clear
+ * !!! overloaded use of RC_CLASH
+ */
+ loglog(RC_CLASH, "address family inconsistency in connection");
+ return FALSE;
+ }
+
+ if (isanyaddr(&that->host_addr))
+ {
+ /* other side is wildcard: we must check if other conditions met */
+ if (isanyaddr(&this->host_addr))
+ {
+ loglog(RC_ORIENT, "connection must specify host IP address for our side");
+ return FALSE;
+ }
+ }
+
+ if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
+ {
+ loglog(RC_CLASH,
+ "virtual IP must only be used with %%any and without client");
+ return FALSE;
+ }
+
+ return TRUE; /* happy */
+}
+
+struct connection *
+find_connection_by_reqid(uint32_t reqid)
+{
+ struct connection *c;
+
+ reqid &= ~3;
+ for (c = connections; c != NULL; c = c->ac_next)
+ {
+ if (c->spd.reqid == reqid)
+ return c;
+ }
+
+ return NULL;
+}
+
+static uint32_t
+gen_reqid(void)
+{
+ uint32_t start;
+ static uint32_t reqid = IPSEC_MANUAL_REQID_MAX & ~3;
+
+ start = reqid;
+ do {
+ reqid += 4;
+ if (reqid == 0)
+ reqid = (IPSEC_MANUAL_REQID_MAX & ~3) + 4;
+ if (!find_connection_by_reqid(reqid))
+ return reqid;
+ } while (reqid != start);
+
+ exit_log("unable to allocate reqid");
+}
+
+void
+add_connection(const whack_message_t *wm)
+{
+ if (con_by_name(wm->name, FALSE) != NULL)
+ {
+ loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", wm->name);
+ }
+ else if (wm->right.protocol != wm->left.protocol)
+ {
+ /* this should haven been diagnosed by whack
+ * !!! overloaded use of RC_CLASH
+ */
+ loglog(RC_CLASH, "the protocol must be the same for leftport and rightport");
+ }
+ else if (check_connection_end(&wm->right, &wm->left, wm)
+ && check_connection_end(&wm->left, &wm->right, wm))
+ {
+ bool same_rightca, same_leftca;
+ struct connection *c = alloc_thing(struct connection, "struct connection");
+
+ c->name = wm->name;
+ c->ikev1 = wm->ikev1;
+ c->policy = wm->policy;
+
+ if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
+ loglog(RC_COMMENT
+ , "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
+ , c->name);
+
+ if (wm->esp)
+ {
+ const char *ugh;
+
+ DBG(DBG_CONTROL,
+ DBG_log("from whack: got --esp=%s", wm->esp ? wm->esp: "NULL")
+ )
+ c->alg_info_esp= alg_info_esp_create_from_str(wm->esp? wm->esp : "", &ugh);
+
+ DBG(DBG_CRYPT|DBG_CONTROL,
+ static char buf[256]="<NULL>";
+
+ if (c->alg_info_esp)
+ alg_info_snprint(buf, sizeof(buf)
+ ,(struct alg_info *)c->alg_info_esp);
+ DBG_log("esp string values: %s", buf);
+ )
+ if (c->alg_info_esp)
+ {
+ if (c->alg_info_esp->alg_info_cnt==0)
+ loglog(RC_LOG_SERIOUS
+ , "got 0 transforms for esp=\"%s\"", wm->esp);
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "esp string error: %s", ugh? ugh : "Unknown");
+ }
+ }
+
+ if (wm->ike)
+ {
+ const char *ugh;
+
+ DBG(DBG_CONTROL,
+ DBG_log("from whack: got --ike=%s", wm->ike ? wm->ike: "NULL")
+ )
+ c->alg_info_ike= alg_info_ike_create_from_str(wm->ike? wm->ike : "", &ugh);
+
+ DBG(DBG_CRYPT|DBG_CONTROL,
+ static char buf[256]="<NULL>";
+
+ if (c->alg_info_ike)
+ alg_info_snprint(buf, sizeof(buf)
+ , (struct alg_info *)c->alg_info_ike);
+ DBG_log("ike string values: %s", buf);
+ )
+ if (c->alg_info_ike)
+ {
+ if (c->alg_info_ike->alg_info_cnt==0)
+ loglog(RC_LOG_SERIOUS
+ , "got 0 transforms for ike=\"%s\"", wm->ike);
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ike string error: %s", ugh? ugh : "Unknown");
+ }
+ }
+
+ c->sa_ike_life_seconds = wm->sa_ike_life_seconds;
+ c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds;
+ c->sa_rekey_margin = wm->sa_rekey_margin;
+ c->sa_rekey_fuzz = wm->sa_rekey_fuzz;
+ c->sa_keying_tries = wm->sa_keying_tries;
+
+ /* RFC 3706 DPD */
+ c->dpd_delay = wm->dpd_delay;
+ c->dpd_timeout = wm->dpd_timeout;
+ c->dpd_action = wm->dpd_action;
+
+ c->addr_family = wm->addr_family;
+ c->tunnel_addr_family = wm->tunnel_addr_family;
+
+ c->requested_ca = NULL;
+
+ same_leftca = extract_end(&c->spd.this, &wm->left, "left");
+ same_rightca = extract_end(&c->spd.that, &wm->right, "right");
+
+ if (same_rightca)
+ c->spd.that.ca = c->spd.this.ca;
+ else if (same_leftca)
+ c->spd.this.ca = c->spd.that.ca;
+
+ default_end(&c->spd.this, &c->spd.that.host_addr);
+ default_end(&c->spd.that, &c->spd.this.host_addr);
+
+ /* force any wildcard host IP address, any wildcard subnet
+ * or any wildcard ID to that end
+ */
+ if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
+ || c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+ {
+ struct end t = c->spd.this;
+
+ c->spd.this = c->spd.that;
+ c->spd.that = t;
+ }
+
+ c->spd.next = NULL;
+ c->spd.reqid = gen_reqid();
+
+ /* set internal fields */
+ c->instance_serial = 0;
+ c->ac_next = connections;
+ connections = c;
+ c->interface = NULL;
+ c->spd.routing = RT_UNROUTED;
+ c->newest_isakmp_sa = SOS_NOBODY;
+ c->newest_ipsec_sa = SOS_NOBODY;
+ c->spd.eroute_owner = SOS_NOBODY;
+
+ if (c->policy & POLICY_GROUP)
+ {
+ c->kind = CK_GROUP;
+ add_group(c);
+ }
+ else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
+ || c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
+ || c->spd.that.has_id_wildcards)
+ {
+ /* Opportunistic or Road Warrior or wildcard client subnet
+ * or wildcard ID */
+ c->kind = CK_TEMPLATE;
+ }
+ else
+ {
+ c->kind = CK_PERMANENT;
+ }
+ set_policy_prio(c); /* must be after kind is set */
+
+#ifdef DEBUG
+ c->extra_debugging = wm->debugging;
+#endif
+
+ c->gw_info = NULL;
+
+ passert(!(wm->left.virt && wm->right.virt));
+ if (wm->left.virt || wm->right.virt)
+ {
+ passert(isanyaddr(&c->spd.that.host_addr));
+ c->spd.that.virt = create_virtual(c,
+ wm->left.virt ? wm->left.virt : wm->right.virt);
+ if (c->spd.that.virt)
+ c->spd.that.has_client = TRUE;
+ }
+
+ unshare_connection_strings(c);
+ (void)orient(c);
+
+ if (c->ikev1)
+ connect_to_host_pair(c);
+
+ /* log all about this connection */
+ plog("added connection description \"%s\"", c->name);
+ DBG(DBG_CONTROL,
+ char topo[CONNECTION_BUF];
+
+ (void) format_connection(topo, sizeof(topo), c, &c->spd);
+
+ DBG_log("%s", topo);
+
+ /* Make sure that address families can be correctly inferred
+ * from printed ends.
+ */
+ passert(c->addr_family == addrtypeof(&c->spd.this.host_addr)
+ && c->addr_family == addrtypeof(&c->spd.this.host_nexthop)
+ && (c->spd.this.has_client? c->tunnel_addr_family : c->addr_family)
+ == subnettypeof(&c->spd.this.client)
+
+ && c->addr_family == addrtypeof(&c->spd.that.host_addr)
+ && c->addr_family == addrtypeof(&c->spd.that.host_nexthop)
+ && (c->spd.that.has_client? c->tunnel_addr_family : c->addr_family)
+ == subnettypeof(&c->spd.that.client));
+
+ DBG_log("ike_life: %lus; ipsec_life: %lus; rekey_margin: %lus;"
+ " rekey_fuzz: %lu%%; keyingtries: %lu; policy: %s"
+ , (unsigned long) c->sa_ike_life_seconds
+ , (unsigned long) c->sa_ipsec_life_seconds
+ , (unsigned long) c->sa_rekey_margin
+ , (unsigned long) c->sa_rekey_fuzz
+ , (unsigned long) c->sa_keying_tries
+ , prettypolicy(c->policy));
+ );
+ }
+}
+
+/* Derive a template connection from a group connection and target.
+ * Similar to instantiate(). Happens at whack --listen.
+ * Returns name of new connection. May be NULL.
+ * Caller is responsible for pfreeing.
+ */
+char *
+add_group_instance(struct connection *group, const ip_subnet *target)
+{
+ char namebuf[100]
+ , targetbuf[SUBNETTOT_BUF];
+ struct connection *t;
+ char *name = NULL;
+
+ passert(group->kind == CK_GROUP);
+ passert(oriented(*group));
+
+ /* manufacture a unique name for this template */
+ subnettot(target, 0, targetbuf, sizeof(targetbuf));
+ snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf);
+
+ if (con_by_name(namebuf, FALSE) != NULL)
+ {
+ loglog(RC_DUPNAME, "group name + target yields duplicate name \"%s\""
+ , namebuf);
+ }
+ else
+ {
+ t = clone_thing(*group, "group instance");
+ t->name = namebuf;
+ unshare_connection_strings(t);
+ name = clone_str(t->name, "group instance name");
+ t->spd.that.client = *target;
+ t->policy &= ~(POLICY_GROUP | POLICY_GROUTED);
+ t->kind = isanyaddr(&t->spd.that.host_addr) && !NEVER_NEGOTIATE(t->policy)
+ ? CK_TEMPLATE : CK_INSTANCE;
+
+ /* reset log file info */
+ t->log_file_name = NULL;
+ t->log_file = NULL;
+ t->log_file_err = FALSE;
+
+ t->spd.reqid = gen_reqid();
+
+ if (t->spd.that.virt)
+ {
+ DBG_log("virtual_ip not supported in group instance");
+ t->spd.that.virt = NULL;
+ }
+
+ /* add to connections list */
+ t->ac_next = connections;
+ connections = t;
+
+ /* same host_pair as parent: stick after parent on list */
+ group->hp_next = t;
+
+ /* route if group is routed */
+ if (group->policy & POLICY_GROUTED)
+ {
+ if (!trap_connection(t))
+ whack_log(RC_ROUTE, "could not route");
+ }
+ }
+ return name;
+}
+
+/* an old target has disappeared for a group: delete instance */
+void
+remove_group_instance(const struct connection *group USED_BY_DEBUG
+, const char *name)
+{
+ passert(group->kind == CK_GROUP);
+ passert(oriented(*group));
+
+ delete_connections_by_name(name, FALSE);
+}
+
+/* Common part of instantiating a Road Warrior or Opportunistic connection.
+ * his_id can be used to carry over an ID discovered in Phase 1.
+ * It must not disagree with the one in c, but if that is unspecified,
+ * the new connection will use his_id.
+ * If his_id is NULL, and c.that.id is uninstantiated (ID_NONE), the
+ * new connection will continue to have an uninstantiated that.id.
+ * Note: instantiation does not affect port numbers.
+ *
+ * Note that instantiate can only deal with a single SPD/eroute.
+ */
+static struct connection *
+instantiate(struct connection *c, const ip_address *him
+, u_int16_t his_port
+, const struct id *his_id)
+{
+ struct connection *d;
+ int wildcards;
+
+ passert(c->kind == CK_TEMPLATE);
+ passert(c->spd.next == NULL);
+
+ c->instance_serial++;
+ d = clone_thing(*c, "temporary connection");
+ if (his_id != NULL)
+ {
+ passert(match_id(his_id, &d->spd.that.id, &wildcards));
+ d->spd.that.id = *his_id;
+ d->spd.that.has_id_wildcards = FALSE;
+ }
+ unshare_connection_strings(d);
+ unshare_ietfAttrList(&d->spd.this.groups);
+ unshare_ietfAttrList(&d->spd.that.groups);
+ d->kind = CK_INSTANCE;
+
+ passert(oriented(*d));
+ d->spd.that.host_addr = *him;
+ setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
+
+ if (his_port) d->spd.that.host_port = his_port;
+
+ default_end(&d->spd.that, &d->spd.this.host_addr);
+
+ /* We cannot guess what our next_hop should be, but if it was
+ * explicitly specified as 0.0.0.0, we set it to be him.
+ * (whack will not allow nexthop to be elided in RW case.)
+ */
+ default_end(&d->spd.this, &d->spd.that.host_addr);
+ d->spd.next = NULL;
+ d->spd.reqid = gen_reqid();
+
+ /* set internal fields */
+ d->ac_next = connections;
+ connections = d;
+ d->spd.routing = RT_UNROUTED;
+ d->newest_isakmp_sa = SOS_NOBODY;
+ d->newest_ipsec_sa = SOS_NOBODY;
+ d->spd.eroute_owner = SOS_NOBODY;
+
+ /* reset log file info */
+ d->log_file_name = NULL;
+ d->log_file = NULL;
+ d->log_file_err = FALSE;
+
+ connect_to_host_pair(d);
+
+ return d;
+}
+
+struct connection *
+rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
+, const ip_subnet *his_net, const struct id *his_id)
+{
+ struct connection *d = instantiate(c, him, his_port, his_id);
+
+ if (d && his_net && is_virtual_connection(c))
+ {
+ d->spd.that.client = *his_net;
+ d->spd.that.virt = NULL;
+ if (subnetishost(his_net) && addrinsubnet(him, his_net))
+ d->spd.that.has_client = FALSE;
+ }
+
+ if (d->policy & POLICY_OPPO)
+ {
+ /* This must be before we know the client addresses.
+ * Fill in one that is impossible. This prevents anyone else from
+ * trying to use this connection to get to a particular client
+ */
+ d->spd.that.client = *aftoinfo(subnettypeof(&d->spd.that.client))->none;
+ }
+ DBG(DBG_CONTROL
+ , DBG_log("instantiated \"%s\" for %s" , d->name, ip_str(him)));
+ return d;
+}
+
+struct connection *
+oppo_instantiate(struct connection *c
+, const ip_address *him
+, const struct id *his_id
+, struct gw_info *gw
+, const ip_address *our_client USED_BY_DEBUG
+, const ip_address *peer_client)
+{
+ struct connection *d = instantiate(c, him, 0, his_id);
+
+ passert(d->spd.next == NULL);
+
+ /* fill in our client side */
+ if (d->spd.this.has_client)
+ {
+ /* there was a client in the abstract connection
+ * so we demand that the required client is within that subnet.
+ */
+ passert(addrinsubnet(our_client, &d->spd.this.client));
+ happy(addrtosubnet(our_client, &d->spd.this.client));
+ /* opportunistic connections do not use port selectors */
+ setportof(0, &d->spd.this.client.addr);
+ }
+ else
+ {
+ /* there was no client in the abstract connection
+ * so we demand that the required client be the host
+ */
+ passert(sameaddr(our_client, &d->spd.this.host_addr));
+ }
+
+ /* fill in peer's client side.
+ * If the client is the peer, excise the client from the connection.
+ */
+ passert((d->policy & POLICY_OPPO)
+ && addrinsubnet(peer_client, &d->spd.that.client));
+ happy(addrtosubnet(peer_client, &d->spd.that.client));
+ /* opportunistic connections do not use port selectors */
+ setportof(0, &d->spd.that.client.addr);
+
+ if (sameaddr(peer_client, &d->spd.that.host_addr))
+ d->spd.that.has_client = FALSE;
+
+ passert(d->gw_info == NULL);
+ gw_addref(gw);
+ d->gw_info = gw;
+
+ /* Adjust routing if something is eclipsing c.
+ * It must be a %hold for us (hard to passert this).
+ * If there was another instance eclipsing, we'd be using it.
+ */
+ if (c->spd.routing == RT_ROUTED_ECLIPSED)
+ d->spd.routing = RT_ROUTED_PROSPECTIVE;
+
+ /* Remember if the template is routed:
+ * if so, this instance applies for initiation
+ * even if it is created for responding.
+ */
+ if (routed(c->spd.routing))
+ d->instance_initiation_ok = TRUE;
+
+ DBG(DBG_CONTROL,
+ char topo[CONNECTION_BUF];
+
+ (void) format_connection(topo, sizeof(topo), d, &d->spd);
+ DBG_log("instantiated \"%s\": %s", d->name, topo);
+ );
+ return d;
+}
+
+/* priority formatting */
+void
+fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF])
+{
+ if (pp == BOTTOM_PRIO)
+ snprintf(buf, POLICY_PRIO_BUF, "0");
+ else
+ snprintf(buf, POLICY_PRIO_BUF, "%lu,%lu"
+ , pp>>16, (pp & ~(~(policy_prio_t)0 << 16)) >> 8);
+}
+
+/* Format any information needed to identify an instance of a connection.
+ * Fills any needed information into buf which MUST be big enough.
+ * Road Warrior: peer's IP address
+ * Opportunistic: [" " myclient "==="] " ..." peer ["===" hisclient] '\0'
+ */
+static size_t
+fmt_client(const ip_subnet *client, const ip_address *gw, const char *prefix, char buf[ADDRTOT_BUF])
+{
+ if (subnetisaddr(client, gw))
+ {
+ buf[0] = '\0'; /* compact denotation for "self" */
+ }
+ else
+ {
+ char *ap;
+
+ strcpy(buf, prefix);
+ ap = buf + strlen(prefix);
+ if (subnetisnone(client))
+ strcpy(ap, "?"); /* unknown */
+ else
+ subnettot(client, 0, ap, SUBNETTOT_BUF);
+ }
+ return strlen(buf);
+}
+
+void
+fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
+{
+ char *p = buf;
+
+ *p = '\0';
+
+ if (c->kind == CK_INSTANCE)
+ {
+ if (c->instance_serial != 0)
+ {
+ snprintf(p, CONN_INST_BUF, "[%lu]", c->instance_serial);
+ p += strlen(p);
+ }
+
+ if (c->policy & POLICY_OPPO)
+ {
+ size_t w = fmt_client(&c->spd.this.client, &c->spd.this.host_addr, " ", p);
+
+ p += w;
+
+ strcpy(p, w == 0? " ..." : "=== ...");
+ p += strlen(p);
+
+ addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
+ p += strlen(p);
+
+ (void) fmt_client(&c->spd.that.client, &c->spd.that.host_addr, "===", p);
+ }
+ else
+ {
+ *p++ = ' ';
+ addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
+#
+ if (c->spd.that.host_port != pluto_port)
+ {
+ p += strlen(p);
+ sprintf(p, ":%d", c->spd.that.host_port);
+ }
+ }
+ }
+}
+
+/* Find an existing connection for a trapped outbound packet.
+ * This is attempted before we bother with gateway discovery.
+ * + this connection is routed or instance_of_routed_template
+ * (i.e. approved for on-demand)
+ * + this subnet contains our_client (or we are our_client)
+ * + that subnet contains peer_client (or peer is peer_client)
+ * + don't care about Phase 1 IDs (we don't know)
+ * Note: result may still need to be instantiated.
+ * The winner has the highest policy priority.
+ *
+ * If there are several with that priority, we give preference to
+ * the first one that is an instance.
+ *
+ * See also build_outgoing_opportunistic_connection.
+ */
+struct connection *
+find_connection_for_clients(struct spd_route **srp,
+ const ip_address *our_client,
+ const ip_address *peer_client,
+ int transport_proto)
+{
+ struct connection *c = connections, *best = NULL;
+ policy_prio_t best_prio = BOTTOM_PRIO;
+ struct spd_route *sr;
+ struct spd_route *best_sr = NULL;
+ int our_port = ntohs(portof(our_client));
+ int peer_port = ntohs(portof(peer_client));
+
+ passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROL))
+ {
+ char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
+
+ addrtot(our_client, 0, ocb, sizeof(ocb));
+ addrtot(peer_client, 0, pcb, sizeof(pcb));
+ DBG_log("find_connection: "
+ "looking for policy for connection: %s:%d/%d -> %s:%d/%d"
+ , ocb, transport_proto, our_port, pcb, transport_proto, peer_port);
+ }
+#endif /* DEBUG */
+
+ for (c = connections; c != NULL; c = c->ac_next)
+ {
+ if (c->kind == CK_GROUP)
+ continue;
+
+ for (sr = &c->spd; best!=c && sr; sr = sr->next)
+ {
+ if ((routed(sr->routing) || c->instance_initiation_ok)
+ && addrinsubnet(our_client, &sr->this.client)
+ && addrinsubnet(peer_client, &sr->that.client)
+ && addrinsubnet(peer_client, &sr->that.client)
+ && (!sr->this.protocol || transport_proto == sr->this.protocol)
+ && (!sr->this.port || our_port == sr->this.port)
+ && (!sr->that.port || peer_port == sr->that.port))
+ {
+ char cib[CONN_INST_BUF];
+ char cib2[CONN_INST_BUF];
+
+ policy_prio_t prio = 8 * (c->prio + (c->kind == CK_INSTANCE))
+ + 2 * (sr->this.port == our_port)
+ + 2 * (sr->that.port == peer_port)
+ + (sr->this.protocol == transport_proto);
+
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROL|DBG_CONTROLMORE))
+ {
+ char c_ocb[SUBNETTOT_BUF], c_pcb[SUBNETTOT_BUF];
+
+ subnettot(&c->spd.this.client, 0, c_ocb, sizeof(c_ocb));
+ subnettot(&c->spd.that.client, 0, c_pcb, sizeof(c_pcb));
+ DBG_log("find_connection: conn \"%s\"%s has compatible peers: %s->%s [pri: %ld]"
+ , c->name
+ , (fmt_conn_instance(c, cib), cib)
+ , c_ocb, c_pcb, prio);
+ }
+#endif /* DEBUG */
+
+ if (best == NULL)
+ {
+ best = c;
+ best_sr = sr;
+ best_prio = prio;
+ }
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log("find_connection: "
+ "comparing best \"%s\"%s [pri:%ld]{%p} (child %s) to \"%s\"%s [pri:%ld]{%p} (child %s)"
+ , best->name
+ , (fmt_conn_instance(best, cib), cib)
+ , best_prio
+ , best
+ , (best->policy_next ? best->policy_next->name : "none")
+ , c->name
+ , (fmt_conn_instance(c, cib2), cib2)
+ , prio
+ , c
+ , (c->policy_next ? c->policy_next->name : "none")));
+
+ if (prio > best_prio)
+ {
+ best = c;
+ best_sr = sr;
+ best_prio = prio;
+ }
+ }
+ }
+ }
+
+ if (best!= NULL && NEVER_NEGOTIATE(best->policy))
+ best = NULL;
+
+ if (srp != NULL && best != NULL)
+ *srp = best_sr;
+
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROL))
+ {
+ if (best)
+ {
+ char cib[CONN_INST_BUF];
+ DBG_log("find_connection: concluding with \"%s\"%s [pri:%ld]{%p} kind=%s"
+ , best->name
+ , (fmt_conn_instance(best, cib), cib)
+ , best_prio
+ , best
+ , enum_name(&connection_kind_names, best->kind));
+ } else {
+ DBG_log("find_connection: concluding with empty");
+ }
+ }
+#endif /* DEBUG */
+
+ return best;
+}
+
+/* Find and instantiate a connection for an outgoing Opportunistic connection.
+ * We've already discovered its gateway.
+ * We look for a the connection such that:
+ * + this is one of our interfaces
+ * + this subnet contains our_client (or we are our_client)
+ * (we will specialize the client). We prefer the smallest such subnet.
+ * + that subnet contains peer_clent (we will specialize the client).
+ * We prefer the smallest such subnet.
+ * + is opportunistic
+ * + that peer is NO_IP
+ * + don't care about Phase 1 IDs (probably should be default)
+ * We could look for a connection that already had the desired peer
+ * (rather than NO_IP) specified, but it doesn't seem worth the
+ * bother.
+ *
+ * We look for the routed policy applying to the narrowest subnets.
+ * We only succeed if we find such a policy AND it is satisfactory.
+ *
+ * The body of the inner loop is a lot like that in
+ * find_connection_for_clients. In this case, we know the gateways
+ * that we need to instantiate an opportunistic connection.
+ */
+struct connection *
+build_outgoing_opportunistic_connection(struct gw_info *gw
+ ,const ip_address *our_client
+ ,const ip_address *peer_client)
+{
+ struct iface *p;
+ struct connection *best = NULL;
+ struct spd_route *sr, *bestsr;
+ char ocb[ADDRTOT_BUF], pcb[ADDRTOT_BUF];
+
+ addrtot(our_client, 0, ocb, sizeof(ocb));
+ addrtot(peer_client, 0, pcb, sizeof(pcb));
+
+ passert(!isanyaddr(our_client) && !isanyaddr(peer_client));
+
+ /* We don't know his ID yet, so gw id must be an ipaddr */
+ passert(gw->key != NULL);
+ passert(id_is_ipaddr(&gw->gw_id));
+
+ /* for each of our addresses... */
+ for (p = interfaces; p != NULL; p = p->next)
+ {
+ /* go through those connections with our address and NO_IP as hosts
+ * We cannot know what port the peer would use, so we assume
+ * that it is pluto_port (makes debugging easier).
+ */
+ struct connection *c = find_host_pair_connections(&p->addr
+ , pluto_port, (ip_address *)NULL, pluto_port);
+
+ for (; c != NULL; c = c->hp_next)
+ {
+ DBG(DBG_OPPO,
+ DBG_log("checking %s", c->name));
+ if (c->kind == CK_GROUP)
+ {
+ continue;
+ }
+
+ for (sr = &c->spd; best!=c && sr; sr = sr->next)
+ {
+ if (routed(sr->routing)
+ && addrinsubnet(our_client, &sr->this.client)
+ && addrinsubnet(peer_client, &sr->that.client))
+ {
+ if (best == NULL)
+ {
+ best = c;
+ break;
+ }
+
+ DBG(DBG_OPPO,
+ DBG_log("comparing best %s to %s"
+ , best->name, c->name));
+
+ for (bestsr = &best->spd; best!=c && bestsr; bestsr=bestsr->next)
+ {
+ if (!subnetinsubnet(&bestsr->this.client, &sr->this.client)
+ || (samesubnet(&bestsr->this.client, &sr->this.client)
+ && !subnetinsubnet(&bestsr->that.client
+ , &sr->that.client)))
+ {
+ best = c;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ if (best == NULL
+ || NEVER_NEGOTIATE(best->policy)
+ || (best->policy & POLICY_OPPO) == LEMPTY
+ || best->kind != CK_TEMPLATE)
+ return NULL;
+ else
+ return oppo_instantiate(best, &gw->gw_id.ip_addr, NULL, gw
+ , our_client, peer_client);
+}
+
+bool
+orient(struct connection *c)
+{
+ struct spd_route *sr;
+
+ if (!oriented(*c))
+ {
+ struct iface *p;
+
+ for (sr = &c->spd; sr; sr = sr->next)
+ {
+ /* Note: this loop does not stop when it finds a match:
+ * it continues checking to catch any ambiguity.
+ */
+ for (p = interfaces; p != NULL; p = p->next)
+ {
+ if (p->ike_float)
+ continue;
+
+ for (;;)
+ {
+ /* check if this interface matches this end */
+ if (sameaddr(&sr->this.host_addr, &p->addr)
+ && (!no_klips || sr->this.host_port == pluto_port))
+ {
+ if (oriented(*c))
+ {
+ if (c->interface == p)
+ loglog(RC_LOG_SERIOUS
+ , "both sides of \"%s\" are our interface %s!"
+ , c->name, p->rname);
+ else
+ loglog(RC_LOG_SERIOUS, "two interfaces match \"%s\" (%s, %s)"
+ , c->name, c->interface->rname, p->rname);
+ c->interface = NULL; /* withdraw orientation */
+ return FALSE;
+ }
+ c->interface = p;
+ }
+
+ /* done with this interface if it doesn't match that end */
+ if (!(sameaddr(&sr->that.host_addr, &p->addr)
+ && (!no_klips || sr->that.host_port == pluto_port)))
+ break;
+
+ /* swap ends and try again.
+ * It is a little tricky to see that this loop will stop.
+ * Only continue if the far side matches.
+ * If both sides match, there is an error-out.
+ */
+ {
+ struct end t = sr->this;
+
+ sr->this = sr->that;
+ sr->that = t;
+ }
+ }
+ }
+ }
+ }
+ return oriented(*c);
+}
+
+void
+initiate_connection(const char *name, int whackfd)
+{
+ struct connection *c = con_by_name(name, TRUE);
+
+ if (c != NULL && c->ikev1)
+ {
+ set_cur_connection(c);
+ if (!oriented(*c))
+ {
+ loglog(RC_ORIENT, "we have no ipsecN interface for either end of this connection");
+ }
+ else if (NEVER_NEGOTIATE(c->policy))
+ {
+ loglog(RC_INITSHUNT
+ , "cannot initiate an authby=never connection");
+ }
+ else if (c->kind != CK_PERMANENT)
+ {
+ if (isanyaddr(&c->spd.that.host_addr))
+ loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
+ else
+ loglog(RC_WILDCARD, "cannot initiate connection with ID wildcards");
+ }
+ else
+ {
+ /* We will only request an IPsec SA if policy isn't empty
+ * (ignoring Main Mode items).
+ * This is a fudge, but not yet important.
+ * If we are to proceed asynchronously, whackfd will be NULL_FD.
+ */
+ c->policy |= POLICY_UP;
+ /* do we have to prompt for a PIN code? */
+ if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+ scx_get_pin(c->spd.this.sc, whackfd);
+
+ if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
+ {
+ loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
+ }
+ else
+ {
+ ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
+ whackfd = NULL_FD; /* protect from close */
+ }
+ }
+ reset_cur_connection();
+ }
+ close_any(whackfd);
+}
+
+/* (Possibly) Opportunistic Initiation:
+ * Knowing clients (single IP addresses), try to build an tunnel.
+ * This may involve discovering a gateway and instantiating an
+ * Opportunistic connection. Called when a packet is caught by
+ * a %trap, or when whack --oppohere --oppothere is used.
+ * It may turn out that an existing or non-opporunistic connnection
+ * can handle the traffic.
+ *
+ * Most of the code will be restarted if an ADNS request is made
+ * to discover the gateway. The only difference between the first
+ * and second entry is whether gateways_from_dns is NULL or not.
+ * initiate_opportunistic: initial entrypoint
+ * continue_oppo: where we pickup when ADNS result arrives
+ * initiate_opportunistic_body: main body shared by above routines
+ * cannot_oppo: a helper function to log a diagnostic
+ * This structure repeats a lot of code when the ADNS result arrives.
+ * This seems like a waste, but anything learned the first time through
+ * may no longer be true!
+ *
+ * After the first IKE message is sent, the regular state machinery
+ * carries negotiation forward.
+ */
+
+enum find_oppo_step {
+ fos_start,
+ fos_myid_ip_txt,
+ fos_myid_hostname_txt,
+ fos_myid_ip_key,
+ fos_myid_hostname_key,
+ fos_our_client,
+ fos_our_txt,
+#ifdef USE_KEYRR
+ fos_our_key,
+#endif /* USE_KEYRR */
+ fos_his_client,
+ fos_done
+};
+
+#ifdef DEBUG
+static const char *const oppo_step_name[] = {
+ "fos_start",
+ "fos_myid_ip_txt",
+ "fos_myid_hostname_txt",
+ "fos_myid_ip_key",
+ "fos_myid_hostname_key",
+ "fos_our_client",
+ "fos_our_txt",
+#ifdef USE_KEYRR
+ "fos_our_key",
+#endif /* USE_KEYRR */
+ "fos_his_client",
+ "fos_done"
+};
+#endif /* DEBUG */
+
+struct find_oppo_bundle {
+ enum find_oppo_step step;
+ err_t want;
+ bool failure_ok; /* if true, continue_oppo should not die on DNS failure */
+ ip_address our_client; /* not pointer! */
+ ip_address peer_client;
+ int transport_proto;
+ bool held;
+ policy_prio_t policy_prio;
+ ipsec_spi_t failure_shunt; /* in host order! 0 for delete. */
+ int whackfd;
+};
+
+struct find_oppo_continuation {
+ struct adns_continuation ac; /* common prefix */
+ struct find_oppo_bundle b;
+};
+
+static void
+cannot_oppo(struct connection *c
+ , struct find_oppo_bundle *b
+ , err_t ugh)
+{
+ char pcb[ADDRTOT_BUF];
+ char ocb[ADDRTOT_BUF];
+
+ addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
+ addrtot(&b->our_client, 0, ocb, sizeof(ocb));
+
+ DBG(DBG_DNS | DBG_OPPO, DBG_log("Can't Opportunistically initiate for %s to %s: %s"
+ , ocb, pcb, ugh));
+
+ whack_log(RC_OPPOFAILURE
+ , "Can't Opportunistically initiate for %s to %s: %s"
+ , ocb, pcb, ugh);
+
+ if (c != NULL && c->policy_next != NULL)
+ {
+ /* there is some policy that comes afterwards */
+ struct spd_route *shunt_spd;
+ struct connection *nc = c->policy_next;
+ struct state *st;
+
+ passert(c->kind == CK_TEMPLATE);
+ passert(c->policy_next->kind == CK_PERMANENT);
+
+ DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
+ , ocb, pcb, c->policy_next->name));
+
+ /*
+ * okay, here we need add to the "next" policy, which is ought
+ * to be an instance.
+ * We will add another entry to the spd_route list for the specific
+ * situation that we have.
+ */
+
+ shunt_spd = clone_thing(nc->spd, "shunt eroute policy");
+
+ shunt_spd->next = nc->spd.next;
+ nc->spd.next = shunt_spd;
+
+ happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
+
+ if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
+ shunt_spd->that.has_client = FALSE;
+
+ /*
+ * override the tunnel destination with the one from the secondaried
+ * policy
+ */
+ shunt_spd->that.host_addr = nc->spd.that.host_addr;
+
+ /* now, lookup the state, and poke it up.
+ */
+
+ st = state_with_serialno(nc->newest_ipsec_sa);
+
+ /* XXX what to do if the IPSEC SA has died? */
+ passert(st != NULL);
+
+ /* link the new connection instance to the state's list of
+ * connections
+ */
+
+ DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
+ , nc->newest_ipsec_sa
+ , ocb, pcb));
+
+#ifdef DEBUG
+ if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
+ {
+ char state_buf[LOG_WIDTH];
+ char state_buf2[LOG_WIDTH];
+ time_t n = now();
+
+ fmt_state(FALSE, st, n
+ , state_buf, sizeof(state_buf)
+ , state_buf2, sizeof(state_buf2));
+ DBG_log("cannot_oppo, failure SA1: %s", state_buf);
+ DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
+ }
+#endif /* DEBUG */
+
+ if (!route_and_eroute(c, shunt_spd, st))
+ {
+ whack_log(RC_OPPOFAILURE
+ , "failed to instantiate shunt policy %s for %s to %s"
+ , c->name
+ , ocb, pcb);
+ }
+ return;
+ }
+
+#ifdef KLIPS
+ if (b->held)
+ {
+ /* Replace HOLD with b->failure_shunt.
+ * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
+ */
+ if (b->failure_shunt == 0)
+ {
+ DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass"
+ , ocb, pcb));
+ }
+
+ (void) replace_bare_shunt(&b->our_client, &b->peer_client
+ , b->policy_prio
+ , b->failure_shunt
+ , b->failure_shunt != 0
+ , b->transport_proto
+ , ugh);
+ }
+#endif
+}
+
+static void initiate_opportunistic_body(struct find_oppo_bundle *b
+ , struct adns_continuation *ac, err_t ac_ugh); /* forward */
+
+void
+initiate_opportunistic(const ip_address *our_client
+, const ip_address *peer_client
+, int transport_proto
+, bool held
+, int whackfd)
+{
+ struct find_oppo_bundle b;
+
+ b.want = (whackfd == NULL_FD ? "whack" : "acquire");
+ b.failure_ok = FALSE;
+ b.our_client = *our_client;
+ b.peer_client = *peer_client;
+ b.transport_proto = transport_proto;
+ b.held = held;
+ b.policy_prio = BOTTOM_PRIO;
+ b.failure_shunt = 0;
+ b.whackfd = whackfd;
+ b.step = fos_start;
+ initiate_opportunistic_body(&b, NULL, NULL);
+}
+
+static void
+continue_oppo(struct adns_continuation *acr, err_t ugh)
+{
+ struct find_oppo_continuation *cr = (void *)acr; /* inherit, damn you! */
+ struct connection *c;
+ bool was_held = cr->b.held;
+ int whackfd = cr->b.whackfd;
+
+ /* note: cr->id has no resources; cr->sgw_id is id_none:
+ * neither need freeing.
+ */
+ whack_log_fd = whackfd;
+
+#ifdef KLIPS
+ /* Discover and record whether %hold has gone away.
+ * This could have happened while we were awaiting DNS.
+ * We must check BEFORE any call to cannot_oppo.
+ */
+ if (was_held)
+ cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
+ , cr->b.transport_proto);
+#endif
+
+#ifdef DEBUG
+ /* if we're going to ignore the error, at least note it in debugging log */
+ if (cr->b.failure_ok && ugh != NULL)
+ {
+ DBG(DBG_CONTROL | DBG_DNS,
+ {
+ char ocb[ADDRTOT_BUF];
+ char pcb[ADDRTOT_BUF];
+
+ addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
+ addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
+ DBG_log("continuing from failed DNS lookup for %s, %s to %s: %s"
+ , cr->b.want, ocb, pcb, ugh);
+ });
+ }
+#endif
+
+ if (!cr->b.failure_ok && ugh != NULL)
+ {
+ c = find_connection_for_clients(NULL, &cr->b.our_client, &cr->b.peer_client
+ , cr->b.transport_proto);
+ cannot_oppo(c, &cr->b
+ , builddiag("%s: %s", cr->b.want, ugh));
+ }
+ else if (was_held && !cr->b.held)
+ {
+ /* was_held indicates we were started due to a %trap firing
+ * (as opposed to a "whack --oppohere --oppothere").
+ * Since the %hold has gone, we can assume that somebody else
+ * has beaten us to the punch. We can go home. But lets log it.
+ */
+ char ocb[ADDRTOT_BUF];
+ char pcb[ADDRTOT_BUF];
+
+ addrtot(&cr->b.our_client, 0, ocb, sizeof(ocb));
+ addrtot(&cr->b.peer_client, 0, pcb, sizeof(pcb));
+
+ loglog(RC_COMMENT
+ , "%%hold otherwise handled during DNS lookup for Opportunistic Initiation for %s to %s"
+ , ocb, pcb);
+ }
+ else
+ {
+ initiate_opportunistic_body(&cr->b, &cr->ac, ugh);
+ whackfd = NULL_FD; /* was handed off */
+ }
+
+ whack_log_fd = NULL_FD;
+ close_any(whackfd);
+}
+
+#ifdef USE_KEYRR
+static err_t
+check_key_recs(enum myid_state try_state
+, const struct connection *c
+, struct adns_continuation *ac)
+{
+ /* Check if KEY lookup yielded good results.
+ * Looking up based on our ID. Used if
+ * client is ourself, or if TXT had no public key.
+ * Note: if c is different this time, there is
+ * a chance that we did the wrong query.
+ * If so, treat as a kind of failure.
+ */
+ enum myid_state old_myid_state = myid_state;
+ const struct RSA_private_key *our_RSA_pri;
+ err_t ugh = NULL;
+
+ myid_state = try_state;
+
+ if (old_myid_state != myid_state
+ && old_myid_state == MYID_SPECIFIED)
+ {
+ ugh = "%myid was specified while we were guessing";
+ }
+ else if ((our_RSA_pri = get_RSA_private_key(c)) == NULL)
+ {
+ ugh = "we don't know our own RSA key";
+ }
+ else if (!same_id(&ac->id, &c->spd.this.id))
+ {
+ ugh = "our ID changed underfoot";
+ }
+ else
+ {
+ /* Similar to code in RSA_check_signature
+ * for checking the other side.
+ */
+ pubkey_list_t *kr;
+
+ ugh = "no KEY RR found for us";
+ for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
+ {
+ ugh = "all our KEY RRs have the wrong public key";
+ if (kr->key->alg == PUBKEY_ALG_RSA
+ && same_RSA_public_key(&our_RSA_pri->pub, &kr->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ if (ugh != NULL)
+ myid_state = old_myid_state;
+ return ugh;
+}
+#endif /* USE_KEYRR */
+
+static err_t
+check_txt_recs(enum myid_state try_state
+, const struct connection *c
+, struct adns_continuation *ac)
+{
+ /* Check if TXT lookup yielded good results.
+ * Looking up based on our ID. Used if
+ * client is ourself, or if TXT had no public key.
+ * Note: if c is different this time, there is
+ * a chance that we did the wrong query.
+ * If so, treat as a kind of failure.
+ */
+ enum myid_state old_myid_state = myid_state;
+ const struct RSA_private_key *our_RSA_pri;
+ err_t ugh = NULL;
+
+ myid_state = try_state;
+
+ if (old_myid_state != myid_state
+ && old_myid_state == MYID_SPECIFIED)
+ {
+ ugh = "%myid was specified while we were guessing";
+ }
+ else if ((our_RSA_pri = get_RSA_private_key(c)) == NULL)
+ {
+ ugh = "we don't know our own RSA key";
+ }
+ else if (!same_id(&ac->id, &c->spd.this.id))
+ {
+ ugh = "our ID changed underfoot";
+ }
+ else
+ {
+ /* Similar to code in RSA_check_signature
+ * for checking the other side.
+ */
+ struct gw_info *gwp;
+
+ ugh = "no TXT RR found for us";
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ ugh = "all our TXT RRs have the wrong public key";
+ if (gwp->key->alg == PUBKEY_ALG_RSA
+ && same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ if (ugh != NULL)
+ myid_state = old_myid_state;
+ return ugh;
+}
+
+
+/* note: gateways_from_dns must be NULL iff this is the first call */
+static void
+initiate_opportunistic_body(struct find_oppo_bundle *b
+, struct adns_continuation *ac
+, err_t ac_ugh)
+{
+ struct connection *c;
+ struct spd_route *sr;
+
+ /* What connection shall we use?
+ * First try for one that explicitly handles the clients.
+ */
+ DBG(DBG_CONTROL,
+ {
+ char ours[ADDRTOT_BUF];
+ char his[ADDRTOT_BUF];
+ int ourport;
+ int hisport;
+
+ addrtot(&b->our_client, 0, ours, sizeof(ours));
+ addrtot(&b->peer_client, 0, his, sizeof(his));
+ ourport = ntohs(portof(&b->our_client));
+ hisport = ntohs(portof(&b->peer_client));
+ DBG_log("initiate on demand from %s:%d to %s:%d proto=%d state: %s because: %s"
+ , ours, ourport, his, hisport, b->transport_proto
+ , oppo_step_name[b->step], b->want);
+ });
+ if (isanyaddr(&b->our_client) || isanyaddr(&b->peer_client))
+ {
+ cannot_oppo(NULL, b, "impossible IP address");
+ }
+ else if ((c = find_connection_for_clients(&sr
+ , &b->our_client
+ , &b->peer_client
+ , b->transport_proto)) == NULL)
+ {
+ /* No connection explicitly handles the clients and there
+ * are no Opportunistic connections -- whine and give up.
+ * The failure policy cannot be gotten from a connection; we pick %pass.
+ */
+ cannot_oppo(NULL, b, "no routed Opportunistic template covers this pair");
+ }
+ else if (c->kind != CK_TEMPLATE)
+ {
+ /* We've found a connection that can serve.
+ * Do we have to initiate it?
+ * Not if there is currently an IPSEC SA.
+ * But if there is an IPSEC SA, then KLIPS would not
+ * have generated the acquire. So we assume that there isn't one.
+ * This may be redundant if a non-opportunistic
+ * negotiation is already being attempted.
+ */
+
+ /* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
+
+ if(c->kind == CK_INSTANCE)
+ {
+ char cib[CONN_INST_BUF];
+ /* there is already an instance being negotiated, no nothing */
+ DBG(DBG_CONTROL, DBG_log("found existing instance \"%s\"%s, rekeying it"
+ , c->name
+ , (fmt_conn_instance(c, cib), cib)));
+ /* XXX-mcr - return; */
+ }
+
+ /* otherwise, there is some kind of static conn that can handle
+ * this connection, so we initiate it */
+
+#ifdef KLIPS
+ if (b->held)
+ {
+ /* what should we do on failure? */
+ (void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
+ }
+#endif
+ ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
+ b->whackfd = NULL_FD; /* protect from close */
+ }
+ else
+ {
+ /* We are handling an opportunistic situation.
+ * This involves several DNS lookup steps that require suspension.
+ * Note: many facts might change while we're suspended.
+ * Here be dragons.
+ *
+ * The first chunk of code handles the result of the previous
+ * DNS query (if any). It also selects the kind of the next step.
+ * The second chunk initiates the next DNS query (if any).
+ */
+ enum find_oppo_step next_step;
+ err_t ugh = ac_ugh;
+ char mycredentialstr[BUF_LEN];
+ char cib[CONN_INST_BUF];
+
+ DBG(DBG_CONTROL, DBG_log("creating new instance from \"%s\"%s"
+ , c->name
+ , (fmt_conn_instance(c, cib), cib)));
+
+
+ idtoa(&sr->this.id, mycredentialstr, sizeof(mycredentialstr));
+
+ passert(c->policy & POLICY_OPPO); /* can't initiate Road Warrior connections */
+
+ /* handle any DNS answer; select next step */
+
+ switch (b->step)
+ {
+ case fos_start:
+ /* just starting out: select first query step */
+ next_step = fos_myid_ip_txt;
+ break;
+
+ case fos_myid_ip_txt: /* TXT for our default IP address as %myid */
+ ugh = check_txt_recs(MYID_IP, c, ac);
+ if (ugh != NULL)
+ {
+ /* cannot use our IP as OE identitiy for initiation */
+ DBG(DBG_OPPO, DBG_log("can not use our IP (%s:TXT) as identity: %s"
+ , myid_str[MYID_IP]
+ , ugh));
+ if (!logged_myid_ip_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "can not use our IP (%s:TXT) as identity: %s"
+ , myid_str[MYID_IP]
+ , ugh);
+ logged_myid_ip_txt_warning = TRUE;
+ }
+
+ next_step = fos_myid_hostname_txt;
+ ugh = NULL; /* failure can be recovered from */
+ }
+ else
+ {
+ /* we can use our IP as OE identity for initiation */
+ if (!logged_myid_ip_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "using our IP (%s:TXT) as identity!"
+ , myid_str[MYID_IP]);
+ logged_myid_ip_txt_warning = TRUE;
+ }
+
+ next_step = fos_our_client;
+ }
+ break;
+
+ case fos_myid_hostname_txt: /* TXT for our hostname as %myid */
+ ugh = check_txt_recs(MYID_HOSTNAME, c, ac);
+ if (ugh != NULL)
+ {
+ /* cannot use our hostname as OE identitiy for initiation */
+ DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:TXT) as identity: %s"
+ , myid_str[MYID_HOSTNAME]
+ , ugh));
+ if (!logged_myid_fqdn_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "can not use our hostname (%s:TXT) as identity: %s"
+ , myid_str[MYID_HOSTNAME]
+ , ugh);
+ logged_myid_fqdn_txt_warning = TRUE;
+ }
+#ifdef USE_KEYRR
+ next_step = fos_myid_ip_key;
+ ugh = NULL; /* failure can be recovered from */
+#endif
+ }
+ else
+ {
+ /* we can use our hostname as OE identity for initiation */
+ if (!logged_myid_fqdn_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "using our hostname (%s:TXT) as identity!"
+ , myid_str[MYID_HOSTNAME]);
+ logged_myid_fqdn_txt_warning = TRUE;
+ }
+ next_step = fos_our_client;
+ }
+ break;
+
+#ifdef USE_KEYRR
+ case fos_myid_ip_key: /* KEY for our default IP address as %myid */
+ ugh = check_key_recs(MYID_IP, c, ac);
+ if (ugh != NULL)
+ {
+ /* cannot use our IP as OE identitiy for initiation */
+ DBG(DBG_OPPO, DBG_log("can not use our IP (%s:KEY) as identity: %s"
+ , myid_str[MYID_IP]
+ , ugh));
+ if (!logged_myid_ip_key_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "can not use our IP (%s:KEY) as identity: %s"
+ , myid_str[MYID_IP]
+ , ugh);
+ logged_myid_ip_key_warning = TRUE;
+ }
+
+ next_step = fos_myid_hostname_key;
+ ugh = NULL; /* failure can be recovered from */
+ }
+ else
+ {
+ /* we can use our IP as OE identity for initiation */
+ if (!logged_myid_ip_key_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "using our IP (%s:KEY) as identity!"
+ , myid_str[MYID_IP]);
+ logged_myid_ip_key_warning = TRUE;
+ }
+ next_step = fos_our_client;
+ }
+ break;
+
+ case fos_myid_hostname_key: /* KEY for our hostname as %myid */
+ ugh = check_key_recs(MYID_HOSTNAME, c, ac);
+ if (ugh != NULL)
+ {
+ /* cannot use our IP as OE identitiy for initiation */
+ DBG(DBG_OPPO, DBG_log("can not use our hostname (%s:KEY) as identity: %s"
+ , myid_str[MYID_HOSTNAME]
+ , ugh));
+ if (!logged_myid_fqdn_key_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "can not use our hostname (%s:KEY) as identity: %s"
+ , myid_str[MYID_HOSTNAME]
+ , ugh);
+ logged_myid_fqdn_key_warning = TRUE;
+ }
+
+ next_step = fos_myid_hostname_key;
+ ugh = NULL; /* failure can be recovered from */
+ }
+ else
+ {
+ /* we can use our IP as OE identity for initiation */
+ if (!logged_myid_fqdn_key_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "using our hostname (%s:KEY) as identity!"
+ , myid_str[MYID_HOSTNAME]);
+ logged_myid_fqdn_key_warning = TRUE;
+ }
+ next_step = fos_our_client;
+ }
+ break;
+#endif
+
+ case fos_our_client: /* TXT for our client */
+ {
+ /* Our client is not us: we must check the TXT records.
+ * Note: if c is different this time, there is
+ * a chance that we did the wrong query.
+ * If so, treat as a kind of failure.
+ */
+ const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
+
+ next_step = fos_his_client; /* normal situation */
+
+ passert(sr != NULL);
+
+ if (our_RSA_pri == NULL)
+ {
+ ugh = "we don't know our own RSA key";
+ }
+ else if (sameaddr(&sr->this.host_addr, &b->our_client))
+ {
+ /* this wasn't true when we started -- bail */
+ ugh = "our IP address changed underfoot";
+ }
+ else if (!same_id(&ac->sgw_id, &sr->this.id))
+ {
+ /* this wasn't true when we started -- bail */
+ ugh = "our ID changed underfoot";
+ }
+ else
+ {
+ /* Similar to code in quick_inI1_outR1_tail
+ * for checking the other side.
+ */
+ struct gw_info *gwp;
+
+ ugh = "no TXT RR for our client delegates us";
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ passert(same_id(&gwp->gw_id, &sr->this.id));
+
+ ugh = "TXT RR for our client has wrong key";
+ /* If there is a key from the TXT record,
+ * we count it as a win if we match the key.
+ * If there was no key, we have a tentative win:
+ * we need to check our KEY record to be sure.
+ */
+ if (!gwp->gw_key_present)
+ {
+ /* Success, but the TXT had no key
+ * so we must check our our own KEY records.
+ */
+ next_step = fos_our_txt;
+ ugh = NULL; /* good! */
+ break;
+ }
+ if (same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ }
+ break;
+
+ case fos_our_txt: /* TXT for us */
+ {
+ /* Check if TXT lookup yielded good results.
+ * Looking up based on our ID. Used if
+ * client is ourself, or if TXT had no public key.
+ * Note: if c is different this time, there is
+ * a chance that we did the wrong query.
+ * If so, treat as a kind of failure.
+ */
+ const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
+
+ next_step = fos_his_client; /* unless we decide to look for KEY RR */
+
+ if (our_RSA_pri == NULL)
+ {
+ ugh = "we don't know our own RSA key";
+ }
+ else if (!same_id(&ac->id, &c->spd.this.id))
+ {
+ ugh = "our ID changed underfoot";
+ }
+ else
+ {
+ /* Similar to code in RSA_check_signature
+ * for checking the other side.
+ */
+ struct gw_info *gwp;
+
+ ugh = "no TXT RR for us";
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ passert(same_id(&gwp->gw_id, &sr->this.id));
+
+ ugh = "TXT RR for us has wrong key";
+ if (gwp->gw_key_present
+ && same_RSA_public_key(&our_RSA_pri->pub, &gwp->key->u.rsa))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("initiate on demand found TXT with right public key at: %s"
+ , mycredentialstr));
+ ugh = NULL;
+ break;
+ }
+ }
+#ifdef USE_KEYRR
+ if (ugh != NULL)
+ {
+ /* if no TXT with right key, try KEY */
+ DBG(DBG_CONTROL,
+ DBG_log("will try for KEY RR since initiate on demand found %s: %s"
+ , ugh, mycredentialstr));
+ next_step = fos_our_key;
+ ugh = NULL;
+ }
+#endif
+ }
+ }
+ break;
+
+#ifdef USE_KEYRR
+ case fos_our_key: /* KEY for us */
+ {
+ /* Check if KEY lookup yielded good results.
+ * Looking up based on our ID. Used if
+ * client is ourself, or if TXT had no public key.
+ * Note: if c is different this time, there is
+ * a chance that we did the wrong query.
+ * If so, treat as a kind of failure.
+ */
+ const struct RSA_private_key *our_RSA_pri = get_RSA_private_key(c);
+
+ next_step = fos_his_client; /* always */
+
+ if (our_RSA_pri == NULL)
+ {
+ ugh = "we don't know our own RSA key";
+ }
+ else if (!same_id(&ac->id, &c->spd.this.id))
+ {
+ ugh = "our ID changed underfoot";
+ }
+ else
+ {
+ /* Similar to code in RSA_check_signature
+ * for checking the other side.
+ */
+ pubkey_list_t *kr;
+
+ ugh = "no KEY RR found for us (and no good TXT RR)";
+ for (kr = ac->keys_from_dns; kr != NULL; kr = kr->next)
+ {
+ ugh = "all our KEY RRs have the wrong public key (and no good TXT RR)";
+ if (kr->key->alg == PUBKEY_ALG_RSA
+ && same_RSA_public_key(&our_RSA_pri->pub, &kr->key->u.rsa))
+ {
+ /* do this only once a day */
+ if (!logged_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "found KEY RR but not TXT RR for %s. See http://www.freeswan.org/err/txt-change.html."
+ , mycredentialstr);
+ logged_txt_warning = TRUE;
+ }
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ }
+ break;
+#endif /* USE_KEYRR */
+
+ case fos_his_client: /* TXT for his client */
+ {
+ /* We've finished last DNS queries: TXT for his client.
+ * Using the information, try to instantiate a connection
+ * and start negotiating.
+ * We now know the peer. The chosing of "c" ignored this,
+ * so we will disregard its current value.
+ * !!! We need to randomize the entry in gw that we choose.
+ */
+ next_step = fos_done; /* no more queries */
+
+ c = build_outgoing_opportunistic_connection(ac->gateways_from_dns
+ , &b->our_client
+ , &b->peer_client);
+
+ if (c == NULL)
+ {
+ /* We cannot seem to instantiate a suitable connection:
+ * complain clearly.
+ */
+ char ocb[ADDRTOT_BUF]
+ , pcb[ADDRTOT_BUF]
+ , pb[ADDRTOT_BUF];
+
+ addrtot(&b->our_client, 0, ocb, sizeof(ocb));
+ addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
+ passert(id_is_ipaddr(&ac->gateways_from_dns->gw_id));
+ addrtot(&ac->gateways_from_dns->gw_id.ip_addr, 0, pb, sizeof(pb));
+ loglog(RC_OPPOFAILURE
+ , "no suitable connection for opportunism"
+ " between %s and %s with %s as peer"
+ , ocb, pcb, pb);
+
+#ifdef KLIPS
+ if (b->held)
+ {
+ /* Replace HOLD with PASS.
+ * The type of replacement *ought* to be
+ * specified by policy.
+ */
+ (void) replace_bare_shunt(&b->our_client, &b->peer_client
+ , BOTTOM_PRIO
+ , SPI_PASS /* fail into PASS */
+ , TRUE, b->transport_proto
+ , "no suitable connection");
+ }
+#endif
+ }
+ else
+ {
+ /* If we are to proceed asynchronously, b->whackfd will be NULL_FD. */
+ passert(c->kind == CK_INSTANCE);
+ passert(c->gw_info != NULL);
+ passert(HAS_IPSEC_POLICY(c->policy));
+ passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
+#ifdef KLIPS
+ if (b->held)
+ {
+ /* what should we do on failure? */
+ (void) assign_hold(c, &c->spd
+ , b->transport_proto
+ , &b->our_client, &b->peer_client);
+ }
+#endif
+ c->gw_info->key->last_tried_time = now();
+ ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
+ b->whackfd = NULL_FD; /* protect from close */
+ }
+ }
+ break;
+
+ default:
+ bad_case(b->step);
+ }
+
+ /* the second chunk: initiate the next DNS query (if any) */
+ DBG(DBG_CONTROL,
+ {
+ char ours[ADDRTOT_BUF];
+ char his[ADDRTOT_BUF];
+
+ addrtot(&b->our_client, 0, ours, sizeof(ours));
+ addrtot(&b->peer_client, 0, his, sizeof(his));
+ DBG_log("initiate on demand from %s to %s new state: %s with ugh: %s"
+ , ours, his, oppo_step_name[b->step], ugh ? ugh : "ok");
+ });
+
+ if (ugh != NULL)
+ {
+ b->policy_prio = c->prio;
+ b->failure_shunt = shunt_policy_spi(c, FALSE);
+ cannot_oppo(c, b, ugh);
+ }
+ else if (next_step == fos_done)
+ {
+ /* nothing to do */
+ }
+ else
+ {
+ /* set up the next query */
+ struct find_oppo_continuation *cr = alloc_thing(struct find_oppo_continuation
+ , "opportunistic continuation");
+ struct id id;
+
+ b->policy_prio = c->prio;
+ b->failure_shunt = shunt_policy_spi(c, FALSE);
+ cr->b = *b; /* copy; start hand off of whackfd */
+ cr->b.failure_ok = FALSE;
+ cr->b.step = next_step;
+
+ for (sr = &c->spd
+ ; sr!=NULL && !sameaddr(&sr->this.host_addr, &b->our_client)
+ ; sr = sr->next)
+ ;
+
+ if (sr == NULL)
+ sr = &c->spd;
+
+ /* If a %hold shunt has replaced the eroute for this template,
+ * record this fact.
+ */
+ if (b->held
+ && sr->routing == RT_ROUTED_PROSPECTIVE && eclipsable(sr))
+ {
+ sr->routing = RT_ROUTED_ECLIPSED;
+ eclipse_count++;
+ }
+
+ /* Switch to issue next query.
+ * A case may turn out to be unnecessary. If so, it falls
+ * through to the next case.
+ * Figuring out what %myid can stand for must be done before
+ * our client credentials are looked up: we must know what
+ * the client credentials may use to identify us.
+ * On the other hand, our own credentials should be looked
+ * up after our clients in case our credentials are not
+ * needed at all.
+ * XXX this is a wasted effort if we don't have credentials
+ * BUT they are not needed.
+ */
+ switch (next_step)
+ {
+ case fos_myid_ip_txt:
+ if (c->spd.this.id.kind == ID_MYID
+ && myid_state != MYID_SPECIFIED)
+ {
+ cr->b.failure_ok = TRUE;
+ cr->b.want = b->want = "TXT record for IP address as %myid";
+ ugh = start_adns_query(&myids[MYID_IP]
+ , &myids[MYID_IP]
+ , T_TXT
+ , continue_oppo
+ , &cr->ac);
+ break;
+ }
+ cr->b.step = fos_myid_hostname_txt;
+ /* fall through */
+
+ case fos_myid_hostname_txt:
+ if (c->spd.this.id.kind == ID_MYID
+ && myid_state != MYID_SPECIFIED)
+ {
+#ifdef USE_KEYRR
+ cr->b.failure_ok = TRUE;
+#else
+ cr->b.failure_ok = FALSE;
+#endif
+ cr->b.want = b->want = "TXT record for hostname as %myid";
+ ugh = start_adns_query(&myids[MYID_HOSTNAME]
+ , &myids[MYID_HOSTNAME]
+ , T_TXT
+ , continue_oppo
+ , &cr->ac);
+ break;
+ }
+
+#ifdef USE_KEYRR
+ cr->b.step = fos_myid_ip_key;
+ /* fall through */
+
+ case fos_myid_ip_key:
+ if (c->spd.this.id.kind == ID_MYID
+ && myid_state != MYID_SPECIFIED)
+ {
+ cr->b.failure_ok = TRUE;
+ cr->b.want = b->want = "KEY record for IP address as %myid (no good TXT)";
+ ugh = start_adns_query(&myids[MYID_IP]
+ , (const struct id *) NULL /* security gateway meaningless */
+ , T_KEY
+ , continue_oppo
+ , &cr->ac);
+ break;
+ }
+ cr->b.step = fos_myid_hostname_key;
+ /* fall through */
+
+ case fos_myid_hostname_key:
+ if (c->spd.this.id.kind == ID_MYID
+ && myid_state != MYID_SPECIFIED)
+ {
+ cr->b.failure_ok = FALSE; /* last attempt! */
+ cr->b.want = b->want = "KEY record for hostname as %myid (no good TXT)";
+ ugh = start_adns_query(&myids[MYID_HOSTNAME]
+ , (const struct id *) NULL /* security gateway meaningless */
+ , T_KEY
+ , continue_oppo
+ , &cr->ac);
+ break;
+ }
+#endif
+ cr->b.step = fos_our_client;
+ /* fall through */
+
+ case fos_our_client: /* TXT for our client */
+ if (!sameaddr(&c->spd.this.host_addr, &b->our_client))
+ {
+ /* Check that at least one TXT(reverse(b->our_client)) is workable.
+ * Note: {unshare|free}_id_content not needed for id: ephemeral.
+ */
+ cr->b.want = b->want = "our client's TXT record";
+ iptoid(&b->our_client, &id);
+ ugh = start_adns_query(&id
+ , &c->spd.this.id /* we are the security gateway */
+ , T_TXT
+ , continue_oppo
+ , &cr->ac);
+ break;
+ }
+ cr->b.step = fos_our_txt;
+ /* fall through */
+
+ case fos_our_txt: /* TXT for us */
+ cr->b.failure_ok = b->failure_ok = TRUE;
+ cr->b.want = b->want = "our TXT record";
+ ugh = start_adns_query(&sr->this.id
+ , &sr->this.id /* we are the security gateway XXX - maybe ignore? mcr */
+ , T_TXT
+ , continue_oppo
+ , &cr->ac);
+ break;
+
+#ifdef USE_KEYRR
+ case fos_our_key: /* KEY for us */
+ cr->b.want = b->want = "our KEY record";
+ cr->b.failure_ok = b->failure_ok = FALSE;
+ ugh = start_adns_query(&sr->this.id
+ , (const struct id *) NULL /* security gateway meaningless */
+ , T_KEY
+ , continue_oppo
+ , &cr->ac);
+ break;
+#endif /* USE_KEYRR */
+
+ case fos_his_client: /* TXT for his client */
+ /* note: {unshare|free}_id_content not needed for id: ephemeral */
+ cr->b.want = b->want = "target's TXT record";
+ cr->b.failure_ok = b->failure_ok = FALSE;
+ iptoid(&b->peer_client, &id);
+ ugh = start_adns_query(&id
+ , (const struct id *) NULL /* security gateway unconstrained */
+ , T_TXT
+ , continue_oppo
+ , &cr->ac);
+ break;
+
+ default:
+ bad_case(next_step);
+ }
+
+ if (ugh == NULL)
+ b->whackfd = NULL_FD; /* complete hand-off */
+ else
+ cannot_oppo(c, b, ugh);
+ }
+ }
+ close_any(b->whackfd);
+}
+
+void
+terminate_connection(const char *nm)
+{
+ /* Loop because more than one may match (master and instances)
+ * But at least one is required (enforced by con_by_name).
+ */
+ struct connection *c = con_by_name(nm, TRUE);
+
+ if (c == NULL || !c->ikev1)
+ return;
+
+ do
+ {
+ struct connection *n = c->ac_next; /* grab this before c might disappear */
+
+ if (streq(c->name, nm)
+ && c->kind >= CK_PERMANENT
+ && !NEVER_NEGOTIATE(c->policy))
+ {
+ set_cur_connection(c);
+ plog("terminating SAs using this connection");
+ c->policy &= ~POLICY_UP;
+ flush_pending_by_connection(c);
+ delete_states_by_connection(c, FALSE);
+ reset_cur_connection();
+ }
+ c = n;
+ } while (c != NULL);
+}
+
+/* check nexthop safety
+ * Our nexthop must not be within a routed client subnet, and vice versa.
+ * Note: we don't think this is true. We think that KLIPS will
+ * not process a packet output by an eroute.
+ */
+#ifdef NEVER
+//bool
+//check_nexthop(const struct connection *c)
+//{
+// struct connection *d;
+//
+// if (addrinsubnet(&c->spd.this.host_nexthop, &c->spd.that.client))
+// {
+// loglog(RC_LOG_SERIOUS, "cannot perform routing for connection \"%s\""
+// " because nexthop is within peer's client network",
+// c->name);
+// return FALSE;
+// }
+//
+// for (d = connections; d != NULL; d = d->next)
+// {
+// if (d->routing != RT_UNROUTED)
+// {
+// if (addrinsubnet(&c->spd.this.host_nexthop, &d->spd.that.client))
+// {
+// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
+// " because nexthop is contained in"
+// " existing routing for connection \"%s\"",
+// c->name, d->name);
+// return FALSE;
+// }
+// if (addrinsubnet(&d->spd.this.host_nexthop, &c->spd.that.client))
+// {
+// loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
+// " because it contains nexthop of"
+// " existing routing for connection \"%s\"",
+// c->name, d->name);
+// return FALSE;
+// }
+// }
+// }
+// return TRUE;
+//}
+#endif /* NEVER */
+
+/* an ISAKMP SA has been established.
+ * Note the serial number, and release any connections with
+ * the same peer ID but different peer IP address.
+ */
+bool uniqueIDs = FALSE; /* --uniqueids? */
+
+void
+ISAKMP_SA_established(struct connection *c, so_serial_t serial)
+{
+ c->newest_isakmp_sa = serial;
+
+ /* the connection is now oriented so that we are able to determine
+ * whether we are a mode config server with a virtual IP to send.
+ */
+ if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip)
+ c->spd.that.modecfg = TRUE;
+
+ if (uniqueIDs)
+ {
+ /* for all connections: if the same Phase 1 IDs are used
+ * for a different IP address, unorient that connection.
+ */
+ struct connection *d;
+
+ for (d = connections; d != NULL; )
+ {
+ struct connection *next = d->ac_next; /* might move underneath us */
+
+ if (d->kind >= CK_PERMANENT
+ && same_id(&c->spd.this.id, &d->spd.this.id)
+ && same_id(&c->spd.that.id, &d->spd.that.id)
+ && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr) ||
+ (c->spd.that.host_port != d->spd.that.host_port)))
+ {
+ release_connection(d, FALSE);
+ }
+ d = next;
+ }
+ }
+}
+
+/* Find the connection to connection c's peer's client with the
+ * largest value of .routing. All other things being equal,
+ * preference is given to c. If none is routed, return NULL.
+ *
+ * If erop is non-null, set *erop to a connection sharing both
+ * our client subnet and peer's client subnet with the largest value
+ * of .routing. If none is erouted, set *erop to NULL.
+ *
+ * The return value is used to find other connections sharing a route.
+ * *erop is used to find other connections sharing an eroute.
+ */
+struct connection *
+route_owner(struct connection *c
+ , struct spd_route **srp
+ , struct connection **erop
+ , struct spd_route **esrp)
+{
+ struct connection *d
+ , *best_ro = c
+ , *best_ero = c;
+ struct spd_route *srd, *src;
+ struct spd_route *best_sr, *best_esr;
+ enum routing_t best_routing, best_erouting;
+
+ passert(oriented(*c));
+ best_sr = NULL;
+ best_esr = NULL;
+ best_routing = c->spd.routing;
+ best_erouting = best_routing;
+
+ for (d = connections; d != NULL; d = d->ac_next)
+ {
+ for (srd = &d->spd; srd; srd = srd->next)
+ {
+ if (srd->routing == RT_UNROUTED)
+ continue;
+
+ for (src = &c->spd; src; src=src->next)
+ {
+ if (!samesubnet(&src->that.client, &srd->that.client))
+ continue;
+ if (src->that.protocol != srd->that.protocol)
+ continue;
+ if (src->that.port != srd->that.port)
+ continue;
+ passert(oriented(*d));
+ if (srd->routing > best_routing)
+ {
+ best_ro = d;
+ best_sr = srd;
+ best_routing = srd->routing;
+ }
+
+ if (!samesubnet(&src->this.client, &srd->this.client))
+ continue;
+ if (src->this.protocol != srd->this.protocol)
+ continue;
+ if (src->this.port != srd->this.port)
+ continue;
+ if (srd->routing > best_erouting)
+ {
+ best_ero = d;
+ best_esr = srd;
+ best_erouting = srd->routing;
+ }
+ }
+ }
+ }
+
+ DBG(DBG_CONTROL,
+ {
+ char cib[CONN_INST_BUF];
+ err_t m = builddiag("route owner of \"%s\"%s %s:"
+ , c->name
+ , (fmt_conn_instance(c, cib), cib)
+ , enum_name(&routing_story, c->spd.routing));
+
+ if (!routed(best_ro->spd.routing))
+ m = builddiag("%s NULL", m);
+ else if (best_ro == c)
+ m = builddiag("%s self", m);
+ else
+ m = builddiag("%s \"%s\"%s %s", m
+ , best_ro->name
+ , (fmt_conn_instance(best_ro, cib), cib)
+ , enum_name(&routing_story, best_ro->spd.routing));
+
+ if (erop != NULL)
+ {
+ m = builddiag("%s; eroute owner:", m);
+ if (!erouted(best_ero->spd.routing))
+ m = builddiag("%s NULL", m);
+ else if (best_ero == c)
+ m = builddiag("%s self", m);
+ else
+ m = builddiag("%s \"%s\"%s %s", m
+ , best_ero->name
+ , (fmt_conn_instance(best_ero, cib), cib)
+ , enum_name(&routing_story, best_ero->spd.routing));
+ }
+
+ DBG_log("%s", m);
+ });
+
+ if (erop != NULL)
+ *erop = erouted(best_erouting)? best_ero : NULL;
+
+ if (srp != NULL )
+ {
+ *srp = best_sr;
+ if (esrp != NULL )
+ *esrp = best_esr;
+ }
+
+ return routed(best_routing)? best_ro : NULL;
+}
+
+/* Find a connection that owns the shunt eroute between subnets.
+ * There ought to be only one.
+ * This might get to be a bottleneck -- try hashing if it does.
+ */
+struct connection *
+shunt_owner(const ip_subnet *ours, const ip_subnet *his)
+{
+ struct connection *c;
+ struct spd_route *sr;
+
+ for (c = connections; c != NULL; c = c->ac_next)
+ {
+ for (sr = &c->spd; sr; sr = sr->next)
+ {
+ if (shunt_erouted(sr->routing)
+ && samesubnet(ours, &sr->this.client)
+ && samesubnet(his, &sr->that.client))
+ return c;
+ }
+ }
+ return NULL;
+}
+
+/* Find some connection with this pair of hosts.
+ * We don't know enough to chose amongst those available.
+ * ??? no longer usefully different from find_host_pair_connections
+ */
+struct connection *
+find_host_connection(const ip_address *me, u_int16_t my_port
+, const ip_address *him, u_int16_t his_port, lset_t policy)
+{
+ struct connection *c = find_host_pair_connections(me, my_port, him, his_port);
+
+ if (policy != LEMPTY)
+ {
+ lset_t auth_requested = policy & POLICY_ID_AUTH_MASK;
+
+ /* if we have requirements for the policy,
+ * choose the first matching connection.
+ */
+ while (c != NULL)
+ {
+ if (c->policy & auth_requested)
+ {
+ break;
+ }
+ c = c->hp_next;
+ }
+ }
+ return c;
+}
+
+/* given an up-until-now satisfactory connection, find the best connection
+ * now that we just got the Phase 1 Id Payload from the peer.
+ *
+ * Comments in the code describe the (tricky!) matching criteria.
+ * Although this routine could handle the initiator case,
+ * it isn't currently called in this case.
+ * If it were, it could "upgrade" an Opportunistic Connection
+ * to a Road Warrior Connection if a suitable Peer ID were found.
+ *
+ * In RFC 2409 "The Internet Key Exchange (IKE)",
+ * in 5.1 "IKE Phase 1 Authenticated With Signatures", describing Main
+ * Mode:
+ *
+ * Initiator Responder
+ * ----------- -----------
+ * HDR, SA -->
+ * <-- HDR, SA
+ * HDR, KE, Ni -->
+ * <-- HDR, KE, Nr
+ * HDR*, IDii, [ CERT, ] SIG_I -->
+ * <-- HDR*, IDir, [ CERT, ] SIG_R
+ *
+ * In 5.4 "Phase 1 Authenticated With a Pre-Shared Key":
+ *
+ * HDR, SA -->
+ * <-- HDR, SA
+ * HDR, KE, Ni -->
+ * <-- HDR, KE, Nr
+ * HDR*, IDii, HASH_I -->
+ * <-- HDR*, IDir, HASH_R
+ *
+ * refine_host_connection could be called in two case:
+ *
+ * - the Responder receives the IDii payload:
+ * + [PSK] after using PSK to decode this message
+ * + before sending its IDir payload
+ * + before using its ID in HASH_R computation
+ * + [DSig] before using its private key to sign SIG_R
+ * + before using the Initiator's ID in HASH_I calculation
+ * + [DSig] before using the Initiator's public key to check SIG_I
+ *
+ * - the Initiator receives the IDir payload:
+ * + [PSK] after using PSK to encode previous message and decode this message
+ * + after sending its IDii payload
+ * + after using its ID in HASH_I computation
+ * + [DSig] after using its private key to sign SIG_I
+ * + before using the Responder's ID to compute HASH_R
+ * + [DSig] before using Responder's public key to check SIG_R
+ *
+ * refine_host_connection can choose a different connection, as long as
+ * nothing already used is changed.
+ *
+ * In the Initiator case, the particular connection might have been
+ * specified by whatever provoked Pluto to initiate. For example:
+ * whack --initiate connection-name
+ * The advantages of switching connections when we're the Initiator seem
+ * less important than the disadvantages, so after FreeS/WAN 1.9, we
+ * don't do this.
+ */
+struct connection *
+refine_host_connection(const struct state *st, const struct id *peer_id
+, chunk_t peer_ca)
+{
+ struct connection *c = st->st_connection;
+ u_int16_t auth = st->st_oakley.auth;
+ struct connection *d;
+ struct connection *best_found = NULL;
+ lset_t auth_policy;
+ const chunk_t *psk = NULL;
+ bool wcpip; /* wildcard Peer IP? */
+
+ int wildcards, our_pathlen, peer_pathlen;
+ int best_wildcards = MAX_WILDCARDS;
+ int best_our_pathlen = MAX_CA_PATH_LEN;
+ int best_peer_pathlen = MAX_CA_PATH_LEN;
+
+ if (same_id(&c->spd.that.id, peer_id)
+ && trusted_ca(peer_ca, c->spd.that.ca, &peer_pathlen)
+ && peer_pathlen == 0
+ && match_requested_ca(c->requested_ca, c->spd.this.ca, &our_pathlen)
+ && our_pathlen == 0)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("current connection is a full match"
+ " -- no need to look further");
+ )
+ return c;
+ }
+
+ switch (auth)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ auth_policy = POLICY_PSK;
+ psk = get_preshared_secret(c);
+ /* It should be virtually impossible to fail to find PSK:
+ * we just used it to decode the current message!
+ */
+ if (psk == NULL)
+ return NULL; /* cannot determine PSK! */
+ break;
+ case XAUTHInitPreShared:
+ case XAUTHRespPreShared:
+ auth_policy = POLICY_XAUTH_PSK;
+ psk = get_preshared_secret(c);
+ if (psk == NULL)
+ return NULL; /* cannot determine PSK! */
+ break;
+ case OAKLEY_RSA_SIG:
+ auth_policy = POLICY_RSASIG;
+ break;
+ case XAUTHInitRSA:
+ case XAUTHRespRSA:
+ auth_policy = POLICY_XAUTH_RSASIG;
+ break;
+ default:
+ bad_case(auth);
+ }
+
+ /* The current connection won't do: search for one that will.
+ * First search for one with the same pair of hosts.
+ * If that fails, search for a suitable Road Warrior or Opportunistic
+ * connection (i.e. wildcard peer IP).
+ * We need to match:
+ * - peer_id (slightly complicated by instantiation)
+ * - if PSK auth, the key must not change (we used it to decode message)
+ * - policy-as-used must be acceptable to new connection
+ */
+ d = c->host_pair->connections;
+ for (wcpip = FALSE; ; wcpip = TRUE)
+ {
+ for (; d != NULL; d = d->hp_next)
+ {
+ const char *match_name[] = {"no", "ok"};
+
+ bool matching_id = match_id(peer_id
+ , &d->spd.that.id, &wildcards);
+ bool matching_auth = (d->policy & auth_policy) != LEMPTY;
+
+ bool matching_trust = trusted_ca(peer_ca
+ , d->spd.that.ca, &peer_pathlen);
+ bool matching_request = match_requested_ca(c->requested_ca
+ , d->spd.this.ca, &our_pathlen);
+ bool match = matching_id && matching_auth &&
+ matching_trust && matching_request;
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s)"
+ , d->name
+ , match ? "full":" no"
+ , match_name[matching_id]
+ , match_name[matching_auth]
+ , match_name[matching_trust]
+ , match_name[matching_request])
+ )
+
+ /* do we have a match? */
+ if (!match)
+ continue;
+
+ /* ignore group connections */
+ if (d->policy & POLICY_GROUP)
+ continue;
+
+ if (c->spd.that.host_port != d->spd.that.host_port
+ && d->kind == CK_INSTANCE)
+ {
+ continue;
+ }
+
+ switch (auth)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ case XAUTHInitPreShared:
+ case XAUTHRespPreShared:
+ /* secret must match the one we already used */
+ {
+ const chunk_t *dpsk = get_preshared_secret(d);
+
+ if (dpsk == NULL)
+ continue; /* no secret */
+
+ if (psk != dpsk)
+ if (psk->len != dpsk->len
+ || memcmp(psk->ptr, dpsk->ptr, psk->len) != 0)
+ continue; /* different secret */
+ }
+ break;
+
+ case OAKLEY_RSA_SIG:
+ case XAUTHInitRSA:
+ case XAUTHRespRSA:
+ /*
+ * We must at least be able to find our private key
+ .*/
+ if (d->spd.this.sc == NULL /* no smartcard */
+ && get_RSA_private_key(d) == NULL) /* no private key */
+ continue;
+ break;
+
+ default:
+ bad_case(auth);
+ }
+
+ /* d has passed all the tests.
+ * We'll go with it if the Peer ID was an exact match.
+ */
+ if (match && wildcards == 0 && peer_pathlen == 0 && our_pathlen == 0)
+ return d;
+
+ /* We'll remember it as best_found in case an exact
+ * match doesn't come along.
+ */
+ if (best_found == NULL || wildcards < best_wildcards
+ || ((wildcards == best_wildcards && peer_pathlen < best_peer_pathlen)
+ || (peer_pathlen == best_peer_pathlen && our_pathlen < best_our_pathlen)))
+ {
+ best_found = d;
+ best_wildcards = wildcards;
+ best_peer_pathlen = peer_pathlen;
+ best_our_pathlen = our_pathlen;
+ }
+ }
+ if (wcpip)
+ return best_found; /* been around twice already */
+
+ /* Starting second time around.
+ * We're willing to settle for a connection that needs Peer IP
+ * instantiated: Road Warrior or Opportunistic.
+ * Look on list of connections for host pair with wildcard Peer IP
+ */
+ d = find_host_pair_connections(&c->spd.this.host_addr, c->spd.this.host_port
+ , (ip_address *)NULL, c->spd.that.host_port);
+ }
+}
+
+/**
+ * With virtual addressing, we must not allow someone to use an already
+ * used (by another id) addr/net.
+ */
+static bool
+is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
+{
+ struct connection *d;
+
+ for (d = connections; d != NULL; d = d->ac_next)
+ {
+ switch (d->kind)
+ {
+ case CK_PERMANENT:
+ case CK_INSTANCE:
+ if ((subnetinsubnet(peer_net,&d->spd.that.client) ||
+ subnetinsubnet(&d->spd.that.client,peer_net))
+ && !same_id(&d->spd.that.id, peer_id))
+ {
+ char buf[BUF_LEN];
+ char client[SUBNETTOT_BUF];
+
+ subnettot(peer_net, 0, client, sizeof(client));
+ idtoa(&d->spd.that.id, buf, sizeof(buf));
+ plog("Virtual IP %s is already used by '%s'", client, buf);
+ idtoa(peer_id, buf, sizeof(buf));
+ plog("Your ID is '%s'", buf);
+ return TRUE; /* already used by another one */
+ }
+ break;
+ case CK_GOING_AWAY:
+ default:
+ break;
+ }
+ }
+ return FALSE; /* you can safely use it */
+}
+
+/* find_client_connection: given a connection suitable for ISAKMP
+ * (i.e. the hosts match), find a one suitable for IPSEC
+ * (i.e. with matching clients).
+ *
+ * If we don't find an exact match (not even our current connection),
+ * we try for one that still needs instantiation. Try Road Warrior
+ * abstract connections and the Opportunistic abstract connections.
+ * This requires inverse instantiation: abstraction.
+ *
+ * After failing to find an exact match, we abstract the peer
+ * to be NO_IP (the wildcard value). This enables matches with
+ * Road Warrior and Opportunistic abstract connections.
+ *
+ * After failing that search, we also abstract the Phase 1 peer ID
+ * if possible. If the peer's ID was the peer's IP address, we make
+ * it NO_ID; instantiation will make it the peer's IP address again.
+ *
+ * If searching for a Road Warrior abstract connection fails,
+ * and conditions are suitable, we search for the best Opportunistic
+ * abstract connection.
+ *
+ * Note: in the end, both Phase 1 IDs must be preserved, after any
+ * instantiation. They are the IDs that have been authenticated.
+ */
+
+#define PATH_WEIGHT 1
+#define WILD_WEIGHT (MAX_CA_PATH_LEN+1)
+#define PRIO_WEIGHT (MAX_WILDCARDS+1)*WILD_WEIGHT
+
+/* fc_try: a helper function for find_client_connection */
+static struct connection *
+fc_try(const struct connection *c
+, struct host_pair *hp
+, const struct id *peer_id
+, const ip_subnet *our_net
+, const ip_subnet *peer_net
+, const u_int8_t our_protocol
+, const u_int16_t our_port
+, const u_int8_t peer_protocol
+, const u_int16_t peer_port
+, chunk_t peer_ca
+, const ietfAttrList_t *peer_list)
+{
+ struct connection *d;
+ struct connection *best = NULL;
+ policy_prio_t best_prio = BOTTOM_PRIO;
+ int wildcards, pathlen;
+
+ const bool peer_net_is_host = subnetisaddr(peer_net, &c->spd.that.host_addr);
+
+ for (d = hp->connections; d != NULL; d = d->hp_next)
+ {
+ struct spd_route *sr;
+
+ if (d->policy & POLICY_GROUP)
+ continue;
+
+ if (!(same_id(&c->spd.this.id, &d->spd.this.id)
+ && match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
+ && trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
+ && group_membership(peer_list, d->name, d->spd.that.groups)))
+ continue;
+
+ /* compare protocol and ports */
+ if (d->spd.this.protocol != our_protocol
+ || d->spd.this.port != our_port
+ || d->spd.that.protocol != peer_protocol
+ || (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
+ continue;
+
+ /* non-Opportunistic case:
+ * our_client must match.
+ *
+ * So must peer_client, but the testing is complicated
+ * by the fact that the peer might be a wildcard
+ * and if so, the default value of that.client
+ * won't match the default peer_net. The appropriate test:
+ *
+ * If d has a peer client, it must match peer_net.
+ * If d has no peer client, peer_net must just have peer itself.
+ */
+
+ for (sr = &d->spd; best != d && sr != NULL; sr = sr->next)
+ {
+ policy_prio_t prio;
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROLMORE))
+ {
+ char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+ char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+
+ subnettot(our_net, 0, s1, sizeof(s1));
+ subnettot(peer_net, 0, d1, sizeof(d1));
+ subnettot(&sr->this.client, 0, s3, sizeof(s3));
+ subnettot(&sr->that.client, 0, d3, sizeof(d3));
+ DBG_log(" fc_try trying "
+ "%s:%s:%d/%d -> %s:%d/%d vs %s:%s:%d/%d -> %s:%d/%d"
+ , c->name, s1, c->spd.this.protocol, c->spd.this.port
+ , d1, c->spd.that.protocol, c->spd.that.port
+ , d->name, s3, sr->this.protocol, sr->this.port
+ , d3, sr->that.protocol, sr->that.port);
+ }
+#endif /* DEBUG */
+
+ if (!samesubnet(&sr->this.client, our_net))
+ continue;
+
+ if (sr->that.has_client)
+ {
+ if (sr->that.has_client_wildcard)
+ {
+ if (!subnetinsubnet(peer_net, &sr->that.client))
+ continue;
+ }
+ else
+ {
+ if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
+ continue;
+ if (is_virtual_connection(d)
+ && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
+ || is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
+ continue;
+ }
+ }
+ else
+ {
+ if (!peer_net_is_host)
+ continue;
+ }
+
+ /* We've run the gauntlet -- success:
+ * We've got an exact match of subnets.
+ * The connection is feasible, but we continue looking for the best.
+ * The highest priority wins, implementing eroute-like rule.
+ * - a routed connection is preferrred
+ * - given that, the smallest number of ID wildcards are preferred
+ * - given that, the shortest CA pathlength is preferred
+ */
+ prio = PRIO_WEIGHT * routed(sr->routing)
+ + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
+ + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
+ + 1;
+ if (prio > best_prio)
+ {
+ best = d;
+ best_prio = prio;
+ }
+ }
+ }
+
+ if (best != NULL && NEVER_NEGOTIATE(best->policy))
+ best = NULL;
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" fc_try concluding with %s [%ld]"
+ , (best ? best->name : "none"), best_prio)
+ )
+ return best;
+}
+
+static struct connection *
+fc_try_oppo(const struct connection *c
+, struct host_pair *hp
+, const ip_subnet *our_net
+, const ip_subnet *peer_net
+, const u_int8_t our_protocol
+, const u_int16_t our_port
+, const u_int8_t peer_protocol
+, const u_int16_t peer_port
+, chunk_t peer_ca
+, const ietfAttrList_t *peer_list)
+{
+ struct connection *d;
+ struct connection *best = NULL;
+ policy_prio_t best_prio = BOTTOM_PRIO;
+ int wildcards, pathlen;
+
+ for (d = hp->connections; d != NULL; d = d->hp_next)
+ {
+ struct spd_route *sr;
+ policy_prio_t prio;
+
+ if (d->policy & POLICY_GROUP)
+ continue;
+
+ if (!(same_id(&c->spd.this.id, &d->spd.this.id)
+ && match_id(&c->spd.that.id, &d->spd.that.id, &wildcards)
+ && trusted_ca(peer_ca, d->spd.that.ca, &pathlen)
+ && group_membership(peer_list, d->name, d->spd.that.groups)))
+ continue;
+
+ /* compare protocol and ports */
+ if (d->spd.this.protocol != our_protocol
+ || d->spd.this.port != our_port
+ || d->spd.that.protocol != peer_protocol
+ || (d->spd.that.port != peer_port && !d->spd.that.has_port_wildcard))
+ continue;
+
+ /* Opportunistic case:
+ * our_net must be inside d->spd.this.client
+ * and peer_net must be inside d->spd.that.client
+ * Note: this host_pair chain also has shunt
+ * eroute conns (clear, drop), but they won't
+ * be marked as opportunistic.
+ */
+ for (sr = &d->spd; sr != NULL; sr = sr->next)
+ {
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROLMORE))
+ {
+ char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+ char s3[SUBNETTOT_BUF],d3[SUBNETTOT_BUF];
+
+ subnettot(our_net, 0, s1, sizeof(s1));
+ subnettot(peer_net, 0, d1, sizeof(d1));
+ subnettot(&sr->this.client, 0, s3, sizeof(s3));
+ subnettot(&sr->that.client, 0, d3, sizeof(d3));
+ DBG_log(" fc_try_oppo trying %s:%s -> %s vs %s:%s -> %s"
+ , c->name, s1, d1, d->name, s3, d3);
+ }
+#endif /* DEBUG */
+
+ if (!subnetinsubnet(our_net, &sr->this.client)
+ || !subnetinsubnet(peer_net, &sr->that.client))
+ continue;
+
+ /* The connection is feasible, but we continue looking for the best.
+ * The highest priority wins, implementing eroute-like rule.
+ * - our smallest client subnet is preferred (longest mask)
+ * - given that, his smallest client subnet is preferred
+ * - given that, a routed connection is preferrred
+ * - given that, the smallest number of ID wildcards are preferred
+ * - given that, the shortest CA pathlength is preferred
+ */
+ prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
+ + WILD_WEIGHT * (MAX_WILDCARDS - wildcards)
+ + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
+ if (prio > best_prio)
+ {
+ best = d;
+ best_prio = prio;
+ }
+ }
+ }
+
+ /* if the best wasn't opportunistic, we fail: it must be a shunt */
+ if (best != NULL
+ && (NEVER_NEGOTIATE(best->policy)
+ || (best->policy & POLICY_OPPO) == LEMPTY))
+ {
+ best = NULL;
+ }
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" fc_try_oppo concluding with %s [%ld]"
+ , (best ? best->name : "none"), best_prio)
+ )
+ return best;
+
+}
+
+/*
+ * get the peer's CA and group attributes
+ */
+chunk_t
+get_peer_ca_and_groups(struct connection *c, const ietfAttrList_t **peer_list)
+{
+ struct state *p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
+
+ *peer_list = NULL;
+
+ if (p1st != NULL
+ && p1st->st_peer_pubkey != NULL
+ && p1st->st_peer_pubkey->issuer.ptr != NULL)
+ {
+ x509acert_t *ac = get_x509acert(p1st->st_peer_pubkey->issuer
+ , p1st->st_peer_pubkey->serial);;
+
+ if (ac != NULL && verify_x509acert(ac, strict_crl_policy))
+ *peer_list = ac->groups;
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("no valid attribute cert found")
+ )
+ }
+ return p1st->st_peer_pubkey->issuer;
+ }
+ return empty_chunk;
+}
+
+struct connection *
+find_client_connection(struct connection *c
+, const ip_subnet *our_net, const ip_subnet *peer_net
+, const u_int8_t our_protocol, const u_int16_t our_port
+, const u_int8_t peer_protocol, const u_int16_t peer_port)
+{
+ struct connection *d;
+ struct spd_route *sr;
+
+ const ietfAttrList_t *peer_list = NULL;
+ chunk_t peer_ca = get_peer_ca_and_groups(c, &peer_list);
+
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROLMORE))
+ {
+ char s1[SUBNETTOT_BUF],d1[SUBNETTOT_BUF];
+
+ subnettot(our_net, 0, s1, sizeof(s1));
+ subnettot(peer_net, 0, d1, sizeof(d1));
+
+ DBG_log("find_client_connection starting with %s"
+ , (c ? c->name : "(none)"));
+ DBG_log(" looking for %s:%d/%d -> %s:%d/%d"
+ , s1, our_protocol, our_port
+ , d1, peer_protocol, peer_port);
+ }
+#endif /* DEBUG */
+
+ /* give priority to current connection
+ * but even greater priority to a routed concrete connection
+ */
+ {
+ struct connection *unrouted = NULL;
+ int srnum = -1;
+
+ for (sr = &c->spd; unrouted == NULL && sr != NULL; sr = sr->next)
+ {
+ srnum++;
+
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROLMORE))
+ {
+ char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
+
+ subnettot(&sr->this.client, 0, s2, sizeof(s2));
+ subnettot(&sr->that.client, 0, d2, sizeof(d2));
+ DBG_log(" concrete checking against sr#%d %s -> %s"
+ , srnum, s2, d2);
+ }
+#endif /* DEBUG */
+
+ if (samesubnet(&sr->this.client, our_net)
+ && samesubnet(&sr->that.client, peer_net)
+ && sr->this.protocol == our_protocol
+ && sr->this.port == our_port
+ && sr->that.protocol == peer_protocol
+ && sr->that.port == peer_port
+ && group_membership(peer_list, c->name, sr->that.groups))
+ {
+ passert(oriented(*c));
+ if (routed(sr->routing))
+ return c;
+
+ unrouted = c;
+ }
+ }
+
+ /* exact match? */
+ d = fc_try(c, c->host_pair, NULL, our_net, peer_net
+ , our_protocol, our_port, peer_protocol, peer_port
+ , peer_ca, peer_list);
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" fc_try %s gives %s"
+ , c->name
+ , (d ? d->name : "none"))
+ )
+
+ if (d == NULL)
+ d = unrouted;
+ }
+
+ if (d == NULL)
+ {
+ /* look for an abstract connection to match */
+ struct spd_route *sr;
+ struct host_pair *hp = NULL;
+
+ for (sr = &c->spd; hp==NULL && sr != NULL; sr = sr->next)
+ {
+ hp = find_host_pair(&sr->this.host_addr
+ , sr->this.host_port
+ , NULL
+ , sr->that.host_port);
+#ifdef DEBUG
+ if (DBGP(DBG_CONTROLMORE))
+ {
+ char s2[SUBNETTOT_BUF],d2[SUBNETTOT_BUF];
+
+ subnettot(&sr->this.client, 0, s2, sizeof(s2));
+ subnettot(&sr->that.client, 0, d2, sizeof(d2));
+
+ DBG_log(" checking hostpair %s -> %s is %s"
+ , s2, d2
+ , (hp ? "found" : "not found"));
+ }
+#endif /* DEBUG */
+ }
+
+ if (hp != NULL)
+ {
+ /* RW match with actual peer_id or abstract peer_id? */
+ d = fc_try(c, hp, NULL, our_net, peer_net
+ , our_protocol, our_port, peer_protocol, peer_port
+ , peer_ca, peer_list);
+
+ if (d == NULL
+ && subnetishost(our_net)
+ && subnetishost(peer_net))
+ {
+ /* Opportunistic match?
+ * Always use abstract peer_id.
+ * Note that later instantiation will result in the same peer_id.
+ */
+ d = fc_try_oppo(c, hp, our_net, peer_net
+ , our_protocol, our_port, peer_protocol, peer_port
+ , peer_ca, peer_list);
+ }
+ }
+ }
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" concluding with d = %s"
+ , (d ? d->name : "none"))
+ )
+ return d;
+}
+
+int
+connection_compare(const struct connection *ca
+, const struct connection *cb)
+{
+ int ret;
+
+ /* DBG_log("comparing %s to %s", ca->name, cb->name); */
+
+ ret = strcasecmp(ca->name, cb->name);
+ if (ret != 0)
+ return ret;
+
+ ret = ca->kind - cb->kind; /* note: enum connection_kind behaves like int */
+ if (ret != 0)
+ return ret;
+
+ /* same name, and same type */
+ switch (ca->kind)
+ {
+ case CK_INSTANCE:
+ return ca->instance_serial < cb->instance_serial ? -1
+ : ca->instance_serial > cb->instance_serial ? 1
+ : 0;
+
+ default:
+ return ca->prio < cb->prio ? -1
+ : ca->prio > cb->prio ? 1
+ : 0;
+ }
+}
+
+static int
+connection_compare_qsort(const void *a, const void *b)
+{
+ return connection_compare(*(const struct connection *const *)a
+ , *(const struct connection *const *)b);
+}
+
+void
+show_connections_status(bool all, const char *name)
+{
+ struct connection *c;
+ int count, i;
+ struct connection **array;
+
+ /* make an array of connections, and sort it */
+ count = 0;
+ for (c = connections; c != NULL; c = c->ac_next)
+ {
+ if (c->ikev1 && (name == NULL || streq(c->name, name)))
+ count++;
+ }
+ array = alloc_bytes(sizeof(struct connection *)*count, "connection array");
+
+ count=0;
+ for (c = connections; c != NULL; c = c->ac_next)
+ {
+ if (c->ikev1 && (name == NULL || streq(c->name, name)))
+ array[count++]=c;
+ }
+
+ /* sort it! */
+ qsort(array, count, sizeof(struct connection *), connection_compare_qsort);
+
+ for (i = 0; i < count; i++)
+ {
+ const char *ifn;
+ char instance[1 + 10 + 1];
+ char prio[POLICY_PRIO_BUF];
+
+ c = array[i];
+
+ ifn = oriented(*c)? c->interface->rname : "";
+
+ instance[0] = '\0';
+ if (c->kind == CK_INSTANCE && c->instance_serial != 0)
+ snprintf(instance, sizeof(instance), "[%lu]", c->instance_serial);
+
+ /* show topology */
+ {
+ char topo[CONNECTION_BUF];
+ struct spd_route *sr = &c->spd;
+ int num=0;
+
+ while (sr != NULL)
+ {
+ (void) format_connection(topo, sizeof(topo), c, sr);
+ whack_log(RC_COMMENT, "\"%s\"%s: %s; %s; eroute owner: #%lu"
+ , c->name, instance, topo
+ , enum_name(&routing_story, sr->routing)
+ , sr->eroute_owner);
+ sr = sr->next;
+ num++;
+ }
+ }
+
+ if (all)
+ {
+ /* show CAs if defined */
+ if (c->spd.this.ca.ptr != NULL || c->spd.that.ca.ptr != NULL)
+ {
+ char this_ca[BUF_LEN], that_ca[BUF_LEN];
+
+ dntoa_or_null(this_ca, BUF_LEN, c->spd.this.ca, "%any");
+ dntoa_or_null(that_ca, BUF_LEN, c->spd.that.ca, "%any");
+
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: CAs: '%s'...'%s'"
+ , c->name
+ , instance
+ , this_ca
+ , that_ca);
+ }
+
+ /* show group attributes if defined */
+ if (c->spd.that.groups != NULL)
+ {
+ char buf[BUF_LEN];
+
+ format_groups(c->spd.that.groups, buf, BUF_LEN);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: groups: %s"
+ , c->name
+ , instance
+ , buf);
+ }
+
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: ike_life: %lus; ipsec_life: %lus;"
+ " rekey_margin: %lus; rekey_fuzz: %lu%%; keyingtries: %lu"
+ , c->name
+ , instance
+ , (unsigned long) c->sa_ike_life_seconds
+ , (unsigned long) c->sa_ipsec_life_seconds
+ , (unsigned long) c->sa_rekey_margin
+ , (unsigned long) c->sa_rekey_fuzz
+ , (unsigned long) c->sa_keying_tries);
+
+ /* show DPD parameters if defined */
+
+ if (c->dpd_action != DPD_ACTION_NONE)
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: dpd_action: %s;"
+ " dpd_delay: %lus; dpd_timeout: %lus;"
+ , c->name
+ , instance
+ , enum_show(&dpd_action_names, c->dpd_action)
+ , (unsigned long) c->dpd_delay
+ , (unsigned long) c->dpd_timeout);
+
+ if (c->policy_next)
+ {
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: policy_next: %s"
+ , c->name, instance, c->policy_next->name);
+ }
+
+ /* Note: we display key_from_DNS_on_demand as if policy [lr]KOD */
+ fmt_policy_prio(c->prio, prio);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: policy: %s%s%s; prio: %s; interface: %s; "
+ , c->name
+ , instance
+ , prettypolicy(c->policy)
+ , c->spd.this.key_from_DNS_on_demand? "+lKOD" : ""
+ , c->spd.that.key_from_DNS_on_demand? "+rKOD" : ""
+ , prio
+ , ifn);
+ }
+
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: newest ISAKMP SA: #%ld; newest IPsec SA: #%ld; "
+ , c->name
+ , instance
+ , c->newest_isakmp_sa
+ , c->newest_ipsec_sa);
+
+ if (all)
+ {
+ ike_alg_show_connection(c, instance);
+ kernel_alg_show_connection(c, instance);
+ }
+ }
+ if (count > 0)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
+
+ pfree(array);
+}
+
+/* struct pending, the structure representing Quick Mode
+ * negotiations delayed until a Keying Channel has been negotiated.
+ * Essentially, a pending call to quick_outI1.
+ */
+
+struct pending {
+ int whack_sock;
+ struct state *isakmp_sa;
+ struct connection *connection;
+ lset_t policy;
+ unsigned long try;
+ so_serial_t replacing;
+
+ struct pending *next;
+};
+
+/* queue a Quick Mode negotiation pending completion of a suitable Main Mode */
+void
+add_pending(int whack_sock
+, struct state *isakmp_sa
+, struct connection *c
+, lset_t policy
+, unsigned long try
+, so_serial_t replacing)
+{
+ bool already_queued = FALSE;
+ struct pending *p = c->host_pair->pending;
+
+ while (p != NULL)
+ {
+ if (streq(c->name, p->connection->name))
+ {
+ already_queued = TRUE;
+ break;
+ }
+ p = p->next;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("Queuing pending Quick Mode with %s \"%s\"%s"
+ , ip_str(&c->spd.that.host_addr)
+ , c->name
+ , already_queued? " already done" : "")
+ )
+ if (already_queued)
+ return;
+
+ p = alloc_thing(struct pending, "struct pending");
+ p->whack_sock = whack_sock;
+ p->isakmp_sa = isakmp_sa;
+ p->connection = c;
+ p->policy = policy;
+ p->try = try;
+ p->replacing = replacing;
+ p->next = c->host_pair->pending;
+ c->host_pair->pending = p;
+}
+
+/* Release all the whacks awaiting the completion of this state.
+ * This is accomplished by closing all the whack socket file descriptors.
+ * We go to a lot of trouble to tell each whack, but to not tell it twice.
+ */
+void
+release_pending_whacks(struct state *st, err_t story)
+{
+ struct pending *p;
+ struct stat stst;
+
+ if (st->st_whack_sock == NULL_FD || fstat(st->st_whack_sock, &stst) != 0)
+ zero(&stst); /* resulting st_dev/st_ino ought to be distinct */
+
+ release_whack(st);
+
+ for (p = st->st_connection->host_pair->pending; p != NULL; p = p->next)
+ {
+ if (p->isakmp_sa == st && p->whack_sock != NULL_FD)
+ {
+ struct stat pst;
+
+ if (fstat(p->whack_sock, &pst) == 0
+ && (stst.st_dev != pst.st_dev || stst.st_ino != pst.st_ino))
+ {
+ passert(whack_log_fd == NULL_FD);
+ whack_log_fd = p->whack_sock;
+ whack_log(RC_COMMENT
+ , "%s for ISAKMP SA, but releasing whack for pending IPSEC SA"
+ , story);
+ whack_log_fd = NULL_FD;
+ }
+ close(p->whack_sock);
+ p->whack_sock = NULL_FD;
+ }
+ }
+}
+
+static void
+delete_pending(struct pending **pp)
+{
+ struct pending *p = *pp;
+
+ *pp = p->next;
+ if (p->connection != NULL)
+ connection_discard(p->connection);
+ close_any(p->whack_sock);
+ pfree(p);
+}
+
+void
+unpend(struct state *st)
+{
+ struct pending **pp
+ , *p;
+
+ for (pp = &st->st_connection->host_pair->pending; (p = *pp) != NULL; )
+ {
+ if (p->isakmp_sa == st)
+ {
+ DBG(DBG_CONTROL, DBG_log("unqueuing pending Quick Mode with %s \"%s\""
+ , ip_str(&p->connection->spd.that.host_addr)
+ , p->connection->name));
+ (void) quick_outI1(p->whack_sock, st, p->connection, p->policy
+ , p->try, p->replacing);
+ p->whack_sock = NULL_FD; /* ownership transferred */
+ p->connection = NULL; /* ownership transferred */
+ delete_pending(pp);
+ }
+ else
+ {
+ pp = &p->next;
+ }
+ }
+}
+
+/* a Main Mode negotiation has been replaced; update any pending */
+void
+update_pending(struct state *os, struct state *ns)
+{
+ struct pending *p;
+
+ for (p = os->st_connection->host_pair->pending; p != NULL; p = p->next)
+ {
+ if (p->isakmp_sa == os)
+ p->isakmp_sa = ns;
+ if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
+ {
+ p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
+ p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
+ }
+ }
+}
+
+/* a Main Mode negotiation has failed; discard any pending */
+void
+flush_pending_by_state(struct state *st)
+{
+ struct host_pair *hp = st->st_connection->host_pair;
+
+ if (hp != NULL)
+ {
+ struct pending **pp
+ , *p;
+
+ for (pp = &hp->pending; (p = *pp) != NULL; )
+ {
+ if (p->isakmp_sa == st)
+ delete_pending(pp);
+ else
+ pp = &p->next;
+ }
+ }
+}
+
+/* a connection has been deleted; discard any related pending */
+static void
+flush_pending_by_connection(struct connection *c)
+{
+ if (c->host_pair != NULL)
+ {
+ struct pending **pp
+ , *p;
+
+ for (pp = &c->host_pair->pending; (p = *pp) != NULL; )
+ {
+ if (p->connection == c)
+ {
+ p->connection = NULL; /* prevent delete_pending from releasing */
+ delete_pending(pp);
+ }
+ else
+ {
+ pp = &p->next;
+ }
+ }
+ }
+}
+
+void
+show_pending_phase2(const struct host_pair *hp, const struct state *st)
+{
+ const struct pending *p;
+
+ for (p = hp->pending; p != NULL; p = p->next)
+ {
+ if (p->isakmp_sa == st)
+ {
+ /* connection-name state-number [replacing state-number] */
+ char cip[CONN_INST_BUF];
+
+ fmt_conn_instance(p->connection, cip);
+ whack_log(RC_COMMENT, "#%lu: pending Phase 2 for \"%s\"%s replacing #%lu"
+ , p->isakmp_sa->st_serialno
+ , p->connection->name
+ , cip
+ , p->replacing);
+ }
+ }
+}
+
+/* Delete a connection if it is an instance and it is no longer in use.
+ * We must be careful to avoid circularity:
+ * we don't touch it if it is CK_GOING_AWAY.
+ */
+void
+connection_discard(struct connection *c)
+{
+ if (c->kind == CK_INSTANCE)
+ {
+ /* see if it is being used by a pending */
+ struct pending *p;
+
+ for (p = c->host_pair->pending; p != NULL; p = p->next)
+ if (p->connection == c)
+ return; /* in use, so we're done */
+
+ if (!states_use_connection(c))
+ delete_connection(c, FALSE);
+ }
+}
+
+
+/* A template connection's eroute can be eclipsed by
+ * either a %hold or an eroute for an instance iff
+ * the template is a /32 -> /32. This requires some special casing.
+ */
+
+long eclipse_count = 0;
+
+struct connection *
+eclipsed(struct connection *c, struct spd_route **esrp)
+{
+ struct connection *ue;
+ struct spd_route *sr1 = &c->spd;
+
+ ue = NULL;
+
+ while (sr1 != NULL && ue != NULL)
+ {
+ for (ue = connections; ue != NULL; ue = ue->ac_next)
+ {
+ struct spd_route *srue = &ue->spd;
+
+ while (srue != NULL
+ && srue->routing == RT_ROUTED_ECLIPSED
+ && !(samesubnet(&sr1->this.client, &srue->this.client)
+ && samesubnet(&sr1->that.client, &srue->that.client)))
+ {
+ srue = srue->next;
+ }
+ if (srue != NULL && srue->routing==RT_ROUTED_ECLIPSED)
+ {
+ *esrp = srue;
+ break;
+ }
+ }
+ }
+ return ue;
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
new file mode 100644
index 000000000..df3af9dd4
--- /dev/null
+++ b/src/pluto/connections.h
@@ -0,0 +1,367 @@
+/* information about connections between hosts and clients
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: connections.h,v 1.18 2006/04/22 21:59:20 as Exp $
+ */
+
+#ifndef _CONNECTIONS_H
+#define _CONNECTIONS_H
+
+#include <sys/queue.h>
+
+#include "id.h"
+#include "certs.h"
+#include "ac.h"
+#include "smartcard.h"
+#include "whack.h"
+
+/* There are two kinds of connections:
+ * - ISAKMP connections, between hosts (for IKE communication)
+ * - IPsec connections, between clients (for secure IP communication)
+ *
+ * An ISAKMP connection looks like:
+ * host<--->host
+ *
+ * An IPsec connection looks like:
+ * client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
+ *
+ * For the connection to be relevant to this instance of Pluto,
+ * exactly one of the hosts must be a public interface of our machine
+ * known to this instance.
+ *
+ * The client subnet might simply be the host -- this is a
+ * representation of "host mode".
+ *
+ * Each nexthop defaults to the neighbouring host's IP address.
+ * The nexthop is a property of the pair of hosts, not each
+ * individually. It is only needed for IPsec because of the
+ * way IPsec is mixed into the kernel routing logic. Furthermore,
+ * only this end's nexthop is actually used. Eventually, nexthop
+ * will be unnecessary.
+ *
+ * Other information represented:
+ * - each connection has a name: a chunk of uninterpreted text
+ * that is unique for each connection.
+ * - security requirements (currently just the "policy" flags from
+ * the whack command to initiate the connection, but eventually
+ * much more. Different for ISAKMP and IPsec connections.
+ * - rekeying parameters:
+ * + time an SA may live
+ * + time before SA death that a rekeying should be attempted
+ * (only by the initiator)
+ * + number of times to attempt rekeying
+ * - With the current KLIPS, we must route packets for a client
+ * subnet through the ipsec interface (ipsec0). Only one
+ * gateway can get traffic for a specific (client) subnet.
+ * Furthermore, if the routing isn't in place, packets will
+ * be sent in the clear.
+ * "routing" indicates whether the routing has been done for
+ * this connection. Note that several connections may claim
+ * the same routing, as long as they agree about where the
+ * packets are to be sent.
+ * - With the current KLIPS, only one outbound IPsec SA bundle can be
+ * used for a particular client. This is due to a limitation
+ * of using only routing for selection. So only one IPsec state (SA)
+ * may "own" the eroute. "eroute_owner" is the serial number of
+ * this state, SOS_NOBODY if there is none. "routing" indicates
+ * what kind of erouting has been done for this connection, if any.
+ *
+ * Details on routing is in constants.h
+ *
+ * Operations on Connections:
+ *
+ * - add a new connection (with all details) [whack command]
+ * - delete a connection (by name) [whack command]
+ * - initiate a connection (by name) [whack command]
+ * - find a connection (by IP addresses of hosts)
+ * [response to peer request; finding ISAKMP connection for IPsec connection]
+ *
+ * Some connections are templates, missing the address of the peer
+ * (represented by INADDR_ANY). These are always arranged so that the
+ * missing end is "that" (there can only be one missing end). These can
+ * be instantiated (turned into real connections) by Pluto in one of two
+ * different ways: Road Warrior Instantiation or Opportunistic
+ * Instantiation. A template connection is marked for Opportunistic
+ * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
+ * equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
+ *
+ * Instantiation creates a new temporary connection, with the missing
+ * details filled in. The resulting template lasts only as long as there
+ * is a state that uses it.
+ */
+
+/* connection policy priority: how important this policy is
+ * - used to implement eroute-like precedence (augmented by a small
+ * bonus for a routed connection).
+ * - a whole number
+ * - larger is more important
+ * - three subcomponents. In order of decreasing significance:
+ * + length of source subnet mask (8 bits)
+ * + length of destination subnet mask (8 bits)
+ * + bias (8 bit)
+ * - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
+ * normal priorities
+ * - other bias values are created on the fly to give mild preference
+ * to certaion conditions (eg. routedness)
+ * - priority is inherited -- an instance of a policy has the same priority
+ * as the original policy, even though its subnets might be smaller.
+ * - display format: n,m
+ */
+typedef unsigned long policy_prio_t;
+#define BOTTOM_PRIO ((policy_prio_t)0) /* smaller than any real prio */
+#define set_policy_prio(c) { (c)->prio = \
+ ((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
+ | ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
+ | (policy_prio_t)1; }
+#define POLICY_PRIO_BUF (3+1+3+1)
+extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
+
+struct virtual_t;
+
+struct end {
+ struct id id;
+ ip_address
+ host_addr,
+ host_nexthop,
+ host_srcip;
+ ip_subnet client;
+
+ bool key_from_DNS_on_demand;
+ bool has_client;
+ bool has_client_wildcard;
+ bool has_port_wildcard;
+ bool has_id_wildcards;
+ bool has_natip;
+ char *updown;
+ u_int16_t host_port; /* host order */
+ u_int16_t port; /* host order */
+ u_int8_t protocol;
+ cert_t cert; /* end certificate */
+ chunk_t ca; /* CA distinguished name */
+ struct ietfAttrList *groups;/* access control groups */
+ smartcard_t *sc; /* smartcard reader and key info */
+ struct virtual_t *virt;
+ bool modecfg; /* this end: request local address from server */
+ /* that end: give local addresses to clients */
+ bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
+ /* rules if client behind host is a subnet */
+ certpolicy_t sendcert; /* whether or not to send the certificate */
+};
+
+struct spd_route {
+ struct spd_route *next;
+ struct end this;
+ struct end that;
+ so_serial_t eroute_owner;
+ enum routing_t routing; /* level of routing in place */
+ uint32_t reqid;
+};
+
+struct connection {
+ char *name;
+ bool ikev1;
+
+ lset_t policy;
+ time_t sa_ike_life_seconds;
+ time_t sa_ipsec_life_seconds;
+ time_t sa_rekey_margin;
+ unsigned long sa_rekey_fuzz;
+ unsigned long sa_keying_tries;
+
+ /* RFC 3706 DPD */
+ time_t dpd_delay;
+ time_t dpd_timeout;
+ dpd_action_t dpd_action;
+
+ char *log_file_name; /* name of log file */
+ FILE *log_file; /* possibly open FILE */
+ CIRCLEQ_ENTRY(connection) log_link; /* linked list of open conns */
+ bool log_file_err; /* only bitch once */
+
+ struct spd_route spd;
+
+ /* internal fields: */
+
+ unsigned long instance_serial;
+ policy_prio_t prio;
+ bool instance_initiation_ok; /* this is an instance of a policy that mandates initiate */
+ enum connection_kind kind;
+ const struct iface *interface; /* filled in iff oriented */
+
+ so_serial_t /* state object serial number */
+ newest_isakmp_sa,
+ newest_ipsec_sa;
+
+
+#ifdef DEBUG
+ lset_t extra_debugging;
+#endif
+
+ /* note: if the client is the gateway, the following must be equal */
+ sa_family_t addr_family; /* between gateways */
+ sa_family_t tunnel_addr_family; /* between clients */
+
+ struct connection *policy_next; /* if multiple policies,
+ next one to apply */
+
+ struct gw_info *gw_info;
+ struct alg_info_esp *alg_info_esp;
+ struct alg_info_ike *alg_info_ike;
+
+ struct host_pair *host_pair;
+ struct connection *hp_next; /* host pair list link */
+
+ struct connection *ac_next; /* all connections list link */
+
+ generalName_t *requested_ca; /* collected certificate requests */
+ bool got_certrequest;
+};
+
+#define oriented(c) ((c).interface != NULL)
+extern bool orient(struct connection *c);
+
+extern bool same_peer_ids(const struct connection *c
+ , const struct connection *d, const struct id *his_id);
+
+/* Format the topology of a connection end, leaving out defaults.
+ * Largest left end looks like: client === host : port [ host_id ] --- hop
+ * Note: if that==NULL, skip nexthop
+ */
+#define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
+extern size_t format_end(char *buf, size_t buf_len
+ , const struct end *this, const struct end *that
+ , bool is_left, lset_t policy);
+
+extern void add_connection(const whack_message_t *wm);
+extern void initiate_connection(const char *name, int whackfd);
+extern void initiate_opportunistic(const ip_address *our_client
+ , const ip_address *peer_client, int transport_proto, bool held, int whackfd);
+extern void terminate_connection(const char *nm);
+extern void release_connection(struct connection *c, bool relations);
+extern void delete_connection(struct connection *c, bool relations);
+extern void delete_connections_by_name(const char *name, bool strict);
+extern void delete_every_connection(void);
+extern char *add_group_instance(struct connection *group, const ip_subnet *target);
+extern void remove_group_instance(const struct connection *group, const char *name);
+extern void release_dead_interfaces(void);
+extern void check_orientations(void);
+extern struct connection *route_owner(struct connection *c
+ , struct spd_route **srp
+ , struct connection **erop
+ , struct spd_route **esrp);
+extern struct connection *shunt_owner(const ip_subnet *ours
+ , const ip_subnet *his);
+
+extern bool uniqueIDs; /* --uniqueids? */
+extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial);
+
+#define his_id_was_instantiated(c) ((c)->kind == CK_INSTANCE \
+ && (id_is_ipaddr(&(c)->spd.that.id)? \
+ sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr) : TRUE))
+
+struct state; /* forward declaration of tag (defined in state.h) */
+extern struct connection
+ *con_by_name(const char *nm, bool strict),
+ *find_host_connection(const ip_address *me, u_int16_t my_port
+ , const ip_address *him, u_int16_t his_port, lset_t policy),
+ *refine_host_connection(const struct state *st, const struct id *id
+ , chunk_t peer_ca),
+ *find_client_connection(struct connection *c
+ , const ip_subnet *our_net
+ , const ip_subnet *peer_net
+ , const u_int8_t our_protocol
+ , const u_int16_t out_port
+ , const u_int8_t peer_protocol
+ , const u_int16_t peer_port),
+ *find_connection_by_reqid(uint32_t reqid);
+
+extern struct connection *
+find_connection_for_clients(struct spd_route **srp
+ , const ip_address *our_client
+ , const ip_address *peer_client
+ , int transport_proto);
+
+extern chunk_t get_peer_ca_and_groups(struct connection *c
+ , const ietfAttrList_t **peer_list);
+
+/* instantiating routines
+ * Note: connection_discard() is in state.h because all its work
+ * is looking through state objects.
+ */
+struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
+struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
+extern struct connection *rw_instantiate(struct connection *c
+ , const ip_address *him
+ , u_int16_t his_port
+ , const ip_subnet *his_net
+ , const struct id *his_id);
+
+extern struct connection *oppo_instantiate(struct connection *c
+ , const ip_address *him
+ , const struct id *his_id
+ , struct gw_info *gw
+ , const ip_address *our_client
+ , const ip_address *peer_client);
+
+extern struct connection
+ *build_outgoing_opportunistic_connection(struct gw_info *gw
+ , const ip_address *our_client
+ , const ip_address *peer_client);
+
+/* worst case: "[" serial "] " myclient "=== ..." peer "===" hisclient '\0' */
+#define CONN_INST_BUF \
+ (2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1)
+
+extern void fmt_conn_instance(const struct connection *c
+ , char buf[CONN_INST_BUF]);
+
+/* operations on "pending", the structure representing Quick Mode
+ * negotiations delayed until a Keying Channel has been negotiated.
+ */
+
+struct pending; /* forward declaration (opaque outside connections.c) */
+
+extern void add_pending(int whack_sock
+ , struct state *isakmp_sa
+ , struct connection *c
+ , lset_t policy
+ , unsigned long try
+ , so_serial_t replacing);
+
+extern void release_pending_whacks(struct state *st, err_t story);
+extern void unpend(struct state *st);
+extern void update_pending(struct state *os, struct state *ns);
+extern void flush_pending_by_state(struct state *st);
+extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
+
+extern void connection_discard(struct connection *c);
+
+/* A template connection's eroute can be eclipsed by
+ * either a %hold or an eroute for an instance iff
+ * the template is a /32 -> /32. This requires some special casing.
+ */
+#define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
+extern long eclipse_count;
+extern struct connection *eclipsed(struct connection *c, struct spd_route **);
+
+
+/* print connection status */
+
+extern void show_connections_status(bool all, const char *name);
+extern int connection_compare(const struct connection *ca
+ , const struct connection *cb);
+extern void update_host_pair(const char *why, struct connection *c
+ , const ip_address *myaddr, u_int16_t myport
+ , const ip_address *hisaddr, u_int16_t hisport);
+
+#endif /* _CONNECTIONS_H */
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
new file mode 100644
index 000000000..e7d7216ee
--- /dev/null
+++ b/src/pluto/constants.c
@@ -0,0 +1,1353 @@
+/* tables of names for values defined in constants.h
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: constants.c,v 1.21 2006/03/27 07:38:59 as Exp $
+ */
+
+/*
+ * Note that the array sizes are all specified; this is to enable range
+ * checking by code that only includes constants.h.
+ */
+
+#include <stddef.h>
+#include <string.h>
+#include <stdio.h>
+#include <netinet/in.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "packet.h"
+
+/* string naming compile-time options that have interop implications */
+
+const char compile_time_interop_options[] = ""
+#ifdef THREADS
+ " THREADS"
+#endif
+#ifdef LIBCURL
+ " LIBCURL"
+#endif
+#ifdef LIBLDAP
+ " LIBLDAP"
+#endif
+#ifdef SMARTCARD
+ " SMARTCARD"
+#endif
+#ifdef VENDORID
+ " VENDORID"
+#endif
+#ifdef CISCO_QUIRKS
+ " CISCO_QUIRKS"
+#endif
+#ifdef USE_KEYRR
+ " KEYRR"
+#endif
+ ;
+
+/* version */
+
+static const char *const version_name[] = {
+ "ISAKMP Version 1.0",
+};
+
+enum_names version_names =
+ { ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
+ ISAKMP_MAJOR_VERSION<<ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION,
+ version_name, NULL };
+
+/* RFC 2459 CRL reason codes */
+
+static const char *const crl_reason_name[] = {
+ "unspecified",
+ "key compromise",
+ "ca compromise",
+ "affiliation changed",
+ "superseded",
+ "cessation of operation",
+ "certificate hold",
+ "reason #7",
+ "remove from crl"
+ };
+
+enum_names crl_reason_names =
+ { REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL, crl_reason_name, NULL};
+
+/* RFC 3706 Dead Peer Detection */
+
+static const char *const dpd_action_name[] = {
+ "none",
+ "clear",
+ "hold",
+ "restart"
+ };
+
+enum_names dpd_action_names =
+ { DPD_ACTION_NONE, DPD_ACTION_RESTART, dpd_action_name, NULL};
+
+/* Timer events */
+
+static const char *const timer_event_name[] = {
+ "EVENT_NULL",
+ "EVENT_REINIT_SECRET",
+ "EVENT_SHUNT_SCAN",
+ "EVENT_SO_DISCARD",
+ "EVENT_RETRANSMIT",
+ "EVENT_SA_REPLACE",
+ "EVENT_SA_REPLACE_IF_USED",
+ "EVENT_SA_EXPIRE",
+ "EVENT_NAT_T_KEEPALIVE",
+ "EVENT_DPD",
+ "EVENT_DPD_TIMEOUT",
+ "EVENT_LOG_DAILY"
+ };
+
+enum_names timer_event_names =
+ { EVENT_NULL, EVENT_LOG_DAILY, timer_event_name, NULL };
+
+/* Domain of Interpretation */
+
+static const char *const doi_name[] = {
+ "ISAKMP_DOI_ISAKMP",
+ "ISAKMP_DOI_IPSEC",
+};
+
+enum_names doi_names = { ISAKMP_DOI_ISAKMP, ISAKMP_DOI_IPSEC, doi_name, NULL };
+
+/* debugging settings: a set of selections for reporting
+ * These would be more naturally situated in log.h,
+ * but they are shared with whack.
+ * It turns out that "debug-" is clutter in all contexts this is used,
+ * so we leave it off.
+ */
+#ifdef DEBUG
+const char *const debug_bit_names[] = {
+ "raw",
+ "crypt",
+ "parsing",
+ "emitting",
+ "control",
+ "lifecycle",
+ "klips",
+ "dns",
+ "natt",
+ "oppo",
+ "controlmore",
+
+ "private",
+
+ "impair-delay-adns-key-answer",
+ "impair-delay-adns-txt-answer",
+ "impair-bust-mi2",
+ "impair-bust-mr2",
+
+ NULL
+ };
+#endif
+
+/* State of exchanges */
+
+static const char *const state_name[] = {
+ "STATE_MAIN_R0",
+ "STATE_MAIN_I1",
+ "STATE_MAIN_R1",
+ "STATE_MAIN_I2",
+ "STATE_MAIN_R2",
+ "STATE_MAIN_I3",
+ "STATE_MAIN_R3",
+ "STATE_MAIN_I4",
+
+ "STATE_QUICK_R0",
+ "STATE_QUICK_I1",
+ "STATE_QUICK_R1",
+ "STATE_QUICK_I2",
+ "STATE_QUICK_R2",
+
+ "STATE_INFO",
+ "STATE_INFO_PROTECTED",
+
+ "STATE_XAUTH_I0",
+ "STATE_XAUTH_R1",
+ "STATE_XAUTH_I1",
+ "STATE_XAUTH_R2",
+ "STATE_XAUTH_I2",
+ "STATE_XAUTH_R3",
+
+ "STATE_MODE_CFG_R0",
+ "STATE_MODE_CFG_I1",
+ "STATE_MODE_CFG_R1",
+ "STATE_MODE_CFG_I2",
+
+ "STATE_MODE_CFG_I0",
+ "STATE_MODE_CFG_R3",
+ "STATE_MODE_CFG_I3",
+ "STATE_MODE_CFG_R4",
+
+ "STATE_IKE_ROOF"
+ };
+
+enum_names state_names =
+ { STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL };
+
+/* story for state */
+
+const char *const state_story[] = {
+ "expecting MI1", /* STATE_MAIN_R0 */
+ "sent MI1, expecting MR1", /* STATE_MAIN_I1 */
+ "sent MR1, expecting MI2", /* STATE_MAIN_R1 */
+ "sent MI2, expecting MR2", /* STATE_MAIN_I2 */
+ "sent MR2, expecting MI3", /* STATE_MAIN_R2 */
+ "sent MI3, expecting MR3", /* STATE_MAIN_I3 */
+ "sent MR3, ISAKMP SA established", /* STATE_MAIN_R3 */
+ "ISAKMP SA established", /* STATE_MAIN_I4 */
+
+ "expecting QI1", /* STATE_QUICK_R0 */
+ "sent QI1, expecting QR1", /* STATE_QUICK_I1 */
+ "sent QR1, inbound IPsec SA installed, expecting QI2", /* STATE_QUICK_R1 */
+ "sent QI2, IPsec SA established", /* STATE_QUICK_I2 */
+ "IPsec SA established", /* STATE_QUICK_R2 */
+
+ "got Informational Message in clear", /* STATE_INFO */
+ "got encrypted Informational Message", /* STATE_INFO_PROTECTED */
+
+ "expecting XAUTH request", /* STATE_XAUTH_I0 */
+ "sent XAUTH request, expecting reply", /* STATE_XAUTH_R1 */
+ "sent XAUTH reply, expecting status", /* STATE_XAUTH_I1 */
+ "sent XAUTH status, expecting ack", /* STATE_XAUTH_R2 */
+ "sent XAUTH ack, established", /* STATE_XAUTH_I2 */
+ "received XAUTH ack, established", /* STATE_XAUTH_R3 */
+
+ "expecting ModeCfg request", /* STATE_MODE_CFG_R0 */
+ "sent ModeCfg request, expecting reply", /* STATE_MODE_CFG_I1 */
+ "sent ModeCfg reply, established", /* STATE_MODE_CFG_R1 */
+ "received ModeCfg reply, established", /* STATE_MODE_CFG_I2 */
+
+ "expecting ModeCfg set", /* STATE_MODE_CFG_I0 */
+ "sent ModeCfg set, expecting ack", /* STATE_MODE_CFG_R3 */
+ "sent ModeCfg ack, established", /* STATE_MODE_CFG_I3 */
+ "received ModeCfg ack, established", /* STATE_MODE_CFG_R4 */
+ };
+
+/* kind of struct connection */
+
+static const char *const connection_kind_name[] = {
+ "CK_GROUP", /* policy group: instantiates to template */
+ "CK_TEMPLATE", /* abstract connection, with wildcard */
+ "CK_PERMANENT", /* normal connection */
+ "CK_INSTANCE", /* instance of template, created for a particular attempt */
+ "CK_GOING_AWAY" /* instance being deleted -- don't delete again */
+};
+
+enum_names connection_kind_names =
+ { CK_GROUP, CK_GOING_AWAY, connection_kind_name, NULL };
+
+/* routing status names */
+
+static const char *const routing_story_strings[] = {
+ "unrouted", /* RT_UNROUTED: unrouted */
+ "unrouted HOLD", /* RT_UNROUTED_HOLD: unrouted, but HOLD shunt installed */
+ "eroute eclipsed", /* RT_ROUTED_ECLIPSED: RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
+ "prospective erouted", /* RT_ROUTED_PROSPECTIVE: routed, and prospective shunt installed */
+ "erouted HOLD", /* RT_ROUTED_HOLD: routed, and HOLD shunt installed */
+ "fail erouted", /* RT_ROUTED_FAILURE: routed, and failure-context shunt eroute installed */
+ "erouted", /* RT_ROUTED_TUNNEL: routed, and erouted to an IPSEC SA group */
+ "keyed, unrouted", /* RT_UNROUTED_KEYED: was routed+keyed, but it got turned into an outer policy */
+ };
+
+enum_names routing_story =
+ { RT_UNROUTED, RT_ROUTED_TUNNEL, routing_story_strings, NULL};
+
+/* Payload types (RFC 2408 "ISAKMP" section 3.1) */
+
+const char *const payload_name[] = {
+ "ISAKMP_NEXT_NONE",
+ "ISAKMP_NEXT_SA",
+ "ISAKMP_NEXT_P",
+ "ISAKMP_NEXT_T",
+ "ISAKMP_NEXT_KE",
+ "ISAKMP_NEXT_ID",
+ "ISAKMP_NEXT_CERT",
+ "ISAKMP_NEXT_CR",
+ "ISAKMP_NEXT_HASH",
+ "ISAKMP_NEXT_SIG",
+ "ISAKMP_NEXT_NONCE",
+ "ISAKMP_NEXT_N",
+ "ISAKMP_NEXT_D",
+ "ISAKMP_NEXT_VID",
+ "ISAKMP_NEXT_MODECFG",
+ "ISAKMP_NEXT_15",
+ "ISAKMP_NEXT_16",
+ "ISAKMP_NEXT_17",
+ "ISAKMP_NEXT_18",
+ "ISAKMP_NEXT_19",
+ "ISAKMP_NEXT_NAT-D",
+ "ISAKMP_NEXT_NAT-OA",
+ NULL
+ };
+
+const char *const payload_name_nat_d[] = { "ISAKMP_NEXT_NAT-D",
+ "ISAKMP_NEXT_NAT-OA", NULL };
+
+static enum_names payload_names_nat_d =
+ { ISAKMP_NEXT_NATD_DRAFTS, ISAKMP_NEXT_NATOA_DRAFTS, payload_name_nat_d, NULL };
+
+enum_names payload_names =
+ { ISAKMP_NEXT_NONE, ISAKMP_NEXT_NATOA_RFC, payload_name, &payload_names_nat_d };
+
+/* Exchange types (note: two discontinuous ranges) */
+
+static const char *const exchange_name[] = {
+ "ISAKMP_XCHG_NONE",
+ "ISAKMP_XCHG_BASE",
+ "ISAKMP_XCHG_IDPROT",
+ "ISAKMP_XCHG_AO",
+ "ISAKMP_XCHG_AGGR",
+ "ISAKMP_XCHG_INFO",
+ "ISAKMP_XCHG_MODE_CFG",
+ };
+
+static const char *const exchange_name2[] = {
+ "ISAKMP_XCHG_QUICK",
+ "ISAKMP_XCHG_NGRP",
+ "ISAKMP_XCHG_ACK_INFO",
+ };
+
+static enum_names exchange_desc2 =
+ { ISAKMP_XCHG_QUICK, ISAKMP_XCHG_ACK_INFO, exchange_name2, NULL };
+
+enum_names exchange_names =
+ { ISAKMP_XCHG_NONE, ISAKMP_XCHG_MODE_CFG, exchange_name, &exchange_desc2 };
+
+/* Flag BITS */
+const char *const flag_bit_names[] = {
+ "ISAKMP_FLAG_ENCRYPTION",
+ "ISAKMP_FLAG_COMMIT",
+ NULL
+ };
+
+/* Situation BITS definition for IPsec DOI */
+
+const char *const sit_bit_names[] = {
+ "SIT_IDENTITY_ONLY",
+ "SIT_SECRECY",
+ "SIT_INTEGRITY",
+ NULL
+ };
+
+/* Protocol IDs (RFC 2407 "IPsec DOI" section 4.4.1) */
+
+static const char *const protocol_name[] = {
+ "PROTO_ISAKMP",
+ "PROTO_IPSEC_AH",
+ "PROTO_IPSEC_ESP",
+ "PROTO_IPCOMP",
+ };
+
+enum_names protocol_names =
+ { PROTO_ISAKMP, PROTO_IPCOMP, protocol_name, NULL };
+
+/* IPsec ISAKMP transform values */
+
+static const char *const isakmp_transform_name[] = {
+ "KEY_IKE",
+ };
+
+enum_names isakmp_transformid_names =
+ { KEY_IKE, KEY_IKE, isakmp_transform_name, NULL };
+
+/* IPsec AH transform values */
+
+static const char *const ah_transform_name[] = {
+ "AH_MD5",
+ "AH_SHA",
+ "AH_DES",
+ "AH_SHA2_256",
+ "AH_SHA2_384",
+ "AH_SHA2_512",
+ "AH_RIPEMD"
+ };
+
+enum_names ah_transformid_names =
+ { AH_MD5, AH_RIPEMD, ah_transform_name, NULL };
+
+/* IPsec ESP transform values */
+
+static const char *const esp_transform_name[] = {
+ "ESP_DES_IV64",
+ "ESP_DES",
+ "ESP_3DES",
+ "ESP_RC5",
+ "ESP_IDEA",
+ "ESP_CAST",
+ "ESP_BLOWFISH",
+ "ESP_3IDEA",
+ "ESP_DES_IV32",
+ "ESP_RC4",
+ "ESP_NULL",
+ "ESP_AES",
+ "ESP_AES-CTR",
+ "ESP_AES-CCM_8",
+ "ESP_AES-CCM_12",
+ "ESP_AES-CCM_16"
+ };
+
+/*
+ * ipsec drafts suggest "high" ESP ids values for testing,
+ * assign generic ESP_ID<num> if not officially defined
+ */
+static const char *const esp_transform_name_high[] = {
+ "ESP_SERPENT",
+ "ESP_TWOFISH"
+ };
+
+enum_names esp_transformid_names_high =
+ { ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
+
+enum_names esp_transformid_names =
+ { ESP_DES_IV64, ESP_AES_CCM_16, esp_transform_name, &esp_transformid_names_high };
+
+/* IPCOMP transform values */
+
+static const char *const ipcomp_transform_name[] = {
+ "IPCOMP_OUI",
+ "IPCOMP_DEFLAT",
+ "IPCOMP_LZS",
+ "IPCOMP_LZJH",
+ };
+
+enum_names ipcomp_transformid_names =
+ { IPCOMP_OUI, IPCOMP_LZJH, ipcomp_transform_name, NULL };
+
+/* Identification type values */
+
+static const char *const ident_name[] = {
+ "ID_IPV4_ADDR",
+ "ID_FQDN",
+ "ID_USER_FQDN",
+ "ID_IPV4_ADDR_SUBNET",
+ "ID_IPV6_ADDR",
+ "ID_IPV6_ADDR_SUBNET",
+ "ID_IPV4_ADDR_RANGE",
+ "ID_IPV6_ADDR_RANGE",
+ "ID_DER_ASN1_DN",
+ "ID_DER_ASN1_GN",
+ "ID_KEY_ID",
+ };
+
+enum_names ident_names =
+ { ID_IPV4_ADDR, ID_KEY_ID, ident_name, NULL };
+
+/* Certificate type values */
+
+static const char *const cert_type_name[] = {
+ "CERT_NONE",
+ "CERT_PKCS7_WRAPPED_X509",
+ "CERT_PGP",
+ "CERT_DNS_SIGNED_KEY",
+ "CERT_X509_SIGNATURE",
+ "CERT_X509_KEY_EXCHANGE",
+ "CERT_KERBEROS_TOKENS",
+ "CERT_CRL",
+ "CERT_ARL",
+ "CERT_SPKI",
+ "CERT_X509_ATTRIBUTE",
+ };
+
+enum_names cert_type_names =
+ { CERT_NONE, CERT_X509_ATTRIBUTE, cert_type_name, NULL };
+
+/* Certificate policy names */
+
+static const char *const cert_policy_name[] = {
+ "ALWAYS_SEND",
+ "SEND_IF_ASKED",
+ "NEVER_SEND",
+ };
+
+enum_names cert_policy_names =
+ { CERT_ALWAYS_SEND, CERT_NEVER_SEND, cert_policy_name, NULL };
+
+/* Goal BITs for establishing an SA
+ * Note: we drop the POLICY_ prefix so that logs are more concise.
+ */
+
+const char *const sa_policy_bit_names[] = {
+ "PSK",
+ "RSASIG",
+ "ENCRYPT",
+ "AUTHENTICATE",
+ "COMPRESS",
+ "TUNNEL",
+ "PFS",
+ "DISABLEARRIVALCHECK",
+ "SHUNT0",
+ "SHUNT1",
+ "FAILSHUNT0",
+ "FAILSHUNT1",
+ "DONTREKEY",
+ "OPPORTUNISTIC",
+ "GROUP",
+ "GROUTED",
+ "UP",
+ "MODECFGPUSH",
+ "XAUTHPSK",
+ "XAUTHRSASIG",
+ "XAUTHSERVER",
+ "DONTREAUTH",
+ NULL
+ };
+
+const char *const policy_shunt_names[4] = {
+ "TRAP",
+ "PASS",
+ "DROP",
+ "REJECT",
+ };
+
+const char *const policy_fail_names[4] = {
+ "NONE",
+ "PASS",
+ "DROP",
+ "REJECT",
+ };
+
+/* Oakley transform attributes
+ * oakley_attr_bit_names does double duty: it is used for enum names
+ * and bit names.
+ */
+
+const char *const oakley_attr_bit_names[] = {
+ "OAKLEY_ENCRYPTION_ALGORITHM",
+ "OAKLEY_HASH_ALGORITHM",
+ "OAKLEY_AUTHENTICATION_METHOD",
+ "OAKLEY_GROUP_DESCRIPTION",
+ "OAKLEY_GROUP_TYPE",
+ "OAKLEY_GROUP_PRIME",
+ "OAKLEY_GROUP_GENERATOR_ONE",
+ "OAKLEY_GROUP_GENERATOR_TWO",
+ "OAKLEY_GROUP_CURVE_A",
+ "OAKLEY_GROUP_CURVE_B",
+ "OAKLEY_LIFE_TYPE",
+ "OAKLEY_LIFE_DURATION",
+ "OAKLEY_PRF",
+ "OAKLEY_KEY_LENGTH",
+ "OAKLEY_FIELD_SIZE",
+ "OAKLEY_GROUP_ORDER",
+ "OAKLEY_BLOCK_SIZE",
+ NULL
+ };
+
+static const char *const oakley_var_attr_name[] = {
+ "OAKLEY_GROUP_PRIME (variable length)",
+ "OAKLEY_GROUP_GENERATOR_ONE (variable length)",
+ "OAKLEY_GROUP_GENERATOR_TWO (variable length)",
+ "OAKLEY_GROUP_CURVE_A (variable length)",
+ "OAKLEY_GROUP_CURVE_B (variable length)",
+ NULL,
+ "OAKLEY_LIFE_DURATION (variable length)",
+ NULL,
+ NULL,
+ NULL,
+ "OAKLEY_GROUP_ORDER (variable length)",
+ };
+
+static enum_names oakley_attr_desc_tv = {
+ OAKLEY_ENCRYPTION_ALGORITHM + ISAKMP_ATTR_AF_TV,
+ OAKLEY_GROUP_ORDER + ISAKMP_ATTR_AF_TV, oakley_attr_bit_names, NULL };
+
+enum_names oakley_attr_names = {
+ OAKLEY_GROUP_PRIME, OAKLEY_GROUP_ORDER,
+ oakley_var_attr_name, &oakley_attr_desc_tv };
+
+/* for each Oakley attribute, which enum_names describes its values? */
+enum_names *oakley_attr_val_descs[] = {
+ NULL, /* (none) */
+ &oakley_enc_names, /* OAKLEY_ENCRYPTION_ALGORITHM */
+ &oakley_hash_names, /* OAKLEY_HASH_ALGORITHM */
+ &oakley_auth_names, /* OAKLEY_AUTHENTICATION_METHOD */
+ &oakley_group_names, /* OAKLEY_GROUP_DESCRIPTION */
+ &oakley_group_type_names,/* OAKLEY_GROUP_TYPE */
+ NULL, /* OAKLEY_GROUP_PRIME */
+ NULL, /* OAKLEY_GROUP_GENERATOR_ONE */
+ NULL, /* OAKLEY_GROUP_GENERATOR_TWO */
+ NULL, /* OAKLEY_GROUP_CURVE_A */
+ NULL, /* OAKLEY_GROUP_CURVE_B */
+ &oakley_lifetime_names, /* OAKLEY_LIFE_TYPE */
+ NULL, /* OAKLEY_LIFE_DURATION */
+ &oakley_prf_names, /* OAKLEY_PRF */
+ NULL, /* OAKLEY_KEY_LENGTH */
+ NULL, /* OAKLEY_FIELD_SIZE */
+ NULL, /* OAKLEY_GROUP_ORDER */
+ };
+
+/* IPsec DOI attributes (RFC 2407 "IPsec DOI" section 4.5) */
+
+static const char *const ipsec_attr_name[] = {
+ "SA_LIFE_TYPE",
+ "SA_LIFE_DURATION",
+ "GROUP_DESCRIPTION",
+ "ENCAPSULATION_MODE",
+ "AUTH_ALGORITHM",
+ "KEY_LENGTH",
+ "KEY_ROUNDS",
+ "COMPRESS_DICT_SIZE",
+ "COMPRESS_PRIVATE_ALG",
+ };
+
+static const char *const ipsec_var_attr_name[] = {
+ "SA_LIFE_DURATION (variable length)",
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ "COMPRESS_PRIVATE_ALG (variable length)",
+ };
+
+static enum_names ipsec_attr_desc_tv = {
+ SA_LIFE_TYPE + ISAKMP_ATTR_AF_TV,
+ COMPRESS_PRIVATE_ALG + ISAKMP_ATTR_AF_TV,
+ ipsec_attr_name, NULL };
+
+enum_names ipsec_attr_names = {
+ SA_LIFE_DURATION, COMPRESS_PRIVATE_ALG,
+ ipsec_var_attr_name, &ipsec_attr_desc_tv };
+
+/* for each IPsec attribute, which enum_names describes its values? */
+enum_names *ipsec_attr_val_descs[] = {
+ NULL, /* (none) */
+ &sa_lifetime_names, /* SA_LIFE_TYPE */
+ NULL, /* SA_LIFE_DURATION */
+ &oakley_group_names, /* GROUP_DESCRIPTION */
+ &enc_mode_names, /* ENCAPSULATION_MODE */
+ &auth_alg_names, /* AUTH_ALGORITHM */
+ NULL, /* KEY_LENGTH */
+ NULL, /* KEY_ROUNDS */
+ NULL, /* COMPRESS_DICT_SIZE */
+ NULL, /* COMPRESS_PRIVATE_ALG */
+ };
+
+/* SA Lifetime Type attribute */
+
+static const char *const sa_lifetime_name[] = {
+ "SA_LIFE_TYPE_SECONDS",
+ "SA_LIFE_TYPE_KBYTES",
+ };
+
+enum_names sa_lifetime_names =
+ { SA_LIFE_TYPE_SECONDS, SA_LIFE_TYPE_KBYTES, sa_lifetime_name, NULL };
+
+/* Encapsulation Mode attribute */
+
+static const char *const enc_mode_name[] = {
+ "ENCAPSULATION_MODE_TUNNEL",
+ "ENCAPSULATION_MODE_TRANSPORT",
+ "ENCAPSULATION_MODE_UDP_TUNNEL",
+ "ENCAPSULATION_MODE_UDP_TRANSPORT",
+ };
+
+static const char *const enc_udp_mode_name[] = {
+ "ENCAPSULATION_MODE_UDP_TUNNEL",
+ "ENCAPSULATION_MODE_UDP_TRANSPORT",
+ };
+
+static enum_names enc_udp_mode_names =
+ { ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, NULL };
+
+enum_names enc_mode_names =
+ { ENCAPSULATION_MODE_TUNNEL, ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, enc_mode_name, &enc_udp_mode_names };
+
+/* Auth Algorithm attribute */
+
+static const char *const auth_alg_name[] = {
+ "AUTH_ALGORITHM_HMAC_MD5",
+ "AUTH_ALGORITHM_HMAC_SHA1",
+ "AUTH_ALGORITHM_DES_MAC",
+ "AUTH_ALGORITHM_KPDK",
+ "AUTH_ALGORITHM_HMAC_SHA2_256",
+ "AUTH_ALGORITHM_HMAC_SHA2_384",
+ "AUTH_ALGORITHM_HMAC_SHA2_512",
+ "AUTH_ALGORITHM_HMAC_RIPEMD",
+ };
+
+static const char *const extended_auth_alg_name[] = {
+ "AUTH_ALGORITHM_NULL"
+ };
+
+enum_names extended_auth_alg_names =
+ { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
+
+enum_names auth_alg_names =
+ { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
+ , &extended_auth_alg_names };
+
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_type_name[] = {
+ "Generic",
+ "RADIUS-CHAP",
+ "OTP",
+ "S/KEY",
+};
+
+enum_names xauth_type_names =
+ { XAUTH_TYPE_GENERIC, XAUTH_TYPE_SKEY, xauth_type_name, NULL};
+
+/* From draft-beaulieu-ike-xauth */
+static const char *const xauth_attr_tv_name[] = {
+ "XAUTH_TYPE",
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ "XAUTH_STATUS",
+ };
+
+enum_names xauth_attr_tv_names = {
+ XAUTH_TYPE + ISAKMP_ATTR_AF_TV,
+ XAUTH_STATUS + ISAKMP_ATTR_AF_TV, xauth_attr_tv_name, NULL };
+
+static const char *const unity_attr_name[] = {
+ "UNITY_BANNER",
+ "UNITY_SAVE_PASSWD",
+ "UNITY_DEF_DOMAIN",
+ "UNITY_SPLITDNS_NAME",
+ "UNITY_SPLIT_INCLUDE",
+ "UNITY_NATT_PORT",
+ "UNITY_LOCAL_LAN",
+ "UNITY_PFS",
+ "UNITY_FW_TYPE",
+ "UNITY_BACKUP_SERVERS",
+ "UNITY_DDNS_HOSTNAME",
+};
+
+enum_names unity_attr_names =
+ { UNITY_BANNER , UNITY_DDNS_HOSTNAME, unity_attr_name , &xauth_attr_tv_names };
+
+
+static const char *const xauth_attr_name[] = {
+ "XAUTH_USER_NAME",
+ "XAUTH_USER_PASSWORD",
+ "XAUTH_PASSCODE",
+ "XAUTH_MESSAGE",
+ "XAUTH_CHALLENGE",
+ "XAUTH_DOMAIN",
+ "XAUTH_STATUS (wrong TLV syntax, should be TV)",
+ "XAUTH_NEXT_PIN",
+ "XAUTH_ANSWER",
+ };
+
+enum_names xauth_attr_names =
+ { XAUTH_USER_NAME , XAUTH_ANSWER, xauth_attr_name , &unity_attr_names };
+
+static const char *const modecfg_attr_name[] = {
+ "INTERNAL_IP4_ADDRESS",
+ "INTERNAL_IP4_NETMASK",
+ "INTERNAL_IP4_DNS",
+ "INTERNAL_IP4_NBNS",
+ "INTERNAL_ADDRESS_EXPIRY",
+ "INTERNAL_IP4_DHCP",
+ "APPLICATION_VERSION",
+ "INTERNAL_IP6_ADDRESS",
+ "INTERNAL_IP6_NETMASK",
+ "INTERNAL_IP6_DNS",
+ "INTERNAL_IP6_NBNS",
+ "INTERNAL_IP6_DHCP",
+ "INTERNAL_IP4_SUBNET",
+ "SUPPORTED_ATTRIBUTES",
+ "INTERNAL_IP6_SUBNET",
+ };
+
+enum_names modecfg_attr_names =
+ { INTERNAL_IP4_ADDRESS, INTERNAL_IP6_SUBNET, modecfg_attr_name , &xauth_attr_names };
+
+/* Oakley Lifetime Type attribute */
+
+static const char *const oakley_lifetime_name[] = {
+ "OAKLEY_LIFE_SECONDS",
+ "OAKLEY_LIFE_KILOBYTES",
+ };
+
+enum_names oakley_lifetime_names =
+ { OAKLEY_LIFE_SECONDS, OAKLEY_LIFE_KILOBYTES, oakley_lifetime_name, NULL };
+
+/* Oakley PRF attribute (none defined) */
+
+enum_names oakley_prf_names =
+ { 1, 0, NULL, NULL };
+
+/* Oakley Encryption Algorithm attribute */
+
+static const char *const oakley_enc_name[] = {
+ "OAKLEY_DES_CBC",
+ "OAKLEY_IDEA_CBC",
+ "OAKLEY_BLOWFISH_CBC",
+ "OAKLEY_RC5_R16_B64_CBC",
+ "OAKLEY_3DES_CBC",
+ "OAKLEY_CAST_CBC",
+ "OAKLEY_AES_CBC",
+ };
+
+#ifdef NO_EXTRA_IKE
+enum_names oakley_enc_names =
+ { OAKLEY_DES_CBC, OAKLEY_AES_CBC, oakley_enc_name, NULL };
+#else
+static const char *const oakley_enc_name_draft_aes_cbc_02[] = {
+ "OAKLEY_MARS_CBC" /* 65001 */,
+ "OAKLEY_RC6_CBC" /* 65002 */,
+ "OAKLEY_ID_65003" /* 65003 */,
+ "OAKLEY_SERPENT_CBC" /* 65004 */,
+ "OAKLEY_TWOFISH_CBC" /* 65005 */,
+};
+static const char *const oakley_enc_name_ssh[] = {
+ "OAKLEY_TWOFISH_CBC_SSH",
+};
+enum_names oakley_enc_names_ssh =
+ { OAKLEY_TWOFISH_CBC_SSH, OAKLEY_TWOFISH_CBC_SSH, oakley_enc_name_ssh
+ , NULL };
+
+enum_names oakley_enc_names_draft_aes_cbc_02 =
+ { OAKLEY_MARS_CBC, OAKLEY_TWOFISH_CBC, oakley_enc_name_draft_aes_cbc_02
+ , &oakley_enc_names_ssh };
+
+enum_names oakley_enc_names =
+ { OAKLEY_DES_CBC, OAKLEY_AES_CBC, oakley_enc_name
+ , &oakley_enc_names_draft_aes_cbc_02 };
+#endif
+
+/* Oakley Hash Algorithm attribute */
+
+static const char *const oakley_hash_name[] = {
+ "OAKLEY_MD5",
+ "OAKLEY_SHA",
+ "OAKLEY_TIGER",
+ "OAKLEY_SHA2_256",
+ "OAKLEY_SHA2_384",
+ "OAKLEY_SHA2_512",
+ };
+
+enum_names oakley_hash_names =
+ { OAKLEY_MD5, OAKLEY_SHA2_512, oakley_hash_name, NULL };
+
+/* Oakley Authentication Method attribute */
+
+static const char *const oakley_auth_name1[] = {
+ "OAKLEY_PRESHARED_KEY",
+ "OAKLEY_DSS_SIG",
+ "OAKLEY_RSA_SIG",
+ "OAKLEY_RSA_ENC",
+ "OAKLEY_RSA_ENC_REV",
+ "OAKLEY_ELGAMAL_ENC",
+ "OAKLEY_ELGAMAL_ENC_REV",
+ };
+
+static const char *const oakley_auth_name2[] = {
+ "HybridInitRSA",
+ "HybridRespRSA",
+ "HybridInitDSS",
+ "HybridRespDSS",
+ };
+
+static const char *const oakley_auth_name3[] = {
+ "XAUTHInitPreShared",
+ "XAUTHRespPreShared",
+ "XAUTHInitDSS",
+ "XAUTHRespDSS",
+ "XAUTHInitRSA",
+ "XAUTHRespRSA",
+ "XAUTHInitRSAEncryption",
+ "XAUTHRespRSAEncryption",
+ "XAUTHInitRSARevisedEncryption",
+ "XAUTHRespRSARevisedEncryption",
+ };
+
+static enum_names oakley_auth_names1 =
+ { OAKLEY_PRESHARED_KEY, OAKLEY_ELGAMAL_ENC_REV
+ , oakley_auth_name1, NULL };
+
+static enum_names oakley_auth_names2 =
+ { HybridInitRSA, HybridRespDSS
+ , oakley_auth_name2, &oakley_auth_names1 };
+
+enum_names oakley_auth_names =
+ { XAUTHInitPreShared, XAUTHRespRSARevisedEncryption
+ , oakley_auth_name3, &oakley_auth_names2 };
+
+/* Oakley Group Description attribute */
+
+static const char *const oakley_group_name[] = {
+ "OAKLEY_GROUP_MODP768",
+ "OAKLEY_GROUP_MODP1024",
+ "OAKLEY_GROUP_GP155",
+ "OAKLEY_GROUP_GP185",
+ "OAKLEY_GROUP_MODP1536",
+ };
+
+static const char *const oakley_group_name_rfc3526[] = {
+ "OAKLEY_GROUP_MODP2048",
+ "OAKLEY_GROUP_MODP3072",
+ "OAKLEY_GROUP_MODP4096",
+ "OAKLEY_GROUP_MODP6144",
+ "OAKLEY_GROUP_MODP8192"
+};
+enum_names oakley_group_names_rfc3526 =
+ { OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP8192,
+ oakley_group_name_rfc3526, NULL };
+
+enum_names oakley_group_names =
+ { OAKLEY_GROUP_MODP768, OAKLEY_GROUP_MODP1536,
+ oakley_group_name, &oakley_group_names_rfc3526 };
+
+/* Oakley Group Type attribute */
+
+static const char *const oakley_group_type_name[] = {
+ "OAKLEY_GROUP_TYPE_MODP",
+ "OAKLEY_GROUP_TYPE_ECP",
+ "OAKLEY_GROUP_TYPE_EC2N",
+ };
+
+enum_names oakley_group_type_names =
+ { OAKLEY_GROUP_TYPE_MODP, OAKLEY_GROUP_TYPE_EC2N, oakley_group_type_name, NULL };
+
+/* Notify messages -- error types */
+
+static const char *const notification_name[] = {
+ "INVALID_PAYLOAD_TYPE",
+ "DOI_NOT_SUPPORTED",
+ "SITUATION_NOT_SUPPORTED",
+ "INVALID_COOKIE",
+ "INVALID_MAJOR_VERSION",
+ "INVALID_MINOR_VERSION",
+ "INVALID_EXCHANGE_TYPE",
+ "INVALID_FLAGS",
+ "INVALID_MESSAGE_ID",
+ "INVALID_PROTOCOL_ID",
+ "INVALID_SPI",
+ "INVALID_TRANSFORM_ID",
+ "ATTRIBUTES_NOT_SUPPORTED",
+ "NO_PROPOSAL_CHOSEN",
+ "BAD_PROPOSAL_SYNTAX",
+ "PAYLOAD_MALFORMED",
+ "INVALID_KEY_INFORMATION",
+ "INVALID_ID_INFORMATION",
+ "INVALID_CERT_ENCODING",
+ "INVALID_CERTIFICATE",
+ "CERT_TYPE_UNSUPPORTED",
+ "INVALID_CERT_AUTHORITY",
+ "INVALID_HASH_INFORMATION",
+ "AUTHENTICATION_FAILED",
+ "INVALID_SIGNATURE",
+ "ADDRESS_NOTIFICATION",
+ "NOTIFY_SA_LIFETIME",
+ "CERTIFICATE_UNAVAILABLE",
+ "UNSUPPORTED_EXCHANGE_TYPE",
+ "UNEQUAL_PAYLOAD_LENGTHS",
+ };
+
+static const char *const notification_status_name[] = {
+ "CONNECTED",
+ };
+
+static const char *const ipsec_notification_name[] = {
+ "IPSEC_RESPONDER_LIFETIME",
+ "IPSEC_REPLAY_STATUS",
+ "IPSEC_INITIAL_CONTACT",
+ };
+
+static const char *const notification_dpd_name[] = {
+ "R_U_THERE",
+ "R_U_THERE_ACK",
+};
+
+enum_names notification_dpd_names =
+ { R_U_THERE, R_U_THERE_ACK,
+ notification_dpd_name, NULL };
+
+enum_names ipsec_notification_names =
+ { IPSEC_RESPONDER_LIFETIME, IPSEC_INITIAL_CONTACT,
+ ipsec_notification_name, &notification_dpd_names };
+
+enum_names notification_status_names =
+ { CONNECTED, CONNECTED,
+ notification_status_name, &ipsec_notification_names };
+
+enum_names notification_names =
+ { INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
+ notification_name, &notification_status_names };
+
+/* MODECFG
+ * From draft-dukes-ike-mode-cfg
+ */
+const char *const attr_msg_type_name[] = {
+ "ISAKMP_CFG_RESERVED",
+ "ISAKMP_CFG_REQUEST",
+ "ISAKMP_CFG_REPLY",
+ "ISAKMP_CFG_SET",
+ "ISAKMP_CFG_ACK",
+ NULL
+ };
+
+enum_names attr_msg_type_names =
+ { 0 , ISAKMP_CFG_ACK, attr_msg_type_name , NULL };
+
+/* socket address family info */
+
+static const char *const af_inet_name[] = {
+ "AF_INET",
+ };
+
+static const char *const af_inet6_name[] = {
+ "AF_INET6",
+ };
+
+static enum_names af_names6 = { AF_INET6, AF_INET6, af_inet6_name, NULL };
+
+enum_names af_names = { AF_INET, AF_INET, af_inet_name, &af_names6 };
+
+static ip_address ipv4_any, ipv6_any;
+static ip_subnet ipv4_wildcard, ipv6_wildcard;
+static ip_subnet ipv4_all, ipv6_all;
+
+const struct af_info af_inet4_info = {
+ AF_INET,
+ "AF_INET",
+ sizeof(struct in_addr),
+ sizeof(struct sockaddr_in),
+ 32,
+ ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE,
+ &ipv4_any, &ipv4_wildcard, &ipv4_all,
+ };
+
+const struct af_info af_inet6_info = {
+ AF_INET6,
+ "AF_INET6",
+ sizeof(struct in6_addr),
+ sizeof(struct sockaddr_in6),
+ 128,
+ ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV6_ADDR_RANGE,
+ &ipv6_any, &ipv6_wildcard, &ipv6_all,
+ };
+
+const struct af_info *
+aftoinfo(int af)
+{
+ switch (af)
+ {
+ case AF_INET:
+ return &af_inet4_info;
+ case AF_INET6:
+ return &af_inet6_info;
+ default:
+ return NULL;
+ }
+}
+
+bool
+subnetisnone(const ip_subnet *sn)
+{
+ ip_address base;
+
+ networkof(sn, &base);
+ return isanyaddr(&base) && subnetishost(sn);
+}
+
+/* BIND enumerated types */
+
+#include <arpa/nameser.h>
+
+static const char *const rr_type_name[] = {
+ "T_A", /* 1 host address */
+ "T_NS", /* 2 authoritative server */
+ "T_MD", /* 3 mail destination */
+ "T_MF", /* 4 mail forwarder */
+ "T_CNAME", /* 5 canonical name */
+ "T_SOA", /* 6 start of authority zone */
+ "T_MB", /* 7 mailbox domain name */
+ "T_MG", /* 8 mail group member */
+ "T_MR", /* 9 mail rename name */
+ "T_NULL", /* 10 null resource record */
+ "T_WKS", /* 11 well known service */
+ "T_PTR", /* 12 domain name pointer */
+ "T_HINFO", /* 13 host information */
+ "T_MINFO", /* 14 mailbox information */
+ "T_MX", /* 15 mail routing information */
+ "T_TXT", /* 16 text strings */
+ "T_RP", /* 17 responsible person */
+ "T_AFSDB", /* 18 AFS cell database */
+ "T_X25", /* 19 X_25 calling address */
+ "T_ISDN", /* 20 ISDN calling address */
+ "T_RT", /* 21 router */
+ "T_NSAP", /* 22 NSAP address */
+ "T_NSAP_PTR", /* 23 reverse NSAP lookup (deprecated) */
+ "T_SIG", /* 24 security signature */
+ "T_KEY", /* 25 security key */
+ "T_PX", /* 26 X.400 mail mapping */
+ "T_GPOS", /* 27 geographical position (withdrawn) */
+ "T_AAAA", /* 28 IP6 Address */
+ "T_LOC", /* 29 Location Information */
+ "T_NXT", /* 30 Next Valid Name in Zone */
+ "T_EID", /* 31 Endpoint identifier */
+ "T_NIMLOC", /* 32 Nimrod locator */
+ "T_SRV", /* 33 Server selection */
+ "T_ATMA", /* 34 ATM Address */
+ "T_NAPTR", /* 35 Naming Authority PoinTeR */
+ NULL
+ };
+
+enum_names rr_type_names = { T_A, T_NAPTR, rr_type_name, NULL };
+
+/* Query type values which do not appear in resource records */
+static const char *const rr_qtype_name[] = {
+ "T_IXFR", /* 251 incremental zone transfer */
+ "T_AXFR", /* 252 transfer zone of authority */
+ "T_MAILB", /* 253 transfer mailbox records */
+ "T_MAILA", /* 254 transfer mail agent records */
+ "T_ANY", /* 255 wildcard match */
+ NULL
+ };
+
+enum_names rr_qtype_names = { T_IXFR, T_ANY, rr_qtype_name, &rr_type_names };
+
+static const char *const rr_class_name[] = {
+ "C_IN", /* 1 the arpa internet */
+ NULL
+ };
+
+enum_names rr_class_names = { C_IN, C_IN, rr_class_name, NULL };
+
+/*
+ * NAT-Traversal defines for nat_traveral type from nat_traversal.h
+ *
+ */
+const char *const natt_type_bitnames[] = {
+ "draft-ietf-ipsec-nat-t-ike-00/01", /* 0 */
+ "draft-ietf-ipsec-nat-t-ike-02/03",
+ "RFC 3947",
+ "3", /* 3 */
+ "4", "5", "6", "7",
+ "8", "9", "10", "11",
+ "12", "13", "14", "15",
+ "16", "17", "18", "19",
+ "20", "21", "22", "23",
+ "24", "25", "26", "27",
+ "28", "29",
+ "nat is behind me",
+ "nat is behind peer"
+};
+
+/* look up enum names in an enum_names */
+
+const char *
+enum_name(enum_names *ed, unsigned long val)
+{
+ enum_names *p;
+
+ for (p = ed; p != NULL; p = p->en_next_range)
+ {
+ if (p->en_first <= val && val <= p->en_last)
+ return p->en_names[val - p->en_first];
+ }
+ return NULL;
+}
+
+/* find or construct a string to describe an enum value
+ * Result may be in STATIC buffer!
+ */
+const char *
+enum_show(enum_names *ed, unsigned long val)
+{
+ const char *p = enum_name(ed, val);
+
+ if (p == NULL)
+ {
+ static char buf[12]; /* only one! I hope that it is big enough */
+
+ snprintf(buf, sizeof(buf), "%lu??", val);
+ p = buf;
+ }
+ return p;
+}
+
+
+static char bitnamesbuf[200]; /* only one! I hope that it is big enough! */
+
+int
+enum_search(enum_names *ed, const char *str)
+{
+ enum_names *p;
+ const char *ptr;
+ unsigned en;
+
+ for (p = ed; p != NULL; p = p->en_next_range)
+ for (en = p->en_first; en <= p->en_last ;en++)
+ {
+ ptr = p->en_names[en - p->en_first];
+ if (ptr == 0) continue;
+ /* if (strncmp(ptr, str, strlen(ptr))==0) */
+ if (strcmp(ptr, str) == 0)
+ return en;
+ }
+ return -1;
+}
+
+/* construct a string to name the bits on in a set
+ * Result may be in STATIC buffer!
+ * Note: prettypolicy depends on internal details.
+ */
+const char *
+bitnamesof(const char *const table[], lset_t val)
+{
+ char *p = bitnamesbuf;
+ lset_t bit;
+ const char *const *tp;
+
+ if (val == 0)
+ return "none";
+
+ for (tp = table, bit = 01; val != 0; bit <<= 1)
+ {
+ if (val & bit)
+ {
+ const char *n = *tp;
+ size_t nl;
+
+ if (n == NULL || *n == '\0')
+ {
+ /* no name for this bit, so use hex */
+ static char flagbuf[sizeof("0x80000000")];
+
+ snprintf(flagbuf, sizeof(flagbuf), "0x%llx", bit);
+ n = flagbuf;
+ }
+
+ nl = strlen(n);
+
+ if (p != bitnamesbuf && p < bitnamesbuf+sizeof(bitnamesbuf) - 1)
+ *p++ = '+';
+
+ if (bitnamesbuf+sizeof(bitnamesbuf) - p > (ptrdiff_t)nl)
+ {
+ strcpy(p, n);
+ p += nl;
+ }
+ val -= bit;
+ }
+ if (*tp != NULL)
+ tp++; /* move on, but not past end */
+ }
+ *p = '\0';
+ return bitnamesbuf;
+}
+
+/* print a policy: like bitnamesof, but it also does the non-bitfields.
+ * Suppress the shunt and fail fields if 0.
+ */
+const char *
+prettypolicy(lset_t policy)
+{
+ const char *bn = bitnamesof(sa_policy_bit_names
+ , policy & ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK));
+ size_t len;
+ lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
+ lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
+
+ if (bn != bitnamesbuf)
+ bitnamesbuf[0] = '\0';
+ len = strlen(bitnamesbuf);
+ if (shunt != 0)
+ {
+ snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+%s"
+ , policy_shunt_names[shunt]);
+ len += strlen(bitnamesbuf + len);
+ }
+ if (fail != 0)
+ {
+ snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+failure%s"
+ , policy_fail_names[fail]);
+ len += strlen(bitnamesbuf + len);
+ }
+ if (NEVER_NEGOTIATE(policy))
+ {
+ snprintf(bitnamesbuf + len, sizeof(bitnamesbuf) - len, "+NEVER_NEGOTIATE");
+ len += strlen(bitnamesbuf + len);
+ }
+ return bitnamesbuf;
+}
+
+/* test a set by seeing if all bits have names */
+
+bool
+testset(const char *const table[], lset_t val)
+{
+ lset_t bit;
+ const char *const *tp;
+
+ for (tp = table, bit = 01; val != 0; bit <<= 1, tp++)
+ {
+ const char *n = *tp;
+
+ if (n == NULL || ((val & bit) && *n == '\0'))
+ return FALSE;
+ val &= ~bit;
+ }
+ return TRUE;
+}
+
+
+const char sparse_end[] = "end of sparse names";
+
+/* look up enum names in a sparse_names */
+const char *sparse_name(sparse_names sd, unsigned long val)
+{
+ const struct sparse_name *p;
+
+ for (p = sd; p->name != sparse_end; p++)
+ if (p->val == val)
+ return p->name;
+ return NULL;
+}
+
+/* find or construct a string to describe an sparse value
+ * Result may be in STATIC buffer!
+ */
+const char *
+sparse_val_show(sparse_names sd, unsigned long val)
+{
+ const char *p = sparse_name(sd, val);
+
+ if (p == NULL)
+ {
+ static char buf[12]; /* only one! I hope that it is big enough */
+
+ snprintf(buf, sizeof(buf), "%lu??", val);
+ p = buf;
+ }
+ return p;
+}
+
+void init_constants(void)
+{
+ happy(anyaddr(AF_INET, &ipv4_any));
+ happy(anyaddr(AF_INET6, &ipv6_any));
+
+ happy(addrtosubnet(&ipv4_any, &ipv4_wildcard));
+ happy(addrtosubnet(&ipv6_any, &ipv6_wildcard));
+
+ happy(initsubnet(&ipv4_any, 0, '0', &ipv4_all));
+ happy(initsubnet(&ipv6_any, 0, '0', &ipv6_all));
+}
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
new file mode 100644
index 000000000..3ab10be61
--- /dev/null
+++ b/src/pluto/constants.h
@@ -0,0 +1,1269 @@
+
+/* manifest constants
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: constants.h,v 1.20 2006/02/28 19:13:33 as Exp $
+ */
+
+#ifndef _CONSTANTS_H
+#define _CONSTANTS_H
+
+extern const char compile_time_interop_options[];
+
+extern void init_constants(void);
+
+/*
+ * NOTE:For debugging purposes, constants.c has tables to map numbers back to names.
+ * Any changes here should be reflected there.
+ */
+
+#define elemsof(array) (sizeof(array) / sizeof(*(array))) /* number of elements in an array */
+
+/* Many routines return only success or failure, but wish to describe
+ * the failure in a message. We use the convention that they return
+ * a NULL on success and a pointer to constant string on failure.
+ * The fact that the string is a constant is limiting, but it
+ * avoids storage management issues: the recipient is allowed to assume
+ * that the string will live "long enough" (usually forever).
+ * <freeswan.h> defines err_t for this return type.
+ */
+
+typedef int bool;
+#define FALSE 0
+#define TRUE 1
+
+#define NULL_FD (-1) /* NULL file descriptor */
+#define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
+#define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
+
+#define BITS_PER_BYTE 8
+
+#define streq(a, b) (strcmp((a), (b)) == 0) /* clearer shorthand */
+#define strcaseeq(a, b) (strcasecmp((a), (b)) == 0) /* clearer shorthand */
+
+/* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
+
+typedef unsigned long long lset_t;
+#define LEMPTY 0ULL
+#define LELEM(opt) (1ULL << (opt))
+#define LRANGE(lwb, upb) LRANGES(LELEM(lwb), LELEM(upb))
+#define LRANGES(first, last) (last - first + last)
+#define LHAS(set, elem) ((LELEM(elem) & (set)) != LEMPTY)
+#define LIN(subset, set) (((subset) & (set)) == (subset))
+#define LDISJOINT(a, b) (((a) & (b)) == LEMPTY)
+
+/* Control and lock pathnames */
+#ifndef IPSEC_PIDDIR
+# define IPSEC_PIDDIR "/var/run"
+#endif
+#ifndef DEFAULT_CTLBASE
+# define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
+#endif
+
+#define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname */
+#define LOCK_SUFFIX ".pid" /* for pluto's lock */
+#define INFO_SUFFIX ".info" /* for UNIX domain socket for apps */
+
+/* Routines to check and display values.
+ *
+ * An enum_names describes an enumeration.
+ * enum_name() returns the name of an enum value, or NULL if invalid.
+ * enum_show() is like enum_name, except it formats a numeric representation
+ * for any invalid value (in a static area!)
+ *
+ * bitnames() formats a display of a set of named bits (in a static area)
+ */
+
+struct enum_names {
+ unsigned long en_first; /* first value in range */
+ unsigned long en_last; /* last value in range (inclusive) */
+ const char *const *en_names;
+ const struct enum_names *en_next_range; /* descriptor of next range */
+};
+
+typedef const struct enum_names enum_names;
+
+extern const char *enum_name(enum_names *ed, unsigned long val);
+extern const char *enum_show(enum_names *ed, unsigned long val);
+extern int enum_search(enum_names *ed, const char *string);
+
+extern bool testset(const char *const table[], lset_t val);
+extern const char *bitnamesof(const char *const table[], lset_t val);
+
+/* sparse_names is much like enum_names, except values are
+ * not known to be contiguous or ordered.
+ * The array of names is ended with one with the name sparse_end
+ * (this avoids having to reserve a value to signify the end).
+ * Often appropriate for enums defined by others.
+ */
+struct sparse_name {
+ unsigned long val;
+ const char *const name;
+};
+typedef const struct sparse_name sparse_names[];
+
+extern const char *sparse_name(sparse_names sd, unsigned long val);
+extern const char *sparse_val_show(sparse_names sd, unsigned long val);
+extern const char sparse_end[];
+
+#define FULL_INET_ADDRESS_SIZE 6
+
+/* Group parameters from draft-ietf-ike-01.txt section 6 */
+
+#define MODP_GENERATOR "2"
+
+#define MODP768_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
+ "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
+
+#define MODP1024_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 " \
+ "FFFFFFFF FFFFFFFF"
+
+#define MODP1536_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D " \
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F " \
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D " \
+ "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF "
+
+/* draft-ietf-ipsec-ike-modp-groups-03.txt */
+#define MODP2048_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
+ "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
+ "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
+ "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
+ "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
+
+#define MODP3072_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
+ "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
+ "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
+ "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
+ "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
+ "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
+ "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
+ "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
+ "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
+ "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
+
+#define MODP4096_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
+ "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
+ "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
+ "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
+ "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
+ "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
+ "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
+ "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
+ "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
+ "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
+ "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
+ "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
+ "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
+ "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
+ "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
+ "FFFFFFFF FFFFFFFF"
+
+/* copy&pasted from rfc3526: */
+#define MODP6144_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08" \
+ "8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B" \
+ "302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9" \
+ "A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6" \
+ "49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8" \
+ "FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
+ "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C" \
+ "180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718" \
+ "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D" \
+ "04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D" \
+ "B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226" \
+ "1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
+ "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC" \
+ "E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 88719A10 BDBA5B26" \
+ "99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8 DBBBC2DB" \
+ "04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2" \
+ "233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127" \
+ "D5B05AA9 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
+ "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD F8FF9406" \
+ "AD9E530E E5DB382F 413001AE B06A53ED 9027D831 179727B0 865A8918" \
+ "DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B DB7F1447 E6CC254B 33205151" \
+ "2BD7AF42 6FB8F401 378CD2BF 5983CA01 C64B92EC F032EA15 D1721D03" \
+ "F482D7CE 6E74FEF6 D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F" \
+ "BEC7E8F3 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
+ "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 06A1D58B" \
+ "B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C DA56C9EC 2EF29632" \
+ "387FE8D7 6E3C0468 043E8F66 3F4860EE 12BF2D5B 0B7474D6 E694F91E" \
+ "6DCC4024 FFFFFFFF FFFFFFFF"
+
+/* copy&pasted from rfc3526: */
+#define MODP8192_MODULUS \
+ "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
+ "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
+ "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
+ "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
+ "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
+ "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
+ "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
+ "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
+ "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
+ "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
+ "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
+ "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
+ "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
+ "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
+ "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
+ "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
+ "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
+ "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
+ "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
+ "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
+ "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
+ "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
+ "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
+ "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
+ "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
+ "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
+ "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
+ "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
+ "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
+ "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
+ "DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
+ "12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
+ "38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
+ "741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
+ "3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
+ "22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
+ "4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
+ "062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
+ "4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
+ "B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
+ "4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
+ "9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
+ "60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
+#define LOCALSECRETSIZE (256 / BITS_PER_BYTE)
+
+/* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5 */
+#define MINIMUM_NONCE_SIZE 8 /* bytes */
+#define DEFAULT_NONCE_SIZE 16 /* bytes */
+#define MAXIMUM_NONCE_SIZE 256 /* bytes */
+
+#define COOKIE_SIZE 8
+#define MAX_ISAKMP_SPI_SIZE 16
+
+#define MD2_DIGEST_SIZE (128 / BITS_PER_BYTE)
+#define MD5_DIGEST_SIZE (128 / BITS_PER_BYTE)
+#define SHA1_DIGEST_SIZE (160 / BITS_PER_BYTE)
+#define SHA2_256_DIGEST_SIZE (256 / BITS_PER_BYTE)
+#define SHA2_384_DIGEST_SIZE (384 / BITS_PER_BYTE)
+#define SHA2_512_DIGEST_SIZE (512 / BITS_PER_BYTE)
+
+#define MD5_BLOCK_SIZE (512 / BITS_PER_BYTE)
+#define SHA1_BLOCK_SIZE (512 / BITS_PER_BYTE)
+#define SHA2_256_BLOCK_SIZE (512 / BITS_PER_BYTE)
+#define SHA2_384_BLOCK_SIZE (1024 / BITS_PER_BYTE)
+#define SHA2_512_BLOCK_SIZE (1024 / BITS_PER_BYTE)
+
+#define DES_CBC_BLOCK_SIZE (64 / BITS_PER_BYTE)
+
+#define DSS_QBITS 160 /* bits in DSS's "q" (FIPS 186-1) */
+
+/* Maximum is required for SHA2_512 */
+#define MAX_DIGEST_LEN SHA2_512_DIGEST_SIZE
+#define MAX_HASH_BLOCK_SIZE SHA2_512_BLOCK_SIZE
+
+/* RFC 2404 "HMAC-SHA-1-96" section 3 */
+#define HMAC_SHA1_KEY_LEN SHA1_DIGEST_SIZE
+
+/* RFC 2403 "HMAC-MD5-96" section 3 */
+#define HMAC_MD5_KEY_LEN MD5_DIGEST_SIZE
+
+#define IKE_UDP_PORT 500
+
+/* RFC 2560 OCSP - certificate status */
+
+typedef enum {
+ CERT_GOOD = 0,
+ CERT_REVOKED = 1,
+ CERT_UNKNOWN = 2,
+ CERT_UNDEFINED = 3
+} cert_status_t;
+
+/* RFC 2459 CRL reason codes */
+
+extern enum_names crl_reason_names;
+
+typedef enum {
+ REASON_UNSPECIFIED = 0,
+ REASON_KEY_COMPROMISE = 1,
+ REASON_CA_COMPROMISE = 2,
+ REASON_AFFILIATION_CHANGED = 3,
+ REASON_SUPERSEDED = 4,
+ REASON_CESSATION_OF_OPERATON = 5,
+ REASON_CERTIFICATE_HOLD = 6,
+ REASON_REMOVE_FROM_CRL = 8
+} crl_reason_t;
+
+/* RFC 3706 Dead Peer Detection */
+
+extern enum_names dpd_action_names;
+
+typedef enum {
+ DPD_ACTION_NONE = 0,
+ DPD_ACTION_CLEAR = 1,
+ DPD_ACTION_HOLD = 2,
+ DPD_ACTION_RESTART = 3,
+ DPD_ACTION_UNKNOWN = 4
+} dpd_action_t;
+
+/* Timer events */
+
+extern enum_names timer_event_names;
+
+enum event_type {
+ EVENT_NULL, /* non-event */
+ EVENT_REINIT_SECRET, /* Refresh cookie secret */
+#ifdef KLIPS
+ EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */
+#endif
+ EVENT_SO_DISCARD, /* discard unfinished state object */
+ EVENT_RETRANSMIT, /* Retransmit packet */
+ EVENT_SA_REPLACE, /* SA replacement event */
+ EVENT_SA_REPLACE_IF_USED, /* SA replacement event */
+ EVENT_SA_EXPIRE, /* SA expiration event */
+ EVENT_NAT_T_KEEPALIVE, /* NAT Traversal Keepalive */
+ EVENT_DPD, /* dead peer detection */
+ EVENT_DPD_TIMEOUT, /* dead peer detection timeout */
+ EVENT_LOG_DAILY /* reset certain log events/stats */
+};
+
+#define EVENT_REINIT_SECRET_DELAY 3600 /* 1 hour */
+#define EVENT_RETRANSMIT_DELAY_0 10 /* 10 seconds */
+
+/* Misc. stuff */
+
+#define MAXIMUM_RETRANSMISSIONS 2
+#define MAXIMUM_RETRANSMISSIONS_INITIAL 20
+
+#define MAX_INPUT_UDP_SIZE 65536
+#define MAX_OUTPUT_UDP_SIZE 65536
+
+/* Version numbers */
+
+#define ISAKMP_MAJOR_VERSION 0x1
+#define ISAKMP_MINOR_VERSION 0x0
+
+extern enum_names version_names;
+
+/* Domain of Interpretation */
+
+extern enum_names doi_names;
+
+#define ISAKMP_DOI_ISAKMP 0
+#define ISAKMP_DOI_IPSEC 1
+
+/* IPsec DOI things */
+
+#define IPSEC_DOI_SITUATION_LENGTH 4
+#define IPSEC_DOI_LDI_LENGTH 4
+#define IPSEC_DOI_SPI_SIZE 4
+
+/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
+ * ESP: RFC 2402 2.4; AH: RFC 2406 2.1
+ * IPComp RFC 2393 substitutes a CPI in the place of an SPI.
+ * see also draft-shacham-ippcp-rfc2393bis-05.txt.
+ * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
+ * Pluto won't generate these values.
+ */
+#define IPSEC_DOI_SPI_MIN 0x100
+#define IPSEC_DOI_SPI_OUR_MIN 0x1000
+
+/* debugging settings: a set of selections for reporting
+ * These would be more naturally situated in log.h,
+ * but they are shared with whack.
+ * IMPAIR_* actually change behaviour, usually badly,
+ * to aid in testing. Naturally, these are not included in ALL.
+ *
+ * NOTE: changes here must be done in concert with changes to DBGOPT_*
+ * in whack.c. A change to WHACK_MAGIC in whack.h will be required too.
+ */
+#ifdef DEBUG
+extern const char *const debug_bit_names[];
+#endif
+
+#define DBG_RAW LELEM(0) /* raw packet I/O */
+#define DBG_CRYPT LELEM(1) /* encryption/decryption of messages */
+#define DBG_PARSING LELEM(2) /* show decoding of messages */
+#define DBG_EMITTING LELEM(3) /* show encoding of messages */
+#define DBG_CONTROL LELEM(4) /* control flow within Pluto */
+#define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */
+#define DBG_KLIPS LELEM(6) /* messages to KLIPS */
+#define DBG_DNS LELEM(7) /* DNS activity */
+#define DBG_NATT LELEM(8) /* NAT-T */
+#define DBG_OPPO LELEM(9) /* opportunism */
+#define DBG_CONTROLMORE LELEM(10) /* more detailed debugging */
+
+#define DBG_PRIVATE LELEM(11) /* private information: DANGER! */
+
+#define IMPAIR0 12 /* first bit for IMPAIR_* */
+
+#define IMPAIR_DELAY_ADNS_KEY_ANSWER LELEM(IMPAIR0+0) /* sleep before answering */
+#define IMPAIR_DELAY_ADNS_TXT_ANSWER LELEM(IMPAIR0+1) /* sleep before answering */
+#define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2) /* make MI2 really large */
+#define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3) /* make MI2 really large */
+
+#define DBG_NONE 0 /* no options on, including impairments */
+#define DBG_ALL LRANGES(DBG_RAW, DBG_CONTROLMORE) /* all logging options on EXCEPT DBG_PRIVATE */
+
+/* State of exchanges
+ *
+ * The name of the state describes the last message sent, not the
+ * message currently being input or output (except during retry).
+ * In effect, the state represents the last completed action.
+ *
+ * Messages are named [MQ][IR]n where
+ * - M stands for Main Mode (Phase 1);
+ * Q stands for Quick Mode (Phase 2)
+ * - I stands for Initiator;
+ * R stands for Responder
+ * - n, a digit, stands for the number of the message
+ *
+ * It would be more convenient if each state accepted a message
+ * and produced one. This is the case for states at the start
+ * or end of an exchange. To fix this, we pretend that there are
+ * MR0 and QR0 messages before the MI1 and QR1 messages. Similarly,
+ * we pretend that there are MR4 and QR2 messages.
+ *
+ * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
+ * retained between messages) representing the state that accepts the
+ * first message of an exchange has been read but not processed.
+ *
+ * state_microcode state_microcode_table in demux.c describes
+ * other important details.
+ */
+
+extern enum_names state_names;
+extern const char *const state_story[];
+
+enum state_kind {
+ STATE_UNDEFINED, /* 0 -- most likely accident */
+
+ /* Opportunism states: see "Opportunistic Encryption" 2.2 */
+
+ OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */
+ OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
+
+ /* IKE states */
+
+ STATE_MAIN_R0,
+ STATE_MAIN_I1,
+ STATE_MAIN_R1,
+ STATE_MAIN_I2,
+ STATE_MAIN_R2,
+ STATE_MAIN_I3,
+ STATE_MAIN_R3,
+ STATE_MAIN_I4,
+
+ STATE_QUICK_R0,
+ STATE_QUICK_I1,
+ STATE_QUICK_R1,
+ STATE_QUICK_I2,
+ STATE_QUICK_R2,
+
+ STATE_INFO,
+ STATE_INFO_PROTECTED,
+
+ /* XAUTH states */
+
+ STATE_XAUTH_I0, /* initiator state (client) */
+ STATE_XAUTH_R1, /* responder state (server) */
+ STATE_XAUTH_I1,
+ STATE_XAUTH_R2,
+ STATE_XAUTH_I2,
+ STATE_XAUTH_R3,
+
+ /* Mode Config pull states */
+
+ STATE_MODE_CFG_R0, /* responder state (server) */
+ STATE_MODE_CFG_I1, /* initiator state (client) */
+ STATE_MODE_CFG_R1,
+ STATE_MODE_CFG_I2,
+
+ /* Mode Config push states */
+
+ STATE_MODE_CFG_I0, /* initiator state (client) */
+ STATE_MODE_CFG_R3, /* responder state (server) */
+ STATE_MODE_CFG_I3,
+ STATE_MODE_CFG_R4,
+
+ STATE_IKE_ROOF
+};
+
+#define STATE_IKE_FLOOR STATE_MAIN_R0
+
+#define PHASE1_INITIATOR_STATES (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
+ | LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
+#define ISAKMP_SA_ESTABLISHED_STATES ( \
+ LELEM(STATE_MAIN_R3) | LELEM(STATE_MAIN_I4) \
+ | LELEM(STATE_XAUTH_R1) | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
+ | LELEM(STATE_XAUTH_I1) | LELEM(STATE_XAUTH_I2) \
+ | LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
+ | LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
+
+#define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
+ || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
+ || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
+
+#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
+#define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
+
+#define IS_ISAKMP_SA_ESTABLISHED(s) ( \
+ (s) == STATE_MAIN_R3 \
+ || (s) == STATE_MAIN_I4 \
+ || (s) == STATE_XAUTH_I2 \
+ || (s) == STATE_XAUTH_R3 \
+ || (s) == STATE_MODE_CFG_R1 \
+ || (s) == STATE_MODE_CFG_I2 \
+ || (s) == STATE_MODE_CFG_I3 \
+ || (s) == STATE_MODE_CFG_R4)
+
+#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
+#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
+
+/* kind of struct connection
+ * Ordered (mostly) by concreteness. Order is exploited.
+ */
+
+extern enum_names connection_kind_names;
+
+enum connection_kind {
+ CK_GROUP, /* policy group: instantiates to template */
+ CK_TEMPLATE, /* abstract connection, with wildcard */
+ CK_PERMANENT, /* normal connection */
+ CK_INSTANCE, /* instance of template, created for a particular attempt */
+ CK_GOING_AWAY /* instance being deleted -- don't delete again */
+};
+
+
+/* routing status.
+ * Note: routing ignores source address, but erouting does not!
+ * Note: a connection can only be routed if it is NEVER_NEGOTIATE
+ * or HAS_IPSEC_POLICY.
+ */
+
+extern enum_names routing_story;
+
+/* note that this is assumed to be ordered! */
+enum routing_t {
+ RT_UNROUTED, /* unrouted */
+ RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
+ RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
+ RT_ROUTED_PROSPECTIVE, /* routed, and prospective shunt installed */
+ RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
+ RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
+ RT_ROUTED_TUNNEL, /* routed, and erouted to an IPSEC SA group */
+ RT_UNROUTED_KEYED /* keyed, but not routed, on purpose */
+};
+
+#define routed(rs) ((rs) > RT_UNROUTED_HOLD)
+#define erouted(rs) ((rs) != RT_UNROUTED)
+#define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL)
+
+/* Payload types
+ * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
+ * section 3.1
+ *
+ * RESERVED 14-127
+ * Private USE 128-255
+ */
+
+extern enum_names payload_names;
+extern const char *const payload_name[];
+
+#define ISAKMP_NEXT_NONE 0 /* No other payload following */
+#define ISAKMP_NEXT_SA 1 /* Security Association */
+#define ISAKMP_NEXT_P 2 /* Proposal */
+#define ISAKMP_NEXT_T 3 /* Transform */
+#define ISAKMP_NEXT_KE 4 /* Key Exchange */
+#define ISAKMP_NEXT_ID 5 /* Identification */
+#define ISAKMP_NEXT_CERT 6 /* Certificate */
+#define ISAKMP_NEXT_CR 7 /* Certificate Request */
+#define ISAKMP_NEXT_HASH 8 /* Hash */
+#define ISAKMP_NEXT_SIG 9 /* Signature */
+#define ISAKMP_NEXT_NONCE 10 /* Nonce */
+#define ISAKMP_NEXT_N 11 /* Notification */
+#define ISAKMP_NEXT_D 12 /* Delete */
+#define ISAKMP_NEXT_VID 13 /* Vendor ID */
+#define ISAKMP_NEXT_ATTR 14 /* Mode config Attribute */
+
+#define ISAKMP_NEXT_NATD_RFC 20 /* NAT-Traversal: NAT-D (rfc) */
+#define ISAKMP_NEXT_NATOA_RFC 21 /* NAT-Traversal: NAT-OA (rfc) */
+#define ISAKMP_NEXT_ROOF 22 /* roof on payload types */
+
+#define ISAKMP_NEXT_NATD_DRAFTS 130 /* NAT-Traversal: NAT-D (drafts) */
+#define ISAKMP_NEXT_NATOA_DRAFTS 131 /* NAT-Traversal: NAT-OA (drafts) */
+
+/* These values are to be used within the Type field of an Attribute (14)
+ * ISAKMP payload.
+ */
+#define ISAKMP_CFG_REQUEST 1
+#define ISAKMP_CFG_REPLY 2
+#define ISAKMP_CFG_SET 3
+#define ISAKMP_CFG_ACK 4
+
+extern enum_names attr_msg_type_names;
+
+/* Mode Config attribute values */
+#define INTERNAL_IP4_ADDRESS 1
+#define INTERNAL_IP4_NETMASK 2
+#define INTERNAL_IP4_DNS 3
+#define INTERNAL_IP4_NBNS 4
+#define INTERNAL_ADDRESS_EXPIRY 5
+#define INTERNAL_IP4_DHCP 6
+#define APPLICATION_VERSION 7
+#define INTERNAL_IP6_ADDRESS 8
+#define INTERNAL_IP6_NETMASK 9
+#define INTERNAL_IP6_DNS 10
+#define INTERNAL_IP6_NBNS 11
+#define INTERNAL_IP6_DHCP 12
+#define INTERNAL_IP4_SUBNET 13
+#define SUPPORTED_ATTRIBUTES 14
+#define INTERNAL_IP6_SUBNET 15
+
+
+extern enum_names modecfg_attr_names;
+
+/* XAUTH attribute values */
+#define XAUTH_TYPE 16520
+#define XAUTH_USER_NAME 16521
+#define XAUTH_USER_PASSWORD 16522
+#define XAUTH_PASSCODE 16523
+#define XAUTH_MESSAGE 16524
+#define XAUTH_CHALLENGE 16525
+#define XAUTH_DOMAIN 16526
+#define XAUTH_STATUS 16527
+#define XAUTH_NEXT_PIN 16528
+#define XAUTH_ANSWER 16529
+
+#define XAUTH_BASE XAUTH_TYPE
+
+extern enum_names xauth_attr_names;
+
+/* ISAKMP mode config attributes specific to the Unity vendor Id */
+#define UNITY_BANNER 28672
+#define UNITY_SAVE_PASSWD 28673
+#define UNITY_DEF_DOMAIN 28674
+#define UNITY_SPLITDNS_NAME 28675
+#define UNITY_SPLIT_INCLUDE 28676
+#define UNITY_NATT_PORT 28677
+#define UNITY_LOCAL_LAN 28678
+#define UNITY_PFS 28679
+#define UNITY_FW_TYPE 28680
+#define UNITY_BACKUP_SERVERS 28681
+#define UNITY_DDNS_HOSTNAME 28682
+
+#define UNITY_BASE UNITY_BANNER
+
+extern enum_names unity_attr_names;
+
+/* XAUTH authentication types */
+#define XAUTH_TYPE_GENERIC 0
+#define XAUTH_TYPE_CHAP 1
+#define XAUTH_TYPE_OTP 2
+#define XAUTH_TYPE_SKEY 3
+
+/* Values for XAUTH_STATUS */
+#define XAUTH_STATUS_FAIL 0
+#define XAUTH_STATUS_OK 1
+
+extern enum_names xauth_type_names;
+
+/* Exchange types
+ * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
+ * section 3.1
+ *
+ * ISAKMP Future Use 6 - 31
+ * DOI Specific Use 32 - 239
+ * Private Use 240 - 255
+ *
+ * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
+ * defines "DHless RSA Encryption" as 6.
+ */
+
+extern enum_names exchange_names;
+
+#define ISAKMP_XCHG_NONE 0
+#define ISAKMP_XCHG_BASE 1
+#define ISAKMP_XCHG_IDPROT 2 /* ID Protection */
+#define ISAKMP_XCHG_AO 3 /* Authentication Only */
+#define ISAKMP_XCHG_AGGR 4 /* Aggressive */
+#define ISAKMP_XCHG_INFO 5 /* Informational */
+#define ISAKMP_XCHG_MODE_CFG 6 /* Mode Config */
+
+/* Extra exchange types, defined by Oakley
+ * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
+ */
+#define ISAKMP_XCHG_QUICK 32 /* Oakley Quick Mode */
+#define ISAKMP_XCHG_NGRP 33 /* Oakley New Group Mode */
+/* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
+#define ISAKMP_XCHG_ACK_INFO 34 /* Oakley Acknowledged Informational */
+
+/* Flag bits */
+
+extern const char *const flag_bit_names[];
+
+#define ISAKMP_FLAG_ENCRYPTION 0x1
+#define ISAKMP_FLAG_COMMIT 0x2
+
+/* Situation definition for IPsec DOI */
+
+extern const char *const sit_bit_names[];
+
+#define SIT_IDENTITY_ONLY 0x01
+#define SIT_SECRECY 0x02
+#define SIT_INTEGRITY 0x04
+
+/* Protocol IDs
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
+ */
+
+extern enum_names protocol_names;
+
+#define PROTO_ISAKMP 1
+#define PROTO_IPSEC_AH 2
+#define PROTO_IPSEC_ESP 3
+#define PROTO_IPCOMP 4
+
+/* warning: trans_show uses enum_show, so same static buffer is used */
+#define trans_show(p, t) \
+ ((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
+ : (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
+ : (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
+ : "??")
+
+/* many transform values are moved to freeswan/ipsec_policy.h */
+
+extern enum_names isakmp_transformid_names;
+
+#define KEY_IKE 1
+
+extern enum_names ah_transformid_names;
+extern enum_names esp_transformid_names;
+extern enum_names ipcomp_transformid_names;
+
+/* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
+typedef u_int16_t cpi_t;
+#define IPCOMP_CPI_SIZE 2
+#define IPCOMP_FIRST_NEGOTIATED 256
+#define IPCOMP_LAST_NEGOTIATED 61439
+
+/* Identification type values
+ * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
+ */
+
+extern enum_names ident_names;
+extern enum_names cert_type_names;
+extern enum_names cert_policy_names;
+
+typedef enum certpolicy {
+ CERT_ALWAYS_SEND = 0, /* the default */
+ CERT_SEND_IF_ASKED = 1,
+ CERT_NEVER_SEND = 2,
+
+ CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND */
+ CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND */
+} certpolicy_t;
+
+/* Policies for establishing an SA
+ *
+ * These are used to specify attributes (eg. encryption) and techniques
+ * (eg PFS) for an SA.
+ * Note: certain CD_ definitions in whack.c parallel these -- keep them
+ * in sync!
+ */
+
+extern const char *const sa_policy_bit_names[];
+extern const char *prettypolicy(lset_t policy);
+
+/* ISAKMP auth techniques (none means never negotiate) */
+#define POLICY_PSK LELEM(0)
+#define POLICY_RSASIG LELEM(1)
+
+#define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */
+#define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
+#define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */
+
+/* Quick Mode (IPSEC) attributes */
+#define POLICY_ENCRYPT LELEM(2) /* must be first of IPSEC policies */
+#define POLICY_AUTHENTICATE LELEM(3) /* must be second */
+#define POLICY_COMPRESS LELEM(4) /* must be third */
+#define POLICY_TUNNEL LELEM(5)
+#define POLICY_PFS LELEM(6)
+#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */
+
+#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
+#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
+
+/* shunt attributes: what to do when routed without tunnel (2 bits) */
+#define POLICY_SHUNT_SHIFT 8 /* log2(POLICY_SHUNT_PASS) */
+#define POLICY_SHUNT_MASK (03ul << POLICY_SHUNT_SHIFT)
+
+#define POLICY_SHUNT_TRAP (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
+#define POLICY_SHUNT_PASS (1ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_DROP (2ul << POLICY_SHUNT_SHIFT)
+#define POLICY_SHUNT_REJECT (3ul << POLICY_SHUNT_SHIFT)
+
+/* fail attributes: what to do with failed negotiation (2 bits) */
+
+#define POLICY_FAIL_SHIFT 10 /* log2(POLICY_FAIL_PASS) */
+#define POLICY_FAIL_MASK (03ul << POLICY_FAIL_SHIFT)
+
+#define POLICY_FAIL_NONE (0ul << POLICY_FAIL_SHIFT) /* default */
+#define POLICY_FAIL_PASS (1ul << POLICY_FAIL_SHIFT)
+#define POLICY_FAIL_DROP (2ul << POLICY_FAIL_SHIFT)
+#define POLICY_FAIL_REJECT (3ul << POLICY_FAIL_SHIFT)
+
+/* connection policy
+ * Other policies could vary per state object. These live in connection.
+ */
+#define POLICY_DONT_REKEY LELEM(12) /* don't rekey state either Phase */
+#define POLICY_OPPO LELEM(13) /* is this opportunistic? */
+#define POLICY_GROUP LELEM(14) /* is this a group template? */
+#define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
+#define POLICY_UP LELEM(16) /* do we want this up? */
+#define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */
+#define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */
+#define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
+#define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
+#define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
+#define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
+
+/* Any IPsec policy? If not, a connection description
+ * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
+ * Note: a connection can only be routed if it is NEVER_NEGOTIATE
+ * or HAS_IPSEC_POLICY.
+ */
+#define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
+
+/* Don't allow negotiation? */
+#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK))
+
+
+/* Oakley transform attributes
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ */
+
+extern enum_names oakley_attr_names;
+extern const char *const oakley_attr_bit_names[];
+
+#define OAKLEY_ENCRYPTION_ALGORITHM 1
+#define OAKLEY_HASH_ALGORITHM 2
+#define OAKLEY_AUTHENTICATION_METHOD 3
+#define OAKLEY_GROUP_DESCRIPTION 4
+#define OAKLEY_GROUP_TYPE 5
+#define OAKLEY_GROUP_PRIME 6 /* B/V */
+#define OAKLEY_GROUP_GENERATOR_ONE 7 /* B/V */
+#define OAKLEY_GROUP_GENERATOR_TWO 8 /* B/V */
+#define OAKLEY_GROUP_CURVE_A 9 /* B/V */
+#define OAKLEY_GROUP_CURVE_B 10 /* B/V */
+#define OAKLEY_LIFE_TYPE 11
+#define OAKLEY_LIFE_DURATION 12 /* B/V */
+#define OAKLEY_PRF 13
+#define OAKLEY_KEY_LENGTH 14
+#define OAKLEY_FIELD_SIZE 15
+#define OAKLEY_GROUP_ORDER 16 /* B/V */
+#define OAKLEY_BLOCK_SIZE 17
+
+/* for each Oakley attribute, which enum_names describes its values? */
+extern enum_names *oakley_attr_val_descs[];
+
+/* IPsec DOI attributes
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
+ */
+
+extern enum_names ipsec_attr_names;
+
+#define SA_LIFE_TYPE 1
+#define SA_LIFE_DURATION 2 /* B/V */
+#define GROUP_DESCRIPTION 3
+#define ENCAPSULATION_MODE 4
+#define AUTH_ALGORITHM 5
+#define KEY_LENGTH 6
+#define KEY_ROUNDS 7
+#define COMPRESS_DICT_SIZE 8
+#define COMPRESS_PRIVATE_ALG 9 /* B/V */
+
+/* for each IPsec attribute, which enum_names describes its values? */
+extern enum_names *ipsec_attr_val_descs[];
+
+/* SA Lifetime Type attribute
+ * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
+ * Default time specified in 4.5
+ *
+ * There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
+ * and PLUTO_SA_LIFE_DURATION_DEFAULT.
+ * SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
+ * Security Domain of Interpretation for ISAKMP" 4.5. It applies when
+ * an ISAKMP negotiation does not explicitly specify a life duration.
+ * PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8). It applies
+ * when a connection description does not specify --ipseclifetime.
+ * The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
+ */
+
+extern enum_names sa_lifetime_names;
+
+#define SA_LIFE_TYPE_SECONDS 1
+#define SA_LIFE_TYPE_KBYTES 2
+
+#define SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (RFC2407 4.5) */
+#define PLUTO_SA_LIFE_DURATION_DEFAULT 3600 /* one hour (pluto(8)) */
+#define SA_LIFE_DURATION_MAXIMUM 86400 /* one day */
+
+#define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* (IPSEC & IKE) nine minutes */
+#define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* (IPSEC & IKE) 100% of MARGIN */
+#define SA_REPLACEMENT_RETRIES_DEFAULT 3 /* (IPSEC & IKE) */
+
+#define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu
+
+/* Encapsulation Mode attribute */
+
+extern enum_names enc_mode_names;
+
+#define ENCAPSULATION_MODE_UNSPECIFIED 0 /* not legal -- used internally */
+#define ENCAPSULATION_MODE_TUNNEL 1
+#define ENCAPSULATION_MODE_TRANSPORT 2
+
+#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
+#define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4
+
+#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
+#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
+
+/* Auth Algorithm attribute */
+
+extern enum_names auth_alg_names, extended_auth_alg_names;
+
+#define AUTH_ALGORITHM_NONE 0 /* our private designation */
+#define AUTH_ALGORITHM_HMAC_MD5 1
+#define AUTH_ALGORITHM_HMAC_SHA1 2
+#define AUTH_ALGORITHM_DES_MAC 3
+#define AUTH_ALGORITHM_KPDK 4
+#define AUTH_ALGORITHM_HMAC_SHA2_256 5
+#define AUTH_ALGORITHM_HMAC_SHA2_384 6
+#define AUTH_ALGORITHM_HMAC_SHA2_512 7
+#define AUTH_ALGORITHM_HMAC_RIPEMD 8
+#define AUTH_ALGORITHM_NULL 251
+
+/* Oakley Lifetime Type attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ * As far as I can see, there is not specification for
+ * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT. This could lead to interop problems!
+ * For no particular reason, we chose three hours.
+ * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
+ */
+extern enum_names oakley_lifetime_names;
+
+#define OAKLEY_LIFE_SECONDS 1
+#define OAKLEY_LIFE_KILOBYTES 2
+
+#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 10800 /* three hours */
+#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* one day */
+
+/* Oakley PRF attribute (none defined)
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ */
+extern enum_names oakley_prf_names;
+
+/* HMAC (see rfc2104.txt) */
+
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5C
+
+/* Oakley Encryption Algorithm attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
+ */
+
+extern enum_names oakley_enc_names;
+
+#define OAKLEY_DES_CBC 1
+#define OAKLEY_IDEA_CBC 2
+#define OAKLEY_BLOWFISH_CBC 3
+#define OAKLEY_RC5_R16_B64_CBC 4
+#define OAKLEY_3DES_CBC 5
+#define OAKLEY_CAST_CBC 6
+#define OAKLEY_AES_CBC 7
+
+#define OAKLEY_MARS_CBC 65001
+#define OAKLEY_RC6_CBC 65002
+#define OAKLEY_ID_65003 65003
+#define OAKLEY_SERPENT_CBC 65004
+#define OAKLEY_TWOFISH_CBC 65005
+
+#define OAKLEY_TWOFISH_CBC_SSH 65289
+
+#define OAKLEY_ENCRYPT_MAX 65535 /* pretty useless :) */
+
+/* Oakley Hash Algorithm attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
+ */
+
+extern enum_names oakley_hash_names;
+
+#define OAKLEY_MD5 1
+#define OAKLEY_SHA 2
+#define OAKLEY_TIGER 3
+#define OAKLEY_SHA2_256 4
+#define OAKLEY_SHA2_384 5
+#define OAKLEY_SHA2_512 6
+
+#define OAKLEY_HASH_MAX 7
+
+/* Oakley Authentication Method attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ * Goofy Hybrid extensions from draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
+ * Goofy XAUTH extensions from draft-ietf-ipsec-isakmp-xauth-06.txt
+ */
+
+extern enum_names oakley_auth_names;
+
+#define OAKLEY_PRESHARED_KEY 1
+#define OAKLEY_DSS_SIG 2
+#define OAKLEY_RSA_SIG 3
+#define OAKLEY_RSA_ENC 4
+#define OAKLEY_RSA_ENC_REV 5
+#define OAKLEY_ELGAMAL_ENC 6
+#define OAKLEY_ELGAMAL_ENC_REV 7
+
+#define OAKLEY_AUTH_ROOF 8 /* roof on auth values THAT WE SUPPORT */
+
+#define HybridInitRSA 64221
+#define HybridRespRSA 64222
+#define HybridInitDSS 64223
+#define HybridRespDSS 64224
+
+#define XAUTHInitPreShared 65001
+#define XAUTHRespPreShared 65002
+#define XAUTHInitDSS 65003
+#define XAUTHRespDSS 65004
+#define XAUTHInitRSA 65005
+#define XAUTHRespRSA 65006
+#define XAUTHInitRSAEncryption 65007
+#define XAUTHRespRSAEncryption 65008
+#define XAUTHInitRSARevisedEncryption 65009
+#define XAUTHRespRSARevisedEncryption 65010
+
+/* Oakley Group Description attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ */
+extern enum_names oakley_group_names;
+
+#define OAKLEY_GROUP_MODP768 1
+#define OAKLEY_GROUP_MODP1024 2
+#define OAKLEY_GROUP_GP155 3
+#define OAKLEY_GROUP_GP185 4
+#define OAKLEY_GROUP_MODP1536 5
+
+#define OAKLEY_GROUP_MODP2048 14
+#define OAKLEY_GROUP_MODP3072 15
+#define OAKLEY_GROUP_MODP4096 16
+#define OAKLEY_GROUP_MODP6144 17
+#define OAKLEY_GROUP_MODP8192 18
+/* you must also touch: constants.c, crypto.c */
+
+/* Oakley Group Type attribute
+ * draft-ietf-ipsec-ike-01.txt appendix A
+ */
+extern enum_names oakley_group_type_names;
+
+#define OAKLEY_GROUP_TYPE_MODP 1
+#define OAKLEY_GROUP_TYPE_ECP 2
+#define OAKLEY_GROUP_TYPE_EC2N 3
+
+
+/* Notify messages -- error types
+ * See RFC2408 ISAKMP 3.14.1
+ */
+
+extern enum_names notification_names;
+extern enum_names ipsec_notification_names;
+
+typedef enum {
+ NOTHING_WRONG = 0, /* unofficial! */
+
+ INVALID_PAYLOAD_TYPE = 1,
+ DOI_NOT_SUPPORTED = 2,
+ SITUATION_NOT_SUPPORTED = 3,
+ INVALID_COOKIE = 4,
+ INVALID_MAJOR_VERSION = 5,
+ INVALID_MINOR_VERSION = 6,
+ INVALID_EXCHANGE_TYPE = 7,
+ INVALID_FLAGS = 8,
+ INVALID_MESSAGE_ID = 9,
+ INVALID_PROTOCOL_ID = 10,
+ INVALID_SPI = 11,
+ INVALID_TRANSFORM_ID = 12,
+ ATTRIBUTES_NOT_SUPPORTED = 13,
+ NO_PROPOSAL_CHOSEN = 14,
+ BAD_PROPOSAL_SYNTAX = 15,
+ PAYLOAD_MALFORMED = 16,
+ INVALID_KEY_INFORMATION = 17,
+ INVALID_ID_INFORMATION = 18,
+ INVALID_CERT_ENCODING = 19,
+ INVALID_CERTIFICATE = 20,
+ CERT_TYPE_UNSUPPORTED = 21,
+ INVALID_CERT_AUTHORITY = 22,
+ INVALID_HASH_INFORMATION = 23,
+ AUTHENTICATION_FAILED = 24,
+ INVALID_SIGNATURE = 25,
+ ADDRESS_NOTIFICATION = 26,
+ NOTIFY_SA_LIFETIME = 27,
+ CERTIFICATE_UNAVAILABLE = 28,
+ UNSUPPORTED_EXCHANGE_TYPE = 29,
+ UNEQUAL_PAYLOAD_LENGTHS = 30,
+
+ /* ISAKMP status type */
+ CONNECTED = 16384,
+
+ /* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
+ * These must be sent under the protection of an ISAKMP SA.
+ */
+ IPSEC_RESPONDER_LIFETIME = 24576,
+ IPSEC_REPLAY_STATUS = 24577,
+ IPSEC_INITIAL_CONTACT = 24578,
+
+ /* RFC 3706 DPD */
+ R_U_THERE = 36136,
+ R_U_THERE_ACK = 36137
+
+ } notification_t;
+
+
+/* Public key algorithm number
+ * Same numbering as used in DNSsec
+ * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
+ * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
+ */
+
+enum pubkey_alg
+{
+ PUBKEY_ALG_RSA = 1,
+ PUBKEY_ALG_DSA = 3,
+};
+
+/* Limits on size of RSA moduli.
+ * The upper bound matches that of DNSsec (see RFC 2537).
+ * The lower bound must be more than 11 octets for certain
+ * the encoding to work, but it must be much larger for any
+ * real security. For now, we require 512 bits.
+ */
+
+#define RSA_MIN_OCTETS_RFC 12
+
+#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
+#define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"
+
+#define RSA_MAX_OCTETS (8192 / BITS_PER_BYTE)
+#define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 8192 bits"
+
+/* Note: RFC 2537 encoding adds a few bytes. If you use a small
+ * modulus like 3, the overhead is only 2 bytes
+ */
+#define RSA_MAX_ENCODING_BYTES (RSA_MAX_OCTETS + 2)
+
+/* socket address family info */
+
+struct af_info
+{
+ int af;
+ const char *name;
+ size_t ia_sz;
+ size_t sa_sz;
+ int mask_cnt;
+ u_int8_t id_addr, id_subnet, id_range;
+ const ip_address *any;
+ const ip_subnet *none; /* 0.0.0.0/32 or IPv6 equivalent */
+ const ip_subnet *all; /* 0.0.0.0/0 or IPv6 equivalent */
+};
+
+extern const struct af_info
+ af_inet4_info,
+ af_inet6_info;
+
+extern const struct af_info *aftoinfo(int af);
+
+extern enum_names af_names;
+
+#define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
+extern bool subnetisnone(const ip_subnet *sn);
+
+/* BIND enumerated types */
+
+extern enum_names
+ rr_qtype_names,
+ rr_type_names,
+ rr_class_names;
+
+/* How authenticated is info that might have come from DNS?
+ * In order of increasing confidence.
+ */
+enum dns_auth_level {
+ DAL_UNSIGNED, /* AD in response, but no signature: no authentication */
+ DAL_NOTSEC, /* no AD in response: authentication impossible */
+ DAL_SIGNED, /* AD and signature in response: authentic */
+ DAL_LOCAL /* locally provided (pretty good) */
+};
+
+/*
+ * define a macro for use in error messages
+ */
+
+#ifdef USE_KEYRR
+#define RRNAME "TXT or KEY"
+#else
+#define RRNAME "TXT"
+#endif
+
+/* natt traversal types */
+extern const char *const natt_type_bitnames[];
+
+#endif /* _CONSTANTS_H */
diff --git a/src/pluto/cookie.c b/src/pluto/cookie.c
new file mode 100644
index 000000000..458120e46
--- /dev/null
+++ b/src/pluto/cookie.c
@@ -0,0 +1,67 @@
+/* cookie generation/verification routines.
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: cookie.c,v 1.2 2005/08/17 16:38:20 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "sha1.h"
+#include "rnd.h"
+#include "cookie.h"
+
+const u_char zero_cookie[COOKIE_SIZE]; /* guaranteed 0 */
+
+/* Generate a cookie.
+ * First argument is true if we're to create an Initiator cookie.
+ * Length SHOULD be a multiple of sizeof(u_int32_t).
+ */
+void
+get_cookie(bool initiator, u_int8_t *cookie, int length, const ip_address *addr)
+{
+ u_char buffer[SHA1_DIGEST_SIZE];
+ SHA1_CTX ctx;
+
+ do {
+ if (initiator)
+ {
+ get_rnd_bytes(cookie, length);
+ }
+ else /* Responder cookie */
+ {
+ /* This looks as good as any way */
+ size_t addr_length;
+ static u_int32_t counter = 0;
+ unsigned char addr_buff[
+ sizeof(union {struct in_addr A; struct in6_addr B;})];
+
+ addr_length = addrbytesof(addr, addr_buff, sizeof(addr_buff));
+ SHA1Init(&ctx);
+ SHA1Update(&ctx, addr_buff, addr_length);
+ SHA1Update(&ctx, secret_of_the_day, sizeof(secret_of_the_day));
+ counter++;
+ SHA1Update(&ctx, (const void *) &counter, sizeof(counter));
+ SHA1Final(buffer, &ctx);
+ memcpy(cookie, buffer, length);
+ }
+ } while (is_zero_cookie(cookie)); /* probably never loops */
+}
diff --git a/src/pluto/cookie.h b/src/pluto/cookie.h
new file mode 100644
index 000000000..f5b0e64d1
--- /dev/null
+++ b/src/pluto/cookie.h
@@ -0,0 +1,24 @@
+/* cookie generation/verification routines.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: cookie.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#include <freeswan.h>
+
+extern const u_char zero_cookie[COOKIE_SIZE]; /* guaranteed 0 */
+
+extern void get_cookie(bool initiator, u_int8_t *cookie, int length
+ , const ip_address *addr);
+
+#define is_zero_cookie(cookie) all_zero((cookie), COOKIE_SIZE)
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
new file mode 100644
index 000000000..05e8d1402
--- /dev/null
+++ b/src/pluto/crl.c
@@ -0,0 +1,763 @@
+/* Support of X.509 certificate revocation lists (CRLs)
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: crl.c,v 1.12 2005/12/06 22:49:57 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <time.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "asn1.h"
+#include "oid.h"
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "certs.h"
+#include "keys.h"
+#include "whack.h"
+#include "fetch.h"
+#include "sha1.h"
+
+/* chained lists of X.509 crls */
+
+static x509crl_t *x509crls = NULL;
+
+/* ASN.1 definition of an X.509 certificate list */
+
+static const asn1Object_t crlObjects[] = {
+ { 0, "certificateList", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "tbsCertList", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "version", ASN1_INTEGER, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 4 */
+ { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 2, "thisUpdate", ASN1_EOC, ASN1_RAW }, /* 6 */
+ { 2, "nextUpdate", ASN1_EOC, ASN1_RAW }, /* 7 */
+ { 2, "revokedCertificates", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 8 */
+ { 3, "certList", ASN1_SEQUENCE, ASN1_NONE }, /* 9 */
+ { 4, "userCertificate", ASN1_INTEGER, ASN1_BODY }, /* 10 */
+ { 4, "revocationDate", ASN1_EOC, ASN1_RAW }, /* 11 */
+ { 4, "crlEntryExtensions", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 12 */
+ { 5, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
+ { 6, "extnID", ASN1_OID, ASN1_BODY }, /* 14 */
+ { 6, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 15 */
+ { 6, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
+ { 4, "end opt or loop", ASN1_EOC, ASN1_END }, /* 17 */
+ { 2, "end opt or loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "optional extensions", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 19 */
+ { 3, "crlExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 23 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
+ };
+
+#define CRL_OBJ_CERTIFICATE_LIST 0
+#define CRL_OBJ_TBS_CERT_LIST 1
+#define CRL_OBJ_VERSION 2
+#define CRL_OBJ_SIG_ALG 4
+#define CRL_OBJ_ISSUER 5
+#define CRL_OBJ_THIS_UPDATE 6
+#define CRL_OBJ_NEXT_UPDATE 7
+#define CRL_OBJ_USER_CERTIFICATE 10
+#define CRL_OBJ_REVOCATION_DATE 11
+#define CRL_OBJ_CRL_ENTRY_EXTN_ID 14
+#define CRL_OBJ_CRL_ENTRY_CRITICAL 15
+#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE 16
+#define CRL_OBJ_EXTN_ID 22
+#define CRL_OBJ_CRITICAL 23
+#define CRL_OBJ_EXTN_VALUE 24
+#define CRL_OBJ_ALGORITHM 27
+#define CRL_OBJ_SIGNATURE 28
+#define CRL_OBJ_ROOF 29
+
+
+const x509crl_t empty_x509crl = {
+ NULL , /* *next */
+ UNDEFINED_TIME, /* installed */
+ NULL , /* distributionPoints */
+ { NULL, 0 } , /* certificateList */
+ { NULL, 0 } , /* tbsCertList */
+ 1 , /* version */
+ OID_UNKNOWN , /* sigAlg */
+ { NULL, 0 } , /* issuer */
+ UNDEFINED_TIME, /* thisUpdate */
+ UNDEFINED_TIME, /* nextUpdate */
+ NULL , /* revokedCertificates */
+ /* crlExtensions */
+ /* extension */
+ /* extnID */
+ /* critical */
+ /* extnValue */
+ { NULL, 0 } , /* authKeyID */
+ { NULL, 0 } , /* authKeySerialNumber */
+ OID_UNKNOWN , /* algorithm */
+ { NULL, 0 } /* signature */
+};
+
+/*
+ * get the X.509 CRL with a given issuer
+ */
+static x509crl_t*
+get_x509crl(chunk_t issuer, chunk_t serial, chunk_t keyid)
+{
+ x509crl_t *crl = x509crls;
+ x509crl_t *prev_crl = NULL;
+
+ while (crl != NULL)
+ {
+ if ((keyid.ptr != NULL && crl->authKeyID.ptr != NULL)
+ ? same_keyid(keyid, crl->authKeyID)
+ : (same_dn(crl->issuer, issuer) && same_serial(serial, crl->authKeySerialNumber)))
+ {
+ if (crl != x509crls)
+ {
+ /* bring the CRL up front */
+ prev_crl->next = crl->next;
+ crl->next = x509crls;
+ x509crls = crl;
+ }
+ return crl;
+ }
+ prev_crl = crl;
+ crl = crl->next;
+ }
+ return NULL;
+}
+
+/*
+ * free the dynamic memory used to store revoked certificates
+ */
+static void
+free_revoked_certs(revokedCert_t* revokedCerts)
+{
+ while (revokedCerts != NULL)
+ {
+ revokedCert_t * revokedCert = revokedCerts;
+ revokedCerts = revokedCert->next;
+ pfree(revokedCert);
+ }
+}
+
+/*
+ * free the dynamic memory used to store CRLs
+ */
+void
+free_crl(x509crl_t *crl)
+{
+ free_revoked_certs(crl->revokedCertificates);
+ free_generalNames(crl->distributionPoints, TRUE);
+ pfree(crl->certificateList.ptr);
+ pfree(crl);
+}
+
+static void
+free_first_crl(void)
+{
+ x509crl_t *crl = x509crls;
+
+ x509crls = crl->next;
+ free_crl(crl);
+}
+
+void
+free_crls(void)
+{
+ lock_crl_list("free_crls");
+
+ while (x509crls != NULL)
+ free_first_crl();
+
+ unlock_crl_list("free_crls");
+}
+
+/*
+ * Insert X.509 CRL into chained list
+ */
+bool
+insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl)
+{
+ x509crl_t *crl = alloc_thing(x509crl_t, "x509crl");
+
+ *crl = empty_x509crl;
+
+ if (parse_x509crl(blob, 0, crl))
+ {
+ x509cert_t *issuer_cert;
+ x509crl_t *oldcrl;
+ bool valid_sig;
+ generalName_t *gn;
+
+ /* add distribution point */
+ gn = alloc_thing(generalName_t, "generalName");
+ gn->kind = GN_URI;
+ gn->name = crl_uri;
+ gn->next = crl->distributionPoints;
+ crl->distributionPoints = gn;
+
+ lock_authcert_list("insert_crl");
+ /* get the issuer cacert */
+ issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber,
+ crl->authKeyID, AUTH_CA);
+ if (issuer_cert == NULL)
+ {
+ plog("crl issuer cacert not found");
+ free_crl(crl);
+ unlock_authcert_list("insert_crl");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("crl issuer cacert found")
+ )
+
+ /* check the issuer's signature of the crl */
+ valid_sig = check_signature(crl->tbsCertList, crl->signature
+ , crl->algorithm, crl->algorithm, issuer_cert);
+ unlock_authcert_list("insert_crl");
+
+ if (!valid_sig)
+ {
+ free_crl(crl);
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("crl signature is valid")
+ )
+
+ lock_crl_list("insert_crl");
+ oldcrl = get_x509crl(crl->issuer, crl->authKeySerialNumber
+ , crl->authKeyID);
+
+ if (oldcrl != NULL)
+ {
+ if (crl->thisUpdate > oldcrl->thisUpdate)
+ {
+ /* keep any known CRL distribution points */
+ add_distribution_points(oldcrl->distributionPoints
+ , &crl->distributionPoints);
+
+ /* now delete the old CRL */
+ free_first_crl();
+ DBG(DBG_CONTROL,
+ DBG_log("thisUpdate is newer - existing crl deleted")
+ )
+ }
+ else
+ {
+ unlock_crl_list("insert_crls");
+ DBG(DBG_CONTROL,
+ DBG_log("thisUpdate is not newer - existing crl not replaced");
+ )
+ free_crl(crl);
+ return oldcrl->nextUpdate - time(NULL) > 2*crl_check_interval;
+ }
+ }
+
+ /* insert new CRL */
+ crl->next = x509crls;
+ x509crls = crl;
+
+ unlock_crl_list("insert_crl");
+
+ /* If crl caching is enabled then the crl is saved locally.
+ * Only http or ldap URIs are cached but not local file URIs.
+ * The issuer's subjectKeyID is used as a unique filename
+ */
+ if (cache_crl && strncasecmp(crl_uri.ptr, "file", 4) != 0)
+ {
+ char path[BUF_LEN];
+ char buf[BUF_LEN];
+ char digest_buf[SHA1_DIGEST_SIZE];
+ chunk_t subjectKeyID = { digest_buf, SHA1_DIGEST_SIZE };
+
+ if (issuer_cert->subjectKeyID.ptr == NULL)
+ compute_subjectKeyID(issuer_cert, subjectKeyID);
+ else
+ subjectKeyID = issuer_cert->subjectKeyID;
+
+ datatot(subjectKeyID.ptr, subjectKeyID.len, 16, buf, BUF_LEN);
+ snprintf(path, BUF_LEN, "%s/%s.crl", CRL_PATH, buf);
+ write_chunk(path, "crl", crl->certificateList, 0022, TRUE);
+ }
+
+ /* is the fetched crl valid? */
+ return crl->nextUpdate - time(NULL) > 2*crl_check_interval;
+ }
+ else
+ {
+ plog(" error in X.509 crl");
+ free_crl(crl);
+ return FALSE;
+ }
+}
+
+/*
+ * Loads CRLs
+ */
+void
+load_crls(void)
+{
+ struct dirent **filelist;
+ u_char buf[BUF_LEN];
+ u_char *save_dir;
+ int n;
+
+ /* change directory to specified path */
+ save_dir = getcwd(buf, BUF_LEN);
+ if (chdir(CRL_PATH))
+ {
+ plog("Could not change to directory '%s'", CRL_PATH);
+ }
+ else
+ {
+ plog("Changing to directory '%s'", CRL_PATH);
+ n = scandir(CRL_PATH, &filelist, file_select, alphasort);
+
+ if (n < 0)
+ plog(" scandir() error");
+ else
+ {
+ while (n--)
+ {
+ bool pgp = FALSE;
+ chunk_t blob = empty_chunk;
+ char *filename = filelist[n]->d_name;
+
+ if (load_coded_file(filename, NULL, "crl", &blob, &pgp))
+ {
+ chunk_t crl_uri;
+
+ crl_uri.len = 7 + sizeof(CRL_PATH) + strlen(filename);
+ crl_uri.ptr = alloc_bytes(crl_uri.len + 1, "crl uri");
+
+ /* build CRL file URI */
+ snprintf(crl_uri.ptr, crl_uri.len + 1, "file://%s/%s"
+ , CRL_PATH, filename);
+
+ insert_crl(blob, crl_uri, FALSE);
+ }
+ free(filelist[n]);
+ }
+ free(filelist);
+ }
+ }
+ /* restore directory path */
+ chdir(save_dir);
+}
+
+/*
+ * Parses a CRL revocation reason code
+ */
+static crl_reason_t
+parse_crl_reasonCode(chunk_t object)
+{
+ crl_reason_t reason = REASON_UNSPECIFIED;
+
+ if (*object.ptr == ASN1_ENUMERATED
+ && asn1_length(&object) == 1)
+ {
+ reason = *object.ptr;
+ }
+
+ DBG(DBG_PARSING,
+ DBG_log(" '%s'", enum_name(&crl_reason_names, reason))
+ )
+ return reason;
+}
+
+/*
+ * Parses an X.509 CRL
+ */
+bool
+parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
+{
+ u_char buf[BUF_LEN];
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t extnID;
+ chunk_t userCertificate;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < CRL_OBJ_ROOF)
+ {
+ if (!extract_object(crlObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ /* those objects which will parsed further need the next higher level */
+ level++;
+
+ switch (objectID) {
+ case CRL_OBJ_CERTIFICATE_LIST:
+ crl->certificateList = object;
+ break;
+ case CRL_OBJ_TBS_CERT_LIST:
+ crl->tbsCertList = object;
+ break;
+ case CRL_OBJ_VERSION:
+ crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+ DBG(DBG_PARSING,
+ DBG_log(" v%d", crl->version);
+ )
+ break;
+ case CRL_OBJ_SIG_ALG:
+ crl->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case CRL_OBJ_ISSUER:
+ crl->issuer = object;
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'",buf)
+ )
+ break;
+ case CRL_OBJ_THIS_UPDATE:
+ crl->thisUpdate = parse_time(object, level);
+ break;
+ case CRL_OBJ_NEXT_UPDATE:
+ crl->nextUpdate = parse_time(object, level);
+ break;
+ case CRL_OBJ_USER_CERTIFICATE:
+ userCertificate = object;
+ break;
+ case CRL_OBJ_REVOCATION_DATE:
+ {
+ /* put all the serial numbers and the revocation date in a chained list
+ with revocedCertificates pointing to the first revoked certificate */
+
+ revokedCert_t *revokedCert = alloc_thing(revokedCert_t, "revokedCert");
+ revokedCert->userCertificate = userCertificate;
+ revokedCert->revocationDate = parse_time(object, level);
+ revokedCert->revocationReason = REASON_UNSPECIFIED;
+ revokedCert->next = crl->revokedCertificates;
+ crl->revokedCertificates = revokedCert;
+ }
+ break;
+ case CRL_OBJ_CRL_ENTRY_EXTN_ID:
+ case CRL_OBJ_EXTN_ID:
+ extnID = object;
+ break;
+ case CRL_OBJ_CRL_ENTRY_CRITICAL:
+ case CRL_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(critical)?"TRUE":"FALSE");
+ )
+ break;
+ case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
+ case CRL_OBJ_EXTN_VALUE:
+ {
+ u_int extn_oid = known_oid(extnID);
+
+ if (extn_oid == OID_CRL_REASON_CODE)
+ {
+ crl->revokedCertificates->revocationReason =
+ parse_crl_reasonCode(object);
+ }
+ else if (extn_oid == OID_AUTHORITY_KEY_ID)
+ {
+ parse_authorityKeyIdentifier(object, level
+ , &crl->authKeyID, &crl->authKeySerialNumber);
+ }
+ }
+ break;
+ case CRL_OBJ_ALGORITHM:
+ crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case CRL_OBJ_SIGNATURE:
+ crl->signature = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ time(&crl->installed);
+ return TRUE;
+}
+
+/* Checks if the current certificate is revoked. It goes through the
+ * list of revoked certificates of the corresponding crl. Either the
+ * status CERT_GOOD or CERT_REVOKED is returned
+ */
+static cert_status_t
+check_revocation(const x509crl_t *crl, chunk_t serial
+, time_t *revocationDate, crl_reason_t * revocationReason)
+{
+ revokedCert_t *revokedCert = crl->revokedCertificates;
+
+ *revocationDate = UNDEFINED_TIME;
+ *revocationReason = REASON_UNSPECIFIED;
+
+ DBG(DBG_CONTROL,
+ DBG_dump_chunk("serial number:", serial)
+ )
+
+ while(revokedCert != NULL)
+ {
+ /* compare serial numbers */
+ if (revokedCert->userCertificate.len == serial.len &&
+ memcmp(revokedCert->userCertificate.ptr, serial.ptr, serial.len) == 0)
+ {
+ *revocationDate = revokedCert->revocationDate;
+ *revocationReason = revokedCert->revocationReason;
+ return CERT_REVOKED;
+ }
+ revokedCert = revokedCert->next;
+ }
+ return CERT_GOOD;
+}
+
+/*
+ * check if any crls are about to expire
+ */
+void
+check_crls(void)
+{
+ x509crl_t *crl;
+
+ lock_crl_list("check_crls");
+ crl = x509crls;
+
+ while (crl != NULL)
+ {
+ time_t time_left = crl->nextUpdate - time(NULL);
+ u_char buf[BUF_LEN];
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, crl->issuer);
+ DBG_log("issuer: '%s'",buf);
+ if (crl->authKeyID.ptr != NULL)
+ {
+ datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ DBG_log("%ld seconds left", time_left)
+ )
+ if (time_left < 2*crl_check_interval)
+ {
+ fetch_req_t *req = build_crl_fetch_request(crl->issuer
+ , crl->authKeySerialNumber
+ , crl->authKeyID, crl->distributionPoints);
+ add_crl_fetch_request(req);
+ }
+ crl = crl->next;
+ }
+ unlock_crl_list("check_crls");
+}
+
+/*
+ * verify if a cert hasn't been revoked by a crl
+ */
+cert_status_t
+verify_by_crl(const x509cert_t *cert, time_t *until, time_t *revocationDate
+, crl_reason_t *revocationReason)
+{
+ x509crl_t *crl;
+
+ ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID);
+
+ generalName_t *crluri = (ca == NULL)? NULL : ca->crluri;
+
+ *revocationDate = UNDEFINED_TIME;
+ *revocationReason = REASON_UNSPECIFIED;
+
+ lock_crl_list("verify_by_crl");
+ crl = get_x509crl(cert->issuer, cert->authKeySerialNumber, cert->authKeyID);
+
+ if (crl == NULL)
+ {
+ unlock_crl_list("verify_by_crl");
+ plog("crl not found");
+
+ if (cert->crlDistributionPoints != NULL)
+ {
+ fetch_req_t *req = build_crl_fetch_request(cert->issuer
+ , cert->authKeySerialNumber
+ , cert->authKeyID, cert->crlDistributionPoints);
+ add_crl_fetch_request(req);
+ }
+
+ if (crluri != NULL)
+ {
+ fetch_req_t *req = build_crl_fetch_request(cert->issuer
+ , cert->authKeySerialNumber
+ , cert->authKeyID, crluri);
+ add_crl_fetch_request(req);
+ }
+
+ if (cert->crlDistributionPoints != 0 || crluri != NULL)
+ {
+ wake_fetch_thread("verify_by_crl");
+ return CERT_UNKNOWN;
+ }
+ else
+ return CERT_UNDEFINED;
+ }
+ else
+ {
+ x509cert_t *issuer_cert;
+ bool valid;
+
+ DBG(DBG_CONTROL,
+ DBG_log("crl found")
+ )
+
+ add_distribution_points(cert->crlDistributionPoints
+ , &crl->distributionPoints);
+
+ add_distribution_points(crluri
+ , &crl->distributionPoints);
+
+ lock_authcert_list("verify_by_crl");
+
+ issuer_cert = get_authcert(crl->issuer, crl->authKeySerialNumber
+ , crl->authKeyID, AUTH_CA);
+ valid = check_signature(crl->tbsCertList, crl->signature
+ , crl->algorithm, crl->algorithm, issuer_cert);
+
+ unlock_authcert_list("verify_by_crl");
+
+ if (valid)
+ {
+ cert_status_t status;
+
+ DBG(DBG_CONTROL,
+ DBG_log("crl signature is valid")
+ )
+ /* return the expiration date */
+ *until = crl->nextUpdate;
+
+ /* has the certificate been revoked? */
+ status = check_revocation(crl, cert->serialNumber, revocationDate
+ , revocationReason);
+
+ if (*until < time(NULL))
+ {
+ fetch_req_t *req;
+
+ plog("crl update is overdue since %s"
+ , timetoa(until, TRUE));
+
+ /* try to fetch a crl update */
+ req = build_crl_fetch_request(crl->issuer
+ , crl->authKeySerialNumber
+ , crl->authKeyID, crl->distributionPoints);
+ unlock_crl_list("verify_by_crl");
+
+ add_crl_fetch_request(req);
+ wake_fetch_thread("verify_by_crl");
+ }
+ else
+ {
+ unlock_crl_list("verify_by_crl");
+ DBG(DBG_CONTROL,
+ DBG_log("crl is valid")
+ )
+ }
+ return status;
+ }
+ else
+ {
+ unlock_crl_list("verify_by_crl");
+ plog("crl signature is invalid");
+ return CERT_UNKNOWN;
+ }
+ }
+}
+
+/*
+ * list all X.509 crls in the chained list
+ */
+void
+list_crls(bool utc, bool strict)
+{
+ x509crl_t *crl;
+
+ lock_crl_list("list_crls");
+ crl = x509crls;
+
+ if (crl != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of X.509 CRLs:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (crl != NULL)
+ {
+ u_char buf[BUF_LEN];
+ u_int revoked = 0;
+ revokedCert_t *revokedCert = crl->revokedCertificates;
+
+ /* count number of revoked certificates in CRL */
+ while (revokedCert != NULL)
+ {
+ revoked++;
+ revokedCert = revokedCert->next;
+ }
+
+ whack_log(RC_COMMENT, "%s, revoked certs: %d",
+ timetoa(&crl->installed, utc), revoked);
+ dntoa(buf, BUF_LEN, crl->issuer);
+ whack_log(RC_COMMENT, " issuer: '%s'", buf);
+
+ list_distribution_points(crl->distributionPoints);
+
+ whack_log(RC_COMMENT, " updates: this %s",
+ timetoa(&crl->thisUpdate, utc));
+ whack_log(RC_COMMENT, " next %s %s",
+ timetoa(&crl->nextUpdate, utc),
+ check_expiry(crl->nextUpdate, CRL_WARNING_INTERVAL, strict));
+ if (crl->authKeyID.ptr != NULL)
+ {
+ datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (crl->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(crl->authKeySerialNumber.ptr, crl->authKeySerialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+
+ crl = crl->next;
+ }
+ unlock_crl_list("list_crls");
+}
+
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
new file mode 100644
index 000000000..9f985b6cd
--- /dev/null
+++ b/src/pluto/crl.h
@@ -0,0 +1,87 @@
+/* Support of X.509 certificate revocation lists (CRLs)
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: crl.h,v 1.4 2005/07/18 19:36:22 as Exp $
+ */
+
+#include "constants.h"
+
+/* access structure for a revoked serial number */
+
+typedef struct revokedCert revokedCert_t;
+
+struct revokedCert{
+ revokedCert_t *next;
+ chunk_t userCertificate;
+ time_t revocationDate;
+ crl_reason_t revocationReason;
+};
+
+/* storage structure for an X.509 CRL */
+
+typedef struct x509crl x509crl_t;
+
+struct x509crl {
+ x509crl_t *next;
+ time_t installed;
+ generalName_t *distributionPoints;
+ chunk_t certificateList;
+ chunk_t tbsCertList;
+ u_int version;
+ /* signature */
+ int sigAlg;
+ chunk_t issuer;
+ time_t thisUpdate;
+ time_t nextUpdate;
+ revokedCert_t *revokedCertificates;
+ /* v2 extensions */
+ /* crlExtensions */
+ /* extension */
+ /* extnID */
+ /* critical */
+ /* extnValue */
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+
+ /* signatureAlgorithm */
+ int algorithm;
+ chunk_t signature;
+};
+
+/* apply a strict CRL policy
+ * flag set in plutomain.c and used in ipsec_doi.c and rcv_whack.c
+ */
+extern bool strict_crl_policy;
+
+/*
+ * cache the retrieved CRLs by storing them locally as a file
+ */
+extern bool cache_crls;
+
+/*
+ * check periodically for expired crls
+ */
+extern long crl_check_interval;
+
+/* used for initialization */
+extern const x509crl_t empty_x509crl;
+
+extern bool parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl);
+extern void load_crls(void);
+extern void check_crls(void);
+extern bool insert_crl(chunk_t blob, chunk_t crl_uri, bool cache_crl);
+extern cert_status_t verify_by_crl(const x509cert_t *cert, time_t *until
+ , time_t *revocationDate, crl_reason_t *revocationReason);
+extern void list_crls(bool utc, bool strict);
+extern void free_crls(void);
+extern void free_crl(x509crl_t *crl);
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
new file mode 100644
index 000000000..f1b7c3f5f
--- /dev/null
+++ b/src/pluto/crypto.c
@@ -0,0 +1,627 @@
+/* crypto interfaces
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: crypto.c,v 1.5 2005/12/06 22:51:34 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+#define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
+#include <libdes/des.h>
+
+#include <errno.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "state.h"
+#include "log.h"
+#include "md5.h"
+#include "sha1.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+#include "alg_info.h"
+#include "ike_alg.h"
+
+
+/* moduli and generator. */
+
+static MP_INT
+ modp1024_modulus,
+ modp1536_modulus,
+ modp2048_modulus,
+ modp3072_modulus,
+ modp4096_modulus,
+ modp6144_modulus,
+ modp8192_modulus;
+
+MP_INT groupgenerator; /* MODP group generator (2) */
+
+static void do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
+
+static struct encrypt_desc crypto_encryptor_3des =
+{
+ algo_type: IKE_ALG_ENCRYPT,
+ algo_id: OAKLEY_3DES_CBC,
+ algo_next: NULL,
+ enc_ctxsize: sizeof(des_key_schedule) * 3,
+ enc_blocksize: DES_CBC_BLOCK_SIZE,
+ keydeflen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+ keyminlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+ keymaxlen: DES_CBC_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+ do_crypt: do_3des,
+};
+
+/* MD5 hash test vectors
+ * from RFC 1321 "MD5 Message-Digest Algorithm"
+ * April 1992, R. Rivest, RSA Data Security
+ */
+
+static const u_char md5_test0_msg[] = {
+
+};
+
+static const u_char md5_test0_msg_digest[] = {
+ 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
+ 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
+};
+
+static const u_char md5_test1_msg[] = {
+ 0x61
+};
+
+static const u_char md5_test1_msg_digest[] = {
+ 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
+ 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
+};
+
+static const u_char md5_test2_msg[] = {
+ 0x61, 0x62, 0x63
+};
+
+static const u_char md5_test2_msg_digest[] = {
+ 0x90, 0x01, 0x50, 0x98, 0x3c, 0xd2, 0x4f, 0xb0,
+ 0xd6, 0x96, 0x3f, 0x7d, 0x28, 0xe1, 0x7f, 0x72
+};
+
+static const u_char md5_test3_msg[] = {
+ 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20,
+ 0x64, 0x69, 0x67, 0x65, 0x73, 0x74
+};
+
+static const u_char md5_test3_msg_digest[] = {
+ 0xf9, 0x6b, 0x69, 0x7d, 0x7c, 0xb7, 0x93, 0x8d,
+ 0x52, 0x5a, 0x2f, 0x31, 0xaa, 0xf1, 0x61, 0xd0
+};
+
+static const u_char md5_test4_msg[] = {
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
+ 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+ 0x79, 0x7a
+};
+
+static const u_char md5_test4_msg_digest[] = {
+ 0xc3, 0xfc, 0xd3, 0xd7, 0x61, 0x92, 0xe4, 0x00,
+ 0x7d, 0xfb, 0x49, 0x6c, 0xca, 0x67, 0xe1, 0x3b
+};
+
+static const u_char md5_test5_msg[] = {
+ 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+ 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
+ 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+ 0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
+ 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e,
+ 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76,
+ 0x77, 0x78, 0x79, 0x7a, 0x30, 0x31, 0x32, 0x33,
+ 0x34, 0x35, 0x36, 0x37, 0x38, 0x39
+};
+
+static const u_char md5_test5_msg_digest[] = {
+ 0xd1, 0x74, 0xab, 0x98, 0xd2, 0x77, 0xd9, 0xf5,
+ 0xa5, 0x61, 0x1c, 0x2c, 0x9f, 0x41, 0x9d, 0x9f
+};
+
+static const u_char md5_test6_msg[] = {
+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
+ 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
+ 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
+ 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30,
+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
+ 0x39, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36,
+ 0x37, 0x38, 0x39, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32,
+ 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30
+};
+
+static const u_char md5_test6_msg_digest[] = {
+ 0x57, 0xed, 0xf4, 0xa2, 0x2b, 0xe3, 0xc9, 0x55,
+ 0xac, 0x49, 0xda, 0x2e, 0x21, 0x07, 0xb6, 0x7a
+};
+
+static const hash_testvector_t md5_hash_testvectors[] = {
+ { sizeof(md5_test0_msg), md5_test0_msg, md5_test0_msg_digest },
+ { sizeof(md5_test1_msg), md5_test1_msg, md5_test1_msg_digest },
+ { sizeof(md5_test2_msg), md5_test2_msg, md5_test2_msg_digest },
+ { sizeof(md5_test3_msg), md5_test3_msg, md5_test3_msg_digest },
+ { sizeof(md5_test4_msg), md5_test4_msg, md5_test4_msg_digest },
+ { sizeof(md5_test5_msg), md5_test5_msg, md5_test5_msg_digest },
+ { sizeof(md5_test6_msg), md5_test6_msg, md5_test6_msg_digest },
+ { 0, NULL, NULL }
+};
+
+/* MD5 hmac test vectors
+ * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
+ * September 1997, P. Cheng, IBM & R. Glenn, NIST
+ */
+
+static const u_char md5_hmac1_key[] = {
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
+};
+
+static const u_char md5_hmac1_msg[] = {
+ 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+};
+
+static const u_char md5_hmac1[] = {
+ 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
+ 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
+};
+
+static const u_char md5_hmac2_key[] = {
+ 0x4a, 0x65, 0x66, 0x65
+};
+
+static const u_char md5_hmac2_msg[] = {
+ 0x77, 0x68, 0x61, 0x74, 0x20, 0x64, 0x6f, 0x20,
+ 0x79, 0x61, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20,
+ 0x66, 0x6f, 0x72, 0x20, 0x6e, 0x6f, 0x74, 0x68,
+ 0x69, 0x6e, 0x67, 0x3f
+};
+
+static const u_char md5_hmac2[] = {
+ 0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
+ 0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38
+};
+
+static const u_char md5_hmac3_key[] = {
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
+};
+
+static const u_char md5_hmac3_msg[] = {
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd
+};
+
+static const u_char md5_hmac3[] = {
+ 0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
+ 0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6
+};
+
+static const u_char md5_hmac4_key[] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19
+};
+
+static const u_char md5_hmac4_msg[] = {
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd
+};
+
+static const u_char md5_hmac4[] = {
+ 0x69, 0x7e, 0xaf, 0x0a, 0xca, 0x3a, 0x3a, 0xea,
+ 0x3a, 0x75, 0x16, 0x47, 0x46, 0xff, 0xaa, 0x79
+};
+
+static const u_char md5_hmac6_key[] = {
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+};
+
+static const u_char md5_hmac6_msg[] = {
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
+ 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
+ 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
+ 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
+ 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x2d, 0x20,
+ 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79,
+ 0x20, 0x46, 0x69, 0x72, 0x73, 0x74
+};
+
+static const u_char md5_hmac6[] = {
+ 0x6b, 0x1a, 0xb7, 0xfe, 0x4b, 0xd7, 0xbf, 0x8f,
+ 0x0b, 0x62, 0xe6, 0xce, 0x61, 0xb9, 0xd0, 0xcd
+};
+
+static const u_char md5_hmac7_msg[] = {
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69,
+ 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65,
+ 0x72, 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42,
+ 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a,
+ 0x65, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x61, 0x6e,
+ 0x64, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72,
+ 0x20, 0x54, 0x68, 0x61, 0x6e, 0x20, 0x4f, 0x6e,
+ 0x65, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d,
+ 0x53, 0x69, 0x7a, 0x65, 0x20, 0x44, 0x61, 0x74,
+ 0x61
+};
+
+static const u_char md5_hmac7[] = {
+ 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee,
+ 0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e
+};
+
+static const hmac_testvector_t md5_hmac_testvectors[] = {
+ { sizeof(md5_hmac1_key), md5_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, md5_hmac1 },
+ { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, md5_hmac2 },
+ { sizeof(md5_hmac3_key), md5_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, md5_hmac3 },
+ { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, md5_hmac4 },
+ { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, md5_hmac6 },
+ { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, md5_hmac7 },
+ { 0, NULL, 0, NULL, NULL }
+};
+
+static struct hash_desc crypto_hasher_md5 =
+{
+ algo_type: IKE_ALG_HASH,
+ algo_id: OAKLEY_MD5,
+ algo_next: NULL,
+ hash_ctx_size: sizeof(MD5_CTX),
+ hash_block_size: MD5_BLOCK_SIZE,
+ hash_digest_size: MD5_DIGEST_SIZE,
+ hash_testvectors: md5_hash_testvectors,
+ hmac_testvectors: md5_hmac_testvectors,
+ hash_init: (void (*)(void *)) MD5Init,
+ hash_update: (void (*)(void *, const u_int8_t *, size_t)) MD5Update,
+ hash_final: (void (*)(u_char *, void *)) MD5Final
+};
+
+/* SHA-1 test vectors
+ * from "The Secure Hash Algorithm Validation System (SHAVS)"
+ * July 22, 2004, Lawrence E. Bassham III, NIST
+ */
+
+static const u_char sha1_short2_msg[] = {
+ 0x5e
+};
+
+static const u_char sha1_short2_msg_digest[] = {
+ 0x5e, 0x6f, 0x80, 0xa3, 0x4a, 0x97, 0x98, 0xca,
+ 0xfc, 0x6a, 0x5d, 0xb9, 0x6c, 0xc5, 0x7b, 0xa4,
+ 0xc4, 0xdb, 0x59, 0xc2
+};
+
+static const u_char sha1_short4_msg[] = {
+ 0x9a, 0x7d, 0xfd, 0xf1, 0xec, 0xea, 0xd0, 0x6e,
+ 0xd6, 0x46, 0xaa, 0x55, 0xfe, 0x75, 0x71, 0x46
+};
+
+static const u_char sha1_short4_msg_digest[] = {
+ 0x82, 0xab, 0xff, 0x66, 0x05, 0xdb, 0xe1, 0xc1,
+ 0x7d, 0xef, 0x12, 0xa3, 0x94, 0xfa, 0x22, 0xa8,
+ 0x2b, 0x54, 0x4a, 0x35
+};
+
+static const u_char sha1_long2_msg[] = {
+ 0xf7, 0x8f, 0x92, 0x14, 0x1b, 0xcd, 0x17, 0x0a,
+ 0xe8, 0x9b, 0x4f, 0xba, 0x15, 0xa1, 0xd5, 0x9f,
+ 0x3f, 0xd8, 0x4d, 0x22, 0x3c, 0x92, 0x51, 0xbd,
+ 0xac, 0xbb, 0xae, 0x61, 0xd0, 0x5e, 0xd1, 0x15,
+ 0xa0, 0x6a, 0x7c, 0xe1, 0x17, 0xb7, 0xbe, 0xea,
+ 0xd2, 0x44, 0x21, 0xde, 0xd9, 0xc3, 0x25, 0x92,
+ 0xbd, 0x57, 0xed, 0xea, 0xe3, 0x9c, 0x39, 0xfa,
+ 0x1f, 0xe8, 0x94, 0x6a, 0x84, 0xd0, 0xcf, 0x1f,
+ 0x7b, 0xee, 0xad, 0x17, 0x13, 0xe2, 0xe0, 0x95,
+ 0x98, 0x97, 0x34, 0x7f, 0x67, 0xc8, 0x0b, 0x04,
+ 0x00, 0xc2, 0x09, 0x81, 0x5d, 0x6b, 0x10, 0xa6,
+ 0x83, 0x83, 0x6f, 0xd5, 0x56, 0x2a, 0x56, 0xca,
+ 0xb1, 0xa2, 0x8e, 0x81, 0xb6, 0x57, 0x66, 0x54,
+ 0x63, 0x1c, 0xf1, 0x65, 0x66, 0xb8, 0x6e, 0x3b,
+ 0x33, 0xa1, 0x08, 0xb0, 0x53, 0x07, 0xc0, 0x0a,
+ 0xff, 0x14, 0xa7, 0x68, 0xed, 0x73, 0x50, 0x60,
+ 0x6a, 0x0f, 0x85, 0xe6, 0xa9, 0x1d, 0x39, 0x6f,
+ 0x5b, 0x5c, 0xbe, 0x57, 0x7f, 0x9b, 0x38, 0x80,
+ 0x7c, 0x7d, 0x52, 0x3d, 0x6d, 0x79, 0x2f, 0x6e,
+ 0xbc, 0x24, 0xa4, 0xec, 0xf2, 0xb3, 0xa4, 0x27,
+ 0xcd, 0xbb, 0xfb
+};
+
+static const u_char sha1_long2_msg_digest[] = {
+ 0xcb, 0x00, 0x82, 0xc8, 0xf1, 0x97, 0xd2, 0x60,
+ 0x99, 0x1b, 0xa6, 0xa4, 0x60, 0xe7, 0x6e, 0x20,
+ 0x2b, 0xad, 0x27, 0xb3
+};
+
+static const hash_testvector_t sha1_hash_testvectors[] = {
+ { sizeof(sha1_short2_msg), sha1_short2_msg, sha1_short2_msg_digest },
+ { sizeof(sha1_short4_msg), sha1_short4_msg, sha1_short4_msg_digest },
+ { sizeof(sha1_long2_msg), sha1_long2_msg, sha1_long2_msg_digest },
+ { 0, NULL, NULL }
+};
+
+/* SHA-1 hmac test vectors
+ * from RFC 2202 "Test Cases for HMAC-MD5 and HMAC-SHA-1"
+ * September 1997, P. Cheng, IBM & R. Glenn, NIST
+ */
+
+static const u_char sha1_hmac1_key[] = {
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b
+};
+
+static const u_char sha1_hmac1[] = {
+ 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+ 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+ 0xf1, 0x46, 0xbe, 0x00
+};
+
+static const u_char sha1_hmac2[] = {
+ 0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
+ 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
+ 0x25, 0x9a, 0x7c, 0x79
+};
+
+static const u_char sha1_hmac3_key[] = {
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa
+};
+
+static const u_char sha1_hmac3[] = {
+ 0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
+ 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
+ 0x63, 0xf1, 0x75, 0xd3
+};
+
+static const u_char sha1_hmac4[] = {
+ 0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
+ 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
+ 0x2d, 0x72, 0x35, 0xda
+};
+
+static const u_char sha1_hmac6[] = {
+ 0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
+ 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
+ 0xed, 0x40, 0x21, 0x12
+};
+
+static const u_char sha1_hmac7[] = {
+ 0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
+ 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
+ 0xbb, 0xff, 0x1a, 0x91
+};
+
+static const hmac_testvector_t sha1_hmac_testvectors[] = {
+ { sizeof(sha1_hmac1_key), sha1_hmac1_key, sizeof(md5_hmac1_msg), md5_hmac1_msg, sha1_hmac1 },
+ { sizeof(md5_hmac2_key), md5_hmac2_key, sizeof(md5_hmac2_msg), md5_hmac2_msg, sha1_hmac2 },
+ { sizeof(sha1_hmac3_key), sha1_hmac3_key, sizeof(md5_hmac3_msg), md5_hmac3_msg, sha1_hmac3 },
+ { sizeof(md5_hmac4_key), md5_hmac4_key, sizeof(md5_hmac4_msg), md5_hmac4_msg, sha1_hmac4 },
+ { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac6_msg), md5_hmac6_msg, sha1_hmac6 },
+ { sizeof(md5_hmac6_key), md5_hmac6_key, sizeof(md5_hmac7_msg), md5_hmac7_msg, sha1_hmac7 },
+ { 0, NULL, 0, NULL, NULL }
+};
+
+static struct hash_desc crypto_hasher_sha1 =
+{
+ algo_type: IKE_ALG_HASH,
+ algo_id: OAKLEY_SHA,
+ algo_next: NULL,
+ hash_ctx_size: sizeof(SHA1_CTX),
+ hash_block_size: SHA1_BLOCK_SIZE,
+ hash_digest_size: SHA1_DIGEST_SIZE,
+ hash_testvectors: sha1_hash_testvectors,
+ hmac_testvectors: sha1_hmac_testvectors,
+ hash_init: (void (*)(void *)) SHA1Init,
+ hash_update: (void (*)(void *, const u_int8_t *, size_t)) SHA1Update,
+ hash_final: (void (*)(u_char *, void *)) SHA1Final
+};
+
+void
+init_crypto(void)
+{
+ if (mpz_init_set_str(&groupgenerator, MODP_GENERATOR, 10) != 0
+ || mpz_init_set_str(&modp1024_modulus, MODP1024_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp1536_modulus, MODP1536_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp2048_modulus, MODP2048_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp3072_modulus, MODP3072_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp4096_modulus, MODP4096_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp6144_modulus, MODP6144_MODULUS, 16) != 0
+ || mpz_init_set_str(&modp8192_modulus, MODP8192_MODULUS, 16) != 0)
+ exit_log("mpz_init_set_str() failed in init_crypto()");
+
+ ike_alg_add((struct ike_alg *) &crypto_encryptor_3des);
+ ike_alg_add((struct ike_alg *) &crypto_hasher_sha1);
+ ike_alg_add((struct ike_alg *) &crypto_hasher_md5);
+ ike_alg_init();
+ ike_alg_test();
+}
+
+/* Oakley group description
+ *
+ * See RFC2409 "The Internet key exchange (IKE)" 6.
+ */
+
+const struct oakley_group_desc unset_group = {0, NULL, 0}; /* magic signifier */
+
+const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE] = {
+# define BYTES(bits) (((bits) + BITS_PER_BYTE - 1) / BITS_PER_BYTE)
+ { OAKLEY_GROUP_MODP1024, &modp1024_modulus, BYTES(1024) },
+ { OAKLEY_GROUP_MODP1536, &modp1536_modulus, BYTES(1536) },
+ { OAKLEY_GROUP_MODP2048, &modp2048_modulus, BYTES(2048) },
+ { OAKLEY_GROUP_MODP3072, &modp3072_modulus, BYTES(3072) },
+ { OAKLEY_GROUP_MODP4096, &modp4096_modulus, BYTES(4096) },
+ { OAKLEY_GROUP_MODP6144, &modp6144_modulus, BYTES(6144) },
+ { OAKLEY_GROUP_MODP8192, &modp8192_modulus, BYTES(8192) },
+# undef BYTES
+};
+
+const struct oakley_group_desc *
+lookup_group(u_int16_t group)
+{
+ int i;
+
+ for (i = 0; i != elemsof(oakley_group); i++)
+ if (group == oakley_group[i].group)
+ return &oakley_group[i];
+ return NULL;
+}
+
+/* Encryption Routines
+ *
+ * Each uses and updates the state object's st_new_iv.
+ * This must already be initialized.
+ */
+
+/* encrypt or decrypt part of an IKE message using DES
+ * See RFC 2409 "IKE" Appendix B
+ */
+static void __attribute__ ((unused))
+do_des(bool enc, void *buf, size_t buf_len, struct state *st)
+{
+ des_key_schedule ks;
+
+ (void) des_set_key((des_cblock *)st->st_enc_key.ptr, ks);
+
+ passert(st->st_new_iv_len >= DES_CBC_BLOCK_SIZE);
+ st->st_new_iv_len = DES_CBC_BLOCK_SIZE; /* truncate */
+
+ des_ncbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
+ ks,
+ (des_cblock *)st->st_new_iv, enc);
+}
+
+/* encrypt or decrypt part of an IKE message using 3DES
+ * See RFC 2409 "IKE" Appendix B
+ */
+static void
+do_3des(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc)
+{
+ des_key_schedule ks[3];
+
+ passert (!key_size || (key_size==(DES_CBC_BLOCK_SIZE * 3)))
+ (void) des_set_key((des_cblock *)key + 0, ks[0]);
+ (void) des_set_key((des_cblock *)key + 1, ks[1]);
+ (void) des_set_key((des_cblock *)key + 2, ks[2]);
+
+ des_ede3_cbc_encrypt((des_cblock *)buf, (des_cblock *)buf, buf_len,
+ ks[0], ks[1], ks[2],
+ (des_cblock *)iv, enc);
+}
+
+/* hash and prf routines */
+void
+crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st)
+{
+ passert(st->st_new_iv_len >= e->enc_blocksize);
+ st->st_new_iv_len = e->enc_blocksize; /* truncate */
+
+ e->do_crypt(buf, size, st->st_enc_key.ptr, st->st_enc_key.len, st->st_new_iv, enc);
+ /*
+ e->set_key(&ctx, st->st_enc_key.ptr, st->st_enc_key.len);
+ e->cbc_crypt(&ctx, buf, size, st->st_new_iv, enc);
+ */
+}
+
+/* HMAC package
+ * rfc2104.txt specifies how HMAC works.
+ */
+
+void
+hmac_init(struct hmac_ctx *ctx,
+ const struct hash_desc *h,
+ const u_char *key, size_t key_len)
+{
+ int k;
+
+ ctx->h = h;
+ ctx->hmac_digest_size = h->hash_digest_size;
+
+ /* Prepare the two pads for the HMAC */
+
+ memset(ctx->buf1, '\0', h->hash_block_size);
+
+ if (key_len <= h->hash_block_size)
+ {
+ memcpy(ctx->buf1, key, key_len);
+ }
+ else
+ {
+ h->hash_init(&ctx->hash_ctx);
+ h->hash_update(&ctx->hash_ctx, key, key_len);
+ h->hash_final(ctx->buf1, &ctx->hash_ctx);
+ }
+
+ memcpy(ctx->buf2, ctx->buf1, h->hash_block_size);
+
+ for (k = 0; k < h->hash_block_size; k++)
+ {
+ ctx->buf1[k] ^= HMAC_IPAD;
+ ctx->buf2[k] ^= HMAC_OPAD;
+ }
+
+ hmac_reinit(ctx);
+}
+
+void
+hmac_reinit(struct hmac_ctx *ctx)
+{
+ ctx->h->hash_init(&ctx->hash_ctx);
+ ctx->h->hash_update(&ctx->hash_ctx, ctx->buf1, ctx->h->hash_block_size);
+}
+
+void
+hmac_update(struct hmac_ctx *ctx,
+ const u_char *data, size_t data_len)
+{
+ ctx->h->hash_update(&ctx->hash_ctx, data, data_len);
+}
+
+void
+hmac_final(u_char *output, struct hmac_ctx *ctx)
+{
+ const struct hash_desc *h = ctx->h;
+
+ h->hash_final(output, &ctx->hash_ctx);
+
+ h->hash_init(&ctx->hash_ctx);
+ h->hash_update(&ctx->hash_ctx, ctx->buf2, h->hash_block_size);
+ h->hash_update(&ctx->hash_ctx, output, h->hash_digest_size);
+ h->hash_final(output, &ctx->hash_ctx);
+}
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
new file mode 100644
index 000000000..48c983349
--- /dev/null
+++ b/src/pluto/crypto.h
@@ -0,0 +1,108 @@
+/* crypto interfaces
+ * Copyright (C) 1998, 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: crypto.h,v 1.6 2005/04/07 20:13:30 as Exp $
+ */
+
+#include <gmp.h> /* GNU MP library */
+
+#include "libsha2/sha2.h"
+#include "ike_alg.h"
+
+extern void init_crypto(void);
+
+/* Oakley group descriptions */
+
+extern MP_INT groupgenerator; /* MODP group generator (2) */
+
+struct oakley_group_desc {
+ u_int16_t group;
+ MP_INT *modulus;
+ size_t bytes;
+};
+
+extern const struct oakley_group_desc unset_group; /* magic signifier */
+extern const struct oakley_group_desc *lookup_group(u_int16_t group);
+#define OAKLEY_GROUP_SIZE 7
+extern const struct oakley_group_desc oakley_group[OAKLEY_GROUP_SIZE];
+
+/* unification of cryptographic encoding/decoding algorithms
+ * The IV is taken from and returned to st->st_new_iv.
+ * This allows the old IV to be retained.
+ * Use update_iv to commit to the new IV (for example, once a packet has
+ * been validated).
+ */
+
+#define MAX_OAKLEY_KEY_LEN0 (3 * DES_CBC_BLOCK_SIZE)
+#define MAX_OAKLEY_KEY_LEN (256/BITS_PER_BYTE)
+
+struct state; /* forward declaration, dammit */
+
+void crypto_cbc_encrypt(const struct encrypt_desc *e, bool enc, u_int8_t *buf, size_t size, struct state *st);
+
+#define update_iv(st) memcpy((st)->st_iv, (st)->st_new_iv \
+ , (st)->st_iv_len = (st)->st_new_iv_len)
+
+#define set_ph1_iv(st, iv) \
+ passert((st)->st_ph1_iv_len <= sizeof((st)->st_ph1_iv)); \
+ memcpy((st)->st_ph1_iv, (iv), (st)->st_ph1_iv_len);
+
+/* unification of cryptographic hashing mechanisms */
+
+#ifndef NO_HASH_CTX
+union hash_ctx {
+ MD5_CTX ctx_md5;
+ SHA1_CTX ctx_sha1;
+ sha256_context ctx_sha256;
+ sha512_context ctx_sha512;
+ };
+
+/* HMAC package
+ * Note that hmac_ctx can be (and is) copied since there are
+ * no persistent pointers into it.
+ */
+
+struct hmac_ctx {
+ const struct hash_desc *h; /* underlying hash function */
+ size_t hmac_digest_size; /* copy of h->hash_digest_size */
+ union hash_ctx hash_ctx; /* ctx for hash function */
+ u_char buf1[MAX_HASH_BLOCK_SIZE];
+ u_char buf2[MAX_HASH_BLOCK_SIZE];
+ };
+
+extern void hmac_init(
+ struct hmac_ctx *ctx,
+ const struct hash_desc *h,
+ const u_char *key,
+ size_t key_len);
+
+#define hmac_init_chunk(ctx, h, ch) hmac_init((ctx), (h), (ch).ptr, (ch).len)
+
+extern void hmac_reinit(struct hmac_ctx *ctx); /* saves recreating pads */
+
+extern void hmac_update(
+ struct hmac_ctx *ctx,
+ const u_char *data,
+ size_t data_len);
+
+#define hmac_update_chunk(ctx, ch) hmac_update((ctx), (ch).ptr, (ch).len)
+
+extern void hmac_final(u_char *output, struct hmac_ctx *ctx);
+
+#define hmac_final_chunk(ch, name, ctx) { \
+ pfreeany((ch).ptr); \
+ (ch).len = (ctx)->hmac_digest_size; \
+ (ch).ptr = alloc_bytes((ch).len, name); \
+ hmac_final((ch).ptr, (ctx)); \
+ }
+#endif
diff --git a/src/pluto/db_ops.c b/src/pluto/db_ops.c
new file mode 100644
index 000000000..bbcd7918f
--- /dev/null
+++ b/src/pluto/db_ops.c
@@ -0,0 +1,439 @@
+/* Dynamic db (proposal, transforms, attributes) handling.
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: db_ops.c,v 1.4 2005/04/07 20:13:44 as Exp $
+ */
+
+/*
+ * The stratedy is to have (full contained) struct db_prop in db_context
+ * pointing to ONE dynamically sizable transform vector (trans0).
+ * Each transform stores attrib. in ONE dyn. sizable attribute vector (attrs0)
+ * in a "serialized" way (attributes storage is used in linear sequence for
+ * subsecuent transforms).
+ *
+ * Resizing for both trans0 and attrs0 is supported:
+ * - For trans0: quite simple, just allocate and copy trans. vector content
+ * also update trans_cur (by offset)
+ * - For attrs0: after allocating and copying attrs, I must rewrite each
+ * trans->attrs present in trans0; to achieve this, calculate
+ * attrs pointer offset (new minus old) and iterate over
+ * each transform "adding" this difference.
+ * also update attrs_cur (by offset)
+ *
+ * db_context structure:
+ * +---------------------+
+ * | prop |
+ * | .protoid |
+ * | .trans | --+
+ * | .trans_cnt | |
+ * +---------------------+ <-+
+ * | trans0 | ----> { trans#1 | ... | trans#i | ... }
+ * +---------------------+ ^
+ * | trans_cur | ----------------------' current transf.
+ * +---------------------+
+ * | attrs0 | ----> { attr#1 | ... | attr#j | ... }
+ * +---------------------+ ^
+ * | attrs_cur | ---------------------' current attr.
+ * +---------------------+
+ * | max_trans,max_attrs | max_trans/attrs: number of elem. of each vector
+ * +---------------------+
+ *
+ * See testing examples at end for interface usage.
+ */
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <malloc.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "state.h"
+#include "packet.h"
+#include "spdb.h"
+#include "db_ops.h"
+#include "log.h"
+#include "whack.h"
+
+#include <assert.h>
+
+#ifndef NO_PLUTO
+#else
+#define passert(x) assert(x)
+extern int debug; /* eg: spi.c */
+#define DBG(cond, action) { if (debug) { action ; } }
+#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
+#define alloc_thing(thing, name) alloc_bytes(sizeof (thing), name)
+void * alloc_bytes(size_t size, const char *name) {
+ void *p=malloc(size);
+ if (p == NULL)
+ fprintf(stderr, "unable to malloc %lu bytes for %s",
+ (unsigned long) size, name);
+ memset(p, '\0', size);
+ return p;
+}
+#define pfreeany(ptr) free(ptr)
+
+#endif
+
+#ifdef NOT_YET
+/*
+ * Allocator cache:
+ * Because of the single-threaded nature of pluto/spdb.c,
+ * alloc()/free() is exercised many times with very small
+ * lifetime objects.
+ * Just caching last object (currently it will select the
+ * largest) will avoid this allocation mas^Wperturbations
+ *
+ */
+struct db_ops_alloc_cache {
+ void *ptr;
+ int size;
+};
+#endif
+
+#ifndef NO_DB_OPS_STATS
+/*
+ * stats: do account for allocations
+ * displayed in db_ops_show_status()
+ */
+struct db_ops_stats {
+ int st_curr_cnt; /* current number of allocations */
+ int st_total_cnt; /* total allocations so far */
+ size_t st_maxsz; /* max. size requested */
+};
+#define DB_OPS_ZERO { 0, 0, 0};
+#define DB_OPS_STATS_DESC "{curr_cnt, total_cnt, maxsz}"
+#define DB_OPS_STATS_STR(name) name "={%d,%d,%d} "
+#define DB_OPS_STATS_F(st) (st).st_curr_cnt, (st).st_total_cnt, (int)(st).st_maxsz
+static struct db_ops_stats db_context_st = DB_OPS_ZERO;
+static struct db_ops_stats db_trans_st = DB_OPS_ZERO;
+static struct db_ops_stats db_attrs_st = DB_OPS_ZERO;
+static __inline__ void * alloc_bytes_st (size_t size, const char *str, struct db_ops_stats *st)
+{
+ void *ptr = alloc_bytes(size, str);
+ if (ptr) {
+ st->st_curr_cnt++;
+ st->st_total_cnt++;
+ if (size > st->st_maxsz) st->st_maxsz=size;
+ }
+ return ptr;
+}
+#define ALLOC_BYTES_ST(z,s,st) alloc_bytes_st(z, s, &st);
+#define PFREE_ST(p,st) do { st.st_curr_cnt--; pfree(p); } while (0);
+
+#else
+
+#define ALLOC_BYTES_ST(z,s,n) alloc_bytes(z, s);
+#define PFREE_ST(p,n) pfree(p);
+
+#endif /* NO_DB_OPS_STATS */
+/* Initialize db object
+ * max_trans and max_attrs can be 0, will be dynamically expanded
+ * as a result of "add" operations
+ */
+int
+db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs)
+{
+ int ret=-1;
+
+ ctx->trans0 = NULL;
+ ctx->attrs0 = NULL;
+
+ if (max_trans > 0) { /* quite silly if not */
+ ctx->trans0 = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
+ "db_context->trans", db_trans_st);
+ if (!ctx->trans0) goto out;
+ }
+
+ if (max_attrs > 0) { /* quite silly if not */
+ ctx->attrs0 = ALLOC_BYTES_ST (sizeof (struct db_attr) * max_attrs,
+ "db_context->attrs", db_attrs_st);
+ if (!ctx->attrs0) goto out;
+ }
+ ret = 0;
+out:
+ if (ret < 0 && ctx->trans0) {
+ PFREE_ST(ctx->trans0, db_trans_st);
+ ctx->trans0 = NULL;
+ }
+ ctx->max_trans = max_trans;
+ ctx->max_attrs = max_attrs;
+ ctx->trans_cur = ctx->trans0;
+ ctx->attrs_cur = ctx->attrs0;
+ ctx->prop.protoid = protoid;
+ ctx->prop.trans = ctx->trans0;
+ ctx->prop.trans_cnt = 0;
+ return ret;
+}
+
+/* Expand storage for transforms by number delta_trans */
+static int
+db_trans_expand(struct db_context *ctx, int delta_trans)
+{
+ int ret = -1;
+ struct db_trans *new_trans, *old_trans;
+ int max_trans = ctx->max_trans + delta_trans;
+ int offset;
+
+ old_trans = ctx->trans0;
+ new_trans = ALLOC_BYTES_ST ( sizeof (struct db_trans) * max_trans,
+ "db_context->trans (expand)", db_trans_st);
+ if (!new_trans)
+ goto out;
+ memcpy(new_trans, old_trans, ctx->max_trans * sizeof(struct db_trans));
+
+ /* update trans0 (obviously) */
+ ctx->trans0 = ctx->prop.trans = new_trans;
+ /* update trans_cur (by offset) */
+ offset = (char *)(new_trans) - (char *)(old_trans);
+
+ {
+ char *cctx = (char *)(ctx->trans_cur);
+
+ cctx += offset;
+ ctx->trans_cur = (struct db_trans *)cctx;
+ }
+ /* update elem count */
+ ctx->max_trans = max_trans;
+ PFREE_ST(old_trans, db_trans_st);
+ ret = 0;
+out:
+ return ret;
+}
+/*
+ * Expand storage for attributes by delta_attrs number AND
+ * rewrite trans->attr pointers
+ */
+static int
+db_attrs_expand(struct db_context *ctx, int delta_attrs)
+{
+ int ret = -1;
+ struct db_attr *new_attrs, *old_attrs;
+ struct db_trans *t;
+ int ti;
+ int max_attrs = ctx->max_attrs + delta_attrs;
+ int offset;
+
+ old_attrs = ctx->attrs0;
+ new_attrs = ALLOC_BYTES_ST ( sizeof (struct db_attr) * max_attrs,
+ "db_context->attrs (expand)", db_attrs_st);
+ if (!new_attrs)
+ goto out;
+
+ memcpy(new_attrs, old_attrs, ctx->max_attrs * sizeof(struct db_attr));
+
+ /* update attrs0 and attrs_cur (obviously) */
+ offset = (char *)(new_attrs) - (char *)(old_attrs);
+
+ {
+ char *actx = (char *)(ctx->attrs0);
+
+ actx += offset;
+ ctx->attrs0 = (struct db_attr *)actx;
+
+ actx = (char *)ctx->attrs_cur;
+ actx += offset;
+ ctx->attrs_cur = (struct db_attr *)actx;
+ }
+
+ /* for each transform, rewrite attrs pointer by offsetting it */
+ for (t=ctx->prop.trans, ti=0; ti < ctx->prop.trans_cnt; t++, ti++) {
+ char *actx = (char *)(t->attrs);
+
+ actx += offset;
+ t->attrs = (struct db_attr *)actx;
+ }
+ /* update elem count */
+ ctx->max_attrs = max_attrs;
+ PFREE_ST(old_attrs, db_attrs_st);
+ ret = 0;
+out:
+ return ret;
+}
+/* Allocate a new db object */
+struct db_context *
+db_prop_new(u_int8_t protoid, int max_trans, int max_attrs)
+{
+ struct db_context *ctx;
+ ctx = ALLOC_BYTES_ST ( sizeof (struct db_context), "db_context", db_context_st);
+ if (!ctx) goto out;
+
+ if (db_prop_init(ctx, protoid, max_trans, max_attrs) < 0) {
+ PFREE_ST(ctx, db_context_st);
+ ctx=NULL;
+ }
+out:
+ return ctx;
+}
+/* Free a db object */
+void
+db_destroy(struct db_context *ctx)
+{
+ if (ctx->trans0) PFREE_ST(ctx->trans0, db_trans_st);
+ if (ctx->attrs0) PFREE_ST(ctx->attrs0, db_attrs_st);
+ PFREE_ST(ctx, db_context_st);
+}
+/* Start a new transform, expand trans0 is needed */
+int
+db_trans_add(struct db_context *ctx, u_int8_t transid)
+{
+ /* skip incrementing current trans pointer the 1st time*/
+ if (ctx->trans_cur && ctx->trans_cur->attr_cnt)
+ ctx->trans_cur++;
+ /*
+ * Strategy: if more space is needed, expand by
+ * <current_size>/2 + 1
+ *
+ * This happens to produce a "reasonable" sequence
+ * after few allocations, eg.:
+ * 0,1,2,4,8,13,20,31,47
+ */
+ if ((ctx->trans_cur - ctx->trans0) >= ctx->max_trans) {
+ /* XXX:jjo if fails should shout and flag it */
+ if (db_trans_expand(ctx, ctx->max_trans/2 + 1)<0)
+ return -1;
+ }
+ ctx->trans_cur->transid = transid;
+ ctx->trans_cur->attrs=ctx->attrs_cur;
+ ctx->trans_cur->attr_cnt = 0;
+ ctx->prop.trans_cnt++;
+ return 0;
+}
+/* Add attr copy to current transform, expanding attrs0 if needed */
+int
+db_attr_add(struct db_context *ctx, const struct db_attr *a)
+{
+ /*
+ * Strategy: if more space is needed, expand by
+ * <current_size>/2 + 1
+ */
+ if ((ctx->attrs_cur - ctx->attrs0) >= ctx->max_attrs) {
+ /* XXX:jjo if fails should shout and flag it */
+ if (db_attrs_expand(ctx, ctx->max_attrs/2 + 1) < 0)
+ return -1;
+ }
+ *ctx->attrs_cur++=*a;
+ ctx->trans_cur->attr_cnt++;
+ return 0;
+}
+/* Add attr copy (by value) to current transform,
+ * expanding attrs0 if needed, just calls db_attr_add().
+ */
+int
+db_attr_add_values(struct db_context *ctx, u_int16_t type, u_int16_t val)
+{
+ struct db_attr attr;
+ attr.type = type;
+ attr.val = val;
+ return db_attr_add (ctx, &attr);
+}
+#ifndef NO_DB_OPS_STATS
+int
+db_ops_show_status(void)
+{
+ whack_log(RC_COMMENT, "stats " __FILE__ ": "
+ DB_OPS_STATS_DESC " :"
+ DB_OPS_STATS_STR("context")
+ DB_OPS_STATS_STR("trans")
+ DB_OPS_STATS_STR("attrs"),
+ DB_OPS_STATS_F(db_context_st),
+ DB_OPS_STATS_F(db_trans_st),
+ DB_OPS_STATS_F(db_attrs_st)
+ );
+ return 0;
+}
+#endif /* NO_DB_OPS_STATS */
+/*
+ * From below to end just testing stuff ....
+ */
+#ifdef TEST
+static void db_prop_print(struct db_prop *p)
+{
+ struct db_trans *t;
+ struct db_attr *a;
+ int ti, ai;
+ enum_names *n, *n_at, *n_av;
+ printf("protoid=\"%s\"\n", enum_name(&protocol_names, p->protoid));
+ for (ti=0, t=p->trans; ti< p->trans_cnt; ti++, t++) {
+ switch( t->transid) {
+ case PROTO_ISAKMP:
+ n=&isakmp_transformid_names;break;
+ case PROTO_IPSEC_ESP:
+ n=&esp_transformid_names;break;
+ default:
+ continue;
+ }
+ printf(" transid=\"%s\"\n",
+ enum_name(n, t->transid));
+ for (ai=0, a=t->attrs; ai < t->attr_cnt; ai++, a++) {
+ int i;
+ switch( t->transid) {
+ case PROTO_ISAKMP:
+ n_at=&oakley_attr_names;
+ i=a->type|ISAKMP_ATTR_AF_TV;
+ n_av=oakley_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
+ break;
+ case PROTO_IPSEC_ESP:
+ n_at=&ipsec_attr_names;
+ i=a->type|ISAKMP_ATTR_AF_TV;
+ n_av=ipsec_attr_val_descs[(i)&ISAKMP_ATTR_RTYPE_MASK];
+ break;
+ default:
+ continue;
+ }
+ printf(" type=\"%s\" value=\"%s\"\n",
+ enum_name(n_at, i),
+ enum_name(n_av, a->val));
+ }
+ }
+
+}
+static void db_print(struct db_context *ctx)
+{
+ printf("trans_cur diff=%d, attrs_cur diff=%d\n",
+ ctx->trans_cur - ctx->trans0,
+ ctx->attrs_cur - ctx->attrs0);
+ db_prop_print(&ctx->prop);
+}
+
+void
+passert_fail(const char *pred_str, const char *file_str, unsigned long line_no);
+void abort(void);
+void
+passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
+{
+ fprintf(stderr, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+ abort(); /* exiting correctly doesn't always work */
+}
+int main(void) {
+ struct db_context *ctx=db_prop_new(PROTO_ISAKMP, 0, 0);
+ db_trans_add(ctx, KEY_IKE);
+ db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC);
+ db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
+ db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
+ db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024);
+ db_trans_add(ctx, KEY_IKE);
+ db_attr_add_values(ctx, OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC);
+ db_attr_add_values(ctx, OAKLEY_HASH_ALGORITHM, OAKLEY_MD5);
+ db_attr_add_values(ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
+ db_attr_add_values(ctx, OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536);
+ db_trans_add(ctx, ESP_3DES);
+ db_attr_add_values(ctx, AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1);
+ db_print(ctx);
+ db_destroy(ctx);
+ return 0;
+}
+#endif
diff --git a/src/pluto/db_ops.h b/src/pluto/db_ops.h
new file mode 100644
index 000000000..433e75280
--- /dev/null
+++ b/src/pluto/db_ops.h
@@ -0,0 +1,56 @@
+/* Dynamic db (proposal, transforms, attributes) handling.
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: db_ops.h,v 1.3 2004/09/17 12:37:37 as Exp $
+ */
+
+#ifndef _DB_OPS_H
+#define _DB_OPS_H
+
+/*
+ * Main db object, (quite proposal "oriented")
+ */
+#ifndef NO_DB_CONTEXT
+struct db_context {
+ struct db_prop prop; /* proposal buffer (not pointer) */
+ struct db_trans *trans0; /* transf. list, dynamically sized */
+ struct db_trans *trans_cur; /* current transform ptr */
+ struct db_attr *attrs0; /* attr. list, dynamically sized */
+ struct db_attr *attrs_cur; /* current attribute ptr */
+ int max_trans; /* size of trans list */
+ int max_attrs; /* size of attrs list */
+};
+/*
+ * Allocate a new db object
+ */
+struct db_context * db_prop_new(u_int8_t protoid, int max_trans, int max_attrs);
+/* Initialize object for proposal building */
+int db_prop_init(struct db_context *ctx, u_int8_t protoid, int max_trans, int max_attrs);
+/* Free all resourses for this db */
+void db_destroy(struct db_context *ctx);
+
+/* Start a new transform */
+int db_trans_add(struct db_context *ctx, u_int8_t transid);
+/* Add a new attribute by copying db_attr content */
+int db_attr_add(struct db_context *db_ctx, const struct db_attr *attr);
+/* Add a new attribute by value */
+int db_attr_add_values(struct db_context *ctx, u_int16_t type, u_int16_t val);
+
+/* Get proposal from db object */
+static __inline__ struct db_prop *db_prop_get(struct db_context *ctx) {
+ return &ctx->prop;
+}
+/* Show stats (allocation, etc) */
+#endif /* NO_DB_CONTEXT */
+int db_ops_show_status(void);
+#endif /* _DB_OPS_H */
diff --git a/src/pluto/defs.c b/src/pluto/defs.c
new file mode 100644
index 000000000..9ae32a480
--- /dev/null
+++ b/src/pluto/defs.c
@@ -0,0 +1,374 @@
+/* misc. universal things
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: defs.c,v 1.9 2006/01/04 21:00:43 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <dirent.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+
+const chunk_t empty_chunk = { NULL, 0 };
+
+bool
+all_zero(const unsigned char *m, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i != len; i++)
+ if (m[i] != '\0')
+ return FALSE;
+ return TRUE;
+}
+
+/* memory allocation
+ *
+ * LEAK_DETECTIVE puts a wrapper around each allocation and maintains
+ * a list of live ones. If a dead one is freed, an assertion MIGHT fail.
+ * If the live list is currupted, that will often be detected.
+ * In the end, report_leaks() is called, and the names of remaining
+ * live allocations are printed. At the moment, it is hoped, not that
+ * the list is empty, but that there will be no surprises.
+ *
+ * Accepted Leaks:
+ * - "struct iface" and "device name" (for "discovered" net interfaces)
+ * - "struct event in event_schedule()" (events not associated with states)
+ * - "Pluto lock name" (one only, needed until end -- why bother?)
+ */
+
+#ifdef LEAK_DETECTIVE
+
+/* this magic number is 3671129837 decimal (623837458 complemented) */
+#define LEAK_MAGIC 0xDAD0FEEDul
+
+union mhdr {
+ struct {
+ const char *name;
+ union mhdr *older, *newer;
+ unsigned long magic;
+ } i; /* info */
+ unsigned long junk; /* force maximal alignment */
+};
+
+static union mhdr *allocs = NULL;
+
+void *alloc_bytes(size_t size, const char *name)
+{
+ union mhdr *p = malloc(sizeof(union mhdr) + size);
+
+ if (p == NULL)
+ exit_log("unable to malloc %lu bytes for %s"
+ , (unsigned long) size, name);
+ p->i.name = name;
+ p->i.older = allocs;
+ if (allocs != NULL)
+ allocs->i.newer = p;
+ allocs = p;
+ p->i.newer = NULL;
+ p->i.magic = LEAK_MAGIC;
+
+ memset(p+1, '\0', size);
+ return p+1;
+}
+
+void *
+clone_bytes(const void *orig, size_t size, const char *name)
+{
+ void *p = alloc_bytes(size, name);
+
+ memcpy(p, orig, size);
+ return p;
+}
+
+void
+pfree(void *ptr)
+{
+ union mhdr *p;
+
+ passert(ptr != NULL);
+ p = ((union mhdr *)ptr) - 1;
+ passert(p->i.magic == LEAK_MAGIC);
+ if (p->i.older != NULL)
+ {
+ passert(p->i.older->i.newer == p);
+ p->i.older->i.newer = p->i.newer;
+ }
+ if (p->i.newer == NULL)
+ {
+ passert(p == allocs);
+ allocs = p->i.older;
+ }
+ else
+ {
+ passert(p->i.newer->i.older == p);
+ p->i.newer->i.older = p->i.older;
+ }
+ p->i.magic = ~LEAK_MAGIC;
+ free(p);
+}
+
+void
+report_leaks(void)
+{
+ union mhdr
+ *p = allocs,
+ *pprev = NULL;
+ unsigned long n = 0;
+
+ while (p != NULL)
+ {
+ passert(p->i.magic == LEAK_MAGIC);
+ passert(pprev == p->i.newer);
+ pprev = p;
+ p = p->i.older;
+ n++;
+ if (p == NULL || pprev->i.name != p->i.name)
+ {
+ if (n != 1)
+ plog("leak: %lu * %s", n, pprev->i.name);
+ else
+ plog("leak: %s", pprev->i.name);
+ n = 0;
+ }
+ }
+}
+
+#else /* !LEAK_DETECTIVE */
+
+void *alloc_bytes(size_t size, const char *name)
+{
+ void *p = malloc(size);
+
+ if (p == NULL)
+ exit_log("unable to malloc %lu bytes for %s"
+ , (unsigned long) size, name);
+ memset(p, '\0', size);
+ return p;
+}
+
+void *clone_bytes(const void *orig, size_t size, const char *name)
+{
+ void *p = malloc(size);
+
+ if (p == NULL)
+ exit_log("unable to malloc %lu bytes for %s"
+ , (unsigned long) size, name);
+ memcpy(p, orig, size);
+ return p;
+}
+#endif /* !LEAK_DETECTIVE */
+
+/* Note that there may be as many as six IDs that are temporary at
+ * one time before unsharing the two ends of a connection. So we need
+ * at least six temporary buffers for DER_ASN1_DN IDs.
+ * We rotate them. Be careful!
+ */
+#define MAX_BUF 10
+
+char*
+temporary_cyclic_buffer(void)
+{
+ static char buf[MAX_BUF][BUF_LEN]; /* MAX_BUF internal buffers */
+ static int counter = 0; /* cyclic counter */
+
+ if (++counter == MAX_BUF) counter = 0; /* next internal buffer */
+ return buf[counter]; /* assign temporary buffer */
+}
+
+/* concatenates two sub paths into a string with a maximum size of BUF_LEN
+ * use for temporary storage only
+ */
+const char*
+concatenate_paths(const char *a, const char *b)
+{
+ char *c;
+
+ if (*b == '/' || *b == '.')
+ return b;
+
+ c = temporary_cyclic_buffer();
+ snprintf(c, BUF_LEN, "%s/%s", a, b);
+ return c;
+}
+
+/* compare two chunks, returns zero if a equals b
+ * negative/positive if a is earlier/later in the alphabet than b
+ */
+int
+cmp_chunk(chunk_t a, chunk_t b)
+{
+ int cmp_len, len, cmp_value;
+
+ cmp_len = a.len - b.len;
+ len = (cmp_len < 0)? a.len : b.len;
+ cmp_value = memcmp(a.ptr, b.ptr, len);
+
+ return (cmp_value == 0)? cmp_len : cmp_value;
+};
+
+/* moves a chunk to a memory position, chunk is freed afterwards
+ * position pointer is advanced after the insertion point
+ */
+void
+mv_chunk(u_char **pos, chunk_t content)
+{
+ if (content.len > 0)
+ {
+ chunkcpy(*pos, content);
+ freeanychunk(content);
+ }
+}
+
+/*
+ * write the binary contents of a chunk_t to a file
+ */
+bool
+write_chunk(const char *filename, const char *label, chunk_t ch
+, mode_t mask, bool force)
+{
+ mode_t oldmask;
+ FILE *fd;
+
+ if (!force)
+ {
+ fd = fopen(filename, "r");
+ if (fd)
+ {
+ fclose(fd);
+ plog(" %s file '%s' already exists", label, filename);
+ return FALSE;
+ }
+ }
+
+ /* set umask */
+ oldmask = umask(mask);
+
+ fd = fopen(filename, "w");
+
+ if (fd)
+ {
+ fwrite(ch.ptr, sizeof(u_char), ch.len, fd);
+ fclose(fd);
+ plog(" written %s file '%s' (%d bytes)", label, filename, (int)ch.len);
+ umask(oldmask);
+ return TRUE;
+ }
+ else
+ {
+ plog(" could not open %s file '%s' for writing", label, filename);
+ umask(oldmask);
+ return FALSE;
+ }
+}
+
+/* Names of the months */
+
+static const char* months[] = {
+ "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+
+
+/*
+ * Display a date either in local or UTC time
+ */
+char*
+timetoa(const time_t *time, bool utc)
+{
+ static char buf[TIMETOA_BUF];
+
+ if (*time == UNDEFINED_TIME)
+ sprintf(buf, "--- -- --:--:--%s----", (utc)?" UTC ":" ");
+ else
+ {
+ struct tm *t = (utc)? gmtime(time) : localtime(time);
+
+ sprintf(buf, "%s %02d %02d:%02d:%02d%s%04d",
+ months[t->tm_mon], t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec,
+ (utc)?" UTC ":" ", t->tm_year + 1900
+ );
+ }
+ return buf;
+}
+
+/* checks if the expiration date has been reached and
+ * warns during the warning_interval of the imminent
+ * expiry. strict=TRUE declares a fatal error,
+ * strict=FALSE issues a warning upon expiry.
+ */
+const char*
+check_expiry(time_t expiration_date, int warning_interval, bool strict)
+{
+ time_t now;
+ int time_left;
+
+ if (expiration_date == UNDEFINED_TIME)
+ return "ok (expires never)";
+
+ /* determine the current time */
+ time(&now);
+
+ time_left = (expiration_date - now);
+ if (time_left < 0)
+ return strict? "fatal (expired)" : "warning (expired)";
+
+ if (time_left > 86400*warning_interval)
+ return "ok";
+ {
+ static char buf[35]; /* temporary storage */
+ const char* unit = "second";
+
+ if (time_left > 172800)
+ {
+ time_left /= 86400;
+ unit = "day";
+ }
+ else if (time_left > 7200)
+ {
+ time_left /= 3600;
+ unit = "hour";
+ }
+ else if (time_left > 120)
+ {
+ time_left /= 60;
+ unit = "minute";
+ }
+ snprintf(buf, 35, "warning (expires in %d %s%s)", time_left,
+ unit, (time_left == 1)?"":"s");
+ return buf;
+ }
+}
+
+
+/*
+ * Filter eliminating the directory entries '.' and '..'
+ */
+int
+file_select(const struct dirent *entry)
+{
+ return strcmp(entry->d_name, "." ) &&
+ strcmp(entry->d_name, "..");
+}
+
+
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
new file mode 100644
index 000000000..3bfb29a22
--- /dev/null
+++ b/src/pluto/defs.h
@@ -0,0 +1,145 @@
+/* misc. universal things
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: defs.h,v 1.10 2006/01/04 21:00:43 as Exp $
+ */
+
+#ifndef _DEFS_H
+#define _DEFS_H
+
+#include <sys/types.h>
+
+#ifdef KLIPS
+# define USED_BY_KLIPS /* ignore */
+#else
+# define USED_BY_KLIPS UNUSED
+#endif
+
+#ifdef DEBUG
+# define USED_BY_DEBUG /* ignore */
+#else
+# define USED_BY_DEBUG UNUSED
+#endif
+
+/* Length of temporary buffers */
+
+#define BUF_LEN 512
+
+/* type of serial number of a state object
+ * Needed in connections.h and state.h; here to simplify dependencies.
+ */
+typedef unsigned long so_serial_t;
+#define SOS_NOBODY 0 /* null serial number */
+#define SOS_FIRST 1 /* first normal serial number */
+
+/* memory allocation */
+
+extern void *alloc_bytes(size_t size, const char *name);
+#define alloc_thing(thing, name) (alloc_bytes(sizeof(thing), (name)))
+
+extern void *clone_bytes(const void *orig, size_t size, const char *name);
+#define clone_thing(orig, name) clone_bytes((const void *)&(orig), sizeof(orig), (name))
+#define clone_str(str, name) \
+ ((str) == NULL? NULL : clone_bytes((str), strlen((str))+1, (name)))
+
+#ifdef LEAK_DETECTIVE
+ extern void pfree(void *ptr);
+ extern void report_leaks(void);
+#else
+# define pfree(ptr) free(ptr) /* ordinary stdc free */
+#endif
+#define pfreeany(p) { if ((p) != NULL) pfree(p); }
+#define replace(p, q) { pfreeany(p); (p) = (q); }
+
+
+/* chunk is a simple pointer-and-size abstraction */
+
+struct chunk {
+ u_char *ptr;
+ size_t len;
+ };
+typedef struct chunk chunk_t;
+
+#define setchunk(ch, addr, size) { (ch).ptr = (addr); (ch).len = (size); }
+#define strchunk(str) { str, sizeof(str) }
+/* NOTE: freeanychunk, unlike pfreeany, NULLs .ptr */
+#define freeanychunk(ch) { pfreeany((ch).ptr); (ch).ptr = NULL; }
+#define clonetochunk(ch, addr, size, name) \
+ { (ch).ptr = clone_bytes((addr), (ch).len = (size), name); }
+#define clonereplacechunk(ch, addr, size, name) \
+ { pfreeany((ch).ptr); clonetochunk(ch, addr, size, name); }
+#define chunkcpy(dst, chunk) \
+ { memcpy(dst, chunk.ptr, chunk.len); dst += chunk.len;}
+#define same_chunk(a, b) \
+ ( (a).len == (b).len && memcmp((a).ptr, (b).ptr, (b).len) == 0 )
+
+extern char* temporary_cyclic_buffer(void);
+extern const char* concatenate_paths(const char *a, const char *b);
+
+extern const chunk_t empty_chunk;
+
+/* compare two chunks */
+extern int cmp_chunk(chunk_t a, chunk_t b);
+
+/* move a chunk to a memory position and free it after insertion */
+extern void mv_chunk(u_char **pos, chunk_t content);
+
+/* write the binary contents of a chunk_t to a file */
+extern bool write_chunk(const char *filename, const char *label, chunk_t ch
+ ,mode_t mask, bool force);
+
+/* display a date either in local or UTC time */
+extern char* timetoa(const time_t *time, bool utc);
+
+/* warns a predefined interval before expiry */
+extern const char* check_expiry(time_t expiration_date,
+ int warning_interval, bool strict);
+
+#define MAX_PROMPT_PASS_TRIALS 5
+#define PROMPT_PASS_LEN 64
+
+/* struct used to prompt for a secret passphrase
+ * from a console with file descriptor fd
+ */
+typedef struct {
+ char secret[PROMPT_PASS_LEN+1];
+ bool prompt;
+ int fd;
+} prompt_pass_t;
+
+/* no time defined in time_t */
+#define UNDEFINED_TIME 0
+
+/* size of timetoa string buffer */
+#define TIMETOA_BUF 30
+
+/* filter eliminating the directory entries '.' and '..' */
+typedef struct dirent dirent_t;
+extern int file_select(const dirent_t *entry);
+
+/* cleanly exit Pluto */
+
+extern void exit_pluto(int /*status*/) NEVER_RETURNS;
+
+
+/* zero all bytes */
+#define zero(x) memset((x), '\0', sizeof(*(x)))
+
+/* are all bytes 0? */
+extern bool all_zero(const unsigned char *m, size_t len);
+
+/* pad_up(n, m) is the amount to add to n to make it a multiple of m */
+#define pad_up(n, m) (((m) - 1) - (((n) + (m) - 1) % (m)))
+
+#endif /* _DEFS_H */
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
new file mode 100644
index 000000000..7e59b184d
--- /dev/null
+++ b/src/pluto/demux.c
@@ -0,0 +1,2499 @@
+/* demultiplex incoming IKE messages
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: demux.c,v 1.14 2006/06/22 11:58:25 as Exp $
+ */
+
+/* Ordering Constraints on Payloads
+ *
+ * rfc2409: The Internet Key Exchange (IKE)
+ *
+ * 5 Exchanges:
+ * "The SA payload MUST precede all other payloads in a phase 1 exchange."
+ *
+ * "Except where otherwise noted, there are no requirements for ISAKMP
+ * payloads in any message to be in any particular order."
+ *
+ * 5.3 Phase 1 Authenticated With a Revised Mode of Public Key Encryption:
+ *
+ * "If the HASH payload is sent it MUST be the first payload of the
+ * second message exchange and MUST be followed by the encrypted
+ * nonce. If the HASH payload is not sent, the first payload of the
+ * second message exchange MUST be the encrypted nonce."
+ *
+ * "Save the requirements on the location of the optional HASH payload
+ * and the mandatory nonce payload there are no further payload
+ * requirements. All payloads-- in whatever order-- following the
+ * encrypted nonce MUST be encrypted with Ke_i or Ke_r depending on the
+ * direction."
+ *
+ * 5.5 Phase 2 - Quick Mode
+ *
+ * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
+ * header and a SA payload MUST immediately follow the HASH."
+ * [NOTE: there may be more than one SA payload, so this is not
+ * totally reasonable. Probably all SAs should be so constrained.]
+ *
+ * "If ISAKMP is acting as a client negotiator on behalf of another
+ * party, the identities of the parties MUST be passed as IDci and
+ * then IDcr."
+ *
+ * "With the exception of the HASH, SA, and the optional ID payloads,
+ * there are no payload ordering restrictions on Quick Mode."
+ */
+
+/* Unfolding of Identity -- a central mystery
+ *
+ * This concerns Phase 1 identities, those of the IKE hosts.
+ * These are the only ones that are authenticated. Phase 2
+ * identities are for IPsec SAs.
+ *
+ * There are three case of interest:
+ *
+ * (1) We initiate, based on a whack command specifying a Connection.
+ * We know the identity of the peer from the Connection.
+ *
+ * (2) (to be implemented) we initiate based on a flow from our client
+ * to some IP address.
+ * We immediately know one of the peer's client IP addresses from
+ * the flow. We must use this to figure out the peer's IP address
+ * and Id. To be solved.
+ *
+ * (3) We respond to an IKE negotiation.
+ * We immediately know the peer's IP address.
+ * We get an ID Payload in Main I2.
+ *
+ * Unfortunately, this is too late for a number of things:
+ * - the ISAKMP SA proposals have already been made (Main I1)
+ * AND one accepted (Main R1)
+ * - the SA includes a specification of the type of ID
+ * authentication so this is negotiated without being told the ID.
+ * - with Preshared Key authentication, Main I2 is encrypted
+ * using the key, so it cannot be decoded to reveal the ID
+ * without knowing (or guessing) which key to use.
+ *
+ * There are three reasonable choices here for the responder:
+ * + assume that the initiator is making wise offers since it
+ * knows the IDs involved. We can balk later (but not gracefully)
+ * when we find the actual initiator ID
+ * + attempt to infer identity by IP address. Again, we can balk
+ * when the true identity is revealed. Actually, it is enough
+ * to infer properties of the identity (eg. SA properties and
+ * PSK, if needed).
+ * + make all properties universal so discrimination based on
+ * identity isn't required. For example, always accept the same
+ * kinds of encryption. Accept Public Key Id authentication
+ * since the Initiator presumably has our public key and thinks
+ * we must have / can find his. This approach is weakest
+ * for preshared key since the actual key must be known to
+ * decrypt the Initiator's ID Payload.
+ * These choices can be blended. For example, a class of Identities
+ * can be inferred, sufficient to select a preshared key but not
+ * sufficient to infer a unique identity.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/time.h> /* only used for belt-and-suspenders select call */
+#include <sys/poll.h> /* only used for forensic poll call */
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/queue.h>
+
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+# include <asm/types.h> /* for __u8, __u32 */
+# include <linux/errqueue.h>
+# include <sys/uio.h> /* struct iovec */
+#endif
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "cookie.h"
+#include "connections.h"
+#include "state.h"
+#include "packet.h"
+#include "md5.h"
+#include "sha1.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+#include "ike_alg.h"
+#include "log.h"
+#include "demux.h" /* needs packet.h */
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "timer.h"
+#include "whack.h" /* requires connections.h */
+#include "server.h"
+#include "nat_traversal.h"
+#include "vendor.h"
+#include "modecfg.h"
+
+/* This file does basic header checking and demux of
+ * incoming packets.
+ */
+
+/* forward declarations */
+static bool read_packet(struct msg_digest *md);
+static void process_packet(struct msg_digest **mdp);
+
+/* Reply messages are built in this buffer.
+ * Only one state transition function can be using it at a time
+ * so suspended STFs must save and restore it.
+ * It could be an auto variable of complete_state_transition except for the fact
+ * that when a suspended STF resumes, its reply message buffer
+ * must be at the same location -- there are pointers into it.
+ */
+u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
+
+/* state_microcode is a tuple of information parameterizing certain
+ * centralized processing of a packet. For example, it roughly
+ * specifies what payloads are expected in this message.
+ * The microcode is selected primarily based on the state.
+ * In Phase 1, the payload structure often depends on the
+ * authentication technique, so that too plays a part in selecting
+ * the state_microcode to use.
+ */
+
+struct state_microcode {
+ enum state_kind state, next_state;
+ lset_t flags;
+ lset_t req_payloads; /* required payloads (allows just one) */
+ lset_t opt_payloads; /* optional payloads (any mumber) */
+ /* if not ISAKMP_NEXT_NONE, process_packet will emit HDR with this as np */
+ u_int8_t first_out_payload;
+ enum event_type timeout_event;
+ state_transition_fn *processor;
+};
+
+/* State Microcode Flags, in several groups */
+
+/* Oakley Auth values: to which auth values does this entry apply?
+ * Most entries will use SMF_ALL_AUTH because they apply to all.
+ * Note: SMF_ALL_AUTH matches 0 for those circumstances when no auth
+ * has been set.
+ */
+#define SMF_ALL_AUTH LRANGE(0, OAKLEY_AUTH_ROOF-1)
+#define SMF_PSK_AUTH LELEM(OAKLEY_PRESHARED_KEY)
+#define SMF_DS_AUTH (LELEM(OAKLEY_DSS_SIG) | LELEM(OAKLEY_RSA_SIG))
+#define SMF_PKE_AUTH (LELEM(OAKLEY_RSA_ENC) | LELEM(OAKLEY_ELGAMAL_ENC))
+#define SMF_RPKE_AUTH (LELEM(OAKLEY_RSA_ENC_REV) | LELEM(OAKLEY_ELGAMAL_ENC_REV))
+
+/* misc flags */
+
+#define SMF_INITIATOR LELEM(OAKLEY_AUTH_ROOF + 0)
+#define SMF_FIRST_ENCRYPTED_INPUT LELEM(OAKLEY_AUTH_ROOF + 1)
+#define SMF_INPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 2)
+#define SMF_OUTPUT_ENCRYPTED LELEM(OAKLEY_AUTH_ROOF + 3)
+#define SMF_RETRANSMIT_ON_DUPLICATE LELEM(OAKLEY_AUTH_ROOF + 4)
+
+#define SMF_ENCRYPTED (SMF_INPUT_ENCRYPTED | SMF_OUTPUT_ENCRYPTED)
+
+/* this state generates a reply message */
+#define SMF_REPLY LELEM(OAKLEY_AUTH_ROOF + 5)
+
+/* this state completes P1, so any pending P2 negotiations should start */
+#define SMF_RELEASE_PENDING_P2 LELEM(OAKLEY_AUTH_ROOF + 6)
+
+/* end of flags */
+
+
+static state_transition_fn /* forward declaration */
+ unexpected,
+ informational;
+
+/* state_microcode_table is a table of all state_microcode tuples.
+ * It must be in order of state (the first element).
+ * After initialization, ike_microcode_index[s] points to the
+ * first entry in state_microcode_table for state s.
+ * Remember that each state name in Main or Quick Mode describes
+ * what has happened in the past, not what this message is.
+ */
+
+static const struct state_microcode
+ *ike_microcode_index[STATE_IKE_ROOF - STATE_IKE_FLOOR];
+
+static const struct state_microcode state_microcode_table[] = {
+#define PT(n) ISAKMP_NEXT_##n
+#define P(n) LELEM(PT(n))
+
+ /***** Phase 1 Main Mode *****/
+
+ /* No state for main_outI1: --> HDR, SA */
+
+ /* STATE_MAIN_R0: I1 --> R1
+ * HDR, SA --> HDR, SA
+ */
+ { STATE_MAIN_R0, STATE_MAIN_R1
+ , SMF_ALL_AUTH | SMF_REPLY
+ , P(SA), P(VID) | P(CR), PT(NONE)
+ , EVENT_RETRANSMIT, main_inI1_outR1},
+
+ /* STATE_MAIN_I1: R1 --> I2
+ * HDR, SA --> auth dependent
+ * SMF_PSK_AUTH, SMF_DS_AUTH: --> HDR, KE, Ni
+ * SMF_PKE_AUTH:
+ * --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+ * SMF_RPKE_AUTH:
+ * --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+ * Note: since we don't know auth at start, we cannot differentiate
+ * microcode entries based on it.
+ */
+ { STATE_MAIN_I1, STATE_MAIN_I2
+ , SMF_ALL_AUTH | SMF_INITIATOR | SMF_REPLY
+ , P(SA), P(VID) | P(CR), PT(NONE) /* don't know yet */
+ , EVENT_RETRANSMIT, main_inR1_outI2 },
+
+ /* STATE_MAIN_R1: I2 --> R2
+ * SMF_PSK_AUTH, SMF_DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
+ * SMF_PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+ * --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+ * SMF_RPKE_AUTH:
+ * HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+ * --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+ */
+ { STATE_MAIN_R1, STATE_MAIN_R2
+ , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
+ , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
+ , EVENT_RETRANSMIT, main_inI2_outR2 },
+
+ { STATE_MAIN_R1, STATE_UNDEFINED
+ , SMF_PKE_AUTH | SMF_REPLY
+ , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR) | P(HASH), PT(KE)
+ , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+ { STATE_MAIN_R1, STATE_UNDEFINED
+ , SMF_RPKE_AUTH | SMF_REPLY
+ , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR) | P(HASH) | P(CERT), PT(NONCE)
+ , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+ /* for states from here on, output message must be encrypted */
+
+ /* STATE_MAIN_I2: R2 --> I3
+ * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
+ * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
+ * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+ * --> HDR*, HASH_I
+ * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+ * --> HDR*, HASH_I
+ */
+ { STATE_MAIN_I2, STATE_MAIN_I3
+ , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+ , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
+ , EVENT_RETRANSMIT, main_inR2_outI3 },
+
+ { STATE_MAIN_I2, STATE_UNDEFINED
+ , SMF_PKE_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+ , P(KE) | P(ID) | P(NONCE), P(VID) | P(CR), PT(HASH)
+ , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+ { STATE_MAIN_I2, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
+ , P(NONCE) | P(KE) | P(ID), P(VID) | P(CR), PT(HASH)
+ , EVENT_RETRANSMIT, unexpected /* ??? not yet implemented */ },
+
+ /* for states from here on, input message must be encrypted */
+
+ /* STATE_MAIN_R2: I3 --> R3
+ * SMF_PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
+ * SMF_DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
+ * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
+ */
+ { STATE_MAIN_R2, STATE_MAIN_R3
+ , SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+ | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
+ , EVENT_SA_REPLACE, main_inI3_outR3 },
+
+ { STATE_MAIN_R2, STATE_MAIN_R3
+ , SMF_DS_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+ | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
+ , EVENT_SA_REPLACE, main_inI3_outR3 },
+
+ { STATE_MAIN_R2, STATE_UNDEFINED
+ , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED
+ | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(HASH), P(VID) | P(CR), PT(NONE)
+ , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
+
+ /* STATE_MAIN_I3: R3 --> done
+ * SMF_PSK_AUTH: HDR*, IDr1, HASH_R --> done
+ * SMF_DS_AUTH: HDR*, IDr1, [ CERT, ] SIG_R --> done
+ * SMF_PKE_AUTH, SMF_RPKE_AUTH: HDR*, HASH_R --> done
+ * May initiate quick mode by calling quick_outI1
+ */
+ { STATE_MAIN_I3, STATE_MAIN_I4
+ , SMF_PSK_AUTH | SMF_INITIATOR
+ | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(ID) | P(HASH), P(VID) | P(CR), PT(NONE)
+ , EVENT_SA_REPLACE, main_inR3 },
+
+ { STATE_MAIN_I3, STATE_MAIN_I4
+ , SMF_DS_AUTH | SMF_INITIATOR
+ | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(ID) | P(SIG), P(VID) | P(CR) | P(CERT), PT(NONE)
+ , EVENT_SA_REPLACE, main_inR3 },
+
+ { STATE_MAIN_I3, STATE_UNDEFINED
+ , SMF_PKE_AUTH | SMF_RPKE_AUTH | SMF_INITIATOR
+ | SMF_FIRST_ENCRYPTED_INPUT | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(HASH), P(VID) | P(CR), PT(NONE)
+ , EVENT_SA_REPLACE, unexpected /* ??? not yet implemented */ },
+
+ /* STATE_MAIN_R3: can only get here due to packet loss */
+ { STATE_MAIN_R3, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
+ , LEMPTY, LEMPTY
+ , PT(NONE), EVENT_NULL, unexpected },
+
+ /* STATE_MAIN_I4: can only get here due to packet loss */
+ { STATE_MAIN_I4, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY
+ , PT(NONE), EVENT_NULL, unexpected },
+
+
+ /***** Phase 2 Quick Mode *****/
+
+ /* No state for quick_outI1:
+ * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
+ */
+
+ /* STATE_QUICK_R0:
+ * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
+ * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
+ * Installs inbound IPsec SAs.
+ * Because it may suspend for asynchronous DNS, first_out_payload
+ * is set to NONE to suppress early emission of HDR*.
+ * ??? it is legal to have multiple SAs, but we don't support it yet.
+ */
+ { STATE_QUICK_R0, STATE_QUICK_R1
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+ , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
+ , EVENT_RETRANSMIT, quick_inI1_outR1 },
+
+ /* STATE_QUICK_I1:
+ * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
+ * HDR*, HASH(3)
+ * Installs inbound and outbound IPsec SAs, routing, etc.
+ * ??? it is legal to have multiple SAs, but we don't support it yet.
+ */
+ { STATE_QUICK_I1, STATE_QUICK_I2
+ , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
+ , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
+ , EVENT_SA_REPLACE, quick_inR1_outI2 },
+
+ /* STATE_QUICK_R1: HDR*, HASH(3) --> done
+ * Installs outbound IPsec SAs, routing, etc.
+ */
+ { STATE_QUICK_R1, STATE_QUICK_R2
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , P(HASH), LEMPTY, PT(NONE)
+ , EVENT_SA_REPLACE, quick_inI2 },
+
+ /* STATE_QUICK_I2: can only happen due to lost packet */
+ { STATE_QUICK_I2, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_RETRANSMIT_ON_DUPLICATE
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ /* STATE_QUICK_R2: can only happen due to lost packet */
+ { STATE_QUICK_R2, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+
+ /***** informational messages *****/
+
+ /* STATE_INFO: */
+ { STATE_INFO, STATE_UNDEFINED
+ , SMF_ALL_AUTH
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, informational },
+
+ /* STATE_INFO_PROTECTED: */
+ { STATE_INFO_PROTECTED, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , P(HASH), LEMPTY, PT(NONE)
+ , EVENT_NULL, informational },
+
+ /* XAUTH state transitions */
+ { STATE_XAUTH_I0, STATE_XAUTH_I1
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_RETRANSMIT, xauth_inI0 },
+
+ { STATE_XAUTH_R1, STATE_XAUTH_R2
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_RETRANSMIT, xauth_inR1 },
+
+ { STATE_XAUTH_I1, STATE_XAUTH_I2
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, xauth_inI1 },
+
+ { STATE_XAUTH_R2, STATE_XAUTH_R3
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(NONE)
+ , EVENT_SA_REPLACE, xauth_inR2 },
+
+ { STATE_XAUTH_I2, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ { STATE_XAUTH_R3, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ /* ModeCfg pull mode state transitions */
+
+ { STATE_MODE_CFG_R0, STATE_MODE_CFG_R1
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, modecfg_inR0 },
+
+ { STATE_MODE_CFG_I1, STATE_MODE_CFG_I2
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, modecfg_inI1 },
+
+ { STATE_MODE_CFG_R1, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ { STATE_MODE_CFG_I2, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ /* ModeCfg push mode state transitions */
+
+ { STATE_MODE_CFG_I0, STATE_MODE_CFG_I3
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, modecfg_inI0 },
+
+ { STATE_MODE_CFG_R3, STATE_MODE_CFG_R4
+ , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_RELEASE_PENDING_P2
+ , P(ATTR) | P(HASH), P(VID), PT(HASH)
+ , EVENT_SA_REPLACE, modecfg_inR3 },
+
+ { STATE_MODE_CFG_I3, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+ { STATE_MODE_CFG_R4, STATE_UNDEFINED
+ , SMF_ALL_AUTH | SMF_ENCRYPTED
+ , LEMPTY, LEMPTY, PT(NONE)
+ , EVENT_NULL, unexpected },
+
+#undef P
+#undef PT
+};
+
+void
+init_demux(void)
+{
+ /* fill ike_microcode_index:
+ * make ike_microcode_index[s] point to first entry in
+ * state_microcode_table for state s (backward scan makes this easier).
+ * Check that table is in order -- catch coding errors.
+ * For what it's worth, this routine is idempotent.
+ */
+ const struct state_microcode *t;
+
+ for (t = &state_microcode_table[elemsof(state_microcode_table) - 1];;)
+ {
+ passert(STATE_IKE_FLOOR <= t->state && t->state < STATE_IKE_ROOF);
+ ike_microcode_index[t->state - STATE_IKE_FLOOR] = t;
+ if (t == state_microcode_table)
+ break;
+ t--;
+ passert(t[0].state <= t[1].state);
+ }
+}
+
+/* Process any message on the MSG_ERRQUEUE
+ *
+ * This information is generated because of the IP_RECVERR socket option.
+ * The API is sparsely documented, and may be LINUX-only, and only on
+ * fairly recent versions at that (hence the conditional compilation).
+ *
+ * - ip(7) describes IP_RECVERR
+ * - recvmsg(2) describes MSG_ERRQUEUE
+ * - readv(2) describes iovec
+ * - cmsg(3) describes how to process auxilliary messages
+ *
+ * ??? we should link this message with one we've sent
+ * so that the diagnostic can refer to that negotiation.
+ *
+ * ??? how long can the messge be?
+ *
+ * ??? poll(2) has a very incomplete description of the POLL* events.
+ * We assume that POLLIN, POLLOUT, and POLLERR are all we need to deal with
+ * and that POLLERR will be on iff there is a MSG_ERRQUEUE message.
+ *
+ * We have to code around a couple of surprises:
+ *
+ * - Select can say that a socket is ready to read from, and
+ * yet a read will hang. It turns out that a message available on the
+ * MSG_ERRQUEUE will cause select to say something is pending, but
+ * a normal read will hang. poll(2) can tell when a MSG_ERRQUEUE
+ * message is pending.
+ *
+ * This is dealt with by calling check_msg_errqueue after select
+ * has indicated that there is something to read, but before the
+ * read is performed. check_msg_errqueue will return TRUE if there
+ * is something left to read.
+ *
+ * - A write to a socket may fail because there is a pending MSG_ERRQUEUE
+ * message, without there being anything wrong with the write. This
+ * makes for confusing diagnostics.
+ *
+ * To avoid this, we call check_msg_errqueue before a write. True,
+ * there is a race condition (a MSG_ERRQUEUE message might arrive
+ * between the check and the write), but we should eliminate many
+ * of the problematic events. To narrow the window, the poll(2)
+ * will await until an event happens (in the case or a write,
+ * POLLOUT; this should be benign for POLLIN).
+ */
+
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+static bool
+check_msg_errqueue(const struct iface *ifp, short interest)
+{
+ struct pollfd pfd;
+
+ pfd.fd = ifp->fd;
+ pfd.events = interest | POLLPRI | POLLOUT;
+
+ while (pfd.revents = 0
+ , poll(&pfd, 1, -1) > 0 && (pfd.revents & POLLERR))
+ {
+ u_int8_t buffer[3000]; /* hope that this is big enough */
+ union
+ {
+ struct sockaddr sa;
+ struct sockaddr_in sa_in4;
+ struct sockaddr_in6 sa_in6;
+ } from;
+
+ int from_len = sizeof(from);
+
+ int packet_len;
+
+ struct msghdr emh;
+ struct iovec eiov;
+ union {
+ /* force alignment (not documented as necessary) */
+ struct cmsghdr ecms;
+
+ /* how much space is enough? */
+ unsigned char space[256];
+ } ecms_buf;
+
+ struct cmsghdr *cm;
+ char fromstr[sizeof(" for message to port 65536") + INET6_ADDRSTRLEN];
+ struct state *sender = NULL;
+
+ zero(&from.sa);
+ from_len = sizeof(from);
+
+ emh.msg_name = &from.sa; /* ??? filled in? */
+ emh.msg_namelen = sizeof(from);
+ emh.msg_iov = &eiov;
+ emh.msg_iovlen = 1;
+ emh.msg_control = &ecms_buf;
+ emh.msg_controllen = sizeof(ecms_buf);
+ emh.msg_flags = 0;
+
+ eiov.iov_base = buffer; /* see readv(2) */
+ eiov.iov_len = sizeof(buffer);
+
+ packet_len = recvmsg(ifp->fd, &emh, MSG_ERRQUEUE);
+
+ if (packet_len == -1)
+ {
+ log_errno((e, "recvmsg(,, MSG_ERRQUEUE) on %s failed in comm_handle"
+ , ifp->rname));
+ break;
+ }
+ else if (packet_len == sizeof(buffer))
+ {
+ plog("MSG_ERRQUEUE message longer than %lu bytes; truncated"
+ , (unsigned long) sizeof(buffer));
+ }
+ else
+ {
+ sender = find_sender((size_t) packet_len, buffer);
+ }
+
+ DBG_cond_dump(DBG_ALL, "rejected packet:\n", buffer, packet_len);
+ DBG_cond_dump(DBG_ALL, "control:\n", emh.msg_control, emh.msg_controllen);
+ /* ??? Andi Kleen <ak@suse.de> and misc documentation
+ * suggests that name will have the original destination
+ * of the packet. We seem to see msg_namelen == 0.
+ * Andi says that this is a kernel bug and has fixed it.
+ * Perhaps in 2.2.18/2.4.0.
+ */
+ passert(emh.msg_name == &from.sa);
+ DBG_cond_dump(DBG_ALL, "name:\n", emh.msg_name
+ , emh.msg_namelen);
+
+ fromstr[0] = '\0'; /* usual case :-( */
+ switch (from.sa.sa_family)
+ {
+ char as[INET6_ADDRSTRLEN];
+
+ case AF_INET:
+ if (emh.msg_namelen == sizeof(struct sockaddr_in))
+ snprintf(fromstr, sizeof(fromstr)
+ , " for message to %s port %u"
+ , inet_ntop(from.sa.sa_family
+ , &from.sa_in4.sin_addr, as, sizeof(as))
+ , ntohs(from.sa_in4.sin_port));
+ break;
+ case AF_INET6:
+ if (emh.msg_namelen == sizeof(struct sockaddr_in6))
+ snprintf(fromstr, sizeof(fromstr)
+ , " for message to %s port %u"
+ , inet_ntop(from.sa.sa_family
+ , &from.sa_in6.sin6_addr, as, sizeof(as))
+ , ntohs(from.sa_in6.sin6_port));
+ break;
+ }
+
+ for (cm = CMSG_FIRSTHDR(&emh)
+ ; cm != NULL
+ ; cm = CMSG_NXTHDR(&emh,cm))
+ {
+ if (cm->cmsg_level == SOL_IP
+ && cm->cmsg_type == IP_RECVERR)
+ {
+ /* ip(7) and recvmsg(2) specify:
+ * ee_origin is SO_EE_ORIGIN_ICMP for ICMP
+ * or SO_EE_ORIGIN_LOCAL for locally generated errors.
+ * ee_type and ee_code are from the ICMP header.
+ * ee_info is the discovered MTU for EMSGSIZE errors
+ * ee_data is not used.
+ *
+ * ??? recvmsg(2) says "SOCK_EE_OFFENDER" but
+ * means "SO_EE_OFFENDER". The OFFENDER is really
+ * the router that complained. As such, the port
+ * is meaningless.
+ */
+
+ /* ??? cmsg(3) claims that CMSG_DATA returns
+ * void *, but RFC 2292 and /usr/include/bits/socket.h
+ * say unsigned char *. The manual is being fixed.
+ */
+ struct sock_extended_err *ee = (void *)CMSG_DATA(cm);
+ const char *offstr = "unspecified";
+ char offstrspace[INET6_ADDRSTRLEN];
+ char orname[50];
+
+ if (cm->cmsg_len > CMSG_LEN(sizeof(struct sock_extended_err)))
+ {
+ const struct sockaddr *offender = SO_EE_OFFENDER(ee);
+
+ switch (offender->sa_family)
+ {
+ case AF_INET:
+ offstr = inet_ntop(offender->sa_family
+ , &((const struct sockaddr_in *)offender)->sin_addr
+ , offstrspace, sizeof(offstrspace));
+ break;
+ case AF_INET6:
+ offstr = inet_ntop(offender->sa_family
+ , &((const struct sockaddr_in6 *)offender)->sin6_addr
+ , offstrspace, sizeof(offstrspace));
+ break;
+ default:
+ offstr = "unknown";
+ break;
+ }
+ }
+
+ switch (ee->ee_origin)
+ {
+ case SO_EE_ORIGIN_NONE:
+ snprintf(orname, sizeof(orname), "none");
+ break;
+ case SO_EE_ORIGIN_LOCAL:
+ snprintf(orname, sizeof(orname), "local");
+ break;
+ case SO_EE_ORIGIN_ICMP:
+ snprintf(orname, sizeof(orname)
+ , "ICMP type %d code %d (not authenticated)"
+ , ee->ee_type, ee->ee_code
+ );
+ break;
+ case SO_EE_ORIGIN_ICMP6:
+ snprintf(orname, sizeof(orname)
+ , "ICMP6 type %d code %d (not authenticated)"
+ , ee->ee_type, ee->ee_code
+ );
+ break;
+ default:
+ snprintf(orname, sizeof(orname), "invalid origin %lu"
+ , (unsigned long) ee->ee_origin);
+ break;
+ }
+
+ {
+ struct state *old_state = cur_state;
+
+ cur_state = sender;
+
+ /* note dirty trick to suppress ~ at start of format
+ * if we know what state to blame.
+ */
+ if ((packet_len == 1) && (buffer[0] = 0xff)
+#ifdef DEBUG
+ && ((cur_debugging & DBG_NATT) == 0)
+#endif
+ ) {
+ /* don't log NAT-T keepalive related errors unless NATT debug is
+ * enabled
+ */
+ }
+ else
+ plog((sender != NULL) + "~"
+ "ERROR: asynchronous network error report on %s"
+ "%s"
+ ", complainant %s"
+ ": %s"
+ " [errno %lu, origin %s"
+ /* ", pad %d, info %ld" */
+ /* ", data %ld" */
+ "]"
+ , ifp->rname
+ , fromstr
+ , offstr
+ , strerror(ee->ee_errno)
+ , (unsigned long) ee->ee_errno
+ , orname
+ /* , ee->ee_pad, (unsigned long)ee->ee_info */
+ /* , (unsigned long)ee->ee_data */
+ );
+ cur_state = old_state;
+ }
+ }
+ else
+ {
+ /* .cmsg_len is a kernel_size_t(!), but the value
+ * certainly ought to fit in an unsigned long.
+ */
+ plog("unknown cmsg: level %d, type %d, len %lu"
+ , cm->cmsg_level, cm->cmsg_type
+ , (unsigned long) cm->cmsg_len);
+ }
+ }
+ }
+ return (pfd.revents & interest) != 0;
+}
+#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
+
+bool
+send_packet(struct state *st, const char *where)
+{
+ struct connection *c = st->st_connection;
+ int port_buf;
+ bool err;
+ u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
+ u_int8_t *ptr;
+ unsigned long len;
+
+ if (c->interface->ike_float && st->st_tpacket.len != 1)
+ {
+ if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
+ {
+ DBG_log("send_packet(): really too big");
+ return FALSE;
+ }
+ ptr = ike_pkt;
+ /** Add Non-ESP marker **/
+ memset(ike_pkt, 0, sizeof(u_int32_t));
+ memcpy(ike_pkt + sizeof(u_int32_t), st->st_tpacket.ptr,
+ (unsigned long)st->st_tpacket.len);
+ len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
+ }
+ else
+ {
+ ptr = st->st_tpacket.ptr;
+ len = (unsigned long) st->st_tpacket.len;
+ }
+
+ DBG(DBG_RAW,
+ {
+ DBG_log("sending %lu bytes for %s through %s to %s:%u:"
+ , (unsigned long) st->st_tpacket.len
+ , where
+ , c->interface->rname
+ , ip_str(&c->spd.that.host_addr)
+ , (unsigned)c->spd.that.host_port);
+ DBG_dump_chunk(NULL, st->st_tpacket);
+ });
+
+ /* XXX: Not very clean. We manipulate the port of the ip_address to
+ * have a port in the sockaddr*, but we retain the original port
+ * and restore it afterwards.
+ */
+
+ port_buf = portof(&c->spd.that.host_addr);
+ setportof(htons(c->spd.that.host_port), &c->spd.that.host_addr);
+
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+ (void) check_msg_errqueue(c->interface, POLLOUT);
+#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
+
+ err = sendto(c->interface->fd
+ , ptr, len, 0
+ , sockaddrof(&c->spd.that.host_addr)
+ , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
+
+ /* restore port */
+ setportof(port_buf, &c->spd.that.host_addr);
+
+ if (err)
+ {
+ /* do not log NAT-T Keep Alive packets */
+ if (streq(where, "NAT-T Keep Alive"))
+ return FALSE;
+ log_errno((e, "sendto on %s to %s:%u failed in %s"
+ , c->interface->rname
+ , ip_str(&c->spd.that.host_addr)
+ , (unsigned)c->spd.that.host_port
+ , where));
+ return FALSE;
+ }
+ else
+ {
+ return TRUE;
+ }
+}
+
+static stf_status
+unexpected(struct msg_digest *md)
+{
+ loglog(RC_LOG_SERIOUS, "unexpected message received in state %s"
+ , enum_name(&state_names, md->st->st_state));
+ return STF_IGNORE;
+}
+
+static stf_status
+informational(struct msg_digest *md UNUSED)
+{
+ struct payload_digest *const n_pld = md->chain[ISAKMP_NEXT_N];
+
+ /* If the Notification Payload is not null... */
+ if (n_pld != NULL)
+ {
+ pb_stream *const n_pbs = &n_pld->pbs;
+ struct isakmp_notification *const n = &n_pld->payload.notification;
+ int disp_len;
+ char disp_buf[200];
+
+ /* Switch on Notification Type (enum) */
+ switch (n->isan_type)
+ {
+ case R_U_THERE:
+ return dpd_inI_outR(md->st, n, n_pbs);
+
+ case R_U_THERE_ACK:
+ return dpd_inR(md->st, n, n_pbs);
+ default:
+ if (pbs_left(n_pbs) >= sizeof(disp_buf)-1)
+ disp_len = sizeof(disp_buf)-1;
+ else
+ disp_len = pbs_left(n_pbs);
+ memcpy(disp_buf, n_pbs->cur, disp_len);
+ disp_buf[disp_len] = '\0';
+ break;
+ }
+ }
+ return STF_IGNORE;
+}
+
+/* message digest allocation and deallocation */
+
+static struct msg_digest *md_pool = NULL;
+
+/* free_md_pool is only used to avoid leak reports */
+void
+free_md_pool(void)
+{
+ for (;;)
+ {
+ struct msg_digest *md = md_pool;
+
+ if (md == NULL)
+ break;
+ md_pool = md->next;
+ pfree(md);
+ }
+}
+
+static struct msg_digest *
+alloc_md(void)
+{
+ struct msg_digest *md = md_pool;
+
+ /* convenient initializer:
+ * - all pointers NULL
+ * - .note = NOTHING_WRONG
+ * - .encrypted = FALSE
+ */
+ static const struct msg_digest blank_md;
+
+ if (md == NULL)
+ md = alloc_thing(struct msg_digest, "msg_digest");
+ else
+ md_pool = md->next;
+
+ *md = blank_md;
+ md->digest_roof = md->digest;
+
+ /* note: although there may be multiple msg_digests at once
+ * (due to suspended state transitions), there is a single
+ * global reply_buffer. It will need to be saved and restored.
+ */
+ init_pbs(&md->reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+
+ return md;
+}
+
+void
+release_md(struct msg_digest *md)
+{
+ freeanychunk(md->raw_packet);
+ pfreeany(md->packet_pbs.start);
+ md->packet_pbs.start = NULL;
+ md->next = md_pool;
+ md_pool = md;
+}
+
+/* wrapper for read_packet and process_packet
+ *
+ * The main purpose of this wrapper is to factor out teardown code
+ * from the many return points in process_packet. This amounts to
+ * releasing the msg_digest and resetting global variables.
+ *
+ * When processing of a packet is suspended (STF_SUSPEND),
+ * process_packet sets md to NULL to prevent the msg_digest being freed.
+ * Someone else must ensure that msg_digest is freed eventually.
+ *
+ * read_packet is broken out to minimize the lifetime of the
+ * enormous input packet buffer, an auto.
+ */
+void
+comm_handle(const struct iface *ifp)
+{
+ static struct msg_digest *md;
+
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+ /* Even though select(2) says that there is a message,
+ * it might only be a MSG_ERRQUEUE message. At least
+ * sometimes that leads to a hanging recvfrom. To avoid
+ * what appears to be a kernel bug, check_msg_errqueue
+ * uses poll(2) and tells us if there is anything for us
+ * to read.
+ *
+ * This is early enough that teardown isn't required:
+ * just return on failure.
+ */
+ if (!check_msg_errqueue(ifp, POLLIN))
+ return; /* no normal message to read */
+#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
+
+ md = alloc_md();
+ md->iface = ifp;
+
+ if (read_packet(md))
+ process_packet(&md);
+
+ if (md != NULL)
+ release_md(md);
+
+ cur_state = NULL;
+ reset_cur_connection();
+ cur_from = NULL;
+}
+
+/* read the message.
+ * Since we don't know its size, we read it into
+ * an overly large buffer and then copy it to a
+ * new, properly sized buffer.
+ */
+static bool
+read_packet(struct msg_digest *md)
+{
+ const struct iface *ifp = md->iface;
+ int packet_len;
+ u_int8_t *buffer;
+ u_int8_t *buffer_nat;
+ union
+ {
+ struct sockaddr sa;
+ struct sockaddr_in sa_in4;
+ struct sockaddr_in6 sa_in6;
+ } from;
+ int from_len = sizeof(from);
+ err_t from_ugh = NULL;
+ static const char undisclosed[] = "unknown source";
+
+ happy(anyaddr(addrtypeof(&ifp->addr), &md->sender));
+ zero(&from.sa);
+ ioctl(ifp->fd, FIONREAD, &packet_len);
+ buffer = alloc_bytes(packet_len, "buffer read packet");
+ packet_len = recvfrom(ifp->fd, buffer, packet_len, 0
+ , &from.sa, &from_len);
+
+ /* First: digest the from address.
+ * We presume that nothing here disturbs errno.
+ */
+ if (packet_len == -1
+ && from_len == sizeof(from)
+ && all_zero((const void *)&from.sa, sizeof(from)))
+ {
+ /* "from" is untouched -- not set by recvfrom */
+ from_ugh = undisclosed;
+ }
+ else if (from_len
+ < (int) (offsetof(struct sockaddr, sa_family) + sizeof(from.sa.sa_family)))
+ {
+ from_ugh = "truncated";
+ }
+ else
+ {
+ const struct af_info *afi = aftoinfo(from.sa.sa_family);
+
+ if (afi == NULL)
+ {
+ from_ugh = "unexpected Address Family";
+ }
+ else if (from_len != (int)afi->sa_sz)
+ {
+ from_ugh = "wrong length";
+ }
+ else
+ {
+ switch (from.sa.sa_family)
+ {
+ case AF_INET:
+ from_ugh = initaddr((void *) &from.sa_in4.sin_addr
+ , sizeof(from.sa_in4.sin_addr), AF_INET, &md->sender);
+ md->sender_port = ntohs(from.sa_in4.sin_port);
+ break;
+ case AF_INET6:
+ from_ugh = initaddr((void *) &from.sa_in6.sin6_addr
+ , sizeof(from.sa_in6.sin6_addr), AF_INET6, &md->sender);
+ md->sender_port = ntohs(from.sa_in6.sin6_port);
+ break;
+ }
+ }
+ }
+
+ /* now we report any actual I/O error */
+ if (packet_len == -1)
+ {
+ if (from_ugh == undisclosed
+ && errno == ECONNREFUSED)
+ {
+ /* Tone down scary message for vague event:
+ * We get "connection refused" in response to some
+ * datagram we sent, but we cannot tell which one.
+ */
+ plog("some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)");
+ }
+ else if (from_ugh != NULL)
+ {
+ log_errno((e, "recvfrom on %s failed; Pluto cannot decode source sockaddr in rejection: %s"
+ , ifp->rname, from_ugh));
+ }
+ else
+ {
+ log_errno((e, "recvfrom on %s from %s:%u failed"
+ , ifp->rname
+ , ip_str(&md->sender), (unsigned)md->sender_port));
+ }
+
+ return FALSE;
+ }
+ else if (from_ugh != NULL)
+ {
+ plog("recvfrom on %s returned misformed source sockaddr: %s"
+ , ifp->rname, from_ugh);
+ return FALSE;
+ }
+ cur_from = &md->sender;
+ cur_from_port = md->sender_port;
+
+ if (ifp->ike_float == TRUE)
+ {
+ u_int32_t non_esp;
+
+ if (packet_len < (int)sizeof(u_int32_t))
+ {
+ plog("recvfrom %s:%u too small packet (%d)"
+ , ip_str(cur_from), (unsigned) cur_from_port, packet_len);
+ return FALSE;
+ }
+ memcpy(&non_esp, buffer, sizeof(u_int32_t));
+ if (non_esp != 0)
+ {
+ plog("recvfrom %s:%u has no Non-ESP marker"
+ , ip_str(cur_from), (unsigned) cur_from_port);
+ return FALSE;
+ }
+ packet_len -= sizeof(u_int32_t);
+ buffer_nat = alloc_bytes(packet_len, "buffer read packet");
+ memcpy(buffer_nat, buffer + sizeof(u_int32_t), packet_len);
+ pfree(buffer);
+ buffer = buffer_nat;
+ }
+
+ /* Clone actual message contents
+ * and set up md->packet_pbs to describe it.
+ */
+ init_pbs(&md->packet_pbs, buffer, packet_len, "packet");
+
+ DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL,
+ {
+ DBG_log(BLANK_FORMAT);
+ DBG_log("*received %d bytes from %s:%u on %s"
+ , (int) pbs_room(&md->packet_pbs)
+ , ip_str(cur_from), (unsigned) cur_from_port
+ , ifp->rname);
+ });
+
+ DBG(DBG_RAW,
+ DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
+
+ if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
+ {
+ /**
+ * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
+ * layer. But boggus keep-alive packets (sent with a non-esp marker)
+ * can reach this point. Complain and discard them.
+ */
+ DBG(DBG_NATT,
+ DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
+ "Ignored. Sender: %s:%u", ip_str(cur_from),
+ (unsigned) cur_from_port);
+ )
+ return FALSE;
+ }
+
+#define IKEV2_VERSION_OFFSET 17
+#define IKEV2_VERSION 0x20
+
+ /* ignore IKEv2 packets - they will be handled by charon */
+ if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
+ && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
+ {
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" ignoring IKEv2 packet")
+ )
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/* process an input packet, possibly generating a reply.
+ *
+ * If all goes well, this routine eventually calls a state-specific
+ * transition function.
+ */
+static void
+process_packet(struct msg_digest **mdp)
+{
+ struct msg_digest *md = *mdp;
+ const struct state_microcode *smc;
+ bool new_iv_set = FALSE;
+ bool restore_iv = FALSE;
+ u_char new_iv[MAX_DIGEST_LEN];
+ u_int new_iv_len = 0;
+
+ struct state *st = NULL;
+ enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
+
+#define SEND_NOTIFICATION(t) { \
+ if (st) send_notification_from_state(st, from_state, t); \
+ else send_notification_from_md(md, t); }
+
+ if (!in_struct(&md->hdr, &isakmp_hdr_desc, &md->packet_pbs, &md->message_pbs))
+ {
+ /* Identify specific failures:
+ * - bad ISAKMP major/minor version numbers
+ */
+ if (md->packet_pbs.roof - md->packet_pbs.cur >= (ptrdiff_t)isakmp_hdr_desc.size)
+ {
+ struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
+ if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
+ {
+ SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
+ return;
+ }
+ else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
+ {
+ SEND_NOTIFICATION(INVALID_MINOR_VERSION);
+ return;
+ }
+ }
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+
+ if (md->packet_pbs.roof != md->message_pbs.roof)
+ {
+ plog("size (%u) differs from size specified in ISAKMP HDR (%u)"
+ , (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);
+#ifdef CISCO_QUIRKS
+ if (pbs_room(&md->packet_pbs) - md->hdr.isa_length == 16)
+ plog("Cisco VPN client appends 16 surplus NULL bytes");
+ else
+#endif
+ return;
+ }
+
+ switch (md->hdr.isa_xchg)
+ {
+#ifdef NOTYET
+ case ISAKMP_XCHG_NONE:
+ case ISAKMP_XCHG_BASE:
+#endif
+
+ case ISAKMP_XCHG_IDPROT: /* part of a Main Mode exchange */
+ if (md->hdr.isa_msgid != MAINMODE_MSGID)
+ {
+ plog("Message ID was 0x%08lx but should be zero in Main Mode",
+ (unsigned long) md->hdr.isa_msgid);
+ SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ return;
+ }
+
+ if (is_zero_cookie(md->hdr.isa_icookie))
+ {
+ plog("Initiator Cookie must not be zero in Main Mode message");
+ SEND_NOTIFICATION(INVALID_COOKIE);
+ return;
+ }
+
+ if (is_zero_cookie(md->hdr.isa_rcookie))
+ {
+ /* initial message from initiator
+ * ??? what if this is a duplicate of another message?
+ */
+ if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
+ {
+ plog("initial Main Mode message is invalid:"
+ " its Encrypted Flag is on");
+ SEND_NOTIFICATION(INVALID_FLAGS);
+ return;
+ }
+
+ /* don't build a state until the message looks tasty */
+ from_state = STATE_MAIN_R0;
+ }
+ else
+ {
+ /* not an initial message */
+
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, md->hdr.isa_msgid);
+
+ if (st == NULL)
+ {
+ /* perhaps this is a first message from the responder
+ * and contains a responder cookie that we've not yet seen.
+ */
+ st = find_state(md->hdr.isa_icookie, zero_cookie
+ , &md->sender, md->hdr.isa_msgid);
+
+ if (st == NULL)
+ {
+ plog("Main Mode message is part of an unknown exchange");
+ /* XXX Could send notification back */
+ return;
+ }
+ }
+ set_cur_state(st);
+ from_state = st->st_state;
+ }
+ break;
+
+#ifdef NOTYET
+ case ISAKMP_XCHG_AO:
+ case ISAKMP_XCHG_AGGR:
+#endif
+
+ case ISAKMP_XCHG_INFO: /* an informational exchange */
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, MAINMODE_MSGID);
+
+ if (st != NULL)
+ set_cur_state(st);
+
+ if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
+ {
+ if (st == NULL)
+ {
+ plog("Informational Exchange is for an unknown (expired?) SA");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (!IS_ISAKMP_ENCRYPTED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS, "encrypted Informational Exchange message is invalid"
+ " because no key is known");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (md->hdr.isa_msgid == MAINMODE_MSGID)
+ {
+ loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
+ " it has a Message ID of 0");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (!reserve_msgid(st, md->hdr.isa_msgid))
+ {
+ loglog(RC_LOG_SERIOUS, "Informational Exchange message is invalid because"
+ " it has a previously used Message ID (0x%08lx)"
+ , (unsigned long)md->hdr.isa_msgid);
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ memcpy(st->st_ph1_iv, st->st_new_iv, st->st_new_iv_len);
+ st->st_ph1_iv_len = st->st_new_iv_len;
+
+ /* backup new_iv */
+ new_iv_len = st->st_new_iv_len;
+ passert(new_iv_len <= MAX_DIGEST_LEN)
+ memcpy(new_iv, st->st_new_iv, new_iv_len);
+ restore_iv = TRUE;
+ }
+ init_phase2_iv(st, &md->hdr.isa_msgid);
+ new_iv_set = TRUE;
+
+ from_state = STATE_INFO_PROTECTED;
+ }
+ else
+ {
+ if (st != NULL && IS_ISAKMP_ENCRYPTED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS, "Informational Exchange message"
+ " must be encrypted");
+ /* XXX Could send notification back */
+ return;
+ }
+ from_state = STATE_INFO;
+ }
+ break;
+
+ case ISAKMP_XCHG_QUICK: /* part of a Quick Mode exchange */
+ if (is_zero_cookie(md->hdr.isa_icookie))
+ {
+ plog("Quick Mode message is invalid because"
+ " it has an Initiator Cookie of 0");
+ SEND_NOTIFICATION(INVALID_COOKIE);
+ return;
+ }
+
+ if (is_zero_cookie(md->hdr.isa_rcookie))
+ {
+ plog("Quick Mode message is invalid because"
+ " it has a Responder Cookie of 0");
+ SEND_NOTIFICATION(INVALID_COOKIE);
+ return;
+ }
+
+ if (md->hdr.isa_msgid == MAINMODE_MSGID)
+ {
+ plog("Quick Mode message is invalid because"
+ " it has a Message ID of 0");
+ SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ return;
+ }
+
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, md->hdr.isa_msgid);
+
+ if (st == NULL)
+ {
+ /* No appropriate Quick Mode state.
+ * See if we have a Main Mode state.
+ * ??? what if this is a duplicate of another message?
+ */
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, MAINMODE_MSGID);
+
+ if (st == NULL)
+ {
+ plog("Quick Mode message is for a non-existent (expired?)"
+ " ISAKMP SA");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ set_cur_state(st);
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
+ " it is for an incomplete ISAKMP SA");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+ return;
+ }
+
+ /* only accept this new Quick Mode exchange if it has a unique message ID */
+ if (!reserve_msgid(st, md->hdr.isa_msgid))
+ {
+ loglog(RC_LOG_SERIOUS, "Quick Mode I1 message is unacceptable because"
+ " it uses a previously used Message ID 0x%08lx"
+ " (perhaps this is a duplicated packet)"
+ , (unsigned long) md->hdr.isa_msgid);
+ SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ return;
+ }
+
+ /* Quick Mode Initial IV */
+ init_phase2_iv(st, &md->hdr.isa_msgid);
+ new_iv_set = TRUE;
+
+ from_state = STATE_QUICK_R0;
+ }
+ else
+ {
+ set_cur_state(st);
+ from_state = st->st_state;
+ }
+
+ break;
+
+ case ISAKMP_XCHG_MODE_CFG:
+ if (is_zero_cookie(md->hdr.isa_icookie))
+ {
+ plog("ModeCfg message is invalid because"
+ " it has an Initiator Cookie of 0");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (is_zero_cookie(md->hdr.isa_rcookie))
+ {
+ plog("ModeCfg message is invalid because"
+ " it has a Responder Cookie of 0");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ if (md->hdr.isa_msgid == 0)
+ {
+ plog("ModeCfg message is invalid because"
+ " it has a Message ID of 0");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, md->hdr.isa_msgid);
+
+ if (st == NULL)
+ {
+ bool has_xauth_policy;
+
+ /* No appropriate ModeCfg state.
+ * See if we have a Main Mode state.
+ * ??? what if this is a duplicate of another message?
+ */
+ st = find_state(md->hdr.isa_icookie, md->hdr.isa_rcookie
+ , &md->sender, 0);
+
+ if (st == NULL)
+ {
+ plog("ModeCfg message is for a non-existent (expired?)"
+ " ISAKMP SA");
+ /* XXX Could send notification back */
+ return;
+ }
+
+ set_cur_state(st);
+
+ /* the XAUTH_STATUS message might have a new msgid */
+ if (st->st_state == STATE_XAUTH_I1)
+ {
+ init_phase2_iv(st, &md->hdr.isa_msgid);
+ new_iv_set = TRUE;
+ from_state = st->st_state;
+ break;
+ }
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS, "ModeCfg message is unacceptable because"
+ " it is for an incomplete ISAKMP SA (state=%s)"
+ , enum_name(&state_names, st->st_state));
+ /* XXX Could send notification back */
+ return;
+ }
+ init_phase2_iv(st, &md->hdr.isa_msgid);
+ new_iv_set = TRUE;
+
+ /*
+ * okay, now we have to figure out if we are receiving a bogus
+ * new message in an oustanding XAUTH server conversation
+ * (i.e. a reply to our challenge)
+ * (this occurs with some broken other implementations).
+ *
+ * or if receiving for the first time, an XAUTH challenge.
+ *
+ * or if we are getting a MODECFG request.
+ *
+ * we distinguish these states because we can not both be an
+ * XAUTH server and client, and our policy tells us which
+ * one we are.
+ *
+ * to complicate further, it is normal to start a new msgid
+ * when going from one state to another, or when restarting
+ * the challenge.
+ *
+ */
+
+ has_xauth_policy = (st->st_connection->policy
+ & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
+ != LEMPTY;
+
+ if (has_xauth_policy && !st->st_xauth.started
+ && IS_PHASE1(st->st_state))
+ {
+ from_state = STATE_XAUTH_I0;
+ }
+ else if (st->st_connection->spd.that.modecfg
+ && IS_PHASE1(st->st_state))
+ {
+ from_state = STATE_MODE_CFG_R0;
+ }
+ else if (st->st_connection->spd.this.modecfg
+ && IS_PHASE1(st->st_state))
+ {
+ from_state = STATE_MODE_CFG_I0;
+ }
+ else
+ {
+ /* XXX check if we are being a mode config server here */
+ plog("received ModeCfg message when in state %s, and we aren't mode config client"
+ , enum_name(&state_names, st->st_state));
+ return;
+ }
+ }
+ else
+ {
+ set_cur_state(st);
+ from_state = st->st_state;
+ }
+ break;
+
+#ifdef NOTYET
+ case ISAKMP_XCHG_NGRP:
+ case ISAKMP_XCHG_ACK_INFO:
+#endif
+
+ default:
+ plog("unsupported exchange type %s in message"
+ , enum_show(&exchange_names, md->hdr.isa_xchg));
+ SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
+ return;
+ }
+
+ /* We have found a from_state, and perhaps a state object.
+ * If we need to build a new state object,
+ * we wait until the packet has been sanity checked.
+ */
+
+ /* We don't support the Commit Flag. It is such a bad feature.
+ * It isn't protected -- neither encrypted nor authenticated.
+ * A man in the middle turns it on, leading to DoS.
+ * We just ignore it, with a warning.
+ * By placing the check here, we could easily add a policy bit
+ * to a connection to suppress the warning. This might be useful
+ * because the Commit Flag is expected from some peers.
+ */
+ if (md->hdr.isa_flags & ISAKMP_FLAG_COMMIT)
+ {
+ plog("IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag");
+ }
+
+ /* Set smc to describe this state's properties.
+ * Look up the appropriate microcode based on state and
+ * possibly Oakley Auth type.
+ */
+ passert(STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF);
+ smc = ike_microcode_index[from_state - STATE_IKE_FLOOR];
+
+ if (st != NULL)
+ {
+ u_int16_t auth;
+
+ switch (st->st_oakley.auth)
+ {
+ case XAUTHInitPreShared:
+ case XAUTHRespPreShared:
+ auth = OAKLEY_PRESHARED_KEY;
+ break;
+ case XAUTHInitRSA:
+ case XAUTHRespRSA:
+ auth = OAKLEY_RSA_SIG;
+ break;
+ default:
+ auth = st->st_oakley.auth;
+ }
+
+ while (!LHAS(smc->flags, auth))
+ {
+ smc++;
+ passert(smc->state == from_state);
+ }
+ }
+
+ /* Ignore a packet if the state has a suspended state transition
+ * Probably a duplicated packet but the original packet is not yet
+ * recorded in st->st_rpacket, so duplicate checking won't catch.
+ * ??? Should the packet be recorded earlier to improve diagnosis?
+ */
+ if (st != NULL && st->st_suspended_md != NULL)
+ {
+ loglog(RC_LOG, "discarding packet received during DNS lookup in %s"
+ , enum_name(&state_names, st->st_state));
+ return;
+ }
+
+ /* Detect and handle duplicated packets.
+ * This won't work for the initial packet of an exchange
+ * because we won't have a state object to remember it.
+ * If we are in a non-receiving state (terminal), and the preceding
+ * state did transmit, then the duplicate may indicate that that
+ * transmission wasn't received -- retransmit it.
+ * Otherwise, just discard it.
+ * ??? Notification packets are like exchanges -- I hope that
+ * they are idempotent!
+ */
+ if (st != NULL
+ && st->st_rpacket.ptr != NULL
+ && st->st_rpacket.len == pbs_room(&md->packet_pbs)
+ && memcmp(st->st_rpacket.ptr, md->packet_pbs.start, st->st_rpacket.len) == 0)
+ {
+ if (smc->flags & SMF_RETRANSMIT_ON_DUPLICATE)
+ {
+ if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
+ {
+ st->st_retransmit++;
+ loglog(RC_RETRANSMISSION
+ , "retransmitting in response to duplicate packet; already %s"
+ , enum_name(&state_names, st->st_state));
+ send_packet(st, "retransmit in response to duplicate");
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "discarding duplicate packet -- exhausted retransmission; already %s"
+ , enum_name(&state_names, st->st_state));
+ }
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "discarding duplicate packet; already %s"
+ , enum_name(&state_names, st->st_state));
+ }
+ return;
+ }
+
+ if (md->hdr.isa_flags & ISAKMP_FLAG_ENCRYPTION)
+ {
+ DBG(DBG_CRYPT, DBG_log("received encrypted packet from %s:%u"
+ , ip_str(&md->sender), (unsigned)md->sender_port));
+
+ if (st == NULL)
+ {
+ plog("discarding encrypted message for an unknown ISAKMP SA");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+ return;
+ }
+ if (st->st_skeyid_e.ptr == (u_char *) NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "discarding encrypted message"
+ " because we haven't yet negotiated keying materiel");
+ SEND_NOTIFICATION(INVALID_FLAGS);
+ return;
+ }
+
+ /* Mark as encrypted */
+ md->encrypted = TRUE;
+
+ DBG(DBG_CRYPT, DBG_log("decrypting %u bytes using algorithm %s"
+ , (unsigned) pbs_left(&md->message_pbs)
+ , enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
+
+ /* do the specified decryption
+ *
+ * IV is from st->st_iv or (if new_iv_set) st->st_new_iv.
+ * The new IV is placed in st->st_new_iv
+ *
+ * See RFC 2409 "IKE" Appendix B
+ *
+ * XXX The IV should only be updated really if the packet
+ * is successfully processed.
+ * We should keep this value, check for a success return
+ * value from the parsing routines and then replace.
+ *
+ * Each post phase 1 exchange generates IVs from
+ * the last phase 1 block, not the last block sent.
+ */
+ {
+ const struct encrypt_desc *e = st->st_oakley.encrypter;
+
+ if (pbs_left(&md->message_pbs) % e->enc_blocksize != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+
+ /* XXX Detect weak keys */
+
+ /* grab a copy of raw packet (for duplicate packet detection) */
+ clonetochunk(md->raw_packet, md->packet_pbs.start
+ , pbs_room(&md->packet_pbs), "raw packet");
+
+ /* Decrypt everything after header */
+ if (!new_iv_set)
+ {
+ /* use old IV */
+ passert(st->st_iv_len <= sizeof(st->st_new_iv));
+ st->st_new_iv_len = st->st_iv_len;
+ memcpy(st->st_new_iv, st->st_iv, st->st_new_iv_len);
+ }
+ crypto_cbc_encrypt(e, FALSE, md->message_pbs.cur,
+ pbs_left(&md->message_pbs) , st);
+ if (restore_iv)
+ {
+ memcpy(st->st_new_iv, new_iv, new_iv_len);
+ st->st_new_iv_len = new_iv_len;
+ }
+ }
+
+ DBG_cond_dump(DBG_CRYPT, "decrypted:\n", md->message_pbs.cur
+ , md->message_pbs.roof - md->message_pbs.cur);
+
+ DBG_cond_dump(DBG_CRYPT, "next IV:"
+ , st->st_new_iv, st->st_new_iv_len);
+ }
+ else
+ {
+ /* packet was not encryped -- should it have been? */
+
+ if (smc->flags & SMF_INPUT_ENCRYPTED)
+ {
+ loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
+ SEND_NOTIFICATION(INVALID_FLAGS);
+ return;
+ }
+ }
+
+ /* Digest the message.
+ * Padding must be removed to make hashing work.
+ * Padding comes from encryption (so this code must be after decryption).
+ * Padding rules are described before the definition of
+ * struct isakmp_hdr in packet.h.
+ */
+ {
+ struct payload_digest *pd = md->digest;
+ int np = md->hdr.isa_np;
+ lset_t needed = smc->req_payloads;
+ const char *excuse
+ = LIN(SMF_PSK_AUTH | SMF_FIRST_ENCRYPTED_INPUT, smc->flags)
+ ? "probable authentication failure (mismatch of preshared secrets?): "
+ : "";
+
+ while (np != ISAKMP_NEXT_NONE)
+ {
+ struct_desc *sd = np < ISAKMP_NEXT_ROOF? payload_descs[np] : NULL;
+
+ if (pd == &md->digest[PAYLIMIT])
+ {
+ loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+
+ switch (np)
+ {
+ case ISAKMP_NEXT_NATD_RFC:
+ case ISAKMP_NEXT_NATOA_RFC:
+ if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+ {
+ /*
+ * don't accept NAT-D/NAT-OA reloc directly in message, unless
+ * we're using NAT-T RFC
+ */
+ sd = NULL;
+ }
+ break;
+ }
+
+ if (sd == NULL)
+ {
+ /* payload type is out of range or requires special handling */
+ switch (np)
+ {
+ case ISAKMP_NEXT_ID:
+ sd = IS_PHASE1(from_state)
+ ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
+ break;
+ case ISAKMP_NEXT_NATD_DRAFTS:
+ np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
+ sd = payload_descs[np];
+ break;
+ case ISAKMP_NEXT_NATOA_DRAFTS:
+ np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */
+ sd = payload_descs[np];
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
+ " unexpected payload type (%s) at the outermost level"
+ , excuse, enum_show(&payload_names, np));
+ SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+ return;
+ }
+ }
+
+ {
+ lset_t s = LELEM(np);
+
+ if (LDISJOINT(s
+ , needed | smc->opt_payloads| LELEM(ISAKMP_NEXT_N) | LELEM(ISAKMP_NEXT_D)))
+ {
+ loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
+ "contains an unexpected payload type (%s)"
+ , excuse, enum_show(&payload_names, np));
+ SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+ return;
+ }
+ needed &= ~s;
+ }
+
+ if (!in_struct(&pd->payload, sd, &md->message_pbs, &pd->pbs))
+ {
+ loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
+ if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+
+ /* place this payload at the end of the chain for this type */
+ {
+ struct payload_digest **p;
+
+ for (p = &md->chain[np]; *p != NULL; p = &(*p)->next)
+ ;
+ *p = pd;
+ pd->next = NULL;
+ }
+
+ np = pd->payload.generic.isag_np;
+ pd++;
+
+ /* since we've digested one payload happily, it is probably
+ * the case that any decryption worked. So we will not suggest
+ * encryption failure as an excuse for subsequent payload
+ * problems.
+ */
+ excuse = "";
+ }
+
+ md->digest_roof = pd;
+
+ DBG(DBG_PARSING,
+ if (pbs_left(&md->message_pbs) != 0)
+ DBG_log("removing %d bytes of padding", (int) pbs_left(&md->message_pbs)));
+
+ md->message_pbs.roof = md->message_pbs.cur;
+
+ /* check that all mandatory payloads appeared */
+
+ if (needed != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
+ , enum_show(&state_names, from_state)
+ , bitnamesof(payload_name, needed));
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+ }
+
+ /* more sanity checking: enforce most ordering constraints */
+
+ if (IS_PHASE1(from_state))
+ {
+ /* rfc2409: The Internet Key Exchange (IKE), 5 Exchanges:
+ * "The SA payload MUST precede all other payloads in a phase 1 exchange."
+ */
+ if (md->chain[ISAKMP_NEXT_SA] != NULL
+ && md->hdr.isa_np != ISAKMP_NEXT_SA)
+ {
+ loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+ }
+ else if (IS_QUICK(from_state))
+ {
+ /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode
+ *
+ * "In Quick Mode, a HASH payload MUST immediately follow the ISAKMP
+ * header and a SA payload MUST immediately follow the HASH."
+ * [NOTE: there may be more than one SA payload, so this is not
+ * totally reasonable. Probably all SAs should be so constrained.]
+ *
+ * "If ISAKMP is acting as a client negotiator on behalf of another
+ * party, the identities of the parties MUST be passed as IDci and
+ * then IDcr."
+ *
+ * "With the exception of the HASH, SA, and the optional ID payloads,
+ * there are no payload ordering restrictions on Quick Mode."
+ */
+
+ if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
+ {
+ loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+
+ {
+ struct payload_digest *p;
+ int i;
+
+ for (p = md->chain[ISAKMP_NEXT_SA], i = 1; p != NULL
+ ; p = p->next, i++)
+ {
+ if (p != &md->digest[i])
+ {
+ loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+ }
+ }
+
+ /* rfc2409: The Internet Key Exchange (IKE), 5.5 Phase 2 - Quick Mode:
+ * "If ISAKMP is acting as a client negotiator on behalf of another
+ * party, the identities of the parties MUST be passed as IDci and
+ * then IDcr."
+ */
+ {
+ struct payload_digest *id = md->chain[ISAKMP_NEXT_ID];
+
+ if (id != NULL)
+ {
+ if (id->next == NULL || id->next->next != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
+ " if any ID payload is present,"
+ " there must be exactly two");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+ if (id+1 != id->next)
+ {
+ loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
+ " the ID payloads are not adjacent");
+ SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ return;
+ }
+ }
+ }
+ }
+
+ /* Ignore payloads that we don't handle:
+ * Delete, Notification, VendorID
+ */
+ /* XXX Handle deletions */
+ /* XXX Handle Notifications */
+ /* XXX Handle VID payloads */
+ {
+ struct payload_digest *p;
+
+ for (p = md->chain[ISAKMP_NEXT_N]; p != NULL; p = p->next)
+ {
+ if (p->payload.notification.isan_type != R_U_THERE
+ && p->payload.notification.isan_type != R_U_THERE_ACK)
+ {
+ loglog(RC_LOG_SERIOUS, "ignoring informational payload, type %s"
+ , enum_show(&notification_names, p->payload.notification.isan_type));
+ }
+ DBG_cond_dump(DBG_PARSING, "info:", p->pbs.cur, pbs_left(&p->pbs));
+ }
+
+ for (p = md->chain[ISAKMP_NEXT_D]; p != NULL; p = p->next)
+ {
+ accept_delete(st, md, p);
+ DBG_cond_dump(DBG_PARSING, "del:", p->pbs.cur, pbs_left(&p->pbs));
+ }
+
+ for (p = md->chain[ISAKMP_NEXT_VID]; p != NULL; p = p->next)
+ {
+ handle_vendorid(md, p->pbs.cur, pbs_left(&p->pbs));
+ }
+ }
+ md->from_state = from_state;
+ md->smc = smc;
+ md->st = st;
+
+ /* possibly fill in hdr */
+ if (smc->first_out_payload != ISAKMP_NEXT_NONE)
+ echo_hdr(md, (smc->flags & SMF_OUTPUT_ENCRYPTED) != 0
+ , smc->first_out_payload);
+
+ complete_state_transition(mdp, smc->processor(md));
+}
+
+/* complete job started by the state-specific state transition function */
+
+void
+complete_state_transition(struct msg_digest **mdp, stf_status result)
+{
+ bool has_xauth_policy;
+ bool is_xauth_server;
+ struct msg_digest *md = *mdp;
+ const struct state_microcode *smc = md->smc;
+ enum state_kind from_state = md->from_state;
+ struct state *st;
+
+ cur_state = st = md->st; /* might have changed */
+
+ /* If state has DPD support, import it */
+ if (st && md->dpd)
+ st->st_dpd = TRUE;
+
+ switch (result)
+ {
+ case STF_IGNORE:
+ break;
+
+ case STF_SUSPEND:
+ /* the stf didn't complete its job: don't relase md */
+ *mdp = NULL;
+ break;
+
+ case STF_OK:
+ /* advance the state */
+ st->st_state = smc->next_state;
+
+ /* Delete previous retransmission event.
+ * New event will be scheduled below.
+ */
+ delete_event(st);
+
+ /* replace previous receive packet with latest */
+
+ pfreeany(st->st_rpacket.ptr);
+
+ if (md->encrypted)
+ {
+ /* if encrypted, duplication already done */
+ st->st_rpacket = md->raw_packet;
+ md->raw_packet.ptr = NULL;
+ }
+ else
+ {
+ clonetochunk(st->st_rpacket
+ , md->packet_pbs.start
+ , pbs_room(&md->packet_pbs), "raw packet");
+ }
+
+ /* free previous transmit packet */
+ freeanychunk(st->st_tpacket);
+
+ /* if requested, send the new reply packet */
+ if (smc->flags & SMF_REPLY)
+ {
+ close_output_pbs(&md->reply); /* good form, but actually a no-op */
+
+ clonetochunk(st->st_tpacket, md->reply.start
+ , pbs_offset(&md->reply), "reply packet");
+
+ if (nat_traversal_enabled)
+ nat_traversal_change_port_lookup(md, md->st);
+
+ /* actually send the packet
+ * Note: this is a great place to implement "impairments"
+ * for testing purposes. Suppress or duplicate the
+ * send_packet call depending on st->st_state.
+ */
+ send_packet(st, enum_name(&state_names, from_state));
+ }
+
+ /* Schedule for whatever timeout is specified */
+ {
+ time_t delay;
+ enum event_type kind = smc->timeout_event;
+ bool agreed_time = FALSE;
+ struct connection *c = st->st_connection;
+
+ switch (kind)
+ {
+ case EVENT_RETRANSMIT: /* Retransmit packet */
+ delay = EVENT_RETRANSMIT_DELAY_0;
+ break;
+
+ case EVENT_SA_REPLACE: /* SA replacement event */
+ if (IS_PHASE1(st->st_state))
+ {
+ /* Note: we will defer to the "negotiated" (dictated)
+ * lifetime if we are POLICY_DONT_REKEY.
+ * This allows the other side to dictate
+ * a time we would not otherwise accept
+ * but it prevents us from having to initiate
+ * rekeying. The negative consequences seem
+ * minor.
+ */
+ delay = c->sa_ike_life_seconds;
+ if ((c->policy & POLICY_DONT_REKEY)
+ || delay >= st->st_oakley.life_seconds)
+ {
+ agreed_time = TRUE;
+ delay = st->st_oakley.life_seconds;
+ }
+ }
+ else
+ {
+ /* Delay is min of up to four things:
+ * each can limit the lifetime.
+ */
+ delay = c->sa_ipsec_life_seconds;
+ if (st->st_ah.present
+ && delay >= st->st_ah.attrs.life_seconds)
+ {
+ agreed_time = TRUE;
+ delay = st->st_ah.attrs.life_seconds;
+ }
+ if (st->st_esp.present
+ && delay >= st->st_esp.attrs.life_seconds)
+ {
+ agreed_time = TRUE;
+ delay = st->st_esp.attrs.life_seconds;
+ }
+ if (st->st_ipcomp.present
+ && delay >= st->st_ipcomp.attrs.life_seconds)
+ {
+ agreed_time = TRUE;
+ delay = st->st_ipcomp.attrs.life_seconds;
+ }
+ }
+
+ /* By default, we plan to rekey.
+ *
+ * If there isn't enough time to rekey, plan to
+ * expire.
+ *
+ * If we are --dontrekey, a lot more rules apply.
+ * If we are the Initiator, use REPLACE_IF_USED.
+ * If we are the Responder, and the dictated time
+ * was unacceptable (too large), plan to REPLACE
+ * (the only way to ratchet down the time).
+ * If we are the Responder, and the dictated time
+ * is acceptable, plan to EXPIRE.
+ *
+ * Important policy lies buried here.
+ * For example, we favour the initiator over the
+ * responder by making the initiator start rekeying
+ * sooner. Also, fuzz is only added to the
+ * initiator's margin.
+ *
+ * Note: for ISAKMP SA, we let the negotiated
+ * time stand (implemented by earlier logic).
+ */
+ if (agreed_time
+ && (c->policy & POLICY_DONT_REKEY))
+ {
+ kind = (smc->flags & SMF_INITIATOR)
+ ? EVENT_SA_REPLACE_IF_USED
+ : EVENT_SA_EXPIRE;
+ }
+ if (kind != EVENT_SA_EXPIRE)
+ {
+ unsigned long marg = c->sa_rekey_margin;
+
+ if (smc->flags & SMF_INITIATOR)
+ marg += marg
+ * c->sa_rekey_fuzz / 100.E0
+ * (rand() / (RAND_MAX + 1.E0));
+ else
+ marg /= 2;
+
+ if ((unsigned long)delay > marg)
+ {
+ delay -= marg;
+ st->st_margin = marg;
+ }
+ else
+ {
+ kind = EVENT_SA_EXPIRE;
+ }
+ }
+ break;
+
+ case EVENT_NULL: /* non-event */
+ case EVENT_REINIT_SECRET: /* Refresh cookie secret */
+ default:
+ bad_case(kind);
+ }
+ event_schedule(kind, delay, st);
+ }
+
+ /* tell whack and log of progress */
+ {
+ const char *story = state_story[st->st_state - STATE_MAIN_R0];
+ enum rc_type w = RC_NEW_STATE + st->st_state;
+ char sadetails[128];
+
+ sadetails[0]='\0';
+
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ char *b = sadetails;
+ const char *ini = " {";
+ const char *fin = "";
+
+ /* -1 is to leave space for "fin" */
+
+ if (st->st_esp.present)
+ {
+ snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+ , "%sESP=>0x%08x <0x%08x"
+ , ini
+ , ntohl(st->st_esp.attrs.spi)
+ , ntohl(st->st_esp.our_spi));
+ ini = " ";
+ fin = "}";
+ }
+ /* advance b to end of string */
+ b = b + strlen(b);
+
+ if (st->st_ah.present)
+ {
+ snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+ , "%sAH=>0x%08x <0x%08x"
+ , ini
+ , ntohl(st->st_ah.attrs.spi)
+ , ntohl(st->st_ah.our_spi));
+ ini = " ";
+ fin = "}";
+ }
+ /* advance b to end of string */
+ b = b + strlen(b);
+
+ if (st->st_ipcomp.present)
+ {
+ snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+ , "%sIPCOMP=>0x%08x <0x%08x"
+ , ini
+ , ntohl(st->st_ipcomp.attrs.spi)
+ , ntohl(st->st_ipcomp.our_spi));
+ ini = " ";
+ fin = "}";
+ }
+ /* advance b to end of string */
+ b = b + strlen(b);
+
+ if (st->nat_traversal)
+ {
+ char oa[ADDRTOT_BUF];
+ addrtot(&st->nat_oa, 0, oa, sizeof(oa));
+ snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+ , "%sNATOA=%s"
+ , ini, oa);
+ ini = " ";
+ fin = "}";
+ }
+
+ /* advance b to end of string */
+ b = b + strlen(b);
+
+ if (st->st_dpd)
+ {
+ snprintf(b, sizeof(sadetails)-(b-sadetails)-1
+ , "%sDPD"
+ , ini);
+ ini = " ";
+ fin = "}";
+ }
+
+ strcat(b, fin);
+ }
+
+ if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ || IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ /* log our success */
+ plog("%s%s", story, sadetails);
+ w = RC_SUCCESS;
+ }
+
+ /* tell whack our progress */
+ whack_log(w
+ , "%s: %s%s"
+ , enum_name(&state_names, st->st_state)
+ , story, sadetails);
+ }
+
+ has_xauth_policy = (st->st_connection->policy
+ & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK))
+ != LEMPTY;
+ is_xauth_server = (st->st_connection->policy
+ & POLICY_XAUTH_SERVER)
+ != LEMPTY;
+
+ /* Should we start XAUTH as a server */
+ if (has_xauth_policy && is_xauth_server
+ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && !st->st_xauth.started)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("starting XAUTH server")
+ )
+ xauth_send_request(st);
+ break;
+ }
+
+ /* Wait for XAUTH request from server */
+ if (has_xauth_policy && !is_xauth_server
+ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && !st->st_xauth.started)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("waiting for XAUTH request from server")
+ )
+ break;
+ }
+
+ /* Should we start ModeConfig as a client? */
+ if (st->st_connection->spd.this.modecfg
+ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && !(st->st_connection->policy & POLICY_MODECFG_PUSH)
+ && !st->st_modecfg.started)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("starting ModeCfg client in pull mode")
+ )
+ modecfg_send_request(st);
+ break;
+ }
+
+ /* Should we start ModeConfig as a server? */
+ if (st->st_connection->spd.that.modecfg
+ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && !st->st_modecfg.started
+ && (st->st_connection->policy & POLICY_MODECFG_PUSH))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("starting ModeCfg server in push mode")
+ )
+ modecfg_send_set(st);
+ break;
+ }
+
+ /* Wait for ModeConfig set from server */
+ if (st->st_connection->spd.this.modecfg
+ && IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ && !st->st_modecfg.vars_set)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("waiting for ModeCfg set from server")
+ )
+ break;
+ }
+
+ if (smc->flags & SMF_RELEASE_PENDING_P2)
+ {
+ /* Initiate any Quick Mode negotiations that
+ * were waiting to piggyback on this Keying Channel.
+ *
+ * ??? there is a potential race condition
+ * if we are the responder: the initial Phase 2
+ * message might outrun the final Phase 1 message.
+ * I think that retransmission will recover.
+ */
+ unpend(st);
+ }
+
+ if (IS_ISAKMP_SA_ESTABLISHED(st->st_state)
+ || IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ release_whack(st);
+ break;
+
+ case STF_INTERNAL_ERROR:
+ whack_log(RC_INTERNALERR + md->note
+ , "%s: internal error"
+ , enum_name(&state_names, st->st_state));
+
+ DBG(DBG_CONTROL,
+ DBG_log("state transition function for %s had internal error"
+ , enum_name(&state_names, from_state)));
+ break;
+
+ default: /* a shortcut to STF_FAIL, setting md->note */
+ passert(result > STF_FAIL);
+ md->note = result - STF_FAIL;
+ result = STF_FAIL;
+ /* FALL THROUGH ... */
+ case STF_FAIL:
+ /* As it is, we act as if this message never happened:
+ * whatever retrying was in place, remains in place.
+ */
+ whack_log(RC_NOTIFICATION + md->note
+ , "%s: %s"
+ , enum_name(&state_names, (st == NULL)? STATE_MAIN_R0:st->st_state)
+ , enum_name(&notification_names, md->note));
+
+ SEND_NOTIFICATION(md->note);
+
+ DBG(DBG_CONTROL,
+ DBG_log("state transition function for %s failed: %s"
+ , enum_name(&state_names, from_state)
+ , enum_name(&notification_names, md->note)));
+ break;
+ }
+}
diff --git a/src/pluto/demux.h b/src/pluto/demux.h
new file mode 100644
index 000000000..373dd6315
--- /dev/null
+++ b/src/pluto/demux.h
@@ -0,0 +1,93 @@
+/* demultiplex incoming IKE messages
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: demux.h,v 1.4 2004/07/22 22:57:25 as Exp $
+ */
+
+#include "packet.h"
+
+struct state; /* forward declaration of tag */
+extern void init_demux(void);
+extern bool send_packet(struct state *st, const char *where);
+extern void comm_handle(const struct iface *ifp);
+
+extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
+
+/* State transition function infrastructure
+ *
+ * com_handle parses a message, decides what state object it applies to,
+ * and calls the appropriate state transition function (STF).
+ * These declarations define the interface to these functions.
+ *
+ * Each STF must be able to be restarted up to any failure point:
+ * a later message will cause the state to be re-entered. This
+ * explains the use of the replace macro and the care in handling
+ * MP_INT members of struct state.
+ */
+
+struct payload_digest {
+ pb_stream pbs;
+ union payload payload;
+ struct payload_digest *next; /* of same kind */
+};
+
+/* message digest
+ * Note: raw_packet and packet_pbs are "owners" of space on heap.
+ */
+
+struct msg_digest {
+ struct msg_digest *next; /* for free list */
+ chunk_t raw_packet; /* if encrypted, received packet before decryption */
+ const struct iface *iface; /* interface on which message arrived */
+ ip_address sender; /* where message came from */
+ u_int16_t sender_port; /* host order */
+ pb_stream packet_pbs; /* whole packet */
+ pb_stream message_pbs; /* message to be processed */
+ struct isakmp_hdr hdr; /* message's header */
+ bool encrypted; /* was it encrypted? */
+ enum state_kind from_state; /* state we started in */
+ const struct state_microcode *smc; /* microcode for initial state */
+ struct state *st; /* current state object */
+ pb_stream reply; /* room for reply */
+ pb_stream rbody; /* room for reply body (after header) */
+ notification_t note; /* reason for failure */
+ bool dpd; /* peer supports RFC 3706 DPD */
+ bool openpgp; /* peer supports OpenPGP certificates */
+
+# define PAYLIMIT 40
+ struct payload_digest
+ digest[PAYLIMIT],
+ *digest_roof,
+ *chain[ISAKMP_NEXT_ROOF];
+ unsigned short nat_traversal_vid;
+};
+
+extern void release_md(struct msg_digest *md);
+
+/* status for state-transition-function
+ * Note: STF_FAIL + notification_t means fail with that notification
+ */
+
+typedef enum {
+ STF_IGNORE, /* don't respond */
+ STF_SUSPEND, /* unfinished -- don't release resources */
+ STF_OK, /* success */
+ STF_INTERNAL_ERROR, /* discard everything, we failed */
+ STF_FAIL /* discard everything, something failed. notification_t added. */
+} stf_status;
+
+typedef stf_status state_transition_fn(struct msg_digest *md);
+
+extern void complete_state_transition(struct msg_digest **mdp, stf_status result);
+
+extern void free_md_pool(void);
diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c
new file mode 100644
index 000000000..23863b0a2
--- /dev/null
+++ b/src/pluto/dnskey.c
@@ -0,0 +1,1962 @@
+/* Find public key in DNS
+ * Copyright (C) 2000-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: dnskey.c,v 1.5 2005/09/08 16:26:30 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <netdb.h> /* ??? for h_errno */
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "defs.h"
+#include "log.h"
+#include "id.h"
+#include "connections.h"
+#include "keys.h" /* needs connections.h */
+#include "dnskey.h"
+#include "packet.h"
+#include "timer.h"
+
+/* somebody has to decide */
+#define MAX_TXT_RDATA ((MAX_KEY_BYTES * 8 / 6) + 40) /* somewhat arbitrary overkill */
+
+/* ADNS stuff */
+
+int adns_qfd = NULL_FD, /* file descriptor for sending queries to adns (O_NONBLOCK) */
+ adns_afd = NULL_FD; /* file descriptor for receiving answers from adns */
+static pid_t adns_pid = 0;
+const char *pluto_adns_option = NULL; /* path from --pluto_adns */
+
+int adns_restart_count;
+#define ADNS_RESTART_MAX 20
+
+void
+init_adns(void)
+{
+ const char *adns_path = pluto_adns_option;
+#ifndef USE_LWRES
+ static const char adns_name[] = "_pluto_adns";
+ const char *helper_bin_dir = getenv("IPSEC_LIBDIR");
+#else /* USE_LWRES */
+ static const char adns_name[] = "lwdnsq";
+ const char *helper_bin_dir = getenv("IPSEC_EXECDIR");
+#endif /* USE_LWRES */
+ char adns_path_space[4096]; /* plenty long? */
+ int qfds[2];
+ int afds[2];
+
+ /* find a pathname to the ADNS program */
+ if (adns_path == NULL)
+ {
+ /* pathname was not specified as an option: build it.
+ * First, figure out the directory to be used.
+ */
+ ssize_t n;
+
+ if (helper_bin_dir != NULL)
+ {
+ n = strlen(helper_bin_dir);
+ if ((size_t)n <= sizeof(adns_path_space) - sizeof(adns_name))
+ {
+ strcpy(adns_path_space, helper_bin_dir);
+ if (n > 0 && adns_path_space[n -1] != '/')
+ adns_path_space[n++] = '/';
+ }
+ }
+ else
+ {
+ /* The program will be in the same directory as Pluto,
+ * so we use the sympolic link /proc/self/exe to
+ * tell us of the path prefix.
+ */
+ n = readlink("/proc/self/exe", adns_path_space, sizeof(adns_path_space));
+
+ if (n < 0)
+ exit_log_errno((e
+ , "readlink(\"/proc/self/exe\") failed in init_adns()"));
+
+ }
+
+ if ((size_t)n > sizeof(adns_path_space) - sizeof(adns_name))
+ exit_log("path to %s is too long", adns_name);
+
+ while (n > 0 && adns_path_space[n - 1] != '/')
+ n--;
+
+ strcpy(adns_path_space + n, adns_name);
+ adns_path = adns_path_space;
+ }
+ if (access(adns_path, X_OK) < 0)
+ exit_log_errno((e, "%s missing or not executable", adns_path));
+
+ if (pipe(qfds) != 0 || pipe(afds) != 0)
+ exit_log_errno((e, "pipe(2) failed in init_adns()"));
+
+ adns_pid = fork();
+ switch (adns_pid)
+ {
+ case -1:
+ exit_log_errno((e, "fork() failed in init_adns()"));
+
+ case 0:
+ /* child */
+ {
+ /* Make stdin and stdout our pipes.
+ * Take care to handle case where pipes already use these fds.
+ */
+ if (afds[1] == 0)
+ afds[1] = dup(afds[1]); /* avoid being overwritten */
+ if (qfds[0] != 0)
+ {
+ dup2(qfds[0], 0);
+ close(qfds[0]);
+ }
+ if (afds[1] != 1)
+ {
+ dup2(afds[1], 1);
+ close(qfds[1]);
+ }
+ if (afds[0] > 1)
+ close(afds[0]);
+ if (afds[1] > 1)
+ close(afds[1]);
+
+ DBG(DBG_DNS, execlp(adns_path, adns_name, "-d", NULL));
+
+ execlp(adns_path, adns_name, NULL);
+ exit_log_errno((e, "execlp of %s failed", adns_path));
+ }
+
+ default:
+ /* parent */
+ close(qfds[0]);
+ adns_qfd = qfds[1];
+ adns_afd = afds[0];
+ close(afds[1]);
+ fcntl(adns_qfd, F_SETFD, FD_CLOEXEC);
+ fcntl(adns_afd, F_SETFD, FD_CLOEXEC);
+ fcntl(adns_qfd, F_SETFL, O_NONBLOCK);
+ break;
+ }
+}
+
+void
+stop_adns(void)
+{
+ close_any(adns_qfd);
+ adns_qfd = NULL_FD;
+ close_any(adns_afd);
+ adns_afd = NULL_FD;
+
+ if (adns_pid != 0)
+ {
+ int status;
+ pid_t p = waitpid(adns_pid, &status, 0);
+
+ if (p == -1)
+ {
+ log_errno((e, "waitpid for ADNS process failed"));
+ }
+ else if (WIFEXITED(status))
+ {
+ if (WEXITSTATUS(status) != 0)
+ plog("ADNS process exited with status %d"
+ , (int) WEXITSTATUS(status));
+ }
+ else if (WIFSIGNALED(status))
+ {
+ plog("ADNS process terminated by signal %d", (int)WTERMSIG(status));
+ }
+ else
+ {
+ plog("wait for end of ADNS process returned odd status 0x%x\n"
+ , status);
+ }
+ }
+}
+
+
+
+/* tricky macro to pass any hot potato */
+#define TRY(x) { err_t ugh = x; if (ugh != NULL) return ugh; }
+
+
+/* Process TXT X-IPsec-Server record, accumulating relevant ones
+ * in cr->gateways_from_dns, a list sorted by "preference".
+ *
+ * Format of TXT record body: X-IPsec-Server ( nnn ) = iii kkk
+ * nnn is a 16-bit unsigned integer preference
+ * iii is @FQDN or dotted-decimal IPv4 address or colon-hex IPv6 address
+ * kkk is an optional RSA public signing key in base 64.
+ *
+ * NOTE: we've got to be very wary of anything we find -- bad guys
+ * might have prepared it.
+ */
+
+#define our_TXT_attr_string "X-IPsec-Server"
+static const char our_TXT_attr[] = our_TXT_attr_string;
+
+static err_t
+decode_iii(u_char **pp, struct id *gw_id)
+{
+ u_char *p = *pp + strspn(*pp, " \t");
+ u_char *e = p + strcspn(p, " \t");
+ u_char under = *e;
+
+ if (p == e)
+ return "TXT " our_TXT_attr_string " badly formed (no gateway specified)";
+
+ *e = '\0';
+ if (*p == '@')
+ {
+ /* gateway specification in this record is @FQDN */
+ err_t ugh = atoid(p, gw_id, FALSE);
+
+ if (ugh != NULL)
+ return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s"
+ , ugh);
+ }
+ else
+ {
+ /* gateway specification is numeric */
+ ip_address ip;
+ err_t ugh = tnatoaddr(p, e-p
+ , strchr(p, ':') == NULL? AF_INET : AF_INET6
+ , &ip);
+
+ if (ugh != NULL)
+ return builddiag("malformed IP address in TXT " our_TXT_attr_string ": %s"
+ , ugh);
+
+ if (isanyaddr(&ip))
+ return "gateway address must not be 0.0.0.0 or 0::0";
+
+ iptoid(&ip, gw_id);
+ }
+
+ *e = under;
+ *pp = e + strspn(e, " \t");
+
+ return NULL;
+}
+
+static err_t
+process_txt_rr_body(u_char *str
+, bool doit /* should we capture information? */
+, enum dns_auth_level dns_auth_level
+, struct adns_continuation *const cr)
+{
+ const struct id *client_id = &cr->id; /* subject of query */
+ u_char *p = str;
+ unsigned long pref = 0;
+ struct gw_info gi;
+
+ p += strspn(p, " \t"); /* ignore leading whitespace */
+
+ /* is this for us? */
+ if (strncasecmp(p, our_TXT_attr, sizeof(our_TXT_attr)-1) != 0)
+ return NULL; /* neither interesting nor bad */
+
+ p += sizeof(our_TXT_attr) - 1; /* ignore our attribute name */
+ p += strspn(p, " \t"); /* ignore leading whitespace */
+
+ /* decode '(' nnn ')' */
+ if (*p != '(')
+ return "X-IPsec-Server missing '('";
+
+ {
+ char *e;
+
+ p++;
+ pref = strtoul(p, &e, 0);
+ if ((u_char *)e == p)
+ return "malformed X-IPsec-Server priority";
+
+ p = e + strspn(e, " \t");
+
+ if (*p != ')')
+ return "X-IPsec-Server priority missing ')'";
+
+ p++;
+ p += strspn(p, " \t");
+
+ if (pref > 0xFFFF)
+ return "X-IPsec-Server priority larger than 0xFFFF";
+ }
+
+ /* time for '=' */
+
+ if (*p != '=')
+ return "X-IPsec-Server priority missing '='";
+
+ p++;
+ p += strspn(p, " \t");
+
+ /* Decode iii (Security Gateway ID). */
+
+ zero(&gi); /* before first use */
+
+ TRY(decode_iii(&p, &gi.gw_id)); /* will need to unshare_id_content */
+
+ if (!cr->sgw_specified)
+ {
+ /* we don't know the peer's ID (because we are initiating
+ * and we don't know who to initiate with.
+ * So we're looking for gateway specs with an IP address
+ */
+ if (!id_is_ipaddr(&gi.gw_id))
+ {
+ DBG(DBG_DNS,
+ {
+ char cidb[BUF_LEN];
+ char gwidb[BUF_LEN];
+
+ idtoa(client_id, cidb, sizeof(cidb));
+ idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+ DBG_log("TXT %s record for %s: security gateway %s;"
+ " ignored because gateway's IP is unspecified"
+ , our_TXT_attr, cidb, gwidb);
+ });
+ return NULL; /* we cannot use this record, but it isn't wrong */
+ }
+ }
+ else
+ {
+ /* We do know the peer's ID (because we are responding)
+ * So we're looking for gateway specs specifying this known ID.
+ */
+ const struct id *peer_id = &cr->sgw_id;
+
+ if (!same_id(peer_id, &gi.gw_id))
+ {
+ DBG(DBG_DNS,
+ {
+ char cidb[BUF_LEN];
+ char gwidb[BUF_LEN];
+ char pidb[BUF_LEN];
+
+ idtoa(client_id, cidb, sizeof(cidb));
+ idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+ idtoa(peer_id, pidb, sizeof(pidb));
+ DBG_log("TXT %s record for %s: security gateway %s;"
+ " ignored -- looking to confirm %s as gateway"
+ , our_TXT_attr, cidb, gwidb, pidb);
+ });
+ return NULL; /* we cannot use this record, but it isn't wrong */
+ }
+ }
+
+ if (doit)
+ {
+ /* really accept gateway */
+ struct gw_info **gwip; /* gateway insertion point */
+
+ gi.client_id = *client_id; /* will need to unshare_id_content */
+
+ /* decode optional kkk: base 64 encoding of key */
+
+ gi.gw_key_present = *p != '\0';
+ if (gi.gw_key_present)
+ {
+ /* Decode base 64 encoding of key.
+ * Similar code is in process_lwdnsq_key.
+ */
+ u_char kb[RSA_MAX_ENCODING_BYTES]; /* plenty of space for binary form of public key */
+ chunk_t kbc;
+ struct RSA_public_key r;
+
+ err_t ugh = ttodatav(p, 0, 64, kb, sizeof(kb), &kbc.len
+ , diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
+
+ if (ugh != NULL)
+ return builddiag("malformed key data: %s", ugh);
+
+ if (kbc.len > sizeof(kb))
+ return builddiag("key data larger than %lu bytes"
+ , (unsigned long) sizeof(kb));
+
+ kbc.ptr = kb;
+ ugh = unpack_RSA_public_key(&r, &kbc);
+ if (ugh != NULL)
+ return builddiag("invalid key data: %s", ugh);
+
+ /* now find a key entry to put it in */
+ gi.key = public_key_from_rsa(&r);
+
+ free_RSA_public_content(&r);
+
+ unreference_key(&cr->last_info);
+ cr->last_info = reference_key(gi.key);
+ }
+
+ /* we're home free! Allocate everything and add to gateways list. */
+ gi.refcnt = 1;
+ gi.pref = pref;
+ gi.key->dns_auth_level = dns_auth_level;
+ gi.key->last_tried_time = gi.key->last_worked_time = NO_TIME;
+
+ /* find insertion point */
+ for (gwip = &cr->gateways_from_dns; *gwip != NULL && (*gwip)->pref < pref; gwip = &(*gwip)->next)
+ ;
+
+ DBG(DBG_DNS,
+ {
+ char cidb[BUF_LEN];
+ char gwidb[BUF_LEN];
+
+ idtoa(client_id, cidb, sizeof(cidb));
+ idtoa(&gi.gw_id, gwidb, sizeof(gwidb));
+ if (gi.gw_key_present)
+ {
+ DBG_log("gateway for %s is %s with key %s"
+ , cidb, gwidb, gi.key->u.rsa.keyid);
+ }
+ else
+ {
+ DBG_log("gateway for %s is %s; no key specified"
+ , cidb, gwidb);
+ }
+ });
+
+ gi.next = *gwip;
+ *gwip = clone_thing(gi, "gateway info");
+ unshare_id_content(&(*gwip)->gw_id);
+ unshare_id_content(&(*gwip)->client_id);
+ }
+
+ return NULL;
+}
+
+static const char *
+rr_typename(int type)
+{
+ switch (type)
+ {
+ case T_TXT:
+ return "TXT";
+ case T_KEY:
+ return "KEY";
+ default:
+ return "???";
+ }
+}
+
+
+#ifdef USE_LWRES
+
+# ifdef USE_KEYRR
+static err_t
+process_lwdnsq_key(u_char *str
+, enum dns_auth_level dns_auth_level
+, struct adns_continuation *const cr)
+{
+ /* fields of KEY record. See RFC 2535 3.1 KEY RDATA format. */
+ unsigned long flags /* 16 bits */
+ , protocol /* 8 bits */
+ , algorithm; /* 8 bits */
+
+ char *rest = str
+ , *p
+ , *endofnumber;
+
+ /* flags */
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq KEY: missing flags";
+
+ flags = strtoul(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq KEY: malformed flags";
+
+ /* protocol */
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq KEY: missing protocol";
+
+ protocol = strtoul(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq KEY: malformed protocol";
+
+ /* algorithm */
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq KEY: missing algorithm";
+
+ algorithm = strtoul(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq KEY: malformed algorithm";
+
+ /* is this key interesting? */
+ if (protocol == 4 /* IPSEC (RFC 2535 3.1.3) */
+ && algorithm == 1 /* RSA/MD5 (RFC 2535 3.2) */
+ && (flags & 0x8000ul) == 0 /* use for authentication (3.1.2) */
+ && (flags & 0x2CF0ul) == 0) /* must be zero */
+ {
+ /* Decode base 64 encoding of key.
+ * Similar code is in process_txt_rr_body.
+ */
+ u_char kb[RSA_MAX_ENCODING_BYTES]; /* plenty of space for binary form of public key */
+ chunk_t kbc;
+ err_t ugh = ttodatav(rest, 0, 64, kb, sizeof(kb), &kbc.len
+ , diag_space, sizeof(diag_space), TTODATAV_IGNORESPACE);
+
+ if (ugh != NULL)
+ return builddiag("malformed key data: %s", ugh);
+
+ if (kbc.len > sizeof(kb))
+ return builddiag("key data larger than %lu bytes"
+ , (unsigned long) sizeof(kb));
+
+ kbc.ptr = kb;
+ TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &kbc
+ , &cr->keys_from_dns));
+
+ /* keep a reference to last one */
+ unreference_key(&cr->last_info);
+ cr->last_info = reference_key(cr->keys_from_dns->key);
+ }
+ return NULL;
+}
+# endif /* USE_KEYRR */
+
+#else /* ! USE_LWRES */
+
+/* structure of Query Reply (RFC 1035 4.1.1):
+ *
+ * +---------------------+
+ * | Header |
+ * +---------------------+
+ * | Question | the question for the name server
+ * +---------------------+
+ * | Answer | RRs answering the question
+ * +---------------------+
+ * | Authority | RRs pointing toward an authority
+ * +---------------------+
+ * | Additional | RRs holding additional information
+ * +---------------------+
+ */
+
+/* Header section format (as modified by RFC 2535 6.1):
+ * 1 1 1 1 1 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | ID |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | QDCOUNT |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | ANCOUNT |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | NSCOUNT |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | ARCOUNT |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ */
+struct qr_header {
+ u_int16_t id; /* 16-bit identifier to match query */
+
+ u_int16_t stuff; /* packed crud: */
+
+#define QRS_QR 0x8000 /* QR: on if this is a response */
+
+#define QRS_OPCODE_SHIFT 11 /* OPCODE field */
+#define QRS_OPCODE_MASK 0xF
+#define QRSO_QUERY 0 /* standard query */
+#define QRSO_IQUERY 1 /* inverse query */
+#define QRSO_STATUS 2 /* server status request query */
+
+#define QRS_AA 0x0400 /* AA: on if Authoritative Answer */
+#define QRS_TC 0x0200 /* TC: on if truncation happened */
+#define QRS_RD 0x0100 /* RD: on if recursion desired */
+#define QRS_RA 0x0080 /* RA: on if recursion available */
+#define QRS_Z 0x0040 /* Z: reserved; must be zero */
+#define QRS_AD 0x0020 /* AD: on if authentic data (RFC 2535) */
+#define QRS_CD 0x0010 /* AD: on if checking disabled (RFC 2535) */
+
+#define QRS_RCODE_SHIFT 0 /* RCODE field: response code */
+#define QRS_RCODE_MASK 0xF
+#define QRSR_OK 0
+
+
+ u_int16_t qdcount; /* number of entries in question section */
+ u_int16_t ancount; /* number of resource records in answer section */
+ u_int16_t nscount; /* number of name server resource records in authority section */
+ u_int16_t arcount; /* number of resource records in additional records section */
+};
+
+static field_desc qr_header_fields[] = {
+ { ft_nat, 16/BITS_PER_BYTE, "ID", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "stuff", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "QD Count", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "Answer Count", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "Authority Count", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "Additional Count", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+static struct_desc qr_header_desc = {
+ "Query Response Header",
+ qr_header_fields,
+ sizeof(struct qr_header)
+};
+
+/* Messages for codes in RCODE (see RFC 1035 4.1.1) */
+static const err_t rcode_text[QRS_RCODE_MASK + 1] = {
+ NULL, /* not an error */
+ "Format error - The name server was unable to interpret the query",
+ "Server failure - The name server was unable to process this query"
+ " due to a problem with the name server",
+ "Name Error - Meaningful only for responses from an authoritative name"
+ " server, this code signifies that the domain name referenced in"
+ " the query does not exist",
+ "Not Implemented - The name server does not support the requested"
+ " kind of query",
+ "Refused - The name server refuses to perform the specified operation"
+ " for policy reasons",
+ /* the rest are reserved for future use */
+ };
+
+/* throw away a possibly compressed domain name */
+
+static err_t
+eat_name(pb_stream *pbs)
+{
+ u_char name_buf[NS_MAXDNAME + 2];
+ u_char *ip = pbs->cur;
+ unsigned oi = 0;
+ unsigned jump_count = 0;
+
+ for (;;)
+ {
+ u_int8_t b;
+
+ if (ip >= pbs->roof)
+ return "ran out of message while skipping domain name";
+
+ b = *ip++;
+ if (jump_count == 0)
+ pbs->cur = ip;
+
+ if (b == 0)
+ break;
+
+ switch (b & 0xC0)
+ {
+ case 0x00:
+ /* we grab the next b characters */
+ if (oi + b > NS_MAXDNAME)
+ return "domain name too long";
+
+ if (pbs->roof - ip <= b)
+ return "domain name falls off end of message";
+
+ if (oi != 0)
+ name_buf[oi++] = '.';
+
+ memcpy(name_buf + oi, ip, b);
+ oi += b;
+ ip += b;
+ if (jump_count == 0)
+ pbs->cur = ip;
+ break;
+
+ case 0xC0:
+ {
+ unsigned ix;
+
+ if (ip >= pbs->roof)
+ return "ran out of message in middle of compressed domain name";
+
+ ix = ((b & ~0xC0u) << 8) | *ip++;
+ if (jump_count == 0)
+ pbs->cur = ip;
+
+ if (ix >= pbs_room(pbs))
+ return "impossible compressed domain name";
+
+ /* Avoid infinite loop.
+ * There can be no more jumps than there are bytes
+ * in the packet. Not a tight limit, but good enough.
+ */
+ jump_count++;
+ if (jump_count > pbs_room(pbs))
+ return "loop in compressed domain name";
+
+ ip = pbs->start + ix;
+ }
+ break;
+
+ default:
+ return "invalid code in label";
+ }
+ }
+
+ name_buf[oi++] = '\0';
+
+ DBG(DBG_DNS, DBG_log("skipping name %s", name_buf));
+
+ return NULL;
+}
+
+static err_t
+eat_name_helpfully(pb_stream *pbs, const char *context)
+{
+ err_t ugh = eat_name(pbs);
+
+ return ugh == NULL? ugh
+ : builddiag("malformed name within DNS record of %s: %s", context, ugh);
+}
+
+/* non-variable part of 4.1.2 Question Section entry:
+ * 1 1 1 1 1 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | |
+ * / QNAME /
+ * / /
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | QTYPE |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | QCLASS |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ */
+
+struct qs_fixed {
+ u_int16_t qtype;
+ u_int16_t qclass;
+};
+
+static field_desc qs_fixed_fields[] = {
+ { ft_loose_enum, 16/BITS_PER_BYTE, "QTYPE", &rr_qtype_names },
+ { ft_loose_enum, 16/BITS_PER_BYTE, "QCLASS", &rr_class_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+static struct_desc qs_fixed_desc = {
+ "Question Section entry fixed part",
+ qs_fixed_fields,
+ sizeof(struct qs_fixed)
+};
+
+/* 4.1.3. Resource record format:
+ * 1 1 1 1 1 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | |
+ * / /
+ * / NAME /
+ * | |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | TYPE |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | CLASS |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | TTL |
+ * | |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | RDLENGTH |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+ * / RDATA /
+ * / /
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ */
+
+struct rr_fixed {
+ u_int16_t type;
+ u_int16_t class;
+ u_int32_t ttl; /* actually signed */
+ u_int16_t rdlength;
+};
+
+
+static field_desc rr_fixed_fields[] = {
+ { ft_loose_enum, 16/BITS_PER_BYTE, "type", &rr_type_names },
+ { ft_loose_enum, 16/BITS_PER_BYTE, "class", &rr_class_names },
+ { ft_nat, 32/BITS_PER_BYTE, "TTL", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "RD length", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+static struct_desc rr_fixed_desc = {
+ "Resource Record fixed part",
+ rr_fixed_fields,
+ /* note: following is tricky: avoids padding problems */
+ offsetof(struct rr_fixed, rdlength) + sizeof(u_int16_t)
+};
+
+/* RFC 1035 3.3.14: TXT RRs have text in the RDATA field.
+ * It is in the form of a sequence of <character-string>s as described in 3.3.
+ * unpack_txt_rdata() deals with this peculiar representation.
+ */
+
+/* RFC 2535 3.1 KEY RDATA format:
+ *
+ * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | flags | protocol | algorithm |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | /
+ * / public key /
+ * / /
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ */
+
+struct key_rdata {
+ u_int16_t flags;
+ u_int8_t protocol;
+ u_int8_t algorithm;
+};
+
+static field_desc key_rdata_fields[] = {
+ { ft_nat, 16/BITS_PER_BYTE, "flags", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "protocol", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+static struct_desc key_rdata_desc = {
+ "KEY RR RData fixed part",
+ key_rdata_fields,
+ sizeof(struct key_rdata)
+};
+
+/* RFC 2535 4.1 SIG RDATA format:
+ *
+ * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | type covered | algorithm | labels |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | original TTL |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | signature expiration |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | signature inception |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | key tag | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name +
+ * | /
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
+ * / /
+ * / signature /
+ * / /
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+struct sig_rdata {
+ u_int16_t type_covered;
+ u_int8_t algorithm;
+ u_int8_t labels;
+ u_int32_t original_ttl;
+ u_int32_t sig_expiration;
+ u_int32_t sig_inception;
+ u_int16_t key_tag;
+};
+
+static field_desc sig_rdata_fields[] = {
+ { ft_nat, 16/BITS_PER_BYTE, "type_covered", NULL},
+ { ft_nat, 8/BITS_PER_BYTE, "algorithm", NULL},
+ { ft_nat, 8/BITS_PER_BYTE, "labels", NULL},
+ { ft_nat, 32/BITS_PER_BYTE, "original ttl", NULL},
+ { ft_nat, 32/BITS_PER_BYTE, "sig expiration", NULL},
+ { ft_nat, 32/BITS_PER_BYTE, "sig inception", NULL},
+ { ft_nat, 16/BITS_PER_BYTE, "key tag", NULL},
+ { ft_end, 0, NULL, NULL }
+};
+
+static struct_desc sig_rdata_desc = {
+ "SIG RR RData fixed part",
+ sig_rdata_fields,
+ sizeof(struct sig_rdata)
+};
+
+/* handle a KEY Resource Record. */
+
+#ifdef USE_KEYRR
+static err_t
+process_key_rr(u_char *ptr, size_t len
+, bool doit /* should we capture information? */
+, enum dns_auth_level dns_auth_level
+, struct adns_continuation *const cr)
+{
+ pb_stream pbs;
+ struct key_rdata kr;
+
+ if (len < sizeof(struct key_rdata))
+ return "KEY Resource Record's RD Length is too small";
+
+ init_pbs(&pbs, ptr, len, "KEY RR");
+
+ if (!in_struct(&kr, &key_rdata_desc, &pbs, NULL))
+ return "failed to get fixed part of KEY Resource Record RDATA";
+
+ if (kr.protocol == 4 /* IPSEC (RFC 2535 3.1.3) */
+ && kr.algorithm == 1 /* RSA/MD5 (RFC 2535 3.2) */
+ && (kr.flags & 0x8000) == 0 /* use for authentication (3.1.2) */
+ && (kr.flags & 0x2CF0) == 0) /* must be zero */
+ {
+ /* we have what seems to be a tasty key */
+
+ if (doit)
+ {
+ chunk_t k;
+
+ setchunk(k, pbs.cur, pbs_left(&pbs));
+ TRY(add_public_key(&cr->id, dns_auth_level, PUBKEY_ALG_RSA, &k
+ , &cr->keys_from_dns));
+ }
+ }
+ return NULL;
+}
+#endif /* USE_KEYRR */
+
+
+/* unpack TXT rr RDATA into C string.
+ * A sequence of <character-string>s as described in RFC 1035 3.3.
+ * We concatenate them.
+ */
+static err_t
+unpack_txt_rdata(u_char *d, size_t dlen, const u_char *s, size_t slen)
+{
+ size_t i = 0
+ , o = 0;
+
+ while (i < slen)
+ {
+ size_t cl = s[i++];
+
+ if (i + cl > slen)
+ return "TXT rr RDATA representation malformed";
+
+ if (o + cl >= dlen)
+ return "TXT rr RDATA too large";
+
+ memcpy(d + o, s + i, cl);
+ i += cl;
+ o += cl;
+ }
+ d[o] = '\0';
+ if (strlen(d) != o)
+ return "TXT rr RDATA contains a NUL";
+
+ return NULL;
+}
+
+static err_t
+process_txt_rr(u_char *rdata, size_t rdlen
+, bool doit /* should we capture information? */
+, enum dns_auth_level dns_auth_level
+, struct adns_continuation *const cr)
+{
+ u_char str[RSA_MAX_ENCODING_BYTES * 8 / 6 + 20]; /* space for unpacked RDATA */
+
+ TRY(unpack_txt_rdata(str, sizeof(str), rdata, rdlen));
+ return process_txt_rr_body(str, doit, dns_auth_level, cr);
+}
+
+static err_t
+process_answer_section(pb_stream *pbs
+, bool doit /* should we capture information? */
+, enum dns_auth_level *dns_auth_level
+, u_int16_t ancount /* number of RRs in the answer section */
+, struct adns_continuation *const cr)
+{
+ const int type = cr->query.type; /* type of RR of interest */
+ unsigned c;
+
+ DBG(DBG_DNS, DBG_log("*Answer Section:"));
+
+ for (c = 0; c != ancount; c++)
+ {
+ struct rr_fixed rrf;
+ size_t tail;
+
+ /* ??? do we need to match the name? */
+
+ TRY(eat_name_helpfully(pbs, "Answer Section"));
+
+ if (!in_struct(&rrf, &rr_fixed_desc, pbs, NULL))
+ return "failed to get fixed part of Answer Section Resource Record";
+
+ if (rrf.rdlength > pbs_left(pbs))
+ return "RD Length extends beyond end of message";
+
+ /* ??? should we care about ttl? */
+
+ tail = rrf.rdlength;
+
+ if (rrf.type == type && rrf.class == C_IN)
+ {
+ err_t ugh = NULL;
+
+ switch (type)
+ {
+#ifdef USE_KEYRR
+ case T_KEY:
+ ugh = process_key_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
+ break;
+#endif /* USE_KEYRR */
+ case T_TXT:
+ ugh = process_txt_rr(pbs->cur, tail, doit, *dns_auth_level, cr);
+ break;
+ case T_SIG:
+ /* Check if SIG RR authenticates what we are learning.
+ * The RRset covered by a SIG must have the same owner,
+ * class, and type.
+ * For us, the class is always C_IN, so that matches.
+ * We decode the SIG RR's fixed part to check
+ * that the type_covered field matches our query type
+ * (this may be redundant).
+ * We don't check the owner (apparently this is the
+ * name on the record) -- we assume that it matches
+ * or we would not have been given this SIG in the
+ * Answer Section.
+ *
+ * We only look on first pass, and only if we've something
+ * to learn. This cuts down on useless decoding.
+ */
+ if (!doit && *dns_auth_level == DAL_UNSIGNED)
+ {
+ struct sig_rdata sr;
+
+ if (!in_struct(&sr, &sig_rdata_desc, pbs, NULL))
+ ugh = "failed to get fixed part of SIG Resource Record RDATA";
+ else if (sr.type_covered == type)
+ *dns_auth_level = DAL_SIGNED;
+ }
+ break;
+ default:
+ ugh = builddiag("unexpected RR type %d", type);
+ break;
+ }
+ if (ugh != NULL)
+ return ugh;
+ }
+ in_raw(NULL, tail, pbs, "RR RDATA");
+ }
+
+ return doit
+ && cr->gateways_from_dns == NULL
+#ifdef USE_KEYRR
+ && cr->keys_from_dns == NULL
+#endif /* USE_KEYRR */
+ ? builddiag("no suitable %s record found in DNS", rr_typename(type))
+ : NULL;
+}
+
+/* process DNS answer -- TXT or KEY query */
+
+static err_t
+process_dns_answer(struct adns_continuation *const cr
+, u_char ans[], int anslen)
+{
+ const int type = cr->query.type; /* type of record being sought */
+ int r; /* all-purpose return value holder */
+ u_int16_t c; /* number of current RR in current answer section */
+ pb_stream pbs;
+ u_int8_t *ans_start; /* saved position of answer section */
+ struct qr_header qr_header;
+ enum dns_auth_level dns_auth_level;
+
+ init_pbs(&pbs, ans, anslen, "Query Response Message");
+
+ /* decode and check header */
+
+ if (!in_struct(&qr_header, &qr_header_desc, &pbs, NULL))
+ return "malformed header";
+
+ /* ID: nothing to do with us */
+
+ /* stuff -- lots of things */
+ if ((qr_header.stuff & QRS_QR) == 0)
+ return "not a response?!?";
+
+ if (((qr_header.stuff >> QRS_OPCODE_SHIFT) & QRS_OPCODE_MASK) != QRSO_QUERY)
+ return "unexpected opcode";
+
+ /* I don't think we care about AA */
+
+ if (qr_header.stuff & QRS_TC)
+ return "response truncated";
+
+ /* I don't think we care about RD, RA, or CD */
+
+ /* AD means "authentic data" */
+ dns_auth_level = qr_header.stuff & QRS_AD? DAL_UNSIGNED : DAL_NOTSEC;
+
+ if (qr_header.stuff & QRS_Z)
+ return "Z bit is not zero";
+
+ r = (qr_header.stuff >> QRS_RCODE_SHIFT) & QRS_RCODE_MASK;
+ if (r != 0)
+ return r < (int)elemsof(rcode_text)? rcode_text[r] : "unknown rcode";
+
+ if (qr_header.ancount == 0)
+ return builddiag("no %s RR found by DNS", rr_typename(type));
+
+ /* end of header checking */
+
+ /* Question Section processing */
+
+ /* 4.1.2. Question section format:
+ * 1 1 1 1 1 1
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | |
+ * / QNAME /
+ * / /
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | QTYPE |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ * | QCLASS |
+ * +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ */
+
+ DBG(DBG_DNS, DBG_log("*Question Section:"));
+
+ for (c = 0; c != qr_header.qdcount; c++)
+ {
+ struct qs_fixed qsf;
+
+ TRY(eat_name_helpfully(&pbs, "Question Section"));
+
+ if (!in_struct(&qsf, &qs_fixed_desc, &pbs, NULL))
+ return "failed to get fixed part of Question Section";
+
+ if (qsf.qtype != type)
+ return "unexpected QTYPE in Question Section";
+
+ if (qsf.qclass != C_IN)
+ return "unexpected QCLASS in Question Section";
+ }
+
+ /* rest of sections are made up of Resource Records */
+
+ /* Answer Section processing -- error checking, noting T_SIG */
+
+ ans_start = pbs.cur; /* remember start of answer section */
+
+ TRY(process_answer_section(&pbs, FALSE, &dns_auth_level
+ , qr_header.ancount, cr));
+
+ /* Authority Section processing (just sanity checking) */
+
+ DBG(DBG_DNS, DBG_log("*Authority Section:"));
+
+ for (c = 0; c != qr_header.nscount; c++)
+ {
+ struct rr_fixed rrf;
+ size_t tail;
+
+ TRY(eat_name_helpfully(&pbs, "Authority Section"));
+
+ if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
+ return "failed to get fixed part of Authority Section Resource Record";
+
+ if (rrf.rdlength > pbs_left(&pbs))
+ return "RD Length extends beyond end of message";
+
+ /* ??? should we care about ttl? */
+
+ tail = rrf.rdlength;
+
+ in_raw(NULL, tail, &pbs, "RR RDATA");
+ }
+
+ /* Additional Section processing (just sanity checking) */
+
+ DBG(DBG_DNS, DBG_log("*Additional Section:"));
+
+ for (c = 0; c != qr_header.arcount; c++)
+ {
+ struct rr_fixed rrf;
+ size_t tail;
+
+ TRY(eat_name_helpfully(&pbs, "Additional Section"));
+
+ if (!in_struct(&rrf, &rr_fixed_desc, &pbs, NULL))
+ return "failed to get fixed part of Additional Section Resource Record";
+
+ if (rrf.rdlength > pbs_left(&pbs))
+ return "RD Length extends beyond end of message";
+
+ /* ??? should we care about ttl? */
+
+ tail = rrf.rdlength;
+
+ in_raw(NULL, tail, &pbs, "RR RDATA");
+ }
+
+ /* done all sections */
+
+ /* ??? is padding legal, or can we complain if more left in record? */
+
+ /* process Answer Section again -- accept contents */
+
+ pbs.cur = ans_start; /* go back to start of answer section */
+
+ return process_answer_section(&pbs, TRUE, &dns_auth_level
+ , qr_header.ancount, cr);
+}
+
+#endif /* ! USE_LWRES */
+
+
+/****************************************************************/
+
+static err_t
+build_dns_name(u_char name_buf[NS_MAXDNAME + 2]
+, unsigned long serial USED_BY_DEBUG
+, const struct id *id
+, const char *typename USED_BY_DEBUG
+, const char *gwname USED_BY_DEBUG)
+{
+ /* note: all end in "." to suppress relative searches */
+ id = resolve_myid(id);
+ switch (id->kind)
+ {
+ case ID_IPV4_ADDR:
+ {
+ /* XXX: this is really ugly and only temporary until addrtot can
+ * generate the correct format
+ */
+ const unsigned char *b;
+ size_t bl USED_BY_DEBUG = addrbytesptr(&id->ip_addr, &b);
+
+ passert(bl == 4);
+ snprintf(name_buf, NS_MAXDNAME + 2, "%d.%d.%d.%d.in-addr.arpa."
+ , b[3], b[2], b[1], b[0]);
+ break;
+ }
+
+ case ID_IPV6_ADDR:
+ {
+ /* ??? is this correct? */
+ const unsigned char *b;
+ size_t bl;
+ u_char *op = name_buf;
+ static const char suffix[] = "IP6.INT.";
+
+ for (bl = addrbytesptr(&id->ip_addr, &b); bl-- != 0; )
+ {
+ if (op + 4 + sizeof(suffix) >= name_buf + NS_MAXDNAME + 1)
+ return "IPv6 reverse name too long";
+ op += sprintf(op, "%x.%x.", b[bl] & 0xF, b[bl] >> 4);
+ }
+ strcpy(op, suffix);
+ break;
+ }
+
+ case ID_FQDN:
+ /* strip trailing "." characters, then add one */
+ {
+ size_t il = id->name.len;
+
+ while (il > 0 && id->name.ptr[il - 1] == '.')
+ il--;
+ if (il > NS_MAXDNAME)
+ return "FQDN too long for domain name";
+
+ memcpy(name_buf, id->name.ptr, il);
+ strcpy(name_buf + il, ".");
+ }
+ break;
+
+ default:
+ return "can only query DNS for key for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR";
+ }
+
+ DBG(DBG_CONTROL | DBG_DNS, DBG_log("DNS query %lu for %s for %s (gw: %s)"
+ , serial, typename, name_buf, gwname));
+ return NULL;
+}
+
+void
+gw_addref(struct gw_info *gw)
+{
+ if (gw != NULL)
+ {
+ DBG(DBG_DNS, DBG_log("gw_addref: %p refcnt: %d++", gw, gw->refcnt))
+ gw->refcnt++;
+ }
+}
+
+void
+gw_delref(struct gw_info **gwp)
+{
+ struct gw_info *gw = *gwp;
+
+ if (gw != NULL)
+ {
+ DBG(DBG_DNS, DBG_log("gw_delref: %p refcnt: %d--", gw, gw->refcnt));
+
+ passert(gw->refcnt != 0);
+ gw->refcnt--;
+ if (gw->refcnt == 0)
+ {
+ free_id_content(&gw->client_id);
+ free_id_content(&gw->gw_id);
+ if (gw->gw_key_present)
+ unreference_key(&gw->key);
+ gw_delref(&gw->next);
+ pfree(gw); /* trickery could make this a tail-call */
+ }
+ *gwp = NULL;
+ }
+}
+
+static int adns_in_flight = 0; /* queries outstanding */
+
+/* Start an asynchronous DNS query.
+ *
+ * For KEY record, the result will be a list in cr->keys_from_dns.
+ * For TXT records, the result will be a list in cr->gateways_from_dns.
+ *
+ * If sgw_id is null, only consider TXT records that specify an
+ * IP address for the gatway: we need this in the initiation case.
+ *
+ * If sgw_id is non-null, only consider TXT records that specify
+ * this id as the security gatway; this is useful to the Responder
+ * for confirming claims of gateways.
+ *
+ * Continuation cr gives information for continuing when the result shows up.
+ *
+ * Two kinds of errors must be handled: synchronous (immediate)
+ * and asynchronous. Synchronous errors are indicated by the returned
+ * value of start_adns_query; in this case, the continuation will
+ * have been freed and the continuation routine will not be called.
+ * Asynchronous errors are indicated by the ugh parameter passed to the
+ * continuation routine.
+ *
+ * After the continuation routine has completed, handle_adns_answer
+ * will free the continuation. The continuation routine should have
+ * freed any axiliary resources.
+ *
+ * Note: in the synchronous error case, start_adns_query will have
+ * freed the continuation; this means that the caller will have to
+ * be very careful to release any auxiliary resources that were in
+ * the continuation record without using the continuation record.
+ *
+ * Either there will be an error result passed to the continuation routine,
+ * or the results will be in cr->keys_from_dns or cr->gateways_from_dns.
+ * The result variables must by left NULL by the continutation routine.
+ * The continuation routine is responsible for establishing and
+ * disestablishing any logging context (whack_log_fd, cur_*).
+ */
+
+static struct adns_continuation *continuations = NULL; /* newest of queue */
+static struct adns_continuation *next_query = NULL; /* oldest not sent */
+
+static struct adns_continuation *
+continuation_for_qtid(unsigned long qtid)
+{
+ struct adns_continuation *cr = NULL;
+
+ if (qtid != 0)
+ for (cr = continuations; cr != NULL && cr->qtid != qtid; cr = cr->previous)
+ ;
+ return cr;
+}
+
+static void
+release_adns_continuation(struct adns_continuation *cr)
+{
+ passert(cr != next_query);
+ gw_delref(&cr->gateways_from_dns);
+#ifdef USE_KEYRR
+ free_public_keys(&cr->keys_from_dns);
+#endif /* USE_KEYRR */
+ unshare_id_content(&cr->id);
+ unshare_id_content(&cr->sgw_id);
+
+ /* unlink from doubly-linked list */
+ if (cr->next == NULL)
+ {
+ passert(continuations == cr);
+ continuations = cr->previous;
+ }
+ else
+ {
+ passert(cr->next->previous == cr);
+ cr->next->previous = cr->previous;
+ }
+
+ if (cr->previous != NULL)
+ {
+ passert(cr->previous->next == cr);
+ cr->previous->next = cr->next;
+ }
+
+ pfree(cr);
+}
+
+err_t
+start_adns_query(const struct id *id /* domain to query */
+, const struct id *sgw_id /* if non-null, any accepted gw_info must match */
+, int type /* T_TXT or T_KEY, selecting rr type of interest */
+, cont_fn_t cont_fn
+, struct adns_continuation *cr)
+{
+ static unsigned long qtid = 1; /* query transaction id; NOTE: static */
+ const char *typename = rr_typename(type);
+ char gwidb[BUF_LEN];
+
+ if(adns_pid == 0
+ && adns_restart_count < ADNS_RESTART_MAX)
+ {
+ plog("ADNS helper was not running. Restarting attempt %d",adns_restart_count);
+ init_adns();
+ }
+
+
+ /* Splice this in at head of doubly-linked list of continuations.
+ * Note: this must be done before any release_adns_continuation().
+ */
+ cr->next = NULL;
+ cr->previous = continuations;
+ if (continuations != NULL)
+ {
+ passert(continuations->next == NULL);
+ continuations->next = cr;
+ }
+ continuations = cr;
+
+ cr->qtid = qtid++;
+ cr->type = type;
+ cr->cont_fn = cont_fn;
+ cr->id = *id;
+ unshare_id_content(&cr->id);
+ cr->sgw_specified = sgw_id != NULL;
+ cr->sgw_id = cr->sgw_specified? *sgw_id : empty_id;
+ unshare_id_content(&cr->sgw_id);
+ cr->gateways_from_dns = NULL;
+#ifdef USE_KEYRR
+ cr->keys_from_dns = NULL;
+#endif /* USE_KEYRR */
+
+#ifdef DEBUG
+ cr->debugging = cur_debugging;
+#else
+ cr->debugging = LEMPTY;
+#endif
+
+ idtoa(&cr->sgw_id, gwidb, sizeof(gwidb));
+
+ zero(&cr->query);
+
+ {
+ err_t ugh = build_dns_name(cr->query.name_buf, cr->qtid
+ , id, typename, gwidb);
+
+ if (ugh != NULL)
+ {
+ release_adns_continuation(cr);
+ return ugh;
+ }
+ }
+
+ if (next_query == NULL)
+ next_query = cr;
+
+ unsent_ADNS_queries = TRUE;
+
+ return NULL;
+}
+
+/* send remaining ADNS queries (until pipe full or none left)
+ *
+ * This is a co-routine, so it uses static variables to
+ * preserve state across calls.
+ */
+bool unsent_ADNS_queries = FALSE;
+
+void
+send_unsent_ADNS_queries(void)
+{
+ static const unsigned char *buf_end = NULL; /* NOTE STATIC */
+ static const unsigned char *buf_cur = NULL; /* NOTE STATIC */
+
+ if (adns_qfd == NULL_FD)
+ return; /* nothing useful to do */
+
+ for (;;)
+ {
+ if (buf_cur != buf_end)
+ {
+ static int try = 0; /* NOTE STATIC */
+ size_t n = buf_end - buf_cur;
+ ssize_t r = write(adns_qfd, buf_cur, n);
+
+ if (r == -1)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ continue; /* try again now */
+ case EAGAIN:
+ DBG(DBG_DNS, DBG_log("EAGAIN writing to ADNS"));
+ break; /* try again later */
+ default:
+ try++;
+ log_errno((e, "error %d writing DNS query", try));
+ break; /* try again later */
+ }
+ unsent_ADNS_queries = TRUE;
+ break; /* done! */
+ }
+ else
+ {
+ passert(r >= 0);
+ try = 0;
+ buf_cur += r;
+ }
+ }
+ else
+ {
+ if (next_query == NULL)
+ {
+ unsent_ADNS_queries = FALSE;
+ break; /* done! */
+ }
+
+#ifdef USE_LWRES
+ next_query->used = FALSE;
+ {
+ /* NOTE STATIC: */
+ static unsigned char qbuf[LWDNSQ_CMDBUF_LEN + 1]; /* room for NUL */
+
+ snprintf(qbuf, sizeof(qbuf), "%s %lu %s\n"
+ , rr_typename(next_query->type)
+ , next_query->qtid
+ , next_query->query.name_buf);
+ DBG(DBG_DNS, DBG_log("lwdnsq query: %.*s", (int)(strlen(qbuf) - 1), qbuf));
+ buf_cur = qbuf;
+ buf_end = qbuf + strlen(qbuf);
+ }
+#else /* !USE_LWRES */
+ next_query->query.debugging = next_query->debugging;
+ next_query->query.serial = next_query->qtid;
+ next_query->query.len = sizeof(next_query->query);
+ next_query->query.qmagic = ADNS_Q_MAGIC;
+ next_query->query.type = next_query->type;
+ buf_cur = (const void *)&next_query->query;
+ buf_end = buf_cur + sizeof(next_query->query);
+#endif /* !USE_LWRES */
+ next_query = next_query->next;
+ adns_in_flight++;
+ }
+ }
+}
+
+#ifdef USE_LWRES
+/* Process a line of lwdnsq answer.
+ * Returns with error message iff lwdnsq result is malformed.
+ * Most errors will be in DNS data and will be handled by cr->cont_fn.
+ */
+static err_t
+process_lwdnsq_answer(char *ts)
+{
+ err_t ugh = NULL;
+ char *rest;
+ char *p;
+ char *endofnumber;
+ struct adns_continuation *cr = NULL;
+ unsigned long qtid;
+ time_t anstime; /* time of answer */
+ char *atype; /* type of answer */
+ long ttl; /* ttl of answer; int, but long for conversion */
+ bool AuthenticatedData = FALSE;
+ static char scratch_null_str[] = ""; /* cannot be const, but isn't written */
+
+ /* query transaction id */
+ rest = ts;
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq: answer missing query transaction ID";
+
+ qtid = strtoul(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq: malformed query transaction ID";
+
+ cr = continuation_for_qtid(qtid);
+ if (qtid != 0 && cr == NULL)
+ return "lwdnsq: unrecognized qtid"; /* can't happen! */
+
+ /* time */
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq: missing time";
+
+ anstime = strtoul(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq: malformed time";
+
+ /* TTL */
+ p = strsep(&rest, " \t");
+ if (p == NULL)
+ return "lwdnsq: missing TTL";
+
+ ttl = strtol(p, &endofnumber, 10);
+ if (*endofnumber != '\0')
+ return "lwdnsq: malformed TTL";
+
+ /* type */
+ atype = strsep(&rest, " \t");
+ if (atype == NULL)
+ return "lwdnsq: missing type";
+
+ /* if rest is NULL, make it "", otherwise eat whitespace after type */
+ rest = rest == NULL? scratch_null_str : rest + strspn(rest, " \t");
+
+ if (strncasecmp(atype, "AD-", 3) == 0)
+ {
+ AuthenticatedData = TRUE;
+ atype += 3;
+ }
+
+ /* deal with each type */
+
+ if (cr == NULL)
+ {
+ /* we don't actually know which this applies to */
+ return builddiag("lwdnsq: 0 qtid invalid with %s", atype);
+ }
+ else if (strcaseeq(atype, "START"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "DONE"))
+ {
+ if (!cr->used)
+ {
+ /* "no results returned by lwdnsq" should not happen */
+ cr->cont_fn(cr
+ , cr->gateways_from_dns == NULL
+#ifdef USE_KEYRR
+ && cr->keys_from_dns == NULL
+#endif /* USE_KEYRR */
+ ? "no results returned by lwdnsq" : NULL);
+ cr->used = TRUE;
+ }
+ reset_globals();
+ release_adns_continuation(cr);
+ adns_in_flight--;
+ }
+ else if (strcaseeq(atype, "RETRY"))
+ {
+ if (!cr->used)
+ {
+ cr->cont_fn(cr, rest);
+ cr->used = TRUE;
+ }
+ }
+ else if (strcaseeq(atype, "FATAL"))
+ {
+ if (!cr->used)
+ {
+ cr->cont_fn(cr, rest);
+ cr->used = TRUE;
+ }
+ }
+ else if (strcaseeq(atype, "DNSSEC"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "NAME"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "TXT"))
+ {
+ char *end = rest + strlen(rest);
+ err_t txt_ugh;
+
+ if (*rest == '"' && end[-1] == '"')
+ {
+ /* strip those pesky quotes */
+ rest++;
+ *--end = '\0';
+ }
+
+ txt_ugh = process_txt_rr_body(rest
+ , TRUE
+ , AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
+ , cr);
+
+ if (txt_ugh != NULL)
+ {
+ DBG(DBG_DNS,
+ DBG_log("error processing TXT resource record (%s) while processing: %s"
+ , txt_ugh, rest));
+ cr->cont_fn(cr, txt_ugh);
+ cr->used = TRUE;
+ }
+ }
+ else if (strcaseeq(atype, "SIG"))
+ {
+ /* record the SIG records for posterity */
+ if (cr->last_info != NULL)
+ {
+ pfreeany(cr->last_info->dns_sig);
+ cr->last_info->dns_sig = clone_str(rest, "sigrecord");
+ }
+ }
+ else if (strcaseeq(atype, "A"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "AAAA"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "CNAME"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "CNAMEFROM"))
+ {
+ /* ignore */
+ }
+ else if (strcaseeq(atype, "PTR"))
+ {
+ /* ignore */
+ }
+#ifdef USE_KEYRR
+ else if (strcaseeq(atype, "KEY"))
+ {
+ err_t key_ugh = process_lwdnsq_key(rest
+ , AuthenticatedData? DAL_SIGNED : DAL_NOTSEC
+ , cr);
+
+ if (key_ugh != NULL)
+ {
+ DBG(DBG_DNS,
+ DBG_log("error processing KEY resource record (%s) while processing: %s"
+ , key_ugh, rest));
+ cr->cont_fn(cr, key_ugh);
+ cr->used = TRUE;
+ }
+ }
+#endif /* USE_KEYRR */
+ else
+ {
+ ugh = "lwdnsq: unrecognized type";
+ }
+ return ugh;
+}
+#endif /* USE_LWRES */
+
+static void
+recover_adns_die(void)
+{
+ struct adns_continuation *cr = NULL;
+
+ adns_pid = 0;
+ if(adns_restart_count < ADNS_RESTART_MAX) {
+ adns_restart_count++;
+
+ /* next DNS query will restart it */
+
+ /* we have to walk the list of the outstanding requests,
+ * and redo them!
+ */
+
+ cr = continuations;
+
+ /* find the head of the list */
+ if(continuations != NULL) {
+ for (; cr->previous != NULL; cr = cr->previous);
+ }
+
+ next_query = cr;
+
+ if(next_query != NULL) {
+ unsent_ADNS_queries = TRUE;
+ }
+ }
+}
+
+void reset_adns_restart_count(void)
+{
+ adns_restart_count=0;
+}
+
+void
+handle_adns_answer(void)
+{
+ /* These are retained across calls to handle_adns_answer. */
+ static size_t buflen = 0; /* bytes in answer buffer */
+#ifndef USE_LWRES
+ static struct adns_answer buf;
+#else /* USE_LWRES */
+ static char buf[LWDNSQ_RESULT_LEN_MAX];
+ static char buf_copy[LWDNSQ_RESULT_LEN_MAX];
+#endif /* USE_LWRES */
+
+ ssize_t n;
+
+ passert(buflen < sizeof(buf));
+ n = read(adns_afd, (unsigned char *)&buf + buflen, sizeof(buf) - buflen);
+
+ if (n < 0)
+ {
+ if (errno != EINTR)
+ {
+ log_errno((e, "error reading answer from adns"));
+ /* ??? how can we recover? */
+ }
+ n = 0; /* now n reflects amount read */
+ }
+ else if (n == 0)
+ {
+ /* EOF */
+ if (adns_in_flight != 0)
+ {
+ plog("EOF from ADNS with %d queries outstanding (restarts %d)"
+ , adns_in_flight, adns_restart_count);
+ recover_adns_die();
+ }
+ if (buflen != 0)
+ {
+ plog("EOF from ADNS with %lu bytes of a partial answer outstanding"
+ "(restarts %d)"
+ , (unsigned long)buflen
+ , adns_restart_count);
+ recover_adns_die();
+ }
+ stop_adns();
+ return;
+ }
+ else
+ {
+ passert(adns_in_flight > 0);
+ }
+
+ buflen += n;
+#ifndef USE_LWRES
+ while (buflen >= offsetof(struct adns_answer, ans) && buflen >= buf.len)
+ {
+ /* we've got a tasty answer -- process it */
+ err_t ugh;
+ struct adns_continuation *cr = continuation_for_qtid(buf.serial); /* assume it works */
+ const char *typename = rr_typename(cr->query.type);
+ const char *name_buf = cr->query.name_buf;
+
+#ifdef USE_KEYRR
+ passert(cr->keys_from_dns == NULL);
+#endif /* USE_KEYRR */
+ passert(cr->gateways_from_dns == NULL);
+ adns_in_flight--;
+ if (buf.result == -1)
+ {
+ /* newer resolvers support statp->res_h_errno as well as h_errno.
+ * That might be better, but older resolvers don't.
+ * See resolver(3), if you have it.
+ * The undocumented(!) h_errno values are defined in
+ * /usr/include/netdb.h.
+ */
+ switch (buf.h_errno_val)
+ {
+ case NO_DATA:
+ ugh = builddiag("no %s record for %s", typename, name_buf);
+ break;
+ case HOST_NOT_FOUND:
+ ugh = builddiag("no host %s for %s record", name_buf, typename);
+ break;
+ default:
+ ugh = builddiag("failure querying DNS for %s of %s: %s"
+ , typename, name_buf, hstrerror(buf.h_errno_val));
+ break;
+ }
+ }
+ else if (buf.result > (int) sizeof(buf.ans))
+ {
+ ugh = builddiag("(INTERNAL ERROR) answer too long (%ld) for buffer"
+ , (long)buf.result);
+ }
+ else
+ {
+ ugh = process_dns_answer(cr, buf.ans, buf.result);
+ if (ugh != NULL)
+ ugh = builddiag("failure processing %s record of DNS answer for %s: %s"
+ , typename, name_buf, ugh);
+ }
+ DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS,
+ DBG_log(BLANK_FORMAT);
+ if (ugh == NULL)
+ DBG_log("asynch DNS answer %lu for %s of %s"
+ , cr->query.serial, typename, name_buf);
+ else
+ DBG_log("asynch DNS answer %lu %s", cr->query.serial, ugh);
+ );
+
+ passert(GLOBALS_ARE_RESET());
+ cr->cont_fn(cr, ugh);
+ reset_globals();
+ release_adns_continuation(cr);
+
+ /* shift out answer that we've consumed */
+ buflen -= buf.len;
+ memmove((unsigned char *)&buf, (unsigned char *)&buf + buf.len, buflen);
+ }
+#else /* USE_LWRES */
+ for (;;)
+ {
+ err_t ugh;
+ char *nlp = memchr(buf, '\n', buflen);
+
+ if (nlp == NULL)
+ break;
+
+ /* we've got a line */
+ *nlp++ = '\0';
+
+ DBG(DBG_RAW | DBG_CRYPT | DBG_PARSING | DBG_CONTROL | DBG_DNS
+ , DBG_log("lwdns: %s", buf));
+
+ /* process lwdnsq_answer may modify buf, so make a copy. */
+ buf_copy[0]='\0';
+ strncat(buf_copy, buf, sizeof(buf_copy));
+
+ ugh = process_lwdnsq_answer(buf_copy);
+ if (ugh != NULL)
+ plog("failure processing lwdnsq output: %s; record: %s"
+ , ugh, buf);
+
+ passert(GLOBALS_ARE_RESET());
+ reset_globals();
+
+ /* shift out answer that we've consumed */
+ buflen -= nlp - buf;
+ memmove(buf, nlp, buflen);
+ }
+#endif /* USE_LWRES */
+}
diff --git a/src/pluto/dnskey.h b/src/pluto/dnskey.h
new file mode 100644
index 000000000..0b9f0ee33
--- /dev/null
+++ b/src/pluto/dnskey.h
@@ -0,0 +1,84 @@
+/* Find public key in DNS
+ * Copyright (C) 2000-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: dnskey.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+extern int
+ adns_qfd, /* file descriptor for sending queries to adns */
+ adns_afd; /* file descriptor for receiving answers from adns */
+extern const char *pluto_adns_option; /* path from --pluto_adns */
+extern void init_adns(void);
+extern void stop_adns(void);
+extern void handle_adns_answer(void);
+
+extern bool unsent_ADNS_queries;
+extern void send_unsent_ADNS_queries(void);
+
+/* (common prefix of) stuff remembered between async query and answer.
+ * Filled in by start_adns_query.
+ * Freed by call to release_adns_continuation.
+ */
+
+struct adns_continuation; /* forward declaration (not far!) */
+
+typedef void (*cont_fn_t)(struct adns_continuation *cr, err_t ugh);
+
+struct adns_continuation {
+ unsigned long qtid; /* query transaction id number */
+ int type; /* T_TXT or T_KEY, selecting rr type of interest */
+ cont_fn_t cont_fn; /* function to carry on suspended work */
+ struct id id; /* subject of query */
+ bool sgw_specified;
+ struct id sgw_id; /* peer, if constrained */
+ lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */
+ struct gw_info *gateways_from_dns; /* answer, if looking for our TXT rrs */
+#ifdef USE_KEYRR
+ struct pubkey_list *keys_from_dns; /* answer, if looking for KEY rrs */
+#endif
+ struct adns_continuation *previous, *next;
+ struct pubkey *last_info; /* the last structure we accumulated */
+#ifdef USE_LWRES
+ bool used; /* have we called the cont_fn yet? */
+ struct {
+ u_char name_buf[NS_MAXDNAME + 2];
+ } query;
+#else /* ! USE_LWRES */
+ struct adns_query query;
+#endif /* ! USE_LWRES */
+};
+
+extern err_t start_adns_query(const struct id *id /* domain to query */
+ , const struct id *sgw_id /* if non-null, any accepted gw_info must match */
+ , int type /* T_TXT or T_KEY, selecting rr type of interest */
+ , cont_fn_t cont_fn /* continuation function */
+ , struct adns_continuation *cr);
+
+
+/* Gateway info gleaned from reverse DNS of client */
+struct gw_info {
+ unsigned refcnt; /* reference counted! */
+ unsigned pref; /* preference: lower is better */
+#define NO_TIME ((time_t) -2) /* time_t value meaning "not_yet" */
+ struct id client_id; /* id of client of peer */
+ struct id gw_id; /* id of peer (if id_is_ipaddr, .ip_addr is address) */
+ bool gw_key_present;
+ struct pubkey *key;
+ struct gw_info *next;
+};
+
+extern void gw_addref(struct gw_info *gw)
+ , gw_delref(struct gw_info **gwp);
+
+extern void reset_adns_restart_count(void);
+
diff --git a/src/pluto/dsa.c b/src/pluto/dsa.c
new file mode 100644
index 000000000..c5982fbf4
--- /dev/null
+++ b/src/pluto/dsa.c
@@ -0,0 +1,476 @@
+/* dsa.c - DSA signature scheme
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef PLUTO
+#include <gmp.h>
+#include <freeswan.h>
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "rnd.h"
+#include "gcryptfix.h"
+#else /*! PLUTO */
+/* #include <config.h> */
+#endif /* !PLUTO */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef PLUTO
+/* #include <assert.h> */
+/* #include "util.h" */
+/* #include "mpi.h" */
+/* #include "cipher.h" */
+#endif
+
+#include "dsa.h"
+
+typedef struct {
+ MPI p; /* prime */
+ MPI q; /* group order */
+ MPI g; /* group generator */
+ MPI y; /* g^x mod p */
+} DSA_public_key;
+
+
+typedef struct {
+ MPI p; /* prime */
+ MPI q; /* group order */
+ MPI g; /* group generator */
+ MPI y; /* g^x mod p */
+ MPI x; /* secret exponent */
+} DSA_secret_key;
+
+
+static MPI gen_k( MPI q );
+static void test_keys( DSA_secret_key *sk, unsigned qbits );
+static int check_secret_key( DSA_secret_key *sk );
+static void generate( DSA_secret_key *sk, unsigned nbits, MPI **ret_factors );
+static void sign(MPI r, MPI s, MPI input, DSA_secret_key *skey);
+static int verify(MPI r, MPI s, MPI input, DSA_public_key *pkey);
+
+static void
+progress( int c )
+{
+ fputc( c, stderr );
+}
+
+
+/****************
+ * Generate a random secret exponent k less than q
+ */
+static MPI
+gen_k( MPI q )
+{
+ MPI k = mpi_alloc_secure( mpi_get_nlimbs(q) );
+ unsigned int nbits = mpi_get_nbits(q);
+ unsigned int nbytes = (nbits+7)/8;
+ char *rndbuf = NULL;
+
+ if( DBG_CIPHER )
+ log_debug("choosing a random k ");
+ for(;;) {
+ if( DBG_CIPHER )
+ progress('.');
+
+ if( !rndbuf || nbits < 32 ) {
+ m_free(rndbuf);
+ rndbuf = get_random_bits( nbits, 1, 1 );
+ }
+ else { /* change only some of the higher bits */
+ /* we could imporove this by directly requesting more memory
+ * at the first call to get_random_bits() and use this the here
+ * maybe it is easier to do this directly in random.c */
+ char *pp = get_random_bits( 32, 1, 1 );
+ memcpy( rndbuf,pp, 4 );
+ m_free(pp);
+ }
+ mpi_set_buffer( k, rndbuf, nbytes, 0 );
+ if( mpi_test_bit( k, nbits-1 ) )
+ mpi_set_highbit( k, nbits-1 );
+ else {
+ mpi_set_highbit( k, nbits-1 );
+ mpi_clear_bit( k, nbits-1 );
+ }
+
+ if( !(mpi_cmp( k, q ) < 0) ) { /* check: k < q */
+ if( DBG_CIPHER )
+ progress('+');
+ continue; /* no */
+ }
+ if( !(mpi_cmp_ui( k, 0 ) > 0) ) { /* check: k > 0 */
+ if( DBG_CIPHER )
+ progress('-');
+ continue; /* no */
+ }
+ break; /* okay */
+ }
+ m_free(rndbuf);
+ if( DBG_CIPHER )
+ progress('\n');
+
+ return k;
+}
+
+
+static void
+test_keys( DSA_secret_key *sk, unsigned qbits )
+{
+ DSA_public_key pk;
+ MPI test = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
+ MPI out1_a = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
+ MPI out1_b = mpi_alloc( qbits / BITS_PER_MPI_LIMB );
+
+ pk.p = sk->p;
+ pk.q = sk->q;
+ pk.g = sk->g;
+ pk.y = sk->y;
+ /*mpi_set_bytes( test, qbits, get_random_byte, 0 );*/
+ { char *p = get_random_bits( qbits, 0, 0 );
+ mpi_set_buffer( test, p, (qbits+7)/8, 0 );
+ m_free(p);
+ }
+
+ sign( out1_a, out1_b, test, sk );
+ if( !verify( out1_a, out1_b, test, &pk ) )
+ log_fatal("DSA:: sign, verify failed\n");
+
+ mpi_free( test );
+ mpi_free( out1_a );
+ mpi_free( out1_b );
+}
+
+
+
+/****************
+ * Generate a DSA key pair with a key of size NBITS
+ * Returns: 2 structures filled with all needed values
+ * and an array with the n-1 factors of (p-1)
+ */
+static void
+generate( DSA_secret_key *sk, unsigned nbits, MPI **ret_factors )
+{
+ MPI p; /* the prime */
+ MPI q; /* the 160 bit prime factor */
+ MPI g; /* the generator */
+ MPI y; /* g^x mod p */
+ MPI x; /* the secret exponent */
+ MPI h, e; /* helper */
+ unsigned qbits;
+ byte *rndbuf;
+
+ assert( nbits >= 512 && nbits <= 1024 );
+
+ qbits = 160;
+ p = generate_elg_prime( 1, nbits, qbits, NULL, ret_factors );
+ /* get q out of factors */
+ q = mpi_copy((*ret_factors)[0]);
+ if( mpi_get_nbits(q) != qbits )
+ BUG();
+
+ /* find a generator g (h and e are helpers)*/
+ /* e = (p-1)/q */
+ e = mpi_alloc( mpi_get_nlimbs(p) );
+ mpi_sub_ui( e, p, 1 );
+ mpi_fdiv_q( e, e, q );
+ g = mpi_alloc( mpi_get_nlimbs(p) );
+ h = mpi_alloc_set_ui( 1 ); /* we start with 2 */
+ do {
+ mpi_add_ui( h, h, 1 );
+ /* g = h^e mod p */
+ mpi_powm( g, h, e, p );
+ } while( !mpi_cmp_ui( g, 1 ) ); /* continue until g != 1 */
+
+ /* select a random number which has these properties:
+ * 0 < x < q-1
+ * This must be a very good random number because this
+ * is the secret part. */
+ if( DBG_CIPHER )
+ log_debug("choosing a random x ");
+ assert( qbits >= 160 );
+ x = mpi_alloc_secure( mpi_get_nlimbs(q) );
+ mpi_sub_ui( h, q, 1 ); /* put q-1 into h */
+ rndbuf = NULL;
+ do {
+ if( DBG_CIPHER )
+ progress('.');
+ if( !rndbuf )
+ rndbuf = get_random_bits( qbits, 2, 1 );
+ else { /* change only some of the higher bits (= 2 bytes)*/
+ char *r = get_random_bits( 16, 2, 1 );
+ memcpy(rndbuf, r, 16/8 );
+ m_free(r);
+ }
+ mpi_set_buffer( x, rndbuf, (qbits+7)/8, 0 );
+ mpi_clear_highbit( x, qbits+1 );
+ } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, h )<0 ) );
+ m_free(rndbuf);
+ mpi_free( e );
+ mpi_free( h );
+
+ /* y = g^x mod p */
+ y = mpi_alloc( mpi_get_nlimbs(p) );
+ mpi_powm( y, g, x, p );
+
+ if( DBG_CIPHER ) {
+ progress('\n');
+ log_mpidump("dsa p= ", p );
+ log_mpidump("dsa q= ", q );
+ log_mpidump("dsa g= ", g );
+ log_mpidump("dsa y= ", y );
+ log_mpidump("dsa x= ", x );
+ }
+
+ /* copy the stuff to the key structures */
+ sk->p = p;
+ sk->q = q;
+ sk->g = g;
+ sk->y = y;
+ sk->x = x;
+
+ /* now we can test our keys (this should never fail!) */
+ test_keys( sk, qbits );
+}
+
+
+
+/****************
+ * Test whether the secret key is valid.
+ * Returns: if this is a valid key.
+ */
+static int
+check_secret_key( DSA_secret_key *sk )
+{
+ int rc;
+ MPI y = mpi_alloc( mpi_get_nlimbs(sk->y) );
+
+ mpi_powm( y, sk->g, sk->x, sk->p );
+ rc = !mpi_cmp( y, sk->y );
+ mpi_free( y );
+ return rc;
+}
+
+
+
+/****************
+ * Make a DSA signature from HASH and put it into r and s.
+ */
+
+static void
+sign(MPI r, MPI s, MPI hash, DSA_secret_key *skey )
+{
+ MPI k;
+ MPI kinv;
+ MPI tmp;
+
+ /* select a random k with 0 < k < q */
+ k = gen_k( skey->q );
+
+ /* r = (a^k mod p) mod q */
+ mpi_powm( r, skey->g, k, skey->p );
+ mpi_fdiv_r( r, r, skey->q );
+
+ /* kinv = k^(-1) mod q */
+ kinv = mpi_alloc( mpi_get_nlimbs(k) );
+ mpi_invm(kinv, k, skey->q );
+
+ /* s = (kinv * ( hash + x * r)) mod q */
+ tmp = mpi_alloc( mpi_get_nlimbs(skey->p) );
+ mpi_mul( tmp, skey->x, r );
+ mpi_add( tmp, tmp, hash );
+ mpi_mulm( s , kinv, tmp, skey->q );
+
+ mpi_free(k);
+ mpi_free(kinv);
+ mpi_free(tmp);
+}
+
+
+/****************
+ * Returns true if the signature composed from R and S is valid.
+ */
+static int
+verify(MPI r, MPI s, MPI hash, DSA_public_key *pkey )
+{
+ int rc;
+ MPI w, u1, u2, v;
+ MPI base[3];
+ MPI exp[3];
+
+
+ if( !(mpi_cmp_ui( r, 0 ) > 0 && mpi_cmp( r, pkey->q ) < 0) )
+ return 0; /* assertion 0 < r < q failed */
+ if( !(mpi_cmp_ui( s, 0 ) > 0 && mpi_cmp( s, pkey->q ) < 0) )
+ return 0; /* assertion 0 < s < q failed */
+
+ w = mpi_alloc( mpi_get_nlimbs(pkey->q) );
+ u1 = mpi_alloc( mpi_get_nlimbs(pkey->q) );
+ u2 = mpi_alloc( mpi_get_nlimbs(pkey->q) );
+ v = mpi_alloc( mpi_get_nlimbs(pkey->p) );
+
+ /* w = s^(-1) mod q */
+ mpi_invm( w, s, pkey->q );
+
+ /* u1 = (hash * w) mod q */
+ mpi_mulm( u1, hash, w, pkey->q );
+
+ /* u2 = r * w mod q */
+ mpi_mulm( u2, r, w, pkey->q );
+
+ /* v = g^u1 * y^u2 mod p mod q */
+ base[0] = pkey->g; exp[0] = u1;
+ base[1] = pkey->y; exp[1] = u2;
+ base[2] = NULL; exp[2] = NULL;
+ mpi_mulpowm( v, base, exp, pkey->p );
+ mpi_fdiv_r( v, v, pkey->q );
+
+ rc = !mpi_cmp( v, r );
+
+ mpi_free(w);
+ mpi_free(u1);
+ mpi_free(u2);
+ mpi_free(v);
+ return rc;
+}
+
+
+/*********************************************
+ ************** interface ******************
+ *********************************************/
+
+int
+dsa_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors )
+{
+ DSA_secret_key sk;
+
+ if( algo != PUBKEY_ALGO_DSA )
+ return G10ERR_PUBKEY_ALGO;
+
+ generate( &sk, nbits, retfactors );
+ skey[0] = sk.p;
+ skey[1] = sk.q;
+ skey[2] = sk.g;
+ skey[3] = sk.y;
+ skey[4] = sk.x;
+ return 0;
+}
+
+
+int
+dsa_check_secret_key( int algo, MPI *skey )
+{
+ DSA_secret_key sk;
+
+ if( algo != PUBKEY_ALGO_DSA )
+ return G10ERR_PUBKEY_ALGO;
+ if( !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] )
+ return G10ERR_BAD_MPI;
+
+ sk.p = skey[0];
+ sk.q = skey[1];
+ sk.g = skey[2];
+ sk.y = skey[3];
+ sk.x = skey[4];
+ if( !check_secret_key( &sk ) )
+ return G10ERR_BAD_SECKEY;
+
+ return 0;
+}
+
+
+
+int
+dsa_sign( int algo, MPI *resarr, MPI data, MPI *skey )
+{
+ DSA_secret_key sk;
+
+ if( algo != PUBKEY_ALGO_DSA )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data || !skey[0] || !skey[1] || !skey[2] || !skey[3] || !skey[4] )
+ return G10ERR_BAD_MPI;
+
+ sk.p = skey[0];
+ sk.q = skey[1];
+ sk.g = skey[2];
+ sk.y = skey[3];
+ sk.x = skey[4];
+ resarr[0] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
+ resarr[1] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
+ sign( resarr[0], resarr[1], data, &sk );
+ return 0;
+}
+
+int
+dsa_verify( int algo, MPI hash, MPI *data, MPI *pkey,
+ int (*cmp)(void *, MPI) UNUSED, void *opaquev UNUSED)
+{
+ DSA_public_key pk;
+
+ if( algo != PUBKEY_ALGO_DSA )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data[0] || !data[1] || !hash
+ || !pkey[0] || !pkey[1] || !pkey[2] || !pkey[3] )
+ return G10ERR_BAD_MPI;
+
+ pk.p = pkey[0];
+ pk.q = pkey[1];
+ pk.g = pkey[2];
+ pk.y = pkey[3];
+ if( !verify( data[0], data[1], hash, &pk ) )
+ return G10ERR_BAD_SIGN;
+ return 0;
+}
+
+
+
+unsigned
+dsa_get_nbits( int algo, MPI *pkey )
+{
+ if( algo != PUBKEY_ALGO_DSA )
+ return 0;
+ return mpi_get_nbits( pkey[0] );
+}
+
+
+/****************
+ * Return some information about the algorithm. We need algo here to
+ * distinguish different flavors of the algorithm.
+ * Returns: A pointer to string describing the algorithm or NULL if
+ * the ALGO is invalid.
+ * Usage: Bit 0 set : allows signing
+ * 1 set : allows encryption
+ */
+const char *
+dsa_get_info( int algo, int *npkey, int *nskey, int *nenc, int *nsig,
+ int *use )
+{
+ *npkey = 4;
+ *nskey = 5;
+ *nenc = 0;
+ *nsig = 2;
+
+ switch( algo ) {
+ case PUBKEY_ALGO_DSA: *use = PUBKEY_USAGE_SIG; return "DSA";
+ default: *use = 0; return NULL;
+ }
+}
+
+
diff --git a/src/pluto/dsa.h b/src/pluto/dsa.h
new file mode 100644
index 000000000..1456d65b6
--- /dev/null
+++ b/src/pluto/dsa.h
@@ -0,0 +1,32 @@
+/* dsa.h - DSA signature scheme
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+#ifndef G10_DSA_H
+#define G10_DSA_H
+
+int dsa_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors );
+int dsa_check_secret_key( int algo, MPI *skey );
+int dsa_sign( int algo, MPI *resarr, MPI data, MPI *skey );
+int dsa_verify( int algo, MPI hash, MPI *data, MPI *pkey,
+ int (*cmp)(void *, MPI), void *opaquev );
+unsigned dsa_get_nbits( int algo, MPI *pkey );
+const char *dsa_get_info( int algo, int *npkey, int *nskey,
+ int *nenc, int *nsig, int *use );
+
+#endif /*G10_DSA_H*/
diff --git a/src/pluto/elgamal.c b/src/pluto/elgamal.c
new file mode 100644
index 000000000..0c099bb90
--- /dev/null
+++ b/src/pluto/elgamal.c
@@ -0,0 +1,613 @@
+/* elgamal.c - ElGamal Public Key encryption
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * For a description of the algorithm, see:
+ * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996.
+ * ISBN 0-471-11709-9. Pages 476 ff.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef PLUTO
+#include <gmp.h>
+#include <freeswan.h>
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "rnd.h"
+#include "gcryptfix.h"
+#else /*! PLUTO */
+/* #include <config.h> */
+#endif /* !PLUTO */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef PLUTO
+/* #include "util.h" */
+/* #include "mpi.h" */
+/* #include "cipher.h" */
+#endif
+
+#include "elgamal.h"
+
+typedef struct {
+ MPI p; /* prime */
+ MPI g; /* group generator */
+ MPI y; /* g^x mod p */
+} ELG_public_key;
+
+
+typedef struct {
+ MPI p; /* prime */
+ MPI g; /* group generator */
+ MPI y; /* g^x mod p */
+ MPI x; /* secret exponent */
+} ELG_secret_key;
+
+
+static void test_keys( ELG_secret_key *sk, unsigned nbits );
+static MPI gen_k( MPI p );
+static void generate( ELG_secret_key *sk, unsigned nbits, MPI **factors );
+static int check_secret_key( ELG_secret_key *sk );
+static void encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey );
+static void decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey );
+static void sign(MPI a, MPI b, MPI input, ELG_secret_key *skey);
+static int verify(MPI a, MPI b, MPI input, ELG_public_key *pkey);
+
+
+static void
+progress( int c )
+{
+ fputc( c, stderr );
+}
+
+
+static void
+test_keys( ELG_secret_key *sk, unsigned nbits )
+{
+ ELG_public_key pk;
+ MPI test = mpi_alloc( 0 );
+ MPI out1_a = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
+ MPI out1_b = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
+ MPI out2 = mpi_alloc( nbits / BITS_PER_MPI_LIMB );
+
+ pk.p = sk->p;
+ pk.g = sk->g;
+ pk.y = sk->y;
+
+ /*mpi_set_bytes( test, nbits, get_random_byte, 0 );*/
+ { char *p = get_random_bits( nbits, 0, 0 );
+ mpi_set_buffer( test, p, (nbits+7)/8, 0 );
+ m_free(p);
+ }
+
+ encrypt( out1_a, out1_b, test, &pk );
+ decrypt( out2, out1_a, out1_b, sk );
+ if( mpi_cmp( test, out2 ) )
+ log_fatal("ElGamal operation: encrypt, decrypt failed\n");
+
+ sign( out1_a, out1_b, test, sk );
+ if( !verify( out1_a, out1_b, test, &pk ) )
+ log_fatal("ElGamal operation: sign, verify failed\n");
+
+ mpi_free( test );
+ mpi_free( out1_a );
+ mpi_free( out1_b );
+ mpi_free( out2 );
+}
+
+
+/****************
+ * generate a random secret exponent k from prime p, so
+ * that k is relatively prime to p-1
+ */
+static MPI
+gen_k( MPI p )
+{
+ MPI k = mpi_alloc_secure( 0 );
+ MPI temp = mpi_alloc( mpi_get_nlimbs(p) );
+ MPI p_1 = mpi_copy(p);
+ unsigned int nbits = mpi_get_nbits(p);
+ unsigned int nbytes = (nbits+7)/8;
+ char *rndbuf = NULL;
+
+ if( DBG_CIPHER )
+ log_debug("choosing a random k ");
+ mpi_sub_ui( p_1, p, 1);
+ for(;;) {
+ if( DBG_CIPHER )
+ progress('.');
+ if( !rndbuf || nbits < 32 ) {
+ m_free(rndbuf);
+ rndbuf = get_random_bits( nbits, 1, 1 );
+ }
+ else { /* change only some of the higher bits */
+ /* we could imporove this by directly requesting more memory
+ * at the first call to get_random_bits() and use this the here
+ * maybe it is easier to do this directly in random.c */
+ char *pp = get_random_bits( 32, 1, 1 );
+ memcpy( rndbuf,pp, 4 );
+ m_free(pp);
+ }
+ mpi_set_buffer( k, rndbuf, nbytes, 0 );
+
+ for(;;) {
+ /* make sure that the number is of the exact lenght */
+ if( mpi_test_bit( k, nbits-1 ) )
+ mpi_set_highbit( k, nbits-1 );
+ else {
+ mpi_set_highbit( k, nbits-1 );
+ mpi_clear_bit( k, nbits-1 );
+ }
+ if( !(mpi_cmp( k, p_1 ) < 0) ) { /* check: k < (p-1) */
+ if( DBG_CIPHER )
+ progress('+');
+ break; /* no */
+ }
+ if( !(mpi_cmp_ui( k, 0 ) > 0) ) { /* check: k > 0 */
+ if( DBG_CIPHER )
+ progress('-');
+ break; /* no */
+ }
+ if( mpi_gcd( temp, k, p_1 ) )
+ goto found; /* okay, k is relatively prime to (p-1) */
+ mpi_add_ui( k, k, 1 );
+ }
+ }
+ found:
+ m_free(rndbuf);
+ if( DBG_CIPHER )
+ progress('\n');
+ mpi_free(p_1);
+ mpi_free(temp);
+
+ return k;
+}
+
+/****************
+ * Generate a key pair with a key of size NBITS
+ * Returns: 2 structures filles with all needed values
+ * and an array with n-1 factors of (p-1)
+ */
+static void
+generate( ELG_secret_key *sk, unsigned nbits, MPI **ret_factors )
+{
+ MPI p; /* the prime */
+ MPI p_min1;
+ MPI g;
+ MPI x; /* the secret exponent */
+ MPI y;
+ MPI temp;
+ unsigned qbits;
+ byte *rndbuf;
+
+ p_min1 = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
+ temp = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
+ if( nbits < 512 )
+ qbits = 120;
+ else if( nbits <= 1024 )
+ qbits = 160;
+ else if( nbits <= 2048 )
+ qbits = 200;
+ else
+ qbits = 240;
+ g = mpi_alloc(1);
+ p = generate_elg_prime( 0, nbits, qbits, g, ret_factors );
+ mpi_sub_ui(p_min1, p, 1);
+
+
+ /* select a random number which has these properties:
+ * 0 < x < p-1
+ * This must be a very good random number because this is the
+ * secret part. The prime is public and may be shared anyway,
+ * so a random generator level of 1 is used for the prime.
+ */
+ x = mpi_alloc_secure( nbits/BITS_PER_MPI_LIMB );
+ if( DBG_CIPHER )
+ log_debug("choosing a random x ");
+ rndbuf = NULL;
+ do {
+ if( DBG_CIPHER )
+ progress('.');
+ if( rndbuf ) { /* change only some of the higher bits */
+ if( nbits < 16 ) {/* should never happen ... */
+ m_free(rndbuf);
+ rndbuf = get_random_bits( nbits, 2, 1 );
+ }
+ else {
+ char *r = get_random_bits( 16, 2, 1 );
+ memcpy(rndbuf, r, 16/8 );
+ m_free(r);
+ }
+ }
+ else
+ rndbuf = get_random_bits( nbits, 2, 1 );
+ mpi_set_buffer( x, rndbuf, (nbits+7)/8, 0 );
+ mpi_clear_highbit( x, nbits+1 );
+ } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, p_min1 )<0 ) );
+ m_free(rndbuf);
+
+ y = mpi_alloc(nbits/BITS_PER_MPI_LIMB);
+ mpi_powm( y, g, x, p );
+
+ if( DBG_CIPHER ) {
+ progress('\n');
+ log_mpidump("elg p= ", p );
+ log_mpidump("elg g= ", g );
+ log_mpidump("elg y= ", y );
+ log_mpidump("elg x= ", x );
+ }
+
+ /* copy the stuff to the key structures */
+ sk->p = p;
+ sk->g = g;
+ sk->y = y;
+ sk->x = x;
+
+ /* now we can test our keys (this should never fail!) */
+ test_keys( sk, nbits - 64 );
+
+ mpi_free( p_min1 );
+ mpi_free( temp );
+}
+
+
+/****************
+ * Test whether the secret key is valid.
+ * Returns: if this is a valid key.
+ */
+static int
+check_secret_key( ELG_secret_key *sk )
+{
+ int rc;
+ MPI y = mpi_alloc( mpi_get_nlimbs(sk->y) );
+
+ mpi_powm( y, sk->g, sk->x, sk->p );
+ rc = !mpi_cmp( y, sk->y );
+ mpi_free( y );
+ return rc;
+}
+
+
+static void
+encrypt(MPI a, MPI b, MPI input, ELG_public_key *pkey )
+{
+ MPI k;
+
+ /* Note: maybe we should change the interface, so that it
+ * is possible to check that input is < p and return an
+ * error code.
+ */
+
+ k = gen_k( pkey->p );
+ mpi_powm( a, pkey->g, k, pkey->p );
+ /* b = (y^k * input) mod p
+ * = ((y^k mod p) * (input mod p)) mod p
+ * and because input is < p
+ * = ((y^k mod p) * input) mod p
+ */
+ mpi_powm( b, pkey->y, k, pkey->p );
+ mpi_mulm( b, b, input, pkey->p );
+ #if 0
+ if( DBG_CIPHER ) {
+ log_mpidump("elg encrypted y= ", pkey->y);
+ log_mpidump("elg encrypted p= ", pkey->p);
+ log_mpidump("elg encrypted k= ", k);
+ log_mpidump("elg encrypted M= ", input);
+ log_mpidump("elg encrypted a= ", a);
+ log_mpidump("elg encrypted b= ", b);
+ }
+ #endif
+ mpi_free(k);
+}
+
+
+
+
+static void
+decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey )
+{
+ MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
+ /* output = b/(a^x) mod p */
+
+ mpi_powm( t1, a, skey->x, skey->p );
+ mpi_invm( t1, t1, skey->p );
+ mpi_mulm( output, b, t1, skey->p );
+ #if 0
+ if( DBG_CIPHER ) {
+ log_mpidump("elg decrypted x= ", skey->x);
+ log_mpidump("elg decrypted p= ", skey->p);
+ log_mpidump("elg decrypted a= ", a);
+ log_mpidump("elg decrypted b= ", b);
+ log_mpidump("elg decrypted M= ", output);
+ }
+ #endif
+ mpi_free(t1);
+}
+
+
+/****************
+ * Make an Elgamal signature out of INPUT
+ */
+
+static void
+sign(MPI a, MPI b, MPI input, ELG_secret_key *skey )
+{
+ MPI k;
+ MPI t = mpi_alloc( mpi_get_nlimbs(a) );
+ MPI inv = mpi_alloc( mpi_get_nlimbs(a) );
+ MPI p_1 = mpi_copy(skey->p);
+
+ /*
+ * b = (t * inv) mod (p-1)
+ * b = (t * inv(k,(p-1),(p-1)) mod (p-1)
+ * b = (((M-x*a) mod (p-1)) * inv(k,(p-1),(p-1))) mod (p-1)
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+ while( mpi_is_neg(t) )
+ mpi_add(t, t, p_1);
+ mpi_invm(inv, k, p_1 );
+ mpi_mulm(b, t, inv, p_1 );
+
+ #if 0
+ if( DBG_CIPHER ) {
+ log_mpidump("elg sign p= ", skey->p);
+ log_mpidump("elg sign g= ", skey->g);
+ log_mpidump("elg sign y= ", skey->y);
+ log_mpidump("elg sign x= ", skey->x);
+ log_mpidump("elg sign k= ", k);
+ log_mpidump("elg sign M= ", input);
+ log_mpidump("elg sign a= ", a);
+ log_mpidump("elg sign b= ", b);
+ }
+ #endif
+ mpi_free(k);
+ mpi_free(t);
+ mpi_free(inv);
+ mpi_free(p_1);
+}
+
+
+/****************
+ * Returns true if the signature composed of A and B is valid.
+ */
+static int
+verify(MPI a, MPI b, MPI input, ELG_public_key *pkey )
+{
+ int rc;
+ MPI t1;
+ MPI t2;
+ MPI base[4];
+ MPI exp[4];
+
+ if( !(mpi_cmp_ui( a, 0 ) > 0 && mpi_cmp( a, pkey->p ) < 0) )
+ return 0; /* assertion 0 < a < p failed */
+
+ t1 = mpi_alloc( mpi_get_nlimbs(a) );
+ t2 = mpi_alloc( mpi_get_nlimbs(a) );
+
+ #if 0
+ /* t1 = (y^a mod p) * (a^b mod p) mod p */
+ mpi_powm( t1, pkey->y, a, pkey->p );
+ mpi_powm( t2, a, b, pkey->p );
+ mpi_mulm( t1, t1, t2, pkey->p );
+
+ /* t2 = g ^ input mod p */
+ mpi_powm( t2, pkey->g, input, pkey->p );
+
+ rc = !mpi_cmp( t1, t2 );
+ #elif 0
+ /* t1 = (y^a mod p) * (a^b mod p) mod p */
+ base[0] = pkey->y; exp[0] = a;
+ base[1] = a; exp[1] = b;
+ base[2] = NULL; exp[2] = NULL;
+ mpi_mulpowm( t1, base, exp, pkey->p );
+
+ /* t2 = g ^ input mod p */
+ mpi_powm( t2, pkey->g, input, pkey->p );
+
+ rc = !mpi_cmp( t1, t2 );
+ #else
+ /* t1 = g ^ - input * y ^ a * a ^ b mod p */
+ mpi_invm(t2, pkey->g, pkey->p );
+ base[0] = t2 ; exp[0] = input;
+ base[1] = pkey->y; exp[1] = a;
+ base[2] = a; exp[2] = b;
+ base[3] = NULL; exp[3] = NULL;
+ mpi_mulpowm( t1, base, exp, pkey->p );
+ rc = !mpi_cmp_ui( t1, 1 );
+
+ #endif
+
+ mpi_free(t1);
+ mpi_free(t2);
+ return rc;
+}
+
+/*********************************************
+ ************** interface ******************
+ *********************************************/
+
+int
+elg_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors )
+{
+ ELG_secret_key sk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+
+ generate( &sk, nbits, retfactors );
+ skey[0] = sk.p;
+ skey[1] = sk.g;
+ skey[2] = sk.y;
+ skey[3] = sk.x;
+ return 0;
+}
+
+
+int
+elg_check_secret_key( int algo, MPI *skey )
+{
+ ELG_secret_key sk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+ if( !skey[0] || !skey[1] || !skey[2] || !skey[3] )
+ return G10ERR_BAD_MPI;
+
+ sk.p = skey[0];
+ sk.g = skey[1];
+ sk.y = skey[2];
+ sk.x = skey[3];
+ if( !check_secret_key( &sk ) )
+ return G10ERR_BAD_SECKEY;
+
+ return 0;
+}
+
+
+
+int
+elg_encrypt( int algo, MPI *resarr, MPI data, MPI *pkey )
+{
+ ELG_public_key pk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data || !pkey[0] || !pkey[1] || !pkey[2] )
+ return G10ERR_BAD_MPI;
+
+ pk.p = pkey[0];
+ pk.g = pkey[1];
+ pk.y = pkey[2];
+ resarr[0] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
+ resarr[1] = mpi_alloc( mpi_get_nlimbs( pk.p ) );
+ encrypt( resarr[0], resarr[1], data, &pk );
+ return 0;
+}
+
+int
+elg_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+{
+ ELG_secret_key sk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data[0] || !data[1]
+ || !skey[0] || !skey[1] || !skey[2] || !skey[3] )
+ return G10ERR_BAD_MPI;
+
+ sk.p = skey[0];
+ sk.g = skey[1];
+ sk.y = skey[2];
+ sk.x = skey[3];
+ *result = mpi_alloc_secure( mpi_get_nlimbs( sk.p ) );
+ decrypt( *result, data[0], data[1], &sk );
+ return 0;
+}
+
+int
+elg_sign( int algo, MPI *resarr, MPI data, MPI *skey )
+{
+ ELG_secret_key sk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data || !skey[0] || !skey[1] || !skey[2] || !skey[3] )
+ return G10ERR_BAD_MPI;
+
+ sk.p = skey[0];
+ sk.g = skey[1];
+ sk.y = skey[2];
+ sk.x = skey[3];
+ resarr[0] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
+ resarr[1] = mpi_alloc( mpi_get_nlimbs( sk.p ) );
+ sign( resarr[0], resarr[1], data, &sk );
+ return 0;
+}
+
+int
+elg_verify( int algo, MPI hash, MPI *data, MPI *pkey,
+ int (*cmp)(void *, MPI) UNUSED, void *opaquev UNUSED)
+{
+ ELG_public_key pk;
+
+ if( !is_ELGAMAL(algo) )
+ return G10ERR_PUBKEY_ALGO;
+ if( !data[0] || !data[1] || !hash
+ || !pkey[0] || !pkey[1] || !pkey[2] )
+ return G10ERR_BAD_MPI;
+
+ pk.p = pkey[0];
+ pk.g = pkey[1];
+ pk.y = pkey[2];
+ if( !verify( data[0], data[1], hash, &pk ) )
+ return G10ERR_BAD_SIGN;
+ return 0;
+}
+
+
+
+unsigned
+elg_get_nbits( int algo, MPI *pkey )
+{
+ if( !is_ELGAMAL(algo) )
+ return 0;
+ return mpi_get_nbits( pkey[0] );
+}
+
+
+/****************
+ * Return some information about the algorithm. We need algo here to
+ * distinguish different flavors of the algorithm.
+ * Returns: A pointer to string describing the algorithm or NULL if
+ * the ALGO is invalid.
+ * Usage: Bit 0 set : allows signing
+ * 1 set : allows encryption
+ * NOTE: This function allows signing also for ELG-E, which is not
+ * okay but a bad hack to allow to work with old gpg keys. The real check
+ * is done in the gnupg ocde depending on the packet version.
+ */
+const char *
+elg_get_info( int algo, int *npkey, int *nskey, int *nenc, int *nsig,
+ int *use )
+{
+ *npkey = 3;
+ *nskey = 4;
+ *nenc = 2;
+ *nsig = 2;
+
+ switch( algo ) {
+ case PUBKEY_ALGO_ELGAMAL:
+ *use = PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC;
+ return "ELG";
+ case PUBKEY_ALGO_ELGAMAL_E:
+ *use = PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC;
+ return "ELG-E";
+ default: *use = 0; return NULL;
+ }
+}
+
+
diff --git a/src/pluto/elgamal.h b/src/pluto/elgamal.h
new file mode 100644
index 000000000..f104c2a52
--- /dev/null
+++ b/src/pluto/elgamal.h
@@ -0,0 +1,35 @@
+/* elgamal.h
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+#ifndef G10_ELGAMAL_H
+#define G10_ELGAMAL_H
+
+int elg_generate( int algo, unsigned nbits, MPI *skey, MPI **retfactors );
+int elg_check_secret_key( int algo, MPI *skey );
+int elg_encrypt( int algo, MPI *resarr, MPI data, MPI *pkey );
+int elg_decrypt( int algo, MPI *result, MPI *data, MPI *skey );
+int elg_sign( int algo, MPI *resarr, MPI data, MPI *skey );
+int elg_verify( int algo, MPI hash, MPI *data, MPI *pkey,
+ int (*cmp)(void *, MPI), void *opaquev );
+unsigned elg_get_nbits( int algo, MPI *pkey );
+const char *elg_get_info( int algo, int *npkey, int *nskey,
+ int *nenc, int *nsig, int *use );
+
+
+#endif /*G10_ELGAMAL_H*/
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
new file mode 100644
index 000000000..e3e56d3a8
--- /dev/null
+++ b/src/pluto/fetch.c
@@ -0,0 +1,1081 @@
+/* Dynamic fetching of X.509 CRLs
+ * Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: fetch.c,v 1.12 2006/05/16 14:19:27 as Exp $
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <time.h>
+#include <string.h>
+
+#ifdef THREADS
+#include <pthread.h>
+#endif
+
+#ifdef LIBCURL
+#include <curl/curl.h>
+#endif
+
+#include <freeswan.h>
+
+#ifdef LIBLDAP
+#include <ldap.h>
+#endif
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "id.h"
+#include "asn1.h"
+#include "pem.h"
+#include "x509.h"
+#include "ca.h"
+#include "whack.h"
+#include "ocsp.h"
+#include "crl.h"
+#include "fetch.h"
+
+fetch_req_t empty_fetch_req = {
+ NULL , /* next */
+ 0 , /* installed */
+ 0 , /* trials */
+ { NULL, 0}, /* issuer */
+ { NULL, 0}, /* authKeyID */
+ { NULL, 0}, /* authKeySerialNumber */
+ NULL /* distributionPoints */
+};
+
+/* chained list of crl fetch requests */
+static fetch_req_t *crl_fetch_reqs = NULL;
+
+/* chained list of ocsp fetch requests */
+static ocsp_location_t *ocsp_fetch_reqs = NULL;
+
+#ifdef THREADS
+static pthread_t thread;
+static pthread_mutex_t certs_and_keys_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t authcert_list_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t crl_list_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t ocsp_cache_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t ca_info_list_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t crl_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t ocsp_fetch_list_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_mutex_t fetch_wake_mutex = PTHREAD_MUTEX_INITIALIZER;
+static pthread_cond_t fetch_wake_cond = PTHREAD_COND_INITIALIZER;
+
+/*
+ * lock access to my certs and keys
+ */
+void
+lock_certs_and_keys(const char *who)
+{
+ pthread_mutex_lock(&certs_and_keys_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("certs and keys locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to my certs and keys
+ */
+void
+unlock_certs_and_keys(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("certs and keys unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&certs_and_keys_mutex);
+}
+
+/*
+ * lock access to the chained authcert list
+ */
+void
+lock_authcert_list(const char *who)
+{
+ pthread_mutex_lock(&authcert_list_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("authcert list locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the chained authcert list
+ */
+void
+unlock_authcert_list(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("authcert list unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&authcert_list_mutex);
+}
+
+/*
+ * lock access to the chained crl list
+ */
+void
+lock_crl_list(const char *who)
+{
+ pthread_mutex_lock(&crl_list_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("crl list locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the chained crl list
+ */
+void
+unlock_crl_list(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("crl list unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&crl_list_mutex);
+}
+
+/*
+ * lock access to the ocsp cache
+ */
+extern void
+lock_ocsp_cache(const char *who)
+{
+ pthread_mutex_lock(&ocsp_cache_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ocsp cache locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the ocsp cache
+ */
+extern void
+unlock_ocsp_cache(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ocsp cache unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&ocsp_cache_mutex);
+}
+
+/*
+ * lock access to the ca info list
+ */
+extern void
+lock_ca_info_list(const char *who)
+{
+ pthread_mutex_lock(&ca_info_list_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ca info list locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the ca info list
+ */
+extern void
+unlock_ca_info_list(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ca info list unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&ca_info_list_mutex);
+}
+
+/*
+ * lock access to the chained crl fetch request list
+ */
+static void
+lock_crl_fetch_list(const char *who)
+{
+ pthread_mutex_lock(&crl_fetch_list_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("crl fetch request list locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the chained crl fetch request list
+ */
+static void
+unlock_crl_fetch_list(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("crl fetch request list unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&crl_fetch_list_mutex);
+}
+
+/*
+ * lock access to the chained ocsp fetch request list
+ */
+static void
+lock_ocsp_fetch_list(const char *who)
+{
+ pthread_mutex_lock(&ocsp_fetch_list_mutex);
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ocsp fetch request list locked by '%s'", who)
+ )
+}
+
+/*
+ * unlock access to the chained ocsp fetch request list
+ */
+static void
+unlock_ocsp_fetch_list(const char *who)
+{
+ DBG(DBG_CONTROLMORE,
+ DBG_log("ocsp fetch request list unlocked by '%s'", who)
+ )
+ pthread_mutex_unlock(&ocsp_fetch_list_mutex);
+}
+
+/*
+ * wakes up the sleeping fetch thread
+ */
+void
+wake_fetch_thread(const char *who)
+{
+ if (crl_check_interval > 0)
+ {
+ DBG(DBG_CONTROLMORE,
+ DBG_log("fetch thread wake call by '%s'", who)
+ )
+ pthread_mutex_lock(&fetch_wake_mutex);
+ pthread_cond_signal(&fetch_wake_cond);
+ pthread_mutex_unlock(&fetch_wake_mutex);
+ }
+}
+#else /* !THREADS */
+#define lock_crl_fetch_list(who) /* do nothing */
+#define unlock_crl_fetch_list(who) /* do nothing */
+#define lock_ocsp_fetch_list(who) /* do nothing */
+#define unlock_ocsp_fetch_list(who) /* do nothing */
+#endif /* !THREADS */
+
+/*
+ * free the dynamic memory used to store fetch requests
+ */
+static void
+free_fetch_request(fetch_req_t *req)
+{
+ pfree(req->issuer.ptr);
+ pfreeany(req->authKeySerialNumber.ptr);
+ pfreeany(req->authKeyID.ptr);
+ free_generalNames(req->distributionPoints, TRUE);
+ pfree(req);
+}
+
+/* writes data into a dynamically resizeable chunk_t
+ * needed for libcurl responses
+ */
+size_t
+write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
+{
+ size_t realsize = size * nmemb;
+ chunk_t *mem = (chunk_t*)data;
+
+ mem->ptr = (u_char *)realloc(mem->ptr, mem->len + realsize);
+ if (mem->ptr) {
+ memcpy(&(mem->ptr[mem->len]), ptr, realsize);
+ mem->len += realsize;
+ }
+ return realsize;
+}
+
+#ifdef THREADS
+/*
+ * fetches a binary blob from a url with libcurl
+ */
+static err_t
+fetch_curl(char *url, chunk_t *blob)
+{
+#ifdef LIBCURL
+ char errorbuffer[CURL_ERROR_SIZE] = "";
+ chunk_t response = empty_chunk;
+ CURLcode res;
+
+ /* get it with libcurl */
+ CURL *curl = curl_easy_init();
+
+ if (curl != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("Trying cURL '%s'", url)
+ )
+
+ curl_easy_setopt(curl, CURLOPT_URL, url);
+ curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
+ curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, &errorbuffer);
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
+ curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
+
+ res = curl_easy_perform(curl);
+
+ if (res == CURLE_OK)
+ {
+ blob->len = response.len;
+ blob->ptr = alloc_bytes(response.len, "curl blob");
+ memcpy(blob->ptr, response.ptr, response.len);
+ }
+ else
+ {
+ plog("fetching uri (%s) with libcurl failed: %s", url, errorbuffer);
+ }
+ curl_easy_cleanup(curl);
+ /* not using freeanychunk because of realloc (no leak detective) */
+ curl_free(response.ptr);
+ }
+ return strlen(errorbuffer) > 0 ? "libcurl error" : NULL;
+#else /* !LIBCURL */
+ return "warning: not compiled with libcurl support";
+#endif /* !LIBCURL */
+}
+
+#ifdef LIBLDAP
+/*
+ * parses the result returned by an ldap query
+ */
+static err_t
+parse_ldap_result(LDAP * ldap, LDAPMessage *result, chunk_t *blob)
+{
+ err_t ugh = NULL;
+
+ LDAPMessage * entry = ldap_first_entry(ldap, result);
+
+ if (entry != NULL)
+ {
+ BerElement *ber = NULL;
+ char *attr;
+
+ attr = ldap_first_attribute(ldap, entry, &ber);
+
+ if (attr != NULL)
+ {
+ struct berval **values = ldap_get_values_len(ldap, entry, attr);
+
+ if (values != NULL)
+ {
+ if (values[0] != NULL)
+ {
+ blob->len = values[0]->bv_len;
+ blob->ptr = alloc_bytes(blob->len, "ldap blob");
+ memcpy(blob->ptr, values[0]->bv_val, blob->len);
+ if (values[1] != NULL)
+ {
+ plog("warning: more than one value was fetched from LDAP URL");
+ }
+ }
+ else
+ {
+ ugh = "no values in attribute";
+ }
+ ldap_value_free_len(values);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+ }
+ ldap_memfree(attr);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+ }
+ ber_free(ber, 0);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, result, 0));
+ }
+ return ugh;
+}
+
+/*
+ * fetches a binary blob from an ldap url
+ */
+static err_t
+fetch_ldap_url(char *url, chunk_t *blob)
+{
+ LDAPURLDesc *lurl;
+ err_t ugh = NULL;
+ int rc;
+
+ DBG(DBG_CONTROL,
+ DBG_log("Trying LDAP URL '%s'", url)
+ )
+
+ rc = ldap_url_parse(url, &lurl);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ LDAP *ldap = ldap_init(lurl->lud_host, lurl->lud_port);
+
+ if (ldap != NULL)
+ {
+ int ldap_version = LDAP_VERSION3;
+ struct timeval timeout;
+
+ timeout.tv_sec = FETCH_CMD_TIMEOUT;
+ timeout.tv_usec = 0;
+ ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+ ldap_set_option(ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
+
+ rc = ldap_simple_bind_s(ldap, NULL, NULL);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ LDAPMessage *result;
+
+ timeout.tv_sec = FETCH_CMD_TIMEOUT;
+ timeout.tv_usec = 0;
+
+ rc = ldap_search_st(ldap, lurl->lud_dn
+ , lurl->lud_scope
+ , lurl->lud_filter
+ , lurl->lud_attrs
+ , 0, &timeout, &result);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ ugh = parse_ldap_result(ldap, result, blob);
+ ldap_msgfree(result);
+ }
+ else
+ {
+ ugh = ldap_err2string(rc);
+ }
+ }
+ else
+ {
+ ugh = ldap_err2string(rc);
+ }
+ ldap_unbind_s(ldap);
+ }
+ else
+ {
+ ugh = "ldap init";
+ }
+ ldap_free_urldesc(lurl);
+ }
+ else
+ {
+ ugh = ldap_err2string(rc);
+ }
+ return ugh;
+}
+#else /* !LIBLDAP */
+static err_t
+fetch_ldap_url(char *url, chunk_t *blob)
+{
+ return "LDAP URL fetching not activated in pluto source code";
+}
+#endif /* !LIBLDAP */
+
+/*
+ * fetch an ASN.1 blob coded in PEM or DER format from a URL
+ */
+static err_t
+fetch_asn1_blob(char *url, chunk_t *blob)
+{
+ err_t ugh = NULL;
+
+ if (strlen(url) >= 4 && strncasecmp(url, "ldap", 4) == 0)
+ {
+ ugh = fetch_ldap_url(url, blob);
+ }
+ else
+ {
+ ugh = fetch_curl(url, blob);
+ }
+ if (ugh != NULL)
+ return ugh;
+
+ if (is_asn1(*blob))
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" fetched blob coded in DER format")
+ )
+ }
+ else
+ {
+ bool pgp = FALSE;
+
+ ugh = pemtobin(blob, NULL, "", &pgp);
+ if (ugh == NULL)
+ {
+ if (is_asn1(*blob))
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" fetched blob coded in PEM format")
+ )
+ }
+ else
+ {
+ ugh = "blob coded in unknown format";
+ pfree(blob->ptr);
+ }
+ }
+ else
+ {
+ pfree(blob->ptr);
+ }
+ }
+ return ugh;
+}
+
+/*
+ * complete a distributionPoint URI with ca information
+ */
+static char*
+complete_uri(chunk_t distPoint, const char *ldaphost)
+{
+ char *uri;
+ char *ptr = distPoint.ptr;
+ size_t len = distPoint.len;
+
+ char *symbol = memchr(ptr, ':', len);
+
+ if (symbol != NULL)
+ {
+ size_t type_len = symbol - ptr;
+
+ if (type_len >= 4 && strncasecmp(ptr, "ldap", 4) == 0)
+ {
+ ptr = symbol + 1;
+ len -= (type_len + 1);
+
+ if (len > 2 && *ptr++ == '/' && *ptr++ == '/')
+ {
+ len -= 2;
+ symbol = memchr(ptr, '/', len);
+
+ if (symbol != NULL && symbol - ptr == 0 && ldaphost != NULL)
+ {
+ uri = alloc_bytes(distPoint.len+strlen(ldaphost)+1, "uri");
+
+ /* insert the ldaphost into the uri */
+ sprintf(uri, "%.*s%s%.*s"
+ , (int)(distPoint.len - len), distPoint.ptr
+ , ldaphost
+ , (int)len, symbol);
+ return uri;
+ }
+ }
+ }
+ }
+
+ /* default action: copy distributionPoint without change */
+ uri = alloc_bytes(distPoint.len+1, "uri");
+ sprintf(uri, "%.*s", (int)distPoint.len, distPoint.ptr);
+ return uri;
+}
+
+/*
+ * try to fetch the crls defined by the fetch requests
+ */
+static void
+fetch_crls(bool cache_crls)
+{
+ fetch_req_t *req;
+ fetch_req_t **reqp;
+
+ lock_crl_fetch_list("fetch_crls");
+ req = crl_fetch_reqs;
+ reqp = &crl_fetch_reqs;
+
+ while (req != NULL)
+ {
+ bool valid_crl = FALSE;
+ chunk_t blob = empty_chunk;
+ generalName_t *gn = req->distributionPoints;
+ const char *ldaphost;
+ ca_info_t *ca;
+
+ lock_ca_info_list("fetch_crls");
+
+ ca = get_ca_info(req->issuer, req->authKeySerialNumber, req->authKeyID);
+ ldaphost = (ca == NULL)? NULL : ca->ldaphost;
+
+ while (gn != NULL)
+ {
+ char *uri = complete_uri(gn->name, ldaphost);
+
+ err_t ugh = fetch_asn1_blob(uri, &blob);
+ pfree(uri);
+
+ if (ugh != NULL)
+ {
+ plog("fetch failed: %s", ugh);
+ }
+ else
+ {
+ chunk_t crl_uri;
+
+ clonetochunk(crl_uri, gn->name.ptr, gn->name.len, "crl uri");
+ if (insert_crl(blob, crl_uri, cache_crls))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("we have a valid crl")
+ )
+ valid_crl = TRUE;
+ break;
+ }
+ }
+ gn = gn->next;
+ }
+
+ unlock_ca_info_list("fetch_crls");
+
+ if (valid_crl)
+ {
+ /* delete fetch request */
+ fetch_req_t *req_free = req;
+
+ req = req->next;
+ *reqp = req;
+ free_fetch_request(req_free);
+ }
+ else
+ {
+ /* try again next time */
+ req->trials++;
+ reqp = &req->next;
+ req = req->next;
+ }
+ }
+ unlock_crl_fetch_list("fetch_crls");
+}
+
+static void
+fetch_ocsp_status(ocsp_location_t* location)
+{
+#ifdef LIBCURL
+ chunk_t request;
+ chunk_t response = empty_chunk;
+
+ CURL* curl;
+ CURLcode res;
+
+ request = build_ocsp_request(location);
+
+ DBG(DBG_CONTROL,
+ DBG_log("sending ocsp request to location '%.*s'"
+ , (int)location->uri.len, location->uri.ptr)
+ )
+ DBG(DBG_RAW,
+ DBG_dump_chunk("OCSP request", request)
+ )
+
+ /* send via http post using libcurl */
+ curl = curl_easy_init();
+
+ if (curl != NULL)
+ {
+ char errorbuffer[CURL_ERROR_SIZE];
+ struct curl_slist *headers = NULL;
+ char* uri = alloc_bytes(location->uri.len+1, "ocsp uri");
+
+ /* we need a null terminated string for curl */
+ memcpy(uri, location->uri.ptr, location->uri.len);
+ *(uri + location->uri.len) = '\0';
+
+ /* set content type header */
+ headers = curl_slist_append(headers, "Content-Type: application/ocsp-request");
+ curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
+
+ curl_easy_setopt(curl, CURLOPT_URL, uri);
+ curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request.ptr);
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, request.len);
+ curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, &errorbuffer);
+ curl_easy_setopt(curl, CURLOPT_FAILONERROR, TRUE);
+ curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, FETCH_CMD_TIMEOUT);
+
+ res = curl_easy_perform(curl);
+
+ if (res == CURLE_OK)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("received ocsp response")
+ )
+ DBG(DBG_RAW,
+ DBG_dump_chunk("OCSP response:\n", response)
+ )
+ parse_ocsp(location, response);
+ }
+ else
+ {
+ plog("failed to fetch ocsp status from '%s': %s", uri, errorbuffer);
+ }
+ curl_slist_free_all(headers);
+ curl_easy_cleanup(curl);
+ pfree(uri);
+ /* not using freeanychunk because of realloc (no leak detective) */
+ curl_free(response.ptr);
+ }
+ freeanychunk(location->nonce);
+ freeanychunk(request);
+
+ /* increment the trial counter of the unresolved fetch requests */
+ {
+ ocsp_certinfo_t *certinfo = location->certinfo;
+
+ while (certinfo != NULL)
+ {
+ certinfo->trials++;
+ certinfo = certinfo->next;
+ }
+ }
+ return;
+#else /* !LIBCURL */
+ plog("ocsp error: pluto wasn't compiled with libcurl support");
+#endif /* !LIBCURL */
+}
+
+/*
+ * try to fetch the necessary ocsp information
+ */
+static void
+fetch_ocsp(void)
+{
+ ocsp_location_t *location;
+
+ lock_ocsp_fetch_list("fetch_ocsp");
+ location = ocsp_fetch_reqs;
+
+ /* fetch the ocps status for all locations */
+ while (location != NULL)
+ {
+ if (location->certinfo != NULL)
+ fetch_ocsp_status(location);
+ location = location->next;
+ }
+
+ unlock_ocsp_fetch_list("fetch_ocsp");
+}
+
+static void*
+fetch_thread(void *arg)
+{
+ struct timespec wait_interval;
+
+ DBG(DBG_CONTROL,
+ DBG_log("fetch thread started")
+ )
+
+ pthread_mutex_lock(&fetch_wake_mutex);
+
+ while(1)
+ {
+ int status;
+
+ wait_interval.tv_nsec = 0;
+ wait_interval.tv_sec = time(NULL) + crl_check_interval;
+
+ DBG(DBG_CONTROL,
+ DBG_log("next regular crl check in %ld seconds", crl_check_interval)
+ )
+ status = pthread_cond_timedwait(&fetch_wake_cond, &fetch_wake_mutex
+ , &wait_interval);
+
+ if (status == ETIMEDOUT)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log(" ");
+ DBG_log("*time to check crls and the ocsp cache")
+ )
+ check_ocsp();
+ check_crls();
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("fetch thread was woken up")
+ )
+ }
+ fetch_ocsp();
+ fetch_crls(cache_crls);
+ }
+}
+#endif /* THREADS*/
+
+/*
+ * initializes curl and starts the fetching thread
+ */
+void
+init_fetch(void)
+{
+ int status;
+
+#ifdef LIBCURL
+ /* init curl */
+ status = curl_global_init(CURL_GLOBAL_NOTHING);
+ if (status != CURLE_OK)
+ {
+ plog("libcurl could not be initialized, status = %d", status);
+ }
+#endif /* LIBCURL */
+
+ if (crl_check_interval > 0)
+ {
+#ifdef THREADS
+ status = pthread_create( &thread, NULL, fetch_thread, NULL);
+ if (status != 0)
+ {
+ plog("fetching thread could not be started, status = %d", status);
+ }
+#else /* !THREADS */
+ plog("warning: not compiled with pthread support");
+#endif /* !THREADS */
+ }
+}
+
+void
+free_crl_fetch(void)
+{
+ lock_crl_fetch_list("free_crl_fetch");
+
+ while (crl_fetch_reqs != NULL)
+ {
+ fetch_req_t *req = crl_fetch_reqs;
+ crl_fetch_reqs = req->next;
+ free_fetch_request(req);
+ }
+
+ unlock_crl_fetch_list("free_crl_fetch");
+
+#ifdef LIBCURL
+ if (crl_check_interval > 0)
+ {
+ /* cleanup curl */
+ curl_global_cleanup();
+ }
+#endif /* LIBCURL */
+}
+
+/*
+ * free the chained list of ocsp requests
+ */
+void
+free_ocsp_fetch(void)
+{
+ lock_ocsp_fetch_list("free_ocsp_fetch");
+ free_ocsp_locations(&ocsp_fetch_reqs);
+ unlock_ocsp_fetch_list("free_ocsp_fetch");
+}
+
+
+/*
+ * add additional distribution points
+ */
+void
+add_distribution_points(const generalName_t *newPoints ,generalName_t **distributionPoints)
+{
+ while (newPoints != NULL)
+ {
+ /* skip empty distribution point */
+ if (newPoints->name.len > 0)
+ {
+ bool add = TRUE;
+ generalName_t *gn = *distributionPoints;
+
+ while (gn != NULL)
+ {
+ if (gn->kind == newPoints->kind
+ && gn->name.len == newPoints->name.len
+ && memcmp(gn->name.ptr, newPoints->name.ptr, gn->name.len) == 0)
+ {
+ /* skip if the distribution point is already present */
+ add = FALSE;
+ break;
+ }
+ gn = gn->next;
+ }
+
+ if (add)
+ {
+ /* clone additional distribution point */
+ gn = clone_thing(*newPoints, "generalName");
+ clonetochunk(gn->name, newPoints->name.ptr, newPoints->name.len
+ , "crl uri");
+
+ /* insert additional CRL distribution point */
+ gn->next = *distributionPoints;
+ *distributionPoints = gn;
+ }
+ }
+ newPoints = newPoints->next;
+ }
+}
+
+fetch_req_t*
+build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber
+, chunk_t authKeyID, const generalName_t *gn)
+{
+ fetch_req_t *req = alloc_thing(fetch_req_t, "fetch request");
+ *req = empty_fetch_req;
+
+ /* note current time */
+ req->installed = time(NULL);
+
+ /* clone fields */
+ clonetochunk(req->issuer, issuer.ptr, issuer.len, "issuer");
+ if (authKeySerialNumber.ptr != NULL)
+ {
+ clonetochunk(req->authKeySerialNumber, authKeySerialNumber.ptr
+ , authKeySerialNumber.len, "authKeySerialNumber");
+ }
+ if (authKeyID.ptr != NULL)
+ {
+ clonetochunk(req->authKeyID, authKeyID.ptr, authKeyID.len, "authKeyID");
+ }
+
+ /* copy distribution points */
+ add_distribution_points(gn, &req->distributionPoints);
+
+ return req;
+}
+
+/*
+ * add a crl fetch request to the chained list
+ */
+void
+add_crl_fetch_request(fetch_req_t *req)
+{
+ fetch_req_t *r;
+
+ lock_crl_fetch_list("add_crl_fetch_request");
+ r = crl_fetch_reqs;
+
+ while (r != NULL)
+ {
+ if ((req->authKeyID.ptr != NULL)? same_keyid(req->authKeyID, r->authKeyID)
+ : (same_dn(req->issuer, r->issuer)
+ && same_serial(req->authKeySerialNumber, r->authKeySerialNumber)))
+ {
+ /* there is already a fetch request */
+ DBG(DBG_CONTROL,
+ DBG_log("crl fetch request already exists")
+ )
+
+ /* there might be new distribution points */
+ add_distribution_points(req->distributionPoints, &r->distributionPoints);
+
+ unlock_crl_fetch_list("add_crl_fetch_request");
+ free_fetch_request(req);
+ return;
+ }
+ r = r->next;
+ }
+
+ /* insert new fetch request at the head of the queue */
+ req->next = crl_fetch_reqs;
+ crl_fetch_reqs = req;
+
+ DBG(DBG_CONTROL,
+ DBG_log("crl fetch request added")
+ )
+ unlock_crl_fetch_list("add_crl_fetch_request");
+}
+
+/*
+ * add an ocsp fetch request to the chained list
+ */
+void
+add_ocsp_fetch_request(ocsp_location_t *location, chunk_t serialNumber)
+{
+ ocsp_certinfo_t certinfo;
+
+ certinfo.serialNumber = serialNumber;
+
+ lock_ocsp_fetch_list("add_ocsp_fetch_request");
+ add_certinfo(location, &certinfo, &ocsp_fetch_reqs, TRUE);
+ unlock_ocsp_fetch_list("add_ocsp_fetch_request");
+}
+
+/*
+ * list all distribution points
+ */
+void
+list_distribution_points(const generalName_t *gn)
+{
+ bool first_gn = TRUE;
+
+ while (gn != NULL)
+ {
+ whack_log(RC_COMMENT, " %s '%.*s'", (first_gn)? "distPts: "
+ :" ", (int)gn->name.len, gn->name.ptr);
+ first_gn = FALSE;
+ gn = gn->next;
+ }
+}
+
+/*
+ * list all fetch requests in the chained list
+ */
+void
+list_crl_fetch_requests(bool utc)
+{
+ fetch_req_t *req;
+
+ lock_crl_fetch_list("list_crl_fetch_requests");
+ req = crl_fetch_reqs;
+
+ if (req != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of CRL fetch requests:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (req != NULL)
+ {
+ u_char buf[BUF_LEN];
+
+ whack_log(RC_COMMENT, "%s, trials: %d"
+ , timetoa(&req->installed, utc), req->trials);
+ dntoa(buf, BUF_LEN, req->issuer);
+ whack_log(RC_COMMENT, " issuer: '%s'", buf);
+ if (req->authKeyID.ptr != NULL)
+ {
+ datatot(req->authKeyID.ptr, req->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (req->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(req->authKeySerialNumber.ptr, req->authKeySerialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+ list_distribution_points(req->distributionPoints);
+ req = req->next;
+ }
+ unlock_crl_fetch_list("list_crl_fetch_requests");
+}
+
+void
+list_ocsp_fetch_requests(bool utc)
+{
+ lock_ocsp_fetch_list("list_ocsp_fetch_requests");
+ list_ocsp_locations(ocsp_fetch_reqs, TRUE, utc, FALSE);
+ unlock_ocsp_fetch_list("list_ocsp_fetch_requests");
+
+}
diff --git a/src/pluto/fetch.h b/src/pluto/fetch.h
new file mode 100644
index 000000000..6303f37e4
--- /dev/null
+++ b/src/pluto/fetch.h
@@ -0,0 +1,79 @@
+/* Dynamic fetching of X.509 CRLs
+ * Copyright (C) 2002 Stephane Laroche <stephane.laroche@colubris.com>
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: fetch.h,v 1.6 2005/11/25 10:08:00 as Exp $
+ */
+
+#include "x509.h"
+
+#define FETCH_CMD_TIMEOUT 10 /* seconds */
+
+struct ocsp_location; /* forward declaration of ocsp_location defined in ocsp.h */
+
+typedef enum {
+ FETCH_GET = 1,
+ FETCH_POST = 2
+} fetch_request_t;
+
+typedef struct fetch_req fetch_req_t;
+
+struct fetch_req {
+ fetch_req_t *next;
+ time_t installed;
+ int trials;
+ chunk_t issuer;
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+ generalName_t *distributionPoints;
+};
+
+#ifdef THREADS
+extern void lock_crl_list(const char *who);
+extern void unlock_crl_list(const char *who);
+extern void lock_ocsp_cache(const char *who);
+extern void unlock_ocsp_cache(const char *who);
+extern void lock_ca_info_list(const char *who);
+extern void unlock_ca_info_list(const char *who);
+extern void lock_authcert_list(const char *who);
+extern void unlock_authcert_list(const char *who);
+extern void lock_certs_and_keys(const char *who);
+extern void unlock_certs_and_keys(const char *who);
+extern void wake_fetch_thread(const char *who);
+#else
+#define lock_crl_list(who) /* do nothing */
+#define unlock_crl_list(who) /* do nothing */
+#define lock_ocsp_cache(who) /* do nothing */
+#define unlock_ocsp_cache(who) /* do nothing */
+#define lock_ca_info_list(who) /* do nothing */
+#define unlock_ca_info_list(who) /* do nothing */
+#define lock_authcert_list(who) /* do nothing */
+#define unlock_authcert_list(who) /* do nothing */
+#define lock_certs_and_keys(who) /* do nothing */
+#define unlock_certs_and_keys(who) /* do nothing */
+#define wake_fetch_thread(who) /* do nothing */
+#endif
+extern void init_fetch(void);
+extern void free_crl_fetch(void);
+extern void free_ocsp_fetch(void);
+extern void add_distribution_points(const generalName_t *newPoints
+ , generalName_t **distributionPoints);
+extern fetch_req_t* build_crl_fetch_request(chunk_t issuer, chunk_t authKeySerialNumber
+ , chunk_t authKeyID, const generalName_t *gn);
+extern void add_crl_fetch_request(fetch_req_t *req);
+extern void add_ocsp_fetch_request(struct ocsp_location *location, chunk_t serialNumber);
+extern void list_distribution_points(const generalName_t *gn);
+extern void list_crl_fetch_requests(bool utc);
+extern void list_ocsp_fetch_requests(bool utc);
+extern size_t write_buffer(void *ptr, size_t size, size_t nmemb, void *data);
+
diff --git a/src/pluto/foodgroups.c b/src/pluto/foodgroups.c
new file mode 100644
index 000000000..c92bdb3d4
--- /dev/null
+++ b/src/pluto/foodgroups.c
@@ -0,0 +1,462 @@
+/* Implement policy groups-style control files (aka "foodgroups")
+ * Copyright (C) 2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: foodgroups.c,v 1.2 2004/04/01 18:28:32 as Exp $
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "connections.h"
+#include "foodgroups.h"
+#include "kernel.h"
+#include "lex.h"
+#include "log.h"
+#include "whack.h"
+
+
+/* Food group config files are found in directory fg_path */
+
+#ifndef POLICYGROUPSDIR
+#define POLICYGROUPSDIR IPSEC_CONFDIR "/ipsec.d/policies"
+#endif
+
+const char *policygroups_dir = POLICYGROUPSDIR;
+
+static char *fg_path = NULL;
+static size_t fg_path_space = 0;
+
+
+/* Groups is a list of connections that are policy groups.
+ * The list is updated as group connections are added and deleted.
+ */
+
+struct fg_groups {
+ struct fg_groups *next;
+ struct connection *connection;
+};
+
+static struct fg_groups *groups = NULL;
+
+
+/* Targets is a list of pairs: subnet and its policy group.
+ * This list is bulk-updated on whack --listen and
+ * incrementally updated when group connections are deleted.
+ *
+ * It is ordered by source subnet, and if those are equal, then target subnet.
+ * A subnet is compared by comparing the network, and if those are equal,
+ * comparing the mask.
+ */
+
+struct fg_targets {
+ struct fg_targets *next;
+ struct fg_groups *group;
+ ip_subnet subnet;
+ char *name; /* name of instance of group conn */
+};
+
+static struct fg_targets *targets = NULL;
+
+struct fg_targets *new_targets;
+
+/* ipcmp compares the two ip_address values a and b.
+ * It returns -1, 0, or +1 if a is, respectively,
+ * less than, equal to, or greater than b.
+ */
+static int
+ipcmp(ip_address *a, ip_address *b)
+{
+ if (addrtypeof(a) != addrtypeof(b))
+ {
+ return addrtypeof(a) < addrtypeof(b)? -1 : 1;
+ }
+ else if (sameaddr(a, b))
+ {
+ return 0;
+ }
+ else
+ {
+ const struct sockaddr *sa = sockaddrof(a)
+ , *sb = sockaddrof(b);
+
+ passert(addrtypeof(a) == AF_INET); /* not yet implemented IPv6 version :-( */
+ return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr)
+ < ntohl(((const struct sockaddr_in *)sb)->sin_addr.s_addr))
+ ? -1 : 1;
+ }
+}
+
+/* subnetcmp compares the two ip_subnet values a and b.
+ * It returns -1, 0, or +1 if a is, respectively,
+ * less than, equal to, or greater than b.
+ */
+static int
+subnetcmp(const ip_subnet *a, const ip_subnet *b)
+{
+ ip_address neta, maska, netb, maskb;
+ int r;
+
+ networkof(a, &neta);
+ maskof(a, &maska);
+ networkof(b, &netb);
+ maskof(b, &maskb);
+ r = ipcmp(&neta, &netb);
+ if (r == 0)
+ r = ipcmp(&maska, &maskb);
+ return r;
+}
+
+static void
+read_foodgroup(struct fg_groups *g)
+{
+ const char *fgn = g->connection->name;
+ const ip_subnet *lsn = &g->connection->spd.this.client;
+ size_t plen = strlen(policygroups_dir) + 1 + strlen(fgn) + 1;
+ struct file_lex_position flp_space;
+
+ if (plen > fg_path_space)
+ {
+ pfreeany(fg_path);
+ fg_path_space = plen + 10;
+ fg_path = alloc_bytes(fg_path_space, "policy group path");
+ }
+ snprintf(fg_path, fg_path_space, "%s/%s", policygroups_dir, fgn);
+ if (!lexopen(&flp_space, fg_path, TRUE))
+ {
+ DBG(DBG_CONTROL, DBG_log("no group file \"%s\"", fg_path));
+ }
+ else
+ {
+ plog("loading group \"%s\"", fg_path);
+ for (;;)
+ {
+ switch (flp->bdry)
+ {
+ case B_none:
+ {
+ /* !!! this test is not sufficient for distinguishing address families.
+ * We need a notation to specify that a FQDN is to be resolved to IPv6.
+ */
+ const struct af_info *afi = strchr(tok, ':') == NULL
+ ? &af_inet4_info: &af_inet6_info;
+ ip_subnet sn;
+ err_t ugh;
+
+ if (strchr(tok, '/') == NULL)
+ {
+ /* no /, so treat as /32 or V6 equivalent */
+ ip_address t;
+
+ ugh = ttoaddr(tok, 0, afi->af, &t);
+ if (ugh == NULL)
+ ugh = addrtosubnet(&t, &sn);
+ }
+ else
+ {
+ ugh = ttosubnet(tok, 0, afi->af, &sn);
+ }
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s \"%s\""
+ , flp->filename, flp->lino, ugh, tok);
+ }
+ else if (afi->af != AF_INET)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "\"%s\" line %d: unsupported Address Family \"%s\""
+ , flp->filename, flp->lino, tok);
+ }
+ else
+ {
+ /* Find where new entry ought to go in new_targets. */
+ struct fg_targets **pp;
+ int r;
+
+ for (pp = &new_targets; ; pp = &(*pp)->next)
+ {
+ if (*pp == NULL)
+ {
+ r = -1; /* end of list is infinite */
+ break;
+ }
+ r = subnetcmp(lsn, &(*pp)->group->connection->spd.this.client);
+ if (r == 0)
+ r = subnetcmp(&sn, &(*pp)->subnet);
+ if (r <= 0)
+ break;
+ }
+
+ if (r == 0)
+ {
+ char source[SUBNETTOT_BUF];
+
+ subnettot(lsn, 0, source, sizeof(source));
+ loglog(RC_LOG_SERIOUS
+ , "\"%s\" line %d: subnet \"%s\", source %s, already \"%s\""
+ , flp->filename
+ , flp->lino
+ , tok
+ , source
+ , (*pp)->group->connection->name);
+ }
+ else
+ {
+ struct fg_targets *f = alloc_thing(struct fg_targets, "fg_target");
+
+ f->next = *pp;
+ f->group = g;
+ f->subnet = sn;
+ f->name = NULL;
+ *pp = f;
+ }
+ }
+ }
+ (void)shift(); /* next */
+ continue;
+
+ case B_record:
+ flp->bdry = B_none; /* eat the Record Boundary */
+ (void)shift(); /* get real first token */
+ continue;
+
+ case B_file:
+ break; /* done */
+ }
+ break; /* if we reach here, out of loop */
+ }
+ lexclose();
+ }
+}
+
+static void
+free_targets(void)
+{
+ while (targets != NULL)
+ {
+ struct fg_targets *t = targets;
+
+ targets = t->next;
+ pfreeany(t->name);
+ pfree(t);
+ }
+}
+
+void
+load_groups(void)
+{
+ passert(new_targets == NULL);
+
+ /* for each group, add config file targets into new_targets */
+ {
+ struct fg_groups *g;
+
+ for (g = groups; g != NULL; g = g->next)
+ if (oriented(*g->connection))
+ read_foodgroup(g);
+ }
+
+ /* dump new_targets */
+ DBG(DBG_CONTROL,
+ {
+ struct fg_targets *t;
+
+ for (t = new_targets; t != NULL; t = t->next)
+ {
+ char asource[SUBNETTOT_BUF];
+ char atarget[SUBNETTOT_BUF];
+
+ subnettot(&t->group->connection->spd.this.client
+ , 0, asource, sizeof(asource));
+ subnettot(&t->subnet, 0, atarget, sizeof(atarget));
+ DBG_log("%s->%s %s"
+ , asource, atarget
+ , t->group->connection->name);
+ }
+ });
+
+ /* determine and deal with differences between targets and new_targets.
+ * structured like a merge.
+ */
+ {
+ struct fg_targets *op = targets
+ , *np = new_targets;
+
+ while (op != NULL && np != NULL)
+ {
+ int r = subnetcmp(&op->group->connection->spd.this.client
+ , &np->group->connection->spd.this.client);
+
+ if (r == 0)
+ r = subnetcmp(&op->subnet, &np->subnet);
+
+ if (r == 0 && op->group == np->group)
+ {
+ /* unchanged -- steal name & skip over */
+ np->name = op->name;
+ op->name = NULL;
+ op = op->next;
+ np = np->next;
+ }
+ else
+ {
+ /* note: following cases overlap! */
+ if (r <= 0)
+ {
+ remove_group_instance(op->group->connection, op->name);
+ op = op->next;
+ }
+ if (r >= 0)
+ {
+ np->name = add_group_instance(np->group->connection, &np->subnet);
+ np = np->next;
+ }
+ }
+ }
+ for (; op != NULL; op = op->next)
+ remove_group_instance(op->group->connection, op->name);
+ for (; np != NULL; np = np->next)
+ np->name = add_group_instance(np->group->connection, &np->subnet);
+
+ /* update: new_targets replaces targets */
+ free_targets();
+ targets = new_targets;
+ new_targets = NULL;
+ }
+}
+
+
+void
+add_group(struct connection *c)
+{
+ struct fg_groups *g = alloc_thing(struct fg_groups, "policy group");
+
+ g->next = groups;
+ groups = g;
+
+ g->connection = c;
+}
+
+static struct fg_groups *
+find_group(const struct connection *c)
+{
+ struct fg_groups *g;
+
+ for (g = groups; g != NULL && g->connection != c; g = g->next)
+ ;
+ return g;
+}
+
+void
+route_group(struct connection *c)
+{
+ /* it makes no sense to route a connection that is ISAKMP-only */
+ if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
+ {
+ loglog(RC_ROUTE, "cannot route an ISAKMP-only group connection");
+ }
+ else
+ {
+ struct fg_groups *g = find_group(c);
+ struct fg_targets *t;
+
+ passert(g != NULL);
+ g->connection->policy |= POLICY_GROUTED;
+ for (t = targets; t != NULL; t = t->next)
+ {
+ if (t->group == g)
+ {
+ struct connection *ci = con_by_name(t->name, FALSE);
+
+ if (ci != NULL)
+ {
+ set_cur_connection(ci);
+ if (!trap_connection(ci))
+ whack_log(RC_ROUTE, "could not route");
+ set_cur_connection(c);
+ }
+ }
+ }
+ }
+}
+
+void
+unroute_group(struct connection *c)
+{
+ struct fg_groups *g = find_group(c);
+ struct fg_targets *t;
+
+ passert(g != NULL);
+ g->connection->policy &= ~POLICY_GROUTED;
+ for (t = targets; t != NULL; t = t->next)
+ {
+ if (t->group == g)
+ {
+ struct connection *ci = con_by_name(t->name, FALSE);
+
+ if (ci != NULL)
+ {
+ set_cur_connection(ci);
+ unroute_connection(ci);
+ set_cur_connection(c);
+ }
+ }
+ }
+}
+
+void
+delete_group(const struct connection *c)
+{
+ struct fg_groups *g;
+
+ /* find and remove from groups */
+ {
+ struct fg_groups **pp;
+
+ for (pp = &groups; (g = *pp)->connection != c; pp = &(*pp)->next)
+ ;
+
+ *pp = g->next;
+ }
+
+ /* find and remove from targets */
+ {
+ struct fg_targets **pp;
+
+ for (pp = &targets; *pp != NULL; )
+ {
+ struct fg_targets *t = *pp;
+
+ if (t->group == g)
+ {
+ *pp = t->next;
+ remove_group_instance(t->group->connection, t->name);
+ pfree(t);
+ /* pp is ready for next iteration */
+ }
+ else
+ {
+ pp = &t->next;
+ }
+ }
+ }
+
+ pfree(g);
+}
diff --git a/src/pluto/foodgroups.h b/src/pluto/foodgroups.h
new file mode 100644
index 000000000..7cbbccc44
--- /dev/null
+++ b/src/pluto/foodgroups.h
@@ -0,0 +1,24 @@
+/* Implement policygroups-style control files (aka "foodgroups")
+ * Copyright (C) 2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: foodgroups.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+struct connection; /* forward declaration */
+extern void add_group(struct connection *c);
+extern void route_group(struct connection *c);
+extern void unroute_group(struct connection *c);
+extern void delete_group(const struct connection *c);
+
+extern const char *policygroups_dir;
+extern void load_groups(void);
diff --git a/src/pluto/gcryptfix.c b/src/pluto/gcryptfix.c
new file mode 100644
index 000000000..1ebacdcf6
--- /dev/null
+++ b/src/pluto/gcryptfix.c
@@ -0,0 +1,283 @@
+/* Routines to make gcrypt routines feel at home in Pluto.
+ * Copyright (C) 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: gcryptfix.c,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#include <stdlib.h>
+
+#include <gmp.h>
+#include <freeswan.h>
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "rnd.h"
+#include "gcryptfix.h" /* includes <gmp.h> "defs.h" "rnd.h" */
+
+MPI
+mpi_alloc( unsigned nlimbs UNUSED )
+{
+ MPI n = alloc_bytes(sizeof *n, "mpi_alloc");
+
+ mpz_init(n);
+ return n;
+}
+
+MPI
+mpi_alloc_secure( unsigned nlimbs )
+{
+ return mpi_alloc(nlimbs);
+}
+
+MPI
+mpi_alloc_set_ui( unsigned long u)
+{
+ MPI n = alloc_bytes(sizeof *n, "mpi_copy");
+
+ mpz_init_set_ui(n, u);
+ return n;
+}
+
+MPI
+mpi_copy( MPI a )
+{
+ MPI n = alloc_bytes(sizeof *n, "mpi_copy");
+
+ mpz_init_set(n, a);
+ return n;
+}
+
+void
+mpi_free( MPI a )
+{
+ mpz_clear(a);
+ pfree(a);
+}
+
+int
+mpi_divisible_ui(MPI dividend, ulong divisor )
+{
+ ulong rem;
+ mpz_t remtoo;
+
+ mpz_init(remtoo);
+ rem = mpz_mod_ui(remtoo, dividend, divisor);
+ mpz_clear(remtoo);
+ return rem == 0;
+}
+
+unsigned
+mpi_trailing_zeros( MPI a )
+{
+ return mpz_scan1(a, 0);
+}
+
+unsigned
+mpi_get_nbits( MPI a )
+{
+ return mpz_sizeinbase(a, 2);
+}
+
+int
+mpi_test_bit( MPI a, unsigned n )
+{
+ /* inspired by gmp/mpz/clrbit.c */
+ mp_size_t li = n / mp_bits_per_limb;
+
+ if (li >= a->_mp_size)
+ return 0;
+ return (a->_mp_d[li] & ((mp_limb_t) 1 << (n % mp_bits_per_limb))) != 0;
+}
+
+void
+mpi_set_bit( MPI a, unsigned n )
+{
+ mpz_setbit(a, n);
+}
+
+void
+mpi_clear_bit( MPI a, unsigned n )
+{
+ mpz_clrbit(a, n);
+}
+
+void
+mpi_clear_highbit( MPI a, unsigned n )
+{
+ /* This seems whacky, but what do I know. */
+ mpz_fdiv_r_2exp(a, a, n);
+}
+
+void
+mpi_set_highbit( MPI a, unsigned n )
+{
+ /* This seems whacky, but what do I know. */
+ mpz_fdiv_r_2exp(a, a, n+1);
+ mpz_setbit(a, n);
+}
+
+void
+mpi_set_buffer( MPI a, const u_char *buffer, unsigned nbytes, int sign )
+{
+ /* this is a lot like n_to_mpz */
+ size_t i;
+
+ passert(sign == 0); /* we won't hit any negative numbers */
+ mpz_init_set_ui(a, 0);
+
+ for (i = 0; i != nbytes; i++)
+ {
+ mpz_mul_ui(a, a, 1 << BITS_PER_BYTE);
+ mpz_add_ui(a, a, buffer[i]);
+ }
+}
+
+u_char *
+get_random_bits(size_t nbits, int level UNUSED, int secure UNUSED)
+{
+ size_t nbytes = (nbits+7)/8;
+ u_char *b = alloc_bytes(nbytes, "random bytes");
+
+ get_rnd_bytes(b, nbytes);
+ return b;
+}
+/**************** from gnupg-1.0.0/mpi/mpi-mpow.c
+ * RES = (BASE[0] ^ EXP[0]) * (BASE[1] ^ EXP[1]) * ... * mod M
+ */
+#define barrett_mulm( w, u, v, m, y, k, r1, r2 ) mpi_mulm( (w), (u), (v), (m) )
+
+static int
+build_index( MPI *exparray, int k, int i, int t )
+{
+ int j, bitno;
+ int index = 0;
+
+ bitno = t-i;
+ for(j=k-1; j >= 0; j-- ) {
+ index <<= 1;
+ if( mpi_test_bit( exparray[j], bitno ) )
+ index |= 1;
+ }
+ /*log_debug("t=%d i=%d index=%d\n", t, i, index );*/
+ return index;
+}
+
+void
+mpi_mulpowm( MPI res, MPI *basearray, MPI *exparray, MPI m)
+{
+ int k; /* number of elements */
+ int t; /* bit size of largest exponent */
+ int i, j, idx;
+ MPI *G; /* table with precomputed values of size 2^k */
+ MPI tmp;
+ #ifdef USE_BARRETT
+ MPI barrett_y, barrett_r1, barrett_r2;
+ int barrett_k;
+ #endif
+
+ for(k=0; basearray[k]; k++ )
+ ;
+ passert(k);
+ for(t=0, i=0; (tmp=exparray[i]); i++ ) {
+ /*log_mpidump("exp: ", tmp );*/
+ j = mpi_get_nbits(tmp);
+ if( j > t )
+ t = j;
+ }
+ /*log_mpidump("mod: ", m );*/
+ passert(i==k);
+ passert(t);
+ passert( k < 10 );
+
+#ifdef PLUTO
+ m_alloc_ptrs_clear(G, 1<<k);
+#else
+ G = m_alloc_clear( (1<<k) * sizeof *G );
+#endif
+
+ #ifdef USE_BARRETT
+ barrett_y = init_barrett( m, &barrett_k, &barrett_r1, &barrett_r2 );
+ #endif
+ /* and calculate */
+ tmp = mpi_alloc( mpi_get_nlimbs(m)+1 );
+ mpi_set_ui( res, 1 );
+ for(i = 1; i <= t; i++ ) {
+ barrett_mulm(tmp, res, res, m, barrett_y, barrett_k,
+ barrett_r1, barrett_r2 );
+ idx = build_index( exparray, k, i, t );
+ passert( idx >= 0 && idx < (1<<k) );
+ if( !G[idx] ) {
+ if( !idx )
+ G[0] = mpi_alloc_set_ui( 1 );
+ else {
+ for(j=0; j < k; j++ ) {
+ if( (idx & (1<<j) ) ) {
+ if( !G[idx] )
+ G[idx] = mpi_copy( basearray[j] );
+ else
+ barrett_mulm( G[idx], G[idx], basearray[j],
+ m, barrett_y, barrett_k, barrett_r1, barrett_r2 );
+ }
+ }
+ if( !G[idx] )
+ G[idx] = mpi_alloc(0);
+ }
+ }
+ barrett_mulm(res, tmp, G[idx], m, barrett_y, barrett_k, barrett_r1, barrett_r2 );
+ }
+
+ /* cleanup */
+ mpi_free(tmp);
+ #ifdef USE_BARRETT
+ mpi_free(barrett_y);
+ mpi_free(barrett_r1);
+ mpi_free(barrett_r2);
+ #endif
+ for(i=0; i < (1<<k); i++ )
+ mpi_free(G[i]);
+ m_free(G);
+}
+
+void
+log_mpidump( const char *text UNUSED, MPI a )
+{
+ /* Print number in hex -- helpful to see if they match bytes.
+ * Humans are not going to do arithmetic with the large numbers!
+ * Much code adapted from mpz_to_n.
+ */
+ u_char buf[8048]; /* this ought to be big enough */
+ size_t len = (mpz_sizeinbase(a, 16) + 1) / 2; /* bytes */
+ MP_INT temp1, temp2;
+ int i;
+
+ passert(len <= sizeof(buf));
+
+ mpz_init(&temp1);
+ mpz_init(&temp2);
+
+ mpz_set(&temp1, a);
+
+ for (i = len-1; i >= 0; i--)
+ {
+ buf[i] = mpz_mdivmod_ui(&temp2, NULL, &temp1, 1 << BITS_PER_BYTE);
+ mpz_set(&temp1, &temp2);
+ }
+
+ passert(mpz_sgn(&temp1) == 0); /* we must have done all the bits */
+ mpz_clear(&temp1);
+ mpz_clear(&temp2);
+
+#ifdef DEBUG
+ DBG_dump(text, buf, len);
+#endif /* DEBUG */
+}
diff --git a/src/pluto/gcryptfix.h b/src/pluto/gcryptfix.h
new file mode 100644
index 000000000..637ecbc8d
--- /dev/null
+++ b/src/pluto/gcryptfix.h
@@ -0,0 +1,111 @@
+/* Definitions to make gcrypt routines feel at home in Pluto.
+ * Copyright (C) 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: gcryptfix.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#define DBG_CIPHER 1 /* some day we'll do this right */
+
+/* Simulate MPI routines with gmp routines.
+ * gmp's MP_INT is a stuct; MPI's MPI is a pointer to an analogous struct.
+ * gmp's mpz_t is an array of one of these structs to enable magic pointer
+ * conversions to make the notation convenient (but confusing).
+ */
+typedef u_char byte;
+typedef MP_INT *MPI;
+
+#define BITS_PER_MPI_LIMB mp_bits_per_limb
+
+extern MPI mpi_alloc( unsigned nlimbs );
+extern MPI mpi_alloc_secure( unsigned nlimbs );
+#define mpi_alloc_like(n) mpi_alloc(mpi_get_nlimbs(n))
+extern MPI mpi_alloc_set_ui( unsigned long u);
+#define mpi_set_ui(w, u) mpz_set_ui(w, u)
+#define mpi_set(w, u) mpz_set(w, u)
+extern void mpi_free( MPI a );
+extern MPI mpi_copy( MPI a );
+extern unsigned mpi_get_nbits( MPI a );
+#define mpi_get_nlimbs(a) ((a)->_mp_alloc) /* dirty, but useless */
+extern void mpi_set_buffer( MPI a, const u_char *buffer, unsigned nbytes, int sign );
+extern unsigned mpi_trailing_zeros( MPI a );
+extern int mpi_test_bit( MPI a, unsigned n );
+extern void mpi_set_bit( MPI a, unsigned n );
+extern void mpi_clear_bit( MPI a, unsigned n );
+extern void mpi_clear_highbit( MPI a, unsigned n );
+extern void mpi_set_highbit( MPI a, unsigned n );
+#define mpi_cmp_ui(u, v) mpz_cmp_ui((u), (v))
+#define mpi_cmp(u, v) mpz_cmp((u), (v))
+#define mpi_is_neg(n) (mpz_sgn(n) < 0)
+#define mpi_add(w, u, v) mpz_add((w), (u), (v))
+#define mpi_add_ui(w, u, v) mpz_add_ui((w), (u), (v))
+#define mpi_sub_ui(w, u, v) mpz_sub_ui((w), (u), (v))
+#define mpi_subm( w, u, v, m) { mpz_sub( (w), (u), (v)) ; mpz_fdiv_r((w), (w), (m)); }
+#define mpi_mul( w, u, v) mpz_mul( (w), (u), (v))
+#define mpi_mul_ui( w, u, v) mpz_mul_ui( (w), (u), (v))
+#define mpi_mulm( w, u, v, m) { mpz_mul( (w), (u), (v)) ; mpz_fdiv_r((w), (w), (m)); }
+#define mpi_fdiv_q(quot, dividend, divisor) mpz_fdiv_q((quot), (dividend), (divisor))
+#define mpi_fdiv_r( rem, dividend, divisor ) mpz_fdiv_r( (rem), (dividend), (divisor) )
+#define mpi_fdiv_r_ui( rem, dividend, divisor ) mpz_fdiv_r_ui( (rem), (dividend), (divisor) )
+#define mpi_tdiv_q_2exp( w, u, count ) mpz_tdiv_q_2exp( (w), (u), (count) )
+extern int mpi_divisible_ui(MPI dividend, ulong divisor );
+#define mpi_powm( res, base, exp, mod) mpz_powm( res, base, exp, mod)
+extern void mpi_mulpowm( MPI res, MPI *basearray, MPI *exparray, MPI mod);
+#define mpi_gcd( g, a, b ) ( mpz_gcd( (g), (a), (b) ), !mpi_cmp_ui( (g), 1))
+#define mpi_invm( x, a, n ) mpz_invert( (x), (a), (n) )
+
+#ifdef DEBUG
+# define log_debug(f...) DBG_log(f)
+#else
+# define log_debug(f...) do ; while (0) /* do nothing, carefully */
+#endif
+#define log_fatal(f...) exit_log(f) /* overreaction? */
+extern void log_mpidump( const char *text, MPI a );
+
+#define assert(p) passert(p)
+#define BUG() passert(FALSE)
+
+#define m_alloc_ptrs_clear(pp, n) { \
+ int c = (n); \
+ (pp) = alloc_bytes((n) * sizeof(*(pp)), "m_alloc_ptrs_clear"); \
+ while (c > 0) (pp)[--c] = NULL; \
+ }
+
+extern u_char *get_random_bits(size_t nbits, int level, int secure);
+#define m_alloc(sz) alloc_bytes((sz), "m_alloc") /* not initialized */
+#define m_free(n) pfree(n) /* always freeing something from get_random_bits */
+
+/* declarations from gnupg-1.0.0/include/cipher.h */
+/*-- primegen.c --*/
+MPI generate_secret_prime( unsigned nbits );
+MPI generate_public_prime( unsigned nbits );
+MPI generate_elg_prime( int mode, unsigned pbits, unsigned qbits,
+ MPI g, MPI **factors );
+
+#define PUBKEY_ALGO_ELGAMAL_E 16 /* encrypt only ElGamal (but not for v3)*/
+#define PUBKEY_ALGO_DSA 17
+#define PUBKEY_ALGO_ELGAMAL 20 /* sign and encrypt elgamal */
+
+#define is_ELGAMAL(a) ((a)==PUBKEY_ALGO_ELGAMAL || (a)==PUBKEY_ALGO_ELGAMAL_E)
+
+#define PUBKEY_USAGE_SIG 1 /* key is good for signatures */
+#define PUBKEY_USAGE_ENC 2 /* key is good for encryption */
+
+/* from gnupg-1.0.0/include/errors.h */
+
+#define G10ERR_PUBKEY_ALGO 4 /* Unknown pubkey algorithm */
+#define G10ERR_BAD_SECKEY 7 /* Bad secret key */
+#define G10ERR_BAD_SIGN 8 /* Bad signature */
+#define G10ERR_BAD_MPI 30
+
+/*-- smallprime.c --*/
+extern ushort small_prime_numbers[];
diff --git a/src/pluto/id.c b/src/pluto/id.c
new file mode 100644
index 000000000..4e75ec2e9
--- /dev/null
+++ b/src/pluto/id.c
@@ -0,0 +1,509 @@
+/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
+ * Copyright (C) 1999-2001 D. Hugh Redelmeier
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: id.c,v 1.4 2005/08/15 20:07:08 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#ifndef HOST_NAME_MAX /* POSIX 1003.1-2001 says <unistd.h> defines this */
+# define HOST_NAME_MAX 255 /* upper bound, according to SUSv2 */
+#endif
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "id.h"
+#include "log.h"
+#include "connections.h"
+#include "packet.h"
+#include "whack.h"
+
+const struct id empty_id; /* ID_NONE */
+
+enum myid_state myid_state = MYID_UNKNOWN;
+struct id myids[MYID_SPECIFIED+1]; /* %myid */
+char *myid_str[MYID_SPECIFIED+1]; /* string form of IDs */
+
+/* initialize id module
+ * Fills in myid from environment variable IPSECmyid or defaultrouteaddr
+ */
+void
+init_id(void)
+{
+ passert(empty_id.kind == ID_NONE);
+ myid_state = MYID_UNKNOWN;
+ {
+ enum myid_state s;
+
+ for (s = MYID_UNKNOWN; s <= MYID_SPECIFIED; s++)
+ {
+ myids[s] = empty_id;
+ myid_str[s] = NULL;
+ }
+ }
+ set_myid(MYID_SPECIFIED, getenv("IPSECmyid"));
+ set_myid(MYID_IP, getenv("defaultrouteaddr"));
+ set_myFQDN();
+}
+
+static void
+calc_myid_str(enum myid_state s)
+{
+ /* preformat the ID name */
+ char buf[BUF_LEN];
+
+ idtoa(&myids[s], buf, BUF_LEN);
+ replace(myid_str[s], clone_str(buf, "myid string"));
+}
+
+
+void
+set_myid(enum myid_state s, char *idstr)
+{
+ if (idstr != NULL)
+ {
+ struct id id;
+ err_t ugh = atoid(idstr, &id, FALSE);
+
+ if (ugh != NULL)
+ {
+ loglog(RC_BADID, "myid malformed: %s \"%s\"", ugh, idstr);
+ }
+ else
+ {
+ free_id_content(&myids[s]);
+ unshare_id_content(&id);
+ myids[s] = id;
+ if (s == MYID_SPECIFIED)
+ myid_state = MYID_SPECIFIED;
+
+ calc_myid_str(s);
+ }
+ }
+}
+
+void
+set_myFQDN(void)
+{
+ char FQDN[HOST_NAME_MAX + 1];
+ int r = gethostname(FQDN, sizeof(FQDN));
+
+ free_id_content(&myids[MYID_HOSTNAME]);
+ myids[MYID_HOSTNAME] = empty_id;
+ if (r != 0)
+ {
+ log_errno((e, "gethostname() failed in set_myFQDN"));
+ }
+ else
+ {
+ FQDN[sizeof(FQDN) - 1] = '\0'; /* insurance */
+
+ {
+ size_t len = strlen(FQDN);
+
+ if (len > 0 && FQDN[len-1] == '.')
+ {
+ /* nuke trailing . */
+ FQDN[len-1]='\0';
+ }
+ }
+
+ if (!strcaseeq(FQDN, "localhost.localdomain"))
+ {
+ clonetochunk(myids[MYID_HOSTNAME].name, FQDN, strlen(FQDN), "my FQDN");
+ myids[MYID_HOSTNAME].kind = ID_FQDN;
+ calc_myid_str(MYID_HOSTNAME);
+ }
+ }
+}
+
+void
+show_myid_status(void)
+{
+ char idstr[BUF_LEN];
+
+ (void)idtoa(&myids[myid_state], idstr, sizeof(idstr));
+ whack_log(RC_COMMENT, "%%myid = %s", idstr);
+}
+
+/* Convert textual form of id into a (temporary) struct id.
+ * Note that if the id is to be kept, unshare_id_content will be necessary.
+ */
+err_t
+atoid(char *src, struct id *id, bool myid_ok)
+{
+ err_t ugh = NULL;
+
+ *id = empty_id;
+
+ if (myid_ok && streq("%myid", src))
+ {
+ id->kind = ID_MYID;
+ }
+ else if (strchr(src, '=') != NULL)
+ {
+ /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */
+ id->kind = ID_DER_ASN1_DN;
+ id->name.ptr = temporary_cyclic_buffer(); /* assign temporary buffer */
+ id->name.len = 0;
+ /* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
+ * discard optional @ character in front of DN
+ */
+ ugh = atodn((*src == '@')?src+1:src, &id->name);
+ }
+ else if (strchr(src, '@') == NULL)
+ {
+ if (streq(src, "%any") || streq(src, "0.0.0.0"))
+ {
+ /* any ID will be accepted */
+ id->kind = ID_NONE;
+ }
+ else
+ {
+ /* !!! this test is not sufficient for distinguishing address families.
+ * We need a notation to specify that a FQDN is to be resolved to IPv6.
+ */
+ const struct af_info *afi = strchr(src, ':') == NULL
+ ? &af_inet4_info: &af_inet6_info;
+
+ id->kind = afi->id_addr;
+ ugh = ttoaddr(src, 0, afi->af, &id->ip_addr);
+ }
+ }
+ else
+ {
+ if (*src == '@')
+ {
+ if (*(src+1) == '#')
+ {
+ /* if there is a second specifier (#) on the line
+ * we interprete this as ID_KEY_ID
+ */
+ id->kind = ID_KEY_ID;
+ id->name.ptr = src;
+ /* discard @~, convert from hex to bin */
+ ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
+ }
+ else if (*(src+1) == '~')
+ {
+ /* if there is a second specifier (~) on the line
+ * we interprete this as a binary ID_DER_ASN1_DN
+ */
+ id->kind = ID_DER_ASN1_DN;
+ id->name.ptr = src;
+ /* discard @~, convert from hex to bin */
+ ugh = ttodata(src+2, 0, 16, id->name.ptr, strlen(src), &id->name.len);
+ }
+ else
+ {
+ id->kind = ID_FQDN;
+ id->name.ptr = src+1; /* discard @ */
+ id->name.len = strlen(src)-1;
+ }
+ }
+ else
+ {
+ /* We leave in @, as per DOI 4.6.2.4
+ * (but DNS wants . instead).
+ */
+ id->kind = ID_USER_FQDN;
+ id->name.ptr = src;
+ id->name.len = strlen(src);
+ }
+ }
+ return ugh;
+}
+
+
+/*
+ * Converts a binary key ID into hexadecimal format
+ */
+int
+keyidtoa(char *dst, size_t dstlen, chunk_t keyid)
+{
+ int n = datatot(keyid.ptr, keyid.len, 'x', dst, dstlen);
+ return (((size_t)n < dstlen)? n : dstlen) - 1;
+}
+
+void
+iptoid(const ip_address *ip, struct id *id)
+{
+ *id = empty_id;
+
+ switch (addrtypeof(ip))
+ {
+ case AF_INET:
+ id->kind = ID_IPV4_ADDR;
+ break;
+ case AF_INET6:
+ id->kind = ID_IPV6_ADDR;
+ break;
+ default:
+ bad_case(addrtypeof(ip));
+ }
+ id->ip_addr = *ip;
+}
+
+int
+idtoa(const struct id *id, char *dst, size_t dstlen)
+{
+ int n;
+
+ id = resolve_myid(id);
+ switch (id->kind)
+ {
+ case ID_NONE:
+ n = snprintf(dst, dstlen, "(none)");
+ break;
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ n = (int)addrtot(&id->ip_addr, 0, dst, dstlen) - 1;
+ break;
+ case ID_FQDN:
+ n = snprintf(dst, dstlen, "@%.*s", (int)id->name.len, id->name.ptr);
+ break;
+ case ID_USER_FQDN:
+ n = snprintf(dst, dstlen, "%.*s", (int)id->name.len, id->name.ptr);
+ break;
+ case ID_DER_ASN1_DN:
+ n = dntoa(dst, dstlen, id->name);
+ break;
+ case ID_KEY_ID:
+ n = keyidtoa(dst, dstlen, id->name);
+ break;
+ default:
+ n = snprintf(dst, dstlen, "unknown id kind %d", id->kind);
+ break;
+ }
+
+ /* "Sanitize" string so that log isn't endangered:
+ * replace unprintable characters with '?'.
+ */
+ if (n > 0)
+ {
+ for ( ; *dst != '\0'; dst++)
+ if (!isprint(*dst))
+ *dst = '?';
+ }
+
+ return n;
+}
+
+/* Replace the shell metacharacters ', \, ", `, and $ in a character string
+ * by escape sequences consisting of their octal values
+ */
+void
+escape_metachar(const char *src, char *dst, size_t dstlen)
+{
+ while (*src != '\0' && dstlen > 4)
+ {
+ switch (*src)
+ {
+ case '\'':
+ case '\\':
+ case '"':
+ case '`':
+ case '$':
+ sprintf(dst,"\\%s%o", (*src < 64)?"0":"", *src);
+ dst += 4;
+ dstlen -= 4;
+ break;
+ default:
+ *dst++ = *src;
+ dstlen--;
+ }
+ src++;
+ }
+ *dst = '\0';
+}
+
+
+/* Make private copy of string in struct id.
+ * This is needed if the result of atoid is to be kept.
+ */
+void
+unshare_id_content(struct id *id)
+{
+ switch (id->kind)
+ {
+ case ID_FQDN:
+ case ID_USER_FQDN:
+ case ID_DER_ASN1_DN:
+ case ID_KEY_ID:
+ id->name.ptr = clone_bytes(id->name.ptr, id->name.len, "keep id name");
+ break;
+ case ID_MYID:
+ case ID_NONE:
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ break;
+ default:
+ bad_case(id->kind);
+ }
+}
+
+void
+free_id_content(struct id *id)
+{
+ switch (id->kind)
+ {
+ case ID_FQDN:
+ case ID_USER_FQDN:
+ case ID_DER_ASN1_DN:
+ case ID_KEY_ID:
+ freeanychunk(id->name);
+ break;
+ case ID_MYID:
+ case ID_NONE:
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ break;
+ default:
+ bad_case(id->kind);
+ }
+}
+
+/* compare two struct id values */
+bool
+same_id(const struct id *a, const struct id *b)
+{
+ a = resolve_myid(a);
+ b = resolve_myid(b);
+ if (a->kind != b->kind)
+ return FALSE;
+ switch (a->kind)
+ {
+ case ID_NONE:
+ return TRUE; /* kind of vacuous */
+
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ return sameaddr(&a->ip_addr, &b->ip_addr);
+
+ case ID_FQDN:
+ case ID_USER_FQDN:
+ /* assumptions:
+ * - case should be ignored
+ * - trailing "." should be ignored (even if the only character?)
+ */
+ {
+ size_t al = a->name.len
+ , bl = b->name.len;
+
+ while (al > 0 && a->name.ptr[al - 1] == '.')
+ al--;
+ while (bl > 0 && b->name.ptr[bl - 1] == '.')
+ bl--;
+ return al == bl
+ && strncasecmp(a->name.ptr, b->name.ptr, al) == 0;
+ }
+
+ case ID_DER_ASN1_DN:
+ return same_dn(a->name, b->name);
+
+ case ID_KEY_ID:
+ return a->name.len == b->name.len
+ && memcmp(a->name.ptr, b->name.ptr, a->name.len) == 0;
+
+ default:
+ bad_case(a->kind);
+ }
+ return FALSE;
+}
+
+/* compare two struct id values, DNs can contain wildcards */
+bool
+match_id(const struct id *a, const struct id *b, int *wildcards)
+{
+ if (b->kind == ID_NONE)
+ {
+ *wildcards = MAX_WILDCARDS;
+ return TRUE;
+ }
+ if (a->kind != b->kind)
+ return FALSE;
+ if (a->kind == ID_DER_ASN1_DN)
+ return match_dn(a->name, b->name, wildcards);
+ else
+ {
+ *wildcards = 0;
+ return same_id(a, b);
+ }
+}
+
+/* count the numer of wildcards in an id */
+int
+id_count_wildcards(const struct id *id)
+{
+ switch (id->kind)
+ {
+ case ID_NONE:
+ return MAX_WILDCARDS;
+ case ID_DER_ASN1_DN:
+ return dn_count_wildcards(id->name);
+ default:
+ return 0;
+ }
+}
+
+/* build an ID payload
+ * Note: no memory is allocated for the body of the payload (tl->ptr).
+ * We assume it will end up being a pointer into a sufficiently
+ * stable datastructure. It only needs to last a short time.
+ */
+void
+build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end)
+{
+ const struct id *id = resolve_myid(&end->id);
+
+ zero(hd);
+ hd->isaiid_idtype = id->kind;
+ switch (id->kind)
+ {
+ case ID_NONE:
+ hd->isaiid_idtype = aftoinfo(addrtypeof(&end->host_addr))->id_addr;
+ tl->len = addrbytesptr(&end->host_addr
+ , (const unsigned char **)&tl->ptr); /* sets tl->ptr too */
+ break;
+ case ID_FQDN:
+ case ID_USER_FQDN:
+ case ID_DER_ASN1_DN:
+ case ID_KEY_ID:
+ *tl = id->name;
+ break;
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ tl->len = addrbytesptr(&id->ip_addr
+ , (const unsigned char **)&tl->ptr); /* sets tl->ptr too */
+ break;
+ default:
+ bad_case(id->kind);
+ }
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/id.h b/src/pluto/id.h
new file mode 100644
index 000000000..4fe9ef227
--- /dev/null
+++ b/src/pluto/id.h
@@ -0,0 +1,67 @@
+/* identity representation, as in IKE ID Payloads (RFC 2407 DOI 4.6.2.1)
+ * Copyright (C) 1999-2001 D. Hugh Redelmeier
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: id.h,v 1.5 2005/08/15 20:07:08 as Exp $
+ */
+
+#ifndef _ID_H
+#define _ID_H
+
+#include "defs.h"
+
+struct id {
+ int kind; /* ID_* value */
+ ip_address ip_addr; /* ID_IPV4_ADDR, ID_IPV6_ADDR */
+ chunk_t name; /* ID_FQDN, ID_USER_FQDN (with @) */
+ /* ID_KEY_ID, ID_DER_ASN_DN */
+};
+
+extern void init_id(void);
+
+extern const struct id empty_id; /* ID_NONE */
+
+enum myid_state {
+ MYID_UNKNOWN, /* not yet figured out */
+ MYID_HOSTNAME, /* our current hostname */
+ MYID_IP, /* our default IP address */
+ MYID_SPECIFIED /* as specified by ipsec.conf */
+};
+
+extern enum myid_state myid_state;
+extern struct id myids[MYID_SPECIFIED+1]; /* %myid */
+extern char *myid_str[MYID_SPECIFIED+1]; /* strings */
+extern void set_myid(enum myid_state s, char *);
+extern void show_myid_status(void);
+#define resolve_myid(id) ((id)->kind == ID_MYID? &myids[myid_state] : (id))
+extern void set_myFQDN(void);
+
+extern err_t atoid(char *src, struct id *id, bool myid_ok);
+extern int keyidtoa(char *dst, size_t dstlen, chunk_t keyid);
+extern void iptoid(const ip_address *ip, struct id *id);
+extern int idtoa(const struct id *id, char *dst, size_t dstlen);
+#define IDTOA_BUF 512
+extern void escape_metachar(const char *src, char *dst, size_t dstlen);
+struct end; /* forward declaration of tag (defined in connections.h) */
+extern void unshare_id_content(struct id *id);
+extern void free_id_content(struct id *id);
+extern bool same_id(const struct id *a, const struct id *b);
+#define MAX_WILDCARDS 15
+extern bool match_id(const struct id *a, const struct id *b, int *wildcards);
+extern int id_count_wildcards(const struct id *id);
+#define id_is_ipaddr(id) ((id)->kind == ID_IPV4_ADDR || (id)->kind == ID_IPV6_ADDR)
+
+struct isakmp_ipsec_id; /* forward declaration of tag (defined in packet.h) */
+extern void
+ build_id_payload(struct isakmp_ipsec_id *hd, chunk_t *tl, struct end *end);
+
+#endif /* _ID_H */
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
new file mode 100644
index 000000000..1c6514b4b
--- /dev/null
+++ b/src/pluto/ike_alg.c
@@ -0,0 +1,592 @@
+/* IKE modular algorithm handling interface
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ike_alg.c,v 1.6 2004/09/17 21:29:50 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h"
+
+#include "state.h"
+#include "packet.h"
+#include "log.h"
+#include "whack.h"
+#include "spdb.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+#include "db_ops.h"
+#include "connections.h"
+#include "kernel.h"
+
+#define return_on(var, val) do { var=val;goto return_out; } while(0);
+
+/*
+ * IKE algorithm list handling - registration and lookup
+ */
+
+/* Modular IKE algorithm storage structure */
+
+static struct ike_alg *ike_alg_base[IKE_ALG_MAX+1] = {NULL, NULL};
+
+/*
+ * return ike_algo object by {type, id}
+ */
+static struct ike_alg *
+ike_alg_find(u_int algo_type, u_int algo_id, u_int keysize __attribute__((unused)))
+{
+ struct ike_alg *e = ike_alg_base[algo_type];
+
+ while (e != NULL && algo_id > e->algo_id)
+ {
+ e = e->algo_next;
+ }
+ return (e != NULL && e->algo_id == algo_id) ? e : NULL;
+}
+
+/*
+ * "raw" ike_alg list adding function
+ */
+int
+ike_alg_add(struct ike_alg* a)
+{
+ if (a->algo_type > IKE_ALG_MAX)
+ {
+ plog("ike_alg: Not added, invalid algorithm type");
+ return -EINVAL;
+ }
+
+ if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
+ {
+ plog("ike_alg: Not added, algorithm already exists");
+ return -EEXIST;
+ }
+
+ {
+ struct ike_alg **ep = &ike_alg_base[a->algo_type];
+ struct ike_alg *e = *ep;
+
+ while (e != NULL && a->algo_id > e->algo_id)
+ {
+ ep = &e->algo_next;
+ e = *ep;
+ }
+ *ep = a;
+ a->algo_next = e;
+ return 0;
+ }
+}
+
+/*
+ * get IKE hash algorithm
+ */
+struct hash_desc *ike_alg_get_hasher(u_int alg)
+{
+ return (struct hash_desc *) ike_alg_find(IKE_ALG_HASH, alg, 0);
+}
+
+/*
+ * get IKE encryption algorithm
+ */
+struct encrypt_desc *ike_alg_get_encrypter(u_int alg)
+{
+ return (struct encrypt_desc *) ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);
+}
+
+/*
+ * check if IKE hash algorithm is present
+ */
+bool
+ike_alg_hash_present(u_int halg)
+{
+ return ike_alg_get_hasher(halg) != NULL;
+}
+
+/*
+ * check if IKE encryption algorithm is present
+ */
+bool
+ike_alg_enc_present(u_int ealg)
+{
+ return ike_alg_get_encrypter(ealg) != NULL;
+}
+
+/*
+ * Validate and register IKE hash algorithm object
+ */
+int
+ike_alg_register_hash(struct hash_desc *hash_desc)
+{
+ const char *alg_name = NULL;
+ int ret = 0;
+
+ if (hash_desc->algo_id > OAKLEY_HASH_MAX)
+ {
+ plog ("ike_alg: hash alg=%d > max=%d"
+ , hash_desc->algo_id, OAKLEY_HASH_MAX);
+ return_on(ret,-EINVAL);
+ }
+
+ if (hash_desc->hash_ctx_size > sizeof (union hash_ctx))
+ {
+ plog ("ike_alg: hash alg=%d has ctx_size=%d > hash_ctx=%d"
+ , hash_desc->algo_id
+ , (int)hash_desc->hash_ctx_size
+ , (int)sizeof (union hash_ctx));
+ return_on(ret,-EOVERFLOW);
+ }
+
+ if (!(hash_desc->hash_init && hash_desc->hash_update && hash_desc->hash_final))
+ {
+ plog ("ike_alg: hash alg=%d needs hash_init(), hash_update() and hash_final()"
+ , hash_desc->algo_id);
+ return_on(ret,-EINVAL);
+ }
+
+ alg_name = enum_name(&oakley_hash_names, hash_desc->algo_id);
+ if (!alg_name)
+ {
+ plog ("ike_alg: hash alg=%d not found in constants.c:oakley_hash_names"
+ , hash_desc->algo_id);
+ alg_name = "<NULL>";
+ }
+
+return_out:
+ if (ret == 0)
+ ret = ike_alg_add((struct ike_alg *)hash_desc);
+
+ plog("ike_alg: Activating %s hash: %s"
+ ,alg_name, ret == 0 ? "Ok" : "FAILED");
+
+ return ret;
+}
+
+/*
+ * Validate and register IKE encryption algorithm object
+ */
+int
+ike_alg_register_enc(struct encrypt_desc *enc_desc)
+{
+ int ret = ike_alg_add((struct ike_alg *)enc_desc);
+
+ const char *alg_name = enum_name(&oakley_enc_names, enc_desc->algo_id);
+
+ char alg_number[20];
+
+ /* algorithm is not listed in oakley_enc_names */
+ if (alg_name == NULL)
+ {
+ snprintf(alg_number, sizeof(alg_number), "OAKLEY_ID_%d"
+ , enc_desc->algo_id);
+ alg_name = alg_number;
+ }
+
+ plog("ike_alg: Activating %s encryption: %s"
+ , alg_name, ret == 0 ? "Ok" : "FAILED");
+
+ return ret;
+}
+
+/*
+ * Get pfsgroup for this connection
+ */
+const struct oakley_group_desc *
+ike_alg_pfsgroup(struct connection *c, lset_t policy)
+{
+ const struct oakley_group_desc * ret = NULL;
+
+ if ((policy & POLICY_PFS)
+ && c->alg_info_esp
+ && c->alg_info_esp->esp_pfsgroup)
+ ret = lookup_group(c->alg_info_esp->esp_pfsgroup);
+ return ret;
+}
+
+/*
+ * Create an OAKLEY proposal based on alg_info and policy
+ */
+struct db_context *
+ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
+{
+ struct db_context *db_ctx = NULL;
+ struct ike_info *ike_info;
+ struct encrypt_desc *enc_desc;
+ u_int ealg, halg, modp, eklen = 0;
+ int i;
+
+ bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;
+
+ if (!ai)
+ {
+ whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
+ "for this connection "
+ "(check ike algorithm string)");
+ goto fail;
+ }
+ policy &= POLICY_ID_AUTH_MASK;
+ db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);
+
+ /* for each group */
+ ALG_INFO_IKE_FOREACH(ai, ike_info, i)
+ {
+ ealg = ike_info->ike_ealg;
+ halg = ike_info->ike_halg;
+ modp = ike_info->ike_modp;
+ eklen= ike_info->ike_eklen;
+
+ if (!ike_alg_enc_present(ealg))
+ {
+ DBG_log("ike_alg: ike enc ealg=%d not present"
+ , ealg);
+ continue;
+ }
+
+ if (!ike_alg_hash_present(halg))
+ {
+ DBG_log("ike_alg: ike hash halg=%d not present"
+ , halg);
+ continue;
+ }
+
+ enc_desc = ike_alg_get_encrypter(ealg);
+ passert(enc_desc != NULL);
+
+ if (eklen
+ && (eklen < enc_desc->keyminlen || eklen > enc_desc->keymaxlen))
+ {
+ DBG_log("ike_alg: ealg=%d (specified) keylen:%d, not valid min=%d, max=%d"
+ , ealg
+ , eklen
+ , enc_desc->keyminlen
+ , enc_desc->keymaxlen
+ );
+ continue;
+ }
+
+ if (policy & POLICY_RSASIG)
+ {
+ db_trans_add(db_ctx, KEY_IKE);
+ db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+ db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+ if (eklen)
+ db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+ db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG);
+ db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+ }
+
+ if (policy & POLICY_PSK)
+ {
+ db_trans_add(db_ctx, KEY_IKE);
+ db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+ db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+ if (eklen)
+ db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+ db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY);
+ db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+ }
+
+ if (policy & POLICY_XAUTH_RSASIG)
+ {
+ db_trans_add(db_ctx, KEY_IKE);
+ db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+ db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+ if (eklen)
+ db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+ db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
+ , is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA);
+ db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+ }
+
+ if (policy & POLICY_XAUTH_PSK)
+ {
+ db_trans_add(db_ctx, KEY_IKE);
+ db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
+ db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
+ if (eklen)
+ db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
+ db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD
+ , is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared);
+ db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
+ }
+ }
+fail:
+ return db_ctx;
+}
+
+/*
+ * Show registered IKE algorithms
+ */
+void
+ike_alg_list(void)
+{
+ u_int i;
+ struct ike_alg *a;
+
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of registered IKE Encryption Algorithms:");
+ whack_log(RC_COMMENT, " ");
+
+ for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
+ {
+ struct encrypt_desc *desc = (struct encrypt_desc*)a;
+
+ whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d-%d"
+ , a->algo_id
+ , enum_name(&oakley_enc_names, a->algo_id)
+ , (int)desc->enc_blocksize*BITS_PER_BYTE
+ , desc->keyminlen
+ , desc->keydeflen
+ , desc->keymaxlen
+ );
+ }
+
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of registered IKE Hash Algorithms:");
+ whack_log(RC_COMMENT, " ");
+
+ for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
+ {
+ whack_log(RC_COMMENT, "#%-5d %s, hashsize: %d"
+ , a->algo_id
+ , enum_name(&oakley_hash_names, a->algo_id)
+ , (int)((struct hash_desc *)a)->hash_digest_size*BITS_PER_BYTE
+ );
+ }
+
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of registered IKE DH Groups:");
+ whack_log(RC_COMMENT, " ");
+
+ for (i = 0; i < elemsof(oakley_group); i++)
+ {
+ const struct oakley_group_desc *gdesc=oakley_group + i;
+
+ whack_log(RC_COMMENT, "#%-5d %s, groupsize: %d"
+ , gdesc->group
+ , enum_name(&oakley_group_names, gdesc->group)
+ , (int)gdesc->bytes*BITS_PER_BYTE
+ );
+ }
+}
+
+/* Show IKE algorithms for
+ * - this connection (result from ike= string)
+ * - newest SA
+ */
+void
+ike_alg_show_connection(struct connection *c, const char *instance)
+{
+ char buf[256];
+ struct state *st;
+
+ if (c->alg_info_ike)
+ {
+ alg_info_snprint(buf, sizeof(buf)-1, (struct alg_info *)c->alg_info_ike);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: IKE algorithms wanted: %s"
+ , c->name
+ , instance
+ , buf
+ );
+
+ alg_info_snprint_ike(buf, sizeof(buf)-1, c->alg_info_ike);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: IKE algorithms found: %s"
+ , c->name
+ , instance
+ , buf
+ );
+ }
+
+ st = state_with_serialno(c->newest_isakmp_sa);
+ if (st)
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: IKE algorithm newest: %s_%d-%s-%s"
+ , c->name
+ , instance
+ , enum_show(&oakley_enc_names, st->st_oakley.encrypt)
+ +7 /* strlen("OAKLEY_") */
+ /* , st->st_oakley.encrypter->keydeflen */
+ , st->st_oakley.enckeylen
+ , enum_show(&oakley_hash_names, st->st_oakley.hash)
+ +7 /* strlen("OAKLEY_") */
+ , enum_show(&oakley_group_names, st->st_oakley.group->group)
+ +13 /* strlen("OAKLEY_GROUP_") */
+ );
+}
+
+/*
+ * Apply a suite of testvectors to a hash algorithm
+ */
+static bool
+ike_hash_test(const struct hash_desc *desc)
+{
+ bool hash_results = TRUE;
+ bool hmac_results = TRUE;
+
+ if (desc->hash_testvectors == NULL)
+ {
+ plog(" %s hash self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
+ }
+ else
+ {
+ int i;
+
+ for (i = 0; desc->hash_testvectors[i].msg_digest != NULL; i++)
+ {
+ u_char digest[MAX_DIGEST_LEN];
+ bool result;
+
+ union hash_ctx ctx;
+
+ desc->hash_init(&ctx);
+ desc->hash_update(&ctx, desc->hash_testvectors[i].msg
+ ,desc->hash_testvectors[i].msg_size);
+ desc->hash_final(digest, &ctx);
+ result = memcmp(digest, desc->hash_testvectors[i].msg_digest
+ , desc->hash_digest_size) == 0;
+ DBG(DBG_CRYPT,
+ DBG_log(" hash testvector %d: %s", i, result ? "ok":"failed")
+ )
+ hash_results &= result;
+ }
+ plog(" %s hash self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
+ , hash_results ? "passed":"failed");
+ }
+
+ if (desc->hmac_testvectors == NULL)
+ {
+ plog(" %s hmac self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
+ }
+ else
+ {
+ int i;
+
+ for (i = 0; desc->hmac_testvectors[i].hmac != NULL; i++)
+ {
+ u_char digest[MAX_DIGEST_LEN];
+ bool result;
+
+ struct hmac_ctx ctx;
+
+ hmac_init(&ctx, desc, desc->hmac_testvectors[i].key
+ , desc->hmac_testvectors[i].key_size);
+ hmac_update(&ctx, desc->hmac_testvectors[i].msg
+ ,desc->hmac_testvectors[i].msg_size);
+ hmac_final(digest, &ctx);
+ result = memcmp(digest, desc->hmac_testvectors[i].hmac
+ , desc->hash_digest_size) == 0;
+ DBG(DBG_CRYPT,
+ DBG_log(" hmac testvector %d: %s", i, result ? "ok":"failed")
+ )
+ hmac_results &= result;
+ }
+ plog(" %s hmac self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
+ , hmac_results ? "passed":"failed");
+ }
+ return hash_results && hmac_results;
+}
+
+/*
+ * Apply test vectors to registered encryption and hash algorithms
+ */
+bool
+ike_alg_test(void)
+{
+ bool all_results = TRUE;
+ struct ike_alg *a;
+
+ plog("Testing registered IKE encryption algorithms:");
+
+ for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
+ {
+
+ struct encrypt_desc *desc = (struct encrypt_desc*)a;
+
+ plog(" %s self-test not available", enum_name(&oakley_enc_names, a->algo_id));
+ }
+
+ plog("Testing registered IKE hash algorithms:");
+
+ for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
+ {
+ struct hash_desc *desc = (struct hash_desc*)a;
+
+ all_results &= ike_hash_test(desc);
+ }
+
+ if (all_results)
+ plog("All crypto self-tests passed");
+ else
+ plog("Some crypto self-tests failed");
+ return all_results;
+}
+
+/*
+ * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms
+ */
+bool
+ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group
+, struct alg_info_ike *alg_info_ike)
+{
+ /*
+ * simple test to discard low key_len, will accept it only
+ * if specified in "esp" string
+ */
+ bool ealg_insecure = (key_len < 128);
+
+ if (ealg_insecure
+ || (alg_info_ike && alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT))
+ {
+ int i;
+ struct ike_info *ike_info;
+
+ if (alg_info_ike)
+ {
+ ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
+ {
+ if (ike_info->ike_ealg == ealg
+ && (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
+ && ike_info->ike_halg == aalg
+ && ike_info->ike_modp == group)
+ {
+ if (ealg_insecure)
+ loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
+ , enum_name(&oakley_enc_names, ealg));
+ return TRUE;
+ }
+ }
+ }
+ plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
+ , enum_name(&oakley_enc_names, ealg), key_len
+ , enum_name(&oakley_hash_names, aalg)
+ , enum_name(&oakley_group_names, group)
+ , ealg_insecure ?
+ "insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
+ );
+ return FALSE;
+ }
+ return TRUE;
+}
+
diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h
new file mode 100644
index 000000000..19e2e591c
--- /dev/null
+++ b/src/pluto/ike_alg.h
@@ -0,0 +1,94 @@
+/* IKE modular algorithm handling interface
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ike_alg.h,v 1.3 2004/09/16 23:22:22 as Exp $
+ */
+
+#ifndef _IKE_ALG_H
+#define _IKE_ALG_H
+
+#include "connections.h"
+
+struct ike_alg {
+ u_int16_t algo_type;
+ u_int16_t algo_id;
+ struct ike_alg *algo_next;
+};
+
+struct encrypt_desc {
+ u_int16_t algo_type;
+ u_int16_t algo_id;
+ struct ike_alg *algo_next;
+
+ size_t enc_ctxsize;
+ size_t enc_blocksize;
+ u_int keydeflen;
+ u_int keymaxlen;
+ u_int keyminlen;
+ void (*do_crypt)(u_int8_t *dat, size_t datasize, u_int8_t *key, size_t key_size, u_int8_t *iv, bool enc);
+};
+
+typedef struct hash_testvector hash_testvector_t;
+
+struct hash_testvector {
+ const size_t msg_size;
+ const u_char *msg;
+ const u_char *msg_digest;
+};
+
+typedef struct hmac_testvector hmac_testvector_t;
+
+struct hmac_testvector {
+ const size_t key_size;
+ const u_char *key;
+ const size_t msg_size;
+ const u_char *msg;
+ const u_char *hmac;
+};
+struct hash_desc {
+ u_int16_t algo_type;
+ u_int16_t algo_id;
+ struct ike_alg *algo_next;
+
+ size_t hash_ctx_size;
+ size_t hash_block_size;
+ size_t hash_digest_size;
+ const hash_testvector_t *hash_testvectors;
+ const hmac_testvector_t *hmac_testvectors;
+ void (*hash_init)(void *ctx);
+ void (*hash_update)(void *ctx, const u_int8_t *in, size_t datasize);
+ void (*hash_final)(u_int8_t *out, void *ctx);
+};
+
+#define IKE_ALG_ENCRYPT 0
+#define IKE_ALG_HASH 1
+#define IKE_ALG_MAX IKE_ALG_HASH
+
+extern int ike_alg_add(struct ike_alg *a);
+extern struct hash_desc *ike_alg_get_hasher(u_int alg);
+extern struct encrypt_desc *ike_alg_get_encrypter(u_int alg);
+extern bool ike_alg_enc_present(u_int ealg);
+extern bool ike_alg_hash_present(u_int halg);
+extern int ike_alg_register_hash(struct hash_desc *a);
+extern int ike_alg_register_enc(struct encrypt_desc *e);
+extern const struct oakley_group_desc* ike_alg_pfsgroup(struct connection *c
+ , lset_t policy);
+extern struct db_context * ike_alg_db_new(struct alg_info_ike *ai, lset_t policy);
+extern void ike_alg_list(void);
+extern void ike_alg_show_connection(struct connection *c, const char *instance);
+extern bool ike_alg_test(void);
+extern bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group
+ , struct alg_info_ike *alg_info_ike);
+extern int ike_alg_init(void);
+
+#endif /* _IKE_ALG_H */
diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5
new file mode 100644
index 000000000..3cce4d3f8
--- /dev/null
+++ b/src/pluto/ipsec.secrets.5
@@ -0,0 +1,175 @@
+.TH IPSEC.SECRETS 5 "28 March 1999"
+.SH NAME
+ipsec.secrets \- secrets for IKE/IPsec authentication
+.SH DESCRIPTION
+The file \fIipsec.secrets\fP holds a table of secrets.
+These secrets are used by \fIipsec_pluto\fP(8), the FreeS/WAN Internet Key
+Exchange daemon, to authenticate other hosts.
+Currently there are two kinds of secrets: preshared secrets and
+.\" the private part of DSS keys.
+RSA private keys.
+.LP
+It is vital that these secrets be protected. The file should be owned
+by the super-user,
+and its permissions should be set to block all access by others.
+.LP
+The file is a sequence of entries and include directives.
+Here is an example. Each entry or directive must start at the
+left margin, but if it continues beyond a single line, each continuation
+line must be indented.
+.LP
+.RS
+.nf
+# sample /etc/ipsec.secrets file for 10.1.0.1
+10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"
+
+# an entry may be split across lines,
+# but indentation matters
+www.xs4all.nl @www.kremvax.ru
+\ \ \ \ 10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5"
+
+.\" # Private part of our DSS key, in base 64,
+.\" # as generated by BIND 8.2.1's dnskeygen.
+.\" # Since this is the default key for this host,
+.\" # there is no need to specify indices.
+.\" : DSS 0siMs0N/hfRoCBMXA6plPtuv58/+c=
+# an RSA private key.
+# note that the lines are too wide for a
+# man page, so ... has been substituted for
+# the truncated part
+@my.com: rsa {
+\ \ \ \ Modulus:\ 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
+\ \ \ \ PublicExponent:\ 0sAw==
+\ \ \ \ PrivateExponent:\ 0shlGbVR1m8Z+7rhzSyenCaBN...
+\ \ \ \ Prime1:\ 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
+\ \ \ \ Prime2:\ 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
+\ \ \ \ Exponent1:\ 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
+\ \ \ \ Exponent2:\ 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
+\ \ \ \ Coefficient:\ 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
+\ \ \ \ }
+
+include ipsec.*.secrets # get secrets from other files
+.fi
+.RE
+.LP
+Each entry in the file is a list of indices, followed by a secret.
+The two parts are separated by a colon (\fB:\fP) that is
+followed by whitespace or a newline. For compatability
+with the previous form of this file, if the key part is just a
+double-quoted string the colon may be left out.
+.LP
+An index is an IP address, or a Fully Qualified Domain Name, user@FQDN,
+\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
+in the familiar dotted quad form or as a domain name to be looked up
+when the file is loaded
+(or in any of the forms supported by the FreeS/WAN \fIipsec_ttoaddr\fP(3)
+routine). In many cases it is a bad idea to use domain names because
+the name server may not be running or may be insecure. To denote a
+Fully Qualified Domain Name (as opposed to an IP address denoted by
+its domain name), precede the name with an at sign (\fB@\fP).
+.LP
+Matching IDs with indices is fairly straightforward: they have to be
+equal. In the case of a ``Road Warrior'' connection, if an equal
+match is not found for the Peer's ID, and it is in the form of an IP
+address, an index of \fB%any\fP will match the peer's IP address if IPV4
+and \fB%any6\fP will match a the peer's IP address if IPV6.
+Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
+\fB%any\fP.
+.LP
+An additional complexity
+arises in the case of authentication by preshared secret: the
+responder will need to look up the secret before the Peer's ID payload has
+been decoded, so the ID used will be the IP address.
+.LP
+To authenticate a connection between two hosts, the entry that most
+specifically matches the host and peer IDs is used. An entry with no
+index will match any host and peer. More specifically, an entry with one index will
+match a host and peer if the index matches the host's ID (the peer isn't
+considered). Still more specifically, an entry with multiple indices will match a host and
+peer if the host ID and peer ID each match one of the indices. If the key
+is for an asymmetric authentication technique (i.e. a public key
+system such as RSA), an entry with multiple indices will match a host
+and peer even if only the host ID matches an index (it is presumed that the
+multiple indices are all identities of the host).
+It is acceptable for two entries to be the best match as
+long as they agree about the secret or private key.
+.LP
+Authentication by preshared secret requires that both systems find the
+identical secret (the secret is not actually transmitted by the IKE
+protocol). If both the host and peer appear in the index list, the
+same entry will be suitable for both systems so verbatim copying
+between systems can be used. This naturally extends to larger groups
+sharing the same secret. Thus multiple-index entries are best for PSK
+authentication.
+.LP
+Authentication by RSA Signatures requires that each host have its own private
+key. A host could reasonably use a different private keys
+for different interfaces and for different peers. But it would not
+be normal to share entries between systems. Thus thus no-index and
+one-index forms of entry often make sense for RSA Signature authentication.
+.LP
+The key part of an entry may start with a token indicating the kind of
+key. ``RSA'' signifies RSA private key and ``PSK'' signifies
+PreShared Key (case is ignored). For compatability with previous
+forms of this file, PSK is the default.
+.LP
+A preshared secret is most conveniently represented as a sequence of
+characters, delimited by the double-quote
+character (\fB"\fP). The sequence cannot contain a newline or
+double-quote. Strictly speaking, the secret is actually the sequence
+of bytes that is used in the file to represent the sequence of
+characters (excluding the delimiters).
+A preshared secret may also be represented, without quotes, in any form supported by
+\fIipsec_ttodata\fP(3).
+.LP
+An RSA private key is a composite of eight generally large numbers. The notation
+used is a brace-enclosed list of field name and value pairs (see the example above).
+A suitable key, in a suitable format, may be generated by \fIipsec_rsasigkey\fP(8).
+The structure is very similar to that used by BIND 8.2.2 or later, but note that
+the numbers must have a ``0s'' prefix if they are in base 64. The order of
+the fields is fixed.
+.LP
+The first token an entry must start in
+the first column of its line. Subsequent tokens must be
+separated by whitespace,
+except for a colon token, which only needs to be followed by whitespace.
+A newline is taken as whitespace, but every
+line of an entry after the first must be indented.
+.LP
+Whitespace at the end of a line is ignored (except in the 0t
+notation for a key). At the start of line or
+after whitespace, \fB#\fP and the following text up to the end of the
+line is treated as a comment. Within entries, all lines must be
+indented (except for lines with no tokens).
+Outside entries, no line may be indented (this is to make sure that
+the file layout reflects its structure).
+.LP
+An include directive causes the contents of the named file to be processed
+before continuing with the current file. The filename is subject to
+``globbing'' as in \fIsh\fP(1), so every file with a matching name
+is processed. Includes may be nested to a modest
+depth (10, currently). If the filename doesn't start with a \fB/\fP, the
+directory containing the current file is prepended to the name. The
+include directive is a line that starts with the word \fBinclude\fP,
+followed by whitespace, followed by the filename (which must not contain
+whitespace).
+.SH FILES
+/etc/ipsec.secrets
+.SH SEE ALSO
+The rest of the FreeS/WAN distribution, in particular
+\fIipsec.conf\fP(5),
+\fIipsec\fP(8),
+\fIipsec_newhostkey\fP(8),
+\fIipsec_rsasigkey\fP(8),
+\fIipsec_showhostkey\fP(8),
+\fIipsec_auto\fP(8) \fB\-\-rereadsecrets\fP,
+and \fIipsec_pluto\fP(8) \fB\-\-listen\fP,.
+.br
+BIND 8.2.2 or later, ftp://ftp.isc.org/isc/bind/src/
+.SH HISTORY
+Designed for the FreeS/WAN project
+<http://www.freeswan.org>
+by D. Hugh Redelmeier.
+.SH BUGS
+If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
+if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
new file mode 100644
index 000000000..1c22b299b
--- /dev/null
+++ b/src/pluto/ipsec_doi.c
@@ -0,0 +1,5630 @@
+/* IPsec DOI and Oakley resolution routines
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_doi.c,v 1.39 2006/04/22 21:59:20 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+#include <sys/time.h> /* for gettimeofday */
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "state.h"
+#include "id.h"
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "certs.h"
+#include "smartcard.h"
+#include "connections.h"
+#include "keys.h"
+#include "packet.h"
+#include "demux.h" /* needs packet.h */
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "kernel.h"
+#include "log.h"
+#include "cookie.h"
+#include "server.h"
+#include "spdb.h"
+#include "timer.h"
+#include "rnd.h"
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "whack.h"
+#include "fetch.h"
+#include "pkcs7.h"
+#include "asn1.h"
+
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+#include "vendor.h"
+#include "alg_info.h"
+#include "ike_alg.h"
+#include "kernel_alg.h"
+#include "nat_traversal.h"
+#include "virtual.h"
+
+/*
+ * are we sending Pluto's Vendor ID?
+ */
+#ifdef VENDORID
+#define SEND_PLUTO_VID 1
+#else /* !VENDORID */
+#define SEND_PLUTO_VID 0
+#endif /* !VENDORID */
+
+/*
+ * are we sending a Cisco Unity VID?
+ */
+#ifdef CISCO_QUIRKS
+#define SEND_CISCO_UNITY_VID 1
+#else /* !CISCO_QUIRKS */
+#define SEND_CISCO_UNITY_VID 0
+#endif /* !CISCO_QUIRKS */
+
+/* MAGIC: perform f, a function that returns notification_t
+ * and return from the ENCLOSING stf_status returning function if it fails.
+ */
+#define RETURN_STF_FAILURE(f) \
+ { int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
+
+/* create output HDR as replica of input HDR */
+void
+echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
+{
+ struct isakmp_hdr r_hdr = md->hdr; /* mostly same as incoming header */
+
+ r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT; /* we won't ever turn on this bit */
+ if (enc)
+ r_hdr.isa_flags |= ISAKMP_FLAG_ENCRYPTION;
+ /* some day, we may have to set r_hdr.isa_version */
+ r_hdr.isa_np = np;
+ if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
+ impossible(); /* surely must have room and be well-formed */
+}
+
+/* Compute DH shared secret from our local secret and the peer's public value.
+ * We make the leap that the length should be that of the group
+ * (see quoted passage at start of ACCEPT_KE).
+ */
+static void
+compute_dh_shared(struct state *st, const chunk_t g
+, const struct oakley_group_desc *group)
+{
+ MP_INT mp_g, mp_shared;
+ struct timeval tv0, tv1;
+ unsigned long tv_diff;
+
+ gettimeofday(&tv0, NULL);
+ passert(st->st_sec_in_use);
+ n_to_mpz(&mp_g, g.ptr, g.len);
+ mpz_init(&mp_shared);
+ mpz_powm(&mp_shared, &mp_g, &st->st_sec, group->modulus);
+ mpz_clear(&mp_g);
+ freeanychunk(st->st_shared); /* happens in odd error cases */
+ st->st_shared = mpz_to_n(&mp_shared, group->bytes);
+ mpz_clear(&mp_shared);
+ gettimeofday(&tv1, NULL);
+ tv_diff=(tv1.tv_sec - tv0.tv_sec) * 1000000 + (tv1.tv_usec - tv0.tv_usec);
+ DBG(DBG_CRYPT,
+ DBG_log("compute_dh_shared(): time elapsed (%s): %ld usec"
+ , enum_show(&oakley_group_names, st->st_oakley.group->group)
+ , tv_diff);
+ );
+ /* if took more than 200 msec ... */
+ if (tv_diff > 200000) {
+ loglog(RC_LOG_SERIOUS, "WARNING: compute_dh_shared(): for %s took "
+ "%ld usec"
+ , enum_show(&oakley_group_names, st->st_oakley.group->group)
+ , tv_diff);
+ }
+
+ DBG_cond_dump_chunk(DBG_CRYPT, "DH shared secret:\n", st->st_shared);
+}
+
+/* if we haven't already done so, compute a local DH secret (st->st_sec) and
+ * the corresponding public value (g). This is emitted as a KE payload.
+ */
+static bool
+build_and_ship_KE(struct state *st, chunk_t *g
+, const struct oakley_group_desc *group, pb_stream *outs, u_int8_t np)
+{
+ if (!st->st_sec_in_use)
+ {
+ u_char tmp[LOCALSECRETSIZE];
+ MP_INT mp_g;
+
+ get_rnd_bytes(tmp, LOCALSECRETSIZE);
+ st->st_sec_in_use = TRUE;
+ n_to_mpz(&st->st_sec, tmp, LOCALSECRETSIZE);
+
+ mpz_init(&mp_g);
+ mpz_powm(&mp_g, &groupgenerator, &st->st_sec, group->modulus);
+ freeanychunk(*g); /* happens in odd error cases */
+ *g = mpz_to_n(&mp_g, group->bytes);
+ mpz_clear(&mp_g);
+ DBG(DBG_CRYPT,
+ DBG_dump("Local DH secret:\n", tmp, LOCALSECRETSIZE);
+ DBG_dump_chunk("Public DH value sent:\n", *g));
+ }
+ return out_generic_chunk(np, &isakmp_keyex_desc, outs, *g, "keyex value");
+}
+
+/* accept_ke
+ *
+ * Check and accept DH public value (Gi or Gr) from peer's message.
+ * According to RFC2409 "The Internet key exchange (IKE)" 5:
+ * The Diffie-Hellman public value passed in a KE payload, in either
+ * a phase 1 or phase 2 exchange, MUST be the length of the negotiated
+ * Diffie-Hellman group enforced, if necessary, by pre-pending the
+ * value with zeros.
+ */
+static notification_t
+accept_KE(chunk_t *dest, const char *val_name
+, const struct oakley_group_desc *gr
+, pb_stream *pbs)
+{
+ if (pbs_left(pbs) != gr->bytes)
+ {
+ loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
+ , (unsigned) pbs_left(pbs), (unsigned) gr->bytes);
+ /* XXX Could send notification back */
+ return INVALID_KEY_INFORMATION;
+ }
+ clonereplacechunk(*dest, pbs->cur, pbs_left(pbs), val_name);
+ DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
+ return NOTHING_WRONG;
+}
+
+/* accept_PFS_KE
+ *
+ * Check and accept optional Quick Mode KE payload for PFS.
+ * Extends ACCEPT_PFS to check whether KE is allowed or required.
+ */
+static notification_t
+accept_PFS_KE(struct msg_digest *md, chunk_t *dest
+, const char *val_name, const char *msg_name)
+{
+ struct state *st = md->st;
+ struct payload_digest *const ke_pd = md->chain[ISAKMP_NEXT_KE];
+
+ if (ke_pd == NULL)
+ {
+ if (st->st_pfs_group != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
+ return INVALID_KEY_INFORMATION;
+ }
+ }
+ else
+ {
+ if (st->st_pfs_group == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
+ , msg_name);
+ return INVALID_KEY_INFORMATION;
+ }
+ if (ke_pd->next != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
+ return INVALID_KEY_INFORMATION; /* ??? */
+ }
+ return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
+ }
+ return NOTHING_WRONG;
+}
+
+static bool
+build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np
+, const char *name)
+{
+ freeanychunk(*n);
+ setchunk(*n, alloc_bytes(DEFAULT_NONCE_SIZE, name), DEFAULT_NONCE_SIZE);
+ get_rnd_bytes(n->ptr, DEFAULT_NONCE_SIZE);
+ return out_generic_chunk(np, &isakmp_nonce_desc, outs, *n, name);
+}
+
+static bool
+collect_rw_ca_candidates(struct msg_digest *md, generalName_t **top)
+{
+ struct connection *d = find_host_connection(&md->iface->addr
+ , pluto_port, (ip_address*)NULL, md->sender_port, LEMPTY);
+
+ for (; d != NULL; d = d->hp_next)
+ {
+ /* must be a road warrior connection */
+ if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO)
+ && d->spd.that.ca.ptr != NULL)
+ {
+ generalName_t *gn;
+ bool new_entry = TRUE;
+
+ for (gn = *top; gn != NULL; gn = gn->next)
+ {
+ if (same_dn(gn->name, d->spd.that.ca))
+ {
+ new_entry = FALSE;
+ break;
+ }
+ }
+ if (new_entry)
+ {
+ gn = alloc_thing(generalName_t, "generalName");
+ gn->kind = GN_DIRECTORY_NAME;
+ gn->name = d->spd.that.ca;
+ gn->next = *top;
+ *top = gn;
+ }
+ }
+ }
+ return *top != NULL;
+}
+
+static bool
+build_and_ship_CR(u_int8_t type, chunk_t ca, pb_stream *outs, u_int8_t np)
+{
+ pb_stream cr_pbs;
+ struct isakmp_cr cr_hd;
+ cr_hd.isacr_np = np;
+ cr_hd.isacr_type = type;
+
+ /* build CR header */
+ if (!out_struct(&cr_hd, &isakmp_ipsec_cert_req_desc, outs, &cr_pbs))
+ return FALSE;
+
+ if (ca.ptr != NULL)
+ {
+ /* build CR body containing the distinguished name of the CA */
+ if (!out_chunk(ca, &cr_pbs, "CA"))
+ return FALSE;
+ }
+ close_output_pbs(&cr_pbs);
+ return TRUE;
+}
+
+/* Send a notification to the peer. We could decide
+ * whether to send the notification, based on the type and the
+ * destination, if we care to.
+ */
+static void
+send_notification(struct state *sndst, u_int16_t type, struct state *encst,
+ msgid_t msgid, u_char *icookie, u_char *rcookie,
+ u_char *spi, size_t spisize, u_char protoid)
+{
+ u_char buffer[1024];
+ pb_stream pbs, r_hdr_pbs;
+ u_char *r_hashval = NULL; /* where in reply to jam hash value */
+ u_char *r_hash_start = NULL; /* start of what is to be hashed */
+
+ passert((sndst) && (sndst->st_connection));
+
+ plog("sending %snotification %s to %s:%u"
+ , encst ? "encrypted " : ""
+ , enum_name(&notification_names, type)
+ , ip_str(&sndst->st_connection->spd.that.host_addr)
+ , (unsigned)sndst->st_connection->spd.that.host_port);
+
+ memset(buffer, 0, sizeof(buffer));
+ init_pbs(&pbs, buffer, sizeof(buffer), "ISAKMP notify");
+
+ /* HDR* */
+ {
+ struct isakmp_hdr hdr;
+
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = encst ? ISAKMP_NEXT_HASH : ISAKMP_NEXT_N;
+ hdr.isa_xchg = ISAKMP_XCHG_INFO;
+ hdr.isa_msgid = msgid;
+ hdr.isa_flags = encst ? ISAKMP_FLAG_ENCRYPTION : 0;
+ if (icookie)
+ memcpy(hdr.isa_icookie, icookie, COOKIE_SIZE);
+ if (rcookie)
+ memcpy(hdr.isa_rcookie, rcookie, COOKIE_SIZE);
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &pbs, &r_hdr_pbs))
+ impossible();
+ }
+
+ /* HASH -- value to be filled later */
+ if (encst)
+ {
+ pb_stream hash_pbs;
+ if (!out_generic(ISAKMP_NEXT_N, &isakmp_hash_desc, &r_hdr_pbs,
+ &hash_pbs))
+ impossible();
+ r_hashval = hash_pbs.cur; /* remember where to plant value */
+ if (!out_zero(
+ encst->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH"))
+ impossible();
+ close_output_pbs(&hash_pbs);
+ r_hash_start = r_hdr_pbs.cur; /* hash from after HASH */
+ }
+
+ /* Notification Payload */
+ {
+ pb_stream not_pbs;
+ struct isakmp_notification isan;
+
+ isan.isan_doi = ISAKMP_DOI_IPSEC;
+ isan.isan_np = ISAKMP_NEXT_NONE;
+ isan.isan_type = type;
+ isan.isan_spisize = spisize;
+ isan.isan_protoid = protoid;
+
+ if (!out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, &not_pbs)
+ || !out_raw(spi, spisize, &not_pbs, "spi"))
+ impossible();
+ close_output_pbs(&not_pbs);
+ }
+
+ /* calculate hash value and patch into Hash Payload */
+ if (encst)
+ {
+ struct hmac_ctx ctx;
+ hmac_init_chunk(&ctx, encst->st_oakley.hasher, encst->st_skeyid_a);
+ hmac_update(&ctx, (u_char *) &msgid, sizeof(msgid_t));
+ hmac_update(&ctx, r_hash_start, r_hdr_pbs.cur-r_hash_start);
+ hmac_final(r_hashval, &ctx);
+
+ DBG(DBG_CRYPT,
+ DBG_log("HASH computed:");
+ DBG_dump("", r_hashval, ctx.hmac_digest_size);
+ )
+ }
+
+ /* Encrypt message (preserve st_iv and st_new_iv) */
+ if (encst)
+ {
+ u_char old_iv[MAX_DIGEST_LEN];
+ u_char new_iv[MAX_DIGEST_LEN];
+
+ u_int old_iv_len = encst->st_iv_len;
+ u_int new_iv_len = encst->st_new_iv_len;
+
+ if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
+ impossible();
+
+ memcpy(old_iv, encst->st_iv, old_iv_len);
+ memcpy(new_iv, encst->st_new_iv, new_iv_len);
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
+ {
+ memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
+ encst->st_ph1_iv_len = encst->st_new_iv_len;
+ }
+ init_phase2_iv(encst, &msgid);
+ if (!encrypt_message(&r_hdr_pbs, encst))
+ impossible();
+
+ /* restore preserved st_iv and st_new_iv */
+ memcpy(encst->st_iv, old_iv, old_iv_len);
+ memcpy(encst->st_new_iv, new_iv, new_iv_len);
+ encst->st_iv_len = old_iv_len;
+ encst->st_new_iv_len = new_iv_len;
+ }
+ else
+ {
+ close_output_pbs(&r_hdr_pbs);
+ }
+
+ /* Send packet (preserve st_tpacket) */
+ {
+ chunk_t saved_tpacket = sndst->st_tpacket;
+
+ setchunk(sndst->st_tpacket, pbs.start, pbs_offset(&pbs));
+ send_packet(sndst, "ISAKMP notify");
+ sndst->st_tpacket = saved_tpacket;
+ }
+}
+
+void
+send_notification_from_state(struct state *st, enum state_kind state,
+ u_int16_t type)
+{
+ struct state *p1st;
+
+ passert(st);
+
+ if (state == STATE_UNDEFINED)
+ state = st->st_state;
+
+ if (IS_QUICK(state))
+ {
+ p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+ if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
+ {
+ loglog(RC_LOG_SERIOUS,
+ "no Phase1 state for Quick mode notification");
+ return;
+ }
+ send_notification(st, type, p1st, generate_msgid(p1st),
+ st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+ }
+ else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
+ {
+ send_notification(st, type, st, generate_msgid(st),
+ st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+ }
+ else
+ {
+ /* no ISAKMP SA established - don't encrypt notification */
+ send_notification(st, type, NULL, 0,
+ st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
+ }
+}
+
+void
+send_notification_from_md(struct msg_digest *md, u_int16_t type)
+{
+ /**
+ * Create a dummy state to be able to use send_packet in
+ * send_notification
+ *
+ * we need to set:
+ * st_connection->that.host_addr
+ * st_connection->that.host_port
+ * st_connection->interface
+ */
+ struct state st;
+ struct connection cnx;
+
+ passert(md);
+
+ memset(&st, 0, sizeof(st));
+ memset(&cnx, 0, sizeof(cnx));
+ st.st_connection = &cnx;
+ cnx.spd.that.host_addr = md->sender;
+ cnx.spd.that.host_port = md->sender_port;
+ cnx.interface = md->iface;
+
+ send_notification(&st, type, NULL, 0,
+ md->hdr.isa_icookie, md->hdr.isa_rcookie, NULL, 0, PROTO_ISAKMP);
+}
+
+/* Send a Delete Notification to announce deletion of ISAKMP SA or
+ * inbound IPSEC SAs. Does nothing if no such SAs are being deleted.
+ * Delete Notifications cannot announce deletion of outbound IPSEC/ISAKMP SAs.
+ */
+void
+send_delete(struct state *st)
+{
+ pb_stream reply_pbs;
+ pb_stream r_hdr_pbs;
+ msgid_t msgid;
+ u_char buffer[8192];
+ struct state *p1st;
+ ip_said said[EM_MAXRELSPIS];
+ ip_said *ns = said;
+ u_char
+ *r_hashval, /* where in reply to jam hash value */
+ *r_hash_start; /* start of what is to be hashed */
+ bool isakmp_sa = FALSE;
+
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+ if (p1st == NULL)
+ {
+ DBG(DBG_CONTROL, DBG_log("no Phase 1 state for Delete"));
+ return;
+ }
+
+ if (st->st_ah.present)
+ {
+ ns->spi = st->st_ah.our_spi;
+ ns->dst = st->st_connection->spd.this.host_addr;
+ ns->proto = PROTO_IPSEC_AH;
+ ns++;
+ }
+ if (st->st_esp.present)
+ {
+ ns->spi = st->st_esp.our_spi;
+ ns->dst = st->st_connection->spd.this.host_addr;
+ ns->proto = PROTO_IPSEC_ESP;
+ ns++;
+ }
+
+ passert(ns != said); /* there must be some SAs to delete */
+ }
+ else if (IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ p1st = st;
+ isakmp_sa = TRUE;
+ }
+ else
+ {
+ return; /* nothing to do */
+ }
+
+ msgid = generate_msgid(p1st);
+
+ zero(buffer);
+ init_pbs(&reply_pbs, buffer, sizeof(buffer), "delete msg");
+
+ /* HDR* */
+ {
+ struct isakmp_hdr hdr;
+
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = ISAKMP_NEXT_HASH;
+ hdr.isa_xchg = ISAKMP_XCHG_INFO;
+ hdr.isa_msgid = msgid;
+ hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+ memcpy(hdr.isa_icookie, p1st->st_icookie, COOKIE_SIZE);
+ memcpy(hdr.isa_rcookie, p1st->st_rcookie, COOKIE_SIZE);
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &reply_pbs, &r_hdr_pbs))
+ impossible();
+ }
+
+ /* HASH -- value to be filled later */
+ {
+ pb_stream hash_pbs;
+
+ if (!out_generic(ISAKMP_NEXT_D, &isakmp_hash_desc, &r_hdr_pbs, &hash_pbs))
+ impossible();
+ r_hashval = hash_pbs.cur; /* remember where to plant value */
+ if (!out_zero(p1st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH(1)"))
+ impossible();
+ close_output_pbs(&hash_pbs);
+ r_hash_start = r_hdr_pbs.cur; /* hash from after HASH(1) */
+ }
+
+ /* Delete Payloads */
+ if (isakmp_sa)
+ {
+ pb_stream del_pbs;
+ struct isakmp_delete isad;
+ u_char isakmp_spi[2*COOKIE_SIZE];
+
+ isad.isad_doi = ISAKMP_DOI_IPSEC;
+ isad.isad_np = ISAKMP_NEXT_NONE;
+ isad.isad_spisize = (2 * COOKIE_SIZE);
+ isad.isad_protoid = PROTO_ISAKMP;
+ isad.isad_nospi = 1;
+
+ memcpy(isakmp_spi, st->st_icookie, COOKIE_SIZE);
+ memcpy(isakmp_spi+COOKIE_SIZE, st->st_rcookie, COOKIE_SIZE);
+
+ if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
+ || !out_raw(&isakmp_spi, (2*COOKIE_SIZE), &del_pbs, "delete payload"))
+ impossible();
+ close_output_pbs(&del_pbs);
+ }
+ else
+ {
+ while (ns != said)
+ {
+
+ pb_stream del_pbs;
+ struct isakmp_delete isad;
+
+ ns--;
+ isad.isad_doi = ISAKMP_DOI_IPSEC;
+ isad.isad_np = ns == said? ISAKMP_NEXT_NONE : ISAKMP_NEXT_D;
+ isad.isad_spisize = sizeof(ipsec_spi_t);
+ isad.isad_protoid = ns->proto;
+
+ isad.isad_nospi = 1;
+ if (!out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, &del_pbs)
+ || !out_raw(&ns->spi, sizeof(ipsec_spi_t), &del_pbs, "delete payload"))
+ impossible();
+ close_output_pbs(&del_pbs);
+ }
+ }
+
+ /* calculate hash value and patch into Hash Payload */
+ {
+ struct hmac_ctx ctx;
+ hmac_init_chunk(&ctx, p1st->st_oakley.hasher, p1st->st_skeyid_a);
+ hmac_update(&ctx, (u_char *) &msgid, sizeof(msgid_t));
+ hmac_update(&ctx, r_hash_start, r_hdr_pbs.cur-r_hash_start);
+ hmac_final(r_hashval, &ctx);
+
+ DBG(DBG_CRYPT,
+ DBG_log("HASH(1) computed:");
+ DBG_dump("", r_hashval, ctx.hmac_digest_size);
+ )
+ }
+
+ /* Do a dance to avoid needing a new state object.
+ * We use the Phase 1 State. This is the one with right
+ * IV, for one thing.
+ * The tricky bits are:
+ * - we need to preserve (save/restore) st_iv (but not st_iv_new)
+ * - we need to preserve (save/restore) st_tpacket.
+ */
+ {
+ u_char old_iv[MAX_DIGEST_LEN];
+ chunk_t saved_tpacket = p1st->st_tpacket;
+
+ memcpy(old_iv, p1st->st_iv, p1st->st_iv_len);
+ init_phase2_iv(p1st, &msgid);
+
+ if (!encrypt_message(&r_hdr_pbs, p1st))
+ impossible();
+
+ setchunk(p1st->st_tpacket, reply_pbs.start, pbs_offset(&reply_pbs));
+ send_packet(p1st, "delete notify");
+ p1st->st_tpacket = saved_tpacket;
+
+ /* get back old IV for this state */
+ memcpy(p1st->st_iv, old_iv, p1st->st_iv_len);
+ }
+}
+
+void
+accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
+{
+ struct isakmp_delete *d = &(p->payload.delete);
+ size_t sizespi;
+ int i;
+
+ if (!md->encrypted)
+ {
+ loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: not encrypted");
+ return;
+ }
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ /* can't happen (if msg is encrypt), but just to be sure */
+ loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
+ "ISAKMP SA not established");
+ return;
+ }
+
+ if (d->isad_nospi == 0)
+ {
+ loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: no SPI");
+ return;
+ }
+
+ switch (d->isad_protoid)
+ {
+ case PROTO_ISAKMP:
+ sizespi = 2 * COOKIE_SIZE;
+ break;
+ case PROTO_IPSEC_AH:
+ case PROTO_IPSEC_ESP:
+ sizespi = sizeof(ipsec_spi_t);
+ break;
+ case PROTO_IPCOMP:
+ /* nothing interesting to delete */
+ return;
+ default:
+ loglog(RC_LOG_SERIOUS
+ , "ignoring Delete SA payload: unknown Protocol ID (%s)"
+ , enum_show(&protocol_names, d->isad_protoid));
+ return;
+ }
+
+ if (d->isad_spisize != sizespi)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ignoring Delete SA payload: bad SPI size (%d) for %s"
+ , d->isad_spisize, enum_show(&protocol_names, d->isad_protoid));
+ return;
+ }
+
+ if (pbs_left(&p->pbs) != d->isad_nospi * sizespi)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ignoring Delete SA payload: invalid payload size");
+ return;
+ }
+
+ for (i = 0; i < d->isad_nospi; i++)
+ {
+ u_char *spi = p->pbs.cur + (i * sizespi);
+
+ if (d->isad_protoid == PROTO_ISAKMP)
+ {
+ /**
+ * ISAKMP
+ */
+ struct state *dst = find_state(spi /*iCookie*/
+ , spi+COOKIE_SIZE /*rCookie*/
+ , &st->st_connection->spd.that.host_addr
+ , MAINMODE_MSGID);
+
+ if (dst == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
+ "ISAKMP SA not found (maybe expired)");
+ }
+ else if (!same_peer_ids(st->st_connection, dst->st_connection, NULL))
+ {
+ /* we've not authenticated the relevant identities */
+ loglog(RC_LOG_SERIOUS, "ignoring Delete SA payload: "
+ "ISAKMP SA used to convey Delete has different IDs from ISAKMP SA it deletes");
+ }
+ else
+ {
+ struct connection *oldc;
+
+ oldc = cur_connection;
+ set_cur_connection(dst->st_connection);
+
+ if (nat_traversal_enabled)
+ nat_traversal_change_port_lookup(md, dst);
+
+ loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+ "deleting ISAKMP State #%lu", dst->st_serialno);
+ delete_state(dst);
+ set_cur_connection(oldc);
+ }
+ }
+ else
+ {
+ /**
+ * IPSEC (ESP/AH)
+ */
+ bool bogus;
+ struct state *dst = find_phase2_state_to_delete(st
+ , d->isad_protoid
+ , *(ipsec_spi_t *)spi /* network order */
+ , &bogus);
+
+ if (dst == NULL)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ignoring Delete SA payload: %s SA(0x%08lx) not found (%s)"
+ , enum_show(&protocol_names, d->isad_protoid)
+ , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
+ , bogus ? "our SPI - bogus implementation" : "maybe expired");
+ }
+ else
+ {
+ struct connection *rc = dst->st_connection;
+ struct connection *oldc;
+
+ oldc = cur_connection;
+ set_cur_connection(rc);
+
+ if (nat_traversal_enabled)
+ nat_traversal_change_port_lookup(md, dst);
+
+ if (rc->newest_ipsec_sa == dst->st_serialno
+ && (rc->policy & POLICY_UP))
+ {
+ /* Last IPSec SA for a permanent connection that we
+ * have initiated. Replace it in a few seconds.
+ *
+ * Useful if the other peer is rebooting.
+ */
+#define DELETE_SA_DELAY EVENT_RETRANSMIT_DELAY_0
+ if (dst->st_event != NULL
+ && dst->st_event->ev_type == EVENT_SA_REPLACE
+ && dst->st_event->ev_time <= DELETE_SA_DELAY + now())
+ {
+ /* Patch from Angus Lees to ignore retransmited
+ * Delete SA.
+ */
+ loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+ "already replacing IPSEC State #%lu in %d seconds"
+ , dst->st_serialno, (int)(dst->st_event->ev_time - now()));
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
+ "replace IPSEC State #%lu in %d seconds"
+ , dst->st_serialno, DELETE_SA_DELAY);
+ dst->st_margin = DELETE_SA_DELAY;
+ delete_event(dst);
+ event_schedule(EVENT_SA_REPLACE, DELETE_SA_DELAY, dst);
+ }
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "received Delete SA(0x%08lx) payload: "
+ "deleting IPSEC State #%lu"
+ , (unsigned long)ntohl((unsigned long)*(ipsec_spi_t *)spi)
+ , dst->st_serialno);
+ delete_state(dst);
+ }
+
+ /* reset connection */
+ set_cur_connection(oldc);
+ }
+ }
+ }
+}
+
+/* The whole message must be a multiple of 4 octets.
+ * I'm not sure where this is spelled out, but look at
+ * rfc2408 3.6 Transform Payload.
+ * Note: it talks about 4 BYTE boundaries!
+ */
+void
+close_message(pb_stream *pbs)
+{
+ size_t padding = pad_up(pbs_offset(pbs), 4);
+
+ if (padding != 0)
+ (void) out_zero(padding, pbs, "message padding");
+ close_output_pbs(pbs);
+}
+
+/* Initiate an Oakley Main Mode exchange.
+ * --> HDR;SA
+ * Note: this is not called from demux.c
+ */
+static stf_status
+main_outI1(int whack_sock, struct connection *c, struct state *predecessor
+ , lset_t policy, unsigned long try)
+{
+ struct state *st = new_state();
+ pb_stream reply; /* not actually a reply, but you know what I mean */
+ pb_stream rbody;
+
+ int vids_to_send = 0;
+
+ /* set up new state */
+ st->st_connection = c;
+ set_cur_state(st); /* we must reset before exit */
+ st->st_policy = policy & ~POLICY_IPSEC_MASK;
+ st->st_whack_sock = whack_sock;
+ st->st_try = try;
+ st->st_state = STATE_MAIN_I1;
+
+ /* determine how many Vendor ID payloads we will be sending */
+ if (SEND_PLUTO_VID)
+ vids_to_send++;
+ if (SEND_CISCO_UNITY_VID)
+ vids_to_send++;
+ if (c->spd.this.cert.type == CERT_PGP)
+ vids_to_send++;
+ /* always send XAUTH Vendor ID */
+ vids_to_send++;
+ /* always send DPD Vendor ID */
+ vids_to_send++;
+ if (nat_traversal_enabled)
+ vids_to_send++;
+
+ get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
+
+ insert_state(st); /* needs cookies, connection, and msgid (0) */
+
+ if (HAS_IPSEC_POLICY(policy))
+ add_pending(dup_any(whack_sock), st, c, policy, 1
+ , predecessor == NULL? SOS_NOBODY : predecessor->st_serialno);
+
+ if (predecessor == NULL)
+ plog("initiating Main Mode");
+ else
+ plog("initiating Main Mode to replace #%lu", predecessor->st_serialno);
+
+ /* set up reply */
+ init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+
+ /* HDR out */
+ {
+ struct isakmp_hdr hdr;
+
+ zero(&hdr); /* default to 0 */
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = ISAKMP_NEXT_SA;
+ hdr.isa_xchg = ISAKMP_XCHG_IDPROT;
+ memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+ /* R-cookie, flags and MessageID are left zero */
+
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* SA out */
+ {
+ u_char *sa_start = rbody.cur;
+ lset_t auth_policy = policy & POLICY_ID_AUTH_MASK;
+
+ if (!out_sa(&rbody, &oakley_sadb, st, TRUE
+ , vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* save initiator SA for later HASH */
+ passert(st->st_p1isa.ptr == NULL); /* no leak! (MUST be first time) */
+ clonetochunk(st->st_p1isa, sa_start, rbody.cur - sa_start
+ , "sa in main_outI1");
+ }
+
+ /* if enabled send Pluto Vendor ID */
+ if (SEND_PLUTO_VID)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody, VID_STRONGSWAN))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* if enabled send Cisco Unity Vendor ID */
+ if (SEND_CISCO_UNITY_VID)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody, VID_CISCO_UNITY))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+ /* if we have an OpenPGP certificate we assume an
+ * OpenPGP peer and have to send the Vendor ID
+ */
+ if (c->spd.this.cert.type == CERT_PGP)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody, VID_OPENPGP))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* Announce our ability to do eXtended AUTHentication to the peer */
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody, VID_MISC_XAUTH))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* Announce our ability to do Dead Peer Detection to the peer */
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody, VID_MISC_DPD))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ if (nat_traversal_enabled)
+ {
+ /* Add supported NAT-Traversal VID */
+ if (!nat_traversal_add_vid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &rbody))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ close_message(&rbody);
+ close_output_pbs(&reply);
+
+ clonetochunk(st->st_tpacket, reply.start, pbs_offset(&reply)
+ , "reply packet for main_outI1");
+
+ /* Transmit */
+
+ send_packet(st, "main_outI1");
+
+ /* Set up a retransmission event, half a minute henceforth */
+ delete_event(st);
+ event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+
+ if (predecessor != NULL)
+ {
+ update_pending(predecessor, st);
+ whack_log(RC_NEW_STATE + STATE_MAIN_I1
+ , "%s: initiate, replacing #%lu"
+ , enum_name(&state_names, st->st_state)
+ , predecessor->st_serialno);
+ }
+ else
+ {
+ whack_log(RC_NEW_STATE + STATE_MAIN_I1
+ , "%s: initiate", enum_name(&state_names, st->st_state));
+ }
+ reset_cur_state();
+ return STF_OK;
+}
+
+void
+ipsecdoi_initiate(int whack_sock
+, struct connection *c
+, lset_t policy
+, unsigned long try
+, so_serial_t replacing)
+{
+ /* If there's already an ISAKMP SA established, use that and
+ * go directly to Quick Mode. We are even willing to use one
+ * that is still being negotiated, but only if we are the Initiator
+ * (thus we can be sure that the IDs are not going to change;
+ * other issues around intent might matter).
+ * Note: there is no way to initiate with a Road Warrior.
+ */
+ struct state *st = find_phase1_state(c
+ , ISAKMP_SA_ESTABLISHED_STATES | PHASE1_INITIATOR_STATES);
+
+ if (st == NULL)
+ {
+ (void) main_outI1(whack_sock, c, NULL, policy, try);
+ }
+ else if (HAS_IPSEC_POLICY(policy))
+ {
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ /* leave our Phase 2 negotiation pending */
+ add_pending(whack_sock, st, c, policy, try, replacing);
+ }
+ else
+ {
+ /* ??? we assume that peer_nexthop_sin isn't important:
+ * we already have it from when we negotiated the ISAKMP SA!
+ * It isn't clear what to do with the error return.
+ */
+ (void) quick_outI1(whack_sock, st, c, policy, try, replacing);
+ }
+ }
+ else
+ {
+ close_any(whack_sock);
+ }
+}
+
+/* Replace SA with a fresh one that is similar
+ *
+ * Shares some logic with ipsecdoi_initiate, but not the same!
+ * - we must not reuse the ISAKMP SA if we are trying to replace it!
+ * - if trying to replace IPSEC SA, use ipsecdoi_initiate to build
+ * ISAKMP SA if needed.
+ * - duplicate whack fd, if live.
+ * Does not delete the old state -- someone else will do that.
+ */
+void
+ipsecdoi_replace(struct state *st, unsigned long try)
+{
+ int whack_sock = dup_any(st->st_whack_sock);
+ lset_t policy = st->st_policy;
+
+ if (IS_PHASE1(st->st_state))
+ {
+ passert(!HAS_IPSEC_POLICY(policy));
+ (void) main_outI1(whack_sock, st->st_connection, st, policy, try);
+ }
+ else
+ {
+ /* Add features of actual old state to policy. This ensures
+ * that rekeying doesn't downgrade security. I admit that
+ * this doesn't capture everything.
+ */
+ if (st->st_pfs_group != NULL)
+ policy |= POLICY_PFS;
+ if (st->st_ah.present)
+ {
+ policy |= POLICY_AUTHENTICATE;
+ if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ policy |= POLICY_TUNNEL;
+ }
+ if (st->st_esp.present && st->st_esp.attrs.transid != ESP_NULL)
+ {
+ policy |= POLICY_ENCRYPT;
+ if (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ policy |= POLICY_TUNNEL;
+ }
+ if (st->st_ipcomp.present)
+ {
+ policy |= POLICY_COMPRESS;
+ if (st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ policy |= POLICY_TUNNEL;
+ }
+ passert(HAS_IPSEC_POLICY(policy));
+ ipsecdoi_initiate(whack_sock, st->st_connection, policy, try
+ , st->st_serialno);
+ }
+}
+
+/* SKEYID for preshared keys.
+ * See draft-ietf-ipsec-ike-01.txt 4.1
+ */
+static bool
+skeyid_preshared(struct state *st)
+{
+ const chunk_t *pss = get_preshared_secret(st->st_connection);
+
+ if (pss == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "preshared secret disappeared!");
+ return FALSE;
+ }
+ else
+ {
+ struct hmac_ctx ctx;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, *pss);
+ hmac_update_chunk(&ctx, st->st_ni);
+ hmac_update_chunk(&ctx, st->st_nr);
+ hmac_final_chunk(st->st_skeyid, "st_skeyid in skeyid_preshared()", &ctx);
+ return TRUE;
+ }
+}
+
+static bool
+skeyid_digisig(struct state *st)
+{
+ struct hmac_ctx ctx;
+ chunk_t nir;
+
+ /* We need to hmac_init with the concatenation of Ni_b and Nr_b,
+ * so we have to build a temporary concatentation.
+ */
+ nir.len = st->st_ni.len + st->st_nr.len;
+ nir.ptr = alloc_bytes(nir.len, "Ni + Nr in skeyid_digisig");
+ memcpy(nir.ptr, st->st_ni.ptr, st->st_ni.len);
+ memcpy(nir.ptr+st->st_ni.len, st->st_nr.ptr, st->st_nr.len);
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, nir);
+ pfree(nir.ptr);
+
+ hmac_update_chunk(&ctx, st->st_shared);
+ hmac_final_chunk(st->st_skeyid, "st_skeyid in skeyid_digisig()", &ctx);
+ return TRUE;
+}
+
+/* Generate the SKEYID_* and new IV
+ * See draft-ietf-ipsec-ike-01.txt 4.1
+ */
+static bool
+generate_skeyids_iv(struct state *st)
+{
+ /* Generate the SKEYID */
+ switch (st->st_oakley.auth)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ case XAUTHInitPreShared:
+ case XAUTHRespPreShared:
+ if (!skeyid_preshared(st))
+ return FALSE;
+ break;
+
+ case OAKLEY_RSA_SIG:
+ case XAUTHInitRSA:
+ case XAUTHRespRSA:
+ if (!skeyid_digisig(st))
+ return FALSE;
+ break;
+
+ case OAKLEY_DSS_SIG:
+ /* XXX */
+
+ case OAKLEY_RSA_ENC:
+ case OAKLEY_RSA_ENC_REV:
+ case OAKLEY_ELGAMAL_ENC:
+ case OAKLEY_ELGAMAL_ENC_REV:
+ /* XXX */
+
+ default:
+ bad_case(st->st_oakley.auth);
+ }
+
+ /* generate SKEYID_* from SKEYID */
+ {
+ struct hmac_ctx ctx;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid);
+
+ /* SKEYID_D */
+ hmac_update_chunk(&ctx, st->st_shared);
+ hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
+ hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
+ hmac_update(&ctx, "\0", 1);
+ hmac_final_chunk(st->st_skeyid_d, "st_skeyid_d in generate_skeyids_iv()", &ctx);
+
+ /* SKEYID_A */
+ hmac_reinit(&ctx);
+ hmac_update_chunk(&ctx, st->st_skeyid_d);
+ hmac_update_chunk(&ctx, st->st_shared);
+ hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
+ hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
+ hmac_update(&ctx, "\1", 1);
+ hmac_final_chunk(st->st_skeyid_a, "st_skeyid_a in generate_skeyids_iv()", &ctx);
+
+ /* SKEYID_E */
+ hmac_reinit(&ctx);
+ hmac_update_chunk(&ctx, st->st_skeyid_a);
+ hmac_update_chunk(&ctx, st->st_shared);
+ hmac_update(&ctx, st->st_icookie, COOKIE_SIZE);
+ hmac_update(&ctx, st->st_rcookie, COOKIE_SIZE);
+ hmac_update(&ctx, "\2", 1);
+ hmac_final_chunk(st->st_skeyid_e, "st_skeyid_e in generate_skeyids_iv()", &ctx);
+ }
+
+ /* generate IV */
+ {
+ union hash_ctx hash_ctx;
+ const struct hash_desc *h = st->st_oakley.hasher;
+
+ st->st_new_iv_len = h->hash_digest_size;
+ passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+
+ DBG(DBG_CRYPT,
+ DBG_dump_chunk("DH_i:", st->st_gi);
+ DBG_dump_chunk("DH_r:", st->st_gr);
+ );
+ h->hash_init(&hash_ctx);
+ h->hash_update(&hash_ctx, st->st_gi.ptr, st->st_gi.len);
+ h->hash_update(&hash_ctx, st->st_gr.ptr, st->st_gr.len);
+ h->hash_final(st->st_new_iv, &hash_ctx);
+ }
+
+ /* Oakley Keying Material
+ * Derived from Skeyid_e: if it is not big enough, generate more
+ * using the PRF.
+ * See RFC 2409 "IKE" Appendix B
+ */
+ {
+ /* const size_t keysize = st->st_oakley.encrypter->keydeflen/BITS_PER_BYTE; */
+ const size_t keysize = st->st_oakley.enckeylen/BITS_PER_BYTE;
+ u_char keytemp[MAX_OAKLEY_KEY_LEN + MAX_DIGEST_LEN];
+ u_char *k = st->st_skeyid_e.ptr;
+
+ if (keysize > st->st_skeyid_e.len)
+ {
+ struct hmac_ctx ctx;
+ size_t i = 0;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_e);
+ hmac_update(&ctx, "\0", 1);
+ for (;;)
+ {
+ hmac_final(&keytemp[i], &ctx);
+ i += ctx.hmac_digest_size;
+ if (i >= keysize)
+ break;
+ hmac_reinit(&ctx);
+ hmac_update(&ctx, &keytemp[i - ctx.hmac_digest_size], ctx.hmac_digest_size);
+ }
+ k = keytemp;
+ }
+ clonereplacechunk(st->st_enc_key, k, keysize, "st_enc_key");
+ }
+
+ DBG(DBG_CRYPT,
+ DBG_dump_chunk("Skeyid: ", st->st_skeyid);
+ DBG_dump_chunk("Skeyid_d:", st->st_skeyid_d);
+ DBG_dump_chunk("Skeyid_a:", st->st_skeyid_a);
+ DBG_dump_chunk("Skeyid_e:", st->st_skeyid_e);
+ DBG_dump_chunk("enc key:", st->st_enc_key);
+ DBG_dump("IV:", st->st_new_iv, st->st_new_iv_len));
+ return TRUE;
+}
+
+/* Generate HASH_I or HASH_R for ISAKMP Phase I.
+ * This will *not* generate other hash payloads (eg. Phase II or Quick Mode,
+ * New Group Mode, or ISAKMP Informational Exchanges).
+ * If the hashi argument is TRUE, generate HASH_I; if FALSE generate HASH_R.
+ * If hashus argument is TRUE, we're generating a hash for our end.
+ * See RFC2409 IKE 5.
+ *
+ * Generating the SIG_I and SIG_R for DSS is an odd perversion of this:
+ * Most of the logic is the same, but SHA-1 is used in place of HMAC-whatever.
+ * The extensive common logic is embodied in main_mode_hash_body().
+ * See draft-ietf-ipsec-ike-01.txt 4.1 and 6.1.1.2
+ */
+
+typedef void (*hash_update_t)(union hash_ctx *, const u_char *, size_t) ;
+static void
+main_mode_hash_body(struct state *st
+, bool hashi /* Initiator? */
+, const pb_stream *idpl /* ID payload, as PBS */
+, union hash_ctx *ctx
+, void (*hash_update_void)(void *, const u_char *input, size_t))
+{
+#define HASH_UPDATE_T (union hash_ctx *, const u_char *input, unsigned int len)
+ hash_update_t hash_update=(hash_update_t) hash_update_void;
+#if 0 /* if desperate to debug hashing */
+# define hash_update(ctx, input, len) { \
+ DBG_dump("hash input", input, len); \
+ (hash_update)(ctx, input, len); \
+ }
+#endif
+
+# define hash_update_chunk(ctx, ch) hash_update((ctx), (ch).ptr, (ch).len)
+
+ if (hashi)
+ {
+ hash_update_chunk(ctx, st->st_gi);
+ hash_update_chunk(ctx, st->st_gr);
+ hash_update(ctx, st->st_icookie, COOKIE_SIZE);
+ hash_update(ctx, st->st_rcookie, COOKIE_SIZE);
+ }
+ else
+ {
+ hash_update_chunk(ctx, st->st_gr);
+ hash_update_chunk(ctx, st->st_gi);
+ hash_update(ctx, st->st_rcookie, COOKIE_SIZE);
+ hash_update(ctx, st->st_icookie, COOKIE_SIZE);
+ }
+
+ DBG(DBG_CRYPT, DBG_log("hashing %lu bytes of SA"
+ , (unsigned long) (st->st_p1isa.len - sizeof(struct isakmp_generic))));
+
+ /* SA_b */
+ hash_update(ctx, st->st_p1isa.ptr + sizeof(struct isakmp_generic)
+ , st->st_p1isa.len - sizeof(struct isakmp_generic));
+
+ /* Hash identification payload, without generic payload header.
+ * We used to reconstruct ID Payload for this purpose, but now
+ * we use the bytes as they appear on the wire to avoid
+ * "spelling problems".
+ */
+ hash_update(ctx
+ , idpl->start + sizeof(struct isakmp_generic)
+ , pbs_offset(idpl) - sizeof(struct isakmp_generic));
+
+# undef hash_update_chunk
+# undef hash_update
+}
+
+static size_t /* length of hash */
+main_mode_hash(struct state *st
+, u_char *hash_val /* resulting bytes */
+, bool hashi /* Initiator? */
+, const pb_stream *idpl) /* ID payload, as PBS; cur must be at end */
+{
+ struct hmac_ctx ctx;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid);
+ main_mode_hash_body(st, hashi, idpl, &ctx.hash_ctx, ctx.h->hash_update);
+ hmac_final(hash_val, &ctx);
+ return ctx.hmac_digest_size;
+}
+
+#if 0 /* only needed for DSS */
+static void
+main_mode_sha1(struct state *st
+, u_char *hash_val /* resulting bytes */
+, size_t *hash_len /* length of hash */
+, bool hashi /* Initiator? */
+, const pb_stream *idpl) /* ID payload, as PBS */
+{
+ union hash_ctx ctx;
+
+ SHA1Init(&ctx.ctx_sha1);
+ SHA1Update(&ctx.ctx_sha1, st->st_skeyid.ptr, st->st_skeyid.len);
+ *hash_len = SHA1_DIGEST_SIZE;
+ main_mode_hash_body(st, hashi, idpl, &ctx
+ , (void (*)(union hash_ctx *, const u_char *, unsigned int))&SHA1Update);
+ SHA1Final(hash_val, &ctx.ctx_sha1);
+}
+#endif
+
+/* Create an RSA signature of a hash.
+ * Poorly specified in draft-ietf-ipsec-ike-01.txt 6.1.1.2.
+ * Use PKCS#1 version 1.5 encryption of hash (called
+ * RSAES-PKCS1-V1_5) in PKCS#2.
+ */
+static size_t
+RSA_sign_hash(struct connection *c
+, u_char sig_val[RSA_MAX_OCTETS]
+, const u_char *hash_val, size_t hash_len)
+{
+ size_t sz = 0;
+ smartcard_t *sc = c->spd.this.sc;
+
+ if (sc == NULL) /* no smartcard */
+ {
+ const struct RSA_private_key *k = get_RSA_private_key(c);
+
+ if (k == NULL)
+ return 0; /* failure: no key to use */
+
+ sz = k->pub.k;
+ passert(RSA_MIN_OCTETS <= sz && 4 + hash_len < sz && sz <= RSA_MAX_OCTETS);
+ sign_hash(k, hash_val, hash_len, sig_val, sz);
+ }
+ else if (sc->valid) /* if valid pin then sign hash on the smartcard */
+ {
+ lock_certs_and_keys("RSA_sign_hash");
+ if (!scx_establish_context(sc) || !scx_login(sc))
+ {
+ scx_release_context(sc);
+ unlock_certs_and_keys("RSA_sign_hash");
+ return 0;
+ }
+
+ sz = scx_get_keylength(sc);
+ if (sz == 0)
+ {
+ plog("failed to get keylength from smartcard");
+ scx_release_context(sc);
+ unlock_certs_and_keys("RSA_sign_hash");
+ return 0;
+ }
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
+ , (int)sc->slot, sc->id)
+ )
+ sz = scx_sign_hash(sc, hash_val, hash_len, sig_val, sz) ? sz : 0;
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+ unlock_certs_and_keys("RSA_sign_hash");
+ }
+ return sz;
+}
+
+/* Check a Main Mode RSA Signature against computed hash using RSA public key k.
+ *
+ * As a side effect, on success, the public key is copied into the
+ * state object to record the authenticator.
+ *
+ * Can fail because wrong public key is used or because hash disagrees.
+ * We distinguish because diagnostics should also.
+ *
+ * The result is NULL if the Signature checked out.
+ * Otherwise, the first character of the result indicates
+ * how far along failure occurred. A greater character signifies
+ * greater progress.
+ *
+ * Classes:
+ * 0 reserved for caller
+ * 1 SIG length doesn't match key length -- wrong key
+ * 2-8 malformed ECB after decryption -- probably wrong key
+ * 9 decrypted hash != computed hash -- probably correct key
+ *
+ * Although the math should be the same for generating and checking signatures,
+ * it is not: the knowledge of the private key allows more efficient (i.e.
+ * different) computation for encryption.
+ */
+static err_t
+try_RSA_signature(const u_char hash_val[MAX_DIGEST_LEN], size_t hash_len
+, const pb_stream *sig_pbs, pubkey_t *kr
+, struct state *st)
+{
+ const u_char *sig_val = sig_pbs->cur;
+ size_t sig_len = pbs_left(sig_pbs);
+ u_char s[RSA_MAX_OCTETS]; /* for decrypted sig_val */
+ u_char *hash_in_s = &s[sig_len - hash_len];
+ const struct RSA_public_key *k = &kr->u.rsa;
+
+ /* decrypt the signature -- reversing RSA_sign_hash */
+ if (sig_len != k->k)
+ {
+ /* XXX notification: INVALID_KEY_INFORMATION */
+ return "1" "SIG length does not match public key length";
+ }
+
+ /* actual exponentiation; see PKCS#1 v2.0 5.1 */
+ {
+ chunk_t temp_s;
+ mpz_t c;
+
+ n_to_mpz(c, sig_val, sig_len);
+ mpz_powm(c, c, &k->e, &k->n);
+
+ temp_s = mpz_to_n(c, sig_len); /* back to octets */
+ memcpy(s, temp_s.ptr, sig_len);
+ pfree(temp_s.ptr);
+ mpz_clear(c);
+ }
+
+ /* sanity check on signature: see if it matches
+ * PKCS#1 v1.5 8.1 encryption-block formatting
+ */
+ {
+ err_t ugh = NULL;
+
+ if (s[0] != 0x00)
+ ugh = "2" "no leading 00";
+ else if (hash_in_s[-1] != 0x00)
+ ugh = "3" "00 separator not present";
+ else if (s[1] == 0x01)
+ {
+ const u_char *p;
+
+ for (p = &s[2]; p != hash_in_s - 1; p++)
+ {
+ if (*p != 0xFF)
+ {
+ ugh = "4" "invalid Padding String";
+ break;
+ }
+ }
+ }
+ else if (s[1] == 0x02)
+ {
+ const u_char *p;
+
+ for (p = &s[2]; p != hash_in_s - 1; p++)
+ {
+ if (*p == 0x00)
+ {
+ ugh = "5" "invalid Padding String";
+ break;
+ }
+ }
+ }
+ else
+ ugh = "6" "Block Type not 01 or 02";
+
+ if (ugh != NULL)
+ {
+ /* note: it might be a good idea to make sure that
+ * an observer cannot tell what kind of failure happened.
+ * I don't know what this means in practice.
+ */
+ /* We probably selected the wrong public key for peer:
+ * SIG Payload decrypted into malformed ECB
+ */
+ /* XXX notification: INVALID_KEY_INFORMATION */
+ return ugh;
+ }
+ }
+
+ /* We have the decoded hash: see if it matches. */
+ if (memcmp(hash_val, hash_in_s, hash_len) != 0)
+ {
+ /* good: header, hash, signature, and other payloads well-formed
+ * good: we could find an RSA Sig key for the peer.
+ * bad: hash doesn't match
+ * Guess: sides disagree about key to be used.
+ */
+ DBG_cond_dump(DBG_CRYPT, "decrypted SIG", s, sig_len);
+ DBG_cond_dump(DBG_CRYPT, "computed HASH", hash_val, hash_len);
+ /* XXX notification: INVALID_HASH_INFORMATION */
+ return "9" "authentication failure: received SIG does not match computed HASH, but message is well-formed";
+ }
+
+ /* Success: copy successful key into state.
+ * There might be an old one if we previously aborted this
+ * state transition.
+ */
+ unreference_key(&st->st_peer_pubkey);
+ st->st_peer_pubkey = reference_key(kr);
+
+ return NULL; /* happy happy */
+}
+
+/* Check signature against all RSA public keys we can find.
+ * If we need keys from DNS KEY records, and they haven't been fetched,
+ * return STF_SUSPEND to ask for asynch DNS lookup.
+ *
+ * Note: parameter keys_from_dns contains results of DNS lookup for key
+ * or is NULL indicating lookup not yet tried.
+ *
+ * take_a_crack is a helper function. Mostly forensic.
+ * If only we had coroutines.
+ */
+struct tac_state {
+ /* RSA_check_signature's args that take_a_crack needs */
+ struct state *st;
+ const u_char *hash_val;
+ size_t hash_len;
+ const pb_stream *sig_pbs;
+
+ /* state carried between calls */
+ err_t best_ugh; /* most successful failure */
+ int tried_cnt; /* number of keys tried */
+ char tried[50]; /* keyids of tried public keys */
+ char *tn; /* roof of tried[] */
+};
+
+static bool
+take_a_crack(struct tac_state *s
+, pubkey_t *kr
+, const char *story USED_BY_DEBUG)
+{
+ err_t ugh = try_RSA_signature(s->hash_val, s->hash_len, s->sig_pbs
+ , kr, s->st);
+ const struct RSA_public_key *k = &kr->u.rsa;
+
+ s->tried_cnt++;
+ if (ugh == NULL)
+ {
+ DBG(DBG_CRYPT | DBG_CONTROL
+ , DBG_log("an RSA Sig check passed with *%s [%s]"
+ , k->keyid, story));
+ return TRUE;
+ }
+ else
+ {
+ DBG(DBG_CRYPT
+ , DBG_log("an RSA Sig check failure %s with *%s [%s]"
+ , ugh + 1, k->keyid, story));
+ if (s->best_ugh == NULL || s->best_ugh[0] < ugh[0])
+ s->best_ugh = ugh;
+ if (ugh[0] > '0'
+ && s->tn - s->tried + KEYID_BUF + 2 < (ptrdiff_t)sizeof(s->tried))
+ {
+ strcpy(s->tn, " *");
+ strcpy(s->tn + 2, k->keyid);
+ s->tn += strlen(s->tn);
+ }
+ return FALSE;
+ }
+}
+
+static stf_status
+RSA_check_signature(const struct id* peer
+, struct state *st
+, const u_char hash_val[MAX_DIGEST_LEN]
+, size_t hash_len
+, const pb_stream *sig_pbs
+#ifdef USE_KEYRR
+, const pubkey_list_t *keys_from_dns
+#endif /* USE_KEYRR */
+, const struct gw_info *gateways_from_dns
+)
+{
+ const struct connection *c = st->st_connection;
+ struct tac_state s;
+ err_t dns_ugh = NULL;
+
+ s.st = st;
+ s.hash_val = hash_val;
+ s.hash_len = hash_len;
+ s.sig_pbs = sig_pbs;
+
+ s.best_ugh = NULL;
+ s.tried_cnt = 0;
+ s.tn = s.tried;
+
+ /* try all gateway records hung off c */
+ if (c->policy & POLICY_OPPO)
+ {
+ struct gw_info *gw;
+
+ for (gw = c->gw_info; gw != NULL; gw = gw->next)
+ {
+ /* only consider entries that have a key and are for our peer */
+ if (gw->gw_key_present
+ && same_id(&gw->gw_id, &c->spd.that.id)
+ && take_a_crack(&s, gw->key, "key saved from DNS TXT"))
+ return STF_OK;
+ }
+ }
+
+ /* try all appropriate Public keys */
+ {
+ pubkey_list_t *p, **pp;
+
+ pp = &pubkeys;
+
+ for (p = pubkeys; p != NULL; p = *pp)
+ {
+ pubkey_t *key = p->key;
+
+ if (key->alg == PUBKEY_ALG_RSA && same_id(peer, &key->id))
+ {
+ time_t now = time(NULL);
+
+ /* check if found public key has expired */
+ if (key->until_time != UNDEFINED_TIME && key->until_time < now)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "cached RSA public key has expired and has been deleted");
+ *pp = free_public_keyentry(p);
+ continue; /* continue with next public key */
+ }
+
+ if (take_a_crack(&s, key, "preloaded key"))
+ return STF_OK;
+ }
+ pp = &p->next;
+ }
+ }
+
+ /* if no key was found (evidenced by best_ugh == NULL)
+ * and that side of connection is key_from_DNS_on_demand
+ * then go search DNS for keys for peer.
+ */
+ if (s.best_ugh == NULL && c->spd.that.key_from_DNS_on_demand)
+ {
+ if (gateways_from_dns != NULL)
+ {
+ /* TXT keys */
+ const struct gw_info *gwp;
+
+ for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ if (gwp->gw_key_present
+ && take_a_crack(&s, gwp->key, "key from DNS TXT"))
+ return STF_OK;
+ }
+#ifdef USE_KEYRR
+ else if (keys_from_dns != NULL)
+ {
+ /* KEY keys */
+ const pubkey_list_t *kr;
+
+ for (kr = keys_from_dns; kr != NULL; kr = kr->next)
+ if (kr->key->alg == PUBKEY_ALG_RSA
+ && take_a_crack(&s, kr->key, "key from DNS KEY"))
+ return STF_OK;
+ }
+#endif /* USE_KEYRR */
+ else
+ {
+ /* nothing yet: ask for asynch DNS lookup */
+ return STF_SUSPEND;
+ }
+ }
+
+ /* no acceptable key was found: diagnose */
+ {
+ char id_buf[BUF_LEN]; /* arbitrary limit on length of ID reported */
+
+ (void) idtoa(peer, id_buf, sizeof(id_buf));
+
+ if (s.best_ugh == NULL)
+ {
+ if (dns_ugh == NULL)
+ loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
+ , id_buf);
+ else
+ loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
+ "; DNS search for KEY failed (%s)"
+ , id_buf, dns_ugh);
+
+ /* ??? is this the best code there is? */
+ return STF_FAIL + INVALID_KEY_INFORMATION;
+ }
+
+ if (s.best_ugh[0] == '9')
+ {
+ loglog(RC_LOG_SERIOUS, "%s", s.best_ugh + 1);
+ /* XXX Could send notification back */
+ return STF_FAIL + INVALID_HASH_INFORMATION;
+ }
+ else
+ {
+ if (s.tried_cnt == 1)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "Signature check (on %s) failed (wrong key?); tried%s"
+ , id_buf, s.tried);
+ DBG(DBG_CONTROL,
+ DBG_log("public key for %s failed:"
+ " decrypted SIG payload into a malformed ECB (%s)"
+ , id_buf, s.best_ugh + 1));
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "Signature check (on %s) failed:"
+ " tried%s keys but none worked."
+ , id_buf, s.tried);
+ DBG(DBG_CONTROL,
+ DBG_log("all %d public keys for %s failed:"
+ " best decrypted SIG payload into a malformed ECB (%s)"
+ , s.tried_cnt, id_buf, s.best_ugh + 1));
+ }
+ return STF_FAIL + INVALID_KEY_INFORMATION;
+ }
+ }
+}
+
+static notification_t
+accept_nonce(struct msg_digest *md, chunk_t *dest, const char *name)
+{
+ pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs;
+ size_t len = pbs_left(nonce_pbs);
+
+ if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len)
+ {
+ loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
+ , name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
+ return PAYLOAD_MALFORMED; /* ??? */
+ }
+ clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce");
+ return NOTHING_WRONG;
+}
+
+/* encrypt message, sans fixed part of header
+ * IV is fetched from st->st_new_iv and stored into st->st_iv.
+ * The theory is that there will be no "backing out", so we commit to IV.
+ * We also close the pbs.
+ */
+bool
+encrypt_message(pb_stream *pbs, struct state *st)
+{
+ const struct encrypt_desc *e = st->st_oakley.encrypter;
+ u_int8_t *enc_start = pbs->start + sizeof(struct isakmp_hdr);
+ size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
+
+ DBG_cond_dump(DBG_CRYPT | DBG_RAW, "encrypting:\n", enc_start, enc_len);
+
+ /* Pad up to multiple of encryption blocksize.
+ * See the description associated with the definition of
+ * struct isakmp_hdr in packet.h.
+ */
+ {
+ size_t padding = pad_up(enc_len, e->enc_blocksize);
+
+ if (padding != 0)
+ {
+ if (!out_zero(padding, pbs, "encryption padding"))
+ return FALSE;
+ enc_len += padding;
+ }
+ }
+
+ DBG(DBG_CRYPT, DBG_log("encrypting using %s", enum_show(&oakley_enc_names, st->st_oakley.encrypt)));
+
+ /* e->crypt(TRUE, enc_start, enc_len, st); */
+ crypto_cbc_encrypt(e, TRUE, enc_start, enc_len, st);
+
+ update_iv(st);
+ DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
+ close_message(pbs);
+ return TRUE;
+}
+
+/* Compute HASH(1), HASH(2) of Quick Mode.
+ * HASH(1) is part of Quick I1 message.
+ * HASH(2) is part of Quick R1 message.
+ * Used by: quick_outI1, quick_inI1_outR1 (twice), quick_inR1_outI2
+ * (see RFC 2409 "IKE" 5.5, pg. 18 or draft-ietf-ipsec-ike-01.txt 6.2 pg 25)
+ */
+static size_t
+quick_mode_hash12(u_char *dest, const u_char *start, const u_char *roof
+, const struct state *st, const msgid_t *msgid, bool hash2)
+{
+ struct hmac_ctx ctx;
+
+#if 0 /* if desperate to debug hashing */
+# define hmac_update(ctx, ptr, len) { \
+ DBG_dump("hash input", (ptr), (len)); \
+ (hmac_update)((ctx), (ptr), (len)); \
+ }
+ DBG_dump("hash key", st->st_skeyid_a.ptr, st->st_skeyid_a.len);
+#endif
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
+ hmac_update(&ctx, (const void *) msgid, sizeof(msgid_t));
+ if (hash2)
+ hmac_update_chunk(&ctx, st->st_ni); /* include Ni_b in the hash */
+ hmac_update(&ctx, start, roof-start);
+ hmac_final(dest, &ctx);
+
+ DBG(DBG_CRYPT,
+ DBG_log("HASH(%d) computed:", hash2 + 1);
+ DBG_dump("", dest, ctx.hmac_digest_size));
+ return ctx.hmac_digest_size;
+# undef hmac_update
+}
+
+/* Compute HASH(3) in Quick Mode (part of Quick I2 message).
+ * Used by: quick_inR1_outI2, quick_inI2
+ * See RFC2409 "The Internet Key Exchange (IKE)" 5.5.
+ * NOTE: this hash (unlike HASH(1) and HASH(2)) ONLY covers the
+ * Message ID and Nonces. This is a mistake.
+ */
+static size_t
+quick_mode_hash3(u_char *dest, struct state *st)
+{
+ struct hmac_ctx ctx;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
+ hmac_update(&ctx, "\0", 1);
+ hmac_update(&ctx, (u_char *) &st->st_msgid, sizeof(st->st_msgid));
+ hmac_update_chunk(&ctx, st->st_ni);
+ hmac_update_chunk(&ctx, st->st_nr);
+ hmac_final(dest, &ctx);
+ DBG_cond_dump(DBG_CRYPT, "HASH(3) computed:", dest, ctx.hmac_digest_size);
+ return ctx.hmac_digest_size;
+}
+
+/* Compute Phase 2 IV.
+ * Uses Phase 1 IV from st_iv; puts result in st_new_iv.
+ */
+void
+init_phase2_iv(struct state *st, const msgid_t *msgid)
+{
+ const struct hash_desc *h = st->st_oakley.hasher;
+ union hash_ctx ctx;
+
+ DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:"
+ , st->st_ph1_iv, st->st_ph1_iv_len);
+
+ st->st_new_iv_len = h->hash_digest_size;
+ passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
+
+ h->hash_init(&ctx);
+ h->hash_update(&ctx, st->st_ph1_iv, st->st_ph1_iv_len);
+ passert(*msgid != 0);
+ h->hash_update(&ctx, (const u_char *)msgid, sizeof(*msgid));
+ h->hash_final(st->st_new_iv, &ctx);
+
+ DBG_cond_dump(DBG_CRYPT, "computed Phase 2 IV:"
+ , st->st_new_iv, st->st_new_iv_len);
+}
+
+/* Initiate quick mode.
+ * --> HDR*, HASH(1), SA, Nr [, KE ] [, IDci, IDcr ]
+ * (see RFC 2409 "IKE" 5.5)
+ * Note: this is not called from demux.c
+ */
+
+static bool
+emit_subnet_id(ip_subnet *net
+, u_int8_t np, u_int8_t protoid, u_int16_t port, pb_stream *outs)
+{
+ struct isakmp_ipsec_id id;
+ pb_stream id_pbs;
+ ip_address ta;
+ const unsigned char *tbp;
+ size_t tal;
+
+ id.isaiid_np = np;
+ id.isaiid_idtype = subnetishost(net)
+ ? aftoinfo(subnettypeof(net))->id_addr
+ : aftoinfo(subnettypeof(net))->id_subnet;
+ id.isaiid_protoid = protoid;
+ id.isaiid_port = port;
+
+ if (!out_struct(&id, &isakmp_ipsec_identification_desc, outs, &id_pbs))
+ return FALSE;
+
+ networkof(net, &ta);
+ tal = addrbytesptr(&ta, &tbp);
+ if (!out_raw(tbp, tal, &id_pbs, "client network"))
+ return FALSE;
+
+ if (!subnetishost(net))
+ {
+ maskof(net, &ta);
+ tal = addrbytesptr(&ta, &tbp);
+ if (!out_raw(tbp, tal, &id_pbs, "client mask"))
+ return FALSE;
+ }
+
+ close_output_pbs(&id_pbs);
+ return TRUE;
+}
+
+stf_status
+quick_outI1(int whack_sock
+, struct state *isakmp_sa
+, struct connection *c
+, lset_t policy
+, unsigned long try
+, so_serial_t replacing)
+{
+ struct state *st = duplicate_state(isakmp_sa);
+ pb_stream reply; /* not really a reply */
+ pb_stream rbody;
+ u_char /* set by START_HASH_PAYLOAD: */
+ *r_hashval, /* where in reply to jam hash value */
+ *r_hash_start; /* start of what is to be hashed */
+ bool has_client = c->spd.this.has_client || c->spd.that.has_client ||
+ c->spd.this.protocol || c->spd.that.protocol ||
+ c->spd.this.port || c->spd.that.port;
+
+ bool send_natoa = FALSE;
+ u_int8_t np = ISAKMP_NEXT_NONE;
+
+ st->st_whack_sock = whack_sock;
+ st->st_connection = c;
+ set_cur_state(st); /* we must reset before exit */
+ st->st_policy = policy;
+ st->st_try = try;
+
+ st->st_myuserprotoid = c->spd.this.protocol;
+ st->st_peeruserprotoid = c->spd.that.protocol;
+ st->st_myuserport = c->spd.this.port;
+ st->st_peeruserport = c->spd.that.port;
+
+ st->st_msgid = generate_msgid(isakmp_sa);
+ st->st_state = STATE_QUICK_I1;
+
+ insert_state(st); /* needs cookies, connection, and msgid */
+
+ if (replacing == SOS_NOBODY)
+ plog("initiating Quick Mode %s {using isakmp#%lu}"
+ , prettypolicy(policy)
+ , isakmp_sa->st_serialno);
+ else
+ plog("initiating Quick Mode %s to replace #%lu {using isakmp#%lu}"
+ , prettypolicy(policy)
+ , replacing
+ , isakmp_sa->st_serialno);
+
+ if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
+ {
+ /* Duplicate nat_traversal status in new state */
+ st->nat_traversal = isakmp_sa->nat_traversal;
+
+ if (isakmp_sa->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ has_client = TRUE;
+
+ nat_traversal_change_port_lookup(NULL, st);
+ }
+ else
+ st->nat_traversal = 0;
+
+ /* are we going to send a NAT-OA payload? */
+ if ((st->nat_traversal & NAT_T_WITH_NATOA)
+ && !(st->st_policy & POLICY_TUNNEL)
+ && (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)))
+ {
+ send_natoa = TRUE;
+ np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+ ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
+ }
+
+ /* set up reply */
+ init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
+
+ /* HDR* out */
+ {
+ struct isakmp_hdr hdr;
+
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = ISAKMP_NEXT_HASH;
+ hdr.isa_xchg = ISAKMP_XCHG_QUICK;
+ hdr.isa_msgid = st->st_msgid;
+ hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+ memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+ memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* HASH(1) -- create and note space to be filled later */
+ START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_SA);
+
+ /* SA out */
+
+ /*
+ * See if pfs_group has been specified for this conn,
+ * if not, fallback to old use-same-as-P1 behaviour
+ */
+#ifndef NO_IKE_ALG
+ if (st->st_connection)
+ st->st_pfs_group = ike_alg_pfsgroup(st->st_connection, policy);
+ if (!st->st_pfs_group)
+#endif
+ /* If PFS specified, use the same group as during Phase 1:
+ * since no negotiation is possible, we pick one that is
+ * very likely supported.
+ */
+ st->st_pfs_group = policy & POLICY_PFS? isakmp_sa->st_oakley.group : NULL;
+
+ /* Emit SA payload based on a subset of the policy bits.
+ * POLICY_COMPRESS is considered iff we can do IPcomp.
+ */
+ {
+ lset_t pm = POLICY_ENCRYPT | POLICY_AUTHENTICATE;
+
+ if (can_do_IPcomp)
+ pm |= POLICY_COMPRESS;
+
+ if (!out_sa(&rbody
+ , &ipsec_sadb[(st->st_policy & pm) >> POLICY_IPSEC_SHIFT]
+ , st, FALSE, ISAKMP_NEXT_NONCE))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* Ni out */
+ if (!build_and_ship_nonce(&st->st_ni, &rbody
+ , policy & POLICY_PFS? ISAKMP_NEXT_KE : has_client? ISAKMP_NEXT_ID : np
+ , "Ni"))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* [ KE ] out (for PFS) */
+
+ if (st->st_pfs_group != NULL)
+ {
+ if (!build_and_ship_KE(st, &st->st_gi, st->st_pfs_group
+ , &rbody, has_client? ISAKMP_NEXT_ID : np))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* [ IDci, IDcr ] out */
+ if (has_client)
+ {
+ /* IDci (we are initiator), then IDcr (peer is responder) */
+ if (!emit_subnet_id(&c->spd.this.client
+ , ISAKMP_NEXT_ID, st->st_myuserprotoid, st->st_myuserport, &rbody)
+ || !emit_subnet_id(&c->spd.that.client
+ , np, st->st_peeruserprotoid, st->st_peeruserport, &rbody))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* Send NAT-OA if our address is NATed */
+ if (send_natoa)
+ {
+ if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &rbody, st))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* finish computing HASH(1), inserting it in output */
+ (void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
+ , st, &st->st_msgid, FALSE);
+
+ /* encrypt message, except for fixed part of header */
+
+ init_phase2_iv(isakmp_sa, &st->st_msgid);
+ st->st_new_iv_len = isakmp_sa->st_new_iv_len;
+ memcpy(st->st_new_iv, isakmp_sa->st_new_iv, st->st_new_iv_len);
+
+ if (!encrypt_message(&rbody, st))
+ {
+ reset_cur_state();
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* save packet, now that we know its size */
+ clonetochunk(st->st_tpacket, reply.start, pbs_offset(&reply)
+ , "reply packet from quick_outI1");
+
+ /* send the packet */
+
+ send_packet(st, "quick_outI1");
+
+ delete_event(st);
+ event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+
+ if (replacing == SOS_NOBODY)
+ whack_log(RC_NEW_STATE + STATE_QUICK_I1
+ , "%s: initiate"
+ , enum_name(&state_names, st->st_state));
+ else
+ whack_log(RC_NEW_STATE + STATE_QUICK_I1
+ , "%s: initiate to replace #%lu"
+ , enum_name(&state_names, st->st_state)
+ , replacing);
+ reset_cur_state();
+ return STF_OK;
+}
+
+
+/*
+ * Decode the CERT payload of Phase 1.
+ */
+static void
+decode_cert(struct msg_digest *md)
+{
+ struct payload_digest *p;
+
+ for (p = md->chain[ISAKMP_NEXT_CERT]; p != NULL; p = p->next)
+ {
+ struct isakmp_cert *const cert = &p->payload.cert;
+ chunk_t blob;
+ time_t valid_until;
+ blob.ptr = p->pbs.cur;
+ blob.len = pbs_left(&p->pbs);
+ if (cert->isacert_type == CERT_X509_SIGNATURE)
+ {
+ x509cert_t cert = empty_x509cert;
+ if (parse_x509cert(blob, 0, &cert))
+ {
+ if (verify_x509cert(&cert, strict_crl_policy, &valid_until))
+ {
+ DBG(DBG_PARSING,
+ DBG_log("Public key validated")
+ )
+ add_x509_public_key(&cert, valid_until, DAL_SIGNED);
+ }
+ else
+ {
+ plog("X.509 certificate rejected");
+ }
+ free_generalNames(cert.subjectAltName, FALSE);
+ free_generalNames(cert.crlDistributionPoints, FALSE);
+ }
+ else
+ plog("Syntax error in X.509 certificate");
+ }
+ else if (cert->isacert_type == CERT_PKCS7_WRAPPED_X509)
+ {
+ x509cert_t *cert = NULL;
+
+ if (pkcs7_parse_signedData(blob, NULL, &cert, NULL, NULL))
+ store_x509certs(&cert, strict_crl_policy);
+ else
+ plog("Syntax error in PKCS#7 wrapped X.509 certificates");
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "ignoring %s certificate payload",
+ enum_show(&cert_type_names, cert->isacert_type));
+ DBG_cond_dump_chunk(DBG_PARSING, "CERT:\n", blob);
+ }
+ }
+}
+
+/*
+ * Decode the CR payload of Phase 1.
+ */
+static void
+decode_cr(struct msg_digest *md, struct connection *c)
+{
+ struct payload_digest *p;
+
+ for (p = md->chain[ISAKMP_NEXT_CR]; p != NULL; p = p->next)
+ {
+ struct isakmp_cr *const cr = &p->payload.cr;
+ chunk_t ca_name;
+
+ ca_name.len = pbs_left(&p->pbs);
+ ca_name.ptr = (ca_name.len > 0)? p->pbs.cur : NULL;
+
+ DBG_cond_dump_chunk(DBG_PARSING, "CR", ca_name);
+
+ if (cr->isacr_type == CERT_X509_SIGNATURE)
+ {
+ char buf[BUF_LEN];
+
+ if (ca_name.len > 0)
+ {
+ generalName_t *gn;
+
+ if (!is_asn1(ca_name))
+ continue;
+
+ gn = alloc_thing(generalName_t, "generalName");
+ clonetochunk(ca_name, ca_name.ptr,ca_name.len, "ca name");
+ gn->kind = GN_DIRECTORY_NAME;
+ gn->name = ca_name;
+ gn->next = c->requested_ca;
+ c->requested_ca = gn;
+ }
+ c->got_certrequest = TRUE;
+
+ DBG(DBG_PARSING | DBG_CONTROL,
+ dntoa_or_null(buf, BUF_LEN, ca_name, "%any");
+ DBG_log("requested CA: '%s'", buf);
+ )
+ }
+ else
+ loglog(RC_LOG_SERIOUS, "ignoring %s certificate request payload",
+ enum_show(&cert_type_names, cr->isacr_type));
+ }
+}
+
+/* Decode the ID payload of Phase 1 (main_inI3_outR3 and main_inR3)
+ * Note: we may change connections as a result.
+ * We must be called before SIG or HASH are decoded since we
+ * may change the peer's RSA key or ID.
+ */
+static bool
+decode_peer_id(struct msg_digest *md, struct id *peer)
+{
+ struct state *const st = md->st;
+ struct payload_digest *const id_pld = md->chain[ISAKMP_NEXT_ID];
+ const pb_stream *const id_pbs = &id_pld->pbs;
+ struct isakmp_id *const id = &id_pld->payload.id;
+
+ /* I think that RFC2407 (IPSEC DOI) 4.6.2 is confused.
+ * It talks about the protocol ID and Port fields of the ID
+ * Payload, but they don't exist as such in Phase 1.
+ * We use more appropriate names.
+ * isaid_doi_specific_a is in place of Protocol ID.
+ * isaid_doi_specific_b is in place of Port.
+ * Besides, there is no good reason for allowing these to be
+ * other than 0 in Phase 1.
+ */
+ if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
+ && id->isaid_doi_specific_a == IPPROTO_UDP
+ && (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
+ {
+ DBG_log("protocol/port in Phase 1 ID Payload is %d/%d. "
+ "accepted with port_floating NAT-T",
+ id->isaid_doi_specific_a, id->isaid_doi_specific_b);
+ }
+ else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
+ && !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
+ {
+ loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
+ " but are %d/%d"
+ , IPPROTO_UDP, IKE_UDP_PORT
+ , id->isaid_doi_specific_a, id->isaid_doi_specific_b);
+ return FALSE;
+ }
+
+ peer->kind = id->isaid_idtype;
+
+ switch (peer->kind)
+ {
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ /* failure mode for initaddr is probably inappropriate address length */
+ {
+ err_t ugh = initaddr(id_pbs->cur, pbs_left(id_pbs)
+ , peer->kind == ID_IPV4_ADDR? AF_INET : AF_INET6
+ , &peer->ip_addr);
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "improper %s identification payload: %s"
+ , enum_show(&ident_names, peer->kind), ugh);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ }
+ break;
+
+ case ID_USER_FQDN:
+ if (memchr(id_pbs->cur, '@', pbs_left(id_pbs)) == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "peer's ID_USER_FQDN contains no @");
+ return FALSE;
+ }
+ /* FALLTHROUGH */
+ case ID_FQDN:
+ if (memchr(id_pbs->cur, '\0', pbs_left(id_pbs)) != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "Phase 1 ID Payload of type %s contains a NUL"
+ , enum_show(&ident_names, peer->kind));
+ return FALSE;
+ }
+
+ /* ??? ought to do some more sanity check, but what? */
+
+ setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
+ break;
+
+ case ID_KEY_ID:
+ setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
+ DBG(DBG_PARSING,
+ DBG_dump_chunk("KEY ID:", peer->name));
+ break;
+
+ case ID_DER_ASN1_DN:
+ setchunk(peer->name, id_pbs->cur, pbs_left(id_pbs));
+ DBG(DBG_PARSING,
+ DBG_dump_chunk("DER ASN1 DN:", peer->name));
+ break;
+
+ default:
+ /* XXX Could send notification back */
+ loglog(RC_LOG_SERIOUS, "Unacceptable identity type (%s) in Phase 1 ID Payload"
+ , enum_show(&ident_names, peer->kind));
+ return FALSE;
+ }
+
+ {
+ char buf[BUF_LEN];
+
+ idtoa(peer, buf, sizeof(buf));
+ plog("Peer ID is %s: '%s'",
+ enum_show(&ident_names, id->isaid_idtype), buf);
+ }
+
+ /* check for certificates */
+ decode_cert(md);
+ return TRUE;
+}
+
+/* Now that we've decoded the ID payload, let's see if we
+ * need to switch connections.
+ * We must not switch horses if we initiated:
+ * - if the initiation was explicit, we'd be ignoring user's intent
+ * - if opportunistic, we'll lose our HOLD info
+ */
+static bool
+switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
+{
+ struct state *const st = md->st;
+ struct connection *c = st->st_connection;
+
+ chunk_t peer_ca = (st->st_peer_pubkey != NULL)
+ ? st->st_peer_pubkey->issuer : empty_chunk;
+
+ DBG(DBG_CONTROL,
+ char buf[BUF_LEN];
+
+ dntoa_or_null(buf, BUF_LEN, peer_ca, "%none");
+ DBG_log("peer CA: '%s'", buf);
+ )
+
+ if (initiator)
+ {
+ int pathlen;
+
+ if (!same_id(&c->spd.that.id, peer))
+ {
+ char expect[BUF_LEN]
+ , found[BUF_LEN];
+
+ idtoa(&c->spd.that.id, expect, sizeof(expect));
+ idtoa(peer, found, sizeof(found));
+ loglog(RC_LOG_SERIOUS
+ , "we require peer to have ID '%s', but peer declares '%s'"
+ , expect, found);
+ return FALSE;
+ }
+
+ DBG(DBG_CONTROL,
+ char buf[BUF_LEN];
+
+ dntoa_or_null(buf, BUF_LEN, c->spd.this.ca, "%none");
+ DBG_log("required CA: '%s'", buf);
+ )
+
+ if (!trusted_ca(peer_ca, c->spd.that.ca, &pathlen))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "we don't accept the peer's CA");
+ return FALSE;
+ }
+ }
+ else
+ {
+ struct connection *r;
+
+ /* check for certificate requests */
+ decode_cr(md, c);
+
+ r = refine_host_connection(st, peer, peer_ca);
+
+ /* delete the collected certificate requests */
+ free_generalNames(c->requested_ca, TRUE);
+ c->requested_ca = NULL;
+
+ if (r == NULL)
+ {
+ char buf[BUF_LEN];
+
+ idtoa(peer, buf, sizeof(buf));
+ loglog(RC_LOG_SERIOUS, "no suitable connection for peer '%s'", buf);
+ return FALSE;
+ }
+
+ DBG(DBG_CONTROL,
+ char buf[BUF_LEN];
+
+ dntoa_or_null(buf, BUF_LEN, r->spd.this.ca, "%none");
+ DBG_log("offered CA: '%s'", buf);
+ )
+
+ if (r != c)
+ {
+ /* apparently, r is an improvement on c -- replace */
+
+ DBG(DBG_CONTROL
+ , DBG_log("switched from \"%s\" to \"%s\"", c->name, r->name));
+ if (r->kind == CK_TEMPLATE)
+ {
+ /* instantiate it, filling in peer's ID */
+ r = rw_instantiate(r, &c->spd.that.host_addr
+ , c->spd.that.host_port, NULL, peer);
+ }
+
+ /* copy certificate request info */
+ r->got_certrequest = c->got_certrequest;
+
+ st->st_connection = r; /* kill reference to c */
+ set_cur_connection(r);
+ connection_discard(c);
+ }
+ else if (c->spd.that.has_id_wildcards)
+ {
+ free_id_content(&c->spd.that.id);
+ c->spd.that.id = *peer;
+ c->spd.that.has_id_wildcards = FALSE;
+ unshare_id_content(&c->spd.that.id);
+ }
+ }
+ return TRUE;
+}
+
+/* Decode the variable part of an ID packet (during Quick Mode).
+ * This is designed for packets that identify clients, not peers.
+ * Rejects 0.0.0.0/32 or IPv6 equivalent because
+ * (1) it is wrong and (2) we use this value for inband signalling.
+ */
+static bool
+decode_net_id(struct isakmp_ipsec_id *id
+, pb_stream *id_pbs
+, ip_subnet *net
+, const char *which)
+{
+ const struct af_info *afi = NULL;
+
+ /* Note: the following may be a pointer into static memory
+ * that may be recycled, but only if the type is not known.
+ * That case is disposed of very early -- in the first switch.
+ */
+ const char *idtypename = enum_show(&ident_names, id->isaiid_idtype);
+
+ switch (id->isaiid_idtype)
+ {
+ case ID_IPV4_ADDR:
+ case ID_IPV4_ADDR_SUBNET:
+ case ID_IPV4_ADDR_RANGE:
+ afi = &af_inet4_info;
+ break;
+ case ID_IPV6_ADDR:
+ case ID_IPV6_ADDR_SUBNET:
+ case ID_IPV6_ADDR_RANGE:
+ afi = &af_inet6_info;
+ break;
+ case ID_FQDN:
+ return TRUE;
+ default:
+ /* XXX support more */
+ loglog(RC_LOG_SERIOUS, "unsupported ID type %s"
+ , idtypename);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+
+ switch (id->isaiid_idtype)
+ {
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ {
+ ip_address temp_address;
+ err_t ugh;
+
+ ugh = initaddr(id_pbs->cur, pbs_left(id_pbs), afi->af, &temp_address);
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s has wrong length in Quick I1 (%s)"
+ , which, idtypename, ugh);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ if (isanyaddr(&temp_address))
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s is invalid (%s) in Quick I1"
+ , which, idtypename, ip_str(&temp_address));
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ happy(addrtosubnet(&temp_address, net));
+ DBG(DBG_PARSING | DBG_CONTROL
+ , DBG_log("%s is %s", which, ip_str(&temp_address)));
+ break;
+ }
+
+ case ID_IPV4_ADDR_SUBNET:
+ case ID_IPV6_ADDR_SUBNET:
+ {
+ ip_address temp_address, temp_mask;
+ err_t ugh;
+
+ if (pbs_left(id_pbs) != 2 * afi->ia_sz)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
+ , which, idtypename);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ ugh = initaddr(id_pbs->cur
+ , afi->ia_sz, afi->af, &temp_address);
+ if (ugh == NULL)
+ ugh = initaddr(id_pbs->cur + afi->ia_sz
+ , afi->ia_sz, afi->af, &temp_mask);
+ if (ugh == NULL)
+ ugh = initsubnet(&temp_address, masktocount(&temp_mask)
+ , '0', net);
+ if (ugh == NULL && subnetisnone(net))
+ ugh = "contains only anyaddr";
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s bad subnet in Quick I1 (%s)"
+ , which, idtypename, ugh);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ DBG(DBG_PARSING | DBG_CONTROL,
+ {
+ char temp_buff[SUBNETTOT_BUF];
+
+ subnettot(net, 0, temp_buff, sizeof(temp_buff));
+ DBG_log("%s is subnet %s", which, temp_buff);
+ });
+ break;
+ }
+
+ case ID_IPV4_ADDR_RANGE:
+ case ID_IPV6_ADDR_RANGE:
+ {
+ ip_address temp_address_from, temp_address_to;
+ err_t ugh;
+
+ if (pbs_left(id_pbs) != 2 * afi->ia_sz)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s wrong length in Quick I1"
+ , which, idtypename);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+ ugh = initaddr(id_pbs->cur, afi->ia_sz, afi->af, &temp_address_from);
+ if (ugh == NULL)
+ ugh = initaddr(id_pbs->cur + afi->ia_sz
+ , afi->ia_sz, afi->af, &temp_address_to);
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID payload %s malformed (%s) in Quick I1"
+ , which, idtypename, ugh);
+ /* XXX Could send notification back */
+ return FALSE;
+ }
+
+ ugh = rangetosubnet(&temp_address_from, &temp_address_to, net);
+ if (ugh == NULL && subnetisnone(net))
+ ugh = "contains only anyaddr";
+ if (ugh != NULL)
+ {
+ char temp_buff1[ADDRTOT_BUF], temp_buff2[ADDRTOT_BUF];
+
+ addrtot(&temp_address_from, 0, temp_buff1, sizeof(temp_buff1));
+ addrtot(&temp_address_to, 0, temp_buff2, sizeof(temp_buff2));
+ loglog(RC_LOG_SERIOUS, "%s ID payload in Quick I1, %s"
+ " %s - %s unacceptable: %s"
+ , which, idtypename, temp_buff1, temp_buff2, ugh);
+ return FALSE;
+ }
+ DBG(DBG_PARSING | DBG_CONTROL,
+ {
+ char temp_buff[SUBNETTOT_BUF];
+
+ subnettot(net, 0, temp_buff, sizeof(temp_buff));
+ DBG_log("%s is subnet %s (received as range)"
+ , which, temp_buff);
+ });
+ break;
+ }
+ }
+
+ /* set the port selector */
+ setportof(htons(id->isaiid_port), &net->addr);
+
+ DBG(DBG_PARSING | DBG_CONTROL,
+ DBG_log("%s protocol/port is %d/%d", which, id->isaiid_protoid, id->isaiid_port)
+ )
+
+ return TRUE;
+}
+
+/* like decode, but checks that what is received matches what was sent */
+static bool
+
+check_net_id(struct isakmp_ipsec_id *id
+, pb_stream *id_pbs
+, u_int8_t *protoid
+, u_int16_t *port
+, ip_subnet *net
+, const char *which)
+{
+ ip_subnet net_temp;
+
+ if (!decode_net_id(id, id_pbs, &net_temp, which))
+ return FALSE;
+
+ if (!samesubnet(net, &net_temp)
+ || *protoid != id->isaiid_protoid || *port != id->isaiid_port)
+ {
+ loglog(RC_LOG_SERIOUS, "%s ID returned doesn't match my proposal", which);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*
+ * look for the existence of a non-expiring preloaded public key
+ */
+static bool
+has_preloaded_public_key(struct state *st)
+{
+ struct connection *c = st->st_connection;
+
+ /* do not consider rw connections since
+ * the peer's identity must be known
+ */
+ if (c->kind == CK_PERMANENT)
+ {
+ pubkey_list_t *p;
+
+ /* look for a matching RSA public key */
+ for (p = pubkeys; p != NULL; p = p->next)
+ {
+ pubkey_t *key = p->key;
+
+ if (key->alg == PUBKEY_ALG_RSA &&
+ same_id(&c->spd.that.id, &key->id) &&
+ key->until_time == UNDEFINED_TIME)
+ {
+ /* found a preloaded public key */
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Produce the new key material of Quick Mode.
+ * RFC 2409 "IKE" section 5.5
+ * specifies how this is to be done.
+ */
+static void
+compute_proto_keymat(struct state *st
+, u_int8_t protoid
+, struct ipsec_proto_info *pi)
+{
+ size_t needed_len; /* bytes of keying material needed */
+
+ /* Add up the requirements for keying material
+ * (It probably doesn't matter if we produce too much!)
+ */
+ switch (protoid)
+ {
+ case PROTO_IPSEC_ESP:
+ switch (pi->attrs.transid)
+ {
+ case ESP_NULL:
+ needed_len = 0;
+ break;
+ case ESP_DES:
+ needed_len = DES_CBC_BLOCK_SIZE;
+ break;
+ case ESP_3DES:
+ needed_len = DES_CBC_BLOCK_SIZE * 3;
+ break;
+ default:
+#ifndef NO_KERNEL_ALG
+ if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
+ /* XXX: check key_len "coupling with kernel.c's */
+ if (pi->attrs.key_len) {
+ needed_len=pi->attrs.key_len/8;
+ DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+ "key_len=%d from peer",
+ (int)needed_len));
+ }
+ break;
+ }
+#endif
+ bad_case(pi->attrs.transid);
+ }
+
+#ifndef NO_KERNEL_ALG
+ DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+ "needed_len (after ESP enc)=%d",
+ (int)needed_len));
+ if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+ needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
+ } else
+#endif
+ switch (pi->attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ break;
+ case AUTH_ALGORITHM_HMAC_MD5:
+ needed_len += HMAC_MD5_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ needed_len += HMAC_SHA1_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_DES_MAC:
+ default:
+ bad_case(pi->attrs.auth);
+ }
+ DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
+ "needed_len (after ESP auth)=%d",
+ (int)needed_len));
+ break;
+
+ case PROTO_IPSEC_AH:
+ switch (pi->attrs.transid)
+ {
+ case AH_MD5:
+ needed_len = HMAC_MD5_KEY_LEN;
+ break;
+ case AH_SHA:
+ needed_len = HMAC_SHA1_KEY_LEN;
+ break;
+ default:
+ bad_case(pi->attrs.transid);
+ }
+ break;
+
+ default:
+ bad_case(protoid);
+ }
+
+ pi->keymat_len = needed_len;
+
+ /* Allocate space for the keying material.
+ * Although only needed_len bytes are desired, we
+ * must round up to a multiple of ctx.hmac_digest_size
+ * so that our buffer isn't overrun.
+ */
+ {
+ struct hmac_ctx ctx_me, ctx_peer;
+ size_t needed_space; /* space needed for keying material (rounded up) */
+ size_t i;
+
+ hmac_init_chunk(&ctx_me, st->st_oakley.hasher, st->st_skeyid_d);
+ ctx_peer = ctx_me; /* duplicate initial conditions */
+
+ needed_space = needed_len + pad_up(needed_len, ctx_me.hmac_digest_size);
+ replace(pi->our_keymat, alloc_bytes(needed_space, "keymat in compute_keymat()"));
+ replace(pi->peer_keymat, alloc_bytes(needed_space, "peer_keymat in quick_inI1_outR1()"));
+
+ for (i = 0;; )
+ {
+ if (st->st_shared.ptr != NULL)
+ {
+ /* PFS: include the g^xy */
+ hmac_update_chunk(&ctx_me, st->st_shared);
+ hmac_update_chunk(&ctx_peer, st->st_shared);
+ }
+ hmac_update(&ctx_me, &protoid, sizeof(protoid));
+ hmac_update(&ctx_peer, &protoid, sizeof(protoid));
+
+ hmac_update(&ctx_me, (u_char *)&pi->our_spi, sizeof(pi->our_spi));
+ hmac_update(&ctx_peer, (u_char *)&pi->attrs.spi, sizeof(pi->attrs.spi));
+
+ hmac_update_chunk(&ctx_me, st->st_ni);
+ hmac_update_chunk(&ctx_peer, st->st_ni);
+
+ hmac_update_chunk(&ctx_me, st->st_nr);
+ hmac_update_chunk(&ctx_peer, st->st_nr);
+
+ hmac_final(pi->our_keymat + i, &ctx_me);
+ hmac_final(pi->peer_keymat + i, &ctx_peer);
+
+ i += ctx_me.hmac_digest_size;
+ if (i >= needed_space)
+ break;
+
+ /* more keying material needed: prepare to go around again */
+
+ hmac_reinit(&ctx_me);
+ hmac_reinit(&ctx_peer);
+
+ hmac_update(&ctx_me, pi->our_keymat + i - ctx_me.hmac_digest_size
+ , ctx_me.hmac_digest_size);
+ hmac_update(&ctx_peer, pi->peer_keymat + i - ctx_peer.hmac_digest_size
+ , ctx_peer.hmac_digest_size);
+ }
+ }
+
+ DBG(DBG_CRYPT,
+ DBG_dump("KEYMAT computed:\n", pi->our_keymat, pi->keymat_len);
+ DBG_dump("Peer KEYMAT computed:\n", pi->peer_keymat, pi->keymat_len));
+}
+
+static void
+compute_keymats(struct state *st)
+{
+ if (st->st_ah.present)
+ compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah);
+ if (st->st_esp.present)
+ compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp);
+}
+
+/* State Transition Functions.
+ *
+ * The definition of state_microcode_table in demux.c is a good
+ * overview of these routines.
+ *
+ * - Called from process_packet; result handled by complete_state_transition
+ * - struct state_microcode member "processor" points to these
+ * - these routine definitionss are in state order
+ * - these routines must be restartable from any point of error return:
+ * beware of memory allocated before any error.
+ * - output HDR is usually emitted by process_packet (if state_microcode
+ * member first_out_payload isn't ISAKMP_NEXT_NONE).
+ *
+ * The transition functions' functions include:
+ * - process and judge payloads
+ * - update st_iv (result of decryption is in st_new_iv)
+ * - build reply packet
+ */
+
+/* Handle a Main Mode Oakley first packet (responder side).
+ * HDR;SA --> HDR;SA
+ */
+stf_status
+main_inI1_outR1(struct msg_digest *md)
+{
+ struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
+ struct state *st;
+ struct connection *c;
+ struct isakmp_proposal proposal;
+ pb_stream proposal_pbs;
+ pb_stream r_sa_pbs;
+ u_int32_t ipsecdoisit;
+ lset_t policy = LEMPTY;
+ int vids_to_send = 0;
+
+ /* We preparse the peer's proposal in order to determine
+ * the requested authentication policy (RSA or PSK)
+ */
+ RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa
+ , &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
+
+ backup_pbs(&proposal_pbs);
+ RETURN_STF_FAILURE(parse_isakmp_policy(&proposal_pbs
+ , proposal.isap_notrans, &policy));
+ restore_pbs(&proposal_pbs);
+
+ /* We are only considering candidate connections that match
+ * the requested authentication policy (RSA or PSK)
+ */
+ c = find_host_connection(&md->iface->addr, pluto_port
+ , &md->sender, md->sender_port, policy);
+
+ if (c == NULL && md->iface->ike_float)
+ {
+ c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
+ , &md->sender, md->sender_port, policy);
+ }
+
+ if (c == NULL)
+ {
+ /* See if a wildcarded connection can be found.
+ * We cannot pick the right connection, so we're making a guess.
+ * All Road Warrior connections are fair game:
+ * we pick the first we come across (if any).
+ * If we don't find any, we pick the first opportunistic
+ * with the smallest subnet that includes the peer.
+ * There is, of course, no necessary relationship between
+ * an Initiator's address and that of its client,
+ * but Food Groups kind of assumes one.
+ */
+ {
+ struct connection *d;
+
+ d = find_host_connection(&md->iface->addr
+ , pluto_port, (ip_address*)NULL, md->sender_port, policy);
+
+ for (; d != NULL; d = d->hp_next)
+ {
+ if (d->kind == CK_GROUP)
+ {
+ /* ignore */
+ }
+ else
+ {
+ if (d->kind == CK_TEMPLATE && !(d->policy & POLICY_OPPO))
+ {
+ /* must be Road Warrior: we have a winner */
+ c = d;
+ break;
+ }
+
+ /* Opportunistic or Shunt: pick tightest match */
+ if (addrinsubnet(&md->sender, &d->spd.that.client)
+ && (c == NULL || !subnetinsubnet(&c->spd.that.client, &d->spd.that.client)))
+ c = d;
+ }
+ }
+ }
+
+ if (c == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
+ " but no connection has been authorized%s%s"
+ , ip_str(&md->iface->addr), ntohs(portof(&md->iface->addr))
+ , (policy != LEMPTY) ? " with policy=" : ""
+ , (policy != LEMPTY) ? bitnamesof(sa_policy_bit_names, policy) : "");
+ /* XXX notification is in order! */
+ return STF_IGNORE;
+ }
+ else if (c->kind != CK_TEMPLATE)
+ {
+ loglog(RC_LOG_SERIOUS, "initial Main Mode message received on %s:%u"
+ " but \"%s\" forbids connection"
+ , ip_str(&md->iface->addr), pluto_port, c->name);
+ /* XXX notification is in order! */
+ return STF_IGNORE;
+ }
+ else
+ {
+ /* Create a temporary connection that is a copy of this one.
+ * His ID isn't declared yet.
+ */
+ c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
+ }
+ }
+ else if (c->kind == CK_TEMPLATE)
+ {
+ /* Create an instance
+ * This is a rare case: wildcard peer ID but static peer IP address
+ */
+ c = rw_instantiate(c, &md->sender, md->sender_port, NULL, &c->spd.that.id);
+ }
+
+ /* Set up state */
+ md->st = st = new_state();
+ st->st_connection = c;
+ set_cur_state(st); /* (caller will reset cur_state) */
+ st->st_try = 0; /* not our job to try again from start */
+ st->st_policy = c->policy & ~POLICY_IPSEC_MASK; /* only as accurate as connection */
+
+ memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
+ get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
+
+ insert_state(st); /* needs cookies, connection, and msgid (0) */
+
+ st->st_doi = ISAKMP_DOI_IPSEC;
+ st->st_situation = SIT_IDENTITY_ONLY; /* We only support this */
+
+ if ((c->kind == CK_INSTANCE) && (c->spd.that.host_port != pluto_port))
+ {
+ plog("responding to Main Mode from unknown peer %s:%u"
+ , ip_str(&c->spd.that.host_addr), c->spd.that.host_port);
+ }
+ else if (c->kind == CK_INSTANCE)
+ {
+ plog("responding to Main Mode from unknown peer %s"
+ , ip_str(&c->spd.that.host_addr));
+ }
+ else
+ {
+ plog("responding to Main Mode");
+ }
+
+ /* parse_isakmp_sa also spits out a winning SA into our reply,
+ * so we have to build our md->reply and emit HDR before calling it.
+ */
+
+ /* determine how many Vendor ID payloads we will be sending */
+ if (SEND_PLUTO_VID)
+ vids_to_send++;
+ if (SEND_CISCO_UNITY_VID)
+ vids_to_send++;
+ if (md->openpgp)
+ vids_to_send++;
+ /* always send XAUTH Vendor ID */
+ vids_to_send++;
+ /* always send DPD Vendor ID */
+ vids_to_send++;
+ if (md->nat_traversal_vid && nat_traversal_enabled)
+ vids_to_send++;
+
+ /* HDR out.
+ * We can't leave this to comm_handle() because we must
+ * fill in the cookie.
+ */
+ {
+ struct isakmp_hdr r_hdr = md->hdr;
+
+ r_hdr.isa_flags &= ~ISAKMP_FLAG_COMMIT; /* we won't ever turn on this bit */
+ memcpy(r_hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+ r_hdr.isa_np = ISAKMP_NEXT_SA;
+ if (!out_struct(&r_hdr, &isakmp_hdr_desc, &md->reply, &md->rbody))
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* start of SA out */
+ {
+ struct isakmp_sa r_sa = sa_pd->payload.sa;
+
+ r_sa.isasa_np = vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
+
+ if (!out_struct(&r_sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* SA body in and out */
+ RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit, &proposal_pbs
+ ,&proposal, &r_sa_pbs, st, FALSE));
+
+ /* if enabled send Pluto Vendor ID */
+ if (SEND_PLUTO_VID)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, VID_STRONGSWAN))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* if enabled send Cisco Unity Vendor ID */
+ if (SEND_CISCO_UNITY_VID)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, VID_CISCO_UNITY))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /*
+ * if the peer sent an OpenPGP Vendor ID we offer the same capability
+ */
+ if (md->openpgp)
+ {
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, VID_OPENPGP))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* Announce our ability to do eXtended AUTHentication to the peer */
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, VID_MISC_XAUTH))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* Announce our ability to do Dead Peer Detection to the peer */
+ if (!out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, VID_MISC_DPD))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+
+ if (md->nat_traversal_vid && nat_traversal_enabled)
+ {
+ /* reply if NAT-Traversal draft is supported */
+ st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
+
+ if (st->nat_traversal
+ && !out_vendorid(vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE
+ , &md->rbody, md->nat_traversal_vid))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ close_message(&md->rbody);
+
+ /* save initiator SA for HASH */
+ clonereplacechunk(st->st_p1isa, sa_pd->pbs.start, pbs_room(&sa_pd->pbs), "sa in main_inI1_outR1()");
+
+ return STF_OK;
+}
+
+/* STATE_MAIN_I1: HDR, SA --> auth dependent
+ * PSK_AUTH, DS_AUTH: --> HDR, KE, Ni
+ *
+ * The following are not yet implemented:
+ * PKE_AUTH: --> HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+ * RPKE_AUTH: --> HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
+ * <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+ *
+ * We must verify that the proposal received matches one we sent.
+ */
+stf_status
+main_inR1_outI2(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+
+ u_int8_t np = ISAKMP_NEXT_NONE;
+
+ /* verify echoed SA */
+ {
+ u_int32_t ipsecdoisit;
+ pb_stream proposal_pbs;
+ struct isakmp_proposal proposal;
+ struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
+
+ RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sapd->payload.sa
+ ,&sapd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
+ if (proposal.isap_notrans != 1)
+ {
+ loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
+ , (unsigned)proposal.isap_notrans);
+ RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
+ }
+ RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
+ , &proposal_pbs, &proposal, NULL, st, TRUE));
+ }
+
+ if (nat_traversal_enabled && md->nat_traversal_vid)
+ {
+ st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
+ plog("enabling possible NAT-traversal with method %s"
+ , bitnamesof(natt_type_bitnames, st->nat_traversal));
+ }
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+ ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
+ }
+
+ /**************** build output packet HDR;KE;Ni ****************/
+
+ /* HDR out.
+ * We can't leave this to comm_handle() because the isa_np
+ * depends on the type of Auth (eventually).
+ */
+ echo_hdr(md, FALSE, ISAKMP_NEXT_KE);
+
+ /* KE out */
+ if (!build_and_ship_KE(st, &st->st_gi, st->st_oakley.group
+ , &md->rbody, ISAKMP_NEXT_NONCE))
+ return STF_INTERNAL_ERROR;
+
+#ifdef DEBUG
+ /* Ni out */
+ if (!build_and_ship_nonce(&st->st_ni, &md->rbody
+ , (cur_debugging & IMPAIR_BUST_MI2)? ISAKMP_NEXT_VID : np, "Ni"))
+ return STF_INTERNAL_ERROR;
+
+ if (cur_debugging & IMPAIR_BUST_MI2)
+ {
+ /* generate a pointless large VID payload to push message over MTU */
+ pb_stream vid_pbs;
+
+ if (!out_generic(np, &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+ return STF_INTERNAL_ERROR;
+ if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&vid_pbs);
+ }
+#else
+ /* Ni out */
+ if (!build_and_ship_nonce(&st->st_ni, &md->rbody, np, "Ni"))
+ return STF_INTERNAL_ERROR;
+#endif
+
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* finish message */
+ close_message(&md->rbody);
+
+ /* Reinsert the state, using the responder cookie we just received */
+ unhash_state(st);
+ memcpy(st->st_rcookie, md->hdr.isa_rcookie, COOKIE_SIZE);
+ insert_state(st); /* needs cookies, connection, and msgid (0) */
+
+ return STF_OK;
+}
+
+/* STATE_MAIN_R1:
+ * PSK_AUTH, DS_AUTH: HDR, KE, Ni --> HDR, KE, Nr
+ *
+ * The following are not yet implemented:
+ * PKE_AUTH: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
+ * --> HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+ * RPKE_AUTH:
+ * HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDi1_b>Ke_i [,<<Cert-I_b>Ke_i]
+ * --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+ */
+stf_status
+main_inI2_outR2(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ pb_stream *keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
+
+ /* send CR if auth is RSA and no preloaded RSA public key exists*/
+ bool RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
+ || st->st_oakley.auth == XAUTHInitRSA
+ || st->st_oakley.auth == XAUTHRespRSA;
+ bool send_cr = !no_cr_send && RSA_auth && !has_preloaded_public_key(st);
+
+ u_int8_t np = ISAKMP_NEXT_NONE;
+
+ /* KE in */
+ RETURN_STF_FAILURE(accept_KE(&st->st_gi, "Gi", st->st_oakley.group, keyex_pbs));
+
+ /* Ni in */
+ RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
+
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ nat_traversal_natd_lookup(md);
+
+ np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
+ ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
+ }
+ if (st->nat_traversal)
+ {
+ nat_traversal_show_result(st->nat_traversal, md->sender_port);
+ }
+ if (st->nat_traversal & NAT_T_WITH_KA)
+ {
+ nat_traversal_new_ka_event();
+ }
+
+ /* decode certificate requests */
+ st->st_connection->got_certrequest = FALSE;
+ decode_cr(md, st->st_connection);
+
+ /**************** build output packet HDR;KE;Nr ****************/
+
+ /* HDR out done */
+
+ /* KE out */
+ if (!build_and_ship_KE(st, &st->st_gr, st->st_oakley.group
+ , &md->rbody, ISAKMP_NEXT_NONCE))
+ return STF_INTERNAL_ERROR;
+
+#ifdef DEBUG
+ /* Nr out */
+ if (!build_and_ship_nonce(&st->st_nr, &md->rbody
+ , (cur_debugging & IMPAIR_BUST_MR2)? ISAKMP_NEXT_VID
+ : (send_cr? ISAKMP_NEXT_CR : np), "Nr"))
+ return STF_INTERNAL_ERROR;
+
+ if (cur_debugging & IMPAIR_BUST_MR2)
+ {
+ /* generate a pointless large VID payload to push message over MTU */
+ pb_stream vid_pbs;
+
+ if (!out_generic((send_cr)? ISAKMP_NEXT_CR : np,
+ &isakmp_vendor_id_desc, &md->rbody, &vid_pbs))
+ return STF_INTERNAL_ERROR;
+ if (!out_zero(1500 /*MTU?*/, &vid_pbs, "Filler VID"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&vid_pbs);
+ }
+#else
+ /* Nr out */
+ if (!build_and_ship_nonce(&st->st_nr, &md->rbody,
+ (send_cr)? ISAKMP_NEXT_CR : np, "Nr"))
+ return STF_INTERNAL_ERROR;
+#endif
+
+ /* CR out */
+ if (send_cr)
+ {
+ if (st->st_connection->kind == CK_PERMANENT)
+ {
+ if (!build_and_ship_CR(CERT_X509_SIGNATURE
+ , st->st_connection->spd.that.ca
+ , &md->rbody, np))
+ return STF_INTERNAL_ERROR;
+ }
+ else
+ {
+ generalName_t *ca = NULL;
+
+ if (collect_rw_ca_candidates(md, &ca))
+ {
+ generalName_t *gn;
+
+ for (gn = ca; gn != NULL; gn = gn->next)
+ {
+ if (!build_and_ship_CR(CERT_X509_SIGNATURE, gn->name
+ , &md->rbody
+ , gn->next == NULL ? np : ISAKMP_NEXT_CR))
+ return STF_INTERNAL_ERROR;
+ }
+ free_generalNames(ca, FALSE);
+ }
+ else
+ {
+ if (!build_and_ship_CR(CERT_X509_SIGNATURE, empty_chunk
+ , &md->rbody, np))
+ return STF_INTERNAL_ERROR;
+ }
+ }
+ }
+
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* finish message */
+ close_message(&md->rbody);
+
+ /* next message will be encrypted, but not this one.
+ * We could defer this calculation.
+ */
+ compute_dh_shared(st, st->st_gi, st->st_oakley.group);
+ if (!generate_skeyids_iv(st))
+ return STF_FAIL + AUTHENTICATION_FAILED;
+ update_iv(st);
+
+ return STF_OK;
+}
+
+/* STATE_MAIN_I2:
+ * SMF_PSK_AUTH: HDR, KE, Nr --> HDR*, IDi1, HASH_I
+ * SMF_DS_AUTH: HDR, KE, Nr --> HDR*, IDi1, [ CERT, ] SIG_I
+ *
+ * The following are not yet implemented.
+ * SMF_PKE_AUTH: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
+ * --> HDR*, HASH_I
+ * SMF_RPKE_AUTH: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r
+ * --> HDR*, HASH_I
+ */
+stf_status
+main_inR2_outI3(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
+ pb_stream id_pbs; /* ID Payload; also used for hash calculation */
+
+ certpolicy_t cert_policy = st->st_connection->spd.this.sendcert;
+ cert_t mycert = st->st_connection->spd.this.cert;
+ bool requested, send_cert, send_cr;
+
+ bool RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
+ || st->st_oakley.auth == XAUTHInitRSA
+ || st->st_oakley.auth == XAUTHRespRSA;
+
+ int auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
+
+ /* KE in */
+ RETURN_STF_FAILURE(accept_KE(&st->st_gr, "Gr", st->st_oakley.group, keyex_pbs));
+
+ /* Nr in */
+ RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
+
+ /* decode certificate requests */
+ st->st_connection->got_certrequest = FALSE;
+ decode_cr(md, st->st_connection);
+
+ /* free collected certificate requests since as initiator
+ * we don't heed them anyway
+ */
+ free_generalNames(st->st_connection->requested_ca, TRUE);
+ st->st_connection->requested_ca = NULL;
+
+ /* send certificate if auth is RSA, we have one and we want
+ * or are requested to send it
+ */
+ requested = cert_policy == CERT_SEND_IF_ASKED
+ && st->st_connection->got_certrequest;
+ send_cert = RSA_auth && mycert.type != CERT_NONE
+ && (cert_policy == CERT_ALWAYS_SEND || requested);
+
+ /* send certificate request if we don't have a preloaded RSA public key */
+ send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
+
+ /* done parsing; initialize crypto */
+ compute_dh_shared(st, st->st_gr, st->st_oakley.group);
+ if (!generate_skeyids_iv(st))
+ return STF_FAIL + AUTHENTICATION_FAILED;
+
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ nat_traversal_natd_lookup(md);
+ }
+ if (st->nat_traversal)
+ {
+ nat_traversal_show_result(st->nat_traversal, md->sender_port);
+ }
+ if (st->nat_traversal & NAT_T_WITH_KA)
+ {
+ nat_traversal_new_ka_event();
+ }
+
+ /*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
+ /* ??? NOTE: this is almost the same as main_inI3_outR3's code */
+
+ /* HDR* out done */
+
+ /* IDii out */
+ {
+ struct isakmp_ipsec_id id_hd;
+ chunk_t id_b;
+
+ build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
+ id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
+ if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &id_pbs)
+ || !out_chunk(id_b, &id_pbs, "my identity"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&id_pbs);
+ }
+
+ /* CERT out */
+ if (RSA_auth)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("our certificate policy is %s"
+ , enum_name(&cert_policy_names, cert_policy))
+ )
+ if (mycert.type != CERT_NONE)
+ {
+ const char *request_text = "";
+
+ if (cert_policy == CERT_SEND_IF_ASKED)
+ request_text = (send_cert)? "upon request":"without request";
+ plog("we have a cert %s sending it %s"
+ , send_cert? "and are":"but are not", request_text);
+ }
+ else
+ {
+ plog("we don't have a cert");
+ }
+ }
+ if (send_cert)
+ {
+ pb_stream cert_pbs;
+
+ struct isakmp_cert cert_hd;
+ cert_hd.isacert_np = (send_cr)? ISAKMP_NEXT_CR : ISAKMP_NEXT_SIG;
+ cert_hd.isacert_type = mycert.type;
+
+ if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
+ return STF_INTERNAL_ERROR;
+ if (!out_chunk(get_mycert(mycert), &cert_pbs, "CERT"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&cert_pbs);
+ }
+
+ /* CR out */
+ if (send_cr)
+ {
+ if (!build_and_ship_CR(mycert.type, st->st_connection->spd.that.ca
+ , &md->rbody, ISAKMP_NEXT_SIG))
+ return STF_INTERNAL_ERROR;
+ }
+
+ /* HASH_I or SIG_I out */
+ {
+ u_char hash_val[MAX_DIGEST_LEN];
+ size_t hash_len = main_mode_hash(st, hash_val, TRUE, &id_pbs);
+
+ if (auth_payload == ISAKMP_NEXT_HASH)
+ {
+ /* HASH_I out */
+ if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody
+ , hash_val, hash_len, "HASH_I"))
+ return STF_INTERNAL_ERROR;
+ }
+ else
+ {
+ /* SIG_I out */
+ u_char sig_val[RSA_MAX_OCTETS];
+ size_t sig_len = RSA_sign_hash(st->st_connection
+ , sig_val, hash_val, hash_len);
+
+ if (sig_len == 0)
+ {
+ loglog(RC_LOG_SERIOUS, "unable to locate my private key for RSA Signature");
+ return STF_FAIL + AUTHENTICATION_FAILED;
+ }
+
+ if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
+ , &md->rbody, sig_val, sig_len, "SIG_I"))
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* encrypt message, except for fixed part of header */
+
+ /* st_new_iv was computed by generate_skeyids_iv */
+ if (!encrypt_message(&md->rbody, st))
+ return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+
+ return STF_OK;
+}
+
+/* Shared logic for asynchronous lookup of DNS KEY records.
+ * Used for STATE_MAIN_R2 and STATE_MAIN_I3.
+ */
+
+enum key_oppo_step {
+ kos_null,
+ kos_his_txt
+#ifdef USE_KEYRR
+ , kos_his_key
+#endif
+};
+
+struct key_continuation {
+ struct adns_continuation ac; /* common prefix */
+ struct msg_digest *md;
+ enum key_oppo_step step;
+ bool failure_ok;
+ err_t last_ugh;
+};
+
+typedef stf_status (key_tail_fn)(struct msg_digest *md
+ , struct key_continuation *kc);
+static void
+report_key_dns_failure(struct id *id, err_t ugh)
+{
+ char id_buf[BUF_LEN]; /* arbitrary limit on length of ID reported */
+
+ (void) idtoa(id, id_buf, sizeof(id_buf));
+ loglog(RC_LOG_SERIOUS, "no RSA public key known for '%s'"
+ "; DNS search for KEY failed (%s)", id_buf, ugh);
+}
+
+
+/* Processs the Main Mode ID Payload and the Authenticator
+ * (Hash or Signature Payload).
+ * If a DNS query is still needed to get the other host's public key,
+ * the query is initiated and STF_SUSPEND is returned.
+ * Note: parameter kc is a continuation containing the results from
+ * the previous DNS query, or NULL indicating no query has been issued.
+ */
+static stf_status
+main_id_and_auth(struct msg_digest *md
+ , bool initiator /* are we the Initiator? */
+ , cont_fn_t cont_fn /* continuation function */
+ , const struct key_continuation *kc /* current state, can be NULL */
+)
+{
+ struct state *st = md->st;
+ u_char hash_val[MAX_DIGEST_LEN];
+ size_t hash_len;
+ struct id peer;
+ stf_status r = STF_OK;
+
+ /* ID Payload in */
+ if (!decode_peer_id(md, &peer))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ /* Hash the ID Payload.
+ * main_mode_hash requires idpl->cur to be at end of payload
+ * so we temporarily set if so.
+ */
+ {
+ pb_stream *idpl = &md->chain[ISAKMP_NEXT_ID]->pbs;
+ u_int8_t *old_cur = idpl->cur;
+
+ idpl->cur = idpl->roof;
+ hash_len = main_mode_hash(st, hash_val, !initiator, idpl);
+ idpl->cur = old_cur;
+ }
+
+ switch (st->st_oakley.auth)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ case XAUTHInitPreShared:
+ case XAUTHRespPreShared:
+ {
+ pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs;
+
+ if (pbs_left(hash_pbs) != hash_len
+ || memcmp(hash_pbs->cur, hash_val, hash_len) != 0)
+ {
+ DBG_cond_dump(DBG_CRYPT, "received HASH:"
+ , hash_pbs->cur, pbs_left(hash_pbs));
+ loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
+ /* XXX Could send notification back */
+ r = STF_FAIL + INVALID_HASH_INFORMATION;
+ }
+ }
+ break;
+
+ case OAKLEY_RSA_SIG:
+ case XAUTHInitRSA:
+ case XAUTHRespRSA:
+ r = RSA_check_signature(&peer, st, hash_val, hash_len
+ , &md->chain[ISAKMP_NEXT_SIG]->pbs
+#ifdef USE_KEYRR
+ , kc == NULL? NULL : kc->ac.keys_from_dns
+#endif /* USE_KEYRR */
+ , kc == NULL? NULL : kc->ac.gateways_from_dns
+ );
+
+ if (r == STF_SUSPEND)
+ {
+ /* initiate/resume asynchronous DNS lookup for key */
+ struct key_continuation *nkc
+ = alloc_thing(struct key_continuation, "key continuation");
+ enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
+ err_t ugh;
+
+ /* Record that state is used by a suspended md */
+ passert(st->st_suspended_md == NULL);
+ st->st_suspended_md = md;
+
+ nkc->failure_ok = FALSE;
+ nkc->md = md;
+
+ switch (step_done)
+ {
+ case kos_null:
+ /* first try: look for the TXT records */
+ nkc->step = kos_his_txt;
+#ifdef USE_KEYRR
+ nkc->failure_ok = TRUE;
+#endif
+ ugh = start_adns_query(&peer
+ , &peer /* SG itself */
+ , T_TXT
+ , cont_fn
+ , &nkc->ac);
+ break;
+
+#ifdef USE_KEYRR
+ case kos_his_txt:
+ /* second try: look for the KEY records */
+ nkc->step = kos_his_key;
+ ugh = start_adns_query(&peer
+ , NULL /* no sgw for KEY */
+ , T_KEY
+ , cont_fn
+ , &nkc->ac);
+ break;
+#endif /* USE_KEYRR */
+
+ default:
+ bad_case(step_done);
+ }
+
+ if (ugh != NULL)
+ {
+ report_key_dns_failure(&peer, ugh);
+ st->st_suspended_md = NULL;
+ r = STF_FAIL + INVALID_KEY_INFORMATION;
+ }
+ }
+ break;
+
+ default:
+ bad_case(st->st_oakley.auth);
+ }
+ if (r != STF_OK)
+ return r;
+
+ DBG(DBG_CRYPT, DBG_log("authentication succeeded"));
+
+ /*
+ * With the peer ID known, let's see if we need to switch connections.
+ */
+ if (!switch_connection(md, &peer, initiator))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ return r;
+}
+
+/* This continuation is called as part of either
+ * the main_inI3_outR3 state or main_inR3 state.
+ *
+ * The "tail" function is the corresponding tail
+ * function main_inI3_outR3_tail | main_inR3_tail,
+ * either directly when the state is started, or via
+ * adns continuation.
+ *
+ * Basically, we go around in a circle:
+ * main_in?3* -> key_continue
+ * ^ \
+ * / V
+ * adns main_in?3*_tail
+ * ^ |
+ * \ V
+ * main_id_and_auth
+ *
+ * until such time as main_id_and_auth is able
+ * to find authentication, or we run out of things
+ * to try.
+ */
+static void
+key_continue(struct adns_continuation *cr
+, err_t ugh
+, key_tail_fn *tail)
+{
+ struct key_continuation *kc = (void *)cr;
+ struct state *st = kc->md->st;
+
+ passert(cur_state == NULL);
+
+ /* if st == NULL, our state has been deleted -- just clean up */
+ if (st != NULL)
+ {
+ stf_status r;
+
+ passert(st->st_suspended_md == kc->md);
+ st->st_suspended_md = NULL; /* no longer connected or suspended */
+ cur_state = st;
+
+ if (!kc->failure_ok && ugh != NULL)
+ {
+ report_key_dns_failure(&st->st_connection->spd.that.id, ugh);
+ r = STF_FAIL + INVALID_KEY_INFORMATION;
+ }
+ else
+ {
+
+#ifdef USE_KEYRR
+ passert(kc->step == kos_his_txt || kc->step == kos_his_key);
+#else
+ passert(kc->step == kos_his_txt);
+#endif
+ kc->last_ugh = ugh; /* record previous error in case we need it */
+ r = (*tail)(kc->md, kc);
+ }
+ complete_state_transition(&kc->md, r);
+ }
+ if (kc->md != NULL)
+ release_md(kc->md);
+ cur_state = NULL;
+}
+
+/* STATE_MAIN_R2:
+ * PSK_AUTH: HDR*, IDi1, HASH_I --> HDR*, IDr1, HASH_R
+ * DS_AUTH: HDR*, IDi1, [ CERT, ] SIG_I --> HDR*, IDr1, [ CERT, ] SIG_R
+ * PKE_AUTH, RPKE_AUTH: HDR*, HASH_I --> HDR*, HASH_R
+ *
+ * Broken into parts to allow asynchronous DNS lookup.
+ *
+ * - main_inI3_outR3 to start
+ * - main_inI3_outR3_tail to finish or suspend for DNS lookup
+ * - main_inI3_outR3_continue to start main_inI3_outR3_tail again
+ */
+static key_tail_fn main_inI3_outR3_tail; /* forward */
+
+stf_status
+main_inI3_outR3(struct msg_digest *md)
+{
+ return main_inI3_outR3_tail(md, NULL);
+}
+
+static void
+main_inI3_outR3_continue(struct adns_continuation *cr, err_t ugh)
+{
+ key_continue(cr, ugh, main_inI3_outR3_tail);
+}
+
+static stf_status
+main_inI3_outR3_tail(struct msg_digest *md
+, struct key_continuation *kc)
+{
+ struct state *const st = md->st;
+ u_int8_t auth_payload;
+ pb_stream r_id_pbs; /* ID Payload; also used for hash calculation */
+ certpolicy_t cert_policy;
+ cert_t mycert;
+ bool RSA_auth;
+ bool send_cert;
+ bool requested;
+
+ /* ID and HASH_I or SIG_I in
+ * Note: this may switch the connection being used!
+ */
+ {
+ stf_status r = main_id_and_auth(md, FALSE
+ , main_inI3_outR3_continue
+ , kc);
+
+ if (r != STF_OK)
+ return r;
+ }
+
+ /* send certificate if auth is RSA, we have one and we want
+ * or are requested to send it
+ */
+ cert_policy = st->st_connection->spd.this.sendcert;
+ mycert = st->st_connection->spd.this.cert;
+ requested = cert_policy == CERT_SEND_IF_ASKED
+ && st->st_connection->got_certrequest;
+ RSA_auth = st->st_oakley.auth == OAKLEY_RSA_SIG
+ || st->st_oakley.auth == XAUTHInitRSA
+ || st->st_oakley.auth == XAUTHRespRSA;
+ send_cert = RSA_auth
+ && mycert.type != CERT_NONE
+ && (cert_policy == CERT_ALWAYS_SEND || requested);
+
+ /*************** build output packet HDR*;IDir;HASH/SIG_R ***************/
+ /* proccess_packet() would automatically generate the HDR*
+ * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
+ * We don't do this because we wish there to be no partially
+ * built output packet if we need to suspend for asynch DNS.
+ */
+ /* ??? NOTE: this is almost the same as main_inR2_outI3's code */
+
+ /* HDR* out
+ * If auth were PKE_AUTH or RPKE_AUTH, ISAKMP_NEXT_HASH would
+ * be first payload.
+ */
+ echo_hdr(md, TRUE, ISAKMP_NEXT_ID);
+
+ auth_payload = RSA_auth ? ISAKMP_NEXT_SIG : ISAKMP_NEXT_HASH;
+
+ /* IDir out */
+ {
+ /* id_hd should be struct isakmp_id, but struct isakmp_ipsec_id
+ * allows build_id_payload() to work for both phases.
+ */
+ struct isakmp_ipsec_id id_hd;
+ chunk_t id_b;
+
+ build_id_payload(&id_hd, &id_b, &st->st_connection->spd.this);
+ id_hd.isaiid_np = (send_cert)? ISAKMP_NEXT_CERT : auth_payload;
+ if (!out_struct(&id_hd, &isakmp_ipsec_identification_desc, &md->rbody, &r_id_pbs)
+ || !out_chunk(id_b, &r_id_pbs, "my identity"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&r_id_pbs);
+ }
+
+ /* CERT out */
+ if (RSA_auth)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("our certificate policy is %s"
+ , enum_name(&cert_policy_names, cert_policy))
+ )
+ if (mycert.type != CERT_NONE)
+ {
+ const char *request_text = "";
+
+ if (cert_policy == CERT_SEND_IF_ASKED)
+ request_text = (send_cert)? "upon request":"without request";
+ plog("we have a cert %s sending it %s"
+ , send_cert? "and are":"but are not", request_text);
+ }
+ else
+ {
+ plog("we don't have a cert");
+ }
+ }
+ if (send_cert)
+ {
+ pb_stream cert_pbs;
+
+ struct isakmp_cert cert_hd;
+ cert_hd.isacert_np = ISAKMP_NEXT_SIG;
+ cert_hd.isacert_type = mycert.type;
+
+ if (!out_struct(&cert_hd, &isakmp_ipsec_certificate_desc, &md->rbody, &cert_pbs))
+ return STF_INTERNAL_ERROR;
+ if (!out_chunk(get_mycert(mycert), &cert_pbs, "CERT"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&cert_pbs);
+ }
+
+ /* HASH_R or SIG_R out */
+ {
+ u_char hash_val[MAX_DIGEST_LEN];
+ size_t hash_len = main_mode_hash(st, hash_val, FALSE, &r_id_pbs);
+
+ if (auth_payload == ISAKMP_NEXT_HASH)
+ {
+ /* HASH_R out */
+ if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_hash_desc, &md->rbody
+ , hash_val, hash_len, "HASH_R"))
+ return STF_INTERNAL_ERROR;
+ }
+ else
+ {
+ /* SIG_R out */
+ u_char sig_val[RSA_MAX_OCTETS];
+ size_t sig_len = RSA_sign_hash(st->st_connection
+ , sig_val, hash_val, hash_len);
+
+ if (sig_len == 0)
+ {
+ loglog(RC_LOG_SERIOUS, "unable to locate my private key for RSA Signature");
+ return STF_FAIL + AUTHENTICATION_FAILED;
+ }
+
+ if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
+ , &md->rbody, sig_val, sig_len, "SIG_R"))
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* encrypt message, sans fixed part of header */
+
+ if (!encrypt_message(&md->rbody, st))
+ return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+
+ /* Last block of Phase 1 (R3), kept for Phase 2 IV generation */
+ DBG_cond_dump(DBG_CRYPT, "last encrypted block of Phase 1:"
+ , st->st_new_iv, st->st_new_iv_len);
+
+ ISAKMP_SA_established(st->st_connection, st->st_serialno);
+
+ /* Save Phase 1 IV */
+ st->st_ph1_iv_len = st->st_new_iv_len;
+ set_ph1_iv(st, st->st_new_iv);
+
+ return STF_OK;
+}
+
+/* STATE_MAIN_I3:
+ * Handle HDR*;IDir;HASH/SIG_R from responder.
+ *
+ * Broken into parts to allow asynchronous DNS for KEY records.
+ *
+ * - main_inR3 to start
+ * - main_inR3_tail to finish or suspend for DNS lookup
+ * - main_inR3_continue to start main_inR3_tail again
+ */
+
+static key_tail_fn main_inR3_tail; /* forward */
+
+stf_status
+main_inR3(struct msg_digest *md)
+{
+ return main_inR3_tail(md, NULL);
+}
+
+static void
+main_inR3_continue(struct adns_continuation *cr, err_t ugh)
+{
+ key_continue(cr, ugh, main_inR3_tail);
+}
+
+static stf_status
+main_inR3_tail(struct msg_digest *md
+, struct key_continuation *kc)
+{
+ struct state *const st = md->st;
+
+ /* ID and HASH_R or SIG_R in
+ * Note: this may switch the connection being used!
+ */
+ {
+ stf_status r = main_id_and_auth(md, TRUE, main_inR3_continue, kc);
+
+ if (r != STF_OK)
+ return r;
+ }
+
+ /**************** done input ****************/
+
+ ISAKMP_SA_established(st->st_connection, st->st_serialno);
+
+ /* Save Phase 1 IV */
+ st->st_ph1_iv_len = st->st_new_iv_len;
+ set_ph1_iv(st, st->st_new_iv);
+
+
+ update_iv(st); /* finalize our Phase 1 IV */
+
+ return STF_OK;
+}
+
+/* Handle first message of Phase 2 -- Quick Mode.
+ * HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] -->
+ * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ]
+ * (see RFC 2409 "IKE" 5.5)
+ * Installs inbound IPsec SAs.
+ * Although this seems early, we know enough to do so, and
+ * this way we know that it is soon enough to catch all
+ * packets that other side could send using this IPsec SA.
+ *
+ * Broken into parts to allow asynchronous DNS for TXT records:
+ *
+ * - quick_inI1_outR1 starts the ball rolling.
+ * It checks and parses enough to learn the Phase 2 IDs
+ *
+ * - quick_inI1_outR1_tail does the rest of the job
+ * unless DNS must be consulted. In that case,
+ * it starts a DNS query, salts away what is needed
+ * to continue, and suspends. Calls
+ * + quick_inI1_outR1_start_query
+ * + quick_inI1_outR1_process_answer
+ *
+ * - quick_inI1_outR1_continue will restart quick_inI1_outR1_tail
+ * when DNS comes back with an answer.
+ *
+ * A big chunk of quick_inI1_outR1_tail is executed twice.
+ * This is necessary because the set of connections
+ * might change while we are awaiting DNS.
+ * When first called, gateways_from_dns == NULL. If DNS is
+ * consulted asynchronously, gateways_from_dns != NULL the second time.
+ * Remember that our state object might disappear too!
+ *
+ *
+ * If the connection is opportunistic, we must verify delegation.
+ *
+ * 1. Check that we are authorized to be SG for
+ * our client. We look for the TXT record that
+ * delegates us. We also check that the public
+ * key (if present) matches the private key we used.
+ * Eventually, we should probably require DNSsec
+ * authentication for our side.
+ *
+ * 2. If our client TXT record did not include a
+ * public key, check the KEY record indicated
+ * by the identity in the TXT record.
+ *
+ * 3. If the peer's client is the peer itself, we
+ * consider it authenticated. Otherwise, we check
+ * the TXT record for the client to see that
+ * the identity of the SG matches the peer and
+ * that some public key (if present in the TXT)
+ * matches. We need not check the public key if
+ * it isn't in the TXT record.
+ *
+ * Since p isn't yet instantiated, we need to look
+ * in c for description of peer.
+ *
+ * We cannot afford to block waiting for a DNS query.
+ * The code here is structured as two halves:
+ * - process the result of just completed
+ * DNS query (if any)
+ * - if another query is needed, initiate the next
+ * DNS query and suspend
+ */
+
+enum verify_oppo_step {
+ vos_fail,
+ vos_start,
+ vos_our_client,
+ vos_our_txt,
+#ifdef USE_KEYRR
+ vos_our_key,
+#endif /* USE_KEYRR */
+ vos_his_client,
+ vos_done
+};
+
+static const char *const verify_step_name[] = {
+ "vos_fail",
+ "vos_start",
+ "vos_our_client",
+ "vos_our_txt",
+#ifdef USE_KEYRR
+ "vos_our_key",
+#endif /* USE_KEYRR */
+ "vos_his_client",
+ "vos_done"
+};
+
+/* hold anything we can handle of a Phase 2 ID */
+struct p2id {
+ ip_subnet net;
+ u_int8_t proto;
+ u_int16_t port;
+};
+
+struct verify_oppo_bundle {
+ enum verify_oppo_step step;
+ bool failure_ok; /* if true, quick_inI1_outR1_continue will try
+ * other things on DNS failure */
+ struct msg_digest *md;
+ struct p2id my, his;
+ unsigned int new_iv_len; /* p1st's might change */
+ u_char new_iv[MAX_DIGEST_LEN];
+ /* int whackfd; */ /* not needed because we are Responder */
+};
+
+struct verify_oppo_continuation {
+ struct adns_continuation ac; /* common prefix */
+ struct verify_oppo_bundle b;
+};
+
+static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b
+ , struct adns_continuation *ac);
+
+stf_status
+quick_inI1_outR1(struct msg_digest *md)
+{
+ const struct state *const p1st = md->st;
+ struct connection *c = p1st->st_connection;
+ struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+ struct verify_oppo_bundle b;
+
+ /* HASH(1) in */
+ CHECK_QUICK_HASH(md
+ , quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
+ , p1st, &md->hdr.isa_msgid, FALSE)
+ , "HASH(1)", "Quick I1");
+
+ /* [ IDci, IDcr ] in
+ * We do this now (probably out of physical order) because
+ * we wish to select the correct connection before we consult
+ * it for policy.
+ */
+
+ if (id_pd != NULL)
+ {
+ /* ??? we are assuming IPSEC_DOI */
+
+ /* IDci (initiator is peer) */
+
+ if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
+ , &b.his.net, "peer client"))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ /* Hack for MS 818043 NAT-T Update */
+
+ if (id_pd->payload.ipsec_id.isaiid_idtype == ID_FQDN)
+ happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
+
+ /* End Hack for MS 818043 NAT-T Update */
+
+ b.his.proto = id_pd->payload.ipsec_id.isaiid_protoid;
+ b.his.port = id_pd->payload.ipsec_id.isaiid_port;
+ b.his.net.addr.u.v4.sin_port = htons(b.his.port);
+
+ /* IDcr (we are responder) */
+
+ if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
+ , &b.my.net, "our client"))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
+ b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
+ b.my.net.addr.u.v4.sin_port = htons(b.my.port);
+ }
+ else
+ {
+ /* implicit IDci and IDcr: peer and self */
+ if (!sameaddrtype(&c->spd.this.host_addr, &c->spd.that.host_addr))
+ return STF_FAIL;
+
+ happy(addrtosubnet(&c->spd.this.host_addr, &b.my.net));
+ happy(addrtosubnet(&c->spd.that.host_addr, &b.his.net));
+ b.his.proto = b.my.proto = 0;
+ b.his.port = b.my.port = 0;
+ }
+ b.step = vos_start;
+ b.md = md;
+ b.new_iv_len = p1st->st_new_iv_len;
+ memcpy(b.new_iv, p1st->st_new_iv, p1st->st_new_iv_len);
+ return quick_inI1_outR1_tail(&b, NULL);
+}
+
+static void
+report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
+{
+ struct state *st = b->md->st;
+ char fgwb[ADDRTOT_BUF]
+ , cb[ADDRTOT_BUF];
+ ip_address client;
+ err_t which;
+
+ switch (b->step)
+ {
+ case vos_our_client:
+ case vos_our_txt:
+#ifdef USE_KEYRR
+ case vos_our_key:
+#endif /* USE_KEYRR */
+ which = "our";
+ networkof(&b->my.net, &client);
+ break;
+
+ case vos_his_client:
+ which = "his";
+ networkof(&b->his.net, &client);
+ break;
+
+ case vos_start:
+ case vos_done:
+ case vos_fail:
+ default:
+ bad_case(b->step);
+ }
+
+ addrtot(&st->st_connection->spd.that.host_addr, 0, fgwb, sizeof(fgwb));
+ addrtot(&client, 0, cb, sizeof(cb));
+ loglog(RC_OPPOFAILURE
+ , "gateway %s wants connection with %s as %s client, but DNS fails to confirm delegation: %s"
+ , fgwb, cb, which, ugh);
+}
+
+static void
+quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
+{
+ stf_status r;
+ struct verify_oppo_continuation *vc = (void *)cr;
+ struct verify_oppo_bundle *b = &vc->b;
+ struct state *st = b->md->st;
+
+ passert(cur_state == NULL);
+ /* if st == NULL, our state has been deleted -- just clean up */
+ if (st != NULL)
+ {
+ passert(st->st_suspended_md == b->md);
+ st->st_suspended_md = NULL; /* no longer connected or suspended */
+ cur_state = st;
+ if (!b->failure_ok && ugh != NULL)
+ {
+ report_verify_failure(b, ugh);
+ r = STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ else
+ {
+ r = quick_inI1_outR1_tail(b, cr);
+ }
+ complete_state_transition(&b->md, r);
+ }
+ if (b->md != NULL)
+ release_md(b->md);
+ cur_state = NULL;
+}
+
+static stf_status
+quick_inI1_outR1_start_query(struct verify_oppo_bundle *b
+, enum verify_oppo_step next_step)
+{
+ struct msg_digest *md = b->md;
+ struct state *p1st = md->st;
+ struct connection *c = p1st->st_connection;
+ struct verify_oppo_continuation *vc
+ = alloc_thing(struct verify_oppo_continuation, "verify continuation");
+ struct id id /* subject of query */
+ , *our_id /* needed for myid playing */
+ , our_id_space; /* ephemeral: no need for unshare_id_content */
+ ip_address client;
+ err_t ugh;
+
+ /* Record that state is used by a suspended md */
+ b->step = next_step; /* not just vc->b.step */
+ vc->b = *b;
+ passert(p1st->st_suspended_md == NULL);
+ p1st->st_suspended_md = b->md;
+
+ DBG(DBG_CONTROL,
+ {
+ char ours[SUBNETTOT_BUF];
+ char his[SUBNETTOT_BUF];
+
+ subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+ subnettot(&c->spd.that.client, 0, his, sizeof(his));
+
+ DBG_log("responding with DNS query - from %s to %s new state: %s"
+ , ours, his, verify_step_name[b->step]);
+ });
+
+ /* Resolve %myid in a cheesy way.
+ * We have to do the resolution because start_adns_query
+ * et al have insufficient information to do so.
+ * If %myid is already known, we'll use that value
+ * (XXX this may be a mistake: it could be stale).
+ * If %myid is unknown, we should check to see if
+ * there are credentials for the IP address or the FQDN.
+ * Instead, we'll just assume the IP address since we are
+ * acting as the responder and only the IP address would
+ * have gotten it to us.
+ * We don't even try to do this for the other side:
+ * %myid makes no sense for the other side (but it is syntactically
+ * legal).
+ */
+ our_id = resolve_myid(&c->spd.this.id);
+ if (our_id->kind == ID_NONE)
+ {
+ iptoid(&c->spd.this.host_addr, &our_id_space);
+ our_id = &our_id_space;
+ }
+
+ switch (next_step)
+ {
+ case vos_our_client:
+ networkof(&b->my.net, &client);
+ iptoid(&client, &id);
+ vc->b.failure_ok = b->failure_ok = FALSE;
+ ugh = start_adns_query(&id
+ , our_id
+ , T_TXT
+ , quick_inI1_outR1_continue
+ , &vc->ac);
+ break;
+
+ case vos_our_txt:
+ vc->b.failure_ok = b->failure_ok = TRUE;
+ ugh = start_adns_query(our_id
+ , our_id /* self as SG */
+ , T_TXT
+ , quick_inI1_outR1_continue
+ , &vc->ac);
+ break;
+
+#ifdef USE_KEYRR
+ case vos_our_key:
+ vc->b.failure_ok = b->failure_ok = FALSE;
+ ugh = start_adns_query(our_id
+ , NULL
+ , T_KEY
+ , quick_inI1_outR1_continue
+ , &vc->ac);
+ break;
+#endif
+
+ case vos_his_client:
+ networkof(&b->his.net, &client);
+ iptoid(&client, &id);
+ vc->b.failure_ok = b->failure_ok = FALSE;
+ ugh = start_adns_query(&id
+ , &c->spd.that.id
+ , T_TXT
+ , quick_inI1_outR1_continue
+ , &vc->ac);
+ break;
+
+ default:
+ bad_case(next_step);
+ }
+
+ if (ugh != NULL)
+ {
+ /* note: we'd like to use vc->b but vc has been freed
+ * so we have to use b. This is why we plunked next_state
+ * into b, not just vc->b.
+ */
+ report_verify_failure(b, ugh);
+ p1st->st_suspended_md = NULL;
+ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ else
+ {
+ return STF_SUSPEND;
+ }
+}
+
+static enum verify_oppo_step
+quick_inI1_outR1_process_answer(struct verify_oppo_bundle *b
+, struct adns_continuation *ac
+, struct state *p1st)
+{
+ struct connection *c = p1st->st_connection;
+ enum verify_oppo_step next_step;
+ err_t ugh = NULL;
+
+ DBG(DBG_CONTROL,
+ {
+ char ours[SUBNETTOT_BUF];
+ char his[SUBNETTOT_BUF];
+
+ subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+ subnettot(&c->spd.that.client, 0, his, sizeof(his));
+ DBG_log("responding on demand from %s to %s state: %s"
+ , ours, his, verify_step_name[b->step]);
+ });
+
+ /* process just completed DNS query (if any) */
+ switch (b->step)
+ {
+ case vos_start:
+ /* no query to digest */
+ next_step = vos_our_client;
+ break;
+
+ case vos_our_client:
+ next_step = vos_his_client;
+ {
+ const struct RSA_private_key *pri = get_RSA_private_key(c);
+ struct gw_info *gwp;
+
+ if (pri == NULL)
+ {
+ ugh = "we don't know our own key";
+ break;
+ }
+ ugh = "our client does not delegate us as its Security Gateway";
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ ugh = "our client delegates us as its Security Gateway but with the wrong public key";
+ /* If there is no key in the TXT record,
+ * we count it as a win, but we will have
+ * to separately fetch and check the KEY record.
+ * If there is a key from the TXT record,
+ * we count it as a win if we match the key.
+ */
+ if (!gwp->gw_key_present)
+ {
+ next_step = vos_our_txt;
+ ugh = NULL; /* good! */
+ break;
+ }
+ else if (same_RSA_public_key(&pri->pub, &gwp->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ break;
+
+ case vos_our_txt:
+ next_step = vos_his_client;
+ {
+ const struct RSA_private_key *pri = get_RSA_private_key(c);
+
+ if (pri == NULL)
+ {
+ ugh = "we don't know our own key";
+ break;
+ }
+ {
+ struct gw_info *gwp;
+
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+#ifdef USE_KEYRR
+ /* not an error yet, because we have to check KEY RR as well */
+ ugh = NULL;
+#else
+ ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
+#endif
+ if (gwp->gw_key_present
+ && same_RSA_public_key(&pri->pub, &gwp->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+#ifdef USE_KEYRR
+ next_step = vos_our_key;
+#endif
+ }
+ }
+ }
+ break;
+
+#ifdef USE_KEYRR
+ case vos_our_key:
+ next_step = vos_his_client;
+ {
+ const struct RSA_private_key *pri = get_RSA_private_key(c);
+
+ if (pri == NULL)
+ {
+ ugh = "we don't know our own key";
+ break;
+ }
+ {
+ pubkey_list_t *kp;
+
+ ugh = "our client delegation depends on our missing " RRNAME " record";
+ for (kp = ac->keys_from_dns; kp != NULL; kp = kp->next)
+ {
+ ugh = "our client delegation depends on our " RRNAME " record, but it has the wrong public key";
+ if (same_RSA_public_key(&pri->pub, &kp->key->u.rsa))
+ {
+ /* do this only once a day */
+ if (!logged_txt_warning)
+ {
+ loglog(RC_LOG_SERIOUS, "found KEY RR but not TXT RR. See http://www.freeswan.org/err/txt-change.html.");
+ logged_txt_warning = TRUE;
+ }
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ }
+ break;
+#endif /* USE_KEYRR */
+
+ case vos_his_client:
+ next_step = vos_done;
+ {
+ struct gw_info *gwp;
+
+ /* check that the public key that authenticated
+ * the ISAKMP SA (p1st) will do for this gateway.
+ */
+
+ ugh = "peer's client does not delegate to peer";
+ for (gwp = ac->gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ ugh = "peer and its client disagree about public key";
+ /* If there is a key from the TXT record,
+ * we count it as a win if we match the key.
+ * If there was no key, we claim a match since
+ * it implies fetching a KEY from the same
+ * place we must have gotten it.
+ */
+ if (!gwp->gw_key_present
+ || same_RSA_public_key(&p1st->st_peer_pubkey->u.rsa
+ , &gwp->key->u.rsa))
+ {
+ ugh = NULL; /* good! */
+ break;
+ }
+ }
+ }
+ break;
+
+ default:
+ bad_case(b->step);
+ }
+
+ if (ugh != NULL)
+ {
+ report_verify_failure(b, ugh);
+ next_step = vos_fail;
+ }
+ return next_step;
+}
+
+static stf_status
+quick_inI1_outR1_tail(struct verify_oppo_bundle *b
+, struct adns_continuation *ac)
+{
+ struct msg_digest *md = b->md;
+ struct state *const p1st = md->st;
+ struct connection *c = p1st->st_connection;
+ struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+ ip_subnet *our_net = &b->my.net
+ , *his_net = &b->his.net;
+
+ u_char /* set by START_HASH_PAYLOAD: */
+ *r_hashval, /* where in reply to jam hash value */
+ *r_hash_start; /* from where to start hashing */
+
+ /* Now that we have identities of client subnets, we must look for
+ * a suitable connection (our current one only matches for hosts).
+ */
+ {
+ struct connection *p = find_client_connection(c
+ , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);
+
+ if (p == NULL)
+ {
+ /* This message occurs in very puzzling circumstances
+ * so we must add as much information and beauty as we can.
+ */
+ struct end
+ me = c->spd.this,
+ he = c->spd.that;
+ char buf[2*SUBNETTOT_BUF + 2*ADDRTOT_BUF + 2*BUF_LEN + 2*ADDRTOT_BUF + 12]; /* + 12 for separating */
+ size_t l;
+
+ me.client = *our_net;
+ me.has_client = !subnetisaddr(our_net, &me.host_addr);
+ me.protocol = b->my.proto;
+ me.port = b->my.port;
+
+ he.client = *his_net;
+ he.has_client = !subnetisaddr(his_net, &he.host_addr);
+ he.protocol = b->his.proto;
+ he.port = b->his.port;
+
+ l = format_end(buf, sizeof(buf), &me, NULL, TRUE, LEMPTY);
+ l += snprintf(buf + l, sizeof(buf) - l, "...");
+ (void)format_end(buf + l, sizeof(buf) - l, &he, NULL, FALSE, LEMPTY);
+ plog("cannot respond to IPsec SA request"
+ " because no connection is known for %s"
+ , buf);
+ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ else if (p != c)
+ {
+ /* We've got a better connection: it can support the
+ * specified clients. But it may need instantiation.
+ */
+ if (p->kind == CK_TEMPLATE)
+ {
+ /* Yup, it needs instantiation. How much?
+ * Is it a Road Warrior connection (simple)
+ * or is it an Opportunistic connection (needing gw validation)?
+ */
+ if (p->policy & POLICY_OPPO)
+ {
+ /* Opportunistic case: delegation must be verified.
+ * Here be dragons.
+ */
+ enum verify_oppo_step next_step;
+ ip_address our_client, his_client;
+
+ passert(subnetishost(our_net) && subnetishost(his_net));
+ networkof(our_net, &our_client);
+ networkof(his_net, &his_client);
+
+ next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
+ if (next_step == vos_fail)
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ /* short circuit: if peer's client is self,
+ * accept that we've verified delegation in Phase 1
+ */
+ if (next_step == vos_his_client
+ && sameaddr(&c->spd.that.host_addr, &his_client))
+ next_step = vos_done;
+
+ /* the second chunk: initiate the next DNS query (if any) */
+ DBG(DBG_CONTROL,
+ {
+ char ours[SUBNETTOT_BUF];
+ char his[SUBNETTOT_BUF];
+
+ subnettot(&c->spd.this.client, 0, ours, sizeof(ours));
+ subnettot(&c->spd.that.client, 0, his, sizeof(his));
+
+ DBG_log("responding on demand from %s to %s new state: %s"
+ , ours, his, verify_step_name[next_step]);
+ });
+
+ /* start next DNS query and suspend (if necessary) */
+ if (next_step != vos_done)
+ return quick_inI1_outR1_start_query(b, next_step);
+
+ /* Instantiate inbound Opportunistic connection,
+ * carrying over authenticated peer ID
+ * and filling in a few more details.
+ * We used to include gateways_from_dns, but that
+ * seems pointless at this stage of negotiation.
+ * We should record DNS sec use, if any -- belongs in
+ * state during perhaps.
+ */
+ p = oppo_instantiate(p, &c->spd.that.host_addr, &c->spd.that.id
+ , NULL, &our_client, &his_client);
+ }
+ else
+ {
+ /* Plain Road Warrior:
+ * instantiate, carrying over authenticated peer ID
+ */
+ p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
+ , his_net, &c->spd.that.id);
+ }
+ }
+#ifdef DEBUG
+ /* temporarily bump up cur_debugging to get "using..." message
+ * printed if we'd want it with new connection.
+ */
+ {
+ lset_t old_cur_debugging = cur_debugging;
+
+ cur_debugging |= p->extra_debugging;
+ DBG(DBG_CONTROL, DBG_log("using connection \"%s\"", p->name));
+ cur_debugging = old_cur_debugging;
+ }
+#endif
+ c = p;
+ }
+ /* fill in the client's true ip address/subnet */
+ if (p->spd.that.has_client_wildcard)
+ {
+ p->spd.that.client = *his_net;
+ p->spd.that.has_client_wildcard = FALSE;
+ }
+ else if (is_virtual_connection(c))
+ {
+ c->spd.that.client = *his_net;
+ c->spd.that.virt = NULL;
+ if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
+ c->spd.that.has_client = FALSE;
+ }
+
+ /* fill in the client's true port */
+ if (p->spd.that.has_port_wildcard)
+ {
+ int port = htons(b->his.port);
+
+ setportof(port, &p->spd.that.host_addr);
+ setportof(port, &p->spd.that.client.addr);
+
+ p->spd.that.port = b->his.port;
+ p->spd.that.has_port_wildcard = FALSE;
+ }
+ }
+
+ /* now that we are sure of our connection, create our new state */
+ {
+ struct state *const st = duplicate_state(p1st);
+
+ /* first: fill in missing bits of our new state object
+ * note: we don't copy over st_peer_pubkey, the public key
+ * that authenticated the ISAKMP SA. We only need it in this
+ * routine, so we can "reach back" to p1st to get it.
+ */
+
+ if (st->st_connection != c)
+ {
+ struct connection *t = st->st_connection;
+
+ st->st_connection = c;
+ set_cur_connection(c);
+ connection_discard(t);
+ }
+
+ st->st_try = 0; /* not our job to try again from start */
+
+ st->st_msgid = md->hdr.isa_msgid;
+
+ st->st_new_iv_len = b->new_iv_len;
+ memcpy(st->st_new_iv, b->new_iv, b->new_iv_len);
+
+ set_cur_state(st); /* (caller will reset) */
+ md->st = st; /* feed back new state */
+
+ st->st_peeruserprotoid = b->his.proto;
+ st->st_peeruserport = b->his.port;
+ st->st_myuserprotoid = b->my.proto;
+ st->st_myuserport = b->my.port;
+
+ insert_state(st); /* needs cookies, connection, and msgid */
+
+ /* copy the connection's
+ * IPSEC policy into our state. The ISAKMP policy is water under
+ * the bridge, I think. It will reflect the ISAKMP SA that we
+ * are using.
+ */
+ st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
+ | (c->policy & ~POLICY_ISAKMP_MASK);
+
+ if (p1st->nat_traversal & NAT_T_DETECTED)
+ {
+ st->nat_traversal = p1st->nat_traversal;
+ nat_traversal_change_port_lookup(md, md->st);
+ }
+ else
+ {
+ st->nat_traversal = 0;
+ }
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && (st->nat_traversal & NAT_T_WITH_NATOA))
+ {
+ nat_traversal_natoa_lookup(md);
+ }
+
+ /* Start the output packet.
+ *
+ * proccess_packet() would automatically generate the HDR*
+ * payload if smc->first_out_payload is not ISAKMP_NEXT_NONE.
+ * We don't do this because we wish there to be no partially
+ * built output packet if we need to suspend for asynch DNS.
+ *
+ * We build the reply packet as we parse the message since
+ * the parse_ipsec_sa_body emits the reply SA
+ */
+
+ /* HDR* out */
+ echo_hdr(md, TRUE, ISAKMP_NEXT_HASH);
+
+ /* HASH(2) out -- first pass */
+ START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_SA);
+
+ /* process SA (in and out) */
+ {
+ struct payload_digest *const sapd = md->chain[ISAKMP_NEXT_SA];
+ pb_stream r_sa_pbs;
+ struct isakmp_sa sa = sapd->payload.sa;
+
+ /* sa header is unchanged -- except for np */
+ sa.isasa_np = ISAKMP_NEXT_NONCE;
+ if (!out_struct(&sa, &isakmp_sa_desc, &md->rbody, &r_sa_pbs))
+ return STF_INTERNAL_ERROR;
+
+ /* parse and accept body */
+ st->st_pfs_group = &unset_group;
+ RETURN_STF_FAILURE(parse_ipsec_sa_body(&sapd->pbs
+ , &sapd->payload.sa, &r_sa_pbs, FALSE, st));
+ }
+
+ passert(st->st_pfs_group != &unset_group);
+
+ if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
+ return STF_FAIL + NO_PROPOSAL_CHOSEN; /* ??? */
+ }
+
+ /* Ni in */
+ RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
+
+ /* [ KE ] in (for PFS) */
+ RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gi, "Gi", "Quick Mode I1"));
+
+ plog("responding to Quick Mode");
+
+ /**** finish reply packet: Nr [, KE ] [, IDci, IDcr ] ****/
+
+ /* Nr out */
+ if (!build_and_ship_nonce(&st->st_nr, &md->rbody
+ , st->st_pfs_group != NULL? ISAKMP_NEXT_KE : id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE
+ , "Nr"))
+ return STF_INTERNAL_ERROR;
+
+ /* [ KE ] out (for PFS) */
+
+ if (st->st_pfs_group != NULL)
+ {
+ if (!build_and_ship_KE(st, &st->st_gr, st->st_pfs_group
+ , &md->rbody, id_pd != NULL? ISAKMP_NEXT_ID : ISAKMP_NEXT_NONE))
+ return STF_INTERNAL_ERROR;
+
+ /* MPZ-Operations might be done after sending the packet... */
+ compute_dh_shared(st, st->st_gi, st->st_pfs_group);
+ }
+
+ /* [ IDci, IDcr ] out */
+ if (id_pd != NULL)
+ {
+ struct isakmp_ipsec_id *p = (void *)md->rbody.cur; /* UGH! */
+
+ if (!out_raw(id_pd->pbs.start, pbs_room(&id_pd->pbs), &md->rbody, "IDci"))
+ return STF_INTERNAL_ERROR;
+ p->isaiid_np = ISAKMP_NEXT_ID;
+
+ p = (void *)md->rbody.cur; /* UGH! */
+
+ if (!out_raw(id_pd->next->pbs.start, pbs_room(&id_pd->next->pbs), &md->rbody, "IDcr"))
+ return STF_INTERNAL_ERROR;
+ p->isaiid_np = ISAKMP_NEXT_NONE;
+ }
+
+ if ((st->nat_traversal & NAT_T_WITH_NATOA)
+ && (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ && (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
+ {
+ /** Send NAT-OA if our address is NATed and if we use Transport Mode */
+ if (!nat_traversal_add_natoa(ISAKMP_NEXT_NONE, &md->rbody, md->st))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT)
+ && (c->spd.that.has_client))
+ {
+ /** Remove client **/
+ addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
+ c->spd.that.has_client = FALSE;
+ }
+
+ /* Compute reply HASH(2) and insert in output */
+ (void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
+ , st, &st->st_msgid, TRUE);
+
+ /* Derive new keying material */
+ compute_keymats(st);
+
+ /* Tell the kernel to establish the new inbound SA
+ * (unless the commit bit is set -- which we don't support).
+ * We do this before any state updating so that
+ * failure won't look like success.
+ */
+ if (!install_inbound_ipsec_sa(st))
+ return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+
+ /* encrypt message, except for fixed part of header */
+
+ if (!encrypt_message(&md->rbody, st))
+ return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+
+ return STF_OK;
+ }
+}
+
+/*
+ * Initialize RFC 3706 Dead Peer Detection
+ */
+static void
+dpd_init(struct state *st)
+{
+ struct state *p1st = find_state(st->st_icookie, st->st_rcookie
+ , &st->st_connection->spd.that.host_addr, 0);
+
+ if (p1st == NULL)
+ loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
+ else if (p1st->st_dpd)
+ {
+ plog("Dead Peer Detection (RFC 3706) enabled");
+ /* randomize the first DPD event */
+
+ event_schedule(EVENT_DPD
+ , (0.5 + rand()/(RAND_MAX + 1.E0)) * st->st_connection->dpd_delay
+ , st);
+ }
+}
+
+/* Handle (the single) message from Responder in Quick Mode.
+ * HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr ] -->
+ * HDR*, HASH(3)
+ * (see RFC 2409 "IKE" 5.5)
+ * Installs inbound and outbound IPsec SAs, routing, etc.
+ */
+stf_status
+quick_inR1_outI2(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ const struct connection *c = st->st_connection;
+
+ /* HASH(2) in */
+ CHECK_QUICK_HASH(md
+ , quick_mode_hash12(hash_val, hash_pbs->roof, md->message_pbs.roof
+ , st, &st->st_msgid, TRUE)
+ , "HASH(2)", "Quick R1");
+
+ /* SA in */
+ {
+ struct payload_digest *const sa_pd = md->chain[ISAKMP_NEXT_SA];
+
+ RETURN_STF_FAILURE(parse_ipsec_sa_body(&sa_pd->pbs
+ , &sa_pd->payload.sa, NULL, TRUE, st));
+ }
+
+ /* Nr in */
+ RETURN_STF_FAILURE(accept_nonce(md, &st->st_nr, "Nr"));
+
+ /* [ KE ] in (for PFS) */
+ RETURN_STF_FAILURE(accept_PFS_KE(md, &st->st_gr, "Gr", "Quick Mode R1"));
+
+ if (st->st_pfs_group != NULL)
+ compute_dh_shared(st, st->st_gr, st->st_pfs_group);
+
+ /* [ IDci, IDcr ] in; these must match what we sent */
+
+ {
+ struct payload_digest *const id_pd = md->chain[ISAKMP_NEXT_ID];
+
+ if (id_pd != NULL)
+ {
+ /* ??? we are assuming IPSEC_DOI */
+
+ /* IDci (we are initiator) */
+
+ if (!check_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
+ , &st->st_myuserprotoid, &st->st_myuserport
+ , &st->st_connection->spd.this.client
+ , "our client"))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+
+ /* IDcr (responder is peer) */
+
+ if (!check_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
+ , &st->st_peeruserprotoid, &st->st_peeruserport
+ , &st->st_connection->spd.that.client
+ , "peer client"))
+ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ else
+ {
+ /* no IDci, IDcr: we must check that the defaults match our proposal */
+ if (!subnetisaddr(&c->spd.this.client, &c->spd.this.host_addr)
+ || !subnetisaddr(&c->spd.that.client, &c->spd.that.host_addr))
+ {
+ loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
+ " but default does not match proposal");
+ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ }
+ }
+
+ /* check the peer's group attributes */
+
+ {
+ const ietfAttrList_t *peer_list = NULL;
+
+ get_peer_ca_and_groups(st->st_connection, &peer_list);
+
+ if (!group_membership(peer_list, st->st_connection->name
+ , st->st_connection->spd.that.groups))
+ {
+ char buf[BUF_LEN];
+
+ format_groups(st->st_connection->spd.that.groups, buf, BUF_LEN);
+ loglog(RC_LOG_SERIOUS, "peer is not member of one of the groups: %s"
+ , buf);
+ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+ }
+
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && (st->nat_traversal & NAT_T_WITH_NATOA))
+ {
+ nat_traversal_natoa_lookup(md);
+ }
+
+ /* ??? We used to copy the accepted proposal into the state, but it was
+ * never used. From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
+ */
+
+ /**************** build reply packet HDR*, HASH(3) ****************/
+
+ /* HDR* out done */
+
+ /* HASH(3) out -- since this is the only content, no passes needed */
+ {
+ u_char /* set by START_HASH_PAYLOAD: */
+ *r_hashval, /* where in reply to jam hash value */
+ *r_hash_start; /* start of what is to be hashed */
+
+ START_HASH_PAYLOAD(md->rbody, ISAKMP_NEXT_NONE);
+ (void)quick_mode_hash3(r_hashval, st);
+ }
+
+ /* Derive new keying material */
+ compute_keymats(st);
+
+ /* Tell the kernel to establish the inbound, outbound, and routing part
+ * of the new SA (unless the commit bit is set -- which we don't support).
+ * We do this before any state updating so that
+ * failure won't look like success.
+ */
+ if (!install_ipsec_sa(st, TRUE))
+ return STF_INTERNAL_ERROR;
+
+ /* encrypt message, except for fixed part of header */
+
+ if (!encrypt_message(&md->rbody, st))
+ return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+
+ {
+ DBG(DBG_CONTROLMORE, DBG_log("inR1_outI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+ , st->st_connection->name
+ , st->st_connection->instance_serial
+ , st->st_serialno
+ , st->st_connection->newest_ipsec_sa
+ , st->st_connection->spd.eroute_owner));
+ }
+
+ st->st_connection->newest_ipsec_sa = st->st_serialno;
+
+ /* note (presumed) success */
+ if (c->gw_info != NULL)
+ c->gw_info->key->last_worked_time = now();
+
+ /* If we want DPD on this connection then initialize it */
+ if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+ dpd_init(st);
+
+ return STF_OK;
+}
+
+/* Handle last message of Quick Mode.
+ * HDR*, HASH(3) -> done
+ * (see RFC 2409 "IKE" 5.5)
+ * Installs outbound IPsec SAs, routing, etc.
+ */
+stf_status
+quick_inI2(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+
+ /* HASH(3) in */
+ CHECK_QUICK_HASH(md, quick_mode_hash3(hash_val, st)
+ , "HASH(3)", "Quick I2");
+
+ /* Tell the kernel to establish the outbound and routing part of the new SA
+ * (the previous state established inbound)
+ * (unless the commit bit is set -- which we don't support).
+ * We do this before any state updating so that
+ * failure won't look like success.
+ */
+ if (!install_ipsec_sa(st, FALSE))
+ return STF_INTERNAL_ERROR;
+
+ {
+ DBG(DBG_CONTROLMORE, DBG_log("inI2: instance %s[%ld], setting newest_ipsec_sa to #%ld (was #%ld) (spd.eroute=#%ld)"
+ , st->st_connection->name
+ , st->st_connection->instance_serial
+ , st->st_serialno
+ , st->st_connection->newest_ipsec_sa
+ , st->st_connection->spd.eroute_owner));
+ }
+
+ st->st_connection->newest_ipsec_sa = st->st_serialno;
+
+ update_iv(st); /* not actually used, but tidy */
+
+ /* note (presumed) success */
+ {
+ struct gw_info *gw = st->st_connection->gw_info;
+
+ if (gw != NULL)
+ gw->key->last_worked_time = now();
+ }
+
+ /* If we want DPD on this connection then initialize it */
+ if (st->st_connection->dpd_action != DPD_ACTION_NONE)
+ dpd_init(st);
+
+ return STF_OK;
+}
+
+static stf_status
+send_isakmp_notification(struct state *st, u_int16_t type
+ , const void *data, size_t len)
+{
+ msgid_t msgid;
+ pb_stream reply;
+ pb_stream rbody;
+ u_char
+ *r_hashval, /* where in reply to jam hash value */
+ *r_hash_start; /* start of what is to be hashed */
+
+ msgid = generate_msgid(st);
+
+ init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "ISAKMP notify");
+
+ /* HDR* */
+ {
+ struct isakmp_hdr hdr;
+
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = ISAKMP_NEXT_HASH;
+ hdr.isa_xchg = ISAKMP_XCHG_INFO;
+ hdr.isa_msgid = msgid;
+ hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+ memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+ memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &reply, &rbody))
+ impossible();
+ }
+ /* HASH -- create and note space to be filled later */
+ START_HASH_PAYLOAD(rbody, ISAKMP_NEXT_N);
+
+ /* NOTIFY */
+ {
+ pb_stream notify_pbs;
+ struct isakmp_notification isan;
+
+ isan.isan_np = ISAKMP_NEXT_NONE;
+ isan.isan_doi = ISAKMP_DOI_IPSEC;
+ isan.isan_protoid = PROTO_ISAKMP;
+ isan.isan_spisize = COOKIE_SIZE * 2;
+ isan.isan_type = type;
+ if (!out_struct(&isan, &isakmp_notification_desc, &rbody, &notify_pbs))
+ return STF_INTERNAL_ERROR;
+ if (!out_raw(st->st_icookie, COOKIE_SIZE, &notify_pbs, "notify icookie"))
+ return STF_INTERNAL_ERROR;
+ if (!out_raw(st->st_rcookie, COOKIE_SIZE, &notify_pbs, "notify rcookie"))
+ return STF_INTERNAL_ERROR;
+ if (data != NULL && len > 0)
+ if (!out_raw(data, len, &notify_pbs, "notify data"))
+ return STF_INTERNAL_ERROR;
+ close_output_pbs(&notify_pbs);
+ }
+
+ {
+ /* finish computing HASH */
+ struct hmac_ctx ctx;
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
+ hmac_update(&ctx, (const u_char *) &msgid, sizeof(msgid_t));
+ hmac_update(&ctx, r_hash_start, rbody.cur-r_hash_start);
+ hmac_final(r_hashval, &ctx);
+
+ DBG(DBG_CRYPT,
+ DBG_log("HASH computed:");
+ DBG_dump("", r_hashval, ctx.hmac_digest_size));
+ }
+
+ /* Encrypt message (preserve st_iv and st_new_iv) */
+ {
+ u_char old_iv[MAX_DIGEST_LEN];
+ u_char new_iv[MAX_DIGEST_LEN];
+
+ u_int old_iv_len = st->st_iv_len;
+ u_int new_iv_len = st->st_new_iv_len;
+
+ if (old_iv_len > MAX_DIGEST_LEN || new_iv_len > MAX_DIGEST_LEN)
+ return STF_INTERNAL_ERROR;
+
+ memcpy(old_iv, st->st_iv, old_iv_len);
+ memcpy(new_iv, st->st_new_iv, new_iv_len);
+
+ init_phase2_iv(st, &msgid);
+ if (!encrypt_message(&rbody, st))
+ return STF_INTERNAL_ERROR;
+
+ /* restore preserved st_iv and st_new_iv */
+ memcpy(st->st_iv, old_iv, old_iv_len);
+ memcpy(st->st_new_iv, new_iv, new_iv_len);
+ st->st_iv_len = old_iv_len;
+ st->st_new_iv_len = new_iv_len;
+ }
+
+ /* Send packet (preserve st_tpacket) */
+ {
+ chunk_t saved_tpacket = st->st_tpacket;
+
+ setchunk(st->st_tpacket, reply.start, pbs_offset(&reply));
+ send_packet(st, "ISAKMP notify");
+ st->st_tpacket = saved_tpacket;
+ }
+
+ return STF_IGNORE;
+}
+
+/*
+ * DPD Out Initiator
+ */
+void
+dpd_outI(struct state *p2st)
+{
+ struct state *st;
+ u_int32_t seqno;
+ time_t tm;
+ time_t idle_time;
+ time_t delay = p2st->st_connection->dpd_delay;
+ time_t timeout = p2st->st_connection->dpd_timeout;
+
+ /* find the newest related Phase 1 state */
+ st = find_phase1_state(p2st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
+
+ if (st == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: Could not find newest phase 1 state");
+ return;
+ }
+
+ /* If no DPD, then get out of here */
+ if (!st->st_dpd)
+ return;
+
+ /* schedule the next periodic DPD event */
+ event_schedule(EVENT_DPD, delay, p2st);
+
+ /* Current time */
+ tm = now();
+
+ /* Make sure we really need to invoke DPD */
+ if (!was_eroute_idle(p2st, delay, &idle_time))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("recent eroute activity %u seconds ago, "
+ "no need to send DPD notification"
+ , (int)idle_time)
+ )
+ st->st_last_dpd = tm;
+ delete_dpd_event(st);
+ return;
+ }
+
+ /* If an R_U_THERE has been sent or received recently, or if a
+ * companion Phase 2 SA has shown eroute activity,
+ * then we don't need to invoke DPD.
+ */
+ if (tm < st->st_last_dpd + delay)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("recent DPD activity %u seconds ago, "
+ "no need to send DPD notification"
+ , (int)(tm - st->st_last_dpd))
+ )
+ return;
+ }
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ return;
+
+ if (!st->st_dpd_seqno)
+ {
+ /* Get a non-zero random value that has room to grow */
+ get_rnd_bytes((u_char *)&st->st_dpd_seqno, sizeof(st->st_dpd_seqno));
+ st->st_dpd_seqno &= 0x7fff;
+ st->st_dpd_seqno++;
+ }
+ seqno = htonl(st->st_dpd_seqno);
+
+ if (send_isakmp_notification(st, R_U_THERE, &seqno, sizeof(seqno)) != STF_IGNORE)
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: Could not send R_U_THERE");
+ return;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("sent DPD notification R_U_THERE with seqno = %u", st->st_dpd_seqno)
+ )
+ st->st_dpd_expectseqno = st->st_dpd_seqno++;
+ st->st_last_dpd = tm;
+ /* Only schedule a new timeout if there isn't one currently,
+ * or if it would be sooner than the current timeout. */
+ if (st->st_dpd_event == NULL
+ || st->st_dpd_event->ev_time > tm + timeout)
+ {
+ delete_dpd_event(st);
+ event_schedule(EVENT_DPD_TIMEOUT, timeout, st);
+ }
+}
+
+/*
+ * DPD in Initiator, out Responder
+ */
+stf_status
+dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
+{
+ time_t tm = now();
+ u_int32_t seqno;
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
+ return STF_IGNORE;
+ }
+ if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
+ return STF_FAIL + PAYLOAD_MALFORMED;
+ }
+
+ if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
+ {
+#ifdef APPLY_CRISCO
+ /* Ignore it, cisco sends odd icookies */
+#else
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
+ return STF_FAIL + INVALID_COOKIE;
+#endif
+ }
+ pbs->cur += COOKIE_SIZE;
+
+ if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
+ return STF_FAIL + INVALID_COOKIE;
+ }
+ pbs->cur += COOKIE_SIZE;
+
+ if (pbs_left(pbs) != sizeof(seqno))
+ {
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
+ , (int) pbs_left(pbs));
+ return STF_FAIL + PAYLOAD_MALFORMED;
+ }
+
+ seqno = ntohl(*(u_int32_t *)pbs->cur);
+ DBG(DBG_CONTROL,
+ DBG_log("received DPD notification R_U_THERE with seqno = %u", seqno)
+ )
+
+ if (st->st_dpd_peerseqno && seqno <= st->st_dpd_peerseqno) {
+ loglog(RC_LOG_SERIOUS, "DPD: Received old or duplicate R_U_THERE");
+ return STF_IGNORE;
+ }
+
+ st->st_dpd_peerseqno = seqno;
+ delete_dpd_event(st);
+
+ if (send_isakmp_notification(st, R_U_THERE_ACK, pbs->cur, pbs_left(pbs)) != STF_IGNORE)
+ {
+ loglog(RC_LOG_SERIOUS, "DPD Info: could not send R_U_THERE_ACK");
+ return STF_IGNORE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("sent DPD notification R_U_THERE_ACK with seqno = %u", seqno)
+ )
+
+ st->st_last_dpd = tm;
+ return STF_IGNORE;
+}
+
+/*
+ * DPD out Responder
+ */
+stf_status
+dpd_inR(struct state *st, struct isakmp_notification *const n, pb_stream *pbs)
+{
+ u_int32_t seqno;
+
+ if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
+ return STF_FAIL;
+ }
+
+ if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
+ , n->isan_spisize);
+ return STF_FAIL + PAYLOAD_MALFORMED;
+ }
+
+ if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
+ {
+#ifdef APPLY_CRISCO
+ /* Ignore it, cisco sends odd icookies */
+#else
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
+ return STF_FAIL + INVALID_COOKIE;
+#endif
+ }
+ pbs->cur += COOKIE_SIZE;
+
+ if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
+ {
+#ifdef APPLY_CRISCO
+ /* Ignore it, cisco sends odd icookies */
+#else
+ loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
+ return STF_FAIL + INVALID_COOKIE;
+#endif
+ }
+ pbs->cur += COOKIE_SIZE;
+
+ if (pbs_left(pbs) != sizeof(seqno))
+ {
+ loglog(RC_LOG_SERIOUS
+ , " DPD: R_U_THERE_ACK has invalid data length (%d)"
+ , (int) pbs_left(pbs));
+ return STF_FAIL + PAYLOAD_MALFORMED;
+ }
+
+ seqno = ntohl(*(u_int32_t *)pbs->cur);
+ DBG(DBG_CONTROL,
+ DBG_log("received DPD notification R_U_THERE_ACK with seqno = %u"
+ , seqno)
+ )
+
+ if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "DPD: R_U_THERE_ACK has unexpected sequence number");
+ return STF_FAIL + PAYLOAD_MALFORMED;
+ }
+
+ st->st_dpd_expectseqno = 0;
+ delete_dpd_event(st);
+ return STF_IGNORE;
+}
+
+/*
+ * DPD Timeout Function
+ *
+ * This function is called when a timeout DPD_EVENT occurs. We set clear/trap
+ * both the SA and the eroutes, depending on what the connection definition
+ * tells us (either 'hold' or 'clear')
+ */
+void
+dpd_timeout(struct state *st)
+{
+ struct state *newest_phase1_st;
+ struct connection *c = st->st_connection;
+ int action = st->st_connection->dpd_action;
+
+ passert(action == DPD_ACTION_HOLD
+ || action == DPD_ACTION_CLEAR
+ || DPD_ACTION_RESTART);
+
+ /* is there a newer phase1_state? */
+ newest_phase1_st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
+ if (newest_phase1_st != NULL && newest_phase1_st != st)
+ {
+ plog("DPD: Phase1 state #%ld has been superseded by #%ld"
+ " - timeout ignored"
+ , st->st_serialno, newest_phase1_st->st_serialno);
+ return;
+ }
+
+ loglog(RC_LOG_SERIOUS, "DPD: No response from peer - declaring peer dead");
+
+ /* delete the state, which is probably in phase 2 */
+ set_cur_connection(c);
+ plog("DPD: Terminating all SAs using this connection");
+ delete_states_by_connection(c, TRUE);
+ reset_cur_connection();
+
+ switch (action)
+ {
+ case DPD_ACTION_HOLD:
+ /* dpdaction=hold - Wipe the SA's but %trap the eroute so we don't
+ * leak traffic. Also, being in %trap means new packets will
+ * force an initiation of the conn again.
+ */
+ loglog(RC_LOG_SERIOUS, "DPD: Putting connection into %%trap");
+ break;
+ case DPD_ACTION_CLEAR:
+ /* dpdaction=clear - Wipe the SA & eroute - everything */
+ loglog(RC_LOG_SERIOUS, "DPD: Clearing connection");
+ unroute_connection(c);
+ break;
+ case DPD_ACTION_RESTART:
+ /* dpdaction=restart - Restart connection,
+ * except if roadwarrior connection
+ */
+ loglog(RC_LOG_SERIOUS, "DPD: Restarting connection");
+ unroute_connection(c);
+ initiate_connection(c->name, NULL_FD);
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "DPD: unknown action");
+ }
+}
+
diff --git a/src/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h
new file mode 100644
index 000000000..80b12c31d
--- /dev/null
+++ b/src/pluto/ipsec_doi.h
@@ -0,0 +1,104 @@
+/* IPsec DOI and Oakley resolution routines
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: ipsec_doi.h,v 1.3 2005/01/06 22:10:44 as Exp $
+ */
+
+extern void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np);
+
+extern void ipsecdoi_initiate(int whack_sock, struct connection *c
+ , lset_t policy, unsigned long try, so_serial_t replacing);
+
+extern void ipsecdoi_replace(struct state *st, unsigned long try);
+
+extern void init_phase2_iv(struct state *st, const msgid_t *msgid);
+
+extern stf_status quick_outI1(int whack_sock
+ , struct state *isakmp_sa
+ , struct connection *c
+ , lset_t policy
+ , unsigned long try
+ , so_serial_t replacing);
+
+extern state_transition_fn
+ main_inI1_outR1,
+ main_inR1_outI2,
+ main_inI2_outR2,
+ main_inR2_outI3,
+ main_inI3_outR3,
+ main_inR3,
+ quick_inI1_outR1,
+ quick_inR1_outI2,
+ quick_inI2;
+
+extern void send_delete(struct state *st);
+extern void accept_delete(struct state *st, struct msg_digest *md
+ , struct payload_digest *p);
+extern void close_message(pb_stream *pbs);
+extern bool encrypt_message(pb_stream *pbs, struct state *st);
+
+
+extern void send_notification_from_state(struct state *st,
+ enum state_kind state, u_int16_t type);
+extern void send_notification_from_md(struct msg_digest *md, u_int16_t type);
+
+extern const char *init_pluto_vendorid(void);
+
+extern void dpd_outI(struct state *st);
+extern stf_status dpd_inI_outR(struct state *st
+ , struct isakmp_notification *const n, pb_stream *n_pbs);
+extern stf_status dpd_inR(struct state *st
+ , struct isakmp_notification *const n, pb_stream *n_pbs);
+extern void dpd_timeout(struct state *st);
+
+/* START_HASH_PAYLOAD
+ *
+ * Emit a to-be-filled-in hash payload, noting the field start (r_hashval)
+ * and the start of the part of the message to be hashed (r_hash_start).
+ * This macro is magic.
+ * - it can cause the caller to return
+ * - it references variables local to the caller (r_hashval, r_hash_start, st)
+ */
+#define START_HASH_PAYLOAD(rbody, np) { \
+ pb_stream hash_pbs; \
+ if (!out_generic(np, &isakmp_hash_desc, &(rbody), &hash_pbs)) \
+ return STF_INTERNAL_ERROR; \
+ r_hashval = hash_pbs.cur; /* remember where to plant value */ \
+ if (!out_zero(st->st_oakley.hasher->hash_digest_size, &hash_pbs, "HASH")) \
+ return STF_INTERNAL_ERROR; \
+ close_output_pbs(&hash_pbs); \
+ r_hash_start = (rbody).cur; /* hash from after HASH payload */ \
+}
+
+/* CHECK_QUICK_HASH
+ *
+ * This macro is magic -- it cannot be expressed as a function.
+ * - it causes the caller to return!
+ * - it declares local variables and expects the "do_hash" argument
+ * expression to reference them (hash_val, hash_pbs)
+ */
+#define CHECK_QUICK_HASH(md, do_hash, hash_name, msg_name) { \
+ pb_stream *const hash_pbs = &md->chain[ISAKMP_NEXT_HASH]->pbs; \
+ u_char hash_val[MAX_DIGEST_LEN]; \
+ size_t hash_len = do_hash; \
+ if (pbs_left(hash_pbs) != hash_len \
+ || memcmp(hash_pbs->cur, hash_val, hash_len) != 0) \
+ { \
+ DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
+ loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
+ /* XXX Could send notification back */ \
+ return STF_FAIL + INVALID_HASH_INFORMATION; \
+ } \
+ }
+
+
diff --git a/src/pluto/kameipsec.h b/src/pluto/kameipsec.h
new file mode 100644
index 000000000..5f08c7d38
--- /dev/null
+++ b/src/pluto/kameipsec.h
@@ -0,0 +1,47 @@
+#ifndef __IPSEC_H
+#define __IPSEC_H 1
+
+/* The definitions, required to talk to KAME racoon IKE. */
+
+#define IPSEC_PORT_ANY 0
+#define IPSEC_ULPROTO_ANY 255
+#define IPSEC_PROTO_ANY 255
+
+enum {
+ IPSEC_MODE_ANY = 0, /* We do not support this for SA */
+ IPSEC_MODE_TRANSPORT = 1,
+ IPSEC_MODE_TUNNEL = 2
+};
+
+enum {
+ IPSEC_DIR_ANY = 0,
+ IPSEC_DIR_INBOUND = 1,
+ IPSEC_DIR_OUTBOUND = 2,
+ IPSEC_DIR_FWD = 3, /* It is our own */
+ IPSEC_DIR_MAX = 4,
+ IPSEC_DIR_INVALID = 5
+};
+
+enum {
+ IPSEC_POLICY_DISCARD = 0,
+ IPSEC_POLICY_NONE = 1,
+ IPSEC_POLICY_IPSEC = 2,
+ IPSEC_POLICY_ENTRUST = 3,
+ IPSEC_POLICY_BYPASS = 4
+};
+
+enum {
+ IPSEC_LEVEL_DEFAULT = 0,
+ IPSEC_LEVEL_USE = 1,
+ IPSEC_LEVEL_REQUIRE = 2,
+ IPSEC_LEVEL_UNIQUE = 3
+};
+
+#define IPSEC_MANUAL_REQID_MAX 0x3fff
+
+#define IPSEC_REPLAYWSIZE 32
+
+#define IP_IPSEC_POLICY 16
+#define IPV6_IPSEC_POLICY 34
+
+#endif /* __IPSEC_H */
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
new file mode 100644
index 000000000..663fa7230
--- /dev/null
+++ b/src/pluto/kernel.c
@@ -0,0 +1,2995 @@
+/* routines that interface with the kernel's IPsec mechanism
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel.c,v 1.26 2006/04/29 18:16:02 as Exp $
+ */
+
+#include <stddef.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <wait.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/queue.h>
+
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#ifdef KLIPS
+#include <signal.h>
+#include <sys/time.h> /* for select(2) */
+#include <sys/types.h> /* for select(2) */
+#include <pfkeyv2.h>
+#include <pfkey.h>
+#include "kameipsec.h"
+#endif /* KLIPS */
+
+#include "constants.h"
+#include "defs.h"
+#include "rnd.h"
+#include "id.h"
+#include "connections.h"
+#include "state.h"
+#include "timer.h"
+#include "kernel.h"
+#include "kernel_netlink.h"
+#include "kernel_pfkey.h"
+#include "kernel_noklips.h"
+#include "log.h"
+#include "ca.h"
+#include "server.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+#include "keys.h"
+#include "nat_traversal.h"
+#include "alg_info.h"
+#include "kernel_alg.h"
+
+
+bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
+
+/* How far can IPsec messages arrive out of order before the anti-replay
+ * logic loses track and swats them? 64 is the best KLIPS can do.
+ * And 32 is the best XFRM can do...
+ */
+#define REPLAY_WINDOW 64
+#define REPLAY_WINDOW_XFRM 32
+
+/* test if the routes required for two different connections agree
+ * It is assumed that the destination subnets agree; we are only
+ * testing that the interfaces and nexthops match.
+ */
+#define routes_agree(c, d) ((c)->interface == (d)->interface \
+ && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
+
+#ifndef KLIPS
+
+bool no_klips = TRUE; /* don't actually use KLIPS */
+
+#else /* !KLIPS */
+
+/* bare (connectionless) shunt (eroute) table
+ *
+ * Bare shunts are those that don't "belong" to a connection.
+ * This happens because some %trapped traffic hasn't yet or cannot be
+ * assigned to a connection. The usual reason is that we cannot discover
+ * the peer SG. Another is that even when the peer has been discovered,
+ * it may be that no connection matches all the particulars.
+ * We record them so that, with scanning, we can discover
+ * which %holds are news and which others should expire.
+ */
+
+#define SHUNT_SCAN_INTERVAL (60 * 2) /* time between scans of eroutes */
+
+/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
+ * SHUNT_SCAN_INTERVAL.
+ * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
+ * we minimize the effects of jitter.
+ */
+#define SHUNT_PATIENCE (SHUNT_SCAN_INTERVAL * 15 / 2) /* inactivity timeout */
+
+struct bare_shunt {
+ policy_prio_t policy_prio;
+ ip_subnet ours;
+ ip_subnet his;
+ ip_said said;
+ int transport_proto;
+ unsigned long count;
+ time_t last_activity;
+ char *why;
+ struct bare_shunt *next;
+};
+
+static struct bare_shunt *bare_shunts = NULL;
+
+#ifdef DEBUG
+static void
+DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
+{
+ DBG(DBG_KLIPS,
+ {
+ int ourport = ntohs(portof(&(bs)->ours.addr));
+ int hisport = ntohs(portof(&(bs)->his.addr));
+ char ourst[SUBNETTOT_BUF];
+ char hist[SUBNETTOT_BUF];
+ char sat[SATOT_BUF];
+ char prio[POLICY_PRIO_BUF];
+
+ subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
+ subnettot(&(bs)->his, 0, hist, sizeof(hist));
+ satot(&(bs)->said, 0, sat, sizeof(sat));
+ fmt_policy_prio(bs->policy_prio, prio);
+ DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s %s"
+ , op, (const void *)(bs), ourst, ourport, hist, hisport
+ , sat, (bs)->transport_proto, prio, (bs)->why);
+ });
+}
+#else /* !DEBUG */
+#define DBG_bare_shunt(op, bs) {}
+#endif /* !DEBUG */
+
+/* The orphaned_holds table records %holds for which we
+ * scan_proc_shunts found no representation of in any connection.
+ * The corresponding ACQUIRE message might have been lost.
+ */
+struct eroute_info *orphaned_holds = NULL;
+
+/* forward declaration */
+static bool shunt_eroute(struct connection *c
+ , struct spd_route *sr
+ , enum routing_t rt_kind
+ , unsigned int op, const char *opname);
+static void set_text_said(char *text_said
+ , const ip_address *dst
+ , ipsec_spi_t spi
+ , int proto);
+
+bool no_klips = FALSE; /* don't actually use KLIPS */
+
+static const struct pfkey_proto_info null_proto_info[2] = {
+ {
+ proto: IPPROTO_ESP,
+ encapsulation: ENCAPSULATION_MODE_TRANSPORT,
+ reqid: 0
+ },
+ {
+ proto: 0,
+ encapsulation: 0,
+ reqid: 0
+ }
+};
+
+void
+record_and_initiate_opportunistic(const ip_subnet *ours
+ , const ip_subnet *his
+ , int transport_proto
+ , const char *why)
+{
+ passert(samesubnettype(ours, his));
+
+ /* Add to bare shunt list.
+ * We need to do this because the shunt was installed by KLIPS
+ * which can't do this itself.
+ */
+ {
+ struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
+
+ bs->why = clone_str(why, "story for bare shunt");
+ bs->ours = *ours;
+ bs->his = *his;
+ bs->transport_proto = transport_proto;
+ bs->policy_prio = BOTTOM_PRIO;
+
+ bs->said.proto = SA_INT;
+ bs->said.spi = htonl(SPI_HOLD);
+ bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
+
+ bs->count = 0;
+ bs->last_activity = now();
+
+ bs->next = bare_shunts;
+ bare_shunts = bs;
+ DBG_bare_shunt("add", bs);
+ }
+
+ /* actually initiate opportunism */
+ {
+ ip_address src, dst;
+
+ networkof(ours, &src);
+ networkof(his, &dst);
+ initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
+ }
+
+ /* if present, remove from orphaned_holds list.
+ * NOTE: we do this last in case ours or his is a pointer into a member.
+ */
+ {
+ struct eroute_info **pp, *p;
+
+ for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
+ {
+ if (samesubnet(ours, &p->ours)
+ && samesubnet(his, &p->his)
+ && transport_proto == p->transport_proto
+ && portof(&ours->addr) == portof(&p->ours.addr)
+ && portof(&his->addr) == portof(&p->his.addr))
+ {
+ *pp = p->next;
+ pfree(p);
+ break;
+ }
+ }
+ }
+}
+
+#endif /* KLIPS */
+
+static unsigned get_proto_reqid(unsigned base, int proto)
+{
+ switch (proto)
+ {
+ default:
+ case IPPROTO_COMP:
+ base++;
+ /* fall through */
+ case IPPROTO_ESP:
+ base++;
+ /* fall through */
+ case IPPROTO_AH:
+ break;
+ }
+
+ return base;
+}
+
+/* Generate Unique SPI numbers.
+ *
+ * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN.
+ * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN,
+ * reserving numbers in between for manual keying (but we cannot so
+ * restrict numbers generated by our peer).
+ * XXX This should be replaced by a call to the kernel when
+ * XXX we get an API.
+ * The returned SPI is in network byte order.
+ * We use a random number as the initial SPI so that there is
+ * a good chance that different Pluto instances will choose
+ * different SPIs. This is good for two reasons.
+ * - the keying material for the initiator and responder only
+ * differs if the SPIs differ.
+ * - if Pluto is restarted, it would otherwise recycle the SPI
+ * numbers and confuse everything. When the kernel generates
+ * SPIs, this will no longer matter.
+ * We then allocate numbers sequentially. Thus we don't have to
+ * check if the number was previously used (assuming that no
+ * SPI lives longer than 4G of its successors).
+ */
+ipsec_spi_t
+get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr, bool tunnel)
+{
+ static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
+ char text_said[SATOT_BUF];
+
+ set_text_said(text_said, &sr->this.host_addr, 0, proto);
+
+ if (kernel_ops->get_spi)
+ return kernel_ops->get_spi(&sr->that.host_addr
+ , &sr->this.host_addr, proto, tunnel
+ , get_proto_reqid(sr->reqid, proto)
+ , IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
+ , text_said);
+
+ spi++;
+ while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
+ get_rnd_bytes((u_char *)&spi, sizeof(spi));
+
+ DBG(DBG_CONTROL,
+ {
+ ipsec_spi_t spi_net = htonl(spi);
+
+ DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
+ });
+
+ return htonl(spi);
+}
+
+/* Generate Unique CPI numbers.
+ * The result is returned as an SPI (4 bytes) in network order!
+ * The real bits are in the nework-low-order 2 bytes.
+ * Modelled on get_ipsec_spi, but range is more limited:
+ * 256-61439.
+ * If we can't find one easily, return 0 (a bad SPI,
+ * no matter what order) indicating failure.
+ */
+ipsec_spi_t
+get_my_cpi(struct spd_route *sr, bool tunnel)
+{
+ static cpi_t
+ first_busy_cpi = 0,
+ latest_cpi;
+ char text_said[SATOT_BUF];
+
+ set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
+
+ if (kernel_ops->get_spi)
+ return kernel_ops->get_spi(&sr->that.host_addr
+ , &sr->this.host_addr, IPPROTO_COMP, tunnel
+ , get_proto_reqid(sr->reqid, IPPROTO_COMP)
+ , IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
+ , text_said);
+
+ while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
+ {
+ get_rnd_bytes((u_char *)&first_busy_cpi, sizeof(first_busy_cpi));
+ latest_cpi = first_busy_cpi;
+ }
+
+ latest_cpi++;
+
+ if (latest_cpi == first_busy_cpi)
+ find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
+
+ if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
+ latest_cpi = IPCOMP_FIRST_NEGOTIATED;
+
+ return htonl((ipsec_spi_t)latest_cpi);
+}
+
+/* invoke the updown script to do the routing and firewall commands required
+ *
+ * The user-specified updown script is run. Parameters are fed to it in
+ * the form of environment variables. All such environment variables
+ * have names starting with "PLUTO_".
+ *
+ * The operation to be performed is specified by PLUTO_VERB. This
+ * verb has a suffix "-host" if the client on this end is just the
+ * host; otherwise the suffix is "-client". If the address family
+ * of the host is IPv6, an extra suffix of "-v6" is added.
+ *
+ * "prepare-host" and "prepare-client" are used to delete a route
+ * that may exist (due to forces outside of Pluto). It is used to
+ * prepare for pluto creating a route.
+ *
+ * "route-host" and "route-client" are used to install a route.
+ * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
+ * values are probably of no use (using them may signify a bug).
+ *
+ * "unroute-host" and "unroute-client" are used to delete a route.
+ * Since routing is based only on destination, the PLUTO_MY_CLIENT_*
+ * values are probably of no use (using them may signify a bug).
+ *
+ * "up-host" and "up-client" are run when an eroute is added (not replaced).
+ * They are useful for adjusting a firewall: usually for adding a rule
+ * to let processed packets flow between clients. Note that only
+ * one eroute may exist for a pair of client subnets but inbound
+ * IPsec SAs may persist without an eroute.
+ *
+ * "down-host" and "down-client" are run when an eroute is deleted.
+ * They are useful for adjusting a firewall.
+ */
+
+#ifndef DEFAULT_UPDOWN
+# define DEFAULT_UPDOWN "ipsec _updown"
+#endif
+
+static bool
+do_command(struct connection *c, struct spd_route *sr, const char *verb)
+{
+ char cmd[1536]; /* arbitrary limit on shell command length */
+ const char *verb_suffix;
+
+ /* figure out which verb suffix applies */
+ {
+ const char *hs, *cs;
+
+ switch (addrtypeof(&sr->this.host_addr))
+ {
+ case AF_INET:
+ hs = "-host";
+ cs = "-client";
+ break;
+ case AF_INET6:
+ hs = "-host-v6";
+ cs = "-client-v6";
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "unknown address family");
+ return FALSE;
+ }
+ verb_suffix = subnetisaddr(&sr->this.client, &sr->this.host_addr)
+ ? hs : cs;
+ }
+
+ /* form the command string */
+ {
+ char
+ nexthop_str[sizeof("PLUTO_NEXT_HOP='' ") +ADDRTOT_BUF] = "",
+ srcip_str[sizeof("PLUTO_MY_SOURCEIP='' ")+ADDRTOT_BUF] = "",
+ me_str[ADDRTOT_BUF],
+ myid_str[BUF_LEN],
+ myclient_str[SUBNETTOT_BUF],
+ myclientnet_str[ADDRTOT_BUF],
+ myclientmask_str[ADDRTOT_BUF],
+ peer_str[ADDRTOT_BUF],
+ peerid_str[BUF_LEN],
+ peerclient_str[SUBNETTOT_BUF],
+ peerclientnet_str[ADDRTOT_BUF],
+ peerclientmask_str[ADDRTOT_BUF],
+ peerca_str[BUF_LEN],
+ secure_myid_str[BUF_LEN] = "",
+ secure_peerid_str[BUF_LEN] = "",
+ secure_peerca_str[BUF_LEN] = "";
+ ip_address ta;
+ pubkey_list_t *p;
+
+ if (addrbytesptr(&sr->this.host_nexthop, NULL)
+ && !isanyaddr(&sr->this.host_nexthop))
+ {
+ char *n;
+
+ strcpy(nexthop_str, "PLUTO_NEXT_HOP='");
+ n = nexthop_str + strlen(nexthop_str);
+
+ addrtot(&sr->this.host_nexthop, 0
+ ,n , sizeof(nexthop_str)-strlen(nexthop_str));
+ strncat(nexthop_str, "' ", sizeof(nexthop_str));
+ }
+
+ if (addrbytesptr(&sr->this.host_srcip, NULL)
+ && !isanyaddr(&sr->this.host_srcip))
+ {
+ char *n;
+
+ strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
+ n = srcip_str + strlen(srcip_str);
+
+ addrtot(&sr->this.host_srcip, 0
+ ,n , sizeof(srcip_str)-strlen(srcip_str));
+ strncat(srcip_str, "' ", sizeof(srcip_str));
+ }
+
+ addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
+ idtoa(&sr->this.id, myid_str, sizeof(myid_str));
+ escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
+ subnettot(&sr->this.client, 0, myclient_str, sizeof(myclientnet_str));
+ networkof(&sr->this.client, &ta);
+ addrtot(&ta, 0, myclientnet_str, sizeof(myclientnet_str));
+ maskof(&sr->this.client, &ta);
+ addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
+
+ addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
+ idtoa(&sr->that.id, peerid_str, sizeof(peerid_str));
+ escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
+ subnettot(&sr->that.client, 0, peerclient_str, sizeof(peerclientnet_str));
+ networkof(&sr->that.client, &ta);
+ addrtot(&ta, 0, peerclientnet_str, sizeof(peerclientnet_str));
+ maskof(&sr->that.client, &ta);
+ addrtot(&ta, 0, peerclientmask_str, sizeof(peerclientmask_str));
+
+ for (p = pubkeys; p != NULL; p = p->next)
+ {
+ pubkey_t *key = p->key;
+ int pathlen;
+
+ if (key->alg == PUBKEY_ALG_RSA && same_id(&sr->that.id, &key->id)
+ && trusted_ca(key->issuer, sr->that.ca, &pathlen))
+ {
+ dntoa_or_null(peerca_str, BUF_LEN, key->issuer, "");
+ escape_metachar(peerca_str, secure_peerca_str, sizeof(secure_peerca_str));
+ break;
+ }
+ }
+
+ if (-1 == snprintf(cmd, sizeof(cmd)
+ , "2>&1 " /* capture stderr along with stdout */
+ "PLUTO_VERSION='1.1' " /* change VERSION when interface spec changes */
+ "PLUTO_VERB='%s%s' "
+ "PLUTO_CONNECTION='%s' "
+ "%s" /* optional PLUTO_NEXT_HOP */
+ "PLUTO_INTERFACE='%s' "
+ "%s" /* optional PLUTO_HOST_ACCESS */
+ "PLUTO_REQID='%u' "
+ "PLUTO_ME='%s' "
+ "PLUTO_MY_ID='%s' "
+ "PLUTO_MY_CLIENT='%s' "
+ "PLUTO_MY_CLIENT_NET='%s' "
+ "PLUTO_MY_CLIENT_MASK='%s' "
+ "PLUTO_MY_PORT='%u' "
+ "PLUTO_MY_PROTOCOL='%u' "
+ "PLUTO_PEER='%s' "
+ "PLUTO_PEER_ID='%s' "
+ "PLUTO_PEER_CLIENT='%s' "
+ "PLUTO_PEER_CLIENT_NET='%s' "
+ "PLUTO_PEER_CLIENT_MASK='%s' "
+ "PLUTO_PEER_PORT='%u' "
+ "PLUTO_PEER_PROTOCOL='%u' "
+ "PLUTO_PEER_CA='%s' "
+ "%s" /* optional PLUTO_MY_SRCIP */
+ "%s" /* actual script */
+ , verb, verb_suffix
+ , c->name
+ , nexthop_str
+ , c->interface->vname
+ , sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
+ , sr->reqid + 1 /* ESP requid */
+ , me_str
+ , secure_myid_str
+ , myclient_str
+ , myclientnet_str
+ , myclientmask_str
+ , sr->this.port
+ , sr->this.protocol
+ , peer_str
+ , secure_peerid_str
+ , peerclient_str
+ , peerclientnet_str
+ , peerclientmask_str
+ , sr->that.port
+ , sr->that.protocol
+ , secure_peerca_str
+ , srcip_str
+ , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
+ return FALSE;
+ }
+ }
+
+ DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
+ , verb, verb_suffix, cmd));
+
+#ifdef KLIPS
+ if (!no_klips)
+ {
+ /* invoke the script, catching stderr and stdout
+ * It may be of concern that some file descriptors will
+ * be inherited. For the ones under our control, we
+ * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+ * Any used by library routines (perhaps the resolver or syslog)
+ * will remain.
+ */
+ FILE *f = popen(cmd, "r");
+
+ if (f == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+ return FALSE;
+ }
+
+ /* log any output */
+ for (;;)
+ {
+ /* if response doesn't fit in this buffer, it will be folded */
+ char resp[256];
+
+ if (fgets(resp, sizeof(resp), f) == NULL)
+ {
+ if (ferror(f))
+ {
+ log_errno((e, "fgets failed on output of %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
+ }
+ else
+ {
+ passert(feof(f));
+ break;
+ }
+ }
+ else
+ {
+ char *e = resp + strlen(resp);
+
+ if (e > resp && e[-1] == '\n')
+ e[-1] = '\0'; /* trim trailing '\n' */
+ plog("%s%s output: %s", verb, verb_suffix, resp);
+ }
+ }
+
+ /* report on and react to return code */
+ {
+ int r = pclose(f);
+
+ if (r == -1)
+ {
+ log_errno((e, "pclose failed for %s%s command"
+ , verb, verb_suffix));
+ return FALSE;
+ }
+ else if (WIFEXITED(r))
+ {
+ if (WEXITSTATUS(r) != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+ , verb, verb_suffix, WEXITSTATUS(r));
+ return FALSE;
+ }
+ }
+ else if (WIFSIGNALED(r))
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+ , verb, verb_suffix, WTERMSIG(r));
+ return FALSE;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+ , verb, verb_suffix, r);
+ return FALSE;
+ }
+ }
+ }
+#endif /* KLIPS */
+ return TRUE;
+}
+
+/* Check that we can route (and eroute). Diagnose if we cannot. */
+
+enum routability {
+ route_impossible = 0,
+ route_easy = 1,
+ route_nearconflict = 2,
+ route_farconflict = 3
+};
+
+static enum routability
+could_route(struct connection *c)
+{
+ struct spd_route *esr, *rosr;
+ struct connection *ero /* who, if anyone, owns our eroute? */
+ , *ro = route_owner(c, &rosr, &ero, &esr); /* who owns our route? */
+
+ /* it makes no sense to route a connection that is ISAKMP-only */
+ if (!NEVER_NEGOTIATE(c->policy) && !HAS_IPSEC_POLICY(c->policy))
+ {
+ loglog(RC_ROUTE, "cannot route an ISAKMP-only connection");
+ return route_impossible;
+ }
+
+ /* if this is a Road Warrior template, we cannot route.
+ * Opportunistic template is OK.
+ */
+ if (c->kind == CK_TEMPLATE && !(c->policy & POLICY_OPPO))
+ {
+ loglog(RC_ROUTE, "cannot route Road Warrior template");
+ return route_impossible;
+ }
+
+ /* if we don't know nexthop, we cannot route */
+ if (isanyaddr(&c->spd.this.host_nexthop))
+ {
+ loglog(RC_ROUTE, "cannot route connection without knowing our nexthop");
+ return route_impossible;
+ }
+
+ /* if routing would affect IKE messages, reject */
+ if (!no_klips
+ && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+ && c->spd.this.host_port != IKE_UDP_PORT
+ && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+ {
+ loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
+ return route_impossible;
+ }
+
+ /* If there is already a route for peer's client subnet
+ * and it disagrees about interface or nexthop, we cannot steal it.
+ * Note: if this connection is already routed (perhaps for another
+ * state object), the route will agree.
+ * This is as it should be -- it will arise during rekeying.
+ */
+ if (ro != NULL && !routes_agree(ro, c))
+ {
+ loglog(RC_LOG_SERIOUS, "cannot route -- route already in use for \"%s\""
+ , ro->name);
+ return route_impossible; /* another connection already
+ using the eroute */
+ }
+
+#ifdef KLIPS
+ /* if there is an eroute for another connection, there is a problem */
+ if (ero != NULL && ero != c)
+ {
+ struct connection *ero2, *ero_top;
+ struct connection *inside, *outside;
+
+ /*
+ * note, wavesec (PERMANENT) goes *outside* and
+ * OE goes *inside* (TEMPLATE)
+ */
+ inside = NULL;
+ outside= NULL;
+ if (ero->kind == CK_PERMANENT
+ && c->kind == CK_TEMPLATE)
+ {
+ outside = ero;
+ inside = c;
+ }
+ else if (c->kind == CK_PERMANENT
+ && ero->kind == CK_TEMPLATE)
+ {
+ outside = c;
+ inside = ero;
+ }
+
+ /* okay, check again, with correct order */
+ if (outside && outside->kind == CK_PERMANENT
+ && inside && inside->kind == CK_TEMPLATE)
+ {
+ char inst[CONN_INST_BUF];
+
+ /* this is a co-terminal attempt of the "near" kind. */
+ /* when chaining, we chain from inside to outside */
+
+ /* XXX permit multiple deep connections? */
+ passert(inside->policy_next == NULL);
+
+ inside->policy_next = outside;
+
+ /* since we are going to steal the eroute from the secondary
+ * policy, we need to make sure that it no longer thinks that
+ * it owns the eroute.
+ */
+ outside->spd.eroute_owner = SOS_NOBODY;
+ outside->spd.routing = RT_UNROUTED_KEYED;
+
+ /* set the priority of the new eroute owner to be higher
+ * than that of the current eroute owner
+ */
+ inside->prio = outside->prio + 1;
+
+ fmt_conn_instance(inside, inst);
+
+ loglog(RC_LOG_SERIOUS
+ , "conflict on eroute (%s), switching eroute to %s and linking %s"
+ , inst, inside->name, outside->name);
+
+ return route_nearconflict;
+ }
+
+ /* look along the chain of policies for one with the same name */
+ ero_top = ero;
+
+ for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
+ {
+ if (ero2->kind == CK_TEMPLATE
+ && streq(ero2->name, c->name))
+ break;
+ }
+
+ /* If we fell of the end of the list, then we found no TEMPLATE
+ * so there must be a conflict that we can't resolve.
+ * As the names are not equal, then we aren't replacing/rekeying.
+ */
+ if (ero2 == NULL)
+ {
+ char inst[CONN_INST_BUF];
+
+ fmt_conn_instance(ero, inst);
+
+ loglog(RC_LOG_SERIOUS
+ , "cannot install eroute -- it is in use for \"%s\"%s #%lu"
+ , ero->name, inst, esr->eroute_owner);
+ return FALSE; /* another connection already using the eroute */
+ }
+ }
+#endif /* KLIPS */
+ return route_easy;
+}
+
+bool
+trap_connection(struct connection *c)
+{
+ switch (could_route(c))
+ {
+ case route_impossible:
+ return FALSE;
+
+ case route_nearconflict:
+ case route_easy:
+ /* RT_ROUTED_TUNNEL is treated specially: we don't override
+ * because we don't want to lose track of the IPSEC_SAs etc.
+ */
+ if (c->spd.routing < RT_ROUTED_TUNNEL)
+ {
+ return route_and_eroute(c, &c->spd, NULL);
+ }
+ return TRUE;
+
+ case route_farconflict:
+ return FALSE;
+ }
+
+ return FALSE;
+}
+
+/* delete any eroute for a connection and unroute it if route isn't shared */
+void
+unroute_connection(struct connection *c)
+{
+ struct spd_route *sr;
+ enum routing_t cr;
+
+ for (sr = &c->spd; sr; sr = sr->next)
+ {
+ cr = sr->routing;
+
+ if (erouted(cr))
+ {
+ /* cannot handle a live one */
+ passert(sr->routing != RT_ROUTED_TUNNEL);
+#ifdef KLIPS
+ shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
+#endif
+ }
+
+ sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */
+
+ /* only unroute if no other connection shares it */
+ if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
+ (void) do_command(c, sr, "unroute");
+ }
+}
+
+
+#ifdef KLIPS
+
+static void
+set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto)
+{
+ ip_said said;
+
+ initsaid(dst, spi, proto, &said);
+ satot(&said, 0, text_said, SATOT_BUF);
+}
+
+/* find an entry in the bare_shunt table.
+ * Trick: return a pointer to the pointer to the entry;
+ * this allows the entry to be deleted.
+ */
+static struct bare_shunt **
+bare_shunt_ptr(const ip_subnet *ours, const ip_subnet *his, int transport_proto)
+{
+ struct bare_shunt *p, **pp;
+
+ for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
+ {
+ if (samesubnet(ours, &p->ours)
+ && samesubnet(his, &p->his)
+ && transport_proto == p->transport_proto
+ && portof(&ours->addr) == portof(&p->ours.addr)
+ && portof(&his->addr) == portof(&p->his.addr))
+ return pp;
+ }
+ return NULL;
+}
+
+/* free a bare_shunt entry, given a pointer to the pointer */
+static void
+free_bare_shunt(struct bare_shunt **pp)
+{
+ if (pp == NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("delete bare shunt: null pointer")
+ )
+ }
+ else
+ {
+ struct bare_shunt *p = *pp;
+
+ *pp = p->next;
+ DBG_bare_shunt("delete", p);
+ pfree(p->why);
+ pfree(p);
+ }
+}
+
+void
+show_shunt_status(void)
+{
+ struct bare_shunt *bs;
+
+ for (bs = bare_shunts; bs != NULL; bs = bs->next)
+ {
+ /* Print interesting fields. Ignore count and last_active. */
+
+ int ourport = ntohs(portof(&bs->ours.addr));
+ int hisport = ntohs(portof(&bs->his.addr));
+ char ourst[SUBNETTOT_BUF];
+ char hist[SUBNETTOT_BUF];
+ char sat[SATOT_BUF];
+ char prio[POLICY_PRIO_BUF];
+
+ subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
+ subnettot(&(bs)->his, 0, hist, sizeof(hist));
+ satot(&(bs)->said, 0, sat, sizeof(sat));
+ fmt_policy_prio(bs->policy_prio, prio);
+
+ whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s %s"
+ , ourst, ourport, hist, hisport, sat, bs->transport_proto
+ , prio, bs->why);
+ }
+ if (bare_shunts != NULL)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
+}
+
+/* Setup an IPsec route entry.
+ * op is one of the ERO_* operators.
+ */
+
+static bool
+raw_eroute(const ip_address *this_host
+ , const ip_subnet *this_client
+ , const ip_address *that_host
+ , const ip_subnet *that_client
+ , ipsec_spi_t spi
+ , unsigned int proto
+ , unsigned int satype
+ , unsigned int transport_proto
+ , const struct pfkey_proto_info *proto_info
+ , time_t use_lifetime
+ , unsigned int op
+ , const char *opname USED_BY_DEBUG)
+{
+ char text_said[SATOT_BUF];
+
+ set_text_said(text_said, that_host, spi, proto);
+
+ DBG(DBG_CONTROL | DBG_KLIPS,
+ {
+ int sport = ntohs(portof(&this_client->addr));
+ int dport = ntohs(portof(&that_client->addr));
+ char mybuf[SUBNETTOT_BUF];
+ char peerbuf[SUBNETTOT_BUF];
+
+ subnettot(this_client, 0, mybuf, sizeof(mybuf));
+ subnettot(that_client, 0, peerbuf, sizeof(peerbuf));
+ DBG_log("%s eroute %s:%d -> %s:%d => %s:%d"
+ , opname, mybuf, sport, peerbuf, dport
+ , text_said, transport_proto);
+ });
+
+ return kernel_ops->raw_eroute(this_host, this_client
+ , that_host, that_client, spi, satype, transport_proto, proto_info
+ , use_lifetime, op, text_said);
+}
+
+/* test to see if %hold remains */
+bool
+has_bare_hold(const ip_address *src, const ip_address *dst, int transport_proto)
+{
+ ip_subnet this_client, that_client;
+ struct bare_shunt **bspp;
+
+ passert(addrtypeof(src) == addrtypeof(dst));
+ happy(addrtosubnet(src, &this_client));
+ happy(addrtosubnet(dst, &that_client));
+ bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
+ return bspp != NULL
+ && (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
+}
+
+
+/* Replace (or delete) a shunt that is in the bare_shunts table.
+ * Issues the PF_KEY commands and updates the bare_shunts table.
+ */
+bool
+replace_bare_shunt(const ip_address *src, const ip_address *dst
+ , policy_prio_t policy_prio
+ , ipsec_spi_t shunt_spi /* in host order! */
+ , bool repl /* if TRUE, replace; if FALSE, delete */
+ , unsigned int transport_proto
+ , const char *why)
+{
+ ip_subnet this_client, that_client;
+ ip_subnet this_broad_client, that_broad_client;
+ const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
+
+ passert(addrtypeof(src) == addrtypeof(dst));
+ happy(addrtosubnet(src, &this_client));
+ happy(addrtosubnet(dst, &that_client));
+ this_broad_client = this_client;
+ that_broad_client = that_client;
+ setportof(0, &this_broad_client.addr);
+ setportof(0, &that_broad_client.addr);
+
+ if (repl)
+ {
+ struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
+ , &that_broad_client, 0);
+
+ /* is there already a broad host-to-host bare shunt? */
+ if (bs_pp == NULL)
+ {
+ if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
+ , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
+ , 0, null_proto_info
+ , SHUNT_PATIENCE, ERO_ADD, why))
+ {
+ struct bare_shunt *bs = alloc_thing(struct bare_shunt, "bare shunt");
+
+ bs->ours = this_broad_client;
+ bs->his = that_broad_client;
+ bs->transport_proto = 0;
+ bs->said.proto = SA_INT;
+ bs->why = clone_str(why, "bare shunt story");
+ bs->policy_prio = policy_prio;
+ bs->said.spi = htonl(shunt_spi);
+ bs->said.dst = *null_host;
+ bs->count = 0;
+ bs->last_activity = now();
+ bs->next = bare_shunts;
+ bare_shunts = bs;
+ DBG_bare_shunt("add", bs);
+ }
+ }
+ shunt_spi = SPI_HOLD;
+ }
+
+ if (raw_eroute(null_host, &this_client, null_host, &that_client
+ , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
+ , transport_proto, null_proto_info
+ , SHUNT_PATIENCE, ERO_DELETE, why))
+ {
+ struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
+ , transport_proto);
+
+ /* delete bare eroute */
+ free_bare_shunt(bs_pp);
+ return TRUE;
+ }
+ else
+ {
+ return FALSE;
+ }
+}
+
+static bool
+eroute_connection(struct spd_route *sr
+, ipsec_spi_t spi, unsigned int proto, unsigned int satype
+, const struct pfkey_proto_info *proto_info
+, unsigned int op, const char *opname)
+{
+ const ip_address *peer = &sr->that.host_addr;
+ char buf2[256];
+
+ snprintf(buf2, sizeof(buf2)
+ , "eroute_connection %s", opname);
+
+ if (proto == SA_INT)
+ peer = aftoinfo(addrtypeof(peer))->any;
+
+ return raw_eroute(&sr->this.host_addr, &sr->this.client
+ , peer
+ , &sr->that.client
+ , spi, proto, satype
+ , sr->this.protocol, proto_info, 0, op, buf2);
+}
+
+/* assign a bare hold to a connection */
+
+bool
+assign_hold(struct connection *c USED_BY_DEBUG
+ , struct spd_route *sr
+ , int transport_proto
+ , const ip_address *src, const ip_address *dst)
+{
+ /* either the automatically installed %hold eroute is broad enough
+ * or we try to add a broader one and delete the automatic one.
+ * Beware: this %hold might be already handled, but still squeak
+ * through because of a race.
+ */
+ enum routing_t ro = sr->routing /* routing, old */
+ , rn = ro; /* routing, new */
+
+ passert(LHAS(LELEM(CK_PERMANENT) | LELEM(CK_INSTANCE), c->kind));
+ /* figure out what routing should become */
+ switch (ro)
+ {
+ case RT_UNROUTED:
+ rn = RT_UNROUTED_HOLD;
+ break;
+ case RT_ROUTED_PROSPECTIVE:
+ rn = RT_ROUTED_HOLD;
+ break;
+ default:
+ /* no change: this %hold is old news and should just be deleted */
+ break;
+ }
+
+ /* we need a broad %hold, not the narrow one.
+ * First we ensure that there is a broad %hold.
+ * There may already be one (race condition): no need to create one.
+ * There may already be a %trap: replace it.
+ * There may not be any broad eroute: add %hold.
+ * Once the broad %hold is in place, delete the narrow one.
+ */
+ if (rn != ro)
+ {
+ if (erouted(ro)
+ ? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
+ , null_proto_info
+ , ERO_REPLACE, "replace %trap with broad %hold")
+ : !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
+ , null_proto_info
+ , ERO_ADD, "add broad %hold"))
+ {
+ return FALSE;
+ }
+ }
+ if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
+ , transport_proto, "delete narrow %hold"))
+ {
+ return FALSE;
+ }
+ sr->routing = rn;
+ return TRUE;
+}
+
+/* install or remove eroute for SA Group */
+static bool
+sag_eroute(struct state *st, struct spd_route *sr
+ , unsigned op, const char *opname)
+{
+ u_int inner_proto = 0;
+ u_int inner_satype = 0;
+ ipsec_spi_t inner_spi = 0;
+ struct pfkey_proto_info proto_info[4];
+ int i;
+ bool tunnel;
+
+ /* figure out the SPI and protocol (in two forms)
+ * for the innermost transformation.
+ */
+
+ i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
+ proto_info[i].proto = 0;
+ tunnel = FALSE;
+
+ if (st->st_ah.present)
+ {
+ inner_spi = st->st_ah.attrs.spi;
+ inner_proto = SA_AH;
+ inner_satype = SADB_SATYPE_AH;
+
+ i--;
+ proto_info[i].proto = IPPROTO_AH;
+ proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
+ tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+ proto_info[i].reqid = sr->reqid;
+ }
+
+ if (st->st_esp.present)
+ {
+ inner_spi = st->st_esp.attrs.spi;
+ inner_proto = SA_ESP;
+ inner_satype = SADB_SATYPE_ESP;
+
+ i--;
+ proto_info[i].proto = IPPROTO_ESP;
+ proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
+ tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+ proto_info[i].reqid = sr->reqid + 1;
+ }
+
+ if (st->st_ipcomp.present)
+ {
+ inner_spi = st->st_ipcomp.attrs.spi;
+ inner_proto = SA_COMP;
+ inner_satype = SADB_X_SATYPE_COMP;
+
+ i--;
+ proto_info[i].proto = IPPROTO_COMP;
+ proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
+ tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+ proto_info[i].reqid = sr->reqid + 2;
+ }
+
+ if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
+ {
+ impossible(); /* no transform at all! */
+ }
+
+ if (tunnel)
+ {
+ int j;
+
+ inner_spi = st->st_tunnel_out_spi;
+ inner_proto = SA_IPIP;
+ inner_satype = SADB_X_SATYPE_IPIP;
+
+ proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
+ for (j = i + 1; proto_info[j].proto; j++)
+ {
+ proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+ }
+
+ return eroute_connection(sr
+ , inner_spi, inner_proto, inner_satype, proto_info + i
+ , op, opname);
+}
+
+/* compute a (host-order!) SPI to implement the policy in connection c */
+ipsec_spi_t
+shunt_policy_spi(struct connection *c, bool prospective)
+{
+ /* note: these are in host order :-( */
+ static const ipsec_spi_t shunt_spi[] =
+ {
+ SPI_TRAP, /* --initiateontraffic */
+ SPI_PASS, /* --pass */
+ SPI_DROP, /* --drop */
+ SPI_REJECT, /* --reject */
+ };
+
+ static const ipsec_spi_t fail_spi[] =
+ {
+ 0, /* --none*/
+ SPI_PASS, /* --failpass */
+ SPI_DROP, /* --faildrop */
+ SPI_REJECT, /* --failreject */
+ };
+
+ return prospective
+ ? shunt_spi[(c->policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT]
+ : fail_spi[(c->policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT];
+}
+
+/* Add/replace/delete a shunt eroute.
+ * Such an eroute determines the fate of packets without the use
+ * of any SAs. These are defaults, in effect.
+ * If a negotiation has not been attempted, use %trap.
+ * If negotiation has failed, the choice between %trap/%pass/%drop/%reject
+ * is specified in the policy of connection c.
+ */
+static bool
+shunt_eroute(struct connection *c
+, struct spd_route *sr
+, enum routing_t rt_kind
+, unsigned int op, const char *opname)
+{
+ /* We are constructing a special SAID for the eroute.
+ * The destination doesn't seem to matter, but the family does.
+ * The protocol is SA_INT -- mark this as shunt.
+ * The satype has no meaning, but is required for PF_KEY header!
+ * The SPI signifies the kind of shunt.
+ */
+ ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
+ bool ok;
+
+ if (spi == 0)
+ {
+ /* we're supposed to end up with no eroute: rejig op and opname */
+ switch (op)
+ {
+ case ERO_REPLACE:
+ /* replace with nothing == delete */
+ op = ERO_DELETE;
+ opname = "delete";
+ break;
+ case ERO_ADD:
+ /* add nothing == do nothing */
+ return TRUE;
+ case ERO_DELETE:
+ /* delete remains delete */
+ break;
+ default:
+ bad_case(op);
+ }
+ }
+ if (sr->routing == RT_ROUTED_ECLIPSED && c->kind == CK_TEMPLATE)
+ {
+ /* We think that we have an eroute, but we don't.
+ * Adjust the request and account for eclipses.
+ */
+ passert(eclipsable(sr));
+ switch (op)
+ {
+ case ERO_REPLACE:
+ /* really an add */
+ op = ERO_ADD;
+ opname = "replace eclipsed";
+ eclipse_count--;
+ break;
+ case ERO_DELETE:
+ /* delete unnecessary: we don't actually have an eroute */
+ eclipse_count--;
+ return TRUE;
+ case ERO_ADD:
+ default:
+ bad_case(op);
+ }
+ }
+ else if (eclipse_count > 0 && op == ERO_DELETE && eclipsable(sr))
+ {
+ /* maybe we are uneclipsing something */
+ struct spd_route *esr;
+ struct connection *ue = eclipsed(c, &esr);
+
+ if (ue != NULL)
+ {
+ esr->routing = RT_ROUTED_PROSPECTIVE;
+ return shunt_eroute(ue, esr
+ , RT_ROUTED_PROSPECTIVE, ERO_REPLACE, "restoring eclipsed");
+ }
+ }
+
+ ok = TRUE;
+ if (kernel_ops->inbound_eroute)
+ {
+ ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+ , &c->spd.this.host_addr, &c->spd.this.client
+ , htonl(spi), SA_INT, SADB_X_SATYPE_INT
+ , 0, null_proto_info, 0
+ , op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
+ }
+ return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
+ , null_proto_info, op, opname) && ok;
+}
+
+
+/*
+ * This is only called when s is a likely SAID with trailing protocol i.e.
+ * it has the form :-
+ *
+ * %<keyword>:p
+ * <ip-proto><spi>@a.b.c.d:p
+ *
+ * The task here is to remove the ":p" part so that the rest can be read
+ * by another routine.
+ */
+static const char *
+read_proto(const char * s, size_t * len, int * transport_proto)
+{
+ const char * p;
+ const char * ugh;
+ unsigned long proto;
+ size_t l;
+
+ l = *len;
+ p = memchr(s, ':', l);
+ if (p == 0) {
+ *transport_proto = 0;
+ return 0;
+ }
+ ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
+ if (ugh != 0)
+ return ugh;
+ if (proto > 65535)
+ return "protocol number is too large, legal range is 0-65535";
+ *len = p-s;
+ *transport_proto = proto;
+ return 0;
+}
+
+
+/* scan /proc/net/ipsec_eroute every once in a while, looking for:
+ *
+ * - %hold shunts of which Pluto isn't aware. This situation could
+ * be caused by lost ACQUIRE messages. When found, they will
+ * added to orphan_holds. This in turn will lead to Opportunistic
+ * initiation.
+ *
+ * - other kinds of shunts that haven't been used recently. These will be
+ * deleted. They represent OE failures.
+ *
+ * - recording recent uses of tunnel eroutes so that rekeying decisions
+ * can be made for OE connections.
+ *
+ * Here are some sample lines:
+ * 10 10.3.2.1.0/24 -> 0.0.0.0/0 => %trap
+ * 259 10.3.2.1.115/32 -> 10.19.75.161/32 => tun0x1002@10.19.75.145
+ * 71 10.44.73.97/32 -> 0.0.0.0/0 => %trap
+ * 4119 10.44.73.97/32 -> 10.114.121.41/32 => %pass
+ * Newer versions of KLIPS start each line with a 32-bit packet count.
+ * If available, the count is used to detect whether a %pass shunt is in use.
+ *
+ * NOTE: execution time is quadratic in the number of eroutes since the
+ * searching for each is sequential. If this becomes a problem, faster
+ * searches could be implemented (hash or radix tree, for example).
+ */
+void
+scan_proc_shunts(void)
+{
+ static const char procname[] = "/proc/net/ipsec_eroute";
+ FILE *f;
+ time_t nw = now();
+ int lino;
+ struct eroute_info *expired = NULL;
+
+ event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
+
+ DBG(DBG_CONTROL,
+ DBG_log("scanning for shunt eroutes")
+ )
+
+ /* free any leftover entries: they will be refreshed if still current */
+ while (orphaned_holds != NULL)
+ {
+ struct eroute_info *p = orphaned_holds;
+
+ orphaned_holds = p->next;
+ pfree(orphaned_holds);
+ }
+
+ /* decode the /proc file. Don't do anything strenuous to it
+ * (certainly no PF_KEY stuff) to minimize the chance that it
+ * might change underfoot.
+ */
+
+ f = fopen(procname, "r");
+ if (f == NULL)
+ return;
+
+ /* for each line... */
+ for (lino = 1; ; lino++)
+ {
+ unsigned char buf[1024]; /* should be big enough */
+ chunk_t field[10]; /* 10 is loose upper bound */
+ chunk_t *ff = NULL; /* fixed fields (excluding optional count) */
+ int fi;
+ struct eroute_info eri;
+ char *cp;
+ err_t context = ""
+ , ugh = NULL;
+
+ cp = fgets(buf, sizeof(buf), f);
+ if (cp == NULL)
+ break;
+
+ /* break out each field
+ * Note: if there are too many fields, just stop;
+ * it will be diagnosed a little later.
+ */
+ for (fi = 0; fi < (int)elemsof(field); fi++)
+ {
+ static const char sep[] = " \t\n"; /* field-separating whitespace */
+ size_t w;
+
+ cp += strspn(cp, sep); /* find start of field */
+ w = strcspn(cp, sep); /* find width of field */
+ setchunk(field[fi], cp, w);
+ cp += w;
+ if (w == 0)
+ break;
+ }
+
+ /* This odd do-hickey is to share error reporting code.
+ * A break will get to that common code. The setting
+ * of "ugh" and "context" parameterize it.
+ */
+ do {
+ /* Old entries have no packet count; new ones do.
+ * check if things are as they should be.
+ */
+ if (fi == 5)
+ ff = &field[0]; /* old form, with no count */
+ else if (fi == 6)
+ ff = &field[1]; /* new form, with count */
+ else
+ {
+ ugh = "has wrong number of fields";
+ break;
+ }
+
+ if (ff[1].len != 2
+ || strncmp(ff[1].ptr, "->", 2) != 0
+ || ff[3].len != 2
+ || strncmp(ff[3].ptr, "=>", 2) != 0)
+ {
+ ugh = "is missing -> or =>";
+ break;
+ }
+
+ /* actually digest fields of interest */
+
+ /* packet count */
+
+ eri.count = 0;
+ if (ff != field)
+ {
+ context = "count field is malformed: ";
+ ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
+ if (ugh != NULL)
+ break;
+ }
+
+ /* our client */
+
+ context = "source subnet field malformed: ";
+ ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
+ if (ugh != NULL)
+ break;
+
+ /* his client */
+
+ context = "destination subnet field malformed: ";
+ ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
+ if (ugh != NULL)
+ break;
+
+ /* SAID */
+
+ context = "SA ID field malformed: ";
+ ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
+ if (ugh != NULL)
+ break;
+ ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
+ } while (FALSE);
+
+ if (ugh != NULL)
+ {
+ plog("INTERNAL ERROR: %s line %d %s%s"
+ , procname, lino, context, ugh);
+ continue; /* ignore rest of line */
+ }
+
+ /* Now we have decoded eroute, let's consider it.
+ * For shunt eroutes:
+ *
+ * %hold: if not known, add to orphaned_holds list for initiation
+ * because ACQUIRE might have been lost.
+ *
+ * %pass, %drop, %reject: determine if idle; if so, blast it away.
+ * Can occur bare (if DNS provided insufficient information)
+ * or with a connection (failure context).
+ * Could even be installed by ipsec manual.
+ *
+ * %trap: always welcome.
+ *
+ * For other eroutes: find state and record count change
+ */
+ if (eri.said.proto == SA_INT)
+ {
+ /* shunt eroute */
+ switch (ntohl(eri.said.spi))
+ {
+ case SPI_HOLD:
+ if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
+ && shunt_owner(&eri.ours, &eri.his) == NULL)
+ {
+ int ourport = ntohs(portof(&eri.ours.addr));
+ int hisport = ntohs(portof(&eri.his.addr));
+ char ourst[SUBNETTOT_BUF];
+ char hist[SUBNETTOT_BUF];
+ char sat[SATOT_BUF];
+
+ subnettot(&eri.ours, 0, ourst, sizeof(ourst));
+ subnettot(&eri.his, 0, hist, sizeof(hist));
+ satot(&eri.said, 0, sat, sizeof(sat));
+
+ DBG(DBG_CONTROL,
+ DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
+ , ourst, ourport, hist, hisport, sat, eri.transport_proto)
+ )
+ eri.next = orphaned_holds;
+ orphaned_holds = clone_thing(eri, "orphaned %hold");
+ }
+ break;
+
+ case SPI_PASS:
+ case SPI_DROP:
+ case SPI_REJECT:
+ /* nothing sensible to do if we don't have counts */
+ if (ff != field)
+ {
+ struct bare_shunt **bs_pp
+ = bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
+
+ if (bs_pp != NULL)
+ {
+ struct bare_shunt *bs = *bs_pp;
+
+ if (eri.count != bs->count)
+ {
+ bs->count = eri.count;
+ bs->last_activity = nw;
+ }
+ else if (nw - bs->last_activity > SHUNT_PATIENCE)
+ {
+ eri.next = expired;
+ expired = clone_thing(eri, "expired %pass");
+ }
+ }
+ }
+ break;
+
+ case SPI_TRAP:
+ break;
+
+ default:
+ bad_case(ntohl(eri.said.spi));
+ }
+ }
+ else
+ {
+ /* regular (non-shunt) eroute */
+ state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
+ }
+ } /* for each line */
+ fclose(f);
+
+ /* Now that we've finished processing the /proc file,
+ * it is safe to delete the expired %pass shunts.
+ */
+ while (expired != NULL)
+ {
+ struct eroute_info *p = expired;
+ ip_address src, dst;
+
+ networkof(&p->ours, &src);
+ networkof(&p->his, &dst);
+ (void) replace_bare_shunt(&src, &dst
+ , BOTTOM_PRIO /* not used because we are deleting. This value is a filler */
+ , SPI_PASS /* not used because we are deleting. This value is a filler */
+ , FALSE, p->transport_proto, "delete expired bare shunts");
+ expired = p->next;
+ pfree(p);
+ }
+}
+
+static bool
+del_spi(ipsec_spi_t spi, int proto
+, const ip_address *src, const ip_address *dest)
+{
+ char text_said[SATOT_BUF];
+ struct kernel_sa sa;
+
+ set_text_said(text_said, dest, spi, proto);
+
+ DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
+
+ memset(&sa, 0, sizeof(sa));
+ sa.spi = spi;
+ sa.proto = proto;
+ sa.src = src;
+ sa.dst = dest;
+ sa.text_said = text_said;
+
+ return kernel_ops->del_sa(&sa);
+}
+
+/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
+ * ipsec-0.5.
+ */
+
+static bool
+setup_half_ipsec_sa(struct state *st, bool inbound)
+{
+ /* Build an inbound or outbound SA */
+
+ struct connection *c = st->st_connection;
+ ip_subnet src, dst;
+ ip_subnet src_client, dst_client;
+ ipsec_spi_t inner_spi = 0;
+ u_int proto = 0;
+ u_int satype = SADB_SATYPE_UNSPEC;
+ bool replace;
+
+ /* SPIs, saved for spigrouping or undoing, if necessary */
+ struct kernel_sa
+ said[EM_MAXRELSPIS],
+ *said_next = said;
+
+ char text_said[SATOT_BUF];
+ int encapsulation;
+
+ replace = inbound && (kernel_ops->get_spi != NULL);
+
+ src.maskbits = 0;
+ dst.maskbits = 0;
+
+ if (inbound)
+ {
+ src.addr = c->spd.that.host_addr;
+ dst.addr = c->spd.this.host_addr;
+ src_client = c->spd.that.client;
+ dst_client = c->spd.this.client;
+ }
+ else
+ {
+ src.addr = c->spd.this.host_addr,
+ dst.addr = c->spd.that.host_addr;
+ src_client = c->spd.this.client;
+ dst_client = c->spd.that.client;
+ }
+
+ encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ encapsulation = ENCAPSULATION_MODE_TUNNEL;
+ }
+
+ memset(said, 0, sizeof(said));
+
+ /* If we are tunnelling, set up IP in IP pseudo SA */
+
+ if (kernel_ops->inbound_eroute)
+ {
+ inner_spi = 256;
+ proto = SA_IPIP;
+ satype = SADB_SATYPE_UNSPEC;
+ }
+ else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ /* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
+ * XXX FOR IP-in-IP ENCAPSULATION!
+ */
+
+ ipsec_spi_t ipip_spi;
+
+ /* Allocate an SPI for the tunnel.
+ * Since our peer will never see this,
+ * and it comes from its own number space,
+ * it is purely a local implementation wart.
+ */
+ {
+ static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
+
+ ipip_spi = htonl(++last_tunnel_spi);
+ if (inbound)
+ st->st_tunnel_in_spi = ipip_spi;
+ else
+ st->st_tunnel_out_spi = ipip_spi;
+ }
+
+ set_text_said(text_said
+ , &c->spd.that.host_addr, ipip_spi, SA_IPIP);
+
+ said_next->src = &src.addr;
+ said_next->dst = &dst.addr;
+ said_next->src_client = &src_client;
+ said_next->dst_client = &dst_client;
+ said_next->spi = ipip_spi;
+ said_next->satype = SADB_X_SATYPE_IPIP;
+ said_next->text_said = text_said;
+
+ if (!kernel_ops->add_sa(said_next, replace))
+ goto fail;
+
+ said_next++;
+
+ inner_spi = ipip_spi;
+ proto = SA_IPIP;
+ satype = SADB_X_SATYPE_IPIP;
+ }
+
+ /* set up IPCOMP SA, if any */
+
+ if (st->st_ipcomp.present)
+ {
+ ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
+ unsigned compalg;
+
+ switch (st->st_ipcomp.attrs.transid)
+ {
+ case IPCOMP_DEFLATE:
+ compalg = SADB_X_CALG_DEFLATE;
+ break;
+
+ default:
+ loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
+ , enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
+ goto fail;
+ }
+
+ set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
+
+ said_next->src = &src.addr;
+ said_next->dst = &dst.addr;
+ said_next->src_client = &src_client;
+ said_next->dst_client = &dst_client;
+ said_next->spi = ipcomp_spi;
+ said_next->satype = SADB_X_SATYPE_COMP;
+ said_next->compalg = compalg;
+ said_next->encapsulation = encapsulation;
+ said_next->reqid = c->spd.reqid + 2;
+ said_next->text_said = text_said;
+
+ if (!kernel_ops->add_sa(said_next, replace))
+ goto fail;
+
+ said_next++;
+
+ encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+
+ /* set up ESP SA, if any */
+
+ if (st->st_esp.present)
+ {
+ ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+ u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
+ const struct esp_info *ei;
+ u_int16_t key_len;
+
+ static const struct esp_info esp_info[] = {
+ { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
+ 0, HMAC_MD5_KEY_LEN,
+ SADB_EALG_NULL, SADB_AALG_MD5_HMAC },
+ { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
+ 0, HMAC_SHA1_KEY_LEN,
+ SADB_EALG_NULL, SADB_AALG_SHA1_HMAC },
+
+ { ESP_DES, AUTH_ALGORITHM_NONE,
+ DES_CBC_BLOCK_SIZE, 0,
+ SADB_EALG_DES_CBC, SADB_AALG_NONE },
+ { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
+ DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
+ SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC },
+ { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
+ DES_CBC_BLOCK_SIZE,
+ HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC },
+
+ { ESP_3DES, AUTH_ALGORITHM_NONE,
+ DES_CBC_BLOCK_SIZE * 3, 0,
+ SADB_EALG_3DES_CBC, SADB_AALG_NONE },
+ { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
+ DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
+ SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC },
+ { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
+ DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
+ SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
+ };
+
+ u_int8_t natt_type = 0;
+ u_int16_t natt_sport = 0;
+ u_int16_t natt_dport = 0;
+ ip_address natt_oa;
+
+ if (st->nat_traversal & NAT_T_DETECTED)
+ {
+ natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
+ ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
+ natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
+ natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+ natt_oa = st->nat_oa;
+ }
+
+ for (ei = esp_info; ; ei++)
+ {
+ if (ei == &esp_info[elemsof(esp_info)])
+ {
+ /* Check for additional kernel alg */
+#ifndef NO_KERNEL_ALG
+ if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
+ st->st_esp.attrs.auth))!=NULL) {
+ break;
+ }
+#endif
+
+ /* note: enum_show may use a static buffer, so two
+ * calls in one printf would be a mistake.
+ * enum_name does the same job, without a static buffer,
+ * assuming the name will be found.
+ */
+ loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
+ , enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
+ , enum_name(&auth_alg_names, st->st_esp.attrs.auth));
+ goto fail;
+ }
+
+ if (st->st_esp.attrs.transid == ei->transid
+ && st->st_esp.attrs.auth == ei->auth)
+ break;
+ }
+
+ key_len = st->st_esp.attrs.key_len/8;
+ if (key_len)
+ {
+ /* XXX: must change to check valid _range_ key_len */
+ if (key_len > ei->enckeylen)
+ {
+ loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+ enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+ (int)key_len, (int)ei->enckeylen);
+ goto fail;
+ }
+ }
+ else
+ {
+ key_len = ei->enckeylen;
+ }
+ /* Grrrrr.... f*cking 7 bits jurassic algos */
+
+ /* 168 bits in kernel, need 192 bits for keymat_len */
+ if (ei->transid == ESP_3DES && key_len == 21)
+ key_len = 24;
+
+ /* 56 bits in kernel, need 64 bits for keymat_len */
+ if (ei->transid == ESP_DES && key_len == 7)
+ key_len = 8;
+
+ /* divide up keying material */
+ /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
+ DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING,
+ if(st->st_esp.keymat_len != key_len + ei->authkeylen)
+ DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
+ st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
+ )
+ passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
+
+ set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
+
+ said_next->src = &src.addr;
+ said_next->dst = &dst.addr;
+ said_next->src_client = &src_client;
+ said_next->dst_client = &dst_client;
+ said_next->spi = esp_spi;
+ said_next->satype = SADB_SATYPE_ESP;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->authalg = ei->authalg;
+ said_next->authkeylen = ei->authkeylen;
+ /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
+ said_next->authkey = esp_dst_keymat + key_len;
+ said_next->encalg = ei->encryptalg;
+ /* said_next->enckeylen = ei->enckeylen; */
+ said_next->enckeylen = key_len;
+ said_next->enckey = esp_dst_keymat;
+ said_next->encapsulation = encapsulation;
+ said_next->reqid = c->spd.reqid + 1;
+ said_next->natt_sport = natt_sport;
+ said_next->natt_dport = natt_dport;
+ said_next->transid = st->st_esp.attrs.transid;
+ said_next->natt_type = natt_type;
+ said_next->natt_oa = &natt_oa;
+ said_next->text_said = text_said;
+
+ if (!kernel_ops->add_sa(said_next, replace))
+ goto fail;
+
+ said_next++;
+
+ encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+
+ /* set up AH SA, if any */
+
+ if (st->st_ah.present)
+ {
+ ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
+ u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
+
+ unsigned char authalg;
+
+ switch (st->st_ah.attrs.auth)
+ {
+ case AUTH_ALGORITHM_HMAC_MD5:
+ authalg = SADB_AALG_MD5_HMAC;
+ break;
+
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ authalg = SADB_AALG_SHA1_HMAC;
+ break;
+
+ default:
+ loglog(RC_LOG_SERIOUS, "%s not implemented yet"
+ , enum_show(&auth_alg_names, st->st_ah.attrs.auth));
+ goto fail;
+ }
+
+ set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
+
+ said_next->src = &src.addr;
+ said_next->dst = &dst.addr;
+ said_next->src_client = &src_client;
+ said_next->dst_client = &dst_client;
+ said_next->spi = ah_spi;
+ said_next->satype = SADB_SATYPE_AH;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->authalg = authalg;
+ said_next->authkeylen = st->st_ah.keymat_len;
+ said_next->authkey = ah_dst_keymat;
+ said_next->encapsulation = encapsulation;
+ said_next->reqid = c->spd.reqid;
+ said_next->text_said = text_said;
+
+ if (!kernel_ops->add_sa(said_next, replace))
+ goto fail;
+
+ said_next++;
+
+ encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+
+ if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ encapsulation = ENCAPSULATION_MODE_TUNNEL;
+ }
+
+ if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
+ : encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ /* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
+ * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
+ * Note reversed ends.
+ * Not much to be done on failure.
+ */
+ if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
+ {
+ struct pfkey_proto_info proto_info[4];
+ int i = 0;
+
+ if (st->st_ipcomp.present)
+ {
+ proto_info[i].proto = IPPROTO_COMP;
+ proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
+ proto_info[i].reqid = c->spd.reqid + 2;
+ i++;
+ }
+
+ if (st->st_esp.present)
+ {
+ proto_info[i].proto = IPPROTO_ESP;
+ proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
+ proto_info[i].reqid = c->spd.reqid + 1;
+ i++;
+ }
+
+ if (st->st_ah.present)
+ {
+ proto_info[i].proto = IPPROTO_AH;
+ proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
+ proto_info[i].reqid = c->spd.reqid;
+ i++;
+ }
+
+ proto_info[i].proto = 0;
+
+ if (kernel_ops->inbound_eroute
+ && encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
+ for (i = 1; proto_info[i].proto; i++)
+ {
+ proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+ }
+
+ /* MCR - should be passed a spd_eroute structure here */
+ (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+ , &c->spd.this.host_addr, &c->spd.this.client
+ , inner_spi, proto, satype, c->spd.this.protocol
+ , proto_info, 0
+ , ERO_ADD_INBOUND, "add inbound");
+ }
+ }
+
+ /* If there are multiple SPIs, group them. */
+
+ if (kernel_ops->grp_sa && said_next > &said[1])
+ {
+ struct kernel_sa *s;
+
+ /* group SAs, two at a time, inner to outer (backwards in said[])
+ * The grouping is by pairs. So if said[] contains ah esp ipip,
+ * the grouping would be ipip:esp, esp:ah.
+ */
+ for (s = said; s < said_next-1; s++)
+ {
+ char
+ text_said0[SATOT_BUF],
+ text_said1[SATOT_BUF];
+
+ /* group s[1] and s[0], in that order */
+
+ set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
+ set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
+
+ DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
+
+ s[0].text_said = text_said0;
+ s[1].text_said = text_said1;
+
+ if (!kernel_ops->grp_sa(s + 1, s))
+ goto fail;
+ }
+ /* could update said, but it will not be used */
+ }
+
+ return TRUE;
+
+fail:
+ {
+ /* undo the done SPIs */
+ while (said_next-- != said)
+ (void) del_spi(said_next->spi, said_next->proto
+ , &src.addr, said_next->dst);
+ return FALSE;
+ }
+}
+
+/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
+
+static bool
+teardown_half_ipsec_sa(struct state *st, bool inbound)
+{
+ /* We need to delete AH, ESP, and IP in IP SPIs.
+ * But if there is more than one, they have been grouped
+ * so deleting any one will do. So we just delete the
+ * first one found. It may or may not be the only one.
+ */
+ struct connection *c = st->st_connection;
+ struct {
+ unsigned proto;
+ struct ipsec_proto_info *info;
+ } protos[4];
+ int i;
+ bool result;
+
+ i = 0;
+ if (kernel_ops->inbound_eroute && inbound
+ && c->spd.eroute_owner == SOS_NOBODY)
+ {
+ (void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
+ , &c->spd.this.host_addr, &c->spd.this.client
+ , 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
+ , null_proto_info, 0
+ , ERO_DEL_INBOUND, "delete inbound");
+ }
+
+ if (!kernel_ops->grp_sa)
+ {
+ if (st->st_ah.present)
+ {
+ protos[i].info = &st->st_ah;
+ protos[i].proto = SA_AH;
+ i++;
+ }
+
+ if (st->st_esp.present)
+ {
+ protos[i].info = &st->st_esp;
+ protos[i].proto = SA_ESP;
+ i++;
+ }
+
+ if (st->st_ipcomp.present)
+ {
+ protos[i].info = &st->st_ipcomp;
+ protos[i].proto = SA_COMP;
+ i++;
+ }
+ }
+ else if (st->st_ah.present)
+ {
+ protos[i].info = &st->st_ah;
+ protos[i].proto = SA_AH;
+ i++;
+ }
+ else if (st->st_esp.present)
+ {
+ protos[i].info = &st->st_esp;
+ protos[i].proto = SA_ESP;
+ i++;
+ }
+ else
+ {
+ impossible(); /* neither AH nor ESP in outbound SA bundle! */
+ }
+ protos[i].proto = 0;
+
+ result = TRUE;
+ for (i = 0; protos[i].proto; i++)
+ {
+ unsigned proto = protos[i].proto;
+ ipsec_spi_t spi;
+ const ip_address *src, *dst;
+
+ if (inbound)
+ {
+ spi = protos[i].info->our_spi;
+ src = &c->spd.that.host_addr;
+ dst = &c->spd.this.host_addr;
+ }
+ else
+ {
+ spi = protos[i].info->attrs.spi;
+ src = &c->spd.this.host_addr;
+ dst = &c->spd.that.host_addr;
+ }
+
+ result &= del_spi(spi, proto, src, dst);
+ }
+ return result;
+}
+
+/*
+ * get information about a given sa
+ */
+bool
+get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
+{
+ char text_said[SATOT_BUF];
+ struct kernel_sa sa;
+ struct connection *c = st->st_connection;
+
+ *use_time = UNDEFINED_TIME;
+
+ if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+ return FALSE;
+
+ memset(&sa, 0, sizeof(sa));
+ sa.proto = SA_ESP;
+
+ if (inbound)
+ {
+ sa.src = &c->spd.that.host_addr;
+ sa.dst = &c->spd.this.host_addr;
+ sa.spi = st->st_esp.our_spi;
+ }
+ else
+ {
+ sa.src = &c->spd.this.host_addr;
+ sa.dst = &c->spd.that.host_addr;
+ sa.spi = st->st_esp.attrs.spi;
+ }
+ set_text_said(text_said, sa.dst, sa.spi, sa.proto);
+
+ sa.text_said = text_said;
+
+ DBG(DBG_KLIPS,
+ DBG_log("get %s", text_said)
+ )
+ if (!kernel_ops->get_sa(&sa, bytes))
+ return FALSE;
+ DBG(DBG_KLIPS,
+ DBG_log(" current: %d bytes", *bytes)
+ )
+
+ if (st->st_serialno == c->spd.eroute_owner)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("get %sbound policy with reqid %u"
+ , inbound? "in":"out", (u_int)c->spd.reqid + 1)
+ )
+ sa.transport_proto = c->spd.this.protocol;
+ sa.encapsulation = st->st_esp.attrs.encapsulation;
+
+ if (inbound)
+ {
+ sa.src_client = &c->spd.that.client;
+ sa.dst_client = &c->spd.this.client;
+ }
+ else
+ {
+ sa.src_client = &c->spd.this.client;
+ sa.dst_client = &c->spd.that.client;
+ }
+ if (!kernel_ops->get_policy(&sa, inbound, use_time))
+ return FALSE;
+ DBG(DBG_KLIPS,
+ DBG_log(" use_time: %s", timetoa(use_time, FALSE))
+ )
+ }
+ return TRUE;
+}
+
+const struct kernel_ops *kernel_ops;
+
+#endif /* KLIPS */
+
+void
+init_kernel(void)
+{
+#ifdef KLIPS
+
+ if (no_klips)
+ {
+ kernel_ops = &noklips_kernel_ops;
+ return;
+ }
+
+ init_pfkey();
+
+ kernel_ops = &klips_kernel_ops;
+
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+ {
+ bool linux_ipsec = 0;
+ struct stat buf;
+
+ linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
+ if (linux_ipsec)
+ {
+ plog("Using Linux 2.6 IPsec interface code");
+ kernel_ops = &linux_kernel_ops;
+ }
+ else
+ {
+ plog("Using KLIPS IPsec interface code");
+ }
+ }
+#endif
+
+ if (kernel_ops->init)
+ {
+ kernel_ops->init();
+ }
+
+ /* register SA types that we can negotiate */
+ can_do_IPcomp = FALSE; /* until we get a response from KLIPS */
+ kernel_ops->pfkey_register();
+
+ if (!kernel_ops->policy_lifetime)
+ {
+ event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
+ }
+#endif
+}
+
+/* Note: install_inbound_ipsec_sa is only used by the Responder.
+ * The Responder will subsequently use install_ipsec_sa for the outbound.
+ * The Initiator uses install_ipsec_sa to install both at once.
+ */
+bool
+install_inbound_ipsec_sa(struct state *st)
+{
+ struct connection *const c = st->st_connection;
+
+ /* If our peer has a fixed-address client, check if we already
+ * have a route for that client that conflicts. We will take this
+ * as proof that that route and the connections using it are
+ * obsolete and should be eliminated. Interestingly, this is
+ * the only case in which we can tell that a connection is obsolete.
+ */
+ passert(c->kind == CK_PERMANENT || c->kind == CK_INSTANCE);
+ if (c->spd.that.has_client)
+ {
+ for (;;)
+ {
+ struct spd_route *esr;
+ struct connection *o = route_owner(c, &esr, NULL, NULL);
+
+ if (o == NULL)
+ break; /* nobody has a route */
+
+ /* note: we ignore the client addresses at this end */
+ if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
+ && o->interface == c->interface)
+ break; /* existing route is compatible */
+
+ if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
+ break; /* ??? is this good enough?? */
+
+ loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
+ , o->name, ip_str(&o->spd.that.host_addr));
+ release_connection(o, FALSE);
+ }
+ }
+
+ DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa() checking if we can route"));
+ /* check that we will be able to route and eroute */
+ switch (could_route(c))
+ {
+ case route_easy:
+ case route_nearconflict:
+ break;
+
+ default:
+ return FALSE;
+ }
+
+#ifdef KLIPS
+ /* (attempt to) actually set up the SAs */
+ return setup_half_ipsec_sa(st, TRUE);
+#else /* !KLIPS */
+ DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
+ return TRUE;
+#endif /* !KLIPS */
+}
+
+/* Install a route and then a prospective shunt eroute or an SA group eroute.
+ * Assumption: could_route gave a go-ahead.
+ * Any SA Group must have already been created.
+ * On failure, steps will be unwound.
+ */
+bool
+route_and_eroute(struct connection *c USED_BY_KLIPS
+ , struct spd_route *sr USED_BY_KLIPS
+ , struct state *st USED_BY_KLIPS)
+{
+#ifdef KLIPS
+ struct spd_route *esr;
+ struct spd_route *rosr;
+ struct connection *ero /* who, if anyone, owns our eroute? */
+ , *ro = route_owner(c, &rosr, &ero, &esr);
+ bool eroute_installed = FALSE
+ , firewall_notified = FALSE
+ , route_installed = FALSE;
+
+ struct connection *ero_top;
+ struct bare_shunt **bspp;
+
+ DBG(DBG_CONTROLMORE,
+ DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
+ , c->name
+ , (c->policy_next ? c->policy_next->name : "none")
+ , ero ? ero->name : "null"
+ , esr
+ , ro ? ro->name : "null"
+ , rosr
+ , st ? st->st_serialno : 0));
+
+ /* look along the chain of policies for one with the same name */
+ ero_top = ero;
+
+#if 0
+ /* XXX - mcr this made sense before, and likely will make sense
+ * again, so I'l leaving this to remind me what is up */
+ if (ero!= NULL && ero->routing == RT_UNROUTED_KEYED)
+ ero = NULL;
+
+ for (ero2 = ero; ero2 != NULL; ero2 = ero->policy_next)
+ if ((ero2->kind == CK_TEMPLATE || ero2->kind==CK_SECONDARY)
+ && streq(ero2->name, c->name))
+ break;
+#endif
+
+ bspp = (ero == NULL)
+ ? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
+ : NULL;
+
+ /* install the eroute */
+
+ passert(bspp == NULL || ero == NULL); /* only one non-NULL */
+
+ if (bspp != NULL || ero != NULL)
+ {
+ /* We're replacing an eroute */
+
+ /* if no state provided, then install a shunt for later */
+ if (st == NULL)
+ eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
+ , ERO_REPLACE, "replace");
+ else
+ eroute_installed = sag_eroute(st, sr, ERO_REPLACE, "replace");
+
+#if 0
+ /* XXX - MCR. I previously felt that this was a bogus check */
+ if (ero != NULL && ero != c && esr != sr)
+ {
+ /* By elimination, we must be eclipsing ero. Check. */
+ passert(ero->kind == CK_TEMPLATE && streq(ero->name, c->name));
+ passert(LHAS(LELEM(RT_ROUTED_PROSPECTIVE) | LELEM(RT_ROUTED_ECLIPSED)
+ , esr->routing));
+ passert(samesubnet(&esr->this.client, &sr->this.client)
+ && samesubnet(&esr->that.client, &sr->that.client));
+ }
+#endif
+ /* remember to free bspp iff we make it out of here alive */
+ }
+ else
+ {
+ /* we're adding an eroute */
+
+ /* if no state provided, then install a shunt for later */
+ if (st == NULL)
+ eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
+ , ERO_ADD, "add");
+ else
+ eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
+ }
+
+ /* notify the firewall of a new tunnel */
+
+ if (eroute_installed)
+ {
+ /* do we have to notify the firewall? Yes, if we are installing
+ * a tunnel eroute and the firewall wasn't notified
+ * for a previous tunnel with the same clients. Any Previous
+ * tunnel would have to be for our connection, so the actual
+ * test is simple.
+ */
+ firewall_notified = st == NULL /* not a tunnel eroute */
+ || sr->eroute_owner != SOS_NOBODY /* already notified */
+ || do_command(c, sr, "up"); /* go ahead and notify */
+ }
+
+ /* install the route */
+
+ DBG(DBG_CONTROL,
+ DBG_log("route_and_eroute: firewall_notified: %s"
+ , firewall_notified ? "true" : "false"));
+ if (!firewall_notified)
+ {
+ /* we're in trouble -- don't do routing */
+ }
+ else if (ro == NULL)
+ {
+ /* a new route: no deletion required, but preparation is */
+ (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
+ route_installed = do_command(c, sr, "route");
+ }
+ else if (routed(sr->routing)
+ || routes_agree(ro, c))
+ {
+ route_installed = TRUE; /* nothing to be done */
+ }
+ else
+ {
+ /* Some other connection must own the route
+ * and the route must disagree. But since could_route
+ * must have allowed our stealing it, we'll do so.
+ *
+ * A feature of LINUX allows us to install the new route
+ * before deleting the old if the nexthops differ.
+ * This reduces the "window of vulnerability" when packets
+ * might flow in the clear.
+ */
+ if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
+ {
+ (void) do_command(ro, sr, "unroute");
+ route_installed = do_command(c, sr, "route");
+ }
+ else
+ {
+ route_installed = do_command(c, sr, "route");
+ (void) do_command(ro, sr, "unroute");
+ }
+
+ /* record unrouting */
+ if (route_installed)
+ {
+ do {
+ passert(!erouted(rosr->routing));
+ rosr->routing = RT_UNROUTED;
+
+ /* no need to keep old value */
+ ro = route_owner(c, &rosr, NULL, NULL);
+ } while (ro != NULL);
+ }
+ }
+
+ /* all done -- clean up */
+ if (route_installed)
+ {
+ /* Success! */
+
+ if (bspp != NULL)
+ {
+ free_bare_shunt(bspp);
+ }
+ else if (ero != NULL && ero != c)
+ {
+ /* check if ero is an ancestor of c. */
+ struct connection *ero2;
+
+ for (ero2 = c; ero2 != NULL && ero2 != c; ero2 = ero2->policy_next)
+ ;
+
+ if (ero2 == NULL)
+ {
+ /* By elimination, we must be eclipsing ero. Checked above. */
+ if (ero->spd.routing != RT_ROUTED_ECLIPSED)
+ {
+ ero->spd.routing = RT_ROUTED_ECLIPSED;
+ eclipse_count++;
+ }
+ }
+ }
+
+ if (st == NULL)
+ {
+ passert(sr->eroute_owner == SOS_NOBODY);
+ sr->routing = RT_ROUTED_PROSPECTIVE;
+ }
+ else
+ {
+ char cib[CONN_INST_BUF];
+ sr->routing = RT_ROUTED_TUNNEL;
+
+ DBG(DBG_CONTROL,
+ DBG_log("route_and_eroute: instance \"%s\"%s, setting eroute_owner {spd=%p,sr=%p} to #%ld (was #%ld) (newest_ipsec_sa=#%ld)"
+ , st->st_connection->name
+ , (fmt_conn_instance(st->st_connection, cib), cib)
+ , &st->st_connection->spd, sr
+ , st->st_serialno
+ , sr->eroute_owner
+ , st->st_connection->newest_ipsec_sa));
+ sr->eroute_owner = st->st_serialno;
+ }
+
+ return TRUE;
+ }
+ else
+ {
+ /* Failure! Unwind our work. */
+ if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
+ (void) do_command(c, sr, "down");
+
+ if (eroute_installed)
+ {
+ /* Restore original eroute, if we can.
+ * Since there is nothing much to be done if the restoration
+ * fails, ignore success or failure.
+ */
+ if (bspp != NULL)
+ {
+ /* Restore old bare_shunt.
+ * I don't think that this case is very likely.
+ * Normally a bare shunt would have been assigned
+ * to a connection before we've gotten this far.
+ */
+ struct bare_shunt *bs = *bspp;
+
+ (void) raw_eroute(&bs->said.dst /* should be useless */
+ , &bs->ours
+ , &bs->said.dst /* should be useless */
+ , &bs->his
+ , bs->said.spi /* network order */
+ , SA_INT
+ , SADB_X_SATYPE_INT
+ , 0
+ , null_proto_info
+ , SHUNT_PATIENCE
+ , ERO_REPLACE, "restore");
+ }
+ else if (ero != NULL)
+ {
+ /* restore ero's former glory */
+ if (esr->eroute_owner == SOS_NOBODY)
+ {
+ /* note: normal or eclipse case */
+ (void) shunt_eroute(ero, esr
+ , esr->routing, ERO_REPLACE, "restore");
+ }
+ else
+ {
+ /* Try to find state that owned eroute.
+ * Don't do anything if it cannot be found.
+ * This case isn't likely since we don't run
+ * the updown script when replacing a SA group
+ * with its successor (for the same conn).
+ */
+ struct state *ost = state_with_serialno(esr->eroute_owner);
+
+ if (ost != NULL)
+ (void) sag_eroute(ost, esr, ERO_REPLACE, "restore");
+ }
+ }
+ else
+ {
+ /* there was no previous eroute: delete whatever we installed */
+ if (st == NULL)
+ (void) shunt_eroute(c, sr
+ , sr->routing, ERO_DELETE, "delete");
+ else
+ (void) sag_eroute(st, sr
+ , ERO_DELETE, "delete");
+ }
+ }
+
+ return FALSE;
+ }
+#else /* !KLIPS */
+ return TRUE;
+#endif /* !KLIPS */
+}
+
+bool
+install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+{
+#ifdef KLIPS
+ struct spd_route *sr;
+
+ DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
+ , st->st_serialno
+ , inbound_also?
+ "inbound and outbound" : "outbound only"));
+
+ switch (could_route(st->st_connection))
+ {
+ case route_easy:
+ case route_nearconflict:
+ break;
+
+ default:
+ return FALSE;
+ }
+
+ /* (attempt to) actually set up the SA group */
+ if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
+ || !setup_half_ipsec_sa(st, FALSE))
+ return FALSE;
+
+ for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
+ {
+ DBG(DBG_CONTROL, DBG_log("sr for #%ld: %s"
+ , st->st_serialno
+ , enum_name(&routing_story, sr->routing)));
+
+ /*
+ * if the eroute owner is not us, then make it us.
+ * See test co-terminal-02, pluto-rekey-01, pluto-unit-02/oppo-twice
+ */
+ pexpect(sr->eroute_owner == SOS_NOBODY
+ || sr->routing >= RT_ROUTED_TUNNEL);
+
+ if (sr->eroute_owner != st->st_serialno
+ && sr->routing != RT_UNROUTED_KEYED)
+ {
+ if (!route_and_eroute(st->st_connection, sr, st))
+ {
+ delete_ipsec_sa(st, FALSE);
+ /* XXX go and unroute any SRs that were successfully
+ * routed already.
+ */
+ return FALSE;
+ }
+ }
+ }
+#else /* !KLIPS */
+ DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
+ , inbound_also? "inbound and oubound" : "outbound only"));
+
+ switch (could_route(st->st_connection))
+ {
+ case route_easy:
+ case route_nearconflict:
+ break;
+
+ default:
+ return FALSE;
+ }
+
+
+#endif /* !KLIPS */
+
+ return TRUE;
+}
+
+/* delete an IPSEC SA.
+ * we may not succeed, but we bull ahead anyway because
+ * we cannot do anything better by recognizing failure
+ */
+void
+delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS)
+{
+#ifdef KLIPS
+ if (!inbound_only)
+ {
+ /* If the state is the eroute owner, we must adjust
+ * the routing for the connection.
+ */
+ struct connection *c = st->st_connection;
+ struct spd_route *sr;
+
+ passert(st->st_connection);
+
+ for (sr = &c->spd; sr; sr = sr->next)
+ {
+ if (sr->eroute_owner == st->st_serialno
+ && sr->routing == RT_ROUTED_TUNNEL)
+ {
+ sr->eroute_owner = SOS_NOBODY;
+
+ /* Routing should become RT_ROUTED_FAILURE,
+ * but if POLICY_FAIL_NONE, then we just go
+ * right back to RT_ROUTED_PROSPECTIVE as if no
+ * failure happened.
+ */
+ sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
+ ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
+
+ (void) do_command(c, sr, "down");
+ if ((c->policy & POLICY_DONT_REKEY)
+ && c->kind == CK_INSTANCE)
+ {
+ /* in this special case, even if the connection
+ * is still alive (due to an ISAKMP SA),
+ * we get rid of routing.
+ * Even though there is still an eroute, the c->routing
+ * setting will convince unroute_connection to delete it.
+ * unroute_connection would be upset if c->routing == RT_ROUTED_TUNNEL
+ */
+ unroute_connection(c);
+ }
+ else
+ {
+ (void) shunt_eroute(c, sr, sr->routing, ERO_REPLACE, "replace with shunt");
+ }
+ }
+ }
+ (void) teardown_half_ipsec_sa(st, FALSE);
+ }
+ (void) teardown_half_ipsec_sa(st, TRUE);
+#else /* !KLIPS */
+ DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
+#endif /* !KLIPS */
+}
+
+#ifdef KLIPS
+static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
+{
+ struct connection *c = st->st_connection;
+ char text_said[SATOT_BUF];
+ struct kernel_sa sa;
+ ip_address
+ src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
+ dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
+
+ ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+
+ u_int16_t
+ natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
+ natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+
+ set_text_said(text_said, &dst, esp_spi, SA_ESP);
+
+ memset(&sa, 0, sizeof(sa));
+ sa.spi = esp_spi;
+ sa.src = &src;
+ sa.dst = &dst;
+ sa.text_said = text_said;
+ sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
+ sa.natt_sport = natt_sport;
+ sa.natt_dport = natt_dport;
+ sa.transid = st->st_esp.attrs.transid;
+
+ return kernel_ops->add_sa(&sa, TRUE);
+}
+#endif
+
+bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
+{
+#ifdef KLIPS
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ if (st->st_esp.present && (
+ (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
+ (!update_nat_t_ipsec_esp_sa (st, FALSE))))
+ {
+ return FALSE;
+ }
+ }
+ else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
+ return FALSE;
+ }
+ return TRUE;
+#else /* !KLIPS */
+ DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
+ return TRUE;
+#endif /* !KLIPS */
+}
+
+/* Check if there was traffic on given SA during the last idle_max
+ * seconds. If TRUE, the SA was idle and DPD exchange should be performed.
+ * If FALSE, DPD is not necessary. We also return TRUE for errors, as they
+ * could mean that the SA is broken and needs to be replace anyway.
+ */
+bool
+was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
+{
+ static const char procname[] = "/proc/net/ipsec_spi";
+ FILE *f;
+ char buf[1024];
+ u_int bytes;
+ int ret = TRUE;
+
+ passert(st != NULL);
+
+ f = fopen(procname, "r");
+ if (f == NULL)
+ {
+ /* Can't open the file, perhaps were are on 26sec? */
+ time_t use_time;
+
+ if (get_sa_info(st, TRUE, &bytes, &use_time)
+ && use_time != UNDEFINED_TIME)
+ {
+ *idle_time = time(NULL) - use_time;
+ ret = *idle_time >= idle_max;
+ }
+ }
+ else
+ {
+ while (f != NULL)
+ {
+ char *line;
+ char text_said[SATOT_BUF];
+ u_int8_t proto = 0;
+ ip_address dst;
+ ip_said said;
+ ipsec_spi_t spi = 0;
+ static const char idle[] = "idle=";
+
+ dst = st->st_connection->spd.this.host_addr; /* inbound SA */
+ if (st->st_ah.present)
+ {
+ proto = SA_AH;
+ spi = st->st_ah.our_spi;
+ }
+ if (st->st_esp.present)
+ {
+ proto = SA_ESP;
+ spi = st->st_esp.our_spi;
+ }
+
+ if (proto == 0 && spi == 0)
+ {
+ ret = TRUE;
+ break;
+ }
+
+ initsaid(&dst, spi, proto, &said);
+ satot(&said, 'x', text_said, SATOT_BUF);
+
+ line = fgets(buf, sizeof(buf), f);
+ if (line == NULL)
+ {
+ /* Reached end of list */
+ ret = TRUE;
+ break;
+ }
+
+ if (strncmp(line, text_said, strlen(text_said)) == 0)
+ {
+ /* we found a match, now try to find idle= */
+ char *p = strstr(line, idle);
+
+ if (p == NULL)
+ {
+ /* SAs which haven't been used yet don't have it */
+ ret = TRUE; /* it didn't have traffic */
+ break;
+ }
+ p += sizeof(idle)-1;
+ if (*p == '\0')
+ {
+ ret = TRUE; /* be paranoid */
+ break;
+ }
+ if (sscanf(p, "%d", (int *) idle_time) <= 0)
+ {
+ ret = TRUE;
+ break;
+ }
+ if (*idle_time >= idle_max)
+ {
+ ret = TRUE;
+ break;
+ }
+ else
+ {
+ ret = FALSE;
+ break;
+ }
+ }
+ }
+ fclose(f);
+ }
+ return ret;
+}
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h
new file mode 100644
index 000000000..e7ff08c7b
--- /dev/null
+++ b/src/pluto/kernel.h
@@ -0,0 +1,198 @@
+/* declarations of routines that interface with the kernel's IPsec mechanism
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel.h,v 1.10 2006/03/08 22:12:37 as Exp $
+ */
+
+#include "connections.h"
+
+extern bool no_klips; /* don't actually use KLIPS */
+extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
+
+#ifdef KLIPS
+/* Declare eroute things early enough for uses.
+ *
+ * Flags are encoded above the low-order byte of verbs.
+ * "real" eroutes are only outbound. Inbound eroutes don't exist,
+ * but an addflow with an INBOUND flag allows IPIP tunnels to be
+ * limited to appropriate source and destination addresses.
+ */
+
+#define ERO_MASK 0xFF
+#define ERO_FLAG_SHIFT 8
+
+#define ERO_DELETE SADB_X_DELFLOW
+#define ERO_ADD SADB_X_ADDFLOW
+#define ERO_REPLACE (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
+#define ERO_ADD_INBOUND (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+#define ERO_DEL_INBOUND (SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+
+struct pfkey_proto_info {
+ int proto;
+ int encapsulation;
+ unsigned reqid;
+};
+struct sadb_msg;
+
+struct kernel_sa {
+ const ip_address *src;
+ const ip_address *dst;
+
+ const ip_subnet *src_client;
+ const ip_subnet *dst_client;
+
+ ipsec_spi_t spi;
+ unsigned proto;
+ unsigned satype;
+ unsigned transport_proto;
+ unsigned replay_window;
+ unsigned reqid;
+
+ unsigned authalg;
+ unsigned authkeylen;
+ char *authkey;
+
+ unsigned encalg;
+ unsigned enckeylen;
+ char *enckey;
+
+ unsigned compalg;
+
+ int encapsulation;
+
+ u_int16_t natt_sport, natt_dport;
+ u_int8_t transid, natt_type;
+ ip_address *natt_oa;
+
+ const char *text_said;
+};
+
+struct kernel_ops {
+ enum {
+ KERNEL_TYPE_NONE,
+ KERNEL_TYPE_KLIPS,
+ KERNEL_TYPE_LINUX,
+ } type;
+ bool inbound_eroute;
+ bool policy_lifetime;
+ int *async_fdp;
+
+ void (*init)(void);
+ void (*pfkey_register)(void);
+ void (*pfkey_register_response)(const struct sadb_msg *msg);
+ void (*process_queue)(void);
+ void (*process_msg)(void);
+ bool (*raw_eroute)(const ip_address *this_host,
+ const ip_subnet *this_client,
+ const ip_address *that_host,
+ const ip_subnet *that_client,
+ ipsec_spi_t spi,
+ unsigned int satype,
+ unsigned int transport_proto,
+ const struct pfkey_proto_info *proto_info,
+ time_t use_lifetime,
+ unsigned int op,
+ const char *text_said);
+ bool (*get_policy)(const struct kernel_sa *sa, bool inbound,
+ time_t *use_time);
+ bool (*add_sa)(const struct kernel_sa *sa, bool replace);
+ bool (*grp_sa)(const struct kernel_sa *sa_outer,
+ const struct kernel_sa *sa_inner);
+ bool (*del_sa)(const struct kernel_sa *sa);
+ bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes);
+ ipsec_spi_t (*get_spi)(const ip_address *src,
+ const ip_address *dst,
+ int proto,
+ bool tunnel_mode,
+ unsigned reqid,
+ ipsec_spi_t min,
+ ipsec_spi_t max,
+ const char *text_said);
+};
+
+
+extern const struct kernel_ops *kernel_ops;
+
+/* information from /proc/net/ipsec_eroute */
+
+struct eroute_info {
+ unsigned long count;
+ ip_subnet ours;
+ ip_subnet his;
+ ip_address dst;
+ ip_said said;
+ int transport_proto;
+ struct eroute_info *next;
+};
+
+extern struct eroute_info *orphaned_holds;
+
+extern void show_shunt_status(void);
+#endif
+
+/* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
+ * Is there a PF_KEY equivalent?
+ */
+#ifndef EM_MAXRELSPIS
+# define EM_MAXRELSPIS 4 /* AH ESP IPCOMP IPIP */
+#endif
+
+extern void record_and_initiate_opportunistic(const ip_subnet *
+ , const ip_subnet *
+ , int transport_proto
+ , const char *why);
+
+extern void init_kernel(void);
+
+extern void scan_proc_shunts(void);
+
+extern bool trap_connection(struct connection *c);
+extern void unroute_connection(struct connection *c);
+
+extern bool has_bare_hold(const ip_address *src, const ip_address *dst
+ , int transport_proto);
+
+extern bool replace_bare_shunt(const ip_address *src, const ip_address *dst
+ , policy_prio_t policy_prio
+ , ipsec_spi_t shunt_spi /* in host order! */
+ , bool repl
+ , unsigned int transport_proto
+ , const char *why);
+
+extern bool assign_hold(struct connection *c
+ , struct spd_route *sr
+ , int transport_proto
+ , const ip_address *src, const ip_address *dst);
+
+extern ipsec_spi_t shunt_policy_spi(struct connection *c, bool prospective);
+
+
+struct state; /* forward declaration of tag */
+extern ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid
+ , int proto
+ , struct spd_route *sr
+ , bool tunnel_mode);
+extern ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel_mode);
+
+extern bool install_inbound_ipsec_sa(struct state *st);
+extern bool install_ipsec_sa(struct state *st, bool inbound_also);
+extern void delete_ipsec_sa(struct state *st, bool inbound_only);
+extern bool route_and_eroute(struct connection *c
+ , struct spd_route *sr
+ , struct state *st);
+extern bool was_eroute_idle(struct state *st, time_t idle_max
+ , time_t *idle_time);
+extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
+ , time_t *use_time);
+
+extern bool update_ipsec_sa(struct state *st);
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
new file mode 100644
index 000000000..91dfaff59
--- /dev/null
+++ b/src/pluto/kernel_alg.c
@@ -0,0 +1,775 @@
+/* Kernel runtime algorithm handling interface
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_alg.c,v 1.9 2005/08/17 16:31:24 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <sys/queue.h>
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "connections.h"
+#include "state.h"
+#include "packet.h"
+#include "spdb.h"
+#include "kernel.h"
+#include "kernel_alg.h"
+#include "alg_info.h"
+
+#ifndef NO_PLUTO
+#include "log.h"
+#include "whack.h"
+#include "db_ops.h"
+#else
+/*
+ * macros/functions for compilation without pluto (eg: spi for manual conns)
+ */
+extern int debug;
+#include <assert.h>
+#define passert(x) assert(x)
+#define DBG(cond, action) { if (debug) { action ; } }
+#define DBG_log(x, args...) fprintf(stderr, x "\n" , ##args);
+#define plog(x, args...) fprintf(stderr, x "\n" , ##args);
+#endif /* NO_PLUTO */
+/* ALG storage */
+static struct sadb_alg esp_aalg[SADB_AALG_MAX+1];
+static struct sadb_alg esp_ealg[SADB_EALG_MAX+1];
+static int esp_ealg_num = 0;
+static int esp_aalg_num = 0;
+
+#define ESP_EALG_PRESENT(algo) (((algo)<=SADB_EALG_MAX)&&(esp_ealg[(algo)].sadb_alg_id==(algo)))
+#define ESP_EALG_FOR_EACH_UPDOWN(algo) \
+ for (algo=SADB_EALG_MAX; algo >0 ; algo--) \
+ if (ESP_EALG_PRESENT(algo))
+#define ESP_AALG_PRESENT(algo) ((algo<=SADB_AALG_MAX)&&(esp_aalg[(algo)].sadb_alg_id==(algo)))
+#define ESP_AALG_FOR_EACH_UPDOWN(algo) \
+ for (algo=SADB_AALG_MAX; algo >0 ; algo--) \
+ if (ESP_AALG_PRESENT(algo))
+
+static struct sadb_alg*
+sadb_alg_ptr (int satype, int exttype, int alg_id, int rw)
+{
+ struct sadb_alg *alg_p = NULL;
+
+ switch (exttype)
+ {
+ case SADB_EXT_SUPPORTED_AUTH:
+ if (alg_id > SADB_AALG_MAX)
+ return NULL;
+ break;
+ case SADB_EXT_SUPPORTED_ENCRYPT:
+ if (alg_id > SADB_EALG_MAX)
+ return NULL;
+ break;
+ default:
+ return NULL;
+ }
+
+ switch (satype)
+ {
+ case SADB_SATYPE_ESP:
+ alg_p = (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
+ &esp_ealg[alg_id] : &esp_aalg[alg_id];
+ /* get for write: increment elem count */
+ if (rw)
+ {
+ (exttype == SADB_EXT_SUPPORTED_ENCRYPT)?
+ esp_ealg_num++ : esp_aalg_num++;
+ }
+ break;
+ case SADB_SATYPE_AH:
+ default:
+ return NULL;
+ }
+
+ return alg_p;
+}
+
+const struct sadb_alg *
+kernel_alg_sadb_alg_get(int satype, int exttype, int alg_id)
+{
+ return sadb_alg_ptr(satype, exttype, alg_id, 0);
+}
+
+/*
+ * Forget previous registration
+ */
+static void
+kernel_alg_init(void)
+{
+ DBG(DBG_KLIPS,
+ DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
+ &esp_aalg, (int)sizeof (esp_aalg),
+ &esp_ealg, (int)sizeof (esp_ealg))
+ )
+ memset (&esp_aalg, 0, sizeof (esp_aalg));
+ memset (&esp_ealg, 0, sizeof (esp_ealg));
+ esp_ealg_num=esp_aalg_num = 0;
+}
+
+static int
+kernel_alg_add(int satype, int exttype, const struct sadb_alg *sadb_alg)
+{
+ struct sadb_alg *alg_p = NULL;
+ int alg_id = sadb_alg->sadb_alg_id;
+
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
+ satype, exttype, sadb_alg->sadb_alg_id)
+ )
+ if (!(alg_p = sadb_alg_ptr(satype, exttype, alg_id, 1)))
+ return -1;
+
+ /* This logic "mimics" KLIPS: first algo implementation will be used */
+ if (alg_p->sadb_alg_id)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_add(): discarding already setup "
+ "satype=%d, exttype=%d, alg_id=%d",
+ satype, exttype, sadb_alg->sadb_alg_id)
+ )
+ return 0;
+ }
+ *alg_p = *sadb_alg;
+ return 1;
+}
+
+bool
+kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
+ struct alg_info_esp *alg_info __attribute__((unused)))
+{
+ struct sadb_alg *alg_p = NULL;
+
+ /*
+ * test #1: encrypt algo must be present
+ */
+ int ret = ESP_EALG_PRESENT(alg_id);
+ if (!ret) goto out;
+
+ alg_p = &esp_ealg[alg_id];
+
+ /*
+ * test #2: if key_len specified, it must be in range
+ */
+ if (key_len
+ && (key_len < alg_p->sadb_alg_minbits || key_len > alg_p->sadb_alg_maxbits))
+ {
+ plog("kernel_alg_db_add() key_len not in range: alg_id=%d, "
+ "key_len=%d, alg_minbits=%d, alg_maxbits=%d"
+ , alg_id, key_len
+ , alg_p->sadb_alg_minbits
+ , alg_p->sadb_alg_maxbits);
+ ret = FALSE;
+ }
+
+out:
+ if (ret)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
+ "alg_id=%d, "
+ "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+ "res=%d, ret=%d"
+ , alg_id, key_len
+ , alg_p->sadb_alg_id
+ , alg_p->sadb_alg_ivlen
+ , alg_p->sadb_alg_minbits
+ , alg_p->sadb_alg_maxbits
+ , alg_p->sadb_alg_reserved
+ , ret);
+ )
+ }
+ else
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
+ )
+ }
+ return ret;
+}
+
+/*
+ * ML: make F_STRICT logic consider enc,auth algorithms
+ */
+#ifndef NO_PLUTO
+bool
+kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struct alg_info_esp *alg_info)
+{
+ int ealg_insecure;
+
+ /*
+ * key_len passed comes from esp_attrs read from peer
+ * For many older algoritms (eg 3DES) this key_len is fixed
+ * and get passed as 0.
+ * ... then get default key_len
+ */
+ if (key_len == 0)
+ key_len = kernel_alg_esp_enc_keylen(ealg) * BITS_PER_BYTE;
+
+ /*
+ * simple test to toss low key_len, will accept it only
+ * if specified in "esp" string
+ */
+ ealg_insecure = (key_len < 128) ;
+
+ if (ealg_insecure
+ || (alg_info && alg_info->alg_info_flags & ALG_INFO_F_STRICT))
+ {
+ int i;
+ struct esp_info *esp_info;
+
+ if (alg_info)
+ {
+ ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
+ {
+ if (esp_info->esp_ealg_id == ealg
+ && (esp_info->esp_ealg_keylen == 0 || key_len == 0
+ || esp_info->esp_ealg_keylen == key_len)
+ && esp_info->esp_aalg_id == aalg)
+ {
+ if (ealg_insecure)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "You should NOT use insecure ESP algorithms [%s (%d)]!"
+ , enum_name(&esp_transformid_names, ealg), key_len);
+ }
+ return TRUE;
+ }
+ }
+ }
+ plog("IPSec Transform [%s (%d), %s] refused due to %s",
+ enum_name(&esp_transformid_names, ealg), key_len,
+ enum_name(&auth_alg_names, aalg),
+ ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
+ return FALSE;
+ }
+ return TRUE;
+}
+#endif /* NO_PLUTO */
+
+/*
+ * Load kernel_alg arrays from /proc
+ * used in manual mode from klips/utils/spi.c
+ */
+int
+kernel_alg_proc_read(void)
+{
+ int satype;
+ int supp_exttype;
+ int alg_id, ivlen, minbits, maxbits;
+ struct sadb_alg sadb_alg;
+ int ret;
+ char buf[128];
+
+ FILE *fp=fopen("/proc/net/pf_key_supported", "r");
+
+ if (!fp)
+ return -1;
+
+ kernel_alg_init();
+
+ while (fgets(buf, sizeof(buf), fp))
+ {
+ if (buf[0] != ' ') /* skip titles */
+ continue;
+
+ sscanf(buf, "%d %d %d %d %d %d"
+ ,&satype, &supp_exttype
+ , &alg_id, &ivlen
+ , &minbits, &maxbits);
+
+ switch (satype)
+ {
+ case SADB_SATYPE_ESP:
+ switch(supp_exttype)
+ {
+ case SADB_EXT_SUPPORTED_AUTH:
+ case SADB_EXT_SUPPORTED_ENCRYPT:
+ sadb_alg.sadb_alg_id = alg_id;
+ sadb_alg.sadb_alg_ivlen = ivlen;
+ sadb_alg.sadb_alg_minbits = minbits;
+ sadb_alg.sadb_alg_maxbits = maxbits;
+ ret = kernel_alg_add(satype, supp_exttype, &sadb_alg);
+ DBG(DBG_CRYPT,
+ DBG_log("kernel_alg_proc_read() alg_id=%d, "
+ "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+ "ret=%d"
+ , sadb_alg.sadb_alg_id
+ , sadb_alg.sadb_alg_ivlen
+ , sadb_alg.sadb_alg_minbits
+ , sadb_alg.sadb_alg_maxbits
+ , ret)
+ )
+ }
+ default:
+ continue;
+ }
+ }
+ fclose(fp);
+ return 0;
+}
+
+/*
+ * Load kernel_alg arrays pluto's SADB_REGISTER
+ * user by pluto/kernel.c
+ */
+
+void
+kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
+{
+ /* Trick: one 'type-mangle-able' pointer to ease offset/assign */
+ union {
+ const struct sadb_msg *msg;
+ const struct sadb_supported *supported;
+ const struct sadb_ext *ext;
+ const struct sadb_alg *alg;
+ const char *ch;
+ } sadb;
+
+ int satype;
+ int msglen;
+ int i = 0;
+
+ /* Initialize alg arrays */
+ kernel_alg_init();
+ satype = msg_buf->sadb_msg_satype;
+ sadb.msg = msg_buf;
+ msglen = sadb.msg->sadb_msg_len*IPSEC_PFKEYv2_ALIGN;
+ msglen -= sizeof(struct sadb_msg);
+ buflen -= sizeof(struct sadb_msg);
+ passert(buflen > 0);
+
+ sadb.msg++;
+
+ while(msglen)
+ {
+ int supp_exttype = sadb.supported->sadb_supported_exttype;
+ int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
+
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
+ "sadb_msg_len=%d sadb_supported_len=%d"
+ , satype==SADB_SATYPE_ESP? "ESP" : "AH"
+ , msg_buf->sadb_msg_len, supp_len)
+ )
+ sadb.supported++;
+ msglen -= supp_len;
+ buflen -= supp_len;
+ passert(buflen >= 0);
+
+ for (supp_len -= sizeof(struct sadb_supported);
+ supp_len;
+ supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
+ {
+ int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
+
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
+ "alg[%d], exttype=%d, satype=%d, alg_id=%d, "
+ "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
+ "res=%d, ret=%d"
+ , satype==SADB_SATYPE_ESP? "ESP" : "AH"
+ , i
+ , supp_exttype
+ , satype
+ , sadb.alg->sadb_alg_id
+ , sadb.alg->sadb_alg_ivlen
+ , sadb.alg->sadb_alg_minbits
+ , sadb.alg->sadb_alg_maxbits
+ , sadb.alg->sadb_alg_reserved
+ , ret)
+ )
+ }
+ }
+}
+
+u_int
+kernel_alg_esp_enc_keylen(u_int alg_id)
+{
+ u_int keylen = 0;
+
+ if (!ESP_EALG_PRESENT(alg_id))
+ goto none;
+
+ keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
+
+ switch (alg_id)
+ {
+ /*
+ * this is veryUgly[TM]
+ * Peer should have sent KEY_LENGTH attribute for ESP_AES
+ * but if not do force it to 128 instead of using sadb_alg_maxbits
+ * from kernel.
+ */
+ case ESP_AES:
+ keylen = 128/BITS_PER_BYTE;
+ break;
+ }
+
+none:
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_esp_enc_keylen():"
+ "alg_id=%d, keylen=%d",
+ alg_id, keylen)
+ )
+ return keylen;
+}
+
+struct sadb_alg *
+kernel_alg_esp_sadb_alg(u_int alg_id)
+{
+ struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
+ ? &esp_ealg[alg_id] : NULL;
+
+ DBG(DBG_KLIPS,
+ DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
+ , alg_id, sadb_alg)
+ )
+ return sadb_alg;
+}
+
+#ifndef NO_PLUTO
+void kernel_alg_list(void)
+{
+ u_int sadb_id;
+
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of registered ESP Encryption Algorithms:");
+ whack_log(RC_COMMENT, " ");
+
+ for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++)
+ {
+ if (ESP_EALG_PRESENT(sadb_id))
+ {
+ struct sadb_alg *alg_p = &esp_ealg[sadb_id];
+
+ whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d"
+ , sadb_id
+ , enum_name(&esp_transformid_names, sadb_id)
+ , alg_p->sadb_alg_ivlen
+ , alg_p->sadb_alg_minbits
+ , alg_p->sadb_alg_maxbits
+ );
+ }
+ }
+
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of registered ESP Authentication Algorithms:");
+ whack_log(RC_COMMENT, " ");
+
+ for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++)
+ {
+ if (ESP_AALG_PRESENT(sadb_id))
+ {
+ u_int aaid = alg_info_esp_sadb2aa(sadb_id);
+ struct sadb_alg *alg_p = &esp_aalg[sadb_id];
+
+ whack_log(RC_COMMENT, "#%-5d %s, keylen: %d-%d"
+ , aaid
+ , enum_name(&auth_alg_names, aaid)
+ , alg_p->sadb_alg_minbits
+ , alg_p->sadb_alg_maxbits
+ );
+ }
+ }
+}
+
+void
+kernel_alg_show_connection(struct connection *c, const char *instance)
+{
+ char buf[256];
+ struct state *st;
+
+ if (c->alg_info_esp)
+ {
+ alg_info_snprint(buf, sizeof(buf), (struct alg_info *)c->alg_info_esp);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: ESP algorithms wanted: %s"
+ , c->name
+ , instance
+ , buf);
+ }
+ if (c->alg_info_esp)
+ {
+ alg_info_snprint_esp(buf, sizeof(buf), c->alg_info_esp);
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: ESP algorithms loaded: %s"
+ , c->name
+ , instance
+ , buf);
+ }
+ st = state_with_serialno(c->newest_ipsec_sa);
+ if (st && st->st_esp.present)
+ whack_log(RC_COMMENT
+ , "\"%s\"%s: ESP algorithm newest: %s_%d-%s; pfsgroup=%s"
+ , c->name
+ , instance
+ , enum_show(&esp_transformid_names, st->st_esp.attrs.transid)
+ +4 /* strlen("ESP_") */
+ , st->st_esp.attrs.key_len
+ , enum_show(&auth_alg_names, st->st_esp.attrs.auth)+
+ +15 /* strlen("AUTH_ALGORITHM_") */
+ , c->policy & POLICY_PFS ?
+ c->alg_info_esp->esp_pfsgroup ?
+ enum_show(&oakley_group_names,
+ c->alg_info_esp->esp_pfsgroup)
+ +13 /*strlen("OAKLEY_GROUP_")*/
+ : "<Phase1>"
+ : "<N/A>"
+ );
+}
+#endif /* NO_PLUTO */
+
+bool
+kernel_alg_esp_auth_ok(u_int auth,
+ struct alg_info_esp *alg_info __attribute__((unused)))
+{
+ return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
+}
+
+u_int
+kernel_alg_esp_auth_keylen(u_int auth)
+{
+ u_int sadb_aalg = alg_info_esp_aa2sadb(auth);
+
+ u_int a_keylen = (sadb_aalg)
+ ? esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE
+ : 0;
+
+ DBG(DBG_CONTROL | DBG_CRYPT | DBG_PARSING,
+ DBG_log("kernel_alg_esp_auth_keylen(auth=%d, sadb_aalg=%d): "
+ "a_keylen=%d", auth, sadb_aalg, a_keylen)
+ )
+ return a_keylen;
+}
+
+struct esp_info *
+kernel_alg_esp_info(int transid, int auth)
+{
+ int sadb_aalg, sadb_ealg;
+ static struct esp_info ei_buf;
+
+ sadb_ealg = transid;
+ sadb_aalg = alg_info_esp_aa2sadb(auth);
+
+ if (!ESP_EALG_PRESENT(sadb_ealg))
+ goto none;
+ if (!ESP_AALG_PRESENT(sadb_aalg))
+ goto none;
+
+ memset(&ei_buf, 0, sizeof (ei_buf));
+ ei_buf.transid = transid;
+ ei_buf.auth = auth;
+
+ /* don't return "default" keylen because this value is used from
+ * setup_half_ipsec_sa() to "validate" keylen
+ * In effect, enckeylen will be used as "max" value
+ */
+ ei_buf.enckeylen = esp_ealg[sadb_ealg].sadb_alg_maxbits/BITS_PER_BYTE;
+ ei_buf.authkeylen = esp_aalg[sadb_aalg].sadb_alg_maxbits/BITS_PER_BYTE;
+ ei_buf.encryptalg = sadb_ealg;
+ ei_buf.authalg = sadb_aalg;
+
+ DBG(DBG_PARSING,
+ DBG_log("kernel_alg_esp_info():"
+ "transid=%d, auth=%d, ei=%p, "
+ "enckeylen=%d, authkeylen=%d, encryptalg=%d, authalg=%d",
+ transid, auth, &ei_buf,
+ (int)ei_buf.enckeylen, (int)ei_buf.authkeylen,
+ ei_buf.encryptalg, ei_buf.authalg)
+ )
+ return &ei_buf;
+
+none:
+ DBG(DBG_PARSING,
+ DBG_log("kernel_alg_esp_info():"
+ "transid=%d, auth=%d, ei=NULL",
+ transid, auth)
+ )
+ return NULL;
+}
+
+#ifndef NO_PLUTO
+static void
+kernel_alg_policy_algorithms(struct esp_info *esp_info)
+{
+ u_int ealg_id = esp_info->esp_ealg_id;
+
+ switch(ealg_id)
+ {
+ case 0:
+ case ESP_DES:
+ case ESP_3DES:
+ case ESP_NULL:
+ case ESP_CAST:
+ break;
+ default:
+ if (!esp_info->esp_ealg_keylen)
+ {
+ /* algos that need KEY_LENGTH
+ *
+ * Note: this is a very dirty hack ;-)
+ * Idea: Add a key_length_needed attribute to
+ * esp_ealg ??
+ */
+ esp_info->esp_ealg_keylen = esp_ealg[ealg_id].sadb_alg_maxbits;
+ }
+ }
+}
+
+static bool
+kernel_alg_db_add(struct db_context *db_ctx, struct esp_info *esp_info, lset_t policy)
+{
+ u_int ealg_id, aalg_id;
+
+ ealg_id = esp_info->esp_ealg_id;
+
+ if (!ESP_EALG_PRESENT(ealg_id))
+ {
+ DBG_log("kernel_alg_db_add() kernel enc ealg_id=%d not present", ealg_id);
+ return FALSE;
+ }
+
+ if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */
+ {
+ aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
+
+ if (!ESP_AALG_PRESENT(aalg_id))
+ {
+ DBG_log("kernel_alg_db_add() kernel auth "
+ "aalg_id=%d not present", aalg_id);
+ return FALSE;
+ }
+ }
+
+ /* do algo policy */
+ kernel_alg_policy_algorithms(esp_info);
+
+ /* open new transformation */
+ db_trans_add(db_ctx, ealg_id);
+
+ /* add ESP auth attr */
+ if (!(policy & POLICY_AUTHENTICATE))
+ db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+
+ /* add keylegth if specified in esp= string */
+ if (esp_info->esp_ealg_keylen)
+ db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
+
+ return TRUE;
+}
+
+/*
+ * Create proposal with runtime kernel algos, merging
+ * with passed proposal if not NULL
+ *
+ * for now this function does free() previous returned
+ * malloced pointer (this quirk allows easier spdb.c change)
+ */
+struct db_context *
+kernel_alg_db_new(struct alg_info_esp *alg_info, lset_t policy )
+{
+ const struct esp_info *esp_info;
+ struct esp_info tmp_esp_info;
+ struct db_context *ctx_new=NULL;
+ struct db_trans *t;
+ struct db_prop *prop;
+ u_int trans_cnt;
+ int tn = 0;
+
+ if (!(policy & POLICY_ENCRYPT)) /* not possible, I think */
+ return NULL;
+
+ trans_cnt = esp_ealg_num * esp_aalg_num;
+ DBG(DBG_EMITTING,
+ DBG_log("kernel_alg_db_prop_new() initial trans_cnt=%d"
+ , trans_cnt)
+ )
+
+ /* pass aprox. number of transforms and attributes */
+ ctx_new = db_prop_new(PROTO_IPSEC_ESP, trans_cnt, trans_cnt * 2);
+
+ /*
+ * Loop: for each element (struct esp_info) of alg_info,
+ * if kernel support is present then build the transform (and attrs)
+ * if NULL alg_info, propose everything ...
+ */
+
+ if (alg_info)
+ {
+ int i;
+
+ ALG_INFO_ESP_FOREACH(alg_info, esp_info, i)
+ {
+ tmp_esp_info = *esp_info;
+ kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+ }
+ }
+ else
+ {
+ u_int ealg_id;
+
+ ESP_EALG_FOR_EACH_UPDOWN(ealg_id)
+ {
+ u_int aalg_id;
+
+ tmp_esp_info.esp_ealg_id = ealg_id;
+ tmp_esp_info.esp_ealg_keylen = 0;
+
+ for (aalg_id = 1; aalg_id <= SADB_AALG_MAX; aalg_id++)
+ {
+ if (ESP_AALG_PRESENT(aalg_id))
+ {
+ tmp_esp_info.esp_aalg_id = alg_info_esp_sadb2aa(aalg_id);
+ tmp_esp_info.esp_aalg_keylen = 0;
+ kernel_alg_db_add(ctx_new, &tmp_esp_info, policy);
+ }
+ }
+ }
+ }
+
+ prop = db_prop_get(ctx_new);
+
+ DBG(DBG_CONTROL|DBG_EMITTING,
+ DBG_log("kernel_alg_db_prop_new() "
+ "will return p_new->protoid=%d, p_new->trans_cnt=%d"
+ , prop->protoid, prop->trans_cnt)
+ )
+
+ for (t = prop->trans, tn = 0; tn < prop->trans_cnt; tn++)
+ {
+ DBG(DBG_CONTROL|DBG_EMITTING,
+ DBG_log("kernel_alg_db_prop_new() "
+ " trans[%d]: transid=%d, attr_cnt=%d, "
+ "attrs[0].type=%d, attrs[0].val=%d"
+ , tn
+ , t[tn].transid, t[tn].attr_cnt
+ , t[tn].attrs[0].type, t[tn].attrs[0].val)
+ )
+ }
+ return ctx_new;
+}
+#endif /* NO_PLUTO */
diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
new file mode 100644
index 000000000..483e97da1
--- /dev/null
+++ b/src/pluto/kernel_alg.h
@@ -0,0 +1,46 @@
+/* Kernel runtime algorithm handling interface definitions
+ * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_alg.h,v 1.5 2005/08/17 16:31:24 as Exp $
+ */
+
+#ifndef _KERNEL_ALG_H
+#define _KERNEL_ALG_H
+
+#include "alg_info.h"
+#include "spdb.h"
+
+/* status info */
+extern void kernel_alg_show_status(void);
+void kernel_alg_show_connection(struct connection *c, const char *instance);
+
+/* Registration messages from pluto */
+extern void kernel_alg_register_pfkey(const struct sadb_msg *msg, int buflen);
+
+/* ESP interface */
+extern struct sadb_alg *kernel_alg_esp_sadb_alg(u_int alg_id);
+extern u_int kernel_alg_esp_ivlen(u_int alg_id);
+extern bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len, struct alg_info_esp *nfo);
+extern bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struct alg_info_esp *alg_info);
+extern u_int kernel_alg_esp_enc_keylen(u_int alg_id);
+extern bool kernel_alg_esp_auth_ok(u_int auth, struct alg_info_esp *nfo);
+extern u_int kernel_alg_esp_auth_keylen(u_int auth);
+extern int kernel_alg_proc_read(void);
+extern void kernel_alg_list(void);
+
+/* get sadb_alg for passed args */
+extern const struct sadb_alg * kernel_alg_sadb_alg_get(int satype, int exttype, int alg_id);
+
+extern struct db_context * kernel_alg_db_new(struct alg_info_esp *ai, lset_t policy);
+struct esp_info * kernel_alg_esp_info(int esp_id, int auth_id);
+#endif /* _KERNEL_ALG_H */
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
new file mode 100644
index 000000000..1947ddbac
--- /dev/null
+++ b/src/pluto/kernel_netlink.c
@@ -0,0 +1,1219 @@
+/* netlink interface to the kernel's IPsec mechanism
+ * Copyright (C) 2003 Herbert Xu.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_netlink.c,v 1.24 2006/03/10 14:49:43 as Exp $
+ */
+
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <unistd.h>
+
+#include "kameipsec.h"
+#include "linux26/rtnetlink.h"
+#include "linux26/xfrm.h"
+
+#include <freeswan.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "kernel.h"
+#include "kernel_netlink.h"
+#include "kernel_pfkey.h"
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+#include "kernel_alg.h"
+
+/* Minimum priority number in SPD used by pluto. */
+#define MIN_SPD_PRIORITY 1024
+
+static int netlinkfd = NULL_FD;
+static int netlink_bcast_fd = NULL_FD;
+
+#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
+
+static sparse_names xfrm_type_names = {
+ NE(NLMSG_NOOP),
+ NE(NLMSG_ERROR),
+ NE(NLMSG_DONE),
+ NE(NLMSG_OVERRUN),
+
+ NE(XFRM_MSG_NEWSA),
+ NE(XFRM_MSG_DELSA),
+ NE(XFRM_MSG_GETSA),
+
+ NE(XFRM_MSG_NEWPOLICY),
+ NE(XFRM_MSG_DELPOLICY),
+ NE(XFRM_MSG_GETPOLICY),
+
+ NE(XFRM_MSG_ALLOCSPI),
+ NE(XFRM_MSG_ACQUIRE),
+ NE(XFRM_MSG_EXPIRE),
+
+ NE(XFRM_MSG_UPDPOLICY),
+ NE(XFRM_MSG_UPDSA),
+
+ NE(XFRM_MSG_POLEXPIRE),
+
+ NE(XFRM_MSG_MAX),
+
+ { 0, sparse_end }
+};
+
+#undef NE
+
+/* Authentication algorithms */
+static sparse_names aalg_list = {
+ { SADB_X_AALG_NULL, "digest_null" },
+ { SADB_AALG_MD5_HMAC, "md5" },
+ { SADB_AALG_SHA1_HMAC, "sha1" },
+ { SADB_AALG_SHA2_256_HMAC, "sha256" },
+ { SADB_AALG_SHA2_384_HMAC, "sha384" },
+ { SADB_AALG_SHA2_512_HMAC, "sha512" },
+ { SADB_AALG_RIPEMD_160_HMAC, "ripemd160" },
+ { SADB_X_AALG_NULL, "null" },
+ { 0, sparse_end }
+};
+
+/* Encryption algorithms */
+static sparse_names ealg_list = {
+ { SADB_EALG_NULL, "cipher_null" },
+ { SADB_EALG_DES_CBC, "des" },
+ { SADB_EALG_3DES_CBC, "des3_ede" },
+ { SADB_EALG_IDEA_CBC, "idea" },
+ { SADB_EALG_CAST_CBC, "cast128" },
+ { SADB_EALG_BLOWFISH_CBC, "blowfish" },
+ { SADB_EALG_AES_CBC, "aes" },
+ { SADB_X_EALG_SERPENT_CBC, "serpent" },
+ { SADB_X_EALG_TWOFISH_CBC, "twofish" },
+ { 0, sparse_end }
+};
+
+/* Compression algorithms */
+static sparse_names calg_list = {
+ { SADB_X_CALG_DEFLATE, "deflate" },
+ { SADB_X_CALG_LZS, "lzs" },
+ { SADB_X_CALG_LZJH, "lzjh" },
+ { 0, sparse_end }
+};
+
+/** ip2xfrm - Take an IP address and convert to an xfrm.
+ *
+ * @param addr ip_address
+ * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
+ */
+static void
+ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
+{
+ if (addr->u.v4.sin_family == AF_INET)
+ {
+ xaddr->a4 = addr->u.v4.sin_addr.s_addr;
+ }
+ else
+ {
+ memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6));
+ }
+}
+
+/** init_netlink - Initialize the netlink inferface. Opens the sockets and
+ * then binds to the broadcast socket.
+ */
+static void
+init_netlink(void)
+{
+ struct sockaddr_nl addr;
+
+ netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
+
+ if (netlinkfd < 0)
+ exit_log_errno((e, "socket() in init_netlink()"));
+
+ if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
+ exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
+
+ netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
+
+ if (netlink_bcast_fd < 0)
+ exit_log_errno((e, "socket() for bcast in init_netlink()"));
+
+ if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
+ exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
+
+ if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
+ exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
+
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pid = getpid();
+ addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
+ if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+ exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
+}
+
+/** send_netlink_msg
+ *
+ * @param hdr - Data to be sent.
+ * @param rbuf - Return Buffer - contains data returned from the send.
+ * @param rbuf_len - Length of rbuf
+ * @param description - String - user friendly description of what is
+ * being attempted. Used for diagnostics
+ * @param text_said - String
+ * @return bool True if the message was succesfully sent.
+ */
+static bool
+send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
+, const char *description, const char *text_said)
+{
+ struct {
+ struct nlmsghdr n;
+ struct nlmsgerr e;
+ char data[1024];
+ } rsp;
+
+ size_t len;
+ ssize_t r;
+ struct sockaddr_nl addr;
+ static uint32_t seq;
+
+ if (no_klips)
+ {
+ return TRUE;
+ }
+
+ hdr->nlmsg_seq = ++seq;
+ len = hdr->nlmsg_len;
+ do {
+ r = write(netlinkfd, hdr, len);
+ } while (r < 0 && errno == EINTR);
+ if (r < 0)
+ {
+ log_errno((e
+ , "netlink write() of %s message"
+ " for %s %s failed"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said));
+ return FALSE;
+ }
+ else if ((size_t)r != len)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: netlink write() of %s message"
+ " for %s %s truncated: %ld instead of %lu"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said
+ , (long)r, (unsigned long)len);
+ return FALSE;
+ }
+
+ for (;;) {
+ socklen_t alen;
+
+ alen = sizeof(addr);
+ r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0
+ , (struct sockaddr *)&addr, &alen);
+ if (r < 0)
+ {
+ if (errno == EINTR)
+ {
+ continue;
+ }
+ log_errno((e
+ , "netlink recvfrom() of response to our %s message"
+ " for %s %s failed"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said));
+ return FALSE;
+ }
+ else if ((size_t) r < sizeof(rsp.n))
+ {
+ plog("netlink read truncated message: %ld bytes; ignore message"
+ , (long) r);
+ continue;
+ }
+ else if (addr.nl_pid != 0)
+ {
+ /* not for us: ignore */
+ DBG(DBG_KLIPS,
+ DBG_log("netlink: ignoring %s message from process %u"
+ , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
+ , addr.nl_pid));
+ continue;
+ }
+ else if (rsp.n.nlmsg_seq != seq)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("netlink: ignoring out of sequence (%u/%u) message %s"
+ , rsp.n.nlmsg_seq, seq
+ , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
+ continue;
+ }
+ break;
+ }
+
+ if (rsp.n.nlmsg_len > (size_t) r)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "netlink recvfrom() of response to our %s message"
+ " for %s %s was truncated: %ld instead of %lu"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said
+ , (long) len, (unsigned long) rsp.n.nlmsg_len);
+ return FALSE;
+ }
+ else if (rsp.n.nlmsg_type != NLMSG_ERROR
+ && (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "netlink recvfrom() of response to our %s message"
+ " for %s %s was of wrong type (%s)"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said
+ , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type));
+ return FALSE;
+ }
+ else if (rbuf)
+ {
+ if ((size_t) r > rbuf_len)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "netlink recvfrom() of response to our %s message"
+ " for %s %s was too long: %ld > %lu"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , description, text_said
+ , (long)r, (unsigned long)rbuf_len);
+ return FALSE;
+ }
+ memcpy(rbuf, &rsp, r);
+ return TRUE;
+ }
+ else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: netlink response for %s %s included errno %d: %s"
+ , description, text_said
+ , -rsp.e.error
+ , strerror(-rsp.e.error));
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/** netlink_policy -
+ *
+ * @param hdr - Data to check
+ * @param enoent_ok - Boolean - OK or not OK.
+ * @param text_said - String
+ * @return boolean
+ */
+static bool
+netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
+{
+ struct {
+ struct nlmsghdr n;
+ struct nlmsgerr e;
+ } rsp;
+ int error;
+
+ rsp.n.nlmsg_type = NLMSG_ERROR;
+ if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said))
+ {
+ return FALSE;
+ }
+
+ error = -rsp.e.error;
+ if (!error)
+ {
+ return TRUE;
+ }
+
+ if (error == ENOENT && enoent_ok)
+ {
+ return TRUE;
+ }
+
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: netlink %s response for flow %s included errno %d: %s"
+ , sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
+ , text_said
+ , error
+ , strerror(error));
+ return FALSE;
+}
+
+/** netlink_raw_eroute
+ *
+ * @param this_host ip_address
+ * @param this_client ip_subnet
+ * @param that_host ip_address
+ * @param that_client ip_subnet
+ * @param spi
+ * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...)
+ * @param transport_proto int (Currently unused) 0=tunnel, 1=transport
+ * @param satype int
+ * @param proto_info
+ * @param lifetime (Currently unused)
+ * @param ip int
+ * @return boolean True if successful
+ */
+static bool
+netlink_raw_eroute(const ip_address *this_host
+ , const ip_subnet *this_client
+ , const ip_address *that_host
+ , const ip_subnet *that_client
+ , ipsec_spi_t spi
+ , unsigned int satype
+ , unsigned int transport_proto
+ , const struct pfkey_proto_info *proto_info
+ , time_t use_lifetime UNUSED
+ , unsigned int op
+ , const char *text_said)
+{
+ struct {
+ struct nlmsghdr n;
+ union {
+ struct xfrm_userpolicy_info p;
+ struct xfrm_userpolicy_id id;
+ } u;
+ char data[1024];
+ } req;
+ int shift;
+ int dir;
+ int family;
+ int policy;
+ bool ok;
+ bool enoent_ok;
+
+ policy = IPSEC_POLICY_IPSEC;
+
+ if (satype == SADB_X_SATYPE_INT)
+ {
+ /* shunt route */
+ switch (ntohl(spi))
+ {
+ case SPI_PASS:
+ policy = IPSEC_POLICY_NONE;
+ break;
+ case SPI_DROP:
+ case SPI_REJECT:
+ default:
+ policy = IPSEC_POLICY_DISCARD;
+ break;
+ case SPI_TRAP:
+ case SPI_TRAPSUBNET:
+ case SPI_HOLD:
+ if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+ {
+ return TRUE;
+ }
+ break;
+ }
+ }
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+
+ family = that_client->addr.u.v4.sin_family;
+ shift = (family == AF_INET) ? 5 : 7;
+
+ req.u.p.sel.sport = portof(&this_client->addr);
+ req.u.p.sel.dport = portof(&that_client->addr);
+ req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0;
+ req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0;
+ ip2xfrm(&this_client->addr, &req.u.p.sel.saddr);
+ ip2xfrm(&that_client->addr, &req.u.p.sel.daddr);
+ req.u.p.sel.prefixlen_s = this_client->maskbits;
+ req.u.p.sel.prefixlen_d = that_client->maskbits;
+ req.u.p.sel.proto = transport_proto;
+ req.u.p.sel.family = family;
+
+ dir = XFRM_POLICY_OUT;
+ if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+ {
+ dir = XFRM_POLICY_IN;
+ }
+
+ if ((op & ERO_MASK) == ERO_DELETE)
+ {
+ req.u.id.dir = dir;
+ req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id)));
+ }
+ else
+ {
+ int src, dst;
+
+ req.u.p.dir = dir;
+
+ src = req.u.p.sel.prefixlen_s;
+ dst = req.u.p.sel.prefixlen_d;
+ if (dir != XFRM_POLICY_OUT) {
+ src = req.u.p.sel.prefixlen_d;
+ dst = req.u.p.sel.prefixlen_s;
+ }
+ req.u.p.priority = MIN_SPD_PRIORITY
+ + (((2 << shift) - src) << shift)
+ + (2 << shift) - dst;
+
+ req.u.p.action = XFRM_POLICY_ALLOW;
+ if (policy == IPSEC_POLICY_DISCARD)
+ {
+ req.u.p.action = XFRM_POLICY_BLOCK;
+ }
+ req.u.p.lft.soft_use_expires_seconds = use_lifetime;
+ req.u.p.lft.soft_byte_limit = XFRM_INF;
+ req.u.p.lft.soft_packet_limit = XFRM_INF;
+ req.u.p.lft.hard_byte_limit = XFRM_INF;
+ req.u.p.lft.hard_packet_limit = XFRM_INF;
+
+ req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+ if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
+ {
+ req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
+ }
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
+ }
+
+ if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE)
+ {
+ struct rtattr *attr;
+ struct xfrm_user_tmpl tmpl[4];
+ int i;
+
+ memset(tmpl, 0, sizeof(tmpl));
+ for (i = 0; proto_info[i].proto; i++)
+ {
+ tmpl[i].reqid = proto_info[i].reqid;
+ tmpl[i].id.proto = proto_info[i].proto;
+ tmpl[i].optional =
+ proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
+ tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
+ tmpl[i].mode =
+ proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
+
+ if (!tmpl[i].mode)
+ {
+ continue;
+ }
+
+ ip2xfrm(this_host, &tmpl[i].saddr);
+ ip2xfrm(that_host, &tmpl[i].id.daddr);
+ }
+
+ attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
+ attr->rta_type = XFRMA_TMPL;
+ attr->rta_len = i * sizeof(tmpl[0]);
+ memcpy(RTA_DATA(attr), tmpl, attr->rta_len);
+ attr->rta_len = RTA_LENGTH(attr->rta_len);
+ req.n.nlmsg_len += attr->rta_len;
+ }
+
+ enoent_ok = FALSE;
+ if (op == ERO_DEL_INBOUND)
+ {
+ enoent_ok = TRUE;
+ }
+ else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD)
+ {
+ enoent_ok = TRUE;
+ }
+
+ ok = netlink_policy(&req.n, enoent_ok, text_said);
+ switch (dir)
+ {
+ case XFRM_POLICY_IN:
+ if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY)
+ {
+ req.u.id.dir = XFRM_POLICY_FWD;
+ }
+ else if (!ok)
+ {
+ break;
+ }
+ else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL
+ && satype != SADB_X_SATYPE_INT)
+ {
+ break;
+ }
+ else
+ {
+ req.u.p.dir = XFRM_POLICY_FWD;
+ }
+ ok &= netlink_policy(&req.n, enoent_ok, text_said);
+ break;
+ }
+
+ return ok;
+}
+
+/** netlink_add_sa - Add an SA into the kernel SPDB via netlink
+ *
+ * @param sa Kernel SA to add/modify
+ * @param replace boolean - true if this replaces an existing SA
+ * @return bool True if successfull
+ */
+static bool
+netlink_add_sa(const struct kernel_sa *sa, bool replace)
+{
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_usersa_info p;
+ char data[1024];
+ } req;
+ struct rtattr *attr;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+
+ ip2xfrm(sa->src, &req.p.saddr);
+ ip2xfrm(sa->dst, &req.p.id.daddr);
+
+ req.p.id.spi = sa->spi;
+ req.p.id.proto = satype2proto(sa->satype);
+ req.p.family = sa->src->u.v4.sin_family;
+ req.p.mode = (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL);
+ req.p.replay_window = sa->replay_window;
+ req.p.reqid = sa->reqid;
+ req.p.lft.soft_byte_limit = XFRM_INF;
+ req.p.lft.soft_packet_limit = XFRM_INF;
+ req.p.lft.hard_byte_limit = XFRM_INF;
+ req.p.lft.hard_packet_limit = XFRM_INF;
+
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
+
+ attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
+
+ if (sa->authalg)
+ {
+ struct xfrm_algo algo;
+ const char *name;
+
+ name = sparse_name(aalg_list, sa->authalg);
+ if (!name) {
+ loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
+ , sa->authalg);
+ return FALSE;
+ }
+
+ strcpy(algo.alg_name, name);
+ algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+
+ attr->rta_type = XFRMA_ALG_AUTH;
+ attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+ memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+ memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+ , sa->authkeylen);
+
+ req.n.nlmsg_len += attr->rta_len;
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
+
+ if (sa->encalg)
+ {
+ struct xfrm_algo algo;
+ const char *name;
+
+ name = sparse_name(ealg_list, sa->encalg);
+ if (!name) {
+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
+ , sa->encalg);
+ return FALSE;
+ }
+
+ strcpy(algo.alg_name, name);
+ algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+
+ attr->rta_type = XFRMA_ALG_CRYPT;
+ attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
+
+ memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+ memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
+ , sa->enckeylen);
+
+ req.n.nlmsg_len += attr->rta_len;
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
+
+ if (sa->compalg)
+ {
+ struct xfrm_algo algo;
+ const char *name;
+
+ name = sparse_name(calg_list, sa->compalg);
+ if (!name) {
+ loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
+ , sa->compalg);
+ return FALSE;
+ }
+
+ strcpy(algo.alg_name, name);
+ algo.alg_key_len = 0;
+
+ attr->rta_type = XFRMA_ALG_COMP;
+ attr->rta_len = RTA_LENGTH(sizeof(algo));
+
+ memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+
+ req.n.nlmsg_len += attr->rta_len;
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
+
+ if (sa->natt_type)
+ {
+ struct xfrm_encap_tmpl natt;
+
+ natt.encap_type = sa->natt_type;
+ natt.encap_sport = ntohs(sa->natt_sport);
+ natt.encap_dport = ntohs(sa->natt_dport);
+ memset (&natt.encap_oa, 0, sizeof (natt.encap_oa));
+
+ attr->rta_type = XFRMA_ENCAP;
+ attr->rta_len = RTA_LENGTH(sizeof(natt));
+
+ memcpy(RTA_DATA(attr), &natt, sizeof(natt));
+
+ req.n.nlmsg_len += attr->rta_len;
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
+
+ return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
+}
+
+/** netlink_del_sa - Delete an SA from the Kernel
+ *
+ * @param sa Kernel SA to be deleted
+ * @return bool True if successfull
+ */
+static bool
+netlink_del_sa(const struct kernel_sa *sa)
+{
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_usersa_id id;
+ char data[1024];
+ } req;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ req.n.nlmsg_type = XFRM_MSG_DELSA;
+
+ ip2xfrm(sa->dst, &req.id.daddr);
+
+ req.id.spi = sa->spi;
+ req.id.family = sa->src->u.v4.sin_family;
+ req.id.proto = sa->proto;
+
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+
+ return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
+}
+
+static bool
+netlink_error(const char *req_type, const struct nlmsghdr *n
+, const struct nlmsgerr *e, int rsp_size)
+{
+ if (n->nlmsg_type == NLMSG_ERROR)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("%s returned with errno %d: %s"
+ , req_type
+ , -e->error
+ , strerror(-e->error))
+ )
+ return TRUE;
+ }
+ if (n->nlmsg_len < NLMSG_LENGTH(rsp_size))
+ {
+ plog("%s returned message with length %lu < %lu bytes"
+ , req_type
+ , (unsigned long) n->nlmsg_len
+ , (unsigned long) rsp_size);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+static bool
+netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
+{
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_userpolicy_id id;
+ } req;
+
+ struct {
+ struct nlmsghdr n;
+ union {
+ struct nlmsgerr e;
+ struct xfrm_userpolicy_info info;
+ } u;
+ char data[1024];
+ } rsp;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
+
+ req.id.sel.sport = portof(&sa->src_client->addr);
+ req.id.sel.dport = portof(&sa->dst_client->addr);
+ req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0;
+ req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0;
+ ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr);
+ ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr);
+ req.id.sel.prefixlen_s = sa->src_client->maskbits;
+ req.id.sel.prefixlen_d = sa->dst_client->maskbits;
+ req.id.sel.proto = sa->transport_proto;
+ req.id.sel.family = sa->dst_client->addr.u.v4.sin_family;
+
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+ rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+
+ req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
+
+ if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ return FALSE;
+
+ if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ return FALSE;
+
+ *use_time = (time_t)rsp.u.info.curlft.use_time;
+
+ if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ {
+ time_t use_time_fwd;
+
+ req.id.dir = XFRM_POLICY_FWD;
+
+ if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ return FALSE;
+
+ if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ return FALSE;
+
+ use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
+ *use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
+ }
+ return TRUE;
+}
+
+
+/** netlink_get_sa - Get information about an SA from the Kernel
+ *
+ * @param sa Kernel SA to be queried
+ * @return bool True if successfull
+ */
+static bool
+netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
+{
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_usersa_id id;
+ } req;
+
+ struct {
+ struct nlmsghdr n;
+ union {
+ struct nlmsgerr e;
+ struct xfrm_usersa_info info;
+ } u;
+ char data[1024];
+ } rsp;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = XFRM_MSG_GETSA;
+
+ ip2xfrm(sa->dst, &req.id.daddr);
+
+ req.id.spi = sa->spi;
+ req.id.family = sa->src->u.v4.sin_family;
+ req.id.proto = sa->proto;
+
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+ rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
+
+ if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
+ return FALSE;
+
+ if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ return FALSE;
+
+ *bytes = (u_int) rsp.u.info.curlft.bytes;
+
+ return TRUE;
+}
+
+static void
+linux_pfkey_register_response(const struct sadb_msg *msg)
+{
+ switch (msg->sadb_msg_satype)
+ {
+ case SADB_SATYPE_ESP:
+#ifndef NO_KERNEL_ALG
+ kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
+#endif
+ break;
+ case SADB_X_SATYPE_IPCOMP:
+ can_do_IPcomp = TRUE;
+ break;
+ default:
+ break;
+ }
+}
+
+/** linux_pfkey_register - Register via PFKEY our capabilities
+ *
+ */
+static void
+linux_pfkey_register(void)
+{
+ pfkey_register_proto(SADB_SATYPE_AH, "AH");
+ pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+ pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
+ pfkey_close();
+}
+
+/** Create ip_address out of xfrm_address_t.
+ *
+ * @param family
+ * @param src xfrm formatted IP address
+ * @param dst ip_address formatted destination
+ * @return err_t NULL if okay, otherwise an error
+ */
+static err_t
+xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
+{
+ switch (family)
+ {
+ case AF_INET: /* IPv4 */
+ case AF_UNSPEC: /* Unspecified, we assume IPv4 */
+ initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst);
+ return NULL;
+ case AF_INET6: /* IPv6 */
+ initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst);
+ return NULL;
+ default:
+ return "unknown address family";
+ }
+}
+
+/* Create a pair of ip_address's out of xfrm_sel.
+ *
+ * @param sel xfrm selector
+ * @param src ip_address formatted source
+ * @param dst ip_address formatted destination
+ * @return err_t NULL if okay, otherwise an error
+ */
+static err_t
+xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
+ , ip_address *src
+ , ip_address *dst)
+{
+ int family;
+ err_t ugh;
+
+ family = sel->family;
+
+ if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
+ || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
+ return ugh;
+
+ /* family has been verified in xfrm_to_ip_address. */
+ if (family == AF_INET)
+ {
+ src->u.v4.sin_port = sel->sport;
+ dst->u.v4.sin_port = sel->dport;
+ }
+ else
+ {
+ src->u.v6.sin6_port = sel->sport;
+ dst->u.v6.sin6_port = sel->dport;
+ }
+
+ return NULL;
+}
+
+static void
+netlink_acquire(struct nlmsghdr *n)
+{
+ struct xfrm_user_acquire *acquire;
+ ip_address src, dst;
+ ip_subnet ours, his;
+ unsigned transport_proto;
+ err_t ugh = NULL;
+
+ if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
+ {
+ plog("netlink_acquire got message with length %lu < %lu bytes; ignore message"
+ , (unsigned long) n->nlmsg_len
+ , (unsigned long) sizeof(*acquire));
+ return;
+ }
+
+ acquire = NLMSG_DATA(n);
+ transport_proto = acquire->sel.proto;
+
+ /* XXX also the type of src/dst should be checked to make sure
+ * that they aren't v4 to v6 or something goofy
+ */
+
+ if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
+ && !(ugh = addrtosubnet(&src, &ours))
+ && !(ugh = addrtosubnet(&dst, &his)))
+ record_and_initiate_opportunistic(&ours, &his, transport_proto
+ , "%acquire-netlink");
+
+ if (ugh != NULL)
+ plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
+}
+
+static void
+netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
+{
+ ip_address src, dst;
+ unsigned transport_proto;
+ err_t ugh = NULL;
+
+ transport_proto = pol->sel.proto;
+
+ if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst)))
+ {
+ plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh);
+ return;
+ }
+
+ replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto
+ , "delete expired bare shunt");
+}
+
+static void
+netlink_policy_expire(struct nlmsghdr *n)
+{
+ struct xfrm_user_polexpire *upe;
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_userpolicy_id id;
+ } req;
+
+ struct {
+ struct nlmsghdr n;
+ union {
+ struct nlmsgerr e;
+ struct xfrm_userpolicy_info pol;
+ } u;
+ char data[1024];
+ } rsp;
+
+ if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe)))
+ {
+ plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message"
+ , (unsigned long) n->nlmsg_len
+ , (unsigned long) sizeof(*upe));
+ return;
+ }
+
+ upe = NLMSG_DATA(n);
+ req.id.dir = upe->pol.dir;
+ req.id.index = upe->pol.index;
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
+
+ rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
+
+ if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ return;
+
+ if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
+ return;
+
+ if (req.id.index != rsp.u.pol.index)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("netlink_policy_expire: policy was replaced: "
+ "dir=%d, oldindex=%d, newindex=%d"
+ , req.id.dir, req.id.index, rsp.u.pol.index));
+ return;
+ }
+
+ if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time)
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("netlink_policy_expire: policy was replaced "
+ " and you have won the lottery: "
+ "dir=%d, index=%d"
+ , req.id.dir, req.id.index));
+ return;
+ }
+
+ switch (upe->pol.dir)
+ {
+ case XFRM_POLICY_OUT:
+ netlink_shunt_expire(&rsp.u.pol);
+ break;
+ }
+}
+
+static bool
+netlink_get(void)
+{
+ struct {
+ struct nlmsghdr n;
+ char data[1024];
+ } rsp;
+ ssize_t r;
+ struct sockaddr_nl addr;
+ socklen_t alen;
+
+ alen = sizeof(addr);
+ r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0
+ , (struct sockaddr *)&addr, &alen);
+ if (r < 0)
+ {
+ if (errno == EAGAIN)
+ return FALSE;
+ if (errno != EINTR)
+ log_errno((e, "recvfrom() failed in netlink_get"));
+ return TRUE;
+ }
+ else if ((size_t) r < sizeof(rsp.n))
+ {
+ plog("netlink_get read truncated message: %ld bytes; ignore message"
+ , (long) r);
+ return TRUE;
+ }
+ else if (addr.nl_pid != 0)
+ {
+ /* not for us: ignore */
+ DBG(DBG_KLIPS,
+ DBG_log("netlink_get: ignoring %s message from process %u"
+ , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
+ , addr.nl_pid));
+ return TRUE;
+ }
+ else if ((size_t) r != rsp.n.nlmsg_len)
+ {
+ plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message"
+ , (long) r
+ , (unsigned long) rsp.n.nlmsg_len);
+ return TRUE;
+ }
+
+ DBG(DBG_KLIPS,
+ DBG_log("netlink_get: %s message"
+ , sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
+
+ switch (rsp.n.nlmsg_type)
+ {
+ case XFRM_MSG_ACQUIRE:
+ netlink_acquire(&rsp.n);
+ break;
+ case XFRM_MSG_POLEXPIRE:
+ netlink_policy_expire(&rsp.n);
+ break;
+ default:
+ /* ignored */
+ break;
+ }
+
+ return TRUE;
+}
+
+static void
+netlink_process_msg(void)
+{
+ while (netlink_get())
+ ;
+}
+
+static ipsec_spi_t
+netlink_get_spi(const ip_address *src
+, const ip_address *dst
+, int proto
+, bool tunnel_mode
+, unsigned reqid
+, ipsec_spi_t min
+, ipsec_spi_t max
+, const char *text_said)
+{
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_userspi_info spi;
+ } req;
+
+ struct {
+ struct nlmsghdr n;
+ union {
+ struct nlmsgerr e;
+ struct xfrm_usersa_info sa;
+ } u;
+ char data[1024];
+ } rsp;
+
+ memset(&req, 0, sizeof(req));
+ req.n.nlmsg_flags = NLM_F_REQUEST;
+ req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
+
+ ip2xfrm(src, &req.spi.info.saddr);
+ ip2xfrm(dst, &req.spi.info.id.daddr);
+ req.spi.info.mode = tunnel_mode;
+ req.spi.info.reqid = reqid;
+ req.spi.info.id.proto = proto;
+ req.spi.info.family = src->u.v4.sin_family;
+ req.spi.min = min;
+ req.spi.max = max;
+
+ req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi)));
+ rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
+
+ if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
+ return 0;
+
+ if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
+ return 0;
+
+ DBG(DBG_KLIPS,
+ DBG_log("netlink_get_spi: allocated 0x%x for %s"
+ , ntohl(rsp.u.sa.id.spi), text_said));
+ return rsp.u.sa.id.spi;
+}
+
+const struct kernel_ops linux_kernel_ops = {
+ type: KERNEL_TYPE_LINUX,
+ inbound_eroute: 1,
+ policy_lifetime: 1,
+ async_fdp: &netlink_bcast_fd,
+
+ init: init_netlink,
+ pfkey_register: linux_pfkey_register,
+ pfkey_register_response: linux_pfkey_register_response,
+ process_msg: netlink_process_msg,
+ raw_eroute: netlink_raw_eroute,
+ get_policy: netlink_get_policy,
+ add_sa: netlink_add_sa,
+ del_sa: netlink_del_sa,
+ get_sa: netlink_get_sa,
+ process_queue: NULL,
+ grp_sa: NULL,
+ get_spi: netlink_get_spi,
+};
+#endif /* linux && KLIPS */
diff --git a/src/pluto/kernel_netlink.h b/src/pluto/kernel_netlink.h
new file mode 100644
index 000000000..1b5f42e48
--- /dev/null
+++ b/src/pluto/kernel_netlink.h
@@ -0,0 +1,20 @@
+/* declarations of routines that interface with the kernel's pfkey mechanism
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2003 Herbert Xu
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_netlink.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#if defined(KLIPS) && defined(linux)
+extern const struct kernel_ops linux_kernel_ops;
+#endif
diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
new file mode 100644
index 000000000..570bb0470
--- /dev/null
+++ b/src/pluto/kernel_noklips.c
@@ -0,0 +1,126 @@
+/* interface to fake kernel interface, used for testing pluto in-vitro.
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
+ * Copyright (C) 2003 Herbert Xu.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_noklips.c,v 1.5 2006/02/04 00:01:22 as Exp $
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "kernel.h"
+#include "kernel_noklips.h"
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+
+void
+init_noklips(void)
+{
+ return;
+}
+
+/* asynchronous messages from our queue */
+static void
+noklips_dequeue(void)
+{
+}
+
+/* asynchronous messages directly from PF_KEY socket */
+static void
+noklips_event(void)
+{
+}
+
+static void
+noklips_register_response(const struct sadb_msg *msg UNUSED)
+{
+}
+
+static void
+noklips_register(void)
+{
+}
+
+static bool
+noklips_raw_eroute(const ip_address *this_host UNUSED
+ , const ip_subnet *this_client UNUSED
+ , const ip_address *that_host UNUSED
+ , const ip_subnet *that_client UNUSED
+ , ipsec_spi_t spi UNUSED
+ , unsigned int satype UNUSED
+ , unsigned int transport_proto UNUSED
+ , const struct pfkey_proto_info *proto_info UNUSED
+ , time_t use_lifetime UNUSED
+ , unsigned int op UNUSED
+ , const char *text_said UNUSED)
+{
+ return TRUE;
+}
+
+static bool
+noklips_add_sa(const struct kernel_sa *sa UNUSED
+ , bool replace UNUSED)
+{
+ return TRUE;
+}
+
+static bool
+noklips_grp_sa(const struct kernel_sa *sa0 UNUSED
+ , const struct kernel_sa *sa1 UNUSED)
+{
+ return TRUE;
+}
+
+static bool
+noklips_del_sa(const struct kernel_sa *sa UNUSED)
+{
+ return TRUE;
+}
+
+
+const struct kernel_ops noklips_kernel_ops = {
+ type: KERNEL_TYPE_NONE,
+ async_fdp: NULL,
+
+ init: init_noklips,
+ pfkey_register: noklips_register,
+ pfkey_register_response: noklips_register_response,
+ process_queue: noklips_dequeue,
+ process_msg: noklips_event,
+ raw_eroute: noklips_raw_eroute,
+ add_sa: noklips_add_sa,
+ grp_sa: noklips_grp_sa,
+ del_sa: noklips_del_sa,
+ get_sa: NULL,
+ get_spi: NULL,
+ inbound_eroute: FALSE,
+ policy_lifetime: FALSE
+};
diff --git a/src/pluto/kernel_noklips.h b/src/pluto/kernel_noklips.h
new file mode 100644
index 000000000..fe4e77ec4
--- /dev/null
+++ b/src/pluto/kernel_noklips.h
@@ -0,0 +1,19 @@
+/* declarations of routines that interface with the kernel's pfkey mechanism
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2003 Herbert Xu
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_noklips.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+extern void init_noklips(void);
+extern const struct kernel_ops noklips_kernel_ops;
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
new file mode 100644
index 000000000..ced7a1453
--- /dev/null
+++ b/src/pluto/kernel_pfkey.c
@@ -0,0 +1,926 @@
+/* pfkey interface to the kernel's IPsec mechanism
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2003 Herbert Xu.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_pfkey.c,v 1.8 2006/02/04 00:01:22 as Exp $
+ */
+
+#ifdef KLIPS
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "kernel.h"
+#include "kernel_pfkey.h"
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+#include "demux.h"
+#include "nat_traversal.h"
+#include "alg_info.h"
+#include "kernel_alg.h"
+
+
+static int pfkeyfd = NULL_FD;
+
+typedef u_int32_t pfkey_seq_t;
+static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */
+
+static pid_t pid;
+
+#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
+
+static sparse_names pfkey_type_names = {
+ NE(SADB_RESERVED),
+ NE(SADB_GETSPI),
+ NE(SADB_UPDATE),
+ NE(SADB_ADD),
+ NE(SADB_DELETE),
+ NE(SADB_GET),
+ NE(SADB_ACQUIRE),
+ NE(SADB_REGISTER),
+ NE(SADB_EXPIRE),
+ NE(SADB_FLUSH),
+ NE(SADB_DUMP),
+ NE(SADB_X_PROMISC),
+ NE(SADB_X_PCHANGE),
+ NE(SADB_X_GRPSA),
+ NE(SADB_X_ADDFLOW),
+ NE(SADB_X_DELFLOW),
+ NE(SADB_X_DEBUG),
+ NE(SADB_X_NAT_T_NEW_MAPPING),
+ NE(SADB_MAX),
+ { 0, sparse_end }
+};
+
+#ifdef NEVER /* not needed yet */
+static sparse_names pfkey_ext_names = {
+ NE(SADB_EXT_RESERVED),
+ NE(SADB_EXT_SA),
+ NE(SADB_EXT_LIFETIME_CURRENT),
+ NE(SADB_EXT_LIFETIME_HARD),
+ NE(SADB_EXT_LIFETIME_SOFT),
+ NE(SADB_EXT_ADDRESS_SRC),
+ NE(SADB_EXT_ADDRESS_DST),
+ NE(SADB_EXT_ADDRESS_PROXY),
+ NE(SADB_EXT_KEY_AUTH),
+ NE(SADB_EXT_KEY_ENCRYPT),
+ NE(SADB_EXT_IDENTITY_SRC),
+ NE(SADB_EXT_IDENTITY_DST),
+ NE(SADB_EXT_SENSITIVITY),
+ NE(SADB_EXT_PROPOSAL),
+ NE(SADB_EXT_SUPPORTED_AUTH),
+ NE(SADB_EXT_SUPPORTED_ENCRYPT),
+ NE(SADB_EXT_SPIRANGE),
+ NE(SADB_X_EXT_KMPRIVATE),
+ NE(SADB_X_EXT_SATYPE2),
+ NE(SADB_X_EXT_SA2),
+ NE(SADB_X_EXT_ADDRESS_DST2),
+ NE(SADB_X_EXT_ADDRESS_SRC_FLOW),
+ NE(SADB_X_EXT_ADDRESS_DST_FLOW),
+ NE(SADB_X_EXT_ADDRESS_SRC_MASK),
+ NE(SADB_X_EXT_ADDRESS_DST_MASK),
+ NE(SADB_X_EXT_DEBUG),
+ { 0, sparse_end }
+};
+#endif /* NEVER */
+
+#undef NE
+
+void
+init_pfkey(void)
+{
+ pid = getpid();
+
+ /* open PF_KEY socket */
+
+ pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+
+ if (pfkeyfd == -1)
+ exit_log_errno((e, "socket() in init_pfkeyfd()"));
+
+#ifdef NEVER /* apparently unsupported! */
+ if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0)
+ exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()"));
+#endif
+ if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0)
+ exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()"));
+
+ DBG(DBG_KLIPS,
+ DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd));
+}
+
+/* Kinds of PF_KEY message from the kernel:
+ * - response to a request from us
+ * + ACK/NAK
+ * + Register: indicates transforms supported by kernel
+ * + SPI requested by getspi
+ * - Acquire, requesting us to deal with trapped clear packet
+ * - expiration of of one of our SAs
+ * - messages to other processes
+ *
+ * To minimize the effect on the event-driven structure of Pluto,
+ * responses are dealt with synchronously. We hope that the Kernel
+ * produces them synchronously. We must "read ahead" in the PF_KEY
+ * stream, saving Acquire and Expiry messages that are encountered.
+ * We ignore messages to other processes.
+ */
+
+typedef union {
+ unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
+ struct sadb_msg msg;
+ } pfkey_buf;
+
+/* queue of unprocessed PF_KEY messages input from kernel
+ * Note that the pfkey_buf may be partly allocated, reflecting
+ * the variable length nature of the messages. So the link field
+ * must come first.
+ */
+typedef struct pfkey_item {
+ struct pfkey_item *next;
+ pfkey_buf buf;
+ } pfkey_item;
+
+static pfkey_item *pfkey_iq_head = NULL; /* oldest */
+static pfkey_item *pfkey_iq_tail; /* youngest */
+
+static bool
+pfkey_input_ready(void)
+{
+ fd_set readfds;
+ int ndes;
+ struct timeval tm;
+
+ tm.tv_sec = 0; /* don't wait at all */
+ tm.tv_usec = 0;
+
+ FD_ZERO(&readfds); /* we only care about pfkeyfd */
+ FD_SET(pfkeyfd, &readfds);
+
+ do {
+ ndes = select(pfkeyfd + 1, &readfds, NULL, NULL, &tm);
+ } while (ndes == -1 && errno == EINTR);
+
+ if (ndes < 0)
+ {
+ log_errno((e, "select() failed in pfkey_get()"));
+ return FALSE;
+ }
+
+ if (ndes == 0)
+ return FALSE; /* nothing to read */
+
+ passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
+ return TRUE;
+}
+
+/* get a PF_KEY message from kernel.
+ * Returns TRUE is message found, FALSE if no message pending,
+ * and aborts or keeps trying when an error is encountered.
+ * The only validation of the message is that the message length
+ * received matches that in the message header, and that the message
+ * is for this process.
+ */
+static bool
+pfkey_get(pfkey_buf *buf)
+{
+ for (;;)
+ {
+ /* len must be less than PFKEYv2_MAX_MSGSIZE,
+ * so it should fit in an int. We use this fact when printing it.
+ */
+ ssize_t len;
+
+ if (!pfkey_input_ready())
+ return FALSE;
+
+ len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
+
+ if (len < 0)
+ {
+ if (errno == EAGAIN)
+ return FALSE;
+
+ log_errno((e, "read() failed in pfkey_get()"));
+ return FALSE;
+ }
+ else if ((size_t) len < sizeof(buf->msg))
+ {
+ plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message"
+ , (int) len);
+ }
+ else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
+ {
+ plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message"
+ , (int) len
+ , (unsigned) buf->msg.sadb_msg_len
+ , (unsigned) IPSEC_PFKEYv2_ALIGN);
+ }
+ else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
+ || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
+ || (buf->msg.sadb_msg_type == SADB_REGISTER)
+ || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
+ {
+ /* not for us: ignore */
+ DBG(DBG_KLIPS,
+ DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u"
+ , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+ , buf->msg.sadb_msg_seq
+ , buf->msg.sadb_msg_pid));
+ }
+ else
+ {
+ DBG(DBG_KLIPS,
+ DBG_log("pfkey_get: %s message %u"
+ , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+ , buf->msg.sadb_msg_seq));
+ return TRUE;
+ }
+ }
+}
+
+/* get a response to a specific message */
+static bool
+pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
+{
+ while (pfkey_get(buf))
+ {
+ if (buf->msg.sadb_msg_pid == (unsigned)pid
+ && buf->msg.sadb_msg_seq == seq)
+ {
+ return TRUE;
+ }
+ else
+ {
+ /* Not for us: queue it. */
+ size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
+ pfkey_item *it = alloc_bytes(offsetof(pfkey_item, buf) + bl, "pfkey_item");
+
+ memcpy(&it->buf, buf, bl);
+
+ it->next = NULL;
+ if (pfkey_iq_head == NULL)
+ {
+ pfkey_iq_head = it;
+ }
+ else
+ {
+ pfkey_iq_tail->next = it;
+ }
+ pfkey_iq_tail = it;
+ }
+ }
+ return FALSE;
+}
+
+/* Process a SADB_REGISTER message from the kernel.
+ * This will be a response to one of ours, but it may be asynchronous
+ * (if kernel modules are loaded and unloaded).
+ * Some sanity checking has already been performed.
+ */
+static void
+klips_pfkey_register_response(const struct sadb_msg *msg)
+{
+ /* Find out what the kernel can support.
+ * In fact, the only question at the moment
+ * is whether it can support IPcomp.
+ * So we ignore the rest.
+ * ??? we really should pay attention to what transforms are supported.
+ */
+ switch (msg->sadb_msg_satype)
+ {
+ case SADB_SATYPE_AH:
+ break;
+ case SADB_SATYPE_ESP:
+#ifndef NO_KERNEL_ALG
+ kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
+#endif
+ break;
+ case SADB_X_SATYPE_COMP:
+ /* ??? There ought to be an extension to list the
+ * supported algorithms, but RFC 2367 doesn't
+ * list one for IPcomp. KLIPS uses SADB_X_CALG_DEFLATE.
+ * Since we only implement deflate, we'll assume this.
+ */
+ can_do_IPcomp = TRUE;
+ break;
+ case SADB_X_SATYPE_IPIP:
+ break;
+ default:
+ break;
+ }
+}
+
+/* Processs a SADB_ACQUIRE message from KLIPS.
+ * Try to build an opportunistic connection!
+ * See RFC 2367 "PF_KEY Key Management API, Version 2" 3.1.6
+ * <base, address(SD), (address(P)), (identity(SD),) (sensitivity,) proposal>
+ * - extensions for source and data IP addresses
+ * - optional extensions for identity [not useful for us?]
+ * - optional extension for sensitivity [not useful for us?]
+ * - expension for proposal [not useful for us?]
+ *
+ * ??? We must use the sequence number in creating an SA.
+ * We actually need to create up to 4 SAs each way. Which one?
+ * I guess it depends on the protocol present in the sadb_msg_satype.
+ * For now, we'll ignore this requirement.
+ *
+ * ??? We need some mechanism to make sure that multiple ACQUIRE messages
+ * don't cause a whole bunch of redundant negotiations.
+ */
+static void
+process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
+ struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
+ int src_proto = srcx->sadb_address_proto;
+ int dst_proto = dstx->sadb_address_proto;
+ ip_address *src = (ip_address*)&srcx[1];
+ ip_address *dst = (ip_address*)&dstx[1];
+ ip_subnet ours, his;
+ err_t ugh = NULL;
+
+ /* assumption: we're only catching our own outgoing packets
+ * so source is our end and destination is the other end.
+ * Verifying this is not actually convenient.
+ *
+ * This stylized control structure yields a complaint or
+ * desired results. For compactness, a pointer value is
+ * treated as a boolean. Logically, the structure is:
+ * keep going as long as things are OK.
+ */
+ if (buf->msg.sadb_msg_pid == 0 /* we only wish to hear from kernel */
+ && !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
+ && !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
+ && !(ugh = addrtosubnet(src, &ours))
+ && !(ugh = addrtosubnet(dst, &his)))
+ record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire");
+
+ if (ugh != NULL)
+ plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
+
+}
+
+/* Handle PF_KEY messages from the kernel that are not dealt with
+ * synchronously. In other words, all but responses to PF_KEY messages
+ * that we sent.
+ */
+static void
+pfkey_async(pfkey_buf *buf)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+ if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT))
+ {
+ plog("pfkey_async:"
+ " unparseable PF_KEY message:"
+ " %s len=%d, errno=%d, seq=%d, pid=%d; message ignored"
+ , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+ , buf->msg.sadb_msg_len
+ , buf->msg.sadb_msg_errno
+ , buf->msg.sadb_msg_seq
+ , buf->msg.sadb_msg_pid);
+ }
+ else
+ {
+ DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:"
+ " %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u"
+ , sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
+ , buf->msg.sadb_msg_len
+ , buf->msg.sadb_msg_errno
+ , buf->msg.sadb_msg_satype
+ , buf->msg.sadb_msg_seq
+ , buf->msg.sadb_msg_pid));
+
+ switch (buf->msg.sadb_msg_type)
+ {
+ case SADB_REGISTER:
+ kernel_ops->pfkey_register_response(&buf->msg);
+ break;
+ case SADB_ACQUIRE:
+ /* to simulate loss of ACQUIRE, delete this call */
+ process_pfkey_acquire(buf, extensions);
+ break;
+ case SADB_X_NAT_T_NEW_MAPPING:
+ process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
+ break;
+ default:
+ /* ignored */
+ break;
+ }
+ }
+}
+
+/* asynchronous messages from our queue */
+static void
+pfkey_dequeue(void)
+{
+ while (pfkey_iq_head != NULL)
+ {
+ pfkey_item *it = pfkey_iq_head;
+
+ pfkey_async(&it->buf);
+ pfkey_iq_head = it->next;
+ pfree(it);
+ }
+
+ /* Handle any orphaned holds, but only if no pfkey input is pending.
+ * For each, we initiate Opportunistic.
+ * note: we don't need to advance the pointer because
+ * record_and_initiate_opportunistic will remove the current
+ * record each time we call it.
+ */
+ while (orphaned_holds != NULL && !pfkey_input_ready())
+ record_and_initiate_opportunistic(&orphaned_holds->ours
+ , &orphaned_holds->his
+ , orphaned_holds->transport_proto
+ , "%hold found-pfkey");
+
+}
+
+/* asynchronous messages directly from PF_KEY socket */
+static void
+pfkey_event(void)
+{
+ pfkey_buf buf;
+
+ if (pfkey_get(&buf))
+ pfkey_async(&buf);
+}
+
+static bool
+pfkey_build(int error
+, const char *description
+, const char *text_said
+, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ if (error == 0)
+ {
+ return TRUE;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d"
+ , description, text_said, error);
+ pfkey_extensions_free(extensions);
+ return FALSE;
+ }
+}
+
+/* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */
+static bool
+pfkey_msg_start(u_int8_t msg_type
+, u_int8_t satype
+, const char *description
+, const char *text_said
+, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ pfkey_extensions_init(extensions);
+ return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type
+ , satype, 0, ++pfkey_seq, pid)
+ , description, text_said, extensions);
+}
+
+/* pfkey_build + pfkey_address_build */
+static bool
+pfkeyext_address(u_int16_t exttype
+, const ip_address *address
+, const char *description
+, const char *text_said
+, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ /* the following variable is only needed to silence
+ * a warning caused by the fact that the argument
+ * to sockaddrof is NOT pointer to const!
+ */
+ ip_address t = *address;
+
+ return pfkey_build(pfkey_address_build(extensions + exttype
+ , exttype, 0, 0, sockaddrof(&t))
+ , description, text_said, extensions);
+}
+
+/* pfkey_build + pfkey_x_protocol_build */
+static bool
+pfkeyext_protocol(int transport_proto
+, const char *description
+, const char *text_said
+, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ return (transport_proto == 0)? TRUE
+ : pfkey_build(
+ pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
+ , description, text_said, extensions);
+}
+
+
+/* Finish (building, sending, accepting response for) PF_KEY message.
+ * If response isn't NULL, the response from the kernel will be
+ * placed there (and its errno field will not be examined).
+ * Returns TRUE iff all appears well.
+ */
+static bool
+finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
+, const char *description
+, const char *text_said
+, pfkey_buf *response)
+{
+ struct sadb_msg *pfkey_msg;
+ bool success = TRUE;
+ int error;
+
+ error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
+
+ if (error != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d"
+ , description, text_said, error);
+ success = FALSE;
+ }
+ else
+ {
+ size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
+
+ DBG(DBG_KLIPS,
+ DBG_log("finish_pfkey_msg: %s message %u for %s %s"
+ , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+ , pfkey_msg->sadb_msg_seq
+ , description, text_said);
+ DBG_dump(NULL, (void *) pfkey_msg, len));
+
+ if (!no_klips)
+ {
+ ssize_t r = write(pfkeyfd, pfkey_msg, len);
+
+ if (r != (ssize_t)len)
+ {
+ if (r < 0)
+ {
+ log_errno((e
+ , "pfkey write() of %s message %u"
+ " for %s %s failed"
+ , sparse_val_show(pfkey_type_names
+ , pfkey_msg->sadb_msg_type)
+ , pfkey_msg->sadb_msg_seq
+ , description, text_said));
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: pfkey write() of %s message %u"
+ " for %s %s truncated: %ld instead of %ld"
+ , sparse_val_show(pfkey_type_names
+ , pfkey_msg->sadb_msg_type)
+ , pfkey_msg->sadb_msg_seq
+ , description, text_said
+ , (long)r, (long)len);
+ }
+ success = FALSE;
+
+ /* if we were compiled with debugging, but we haven't already
+ * dumped the KLIPS command, do so.
+ */
+#ifdef DEBUG
+ if ((cur_debugging & DBG_KLIPS) == 0)
+ DBG_dump(NULL, (void *) pfkey_msg, len);
+#endif
+ }
+ else
+ {
+ /* Check response from KLIPS.
+ * It ought to be an echo, perhaps with additional info.
+ * If the caller wants it, response will point to space.
+ */
+ pfkey_buf b;
+ pfkey_buf *bp = response != NULL? response : &b;
+
+ if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: no response to our PF_KEY %s message for %s %s"
+ , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+ , description, text_said);
+ success = FALSE;
+ }
+ else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)"
+ , sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type)
+ , description, text_said
+ , sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type));
+ success = FALSE;
+ }
+ else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+ {
+ /* KLIPS is signalling a problem */
+ loglog(RC_LOG_SERIOUS
+ , "ERROR: PF_KEY %s response for %s %s included errno %u: %s"
+ , sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
+ , description, text_said
+ , (unsigned) bp->msg.sadb_msg_errno
+ , strerror(bp->msg.sadb_msg_errno));
+ success = FALSE;
+ }
+ }
+ }
+ }
+
+ /* all paths must exit this way to free resources */
+ pfkey_extensions_free(extensions);
+ pfkey_msg_free(&pfkey_msg);
+ return success;
+}
+
+/* register SA types that can be negotiated */
+void
+pfkey_register_proto(unsigned satype, const char *satypename)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+ pfkey_buf pfb;
+
+ if (!(pfkey_msg_start(SADB_REGISTER
+ , satype
+ , satypename, NULL, extensions)
+ && finish_pfkey_msg(extensions, satypename, "", &pfb)))
+ {
+ /* ??? should this be loglog */
+ plog("no KLIPS support for %s", satypename);
+ }
+ else
+ {
+ kernel_ops->pfkey_register_response(&pfb.msg);
+ DBG(DBG_KLIPS,
+ DBG_log("%s registered with kernel.", satypename));
+ }
+}
+
+static void
+klips_pfkey_register(void)
+{
+ pfkey_register_proto(SADB_SATYPE_AH, "AH");
+ pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+ can_do_IPcomp = FALSE; /* until we get a response from KLIPS */
+ pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP");
+ pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP");
+}
+
+static bool
+pfkey_raw_eroute(const ip_address *this_host
+ , const ip_subnet *this_client
+ , const ip_address *that_host
+ , const ip_subnet *that_client
+ , ipsec_spi_t spi
+ , unsigned int satype
+ , unsigned int transport_proto
+ , const struct pfkey_proto_info *proto_info UNUSED
+ , time_t use_lifetime UNUSED
+ , unsigned int op
+ , const char *text_said)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+ ip_address
+ sflow_ska,
+ dflow_ska,
+ smask_ska,
+ dmask_ska;
+ int sport = ntohs(portof(&this_client->addr));
+ int dport = ntohs(portof(&that_client->addr));
+
+ networkof(this_client, &sflow_ska);
+ maskof(this_client, &smask_ska);
+ setportof(sport ? ~0:0, &smask_ska);
+
+ networkof(that_client, &dflow_ska);
+ maskof(that_client, &dmask_ska);
+ setportof(dport ? ~0:0, &dmask_ska);
+
+ if (!pfkey_msg_start(op & ERO_MASK, satype
+ , "pfkey_msg_hdr flow", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ if (op != ERO_DELETE)
+ {
+ if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+ , SADB_EXT_SA
+ , spi /* in network order */
+ , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT)
+ , "pfkey_sa add flow", text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host
+ , "pfkey_addr_s add flow", text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host
+ , "pfkey_addr_d add flow", text_said
+ , extensions)))
+ {
+ return FALSE;
+ }
+ }
+
+ if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska
+ , "pfkey_addr_sflow", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska
+ , "pfkey_addr_dflow", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska
+ , "pfkey_addr_smask", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska
+ , "pfkey_addr_dmask", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ if (!pfkeyext_protocol(transport_proto
+ , "pfkey_x_protocol", text_said, extensions))
+ {
+ return FALSE;
+ }
+
+ return finish_pfkey_msg(extensions, "flow", text_said, NULL);
+}
+
+static bool
+pfkey_add_sa(const struct kernel_sa *sa, bool replace)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+ return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype
+ , "pfkey_msg_hdr Add SA", sa->text_said, extensions)
+
+ && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+ , SADB_EXT_SA
+ , sa->spi /* in network order */
+ , sa->replay_window, SADB_SASTATE_MATURE
+ , sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0)
+ , "pfkey_sa Add SA", sa->text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
+ , "pfkey_addr_s Add SA", sa->text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
+ , "pfkey_addr_d Add SA", sa->text_said, extensions)
+
+ && (sa->authkeylen == 0
+ || pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH]
+ , SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE
+ , sa->authkey)
+ , "pfkey_key_a Add SA", sa->text_said, extensions))
+
+ && (sa->enckeylen == 0
+ || pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT]
+ , SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
+ , sa->enckey)
+ , "pfkey_key_e Add SA", sa->text_said, extensions))
+
+ && (sa->natt_type == 0
+ || pfkey_build(pfkey_x_nat_t_type_build(
+ &extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
+ "pfkey_nat_t_type Add ESP SA", sa->text_said, extensions))
+ && (sa->natt_sport == 0
+ || pfkey_build(pfkey_x_nat_t_port_build(
+ &extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT,
+ sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said,
+ extensions))
+ && (sa->natt_dport == 0
+ || pfkey_build(pfkey_x_nat_t_port_build(
+ &extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT,
+ sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said,
+ extensions))
+ && (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
+ || pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
+ , "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
+
+ && finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
+
+}
+
+static bool
+pfkey_grp_sa(const struct kernel_sa *sa0, const struct kernel_sa *sa1)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+ return pfkey_msg_start(SADB_X_GRPSA, sa1->satype
+ , "pfkey_msg_hdr group", sa1->text_said, extensions)
+
+ && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+ , SADB_EXT_SA
+ , sa1->spi /* in network order */
+ , 0, 0, 0, 0, 0)
+ , "pfkey_sa group", sa1->text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst
+ , "pfkey_addr_d group", sa1->text_said, extensions)
+
+ && pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2]
+ , sa0->satype)
+ , "pfkey_satype group", sa0->text_said, extensions)
+
+ && pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2]
+ , SADB_X_EXT_SA2
+ , sa0->spi /* in network order */
+ , 0, 0, 0, 0, 0)
+ , "pfkey_sa2 group", sa0->text_said, extensions)
+
+ && pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst
+ , "pfkey_addr_d2 group", sa0->text_said, extensions)
+
+ && finish_pfkey_msg(extensions, "group", sa1->text_said, NULL);
+}
+
+static bool
+pfkey_del_sa(const struct kernel_sa *sa)
+{
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1];
+
+ return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto)
+ , "pfkey_msg_hdr delete SA", sa->text_said, extensions)
+
+ && pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
+ , SADB_EXT_SA
+ , sa->spi /* in host order */
+ , 0, SADB_SASTATE_MATURE, 0, 0, 0)
+ , "pfkey_sa delete SA", sa->text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
+ , "pfkey_addr_s delete SA", sa->text_said, extensions)
+
+ && pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
+ , "pfkey_addr_d delete SA", sa->text_said, extensions)
+
+ && finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL);
+}
+
+void
+pfkey_close(void)
+{
+ while (pfkey_iq_head != NULL)
+ {
+ pfkey_item *it = pfkey_iq_head;
+
+ pfkey_iq_head = it->next;
+ pfree(it);
+ }
+
+ close(pfkeyfd);
+ pfkeyfd = NULL_FD;
+}
+
+const struct kernel_ops klips_kernel_ops = {
+ type: KERNEL_TYPE_KLIPS,
+ async_fdp: &pfkeyfd,
+
+ pfkey_register: klips_pfkey_register,
+ pfkey_register_response: klips_pfkey_register_response,
+ process_queue: pfkey_dequeue,
+ process_msg: pfkey_event,
+ raw_eroute: pfkey_raw_eroute,
+ add_sa: pfkey_add_sa,
+ grp_sa: pfkey_grp_sa,
+ del_sa: pfkey_del_sa,
+ get_sa: NULL,
+ get_spi: NULL,
+ inbound_eroute: FALSE,
+ policy_lifetime: FALSE,
+ init: NULL
+};
+#endif /* KLIPS */
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
new file mode 100644
index 000000000..9dbcdd341
--- /dev/null
+++ b/src/pluto/kernel_pfkey.h
@@ -0,0 +1,23 @@
+/* declarations of routines that interface with the kernel's pfkey mechanism
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2003 Herbert Xu
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: kernel_pfkey.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#ifdef KLIPS
+extern void init_pfkey(void);
+extern void pfkey_register_proto(unsigned satype, const char *satypename);
+extern void pfkey_close(void);
+extern const struct kernel_ops klips_kernel_ops;
+#endif
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
new file mode 100644
index 000000000..eed81230f
--- /dev/null
+++ b/src/pluto/keys.c
@@ -0,0 +1,1514 @@
+/* mechanisms for preshared keys (public, private, and preshared secrets)
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: keys.c,v 1.24 2006/01/27 08:59:40 as Exp $
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+
+#include <glob.h>
+#ifndef GLOB_ABORTED
+# define GLOB_ABORTED GLOB_ABEND /* fix for old versions */
+#endif
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "id.h"
+#include "x509.h"
+#include "pgp.h"
+#include "certs.h"
+#include "smartcard.h"
+#include "connections.h"
+#include "state.h"
+#include "lex.h"
+#include "keys.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+#include "timer.h"
+#include "fetch.h"
+#include "xauth.h"
+
+const char *shared_secrets_file = SHARED_SECRETS_FILE;
+
+typedef struct id_list id_list_t;
+
+struct id_list {
+ struct id id;
+ id_list_t *next;
+};
+
+typedef struct secret secret_t;
+
+struct secret {
+ id_list_t *ids;
+ enum PrivateKeyKind kind;
+ union {
+ chunk_t preshared_secret;
+ RSA_private_key_t RSA_private_key;
+ xauth_t xauth_secret;
+ smartcard_t *smartcard;
+ } u;
+ secret_t *next;
+};
+
+static pubkey_t*
+allocate_RSA_public_key(const cert_t cert)
+{
+ pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
+ chunk_t e, n;
+
+ switch (cert.type)
+ {
+ case CERT_PGP:
+ e = cert.u.pgp->publicExponent;
+ n = cert.u.pgp->modulus;
+ break;
+ case CERT_X509_SIGNATURE:
+ e = cert.u.x509->publicExponent;
+ n = cert.u.x509->modulus;
+ break;
+ default:
+ plog("RSA public key allocation error");
+ }
+
+ init_RSA_public_key(&pk->u.rsa, e, n);
+ DBG(DBG_RAW,
+ RSA_show_public_key(&pk->u.rsa)
+ )
+
+ pk->alg = PUBKEY_ALG_RSA;
+ pk->id = empty_id;
+ pk->issuer = empty_chunk;
+ pk->serial = empty_chunk;
+
+ return pk;
+}
+
+/*
+ * free a public key struct
+ */
+static void
+free_public_key(pubkey_t *pk)
+{
+ free_id_content(&pk->id);
+ freeanychunk(pk->issuer);
+ freeanychunk(pk->serial);
+
+ /* algorithm-specific freeing */
+ switch (pk->alg)
+ {
+ case PUBKEY_ALG_RSA:
+ free_RSA_public_content(&pk->u.rsa);
+ break;
+ default:
+ bad_case(pk->alg);
+ }
+ pfree(pk);
+}
+
+secret_t *secrets = NULL;
+
+/* find the struct secret associated with the combination of
+ * me and the peer. We match the Id (if none, the IP address).
+ * Failure is indicated by a NULL.
+ */
+static const secret_t *
+get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
+{
+ enum { /* bits */
+ match_default = 01,
+ match_him = 02,
+ match_me = 04
+ };
+
+ unsigned int best_match = 0;
+ secret_t *best = NULL;
+ secret_t *s;
+ const struct id *my_id = &c->spd.this.id
+ , *his_id = &c->spd.that.id;
+ struct id rw_id;
+
+ /* is there a certificate assigned to this connection? */
+ if (kind == PPK_RSA && c->spd.this.cert.type != CERT_NONE)
+ {
+ pubkey_t *my_public_key = allocate_RSA_public_key(c->spd.this.cert);
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == kind &&
+ same_RSA_public_key(&s->u.RSA_private_key.pub, &my_public_key->u.rsa))
+ {
+ best = s;
+ break; /* we have found the private key - no sense in searching further */
+ }
+ }
+ free_public_key(my_public_key);
+ return best;
+ }
+
+ if (his_id_was_instantiated(c))
+ {
+ /* roadwarrior: replace him with 0.0.0.0 */
+ rw_id.kind = c->spd.that.id.kind;
+ rw_id.name = empty_chunk;
+ happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
+ his_id = &rw_id;
+ }
+ else if (kind == PPK_PSK
+ && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
+ && ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) ||
+ (c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
+ {
+ /* roadwarrior: replace him with 0.0.0.0 */
+ rw_id.kind = ID_IPV4_ADDR;
+ happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
+ his_id = &rw_id;
+ }
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == kind)
+ {
+ unsigned int match = 0;
+
+ if (s->ids == NULL)
+ {
+ /* a default (signified by lack of ids):
+ * accept if no more specific match found
+ */
+ match = match_default;
+ }
+ else
+ {
+ /* check if both ends match ids */
+ id_list_t *i;
+
+ for (i = s->ids; i != NULL; i = i->next)
+ {
+ if (same_id(my_id, &i->id))
+ match |= match_me;
+
+ if (same_id(his_id, &i->id))
+ match |= match_him;
+ }
+
+ /* If our end matched the only id in the list,
+ * default to matching any peer.
+ * A more specific match will trump this.
+ */
+ if (match == match_me
+ && s->ids->next == NULL)
+ match |= match_default;
+ }
+
+ switch (match)
+ {
+ case match_me:
+ /* if this is an asymmetric (eg. public key) system,
+ * allow this-side-only match to count, even if
+ * there are other ids in the list.
+ */
+ if (!asym)
+ break;
+ /* FALLTHROUGH */
+ case match_default: /* default all */
+ case match_me | match_default: /* default peer */
+ case match_me | match_him: /* explicit */
+ if (match == best_match)
+ {
+ /* two good matches are equally good:
+ * do they agree?
+ */
+ bool same = FALSE;
+
+ switch (kind)
+ {
+ case PPK_PSK:
+ same = s->u.preshared_secret.len == best->u.preshared_secret.len
+ && memcmp(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len) == 0;
+ break;
+ case PPK_RSA:
+ /* Dirty trick: since we have code to compare
+ * RSA public keys, but not private keys, we
+ * make the assumption that equal public keys
+ * mean equal private keys. This ought to work.
+ */
+ same = same_RSA_public_key(&s->u.RSA_private_key.pub
+ , &best->u.RSA_private_key.pub);
+ break;
+ default:
+ bad_case(kind);
+ }
+ if (!same)
+ {
+ loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:"
+ " first secret used");
+ best = s; /* list is backwards: take latest in list */
+ }
+ }
+ else if (match > best_match)
+ {
+ /* this is the best match so far */
+ best_match = match;
+ best = s;
+ }
+ }
+ }
+ }
+ return best;
+}
+
+/* find the appropriate preshared key (see get_secret).
+ * Failure is indicated by a NULL pointer.
+ * Note: the result is not to be freed by the caller.
+ */
+const chunk_t *
+get_preshared_secret(const struct connection *c)
+{
+ const secret_t *s = get_secret(c, PPK_PSK, FALSE);
+
+ DBG(DBG_PRIVATE,
+ if (s == NULL)
+ DBG_log("no Preshared Key Found");
+ else
+ DBG_dump_chunk("Preshared Key", s->u.preshared_secret);
+ )
+ return s == NULL? NULL : &s->u.preshared_secret;
+}
+
+/* check the existence of an RSA private key matching an RSA public
+ * key contained in an X.509 or OpenPGP certificate
+ */
+bool
+has_private_key(cert_t cert)
+{
+ secret_t *s;
+ bool has_key = FALSE;
+ pubkey_t *pubkey = allocate_RSA_public_key(cert);
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == PPK_RSA &&
+ same_RSA_public_key(&s->u.RSA_private_key.pub, &pubkey->u.rsa))
+ {
+ has_key = TRUE;
+ break;
+ }
+ }
+ free_public_key(pubkey);
+ return has_key;
+}
+
+/*
+ * get the matching RSA private key belonging to a given X.509 certificate
+ */
+const RSA_private_key_t*
+get_x509_private_key(const x509cert_t *cert)
+{
+ secret_t *s;
+ const RSA_private_key_t *pri = NULL;
+ const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+
+ pubkey_t *pubkey = allocate_RSA_public_key(c);
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == PPK_RSA &&
+ same_RSA_public_key(&s->u.RSA_private_key.pub, &pubkey->u.rsa))
+ {
+ pri = &s->u.RSA_private_key;
+ break;
+ }
+ }
+ free_public_key(pubkey);
+ return pri;
+}
+
+/* find the appropriate RSA private key (see get_secret).
+ * Failure is indicated by a NULL pointer.
+ */
+const RSA_private_key_t *
+get_RSA_private_key(const struct connection *c)
+{
+ const secret_t *s = get_secret(c, PPK_RSA, TRUE);
+
+ return s == NULL? NULL : &s->u.RSA_private_key;
+}
+
+/* digest a secrets file
+ *
+ * The file is a sequence of records. A record is a maximal sequence of
+ * tokens such that the first, and only the first, is in the first column
+ * of a line.
+ *
+ * Tokens are generally separated by whitespace and are key words, ids,
+ * strings, or data suitable for ttodata(3). As a nod to convention,
+ * a trailing ":" on what would otherwise be a token is taken as a
+ * separate token. If preceded by whitespace, a "#" is taken as starting
+ * a comment: it and the rest of the line are ignored.
+ *
+ * One kind of record is an include directive. It starts with "include".
+ * The filename is the only other token in the record.
+ * If the filename does not start with /, it is taken to
+ * be relative to the directory containing the current file.
+ *
+ * The other kind of record describes a key. It starts with a
+ * sequence of ids and ends with key information. Each id
+ * is an IP address, a Fully Qualified Domain Name (which will immediately
+ * be resolved), or @FQDN which will be left as a name.
+ *
+ * The key part can be in several forms.
+ *
+ * The old form of the key is still supported: a simple
+ * quoted strings (with no escapes) is taken as a preshred key.
+ *
+ * The new form starts the key part with a ":".
+ *
+ * For Preshared Key, use the "PSK" keyword, and follow it by a string
+ * or a data token suitable for ttodata(3).
+ *
+ * For RSA Private Key, use the "RSA" keyword, followed by a
+ * brace-enclosed list of key field keywords and data values.
+ * The data values are large integers to be decoded by ttodata(3).
+ * The fields are a subset of those used by BIND 8.2 and have the
+ * same names.
+ */
+
+/* parse PSK from file */
+static err_t
+process_psk_secret(chunk_t *psk)
+{
+ err_t ugh = NULL;
+
+ if (*tok == '"' || *tok == '\'')
+ {
+ clonetochunk(*psk, tok+1, flp->cur - tok - 2, "PSK");
+ (void) shift();
+ }
+ else
+ {
+ char buf[BUF_LEN]; /* limit on size of binary representation of key */
+ size_t sz;
+
+ ugh = ttodatav(tok, flp->cur - tok, 0, buf, sizeof(buf), &sz
+ , diag_space, sizeof(diag_space), TTODATAV_SPACECOUNTS);
+ if (ugh != NULL)
+ {
+ /* ttodata didn't like PSK data */
+ ugh = builddiag("PSK data malformed (%s): %s", ugh, tok);
+ }
+ else
+ {
+ clonetochunk(*psk, buf, sz, "PSK");
+ (void) shift();
+ }
+ }
+ return ugh;
+}
+
+/* Parse fields of RSA private key.
+ * A braced list of keyword and value pairs.
+ * At the moment, each field is required, in order.
+ * The fields come from BIND 8.2's representation
+ */
+static err_t
+process_rsa_secret(RSA_private_key_t *rsak)
+{
+ char buf[RSA_MAX_ENCODING_BYTES]; /* limit on size of binary representation of key */
+ const struct fld *p;
+
+ /* save bytes of Modulus and PublicExponent for keyid calculation */
+ unsigned char ebytes[sizeof(buf)];
+ unsigned char *eb_next = ebytes;
+ chunk_t pub_bytes[2];
+ chunk_t *pb_next = &pub_bytes[0];
+
+ for (p = RSA_private_field; p < &RSA_private_field[RSA_PRIVATE_FIELD_ELEMENTS]; p++)
+ {
+ size_t sz;
+ err_t ugh;
+
+ if (!shift())
+ {
+ return "premature end of RSA key";
+ }
+ else if (!tokeqword(p->name))
+ {
+ return builddiag("%s keyword not found where expected in RSA key"
+ , p->name);
+ }
+ else if (!(shift()
+ && (!tokeq(":") || shift()))) /* ignore optional ":" */
+ {
+ return "premature end of RSA key";
+ }
+ else if (NULL != (ugh = ttodatav(tok, flp->cur - tok
+ , 0, buf, sizeof(buf), &sz, diag_space, sizeof(diag_space)
+ , TTODATAV_SPACECOUNTS)))
+ {
+ /* in RSA key, ttodata didn't like */
+ return builddiag("RSA data malformed (%s): %s", ugh, tok);
+ }
+ else
+ {
+ MP_INT *n = (MP_INT *) ((char *)rsak + p->offset);
+
+ n_to_mpz(n, buf, sz);
+ if (pb_next < &pub_bytes[elemsof(pub_bytes)])
+ {
+ if (eb_next - ebytes + sz > sizeof(ebytes))
+ return "public key takes too many bytes";
+
+ setchunk(*pb_next, eb_next, sz);
+ memcpy(eb_next, buf, sz);
+ eb_next += sz;
+ pb_next++;
+ }
+#if 0 /* debugging info that compromises security */
+ {
+ size_t sz = mpz_sizeinbase(n, 16);
+ char buf[RSA_MAX_OCTETS * 2 + 2]; /* ought to be big enough */
+
+ passert(sz <= sizeof(buf));
+ mpz_get_str(buf, 16, n);
+
+ loglog(RC_LOG_SERIOUS, "%s: %s", p->name, buf);
+ }
+#endif
+ }
+ }
+
+ /* We require an (indented) '}' and the end of the record.
+ * We break down the test so that the diagnostic will be
+ * more helpful. Some people don't seem to wish to indent
+ * the brace!
+ */
+ if (!shift() || !tokeq("}"))
+ {
+ return "malformed end of RSA private key -- indented '}' required";
+ }
+ else if (shift())
+ {
+ return "malformed end of RSA private key -- unexpected token after '}'";
+ }
+ else
+ {
+ unsigned bits = mpz_sizeinbase(&rsak->pub.n, 2);
+
+ rsak->pub.k = (bits + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
+ rsak->pub.keyid[0] = '\0'; /* in case of splitkeytoid failure */
+ splitkeytoid(pub_bytes[1].ptr, pub_bytes[1].len
+ , pub_bytes[0].ptr, pub_bytes[0].len
+ , rsak->pub.keyid, sizeof(rsak->pub.keyid));
+ return RSA_private_key_sanity(rsak);
+ }
+}
+
+/* process rsa key file protected with optional passphrase which can either be
+ * read from ipsec.secrets or prompted for by using whack
+ */
+static err_t
+process_rsa_keyfile(RSA_private_key_t *rsak, int whackfd)
+{
+ char filename[BUF_LEN];
+ prompt_pass_t pass;
+
+ memset(filename,'\0', BUF_LEN);
+ memset(pass.secret,'\0', sizeof(pass.secret));
+ pass.prompt = FALSE;
+ pass.fd = whackfd;
+
+ /* we expect the filename of a PKCS#1 private key file */
+
+ if (*tok == '"' || *tok == '\'') /* quoted filename */
+ memcpy(filename, tok+1, flp->cur - tok - 2);
+ else
+ memcpy(filename, tok, flp->cur - tok);
+
+ if (shift())
+ {
+ /* we expect an appended passphrase or passphrase prompt*/
+ if (tokeqword("%prompt"))
+ {
+ if (pass.fd == NULL_FD)
+ return "RSA private key file -- enter passphrase using 'ipsec secrets'";
+ pass.prompt = TRUE;
+ }
+ else
+ {
+ char *passphrase = tok;
+ size_t len = flp->cur - passphrase;
+
+ if (*tok == '"' || *tok == '\'') /* quoted passphrase */
+ {
+ passphrase++;
+ len -= 2;
+ }
+ if (len > PROMPT_PASS_LEN)
+ return "RSA private key file -- passphrase exceeds 64 characters";
+
+ memcpy(pass.secret, passphrase, len);
+ }
+ if (shift())
+ return "RSA private key file -- unexpected token after passphrase";
+ }
+ return load_rsa_private_key(filename, &pass, rsak);
+}
+
+/*
+ * process xauth secret read from ipsec.secrets
+ */
+static err_t
+process_xauth(secret_t *s)
+{
+ chunk_t user_name;
+
+ s->kind = PPK_XAUTH;
+
+ if (!shift())
+ return "missing xauth user name";
+ if (*tok == '"' || *tok == '\'') /* quoted user name */
+ {
+ user_name.ptr = tok + 1;
+ user_name.len = flp->cur - tok - 2;
+ }
+ else
+ {
+ user_name.ptr = tok;
+ user_name.len = flp->cur - tok;
+ }
+ plog(" loaded xauth credentials of user '%.*s'"
+ , user_name.len
+ , user_name.ptr);
+ clonetochunk(s->u.xauth_secret.user_name
+ , user_name.ptr, user_name.len, "xauth user name");
+
+ if (!shift())
+ return "missing xauth user password";
+ return process_psk_secret(&s->u.xauth_secret.user_password);
+}
+
+/* get XAUTH secret from chained secrets lists
+ * only one entry is currently supported
+ */
+static bool
+xauth_get_secret(xauth_t *xauth_secret)
+{
+ secret_t *s;
+ bool found = FALSE;
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == PPK_XAUTH)
+ {
+ if (found)
+ {
+ plog("found multiple xauth secrets - first selected");
+ }
+ else
+ {
+ found = TRUE;
+ *xauth_secret = s->u.xauth_secret;
+ }
+ }
+ }
+ return found;
+}
+
+/*
+ * find a matching secret
+ */
+static bool
+xauth_verify_secret(const xauth_t *xauth_secret)
+{
+ bool found = FALSE;
+ secret_t *s;
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == PPK_XAUTH)
+ {
+ if (!same_chunk(xauth_secret->user_name, s->u.xauth_secret.user_name))
+ continue;
+ found = TRUE;
+ if (same_chunk(xauth_secret->user_password, s->u.xauth_secret.user_password))
+ return TRUE;
+ }
+ }
+ plog("xauth user '%.*s' %s"
+ , xauth_secret->user_name.len, xauth_secret->user_name.ptr
+ , found? "sent wrong password":"not found");
+ return FALSE;
+}
+
+/*
+ * the global xauth_module struct is defined here
+ */
+xauth_module_t xauth_module;
+
+/*
+ * assign the default xauth functions to any null function pointers
+ */
+void
+xauth_defaults(void)
+{
+ if (xauth_module.get_secret == NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("xauth module: using default get_secret() function")
+ )
+ xauth_module.get_secret = xauth_get_secret;
+ }
+ if (xauth_module.verify_secret == NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("xauth module: using default verify_secret() function")
+ )
+ xauth_module.verify_secret = xauth_verify_secret;
+ }
+};
+
+/*
+ * process pin read from ipsec.secrets or prompted for it using whack
+ */
+static err_t
+process_pin(secret_t *s, int whackfd)
+{
+ smartcard_t *sc;
+ const char *pin_status = "no pin";
+
+ s->kind = PPK_PIN;
+
+ /* looking for the smartcard keyword */
+ if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0)
+ return "PIN keyword must be followed by %smartcard<reader>:<id>";
+
+ sc = scx_add(scx_parse_number_slot_id(tok + strlen(SCX_TOKEN)));
+ s->u.smartcard = sc;
+ scx_share(sc);
+ if (sc->pin.ptr != NULL)
+ {
+ scx_release_context(sc);
+ scx_free_pin(&sc->pin);
+ }
+ sc->valid = FALSE;
+
+ if (!shift())
+ return "PIN statement must be terminated either by <pin code>, %pinpad or %prompt";
+
+ if (tokeqword("%prompt"))
+ {
+ shift();
+ /* if whackfd exists, whack will be used to prompt for a pin */
+ if (whackfd != NULL_FD)
+ pin_status = scx_get_pin(sc, whackfd) ? "valid pin" : "invalid pin";
+ else
+ pin_status = "pin entry via prompt";
+ }
+ else if (tokeqword("%pinpad"))
+ {
+ shift();
+ /* pin will be entered via pin pad during verification */
+ clonetochunk(sc->pin, "", 0, "empty pin");
+ sc->pinpad = TRUE;
+ sc->valid = TRUE;
+ pin_status = "pin entry via pad";
+ if (pkcs11_keep_state)
+ scx_verify_pin(sc);
+ }
+ else
+ {
+ /* we read the pin directly from ipsec.secrets */
+ err_t ugh = process_psk_secret(&sc->pin);
+ if (ugh != NULL)
+ return ugh;
+ /* verify the pin */
+ pin_status = scx_verify_pin(sc) ? "valid PIN" : "invalid PIN";
+ }
+#ifdef SMARTCARD
+ {
+ char buf[BUF_LEN];
+
+ if (sc->any_slot)
+ snprintf(buf, BUF_LEN, "any slot");
+ else
+ snprintf(buf, BUF_LEN, "slot: %lu", sc->slot);
+
+ plog(" %s for #%d (%s, id: %s)"
+ , pin_status, sc->number, scx_print_slot(sc, ""), sc->id);
+ }
+#else
+ plog(" warning: SMARTCARD support is deactivated in pluto/Makefile!");
+#endif
+ return NULL;
+}
+
+static void
+process_secret(secret_t *s, int whackfd)
+{
+ err_t ugh = NULL;
+
+ s->kind = PPK_PSK; /* default */
+ if (*tok == '"' || *tok == '\'')
+ {
+ /* old PSK format: just a string */
+ ugh = process_psk_secret(&s->u.preshared_secret);
+ }
+ else if (tokeqword("psk"))
+ {
+ /* preshared key: quoted string or ttodata format */
+ ugh = !shift()? "unexpected end of record in PSK"
+ : process_psk_secret(&s->u.preshared_secret);
+ }
+ else if (tokeqword("rsa"))
+ {
+ /* RSA key: the fun begins.
+ * A braced list of keyword and value pairs.
+ */
+ s->kind = PPK_RSA;
+ if (!shift())
+ {
+ ugh = "bad RSA key syntax";
+ }
+ else if (tokeq("{"))
+ {
+ ugh = process_rsa_secret(&s->u.RSA_private_key);
+ }
+ else
+ {
+ ugh = process_rsa_keyfile(&s->u.RSA_private_key, whackfd);
+ }
+ }
+ else if (tokeqword("xauth"))
+ {
+ ugh = process_xauth(s);
+ }
+ else if (tokeqword("pin"))
+ {
+ ugh = process_pin(s, whackfd);
+ }
+ else
+ {
+ ugh = builddiag("unrecognized key format: %s", tok);
+ }
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s"
+ , flp->filename, flp->lino, ugh);
+ pfree(s);
+ }
+ else if (flushline("expected record boundary in key"))
+ {
+ /* gauntlet has been run: install new secret */
+ lock_certs_and_keys("process_secret");
+ s->next = secrets;
+ secrets = s;
+ unlock_certs_and_keys("process_secrets");
+ }
+}
+
+static void process_secrets_file(const char *file_pat, int whackfd); /* forward declaration */
+
+static void
+process_secret_records(int whackfd)
+{
+ /* read records from ipsec.secrets and load them into our table */
+ for (;;)
+ {
+ (void)flushline(NULL); /* silently ditch leftovers, if any */
+ if (flp->bdry == B_file)
+ break;
+
+ flp->bdry = B_none; /* eat the Record Boundary */
+ (void)shift(); /* get real first token */
+
+ if (tokeqword("include"))
+ {
+ /* an include directive */
+ char fn[MAX_TOK_LEN]; /* space for filename (I hope) */
+ char *p = fn;
+ char *end_prefix = strrchr(flp->filename, '/');
+
+ if (!shift())
+ {
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of include directive"
+ , flp->filename, flp->lino);
+ continue; /* abandon this record */
+ }
+
+ /* if path is relative and including file's pathname has
+ * a non-empty dirname, prefix this path with that dirname.
+ */
+ if (tok[0] != '/' && end_prefix != NULL)
+ {
+ size_t pl = end_prefix - flp->filename + 1;
+
+ /* "clamp" length to prevent problems now;
+ * will be rediscovered and reported later.
+ */
+ if (pl > sizeof(fn))
+ pl = sizeof(fn);
+ memcpy(fn, flp->filename, pl);
+ p += pl;
+ }
+ if (flp->cur - tok >= &fn[sizeof(fn)] - p)
+ {
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: include pathname too long"
+ , flp->filename, flp->lino);
+ continue; /* abandon this record */
+ }
+ strcpy(p, tok);
+ (void) shift(); /* move to Record Boundary, we hope */
+ if (flushline("ignoring malformed INCLUDE -- expected Record Boundary after filename"))
+ {
+ process_secrets_file(fn, whackfd);
+ tok = NULL; /* correct, but probably redundant */
+ }
+ }
+ else
+ {
+ /* expecting a list of indices and then the key info */
+ secret_t *s = alloc_thing(secret_t, "secret");
+
+ s->ids = NULL;
+ s->kind = PPK_PSK; /* default */
+ setchunk(s->u.preshared_secret, NULL, 0);
+ s->next = NULL;
+
+ for (;;)
+ {
+ if (tok[0] == '"' || tok[0] == '\'')
+ {
+ /* found key part */
+ process_secret(s, whackfd);
+ break;
+ }
+ else if (tokeq(":"))
+ {
+ /* found key part */
+ shift(); /* discard explicit separator */
+ process_secret(s, whackfd);
+ break;
+ }
+ else
+ {
+ /* an id
+ * See RFC2407 IPsec Domain of Interpretation 4.6.2
+ */
+ struct id id;
+ err_t ugh;
+
+ if (tokeq("%any"))
+ {
+ id = empty_id;
+ id.kind = ID_IPV4_ADDR;
+ ugh = anyaddr(AF_INET, &id.ip_addr);
+ }
+ else if (tokeq("%any6"))
+ {
+ id = empty_id;
+ id.kind = ID_IPV6_ADDR;
+ ugh = anyaddr(AF_INET6, &id.ip_addr);
+ }
+ else
+ {
+ ugh = atoid(tok, &id, FALSE);
+ }
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ERROR \"%s\" line %d: index \"%s\" %s"
+ , flp->filename, flp->lino, tok, ugh);
+ }
+ else
+ {
+ id_list_t *i = alloc_thing(id_list_t
+ , "id_list");
+
+ i->id = id;
+ unshare_id_content(&i->id);
+ i->next = s->ids;
+ s->ids = i;
+ /* DBG_log("id type %d: %s %.*s", i->kind, ip_str(&i->ip_addr), (int)i->name.len, i->name.ptr); */
+ }
+ if (!shift())
+ {
+ /* unexpected Record Boundary or EOF */
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list"
+ , flp->filename, flp->lino);
+ break;
+ }
+ }
+ }
+ }
+ }
+}
+
+static int
+globugh(const char *epath, int eerrno)
+{
+ log_errno_routine(eerrno, "problem with secrets file \"%s\"", epath);
+ return 1; /* stop glob */
+}
+
+static void
+process_secrets_file(const char *file_pat, int whackfd)
+{
+ struct file_lex_position pos;
+ char **fnp;
+ glob_t globbuf;
+
+ pos.depth = flp == NULL? 0 : flp->depth + 1;
+
+ if (pos.depth > 10)
+ {
+ loglog(RC_LOG_SERIOUS, "preshared secrets file \"%s\" nested too deeply", file_pat);
+ return;
+ }
+
+ /* do globbing */
+ {
+ int r = glob(file_pat, GLOB_ERR, globugh, &globbuf);
+
+ if (r != 0)
+ {
+ switch (r)
+ {
+ case GLOB_NOSPACE:
+ loglog(RC_LOG_SERIOUS, "out of space processing secrets filename \"%s\"", file_pat);
+ break;
+ case GLOB_ABORTED:
+ break; /* already logged */
+ case GLOB_NOMATCH:
+ loglog(RC_LOG_SERIOUS, "no secrets filename matched \"%s\"", file_pat);
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "unknown glob error %d", r);
+ break;
+ }
+ globfree(&globbuf);
+ return;
+ }
+ }
+
+ /* for each file... */
+ for (fnp = globbuf.gl_pathv; *fnp != NULL; fnp++)
+ {
+ if (lexopen(&pos, *fnp, FALSE))
+ {
+ plog("loading secrets from \"%s\"", *fnp);
+ (void) flushline("file starts with indentation (continuation notation)");
+ process_secret_records(whackfd);
+ lexclose();
+ }
+ }
+
+ globfree(&globbuf);
+}
+
+void
+free_preshared_secrets(void)
+{
+ lock_certs_and_keys("free_preshared_secrets");
+
+ if (secrets != NULL)
+ {
+ secret_t *s, *ns;
+
+ plog("forgetting secrets");
+
+ for (s = secrets; s != NULL; s = ns)
+ {
+ id_list_t *i, *ni;
+
+ ns = s->next; /* grab before freeing s */
+ for (i = s->ids; i != NULL; i = ni)
+ {
+ ni = i->next; /* grab before freeing i */
+ free_id_content(&i->id);
+ pfree(i);
+ }
+ switch (s->kind)
+ {
+ case PPK_PSK:
+ pfree(s->u.preshared_secret.ptr);
+ break;
+ case PPK_RSA:
+ free_RSA_private_content(&s->u.RSA_private_key);
+ break;
+ case PPK_XAUTH:
+ pfree(s->u.xauth_secret.user_name.ptr);
+ pfree(s->u.xauth_secret.user_password.ptr);
+ break;
+ case PPK_PIN:
+ scx_release(s->u.smartcard);
+ break;
+ default:
+ bad_case(s->kind);
+ }
+ pfree(s);
+ }
+ secrets = NULL;
+ }
+
+ unlock_certs_and_keys("free_preshard_secrets");
+}
+
+void
+load_preshared_secrets(int whackfd)
+{
+ free_preshared_secrets();
+ (void) process_secrets_file(shared_secrets_file, whackfd);
+}
+
+/* public key machinery
+ * Note: caller must set dns_auth_level.
+ */
+
+pubkey_t *
+public_key_from_rsa(const RSA_public_key_t *k)
+{
+ pubkey_t *p = alloc_thing(pubkey_t, "pubkey");
+
+ p->id = empty_id; /* don't know, doesn't matter */
+ p->issuer = empty_chunk;
+ p->serial = empty_chunk;
+ p->alg = PUBKEY_ALG_RSA;
+
+ memcpy(p->u.rsa.keyid, k->keyid, sizeof(p->u.rsa.keyid));
+ p->u.rsa.k = k->k;
+ mpz_init_set(&p->u.rsa.e, &k->e);
+ mpz_init_set(&p->u.rsa.n, &k->n);
+
+ /* note that we return a 1 reference count upon creation:
+ * invariant: recount > 0.
+ */
+ p->refcnt = 1;
+ time(&p->installed_time);
+ return p;
+}
+
+/* Free a public key record.
+ * As a convenience, this returns a pointer to next.
+ */
+pubkey_list_t *
+free_public_keyentry(pubkey_list_t *p)
+{
+ pubkey_list_t *nxt = p->next;
+
+ if (p->key != NULL)
+ unreference_key(&p->key);
+ pfree(p);
+ return nxt;
+}
+
+void
+free_public_keys(pubkey_list_t **keys)
+{
+ while (*keys != NULL)
+ *keys = free_public_keyentry(*keys);
+}
+
+/* root of chained public key list */
+
+pubkey_list_t *pubkeys = NULL; /* keys from ipsec.conf */
+
+void
+free_remembered_public_keys(void)
+{
+ free_public_keys(&pubkeys);
+}
+
+/* transfer public keys from *keys list to front of pubkeys list */
+void
+transfer_to_public_keys(struct gw_info *gateways_from_dns
+#ifdef USE_KEYRR
+, pubkey_list_t **keys
+#endif /* USE_KEYRR */
+)
+{
+ {
+ struct gw_info *gwp;
+
+ for (gwp = gateways_from_dns; gwp != NULL; gwp = gwp->next)
+ {
+ pubkey_list_t *pl = alloc_thing(pubkey_list_t, "from TXT");
+
+ pl->key = gwp->key; /* note: this is a transfer */
+ gwp->key = NULL; /* really, it is! */
+ pl->next = pubkeys;
+ pubkeys = pl;
+ }
+ }
+
+#ifdef USE_KEYRR
+ {
+ pubkey_list_t **pp = keys;
+
+ while (*pp != NULL)
+ pp = &(*pp)->next;
+ *pp = pubkeys;
+ pubkeys = *keys;
+ *keys = NULL;
+ }
+#endif /* USE_KEYRR */
+}
+
+/* decode of RSA pubkey chunk
+ * - format specified in RFC 2537 RSA/MD5 Keys and SIGs in the DNS
+ * - exponent length in bytes (1 or 3 octets)
+ * + 1 byte if in [1, 255]
+ * + otherwise 0x00 followed by 2 bytes of length
+ * - exponent
+ * - modulus
+ */
+err_t
+unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey)
+{
+ chunk_t exp;
+ chunk_t mod;
+
+ if (pubkey->len < 3)
+ return "RSA public key blob way to short"; /* not even room for length! */
+
+ if (pubkey->ptr[0] != 0x00)
+ {
+ setchunk(exp, pubkey->ptr + 1, pubkey->ptr[0]);
+ }
+ else
+ {
+ setchunk(exp, pubkey->ptr + 3
+ , (pubkey->ptr[1] << BITS_PER_BYTE) + pubkey->ptr[2]);
+ }
+
+ if (pubkey->len - (exp.ptr - pubkey->ptr) < exp.len + RSA_MIN_OCTETS_RFC)
+ return "RSA public key blob too short";
+
+ mod.ptr = exp.ptr + exp.len;
+ mod.len = &pubkey->ptr[pubkey->len] - mod.ptr;
+
+ if (mod.len < RSA_MIN_OCTETS)
+ return RSA_MIN_OCTETS_UGH;
+
+ if (mod.len > RSA_MAX_OCTETS)
+ return RSA_MAX_OCTETS_UGH;
+
+ init_RSA_public_key(rsa, exp, mod);
+ rsa->k = mpz_sizeinbase(&rsa->n, 2); /* size in bits, for a start */
+ rsa->k = (rsa->k + BITS_PER_BYTE - 1) / BITS_PER_BYTE; /* now octets */
+ DBG(DBG_RAW,
+ RSA_show_public_key(rsa)
+ )
+
+ if (rsa->k != mod.len)
+ {
+ mpz_clear(&rsa->e);
+ mpz_clear(&rsa->n);
+ return "RSA modulus shorter than specified";
+ }
+
+ return NULL;
+}
+
+static void
+install_public_key(pubkey_t *pk, pubkey_list_t **head)
+{
+ pubkey_list_t *p = alloc_thing(pubkey_list_t, "pubkey entry");
+
+ unshare_id_content(&pk->id);
+
+ /* copy issuer dn */
+ if (pk->issuer.ptr != NULL)
+ pk->issuer.ptr = clone_bytes(pk->issuer.ptr, pk->issuer.len, "issuer dn");
+
+ /* copy serial number */
+ if (pk->serial.ptr != NULL)
+ pk->serial.ptr = clone_bytes(pk->serial.ptr, pk->serial.len, "serialNumber");
+
+ /* store the time the public key was installed */
+ time(&pk->installed_time);
+
+ /* install new key at front */
+ p->key = reference_key(pk);
+ p->next = *head;
+ *head = p;
+}
+
+
+void
+delete_public_keys(const struct id *id, enum pubkey_alg alg
+, chunk_t issuer, chunk_t serial)
+{
+ pubkey_list_t **pp, *p;
+ pubkey_t *pk;
+
+ for (pp = &pubkeys; (p = *pp) != NULL; )
+ {
+ pk = p->key;
+
+ if (same_id(id, &pk->id) && pk->alg == alg
+ && (issuer.ptr == NULL || pk->issuer.ptr == NULL
+ || same_dn(issuer, pk->issuer))
+ && same_serial(serial, pk->serial))
+ *pp = free_public_keyentry(p);
+ else
+ pp = &p->next;
+ }
+}
+
+pubkey_t *
+reference_key(pubkey_t *pk)
+{
+ pk->refcnt++;
+ return pk;
+}
+
+void
+unreference_key(pubkey_t **pkp)
+{
+ pubkey_t *pk = *pkp;
+ char b[BUF_LEN];
+
+ if (pk == NULL)
+ return;
+
+ /* print stuff */
+ DBG(DBG_CONTROLMORE,
+ idtoa(&pk->id, b, sizeof(b));
+ DBG_log("unreference key: %p %s cnt %d--", pk, b, pk->refcnt)
+ )
+
+ /* cancel out the pointer */
+ *pkp = NULL;
+
+ passert(pk->refcnt != 0);
+ pk->refcnt--;
+ if (pk->refcnt == 0)
+ free_public_key(pk);
+}
+
+err_t
+add_public_key(const struct id *id
+, enum dns_auth_level dns_auth_level
+, enum pubkey_alg alg
+, const chunk_t *key
+, pubkey_list_t **head)
+{
+ pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
+
+ /* first: algorithm-specific decoding of key chunk */
+ switch (alg)
+ {
+ case PUBKEY_ALG_RSA:
+ {
+ err_t ugh = unpack_RSA_public_key(&pk->u.rsa, key);
+
+ if (ugh != NULL)
+ {
+ pfree(pk);
+ return ugh;
+ }
+ }
+ break;
+ default:
+ bad_case(alg);
+ }
+
+ pk->id = *id;
+ pk->dns_auth_level = dns_auth_level;
+ pk->alg = alg;
+ pk->until_time = UNDEFINED_TIME;
+ pk->issuer = empty_chunk;
+ pk->serial = empty_chunk;
+
+ install_public_key(pk, head);
+ return NULL;
+}
+
+/* extract id and public key from x.509 certificate and
+ * insert it into a pubkeyrec
+ */
+void
+add_x509_public_key(x509cert_t *cert , time_t until
+ , enum dns_auth_level dns_auth_level)
+{
+ generalName_t *gn;
+ pubkey_t *pk;
+ cert_t c = { CERT_X509_SIGNATURE, {cert} };
+
+ /* we support RSA only */
+ if (cert->subjectPublicKeyAlgorithm != PUBKEY_ALG_RSA)
+ return;
+
+ /* ID type: ID_DER_ASN1_DN (X.509 subject field) */
+ pk = allocate_RSA_public_key(c);
+ pk->id.kind = ID_DER_ASN1_DN;
+ pk->id.name = cert->subject;
+ pk->dns_auth_level = dns_auth_level;
+ pk->until_time = until;
+ pk->issuer = cert->issuer;
+ pk->serial = cert->serialNumber;
+ delete_public_keys(&pk->id, pk->alg, pk->issuer, pk->serial);
+ install_public_key(pk, &pubkeys);
+
+ gn = cert->subjectAltName;
+
+ while (gn != NULL) /* insert all subjectAltNames */
+ {
+ struct id id = empty_id;
+
+ gntoid(&id, gn);
+ if (id.kind != ID_NONE)
+ {
+ pk = allocate_RSA_public_key(c);
+ pk->id = id;
+ pk->dns_auth_level = dns_auth_level;
+ pk->until_time = until;
+ pk->issuer = cert->issuer;
+ pk->serial = cert->serialNumber;
+ delete_public_keys(&pk->id, pk->alg, pk->issuer, pk->serial);
+ install_public_key(pk, &pubkeys);
+ }
+ gn = gn->next;
+ }
+}
+
+/* extract id and public key from OpenPGP certificate and
+ * insert it into a pubkeyrec
+ */
+void
+add_pgp_public_key(pgpcert_t *cert , time_t until
+ , enum dns_auth_level dns_auth_level)
+{
+ pubkey_t *pk;
+ cert_t c;
+
+ c.type = CERT_PGP;
+ c.u.pgp = cert;
+
+ /* we support RSA only */
+ if (cert->pubkeyAlg != PUBKEY_ALG_RSA)
+ {
+ plog(" RSA public keys supported only");
+ return;
+ }
+
+ pk = allocate_RSA_public_key(c);
+ pk->id.kind = ID_KEY_ID;
+ pk->id.name.ptr = cert->fingerprint;
+ pk->id.name.len = PGP_FINGERPRINT_SIZE;
+ pk->dns_auth_level = dns_auth_level;
+ pk->until_time = until;
+ delete_public_keys(&pk->id, pk->alg, empty_chunk, empty_chunk);
+ install_public_key(pk, &pubkeys);
+}
+
+/* when a X.509 certificate gets revoked, all instances of
+ * the corresponding public key must be removed
+ */
+void
+remove_x509_public_key(const x509cert_t *cert)
+{
+ const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+ pubkey_list_t *p, **pp;
+ pubkey_t *revoked_pk;
+
+ revoked_pk = allocate_RSA_public_key(c);
+ p = pubkeys;
+ pp = &pubkeys;
+
+ while(p != NULL)
+ {
+ if (same_RSA_public_key(&p->key->u.rsa, &revoked_pk->u.rsa))
+ {
+ /* remove p from list and free memory */
+ *pp = free_public_keyentry(p);
+ loglog(RC_LOG_SERIOUS,
+ "invalid RSA public key deleted");
+ }
+ else
+ {
+ pp = &p->next;
+ }
+ p =*pp;
+ }
+ free_public_key(revoked_pk);
+}
+
+/*
+ * list all public keys in the chained list
+ */
+void list_public_keys(bool utc)
+{
+ pubkey_list_t *p = pubkeys;
+
+ if (p != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of Public Keys:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (p != NULL)
+ {
+ pubkey_t *key = p->key;
+
+ if (key->alg == PUBKEY_ALG_RSA)
+ {
+ char buf[BUF_LEN];
+ char expires_buf[TIMETOA_BUF];
+
+ idtoa(&key->id, buf, BUF_LEN);
+ strcpy(expires_buf, timetoa(&key->until_time, utc));
+ whack_log(RC_COMMENT, "%s, %4d RSA Key %s, until %s %s",
+
+ timetoa(&key->installed_time, utc), 8*key->u.rsa.k, key->u.rsa.keyid,
+ expires_buf,
+ check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
+ whack_log(RC_COMMENT," %s '%s'",
+ enum_show(&ident_names, key->id.kind), buf);
+ if (key->issuer.len > 0)
+ {
+ dntoa(buf, BUF_LEN, key->issuer);
+ whack_log(RC_COMMENT," issuer: '%s'", buf);
+ }
+ if (key->serial.len > 0)
+ {
+ datatot(key->serial.ptr, key->serial.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT," serial: %s", buf);
+ }
+ }
+ p = p->next;
+ }
+}
diff --git a/src/pluto/keys.h b/src/pluto/keys.h
new file mode 100644
index 000000000..415bdc3c1
--- /dev/null
+++ b/src/pluto/keys.h
@@ -0,0 +1,113 @@
+/* mechanisms for preshared keys (public, private, and preshared secrets)
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: keys.h,v 1.7 2006/01/26 20:10:34 as Exp $
+ */
+
+#ifndef _KEYS_H
+#define _KEYS_H
+
+#include <gmp.h> /* GNU Multi-Precision library */
+
+#include "pkcs1.h"
+#include "certs.h"
+
+#ifndef SHARED_SECRETS_FILE
+# define SHARED_SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets"
+#endif
+
+const char *shared_secrets_file;
+
+extern void load_preshared_secrets(int whackfd);
+extern void free_preshared_secrets(void);
+
+enum PrivateKeyKind {
+ PPK_PSK,
+ /* PPK_DSS, */ /* not implemented */
+ PPK_RSA,
+ PPK_XAUTH,
+ PPK_PIN
+};
+
+extern void xauth_defaults(void);
+
+/* forward declaration */
+struct connection;
+
+extern const chunk_t *get_preshared_secret(const struct connection *c);
+extern err_t unpack_RSA_public_key(RSA_public_key_t *rsa, const chunk_t *pubkey);
+extern const RSA_private_key_t *get_RSA_private_key(const struct connection *c);
+extern const RSA_private_key_t *get_x509_private_key(const x509cert_t *cert);
+
+/* public key machinery */
+
+typedef struct pubkey pubkey_t;
+
+struct pubkey {
+ struct id id;
+ unsigned refcnt; /* reference counted! */
+ enum dns_auth_level dns_auth_level;
+ char *dns_sig;
+ time_t installed_time
+ , last_tried_time
+ , last_worked_time
+ , until_time;
+ chunk_t issuer;
+ chunk_t serial;
+ enum pubkey_alg alg;
+ union {
+ RSA_public_key_t rsa;
+ } u;
+};
+
+typedef struct pubkey_list pubkey_list_t;
+
+struct pubkey_list {
+ pubkey_t *key;
+ pubkey_list_t *next;
+};
+
+extern pubkey_list_t *pubkeys; /* keys from ipsec.conf or from certs */
+
+extern pubkey_t *public_key_from_rsa(const RSA_public_key_t *k);
+extern pubkey_list_t *free_public_keyentry(pubkey_list_t *p);
+extern void free_public_keys(pubkey_list_t **keys);
+extern void free_remembered_public_keys(void);
+extern void delete_public_keys(const struct id *id, enum pubkey_alg alg
+ , chunk_t issuer, chunk_t serial);
+
+extern pubkey_t *reference_key(pubkey_t *pk);
+extern void unreference_key(pubkey_t **pkp);
+
+extern err_t add_public_key(const struct id *id
+ , enum dns_auth_level dns_auth_level
+ , enum pubkey_alg alg
+ , const chunk_t *key
+ , pubkey_list_t **head);
+
+extern bool has_private_key(cert_t cert);
+extern void add_x509_public_key(x509cert_t *cert, time_t until
+ , enum dns_auth_level dns_auth_level);
+extern void add_pgp_public_key(pgpcert_t *cert, time_t until
+ , enum dns_auth_level dns_auth_level);
+extern void remove_x509_public_key(const x509cert_t *cert);
+extern void list_public_keys(bool utc);
+
+struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
+extern void transfer_to_public_keys(struct gw_info *gateways_from_dns
+#ifdef USE_KEYRR
+ , pubkey_list_t **keys
+#endif /* USE_KEYRR */
+ );
+
+#endif /* _KEYS_H */
diff --git a/src/pluto/lex.c b/src/pluto/lex.c
new file mode 100644
index 000000000..5c811725a
--- /dev/null
+++ b/src/pluto/lex.c
@@ -0,0 +1,213 @@
+/* lexer (lexical analyzer) for control files
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: lex.c,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+#include "lex.h"
+
+struct file_lex_position *flp = NULL;
+
+/* Open a file for lexical processing.
+ * new_flp and name must point into storage with will live
+ * at least until the file is closed.
+ */
+bool
+lexopen(struct file_lex_position *new_flp, const char *name, bool optional)
+{
+ FILE *f = fopen(name, "r");
+
+ if (f == NULL)
+ {
+ if (!optional || errno != ENOENT)
+ log_errno((e, "could not open \"%s\"", name));
+ return FALSE;
+ }
+ else
+ {
+ new_flp->previous = flp;
+ flp = new_flp;
+ flp->filename = name;
+ flp->fp = f;
+ flp->lino = 0;
+ flp->bdry = B_none;
+
+ flp->cur = flp->buffer; /* nothing loaded yet */
+ flp->under = *flp->cur = '\0';
+
+ (void) shift(); /* prime tok */
+ return TRUE;
+ }
+}
+
+void
+lexclose(void)
+{
+ fclose(flp->fp);
+ flp = flp->previous;
+}
+
+/* Token decoding: shift() loads the next token into tok.
+ * Iff a token starts at the left margin, it is considered
+ * to be the first in a record. We create a special condition,
+ * Record Boundary (analogous to EOF), just before such a token.
+ * We are unwilling to shift through a record boundary:
+ * it must be overridden first.
+ * Returns FALSE iff Record Boundary or EOF (i.e. no token);
+ * tok will then be NULL.
+ */
+
+char *tok;
+#define tokeq(s) (streq(tok, (s)))
+#define tokeqword(s) (strcasecmp(tok, (s)) == 0)
+
+bool
+shift(void)
+{
+ char *p = flp->cur;
+ char *sor = NULL; /* start of record for any new lines */
+
+ passert(flp->bdry == B_none);
+
+ *p = flp->under;
+ flp->under = '\0';
+
+ for (;;)
+ {
+ switch (*p)
+ {
+ case '\0': /* end of line */
+ case '#': /* comment to end of line: treat as end of line */
+ /* get the next line */
+ if (fgets(flp->buffer, sizeof(flp->buffer)-1, flp->fp) == NULL)
+ {
+ flp->bdry = B_file;
+ tok = flp->cur = NULL;
+ return FALSE;
+ }
+ else
+ {
+ /* strip trailing whitespace, including \n */
+
+ for (p = flp->buffer+strlen(flp->buffer)-1
+ ; p>flp->buffer && isspace(p[-1]); p--)
+ ;
+ *p = '\0';
+
+ flp->lino++;
+ sor = p = flp->buffer;
+ }
+ break; /* try again for a token */
+
+ case ' ': /* whitespace */
+ case '\t':
+ p++;
+ break; /* try again for a token */
+
+ case '"': /* quoted token */
+ case '\'':
+ if (p != sor)
+ {
+ /* we have a quoted token: note and advance to its end */
+ tok = p;
+ p = strchr(p+1, *p);
+ if (p == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unterminated string"
+ , flp->filename, flp->lino);
+ p = tok + strlen(tok);
+ }
+ else
+ {
+ p++; /* include delimiter in token */
+ }
+
+ /* remember token delimiter and replace with '\0' */
+ flp->under = *p;
+ *p = '\0';
+ flp->cur = p;
+ return TRUE;
+ }
+ /* FALL THROUGH */
+ default:
+ if (p != sor)
+ {
+ /* we seem to have a token: note and advance to its end */
+ tok = p;
+
+ if (p[0] == '0' && p[1] == 't')
+ {
+ /* 0t... token goes to end of line */
+ p += strlen(p);
+ }
+ else
+ {
+ /* "ordinary" token: up to whitespace or end of line */
+ do {
+ p++;
+ } while (*p != '\0' && !isspace(*p))
+ ;
+
+ /* fudge to separate ':' from a preceding adjacent token */
+ if (p-1 > tok && p[-1] == ':')
+ p--;
+ }
+
+ /* remember token delimiter and replace with '\0' */
+ flp->under = *p;
+ *p = '\0';
+ flp->cur = p;
+ return TRUE;
+ }
+
+ /* we have a start-of-record: return it, deferring "real" token */
+ flp->bdry = B_record;
+ tok = NULL;
+ flp->under = *p;
+ flp->cur = p;
+ return FALSE;
+ }
+ }
+}
+
+/* ensures we are at a Record (or File) boundary, optionally warning if not */
+
+bool
+flushline(const char *m)
+{
+ if (flp->bdry != B_none)
+ {
+ return TRUE;
+ }
+ else
+ {
+ if (m != NULL)
+ loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s", flp->filename, flp->lino, m);
+ do ; while (shift());
+ return FALSE;
+ }
+}
diff --git a/src/pluto/lex.h b/src/pluto/lex.h
new file mode 100644
index 000000000..fb6c15236
--- /dev/null
+++ b/src/pluto/lex.h
@@ -0,0 +1,52 @@
+/* lexer (lexical analyzer) for control files
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: lex.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+#define MAX_TOK_LEN 2048 /* includes terminal '\0' */
+struct file_lex_position
+{
+ int depth; /* how deeply we are nested */
+ const char *filename;
+ FILE *fp;
+ enum { B_none, B_record, B_file } bdry; /* current boundary */
+ int lino; /* line number in file */
+ char buffer[MAX_TOK_LEN + 1]; /* note: one extra char for our use (jamming '"') */
+ char *cur; /* cursor */
+ char under; /* except in shift(): character orignally at *cur */
+ struct file_lex_position *previous;
+};
+
+extern struct file_lex_position *flp;
+
+extern bool lexopen(struct file_lex_position *new_flp, const char *name, bool optional);
+extern void lexclose(void);
+
+
+/* Token decoding: shift() loads the next token into tok.
+ * Iff a token starts at the left margin, it is considered
+ * to be the first in a record. We create a special condition,
+ * Record Boundary (analogous to EOF), just before such a token.
+ * We are unwilling to shift through a record boundary:
+ * it must be overridden first.
+ * Returns FALSE iff Record Boundary or EOF (i.e. no token);
+ * tok will then be NULL.
+ */
+
+extern char *tok;
+#define tokeq(s) (streq(tok, (s)))
+#define tokeqword(s) (strcasecmp(tok, (s)) == 0)
+
+extern bool shift(void);
+extern bool flushline(const char *m);
diff --git a/src/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h
new file mode 100644
index 000000000..6b0896da6
--- /dev/null
+++ b/src/pluto/linux26/netlink.h
@@ -0,0 +1,90 @@
+#ifndef __LINUX_NETLINK_H
+#define __LINUX_NETLINK_H
+
+#include <stdint.h>
+#include <sys/socket.h> /* for sa_family_t */
+
+#define NETLINK_ROUTE 0 /* Routing/device hook */
+#define NETLINK_SKIP 1 /* Reserved for ENskip */
+#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
+#define NETLINK_FIREWALL 3 /* Firewalling hook */
+#define NETLINK_TCPDIAG 4 /* TCP socket monitoring */
+#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
+#define NETLINK_XFRM 6 /* ipsec */
+#define NETLINK_ARPD 8
+#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
+#define NETLINK_IP6_FW 13
+#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
+#define NETLINK_TAPBASE 16 /* 16 to 31 are ethertap */
+
+#define MAX_LINKS 32
+
+struct sockaddr_nl
+{
+ sa_family_t nl_family; /* AF_NETLINK */
+ unsigned short nl_pad; /* zero */
+ uint32_t nl_pid; /* process pid */
+ uint32_t nl_groups; /* multicast groups mask */
+};
+
+struct nlmsghdr
+{
+ uint32_t nlmsg_len; /* Length of message including header */
+ uint16_t nlmsg_type; /* Message content */
+ uint16_t nlmsg_flags; /* Additional flags */
+ uint32_t nlmsg_seq; /* Sequence number */
+ uint32_t nlmsg_pid; /* Sending process PID */
+};
+
+/* Flags values */
+
+#define NLM_F_REQUEST 1 /* It is request message. */
+#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */
+#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */
+#define NLM_F_ECHO 8 /* Echo this request */
+
+/* Modifiers to GET request */
+#define NLM_F_ROOT 0x100 /* specify tree root */
+#define NLM_F_MATCH 0x200 /* return all matching */
+#define NLM_F_ATOMIC 0x400 /* atomic GET */
+#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH)
+
+/* Modifiers to NEW request */
+#define NLM_F_REPLACE 0x100 /* Override existing */
+#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */
+#define NLM_F_CREATE 0x400 /* Create, if it does not exist */
+#define NLM_F_APPEND 0x800 /* Add to end of list */
+
+/*
+ 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL
+ 4.4BSD CHANGE NLM_F_REPLACE
+
+ True CHANGE NLM_F_CREATE|NLM_F_REPLACE
+ Append NLM_F_CREATE
+ Check NLM_F_EXCL
+ */
+
+#define NLMSG_ALIGNTO 4
+#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) )
+#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr)))
+#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
+#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
+#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
+ (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
+#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
+ (nlh)->nlmsg_len <= (len))
+#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
+
+#define NLMSG_NOOP 0x1 /* Nothing. */
+#define NLMSG_ERROR 0x2 /* Error */
+#define NLMSG_DONE 0x3 /* End of a dump */
+#define NLMSG_OVERRUN 0x4 /* Data lost */
+
+struct nlmsgerr
+{
+ int error;
+ struct nlmsghdr msg;
+};
+
+#define NET_MAJOR 36 /* Major 36 is reserved for networking */
+#endif /* __LINUX_NETLINK_H */
diff --git a/src/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h
new file mode 100644
index 000000000..341bc1f86
--- /dev/null
+++ b/src/pluto/linux26/rtnetlink.h
@@ -0,0 +1,562 @@
+#ifndef __LINUX_RTNETLINK_H
+#define __LINUX_RTNETLINK_H
+
+#include "netlink.h"
+#include <stdint.h>
+
+#define RTNL_DEBUG 1
+
+
+/****
+ * Routing/neighbour discovery messages.
+ ****/
+
+/* Types of messages */
+
+#define RTM_BASE 0x10
+
+#define RTM_NEWLINK (RTM_BASE+0)
+#define RTM_DELLINK (RTM_BASE+1)
+#define RTM_GETLINK (RTM_BASE+2)
+#define RTM_SETLINK (RTM_BASE+3)
+
+#define RTM_NEWADDR (RTM_BASE+4)
+#define RTM_DELADDR (RTM_BASE+5)
+#define RTM_GETADDR (RTM_BASE+6)
+
+#define RTM_NEWROUTE (RTM_BASE+8)
+#define RTM_DELROUTE (RTM_BASE+9)
+#define RTM_GETROUTE (RTM_BASE+10)
+
+#define RTM_NEWNEIGH (RTM_BASE+12)
+#define RTM_DELNEIGH (RTM_BASE+13)
+#define RTM_GETNEIGH (RTM_BASE+14)
+
+#define RTM_NEWRULE (RTM_BASE+16)
+#define RTM_DELRULE (RTM_BASE+17)
+#define RTM_GETRULE (RTM_BASE+18)
+
+#define RTM_NEWQDISC (RTM_BASE+20)
+#define RTM_DELQDISC (RTM_BASE+21)
+#define RTM_GETQDISC (RTM_BASE+22)
+
+#define RTM_NEWTCLASS (RTM_BASE+24)
+#define RTM_DELTCLASS (RTM_BASE+25)
+#define RTM_GETTCLASS (RTM_BASE+26)
+
+#define RTM_NEWTFILTER (RTM_BASE+28)
+#define RTM_DELTFILTER (RTM_BASE+29)
+#define RTM_GETTFILTER (RTM_BASE+30)
+
+#define RTM_MAX (RTM_BASE+31)
+
+/*
+ Generic structure for encapsulation optional route information.
+ It is reminiscent of sockaddr, but with sa_family replaced
+ with attribute type.
+ */
+
+struct rtattr
+{
+ unsigned short rta_len;
+ unsigned short rta_type;
+};
+
+/* Macros to handle rtattributes */
+
+#define RTA_ALIGNTO 4
+#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
+#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \
+ (rta)->rta_len <= (len))
+#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
+ (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len))
+#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len))
+#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0)))
+#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
+
+
+
+
+/******************************************************************************
+ * Definitions used in routing table administation.
+ ****/
+
+struct rtmsg
+{
+ unsigned char rtm_family;
+ unsigned char rtm_dst_len;
+ unsigned char rtm_src_len;
+ unsigned char rtm_tos;
+
+ unsigned char rtm_table; /* Routing table id */
+ unsigned char rtm_protocol; /* Routing protocol; see below */
+ unsigned char rtm_scope; /* See below */
+ unsigned char rtm_type; /* See below */
+
+ unsigned rtm_flags;
+};
+
+/* rtm_type */
+
+enum
+{
+ RTN_UNSPEC,
+ RTN_UNICAST, /* Gateway or direct route */
+ RTN_LOCAL, /* Accept locally */
+ RTN_BROADCAST, /* Accept locally as broadcast,
+ send as broadcast */
+ RTN_ANYCAST, /* Accept locally as broadcast,
+ but send as unicast */
+ RTN_MULTICAST, /* Multicast route */
+ RTN_BLACKHOLE, /* Drop */
+ RTN_UNREACHABLE, /* Destination is unreachable */
+ RTN_PROHIBIT, /* Administratively prohibited */
+ RTN_THROW, /* Not in this table */
+ RTN_NAT, /* Translate this address */
+ RTN_XRESOLVE, /* Use external resolver */
+};
+
+#define RTN_MAX RTN_XRESOLVE
+
+
+/* rtm_protocol */
+
+#define RTPROT_UNSPEC 0
+#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects;
+ not used by current IPv4 */
+#define RTPROT_KERNEL 2 /* Route installed by kernel */
+#define RTPROT_BOOT 3 /* Route installed during boot */
+#define RTPROT_STATIC 4 /* Route installed by administrator */
+
+/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel;
+ they just passed from user and back as is.
+ It will be used by hypothetical multiple routing daemons.
+ Note that protocol values should be standardized in order to
+ avoid conflicts.
+ */
+
+#define RTPROT_GATED 8 /* Apparently, GateD */
+#define RTPROT_RA 9 /* RDISC/ND router advertisments */
+#define RTPROT_MRT 10 /* Merit MRT */
+#define RTPROT_ZEBRA 11 /* Zebra */
+#define RTPROT_BIRD 12 /* BIRD */
+#define RTPROT_DNROUTED 13 /* DECnet routing daemon */
+
+/* rtm_scope
+
+ Really it is not scope, but sort of distance to the destination.
+ NOWHERE are reserved for not existing destinations, HOST is our
+ local addresses, LINK are destinations, located on directly attached
+ link and UNIVERSE is everywhere in the Universe.
+
+ Intermediate values are also possible f.e. interior routes
+ could be assigned a value between UNIVERSE and LINK.
+*/
+
+enum rt_scope_t
+{
+ RT_SCOPE_UNIVERSE=0,
+/* User defined values */
+ RT_SCOPE_SITE=200,
+ RT_SCOPE_LINK=253,
+ RT_SCOPE_HOST=254,
+ RT_SCOPE_NOWHERE=255
+};
+
+/* rtm_flags */
+
+#define RTM_F_NOTIFY 0x100 /* Notify user of route change */
+#define RTM_F_CLONED 0x200 /* This route is cloned */
+#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */
+
+/* Reserved table identifiers */
+
+enum rt_class_t
+{
+ RT_TABLE_UNSPEC=0,
+/* User defined values */
+ RT_TABLE_DEFAULT=253,
+ RT_TABLE_MAIN=254,
+ RT_TABLE_LOCAL=255
+};
+#define RT_TABLE_MAX RT_TABLE_LOCAL
+
+
+
+/* Routing message attributes */
+
+enum rtattr_type_t
+{
+ RTA_UNSPEC,
+ RTA_DST,
+ RTA_SRC,
+ RTA_IIF,
+ RTA_OIF,
+ RTA_GATEWAY,
+ RTA_PRIORITY,
+ RTA_PREFSRC,
+ RTA_METRICS,
+ RTA_MULTIPATH,
+ RTA_PROTOINFO,
+ RTA_FLOW,
+ RTA_CACHEINFO,
+ RTA_SESSION,
+};
+
+#define RTA_MAX RTA_SESSION
+
+#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg))))
+#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg))
+
+/* RTM_MULTIPATH --- array of struct rtnexthop.
+ *
+ * "struct rtnexthop" describres all necessary nexthop information,
+ * i.e. parameters of path to a destination via this nextop.
+ *
+ * At the moment it is impossible to set different prefsrc, mtu, window
+ * and rtt for different paths from multipath.
+ */
+
+struct rtnexthop
+{
+ unsigned short rtnh_len;
+ unsigned char rtnh_flags;
+ unsigned char rtnh_hops;
+ int rtnh_ifindex;
+};
+
+/* rtnh_flags */
+
+#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */
+#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */
+#define RTNH_F_ONLINK 4 /* Gateway is forced on link */
+
+/* Macros to handle hexthops */
+
+#define RTNH_ALIGNTO 4
+#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) )
+#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \
+ ((int)(rtnh)->rtnh_len) <= (len))
+#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len)))
+#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len))
+#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len))
+#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0)))
+
+/* RTM_CACHEINFO */
+
+struct rta_cacheinfo
+{
+ uint32_t rta_clntref;
+ uint32_t rta_lastuse;
+ int32_t rta_expires;
+ uint32_t rta_error;
+ uint32_t rta_used;
+
+#define RTNETLINK_HAVE_PEERINFO 1
+ uint32_t rta_id;
+ uint32_t rta_ts;
+ uint32_t rta_tsage;
+};
+
+/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */
+
+enum
+{
+ RTAX_UNSPEC,
+#define RTAX_UNSPEC RTAX_UNSPEC
+ RTAX_LOCK,
+#define RTAX_LOCK RTAX_LOCK
+ RTAX_MTU,
+#define RTAX_MTU RTAX_MTU
+ RTAX_WINDOW,
+#define RTAX_WINDOW RTAX_WINDOW
+ RTAX_RTT,
+#define RTAX_RTT RTAX_RTT
+ RTAX_RTTVAR,
+#define RTAX_RTTVAR RTAX_RTTVAR
+ RTAX_SSTHRESH,
+#define RTAX_SSTHRESH RTAX_SSTHRESH
+ RTAX_CWND,
+#define RTAX_CWND RTAX_CWND
+ RTAX_ADVMSS,
+#define RTAX_ADVMSS RTAX_ADVMSS
+ RTAX_REORDERING,
+#define RTAX_REORDERING RTAX_REORDERING
+};
+
+#define RTAX_MAX RTAX_REORDERING
+
+struct rta_session
+{
+ uint8_t proto;
+
+ union {
+ struct {
+ uint16_t sport;
+ uint16_t dport;
+ } ports;
+
+ struct {
+ uint8_t type;
+ uint8_t code;
+ uint16_t ident;
+ } icmpt;
+
+ uint32_t spi;
+ } u;
+};
+
+
+/*********************************************************
+ * Interface address.
+ ****/
+
+struct ifaddrmsg
+{
+ unsigned char ifa_family;
+ unsigned char ifa_prefixlen; /* The prefix length */
+ unsigned char ifa_flags; /* Flags */
+ unsigned char ifa_scope; /* See above */
+ int ifa_index; /* Link index */
+};
+
+enum
+{
+ IFA_UNSPEC,
+ IFA_ADDRESS,
+ IFA_LOCAL,
+ IFA_LABEL,
+ IFA_BROADCAST,
+ IFA_ANYCAST,
+ IFA_CACHEINFO
+};
+
+#define IFA_MAX IFA_CACHEINFO
+
+/* ifa_flags */
+
+#define IFA_F_SECONDARY 0x01
+#define IFA_F_TEMPORARY IFA_F_SECONDARY
+
+#define IFA_F_DEPRECATED 0x20
+#define IFA_F_TENTATIVE 0x40
+#define IFA_F_PERMANENT 0x80
+
+struct ifa_cacheinfo
+{
+ int32_t ifa_prefered;
+ int32_t ifa_valid;
+};
+
+
+#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
+#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
+
+/*
+ Important comment:
+ IFA_ADDRESS is prefix address, rather than local interface address.
+ It makes no difference for normally configured broadcast interfaces,
+ but for point-to-point IFA_ADDRESS is DESTINATION address,
+ local address is supplied in IFA_LOCAL attribute.
+ */
+
+/**************************************************************
+ * Neighbour discovery.
+ ****/
+
+struct ndmsg
+{
+ unsigned char ndm_family;
+ unsigned char ndm_pad1;
+ unsigned short ndm_pad2;
+ int ndm_ifindex; /* Link index */
+ uint16_t ndm_state;
+ uint8_t ndm_flags;
+ uint8_t ndm_type;
+};
+
+enum
+{
+ NDA_UNSPEC,
+ NDA_DST,
+ NDA_LLADDR,
+ NDA_CACHEINFO
+};
+
+#define NDA_MAX NDA_CACHEINFO
+
+#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
+#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
+
+/*
+ * Neighbor Cache Entry Flags
+ */
+
+#define NTF_PROXY 0x08 /* == ATF_PUBL */
+#define NTF_ROUTER 0x80
+
+/*
+ * Neighbor Cache Entry States.
+ */
+
+#define NUD_INCOMPLETE 0x01
+#define NUD_REACHABLE 0x02
+#define NUD_STALE 0x04
+#define NUD_DELAY 0x08
+#define NUD_PROBE 0x10
+#define NUD_FAILED 0x20
+
+/* Dummy states */
+#define NUD_NOARP 0x40
+#define NUD_PERMANENT 0x80
+#define NUD_NONE 0x00
+
+
+struct nda_cacheinfo
+{
+ uint32_t ndm_confirmed;
+ uint32_t ndm_used;
+ uint32_t ndm_updated;
+ uint32_t ndm_refcnt;
+};
+
+/****
+ * General form of address family dependent message.
+ ****/
+
+struct rtgenmsg
+{
+ unsigned char rtgen_family;
+};
+
+/*****************************************************************
+ * Link layer specific messages.
+ ****/
+
+/* struct ifinfomsg
+ * passes link level specific information, not dependent
+ * on network protocol.
+ */
+
+struct ifinfomsg
+{
+ unsigned char ifi_family;
+ unsigned char __ifi_pad;
+ unsigned short ifi_type; /* ARPHRD_* */
+ int ifi_index; /* Link index */
+ unsigned ifi_flags; /* IFF_* flags */
+ unsigned ifi_change; /* IFF_* change mask */
+};
+
+enum
+{
+ IFLA_UNSPEC,
+ IFLA_ADDRESS,
+ IFLA_BROADCAST,
+ IFLA_IFNAME,
+ IFLA_MTU,
+ IFLA_LINK,
+ IFLA_QDISC,
+ IFLA_STATS,
+ IFLA_COST,
+#define IFLA_COST IFLA_COST
+ IFLA_PRIORITY,
+#define IFLA_PRIORITY IFLA_PRIORITY
+ IFLA_MASTER,
+#define IFLA_MASTER IFLA_MASTER
+ IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
+#define IFLA_WIRELESS IFLA_WIRELESS
+};
+
+
+#define IFLA_MAX IFLA_WIRELESS
+
+#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
+#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
+
+/* ifi_flags.
+
+ IFF_* flags.
+
+ The only change is:
+ IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
+ more not changeable by user. They describe link media
+ characteristics and set by device driver.
+
+ Comments:
+ - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
+ - If neiher of these three flags are set;
+ the interface is NBMA.
+
+ - IFF_MULTICAST does not mean anything special:
+ multicasts can be used on all not-NBMA links.
+ IFF_MULTICAST means that this media uses special encapsulation
+ for multicast frames. Apparently, all IFF_POINTOPOINT and
+ IFF_BROADCAST devices are able to use multicasts too.
+ */
+
+/* IFLA_LINK.
+ For usual devices it is equal ifi_index.
+ If it is a "virtual interface" (f.e. tunnel), ifi_link
+ can point to real physical interface (f.e. for bandwidth calculations),
+ or maybe 0, what means, that real media is unknown (usual
+ for IPIP tunnels, when route to endpoint is allowed to change)
+ */
+
+/*****************************************************************
+ * Traffic control messages.
+ ****/
+
+struct tcmsg
+{
+ unsigned char tcm_family;
+ unsigned char tcm__pad1;
+ unsigned short tcm__pad2;
+ int tcm_ifindex;
+ uint32_t tcm_handle;
+ uint32_t tcm_parent;
+ uint32_t tcm_info;
+};
+
+enum
+{
+ TCA_UNSPEC,
+ TCA_KIND,
+ TCA_OPTIONS,
+ TCA_STATS,
+ TCA_XSTATS,
+ TCA_RATE,
+};
+
+#define TCA_MAX TCA_RATE
+
+#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
+#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
+
+
+/* SUMMARY: maximal rtattr understood by kernel */
+
+#define RTATTR_MAX RTA_MAX
+
+/* RTnetlink multicast groups */
+
+#define RTMGRP_LINK 1
+#define RTMGRP_NOTIFY 2
+#define RTMGRP_NEIGH 4
+#define RTMGRP_TC 8
+
+#define RTMGRP_IPV4_IFADDR 0x10
+#define RTMGRP_IPV4_MROUTE 0x20
+#define RTMGRP_IPV4_ROUTE 0x40
+
+#define RTMGRP_IPV6_IFADDR 0x100
+#define RTMGRP_IPV6_MROUTE 0x200
+#define RTMGRP_IPV6_ROUTE 0x400
+
+#define RTMGRP_DECnet_IFADDR 0x1000
+#define RTMGRP_DECnet_ROUTE 0x4000
+
+/* End of information exported to user level */
+
+#endif /* __LINUX_RTNETLINK_H */
diff --git a/src/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h
new file mode 100644
index 000000000..4269ae29b
--- /dev/null
+++ b/src/pluto/linux26/xfrm.h
@@ -0,0 +1,233 @@
+#ifndef _LINUX_XFRM_H
+#define _LINUX_XFRM_H
+
+#include <stdint.h>
+
+/* All of the structures in this file may not change size as they are
+ * passed into the kernel from userspace via netlink sockets.
+ */
+
+/* Structure to encapsulate addresses. I do not want to use
+ * "standard" structure. My apologies.
+ */
+typedef union
+{
+ uint32_t a4;
+ uint32_t a6[4];
+} xfrm_address_t;
+
+/* Ident of a specific xfrm_state. It is used on input to lookup
+ * the state by (spi,daddr,ah/esp) or to store information about
+ * spi, protocol and tunnel address on output.
+ */
+struct xfrm_id
+{
+ xfrm_address_t daddr;
+ uint32_t spi;
+ uint8_t proto;
+};
+
+/* Selector, used as selector both on policy rules (SPD) and SAs. */
+
+struct xfrm_selector
+{
+ xfrm_address_t daddr;
+ xfrm_address_t saddr;
+ uint16_t dport;
+ uint16_t dport_mask;
+ uint16_t sport;
+ uint16_t sport_mask;
+ uint16_t family;
+ uint8_t prefixlen_d;
+ uint8_t prefixlen_s;
+ uint8_t proto;
+ int ifindex;
+ uid_t user;
+};
+
+#define XFRM_INF (~(uint64_t)0)
+
+struct xfrm_lifetime_cfg
+{
+ uint64_t soft_byte_limit;
+ uint64_t hard_byte_limit;
+ uint64_t soft_packet_limit;
+ uint64_t hard_packet_limit;
+ uint64_t soft_add_expires_seconds;
+ uint64_t hard_add_expires_seconds;
+ uint64_t soft_use_expires_seconds;
+ uint64_t hard_use_expires_seconds;
+};
+
+struct xfrm_lifetime_cur
+{
+ uint64_t bytes;
+ uint64_t packets;
+ uint64_t add_time;
+ uint64_t use_time;
+};
+
+struct xfrm_replay_state
+{
+ uint32_t oseq;
+ uint32_t seq;
+ uint32_t bitmap;
+};
+
+struct xfrm_algo {
+ char alg_name[64];
+ int alg_key_len; /* in bits */
+ char alg_key[0];
+};
+
+struct xfrm_stats {
+ uint32_t replay_window;
+ uint32_t replay;
+ uint32_t integrity_failed;
+};
+
+enum
+{
+ XFRM_POLICY_IN = 0,
+ XFRM_POLICY_OUT = 1,
+ XFRM_POLICY_FWD = 2,
+ XFRM_POLICY_MAX = 3
+};
+
+enum
+{
+ XFRM_SHARE_ANY, /* No limitations */
+ XFRM_SHARE_SESSION, /* For this session only */
+ XFRM_SHARE_USER, /* For this user only */
+ XFRM_SHARE_UNIQUE /* Use once */
+};
+
+/* Netlink configuration messages. */
+#define XFRM_MSG_BASE 0x10
+
+#define XFRM_MSG_NEWSA (XFRM_MSG_BASE + 0)
+#define XFRM_MSG_DELSA (XFRM_MSG_BASE + 1)
+#define XFRM_MSG_GETSA (XFRM_MSG_BASE + 2)
+
+#define XFRM_MSG_NEWPOLICY (XFRM_MSG_BASE + 3)
+#define XFRM_MSG_DELPOLICY (XFRM_MSG_BASE + 4)
+#define XFRM_MSG_GETPOLICY (XFRM_MSG_BASE + 5)
+
+#define XFRM_MSG_ALLOCSPI (XFRM_MSG_BASE + 6)
+#define XFRM_MSG_ACQUIRE (XFRM_MSG_BASE + 7)
+#define XFRM_MSG_EXPIRE (XFRM_MSG_BASE + 8)
+
+#define XFRM_MSG_UPDPOLICY (XFRM_MSG_BASE + 9)
+#define XFRM_MSG_UPDSA (XFRM_MSG_BASE + 10)
+
+#define XFRM_MSG_POLEXPIRE (XFRM_MSG_BASE + 11)
+
+#define XFRM_MSG_MAX (XFRM_MSG_POLEXPIRE+1)
+
+struct xfrm_user_tmpl {
+ struct xfrm_id id;
+ uint16_t family;
+ xfrm_address_t saddr;
+ uint32_t reqid;
+ uint8_t mode;
+ uint8_t share;
+ uint8_t optional;
+ uint32_t aalgos;
+ uint32_t ealgos;
+ uint32_t calgos;
+};
+
+struct xfrm_encap_tmpl {
+ uint16_t encap_type;
+ uint16_t encap_sport;
+ uint16_t encap_dport;
+ xfrm_address_t encap_oa;
+};
+
+/* Netlink message attributes. */
+enum xfrm_attr_type_t {
+ XFRMA_UNSPEC,
+ XFRMA_ALG_AUTH, /* struct xfrm_algo */
+ XFRMA_ALG_CRYPT, /* struct xfrm_algo */
+ XFRMA_ALG_COMP, /* struct xfrm_algo */
+ XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
+ XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
+
+#define XFRMA_MAX XFRMA_TMPL
+};
+
+struct xfrm_usersa_info {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ uint32_t seq;
+ uint32_t reqid;
+ uint16_t family;
+ uint8_t mode; /* 0=transport,1=tunnel */
+ uint8_t replay_window;
+ uint8_t flags;
+#define XFRM_STATE_NOECN 1
+};
+
+struct xfrm_usersa_id {
+ xfrm_address_t daddr;
+ uint32_t spi;
+ uint16_t family;
+ uint8_t proto;
+};
+
+struct xfrm_userspi_info {
+ struct xfrm_usersa_info info;
+ uint32_t min;
+ uint32_t max;
+};
+
+struct xfrm_userpolicy_info {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ uint32_t priority;
+ uint32_t index;
+ uint8_t dir;
+ uint8_t action;
+#define XFRM_POLICY_ALLOW 0
+#define XFRM_POLICY_BLOCK 1
+ uint8_t flags;
+#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ uint8_t share;
+};
+
+struct xfrm_userpolicy_id {
+ struct xfrm_selector sel;
+ uint32_t index;
+ uint8_t dir;
+};
+
+struct xfrm_user_acquire {
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_selector sel;
+ struct xfrm_userpolicy_info policy;
+ uint32_t aalgos;
+ uint32_t ealgos;
+ uint32_t calgos;
+ uint32_t seq;
+};
+
+struct xfrm_user_expire {
+ struct xfrm_usersa_info state;
+ uint8_t hard;
+};
+
+struct xfrm_user_polexpire {
+ struct xfrm_userpolicy_info pol;
+ uint8_t hard;
+};
+
+#define XFRMGRP_ACQUIRE 1
+#define XFRMGRP_EXPIRE 2
+
+#endif /* _LINUX_XFRM_H */
diff --git a/src/pluto/log.c b/src/pluto/log.c
new file mode 100644
index 000000000..36997122c
--- /dev/null
+++ b/src/pluto/log.c
@@ -0,0 +1,841 @@
+/* error logging functions
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: log.c,v 1.8 2006/04/29 18:16:02 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
+#include <sys/queue.h>
+#include <libgen.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "server.h"
+#include "state.h"
+#include "connections.h"
+#include "kernel.h"
+#include "whack.h" /* needs connections.h */
+#include "timer.h"
+
+/* close one per-peer log */
+static void perpeer_logclose(struct connection *c); /* forward */
+
+
+bool
+ log_to_stderr = TRUE, /* should log go to stderr? */
+ log_to_syslog = TRUE, /* should log go to syslog? */
+ log_to_perpeer= FALSE; /* should log go to per-IP file? */
+
+bool
+ logged_txt_warning = FALSE; /* should we complain about finding KEY? */
+
+/* should we complain when we find no local id */
+bool
+ logged_myid_fqdn_txt_warning = FALSE,
+ logged_myid_ip_txt_warning = FALSE,
+ logged_myid_fqdn_key_warning = FALSE,
+ logged_myid_ip_key_warning = FALSE;
+
+/* may include trailing / */
+const char *base_perpeer_logdir = PERPEERLOGDIR;
+static int perpeer_count = 0;
+
+/* from sys/queue.h */
+static CIRCLEQ_HEAD(,connection) perpeer_list;
+
+
+/* Context for logging.
+ *
+ * Global variables: must be carefully adjusted at transaction boundaries!
+ * If the context provides a whack file descriptor, messages
+ * should be copied to it -- see whack_log()
+ */
+int whack_log_fd = NULL_FD; /* only set during whack_handle() */
+struct state *cur_state = NULL; /* current state, for diagnostics */
+struct connection *cur_connection = NULL; /* current connection, for diagnostics */
+const ip_address *cur_from = NULL; /* source of current current message */
+u_int16_t cur_from_port; /* host order */
+
+void
+init_log(const char *program)
+{
+ if (log_to_stderr)
+ setbuf(stderr, NULL);
+ if (log_to_syslog)
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+
+ CIRCLEQ_INIT(&perpeer_list);
+}
+
+void
+close_peerlog(void)
+{
+ /* end of circular queue is given by pointer to "HEAD"
+ * BUT if the queue is not initialized, this won't be true
+ * so we must guard by test perpeer_list.cqh_first != NULL
+ */
+ if (perpeer_list.cqh_first != NULL)
+ while (perpeer_list.cqh_first != (void *)&perpeer_list)
+ perpeer_logclose(perpeer_list.cqh_first);
+}
+
+void
+close_log(void)
+{
+ if (log_to_syslog)
+ closelog();
+
+ close_peerlog();
+}
+
+/* Sanitize character string in situ: turns dangerous characters into \OOO.
+ * With a bit of work, we could use simpler reps for \\, \r, etc.,
+ * but this is only to protect against something that shouldn't be used.
+ * Truncate resulting string to what fits in buffer.
+ */
+static size_t
+sanitize(char *buf, size_t size)
+{
+# define UGLY_WIDTH 4 /* width for ugly character: \OOO */
+ size_t len;
+ size_t added = 0;
+ char *p;
+
+ passert(size >= UGLY_WIDTH); /* need room to swing cat */
+
+ /* find right side of string to be sanitized and count
+ * number of columns to be added. Stop on end of string
+ * or lack of room for more result.
+ */
+ for (p = buf; *p != '\0' && &p[added] < &buf[size - UGLY_WIDTH]; )
+ {
+ unsigned char c = *p++;
+
+ if (c == '\\' || !isprint(c))
+ added += UGLY_WIDTH - 1;
+ }
+
+ /* at this point, p points after last original character to be
+ * included. added is how many characters are added to sanitize.
+ * so p[added] will point after last sanitized character.
+ */
+
+ p[added] = '\0';
+ len = &p[added] - buf;
+
+ /* scan backwards, copying characters to their new home
+ * and inserting the expansions for ugly characters.
+ * It is finished when no more shifting is required.
+ * This is a predecrement loop.
+ */
+ while (added != 0)
+ {
+ char fmtd[UGLY_WIDTH + 1];
+ unsigned char c;
+
+ while ((c = *--p) != '\\' && isprint(c))
+ p[added] = c;
+ added -= UGLY_WIDTH - 1;
+ snprintf(fmtd, sizeof(fmtd), "\\%03o", c);
+ memcpy(p + added, fmtd, UGLY_WIDTH);
+ }
+ return len;
+# undef UGLY_WIDTH
+}
+
+/* format a string for the log, with suitable prefixes.
+ * A format starting with ~ indicates that this is a reprocessing
+ * of the message, so prefixing and quoting is suppressed.
+ */
+static void
+fmt_log(char *buf, size_t buf_len, const char *fmt, va_list ap)
+{
+ bool reproc = *fmt == '~';
+ size_t ps;
+ struct connection *c = cur_state != NULL ? cur_state->st_connection
+ : cur_connection;
+
+ buf[0] = '\0';
+ if (reproc)
+ fmt++; /* ~ at start of format suppresses this prefix */
+ else if (c != NULL)
+ {
+ /* start with name of connection */
+ char *const be = buf + buf_len;
+ char *bp = buf;
+
+ snprintf(bp, be - bp, "\"%s\"", c->name);
+ bp += strlen(bp);
+
+ /* if it fits, put in any connection instance information */
+ if (be - bp > CONN_INST_BUF)
+ {
+ fmt_conn_instance(c, bp);
+ bp += strlen(bp);
+ }
+
+ if (cur_state != NULL)
+ {
+ /* state number */
+ snprintf(bp, be - bp, " #%lu", cur_state->st_serialno);
+ bp += strlen(bp);
+ }
+ snprintf(bp, be - bp, ": ");
+ }
+ else if (cur_from != NULL)
+ {
+ /* peer's IP address */
+ /* Note: must not use ip_str() because our caller might! */
+ char ab[ADDRTOT_BUF];
+
+ (void) addrtot(cur_from, 0, ab, sizeof(ab));
+ snprintf(buf, buf_len, "packet from %s:%u: "
+ , ab, (unsigned)cur_from_port);
+ }
+
+ ps = strlen(buf);
+ vsnprintf(buf + ps, buf_len - ps, fmt, ap);
+ if (!reproc)
+ (void)sanitize(buf, buf_len);
+}
+
+static void
+perpeer_logclose(struct connection *c)
+{
+ /* only free/close things if we had used them! */
+ if (c->log_file != NULL)
+ {
+ passert(perpeer_count > 0);
+
+ CIRCLEQ_REMOVE(&perpeer_list, c, log_link);
+ perpeer_count--;
+ fclose(c->log_file);
+ c->log_file=NULL;
+ }
+}
+
+void
+perpeer_logfree(struct connection *c)
+{
+ perpeer_logclose(c);
+ if (c->log_file_name != NULL)
+ {
+ pfree(c->log_file_name);
+ c->log_file_name = NULL;
+ c->log_file_err = FALSE;
+ }
+}
+
+/* open the per-peer log */
+static void
+open_peerlog(struct connection *c)
+{
+ syslog(LOG_INFO, "opening log file for conn %s", c->name);
+
+ if (c->log_file_name == NULL)
+ {
+ char peername[ADDRTOT_BUF], dname[ADDRTOT_BUF];
+ int peernamelen, lf_len;
+
+ addrtot(&c->spd.that.host_addr, 'Q', peername, sizeof(peername));
+ peernamelen = strlen(peername);
+
+ /* copy IP address, turning : and . into / */
+ {
+ char c, *p, *q;
+
+ p = peername;
+ q = dname;
+ do {
+ c = *p++;
+ if (c == '.' || c == ':')
+ c = '/';
+ *q++ = c;
+ } while (c != '\0');
+ }
+
+ lf_len = peernamelen * 2
+ + strlen(base_perpeer_logdir)
+ + sizeof("//.log")
+ + 1;
+ c->log_file_name = alloc_bytes(lf_len, "per-peer log file name");
+
+ fprintf(stderr, "base dir |%s| dname |%s| peername |%s|"
+ , base_perpeer_logdir, dname, peername);
+ snprintf(c->log_file_name, lf_len, "%s/%s/%s.log"
+ , base_perpeer_logdir, dname, peername);
+
+ syslog(LOG_DEBUG, "conn %s logfile is %s", c->name, c->log_file_name);
+ }
+
+ /* now open the file, creating directories if necessary */
+
+ { /* create the directory */
+ char *dname;
+ int bpl_len = strlen(base_perpeer_logdir);
+ char *slashloc;
+
+ dname = clone_str(c->log_file_name, "temp copy of file name");
+ dname = dirname(dname);
+
+ if (access(dname, W_OK) != 0)
+ {
+ if (errno != ENOENT)
+ {
+ if (c->log_file_err)
+ {
+ syslog(LOG_CRIT, "can not write to %s: %s"
+ , dname, strerror(errno));
+ c->log_file_err = TRUE;
+ pfree(dname);
+ return;
+ }
+ }
+
+ /* directory does not exist, walk path creating dirs */
+ /* start at base_perpeer_logdir */
+ slashloc = dname + bpl_len;
+ slashloc++; /* since, by construction there is a slash
+ right there */
+
+ while (*slashloc != '\0')
+ {
+ char saveslash;
+
+ /* look for next slash */
+ while (*slashloc != '\0' && *slashloc != '/') slashloc++;
+
+ saveslash = *slashloc;
+
+ *slashloc = '\0';
+
+ if (mkdir(dname, 0750) != 0 && errno != EEXIST)
+ {
+ syslog(LOG_CRIT, "can not create dir %s: %s"
+ , dname, strerror(errno));
+ c->log_file_err = TRUE;
+ pfree(dname);
+ return;
+ }
+ syslog(LOG_DEBUG, "created new directory %s", dname);
+ *slashloc = saveslash;
+ slashloc++;
+ }
+ }
+
+ pfree(dname);
+ }
+
+ c->log_file = fopen(c->log_file_name, "a");
+ if (c->log_file == NULL)
+ {
+ if (c->log_file_err)
+ {
+ syslog(LOG_CRIT, "logging system can not open %s: %s"
+ , c->log_file_name, strerror(errno));
+ c->log_file_err = TRUE;
+ }
+ return;
+ }
+
+ /* look for a connection to close! */
+ while (perpeer_count >= MAX_PEERLOG_COUNT)
+ {
+ /* can not be NULL because perpeer_count > 0 */
+ passert(perpeer_list.cqh_last != (void *)&perpeer_list);
+
+ perpeer_logclose(perpeer_list.cqh_last);
+ }
+
+ /* insert this into the list */
+ CIRCLEQ_INSERT_HEAD(&perpeer_list, c, log_link);
+ passert(c->log_file != NULL);
+ perpeer_count++;
+}
+
+/* log a line to cur_connection's log */
+static void
+peerlog(const char *prefix, const char *m)
+{
+ if (cur_connection == NULL)
+ {
+ /* we can not log it in this case. Oh well. */
+ return;
+ }
+
+ if (cur_connection->log_file == NULL)
+ {
+ open_peerlog(cur_connection);
+ }
+
+ /* despite our attempts above, we may not be able to open the file. */
+ if (cur_connection->log_file != NULL)
+ {
+ char datebuf[32];
+ time_t n;
+ struct tm *t;
+
+ time(&n);
+ t = localtime(&n);
+
+ strftime(datebuf, sizeof(datebuf), "%Y-%m-%d %T", t);
+ fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
+
+ /* now move it to the front of the list */
+ CIRCLEQ_REMOVE(&perpeer_list, cur_connection, log_link);
+ CIRCLEQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
+ }
+}
+
+void
+plog(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ fmt_log(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
+ if (log_to_perpeer)
+ peerlog("", m);
+
+ whack_log(RC_LOG, "~%s", m);
+}
+
+void
+loglog(int mess_no, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ fmt_log(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
+ if (log_to_perpeer)
+ peerlog("", m);
+
+ whack_log(mess_no, "~%s", m);
+}
+
+void
+log_errno_routine(int e, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ fmt_log(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+ if (log_to_perpeer)
+ {
+ peerlog(strerror(e), m);
+ }
+
+ whack_log(RC_LOG_SERIOUS
+ , "~ERROR: %s. Errno %d: %s", m, e, strerror(e));
+}
+
+void
+exit_log(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ fmt_log(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s", m);
+ if (log_to_perpeer)
+ peerlog("FATAL ERROR: ", m);
+
+ whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", m);
+
+ exit_pluto(1);
+}
+
+void
+exit_log_errno_routine(int e, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ fmt_log(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+ if (log_to_perpeer)
+ peerlog(strerror(e), m);
+
+ whack_log(RC_LOG_SERIOUS
+ , "~FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+
+ exit_pluto(1);
+}
+
+/* emit message to whack.
+ * form is "ddd statename text" where
+ * - ddd is a decimal status code (RC_*) as described in whack.h
+ * - text is a human-readable annotation
+ */
+#ifdef DEBUG
+static volatile sig_atomic_t dying_breath = FALSE;
+#endif
+
+void
+whack_log(int mess_no, const char *message, ...)
+{
+ int wfd = whack_log_fd != NULL_FD ? whack_log_fd
+ : cur_state != NULL ? cur_state->st_whack_sock
+ : NULL_FD;
+
+ if (wfd != NULL_FD
+#ifdef DEBUG
+ || dying_breath
+#endif
+ )
+ {
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+ int prelen = snprintf(m, sizeof(m), "%03d ", mess_no);
+
+ passert(prelen >= 0);
+
+ va_start(args, message);
+ fmt_log(m+prelen, sizeof(m)-prelen, message, args);
+ va_end(args);
+
+#if DEBUG
+ if (dying_breath)
+ {
+ /* status output copied to log */
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m + prelen);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m + prelen);
+ if (log_to_perpeer)
+ peerlog("", m);
+ }
+#endif
+
+ if (wfd != NULL_FD)
+ {
+ /* write to whack socket, but suppress possible SIGPIPE */
+ size_t len = strlen(m);
+#ifdef MSG_NOSIGNAL /* depends on version of glibc??? */
+ m[len] = '\n'; /* don't need NUL, do need NL */
+ (void) send(wfd, m, len + 1, MSG_NOSIGNAL);
+#else /* !MSG_NOSIGNAL */
+ int r;
+ struct sigaction act
+ , oldact;
+
+ m[len] = '\n'; /* don't need NUL, do need NL */
+ act.sa_handler = SIG_IGN;
+ sigemptyset(&act.sa_mask);
+ act.sa_flags = 0; /* no nothing */
+ r = sigaction(SIGPIPE, &act, &oldact);
+ passert(r == 0);
+
+ (void) write(wfd, m, len + 1);
+
+ r = sigaction(SIGPIPE, &oldact, NULL);
+ passert(r == 0);
+#endif /* !MSG_NOSIGNAL */
+ }
+ }
+}
+
+/* Build up a diagnostic in a static buffer.
+ * Although this would be a generally useful function, it is very
+ * hard to come up with a discipline that prevents different uses
+ * from interfering. It is intended that by limiting it to building
+ * diagnostics, we will avoid this problem.
+ * Juggling is performed to allow an argument to be a previous
+ * result: the new string may safely depend on the old one. This
+ * restriction is not checked in any way: violators will produce
+ * confusing results (without crashing!).
+ */
+char diag_space[sizeof(diag_space)];
+
+err_t
+builddiag(const char *fmt, ...)
+{
+ static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */
+ char t[sizeof(diag_space)]; /* build result here first */
+ va_list args;
+
+ va_start(args, fmt);
+ t[0] = '\0'; /* in case nothing terminates string */
+ vsnprintf(t, sizeof(t), fmt, args);
+ va_end(args);
+ strcpy(diag_space, t);
+ return diag_space;
+}
+
+/* Debugging message support */
+
+#ifdef DEBUG
+
+void
+switch_fail(int n, const char *file_str, unsigned long line_no)
+{
+ char buf[30];
+
+ snprintf(buf, sizeof(buf), "case %d unexpected", n);
+ passert_fail(buf, file_str, line_no);
+}
+
+void
+passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
+{
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+ if (!dying_breath)
+ {
+ dying_breath = TRUE;
+ show_status(TRUE, NULL);
+ }
+ abort(); /* exiting correctly doesn't always work */
+}
+
+void
+pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
+{
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+}
+
+lset_t
+ base_debugging = DBG_NONE, /* default to reporting nothing */
+ cur_debugging = DBG_NONE;
+
+void
+extra_debugging(const struct connection *c)
+{
+ if(c == NULL)
+ {
+ reset_debugging();
+ return;
+ }
+
+ if (c!= NULL && c->extra_debugging != 0)
+ {
+ plog("enabling for connection: %s"
+ , bitnamesof(debug_bit_names, c->extra_debugging & ~cur_debugging));
+ cur_debugging |= c->extra_debugging;
+ }
+}
+
+/* log a debugging message (prefixed by "| ") */
+
+void
+DBG_log(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ (void)sanitize(m, sizeof(m));
+
+ if (log_to_stderr)
+ fprintf(stderr, "| %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_DEBUG, "| %s", m);
+ if (log_to_perpeer)
+ peerlog("| ", m);
+}
+
+/* dump raw bytes in hex to stderr (for lack of any better destination) */
+
+void
+DBG_dump(const char *label, const void *p, size_t len)
+{
+# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */
+# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
+ char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+ char *bp;
+ const unsigned char *cp = p;
+
+ bp = buf;
+
+ if (label != NULL && label[0] != '\0')
+ {
+ /* Handle the label. Care must be taken to avoid buffer overrun. */
+ size_t llen = strlen(label);
+
+ if (llen + 1 > sizeof(buf))
+ {
+ DBG_log("%s", label);
+ }
+ else
+ {
+ strcpy(buf, label);
+ if (buf[llen-1] == '\n')
+ {
+ buf[llen-1] = '\0'; /* get rid of newline */
+ DBG_log("%s", buf);
+ }
+ else if (llen < DUMP_LABEL_WIDTH)
+ {
+ bp = buf + llen;
+ }
+ else
+ {
+ DBG_log("%s", buf);
+ }
+ }
+ }
+
+ do {
+ int i, j;
+
+ for (i = 0; len!=0 && i!=4; i++)
+ {
+ *bp++ = ' ';
+ for (j = 0; len!=0 && j!=4; len--, j++)
+ {
+ static const char hexdig[] = "0123456789abcdef";
+
+ *bp++ = ' ';
+ *bp++ = hexdig[(*cp >> 4) & 0xF];
+ *bp++ = hexdig[*cp & 0xF];
+ cp++;
+ }
+ }
+ *bp = '\0';
+ DBG_log("%s", buf);
+ bp = buf;
+ } while (len != 0);
+# undef DUMP_LABEL_WIDTH
+# undef DUMP_WIDTH
+}
+
+#endif /* DEBUG */
+
+void
+show_status(bool all, const char *name)
+{
+ if (all)
+ {
+ show_ifaces_status();
+ show_myid_status();
+ show_debug_status();
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
+ }
+ show_connections_status(all, name);
+ show_states_status(all, name);
+#ifdef KLIPS
+ show_shunt_status();
+#endif
+}
+
+/* ip_str: a simple to use variant of addrtot.
+ * It stores its result in a static buffer.
+ * This means that newer calls overwrite the storage of older calls.
+ * Note: this is not used in any of the logging functions, so their
+ * callers may use it.
+ */
+const char *
+ip_str(const ip_address *src)
+{
+ static char buf[ADDRTOT_BUF];
+
+ addrtot(src, 0, buf, sizeof(buf));
+ return buf;
+}
+
+/*
+ * a routine that attempts to schedule itself daily.
+ *
+ */
+
+void
+daily_log_reset(void)
+{
+ /* now perform actions */
+ logged_txt_warning = FALSE;
+
+ logged_myid_fqdn_txt_warning = FALSE;
+ logged_myid_ip_txt_warning = FALSE;
+ logged_myid_fqdn_key_warning = FALSE;
+ logged_myid_ip_key_warning = FALSE;
+}
+
+void
+daily_log_event(void)
+{
+ struct tm *ltime;
+ time_t n, interval;
+
+ /* attempt to schedule oneself to midnight, local time
+ * do this by getting seconds in the day, and delaying
+ * by 86400 - hour*3600+minutes*60+seconds.
+ */
+ time(&n);
+ ltime = localtime(&n);
+ interval = (24 * 60 * 60)
+ - (ltime->tm_sec
+ + ltime->tm_min * 60
+ + ltime->tm_hour * 3600);
+
+ event_schedule(EVENT_LOG_DAILY, interval, NULL);
+
+ daily_log_reset();
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/log.h b/src/pluto/log.h
new file mode 100644
index 000000000..a4eae9d1c
--- /dev/null
+++ b/src/pluto/log.h
@@ -0,0 +1,236 @@
+/* logging definitions
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: log.h,v 1.4 2005/07/11 18:33:45 as Exp $
+ */
+
+#include <freeswan.h>
+
+#define LOG_WIDTH 1024 /* roof of number of chars in log line */
+
+#ifndef PERPEERLOGDIR
+#define PERPEERLOGDIR "/var/log/pluto/peer"
+#endif
+
+/* our versions of assert: log result */
+
+#ifdef DEBUG
+
+extern void passert_fail(const char *pred_str
+ , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+
+extern void pexpect_log(const char *pred_str
+ , const char *file_str, unsigned long line_no);
+
+# define impossible() passert_fail("impossible", __FILE__, __LINE__)
+
+extern void switch_fail(int n
+ , const char *file_str, unsigned long line_no) NEVER_RETURNS;
+
+# define bad_case(n) switch_fail((int) n, __FILE__, __LINE__)
+
+# define passert(pred) { \
+ if (!(pred)) \
+ passert_fail(#pred, __FILE__, __LINE__); \
+ }
+
+# define pexpect(pred) { \
+ if (!(pred)) \
+ pexpect_log(#pred, __FILE__, __LINE__); \
+ }
+
+/* assert that an err_t is NULL; evaluate exactly once */
+# define happy(x) { \
+ err_t ugh = x; \
+ if (ugh != NULL) \
+ passert_fail(ugh, __FILE__, __LINE__); \
+ }
+
+#else /*!DEBUG*/
+
+# define impossible() abort()
+# define bad_case(n) abort()
+# define passert(pred) { } /* do nothing */
+# define happy(x) { (void) x; } /* evaluate non-judgementally */
+
+#endif /*!DEBUG*/
+
+
+extern bool
+ log_to_stderr, /* should log go to stderr? */
+ log_to_syslog, /* should log go to syslog? */
+ log_to_perpeer; /* should log go to per-IP file? */
+
+extern const char *base_perpeer_logdir;
+
+/* maximum number of files to keep open for per-peer log files */
+#define MAX_PEERLOG_COUNT 16
+
+/* Context for logging.
+ *
+ * Global variables: must be carefully adjusted at transaction boundaries!
+ * All are to be left in RESET condition and will be checked.
+ * There are several pairs of routines to set and reset them.
+ * If the context provides a whack file descriptor, messages
+ * should be copied to it -- see whack_log()
+ */
+extern int whack_log_fd; /* only set during whack_handle() */
+extern struct state *cur_state; /* current state, for diagnostics */
+extern struct connection *cur_connection; /* current connection, for diagnostics */
+extern const ip_address *cur_from; /* source of current current message */
+extern u_int16_t cur_from_port; /* host order */
+
+#ifdef DEBUG
+
+ extern lset_t cur_debugging; /* current debugging level */
+
+ extern void extra_debugging(const struct connection *c);
+
+# define reset_debugging() { cur_debugging = base_debugging; }
+
+# define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
+ && cur_state == NULL \
+ && cur_connection == NULL \
+ && cur_from == NULL \
+ && cur_debugging == base_debugging)
+
+#else /*!DEBUG*/
+
+# define extra_debugging(c) { }
+
+# define reset_debugging() { }
+
+# define GLOBALS_ARE_RESET() (whack_log_fd == NULL_FD \
+ && cur_state == NULL \
+ && cur_connection == NULL \
+ && cur_from == NULL)
+
+#endif /*!DEBUG*/
+
+#define reset_globals() { \
+ whack_log_fd = NULL_FD; \
+ cur_state = NULL; \
+ cur_from = NULL; \
+ reset_cur_connection(); \
+ }
+
+
+#define set_cur_connection(c) { \
+ cur_connection = (c); \
+ extra_debugging(c); \
+ }
+
+#define reset_cur_connection() { \
+ cur_connection = NULL; \
+ reset_debugging(); \
+ }
+
+
+#define set_cur_state(s) { \
+ cur_state = (s); \
+ extra_debugging((s)->st_connection); \
+ }
+
+#define reset_cur_state() { \
+ cur_state = NULL; \
+ reset_debugging(); \
+ }
+
+extern void init_log(const char *program);
+extern void close_log(void);
+extern void plog(const char *message, ...) PRINTF_LIKE(1);
+extern void exit_log(const char *message, ...) PRINTF_LIKE(1) NEVER_RETURNS;
+
+/* close of all per-peer logging */
+extern void close_peerlog(void);
+
+/* free all per-peer log resources */
+extern void perpeer_logfree(struct connection *c);
+
+
+
+/* the following routines do a dance to capture errno before it is changed
+ * A call must doubly parenthesize the argument list (no varargs macros).
+ * The first argument must be "e", the local variable that captures errno.
+ */
+#define log_errno(a) { int e = errno; log_errno_routine a; }
+extern void log_errno_routine(int e, const char *message, ...) PRINTF_LIKE(2);
+#define exit_log_errno(a) { int e = errno; exit_log_errno_routine a; }
+extern void exit_log_errno_routine(int e, const char *message, ...) PRINTF_LIKE(2) NEVER_RETURNS NEVER_RETURNS;
+
+extern void whack_log(int mess_no, const char *message, ...) PRINTF_LIKE(2);
+
+/* Log to both main log and whack log
+ * Much like log, actually, except for specifying mess_no.
+ */
+extern void loglog(int mess_no, const char *message, ...) PRINTF_LIKE(2);
+
+/* show status, usually on whack log */
+extern void show_status(bool all, const char *name);
+
+/* Build up a diagnostic in a static buffer.
+ * Although this would be a generally useful function, it is very
+ * hard to come up with a discipline that prevents different uses
+ * from interfering. It is intended that by limiting it to building
+ * diagnostics, we will avoid this problem.
+ * Juggling is performed to allow an argument to be a previous
+ * result: the new string may safely depend on the old one. This
+ * restriction is not checked in any way: violators will produce
+ * confusing results (without crashing!).
+ */
+extern char diag_space[LOG_WIDTH]; /* output buffer, but can be occupied at call */
+extern err_t builddiag(const char *fmt, ...) PRINTF_LIKE(1);
+
+#ifdef DEBUG
+
+extern lset_t base_debugging; /* bits selecting what to report */
+
+#define DBGP(cond) (cur_debugging & (cond))
+#define DBG(cond, action) { if (DBGP(cond)) { action ; } }
+
+extern void DBG_log(const char *message, ...) PRINTF_LIKE(1);
+extern void DBG_dump(const char *label, const void *p, size_t len);
+#define DBG_dump_chunk(label, ch) DBG_dump(label, (ch).ptr, (ch).len)
+
+#else /*!DEBUG*/
+
+#define DBG(cond, action) { } /* do nothing */
+
+#endif /*!DEBUG*/
+
+#define DBG_cond_dump(cond, label, p, len) DBG(cond, DBG_dump(label, p, len))
+#define DBG_cond_dump_chunk(cond, label, ch) DBG(cond, DBG_dump_chunk(label, ch))
+
+
+/* ip_str: a simple to use variant of addrtot.
+ * It stores its result in a static buffer.
+ * This means that newer calls overwrite the storage of older calls.
+ * Note: this is not used in any of the logging functions, so their
+ * callers may use it.
+ */
+extern const char *ip_str(const ip_address *src);
+
+/*
+ * call this routine to reset daily items.
+ */
+extern void daily_log_reset(void);
+extern void daily_log_event(void);
+
+/*
+ * some events are to be logged only occasionally.
+ */
+extern bool logged_txt_warning;
+extern bool logged_myid_ip_txt_warning;
+extern bool logged_myid_ip_key_warning;
+extern bool logged_myid_fqdn_txt_warning;
+extern bool logged_myid_fqdn_key_warning;
diff --git a/src/pluto/md2.c b/src/pluto/md2.c
new file mode 100644
index 000000000..d6465477d
--- /dev/null
+++ b/src/pluto/md2.c
@@ -0,0 +1,237 @@
+/* MD2C.C - RSA Data Security, Inc., MD2 message-digest algorithm
+ */
+
+/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
+ rights reserved.
+
+ License to copy and use this software is granted for
+ non-commercial Internet Privacy-Enhanced Mail provided that it is
+ identified as the "RSA Data Security, Inc. MD2 Message Digest
+ Algorithm" in all material mentioning or referencing this software
+ or this function.
+
+ RSA Data Security, Inc. makes no representations concerning either
+ the merchantability of this software or the suitability of this
+ software for any particular purpose. It is provided "as is"
+ without express or implied warranty of any kind.
+
+ These notices must be retained in any copies of any part of this
+ documentation and/or software.
+ */
+
+#include "md2.h"
+
+#define HAVEMEMCOPY 1 /* use ISO C's memcpy and memset */
+
+static void MD2Transform PROTO_LIST
+ ((unsigned char [16], unsigned char [16], const unsigned char [16]));
+
+#ifdef HAVEMEMCOPY
+#include <memory.h>
+#define MD2_memcpy memcpy
+#define MD2_memset memset
+#else
+#ifdef HAVEBCOPY
+#define MD2_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c))
+#define MD2_memset(_a,_b,_c) memset((_a), '\0',(_c))
+#else
+static void MD2_memcpy PROTO_LIST ((POINTER, CONST_POINTER, unsigned int));
+static void MD2_memset PROTO_LIST ((POINTER, int, unsigned int));
+#endif
+#endif
+
+/* Permutation of 0..255 constructed from the digits of pi. It gives a
+ "random" nonlinear byte substitution operation.
+ */
+static unsigned char PI_SUBST[256] = {
+ 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6,
+ 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188,
+ 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24,
+ 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251,
+ 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63,
+ 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50,
+ 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165,
+ 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210,
+ 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157,
+ 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27,
+ 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15,
+ 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197,
+ 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65,
+ 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123,
+ 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233,
+ 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228,
+ 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237,
+ 31, 26, 219, 153, 141, 51, 159, 17, 131, 20
+};
+
+static const unsigned char *PADDING[] = {
+ (const unsigned char *)"",
+ (const unsigned char *)"\001",
+ (const unsigned char *)"\002\002",
+ (const unsigned char *)"\003\003\003",
+ (const unsigned char *)"\004\004\004\004",
+ (const unsigned char *)"\005\005\005\005\005",
+ (const unsigned char *)"\006\006\006\006\006\006",
+ (const unsigned char *)"\007\007\007\007\007\007\007",
+ (const unsigned char *)"\010\010\010\010\010\010\010\010",
+ (const unsigned char *)"\011\011\011\011\011\011\011\011\011",
+ (const unsigned char *)"\012\012\012\012\012\012\012\012\012\012",
+ (const unsigned char *)"\013\013\013\013\013\013\013\013\013\013\013",
+ (const unsigned char *)"\014\014\014\014\014\014\014\014\014\014\014\014",
+ (const unsigned char *)
+ "\015\015\015\015\015\015\015\015\015\015\015\015\015",
+ (const unsigned char *)
+ "\016\016\016\016\016\016\016\016\016\016\016\016\016\016",
+ (const unsigned char *)
+ "\017\017\017\017\017\017\017\017\017\017\017\017\017\017\017",
+ (const unsigned char *)
+ "\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020"
+};
+
+/* MD2 initialization. Begins an MD2 operation, writing a new context.
+ */
+void MD2Init (context)
+MD2_CTX *context; /* context */
+{
+ context->count = 0;
+ MD2_memset ((POINTER)context->state, 0, sizeof (context->state));
+ MD2_memset
+ ((POINTER)context->checksum, 0, sizeof (context->checksum));
+}
+
+/* MD2 block update operation. Continues an MD2 message-digest
+ operation, processing another message block, and updating the
+ context.
+ */
+void MD2Update (context, input, inputLen)
+MD2_CTX *context; /* context */
+const unsigned char *input; /* input block */
+unsigned int inputLen; /* length of input block */
+{
+ unsigned int i, index, partLen;
+
+ /* Update number of bytes mod 16 */
+ index = context->count;
+ context->count = (index + inputLen) & 0xf;
+
+ partLen = 16 - index;
+
+ /* Transform as many times as possible.
+ */
+ if (inputLen >= partLen) {
+ MD2_memcpy
+ ((POINTER)&context->buffer[index], (CONST_POINTER)input, partLen);
+ MD2Transform (context->state, context->checksum, context->buffer);
+
+ for (i = partLen; i + 15 < inputLen; i += 16)
+ MD2Transform (context->state, context->checksum, &input[i]);
+
+ index = 0;
+ }
+ else
+ i = 0;
+
+ /* Buffer remaining input */
+ MD2_memcpy
+ ((POINTER)&context->buffer[index], (CONST_POINTER)&input[i],
+ inputLen-i);
+}
+
+/* MD2 finalization. Ends an MD2 message-digest operation, writing the
+ message digest and zeroizing the context.
+ */
+void MD2Final (digest, context)
+
+unsigned char digest[16]; /* message digest */
+MD2_CTX *context; /* context */
+{
+ unsigned int index, padLen;
+
+ /* Pad out to multiple of 16.
+ */
+ index = context->count;
+ padLen = 16 - index;
+ MD2Update (context, PADDING[padLen], padLen);
+
+ /* Extend with checksum */
+ MD2Update (context, context->checksum, 16);
+
+ /* Store state in digest */
+ MD2_memcpy ((POINTER)digest, (POINTER)context->state, 16);
+
+ /* Zeroize sensitive information.
+ */
+ MD2_memset ((POINTER)context, 0, sizeof (*context));
+}
+
+/* MD2 basic transformation. Transforms state and updates checksum
+ based on block.
+ */
+static void MD2Transform (state, checksum, block)
+unsigned char state[16];
+unsigned char checksum[16];
+const unsigned char block[16];
+{
+ unsigned int i, j, t;
+ unsigned char x[48];
+
+ /* Form encryption block from state, block, state ^ block.
+ */
+ MD2_memcpy ((POINTER)x, (CONST_POINTER)state, 16);
+ MD2_memcpy ((POINTER)x+16, (CONST_POINTER)block, 16);
+ for (i = 0; i < 16; i++)
+ x[i+32] = state[i] ^ block[i];
+
+ /* Encrypt block (18 rounds).
+ */
+ t = 0;
+ for (i = 0; i < 18; i++) {
+ for (j = 0; j < 48; j++)
+ t = x[j] ^= PI_SUBST[t];
+ t = (t + i) & 0xff;
+ }
+
+ /* Save new state */
+ MD2_memcpy ((POINTER)state, (POINTER)x, 16);
+
+ /* Update checksum.
+ */
+ t = checksum[15];
+ for (i = 0; i < 16; i++)
+ t = checksum[i] ^= PI_SUBST[block[i] ^ t];
+
+ /* Zeroize sensitive information.
+ */
+ MD2_memset ((POINTER)x, 0, sizeof (x));
+}
+
+#ifndef HAVEMEMCOPY
+#ifndef HAVEBCOPY
+/* Note: Replace "for loop" with standard memcpy if possible.
+ */
+static void MD2_memcpy (output, input, len)
+POINTER output;
+POINTER input;
+unsigned int len;
+{
+ unsigned int i;
+
+ for (i = 0; i < len; i++)
+ output[i] = input[i];
+}
+
+/* Note: Replace "for loop" with standard memset if possible.
+ */
+static void MD2_memset (output, value, len)
+POINTER output;
+int value;
+unsigned int len;
+{
+ unsigned int i;
+
+ for (i = 0; i < len; i++)
+ ((char *)output)[i] = (char)value;
+}
+#endif
+#endif
+
diff --git a/src/pluto/md2.h b/src/pluto/md2.h
new file mode 100644
index 000000000..b3b48dd92
--- /dev/null
+++ b/src/pluto/md2.h
@@ -0,0 +1,72 @@
+#ifndef _GLOBAL_H_
+#define _GLOBAL_H_
+/* GLOBAL.H - RSAREF types and constants
+ */
+
+/* PROTOTYPES should be set to one if and only if the compiler supports
+ function argument prototyping.
+ The following makes PROTOTYPES default to 0 if it has not already
+ been defined with C compiler flags.
+ */
+#ifndef PROTOTYPES
+#define PROTOTYPES 1
+#endif
+
+/* POINTER defines a generic pointer type */
+typedef unsigned char *POINTER;
+typedef const unsigned char *CONST_POINTER;
+
+/* UINT2 defines a two byte word */
+typedef unsigned short int UINT2;
+
+/* UINT4 defines a four byte word */
+typedef unsigned long int UINT4;
+
+/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+ If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
+ returns an empty list.
+ */
+
+#if PROTOTYPES
+#define PROTO_LIST(list) list
+#else
+#define PROTO_LIST(list) ()
+#endif
+
+#endif
+
+/* MD2.H - header file for MD2C.C
+ */
+
+/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
+ rights reserved.
+
+ License to copy and use this software is granted for
+ non-commercial Internet Privacy-Enhanced Mail provided that it is
+ identified as the "RSA Data Security, Inc. MD2 Message Digest
+ Algorithm" in all material mentioning or referencing this software
+ or this function.
+
+ RSA Data Security, Inc. makes no representations concerning either
+ the merchantability of this software or the suitability of this
+ software for any particular purpose. It is provided "as is"
+ without express or implied warranty of any kind.
+
+ These notices must be retained in any copies of any part of this
+ documentation and/or software.
+ */
+
+/* MD2 context. */
+typedef struct {
+ unsigned char state[16]; /* state */
+ unsigned char checksum[16]; /* checksum */
+ unsigned int count; /* number of bytes, modulo 16 */
+ unsigned char buffer[16]; /* input buffer */
+} MD2_CTX;
+
+void MD2Init PROTO_LIST ((MD2_CTX *));
+void MD2Update PROTO_LIST
+ ((MD2_CTX *, const unsigned char *, unsigned int));
+void MD2Final PROTO_LIST ((unsigned char [16], MD2_CTX *));
+
+#define _MD2_H_
diff --git a/src/pluto/md5.c b/src/pluto/md5.c
new file mode 100644
index 000000000..5d75e38a4
--- /dev/null
+++ b/src/pluto/md5.c
@@ -0,0 +1,385 @@
+/*
+ * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic
+ * changes to accomodate it in the kernel by ji.
+ * Minor changes to make 64 bit clean by Peter Onion (i.e. using u_int*_t).
+ */
+
+/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/*
+ * Additions by JI
+ *
+ * HAVEMEMCOPY is defined if mem* routines are available
+ *
+ * HAVEHTON is defined if htons() and htonl() can be used
+ * for big/little endian conversions
+ *
+ */
+
+#include <stddef.h>
+#include <string.h>
+#include <sys/types.h> /* for u_int*_t */
+#include <endian.h> /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
+
+#include "md5.h"
+
+#define HAVEMEMCOPY 1 /* use ISO C's memcpy and memset */
+
+/* Constants for MD5Transform routine.
+ */
+
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+#define MD5Transform _MD5Transform
+
+static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64]));
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define Encode MD5_memcpy
+#define Decode MD5_memcpy
+#else
+static void Encode PROTO_LIST
+ ((unsigned char *, UINT4 *, unsigned int));
+static void Decode PROTO_LIST
+ ((UINT4 *, unsigned char *, unsigned int));
+#endif
+
+#ifdef HAVEMEMCOPY
+#include <memory.h>
+#define MD5_memcpy memcpy
+#define MD5_memset memset
+#else
+#ifdef HAVEBCOPY
+#define MD5_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c))
+#define MD5_memset(_a,_b,_c) memset((_a), '\0',(_c))
+#else
+static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
+static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
+#endif
+#endif
+static unsigned char PADDING[64] = {
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+
+/* MD5 initialization. Begins an MD5 operation, writing a new context.
+ */
+void MD5Init (context)
+MD5_CTX *context; /* context */
+{
+ context->count[0] = context->count[1] = 0;
+ /* Load magic initialization constants.
+*/
+ context->state[0] = 0x67452301;
+ context->state[1] = 0xefcdab89;
+ context->state[2] = 0x98badcfe;
+ context->state[3] = 0x10325476;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+ operation, processing another message block, and updating the
+ context.
+ */
+void MD5Update (context, input, inputLen)
+MD5_CTX *context; /* context */
+const unsigned char *input; /* input block */
+UINT4 inputLen; /* length of input block */
+{
+ UINT4 i;
+ unsigned int index, partLen;
+
+ /* Compute number of bytes mod 64 */
+ index = (unsigned int)((context->count[0] >> 3) & 0x3F);
+
+ /* Update number of bits */
+ if ((context->count[0] += (inputLen << 3)) < (inputLen << 3))
+ context->count[1]++;
+ context->count[1] += (inputLen >> 29);
+
+ partLen = 64 - index;
+
+ /* Transform as many times as possible. */
+ if (inputLen >= partLen) {
+ MD5_memcpy((POINTER)&context->buffer[index], (CONSTPOINTER)input, partLen);
+ MD5Transform (context->state, context->buffer);
+
+ for (i = partLen; i + 63 < inputLen; i += 64)
+ MD5Transform (context->state, &input[i]);
+
+ index = 0;
+ }
+ else
+ i = 0;
+
+ /* Buffer remaining input */
+ MD5_memcpy((POINTER)&context->buffer[index], (CONSTPOINTER)&input[i], inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+ the message digest and zeroizing the context.
+ */
+void MD5Final (digest, context)
+unsigned char digest[16]; /* message digest */
+MD5_CTX *context; /* context */
+{
+ unsigned char bits[8];
+ unsigned int index, padLen;
+
+ /* Save number of bits */
+ Encode (bits, context->count, 8);
+
+ /* Pad out to 56 mod 64.
+*/
+ index = (unsigned int)((context->count[0] >> 3) & 0x3f);
+ padLen = (index < 56) ? (56 - index) : (120 - index);
+ MD5Update (context, PADDING, padLen);
+
+ /* Append length (before padding) */
+ MD5Update (context, bits, 8);
+
+ if (digest != NULL) /* Bill Simpson's padding */
+ {
+ /* store state in digest */
+ Encode (digest, context->state, 16);
+
+ /* Zeroize sensitive information.
+ */
+ MD5_memset ((POINTER)context, 0, sizeof (*context));
+ }
+}
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform (state, block)
+UINT4 state[4];
+const unsigned char block[64];
+{
+ UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+ Decode (x, block, 64);
+
+ /* Round 1 */
+ FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+ FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+ FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+ FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+ FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+ FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+ FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+ FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+ FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+ FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+ FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+ FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+ FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+ FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+ FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+ FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+ /* Round 2 */
+ GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+ GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+ GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+ GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+ GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+ GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
+ GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+ GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+ GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+ GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+ GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+ GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+ GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+ GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+ GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+ GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+ /* Round 3 */
+ HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+ HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+ HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+ HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+ HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+ HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+ HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+ HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+ HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+ HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+ HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+ HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
+ HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+ HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+ HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+ HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+ /* Round 4 */
+ II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+ II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+ II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+ II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+ II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+ II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+ II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+ II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+ II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+ II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+ II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+ II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+ II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+ II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+ II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+ II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+ state[0] += a;
+ state[1] += b;
+ state[2] += c;
+ state[3] += d;
+
+ /* Zeroize sensitive information.
+*/
+ MD5_memset ((POINTER)x, 0, sizeof (x));
+}
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+
+/* Encodes input (UINT4) into output (unsigned char). Assumes len is
+ a multiple of 4.
+ */
+static void Encode (output, input, len)
+unsigned char *output;
+UINT4 *input;
+unsigned int len;
+{
+ unsigned int i, j;
+
+ for (i = 0, j = 0; j < len; i++, j += 4) {
+ output[j] = (unsigned char)(input[i] & 0xff);
+ output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
+ output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
+ output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
+ }
+}
+
+/* Decodes input (unsigned char) into output (UINT4). Assumes len is
+ a multiple of 4.
+ */
+static void Decode (output, input, len)
+UINT4 *output;
+unsigned char *input;
+unsigned int len;
+{
+ unsigned int i, j;
+
+ for (i = 0, j = 0; j < len; i++, j += 4)
+ output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
+ (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
+}
+
+#endif
+
+#ifndef HAVEMEMCOPY
+#ifndef HAVEBCOPY
+/* Note: Replace "for loop" with standard memcpy if possible.
+ */
+
+static void MD5_memcpy (output, input, len)
+POINTER output;
+POINTER input;
+unsigned int len;
+{
+ unsigned int i;
+
+ for (i = 0; i < len; i++)
+
+ output[i] = input[i];
+}
+
+/* Note: Replace "for loop" with standard memset if possible.
+ */
+static void MD5_memset (output, value, len)
+POINTER output;
+int value;
+unsigned int len;
+{
+ unsigned int i;
+
+ for (i = 0; i < len; i++)
+ ((char *)output)[i] = (char)value;
+}
+#endif
+#endif
+
diff --git a/src/pluto/md5.h b/src/pluto/md5.h
new file mode 100644
index 000000000..9b29bc46e
--- /dev/null
+++ b/src/pluto/md5.h
@@ -0,0 +1,75 @@
+#ifndef _GLOBAL_H_
+#define _GLOBAL_H_
+/* GLOBAL.H - RSAREF types and constants
+ */
+
+/* PROTOTYPES should be set to one if and only if the compiler supports
+ function argument prototyping.
+ The following makes PROTOTYPES default to 0 if it has not already
+ been defined with C compiler flags.
+ */
+#ifndef PROTOTYPES
+#define PROTOTYPES 1
+#endif
+
+/* POINTER defines a generic pointer type */
+typedef unsigned char *POINTER;
+typedef const unsigned char *CONSTPOINTER;
+
+/* UINT2 defines a two byte word */
+typedef u_int16_t UINT2;
+
+/* UINT4 defines a four byte word */
+typedef u_int32_t UINT4;
+
+/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
+ If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
+ returns an empty list.
+ */
+
+#if PROTOTYPES
+#define PROTO_LIST(list) list
+#else
+#define PROTO_LIST(list) ()
+#endif
+
+#endif
+
+/* MD5.H - header file for MD5C.C
+ */
+
+/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
+rights reserved.
+
+License to copy and use this software is granted provided that it
+is identified as the "RSA Data Security, Inc. MD5 Message-Digest
+Algorithm" in all material mentioning or referencing this software
+or this function.
+
+License is also granted to make and use derivative works provided
+that such works are identified as "derived from the RSA Data
+Security, Inc. MD5 Message-Digest Algorithm" in all material
+mentioning or referencing the derived work.
+
+RSA Data Security, Inc. makes no representations concerning either
+the merchantability of this software or the suitability of this
+software for any particular purpose. It is provided "as is"
+without express or implied warranty of any kind.
+
+These notices must be retained in any copies of any part of this
+documentation and/or software.
+ */
+
+/* MD5 context. */
+typedef struct {
+ UINT4 state[4]; /* state (ABCD) */
+ UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
+ unsigned char buffer[64]; /* input buffer */
+} MD5_CTX;
+
+void MD5Init PROTO_LIST ((MD5_CTX *));
+void MD5Update PROTO_LIST
+ ((MD5_CTX *, const unsigned char *, UINT4));
+void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
+
+#define _MD5_H_
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
new file mode 100644
index 000000000..ab44a113e
--- /dev/null
+++ b/src/pluto/modecfg.c
@@ -0,0 +1,1078 @@
+/* Mode config related functions
+ * Copyright (C) 2001-2002 Colubris Networks
+ * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc.
+ * Copyright (C) 2003-2004 Xelerance Corporation
+ * Copyright (C) 2006-2007 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: modecfg.c,v 1.6 2006/04/24 20:44:57 as Exp $
+ *
+ * This code originally written by Colubris Networks, Inc.
+ * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
+ * Porting to 2.x by Sean Mathews
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "state.h"
+#include "demux.h"
+#include "timer.h"
+#include "ipsec_doi.h"
+#include "log.h"
+#include "md5.h"
+#include "sha1.h"
+#include "crypto.h"
+#include "modecfg.h"
+#include "whack.h"
+#include "xauth.h"
+
+#define MAX_XAUTH_TRIES 3
+
+#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \
+ | LELEM(INTERNAL_IP4_NETMASK) \
+ | LELEM(INTERNAL_IP4_DNS) \
+ | LELEM(INTERNAL_IP4_NBNS) \
+ | LELEM(APPLICATION_VERSION) \
+ )
+
+#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) )
+
+#define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n"
+
+/*
+ * Addresses assigned (usually via ModeCfg) to the Initiator
+ */
+typedef struct internal_addr internal_addr_t;
+
+struct internal_addr
+{
+ lset_t attr_set;
+ lset_t xauth_attr_set;
+ lset_t unity_attr_set;
+
+ /* ModeCfg variables */
+ ip_address ipaddr;
+ ip_address dns[2];
+ ip_address wins[2];
+
+ char *unity_banner;
+
+ /* XAUTH variables */
+ u_int16_t xauth_type;
+ xauth_t xauth_secret;
+ bool xauth_status;
+};
+
+/*
+ * Initialize an internal_addr struct
+ */
+static void
+init_internal_addr(internal_addr_t *ia)
+{
+ ia->attr_set = LEMPTY;
+ ia->xauth_attr_set = LEMPTY;
+ ia->xauth_secret.user_name = empty_chunk;
+ ia->xauth_secret.user_password = empty_chunk;
+ ia->xauth_type = XAUTH_TYPE_GENERIC;
+ ia->xauth_status = XAUTH_STATUS_FAIL;
+ ia->unity_attr_set = LEMPTY;
+ ia->unity_banner = NULL;
+
+ anyaddr(AF_INET, &ia->ipaddr);
+ anyaddr(AF_INET, &ia->dns[0]);
+ anyaddr(AF_INET, &ia->dns[1]);
+ anyaddr(AF_INET, &ia->wins[0]);
+ anyaddr(AF_INET, &ia->wins[1]);
+}
+
+/*
+ * get internal IP address for a connection
+ */
+static void
+get_internal_addr(struct connection *c, internal_addr_t *ia)
+{
+ if (isanyaddr(&c->spd.that.host_srcip))
+ {
+ /* not defined in connection - fetch it from LDAP */
+ }
+ else
+ {
+ char srcip[ADDRTOT_BUF];
+
+ ia->ipaddr = c->spd.that.host_srcip;
+
+ addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
+ plog("assigning virtual IP source address %s", srcip);
+ }
+
+ if (!isanyaddr(&ia->ipaddr)) /* We got an IP address, send it */
+ {
+ c->spd.that.client.addr = ia->ipaddr;
+ c->spd.that.client.maskbits = 32;
+ c->spd.that.has_client = TRUE;
+
+ ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+ | LELEM(INTERNAL_IP4_NETMASK);
+ }
+
+ if (!isanyaddr(&ia->dns[0])) /* We got DNS addresses, send them */
+ ia->attr_set |= LELEM(INTERNAL_IP4_DNS);
+
+ if (!isanyaddr(&ia->wins[0])) /* We got WINS addresses, send them */
+ ia->attr_set |= LELEM(INTERNAL_IP4_NBNS);
+}
+
+/*
+ * Set srcip and client subnet to internal IP address
+ */
+static bool
+set_internal_addr(struct connection *c, internal_addr_t *ia)
+{
+ if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS)
+ && !isanyaddr(&ia->ipaddr))
+ {
+ if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0
+ || isanyaddr(&c->spd.this.host_srcip)
+ || sameaddr(&c->spd.this.host_srcip, &ia->ipaddr))
+ {
+ char srcip[ADDRTOT_BUF];
+
+ addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip));
+ plog("setting virtual IP source address to %s", srcip);
+ }
+ else
+ {
+ char old_srcip[ADDRTOT_BUF];
+ char new_srcip[ADDRTOT_BUF];
+
+ addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip));
+ addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip));
+ plog("replacing virtual IP source address %s by %s"
+ , old_srcip, new_srcip);
+ }
+
+ /* setting srcip */
+ c->spd.this.host_srcip = ia->ipaddr;
+
+ /* setting client subnet to srcip/32 */
+ addrtosubnet(&ia->ipaddr, &c->spd.this.client);
+ setportof(0, &c->spd.this.client.addr);
+ c->spd.this.has_client = TRUE;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * Compute HASH of Mode Config.
+ */
+static size_t
+modecfg_hash(u_char *dest, const u_char *start, const u_char *roof
+ , const struct state *st)
+{
+ struct hmac_ctx ctx;
+
+ hmac_init_chunk(&ctx, st->st_oakley.hasher, st->st_skeyid_a);
+ hmac_update(&ctx, (const u_char *) &st->st_msgid, sizeof(st->st_msgid));
+ hmac_update(&ctx, start, roof-start);
+ hmac_final(dest, &ctx);
+
+ DBG(DBG_CRYPT,
+ DBG_log("ModeCfg HASH computed:");
+ DBG_dump("", dest, ctx.hmac_digest_size)
+ )
+ return ctx.hmac_digest_size;
+}
+
+
+/*
+ * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS)
+ */
+static stf_status
+modecfg_build_msg(struct state *st, pb_stream *rbody
+ , u_int16_t msg_type
+ , internal_addr_t *ia
+ , u_int16_t ap_id)
+{
+ u_char *r_hash_start, *r_hashval;
+
+ START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR);
+
+ /* ATTR out */
+ {
+ struct isakmp_mode_attr attrh;
+ struct isakmp_attribute attr;
+ pb_stream strattr,attrval;
+ int attr_type;
+ int dns_idx, wins_idx;
+ bool dont_advance;
+ bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY;
+ bool is_unity_attr_set = ia->unity_attr_set != LEMPTY;
+ lset_t attr_set = ia->attr_set;
+
+ attrh.isama_np = ISAKMP_NEXT_NONE;
+ attrh.isama_type = msg_type;
+ attrh.isama_identifier = ap_id;
+
+ if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr))
+ return STF_INTERNAL_ERROR;
+
+ attr_type = 0;
+ dns_idx = 0;
+ wins_idx = 0;
+
+ while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set)
+ {
+ if (attr_set == LEMPTY)
+ {
+ if (is_xauth_attr_set)
+ {
+ attr_set = ia->xauth_attr_set;
+ attr_type = XAUTH_BASE;
+ is_xauth_attr_set = FALSE;
+ }
+ else
+ {
+ attr_set = ia->unity_attr_set;
+ attr_type = UNITY_BASE;
+ is_unity_attr_set = FALSE;
+ }
+ }
+
+ dont_advance = FALSE;
+
+ if (attr_set & 1)
+ {
+ const u_char *byte_ptr;
+ u_int len;
+
+ /* ISAKMP attr out */
+ if (attr_type == XAUTH_TYPE)
+ {
+ attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
+ attr.isaat_lv = ia->xauth_type;
+ }
+ else if (attr_type == XAUTH_STATUS)
+ {
+ attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV;
+ attr.isaat_lv = ia->xauth_status;
+ }
+ else
+ {
+ attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV;
+ }
+ out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval);
+
+ switch (attr_type)
+ {
+ case INTERNAL_IP4_ADDRESS:
+ if (!isanyaddr(&ia->ipaddr))
+ {
+ len = addrbytesptr(&ia->ipaddr, &byte_ptr);
+ out_raw(byte_ptr, len, &attrval, "IP4_addr");
+ }
+ break;
+ case INTERNAL_IP4_NETMASK:
+ {
+ u_int mask;
+#if 0
+ char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
+ int t,m=st->st_connection->that.host_addr.maskbit;
+ for (t=0; t<4; t++)
+ {
+ if (m < 8)
+ mask[t] = bits[m];
+ else
+ mask[t] = 0xff;
+ m -= 8;
+ }
+#endif
+ if (st->st_connection->spd.this.client.maskbits == 0)
+ mask = 0;
+ else
+ mask = 0xffffffff * 1;
+ out_raw(&mask, 4, &attrval, "IP4_mask");
+ }
+ break;
+ case INTERNAL_IP4_SUBNET:
+ {
+ char mask[4];
+ char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe};
+ int t;
+ int m = st->st_connection->spd.this.client.maskbits;
+
+ for (t = 0; t < 4; t++)
+ {
+ if (m < 8)
+ mask[t] = bits[m];
+ else
+ mask[t] = 0xff;
+ m -= 8;
+ if (m < 0)
+ m = 0;
+ }
+ len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr);
+ out_raw(byte_ptr, len, &attrval, "IP4_subnet");
+ out_raw(mask, sizeof(mask), &attrval, "IP4_submsk");
+ }
+ break;
+ case INTERNAL_IP4_DNS:
+ if (!isanyaddr(&ia->dns[dns_idx]))
+ {
+ len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr);
+ out_raw(byte_ptr, len, &attrval, "IP4_dns");
+ }
+ if (dns_idx < 2 && !isanyaddr(&ia->dns[dns_idx]))
+ {
+ dont_advance = TRUE;
+ }
+ break;
+ case INTERNAL_IP4_NBNS:
+ if (!isanyaddr(&ia->wins[wins_idx]))
+ {
+ len = addrbytesptr(&ia->wins[wins_idx++], &byte_ptr);
+ out_raw(byte_ptr, len, &attrval, "IP4_wins");
+ }
+ if (wins_idx < 2 && !isanyaddr(&ia->wins[wins_idx]))
+ {
+ dont_advance = TRUE;
+ }
+ break;
+ case XAUTH_TYPE:
+ break;
+ case XAUTH_USER_NAME:
+ if (ia->xauth_secret.user_name.ptr != NULL)
+ {
+ out_raw(ia->xauth_secret.user_name.ptr
+ , ia->xauth_secret.user_name.len
+ , &attrval, "xauth_user_name");
+ }
+ break;
+ case XAUTH_USER_PASSWORD:
+ if (ia->xauth_secret.user_password.ptr != NULL)
+ {
+ out_raw(ia->xauth_secret.user_password.ptr
+ , ia->xauth_secret.user_password.len
+ , &attrval, "xauth_user_password");
+ }
+ break;
+ case XAUTH_STATUS:
+ break;
+ case UNITY_BANNER:
+ if (ia->unity_banner != NULL)
+ {
+ out_raw(ia->unity_banner
+ , strlen(ia->unity_banner)
+ , &attrval, "UNITY_BANNER");
+ }
+ break;
+ default:
+ plog("attempt to send unsupported mode cfg attribute %s."
+ , enum_show(&modecfg_attr_names, attr_type));
+ break;
+ }
+ close_output_pbs(&attrval);
+ }
+ if (!dont_advance)
+ {
+ attr_type++;
+ attr_set >>= 1;
+ }
+ }
+ close_message(&strattr);
+ }
+
+ modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
+ close_message(rbody);
+ encrypt_message(rbody, st);
+ return STF_OK;
+}
+
+/*
+ * Send ModeCfg message
+ */
+static stf_status
+modecfg_send_msg(struct state *st, int isama_type, internal_addr_t *ia)
+{
+ pb_stream msg;
+ pb_stream rbody;
+ char buf[BUF_LEN];
+
+ /* set up attr */
+ init_pbs(&msg, buf, sizeof(buf), "ModeCfg msg buffer");
+
+ /* this is the beginning of a new exchange */
+ st->st_msgid = generate_msgid(st);
+ init_phase2_iv(st, &st->st_msgid);
+
+ /* HDR out */
+ {
+ struct isakmp_hdr hdr;
+
+ zero(&hdr); /* default to 0 */
+ hdr.isa_version = ISAKMP_MAJOR_VERSION << ISA_MAJ_SHIFT | ISAKMP_MINOR_VERSION;
+ hdr.isa_np = ISAKMP_NEXT_HASH;
+ hdr.isa_xchg = ISAKMP_XCHG_MODE_CFG;
+ hdr.isa_flags = ISAKMP_FLAG_ENCRYPTION;
+ memcpy(hdr.isa_icookie, st->st_icookie, COOKIE_SIZE);
+ memcpy(hdr.isa_rcookie, st->st_rcookie, COOKIE_SIZE);
+ hdr.isa_msgid = st->st_msgid;
+
+ if (!out_struct(&hdr, &isakmp_hdr_desc, &msg, &rbody))
+ {
+ return STF_INTERNAL_ERROR;
+ }
+ }
+
+ /* ATTR out */
+ modecfg_build_msg(st, &rbody
+ , isama_type
+ , ia
+ , 0 /* XXX isama_id */
+ );
+
+ freeanychunk(st->st_tpacket);
+ clonetochunk(st->st_tpacket, msg.start, pbs_offset(&msg), "ModeCfg msg");
+
+ /* Transmit */
+ send_packet(st, "ModeCfg msg");
+
+ if (st->st_event->ev_type != EVENT_RETRANSMIT)
+ {
+ delete_event(st);
+ event_schedule(EVENT_RETRANSMIT, EVENT_RETRANSMIT_DELAY_0, st);
+ }
+ return STF_OK;
+}
+
+/*
+ * Parse a ModeCfg attribute payload
+ */
+static stf_status
+modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia)
+{
+ struct isakmp_attribute attr;
+ pb_stream strattr;
+
+ while (pbs_left(attrs) >= sizeof(struct isakmp_attribute))
+ {
+ u_int16_t attr_type;
+ u_int16_t attr_len;
+
+ if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr))
+ {
+ return STF_FAIL;
+ }
+ attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK;
+ attr_len = attr.isaat_lv;
+
+ switch (attr_type)
+ {
+ case INTERNAL_IP4_ADDRESS:
+ if (attr_len == 4)
+ {
+ initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr);
+ }
+ /* fall through to set attribute flag */
+ case INTERNAL_IP4_NETMASK:
+ case INTERNAL_IP4_DNS:
+ case INTERNAL_IP4_SUBNET:
+ case INTERNAL_IP4_NBNS:
+ case INTERNAL_ADDRESS_EXPIRY:
+ case INTERNAL_IP4_DHCP:
+ case INTERNAL_IP6_ADDRESS:
+ case INTERNAL_IP6_NETMASK:
+ case INTERNAL_IP6_DNS:
+ case INTERNAL_IP6_NBNS:
+ case INTERNAL_IP6_DHCP:
+ case SUPPORTED_ATTRIBUTES:
+ case INTERNAL_IP6_SUBNET:
+ ia->attr_set |= LELEM(attr_type);
+ break;
+ case APPLICATION_VERSION:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
+ ia->attr_set |= LELEM(attr_type);
+ break;
+ case XAUTH_TYPE:
+ ia->xauth_type = attr.isaat_lv;
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case XAUTH_USER_NAME:
+ setchunk(ia->xauth_secret.user_name, strattr.cur, attr_len);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case XAUTH_USER_PASSWORD:
+ setchunk(ia->xauth_secret.user_password, strattr.cur, attr_len);
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case XAUTH_STATUS:
+ ia->xauth_status = attr.isaat_lv;
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case XAUTH_MESSAGE:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
+ /* fall through to set attribute flag */
+ case XAUTH_PASSCODE:
+ case XAUTH_CHALLENGE:
+ case XAUTH_DOMAIN:
+ case XAUTH_NEXT_PIN:
+ case XAUTH_ANSWER:
+ ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE);
+ break;
+ case UNITY_DDNS_HOSTNAME:
+ if (attr_len > 0)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", attr_len, strattr.cur)
+ )
+ }
+ /* fall through to set attribute flag */
+ case UNITY_BANNER:
+ case UNITY_SAVE_PASSWD:
+ case UNITY_DEF_DOMAIN:
+ case UNITY_SPLITDNS_NAME:
+ case UNITY_SPLIT_INCLUDE:
+ case UNITY_NATT_PORT:
+ case UNITY_LOCAL_LAN:
+ case UNITY_PFS:
+ case UNITY_FW_TYPE:
+ case UNITY_BACKUP_SERVERS:
+ ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE);
+ break;
+ default:
+ plog("unsupported ModeCfg attribute %s received."
+ , enum_show(&modecfg_attr_names, attr_type));
+ break;
+ }
+ }
+ return STF_OK;
+}
+
+/*
+ * Parse a ModeCfg message
+ */
+static stf_status
+modecfg_parse_msg(struct msg_digest *md, int isama_type, u_int16_t *isama_id
+ , internal_addr_t *ia)
+{
+ struct state *const st = md->st;
+ struct payload_digest *p;
+ stf_status stat;
+
+ st->st_msgid = md->hdr.isa_msgid;
+
+ CHECK_QUICK_HASH(md, modecfg_hash(hash_val
+ , hash_pbs->roof
+ , md->message_pbs.roof, st)
+ , "MODECFG-HASH", "ISAKMP_CFG_MSG");
+
+ /* process the ModeCfg payloads received */
+ for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = p->next)
+ {
+ internal_addr_t ia_candidate;
+
+ init_internal_addr(&ia_candidate);
+
+ if (p->payload.attribute.isama_type == isama_type)
+ {
+ *isama_id = p->payload.attribute.isama_identifier;
+
+ stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+ if (stat == STF_OK)
+ {
+ /* return with a valid set of attributes */
+ *ia = ia_candidate;
+ return STF_OK;
+ }
+ }
+ else
+ {
+ plog("expected %s, got %s instead (ignored)"
+ , enum_name(&attr_msg_type_names, isama_type)
+ , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type));
+
+ stat = modecfg_parse_attributes(&p->pbs, &ia_candidate);
+ }
+ if (stat != STF_OK)
+ return stat;
+ }
+ return STF_IGNORE;
+}
+
+/*
+ * Send ModeCfg request message from client to server in pull mode
+ */
+stf_status
+modecfg_send_request(struct state *st)
+{
+ stf_status stat;
+ internal_addr_t ia;
+
+ init_internal_addr(&ia);
+
+ ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS)
+ | LELEM(INTERNAL_IP4_NETMASK);
+
+ plog("sending ModeCfg request");
+ st->st_state = STATE_MODE_CFG_I1;
+ stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+ if (stat == STF_OK)
+ st->st_modecfg.started = TRUE;
+ return stat;
+}
+
+/* STATE_MODE_CFG_R0:
+ * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP)
+ *
+ * used in ModeCfg pull mode, on the server (responder)
+ */
+stf_status
+modecfg_inR0(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ bool want_unity_banner;
+ stf_status stat, stat_build;
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY;
+
+ init_internal_addr(&ia);
+ get_internal_addr(st->st_connection, &ia);
+
+ if (want_unity_banner)
+ {
+ ia.unity_banner = UNITY_BANNER_STR;
+ ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+ }
+
+ plog("sending ModeCfg reply");
+
+ stat_build = modecfg_build_msg(st, &md->rbody
+ , ISAKMP_CFG_REPLY
+ , &ia
+ , isama_id);
+ if (stat_build != STF_OK)
+ return stat_build;
+
+ st->st_msgid = 0;
+ return STF_OK;
+}
+
+/* STATE_MODE_CFG_I1:
+ * HDR*, HASH, ATTR(REPLY=IP)
+ *
+ * used in ModeCfg pull mode, on the client (initiator)
+ */
+stf_status
+modecfg_inI1(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat;
+
+ plog("parsing ModeCfg reply");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+ st->st_msgid = 0;
+ return STF_OK;
+}
+
+
+/*
+ * Send ModeCfg set message from server to client in push mode
+ */
+stf_status
+modecfg_send_set(struct state *st)
+{
+ stf_status stat;
+ internal_addr_t ia;
+
+ init_internal_addr(&ia);
+ get_internal_addr(st->st_connection, &ia);
+
+#ifdef CISCO_QUIRKS
+ ia.unity_banner = UNITY_BANNER_STR;
+ ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE);
+#endif
+
+ plog("sending ModeCfg set");
+ st->st_state = STATE_MODE_CFG_R3;
+ stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+ if (stat == STF_OK)
+ st->st_modecfg.started = TRUE;
+ return stat;
+}
+
+/* STATE_MODE_CFG_I0:
+ * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
+ *
+ * used in ModeCfg push mode, on the client (initiator).
+ */
+stf_status
+modecfg_inI0(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ lset_t attr_set, unity_attr_set;
+ stf_status stat, stat_build;
+
+ plog("parsing ModeCfg set");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia);
+
+ /* prepare ModeCfg ack which sends zero length attributes */
+ attr_set = ia.attr_set;
+ unity_attr_set = ia.unity_attr_set;
+ init_internal_addr(&ia);
+ ia.attr_set = attr_set & SUPPORTED_ATTR_SET;
+ ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET;
+
+ plog("sending ModeCfg ack");
+
+ stat_build = modecfg_build_msg(st, &md->rbody
+ , ISAKMP_CFG_ACK
+ , &ia
+ , isama_id);
+ if (stat_build != STF_OK)
+ return stat_build;
+
+ st->st_msgid = 0;
+ return STF_OK;
+}
+
+/* STATE_MODE_CFG_R3:
+ * HDR*, HASH, ATTR(ACK,OK)
+ *
+ * used in ModeCfg push mode, on the server (responder)
+ */
+stf_status
+modecfg_inR3(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat;
+
+ plog("parsing ModeCfg ack");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ st->st_msgid = 0;
+ return STF_OK;
+}
+
+/*
+ * Send XAUTH credentials request (username + password)
+ */
+stf_status
+xauth_send_request(struct state *st)
+{
+ stf_status stat;
+ internal_addr_t ia;
+
+ init_internal_addr(&ia);
+ ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
+ | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+
+ plog("sending XAUTH request");
+ st->st_state = STATE_XAUTH_R1;
+ stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+ if (stat == STF_OK)
+ st->st_xauth.started = TRUE;
+ return stat;
+}
+
+/* STATE_XAUTH_I0:
+ * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD)
+ *
+ * used on the XAUTH client (initiator)
+ */
+stf_status
+xauth_inI0(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat, stat_build;
+ bool xauth_type_present;
+
+ plog("parsing XAUTH request");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ /* check XAUTH attributes */
+ xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY;
+
+ if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC)
+ {
+ plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type));
+ stat = STF_FAIL;
+ }
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+ {
+ plog("user name attribute is missing in XAUTH request");
+ stat = STF_FAIL;
+ }
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+ {
+ plog("user password attribute is missing in XAUTH request");
+ stat = STF_FAIL;
+ }
+
+ /* prepare XAUTH reply */
+ init_internal_addr(&ia);
+
+ if (stat == STF_OK)
+ {
+ /* get user credentials using a plugin function */
+ if (!xauth_module.get_secret(&ia.xauth_secret))
+ {
+ plog("xauth user credentials not found");
+ stat = STF_FAIL;
+ }
+ }
+ if (stat == STF_OK)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("my xauth user name is '%.*s'"
+ , ia.xauth_secret.user_name.len
+ , ia.xauth_secret.user_name.ptr)
+ )
+ DBG(DBG_PRIVATE,
+ DBG_log("my xauth user password is '%.*s'"
+ , ia.xauth_secret.user_password.len
+ , ia.xauth_secret.user_password.ptr)
+ )
+ ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
+ | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+ if (xauth_type_present)
+ ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE);
+ }
+ else
+ {
+ ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+ ia.xauth_status = XAUTH_STATUS_FAIL;
+ }
+
+ plog("sending XAUTH reply");
+
+ stat_build = modecfg_build_msg(st, &md->rbody
+ , ISAKMP_CFG_REPLY
+ , &ia
+ , isama_id);
+ if (stat_build != STF_OK)
+ return stat_build;
+
+ if (stat == STF_OK)
+ {
+ st->st_xauth.started = TRUE;
+ st->st_msgid = 0;
+ return STF_OK;
+ }
+ else
+ {
+ /* send XAUTH reply msg and then delete ISAKMP SA */
+ freeanychunk(st->st_tpacket);
+ clonetochunk(st->st_tpacket, md->reply.start
+ , pbs_offset(&md->reply), "XAUTH reply msg");
+ send_packet(st, "XAUTH reply msg");
+ delete_state(st);
+ return STF_IGNORE;
+ }
+}
+
+/* STATE_XAUTH_R1:
+ * HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS)
+ *
+ * used on the XAUTH server (responder)
+ */
+stf_status
+xauth_inR1(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat, stat_build;
+
+ plog("parsing XAUTH reply");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ /* did the client return an XAUTH FAIL status? */
+ if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY)
+ {
+ plog("received FAIL status in XAUTH reply");
+
+ /* client is not able to do XAUTH, delete ISAKMP SA */
+ delete_state(st);
+ return STF_IGNORE;
+ }
+
+ /* check XAUTH reply */
+ if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY)
+ {
+ plog("user name attribute is missing in XAUTH reply");
+ st->st_xauth.status = FALSE;
+ }
+ else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY)
+ {
+ plog("user password attribute is missing in XAUTH reply");
+ st->st_xauth.status = FALSE;
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("peer xauth user name is '%.*s'"
+ , ia.xauth_secret.user_name.len
+ , ia.xauth_secret.user_name.ptr)
+ )
+ DBG(DBG_PRIVATE,
+ DBG_log("peer xauth user password is '%.*s'"
+ , ia.xauth_secret.user_password.len
+ , ia.xauth_secret.user_password.ptr)
+ )
+ /* verify the user credentials using a plugn function */
+ st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret);
+ plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
+ }
+
+ /* prepare XAUTH set which sends the authentication status */
+ init_internal_addr(&ia);
+ ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE);
+ ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL;
+
+ plog("sending XAUTH status:");
+
+ stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia);
+ if (stat_build != STF_OK)
+ return stat_build;
+ return STF_OK;
+}
+
+/* STATE_XAUTH_I1:
+ * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK)
+ *
+ * used on the XAUTH client (initiator)
+ */
+stf_status
+xauth_inI1(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat, stat_build;
+
+ plog("parsing XAUTH status");
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia);
+ if (stat != STF_OK)
+ {
+ /* notification payload - not exactly the right choice, but okay */
+ md->note = ATTRIBUTES_NOT_SUPPORTED;
+ return stat;
+ }
+
+ st->st_xauth.status = ia.xauth_status;
+ plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
+
+ plog("sending XAUTH ack");
+ init_internal_addr(&ia);
+ stat_build = modecfg_build_msg(st, &md->rbody
+ , ISAKMP_CFG_ACK
+ , &ia
+ , isama_id);
+ if (stat_build != STF_OK)
+ return stat_build;
+
+ if (st->st_xauth.status)
+ {
+ st->st_msgid = 0;
+ return STF_OK;
+ }
+ else
+ {
+ /* send XAUTH ack msg and then delete ISAKMP SA */
+ freeanychunk(st->st_tpacket);
+ clonetochunk(st->st_tpacket, md->reply.start
+ , pbs_offset(&md->reply), "XAUTH ack msg");
+ send_packet(st, "XAUTH ack msg");
+ delete_state(st);
+ return STF_IGNORE;
+ }
+}
+
+/* STATE_XAUTH_R2:
+ * HDR*, ATTR(STATUS), HASH --> Done
+ *
+ * used on the XAUTH server (responder)
+ */
+stf_status
+xauth_inR2(struct msg_digest *md)
+{
+ struct state *const st = md->st;
+ u_int16_t isama_id;
+ internal_addr_t ia;
+ stf_status stat;
+
+ plog("parsing XAUTH ack");
+
+ stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia);
+ if (stat != STF_OK)
+ return stat;
+
+ st->st_msgid = 0;
+ if (st->st_xauth.status)
+ {
+ return STF_OK;
+ }
+ else
+ {
+ delete_state(st);
+ return STF_IGNORE;
+ }
+}
diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h
new file mode 100644
index 000000000..68b7ef446
--- /dev/null
+++ b/src/pluto/modecfg.h
@@ -0,0 +1,47 @@
+/* Mode Config related functions
+ * Copyright (C) 2001-2002 Colubris Networks
+ * Copyright (C) 2003-2004 Xelerance Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: modecfg.h,v 1.1 2005/01/06 22:10:15 as Exp $
+ */
+
+#ifndef _MODECFG_H
+#define _MODECFG_H
+
+struct state;
+struct msg_digest;
+
+/* ModeConfig pull mode start function */
+extern stf_status modecfg_send_request(struct state *st);
+
+/* ModeConfig pull mode state transition functions */
+extern stf_status modecfg_inR0(struct msg_digest *md);
+extern stf_status modecfg_inI1(struct msg_digest *md);
+
+/* ModeConfig push mode start function */
+extern stf_status modecfg_send_set(struct state *st);
+
+/* ModeConfig push mode state transition functions */
+extern stf_status modecfg_inI0(struct msg_digest *md);
+extern stf_status modecfg_inR3(struct msg_digest *md);
+
+/* XAUTH start function */
+extern stf_status xauth_send_request(struct state *st);
+
+/* XAUTH state transition funcgtions */
+extern stf_status xauth_inI0(struct msg_digest *md);
+extern stf_status xauth_inR1(struct msg_digest *md);
+extern stf_status xauth_inI1(struct msg_digest *md);
+extern stf_status xauth_inR2(struct msg_digest *md);
+
+#endif /* _MODECFG_H */
diff --git a/src/pluto/mp_defs.c b/src/pluto/mp_defs.c
new file mode 100644
index 000000000..7ad896751
--- /dev/null
+++ b/src/pluto/mp_defs.c
@@ -0,0 +1,70 @@
+/* some multiprecision utilities
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: mp_defs.c,v 1.1 2006/01/05 12:37:11 as Exp $
+ */
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "log.h"
+
+/* Convert MP_INT to network form (binary octets, big-endian).
+ * We do the malloc; caller must eventually do free.
+ */
+chunk_t
+mpz_to_n(const MP_INT *mp, size_t bytes)
+{
+ chunk_t r;
+ MP_INT temp1, temp2;
+ int i;
+
+ r.len = bytes;
+ r.ptr = alloc_bytes(r.len, "host representation of large integer");
+
+ mpz_init(&temp1);
+ mpz_init(&temp2);
+
+ mpz_set(&temp1, mp);
+
+ for (i = r.len-1; i >= 0; i--)
+ {
+ r.ptr[i] = mpz_mdivmod_ui(&temp2, NULL, &temp1, 1 << BITS_PER_BYTE);
+ mpz_set(&temp1, &temp2);
+ }
+
+ passert(mpz_sgn(&temp1) == 0); /* we must have done all the bits */
+ mpz_clear(&temp1);
+ mpz_clear(&temp2);
+
+ return r;
+}
+
+/* Convert network form (binary bytes, big-endian) to MP_INT.
+ * The *mp must not be previously mpz_inited.
+ */
+void
+n_to_mpz(MP_INT *mp, const u_char *nbytes, size_t nlen)
+{
+ size_t i;
+
+ mpz_init_set_ui(mp, 0);
+
+ for (i = 0; i != nlen; i++)
+ {
+ mpz_mul_ui(mp, mp, 1 << BITS_PER_BYTE);
+ mpz_add_ui(mp, mp, nbytes[i]);
+ }
+}
diff --git a/src/pluto/mp_defs.h b/src/pluto/mp_defs.h
new file mode 100644
index 000000000..744a028d1
--- /dev/null
+++ b/src/pluto/mp_defs.h
@@ -0,0 +1,36 @@
+/* some multiprecision utilities
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: mp_defs.h,v 1.2 2006/01/06 11:40:45 as Exp $
+ */
+
+#ifndef _MP_DEFS_H
+#define _MP_DEFS_H
+
+#include <gmp.h>
+
+#include "defs.h"
+
+extern void n_to_mpz(MP_INT *mp, const u_char *nbytes, size_t nlen);
+extern chunk_t mpz_to_n(const MP_INT *mp, size_t bytes);
+
+/* var := mod(base ** exp, mod), ensuring var is mpz_inited */
+#define mpz_init_powm(flag, var, base, exp, mod) { \
+ if (!(flag)) \
+ mpz_init(&(var)); \
+ (flag) = TRUE; \
+ mpz_powm(&(var), &(base), &(exp), (mod)); \
+ }
+
+#endif /* _MP_DEFS_H */
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
new file mode 100644
index 000000000..4a52cc107
--- /dev/null
+++ b/src/pluto/nat_traversal.c
@@ -0,0 +1,866 @@
+/* FreeS/WAN NAT-Traversal
+ * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: nat_traversal.c,v 1.8 2005/01/06 22:36:58 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "server.h"
+#include "state.h"
+#include "connections.h"
+#include "packet.h"
+#include "demux.h"
+#include "kernel.h"
+#include "whack.h"
+#include "timer.h"
+#include "cookie.h"
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h"
+#include "vendor.h"
+#include "ike_alg.h"
+#include "nat_traversal.h"
+
+/* #define FORCE_NAT_TRAVERSAL */
+#define NAT_D_DEBUG
+#define NAT_T_SUPPORT_LAST_DRAFTS
+
+#ifndef SOL_UDP
+#define SOL_UDP 17
+#endif
+
+#ifndef UDP_ESPINUDP
+#define UDP_ESPINUDP 100
+#endif
+
+#define DEFAULT_KEEP_ALIVE_PERIOD 20
+
+#ifdef _IKE_ALG_H
+/* Alg patch: hash_digest_len -> hash_digest_size */
+#define hash_digest_len hash_digest_size
+#endif
+
+bool nat_traversal_enabled = FALSE;
+bool nat_traversal_support_non_ike = FALSE;
+bool nat_traversal_support_port_floating = FALSE;
+
+static unsigned int _kap = 0;
+static unsigned int _ka_evt = 0;
+static bool _force_ka = 0;
+
+static const char *natt_version = "0.6c";
+
+void init_nat_traversal (bool activate, unsigned int keep_alive_period,
+ bool fka, bool spf)
+{
+ nat_traversal_enabled = activate;
+ nat_traversal_support_non_ike = activate;
+#ifdef NAT_T_SUPPORT_LAST_DRAFTS
+ nat_traversal_support_port_floating = activate ? spf : FALSE;
+#endif
+ _force_ka = fka;
+ _kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
+ plog(" including NAT-Traversal patch (Version %s)%s%s%s"
+ , natt_version, activate ? "" : " [disabled]"
+ , activate & fka ? " [Force KeepAlive]" : ""
+ , activate & !spf ? " [Port Floating disabled]" : "");
+}
+
+static void disable_nat_traversal (int type)
+{
+ if (type == ESPINUDP_WITH_NON_IKE)
+ nat_traversal_support_non_ike = FALSE;
+ else
+ nat_traversal_support_port_floating = FALSE;
+
+ if (!nat_traversal_support_non_ike &&
+ !nat_traversal_support_port_floating)
+ nat_traversal_enabled = FALSE;
+}
+
+static void _natd_hash(const struct hash_desc *hasher, char *hash,
+ u_int8_t *icookie, u_int8_t *rcookie,
+ const ip_address *ip, u_int16_t port)
+{
+ union hash_ctx ctx;
+
+ if (is_zero_cookie(icookie))
+ DBG_log("_natd_hash: Warning, icookie is zero !!");
+ if (is_zero_cookie(rcookie))
+ DBG_log("_natd_hash: Warning, rcookie is zero !!");
+
+ /**
+ * draft-ietf-ipsec-nat-t-ike-01.txt
+ *
+ * HASH = HASH(CKY-I | CKY-R | IP | Port)
+ *
+ * All values in network order
+ */
+ hasher->hash_init(&ctx);
+ hasher->hash_update(&ctx, icookie, COOKIE_SIZE);
+ hasher->hash_update(&ctx, rcookie, COOKIE_SIZE);
+ switch (addrtypeof(ip)) {
+ case AF_INET:
+ hasher->hash_update(&ctx, (const u_char *)&ip->u.v4.sin_addr.s_addr
+ , sizeof(ip->u.v4.sin_addr.s_addr));
+ break;
+ case AF_INET6:
+ hasher->hash_update(&ctx, (const u_char *)&ip->u.v6.sin6_addr.s6_addr
+ , sizeof(ip->u.v6.sin6_addr.s6_addr));
+ break;
+ }
+ hasher->hash_update(&ctx, (const u_char *)&port, sizeof(u_int16_t));
+ hasher->hash_final(hash, &ctx);
+#ifdef NAT_D_DEBUG
+ DBG(DBG_NATT,
+ DBG_log("_natd_hash: hasher=%p(%d)", hasher, (int)hasher->hash_digest_len);
+ DBG_dump("_natd_hash: icookie=", icookie, COOKIE_SIZE);
+ DBG_dump("_natd_hash: rcookie=", rcookie, COOKIE_SIZE);
+ switch (addrtypeof(ip)) {
+ case AF_INET:
+ DBG_dump("_natd_hash: ip=", &ip->u.v4.sin_addr.s_addr
+ , sizeof(ip->u.v4.sin_addr.s_addr));
+ break;
+ }
+ DBG_log("_natd_hash: port=%d", port);
+ DBG_dump("_natd_hash: hash=", hash, hasher->hash_digest_len);
+ );
+#endif
+}
+
+/* Add NAT-Traversal VIDs (supported ones)
+ * used when we are Initiator
+ */
+bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs)
+{
+ bool r = TRUE;
+
+ if (nat_traversal_support_port_floating)
+ {
+ u_int8_t last_np = nat_traversal_support_non_ike ?
+ ISAKMP_NEXT_VID : np;
+
+ if (r)
+ r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
+ if (r)
+ r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
+ if (r)
+ r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
+ if (r)
+ r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
+ }
+ if (nat_traversal_support_non_ike)
+ {
+ if (r)
+ r = out_vendorid(np, outs, VID_NATT_IETF_00);
+ }
+ return r;
+}
+
+u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid)
+{
+ switch (nat_t_vid)
+ {
+ case VID_NATT_IETF_00:
+ return LELEM(NAT_TRAVERSAL_IETF_00_01);
+ case VID_NATT_IETF_02:
+ case VID_NATT_IETF_02_N:
+ case VID_NATT_IETF_03:
+ return LELEM(NAT_TRAVERSAL_IETF_02_03);
+ case VID_NATT_RFC:
+ return LELEM(NAT_TRAVERSAL_RFC);
+ }
+ return 0;
+}
+
+void nat_traversal_natd_lookup(struct msg_digest *md)
+{
+ char hash[MAX_DIGEST_LEN];
+ struct payload_digest *p;
+ struct state *st = md->st;
+ int i;
+
+ if (!st || !md->iface || !st->st_oakley.hasher)
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+ , __FILE__, __LINE__);
+ return;
+ }
+
+ /** Count NAT-D **/
+ for (p = md->chain[ISAKMP_NEXT_NATD_RFC], i=0; p != NULL; p = p->next, i++);
+
+ /*
+ * We need at least 2 NAT-D (1 for us, many for peer)
+ */
+ if (i < 2)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "NAT-Traversal: Only %d NAT-D - Aborting NAT-Traversal negociation", i);
+ st->nat_traversal = 0;
+ return;
+ }
+
+ /*
+ * First one with my IP & port
+ */
+ p = md->chain[ISAKMP_NEXT_NATD_RFC];
+ _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
+ &(md->iface->addr), ntohs(st->st_connection->spd.this.host_port));
+
+ if (!(pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
+ memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0))
+ {
+#ifdef NAT_D_DEBUG
+ DBG(DBG_NATT,
+ DBG_log("NAT_TRAVERSAL_NAT_BHND_ME");
+ DBG_dump("expected NAT-D:", hash
+ , st->st_oakley.hasher->hash_digest_len);
+ DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
+ )
+#endif
+ st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
+ }
+
+ /*
+ * The others with sender IP & port
+ */
+ _natd_hash(st->st_oakley.hasher, hash, st->st_icookie, st->st_rcookie,
+ &(md->sender), ntohs(md->sender_port));
+ for (p = p->next, i=0 ; p != NULL; p = p->next)
+ {
+ if (pbs_left(&p->pbs) == st->st_oakley.hasher->hash_digest_len &&
+ memcmp(p->pbs.cur, hash, st->st_oakley.hasher->hash_digest_len) == 0)
+ {
+ i++;
+ }
+ }
+ if (!i)
+ {
+#ifdef NAT_D_DEBUG
+ DBG(DBG_NATT,
+ DBG_log("NAT_TRAVERSAL_NAT_BHND_PEER");
+ DBG_dump("expected NAT-D:", hash
+ , st->st_oakley.hasher->hash_digest_len);
+ p = md->chain[ISAKMP_NEXT_NATD_RFC];
+ for (p = p->next, i=0 ; p != NULL; p = p->next)
+ {
+ DBG_dump("received NAT-D:", p->pbs.cur, pbs_left(&p->pbs));
+ }
+ )
+#endif
+ st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
+ }
+#ifdef FORCE_NAT_TRAVERSAL
+ st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
+ st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
+#endif
+}
+
+bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
+ struct msg_digest *md)
+{
+ char hash[MAX_DIGEST_LEN];
+ struct state *st = md->st;
+
+ if (!st || !st->st_oakley.hasher)
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+ , __FILE__, __LINE__);
+ return FALSE;
+ }
+
+ DBG(DBG_EMITTING,
+ DBG_log("sending NATD payloads")
+ )
+
+ /*
+ * First one with sender IP & port
+ */
+ _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
+ is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
+ &(md->sender),
+#ifdef FORCE_NAT_TRAVERSAL
+ 0
+#else
+ ntohs(md->sender_port)
+#endif
+ );
+ if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
+ ? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
+ hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"))
+ {
+ return FALSE;
+ }
+
+ /*
+ * Second one with my IP & port
+ */
+ _natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
+ is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
+ &(md->iface->addr),
+#ifdef FORCE_NAT_TRAVERSAL
+ 0
+#else
+ ntohs(st->st_connection->spd.this.host_port)
+#endif
+ );
+ return (out_generic_raw(np, &isakmp_nat_d, outs,
+ hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
+}
+
+/*
+ * nat_traversal_natoa_lookup()
+ *
+ * Look for NAT-OA in message
+ */
+void nat_traversal_natoa_lookup(struct msg_digest *md)
+{
+ struct payload_digest *p;
+ struct state *st = md->st;
+ int i;
+ ip_address ip;
+
+ if (!st || !md->iface)
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+ , __FILE__, __LINE__);
+ return;
+ }
+
+ /* Initialize NAT-OA */
+ anyaddr(AF_INET, &st->nat_oa);
+
+ /* Count NAT-OA **/
+ for (p = md->chain[ISAKMP_NEXT_NATOA_RFC], i=0; p != NULL; p = p->next, i++);
+
+ DBG(DBG_NATT,
+ DBG_log("NAT-Traversal: received %d NAT-OA.", i)
+ )
+
+ if (i == 0)
+ return;
+
+ if (!(st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER)))
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
+ "ignored because peer is not NATed", i);
+ return;
+ }
+
+ if (i > 1)
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %d NAT-OA. "
+ "using first, ignoring others", i);
+ }
+
+ /* Take first */
+ p = md->chain[ISAKMP_NEXT_NATOA_RFC];
+
+ DBG(DBG_PARSING,
+ DBG_dump("NAT-OA:", p->pbs.start, pbs_room(&p->pbs));
+ );
+
+ switch (p->payload.nat_oa.isanoa_idtype)
+ {
+ case ID_IPV4_ADDR:
+ if (pbs_left(&p->pbs) == sizeof(struct in_addr))
+ {
+ initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET, &ip);
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv4 NAT-OA "
+ "with invalid IP size (%d)", (int)pbs_left(&p->pbs));
+ return;
+ }
+ break;
+ case ID_IPV6_ADDR:
+ if (pbs_left(&p->pbs) == sizeof(struct in6_addr))
+ {
+ initaddr(p->pbs.cur, pbs_left(&p->pbs), AF_INET6, &ip);
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: received IPv6 NAT-OA "
+ "with invalid IP size (%d)", (int)pbs_left(&p->pbs));
+ return;
+ }
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+ "invalid ID Type (%d) in NAT-OA - ignored",
+ p->payload.nat_oa.isanoa_idtype);
+ return;
+ }
+
+ DBG(DBG_NATT,
+ {
+ char ip_t[ADDRTOT_BUF];
+ addrtot(&ip, 0, ip_t, sizeof(ip_t));
+
+ DBG_log("received NAT-OA: %s", ip_t);
+ }
+ )
+
+ if (isanyaddr(&ip))
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: received %%any NAT-OA...");
+ else
+ st->nat_oa = ip;
+}
+
+bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
+ struct state *st)
+{
+ struct isakmp_nat_oa natoa;
+ pb_stream pbs;
+ unsigned char ip_val[sizeof(struct in6_addr)];
+ size_t ip_len = 0;
+ ip_address *ip;
+
+ if ((!st) || (!st->st_connection))
+ {
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: assert failed %s:%d"
+ , __FILE__, __LINE__);
+ return FALSE;
+ }
+ ip = &(st->st_connection->spd.this.host_addr);
+
+ memset(&natoa, 0, sizeof(natoa));
+ natoa.isanoa_np = np;
+
+ switch (addrtypeof(ip))
+ {
+ case AF_INET:
+ ip_len = sizeof(ip->u.v4.sin_addr.s_addr);
+ memcpy(ip_val, &ip->u.v4.sin_addr.s_addr, ip_len);
+ natoa.isanoa_idtype = ID_IPV4_ADDR;
+ break;
+ case AF_INET6:
+ ip_len = sizeof(ip->u.v6.sin6_addr.s6_addr);
+ memcpy(ip_val, &ip->u.v6.sin6_addr.s6_addr, ip_len);
+ natoa.isanoa_idtype = ID_IPV6_ADDR;
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+ "invalid addrtypeof()=%d", addrtypeof(ip));
+ return FALSE;
+ }
+
+ if (!out_struct(&natoa, &isakmp_nat_oa, outs, &pbs))
+ return FALSE;
+
+ if (!out_raw(ip_val, ip_len, &pbs, "NAT-OA"))
+ return FALSE;
+
+ DBG(DBG_NATT,
+ DBG_dump("NAT-OA (S):", ip_val, ip_len)
+ )
+
+ close_output_pbs(&pbs);
+ return TRUE;
+}
+
+void nat_traversal_show_result (u_int32_t nt, u_int16_t sport)
+{
+ const char *mth = NULL, *rslt = NULL;
+
+ switch (nt & NAT_TRAVERSAL_METHOD)
+ {
+ case LELEM(NAT_TRAVERSAL_IETF_00_01):
+ mth = natt_type_bitnames[0];
+ break;
+ case LELEM(NAT_TRAVERSAL_IETF_02_03):
+ mth = natt_type_bitnames[1];
+ break;
+ case LELEM(NAT_TRAVERSAL_RFC):
+ mth = natt_type_bitnames[2];
+ break;
+ }
+
+ switch (nt & NAT_T_DETECTED)
+ {
+ case 0:
+ rslt = "no NAT detected";
+ break;
+ case LELEM(NAT_TRAVERSAL_NAT_BHND_ME):
+ rslt = "i am NATed";
+ break;
+ case LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
+ rslt = "peer is NATed";
+ break;
+ case LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER):
+ rslt = "both are NATed";
+ break;
+ }
+
+ loglog(RC_LOG_SERIOUS,
+ "NAT-Traversal: Result using %s: %s",
+ mth ? mth : "unknown method",
+ rslt ? rslt : "unknown result"
+ );
+
+ if ((nt & LELEM(NAT_TRAVERSAL_NAT_BHND_PEER))
+ && (sport == IKE_UDP_PORT)
+ && ((nt & NAT_T_WITH_PORT_FLOATING)==0))
+ {
+ loglog(RC_LOG_SERIOUS,
+ "Warning: peer is NATed but source port is still udp/%d. "
+ "Ipsec-passthrough NAT device suspected -- NAT-T may not work.",
+ IKE_UDP_PORT
+ );
+ }
+}
+
+int nat_traversal_espinudp_socket (int sk, u_int32_t type)
+{
+ int r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
+
+ if (r < 0 && errno == ENOPROTOOPT)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
+ "NAT-T disabled", type);
+ disable_nat_traversal(type);
+ }
+ return r;
+}
+
+void nat_traversal_new_ka_event (void)
+{
+ if (_ka_evt)
+ return; /* event already scheduled */
+
+ event_schedule(EVENT_NAT_T_KEEPALIVE, _kap, NULL);
+ _ka_evt = 1;
+}
+
+static void nat_traversal_send_ka (struct state *st)
+{
+ static unsigned char ka_payload = 0xff;
+ chunk_t sav;
+
+ DBG(DBG_NATT,
+ DBG_log("ka_event: send NAT-KA to %s:%d",
+ ip_str(&st->st_connection->spd.that.host_addr),
+ st->st_connection->spd.that.host_port);
+ )
+
+ /* save state chunk */
+ setchunk(sav, st->st_tpacket.ptr, st->st_tpacket.len);
+
+ /* send keep alive */
+ setchunk(st->st_tpacket, &ka_payload, 1);
+ send_packet(st, "NAT-T Keep Alive");
+
+ /* restore state chunk */
+ setchunk(st->st_tpacket, sav.ptr, sav.len);
+}
+
+/**
+ * Find ISAKMP States with NAT-T and send keep-alive
+ */
+static void nat_traversal_ka_event_state (struct state *st, void *data)
+{
+ unsigned int *_kap_st = (unsigned int *)data;
+ const struct connection *c = st->st_connection;
+
+ if (!c)
+ return;
+
+ if ((st->st_state == STATE_MAIN_R3 || st->st_state == STATE_MAIN_I4)
+ && (st->nat_traversal & NAT_T_DETECTED)
+ && ((st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
+ {
+ /*
+ * - ISAKMP established
+ * - NAT-Traversal detected
+ * - NAT-KeepAlive needed (we are NATed)
+ */
+ if (c->newest_isakmp_sa != st->st_serialno)
+ {
+ /*
+ * if newest is also valid, ignore this one, we will only use
+ * newest.
+ */
+ struct state *st_newest;
+
+ st_newest = state_with_serialno(c->newest_isakmp_sa);
+ if (st_newest
+ && (st_newest->st_state == STATE_MAIN_R3 || st_newest->st_state == STATE_MAIN_I4)
+ && (st_newest->nat_traversal & NAT_T_DETECTED)
+ && ((st_newest->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME)) || _force_ka))
+ {
+ return;
+ }
+ }
+ set_cur_state(st);
+ nat_traversal_send_ka(st);
+ reset_cur_state();
+ (*_kap_st)++;
+ }
+}
+
+void nat_traversal_ka_event (void)
+{
+ unsigned int _kap_st = 0;
+
+ _ka_evt = 0; /* ready to be reschedule */
+
+ for_each_state((void *)nat_traversal_ka_event_state, &_kap_st);
+
+ /* if there are still states who needs Keep-Alive, schedule new event */
+ if (_kap_st)
+ nat_traversal_new_ka_event();
+}
+
+struct _new_mapp_nfo {
+ ip_address addr;
+ u_int16_t sport, dport;
+};
+
+static void nat_traversal_find_new_mapp_state (struct state *st, void *data)
+{
+ struct connection *c = st->st_connection;
+ struct _new_mapp_nfo *nfo = (struct _new_mapp_nfo *)data;
+
+ if (c != NULL
+ && sameaddr(&c->spd.that.host_addr, &(nfo->addr))
+ && c->spd.that.host_port == nfo->sport)
+ {
+
+ /* change host port */
+ c->spd.that.host_port = nfo->dport;
+
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+ || IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ if (!update_ipsec_sa(st))
+ {
+ /*
+ * If ipsec update failed, restore old port or we'll
+ * not be able to update anymore.
+ */
+ c->spd.that.host_port = nfo->sport;
+ }
+ }
+ }
+}
+
+static int nat_traversal_new_mapping(const ip_address *src, u_int16_t sport,
+ const ip_address *dst, u_int16_t dport)
+{
+ char srca[ADDRTOT_BUF], dsta[ADDRTOT_BUF];
+ struct _new_mapp_nfo nfo;
+
+ addrtot(src, 0, srca, ADDRTOT_BUF);
+ addrtot(dst, 0, dsta, ADDRTOT_BUF);
+
+ if (!sameaddr(src, dst))
+ {
+ loglog(RC_LOG_SERIOUS, "nat_traversal_new_mapping: "
+ "address change currently not supported [%s:%d,%s:%d]",
+ srca, sport, dsta, dport);
+ return -1;
+ }
+
+ if (sport == dport)
+ {
+ /* no change */
+ return 0;
+ }
+
+ DBG_log("NAT-T: new mapping %s:%d/%d)", srca, sport, dport);
+
+ nfo.addr = *src;
+ nfo.sport = sport;
+ nfo.dport = dport;
+
+ for_each_state((void *)nat_traversal_find_new_mapp_state, &nfo);
+
+ return 0;
+}
+
+void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
+{
+ struct connection *c = st ? st->st_connection : NULL;
+ struct iface *i = NULL;
+
+ if ((st == NULL) || (c == NULL))
+ return;
+
+ if (md)
+ {
+ /*
+ * If source port has changed, update (including other states and
+ * established kernel SA)
+ */
+ if (c->spd.that.host_port != md->sender_port)
+ {
+ nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+ &c->spd.that.host_addr, md->sender_port);
+ }
+
+ /*
+ * If interface type has changed, update local port (500/4500)
+ */
+ if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !md->iface->ike_float)
+ || (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT && md->iface->ike_float))
+ {
+ c->spd.this.host_port = (md->iface->ike_float)
+ ? NAT_T_IKE_FLOAT_PORT : pluto_port;
+
+ DBG(DBG_NATT,
+ DBG_log("NAT-T: updating local port to %d", c->spd.this.host_port);
+ );
+ }
+ }
+
+ /*
+ * If we're initiator and NAT-T (with port floating) is detected, we
+ * need to change port (MAIN_I3 or QUICK_I1)
+ */
+ if ((st->st_state == STATE_MAIN_I3 || st->st_state == STATE_QUICK_I1)
+ && (st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
+ && (st->nat_traversal & NAT_T_DETECTED)
+ && (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT))
+ {
+ DBG(DBG_NATT,
+ DBG_log("NAT-T: floating to port %d", NAT_T_IKE_FLOAT_PORT);
+ )
+ c->spd.this.host_port = NAT_T_IKE_FLOAT_PORT;
+ c->spd.that.host_port = NAT_T_IKE_FLOAT_PORT;
+ /*
+ * Also update pending connections or they will be deleted if uniqueids
+ * option is set.
+ */
+ update_pending(st, st);
+ }
+
+ /*
+ * Find valid interface according to local port (500/4500)
+ */
+ if ((c->spd.this.host_port == NAT_T_IKE_FLOAT_PORT && !c->interface->ike_float)
+ || (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT && c->interface->ike_float))
+ {
+ for (i = interfaces; i != NULL; i = i->next)
+ {
+ if (sameaddr(&c->interface->addr, &i->addr)
+ && i->ike_float != c->interface->ike_float)
+ {
+ DBG(DBG_NATT,
+ DBG_log("NAT-T: using interface %s:%d", i->rname,
+ i->ike_float ? NAT_T_IKE_FLOAT_PORT : pluto_port);
+ )
+ c->interface = i;
+ break;
+ }
+ }
+ }
+}
+
+struct _new_klips_mapp_nfo {
+ struct sadb_sa *sa;
+ ip_address src, dst;
+ u_int16_t sport, dport;
+};
+
+static void nat_t_new_klips_mapp (struct state *st, void *data)
+{
+ struct connection *c = st->st_connection;
+ struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
+
+ if (c != NULL && st->st_esp.present
+ && sameaddr(&c->spd.that.host_addr, &(nfo->src))
+ && st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
+ {
+ nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+ &(nfo->dst), nfo->dport);
+ }
+}
+
+void process_pfkey_nat_t_new_mapping(
+ struct sadb_msg *msg __attribute__ ((unused)),
+ struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+{
+ struct _new_klips_mapp_nfo nfo;
+ struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
+ struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
+ struct sockaddr *srca, *dsta;
+ err_t ugh = NULL;
+
+ nfo.sa = (void *) extensions[SADB_EXT_SA];
+
+ if (!nfo.sa || !srcx || !dstx)
+ {
+ plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
+ "got NULL params");
+ return;
+ }
+
+ srca = ((struct sockaddr *)(void *)&srcx[1]);
+ dsta = ((struct sockaddr *)(void *)&dstx[1]);
+
+ if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
+ {
+ ugh = "only AF_INET supported";
+ }
+ else
+ {
+ char text_said[SATOT_BUF];
+ char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
+ ip_said said;
+
+ initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
+ sizeof(((const struct sockaddr_in *)srca)->sin_addr),
+ srca->sa_family, &(nfo.src));
+ nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
+ initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
+ sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
+ dsta->sa_family, &(nfo.dst));
+ nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
+
+ DBG(DBG_NATT,
+ initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
+ satot(&said, 0, text_said, SATOT_BUF);
+ addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
+ addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
+ DBG_log("new klips mapping %s %s:%d %s:%d",
+ text_said, _srca, nfo.sport, _dsta, nfo.dport);
+ )
+
+ for_each_state((void *)nat_t_new_klips_mapp, &nfo);
+ }
+
+ if (ugh != NULL)
+ plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
+}
+
diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
new file mode 100644
index 000000000..71222c54c
--- /dev/null
+++ b/src/pluto/nat_traversal.h
@@ -0,0 +1,154 @@
+/* FreeS/WAN NAT-Traversal
+ * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: nat_traversal.h,v 1.4 2004/07/27 21:11:30 as Exp $
+ */
+
+#ifndef _NAT_TRAVERSAL_H
+#define _NAT_TRAVERSAL_H
+
+#include "packet.h"
+
+#define NAT_TRAVERSAL_IETF_00_01 1
+#define NAT_TRAVERSAL_IETF_02_03 2
+#define NAT_TRAVERSAL_RFC 3
+
+#define NAT_TRAVERSAL_NAT_BHND_ME 30
+#define NAT_TRAVERSAL_NAT_BHND_PEER 31
+
+#define NAT_TRAVERSAL_METHOD (0xffffffff - LELEM(30) - LELEM(31))
+
+/**
+ * NAT-Traversal methods which need NAT-D
+ */
+#define NAT_T_WITH_NATD \
+ ( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+ LELEM(NAT_TRAVERSAL_RFC) )
+/**
+ * NAT-Traversal methods which need NAT-OA
+ */
+#define NAT_T_WITH_NATOA \
+ ( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+ LELEM(NAT_TRAVERSAL_RFC) )
+/**
+ * NAT-Traversal methods which use NAT-KeepAlive
+ */
+#define NAT_T_WITH_KA \
+ ( LELEM(NAT_TRAVERSAL_IETF_00_01) | LELEM(NAT_TRAVERSAL_IETF_02_03) | \
+ LELEM(NAT_TRAVERSAL_RFC) )
+/**
+ * NAT-Traversal methods which use floating port
+ */
+#define NAT_T_WITH_PORT_FLOATING \
+ ( LELEM(NAT_TRAVERSAL_IETF_02_03) | LELEM(NAT_TRAVERSAL_RFC) )
+
+/**
+ * NAT-Traversal methods which use officials values (RFC)
+ */
+#define NAT_T_WITH_RFC_VALUES \
+ ( LELEM(NAT_TRAVERSAL_RFC) )
+
+/**
+ * NAT-Traversal detected
+ */
+#define NAT_T_DETECTED \
+ ( LELEM(NAT_TRAVERSAL_NAT_BHND_ME) | LELEM(NAT_TRAVERSAL_NAT_BHND_PEER) )
+
+/**
+ * NAT-T Port Floating
+ */
+#define NAT_T_IKE_FLOAT_PORT 4500
+
+void init_nat_traversal (bool activate, unsigned int keep_alive_period,
+ bool fka, bool spf);
+
+extern bool nat_traversal_enabled;
+extern bool nat_traversal_support_non_ike;
+extern bool nat_traversal_support_port_floating;
+
+/**
+ * NAT-D
+ */
+void nat_traversal_natd_lookup(struct msg_digest *md);
+#ifndef PB_STREAM_UNDEFINED
+bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
+ struct msg_digest *md);
+#endif
+
+/**
+ * NAT-OA
+ */
+void nat_traversal_natoa_lookup(struct msg_digest *md);
+#ifndef PB_STREAM_UNDEFINED
+bool nat_traversal_add_natoa(u_int8_t np, pb_stream *outs,
+ struct state *st);
+#endif
+
+/**
+ * NAT-keep_alive
+ */
+void nat_traversal_new_ka_event (void);
+void nat_traversal_ka_event (void);
+
+void nat_traversal_show_result (u_int32_t nt, u_int16_t sport);
+
+int nat_traversal_espinudp_socket (int sk, u_int32_t type);
+
+/**
+ * Vendor ID
+ */
+#ifndef PB_STREAM_UNDEFINED
+bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs);
+#endif
+u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid);
+
+void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st);
+
+/**
+ * New NAT mapping
+ */
+#ifdef __PFKEY_V2_H
+void process_pfkey_nat_t_new_mapping(
+ struct sadb_msg *,
+ struct sadb_ext *[SADB_EXT_MAX + 1]);
+#endif
+
+/**
+ * IKE port floating
+ */
+bool
+nat_traversal_port_float(struct state *st, struct msg_digest *md, bool in);
+
+/**
+ * Encapsulation mode macro (see demux.c)
+ */
+#define NAT_T_ENCAPSULATION_MODE(st,nat_t_policy) ( \
+ ((st)->nat_traversal & NAT_T_DETECTED) \
+ ? ( ((nat_t_policy) & POLICY_TUNNEL) \
+ ? ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
+ ? (ENCAPSULATION_MODE_UDP_TUNNEL_RFC) \
+ : (ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS) \
+ ) \
+ : ( ((st)->nat_traversal & NAT_T_WITH_RFC_VALUES) \
+ ? (ENCAPSULATION_MODE_UDP_TRANSPORT_RFC) \
+ : (ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS) \
+ ) \
+ ) \
+ : ( ((st)->st_policy & POLICY_TUNNEL) \
+ ? (ENCAPSULATION_MODE_TUNNEL) \
+ : (ENCAPSULATION_MODE_TRANSPORT) \
+ ) \
+ )
+
+#endif /* _NAT_TRAVERSAL_H */
+
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
new file mode 100644
index 000000000..a338be446
--- /dev/null
+++ b/src/pluto/ocsp.c
@@ -0,0 +1,1568 @@
+/* Support of the Online Certificate Status Protocol (OCSP)
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "rnd.h"
+#include "asn1.h"
+#include "certs.h"
+#include "smartcard.h"
+#include "oid.h"
+#include "whack.h"
+#include "pkcs1.h"
+#include "keys.h"
+#include "fetch.h"
+#include "ocsp.h"
+
+#define NONCE_LENGTH 16
+
+static const char *const cert_status_names[] = {
+ "good",
+ "revoked",
+ "unknown",
+ "undefined"
+};
+
+
+static const char *const response_status_names[] = {
+ "successful",
+ "malformed request",
+ "internal error",
+ "try later",
+ "signature required",
+ "unauthorized"
+};
+
+/* response container */
+typedef struct response response_t;
+
+struct response {
+ chunk_t tbs;
+ chunk_t responder_id_name;
+ chunk_t responder_id_key;
+ time_t produced_at;
+ chunk_t responses;
+ chunk_t nonce;
+ int algorithm;
+ chunk_t signature;
+};
+
+const response_t empty_response = {
+ { NULL, 0 } , /* tbs */
+ { NULL, 0 } , /* responder_id_name */
+ { NULL, 0 } , /* responder_id_key */
+ UNDEFINED_TIME, /* produced_at */
+ { NULL, 0 } , /* single_response */
+ { NULL, 0 } , /* nonce */
+ OID_UNKNOWN , /* signature_algorithm */
+ { NULL, 0 } /* signature */
+};
+
+/* single response container */
+typedef struct single_response single_response_t;
+
+struct single_response {
+ single_response_t *next;
+ int hash_algorithm;
+ chunk_t issuer_name_hash;
+ chunk_t issuer_key_hash;
+ chunk_t serialNumber;
+ cert_status_t status;
+ time_t revocationTime;
+ crl_reason_t revocationReason;
+ time_t thisUpdate;
+ time_t nextUpdate;
+};
+
+const single_response_t empty_single_response = {
+ NULL , /* *next */
+ OID_UNKNOWN , /* hash_algorithm */
+ { NULL, 0 } , /* issuer_name_hash */
+ { NULL, 0 } , /* issuer_key_hash */
+ { NULL, 0 } , /* serial_number */
+ CERT_UNDEFINED , /* status */
+ UNDEFINED_TIME , /* revocationTime */
+ REASON_UNSPECIFIED, /* revocationReason */
+ UNDEFINED_TIME , /* this_update */
+ UNDEFINED_TIME /* next_update */
+};
+
+
+/* list of single requests */
+typedef struct request_list request_list_t;
+struct request_list {
+ chunk_t request;
+ request_list_t *next;
+};
+
+/* some OCSP specific prefabricated ASN.1 constants */
+
+static u_char ASN1_nonce_oid_str[] = {
+ 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+};
+
+static const chunk_t ASN1_nonce_oid = strchunk(ASN1_nonce_oid_str);
+
+static u_char ASN1_response_oid_str[] = {
+ 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+};
+
+static const chunk_t ASN1_response_oid = strchunk(ASN1_response_oid_str);
+
+static u_char ASN1_response_content_str[] = {
+ 0x04, 0x0D,
+ 0x30, 0x0B,
+ 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+};
+
+static const chunk_t ASN1_response_content = strchunk(ASN1_response_content_str);
+
+/* default OCSP uri */
+static chunk_t ocsp_default_uri;
+
+/* ocsp cache: pointer to first element */
+static ocsp_location_t *ocsp_cache = NULL;
+
+/* static temporary storage for ocsp requestor information */
+static x509cert_t *ocsp_requestor_cert = NULL;
+
+static smartcard_t *ocsp_requestor_sc = NULL;
+
+static const struct RSA_private_key *ocsp_requestor_pri = NULL;
+
+/* asn.1 definitions for parsing */
+
+static const asn1Object_t ocspResponseObjects[] = {
+ { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
+ { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
+ { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
+ { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
+ { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
+};
+
+#define OCSP_RESPONSE_STATUS 1
+#define OCSP_RESPONSE_TYPE 4
+#define OCSP_RESPONSE 5
+#define OCSP_RESPONSE_ROOF 7
+
+static const asn1Object_t basicResponseObjects[] = {
+ { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
+ ASN1_DEF }, /* 2 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
+ { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+ { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
+ { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
+ { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
+ { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
+ { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
+ ASN1_DEF }, /* 16 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
+ { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
+ { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
+ { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
+ { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
+ { 3, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 24 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 26 */
+};
+
+#define BASIC_RESPONSE_TBS_DATA 1
+#define BASIC_RESPONSE_VERSION 3
+#define BASIC_RESPONSE_ID_BY_NAME 5
+#define BASIC_RESPONSE_ID_BY_KEY 8
+#define BASIC_RESPONSE_PRODUCED_AT 10
+#define BASIC_RESPONSE_RESPONSES 11
+#define BASIC_RESPONSE_EXT_ID 15
+#define BASIC_RESPONSE_CRITICAL 16
+#define BASIC_RESPONSE_EXT_VALUE 17
+#define BASIC_RESPONSE_ALGORITHM 20
+#define BASIC_RESPONSE_SIGNATURE 21
+#define BASIC_RESPONSE_CERTIFICATE 24
+#define BASIC_RESPONSE_ROOF 27
+
+static const asn1Object_t responsesObjects[] = {
+ { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
+};
+
+#define RESPONSES_SINGLE_RESPONSE 1
+#define RESPONSES_ROOF 3
+
+static const asn1Object_t singleResponseObjects[] = {
+ { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
+ { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
+ { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
+ { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
+ { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
+ { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
+ { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
+ { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
+ { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
+ { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
+ { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
+ { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
+ { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
+ { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
+ { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
+ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
+ { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
+ { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
+ ASN1_DEF }, /* 24 */
+ { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 27 */
+};
+
+#define SINGLE_RESPONSE_ALGORITHM 2
+#define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
+#define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
+#define SINGLE_RESPONSE_SERIAL_NUMBER 5
+#define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
+#define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
+#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
+#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
+#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
+#define SINGLE_RESPONSE_THIS_UPDATE 16
+#define SINGLE_RESPONSE_NEXT_UPDATE 18
+#define SINGLE_RESPONSE_EXT_ID 23
+#define SINGLE_RESPONSE_CRITICAL 24
+#define SINGLE_RESPONSE_EXT_VALUE 25
+#define SINGLE_RESPONSE_ROOF 28
+
+/* build an ocsp location from certificate information
+ * without unsharing its contents
+ */
+static bool
+build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
+{
+ static u_char digest[SHA1_DIGEST_SIZE]; /* temporary storage */
+
+ location->uri = cert->accessLocation;
+
+ if (location->uri.ptr == NULL)
+ {
+ ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID);
+ if (ca != NULL && ca->ocspuri != NULL)
+ setchunk(location->uri, ca->ocspuri, strlen(ca->ocspuri))
+ else
+ /* abort if no ocsp location uri is defined */
+ return FALSE;
+ }
+
+ setchunk(location->authNameID, digest, SHA1_DIGEST_SIZE);
+ compute_digest(cert->issuer, OID_SHA1, &location->authNameID);
+
+ location->next = NULL;
+ location->issuer = cert->issuer;
+ location->authKeyID = cert->authKeyID;
+ location->authKeySerialNumber = cert->authKeySerialNumber;
+
+ if (cert->authKeyID.ptr == NULL)
+ {
+ x509cert_t *authcert = get_authcert(cert->issuer
+ , cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
+
+ if (authcert != NULL)
+ {
+ location->authKeyID = authcert->subjectKeyID;
+ location->authKeySerialNumber = authcert->serialNumber;
+ }
+ }
+
+ location->nonce = empty_chunk;
+ location->certinfo = NULL;
+
+ return TRUE;
+}
+
+/*
+ * compare two ocsp locations for equality
+ */
+static bool
+same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
+{
+ return ((a->authKeyID.ptr != NULL)
+ ? same_keyid(a->authKeyID, b->authKeyID)
+ : (same_dn(a->issuer, b->issuer)
+ && same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
+ && same_chunk(a->uri, b->uri);
+}
+
+/*
+ * find an existing ocsp location in a chained list
+ */
+ocsp_location_t*
+get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
+{
+
+ while (chain != NULL)
+ {
+ if (same_ocsp_location(loc, chain))
+ return chain;
+ chain = chain->next;
+ }
+ return NULL;
+}
+
+/* retrieves the status of a cert from the ocsp cache
+ * returns CERT_UNDEFINED if no status is found
+ */
+static cert_status_t
+get_ocsp_status(const ocsp_location_t *loc, chunk_t serialNumber
+ ,time_t *nextUpdate, time_t *revocationTime, crl_reason_t *revocationReason)
+{
+ ocsp_certinfo_t *certinfo, **certinfop;
+ int cmp = -1;
+
+ /* find location */
+ ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
+
+ if (location == NULL)
+ return CERT_UNDEFINED;
+
+ /* traverse list of certinfos in increasing order */
+ certinfop = &location->certinfo;
+ certinfo = *certinfop;
+
+ while (certinfo != NULL)
+ {
+ cmp = cmp_chunk(serialNumber, certinfo->serialNumber);
+ if (cmp <= 0)
+ break;
+ certinfop = &certinfo->next;
+ certinfo = *certinfop;
+ }
+
+ if (cmp == 0)
+ {
+ *nextUpdate = certinfo->nextUpdate;
+ *revocationTime = certinfo->revocationTime;
+ *revocationReason = certinfo->revocationReason;
+ return certinfo->status;
+ }
+
+ return CERT_UNDEFINED;
+}
+
+/*
+ * verify the ocsp status of a certificate
+ */
+cert_status_t
+verify_by_ocsp(const x509cert_t *cert, time_t *until
+, time_t *revocationDate, crl_reason_t *revocationReason)
+{
+ cert_status_t status;
+ ocsp_location_t location;
+ time_t nextUpdate = 0;
+
+ *revocationDate = UNDEFINED_TIME;
+ *revocationReason = REASON_UNSPECIFIED;
+
+ /* is an ocsp location defined? */
+ if (!build_ocsp_location(cert, &location))
+ return CERT_UNDEFINED;
+
+ lock_ocsp_cache("verify_by_ocsp");
+ status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
+ , revocationDate, revocationReason);
+ unlock_ocsp_cache("verify_by_ocsp");
+
+ if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
+ {
+ plog("ocsp status is stale or not in cache");
+ add_ocsp_fetch_request(&location, cert->serialNumber);
+
+ /* inititate fetching of ocsp status */
+ wake_fetch_thread("verify_by_ocsp");
+ }
+ *until = nextUpdate;
+ return status;
+}
+
+/*
+ * check if an ocsp status is about to expire
+ */
+void
+check_ocsp(void)
+{
+ ocsp_location_t *location;
+
+ lock_ocsp_cache("check_ocsp");
+ location = ocsp_cache;
+
+ while (location != NULL)
+ {
+ char buf[BUF_LEN];
+ bool first = TRUE;
+ ocsp_certinfo_t *certinfo = location->certinfo;
+
+ while (certinfo != NULL)
+ {
+ if (!certinfo->once)
+ {
+ time_t time_left = certinfo->nextUpdate - time(NULL);
+
+ DBG(DBG_CONTROL,
+ if (first)
+ {
+ dntoa(buf, BUF_LEN, location->issuer);
+ DBG_log("issuer: '%s'", buf);
+ if (location->authKeyID.ptr != NULL)
+ {
+ datatot(location->authKeyID.ptr, location->authKeyID.len
+ , ':', buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ first = FALSE;
+ }
+ datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
+ , ':', buf, BUF_LEN);
+ DBG_log("serial: %s, %ld seconds left", buf, time_left)
+ )
+
+ if (time_left < 2*crl_check_interval)
+ add_ocsp_fetch_request(location, certinfo->serialNumber);
+ }
+ certinfo = certinfo->next;
+ }
+ location = location->next;
+ }
+ unlock_ocsp_cache("check_ocsp");
+}
+
+/*
+ * frees the allocated memory of a certinfo struct
+ */
+static void
+free_certinfo(ocsp_certinfo_t *certinfo)
+{
+ freeanychunk(certinfo->serialNumber);
+ pfree(certinfo);
+}
+
+/*
+ * frees all certinfos in a chained list
+ */
+static void
+free_certinfos(ocsp_certinfo_t *chain)
+{
+ ocsp_certinfo_t *certinfo;
+
+ while (chain != NULL)
+ {
+ certinfo = chain;
+ chain = chain->next;
+ free_certinfo(certinfo);
+ }
+}
+
+/*
+ * frees the memory allocated to an ocsp location including all certinfos
+ */
+static void
+free_ocsp_location(ocsp_location_t* location)
+{
+ freeanychunk(location->issuer);
+ freeanychunk(location->authNameID);
+ freeanychunk(location->authKeyID);
+ freeanychunk(location->authKeySerialNumber);
+ freeanychunk(location->uri);
+ free_certinfos(location->certinfo);
+ pfree(location);
+}
+
+/*
+ * free a chained list of ocsp locations
+ */
+void
+free_ocsp_locations(ocsp_location_t **chain)
+{
+ while (*chain != NULL)
+ {
+ ocsp_location_t *location = *chain;
+ *chain = location->next;
+ free_ocsp_location(location);
+ }
+}
+
+/*
+ * free the ocsp cache
+ */
+void
+free_ocsp_cache(void)
+{
+ lock_ocsp_cache("free_ocsp_cache");
+ free_ocsp_locations(&ocsp_cache);
+ unlock_ocsp_cache("free_ocsp_cache");
+}
+
+/*
+ * frees the ocsp cache and global variables
+ */
+void
+free_ocsp(void)
+{
+ pfreeany(ocsp_default_uri.ptr);
+ free_ocsp_cache();
+}
+
+/*
+ * list a chained list of ocsp_locations
+ */
+void
+list_ocsp_locations(ocsp_location_t *location, bool requests, bool utc
+, bool strict)
+{
+ bool first = TRUE;
+
+ while (location != NULL)
+ {
+ ocsp_certinfo_t *certinfo = location->certinfo;
+
+ if (certinfo != NULL)
+ {
+ u_char buf[BUF_LEN];
+
+ if (first)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of OCSP %s:", requests?
+ "fetch requests":"responses");
+ first = FALSE;
+ }
+ whack_log(RC_COMMENT, " ");
+ if (location->issuer.ptr != NULL)
+ {
+ dntoa(buf, BUF_LEN, location->issuer);
+ whack_log(RC_COMMENT, " issuer: '%s'", buf);
+ }
+ whack_log(RC_COMMENT, " uri: '%.*s'", (int)location->uri.len
+ , location->uri.ptr);
+ if (location->authNameID.ptr != NULL)
+ {
+ datatot(location->authNameID.ptr, location->authNameID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authname: %s", buf);
+ }
+ if (location->authKeyID.ptr != NULL)
+ {
+ datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (location->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(location->authKeySerialNumber.ptr
+ , location->authKeySerialNumber.len, ':', buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+ while (certinfo != NULL)
+ {
+ char thisUpdate[TIMETOA_BUF];
+
+ strcpy(thisUpdate, timetoa(&certinfo->thisUpdate, utc));
+
+ if (requests)
+ {
+ whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
+ , certinfo->trials);
+ }
+ else if (certinfo->once)
+ {
+ whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
+ , (certinfo->nextUpdate < time(NULL))? " (expired)": "");
+ }
+ else
+ {
+ whack_log(RC_COMMENT, "%s, until %s %s", thisUpdate
+ , timetoa(&certinfo->nextUpdate, utc)
+ , check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+ }
+ datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " serial: %s, %s", buf
+ , cert_status_names[certinfo->status]);
+ certinfo = certinfo->next;
+ }
+ }
+ location = location->next;
+ }
+}
+
+/*
+ * list the ocsp cache
+ */
+void
+list_ocsp_cache(bool utc, bool strict)
+{
+ lock_ocsp_cache("list_ocsp_cache");
+ list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
+ unlock_ocsp_cache("list_ocsp_cache");
+}
+
+static bool
+get_ocsp_requestor_cert(ocsp_location_t *location)
+{
+ x509cert_t *cert = NULL;
+
+ /* initialize temporary static storage */
+ ocsp_requestor_cert = NULL;
+ ocsp_requestor_sc = NULL;
+ ocsp_requestor_pri = NULL;
+
+ for (;;)
+ {
+ char buf[BUF_LEN];
+
+ /* looking for a certificate from the same issuer */
+ cert = get_x509cert(location->issuer, location->authKeySerialNumber
+ ,location->authKeyID, cert);
+ if (cert == NULL)
+ break;
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, cert->subject);
+ DBG_log("candidate: '%s'", buf);
+ )
+
+ if (cert->smartcard)
+ {
+ /* look for a matching private key on a smartcard */
+ smartcard_t *sc = scx_get(cert);
+
+ if (sc != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("matching smartcard found")
+ )
+ if (sc->valid)
+ {
+ ocsp_requestor_cert = cert;
+ ocsp_requestor_sc = sc;
+ return TRUE;
+ }
+ plog("unable to sign ocsp request without PIN");
+ }
+ }
+ else
+ {
+ /* look for a matching private key in the chained list */
+ const struct RSA_private_key *pri = get_x509_private_key(cert);
+
+ if (pri != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("matching private key found")
+ )
+ ocsp_requestor_cert = cert;
+ ocsp_requestor_pri = pri;
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+static chunk_t
+generate_signature(chunk_t digest, smartcard_t *sc
+ , const RSA_private_key_t *pri)
+{
+ chunk_t sigdata;
+ u_char *pos;
+ size_t siglen = 0;
+
+ if (sc != NULL)
+ {
+ /* RSA signature is done on smartcard */
+
+ if (!scx_establish_context(sc) || !scx_login(sc))
+ {
+ scx_release_context(sc);
+ return empty_chunk;
+ }
+
+ siglen = scx_get_keylength(sc);
+
+ if (siglen == 0)
+ {
+ plog("failed to get keylength from smartcard");
+ scx_release_context(sc);
+ return empty_chunk;
+ }
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
+ , (int)sc->slot, sc->id)
+ )
+
+ pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
+ *pos++ = 0x00;
+ scx_sign_hash(sc, digest.ptr, digest.len, pos, siglen);
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+ }
+ else
+ {
+ /* RSA signature is done in software */
+ siglen = pri->pub.k;
+ pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
+ *pos++ = 0x00;
+ sign_hash(pri, digest.ptr, digest.len, pos, siglen);
+ }
+ return sigdata;
+}
+
+/*
+ * build signature into ocsp request
+ * gets built only if a request cert with
+ * a corresponding private key is found
+ */
+static chunk_t
+build_signature(chunk_t tbsRequest)
+{
+ chunk_t sigdata, certs;
+ chunk_t digest_info;
+
+ u_char digest_buf[MAX_DIGEST_LEN];
+ chunk_t digest_raw = { digest_buf, MAX_DIGEST_LEN };
+
+ if (!compute_digest(tbsRequest, OID_SHA1, &digest_raw))
+ return empty_chunk;
+
+ /* according to PKCS#1 v2.1 digest must be packaged into
+ * an ASN.1 structure for encryption
+ */
+ digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_sha1_id
+ , asn1_simple_object(ASN1_OCTET_STRING, digest_raw));
+
+ /* generate the RSA signature */
+ sigdata = generate_signature(digest_info
+ , ocsp_requestor_sc
+ , ocsp_requestor_pri);
+ freeanychunk(digest_info);
+
+ /* has the RSA signature generation been successful? */
+ if (sigdata.ptr == NULL)
+ return empty_chunk;
+
+ /* include our certificate */
+ certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
+ , asn1_simple_object(ASN1_SEQUENCE
+ , ocsp_requestor_cert->certificate
+ )
+ );
+
+ /* build signature comprising algorithm, signature and cert */
+ return asn1_wrap(ASN1_CONTEXT_C_0, "m"
+ , asn1_wrap(ASN1_SEQUENCE, "cmm"
+ , ASN1_sha1WithRSA_id
+ , sigdata
+ , certs
+ )
+ );
+}
+
+/* build request (into requestList)
+ * no singleRequestExtensions used
+ */
+static chunk_t
+build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
+{
+ chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
+ , ASN1_sha1_id
+ , asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
+ , asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
+ , asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
+
+ return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
+}
+
+/*
+ * build requestList (into TBSRequest)
+ */
+static chunk_t
+build_request_list(ocsp_location_t *location)
+{
+ chunk_t requestList;
+ request_list_t *reqs = NULL;
+ ocsp_certinfo_t *certinfo = location->certinfo;
+ u_char *pos;
+
+ size_t datalen = 0;
+
+ /* build content */
+ while (certinfo != NULL)
+ {
+ /* build request for every certificate in list
+ * and store them in a chained list
+ */
+ request_list_t *req = alloc_thing(request_list_t, "ocsp request");
+
+ req->request = build_request(location, certinfo);
+ req->next = reqs;
+ reqs = req;
+
+ datalen += req->request.len;
+ certinfo = certinfo->next;
+ }
+
+ pos = build_asn1_object(&requestList, ASN1_SEQUENCE
+ , datalen);
+
+ /* copy all in chained list, free list afterwards */
+ while (reqs != NULL)
+ {
+ request_list_t *req = reqs;
+
+ mv_chunk(&pos, req->request);
+ reqs = reqs->next;
+ pfree(req);
+ }
+
+ return requestList;
+}
+
+/*
+ * build requestorName (into TBSRequest)
+ */
+static chunk_t
+build_requestor_name(void)
+{
+ return asn1_wrap(ASN1_CONTEXT_C_1, "m"
+ , asn1_simple_object(ASN1_CONTEXT_C_4
+ , ocsp_requestor_cert->subject));
+}
+
+/*
+ * build nonce extension (into requestExtensions)
+ */
+static chunk_t
+build_nonce_extension(ocsp_location_t *location)
+{
+ /* generate a random nonce */
+ location->nonce.ptr = alloc_bytes(NONCE_LENGTH, "ocsp nonce"),
+ location->nonce.len = NONCE_LENGTH;
+ get_rnd_bytes(location->nonce.ptr, NONCE_LENGTH);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_nonce_oid
+ , asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
+}
+
+/*
+ * build requestExtensions (into TBSRequest)
+ */
+static chunk_t
+build_request_ext(ocsp_location_t *location)
+{
+ return asn1_wrap(ASN1_CONTEXT_C_2, "m"
+ , asn1_wrap(ASN1_SEQUENCE, "mm"
+ , build_nonce_extension(location)
+ , asn1_wrap(ASN1_SEQUENCE, "cc"
+ , ASN1_response_oid
+ , ASN1_response_content
+ )
+ )
+ );
+}
+
+/*
+ * build TBSRequest (into OCSPRequest)
+ */
+static chunk_t
+build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
+{
+ /* version is skipped since the default is ok */
+ return asn1_wrap(ASN1_SEQUENCE, "mmm"
+ , (has_requestor_cert)
+ ? build_requestor_name()
+ : empty_chunk
+ , build_request_list(location)
+ , build_request_ext(location));
+}
+
+/* assembles an ocsp request to given location
+ * and sets nonce field in location to the sent nonce
+ */
+chunk_t
+build_ocsp_request(ocsp_location_t *location)
+{
+ bool has_requestor_cert;
+ chunk_t tbsRequest, signature;
+ char buf[BUF_LEN];
+
+ DBG(DBG_CONTROL,
+ DBG_log("assembling ocsp request");
+ dntoa(buf, BUF_LEN, location->issuer);
+ DBG_log("issuer: '%s'", buf);
+ if (location->authKeyID.ptr != NULL)
+ {
+ datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ )
+ lock_certs_and_keys("build_ocsp_request");
+
+ /* looks for requestor cert and matching private key */
+ has_requestor_cert = get_ocsp_requestor_cert(location);
+
+ /* build content */
+ tbsRequest = build_tbs_request(location, has_requestor_cert);
+
+ /* sign tbsReuqest */
+ signature = (has_requestor_cert)? build_signature(tbsRequest)
+ : empty_chunk;
+
+ unlock_certs_and_keys("build_ocsp_request");
+
+ return asn1_wrap(ASN1_SEQUENCE, "mm"
+ , tbsRequest
+ , signature);
+}
+
+/*
+ * check if the OCSP response has a valid signature
+ */
+static bool
+valid_ocsp_response(response_t *res)
+{
+ int pathlen;
+ x509cert_t *authcert;
+
+ lock_authcert_list("valid_ocsp_response");
+
+ authcert = get_authcert(res->responder_id_name, empty_chunk
+ , res->responder_id_key, AUTH_OCSP | AUTH_CA);
+
+ if (authcert == NULL)
+ {
+ plog("no matching ocsp signer cert found");
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("ocsp signer cert found")
+ )
+
+ if (!check_signature(res->tbs, res->signature, res->algorithm
+ , res->algorithm, authcert))
+ {
+ plog("signature of ocsp response is invalid");
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("signature of ocsp response is valid")
+ )
+
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ u_char buf[BUF_LEN];
+ err_t ugh = NULL;
+ time_t until;
+
+ x509cert_t *cert = authcert;
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, cert->subject);
+ DBG_log("subject: '%s'",buf);
+ dntoa(buf, BUF_LEN, cert->issuer);
+ DBG_log("issuer: '%s'",buf);
+ if (cert->authKeyID.ptr != NULL)
+ {
+ datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ )
+
+ ugh = check_validity(authcert, &until);
+
+ if (ugh != NULL)
+ {
+ plog("%s", ugh);
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+ }
+
+ DBG(DBG_CONTROL,
+ DBG_log("certificate is valid")
+ )
+
+ authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID, AUTH_CA);
+
+ if (authcert == NULL)
+ {
+ plog("issuer cacert not found");
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("issuer cacert found")
+ )
+
+ if (!check_signature(cert->tbsCertificate, cert->signature
+ , cert->algorithm, cert->algorithm, authcert))
+ {
+ plog("certificate signature is invalid");
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("certificate signature is valid")
+ )
+
+ /* check if cert is self-signed */
+ if (same_dn(cert->issuer, cert->subject))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("reached self-signed root ca")
+ )
+ unlock_authcert_list("valid_ocsp_response");
+ return TRUE;
+ }
+ }
+ plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ unlock_authcert_list("valid_ocsp_response");
+ return FALSE;
+}
+
+/*
+ * parse a basic OCSP response
+ */
+static bool
+parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
+{
+ u_int level, version;
+ u_int extn_oid = OID_UNKNOWN;
+ u_char buf[BUF_LEN];
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < BASIC_RESPONSE_ROOF)
+ {
+ if (!extract_object(basicResponseObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case BASIC_RESPONSE_TBS_DATA:
+ res->tbs = object;
+ break;
+ case BASIC_RESPONSE_VERSION:
+ version = (object.len)? (1 + (u_int)*object.ptr) : 1;
+ if (version != OCSP_BASIC_RESPONSE_VERSION)
+ {
+ plog("wrong ocsp basic response version (version= %i)", version);
+ return FALSE;
+ }
+ break;
+ case BASIC_RESPONSE_ID_BY_NAME:
+ res->responder_id_name = object;
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'",buf)
+ )
+ break;
+ case BASIC_RESPONSE_ID_BY_KEY:
+ res->responder_id_key = object;
+ break;
+ case BASIC_RESPONSE_PRODUCED_AT:
+ res->produced_at = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case BASIC_RESPONSE_RESPONSES:
+ res->responses = object;
+ break;
+ case BASIC_RESPONSE_EXT_ID:
+ extn_oid = known_oid(object);
+ break;
+ case BASIC_RESPONSE_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(critical)?"TRUE":"FALSE");
+ )
+ break;
+ case BASIC_RESPONSE_EXT_VALUE:
+ if (extn_oid == OID_NONCE)
+ res->nonce = object;
+ break;
+ case BASIC_RESPONSE_ALGORITHM:
+ res->algorithm = parse_algorithmIdentifier(object, level+1, NULL);
+ break;
+ case BASIC_RESPONSE_SIGNATURE:
+ res->signature = object;
+ break;
+ case BASIC_RESPONSE_CERTIFICATE:
+ {
+ chunk_t blob;
+ x509cert_t *cert = alloc_thing(x509cert_t, "ocspcert");
+
+ clonetochunk(blob, object.ptr, object.len, "ocspcert blob");
+ *cert = empty_x509cert;
+
+ if (parse_x509cert(blob, level+1, cert)
+ && cert->isOcspSigner
+ && trust_authcert_candidate(cert, NULL))
+ {
+ add_authcert(cert, AUTH_OCSP);
+ }
+ else
+ {
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log("embedded ocsp certificate rejected")
+ )
+ free_x509cert(cert);
+ }
+ }
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+
+/*
+ * parse an ocsp response and return the result as a response_t struct
+ */
+static response_status
+parse_ocsp_response(chunk_t blob, response_t * res)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ response_status rStatus = STATUS_INTERNALERROR;
+ u_int ocspResponseType = OID_UNKNOWN;
+
+ asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
+
+ while (objectID < OCSP_RESPONSE_ROOF)
+ {
+ if (!extract_object(ocspResponseObjects, &objectID, &object, &level, &ctx))
+ return STATUS_INTERNALERROR;
+
+ switch (objectID) {
+ case OCSP_RESPONSE_STATUS:
+ rStatus = (response_status) *object.ptr;
+
+ switch (rStatus)
+ {
+ case STATUS_SUCCESSFUL:
+ break;
+ case STATUS_MALFORMEDREQUEST:
+ case STATUS_INTERNALERROR:
+ case STATUS_TRYLATER:
+ case STATUS_SIGREQUIRED:
+ case STATUS_UNAUTHORIZED:
+ plog("ocsp response: server said '%s'"
+ , response_status_names[rStatus]);
+ return rStatus;
+ default:
+ return STATUS_INTERNALERROR;
+ }
+ break;
+ case OCSP_RESPONSE_TYPE:
+ ocspResponseType = known_oid(object);
+ break;
+ case OCSP_RESPONSE:
+ {
+ switch (ocspResponseType) {
+ case OID_BASIC:
+ if (!parse_basic_ocsp_response(object, level+1, res))
+ return STATUS_INTERNALERROR;
+ break;
+ default:
+ DBG(DBG_CONTROL,
+ DBG_log("ocsp response is not of type BASIC");
+ DBG_dump_chunk("ocsp response OID: ", object);
+ )
+ return STATUS_INTERNALERROR;
+ }
+ }
+ break;
+ }
+ objectID++;
+ }
+ return rStatus;
+}
+
+/*
+ * parse a basic OCSP response
+ */
+static bool
+parse_ocsp_single_response(chunk_t blob, int level0, single_response_t *sres)
+{
+ u_int level, extn_oid;
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < SINGLE_RESPONSE_ROOF)
+ {
+ if (!extract_object(singleResponseObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case SINGLE_RESPONSE_ALGORITHM:
+ sres->hash_algorithm = parse_algorithmIdentifier(object, level+1, NULL);
+ break;
+ case SINGLE_RESPONSE_ISSUER_NAME_HASH:
+ sres->issuer_name_hash = object;
+ break;
+ case SINGLE_RESPONSE_ISSUER_KEY_HASH:
+ sres->issuer_key_hash = object;
+ break;
+ case SINGLE_RESPONSE_SERIAL_NUMBER:
+ sres->serialNumber = object;
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_GOOD:
+ sres->status = CERT_GOOD;
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
+ sres->status = CERT_REVOKED;
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
+ sres->revocationTime = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
+ sres->revocationReason = (object.len == 1)
+ ? *object.ptr : REASON_UNSPECIFIED;
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
+ sres->status = CERT_UNKNOWN;
+ break;
+ case SINGLE_RESPONSE_THIS_UPDATE:
+ sres->thisUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case SINGLE_RESPONSE_NEXT_UPDATE:
+ sres->nextUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case SINGLE_RESPONSE_EXT_ID:
+ extn_oid = known_oid(object);
+ break;
+ case SINGLE_RESPONSE_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(critical)?"TRUE":"FALSE");
+ )
+ case SINGLE_RESPONSE_EXT_VALUE:
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+/*
+ * add an ocsp location to a chained list
+ */
+ocsp_location_t*
+add_ocsp_location(const ocsp_location_t *loc, ocsp_location_t **chain)
+{
+ ocsp_location_t *location = alloc_thing(ocsp_location_t, "ocsp location");
+
+ /* unshare location fields */
+ clonetochunk(location->issuer
+ , loc->issuer.ptr, loc->issuer.len
+ , "ocsp issuer");
+
+ clonetochunk(location->authNameID
+ , loc->authNameID.ptr, loc->authNameID.len
+ , "ocsp authNameID");
+
+ if (loc->authKeyID.ptr == NULL)
+ location->authKeyID = empty_chunk;
+ else
+ clonetochunk(location->authKeyID
+ , loc->authKeyID.ptr, loc->authKeyID.len
+ , "ocsp authKeyID");
+
+ if (loc->authKeySerialNumber.ptr == NULL)
+ location->authKeySerialNumber = empty_chunk;
+ else
+ clonetochunk(location->authKeySerialNumber
+ , loc->authKeySerialNumber.ptr, loc->authKeySerialNumber.len
+ , "ocsp authKeySerialNumber");
+
+ clonetochunk(location->uri
+ , loc->uri.ptr, loc->uri.len
+ , "ocsp uri");
+
+ location->certinfo = NULL;
+
+ /* insert new ocsp location in front of chain */
+ location->next = *chain;
+ *chain = location;
+
+ DBG(DBG_CONTROL,
+ DBG_log("new ocsp location added")
+ )
+
+ return location;
+}
+
+/*
+ * add a certinfo struct to a chained list
+ */
+void
+add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info, ocsp_location_t **chain
+ , bool request)
+{
+ ocsp_location_t *location;
+ ocsp_certinfo_t *certinfo, **certinfop;
+ char buf[BUF_LEN];
+ time_t now;
+ int cmp = -1;
+
+ location = get_ocsp_location(loc, *chain);
+ if (location == NULL)
+ location = add_ocsp_location(loc, chain);
+
+ /* traverse list of certinfos in increasing order */
+ certinfop = &location->certinfo;
+ certinfo = *certinfop;
+
+ while (certinfo != NULL)
+ {
+ cmp = cmp_chunk(info->serialNumber, certinfo->serialNumber);
+ if (cmp <= 0)
+ break;
+ certinfop = &certinfo->next;
+ certinfo = *certinfop;
+ }
+
+ if (cmp != 0)
+ {
+ /* add a new certinfo entry */
+ ocsp_certinfo_t *cnew = alloc_thing(ocsp_certinfo_t, "ocsp certinfo");
+ clonetochunk(cnew->serialNumber, info->serialNumber.ptr
+ , info->serialNumber.len, "serialNumber");
+ cnew->next = certinfo;
+ *certinfop = cnew;
+ certinfo = cnew;
+ }
+
+ DBG(DBG_CONTROL,
+ datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("ocsp %s for serial %s %s"
+ , request?"fetch request":"certinfo"
+ , buf
+ , (cmp == 0)? (request?"already exists":"updated"):"added")
+ )
+
+ time(&now);
+
+ if (request)
+ {
+ certinfo->status = CERT_UNDEFINED;
+
+ if (cmp != 0)
+ certinfo->thisUpdate = now;
+
+ certinfo->nextUpdate = UNDEFINED_TIME;
+ }
+ else
+ {
+ certinfo->status = info->status;
+ certinfo->revocationTime = info->revocationTime;
+ certinfo->revocationReason = info->revocationReason;
+
+ certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
+ info->thisUpdate : now;
+
+ certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
+
+ certinfo->nextUpdate = (certinfo->once)?
+ (now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
+ }
+}
+
+/*
+ * process received ocsp single response and add it to ocsp cache
+ */
+static void
+process_single_response(ocsp_location_t *location, single_response_t *sres)
+{
+ ocsp_certinfo_t *certinfo, **certinfop;
+ int cmp = -1;
+
+ if (sres->hash_algorithm != OID_SHA1)
+ {
+ plog("only SHA-1 hash supported in OCSP single response");
+ return;
+ }
+ if (!(same_chunk(sres->issuer_name_hash, location->authNameID)
+ && same_chunk(sres->issuer_key_hash, location->authKeyID)))
+ {
+ plog("ocsp single response has wrong issuer");
+ return;
+ }
+
+ /* traverse list of certinfos in increasing order */
+ certinfop = &location->certinfo;
+ certinfo = *certinfop;
+
+ while (certinfo != NULL)
+ {
+ cmp = cmp_chunk(sres->serialNumber, certinfo->serialNumber);
+ if (cmp <= 0)
+ break;
+ certinfop = &certinfo->next;
+ certinfo = *certinfop;
+ }
+
+ if (cmp != 0)
+ {
+ plog("received unrequested cert status from ocsp server");
+ return;
+ }
+
+ /* unlink cert from ocsp fetch request list */
+ *certinfop = certinfo->next;
+
+ /* update certinfo using the single response information */
+ certinfo->thisUpdate = sres->thisUpdate;
+ certinfo->nextUpdate = sres->nextUpdate;
+ certinfo->status = sres->status;
+ certinfo->revocationTime = sres->revocationTime;
+ certinfo->revocationReason = sres->revocationReason;
+
+ /* add or update certinfo in ocsp cache */
+ lock_ocsp_cache("process_single_response");
+ add_certinfo(location, certinfo, &ocsp_cache, FALSE);
+ unlock_ocsp_cache("process_single_response");
+
+ /* free certinfo unlinked from ocsp fetch request list */
+ free_certinfo(certinfo);
+
+}
+
+/*
+ * parse and verify ocsp response and update the ocsp cache
+ */
+void
+parse_ocsp(ocsp_location_t *location, chunk_t blob)
+{
+ response_t res = empty_response;
+
+ /* parse the ocsp response without looking at the single responses yet */
+ response_status status = parse_ocsp_response(blob, &res);
+
+ if (status != STATUS_SUCCESSFUL)
+ {
+ plog("error in ocsp response");
+ return;
+ }
+ /* check if there was a nonce in the request */
+ if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
+ {
+ plog("ocsp response contains no nonce, replay attack possible");
+ }
+ /* check if the nonce is identical */
+ if (res.nonce.ptr != NULL && !same_chunk(res.nonce, location->nonce))
+ {
+ plog("invalid nonce in ocsp response");
+ return;
+ }
+ /* check if the response is signed by a trusted key */
+ if (!valid_ocsp_response(&res))
+ {
+ plog("invalid ocsp response");
+ return;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("valid ocsp response")
+ )
+
+ /* now parse the single responses one at a time */
+ {
+ u_int level;
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+
+ asn1_init(&ctx, res.responses, 0, FALSE, DBG_RAW);
+
+ while (objectID < RESPONSES_ROOF)
+ {
+ if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
+ return;
+
+ if (objectID == RESPONSES_SINGLE_RESPONSE)
+ {
+ single_response_t sres = empty_single_response;
+
+ if (parse_ocsp_single_response(object, level+1, &sres))
+ {
+ process_single_response(location, &sres);
+ }
+ }
+ objectID++;
+ }
+ }
+}
diff --git a/src/pluto/ocsp.h b/src/pluto/ocsp.h
new file mode 100644
index 000000000..49e1026ec
--- /dev/null
+++ b/src/pluto/ocsp.h
@@ -0,0 +1,85 @@
+/* Support of the Online Certificate Status Protocol (OCSP) Support
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+
+#include "constants.h"
+
+/* constants */
+
+#define OCSP_BASIC_RESPONSE_VERSION 1
+#define OCSP_DEFAULT_VALID_TIME 120 /* validity of one-time response in seconds */
+#define OCSP_WARNING_INTERVAL 2 /* days */
+
+/* OCSP response status */
+
+typedef enum {
+ STATUS_SUCCESSFUL = 0,
+ STATUS_MALFORMEDREQUEST = 1,
+ STATUS_INTERNALERROR = 2,
+ STATUS_TRYLATER = 3,
+ STATUS_SIGREQUIRED = 5,
+ STATUS_UNAUTHORIZED= 6
+} response_status;
+
+/* OCSP access structures */
+
+typedef struct ocsp_certinfo ocsp_certinfo_t;
+
+struct ocsp_certinfo {
+ ocsp_certinfo_t *next;
+ int trials;
+ chunk_t serialNumber;
+ cert_status_t status;
+ bool once;
+ crl_reason_t revocationReason;
+ time_t revocationTime;
+ time_t thisUpdate;
+ time_t nextUpdate;
+};
+
+typedef struct ocsp_location ocsp_location_t;
+
+struct ocsp_location {
+ ocsp_location_t *next;
+ chunk_t issuer;
+ chunk_t authNameID;
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+ chunk_t uri;
+ chunk_t nonce;
+ ocsp_certinfo_t *certinfo;
+};
+
+extern ocsp_location_t* get_ocsp_location(const ocsp_location_t *loc
+ , ocsp_location_t *chain);
+extern ocsp_location_t* add_ocsp_location(const ocsp_location_t *loc
+ , ocsp_location_t **chain);
+extern void add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info
+ , ocsp_location_t **chain, bool request);
+extern void check_ocsp(void);
+extern cert_status_t verify_by_ocsp(const x509cert_t *cert, time_t *until
+ , time_t *revocationTime, crl_reason_t *revocationReason);
+extern bool ocsp_set_request_cert(char* path);
+extern void ocsp_set_default_uri(char* uri);
+extern void ocsp_cache_add_cert(const x509cert_t* cert);
+extern chunk_t build_ocsp_request(ocsp_location_t* location);
+extern void parse_ocsp(ocsp_location_t* location, chunk_t blob);
+extern void list_ocsp_locations(ocsp_location_t *location, bool requests
+ , bool utc, bool strict);
+extern void list_ocsp_cache(bool utc, bool strict);
+extern void free_ocsp_locations(ocsp_location_t **chain);
+extern void free_ocsp_cache(void);
+extern void free_ocsp(void);
+extern void ocsp_purge_cache(void);
diff --git a/src/pluto/oid.c b/src/pluto/oid.c
new file mode 100644
index 000000000..4b0632de2
--- /dev/null
+++ b/src/pluto/oid.c
@@ -0,0 +1,197 @@
+/* List of some useful object identifiers (OIDs)
+ * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This file has been automatically generated by the script oid.pl
+ * Do not edit manually!
+ */
+
+#include <stdlib.h>
+
+#include "oid.h"
+
+const oid_t oid_names[] = {
+ {0x02, 7, 1, "ITU-T Administration" }, /* 0 */
+ { 0x82, 0, 1, "" }, /* 1 */
+ { 0x06, 0, 1, "Germany ITU-T member" }, /* 2 */
+ { 0x01, 0, 1, "Deutsche Telekom AG" }, /* 3 */
+ { 0x0A, 0, 1, "" }, /* 4 */
+ { 0x07, 0, 1, "" }, /* 5 */
+ { 0x14, 0, 0, "ND" }, /* 6 */
+ {0x09, 18, 1, "data" }, /* 7 */
+ { 0x92, 0, 1, "" }, /* 8 */
+ { 0x26, 0, 1, "" }, /* 9 */
+ { 0x89, 0, 1, "" }, /* 10 */
+ { 0x93, 0, 1, "" }, /* 11 */
+ { 0xF2, 0, 1, "" }, /* 12 */
+ { 0x2C, 0, 1, "" }, /* 13 */
+ { 0x64, 0, 1, "pilot" }, /* 14 */
+ { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
+ { 0x01, 17, 0, "UID" }, /* 16 */
+ { 0x19, 0, 0, "DC" }, /* 17 */
+ {0x55, 51, 1, "X.500" }, /* 18 */
+ { 0x04, 36, 1, "X.509" }, /* 19 */
+ { 0x03, 21, 0, "CN" }, /* 20 */
+ { 0x04, 22, 0, "S" }, /* 21 */
+ { 0x05, 23, 0, "SN" }, /* 22 */
+ { 0x06, 24, 0, "C" }, /* 23 */
+ { 0x07, 25, 0, "L" }, /* 24 */
+ { 0x08, 26, 0, "ST" }, /* 25 */
+ { 0x0A, 27, 0, "O" }, /* 26 */
+ { 0x0B, 28, 0, "OU" }, /* 27 */
+ { 0x0C, 29, 0, "T" }, /* 28 */
+ { 0x0D, 30, 0, "D" }, /* 29 */
+ { 0x24, 31, 0, "userCertificate" }, /* 30 */
+ { 0x29, 32, 0, "N" }, /* 31 */
+ { 0x2A, 33, 0, "G" }, /* 32 */
+ { 0x2B, 34, 0, "I" }, /* 33 */
+ { 0x2D, 35, 0, "ID" }, /* 34 */
+ { 0x48, 0, 0, "role" }, /* 35 */
+ { 0x1D, 0, 1, "id-ce" }, /* 36 */
+ { 0x09, 38, 0, "subjectDirectoryAttrs" }, /* 37 */
+ { 0x0E, 39, 0, "subjectKeyIdentifier" }, /* 38 */
+ { 0x0F, 40, 0, "keyUsage" }, /* 39 */
+ { 0x10, 41, 0, "privateKeyUsagePeriod" }, /* 40 */
+ { 0x11, 42, 0, "subjectAltName" }, /* 41 */
+ { 0x12, 43, 0, "issuerAltName" }, /* 42 */
+ { 0x13, 44, 0, "basicConstraints" }, /* 43 */
+ { 0x15, 45, 0, "reasonCode" }, /* 44 */
+ { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
+ { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
+ { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
+ { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
+ { 0x37, 50, 0, "targetInformation" }, /* 49 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 50 */
+ {0x2A, 88, 1, "" }, /* 51 */
+ { 0x86, 0, 1, "" }, /* 52 */
+ { 0x48, 0, 1, "" }, /* 53 */
+ { 0x86, 0, 1, "" }, /* 54 */
+ { 0xF7, 0, 1, "" }, /* 55 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 56 */
+ { 0x01, 83, 1, "PKCS" }, /* 57 */
+ { 0x01, 66, 1, "PKCS-1" }, /* 58 */
+ { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
+ { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
+ { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
+ { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
+ { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
+ { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
+ { 0x07, 73, 1, "PKCS-7" }, /* 66 */
+ { 0x01, 68, 0, "data" }, /* 67 */
+ { 0x02, 69, 0, "signedData" }, /* 68 */
+ { 0x03, 70, 0, "envelopedData" }, /* 69 */
+ { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
+ { 0x05, 72, 0, "digestedData" }, /* 71 */
+ { 0x06, 0, 0, "encryptedData" }, /* 72 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 73 */
+ { 0x01, 75, 0, "E" }, /* 74 */
+ { 0x02, 76, 0, "unstructuredName" }, /* 75 */
+ { 0x03, 77, 0, "contentType" }, /* 76 */
+ { 0x04, 78, 0, "messageDigest" }, /* 77 */
+ { 0x05, 79, 0, "signingTime" }, /* 78 */
+ { 0x06, 80, 0, "counterSignature" }, /* 79 */
+ { 0x07, 81, 0, "challengePassword" }, /* 80 */
+ { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
+ { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
+ { 0x02, 85, 0, "md2" }, /* 84 */
+ { 0x05, 0, 0, "md5" }, /* 85 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
+ {0x2B, 149, 1, "" }, /* 88 */
+ { 0x06, 136, 1, "dod" }, /* 89 */
+ { 0x01, 0, 1, "internet" }, /* 90 */
+ { 0x04, 105, 1, "private" }, /* 91 */
+ { 0x01, 0, 1, "enterprise" }, /* 92 */
+ { 0x82, 98, 1, "" }, /* 93 */
+ { 0x37, 0, 1, "Microsoft" }, /* 94 */
+ { 0x0A, 0, 1, "" }, /* 95 */
+ { 0x03, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 0, "msSGC" }, /* 97 */
+ { 0x89, 0, 1, "" }, /* 98 */
+ { 0x31, 0, 1, "" }, /* 99 */
+ { 0x01, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x02, 0, 1, "" }, /* 102 */
+ { 0x02, 104, 0, "" }, /* 103 */
+ { 0x4B, 0, 0, "TCGID" }, /* 104 */
+ { 0x05, 0, 1, "security" }, /* 105 */
+ { 0x05, 0, 1, "mechanisms" }, /* 106 */
+ { 0x07, 0, 1, "id-pkix" }, /* 107 */
+ { 0x01, 110, 1, "id-pe" }, /* 108 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
+ { 0x03, 120, 1, "id-kp" }, /* 110 */
+ { 0x01, 112, 0, "serverAuth" }, /* 111 */
+ { 0x02, 113, 0, "clientAuth" }, /* 112 */
+ { 0x03, 114, 0, "codeSigning" }, /* 113 */
+ { 0x04, 115, 0, "emailProtection" }, /* 114 */
+ { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
+ { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
+ { 0x07, 118, 0, "ipsecUser" }, /* 117 */
+ { 0x08, 119, 0, "timeStamping" }, /* 118 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 119 */
+ { 0x08, 122, 1, "id-otherNames" }, /* 120 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 121 */
+ { 0x0A, 127, 1, "id-aca" }, /* 122 */
+ { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
+ { 0x02, 125, 0, "accessIdentity" }, /* 124 */
+ { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
+ { 0x04, 0, 0, "group" }, /* 126 */
+ { 0x30, 0, 1, "id-ad" }, /* 127 */
+ { 0x01, 0, 1, "ocsp" }, /* 128 */
+ { 0x01, 130, 0, "basic" }, /* 129 */
+ { 0x02, 131, 0, "nonce" }, /* 130 */
+ { 0x03, 132, 0, "crl" }, /* 131 */
+ { 0x04, 133, 0, "response" }, /* 132 */
+ { 0x05, 134, 0, "noCheck" }, /* 133 */
+ { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 135 */
+ { 0x0E, 142, 1, "oiw" }, /* 136 */
+ { 0x03, 0, 1, "secsig" }, /* 137 */
+ { 0x02, 0, 1, "algorithms" }, /* 138 */
+ { 0x07, 140, 0, "des-cbc" }, /* 139 */
+ { 0x1A, 141, 0, "sha-1" }, /* 140 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
+ { 0x03, 0, 1, "algorithm" }, /* 143 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 145 */
+ { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
+ { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
+ {0x60, 0, 1, "" }, /* 149 */
+ { 0x86, 0, 1, "" }, /* 150 */
+ { 0x48, 0, 1, "" }, /* 151 */
+ { 0x01, 0, 1, "organization" }, /* 152 */
+ { 0x65, 160, 1, "gov" }, /* 153 */
+ { 0x03, 0, 1, "csor" }, /* 154 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
+ { 0x02, 0, 1, "hashalgs" }, /* 156 */
+ { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
+ { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
+ { 0x86, 0, 1, "" }, /* 160 */
+ { 0xf8, 0, 1, "" }, /* 161 */
+ { 0x42, 174, 1, "netscape" }, /* 162 */
+ { 0x01, 169, 1, "" }, /* 163 */
+ { 0x01, 165, 0, "nsCertType" }, /* 164 */
+ { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
+ { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
+ { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
+ { 0x0d, 0, 0, "nsComment" }, /* 168 */
+ { 0x03, 172, 1, "directory" }, /* 169 */
+ { 0x01, 0, 1, "" }, /* 170 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 171 */
+ { 0x04, 0, 1, "policy" }, /* 172 */
+ { 0x01, 0, 0, "nsSGC" }, /* 173 */
+ { 0x45, 0, 1, "verisign" }, /* 174 */
+ { 0x01, 0, 1, "pki" }, /* 175 */
+ { 0x09, 0, 1, "attributes" }, /* 176 */
+ { 0x02, 178, 0, "messageType" }, /* 177 */
+ { 0x03, 179, 0, "pkiStatus" }, /* 178 */
+ { 0x04, 180, 0, "failInfo" }, /* 179 */
+ { 0x05, 181, 0, "senderNonce" }, /* 180 */
+ { 0x06, 182, 0, "recipientNonce" }, /* 181 */
+ { 0x07, 183, 0, "transID" }, /* 182 */
+ { 0x08, 0, 0, "extensionReq" } /* 183 */
+};
diff --git a/src/pluto/oid.h b/src/pluto/oid.h
new file mode 100644
index 000000000..ccdfb2954
--- /dev/null
+++ b/src/pluto/oid.h
@@ -0,0 +1,78 @@
+/* Object identifiers (OIDs) used by FreeS/WAN
+ * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This file has been automatically generated by the script oid.pl
+ * Do not edit manually!
+ */
+
+typedef struct {
+ u_char octet;
+ u_int next;
+ u_int down;
+ const u_char *name;
+} oid_t;
+
+extern const oid_t oid_names[];
+
+#define OID_UNKNOWN -1
+#define OID_ROLE 35
+#define OID_SUBJECT_KEY_ID 38
+#define OID_SUBJECT_ALT_NAME 41
+#define OID_BASIC_CONSTRAINTS 43
+#define OID_CRL_REASON_CODE 44
+#define OID_CRL_DISTRIBUTION_POINTS 45
+#define OID_AUTHORITY_KEY_ID 47
+#define OID_EXTENDED_KEY_USAGE 48
+#define OID_TARGET_INFORMATION 49
+#define OID_NO_REV_AVAIL 50
+#define OID_RSA_ENCRYPTION 59
+#define OID_MD2_WITH_RSA 60
+#define OID_MD5_WITH_RSA 61
+#define OID_SHA1_WITH_RSA 62
+#define OID_SHA256_WITH_RSA 63
+#define OID_SHA384_WITH_RSA 64
+#define OID_SHA512_WITH_RSA 65
+#define OID_PKCS7_DATA 67
+#define OID_PKCS7_SIGNED_DATA 68
+#define OID_PKCS7_ENVELOPED_DATA 69
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
+#define OID_PKCS7_DIGESTED_DATA 71
+#define OID_PKCS7_ENCRYPTED_DATA 72
+#define OID_PKCS9_EMAIL 74
+#define OID_PKCS9_CONTENT_TYPE 76
+#define OID_PKCS9_MESSAGE_DIGEST 77
+#define OID_PKCS9_SIGNING_TIME 78
+#define OID_MD2 84
+#define OID_MD5 85
+#define OID_3DES_EDE_CBC 87
+#define OID_AUTHORITY_INFO_ACCESS 109
+#define OID_OCSP_SIGNING 119
+#define OID_XMPP_ADDR 121
+#define OID_AUTHENTICATION_INFO 123
+#define OID_ACCESS_IDENTITY 124
+#define OID_CHARGING_IDENTITY 125
+#define OID_GROUP 126
+#define OID_OCSP 128
+#define OID_BASIC 129
+#define OID_NONCE 130
+#define OID_CRL 131
+#define OID_RESPONSE 132
+#define OID_NO_CHECK 133
+#define OID_ARCHIVE_CUTOFF 134
+#define OID_SERVICE_LOCATOR 135
+#define OID_DES_CBC 139
+#define OID_SHA1 140
+#define OID_SHA1_WITH_RSA_OIW 141
+#define OID_SHA256 157
+#define OID_SHA384 158
+#define OID_SHA512 159
+#define OID_NS_REVOCATION_URL 165
+#define OID_NS_CA_REVOCATION_URL 166
+#define OID_NS_CA_POLICY_URL 167
+#define OID_NS_COMMENT 168
+#define OID_PKI_MESSAGE_TYPE 177
+#define OID_PKI_STATUS 178
+#define OID_PKI_FAIL_INFO 179
+#define OID_PKI_SENDER_NONCE 180
+#define OID_PKI_RECIPIENT_NONCE 181
+#define OID_PKI_TRANS_ID 182
diff --git a/src/pluto/oid.pl b/src/pluto/oid.pl
new file mode 100644
index 000000000..52ac8eae0
--- /dev/null
+++ b/src/pluto/oid.pl
@@ -0,0 +1,123 @@
+#!/usr/bin/perl
+# Generates oid.h and oid.c out of oid.txt
+# Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+$copyright="Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur";
+$automatic="This file has been automatically generated by the script oid.pl";
+$warning="Do not edit manually!";
+
+print "oid.pl generating oid.h and oid.c\n";
+
+# Generate oid.h
+
+open(OID_H, ">oid.h")
+ or die "could not open 'oid.h': $!";
+
+print OID_H "/* Object identifiers (OIDs) used by FreeS/WAN\n",
+ " * ", $copyright, "\n",
+ " * \n",
+ " * ", $automatic, "\n",
+ " * ", $warning, "\n",
+ " */\n\n",
+ "typedef struct {\n",
+ " u_char octet;\n",
+ " u_int next;\n",
+ " u_int down;\n",
+ " const u_char *name;\n",
+ "} oid_t;\n",
+ "\n",
+ "extern const oid_t oid_names[];\n",
+ "\n",
+ "#define OID_UNKNOWN -1\n";
+
+# parse oid.txt
+
+open(SRC, "<oid.txt")
+ or die "could not open 'oid.txt': $!";
+
+$counter = 0;
+$max_name = 0;
+$max_order = 0;
+
+while ($line = <SRC>)
+{
+ $line =~ m/( *?)(0x\w{2})\s+(".*?")[ \t]*?([\w_]*?)\Z/;
+
+ @order[$counter] = length($1);
+ @octet[$counter] = $2;
+ @name[$counter] = $3;
+
+ if (length($1) > $max_order)
+ {
+ $max_order = length($1);
+ }
+ if (length($3) > $max_name)
+ {
+ $max_name = length($3);
+ }
+ if (length($4) > 0)
+ {
+ printf OID_H "#define %s%s%d\n", $4, "\t" x ((39-length($4))/8), $counter;
+ }
+ $counter++;
+}
+
+close SRC;
+close OID_H;
+
+# Generate oid.c
+
+open(OID_C, ">oid.c")
+ or die "could not open 'oid.c': $!";
+
+print OID_C "/* List of some useful object identifiers (OIDs)\n",
+ " * ", $copyright, "\n",
+ " * \n",
+ " * ", $automatic, "\n",
+ " * ", $warning, "\n",
+ " */\n",
+ "\n",
+ "#include <stdlib.h>\n",
+ "\n",
+ "#include \"oid.h\"\n",
+ "\n",
+ "const oid_t oid_names[] = {\n";
+
+for ($c = 0; $c < $counter; $c++)
+{
+ $next = 0;
+
+ for ($d = $c+1; $d < $counter && @order[$d] >= @order[$c]; $d++)
+ {
+ if (@order[$d] == @order[$c])
+ {
+ @next[$c] = $d;
+ last;
+ }
+ }
+
+ printf OID_C " {%s%s,%s%3d, %d, %s%s}%s /* %3d */\n"
+ ,' ' x @order[$c]
+ , @octet[$c]
+ , ' ' x (1 + $max_order - @order[$c])
+ , @next[$c]
+ , @order[$c+1] > @order[$c]
+ , @name[$c]
+ , ' ' x ($max_name - length(@name[$c]))
+ , $c != $counter-1 ? "," : " "
+ , $c;
+}
+
+print OID_C "};\n" ;
+close OID_C;
diff --git a/src/pluto/oid.txt b/src/pluto/oid.txt
new file mode 100644
index 000000000..e8750024e
--- /dev/null
+++ b/src/pluto/oid.txt
@@ -0,0 +1,184 @@
+0x02 "ITU-T Administration"
+ 0x82 ""
+ 0x06 "Germany ITU-T member"
+ 0x01 "Deutsche Telekom AG"
+ 0x0A ""
+ 0x07 ""
+ 0x14 "ND"
+0x09 "data"
+ 0x92 ""
+ 0x26 ""
+ 0x89 ""
+ 0x93 ""
+ 0xF2 ""
+ 0x2C ""
+ 0x64 "pilot"
+ 0x01 "pilotAttributeType"
+ 0x01 "UID"
+ 0x19 "DC"
+0x55 "X.500"
+ 0x04 "X.509"
+ 0x03 "CN"
+ 0x04 "S"
+ 0x05 "SN"
+ 0x06 "C"
+ 0x07 "L"
+ 0x08 "ST"
+ 0x0A "O"
+ 0x0B "OU"
+ 0x0C "T"
+ 0x0D "D"
+ 0x24 "userCertificate"
+ 0x29 "N"
+ 0x2A "G"
+ 0x2B "I"
+ 0x2D "ID"
+ 0x48 "role" OID_ROLE
+ 0x1D "id-ce"
+ 0x09 "subjectDirectoryAttrs"
+ 0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID
+ 0x0F "keyUsage"
+ 0x10 "privateKeyUsagePeriod"
+ 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
+ 0x12 "issuerAltName"
+ 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x15 "reasonCode" OID_CRL_REASON_CODE
+ 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
+ 0x20 "certificatePolicies"
+ 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID
+ 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE
+ 0x37 "targetInformation" OID_TARGET_INFORMATION
+ 0x38 "noRevAvail" OID_NO_REV_AVAIL
+0x2A ""
+ 0x86 ""
+ 0x48 ""
+ 0x86 ""
+ 0xF7 ""
+ 0x0D "RSADSI"
+ 0x01 "PKCS"
+ 0x01 "PKCS-1"
+ 0x01 "rsaEncryption" OID_RSA_ENCRYPTION
+ 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA
+ 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
+ 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
+ 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
+ 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
+ 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA
+ 0x07 "PKCS-7"
+ 0x01 "data" OID_PKCS7_DATA
+ 0x02 "signedData" OID_PKCS7_SIGNED_DATA
+ 0x03 "envelopedData" OID_PKCS7_ENVELOPED_DATA
+ 0x04 "signedAndEnvelopedData" OID_PKCS7_SIGNED_ENVELOPED_DATA
+ 0x05 "digestedData" OID_PKCS7_DIGESTED_DATA
+ 0x06 "encryptedData" OID_PKCS7_ENCRYPTED_DATA
+ 0x09 "PKCS-9"
+ 0x01 "E" OID_PKCS9_EMAIL
+ 0x02 "unstructuredName"
+ 0x03 "contentType" OID_PKCS9_CONTENT_TYPE
+ 0x04 "messageDigest" OID_PKCS9_MESSAGE_DIGEST
+ 0x05 "signingTime" OID_PKCS9_SIGNING_TIME
+ 0x06 "counterSignature"
+ 0x07 "challengePassword"
+ 0x08 "unstructuredAddress"
+ 0x0E "extensionRequest"
+ 0x02 "digestAlgorithm"
+ 0x02 "md2" OID_MD2
+ 0x05 "md5" OID_MD5
+ 0x03 "encryptionAlgorithm"
+ 0x07 "3des-ede-cbc" OID_3DES_EDE_CBC
+0x2B ""
+ 0x06 "dod"
+ 0x01 "internet"
+ 0x04 "private"
+ 0x01 "enterprise"
+ 0x82 ""
+ 0x37 "Microsoft"
+ 0x0A ""
+ 0x03 ""
+ 0x03 "msSGC"
+ 0x89 ""
+ 0x31 ""
+ 0x01 ""
+ 0x01 ""
+ 0x02 ""
+ 0x02 ""
+ 0x4B "TCGID"
+ 0x05 "security"
+ 0x05 "mechanisms"
+ 0x07 "id-pkix"
+ 0x01 "id-pe"
+ 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS
+ 0x03 "id-kp"
+ 0x01 "serverAuth"
+ 0x02 "clientAuth"
+ 0x03 "codeSigning"
+ 0x04 "emailProtection"
+ 0x05 "ipsecEndSystem"
+ 0x06 "ipsecTunnel"
+ 0x07 "ipsecUser"
+ 0x08 "timeStamping"
+ 0x09 "ocspSigning" OID_OCSP_SIGNING
+ 0x08 "id-otherNames"
+ 0x05 "xmppAddr" OID_XMPP_ADDR
+ 0x0A "id-aca"
+ 0x01 "authenticationInfo" OID_AUTHENTICATION_INFO
+ 0x02 "accessIdentity" OID_ACCESS_IDENTITY
+ 0x03 "chargingIdentity" OID_CHARGING_IDENTITY
+ 0x04 "group" OID_GROUP
+ 0x30 "id-ad"
+ 0x01 "ocsp" OID_OCSP
+ 0x01 "basic" OID_BASIC
+ 0x02 "nonce" OID_NONCE
+ 0x03 "crl" OID_CRL
+ 0x04 "response" OID_RESPONSE
+ 0x05 "noCheck" OID_NO_CHECK
+ 0x06 "archiveCutoff" OID_ARCHIVE_CUTOFF
+ 0x07 "serviceLocator" OID_SERVICE_LOCATOR
+ 0x0E "oiw"
+ 0x03 "secsig"
+ 0x02 "algorithms"
+ 0x07 "des-cbc" OID_DES_CBC
+ 0x1A "sha-1" OID_SHA1
+ 0x1D "sha-1WithRSASignature" OID_SHA1_WITH_RSA_OIW
+ 0x24 "TeleTrusT"
+ 0x03 "algorithm"
+ 0x03 "signatureAlgorithm"
+ 0x01 "rsaSignature"
+ 0x02 "rsaSigWithripemd160"
+ 0x03 "rsaSigWithripemd128"
+ 0x04 "rsaSigWithripemd256"
+0x60 ""
+ 0x86 ""
+ 0x48 ""
+ 0x01 "organization"
+ 0x65 "gov"
+ 0x03 "csor"
+ 0x04 "nistalgorithm"
+ 0x02 "hashalgs"
+ 0x01 "id-SHA-256" OID_SHA256
+ 0x02 "id-SHA-384" OID_SHA384
+ 0x03 "id-SHA-512" OID_SHA512
+ 0x86 ""
+ 0xf8 ""
+ 0x42 "netscape"
+ 0x01 ""
+ 0x01 "nsCertType"
+ 0x03 "nsRevocationUrl" OID_NS_REVOCATION_URL
+ 0x04 "nsCaRevocationUrl" OID_NS_CA_REVOCATION_URL
+ 0x08 "nsCaPolicyUrl" OID_NS_CA_POLICY_URL
+ 0x0d "nsComment" OID_NS_COMMENT
+ 0x03 "directory"
+ 0x01 ""
+ 0x03 "employeeNumber"
+ 0x04 "policy"
+ 0x01 "nsSGC"
+ 0x45 "verisign"
+ 0x01 "pki"
+ 0x09 "attributes"
+ 0x02 "messageType" OID_PKI_MESSAGE_TYPE
+ 0x03 "pkiStatus" OID_PKI_STATUS
+ 0x04 "failInfo" OID_PKI_FAIL_INFO
+ 0x05 "senderNonce" OID_PKI_SENDER_NONCE
+ 0x06 "recipientNonce" OID_PKI_RECIPIENT_NONCE
+ 0x07 "transID" OID_PKI_TRANS_ID
+ 0x08 "extensionReq"
diff --git a/src/pluto/packet.c b/src/pluto/packet.c
new file mode 100644
index 000000000..9f04c8bb2
--- /dev/null
+++ b/src/pluto/packet.c
@@ -0,0 +1,1244 @@
+/* parsing packets: formats and tools
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: packet.c,v 1.7 2005/01/06 22:39:04 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <netinet/in.h>
+#include <string.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "packet.h"
+#include "whack.h" /* for RC_LOG_SERIOUS */
+
+/* ISAKMP Header: for all messages
+ * layout from RFC 2408 "ISAKMP" section 3.1
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Initiator !
+ * ! Cookie !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Responder !
+ * ! Cookie !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Message ID !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+static field_desc isa_fields[] = {
+ { ft_raw, COOKIE_SIZE, "initiator cookie", NULL },
+ { ft_raw, COOKIE_SIZE, "responder cookie", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_enum, 8/BITS_PER_BYTE, "ISAKMP version", &version_names },
+ { ft_enum, 8/BITS_PER_BYTE, "exchange type", &exchange_names },
+ { ft_set, 8/BITS_PER_BYTE, "flags", flag_bit_names },
+ { ft_raw, 32/BITS_PER_BYTE, "message ID", NULL },
+ { ft_len, 32/BITS_PER_BYTE, "length", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_hdr_desc = { "ISAKMP Message", isa_fields, sizeof(struct isakmp_hdr) };
+
+/* Generic portion of all ISAKMP payloads.
+ * layout from RFC 2408 "ISAKMP" section 3.2
+ * This describes the first 32-bit chunk of all payloads.
+ * The previous next payload depends on the actual payload type.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+static field_desc isag_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_generic_desc = { "ISAKMP Generic Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+
+/* ISAKMP Data Attribute (generic representation within payloads)
+ * layout from RFC 2408 "ISAKMP" section 3.3
+ * This is not a payload type.
+ * In TLV format, this is followed by a value field.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * !A! Attribute Type ! AF=0 Attribute Length !
+ * !F! ! AF=1 Attribute Value !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * . AF=0 Attribute Value .
+ * . AF=1 Not Transmitted .
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/* Oakley Attributes */
+static field_desc isaat_fields_oakley[] = {
+ { ft_af_enum, 16/BITS_PER_BYTE, "af+type", &oakley_attr_names },
+ { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_oakley_attribute_desc = {
+ "ISAKMP Oakley attribute",
+ isaat_fields_oakley, sizeof(struct isakmp_attribute) };
+
+/* IPsec DOI Attributes */
+static field_desc isaat_fields_ipsec[] = {
+ { ft_af_enum, 16/BITS_PER_BYTE, "af+type", &ipsec_attr_names },
+ { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_ipsec_attribute_desc = {
+ "ISAKMP IPsec DOI attribute",
+ isaat_fields_ipsec, sizeof(struct isakmp_attribute) };
+
+/* Mode Config Attributes */
+static field_desc isaat_fields_modecfg[] = {
+ { ft_af_loose_enum, 16/BITS_PER_BYTE, "ModeCfg attr type", &modecfg_attr_names },
+ { ft_lv, 16/BITS_PER_BYTE, "length/value", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_modecfg_attribute_desc = {
+ "ISAKMP ModeCfg attribute",
+ isaat_fields_modecfg, sizeof(struct isakmp_attribute) };
+
+/* ISAKMP Security Association Payload
+ * layout from RFC 2408 "ISAKMP" section 3.4
+ * A variable length Situation follows.
+ * Previous next payload: ISAKMP_NEXT_SA
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Situation ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isasa_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_sa_desc = { "ISAKMP Security Association Payload", isasa_fields, sizeof(struct isakmp_sa) };
+
+static field_desc ipsec_sit_field[] = {
+ { ft_set, 32/BITS_PER_BYTE, "IPsec DOI SIT", &sit_bit_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc ipsec_sit_desc = { "IPsec DOI SIT", ipsec_sit_field, sizeof(u_int32_t) };
+
+/* ISAKMP Proposal Payload
+ * layout from RFC 2408 "ISAKMP" section 3.5
+ * A variable length SPI follows.
+ * Previous next payload: ISAKMP_NEXT_P
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! SPI (variable) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isap_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "proposal number", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "protocol ID", &protocol_names },
+ { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "number of transforms", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_proposal_desc = { "ISAKMP Proposal Payload", isap_fields, sizeof(struct isakmp_proposal) };
+
+/* ISAKMP Transform Payload
+ * layout from RFC 2408 "ISAKMP" section 3.6
+ * Variable length SA Attributes follow.
+ * Previous next payload: ISAKMP_NEXT_T
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Transform # ! Transform-Id ! RESERVED2 !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ SA Attributes ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/* PROTO_ISAKMP */
+static field_desc isat_fields_isakmp[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "transform ID", &isakmp_transformid_names },
+ { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_isakmp_transform_desc = {
+ "ISAKMP Transform Payload (ISAKMP)",
+ isat_fields_isakmp, sizeof(struct isakmp_transform) };
+
+/* PROTO_IPSEC_AH */
+static field_desc isat_fields_ah[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
+ { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_ah_transform_desc = {
+ "ISAKMP Transform Payload (AH)",
+ isat_fields_ah, sizeof(struct isakmp_transform) };
+
+/* PROTO_IPSEC_ESP */
+static field_desc isat_fields_esp[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
+ { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_esp_transform_desc = {
+ "ISAKMP Transform Payload (ESP)",
+ isat_fields_esp, sizeof(struct isakmp_transform) };
+
+/* PROTO_IPCOMP */
+static field_desc isat_fields_ipcomp[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ipcomp_transformid_names },
+ { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_ipcomp_transform_desc = {
+ "ISAKMP Transform Payload (COMP)",
+ isat_fields_ipcomp, sizeof(struct isakmp_transform) };
+
+
+/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.7
+ * Variable Key Exchange Data follow the generic fields.
+ * Previous next payload: ISAKMP_NEXT_KE
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Key Exchange Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_keyex_desc = { "ISAKMP Key Exchange Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* ISAKMP Identification Payload
+ * layout from RFC 2408 "ISAKMP" section 3.8
+ * See "struct identity" declared later.
+ * Variable length Identification Data follow.
+ * Previous next payload: ISAKMP_NEXT_ID
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! ID Type ! DOI Specific ID Data !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Identification Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isaid_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names }, /* ??? depends on DOI? */
+ { ft_nat, 8/BITS_PER_BYTE, "DOI specific A", NULL }, /* ??? depends on DOI? */
+ { ft_nat, 16/BITS_PER_BYTE, "DOI specific B", NULL }, /* ??? depends on DOI? */
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_identification_desc = { "ISAKMP Identification Payload", isaid_fields, sizeof(struct isakmp_id) };
+
+/* IPSEC Identification Payload Content
+ * layout from RFC 2407 "IPsec DOI" section 4.6.2
+ * See struct isakmp_id declared earlier.
+ * Note: Hashing skips the ISAKMP generic payload header
+ * Variable length Identification Data follow.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! ID Type ! Protocol ID ! Port !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Identification Data ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isaiid_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
+ { ft_nat, 8/BITS_PER_BYTE, "Protocol ID", NULL }, /* ??? UDP/TCP or 0? */
+ { ft_nat, 16/BITS_PER_BYTE, "port", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_ipsec_identification_desc = { "ISAKMP Identification Payload (IPsec DOI)", isaiid_fields, sizeof(struct isakmp_ipsec_id) };
+
+/* ISAKMP Certificate Payload: oddball fixed field beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.9
+ * Variable length Certificate Data follow the generic fields.
+ * Previous next payload: ISAKMP_NEXT_CERT.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Cert Encoding ! !
+ * +-+-+-+-+-+-+-+-+ !
+ * ~ Certificate Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isacert_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "cert encoding", &cert_type_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+/* Note: the size field of isakmp_ipsec_certificate_desc cannot be
+ * sizeof(struct isakmp_cert) because that will rounded up for padding.
+ */
+ struct_desc isakmp_ipsec_certificate_desc = { "ISAKMP Certificate Payload", isacert_fields, ISAKMP_CERT_SIZE };
+
+/* ISAKMP Certificate Request Payload: oddball field beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.10
+ * Variable length Certificate Types and Certificate Authorities follow.
+ * Previous next payload: ISAKMP_NEXT_CR.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Cert. Type ! !
+ * +-+-+-+-+-+-+-+-+ !
+ * ~ Certificate Authority ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isacr_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "cert type", &cert_type_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+/* Note: the size field of isakmp_ipsec_cert_req_desc cannot be
+ * sizeof(struct isakmp_cr) because that will rounded up for padding.
+ */
+struct_desc isakmp_ipsec_cert_req_desc = { "ISAKMP Certificate RequestPayload", isacr_fields, ISAKMP_CR_SIZE };
+
+/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.11
+ * Variable length Hash Data follow.
+ * Previous next payload: ISAKMP_NEXT_HASH.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Hash Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_hash_desc = { "ISAKMP Hash Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.12
+ * Variable length Signature Data follow.
+ * Previous next payload: ISAKMP_NEXT_SIG.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Signature Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_signature_desc = { "ISAKMP Signature Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.13
+ * Variable length Nonce Data follow.
+ * Previous next payload: ISAKMP_NEXT_NONCE.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Nonce Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_nonce_desc = { "ISAKMP Nonce Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* ISAKMP Notification Payload
+ * layout from RFC 2408 "ISAKMP" section 3.14
+ * This is followed by a variable length SPI
+ * and then possibly by variable length Notification Data.
+ * Previous next payload: ISAKMP_NEXT_N
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Protocol-ID ! SPI Size ! Notify Message Type !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Security Parameter Index (SPI) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Notification Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isan_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+ { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL }, /* ??? really enum: ISAKMP, IPSEC, ESP, ... */
+ { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+ { ft_enum, 16/BITS_PER_BYTE, "Notify Message Type", &notification_names },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_notification_desc = { "ISAKMP Notification Payload", isan_fields, sizeof(struct isakmp_notification) };
+
+/* ISAKMP Delete Payload
+ * layout from RFC 2408 "ISAKMP" section 3.15
+ * This is followed by a variable length SPI.
+ * Previous next payload: ISAKMP_NEXT_D
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Protocol-Id ! SPI Size ! # of SPIs !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Security Parameter Index(es) (SPI) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isad_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 32/BITS_PER_BYTE, "DOI", &doi_names },
+ { ft_nat, 8/BITS_PER_BYTE, "protocol ID", NULL }, /* ??? really enum: ISAKMP, IPSEC */
+ { ft_nat, 8/BITS_PER_BYTE, "SPI size", NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "number of SPIs", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_delete_desc = { "ISAKMP Delete Payload", isad_fields, sizeof(struct isakmp_delete) };
+
+/* ISAKMP Vendor ID Payload
+ * layout from RFC 2408 "ISAKMP" section 3.15
+ * This is followed by a variable length VID.
+ * Previous next payload: ISAKMP_NEXT_VID
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Vendor ID (VID) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_vendor_id_desc = { "ISAKMP Vendor ID Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* MODECFG */
+/*
+ * From draft-dukes-ike-mode-cfg
+3.2. Attribute Payload
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Type ! RESERVED ! Identifier !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Attributes ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+static field_desc isaattr_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "Attr Msg Type", &attr_msg_type_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_nat, 16/BITS_PER_BYTE, "Identifier", NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_attr_desc = { "ISAKMP Mode Attribute", isaattr_fields, sizeof(struct isakmp_mode_attr) };
+
+/* ISAKMP NAT-Traversal NAT-D
+ * layout from draft-ietf-ipsec-nat-t-ike-01.txt section 3.2
+ *
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! HASH of the address and port !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct_desc isakmp_nat_d = { "ISAKMP NAT-D Payload", isag_fields, sizeof(struct isakmp_generic) };
+
+/* ISAKMP NAT-Traversal NAT-OA
+ * layout from draft-ietf-ipsec-nat-t-ike-01.txt section 4.2
+ *
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! ID Type ! RESERVED ! RESERVED !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! IPv4 (4 octets) or IPv6 address (16 octets) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+static field_desc isanat_oa_fields[] = {
+ { ft_enum, 8/BITS_PER_BYTE, "next payload type", &payload_names },
+ { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
+ { ft_len, 16/BITS_PER_BYTE, "length", NULL },
+ { ft_enum, 8/BITS_PER_BYTE, "ID type", &ident_names },
+ { ft_mbz, 24/BITS_PER_BYTE, NULL, NULL },
+ { ft_end, 0, NULL, NULL }
+};
+
+struct_desc isakmp_nat_oa = { "ISAKMP NAT-OA Payload", isanat_oa_fields, sizeof(struct isakmp_nat_oa) };
+
+/* descriptor for each payload type
+ *
+ * There is a slight problem in that some payloads differ, depending
+ * on the mode. Since this is table only used for top-level payloads,
+ * Proposal and Transform payloads need not be handled.
+ * That leaves only Identification payloads as a problem.
+ * We make all these entries NULL
+ */
+struct_desc *const payload_descs[ISAKMP_NEXT_ROOF] = {
+ NULL, /* 0 ISAKMP_NEXT_NONE (No other payload following) */
+ &isakmp_sa_desc, /* 1 ISAKMP_NEXT_SA (Security Association) */
+ NULL, /* 2 ISAKMP_NEXT_P (Proposal) */
+ NULL, /* 3 ISAKMP_NEXT_T (Transform) */
+ &isakmp_keyex_desc, /* 4 ISAKMP_NEXT_KE (Key Exchange) */
+ NULL, /* 5 ISAKMP_NEXT_ID (Identification) */
+ &isakmp_ipsec_certificate_desc, /* 6 ISAKMP_NEXT_CERT (Certificate) */
+ &isakmp_ipsec_cert_req_desc, /* 7 ISAKMP_NEXT_CR (Certificate Request) */
+ &isakmp_hash_desc, /* 8 ISAKMP_NEXT_HASH (Hash) */
+ &isakmp_signature_desc, /* 9 ISAKMP_NEXT_SIG (Signature) */
+ &isakmp_nonce_desc, /* 10 ISAKMP_NEXT_NONCE (Nonce) */
+ &isakmp_notification_desc, /* 11 ISAKMP_NEXT_N (Notification) */
+ &isakmp_delete_desc, /* 12 ISAKMP_NEXT_D (Delete) */
+ &isakmp_vendor_id_desc, /* 13 ISAKMP_NEXT_VID (Vendor ID) */
+ &isakmp_attr_desc, /* 14 ISAKMP_NEXT_ATTR (Mode Config) */
+ NULL, /* 15 */
+ NULL, /* 16 */
+ NULL, /* 17 */
+ NULL, /* 18 */
+ NULL, /* 19 */
+ &isakmp_nat_d, /* 20=130 ISAKMP_NEXT_NATD (NAT-D) */
+ &isakmp_nat_oa, /* 20=131 ISAKMP_NEXT_NATOA (NAT-OA) */
+};
+
+void
+init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name)
+{
+ pbs->container = NULL;
+ pbs->desc = NULL;
+ pbs->name = name;
+ pbs->start = pbs->cur = start;
+ pbs->roof = start + len;
+ pbs->lenfld = NULL;
+ pbs->lenfld_desc = NULL;
+}
+
+#ifdef DEBUG
+
+/* print a host struct
+ *
+ * This code assumes that the network and host structure
+ * members have the same alignment and size! This requires
+ * that all padding be explicit.
+ */
+void
+DBG_print_struct(const char *label, const void *struct_ptr
+, struct_desc *sd, bool len_meaningful)
+{
+ bool immediate = FALSE;
+ const u_int8_t *inp = struct_ptr;
+ field_desc *fp;
+
+ DBG_log("%s%s:", label, sd->name);
+
+ for (fp = sd->fields; fp->field_type != ft_end; fp++)
+ {
+ int i = fp->size;
+ u_int32_t n = 0;
+
+ switch (fp->field_type)
+ {
+ case ft_mbz: /* must be zero */
+ inp += i;
+ break;
+ case ft_nat: /* natural number (may be 0) */
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ case ft_enum: /* value from an enumeration */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ case ft_set: /* bits representing set */
+ switch (i)
+ {
+ case 8/BITS_PER_BYTE:
+ n = *(const u_int8_t *)inp;
+ break;
+ case 16/BITS_PER_BYTE:
+ n = *(const u_int16_t *)inp;
+ break;
+ case 32/BITS_PER_BYTE:
+ n = *(const u_int32_t *)inp;
+ break;
+ default:
+ bad_case(i);
+ }
+ switch (fp->field_type)
+ {
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ if (!immediate && !len_meaningful)
+ break;
+ /* FALL THROUGH */
+ case ft_nat: /* natural number (may be 0) */
+ DBG_log(" %s: %lu", fp->name, (unsigned long)n);
+ break;
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ immediate = TRUE;
+ /* FALL THROUGH */
+ case ft_enum: /* value from an enumeration */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ DBG_log(" %s: %s", fp->name, enum_show(fp->desc, n));
+ break;
+ case ft_set: /* bits representing set */
+ DBG_log(" %s: %s", fp->name, bitnamesof(fp->desc, n));
+ break;
+ default:
+ bad_case(fp->field_type);
+ }
+ inp += i;
+ break;
+
+ case ft_raw: /* bytes to be left in network-order */
+ {
+ char m[50]; /* arbitrary limit on name width in log */
+
+ snprintf(m, sizeof(m), " %s:", fp->name);
+ DBG_dump(m, inp, i);
+ inp += i;
+ }
+ break;
+ default:
+ bad_case(fp->field_type);
+ }
+ }
+}
+
+static void
+DBG_prefix_print_struct(const pb_stream *pbs
+, const char *label, const void *struct_ptr
+, struct_desc *sd, bool len_meaningful)
+{
+ /* print out a title, with a prefix of asterisks to show
+ * the nesting level.
+ */
+ char space[40]; /* arbitrary limit on label+flock-of-* */
+ size_t len = strlen(label);
+
+ if (sizeof(space) <= len)
+ {
+ DBG_print_struct(label, struct_ptr, sd, len_meaningful);
+ }
+ else
+ {
+ const pb_stream *p = pbs;
+ char *pre = &space[sizeof(space) - (len + 1)];
+
+ strcpy(pre, label);
+
+ /* put at least one * out */
+ for (;;)
+ {
+ if (pre <= space)
+ break;
+ *--pre = '*';
+ if (p == NULL)
+ break;
+ p = p->container;
+ }
+ DBG_print_struct(pre, struct_ptr, sd, len_meaningful);
+ }
+}
+
+#endif
+
+/* "parse" a network struct into a host struct.
+ *
+ * This code assumes that the network and host structure
+ * members have the same alignment and size! This requires
+ * that all padding be explicit.
+ *
+ * If obj_pbs is supplied, a new pb_stream is created for the
+ * variable part of the structure (this depends on their
+ * being one length field in the structure). The cursor of this
+ * new PBS is set to after the parsed part of the struct.
+ *
+ * This routine returns TRUE iff it succeeds.
+ */
+
+bool
+in_struct(void *struct_ptr, struct_desc *sd
+, pb_stream *ins, pb_stream *obj_pbs)
+{
+ err_t ugh = NULL;
+ u_int8_t *cur = ins->cur;
+
+ if (ins->roof - cur < (ptrdiff_t)sd->size)
+ {
+ ugh = builddiag("not enough room in input packet for %s", sd->name);
+ }
+ else
+ {
+ u_int8_t *roof = cur + sd->size; /* may be changed by a length field */
+ u_int8_t *outp = struct_ptr;
+ bool immediate = FALSE;
+ field_desc *fp;
+
+ for (fp = sd->fields; ugh == NULL; fp++)
+ {
+ size_t i = fp->size;
+
+ passert(ins->roof - cur >= (ptrdiff_t)i);
+ passert(cur - ins->cur <= (ptrdiff_t)(sd->size - i));
+ passert(outp - (cur - ins->cur) == struct_ptr);
+
+#if 0
+ DBG(DBG_PARSING, DBG_log("%d %s"
+ , (int) (cur - ins->cur), fp->name == NULL? "" : fp->name));
+#endif
+ switch (fp->field_type)
+ {
+ case ft_mbz: /* must be zero */
+ for (; i != 0; i--)
+ {
+ if (*cur++ != 0)
+ {
+ ugh = builddiag("byte %d of %s must be zero, but is not"
+ , (int) (cur - ins->cur), sd->name);
+ break;
+ }
+ *outp++ = '\0'; /* probably redundant */
+ }
+ break;
+
+ case ft_nat: /* natural number (may be 0) */
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ case ft_enum: /* value from an enumeration */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ case ft_set: /* bits representing set */
+ {
+ u_int32_t n = 0;
+
+ for (; i != 0; i--)
+ n = (n << BITS_PER_BYTE) | *cur++;
+
+ switch (fp->field_type)
+ {
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ {
+ u_int32_t len = fp->field_type == ft_len? n
+ : immediate? sd->size : n + sd->size;
+
+ if (len < sd->size)
+ {
+ ugh = builddiag("%s of %s is smaller than minimum"
+ , fp->name, sd->name);
+ }
+ else if (pbs_left(ins) < len)
+ {
+ ugh = builddiag("%s of %s is larger than can fit"
+ , fp->name, sd->name);
+ }
+ else
+ {
+ roof = ins->cur + len;
+ }
+ break;
+ }
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ immediate = TRUE;
+ break;
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ immediate = TRUE;
+ /* FALL THROUGH */
+ case ft_enum: /* value from an enumeration */
+ if (enum_name(fp->desc, n) == NULL)
+ {
+ ugh = builddiag("%s of %s has an unknown value: %lu"
+ , fp->name, sd->name, (unsigned long)n);
+ }
+ /* FALL THROUGH */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ break;
+ case ft_set: /* bits representing set */
+ if (!testset(fp->desc, n))
+ {
+ ugh = builddiag("bitset %s of %s has unknown member(s): %s"
+ , fp->name, sd->name, bitnamesof(fp->desc, n));
+ }
+ break;
+ default:
+ break;
+ }
+ i = fp->size;
+ switch (i)
+ {
+ case 8/BITS_PER_BYTE:
+ *(u_int8_t *)outp = n;
+ break;
+ case 16/BITS_PER_BYTE:
+ *(u_int16_t *)outp = n;
+ break;
+ case 32/BITS_PER_BYTE:
+ *(u_int32_t *)outp = n;
+ break;
+ default:
+ bad_case(i);
+ }
+ outp += i;
+ break;
+ }
+
+ case ft_raw: /* bytes to be left in network-order */
+ for (; i != 0; i--)
+ {
+ *outp++ = *cur++;
+ }
+ break;
+
+ case ft_end: /* end of field list */
+ passert(cur == ins->cur + sd->size);
+ if (obj_pbs != NULL)
+ {
+ init_pbs(obj_pbs, ins->cur, roof - ins->cur, sd->name);
+ obj_pbs->container = ins;
+ obj_pbs->desc = sd;
+ obj_pbs->cur = cur;
+ }
+ ins->cur = roof;
+ DBG(DBG_PARSING
+ , DBG_prefix_print_struct(ins, "parse ", struct_ptr, sd, TRUE));
+ return TRUE;
+
+ default:
+ bad_case(fp->field_type);
+ }
+ }
+ }
+
+ /* some failure got us here: report it */
+ loglog(RC_LOG_SERIOUS, ugh);
+ return FALSE;
+}
+
+bool
+in_raw(void *bytes, size_t len, pb_stream *ins, const char *name)
+{
+ if (pbs_left(ins) < len)
+ {
+ loglog(RC_LOG_SERIOUS, "not enough bytes left to get %s from %s", name, ins->name);
+ return FALSE;
+ }
+ else
+ {
+ if (bytes == NULL)
+ {
+ DBG(DBG_PARSING
+ , DBG_log("skipping %u raw bytes of %s (%s)"
+ , (unsigned) len, ins->name, name);
+ DBG_dump(name, ins->cur, len));
+ }
+ else
+ {
+ memcpy(bytes, ins->cur, len);
+ DBG(DBG_PARSING
+ , DBG_log("parsing %u raw bytes of %s into %s"
+ , (unsigned) len, ins->name, name);
+ DBG_dump(name, bytes, len));
+ }
+ ins->cur += len;
+ return TRUE;
+ }
+}
+
+/* "emit" a host struct into a network packet.
+ *
+ * This code assumes that the network and host structure
+ * members have the same alignment and size! This requires
+ * that all padding be explicit.
+ *
+ * If obj_pbs is non-NULL, its pbs describes a new output stream set up
+ * to contain the object. The cursor will be left at the variable part.
+ * This new stream must subsequently be finalized by close_output_pbs().
+ *
+ * The value of any field of type ft_len is computed, not taken
+ * from the input struct. The length is actually filled in when
+ * the object's output stream is finalized. If obj_pbs is NULL,
+ * finalization is done by out_struct before it returns.
+ *
+ * This routine returns TRUE iff it succeeds.
+ */
+
+bool
+out_struct(const void *struct_ptr, struct_desc *sd
+, pb_stream *outs, pb_stream *obj_pbs)
+{
+ err_t ugh = NULL;
+ const u_int8_t *inp = struct_ptr;
+ u_int8_t *cur = outs->cur;
+
+ DBG(DBG_EMITTING
+ , DBG_prefix_print_struct(outs, "emit ", struct_ptr, sd, obj_pbs==NULL));
+
+ if (outs->roof - cur < (ptrdiff_t)sd->size)
+ {
+ ugh = builddiag("not enough room left in output packet to place %s"
+ , sd->name);
+ }
+ else
+ {
+ bool immediate = FALSE;
+ pb_stream obj;
+ field_desc *fp;
+
+ obj.lenfld = NULL; /* until a length field is discovered */
+ obj.lenfld_desc = NULL;
+
+ for (fp = sd->fields; ugh == NULL; fp++)
+ {
+ size_t i = fp->size;
+
+ passert(outs->roof - cur >= (ptrdiff_t)i);
+ passert(cur - outs->cur <= (ptrdiff_t)(sd->size - i));
+ passert(inp - (cur - outs->cur) == struct_ptr);
+
+#if 0
+ DBG(DBG_EMITTING, DBG_log("%d %s"
+ , (int) (cur - outs->cur), fp->name == NULL? "" : fp->name);
+#endif
+ switch (fp->field_type)
+ {
+ case ft_mbz: /* must be zero */
+ inp += i;
+ for (; i != 0; i--)
+ *cur++ = '\0';
+ break;
+ case ft_nat: /* natural number (may be 0) */
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ case ft_enum: /* value from an enumeration */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ case ft_set: /* bits representing set */
+ {
+ u_int32_t n = 0;
+
+ switch (i)
+ {
+ case 8/BITS_PER_BYTE:
+ n = *(const u_int8_t *)inp;
+ break;
+ case 16/BITS_PER_BYTE:
+ n = *(const u_int16_t *)inp;
+ break;
+ case 32/BITS_PER_BYTE:
+ n = *(const u_int32_t *)inp;
+ break;
+ default:
+ bad_case(i);
+ }
+
+ switch (fp->field_type)
+ {
+ case ft_len: /* length of this struct and any following crud */
+ case ft_lv: /* length/value field of attribute */
+ if (immediate)
+ break; /* not a length */
+ /* We can't check the length because it will likely
+ * be filled in after variable part is supplied.
+ * We do record where this is so that it can be
+ * filled in by a subsequent close_output_pbs().
+ */
+ passert(obj.lenfld == NULL); /* only one ft_len allowed */
+ obj.lenfld = cur;
+ obj.lenfld_desc = fp;
+ break;
+ case ft_af_loose_enum: /* Attribute Format + value from an enumeration */
+ if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ immediate = TRUE;
+ break;
+ case ft_af_enum: /* Attribute Format + value from an enumeration */
+ if ((n & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ immediate = TRUE;
+ /* FALL THROUGH */
+ case ft_enum: /* value from an enumeration */
+ if (enum_name(fp->desc, n) == NULL)
+ {
+ ugh = builddiag("%s of %s has an unknown value: %lu"
+ , fp->name, sd->name, (unsigned long)n);
+ }
+ /* FALL THROUGH */
+ case ft_loose_enum: /* value from an enumeration with only some names known */
+ break;
+ case ft_set: /* bits representing set */
+ if (!testset(fp->desc, n))
+ {
+ ugh = builddiag("bitset %s of %s has unknown member(s): %s"
+ , fp->name, sd->name, bitnamesof(fp->desc, n));
+ }
+ break;
+ default:
+ break;
+ }
+
+ while (i-- != 0)
+ {
+ cur[i] = (u_int8_t)n;
+ n >>= BITS_PER_BYTE;
+ }
+ inp += fp->size;
+ cur += fp->size;
+ break;
+ }
+ case ft_raw: /* bytes to be left in network-order */
+ for (; i != 0; i--)
+ *cur++ = *inp++;
+ break;
+ case ft_end: /* end of field list */
+ passert(cur == outs->cur + sd->size);
+
+ obj.container = outs;
+ obj.desc = sd;
+ obj.name = sd->name;
+ obj.start = outs->cur;
+ obj.cur = cur;
+ obj.roof = outs->roof; /* limit of possible */
+ /* obj.lenfld and obj.lenfld_desc already set */
+
+ if (obj_pbs == NULL)
+ {
+ close_output_pbs(&obj); /* fill in length field, if any */
+ }
+ else
+ {
+ /* We set outs->cur to outs->roof so that
+ * any attempt to output something into outs
+ * before obj is closed will trigger an error.
+ */
+ outs->cur = outs->roof;
+
+ *obj_pbs = obj;
+ }
+ return TRUE;
+
+ default:
+ bad_case(fp->field_type);
+ }
+ }
+ }
+
+ /* some failure got us here: report it */
+ loglog(RC_LOG_SERIOUS, ugh); /* ??? serious, but errno not relevant */
+ return FALSE;
+}
+
+bool
+out_generic(u_int8_t np, struct_desc *sd
+, pb_stream *outs, pb_stream *obj_pbs)
+{
+ struct isakmp_generic gen;
+
+ passert(sd->fields == isakmp_generic_desc.fields);
+ gen.isag_np = np;
+ return out_struct(&gen, sd, outs, obj_pbs);
+}
+
+bool
+out_generic_raw(u_int8_t np, struct_desc *sd
+, pb_stream *outs, const void *bytes, size_t len, const char *name)
+{
+ pb_stream pbs;
+
+ if (!out_generic(np, sd, outs, &pbs)
+ || !out_raw(bytes, len, &pbs, name))
+ return FALSE;
+ close_output_pbs(&pbs);
+ return TRUE;
+}
+
+bool
+out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name)
+{
+ if (pbs_left(outs) < len)
+ {
+ loglog(RC_LOG_SERIOUS, "not enough room left to place %lu bytes of %s in %s"
+ , (unsigned long) len, name, outs->name);
+ return FALSE;
+ }
+ else
+ {
+ DBG(DBG_EMITTING
+ , DBG_log("emitting %u raw bytes of %s into %s"
+ , (unsigned) len, name, outs->name);
+ DBG_dump(name, bytes, len));
+ memcpy(outs->cur, bytes, len);
+ outs->cur += len;
+ return TRUE;
+ }
+}
+
+bool
+out_zero(size_t len, pb_stream *outs, const char *name)
+{
+ if (pbs_left(outs) < len)
+ {
+ loglog(RC_LOG_SERIOUS, "not enough room left to place %s in %s", name, outs->name);
+ return FALSE;
+ }
+ else
+ {
+ DBG(DBG_EMITTING, DBG_log("emitting %u zero bytes of %s into %s"
+ , (unsigned) len, name, outs->name));
+ memset(outs->cur, 0x00, len);
+ outs->cur += len;
+ return TRUE;
+ }
+}
+
+/* Record current length.
+ * Note: currently, this may be repeated any number of times;
+ * the last one wins.
+ */
+void
+close_output_pbs(pb_stream *pbs)
+{
+ if (pbs->lenfld != NULL)
+ {
+ u_int32_t len = pbs_offset(pbs);
+ int i = pbs->lenfld_desc->size;
+
+ if (pbs->lenfld_desc->field_type == ft_lv)
+ len -= sizeof(struct isakmp_attribute);
+ DBG(DBG_EMITTING, DBG_log("emitting length of %s: %lu"
+ , pbs->name, (unsigned long) len));
+ while (i-- != 0)
+ {
+ pbs->lenfld[i] = (u_int8_t)len;
+ len >>= BITS_PER_BYTE;
+ }
+ }
+ if (pbs->container != NULL)
+ pbs->container->cur = pbs->cur; /* pass space utilization up */
+}
diff --git a/src/pluto/packet.h b/src/pluto/packet.h
new file mode 100644
index 000000000..676a5e6cd
--- /dev/null
+++ b/src/pluto/packet.h
@@ -0,0 +1,655 @@
+/* parsing packets: formats and tools
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: packet.h,v 1.5 2005/01/06 22:10:15 as Exp $
+ */
+
+#ifndef _PACKET_H
+#define _PACKET_H
+
+/* a struct_desc describes a structure for the struct I/O routines.
+ * This requires arrays of field_desc values to describe struct fields.
+ */
+
+typedef const struct struct_desc {
+ const char *name;
+ const struct field_desc *fields;
+ size_t size;
+} struct_desc;
+
+/* Note: if an ft_af_enum field has the ISAKMP_ATTR_AF_TV bit set,
+ * the subsequent ft_lv field will be interpreted as an immediate value.
+ * This matches how attributes are encoded.
+ * See RFC 2408 "ISAKMP" 3.3
+ */
+
+enum field_type {
+ ft_mbz, /* must be zero */
+ ft_nat, /* natural number (may be 0) */
+ ft_len, /* length of this struct and any following crud */
+ ft_lv, /* length/value field of attribute */
+ ft_enum, /* value from an enumeration */
+ ft_loose_enum, /* value from an enumeration with only some names known */
+ ft_af_loose_enum, /* Attribute Format + enumeration, some names known */
+ ft_af_enum, /* Attribute Format + value from an enumeration */
+ ft_set, /* bits representing set */
+ ft_raw, /* bytes to be left in network-order */
+ ft_end, /* end of field list */
+};
+
+typedef const struct field_desc {
+ enum field_type field_type;
+ int size; /* size, in bytes, of field */
+ const char *name;
+ const void *desc; /* enum_names for enum or char *[] for bits */
+} field_desc;
+
+/* The formatting of input and output of packets is done
+ * through packet_byte_stream objects.
+ * These describe a stream of bytes in memory.
+ * Several routines are provided to manipulate these objects
+ * Actual packet transfer is done elsewhere.
+ */
+typedef struct packet_byte_stream {
+ struct packet_byte_stream *container; /* PBS of which we are part */
+ struct_desc *desc;
+ const char *name; /* what does this PBS represent? */
+ u_int8_t
+ *start,
+ *cur, /* current position in stream */
+ *roof; /* byte after last in PBS (actually just a limit on output) */
+ /* For an output PBS, the length field will be filled in later so
+ * we need to record its particulars. Note: it may not be aligned.
+ */
+ u_int8_t *lenfld;
+ field_desc *lenfld_desc;
+} pb_stream;
+
+/* For an input PBS, pbs_offset is amount of stream processed.
+ * For an output PBS, pbs_offset is current size of stream.
+ * For an input PBS, pbs_room is size of stream.
+ * For an output PBS, pbs_room is maximum size allowed.
+ */
+#define pbs_offset(pbs) ((size_t)((pbs)->cur - (pbs)->start))
+#define pbs_room(pbs) ((size_t)((pbs)->roof - (pbs)->start))
+#define pbs_left(pbs) ((size_t)((pbs)->roof - (pbs)->cur))
+
+extern void init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name);
+
+extern bool in_struct(void *struct_ptr, struct_desc *sd,
+ pb_stream *ins, pb_stream *obj_pbs);
+extern bool in_raw(void *bytes, size_t len, pb_stream *ins, const char *name);
+
+extern bool out_struct(const void *struct_ptr, struct_desc *sd,
+ pb_stream *outs, pb_stream *obj_pbs);
+extern bool out_generic(u_int8_t np, struct_desc *sd,
+ pb_stream *outs, pb_stream *obj_pbs);
+extern bool out_generic_raw(u_int8_t np, struct_desc *sd,
+ pb_stream *outs, const void *bytes, size_t len, const char *name);
+#define out_generic_chunk(np, sd, outs, ch, name) \
+ out_generic_raw(np, sd, outs, (ch).ptr, (ch).len, name)
+extern bool out_zero(size_t len, pb_stream *outs, const char *name);
+extern bool out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name);
+#define out_chunk(ch, outs, name) out_raw((ch).ptr, (ch).len, (outs), (name))
+extern void close_output_pbs(pb_stream *pbs);
+
+#ifdef DEBUG
+extern void DBG_print_struct(const char *label, const void *struct_ptr,
+ struct_desc *sd, bool len_meaningful);
+#endif
+
+/* ISAKMP Header: for all messages
+ * layout from RFC 2408 "ISAKMP" section 3.1
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Initiator !
+ * ! Cookie !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Responder !
+ * ! Cookie !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Message ID !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * Although the drafts are a little unclear, there are a few
+ * places that specify that messages should be padded with 0x00
+ * octets (bytes) to make the length a multiple of something.
+ *
+ * RFC 2408 "ISAKMP" 3.6 specifies that all messages will be
+ * padded to be a multiple of 4 octets in length.
+ * ??? This looks vestigial, and we ignore this requirement.
+ *
+ * RFC 2409 "IKE" Appedix B specifies:
+ * Each message should be padded up to the nearest block size
+ * using bytes containing 0x00.
+ * ??? This does not appear to be limited to encrypted messages,
+ * but it surely must be: the block size is meant to be the encryption
+ * block size, and that is meaningless for a non-encrypted message.
+ *
+ * RFC 2409 "IKE" 5.3 specifies:
+ * Encrypted payloads are padded up to the nearest block size.
+ * All padding bytes, except for the last one, contain 0x00. The
+ * last byte of the padding contains the number of the padding
+ * bytes used, excluding the last one. Note that this means there
+ * will always be padding.
+ * ??? This is nuts since payloads are not padded, messages are.
+ * It also contradicts Appendix B. So we ignore it.
+ *
+ * Summary: we pad encrypted output messages with 0x00 to bring them
+ * up to a multiple of the encryption block size. On input, we require
+ * that any encrypted portion of a message be a multiple of the encryption
+ * block size. After any decryption, we ignore padding (any bytes after
+ * the first payload that specifies a next payload of none; we don't
+ * require them to be zero).
+ */
+
+struct isakmp_hdr
+{
+ u_int8_t isa_icookie[COOKIE_SIZE];
+ u_int8_t isa_rcookie[COOKIE_SIZE];
+ u_int8_t isa_np; /* Next payload */
+ u_int8_t isa_version; /* high-order 4 bits: Major; low order 4: Minor */
+#define ISA_MAJ_SHIFT 4
+#define ISA_MIN_MASK (~((~0u) << ISA_MAJ_SHIFT))
+ u_int8_t isa_xchg; /* Exchange type */
+ u_int8_t isa_flags;
+ u_int32_t isa_msgid; /* Message ID (RAW) */
+ u_int32_t isa_length; /* Length of message */
+};
+
+extern struct_desc isakmp_hdr_desc;
+
+/* Generic portion of all ISAKMP payloads.
+ * layout from RFC 2408 "ISAKMP" section 3.2
+ * This describes the first 32-bit chunk of all payloads.
+ * The previous next payload depends on the actual payload type.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_generic
+{
+ u_int8_t isag_np;
+ u_int8_t isag_reserved;
+ u_int16_t isag_length;
+};
+
+extern struct_desc isakmp_generic_desc;
+
+/* ISAKMP Data Attribute (generic representation within payloads)
+ * layout from RFC 2408 "ISAKMP" section 3.3
+ * This is not a payload type.
+ * In TLV format, this is followed by a value field.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * !A! Attribute Type ! AF=0 Attribute Length !
+ * !F! ! AF=1 Attribute Value !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * . AF=0 Attribute Value .
+ * . AF=1 Not Transmitted .
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_attribute
+{
+ /* The high order bit of isaat_af_type is the Attribute Format
+ * If it is off, the format is TLV: lv is the length of the following
+ * attribute value.
+ * If it is on, the format is TV: lv is the value of the attribute.
+ * ISAKMP_ATTR_AF_MASK is the mask in host form.
+ *
+ * The low order 15 bits of isaat_af_type is the Attribute Type.
+ * ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
+ */
+ u_int16_t isaat_af_type; /* high order bit: AF; lower 15: rtype */
+ u_int16_t isaat_lv; /* Length or value */
+};
+
+#define ISAKMP_ATTR_AF_MASK 0x8000
+#define ISAKMP_ATTR_AF_TV ISAKMP_ATTR_AF_MASK /* value in lv */
+#define ISAKMP_ATTR_AF_TLV 0 /* length in lv; value follows */
+
+#define ISAKMP_ATTR_RTYPE_MASK 0x7FFF
+
+extern struct_desc
+ isakmp_oakley_attribute_desc,
+ isakmp_ipsec_attribute_desc;
+
+/* ISAKMP Security Association Payload
+ * layout from RFC 2408 "ISAKMP" section 3.4
+ * A variable length Situation follows.
+ * Previous next payload: ISAKMP_NEXT_SA
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Situation ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_sa
+{
+ u_int8_t isasa_np; /* Next payload */
+ u_int8_t isasa_reserved;
+ u_int16_t isasa_length; /* Payload length */
+ u_int32_t isasa_doi; /* DOI */
+};
+
+extern struct_desc isakmp_sa_desc;
+
+extern struct_desc ipsec_sit_desc;
+
+/* ISAKMP Proposal Payload
+ * layout from RFC 2408 "ISAKMP" section 3.5
+ * A variable length SPI follows.
+ * Previous next payload: ISAKMP_NEXT_P
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! SPI (variable) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_proposal
+{
+ u_int8_t isap_np;
+ u_int8_t isap_reserved;
+ u_int16_t isap_length;
+ u_int8_t isap_proposal;
+ u_int8_t isap_protoid;
+ u_int8_t isap_spisize;
+ u_int8_t isap_notrans; /* Number of transforms */
+};
+
+extern struct_desc isakmp_proposal_desc;
+
+/* ISAKMP Transform Payload
+ * layout from RFC 2408 "ISAKMP" section 3.6
+ * Variable length SA Attributes follow.
+ * Previous next payload: ISAKMP_NEXT_T
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Transform # ! Transform-Id ! RESERVED2 !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ SA Attributes ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_transform
+{
+ u_int8_t isat_np;
+ u_int8_t isat_reserved;
+ u_int16_t isat_length;
+ u_int8_t isat_transnum; /* Number of the transform */
+ u_int8_t isat_transid;
+ u_int16_t isat_reserved2;
+};
+
+extern struct_desc
+ isakmp_isakmp_transform_desc,
+ isakmp_ah_transform_desc,
+ isakmp_esp_transform_desc,
+ isakmp_ipcomp_transform_desc;
+
+/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.7
+ * Variable Key Exchange Data follow the generic fields.
+ * Previous next payload: ISAKMP_NEXT_KE
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Key Exchange Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+extern struct_desc isakmp_keyex_desc;
+
+/* ISAKMP Identification Payload
+ * layout from RFC 2408 "ISAKMP" section 3.8
+ * See "struct identity" declared later.
+ * Variable length Identification Data follow.
+ * Previous next payload: ISAKMP_NEXT_ID
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! ID Type ! DOI Specific ID Data !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Identification Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_id
+{
+ u_int8_t isaid_np;
+ u_int8_t isaid_reserved;
+ u_int16_t isaid_length;
+ u_int8_t isaid_idtype;
+ u_int8_t isaid_doi_specific_a;
+ u_int16_t isaid_doi_specific_b;
+};
+
+extern struct_desc isakmp_identification_desc;
+
+/* IPSEC Identification Payload Content
+ * layout from RFC 2407 "IPsec DOI" section 4.6.2
+ * See struct isakmp_id declared earlier.
+ * Note: Hashing skips the ISAKMP generic payload header
+ * Variable length Identification Data follow.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! ID Type ! Protocol ID ! Port !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ~ Identification Data ~
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_ipsec_id
+{
+ u_int8_t isaiid_np;
+ u_int8_t isaiid_reserved;
+ u_int16_t isaiid_length;
+ u_int8_t isaiid_idtype;
+ u_int8_t isaiid_protoid;
+ u_int16_t isaiid_port;
+};
+
+extern struct_desc isakmp_ipsec_identification_desc;
+
+/* ISAKMP Certificate Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.9
+ * Variable length Certificate Data follow the generic fields.
+ * Previous next payload: ISAKMP_NEXT_CERT.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Cert Encoding ! !
+ * +-+-+-+-+-+-+-+-+ !
+ * ~ Certificate Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_cert
+{
+ u_int8_t isacert_np;
+ u_int8_t isacert_reserved;
+ u_int16_t isacert_length;
+ u_int8_t isacert_type;
+};
+
+/* NOTE: this packet type has a fixed portion that is not a
+ * multiple of 4 octets. This means that sizeof(struct isakmp_cert)
+ * yields the wrong value for the length.
+ */
+#define ISAKMP_CERT_SIZE 5
+
+extern struct_desc isakmp_ipsec_certificate_desc;
+
+/* ISAKMP Certificate Request Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.10
+ * Variable length Certificate Types and Certificate Authorities follow.
+ * Previous next payload: ISAKMP_NEXT_CR.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Cert. Type ! !
+ * +-+-+-+-+-+-+-+-+ !
+ * ~ Certificate Authority ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_cr
+{
+ u_int8_t isacr_np;
+ u_int8_t isacr_reserved;
+ u_int16_t isacr_length;
+ u_int8_t isacr_type;
+};
+
+/* NOTE: this packet type has a fixed portion that is not a
+ * multiple of 4 octets. This means that sizeof(struct isakmp_cr)
+ * yields the wrong value for the length.
+ */
+#define ISAKMP_CR_SIZE 5
+
+extern struct_desc isakmp_ipsec_cert_req_desc;
+
+/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.11
+ * Variable length Hash Data follow.
+ * Previous next payload: ISAKMP_NEXT_HASH.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Hash Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+extern struct_desc isakmp_hash_desc;
+
+/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.12
+ * Variable length Signature Data follow.
+ * Previous next payload: ISAKMP_NEXT_SIG.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Signature Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+extern struct_desc isakmp_signature_desc;
+
+/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
+ * layout from RFC 2408 "ISAKMP" section 3.13
+ * Variable length Nonce Data follow.
+ * Previous next payload: ISAKMP_NEXT_NONCE.
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Nonce Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+extern struct_desc isakmp_nonce_desc;
+
+/* ISAKMP Notification Payload
+ * layout from RFC 2408 "ISAKMP" section 3.14
+ * This is followed by a variable length SPI
+ * and then possibly by variable length Notification Data.
+ * Previous next payload: ISAKMP_NEXT_N
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Protocol-ID ! SPI Size ! Notify Message Type !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Security Parameter Index (SPI) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Notification Data ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_notification
+{
+ u_int8_t isan_np;
+ u_int8_t isan_reserved;
+ u_int16_t isan_length;
+ u_int32_t isan_doi;
+ u_int8_t isan_protoid;
+ u_int8_t isan_spisize;
+ u_int16_t isan_type;
+};
+
+extern struct_desc isakmp_notification_desc;
+
+/* ISAKMP Delete Payload
+ * layout from RFC 2408 "ISAKMP" section 3.15
+ * This is followed by a variable length SPI.
+ * Previous next payload: ISAKMP_NEXT_D
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Domain of Interpretation (DOI) !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Protocol-Id ! SPI Size ! # of SPIs !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Security Parameter Index(es) (SPI) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct isakmp_delete
+{
+ u_int8_t isad_np;
+ u_int8_t isad_reserved;
+ u_int16_t isad_length;
+ u_int32_t isad_doi;
+ u_int8_t isad_protoid;
+ u_int8_t isad_spisize;
+ u_int16_t isad_nospi;
+};
+
+extern struct_desc isakmp_delete_desc;
+
+/* From draft-dukes-ike-mode-cfg
+3.2. Attribute Payload
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Type ! RESERVED ! Identifier !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ! !
+ ~ Attributes ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+struct isakmp_mode_attr
+{
+ u_int8_t isama_np;
+ u_int8_t isama_reserved;
+ u_int16_t isama_length;
+ u_int8_t isama_type;
+ u_int8_t isama_reserved2;
+ u_int16_t isama_identifier;
+};
+
+extern struct_desc isakmp_attr_desc;
+extern struct_desc isakmp_modecfg_attribute_desc;
+
+/* ISAKMP Vendor ID Payload
+ * layout from RFC 2408 "ISAKMP" section 3.15
+ * This is followed by a variable length VID.
+ * Previous next payload: ISAKMP_NEXT_VID
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! Next Payload ! RESERVED ! Payload Length !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * ! !
+ * ~ Vendor ID (VID) ~
+ * ! !
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+extern struct_desc isakmp_vendor_id_desc;
+
+struct isakmp_nat_oa
+{
+ u_int8_t isanoa_np;
+ u_int8_t isanoa_reserved_1;
+ u_int16_t isanoa_length;
+ u_int8_t isanoa_idtype;
+ u_int8_t isanoa_reserved_2;
+ u_int16_t isanoa_reserved_3;
+};
+
+extern struct_desc isakmp_nat_d;
+extern struct_desc isakmp_nat_oa;
+
+/* union of all payloads */
+
+union payload {
+ struct isakmp_generic generic;
+ struct isakmp_sa sa;
+ struct isakmp_proposal proposal;
+ struct isakmp_transform transform;
+ struct isakmp_id id; /* Main Mode */
+ struct isakmp_cert cert;
+ struct isakmp_cr cr;
+ struct isakmp_ipsec_id ipsec_id; /* Quick Mode */
+ struct isakmp_notification notification;
+ struct isakmp_delete delete;
+ struct isakmp_nat_oa nat_oa;
+ struct isakmp_mode_attr attribute;
+};
+
+/* descriptor for each payload type
+ *
+ * There is a slight problem in that some payloads differ, depending
+ * on the mode. Since this is table only used for top-level payloads,
+ * Proposal and Transform payloads need not be handled.
+ * That leaves only Identification payloads as a problem.
+ * We make all these entries NULL
+ */
+extern struct_desc *const payload_descs[ISAKMP_NEXT_ROOF];
+
+#endif /* _PACKET_H */
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
new file mode 100644
index 000000000..db6d0d7e3
--- /dev/null
+++ b/src/pluto/pem.c
@@ -0,0 +1,463 @@
+/* Loading of PEM encoded files with optional encryption
+ * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pem.c,v 1.4 2005/08/17 16:31:24 as Exp $
+ */
+
+/* decrypt a PEM encoded data block using DES-EDE3-CBC
+ * see RFC 1423 PEM: Algorithms, Modes and Identifiers
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+#define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
+#include <libdes/des.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "md5.h"
+#include "whack.h"
+#include "pem.h"
+
+/*
+ * check the presence of a pattern in a character string
+ */
+static bool
+present(const char* pattern, chunk_t* ch)
+{
+ u_int pattern_len = strlen(pattern);
+
+ if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0)
+ {
+ ch->ptr += pattern_len;
+ ch->len -= pattern_len;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/*
+ * compare string with chunk
+ */
+static bool
+match(const char *pattern, const chunk_t *ch)
+{
+ return ch->len == strlen(pattern) &&
+ strncmp(pattern, ch->ptr, ch->len) == 0;
+}
+
+/*
+ * find a boundary of the form -----tag name-----
+ */
+static bool
+find_boundary(const char* tag, chunk_t *line)
+{
+ chunk_t name = empty_chunk;
+
+ if (!present("-----", line))
+ return FALSE;
+ if (!present(tag, line))
+ return FALSE;
+ if (*line->ptr != ' ')
+ return FALSE;
+ line->ptr++; line->len--;
+
+ /* extract name */
+ name.ptr = line->ptr;
+ while (line->len > 0)
+ {
+ if (present("-----", line))
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" -----%s %.*s-----",
+ tag, (int)name.len, name.ptr);
+ )
+ return TRUE;
+ }
+ line->ptr++; line->len--; name.len++;
+ }
+ return FALSE;
+}
+
+/*
+ * eat whitespace
+ */
+static void
+eat_whitespace(chunk_t *src)
+{
+ while (src->len > 0 && (*src->ptr == ' ' || *src->ptr == '\t'))
+ {
+ src->ptr++; src->len--;
+ }
+}
+
+/*
+ * extracts a token ending with a given termination symbol
+ */
+static bool
+extract_token(chunk_t *token, char termination, chunk_t *src)
+{
+ u_char *eot = memchr(src->ptr, termination, src->len);
+
+ /* initialize empty token */
+ *token = empty_chunk;
+
+ if (eot == NULL) /* termination symbol not found */
+ return FALSE;
+
+ /* extract token */
+ token->ptr = src->ptr;
+ token->len = (u_int)(eot - src->ptr);
+
+ /* advance src pointer after termination symbol */
+ src->ptr = eot + 1;
+ src->len -= (token->len + 1);
+
+ return TRUE;
+}
+
+/*
+ * extracts a name: value pair from the PEM header
+ */
+static bool
+extract_parameter(chunk_t *name, chunk_t *value, chunk_t *line)
+{
+ DBG(DBG_PARSING,
+ DBG_log(" %.*s", (int)line->len, line->ptr);
+ )
+
+ /* extract name */
+ if (!extract_token(name,':', line))
+ return FALSE;
+
+ eat_whitespace(line);
+
+ /* extract value */
+ *value = *line;
+ return TRUE;
+}
+
+/*
+ * fetches a new line terminated by \n or \r\n
+ */
+static bool
+fetchline(chunk_t *src, chunk_t *line)
+{
+ if (src->len == 0) /* end of src reached */
+ return FALSE;
+
+ if (extract_token(line, '\n', src))
+ {
+ if (line->len > 0 && *(line->ptr + line->len -1) == '\r')
+ line->len--; /* remove optional \r */
+ }
+ else /*last line ends without newline */
+ {
+ *line = *src;
+ src->ptr += src->len;
+ src->len = 0;
+ }
+ return TRUE;
+}
+
+/*
+ * decrypts a DES-EDE-CBC encrypted data block
+ */
+static bool
+pem_decrypt_3des(chunk_t *blob, chunk_t *iv, const char *passphrase)
+{
+ MD5_CTX context;
+ u_char digest[MD5_DIGEST_SIZE];
+ u_char des_iv[DES_CBC_BLOCK_SIZE];
+ u_char key[24];
+ des_cblock *deskey = (des_cblock *)key;
+ des_key_schedule ks[3];
+ u_char padding, *last_padding_pos, *first_padding_pos;
+
+ /* Convert passphrase to 3des key */
+ MD5Init(&context);
+ MD5Update(&context, passphrase, strlen(passphrase));
+ MD5Update(&context, iv->ptr, iv->len);
+ MD5Final(digest, &context);
+
+ memcpy(key, digest, MD5_DIGEST_SIZE);
+
+ MD5Init(&context);
+ MD5Update(&context, digest, MD5_DIGEST_SIZE);
+ MD5Update(&context, passphrase, strlen(passphrase));
+ MD5Update(&context, iv->ptr, iv->len);
+ MD5Final(digest, &context);
+
+ memcpy(key + MD5_DIGEST_SIZE, digest, 24 - MD5_DIGEST_SIZE);
+
+ (void) des_set_key(&deskey[0], ks[0]);
+ (void) des_set_key(&deskey[1], ks[1]);
+ (void) des_set_key(&deskey[2], ks[2]);
+
+ /* decrypt data block */
+ memcpy(des_iv, iv->ptr, DES_CBC_BLOCK_SIZE);
+ des_ede3_cbc_encrypt((des_cblock *)blob->ptr, (des_cblock *)blob->ptr,
+ blob->len, ks[0], ks[1], ks[2], (des_cblock *)des_iv, FALSE);
+
+ /* determine amount of padding */
+ last_padding_pos = blob->ptr + blob->len - 1;
+ padding = *last_padding_pos;
+ first_padding_pos = (padding > blob->len)?
+ blob->ptr : last_padding_pos - padding;
+
+ /* check the padding pattern */
+ while (--last_padding_pos > first_padding_pos)
+ {
+ if (*last_padding_pos != padding)
+ return FALSE;
+ }
+
+ /* remove padding */
+ blob->len -= padding;
+ return TRUE;
+}
+
+/*
+ * optionally prompts for a passphrase before decryption
+ * currently we support DES-EDE3-CBC, only
+ */
+static err_t
+pem_decrypt(chunk_t *blob, chunk_t *iv, prompt_pass_t *pass, const char* label)
+{
+ DBG(DBG_CRYPT,
+ DBG_log(" decrypting file using 'DES-EDE3-CBC'");
+ )
+ if (iv->len != DES_CBC_BLOCK_SIZE)
+ return "size of DES-EDE3-CBC IV is not 8 bytes";
+
+ if (pass == NULL)
+ return "no passphrase available";
+
+ /* do we prompt for the passphrase? */
+ if (pass->prompt && pass->fd != NULL_FD)
+ {
+ int i;
+ chunk_t blob_copy;
+ err_t ugh = "invalid passphrase, too many trials";
+
+ whack_log(RC_ENTERSECRET, "need passphrase for '%s'", label);
+
+ for (i = 0; i < MAX_PROMPT_PASS_TRIALS; i++)
+ {
+ int n;
+
+ if (i > 0)
+ whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+
+ n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+
+ if (n == -1)
+ {
+ err_t ugh = "read(whackfd) failed";
+
+ whack_log(RC_LOG_SERIOUS,ugh);
+ return ugh;
+ }
+
+ pass->secret[n-1] = '\0';
+
+ if (strlen(pass->secret) == 0)
+ {
+ err_t ugh = "no passphrase entered, aborted";
+
+ whack_log(RC_LOG_SERIOUS, ugh);
+ return ugh;
+ }
+
+ clonetochunk(blob_copy, blob->ptr, blob->len, "blob copy");
+
+ if (pem_decrypt_3des(blob, iv, pass->secret))
+ {
+ whack_log(RC_SUCCESS, "valid passphrase");
+ pfree(blob_copy.ptr);
+ return NULL;
+ }
+
+ /* blob is useless after wrong decryption, restore the original */
+ pfree(blob->ptr);
+ *blob = blob_copy;
+ }
+ whack_log(RC_LOG_SERIOUS, ugh);
+ return ugh;
+ }
+ else
+ {
+ if (pem_decrypt_3des(blob, iv, pass->secret))
+ return NULL;
+ else
+ return "invalid passphrase";
+ }
+}
+
+/* Converts a PEM encoded file into its binary form
+ *
+ * RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
+ * RFC 934 Message Encapsulation, January 1985
+ */
+err_t
+pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label, bool *pgp)
+{
+ typedef enum {
+ PEM_PRE = 0,
+ PEM_MSG = 1,
+ PEM_HEADER = 2,
+ PEM_BODY = 3,
+ PEM_POST = 4,
+ PEM_ABORT = 5
+ } state_t;
+
+ bool encrypted = FALSE;
+
+ state_t state = PEM_PRE;
+
+ chunk_t src = *blob;
+ chunk_t dst = *blob;
+ chunk_t line = empty_chunk;
+ chunk_t iv = empty_chunk;
+
+ u_char iv_buf[MAX_DIGEST_LEN];
+
+ /* zero size of converted blob */
+ dst.len = 0;
+
+ /* zero size of IV */
+ iv.ptr = iv_buf;
+ iv.len = 0;
+
+ while (fetchline(&src, &line))
+ {
+ if (state == PEM_PRE)
+ {
+ if (find_boundary("BEGIN", &line))
+ {
+ *pgp = FALSE;
+ state = PEM_MSG;
+ }
+ continue;
+ }
+ else
+ {
+ if (find_boundary("END", &line))
+ {
+ state = PEM_POST;
+ break;
+ }
+ if (state == PEM_MSG)
+ {
+ state = (memchr(line.ptr, ':', line.len) == NULL)?
+ PEM_BODY : PEM_HEADER;
+ }
+ if (state == PEM_HEADER)
+ {
+ chunk_t name = empty_chunk;
+ chunk_t value = empty_chunk;
+
+ /* an empty line separates HEADER and BODY */
+ if (line.len == 0)
+ {
+ state = PEM_BODY;
+ continue;
+ }
+
+ /* we are looking for a name: value pair */
+ if (!extract_parameter(&name, &value, &line))
+ continue;
+
+ if (match("Proc-Type", &name) && *value.ptr == '4')
+ encrypted = TRUE;
+ else if (match("DEK-Info", &name))
+ {
+ const char *ugh = NULL;
+ size_t len = 0;
+ chunk_t dek;
+
+ if (!extract_token(&dek, ',', &value))
+ dek = value;
+
+ /* we support DES-EDE3-CBC encrypted files, only */
+ if (!match("DES-EDE3-CBC", &dek))
+ return "we support DES-EDE3-CBC encrypted files, only";
+
+ eat_whitespace(&value);
+ ugh = ttodata(value.ptr, value.len, 16,
+ iv.ptr, MAX_DIGEST_LEN, &len);
+ if (ugh)
+ return "error in IV";
+
+ iv.len = len;
+ }
+ }
+ else /* state is PEM_BODY */
+ {
+ const char *ugh = NULL;
+ size_t len = 0;
+ chunk_t data;
+
+ /* remove any trailing whitespace */
+ if (!extract_token(&data ,' ', &line))
+ data = line;
+
+ /* check for PGP armor checksum */
+ if (*data.ptr == '=')
+ {
+ *pgp = TRUE;
+ data.ptr++;
+ data.len--;
+ DBG(DBG_PARSING,
+ DBG_log(" Armor checksum: %.*s", (int)data.len, data.ptr);
+ )
+ continue;
+ }
+
+ ugh = ttodata(data.ptr, data.len, 64,
+ dst.ptr, blob->len - dst.len, &len);
+ if (ugh)
+ {
+ DBG(DBG_PARSING,
+ DBG_log(" %s", ugh);
+ )
+ state = PEM_ABORT;
+ break;
+ }
+ else
+ {
+ dst.ptr += len;
+ dst.len += len;
+ }
+ }
+ }
+ }
+ /* set length to size of binary blob */
+ blob->len = dst.len;
+
+ if (state != PEM_POST)
+ return "file coded in unknown format, discarded";
+
+ if (encrypted)
+ return pem_decrypt(blob, &iv, pass, label);
+ else
+ return NULL;
+}
diff --git a/src/pluto/pem.h b/src/pluto/pem.h
new file mode 100644
index 000000000..815b5d85b
--- /dev/null
+++ b/src/pluto/pem.h
@@ -0,0 +1,18 @@
+/* Loading of PEM encoded files with optional encryption
+ * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pem.h,v 1.1 2004/03/15 20:35:28 as Exp $
+ */
+
+extern err_t pemtobin(chunk_t *blob, prompt_pass_t *pass, const char* label
+ , bool *pgp);
diff --git a/src/pluto/pgp.c b/src/pluto/pgp.c
new file mode 100644
index 000000000..307303f6b
--- /dev/null
+++ b/src/pluto/pgp.c
@@ -0,0 +1,647 @@
+/* Support of OpenPGP certificates
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pgp.c,v 1.7 2006/01/04 21:00:43 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "log.h"
+#include "id.h"
+#include "pgp.h"
+#include "certs.h"
+#include "md5.h"
+#include "whack.h"
+#include "pkcs1.h"
+#include "keys.h"
+
+/*
+ * chained list of OpenPGP end certificates
+ */
+static pgpcert_t *pgpcerts = NULL;
+
+/*
+ * OpenPGP packet tags defined in section 4.3 of RFC 2440
+ */
+#define PGP_PKT_RESERVED 0
+#define PGP_PKT_PUBKEY_ENC_SESSION_KEY 1
+#define PGP_PKT_SIGNATURE 2
+#define PGP_PKT_SYMKEY_ENC_SESSION_KEY 3
+#define PGP_PKT_ONE_PASS_SIGNATURE_PKT 4
+#define PGP_PKT_SECRET_KEY 5
+#define PGP_PKT_PUBLIC_KEY 6
+#define PGP_PKT_SECRET_SUBKEY 7
+#define PGP_PKT_COMPRESSED_DATA 8
+#define PGP_PKT_SYMKEY_ENC_DATA 9
+#define PGP_PKT_MARKER 10
+#define PGP_PKT_LITERAL_DATA 11
+#define PGP_PKT_TRUST 12
+#define PGP_PKT_USER_ID 13
+#define PGP_PKT_PUBLIC_SUBKEY 14
+#define PGP_PKT_ROOF 15
+
+static const char *const pgp_packet_type_name[] = {
+ "Reserved",
+ "Public-Key Encrypted Session Key Packet",
+ "Signature Packet",
+ "Symmetric-Key Encrypted Session Key Packet",
+ "One-Pass Signature Packet",
+ "Secret Key Packet",
+ "Public Key Packet",
+ "Secret Subkey Packet",
+ "Compressed Data Packet",
+ "Symmetrically Encrypted Data Packet",
+ "Marker Packet",
+ "Literal Data Packet",
+ "Trust Packet",
+ "User ID Packet",
+ "Public Subkey Packet"
+};
+
+/*
+ * OpenPGP public key algorithms defined in section 9.1 of RFC 2440
+ */
+#define PGP_PUBKEY_ALG_RSA 1
+#define PGP_PUBKEY_ALG_RSA_ENC_ONLY 2
+#define PGP_PUBKEY_ALG_RSA_SIGN_ONLY 3
+#define PGP_PUBKEY_ALG_ELGAMAL_ENC_ONLY 16
+#define PGP_PUBKEY_ALG_DSA 17
+#define PGP_PUBKEY_ALG_ECC 18
+#define PGP_PUBKEY_ALG_ECDSA 19
+#define PGP_PUBKEY_ALG_ELGAMAL 20
+
+/*
+ * OpenPGP symmetric key algorithms defined in section 9.2 of RFC 2440
+ */
+#define PGP_SYM_ALG_PLAIN 0
+#define PGP_SYM_ALG_IDEA 1
+#define PGP_SYM_ALG_3DES 2
+#define PGP_SYM_ALG_CAST5 3
+#define PGP_SYM_ALG_BLOWFISH 4
+#define PGP_SYM_ALG_SAFER 5
+#define PGP_SYM_ALG_DES 6
+#define PGP_SYM_ALG_AES 7
+#define PGP_SYM_ALG_AES_192 8
+#define PGP_SYM_ALG_AES_256 9
+#define PGP_SYM_ALG_TWOFISH 10
+#define PGP_SYM_ALG_ROOF 11
+
+static const char *const pgp_sym_alg_name[] = {
+ "Plaintext",
+ "IDEA",
+ "3DES",
+ "CAST5",
+ "Blowfish",
+ "SAFER",
+ "DES",
+ "AES",
+ "AES-192",
+ "AES-256",
+ "Twofish"
+};
+
+/*
+ * Size of PGP Key ID
+ */
+#define PGP_KEYID_SIZE 8
+
+const pgpcert_t empty_pgpcert = {
+ NULL , /* *next */
+ 0 , /* installed */
+ 0 , /* count */
+ { NULL, 0 }, /* certificate */
+ 0 , /* created */
+ 0 , /* until */
+ 0 , /* pubkeyAlgorithm */
+ { NULL, 0 }, /* modulus */
+ { NULL, 0 }, /* publicExponent */
+ "" /* fingerprint */
+};
+
+static size_t
+pgp_size(chunk_t *blob, int len)
+{
+ size_t size = 0;
+
+ blob->len -= len;
+ while (len-- > 0)
+ size = 256*size + *blob->ptr++;
+ return size;
+}
+
+/*
+ * extracts the length of a PGP packet
+ */
+static size_t
+pgp_old_packet_length(chunk_t *blob)
+{
+ /* bits 0 and 1 define the packet length type */
+ int len_type = 0x03 & *blob->ptr++;
+
+ blob->len--;
+
+ /* len_type: 0 -> 1 byte, 1 -> 2 bytes, 2 -> 4 bytes */
+ return pgp_size(blob, (len_type == 0)? 1: len_type << 1);
+}
+
+/*
+ * extracts PGP packet version (V3 or V4)
+ */
+static u_char
+pgp_version(chunk_t *blob)
+{
+ u_char version = *blob->ptr++;
+ blob->len--;
+ DBG(DBG_PARSING,
+ DBG_log("L3 - version:");
+ DBG_log(" V%d", version)
+ )
+ return version;
+}
+
+/*
+ * Parse OpenPGP public key packet defined in section 5.5.2 of RFC 2440
+ */
+static bool
+parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
+{
+ u_char version = pgp_version(packet);
+
+ if (version < 3 || version > 4)
+ {
+ plog("PGP packet version V%d not supported", version);
+ return FALSE;
+ }
+
+ /* creation date - 4 bytes */
+ cert->created = (time_t)pgp_size(packet, 4);
+ DBG(DBG_PARSING,
+ DBG_log("L3 - created:");
+ DBG_log(" %s", timetoa(&cert->created, TRUE))
+ )
+
+ if (version == 3)
+ {
+ /* validity in days - 2 bytes */
+ cert->until = (time_t)pgp_size(packet, 2);
+
+ /* validity of 0 days means that the key never expires */
+ if (cert->until > 0)
+ cert->until = cert->created + 24*3600*cert->until;
+
+ DBG(DBG_PARSING,
+ DBG_log("L3 - until:");
+ DBG_log(" %s", timetoa(&cert->until, TRUE));
+ )
+ }
+
+ /* public key algorithm - 1 byte */
+ DBG(DBG_PARSING,
+ DBG_log("L3 - public key algorithm:")
+ )
+
+ switch (pgp_size(packet, 1))
+ {
+ case PGP_PUBKEY_ALG_RSA:
+ case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
+ cert->pubkeyAlg = PUBKEY_ALG_RSA;
+ DBG(DBG_PARSING,
+ DBG_log(" RSA")
+ )
+ /* modulus n */
+ cert->modulus.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
+ cert->modulus.ptr = packet->ptr;
+ packet->ptr += cert->modulus.len;
+ packet->len -= cert->modulus.len;
+ DBG(DBG_PARSING,
+ DBG_log("L3 - modulus:")
+ )
+ DBG_cond_dump_chunk(DBG_RAW, "", cert->modulus);
+
+ /* public exponent e */
+ cert->publicExponent.len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
+ cert->publicExponent.ptr = packet->ptr;
+ packet->ptr += cert->publicExponent.len;
+ packet->len -= cert->publicExponent.len;
+ DBG(DBG_PARSING,
+ DBG_log("L3 - public exponent:")
+ )
+ DBG_cond_dump_chunk(DBG_RAW, "", cert->publicExponent);
+
+ if (version == 3)
+ {
+ /* a V3 fingerprint is the MD5 hash of modulus and public exponent */
+ MD5_CTX context;
+ MD5Init(&context);
+ MD5Update(&context, cert->modulus.ptr, cert->modulus.len);
+ MD5Update(&context, cert->publicExponent.ptr, cert->publicExponent.len);
+ MD5Final(cert->fingerprint, &context);
+ }
+ else
+ {
+ plog(" computation of V4 key ID not implemented yet");
+ }
+ break;
+ case PGP_PUBKEY_ALG_DSA:
+ cert->pubkeyAlg = PUBKEY_ALG_DSA;
+ DBG(DBG_PARSING,
+ DBG_log(" DSA")
+ )
+ plog(" DSA public keys not supported");
+ return FALSE;
+ default:
+ cert->pubkeyAlg = 0;
+ DBG(DBG_PARSING,
+ DBG_log(" other")
+ )
+ plog(" exotic not RSA public keys not supported");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*
+ * Parse OpenPGP secret key packet defined in section 5.5.3 of RFC 2440
+ */
+static bool
+parse_pgp_secretkey_packet(chunk_t *packet, RSA_private_key_t *key)
+{
+ int i, s2k;
+ pgpcert_t cert = empty_pgpcert;
+
+ if (!parse_pgp_pubkey_packet(packet, &cert))
+ return FALSE;
+
+ init_RSA_public_key((RSA_public_key_t *)key, cert.publicExponent
+ , cert.modulus);
+
+ /* string-to-key usage */
+ s2k = pgp_size(packet, 1);
+
+ DBG(DBG_PARSING,
+ DBG_log("L3 - string-to-key: %d", s2k)
+ )
+
+ if (s2k == 255)
+ {
+ plog(" string-to-key specifiers not supported");
+ return FALSE;
+ }
+
+ if (s2k >= PGP_SYM_ALG_ROOF)
+ {
+ plog(" undefined symmetric key algorithm");
+ return FALSE;
+ }
+
+ /* a known symmetric key algorithm is specified*/
+ DBG(DBG_PARSING,
+ DBG_log(" %s", pgp_sym_alg_name[s2k])
+ )
+
+ /* private key is unencrypted */
+ if (s2k == PGP_SYM_ALG_PLAIN)
+ {
+ for (i = 2; i < RSA_PRIVATE_FIELD_ELEMENTS; i++)
+ {
+ mpz_t u; /* auxiliary variable */
+
+ /* compute offset to private key component i*/
+ MP_INT *n = (MP_INT*)((char *)key + RSA_private_field[i].offset);
+
+ switch (i)
+ {
+ case 2:
+ case 3:
+ case 4:
+ {
+ size_t len = (pgp_size(packet, 2)+7) / BITS_PER_BYTE;
+
+ n_to_mpz(n, packet->ptr, len);
+ DBG(DBG_PARSING,
+ DBG_log("L3 - %s:", RSA_private_field[i].name)
+ )
+ DBG_cond_dump(DBG_PRIVATE, "", packet->ptr, len);
+ packet->ptr += len;
+ packet->len -= len;
+ }
+ break;
+ case 5: /* dP = d mod (p-1) */
+ mpz_init(u);
+ mpz_sub_ui(u, &key->p, 1);
+ mpz_mod(n, &key->d, u);
+ mpz_clear(u);
+ break;
+ case 6: /* dQ = d mod (q-1) */
+ mpz_init(u);
+ mpz_sub_ui(u, &key->q, 1);
+ mpz_mod(n, &key->d, u);
+ mpz_clear(u);
+ break;
+ case 7: /* qInv = (q^-1) mod p */
+ mpz_invert(n, &key->q, &key->p);
+ if (mpz_cmp_ui(n, 0) < 0)
+ mpz_add(n, n, &key->p);
+ passert(mpz_cmp(n, &key->p) < 0);
+ break;
+ }
+ }
+ return TRUE;
+ }
+
+ plog(" %s encryption not supported", pgp_sym_alg_name[s2k]);
+ return FALSE;
+}
+
+/*
+ * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
+ */
+static bool
+parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
+{
+ time_t created;
+ chunk_t keyid;
+ u_char sig_type;
+ u_char version = pgp_version(packet);
+
+ /* we parse only V3 signature packets */
+ if (version != 3)
+ return TRUE;
+
+ /* size byte must have the value 5 */
+ if (pgp_size(packet, 1) != 5)
+ {
+ plog(" size must be 5");
+ return FALSE;
+ }
+
+ /* signature type - 1 byte */
+ sig_type = (u_char)pgp_size(packet, 1);
+ DBG(DBG_PARSING,
+ DBG_log("L3 - signature type: 0x%2x", sig_type)
+ )
+
+ /* creation date - 4 bytes */
+ created = (time_t)pgp_size(packet, 4);
+ DBG(DBG_PARSING,
+ DBG_log("L3 - created:");
+ DBG_log(" %s", timetoa(&cert->created, TRUE))
+ )
+
+ /* key ID of signer - 8 bytes */
+ keyid.ptr = packet->ptr;
+ keyid.len = PGP_KEYID_SIZE;
+ DBG_cond_dump_chunk(DBG_PARSING, "L3 - key ID of signer", keyid);
+
+ return TRUE;
+}
+
+bool
+parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key)
+{
+ DBG(DBG_PARSING,
+ DBG_log("L0 - PGP file:")
+ )
+ DBG_cond_dump_chunk(DBG_RAW, "", blob);
+
+ if (cert != NULL)
+ {
+ /* parse a PGP certificate file */
+ cert->certificate = blob;
+ time(&cert->installed);
+ }
+ else if (key == NULL)
+ {
+ /* should not occur, nothing to parse */
+ return FALSE;
+ }
+
+ while (blob.len > 0)
+ {
+ chunk_t packet = empty_chunk;
+ u_char packet_tag = *blob.ptr;
+
+ DBG(DBG_PARSING,
+ DBG_log("L1 - PGP packet: tag= 0x%2x", packet_tag)
+ )
+
+ /* bit 7 must be set */
+ if (!(packet_tag & 0x80))
+ {
+ plog(" incorrect Packet Tag");
+ return FALSE;
+ }
+
+ /* bit 6 set defines new packet format */
+ if (packet_tag & 0x40)
+ {
+ plog(" new PGP packet format not supported");
+ return FALSE;
+ }
+ else
+ {
+ int packet_type = (packet_tag & 0x3C) >> 2;
+
+ packet.len = pgp_old_packet_length(&blob);
+ packet.ptr = blob.ptr;
+ blob.ptr += packet.len;
+ blob.len -= packet.len;
+ DBG(DBG_PARSING,
+ DBG_log(" %s (%d), old format, %d bytes",
+ (packet_type < PGP_PKT_ROOF) ?
+ pgp_packet_type_name[packet_type] :
+ "Undefined Packet Type", packet_type, (int)packet.len);
+ DBG_log("L2 - body:")
+ )
+ DBG_cond_dump_chunk(DBG_RAW, "", packet);
+
+ if (cert != NULL)
+ {
+ /* parse a PGP certificate */
+ switch (packet_type)
+ {
+ case PGP_PKT_PUBLIC_KEY:
+ if (!parse_pgp_pubkey_packet(&packet, cert))
+ return FALSE;
+ break;
+ case PGP_PKT_SIGNATURE:
+ if (!parse_pgp_signature_packet(&packet, cert))
+ return FALSE;
+ break;
+ case PGP_PKT_USER_ID:
+ DBG(DBG_PARSING,
+ DBG_log("L3 - user ID:");
+ DBG_log(" '%.*s'", (int)packet.len, packet.ptr)
+ )
+ break;
+ default:
+ break;
+ }
+ }
+ else
+ {
+ /* parse a PGP private key file */
+ switch (packet_type)
+ {
+ case PGP_PKT_SECRET_KEY:
+ if (!parse_pgp_secretkey_packet(&packet, key))
+ return FALSE;
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ }
+ return TRUE;
+}
+
+/*
+ * compare two OpenPGP certificates
+ */
+static bool
+same_pgpcert(pgpcert_t *a, pgpcert_t *b)
+{
+ return a->certificate.len == b->certificate.len &&
+ memcmp(a->certificate.ptr, b->certificate.ptr, b->certificate.len) == 0;
+}
+
+/*
+ * for each link pointing to the certificate increase the count by one
+ */
+void
+share_pgpcert(pgpcert_t *cert)
+{
+ if (cert != NULL)
+ cert->count++;
+}
+
+/*
+ * select the OpenPGP keyid as ID
+ */
+void
+select_pgpcert_id(pgpcert_t *cert, struct id *end_id)
+{
+ end_id->kind = ID_KEY_ID;
+ end_id->name.len = PGP_FINGERPRINT_SIZE;
+ end_id->name.ptr = cert->fingerprint;
+ end_id->name.ptr = temporary_cyclic_buffer();
+ memcpy(end_id->name.ptr, cert->fingerprint, PGP_FINGERPRINT_SIZE);
+}
+
+/*
+ * add an OpenPGP user/host certificate to the chained list
+ */
+pgpcert_t*
+add_pgpcert(pgpcert_t *cert)
+{
+ pgpcert_t *c = pgpcerts;
+
+ while (c != NULL)
+ {
+ if (same_pgpcert(c, cert)) /* already in chain, free cert */
+ {
+ free_pgpcert(cert);
+ return c;
+ }
+ c = c->next;
+ }
+
+ /* insert new cert at the root of the chain */
+ cert->next = pgpcerts;
+ pgpcerts = cert;
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log(" pgp cert inserted")
+ )
+ return cert;
+}
+
+/* release of a certificate decreases the count by one
+ " the certificate is freed when the counter reaches zero
+ */
+void
+release_pgpcert(pgpcert_t *cert)
+{
+ if (cert != NULL && --cert->count == 0)
+ {
+ pgpcert_t **pp = &pgpcerts;
+ while (*pp != cert)
+ pp = &(*pp)->next;
+ *pp = cert->next;
+ free_pgpcert(cert);
+ }
+}
+
+/*
+ * free a PGP certificate
+ */
+void
+free_pgpcert(pgpcert_t *cert)
+{
+ if (cert != NULL)
+ {
+ if (cert->certificate.ptr != NULL)
+ pfree(cert->certificate.ptr);
+ pfree(cert);
+ }
+}
+
+/*
+ * list all PGP end certificates in a chained list
+ */
+void
+list_pgp_end_certs(bool utc)
+{
+ pgpcert_t *cert = pgpcerts;
+ time_t now;
+
+ /* determine the current time */
+ time(&now);
+
+ if (cert != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of PGP End certificates:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (cert != NULL)
+ {
+ unsigned keysize;
+ char buf[BUF_LEN];
+ cert_t c;
+
+ c.type = CERT_PGP;
+ c.u.pgp = cert;
+
+ whack_log(RC_COMMENT, "%s, count: %d", timetoa(&cert->installed, utc), cert->count);
+ datatot(cert->fingerprint, PGP_FINGERPRINT_SIZE, 'x', buf, BUF_LEN);
+ whack_log(RC_COMMENT, " fingerprint: %s", buf);
+ form_keyid(cert->publicExponent, cert->modulus, buf, &keysize);
+ whack_log(RC_COMMENT, " pubkey: %4d RSA Key %s%s", 8*keysize, buf,
+ (has_private_key(c))? ", has private key" : "");
+ whack_log(RC_COMMENT, " created: %s", timetoa(&cert->created, utc));
+ whack_log(RC_COMMENT, " until: %s %s", timetoa(&cert->until, utc),
+ check_expiry(cert->until, CA_CERT_WARNING_INTERVAL, TRUE));
+ cert = cert->next;
+ }
+}
+
diff --git a/src/pluto/pgp.h b/src/pluto/pgp.h
new file mode 100644
index 000000000..4f34debc9
--- /dev/null
+++ b/src/pluto/pgp.h
@@ -0,0 +1,54 @@
+/* Support of OpenPGP certificates
+ * Copyright (C) 2002-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pgp.h,v 1.3 2005/08/07 07:50:09 as Exp $
+ */
+
+#ifndef _PGP_H
+#define _PGP_H
+
+#include "pkcs1.h"
+/*
+ * Length of PGP V3 fingerprint
+ */
+#define PGP_FINGERPRINT_SIZE MD5_DIGEST_SIZE
+
+typedef char fingerprint_t[PGP_FINGERPRINT_SIZE];
+
+/* access structure for an OpenPGP certificate */
+
+typedef struct pgpcert pgpcert_t;
+
+struct pgpcert {
+ pgpcert_t *next;
+ time_t installed;
+ int count;
+ chunk_t certificate;
+ time_t created;
+ time_t until;
+ enum pubkey_alg pubkeyAlg;
+ chunk_t modulus;
+ chunk_t publicExponent;
+ fingerprint_t fingerprint;
+};
+
+extern const pgpcert_t empty_pgpcert;
+extern bool parse_pgp(chunk_t blob, pgpcert_t *cert, RSA_private_key_t *key);
+extern void share_pgpcert(pgpcert_t *cert);
+extern void select_pgpcert_id(pgpcert_t *cert, struct id *end_id);
+extern pgpcert_t* add_pgpcert(pgpcert_t *cert);
+extern void list_pgp_end_certs(bool utc);
+extern void release_pgpcert(pgpcert_t *cert);
+extern void free_pgpcert(pgpcert_t *cert);
+
+#endif /* _PGP_H */
diff --git a/src/pluto/pkcs1.c b/src/pluto/pkcs1.c
new file mode 100644
index 000000000..ade5fdd94
--- /dev/null
+++ b/src/pluto/pkcs1.c
@@ -0,0 +1,674 @@
+/* Support of PKCS#1 private key data structures
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2005 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs1.c,v 1.17 2006/01/04 21:00:43 as Exp $
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <freeswan.h>
+#include <libsha2/sha2.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "asn1.h"
+#include "oid.h"
+#include "log.h"
+#include "pkcs1.h"
+#include "md2.h"
+#include "md5.h"
+#include "sha1.h"
+#include "rnd.h"
+
+const struct fld RSA_private_field[] =
+{
+ { "Modulus", offsetof(RSA_private_key_t, pub.n) },
+ { "PublicExponent", offsetof(RSA_private_key_t, pub.e) },
+
+ { "PrivateExponent", offsetof(RSA_private_key_t, d) },
+ { "Prime1", offsetof(RSA_private_key_t, p) },
+ { "Prime2", offsetof(RSA_private_key_t, q) },
+ { "Exponent1", offsetof(RSA_private_key_t, dP) },
+ { "Exponent2", offsetof(RSA_private_key_t, dQ) },
+ { "Coefficient", offsetof(RSA_private_key_t, qInv) },
+};
+
+/* ASN.1 definition of a PKCS#1 RSA private key */
+
+static const asn1Object_t privkeyObjects[] = {
+ { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
+ { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
+ { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
+ { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
+ { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
+ { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
+ { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 10 */
+ { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
+ { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
+ { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
+ { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END } /* 15 */
+};
+
+#define PKCS1_PRIV_KEY_VERSION 1
+#define PKCS1_PRIV_KEY_MODULUS 2
+#define PKCS1_PRIV_KEY_PUB_EXP 3
+#define PKCS1_PRIV_KEY_COEFF 9
+#define PKCS1_PRIV_KEY_ROOF 16
+
+
+/*
+ * forms the FreeS/WAN keyid from the public exponent e and modulus n
+ */
+void
+form_keyid(chunk_t e, chunk_t n, char* keyid, unsigned *keysize)
+{
+ /* eliminate leading zero bytes in modulus from ASN.1 coding */
+ while (n.len > 1 && *n.ptr == 0x00)
+ {
+ n.ptr++; n.len--;
+ }
+
+ /* form the FreeS/WAN keyid */
+ keyid[0] = '\0'; /* in case of splitkeytoid failure */
+ splitkeytoid(e.ptr, e.len, n.ptr, n.len, keyid, KEYID_BUF);
+
+ /* return the RSA modulus size in octets */
+ *keysize = n.len;
+}
+
+/*
+ * initialize an RSA_public_key_t object
+ */
+void
+init_RSA_public_key(RSA_public_key_t *rsa, chunk_t e, chunk_t n)
+{
+ n_to_mpz(&rsa->e, e.ptr, e.len);
+ n_to_mpz(&rsa->n, n.ptr, n.len);
+
+ form_keyid(e, n, rsa->keyid, &rsa->k);
+}
+
+#ifdef DEBUG
+static void
+RSA_show_key_fields(RSA_private_key_t *k, int fieldcnt)
+{
+ const struct fld *p;
+
+ DBG_log(" keyid: *%s", k->pub.keyid);
+
+ for (p = RSA_private_field; p < &RSA_private_field[fieldcnt]; p++)
+ {
+ MP_INT *n = (MP_INT *) ((char *)k + p->offset);
+ size_t sz = mpz_sizeinbase(n, 16);
+ char buf[RSA_MAX_OCTETS * 2 + 2]; /* ought to be big enough */
+
+ passert(sz <= sizeof(buf));
+ mpz_get_str(buf, 16, n);
+
+ DBG_log(" %s: 0x%s", p->name, buf);
+ }
+}
+
+/* debugging info that compromises security! */
+void
+RSA_show_private_key(RSA_private_key_t *k)
+{
+ RSA_show_key_fields(k, elemsof(RSA_private_field));
+}
+
+void
+RSA_show_public_key(RSA_public_key_t *k)
+{
+ /* Kludge: pretend that it is a private key, but only display the
+ * first two fields (which are the public key).
+ */
+ passert(offsetof(RSA_private_key_t, pub) == 0);
+ RSA_show_key_fields((RSA_private_key_t *)k, 2);
+}
+#endif
+
+err_t
+RSA_private_key_sanity(RSA_private_key_t *k)
+{
+ /* note that the *last* error found is reported */
+ err_t ugh = NULL;
+ mpz_t t, u, q1;
+
+#ifdef DEBUG /* debugging info that compromises security */
+ DBG(DBG_PRIVATE, RSA_show_private_key(k));
+#endif
+
+ /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
+ * We actually require more (for security).
+ */
+ if (k->pub.k < RSA_MIN_OCTETS)
+ return RSA_MIN_OCTETS_UGH;
+
+ /* we picked a max modulus size to simplify buffer allocation */
+ if (k->pub.k > RSA_MAX_OCTETS)
+ return RSA_MAX_OCTETS_UGH;
+
+ mpz_init(t);
+ mpz_init(u);
+ mpz_init(q1);
+
+ /* check that n == p * q */
+ mpz_mul(u, &k->p, &k->q);
+ if (mpz_cmp(u, &k->pub.n) != 0)
+ ugh = "n != p * q";
+
+ /* check that e divides neither p-1 nor q-1 */
+ mpz_sub_ui(t, &k->p, 1);
+ mpz_mod(t, t, &k->pub.e);
+ if (mpz_cmp_ui(t, 0) == 0)
+ ugh = "e divides p-1";
+
+ mpz_sub_ui(t, &k->q, 1);
+ mpz_mod(t, t, &k->pub.e);
+ if (mpz_cmp_ui(t, 0) == 0)
+ ugh = "e divides q-1";
+
+ /* check that d is e^-1 (mod lcm(p-1, q-1)) */
+ /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
+ mpz_sub_ui(q1, &k->q, 1);
+ mpz_sub_ui(u, &k->p, 1);
+ mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
+ mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
+ mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
+
+ mpz_mul(t, &k->d, &k->pub.e);
+ mpz_mod(t, t, u);
+ if (mpz_cmp_ui(t, 1) != 0)
+ ugh = "(d * e) mod (lcm(p-1, q-1)) != 1";
+
+ /* check that dP is d mod (p-1) */
+ mpz_sub_ui(u, &k->p, 1);
+ mpz_mod(t, &k->d, u);
+ if (mpz_cmp(t, &k->dP) != 0)
+ ugh = "dP is not congruent to d mod (p-1)";
+
+ /* check that dQ is d mod (q-1) */
+ mpz_sub_ui(u, &k->q, 1);
+ mpz_mod(t, &k->d, u);
+ if (mpz_cmp(t, &k->dQ) != 0)
+ ugh = "dQ is not congruent to d mod (q-1)";
+
+ /* check that qInv is (q^-1) mod p */
+ mpz_mul(t, &k->qInv, &k->q);
+ mpz_mod(t, t, &k->p);
+ if (mpz_cmp_ui(t, 1) != 0)
+ ugh = "qInv is not conguent ot (q^-1) mod p";
+
+ mpz_clear(t);
+ mpz_clear(u);
+ mpz_clear(q1);
+ return ugh;
+}
+
+/*
+ * Check the equality of two RSA public keys
+ */
+bool
+same_RSA_public_key(const RSA_public_key_t *a, const RSA_public_key_t *b)
+{
+ return a == b
+ || (a->k == b->k && mpz_cmp(&a->n, &b->n) == 0 && mpz_cmp(&a->e, &b->e) == 0);
+}
+
+/*
+ * Parses a PKCS#1 private key
+ */
+bool
+pkcs1_parse_private_key(chunk_t blob, RSA_private_key_t *key)
+{
+ err_t ugh = NULL;
+ asn1_ctx_t ctx;
+ chunk_t object, modulus, exp;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, 0, FALSE, DBG_PRIVATE);
+
+ while (objectID < PKCS1_PRIV_KEY_ROOF) {
+
+ if (!extract_object(privkeyObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ if (objectID == PKCS1_PRIV_KEY_VERSION)
+ {
+ if (object.len > 0 && *object.ptr != 0)
+ {
+ plog(" wrong PKCS#1 private key version");
+ return FALSE;
+ }
+ }
+ else if (objectID >= PKCS1_PRIV_KEY_MODULUS &&
+ objectID <= PKCS1_PRIV_KEY_COEFF)
+ {
+ MP_INT *u = (MP_INT *) ((char *)key
+ + RSA_private_field[objectID - PKCS1_PRIV_KEY_MODULUS].offset);
+
+ n_to_mpz(u, object.ptr, object.len);
+
+ if (objectID == PKCS1_PRIV_KEY_MODULUS)
+ modulus = object;
+ else if (objectID == PKCS1_PRIV_KEY_PUB_EXP)
+ exp = object;
+ }
+ objectID++;
+ }
+ form_keyid(exp, modulus, key->pub.keyid, &key->pub.k);
+ ugh = RSA_private_key_sanity(key);
+ return (ugh == NULL);
+}
+
+/*
+ * compute a digest over a binary blob
+ */
+bool
+compute_digest(chunk_t tbs, int alg, chunk_t *digest)
+{
+ switch (alg)
+ {
+ case OID_MD2:
+ case OID_MD2_WITH_RSA:
+ {
+ MD2_CTX context;
+
+ MD2Init(&context);
+ MD2Update(&context, tbs.ptr, tbs.len);
+ MD2Final(digest->ptr, &context);
+ digest->len = MD2_DIGEST_SIZE;
+ return TRUE;
+ }
+ case OID_MD5:
+ case OID_MD5_WITH_RSA:
+ {
+ MD5_CTX context;
+
+ MD5Init(&context);
+ MD5Update(&context, tbs.ptr, tbs.len);
+ MD5Final(digest->ptr, &context);
+ digest->len = MD5_DIGEST_SIZE;
+ return TRUE;
+ }
+ case OID_SHA1:
+ case OID_SHA1_WITH_RSA:
+ case OID_SHA1_WITH_RSA_OIW:
+ {
+ SHA1_CTX context;
+
+ SHA1Init(&context);
+ SHA1Update(&context, tbs.ptr, tbs.len);
+ SHA1Final(digest->ptr, &context);
+ digest->len = SHA1_DIGEST_SIZE;
+ return TRUE;
+ }
+ case OID_SHA256:
+ case OID_SHA256_WITH_RSA:
+ {
+ sha256_context context;
+
+ sha256_init(&context);
+ sha256_write(&context, tbs.ptr, tbs.len);
+ sha256_final(&context);
+ memcpy(digest->ptr, context.sha_out, SHA2_256_DIGEST_SIZE);
+ digest->len = SHA2_256_DIGEST_SIZE;
+ return TRUE;
+ }
+ case OID_SHA384:
+ case OID_SHA384_WITH_RSA:
+ {
+ sha512_context context;
+
+ sha384_init(&context);
+ sha512_write(&context, tbs.ptr, tbs.len);
+ sha512_final(&context);
+ memcpy(digest->ptr, context.sha_out, SHA2_384_DIGEST_SIZE);
+ digest->len = SHA2_384_DIGEST_SIZE;
+ return TRUE;
+ }
+ case OID_SHA512:
+ case OID_SHA512_WITH_RSA:
+ {
+ sha512_context context;
+
+ sha512_init(&context);
+ sha512_write(&context, tbs.ptr, tbs.len);
+ sha512_final(&context);
+ memcpy(digest->ptr, context.sha_out, SHA2_512_DIGEST_SIZE);
+ digest->len = SHA2_512_DIGEST_SIZE;
+ return TRUE;
+ }
+ default:
+ digest->len = 0;
+ return FALSE;
+ }
+}
+
+/*
+ * compute an RSA signature with PKCS#1 padding
+ */
+void
+sign_hash(const RSA_private_key_t *k, const u_char *hash_val, size_t hash_len
+ , u_char *sig_val, size_t sig_len)
+{
+ chunk_t ch;
+ mpz_t t1, t2;
+ size_t padlen;
+ u_char *p = sig_val;
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("signing hash with RSA Key *%s", k->pub.keyid)
+ )
+ /* PKCS#1 v1.5 8.1 encryption-block formatting */
+ *p++ = 0x00;
+ *p++ = 0x01; /* BT (block type) 01 */
+ padlen = sig_len - 3 - hash_len;
+ memset(p, 0xFF, padlen);
+ p += padlen;
+ *p++ = 0x00;
+ memcpy(p, hash_val, hash_len);
+ passert(p + hash_len - sig_val == (ptrdiff_t)sig_len);
+
+ /* PKCS#1 v1.5 8.2 octet-string-to-integer conversion */
+ n_to_mpz(t1, sig_val, sig_len); /* (could skip leading 0x00) */
+
+ /* PKCS#1 v1.5 8.3 RSA computation y = x^c mod n
+ * Better described in PKCS#1 v2.0 5.1 RSADP.
+ * There are two methods, depending on the form of the private key.
+ * We use the one based on the Chinese Remainder Theorem.
+ */
+ mpz_init(t2);
+
+ mpz_powm(t2, t1, &k->dP, &k->p); /* m1 = c^dP mod p */
+
+ mpz_powm(t1, t1, &k->dQ, &k->q); /* m2 = c^dQ mod Q */
+
+ mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
+ mpz_mod(t2, t2, &k->p);
+ mpz_mul(t2, t2, &k->qInv);
+ mpz_mod(t2, t2, &k->p);
+
+ mpz_mul(t2, t2, &k->q); /* m = m2 + h q */
+ mpz_add(t1, t1, t2);
+
+ /* PKCS#1 v1.5 8.4 integer-to-octet-string conversion */
+ ch = mpz_to_n(t1, sig_len);
+ memcpy(sig_val, ch.ptr, sig_len);
+ pfree(ch.ptr);
+
+ mpz_clear(t1);
+ mpz_clear(t2);
+}
+
+/*
+ * encrypt data with an RSA public key after padding
+ */
+chunk_t
+RSA_encrypt(const RSA_public_key_t *key, chunk_t in)
+{
+ u_char padded[RSA_MAX_OCTETS];
+ u_char *pos = padded;
+ int padding = key->k - in.len - 3;
+ int i;
+
+ if (padding < 8 || key->k > RSA_MAX_OCTETS)
+ return empty_chunk;
+
+ /* add padding according to PKCS#1 7.2.1 1.+2. */
+ *pos++ = 0x00;
+ *pos++ = 0x02;
+
+ /* pad with pseudo random bytes unequal to zero */
+ get_rnd_bytes(pos, padding);
+ for (i = 0; i < padding; i++)
+ {
+ while (!*pos)
+ get_rnd_bytes(pos, 1);
+ pos++;
+ }
+
+ /* append the padding terminator */
+ *pos++ = 0x00;
+
+ /* now add the data */
+ memcpy(pos, in.ptr, in.len);
+ DBG(DBG_RAW,
+ DBG_dump_chunk("data for rsa encryption:\n", in);
+ DBG_dump("padded data for rsa encryption:\n", padded, key->k)
+ )
+
+ /* convert chunk to integer (PKCS#1 7.2.1 3.a) */
+ {
+ chunk_t out;
+ mpz_t m, c;
+
+ mpz_init(c);
+ n_to_mpz(m, padded, key->k);
+
+ /* encrypt(PKCS#1 7.2.1 3.b) */
+ mpz_powm(c, m, &key->e, &key->n);
+
+ /* convert integer back to a chunk (PKCS#1 7.2.1 3.c) */
+ out = mpz_to_n(c, key->k);
+ mpz_clear(c);
+ mpz_clear(m);
+
+ DBG(DBG_RAW,
+ DBG_dump_chunk("rsa encrypted data:\n", out)
+ )
+ return out;
+ }
+}
+
+/*
+ * decrypt data with an RSA private key and remove padding
+ */
+bool
+RSA_decrypt(const RSA_private_key_t *key, chunk_t in, chunk_t *out)
+{
+ chunk_t padded;
+ u_char *pos;
+ mpz_t t1, t2;
+
+ n_to_mpz(t1, in.ptr,in.len);
+
+ /* PKCS#1 v1.5 8.3 RSA computation y = x^c mod n
+ * Better described in PKCS#1 v2.0 5.1 RSADP.
+ * There are two methods, depending on the form of the private key.
+ * We use the one based on the Chinese Remainder Theorem.
+ */
+ mpz_init(t2);
+
+ mpz_powm(t2, t1, &key->dP, &key->p); /* m1 = c^dP mod p */
+ mpz_powm(t1, t1, &key->dQ, &key->q); /* m2 = c^dQ mod Q */
+
+ mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
+ mpz_mod(t2, t2, &key->p);
+ mpz_mul(t2, t2, &key->qInv);
+ mpz_mod(t2, t2, &key->p);
+
+ mpz_mul(t2, t2, &key->q); /* m = m2 + h q */
+ mpz_add(t1, t1, t2);
+
+ padded = mpz_to_n(t1, key->pub.k);
+ mpz_clear(t1);
+ mpz_clear(t2);
+
+ DBG(DBG_PRIVATE,
+ DBG_dump_chunk("rsa decrypted data with padding:\n", padded)
+ )
+ pos = padded.ptr;
+
+ /* PKCS#1 v1.5 8.1 encryption-block formatting (EB = 00 || 02 || PS || 00 || D) */
+
+ /* check for hex pattern 00 02 in decrypted message */
+ if ((*pos++ != 0x00) || (*(pos++) != 0x02))
+ {
+ plog("incorrect padding - probably wrong RSA key");
+ freeanychunk(padded);
+ return FALSE;
+ }
+ padded.len -= 2;
+
+ /* the plaintext data starts after first 0x00 byte */
+ while (padded.len-- > 0 && *pos++ != 0x00)
+
+ if (padded.len == 0)
+ {
+ plog("no plaintext data");
+ freeanychunk(padded);
+ return FALSE;
+ }
+
+ clonetochunk(*out, pos, padded.len, "decrypted data");
+ freeanychunk(padded);
+ return TRUE;
+}
+
+/*
+ * build signatureValue
+ */
+chunk_t
+pkcs1_build_signature(chunk_t tbs, int hash_alg, const RSA_private_key_t *key
+, bool bit_string)
+{
+
+ size_t siglen = key->pub.k;
+
+ u_char digest_buf[MAX_DIGEST_LEN];
+ chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
+ chunk_t digestInfo, alg_id, signatureValue;
+ u_char *pos;
+
+ switch (hash_alg)
+ {
+ case OID_MD5:
+ case OID_MD5_WITH_RSA:
+ alg_id = ASN1_md5_id;
+ break;
+ case OID_SHA1:
+ case OID_SHA1_WITH_RSA:
+ alg_id = ASN1_sha1_id;
+ break;
+ default:
+ return empty_chunk;
+ }
+ compute_digest(tbs, hash_alg, &digest);
+
+ /* according to PKCS#1 v2.1 digest must be packaged into
+ * an ASN.1 structure for encryption
+ */
+ digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm"
+ , alg_id
+ , asn1_simple_object(ASN1_OCTET_STRING, digest));
+
+ /* generate the RSA signature */
+ if (bit_string)
+ {
+ pos = build_asn1_object(&signatureValue, ASN1_BIT_STRING, 1 + siglen);
+ *pos++ = 0x00;
+ }
+ else
+ {
+ pos = build_asn1_object(&signatureValue, ASN1_OCTET_STRING, siglen);
+ }
+ sign_hash(key, digestInfo.ptr, digestInfo.len, pos, siglen);
+ pfree(digestInfo.ptr);
+
+ return signatureValue;
+}
+
+/*
+ * build a DER-encoded PKCS#1 private key object
+ */
+chunk_t
+pkcs1_build_private_key(const RSA_private_key_t *key)
+{
+ chunk_t pkcs1 = asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm"
+ , ASN1_INTEGER_0
+ , asn1_integer_from_mpz(&key->pub.n)
+ , asn1_integer_from_mpz(&key->pub.e)
+ , asn1_integer_from_mpz(&key->d)
+ , asn1_integer_from_mpz(&key->p)
+ , asn1_integer_from_mpz(&key->q)
+ , asn1_integer_from_mpz(&key->dP)
+ , asn1_integer_from_mpz(&key->dQ)
+ , asn1_integer_from_mpz(&key->qInv));
+
+ DBG(DBG_PRIVATE,
+ DBG_dump_chunk("PKCS#1 encoded private key:", pkcs1)
+ )
+ return pkcs1;
+}
+
+/*
+ * build a DER-encoded PKCS#1 public key object
+ */
+chunk_t
+pkcs1_build_public_key(const RSA_public_key_t *rsa)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "mm"
+ , asn1_integer_from_mpz(&rsa->n)
+ , asn1_integer_from_mpz(&rsa->e));
+}
+
+/*
+ * build a DER-encoded publicKeyInfo object
+ */
+chunk_t
+pkcs1_build_publicKeyInfo(const RSA_public_key_t *rsa)
+{
+ chunk_t publicKey;
+ chunk_t rawKey = pkcs1_build_public_key(rsa);
+
+ u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING
+ , 1 + rawKey.len);
+ *pos++ = 0x00;
+ mv_chunk(&pos, rawKey);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_rsaEncryption_id
+ , publicKey);
+}
+void
+free_RSA_public_content(RSA_public_key_t *rsa)
+{
+ mpz_clear(&rsa->n);
+ mpz_clear(&rsa->e);
+}
+
+void
+free_RSA_private_content(RSA_private_key_t *rsak)
+{
+ free_RSA_public_content(&rsak->pub);
+ mpz_clear(&rsak->d);
+ mpz_clear(&rsak->p);
+ mpz_clear(&rsak->q);
+ mpz_clear(&rsak->dP);
+ mpz_clear(&rsak->dQ);
+ mpz_clear(&rsak->qInv);
+}
+
diff --git a/src/pluto/pkcs1.h b/src/pluto/pkcs1.h
new file mode 100644
index 000000000..c927db0f8
--- /dev/null
+++ b/src/pluto/pkcs1.h
@@ -0,0 +1,88 @@
+/* Support of PKCS#1 private key data structures
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2005 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs1.h,v 1.14 2005/12/06 22:52:12 as Exp $
+ */
+
+#ifndef _PKCS1_H
+#define _PKCS1_H
+
+#include <gmp.h> /* GNU Multi Precision library */
+
+#include "defs.h"
+
+typedef struct RSA_public_key RSA_public_key_t;
+
+struct RSA_public_key
+{
+ char keyid[KEYID_BUF]; /* see ipsec_keyblobtoid(3) */
+
+ /* length of modulus n in octets: [RSA_MIN_OCTETS, RSA_MAX_OCTETS] */
+ unsigned k;
+
+ /* public: */
+ MP_INT
+ n, /* modulus: p * q */
+ e; /* exponent: relatively prime to (p-1) * (q-1) [probably small] */
+};
+
+typedef struct RSA_private_key RSA_private_key_t;
+
+struct RSA_private_key {
+ struct RSA_public_key pub; /* must be at start for RSA_show_public_key */
+
+ MP_INT
+ d, /* private exponent: (e^-1) mod ((p-1) * (q-1)) */
+ /* help for Chinese Remainder Theorem speedup: */
+ p, /* first secret prime */
+ q, /* second secret prime */
+ dP, /* first factor's exponent: (e^-1) mod (p-1) == d mod (p-1) */
+ dQ, /* second factor's exponent: (e^-1) mod (q-1) == d mod (q-1) */
+ qInv; /* (q^-1) mod p */
+};
+
+struct fld {
+ const char *name;
+ size_t offset;
+};
+
+extern const struct fld RSA_private_field[];
+#define RSA_PRIVATE_FIELD_ELEMENTS 8
+
+extern void init_RSA_public_key(RSA_public_key_t *rsa, chunk_t e, chunk_t n);
+extern bool pkcs1_parse_private_key(chunk_t blob, RSA_private_key_t *key);
+extern chunk_t pkcs1_build_private_key(const RSA_private_key_t *key);
+extern chunk_t pkcs1_build_public_key(const RSA_public_key_t *rsa);
+extern chunk_t pkcs1_build_publicKeyInfo(const RSA_public_key_t *rsa);
+extern chunk_t pkcs1_build_signature(chunk_t tbs, int hash_alg
+ , const RSA_private_key_t *key, bool bit_string);
+extern bool compute_digest(chunk_t tbs, int alg, chunk_t *digest);
+extern void sign_hash(const RSA_private_key_t *k, const u_char *hash_val
+ , size_t hash_len, u_char *sig_val, size_t sig_len);
+extern chunk_t RSA_encrypt(const RSA_public_key_t *key, chunk_t in);
+extern bool RSA_decrypt(const RSA_private_key_t *key, chunk_t in
+ , chunk_t *out);
+extern bool same_RSA_public_key(const RSA_public_key_t *a
+ , const RSA_public_key_t *b);
+extern void form_keyid(chunk_t e, chunk_t n, char* keyid, unsigned *keysize);
+extern err_t RSA_private_key_sanity(RSA_private_key_t *k);
+#ifdef DEBUG
+extern void RSA_show_public_key(RSA_public_key_t *k);
+extern void RSA_show_private_key(RSA_private_key_t *k);
+#endif
+extern void free_RSA_public_content(RSA_public_key_t *rsa);
+extern void free_RSA_private_content(RSA_private_key_t *rsak);
+
+#endif /* _PKCS1_H */
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
new file mode 100644
index 000000000..3068c0c94
--- /dev/null
+++ b/src/pluto/pkcs7.c
@@ -0,0 +1,862 @@
+/* Support of PKCS#7 data structures
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2005 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs7.c,v 1.13 2005/12/22 22:11:24 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <libdes/des.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "asn1.h"
+#include "oid.h"
+#include "log.h"
+#include "x509.h"
+#include "certs.h"
+#include "pkcs7.h"
+#include "rnd.h"
+
+const contentInfo_t empty_contentInfo = {
+ OID_UNKNOWN , /* type */
+ { NULL, 0 } /* content */
+};
+
+/* ASN.1 definition of the PKCS#7 ContentInfo type */
+
+static const asn1Object_t contentInfoObjects[] = {
+ { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+
+#define PKCS7_INFO_TYPE 1
+#define PKCS7_INFO_CONTENT 2
+#define PKCS7_INFO_ROOF 4
+
+/* ASN.1 definition of the PKCS#7 signedData type */
+
+static const asn1Object_t signedDataObjects[] = {
+ { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
+ { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
+ { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
+ { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_LOOP }, /* 6 */
+ { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
+ { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_LOOP }, /* 9 */
+ { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
+ { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
+ { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
+ { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
+ { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
+ { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_OBJ }, /* 19 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
+ { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
+ { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
+ { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
+ { 1, "end loop", ASN1_EOC, ASN1_END } /* 25 */
+};
+
+#define PKCS7_DIGEST_ALG 3
+#define PKCS7_SIGNED_CONTENT_INFO 5
+#define PKCS7_SIGNED_CERT 7
+#define PKCS7_SIGNER_INFO 13
+#define PKCS7_SIGNED_ISSUER 16
+#define PKCS7_SIGNED_SERIAL_NUMBER 17
+#define PKCS7_DIGEST_ALGORITHM 18
+#define PKCS7_AUTH_ATTRIBUTES 19
+#define PKCS7_DIGEST_ENC_ALGORITHM 21
+#define PKCS7_ENCRYPTED_DIGEST 22
+#define PKCS7_SIGNED_ROOF 26
+
+/* ASN.1 definition of the PKCS#7 envelopedData type */
+
+static const asn1Object_t envelopedDataObjects[] = {
+ { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
+ { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
+ { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
+ { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
+ { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
+ { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
+ { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
+ { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY } /* 14 */
+};
+
+#define PKCS7_ENVELOPED_VERSION 1
+#define PKCS7_RECIPIENT_INFO_VERSION 4
+#define PKCS7_ISSUER 6
+#define PKCS7_SERIAL_NUMBER 7
+#define PKCS7_ENCRYPTION_ALG 8
+#define PKCS7_ENCRYPTED_KEY 9
+#define PKCS7_CONTENT_TYPE 12
+#define PKCS7_CONTENT_ENC_ALGORITHM 13
+#define PKCS7_ENCRYPTED_CONTENT 14
+#define PKCS7_ENVELOPED_ROOF 15
+
+/* PKCS7 contentInfo OIDs */
+
+static u_char ASN1_pkcs7_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
+};
+
+static u_char ASN1_pkcs7_signed_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
+};
+
+static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
+};
+
+static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
+};
+
+static u_char ASN1_pkcs7_digested_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
+};
+
+static char ASN1_pkcs7_encrypted_data_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
+};
+
+static const chunk_t ASN1_pkcs7_data_oid =
+ strchunk(ASN1_pkcs7_data_oid_str);
+static const chunk_t ASN1_pkcs7_signed_data_oid =
+ strchunk(ASN1_pkcs7_signed_data_oid_str);
+static const chunk_t ASN1_pkcs7_enveloped_data_oid =
+ strchunk(ASN1_pkcs7_enveloped_data_oid_str);
+static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid =
+ strchunk(ASN1_pkcs7_signed_enveloped_data_oid_str);
+static const chunk_t ASN1_pkcs7_digested_data_oid =
+ strchunk(ASN1_pkcs7_digested_data_oid_str);
+static const chunk_t ASN1_pkcs7_encrypted_data_oid =
+ strchunk(ASN1_pkcs7_encrypted_data_oid_str);
+
+/* 3DES and DES encryption OIDs */
+
+static u_char ASN1_3des_ede_cbc_oid_str[] = {
+ 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
+};
+
+static u_char ASN1_des_cbc_oid_str[] = {
+ 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
+};
+
+static const chunk_t ASN1_3des_ede_cbc_oid =
+ strchunk(ASN1_3des_ede_cbc_oid_str);
+static const chunk_t ASN1_des_cbc_oid =
+ strchunk(ASN1_des_cbc_oid_str);
+
+/* PKCS#7 attribute type OIDs */
+
+static u_char ASN1_contentType_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
+};
+
+static u_char ASN1_messageDigest_oid_str[] = {
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
+};
+
+static const chunk_t ASN1_contentType_oid =
+ strchunk(ASN1_contentType_oid_str);
+static const chunk_t ASN1_messageDigest_oid =
+ strchunk(ASN1_messageDigest_oid_str);
+
+/*
+ * Parse PKCS#7 ContentInfo object
+ */
+bool
+pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < PKCS7_INFO_ROOF)
+ {
+ if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ if (objectID == PKCS7_INFO_TYPE)
+ {
+ cInfo->type = known_oid(object);
+ if (cInfo->type < OID_PKCS7_DATA
+ || cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
+ {
+ plog("unknown pkcs7 content type");
+ return FALSE;
+ }
+ }
+ else if (objectID == PKCS7_INFO_CONTENT)
+ {
+ cInfo->content = object;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+/*
+ * Parse a PKCS#7 signedData object
+ */
+bool
+pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
+, chunk_t *attributes, const x509cert_t *cacert)
+{
+ u_char buf[BUF_LEN];
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int digest_alg = OID_UNKNOWN;
+ int enc_alg = OID_UNKNOWN;
+ int signerInfos = 0;
+ int objectID = 0;
+
+ contentInfo_t cInfo = empty_contentInfo;
+ chunk_t encrypted_digest = empty_chunk;
+
+ if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
+ return FALSE;
+
+ if (cInfo.type != OID_PKCS7_SIGNED_DATA)
+ {
+ plog("pkcs7 content type is not signedData");
+ return FALSE;
+ }
+
+ asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
+
+ while (objectID < PKCS7_SIGNED_ROOF)
+ {
+ if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case PKCS7_DIGEST_ALG:
+ digest_alg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case PKCS7_SIGNED_CONTENT_INFO:
+ if (data != NULL)
+ {
+ pkcs7_parse_contentInfo(object, level, data);
+ }
+ break;
+ case PKCS7_SIGNED_CERT:
+ if (cert != NULL)
+ {
+ chunk_t cert_blob;
+
+ x509cert_t *newcert = alloc_thing(x509cert_t
+ , "pkcs7 wrapped x509cert");
+
+ clonetochunk(cert_blob, object.ptr, object.len
+ , "pkcs7 cert blob");
+ *newcert = empty_x509cert;
+
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log("parsing pkcs7-wrapped certificate")
+ )
+ if (parse_x509cert(cert_blob, level+1, newcert))
+ {
+ newcert->next = *cert;
+ *cert = newcert;
+ }
+ else
+ {
+ free_x509cert(newcert);
+ }
+ }
+ break;
+ case PKCS7_SIGNER_INFO:
+ signerInfos++;
+ DBG(DBG_PARSING,
+ DBG_log(" signer #%d", signerInfos)
+ )
+ break;
+ case PKCS7_SIGNED_ISSUER:
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'",buf)
+ )
+ break;
+ case PKCS7_AUTH_ATTRIBUTES:
+ if (attributes != NULL)
+ {
+ *attributes = object;
+ *attributes->ptr = ASN1_SET;
+ }
+ break;
+ case PKCS7_DIGEST_ALGORITHM:
+ digest_alg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case PKCS7_DIGEST_ENC_ALGORITHM:
+ enc_alg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case PKCS7_ENCRYPTED_DIGEST:
+ encrypted_digest = object;
+ }
+ objectID++;
+ }
+
+ /* check the signature only if a cacert is available */
+ if (cacert != NULL)
+ {
+ if (signerInfos == 0)
+ {
+ plog("no signerInfo object found");
+ return FALSE;
+ }
+ else if (signerInfos > 1)
+ {
+ plog("more than one signerInfo object found");
+ return FALSE;
+ }
+ if (attributes->ptr == NULL)
+ {
+ plog("no authenticatedAttributes object found");
+ return FALSE;
+ }
+ if (!check_signature(*attributes, encrypted_digest, digest_alg
+ , enc_alg, cacert))
+ {
+ plog("invalid signature");
+ return FALSE;
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("signature is valid")
+ )
+ }
+ }
+ return TRUE;
+}
+
+/*
+ * Parse a PKCS#7 envelopedData object
+ */
+bool
+pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
+, chunk_t serialNumber, const RSA_private_key_t *key)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ chunk_t iv = empty_chunk;
+ chunk_t symmetric_key = empty_chunk;
+ chunk_t encrypted_content = empty_chunk;
+
+ u_char buf[BUF_LEN];
+ u_int level;
+ u_int total_keys = 3;
+ int enc_alg = OID_UNKNOWN;
+ int content_enc_alg = OID_UNKNOWN;
+ int objectID = 0;
+
+ contentInfo_t cInfo = empty_contentInfo;
+ *data = empty_chunk;
+
+ if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
+ goto failed;
+
+ if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
+ {
+ plog("pkcs7 content type is not envelopedData");
+ return FALSE;
+ }
+
+ asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
+
+ while (objectID < PKCS7_ENVELOPED_ROOF)
+ {
+ if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx))
+ goto failed;
+
+ switch (objectID)
+ {
+ case PKCS7_ENVELOPED_VERSION:
+ if (*object.ptr != 0)
+ {
+ plog("envelopedData version is not 0");
+ goto failed;
+ }
+ break;
+ case PKCS7_RECIPIENT_INFO_VERSION:
+ if (*object.ptr != 0)
+ {
+ plog("recipient info version is not 0");
+ goto failed;
+ }
+ break;
+ case PKCS7_ISSUER:
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'", buf)
+ )
+ break;
+ case PKCS7_SERIAL_NUMBER:
+ if (!same_chunk(serialNumber, object))
+ {
+ plog("serial numbers do not match");
+ goto failed;
+ }
+ break;
+ case PKCS7_ENCRYPTION_ALG:
+ enc_alg = parse_algorithmIdentifier(object, level, NULL);
+ if (enc_alg != OID_RSA_ENCRYPTION)
+ {
+ plog("only rsa encryption supported");
+ goto failed;
+ }
+ break;
+ case PKCS7_ENCRYPTED_KEY:
+ if (!RSA_decrypt(key, object, &symmetric_key))
+ {
+ plog("symmetric key could not be decrypted with rsa");
+ goto failed;
+ }
+ DBG(DBG_PRIVATE,
+ DBG_dump_chunk("symmetric key :", symmetric_key)
+ )
+ break;
+ case PKCS7_CONTENT_TYPE:
+ if (known_oid(object) != OID_PKCS7_DATA)
+ {
+ plog("encrypted content not of type pkcs7 data");
+ goto failed;
+ }
+ break;
+ case PKCS7_CONTENT_ENC_ALGORITHM:
+ content_enc_alg = parse_algorithmIdentifier(object, level, &iv);
+
+ switch (content_enc_alg)
+ {
+ case OID_DES_CBC:
+ total_keys = 1;
+ break;
+ case OID_3DES_EDE_CBC:
+ total_keys = 3;
+ break;
+ default:
+ plog("Only DES and 3DES supported for symmetric encryption");
+ goto failed;
+ }
+ if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
+ {
+ plog("key length is not %d",(total_keys * DES_CBC_BLOCK_SIZE));
+ goto failed;
+ }
+ if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
+ {
+ plog("IV could not be parsed");
+ goto failed;
+ }
+ if (iv.len != DES_CBC_BLOCK_SIZE)
+ {
+ plog("IV has wrong length");
+ goto failed;
+ }
+ break;
+ case PKCS7_ENCRYPTED_CONTENT:
+ encrypted_content = object;
+ break;
+ }
+ objectID++;
+ }
+
+ /* decrypt the content */
+ {
+ u_int i;
+ des_cblock des_key[3], des_iv;
+ des_key_schedule key_s[3];
+
+ memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
+ memcpy((char *)des_iv, iv.ptr, iv.len);
+
+ for (i = 0; i < total_keys; i++)
+ {
+ if (des_set_key(&des_key[i], key_s[i]))
+ {
+ plog("des key schedule failed");
+ goto failed;
+ }
+ }
+
+ data->len = encrypted_content.len;
+ data->ptr = alloc_bytes(data->len, "decrypted data");
+
+ switch (content_enc_alg)
+ {
+ case OID_DES_CBC:
+ des_cbc_encrypt((des_cblock*)encrypted_content.ptr
+ , (des_cblock*)data->ptr, data->len
+ , key_s[0], &des_iv, DES_DECRYPT);
+ break;
+ case OID_3DES_EDE_CBC:
+ des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
+ , (des_cblock*)data->ptr, data->len
+ , key_s[0], key_s[1], key_s[2]
+ , &des_iv, DES_DECRYPT);
+ }
+ DBG(DBG_PRIVATE,
+ DBG_dump_chunk("decrypted content with padding:\n", *data)
+ )
+ }
+
+ /* remove the padding */
+ {
+ u_char *pos = data->ptr + data->len - 1;
+ u_char pattern = *pos;
+ size_t padding = pattern;
+
+ if (padding > data->len)
+ {
+ plog("padding greater than data length");
+ goto failed;
+ }
+ data->len -= padding;
+
+ while (padding-- > 0)
+ {
+ if (*pos-- != pattern)
+ {
+ plog("wrong padding pattern");
+ goto failed;
+ }
+ }
+ }
+ freeanychunk(symmetric_key);
+ return TRUE;
+
+failed:
+ freeanychunk(symmetric_key);
+ pfreeany(data->ptr);
+ return FALSE;
+}
+
+/**
+ * @brief Builds a contentType attribute
+ *
+ * @return ASN.1 encoded contentType attribute
+ */
+chunk_t
+pkcs7_contentType_attribute(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_contentType_oid
+ , asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
+}
+
+/**
+ * @brief Builds a messageDigest attribute
+ *
+ *
+ * @param[in] blob content to create digest of
+ * @param[in] digest_alg digest algorithm to be used
+ * @return ASN.1 encoded messageDigest attribute
+ *
+ */
+chunk_t
+pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
+{
+ u_char digest_buf[MAX_DIGEST_LEN];
+ chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
+
+ compute_digest(content, digest_alg, &digest);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_messageDigest_oid
+ , asn1_wrap(ASN1_SET, "m"
+ , asn1_simple_object(ASN1_OCTET_STRING, digest)
+ )
+ );
+}
+/*
+ * build a DER-encoded contentInfo object
+ */
+static chunk_t
+pkcs7_build_contentInfo(contentInfo_t *cInfo)
+{
+ chunk_t content_type;
+
+ /* select DER-encoded OID for pkcs7 contentInfo type */
+ switch(cInfo->type)
+ {
+ case OID_PKCS7_DATA:
+ content_type = ASN1_pkcs7_data_oid;
+ break;
+ case OID_PKCS7_SIGNED_DATA:
+ content_type = ASN1_pkcs7_signed_data_oid;
+ break;
+ case OID_PKCS7_ENVELOPED_DATA:
+ content_type = ASN1_pkcs7_enveloped_data_oid;
+ break;
+ case OID_PKCS7_SIGNED_ENVELOPED_DATA:
+ content_type = ASN1_pkcs7_signed_enveloped_data_oid;
+ break;
+ case OID_PKCS7_DIGESTED_DATA:
+ content_type = ASN1_pkcs7_digested_data_oid;
+ break;
+ case OID_PKCS7_ENCRYPTED_DATA:
+ content_type = ASN1_pkcs7_encrypted_data_oid;
+ break;
+ case OID_UNKNOWN:
+ default:
+ fprintf(stderr, "invalid pkcs7 contentInfo type");
+ return empty_chunk;
+ }
+
+ return (cInfo->content.ptr == NULL)
+ ? asn1_simple_object(ASN1_SEQUENCE, content_type)
+ : asn1_wrap(ASN1_SEQUENCE, "cm"
+ , content_type
+ , asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
+ );
+}
+
+/*
+ * build issuerAndSerialNumber object
+ */
+chunk_t
+pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , cert->issuer
+ , asn1_simple_object(ASN1_INTEGER, cert->serialNumber));
+}
+
+/*
+ * create a signed pkcs7 contentInfo object
+ */
+chunk_t
+pkcs7_build_signedData(chunk_t data, chunk_t attributes, const x509cert_t *cert
+, int digest_alg, const RSA_private_key_t *key)
+{
+ contentInfo_t pkcs7Data, signedData;
+ chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
+
+ chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
+
+ if (attributes.ptr != NULL)
+ {
+ encryptedDigest = pkcs1_build_signature(attributes, digest_alg
+ , key, FALSE);
+ clonetochunk(authenticatedAttributes, attributes.ptr, attributes.len
+ , "authenticatedAttributes");
+ *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
+ }
+ else
+ {
+ encryptedDigest = (data.ptr == NULL)? empty_chunk
+ : pkcs1_build_signature(data, digest_alg, key, FALSE);
+ authenticatedAttributes = empty_chunk;
+ }
+
+ signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
+ , ASN1_INTEGER_1
+ , pkcs7_build_issuerAndSerialNumber(cert)
+ , digestAlgorithm
+ , authenticatedAttributes
+ , ASN1_rsaEncryption_id
+ , encryptedDigest);
+
+ pkcs7Data.type = OID_PKCS7_DATA;
+ pkcs7Data.content = (data.ptr == NULL)? empty_chunk
+ : asn1_simple_object(ASN1_OCTET_STRING, data);
+
+ signedData.type = OID_PKCS7_SIGNED_DATA;
+ signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
+ , ASN1_INTEGER_1
+ , asn1_simple_object(ASN1_SET, digestAlgorithm)
+ , pkcs7_build_contentInfo(&pkcs7Data)
+ , asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
+ , asn1_wrap(ASN1_SET, "m", signerInfo));
+
+ cInfo = pkcs7_build_contentInfo(&signedData);
+ DBG(DBG_RAW,
+ DBG_dump_chunk("signedData:\n", cInfo)
+ )
+
+ freeanychunk(pkcs7Data.content);
+ freeanychunk(signedData.content);
+ return cInfo;
+}
+
+/*
+ * create a symmetrically encrypted pkcs7 contentInfo object
+ */
+chunk_t
+pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int cipher)
+{
+ bool des_check_key_save;
+ des_key_schedule ks[3];
+ des_cblock key[3], des_iv, des_iv_buf;
+
+ chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
+ chunk_t out;
+ chunk_t cipher_oid;
+
+ u_int total_keys, i;
+ size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
+
+ RSA_public_key_t public_key;
+
+ init_RSA_public_key(&public_key, cert->publicExponent
+ , cert->modulus);
+
+ if (padding == 0)
+ padding += DES_CBC_BLOCK_SIZE;
+
+ out.len = data.len + padding;
+ out.ptr = alloc_bytes(out.len, "DES-encrypted output");
+
+ DBG(DBG_CONTROL,
+ DBG_log("padding %d bytes of data to multiple DES block size of %d bytes"
+ , (int)data.len, (int)out.len)
+ )
+
+ /* copy data */
+ memcpy(out.ptr, data.ptr, data.len);
+ /* append padding */
+ memset(out.ptr + data.len, padding, padding);
+
+ DBG(DBG_RAW,
+ DBG_dump_chunk("Padded unencrypted data:\n", out)
+ )
+
+ /* select OID and keylength for specified cipher */
+ switch (cipher)
+ {
+ case OID_DES_CBC:
+ total_keys = 1;
+ cipher_oid = ASN1_des_cbc_oid;
+ break;
+ case OID_3DES_EDE_CBC:
+ default:
+ total_keys = 3;
+ cipher_oid = ASN1_3des_ede_cbc_oid;
+ }
+ DBG(DBG_CONTROLMORE,
+ DBG_log("pkcs7 encryption cipher: %s", oid_names[cipher].name)
+ )
+
+ /* generate a strong random key for DES/3DES */
+ des_check_key_save = des_check_key;
+ des_check_key = TRUE;
+ for (i = 0; i < total_keys;i++)
+ {
+ for (;;)
+ {
+ get_rnd_bytes((char*)key[i], DES_CBC_BLOCK_SIZE);
+ des_set_odd_parity(&key[i]);
+ if (!des_set_key(&key[i], ks[i]))
+ break;
+ plog("weak DES key discarded - we try again");
+ }
+ DBG(DBG_PRIVATE,
+ DBG_dump("DES key:", key[i], 8)
+ )
+ }
+ des_check_key = des_check_key_save;
+
+ /* generate an iv for DES/3DES CBC */
+ get_rnd_bytes(des_iv, DES_CBC_BLOCK_SIZE);
+ memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
+ DBG(DBG_RAW,
+ DBG_dump_chunk("DES IV :", iv)
+ )
+
+ /* encryption using specified cipher */
+ switch (cipher)
+ {
+ case OID_DES_CBC:
+ des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
+ , ks[0], &des_iv, DES_ENCRYPT);
+ break;
+ case OID_3DES_EDE_CBC:
+ default:
+ des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
+ , ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);
+ }
+ DBG(DBG_RAW,
+ DBG_dump_chunk("Encrypted data:\n", out));
+
+ /* build pkcs7 enveloped data object */
+ {
+ chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
+ , cipher_oid
+ , asn1_simple_object(ASN1_OCTET_STRING, iv));
+
+ chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
+ , ASN1_pkcs7_data_oid
+ , contentEncryptionAlgorithm
+ , asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
+
+ chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
+
+ chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
+ , RSA_encrypt(&public_key, plainKey));
+
+ chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
+ , ASN1_INTEGER_0
+ , pkcs7_build_issuerAndSerialNumber(cert)
+ , ASN1_rsaEncryption_id
+ , encryptedKey);
+
+ chunk_t cInfo;
+ contentInfo_t envelopedData;
+
+ envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
+ envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
+ , ASN1_INTEGER_0
+ , asn1_wrap(ASN1_SET, "m", recipientInfo)
+ , encryptedContentInfo);
+
+ cInfo = pkcs7_build_contentInfo(&envelopedData);
+ DBG(DBG_RAW,
+ DBG_dump_chunk("envelopedData:\n", cInfo)
+ )
+
+ free_RSA_public_content(&public_key);
+ freeanychunk(envelopedData.content);
+ return cInfo;
+ }
+}
diff --git a/src/pluto/pkcs7.h b/src/pluto/pkcs7.h
new file mode 100644
index 000000000..38c633f4e
--- /dev/null
+++ b/src/pluto/pkcs7.h
@@ -0,0 +1,51 @@
+/* Support of PKCS#7 data structures
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2005 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs7.h,v 1.10 2005/12/22 22:11:24 as Exp $
+ */
+
+#ifndef _PKCS7_H
+#define _PKCS7_H
+
+#include "defs.h"
+#include "pkcs1.h"
+#include "x509.h"
+
+/* Access structure for a PKCS#7 ContentInfo object */
+
+typedef struct contentInfo contentInfo_t;
+
+struct contentInfo {
+ int type;
+ chunk_t content;
+};
+
+extern const contentInfo_t empty_contentInfo;
+
+extern bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0
+ , contentInfo_t *cInfo);
+extern bool pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data
+ , x509cert_t **cert, chunk_t *attributes, const x509cert_t *cacert);
+extern bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
+ , chunk_t serialNumber, const RSA_private_key_t *key);
+extern chunk_t pkcs7_contentType_attribute(void);
+extern chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg);
+extern chunk_t pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert);
+extern chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes
+ ,const x509cert_t *cert, int digest_alg, const RSA_private_key_t *key);
+extern chunk_t pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert
+ , int cipher);
+
+#endif /* _PKCS7_H */
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
new file mode 100644
index 000000000..b80d13772
--- /dev/null
+++ b/src/pluto/pluto.8
@@ -0,0 +1,1649 @@
+.TH IPSEC_PLUTO 8 "28 March 1999"
+.SH NAME
+ipsec pluto \- IPsec IKE keying daemon
+.br
+ipsec whack \- control interface for IPSEC keying daemon
+.SH SYNOPSIS
+.na
+.nh
+.HP
+.ft B
+ipsec pluto
+[\-\-help]
+[\-\-version]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-nofork]
+[\-\-stderrlog]
+[\-\-noklips]
+[\-\-uniqueids]
+[\fB\-\-interface\fP \fIinterfacename\fP]
+[\-\-ikeport\ \c
+\fIportnumber\fP]
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-secretsfile\ \c
+\fIsecrets\(hyfile\fP]
+[\-\-adns \fIpathname\fP]
+[\-\-lwdnsq \fIpathname\fP]
+[\-\-perpeerlog]
+[\-\-perpeerlogbase\ \c
+\fIdirname\fP]
+[\-\-debug\(hynone]
+[\-\-debug\(hyall]
+[\-\-debug\(hyraw]
+[\-\-debug\(hycrypt]
+[\-\-debug\(hyparsing]
+[\-\-debug\(hyemitting]
+[\-\-debug\(hycontrol]
+[\-\-debug\(hylifecycle]
+[\-\-debug\(hyklips]
+[\-\-debug\(hydns]
+[\-\-debug\(hyoppo]
+[\-\-debug\(hyprivate]
+.HP
+.ft B
+ipsec whack
+[\-\-help]
+[\-\-version]
+.HP
+.ft B
+ipsec whack
+\-\-name\ \c
+\fIconnection-name\fP
+.br
+[\-\-id\ \c
+\fIid\fP] \c
+[\-\-host\ \c
+\fIip\(hyaddress\fP]
+[\-\-ikeport\ \c
+\fIport\(hynumber\fP]
+[\-\-nexthop\ \c
+\fIip\(hyaddress\fP]
+[\-\-client\ \c
+\fIsubnet\fP]
+[\-\-dnskeyondemand]
+[\-\-updown\ \c
+\fIupdown\fP]
+.br
+\-\-to
+.br
+[\-\-id\ \c
+\fIid\fP]
+[\-\-host\ \c
+\fIip\(hyaddress\fP]
+[\-\-ikeport\ \c
+\fIport\(hynumber\fP]
+[\-\-nexthop\ \c
+\fIip\(hyaddress\fP]
+[\-\-client\ \c
+\fIsubnet\fP]
+[\-\-dnskeyondemand]
+[\-\-updown\ \c
+\fIupdown\fP]
+.br
+[\-\-psk]
+[\-\-rsasig]
+[\-\-encrypt]
+[\-\-authenticate]
+[\-\-compress]
+[\-\-tunnel]
+[\-\-pfs]
+[\-\-disablearrivalcheck]
+[\-\-ipv4]
+[\-\-ipv6]
+[\-\-tunnelipv4]
+[\-\-tunnelipv6]
+[\-\-ikelifetime\ \c
+\fIseconds\fP]
+[\-\-ipseclifetime\ \c
+\fIseconds\fP]
+[\-\-rekeymargin\ \c
+\fIseconds\fP]
+[\-\-rekeyfuzz\ \c
+\fIpercentage\fP]
+[\-\-keyingtries\ \c
+\fIcount\fP]
+[\-\-dontrekey]
+[\-\-delete]
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-keyid\ \c
+\fIid\fP
+[\-\-addkey]
+[\-\-pubkeyrsa\ \c
+\fIkey\fP]
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-myid\ \c
+\fIid\fP
+.HP
+.ft B
+ipsec whack
+\-\-listen|\-\-unlisten
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-route|\-\-unroute
+\-\-name\ \c
+\fIconnection-name\fP
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-initiate|\-\-terminate
+\-\-name\ \c
+\fIconnection-name\fP
+[\-\-asynchronous]
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+[\-\-tunnelipv4]
+[\-\-tunnelipv6]
+\-\-oppohere \fIip\(hyaddress\fP
+\-\-oppothere \fIip\(hyaddress\fP
+.HP
+.ft B
+ipsec whack
+\-\-delete
+\-\-name\ \c
+\fIconnection-name\fP
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-deletestate\ \c
+\fIstate-number\fP
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+[\-\-name\ \c
+\fIconnection-name\fP]
+[\-\-debug\(hynone]
+[\-\-debug\(hyall]
+[\-\-debug\(hyraw]
+[\-\-debug\(hycrypt]
+[\-\-debug\(hyparsing]
+[\-\-debug\(hyemitting]
+[\-\-debug\(hycontrol]
+[\-\-debug\(hylifecycle]
+[\-\-debug\(hyklips]
+[\-\-debug\(hydns]
+[\-\-debug\(hyoppo]
+[\-\-debug\(hyprivate]
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-status
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.HP
+.ft B
+ipsec whack
+\-\-shutdown
+[\-\-ctlbase\ \c
+\fIpath\fP]
+[\-\-optionsfrom\ \c
+\fIfilename\fP]
+[\-\-label\ \c
+\fIstring\fP]
+.ft R
+.hy
+.ad
+.SH DESCRIPTION
+.BR pluto
+is an IKE (``IPsec Key Exchange'') daemon.
+.BR whack
+is an auxiliary program to allow requests to be made to a running
+.BR pluto .
+.LP
+.BR pluto
+is used to automatically build shared ``security associations'' on a
+system that has IPsec, the secure IP protocol.
+In other words,
+.BR pluto
+can eliminate much of the work of manual keying.
+The actual
+secure transmission of packets is the responsibility of other parts of
+the system (see
+.BR KLIPS ,
+the companion implementation of IPsec).
+\fIipsec_auto\fP(8) provides a more convenient interface to
+\fBpluto\fP and \fBwhack\fP.
+.SS IKE's Job
+.LP
+A \fISecurity Association\fP (\fISA\fP) is an agreement between two network nodes on
+how to process certain traffic between them. This processing involves
+encapsulation, authentication, encryption, or compression.
+.LP
+IKE can be deployed on a network node to negotiate Security
+Associations for that node. These IKE implementations can only
+negotiate with other IKE implementations, so IKE must be on each node
+that is to be an endpoint of an IKE-negotiated Security Association.
+No other nodes need to be running IKE.
+.LP
+An IKE instance (i.e. an IKE implementation on a particular network
+node) communicates with another IKE instance using UDP IP packets, so
+there must be a route between the nodes in each direction.
+.LP
+The negotiation of Security Associations requires a number of choices
+that involve tradeoffs between security, convenience, trust, and
+efficiency. These are policy issues and are normally specified to the
+IKE instance by the system administrator.
+.LP
+IKE deals with two kinds of Security Associations. The first part of
+a negotiation between IKE instances is to build an ISAKMP SA. An
+ISAKMP SA is used to protect communication between the two IKEs.
+IPsec SAs can then be built by the IKEs \- these are used to carry
+protected IP traffic between the systems.
+.LP
+The negotiation of the ISAKMP SA is known as Phase 1. In theory,
+Phase 1 can be accomplished by a couple of different exchange types,
+but we only implement one called Main Mode (we don't implement
+Aggressive Mode).
+.LP
+Any negotiation under the protection of an ISAKMP SA, including the
+negotiation of IPsec SAs, is part of Phase 2. The exchange type
+that we use to negotiate an IPsec SA is called Quick Mode.
+.LP
+IKE instances must be able to authenticate each other as part of their
+negotiation of an ISAKMP SA. This can be done by several mechanisms
+described in the draft standards.
+.LP
+IKE negotiation can be initiated by any instance with any other. If
+both can find an agreeable set of characteristics for a Security
+Association, and both recognize each others authenticity, they can set
+up a Security Association. The standards do not specify what causes
+an IKE instance to initiate a negotiation.
+.LP
+In summary, an IKE instance is prepared to automate the management of
+Security Associations in an IPsec environment, but a number of issues
+are considered policy and are left in the system administrator's hands.
+.SS Pluto
+.LP
+\fBpluto\fP is an implementation of IKE. It runs as a daemon on a network
+node. Currently, this network node must be a LINUX system running the
+\fBKLIPS\fP implementation of IPsec.
+.LP
+\fBpluto\fP only implements a subset of IKE. This is enough for it to
+interoperate with other instances of \fBpluto\fP, and many other IKE
+implementations. We are working on implementing more of IKE.
+.LP
+The policy for acceptable characteristics for Security Associations is
+mostly hardwired into the code of \fBpluto\fP (spdb.c). Eventually
+this will be moved into a security policy database with reasonable
+expressive power and more convenience.
+.LP
+\fBpluto\fP uses shared secrets or RSA signatures to authenticate
+peers with whom it is negotiating.
+.LP
+\fBpluto\fP initiates negotiation of a Security Association when it is
+manually prodded: the program \fBwhack\fP is run to trigger this.
+It will also initiate a negotiation when \fBKLIPS\fP traps an outbound packet
+for Opportunistic Encryption.
+.LP
+\fBpluto\fP implements ISAKMP SAs itself. After it has negotiated the
+characteristics of an IPsec SA, it directs \fBKLIPS\fP to implement it.
+It also invokes a script to adjust any firewall and issue \fIroute\fP(8)
+commands to direct IP packets through \fBKLIPS\fP.
+.LP
+When \fBpluto\fP shuts down, it closes all Security Associations.
+.SS Before Running Pluto
+.LP
+\fBpluto\fP runs as a daemon with userid root. Before running it, a few
+things must be set up.
+.LP
+\fBpluto\fP requires \fBKLIPS\fP, the FreeS/WAN implementation of IPsec.
+All of the components of \fBKLIPS\fP and \fBpluto\fP should be installed.
+.LP
+\fBpluto\fP supports multiple public networks (that is, networks
+that are considered insecure and thus need to have their traffic
+encrypted or authenticated). It discovers the
+public interfaces to use by looking at all interfaces that are
+configured (the \fB\-\-interface\fP option can be used to limit
+the interfaces considered).
+It does this only when \fBwhack\fP tells it to \-\-listen,
+so the interfaces must be configured by then. Each interface with a name of the form
+\fBipsec\fP[\fB0\fP-\fB9\fP] is taken as a \fBKLIPS\fP virtual public interface.
+Another network interface with the same IP address (there should be only
+one) is taken as the corresponding real public
+interface. \fIifconfig\fP(8) with the \fB\-a\fP flag will show
+the name and status of each network interface.
+.LP
+\fBpluto\fP requires a database of preshared secrets and RSA private keys.
+This is described in the
+.IR ipsec.secrets (5).
+\fBpluto\fP is told of RSA public keys via \fBwhack\fP commands.
+If the connection is Opportunistic, and no RSA public key is known,
+\fBpluto\fP will attempt to fetch RSA keys using the Domain Name System.
+.SS Setting up \fBKLIPS\fP for \fBpluto\fP
+.LP
+The most basic network topology that \fBpluto\fP supports has two security
+gateways negotiating on behalf of client subnets. The diagram of RGB's
+testbed is a good example (see \fIklips/doc/rgb_setup.txt\fP).
+.LP
+The file \fIINSTALL\fP in the base directory of this distribution
+explains how to start setting up the whole system, including \fBKLIPS\fP.
+.LP
+Make sure that the security gateways have routes to each other. This
+is usually covered by the default route, but may require issuing
+.IR route (8)
+commands. The route must go through a particular IP
+interface (we will assume it is \fIeth0\fP, but it need not be). The
+interface that connects the security gateway to its client must be a
+different one.
+.LP
+It is necessary to issue a
+.IR ipsec_tncfg (8)
+command on each gateway. The required command is:
+
+\ \ \ ipsec tncfg \-\-attach\ \-\-virtual\ ipsec0 \-\-physical\ eth0
+
+A command to set up the ipsec0 virtual interface will also need to be
+run. It will have the same parameters as the command used to set up
+the physical interface to which it has just been connected using
+.IR ipsec_tncfg (8).
+.SS ipsec.secrets file
+.LP
+A \fBpluto\fP daemon and another IKE daemon (for example, another instance
+of \fBpluto\fP) must convince each other that they are who they are supposed
+to be before any negotiation can succeed. This authentication is
+accomplished by using either secrets that have been shared beforehand
+(manually) or by using RSA signatures. There are other techniques,
+but they have not been implemented in \fBpluto\fP.
+.LP
+The file \fI/etc/ipsec.secrets\fP is used to keep preshared secret keys
+and RSA private keys for
+authentication with other IKE daemons. For debugging, there is an
+argument to the \fBpluto\fP command to use a different file.
+This file is described in
+.IR ipsec.secrets (5).
+.SS Running Pluto
+.LP
+To fire up the daemon, just type \fBpluto\fP (be sure to be running as
+the superuser).
+The default IKE port number is 500, the UDP port assigned by IANA for IKE Daemons.
+\fBpluto\fP must be run by the superuser to be able to use the UDP 500 port.
+.LP
+\fBpluto\fP attempts to create a lockfile with the name
+\fI/var/run/pluto.pid\fP. If the lockfile cannot be created,
+\fBpluto\fP exits \- this prevents multiple \fBpluto\fPs from
+competing Any ``leftover'' lockfile must be removed before
+\fBpluto\fP will run. \fBpluto\fP writes its pid into this file so
+that scripts can find it. This lock will not function properly if it
+is on an NFS volume (but sharing locks on multiple machines doesn't
+make sense anyway).
+.LP
+\fBpluto\fP then forks and the parent exits. This is the conventional
+``daemon fork''. It can make debugging awkward, so there is an option
+to suppress this fork.
+.LP
+All logging, including diagnostics, is sent to
+.IR syslog (3)
+with facility=authpriv;
+it decides where to put these messages (possibly in /var/log/secure).
+Since this too can make debugging awkward, there is an option to
+steer logging to stderr.
+.LP
+If the \fB\-\-perpeerlog\fP option is given, then pluto will open
+a log file per connection. By default, this is in /var/log/pluto/peer,
+in a subdirectory formed by turning all dot (.) [IPv4} or colon (:)
+[IPv6] into slashes (/).
+.LP
+The base directory can be changed with the \fB\-\-perpeerlogbase\fP.
+.LP
+Once \fBpluto\fP is started, it waits for requests from \fBwhack\fP.
+.SS Pluto's Internal State
+.LP
+To understand how to use \fBpluto\fP, it is helpful to understand a little
+about its internal state. Furthermore, the terminology is needed to decipher
+some of the diagnostic messages.
+.LP
+The \fI(potential) connection\fP database describes attributes of a
+connection. These include the IP addresses of the hosts and client
+subnets and the security characteristics desired. \fBpluto\fP
+requires this information (simply called a connection) before it can
+respond to a request to build an SA. Each connection is given a name
+when it is created, and all references are made using this name.
+.LP
+During the IKE exchange to build an SA, the information about the
+negotiation is represented in a \fIstate object\fP. Each state object
+reflects how far the negotiation has reached. Once the negotiation is
+complete and the SA established, the state object remains to represent
+the SA. When the SA is terminated, the state object is discarded.
+Each State object is given a serial number and this is used to refer
+to the state objects in logged messages.
+.LP
+Each state object corresponds to a connection and can be thought of
+as an instantiation of that connection.
+At any particular time, there may be any number of state objects
+corresponding to a particular connection.
+Often there is one representing an ISAKMP SA and another representing
+an IPsec SA.
+.LP
+\fBKLIPS\fP hooks into the routing code in a LINUX kernel.
+Traffic to be processed by an IPsec SA must be directed through
+\fBKLIPS\fP by routing commands. Furthermore, the processing to be
+done is specified by \fIipsec eroute(8)\fP commands.
+\fBpluto\fP takes the responsibility of managing both of these special
+kinds of routes.
+.LP
+Each connection may be routed, and must be while it has an IPsec SA.
+The connection specifies the characteristics of the route: the
+interface on this machine, the ``gateway'' (the nexthop),
+and the peer's client subnet. Two
+connections may not be simultaneously routed if they are for the same
+peer's client subnet but use different interfaces or gateways
+(\fBpluto\fP's logic does not reflect any advanced routing capabilities).
+.LP
+Each eroute is associated with the state object for an IPsec SA
+because it has the particular characteristics of the SA.
+Two eroutes conflict if they specify the identical local
+and remote clients (unlike for routes, the local clients are
+taken into account).
+.LP
+When \fBpluto\fP needs to install a route for a connection,
+it must make sure that no conflicting route is in use. If another
+connection has a conflicting route, that route will be taken down, as long
+as there is no IPsec SA instantiating that connection.
+If there is such an IPsec SA, the attempt to install a route will fail.
+.LP
+There is an exception. If \fBpluto\fP, as Responder, needs to install
+a route to a fixed client subnet for a connection, and there is
+already a conflicting route, then the SAs using the route are deleted
+to make room for the new SAs. The rationale is that the new
+connection is probably more current. The need for this usually is a
+product of Road Warrior connections (these are explained later; they
+cannot be used to initiate).
+.LP
+When \fBpluto\fP needs to install an eroute for an IPsec SA (for a
+state object), first the state object's connection must be routed (if
+this cannot be done, the eroute and SA will not be installed).
+If a conflicting eroute is already in place for another connection,
+the eroute and SA will not be installed (but note that the routing
+exception mentioned above may have already deleted potentially conflicting SAs).
+If another IPsec
+SA for the same connection already has an eroute, all its outgoing traffic
+is taken over by the new eroute. The incoming traffic will still be
+processed. This characteristic is exploited during rekeying.
+.LP
+All of these routing characteristics are expected change when
+\fBKLIPS\fP is modified to use the firewall hooks in the LINUX 2.4.x
+kernel.
+.SS Using Whack
+.LP
+\fBwhack\fP is used to command a running \fBpluto\fP.
+\fBwhack\fP uses a UNIX domain socket to speak to \fBpluto\fP
+(by default, \fI/var/pluto.ctl\fP).
+.LP
+\fBwhack\fP has an intricate argument syntax.
+This syntax allows many different functions to be specified.
+The help form shows the usage or version information.
+The connection form gives \fBpluto\fP a description of a potential connection.
+The public key form informs \fBpluto\fP of the RSA public key for a potential peer.
+The delete form deletes a connection description and all SAs corresponding
+to it.
+The listen form tells \fBpluto\fP to start or stop listening on the public interfaces
+for IKE requests from peers.
+The route form tells \fBpluto\fP to set up routing for a connection;
+the unroute form undoes this.
+The initiate form tells \fBpluto\fP to negotiate an SA corresponding to a connection.
+The terminate form tells \fBpluto\fP to remove all SAs corresponding to a connection,
+including those being negotiated.
+The status form displays the \fBpluto\fP's internal state.
+The debug form tells \fBpluto\fP to change the selection of debugging output
+``on the fly''. The shutdown form tells
+\fBpluto\fP to shut down, deleting all SAs.
+.LP
+Most options are specific to one of the forms, and will be described
+with that form. There are three options that apply to all forms.
+.TP
+\fB\-\-ctlbase\fP\ \fIpath\fP
+\fIpath\fP.ctl is used as the UNIX domain socket for talking
+to \fBpluto\fP.
+This option facilitates debugging.
+.TP
+\fB\-\-optionsfrom\fP\ \fIfilename\fP
+adds the contents of the file to the argument list.
+.TP
+\fB\-\-label\fP\ \fIstring\fP
+adds the string to all error messages generated by \fBwhack\fP.
+.LP
+The help form of \fBwhack\fP is self-explanatory.
+.TP
+\fB\-\-help\fP
+display the usage message.
+.TP
+\fB\-\-version\fP
+display the version of \fBwhack\fP.
+.LP
+The connection form describes a potential connection to \fBpluto\fP.
+\fBpluto\fP needs to know what connections can and should be negotiated.
+When \fBpluto\fP is the initiator, it needs to know what to propose.
+When \fBpluto\fP is the responder, it needs to know enough to decide whether
+is is willing to set up the proposed connection.
+.LP
+The description of a potential connection can specify a large number
+of details. Each connection has a unique name. This name will appear
+in a updown shell command, so it should not contain punctuation
+that would make the command ill-formed.
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.LP
+The topology of
+a connection is symmetric, so to save space here is half a picture:
+
+\ \ \ client_subnet<\-\->host:ikeport<\-\->nexthop<\-\-\-
+
+A similar trick is used in the flags. The same flag names are used for
+both ends. Those before the \fB\-\-to\fP flag describe the left side
+and those afterwards describe the right side. When \fBpluto\fP attempts
+to use the connection, it decides whether it is the left side or the right
+side of the connection, based on the IP numbers of its interfaces.
+.TP
+\fB\-\-id\fP\ \fIid\fP
+the identity of the end. Currently, this can be an IP address (specified
+as dotted quad or as a Fully Qualified Domain Name, which will be resolved
+immediately) or as a Fully Qualified Domain Name itself (prefixed by ``@''
+to signify that it should not be resolved), or as user@FQDN, or as the
+magic value \fB%myid\fP.
+\fBPluto\fP only authenticates the identity, and does not use it for
+addressing, so, for example, an IP address need not be the one to which
+packets are to be sent. If the option is absent, the
+identity defaults to the IP address specified by \fB\-\-host\fP.
+\fB%myid\fP allows the identity to be separately specified (by the \fBpluto\fP or \fBwhack\fP option \fB\-\-myid\fP
+or by the \fBipsec.conf\fP(5) \fBconfig setup\fP parameter \fPmyid\fP).
+Otherwise, \fBpluto\fP tries to guess what \fB%myid\fP should stand for:
+the IP address of \fB%defaultroute\fP, if it is supported by a suitable TXT record in the reverse domain for that IP address,
+or the system's hostname, if it is supported by a suitable TXT record in its forward domain.
+.\" The identity is transmitted in the IKE protocol, and is what is authenticated.
+.TP
+\fB\-\-host\fP\ \fIip\(hyaddress\fP
+.TP
+\fB\-\-host\fP\ \fB%any\fP
+.TP
+\fB\-\-host\fP\ \fB%opportunistic\fP
+the IP address of the end (generally the public interface).
+If \fBpluto\fP is to act as a responder
+for IKE negotiations initiated from unknown IP addresses (the
+``Road Warrior'' case), the
+IP address should be specified as \fB%any\fP (currently,
+the obsolete notation \fB0.0.0.0\fP is also accepted for this).
+If \fBpluto\fP is to opportunistically initiate the connection,
+use \fB%opportunistic\fP
+.TP
+\fB\-\-ikeport\fP\ \fIport\(hynumber\fP
+the UDP port that IKE listens to on that host. The default is 500.
+(\fBpluto\fP on this machine uses the port specified by its own command
+line argument, so this only affects where \fBpluto\fP sends messages.)
+.TP
+\fB\-\-nexthop\fP\ \fIip\(hyaddress\fP
+where to route packets for the peer's client (presumably for the peer too,
+but it will not be used for this).
+When \fBpluto\fP installs an IPsec SA, it issues a route command.
+It uses the nexthop as the gateway.
+The default is the peer's IP address (this can be explicitly written as
+\fB%direct\fP; the obsolete notation \fB0.0.0.0\fP is accepted).
+This option is necessary if \fBpluto\fP's host's interface used for sending
+packets to the peer is neither point-to-point nor directly connected to the
+peer.
+.TP
+\fB\-\-client\fP\ \fIsubnet\fP
+the subnet for which the IPsec traffic will be destined. If not specified,
+the host will be the client.
+The subnet can be specified in any of the forms supported by \fIipsec_atosubnet\fP(3).
+The general form is \fIaddress\fP/\fImask\fP. The \fIaddress\fP can be either
+a domain name or four decimal numbers (specifying octets) separated by dots.
+The most convenient form of the \fImask\fP is a decimal integer, specifying
+the number of leading one bits in the mask. So, for example, 10.0.0.0/8
+would specify the class A network ``Net 10''.
+.TP
+\fB\-\-dnskeyondemand]\fP
+specifies that when an RSA public key is needed to authenticate this
+host, and it isn't already known, fetch it from DNS.
+.TP
+\fB\-\-updown\fP\ \fIupdown\fP
+specifies an external shell command to be run whenever \fBpluto\fP
+brings up or down a connection.
+The script is used to build a shell command, so it may contain positional
+parameters, but ought not to have punctuation that would cause the
+resulting command to be ill-formed.
+The default is \fIipsec _updown\fP.
+.TP
+\fB\-\-to\fP
+separates the specification of the left and right ends of the connection.
+.LP
+The potential connection description also specifies characteristics of
+rekeying and security.
+.TP
+\fB\-\-psk\fP
+Propose and allow preshared secret authentication for IKE peers. This authentication
+requires that each side use the same secret. May be combined with \fB\-\-rsasig\fP;
+at least one must be specified.
+.TP
+\fB\-\-rsasig\fP
+Propose and allow RSA signatures for authentication of IKE peers. This authentication
+requires that each side have have a private key of its own and know the
+public key of its peer. May be combined with \fB\-\-psk\fP;
+at least one must be specified.
+.TP
+\fB\-\-encrypt\fP
+All proposed or accepted IPsec SAs will include non-null ESP.
+The actual choices of transforms are wired into \fBpluto\fP.
+.TP
+\fB\-\-authenticate\fP
+All proposed IPsec SAs will include AH.
+All accepted IPsec SAs will include AH or ESP with authentication.
+The actual choices of transforms are wired into \fBpluto\fP.
+Note that this has nothing to do with IKE authentication.
+.TP
+\fB\-\-compress\fP
+All proposed IPsec SAs will include IPCOMP (compression).
+This will be ignored if KLIPS is not configured with IPCOMP support.
+.TP
+\fB\-\-tunnel\fP
+the IPsec SA should use tunneling. Implicit if the SA is for clients.
+Must only be used with \fB\-\-authenticate\fP or \fB\-\-encrypt\fP.
+.TP
+\fB\-\-ipv4\fP
+The host addresses will be interpreted as IPv4 addresses. This is the
+default. Note that for a connection, all host addresses must be of
+the same Address Family (IPv4 and IPv6 use different Address Families).
+.TP
+\fB\-\-ipv6\fP
+The host addresses (including nexthop) will be interpreted as IPv6 addresses.
+Note that for a connection, all host addresses must be of
+the same Address Family (IPv4 and IPv6 use different Address Families).
+.TP
+\fB\-\-tunnelipv4\fP
+The client addresses will be interpreted as IPv4 addresses. The default is
+to match what the host will be. This does not imply \fB\-\-tunnel\fP so the
+flag can be safely used when no tunnel is actually specified.
+Note that for a connection, all tunnel addresses must be of the same
+Address Family.
+.TP
+\fB\-\-tunnelipv6\fP
+The client addresses will be interpreted as IPv6 addresses. The default is
+to match what the host will be. This does not imply \fB\-\-tunnel\fP so the
+flag can be safely used when no tunnel is actually specified.
+Note that for a connection, all tunnel addresses must be of the same
+Address Family.
+.TP
+\fB\-\-pfs\fP
+There should be Perfect Forward Secrecy \- new keying material will
+be generated for each IPsec SA rather than being derived from the ISAKMP
+SA keying material.
+Since the group to be used cannot be negotiated (a dubious feature of the
+standard), \fBpluto\fP will propose the same group that was used during Phase 1.
+We don't implement a stronger form of PFS which would require that the
+ISAKMP SA be deleted after the IPSEC SA is negotiated.
+.TP
+\fB\-\-disablearrivalcheck\fP
+If the connection is a tunnel, allow packets arriving through the tunnel
+to have any source and destination addresses.
+.LP
+If none of the \fB\-\-encrypt\fP, \fB\-\-authenticate\fP, \fB\-\-compress\fP,
+or \fB\-\-pfs\fP flags is given, the initiating the connection will
+only build an ISAKMP SA. For such a connection, client subnets have
+no meaning and must not be specified.
+.LP
+More work is needed to allow for flexible policies. Currently
+policy is hardwired in the source file spdb.c. The ISAKMP SAs may use
+Oakley groups MODP1024 and MODP1536; 3DES encryption; SHA1-96
+and MD5-96 authentication. The IPsec SAs may use 3DES and
+MD5-96 or SHA1-96 for ESP, or just MD5-96 or SHA1-96 for AH.
+IPCOMP Compression is always Deflate.
+.TP
+\fB\-\-ikelifetime\fP\ \fIseconds\fP
+how long \fBpluto\fP will propose that an ISAKMP SA be allowed to live.
+The default is 10800 (three hours) and the maximum is 86400 (one day).
+This option will not affect what is accepted.
+\fBpluto\fP will reject proposals that exceed the maximum.
+.TP
+\fB\-\-ipseclifetime\fP\ \fIseconds\fP
+how long \fBpluto\fP will propose that an IPsec SA be allowed to live.
+The default is 3600 (one hour) and the maximum is 86400 (one day).
+This option will not affect what is accepted.
+\fBpluto\fP will reject proposals that exceed the maximum.
+.TP
+\fB\-\-rekeymargin\fP\ \fIseconds\fP
+how long before an SA's expiration should \fBpluto\fP try to negotiate
+a replacement SA. This will only happen if \fBpluto\fP was the initiator.
+The default is 540 (nine minutes).
+.TP
+\fB\-\-rekeyfuzz\fP\ \fIpercentage\fP
+maximum size of random component to add to rekeymargin, expressed as
+a percentage of rekeymargin. \fBpluto\fP will select a delay uniformly
+distributed within this range. By default, the percentage will be 100.
+If greater determinism is desired, specify 0. It may be appropriate
+for the percentage to be much larger than 100.
+.TP
+\fB\-\-keyingtries\fP\ \fIcount\fP
+how many times \fBpluto\fP should try to negotiate an SA,
+either for the first time or for rekeying.
+A value of 0 is interpreted as a very large number: never give up.
+The default is three.
+.TP
+\fB\-\-dontrekey\fP
+A misnomer.
+Only rekey a connection if we were the Initiator and there was recent
+traffic on the existing connection.
+This applies to Phase 1 and Phase 2.
+This is currently the only automatic way for a connection to terminate.
+It may be useful with Road Warrior or Opportunistic connections.
+.br
+Since SA lifetime negotiation is take-it-or-leave it, a Responder
+normally uses the shorter of the negotiated or the configured lifetime.
+This only works because if the lifetime is shorter than negotiated,
+the Responder will rekey in time so that everything works.
+This interacts badly with \fB\-\-dontrekey\fP. In this case,
+the Responder will end up rekeying to rectify a shortfall in an IPsec SA
+lifetime; for an ISAKMP SA, the Responder will accept the negotiated
+lifetime.
+.TP
+\fB\-\-delete\fP
+when used in the connection form, it causes any previous connection
+with this name to be deleted before this one is added. Unlike a
+normal delete, no diagnostic is produced if there was no previous
+connection to delete. Any routing in place for the connection is undone.
+.LP
+The delete form deletes a named connection description and any
+SAs established or negotiations initiated using this connection.
+Any routing in place for the connection is undone.
+.TP
+\fB\-\-delete\fP
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.LP
+The deletestate form deletes the state object with the specified serial number.
+This is useful for selectively deleting instances of connections.
+.TP
+\fB\-\-deletestate\fP\ \fIstate-number\fP
+.LP
+The route form of the \fBwhack\fP command tells \fBpluto\fP to set up
+routing for a connection.
+Although like a traditional route, it uses an ipsec device as a
+virtual interface.
+Once routing is set up, no packets will be
+sent ``in the clear'' to the peer's client specified in the connection.
+A TRAP shunt eroute will be installed; if outbound traffic is caught,
+Pluto will initiate the connection.
+An explicit \fBwhack\fP route is not always needed: if it hasn't been
+done when an IPsec SA is being installed, one will be automatically attempted.
+.LP
+When a routing is attempted for a connection, there must not already
+be a routing for a different connection with the same subnet but different
+interface or destination, or if
+there is, it must not be being used by an IPsec SA. Otherwise the
+attempt will fail.
+.TP
+\fB\-\-route\fP
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.LP
+The unroute form of the \fBwhack\fP command tells \fBpluto\fP to undo
+a routing. \fBpluto\fP will refuse if an IPsec SA is using the connection.
+If another connection is sharing the same routing, it will be left in place.
+Without a routing, packets will be sent without encryption or authentication.
+.TP
+\fB\-\-unroute\fP
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.LP
+The initiate form tells \fBpluto\fP to initiate a negotiation with another
+\fBpluto\fP (or other IKE daemon) according to the named connection.
+Initiation requires a route that \fB\-\-route\fP would provide;
+if none is in place at the time an IPsec SA is being installed,
+\fBpluto\fP attempts to set one up.
+.TP
+\fB\-\-initiate\fP
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.TP
+\fB\-\-asynchronous
+.LP
+The initiate form of the \fBwhack\fP command will relay back from
+\fBpluto\fP status information via the UNIX domain socket (unless
+\-\-asynchronous is specified). The status information is meant to
+look a bit like that from \fBFTP\fP. Currently \fBwhack\fP simply
+copies this to stderr. When the request is finished (eg. the SAs are
+established or \fBpluto\fP gives up), \fBpluto\fP closes the channel,
+causing \fBwhack\fP to terminate.
+.LP
+The opportunistic initiate form is mainly used for debugging.
+.TP
+\fB\-\-tunnelipv4\fP
+.TP
+\fB\-\-tunnelipv6\fP
+.TP
+\fB\-\-oppohere\fP\ \fIip-address\fP
+.TP
+\fB\-\-oppothere\fP\ \fIip-address\fP
+.LP
+This will cause \fBpluto\fP to attempt to opportunistically initiate a
+connection from here to the there, even if a previous attempt
+had been made.
+The whack log will show the progress of this attempt.
+.LP
+The terminate form tells \fBpluto\fP to delete any SAs that use the specified
+connection and to stop any negotiations in process.
+It does not prevent new negotiations from starting (the delete form
+has this effect).
+.TP
+\fB\-\-terminate\fP
+.TP
+\fB\-\-name\fP\ \fIconnection-name\fP
+.LP
+The public key for informs \fBpluto\fP of the RSA public key for a potential peer.
+Private keys must be kept secret, so they are kept in
+.IR ipsec.secrets (5).
+.TP
+\fB\-\-keyid\ \fP\fIid\fP
+specififies the identity of the peer for which a public key should be used.
+Its form is identical to the identity in the connection.
+If no public key is specified, \fBpluto\fP attempts to find KEY records
+from DNS for the id (if a FQDN) or through reverse lookup (if an IP address).
+Note that there several interesting ways in which this is not secure.
+.TP
+\fB\-\-addkey\fP
+specifies that the new key is added to the collection; otherwise the
+new key replaces any old ones.
+.TP
+\fB\-\-pubkeyrsa\ \fP\fIkey\fP
+specifies the value of the RSA public key. It is a sequence of bytes
+as described in RFC 2537 ``RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)''.
+It is denoted in a way suitable for \fIipsec_ttodata\fP(3).
+For example, a base 64 numeral starts with 0s.
+.LP
+The listen form tells \fBpluto\fP to start listening for IKE requests
+on its public interfaces. To avoid race conditions, it is normal to
+load the appropriate connections into \fBpluto\fP before allowing it
+to listen. If \fBpluto\fP isn't listening, it is pointless to
+initiate negotiations, so it will refuse requests to do so. Whenever
+the listen form is used, \fBpluto\fP looks for public interfaces and
+will notice when new ones have been added and when old ones have been
+removed. This is also the trigger for \fBpluto\fP to read the
+\fIipsec.secrets\fP file. So listen may useful more than once.
+.TP
+\fB\-\-listen\fP
+start listening for IKE traffic on public interfaces.
+.TP
+\fB\-\-unlisten\fP
+stop listening for IKE traffic on public interfaces.
+.LP
+The status form will display information about the internal state of
+\fBpluto\fP: information about each potential connection, about
+each state object, and about each shunt that \fBpluto\fP is managing
+without an associated connection.
+.TP
+\fB\-\-status\fP
+.LP
+The shutdown form is the proper way to shut down \fBpluto\fP.
+It will tear down the SAs on this machine that \fBpluto\fP has negotiated.
+It does not inform its peers, so the SAs on their machines remain.
+.TP
+\fB\-\-shutdown\fP
+.SS Examples
+.LP
+It would be normal to start \fBpluto\fP in one of the system initialization
+scripts. It needs to be run by the superuser. Generally, no arguments are needed.
+To run in manually, the superuser can simply type
+
+\ \ \ ipsec pluto
+
+The command will immediately return, but a \fBpluto\fP process will be left
+running, waiting for requests from \fBwhack\fP or a peer.
+.LP
+Using \fBwhack\fP, several potential connections would be described:
+.HP
+.na
+\ \ \ ipsec whack \-\-name\ silly
+\-\-host\ 127.0.0.1 \-\-to \-\-host\ 127.0.0.2
+\-\-ikelifetime\ 900 \-\-ipseclifetime\ 800 \-\-keyingtries\ 3
+.ad
+.LP
+Since this silly connection description specifies neither encryption,
+authentication, nor tunneling, it could only be used to establish
+an ISAKMP SA.
+.HP
+.na
+\ \ \ ipsec whack \-\-name\ secret \-\-host\ 10.0.0.1 \-\-client\ 10.0.1.0/24
+\-\-to \-\-host\ 10.0.0.2 \-\-client\ 10.0.2.0/24
+\-\-encrypt
+.ad
+.LP
+This is something that must be done on both sides. If the other
+side is \fBpluto\fP, the same \fBwhack\fP command could be used on it
+(the command syntax is designed to not distinguish which end is ours).
+.LP
+Now that the connections are specified, \fBpluto\fP is ready to handle
+requests and replies via the public interfaces. We must tell it to discover
+those interfaces and start accepting messages from peers:
+
+\ \ \ ipsec whack \-\-listen
+.LP
+If we don't immediately wish to bring up a secure connection between
+the two clients, we might wish to prevent insecure traffic.
+The routing form asks \fBpluto\fP to cause the packets sent from
+our client to the peer's client to be routed through the ipsec0
+device; if there is no SA, they will be discarded:
+
+\ \ \ ipsec whack \-\-route secret
+.LP
+Finally, we are ready to get \fBpluto\fP to initiate negotiation
+for an IPsec SA (and implicitly, an ISAKMP SA):
+
+\ \ \ ipsec whack \-\-initiate\ \-\-name\ secret
+
+A small log of interesting events will appear on standard output
+(other logging is sent to syslog).
+.LP
+\fBwhack\fP can also be used to terminate \fBpluto\fP cleanly, tearing down
+all SAs that it has negotiated.
+
+\ \ \ ipsec whack \-\-shutdown
+
+Notification of any IPSEC SA deletion, but not ISAKMP SA deletion
+is sent to the peer. Unfortunately, such Notification is not reliable.
+Furthermore, \fBpluto\fP itself ignores Notifications.
+.SS The updown command
+.LP
+Whenever \fBpluto\fP brings a connection up or down, it invokes
+the updown command. This command is specified using the \fB\-\-updown\fP
+option. This allows for customized control over routing and firewall manipulation.
+.LP
+The updown is invoked for five different operations. Each of
+these operations can be for our client subnet or for our host itself.
+.TP
+\fBprepare-host\fP or \fBprepare-client\fP
+is run before bringing up a new connection if no other connection
+with the same clients is up. Generally, this is useful for deleting a
+route that might have been set up before \fBpluto\fP was run or
+perhaps by some agent not known to \fBpluto\fP.
+.TP
+\fBroute-host\fP or \fBroute-client\fP
+is run when bringing up a connection for a new peer client subnet
+(even if \fBprepare-host\fP or \fBprepare-client\fP was run). The
+command should install a suitable route. Routing decisions are based
+only on the destination (peer's client) subnet address, unlike eroutes
+which discriminate based on source too.
+.TP
+\fBunroute-host\fP or \fBunroute-client\fP
+is run when bringing down the last connection for a particular peer
+client subnet. It should undo what the \fBroute-host\fP or \fBroute-client\fP
+did.
+.TP
+\fBup-host\fP or \fBup-client\fP
+is run when bringing up a tunnel eroute with a pair of client subnets
+that does not already have a tunnel eroute.
+This command should install firewall rules as appropriate.
+It is generally a good idea to allow IKE messages (UDP port 500)
+travel between the hosts.
+.TP
+\fBdown-host\fP or \fBdown-client\fP
+is run when bringing down the eroute for a pair of client subnets.
+This command should delete firewall rules as appropriate. Note that
+there may remain some inbound IPsec SAs with these client subnets.
+.LP
+The script is passed a large number of environment variables to specify
+what needs to be done.
+.TP
+\fBPLUTO_VERSION\fP
+indicates what version of this interface is being used. This document
+describes version 1.1. This is upwardly compatible with version 1.0.
+.TP
+\fBPLUTO_VERB\fP
+specifies the name of the operation to be performed
+(\fBprepare-host\fP,r \fBprepare-client\fP,
+\fBup-host\fP, \fBup-client\fP,
+\fBdown-host\fP, or \fBdown-client\fP). If the address family for
+security gateway to security gateway communications is IPv6, then
+a suffix of -v6 is added to the verb.
+.TP
+\fBPLUTO_CONNECTION\fP
+is the name of the connection for which we are routing.
+.TP
+\fBPLUTO_NEXT_HOP\fP
+is the next hop to which packets bound for the peer must be sent.
+.TP
+\fBPLUTO_INTERFACE\fP
+is the name of the ipsec interface to be used.
+.TP
+\fBPLUTO_ME\fP
+is the IP address of our host.
+.TP
+\fBPLUTO_MY_CLIENT\fP
+is the IP address / count of our client subnet.
+If the client is just the host, this will be the host's own IP address / max
+(where max is 32 for IPv4 and 128 for IPv6).
+.TP
+\fBPLUTO_MY_CLIENT_NET\fP
+is the IP address of our client net.
+If the client is just the host, this will be the host's own IP address.
+.TP
+\fBPLUTO_MY_CLIENT_MASK\fP
+is the mask for our client net.
+If the client is just the host, this will be 255.255.255.255.
+.TP
+\fBPLUTO_PEER\fP
+is the IP address of our peer.
+.TP
+\fBPLUTO_PEER_CLIENT\fP
+is the IP address / count of the peer's client subnet.
+If the client is just the peer, this will be the peer's own IP address / max
+(where max is 32 for IPv4 and 128 for IPv6).
+.TP
+\fBPLUTO_PEER_CLIENT_NET\fP
+is the IP address of the peer's client net.
+If the client is just the peer, this will be the peer's own IP address.
+.TP
+\fBPLUTO_PEER_CLIENT_MASK\fP
+is the mask for the peer's client net.
+If the client is just the peer, this will be 255.255.255.255.
+.LP
+All output sent by the script to stderr or stdout is logged. The
+script should return an exit status of 0 if and only if it succeeds.
+.LP
+\fBPluto\fP waits for the script to finish and will not do any other
+processing while it is waiting.
+The script may assume that \fBpluto\fP will not change anything
+while the script runs.
+The script should avoid doing anything that takes much time and it
+should not issue any command that requires processing by \fBpluto\fP.
+Either of these activities could be performed by a background
+subprocess of the script.
+.SS Rekeying
+.LP
+When an SA that was initiated by \fBpluto\fP has only a bit of
+lifetime left,
+\fBpluto\fP will initiate the creation of a new SA. This applies to
+ISAKMP and IPsec SAs.
+The rekeying will be initiated when the SA's remaining lifetime is
+less than the rekeymargin plus a random percentage, between 0 and
+rekeyfuzz, of the rekeymargin.
+.LP
+Similarly, when an SA that was initiated by the peer has only a bit of
+lifetime left, \fBpluto\fP will try to initiate the creation of a
+replacement.
+To give preference to the initiator, this rekeying will only be initiated
+when the SA's remaining lifetime is half of rekeymargin.
+If rekeying is done by the responder, the roles will be reversed: the
+responder for the old SA will be the initiator for the replacement.
+The former initiator might also initiate rekeying, so there may
+be redundant SAs created.
+To avoid these complications, make sure that rekeymargin is generous.
+.LP
+One risk of having the former responder initiate is that perhaps
+none of its proposals is acceptable to the former initiator
+(they have not been used in a successful negotiation).
+To reduce the chances of this happening, and to prevent loss of security,
+the policy settings are taken from the old SA (this is the case even if
+the former initiator is initiating).
+These may be stricter than those of the connection.
+.LP
+\fBpluto\fP will not rekey an SA if that SA is not the most recent of its
+type (IPsec or ISAKMP) for its potential connection.
+This avoids creating redundant SAs.
+.LP
+The random component in the rekeying time (rekeyfuzz) is intended to
+make certain pathological patterns of rekeying unstable. If both
+sides decide to rekey at the same time, twice as many SAs as necessary
+are created. This could become a stable pattern without the
+randomness.
+.LP
+Another more important case occurs when a security gateway has SAs
+with many other security gateways. Each of these connections might
+need to be rekeyed at the same time. This would cause a high peek
+requirement for resources (network bandwidth, CPU time, entropy for
+random numbers). The rekeyfuzz can be used to stagger the rekeying
+times.
+.LP
+Once a new set of SAs has been negotiated, \fBpluto\fP will never send
+traffic on a superseded one. Traffic will be accepted on an old SA
+until it expires.
+.SS Selecting a Connection When Responding: Road Warrior Support
+.LP
+When \fBpluto\fP receives an initial Main Mode message, it needs to
+decide which connection this message is for. It picks based solely on
+the source and destination IP addresses of the message. There might
+be several connections with suitable IP addresses, in which case one
+of them is arbitrarily chosen. (The ISAKMP SA proposal contained in
+the message could be taken into account, but it is not.)
+.LP
+The ISAKMP SA is negotiated before the parties pass further
+identifying information, so all ISAKMP SA characteristics specified in
+the connection description should be the same for every connection
+with the same two host IP addresses. At the moment, the only
+characteristic that might differ is authentication method.
+.LP
+Up to this point,
+all configuring has presumed that the IP addresses
+are known to all parties ahead of time. This will not work
+when either end is mobile (or assigned a dynamic IP address for other
+reasons). We call this situation ``Road Warrior''. It is fairly tricky
+and has some important limitations, most of which are features of
+the IKE protocol.
+.LP
+Only the initiator may be mobile:
+the initiator may have an IP number unknown to the responder. When
+the responder doesn't recognize the IP address on the first Main Mode
+packet, it looks for a connection with itself as one end and \fB%any\fP
+as the other.
+If it cannot find one, it refuses to negotiate. If it
+does find one, it creates a temporary connection that is a duplicate
+except with the \fB%any\fP replaced by the source IP address from the
+packet; if there was no identity specified for the peer, the new IP
+address will be used.
+.LP
+When \fBpluto\fP is using one of these temporary connections and
+needs to find the preshared secret or RSA private key in \fIipsec.secrets\fP,
+and and the connection specified no identity for the peer, \fB%any\fP
+is used as its identity. After all, the real IP address was apparently
+unknown to the configuration, so it is unreasonable to require that
+it be used in this table.
+.LP
+Part way into the Phase 1 (Main Mode) negotiation using one of these
+temporary connection descriptions, \fBpluto\fP will be receive an
+Identity Payload. At this point, \fBpluto\fP checks for a more
+appropriate connection, one with an identity for the peer that matches
+the payload but which would use the same keys so-far used for
+authentication. If it finds one, it will switch to using this better
+connection (or a temporary derived from this, if it has \fB%any\fP
+for the peer's IP address). It may even turn out that no connection
+matches the newly discovered identity, including the current connection;
+if so, \fBpluto\fP terminates negotiation.
+.LP
+Unfortunately, if preshared secret authentication is being used, the
+Identity Payload is encrypted using this secret, so the secret must be
+selected by the responder without knowing this payload. This
+limits there to being at most one preshared secret for all Road Warrior
+systems connecting to a host. RSA Signature authentications does not
+require that the responder know how to select the initiator's public key
+until after the initiator's Identity Payload is decoded (using the
+responder's private key, so that must be preselected).
+.LP
+When \fBpluto\fP is responding to a Quick Mode negotiation via one of these
+temporary connection descriptions, it may well find that the subnets
+specified by the initiator don't match those in the temporary
+connection description. If so, it will look for a connection with
+matching subnets, its own host address, a peer address of \fB%any\fP
+and matching identities.
+If it finds one, a new temporary connection is derived from this one
+and used for the Quick Mode negotiation of IPsec SAs. If it does not
+find one, \fBpluto\fP terminates negotiation.
+.LP
+Be sure to specify an appropriate nexthop for the responder
+to send a message to the initiator: \fBpluto\fP has no way of guessing
+it (if forwarding isn't required, use an explicit \fB%direct\fP as the nexthop
+and the IP address of the initiator will be filled in; the obsolete
+notation \fB0.0.0.0\fP is still accepted).
+.LP
+\fBpluto\fP has no special provision for the initiator side. The current
+(possibly dynamic) IP address and nexthop must be used in defining
+connections. These must be
+properly configured each time the initiator's IP address changes.
+\fBpluto\fP has no mechanism to do this automatically.
+.LP
+Although we call this Road Warrior Support, it could also be used to
+support encrypted connections with anonymous initiators. The
+responder's organization could announce the preshared secret that would be used
+with unrecognized initiators and let anyone connect. Of course the initiator's
+identity would not be authenticated.
+.LP
+If any Road Warrior connections are supported, \fBpluto\fP cannot
+reject an exchange initiated by an unknown host until it has
+determined that the secret is not shared or the signature is invalid.
+This must await the
+third Main Mode message from the initiator. If no Road Warrior
+connection is supported, the first message from an unknown source
+would be rejected. This has implications for ease of debugging
+configurations and for denial of service attacks.
+.LP
+Although a Road Warrior connection must be initiated by the mobile
+side, the other side can and will rekey using the temporary connection
+it has created. If the Road Warrior wishes to be able to disconnect,
+it is probably wise to set \fB\-\-keyingtries\fP to 1 in the
+connection on the non-mobile side to prevent it trying to rekey the
+connection. Unfortunately, there is no mechanism to unroute the
+connection automatically.
+.SS Debugging
+.LP
+\fBpluto\fP accepts several optional arguments, useful mostly for debugging.
+Except for \fB\-\-interface\fP, each should appear at most once.
+.TP
+\fB\-\-interface\fP \fIinterfacename\fP
+specifies that the named real public network interface should be considered.
+The interface name specified should not be \fBipsec\fP\fIN\fP.
+If the option doesn't appear, all interfaces are considered.
+To specify several interfaces, use the option once for each.
+One use of this option is to specify which interface should be used
+when two or more share the same IP address.
+.TP
+\fB\-\-ikeport\fP \fIport-number\fP
+changes the UDP port that \fBpluto\fP will use
+(default, specified by IANA: 500)
+.TP
+\fB\-\-ctlbase\fP \fIpath\fP
+basename for control files.
+\fIpath\fP.ctl is the socket through which \fBwhack\fP communicates with
+\fBpluto\fP.
+\fIpath\fP.pid is the lockfile to prevent multiple \fBpluto\fP instances.
+The default is \fI/var/run/pluto\fP).
+.TP
+\fB\-\-secretsfile\fP \fIfile\fP
+specifies the file for authentication secrets
+(default: \fI/etc/ipsec.secrets\fP).
+This name is subject to ``globbing'' as in \fIsh\fP(1),
+so every file with a matching name is processed.
+Quoting is generally needed to prevent the shell from doing the globbing.
+.TP
+\fB\-\-adns\fP \fIpathname\fP
+.TP
+\fB\-\-lwdnsq\fP \fIpathname\fP
+specifies where to find \fBpluto\fP's helper program for asynchronous DNS lookup.
+\fBpluto\fP can be built to use one of two helper programs: \fB_pluto_adns\fP
+or \fBlwdnsq\fP. You must use the program for which it was built.
+By default, \fBpluto\fP will look for the program in
+\fB$IPSEC_DIR\fP (if that environment variable is defined) or, failing that,
+in the same directory as \fBpluto\fP.
+.TP
+\fB\-\-nofork\fP
+disable ``daemon fork'' (default is to fork). In addition, after the
+lock file and control socket are created, print the line ``Pluto
+initialized'' to standard out.
+.TP
+\fB\-\-noklips\fP
+don't actually implement negotiated IPsec SAs
+.TP
+\fB\-\-uniqueids\fP
+if this option has been selected, whenever a new ISAKMP SA is
+established, any connection with the same Peer ID but a different
+Peer IP address is unoriented (causing all its SAs to be deleted).
+This helps clean up dangling SAs when a connection is lost and
+then regained at another IP address.
+.TP
+\fB\-\-stderrlog\fP
+log goes to standard out {default is to use \fIsyslogd\fP(8))
+.LP
+For example
+.TP
+pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
+.LP
+lets one test \fBpluto\fP without using the superuser account.
+.LP
+\fBpluto\fP is willing to produce a prodigious amount of debugging
+information. To do so, it must be compiled with \-DDEBUG. There are
+several classes of debugging output, and \fBpluto\fP may be directed to
+produce a selection of them. All lines of
+debugging output are prefixed with ``|\ '' to distinguish them from error
+messages.
+.LP
+When \fBpluto\fP is invoked, it may be given arguments to specify
+which classes to output. The current options are:
+.TP
+\fB\-\-debug-raw\fP
+show the raw bytes of messages
+.TP
+\fB\-\-debug-crypt\fP
+show the encryption and decryption of messages
+.TP
+\fB\-\-debug-parsing\fP
+show the structure of input messages
+.TP
+\fB\-\-debug-emitting\fP
+show the structure of output messages
+.TP
+\fB\-\-debug-control\fP
+show \fBpluto\fP's decision making
+.TP
+\fB\-\-debug-lifecycle\fP
+[this option is temporary] log more detail of lifecycle of SAs
+.TP
+\fB\-\-debug-klips\fP
+show \fBpluto\fP's interaction with \fBKLIPS\fP
+.TP
+\fB\-\-debug-dns\fP
+show \fBpluto\fP's interaction with \fBDNS\fP for KEY and TXT records
+.TP
+\fB\-\-debug-oppo\fP
+show why \fBpluto\fP didn't find a suitable DNS TXT record to authorize opportunistic initiation
+.TP
+\fB\-\-debug-all\fP
+all of the above
+.TP
+\fB\-\-debug-private\fP
+allow debugging output with private keys.
+.TP
+\fB\-\-debug-none\fP
+none of the above
+.LP
+The debug form of the
+\fBwhack\fP command will change the selection in a running
+\fBpluto\fP.
+If a connection name is specified, the flags are added whenever
+\fBpluto\fP has identified that it is dealing with that connection.
+Unfortunately, this is often part way into the operation being observed.
+.LP
+For example, to start a \fBpluto\fP with a display of the structure of input
+and output:
+.IP
+pluto \-\-debug-emitting \-\-debug-parsing
+.LP
+To later change this \fBpluto\fP to only display raw bytes:
+.IP
+whack \-\-debug-raw
+.LP
+For testing, SSH's IKE test page is quite useful:
+.IP
+\fIhttp://isakmp-test.ssh.fi/\fP
+.LP
+Hint: ISAKMP SAs are often kept alive by IKEs even after the IPsec SA
+is established. This allows future IPsec SA's to be negotiated
+directly. If one of the IKEs is restarted, the other may try to use
+the ISAKMP SA but the new IKE won't know about it. This can lead to
+much confusion. \fBpluto\fP is not yet smart enough to get out of such a
+mess.
+.SS Pluto's Behaviour When Things Go Wrong
+.LP
+When \fBpluto\fP doesn't understand or accept a message, it just
+ignores the message. It is not yet capable of communicating the
+problem to the other IKE daemon (in the future it might use
+Notifications to accomplish this in many cases). It does log a diagnostic.
+.LP
+When \fBpluto\fP gets no response from a message, it resends the same
+message (a message will be sent at most three times). This is
+appropriate: UDP is unreliable.
+.LP
+When pluto gets a message that it has already seen, there are many
+cases when it notices and discards it. This too is appropriate for UDP.
+.LP
+Combine these three rules, and you can explain many apparently
+mysterious behaviours. In a \fBpluto\fP log, retrying isn't usually the
+interesting event. The critical thing is either earlier (\fBpluto\fP
+got a message which it didn't like and so ignored, so it was still
+awaiting an acceptable message and got impatient) or on the other
+system (\fBpluto\fP didn't send a reply because it wasn't happy with
+the previous message).
+.SS Notes
+.LP
+If \fBpluto\fP is compiled without \-DKLIPS, it negotiates Security
+Associations but never ask the kernel to put them in place and never
+makes routing changes. This allows \fBpluto\fP to be tested on systems
+without \fBKLIPS\fP, but makes it rather useless.
+.LP
+Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the SA.
+The IKE protocol lets the destination of the SA choose the SPI.
+The range 0 to 0xFF is reserved for IANA.
+\fBPluto\fP also avoids choosing an SPI in the range 0x100 to 0xFFF,
+leaving these SPIs free for manual keying.
+Remember that the peer, if not \fBpluto\fP, may well chose
+SPIs in this range.
+.SS Policies
+.LP
+This catalogue of policies may be of use when trying to configure
+\fBPluto\fP and another IKE implementation to interoperate.
+.LP
+In Phase 1, only Main Mode is supported. We are not sure that
+Aggressive Mode is secure. For one thing, it does not support
+identity protection. It may allow more severe Denial Of Service
+attacks.
+.LP
+No Informational Exchanges are supported. These are optional and
+since their delivery is not assured, they must not matter.
+It is the case that some IKE implementations won't interoperate
+without Informational Exchanges, but we feel they are broken.
+.LP
+No Informational Payloads are supported. These are optional, but
+useful. It is of concern that these payloads are not authenticated in
+Phase 1, nor in those Phase 2 messages authenticated with HASH(3).
+.IP \(bu \w'\(bu\ 'u
+Diffie Hellman Groups MODP 1024 and MODP 1536 (2 and 5)
+are supported.
+Group MODP768 (1) is not supported because it is too weak.
+.IP \(bu
+Host authetication can be done by RSA Signatures or Pre-Shared
+Secrets.
+.IP \(bu
+3DES CBC (Cypher Block Chaining mode) is the only encryption
+supported, both for ISAKMP SAs and IPSEC SAs.
+.IP \(bu
+MD5 and SHA1 hashing are supported for packet authentication in both
+kinds of SAs.
+.IP \(bu
+The ESP, AH, or AH plus ESP are supported. If, and only if, AH and
+ESP are combined, the ESP need not have its own authentication
+component. The selection is controlled by the \-\-encrypt and
+\-\-authenticate flags.
+.IP \(bu
+Each of these may be combined with IPCOMP Deflate compression,
+but only if the potential connection specifies compression and only
+if KLIPS is configured with IPCOMP support.
+.IP \(bu
+The IPSEC SAs may be tunnel or transport mode, where appropriate.
+The \-\-tunnel flag controls this when \fBpluto\fP is initiating.
+.IP \(bu
+When responding to an ISAKMP SA proposal, the maximum acceptable
+lifetime is eight hours. The default is one hour. There is no
+minimum. The \-\-ikelifetime flag controls this when \fBpluto\fP
+is initiating.
+.IP \(bu
+When responding to an IPSEC SA proposal, the maximum acceptable
+lifetime is one day. The default is eight hours. There is no
+minimum. The \-\-ipseclifetime flag controls this when \fBpluto\fP
+is initiating.
+.IP \(bu
+PFS is acceptable, and will be proposed if the \-\-pfs flag was
+specified. The DH group proposed will be the same as negotiated for
+Phase 1.
+.SH SIGNALS
+.LP
+\fBPluto\fP responds to \fBSIGHUP\fP by issuing a suggestion that ``\fBwhack\fP
+\-\-listen'' might have been intended.
+.LP
+\fBPluto\fP exits when it recieves \fBSIGTERM\fP.
+.SH EXIT STATUS
+.LP
+\fBpluto\fP normally forks a daemon process, so the exit status is
+normally a very preliminary result.
+.TP
+0
+means that all is OK so far.
+.TP
+1
+means that something was wrong.
+.TP
+10
+means that the lock file already exists.
+.LP
+If \fBwhack\fP detects a problem, it will return an exit status of 1.
+If it received progress messages from \fBpluto\fP, it returns as status
+the value of the numeric prefix from the last such message
+that was not a message sent to syslog or a comment
+(but the prefix for success is treated as 0).
+Otherwise, the exit status is 0.
+.SH FILES
+\fI/var/run/pluto.pid\fP
+.br
+\fI/var/run/pluto.ctl\fP
+.br
+\fI/etc/ipsec.secrets\fP
+.br
+\fI$IPSEC_LIBDIR/_pluto_adns\fP
+.br
+\fI$IPSEC_EXECDIR/lwdnsq\fP
+.br
+\fI/dev/urandom\fP
+.SH ENVIRONMENT
+\fIIPSEC_LIBDIR\fP
+.br
+\fIIPSEC_EXECDIR\fP
+.br
+\fIIPSECmyid\fP
+.SH SEE ALSO
+.LP
+The rest of the FreeS/WAN distribution, in particular \fIipsec\fP(8).
+.LP
+\fIipsec_auto\fP(8) is designed to make using \fBpluto\fP more pleasant.
+Use it!
+.LP
+.IR ipsec.secrets (5)
+describes the format of the secrets file.
+.LP
+\fIipsec_atoaddr\fP(3), part of the FreeS/WAN distribution, describes the
+forms that IP addresses may take.
+\fIipsec_atosubnet\fP(3), part of the FreeS/WAN distribution, describes the
+forms that subnet specifications.
+.LP
+For more information on IPsec, the mailing list, and the relevant
+documents, see:
+.IP
+.nh
+\fIhttp://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html\fP
+.hy
+.LP
+At the time of writing, the most relevant IETF RFCs are:
+.IP
+RFC2409 The Internet Key Exchange (IKE)
+.IP
+RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
+.IP
+RFC2407 The Internet IP Security Domain of Interpretation for ISAKMP
+.LP
+The FreeS/WAN web site <htp://www.freeswan.org>
+and the mailing lists described there.
+.SH HISTORY
+This code is released under the GPL terms.
+See the accompanying file COPYING-2.0 for more details.
+The GPL does NOT apply to those pieces of code written by others
+which are included in this distribution, except as noted by the
+individual authors.
+.LP
+This software was originally written
+for the FreeS/WAN project
+<http://www.freeswan.org>
+by Angelos D. Keromytis
+(angelos@dsl.cis.upenn.edu), in May/June 1997, in Athens, Greece.
+Thanks go to John Ioannidis for his help.
+.LP
+It is currently (2000)
+being developed and maintained by D. Hugh Redelmeier
+(hugh@mimosa.com), in Canada. The regulations of Greece and Canada
+allow us to make the code freely redistributable.
+.LP
+Kai Martius (admin@imib.med.tu-dresden.de) contributed the initial
+version of the code supporting PFS.
+.LP
+Richard Guy Briggs <rgb@conscoop.ottawa.on.ca> and Peter Onion
+<ponion@srd.bt.co.uk> added the PFKEY2 support.
+.LP
+We gratefully acknowledge that we use parts of Eric Young's \fIlibdes\fP
+package; see \fI../libdes/COPYRIGHT\fP.
+.SH BUGS
+.BR pluto
+is a work-in-progress. It currently has many limitations.
+For example, it ignores notification messages that it receives, and
+it generates only Delete Notifications and those only for IPSEC SAs.
+.LP
+\fBpluto\fP does not support the Commit Flag.
+The Commit Flag is a bad feature of the IKE protocol.
+It isn't protected -- neither encrypted nor authenticated.
+A man in the middle could turn it on, leading to DoS.
+We just ignore it, with a warning.
+This should let us interoperate with
+implementations that insist on it, with minor damage.
+.LP
+\fBpluto\fP does not check that the SA returned by the Responder
+is actually one that was proposed. It only checks that the SA is
+acceptable. The difference is not large, but can show up in attributes
+such as SA lifetime.
+.LP
+There is no good way for a connection to be automatically terminated.
+This is a problem for Road Warrior and Opportunistic connections.
+The \fB\-\-dontrekey\fP option does prevent the SAs from
+being rekeyed on expiry.
+Additonally, if a Road Warrior connection has a client subnet with a fixed IP
+address, a negotiation with that subnet will cause any other
+connection instantiations with that same subnet to be unoriented
+(deleted, in effect).
+See also the \-\-uniqueids option for an extension of this.
+.LP
+When \fBpluto\fP sends a message to a peer that has disappeared,
+\fBpluto\fP receives incomplete information from the kernel, so it
+logs the unsatisfactory message ``some IKE message we sent has been
+rejected with ECONNREFUSED (kernel supplied no details)''. John
+Denker suggests that this command is useful for tracking down the
+source of these problems:
+.br
+ tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0
+.br
+Substitute your public interface for eth0 if it is different.
+.LP
+The word ``authenticate'' is used for two different features. We must
+authenticate each IKE peer to the other. This is an important task of
+Phase 1. Each packet must be authenticated, both in IKE and in IPsec,
+and the method for IPsec is negotiated as an AH SA or part of an ESP SA.
+Unfortunately, the protocol has no mechanism for authenticating the Phase 2
+identities.
+.LP
+Bugs should be reported to the <users@lists.freeswan.org> mailing list.
+Caution: we cannot accept
+actual code from US residents, or even US citizens living outside the
+US, because that would bring FreeS/WAN under US export law. Some
+other countries cause similar problems. In general, we would prefer
+that you send detailed problem reports rather than code: we want
+FreeS/WAN to be unquestionably freely exportable, which means being
+very careful about where the code comes from, and for a small bug fix,
+that is often more time-consuming than just reinventing the fix
+ourselves.
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
new file mode 100644
index 000000000..e235ff765
--- /dev/null
+++ b/src/pluto/plutomain.c
@@ -0,0 +1,655 @@
+/* Pluto main program
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: plutomain.c,v 1.16 2005/09/25 21:30:52 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/un.h>
+#include <fcntl.h>
+#include <getopt.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+
+#include <freeswan.h>
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "id.h"
+#include "ca.h"
+#include "certs.h"
+#include "ac.h"
+#include "connections.h"
+#include "foodgroups.h"
+#include "packet.h"
+#include "demux.h" /* needs packet.h */
+#include "server.h"
+#include "kernel.h"
+#include "log.h"
+#include "keys.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "rnd.h"
+#include "state.h"
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "ocsp.h"
+#include "crl.h"
+#include "fetch.h"
+#include "xauth.h"
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+#include "nat_traversal.h"
+#include "virtual.h"
+
+static void
+usage(const char *mess)
+{
+ if (mess != NULL && *mess != '\0')
+ fprintf(stderr, "%s\n", mess);
+ fprintf(stderr
+ , "Usage: pluto"
+ " [--help]"
+ " [--version]"
+ " [--optionsfrom <filename>]"
+ " \\\n\t"
+ "[--nofork]"
+ " [--stderrlog]"
+ " [--noklips]"
+ " [--nocrsend]"
+ " \\\n\t"
+ "[--strictcrlpolicy]"
+ " [--crlcheckinterval <interval>]"
+ " [--cachecrls]"
+ " [--uniqueids]"
+ " \\\n\t"
+ "[--interface <ifname>]"
+ " [--ikeport <port-number>]"
+ " \\\n\t"
+ "[--ctlbase <path>]"
+ " \\\n\t"
+ "[--perpeerlogbase <path>] [--perpeerlog]"
+ " \\\n\t"
+ "[--secretsfile <secrets-file>]"
+ " [--policygroupsdir <policygroups-dir>]"
+ " \\\n\t"
+ "[--adns <pathname>]"
+ "[--pkcs11module <path>]"
+ "[--pkcs11keepstate"
+#ifdef DEBUG
+ " \\\n\t"
+ "[--debug-none]"
+ " [--debug-all]"
+ " \\\n\t"
+ "[--debug-raw]"
+ " [--debug-crypt]"
+ " [--debug-parsing]"
+ " [--debug-emitting]"
+ " \\\n\t"
+ "[--debug-control]"
+ " [--debug-lifecycle]"
+ " [--debug-klips]"
+ " [--debug-dns]"
+ " \\\n\t"
+ "[--debug-oppo]"
+ " [--debug-controlmore]"
+ " [--debug-private]"
+#endif
+ " [ --debug-natt]"
+ " \\\n\t"
+ "[--nat_traversal] [--keep_alive <delay_sec>]"
+ " \\\n\t"
+ "[--force_keepalive] [--disable_port_floating]"
+ " \\\n\t"
+ "[--virtual_private <network_list>]"
+ "\n"
+ "strongSwan %s\n"
+ , ipsec_version_code());
+ exit_pluto(mess == NULL? 0 : 1);
+}
+
+
+/* lock file support
+ * - provides convenient way for scripts to find Pluto's pid
+ * - prevents multiple Plutos competing for the same port
+ * - same basename as unix domain control socket
+ * NOTE: will not take account of sharing LOCK_DIR with other systems.
+ */
+
+static char pluto_lock[sizeof(ctl_addr.sun_path)] = DEFAULT_CTLBASE LOCK_SUFFIX;
+static bool pluto_lock_created = FALSE;
+
+/* create lockfile, or die in the attempt */
+static int
+create_lock(void)
+{
+ int fd = open(pluto_lock, O_WRONLY | O_CREAT | O_EXCL | O_TRUNC
+ , S_IRUSR | S_IRGRP | S_IROTH);
+
+ if (fd < 0)
+ {
+ if (errno == EEXIST)
+ {
+ fprintf(stderr, "pluto: lock file \"%s\" already exists\n"
+ , pluto_lock);
+ exit_pluto(10);
+ }
+ else
+ {
+ fprintf(stderr
+ , "pluto: unable to create lock file \"%s\" (%d %s)\n"
+ , pluto_lock, errno, strerror(errno));
+ exit_pluto(1);
+ }
+ }
+ pluto_lock_created = TRUE;
+ return fd;
+}
+
+static bool
+fill_lock(int lockfd, pid_t pid)
+{
+ char buf[30]; /* holds "<pid>\n" */
+ int len = snprintf(buf, sizeof(buf), "%u\n", (unsigned int) pid);
+ bool ok = len > 0 && write(lockfd, buf, len) == len;
+
+ close(lockfd);
+ return ok;
+}
+
+static void
+delete_lock(void)
+{
+ if (pluto_lock_created)
+ {
+ delete_ctl_socket();
+ unlink(pluto_lock); /* is noting failure useful? */
+ }
+}
+
+/* by default pluto sends certificate requests to its peers */
+bool no_cr_send = FALSE;
+
+/* by default the CRL policy is lenient */
+bool strict_crl_policy = FALSE;
+
+/* by default CRLs are cached locally as files */
+bool cache_crls = FALSE;
+
+/* by default pluto does not check crls dynamically */
+long crl_check_interval = 0;
+
+/* path to the PKCS#11 module */
+char *pkcs11_module_path = NULL;
+
+/* by default pluto logs out after every smartcard use */
+bool pkcs11_keep_state = FALSE;
+
+/* by default pluto does not allow pkcs11 proxy access via whack */
+bool pkcs11_proxy = FALSE;
+
+int
+main(int argc, char **argv)
+{
+ bool fork_desired = TRUE;
+ bool log_to_stderr_desired = FALSE;
+ bool nat_traversal = FALSE;
+ bool nat_t_spf = TRUE; /* support port floating */
+ unsigned int keep_alive = 0;
+ bool force_keepalive = FALSE;
+ char *virtual_private = NULL;
+ int lockfd;
+
+ /* handle arguments */
+ for (;;)
+ {
+# define DBG_OFFSET 256
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "optionsfrom", required_argument, NULL, '+' },
+ { "nofork", no_argument, NULL, 'd' },
+ { "stderrlog", no_argument, NULL, 'e' },
+ { "noklips", no_argument, NULL, 'n' },
+ { "nocrsend", no_argument, NULL, 'c' },
+ { "strictcrlpolicy", no_argument, NULL, 'r' },
+ { "crlcheckinterval", required_argument, NULL, 'x'},
+ { "cachecrls", no_argument, NULL, 'C' },
+ { "uniqueids", no_argument, NULL, 'u' },
+ { "interface", required_argument, NULL, 'i' },
+ { "ikeport", required_argument, NULL, 'p' },
+ { "ctlbase", required_argument, NULL, 'b' },
+ { "secretsfile", required_argument, NULL, 's' },
+ { "foodgroupsdir", required_argument, NULL, 'f' },
+ { "perpeerlogbase", required_argument, NULL, 'P' },
+ { "perpeerlog", no_argument, NULL, 'l' },
+ { "policygroupsdir", required_argument, NULL, 'f' },
+#ifdef USE_LWRES
+ { "lwdnsq", required_argument, NULL, 'a' },
+#else /* !USE_LWRES */
+ { "adns", required_argument, NULL, 'a' },
+#endif /* !USE_LWRES */
+ { "pkcs11module", required_argument, NULL, 'm' },
+ { "pkcs11keepstate", no_argument, NULL, 'k' },
+ { "pkcs11proxy", no_argument, NULL, 'y' },
+ { "nat_traversal", no_argument, NULL, '1' },
+ { "keep_alive", required_argument, NULL, '2' },
+ { "force_keepalive", no_argument, NULL, '3' },
+ { "disable_port_floating", no_argument, NULL, '4' },
+ { "debug-natt", no_argument, NULL, '5' },
+ { "virtual_private", required_argument, NULL, '6' },
+#ifdef DEBUG
+ { "debug-none", no_argument, NULL, 'N' },
+ { "debug-all", no_argument, NULL, 'A' },
+ { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
+ { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
+ { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
+ { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
+ { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
+ { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
+ { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
+ { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
+ { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
+ { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
+ { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
+
+ { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
+ { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
+ { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
+ { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
+#endif
+ { 0,0,0,0 }
+ };
+ /* Note: we don't like the way short options get parsed
+ * by getopt_long, so we simply pass an empty string as
+ * the list. It could be "hvdenp:l:s:" "NARXPECK".
+ */
+ int c = getopt_long(argc, argv, "", long_opts, NULL);
+
+ /* Note: "breaking" from case terminates loop */
+ switch (c)
+ {
+ case EOF: /* end of flags */
+ break;
+
+ case 0: /* long option already handled */
+ continue;
+
+ case ':': /* diagnostic already printed by getopt_long */
+ case '?': /* diagnostic already printed by getopt_long */
+ usage("");
+ break; /* not actually reached */
+
+ case 'h': /* --help */
+ usage(NULL);
+ break; /* not actually reached */
+
+ case 'v': /* --version */
+ {
+ const char **sp = ipsec_copyright_notice();
+
+ printf("%s%s\n", ipsec_version_string(),
+ compile_time_interop_options);
+ for (; *sp != NULL; sp++)
+ puts(*sp);
+ }
+ exit_pluto(0);
+ break; /* not actually reached */
+
+ case '+': /* --optionsfrom <filename> */
+ optionsfrom(optarg, &argc, &argv, optind, stderr);
+ /* does not return on error */
+ continue;
+
+ case 'd': /* --nofork*/
+ fork_desired = FALSE;
+ continue;
+
+ case 'e': /* --stderrlog */
+ log_to_stderr_desired = TRUE;
+ continue;
+
+ case 'n': /* --noklips */
+ no_klips = TRUE;
+ continue;
+
+ case 'c': /* --nocrsend */
+ no_cr_send = TRUE;
+ continue;
+
+ case 'r': /* --strictcrlpolicy */
+ strict_crl_policy = TRUE;
+ continue;
+
+ case 'x': /* --crlcheckinterval <time>*/
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing interval time");
+
+ {
+ char *endptr;
+ long interval = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || interval <= 0)
+ usage("<interval-time> must be a positive number");
+ crl_check_interval = interval;
+ }
+ continue;
+
+ case 'C': /* --cachecrls */
+ cache_crls = TRUE;
+ continue;
+
+ case 'u': /* --uniqueids */
+ uniqueIDs = TRUE;
+ continue;
+
+ case 'i': /* --interface <ifname> */
+ if (!use_interface(optarg))
+ usage("too many --interface specifications");
+ continue;
+
+ case 'p': /* --port <portnumber> */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing port number");
+
+ {
+ char *endptr;
+ long port = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || port <= 0 || port > 0x10000)
+ usage("<port-number> must be a number between 1 and 65535");
+ pluto_port = port;
+ }
+ continue;
+
+ case 'b': /* --ctlbase <path> */
+ if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
+ , "%s%s", optarg, CTL_SUFFIX) == -1)
+ usage("<path>" CTL_SUFFIX " too long for sun_path");
+ if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
+ , "%s%s", optarg, INFO_SUFFIX) == -1)
+ usage("<path>" INFO_SUFFIX " too long for sun_path");
+ if (snprintf(pluto_lock, sizeof(pluto_lock)
+ , "%s%s", optarg, LOCK_SUFFIX) == -1)
+ usage("<path>" LOCK_SUFFIX " must fit");
+ continue;
+
+ case 's': /* --secretsfile <secrets-file> */
+ shared_secrets_file = optarg;
+ continue;
+
+ case 'f': /* --policygroupsdir <policygroups-dir> */
+ policygroups_dir = optarg;
+ continue;
+
+ case 'a': /* --adns <pathname> */
+ pluto_adns_option = optarg;
+ continue;
+
+ case 'm': /* --pkcs11module <pathname> */
+ pkcs11_module_path = optarg;
+ continue;
+
+ case 'k': /* --pkcs11keepstate */
+ pkcs11_keep_state = TRUE;
+ continue;
+
+ case 'y': /* --pkcs11proxy */
+ pkcs11_proxy = TRUE;
+ continue;
+
+#ifdef DEBUG
+ case 'N': /* --debug-none */
+ base_debugging = DBG_NONE;
+ continue;
+
+ case 'A': /* --debug-all */
+ base_debugging = DBG_ALL;
+ continue;
+#endif
+
+ case 'P': /* --perpeerlogbase */
+ base_perpeer_logdir = optarg;
+ continue;
+
+ case 'l':
+ log_to_perpeer = TRUE;
+ continue;
+
+ case '1': /* --nat_traversal */
+ nat_traversal = TRUE;
+ continue;
+ case '2': /* --keep_alive */
+ keep_alive = atoi(optarg);
+ continue;
+ case '3': /* --force_keepalive */
+ force_keepalive = TRUE;
+ continue;
+ case '4': /* --disable_port_floating */
+ nat_t_spf = FALSE;
+ continue;
+ case '5': /* --debug-nat_t */
+ base_debugging |= DBG_NATT;
+ continue;
+ case '6': /* --virtual_private */
+ virtual_private = optarg;
+ continue;
+
+ default:
+#ifdef DEBUG
+ if (c >= DBG_OFFSET)
+ {
+ base_debugging |= c - DBG_OFFSET;
+ continue;
+ }
+# undef DBG_OFFSET
+#endif
+ bad_case(c);
+ }
+ break;
+ }
+ if (optind != argc)
+ usage("unexpected argument");
+ reset_debugging();
+ lockfd = create_lock();
+
+ /* select between logging methods */
+
+ if (log_to_stderr_desired)
+ log_to_syslog = FALSE;
+ else
+ log_to_stderr = FALSE;
+
+ /* set the logging function of pfkey debugging */
+#ifdef DEBUG
+ pfkey_debug_func = DBG_log;
+#else
+ pfkey_debug_func = NULL;
+#endif
+
+ /* create control socket.
+ * We must create it before the parent process returns so that
+ * there will be no race condition in using it. The easiest
+ * place to do this is before the daemon fork.
+ */
+ {
+ err_t ugh = init_ctl_socket();
+
+ if (ugh != NULL)
+ {
+ fprintf(stderr, "pluto: %s", ugh);
+ exit_pluto(1);
+ }
+ }
+
+ /* If not suppressed, do daemon fork */
+
+ if (fork_desired)
+ {
+ {
+ pid_t pid = fork();
+
+ if (pid < 0)
+ {
+ int e = errno;
+
+ fprintf(stderr, "pluto: fork failed (%d %s)\n",
+ errno, strerror(e));
+ exit_pluto(1);
+ }
+
+ if (pid != 0)
+ {
+ /* parent: die, after filling PID into lock file.
+ * must not use exit_pluto: lock would be removed!
+ */
+ exit(fill_lock(lockfd, pid)? 0 : 1);
+ }
+ }
+
+ if (setsid() < 0)
+ {
+ int e = errno;
+
+ fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
+ errno, strerror(e));
+ exit_pluto(1);
+ }
+ }
+ else
+ {
+ /* no daemon fork: we have to fill in lock file */
+ (void) fill_lock(lockfd, getpid());
+ fprintf(stdout, "Pluto initialized\n");
+ fflush(stdout);
+ }
+
+ /* Close everything but ctl_fd and (if needed) stderr.
+ * There is some danger that a library that we don't know
+ * about is using some fd that we don't know about.
+ * I guess we'll soon find out.
+ */
+ {
+ int i;
+
+ for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
+ {
+ if ((!log_to_stderr || i != 2) && i != ctl_fd)
+ close(i);
+ }
+
+ /* make sure that stdin, stdout, stderr are reserved */
+ if (open("/dev/null", O_RDONLY) != 0)
+ abort();
+ if (dup2(0, 1) != 1)
+ abort();
+ if (!log_to_stderr && dup2(0, 2) != 2)
+ abort();
+ }
+
+ init_constants();
+ init_log("pluto");
+
+ /* Note: some scripts may look for this exact message -- don't change
+ * ipsec barf was one, but it no longer does.
+ */
+ plog("Starting Pluto (strongSwan Version %s%s)"
+ , ipsec_version_code()
+ , compile_time_interop_options);
+
+ init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
+ init_virtual_ip(virtual_private);
+ scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
+ xauth_init(); /* load and initialize XAUTH module */
+ init_rnd_pool();
+ init_secret();
+ init_states();
+ init_crypto();
+ init_demux();
+ init_kernel();
+ init_adns();
+ init_id();
+ init_fetch();
+
+ /* loading X.509 CA certificates */
+ load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+ /* loading X.509 AA certificates */
+ load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+ /* loading X.509 OCSP certificates */
+ load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+ /* loading X.509 CRLs */
+ load_crls();
+ /* loading attribute certificates (experimental) */
+ load_acerts();
+
+ daily_log_event();
+ call_server();
+ return -1; /* Shouldn't ever reach this */
+}
+
+/* leave pluto, with status.
+ * Once child is launched, parent must not exit this way because
+ * the lock would be released.
+ *
+ * 0 OK
+ * 1 general discomfort
+ * 10 lock file exists
+ */
+void
+exit_pluto(int status)
+{
+ reset_globals(); /* needed because we may be called in odd state */
+ free_preshared_secrets();
+ free_remembered_public_keys();
+ delete_every_connection();
+ free_crl_fetch(); /* free chain of crl fetch requests */
+ free_ocsp_fetch(); /* free chain of ocsp fetch requests */
+ free_authcerts(); /* free chain of X.509 authority certificates */
+ free_crls(); /* free chain of X.509 CRLs */
+ free_acerts(); /* free chain of X.509 attribute certificates */
+ free_ca_infos(); /* free chain of X.509 CA information records */
+ free_ocsp(); /* free ocsp cache */
+ free_ifaces();
+ scx_finalize(); /* finalize and unload PKCS #11 module */
+ xauth_finalize(); /* finalize and unload XAUTH module */
+ stop_adns();
+ free_md_pool();
+ delete_lock();
+#ifdef LEAK_DETECTIVE
+ report_leaks();
+#endif /* LEAK_DETECTIVE */
+ close_log();
+ exit(status);
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/primegen.c b/src/pluto/primegen.c
new file mode 100644
index 000000000..159490345
--- /dev/null
+++ b/src/pluto/primegen.c
@@ -0,0 +1,593 @@
+/* primegen.c - prime number generator
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ *
+ * ***********************************************************************
+ * The algorithm used to generate practically save primes is due to
+ * Lim and Lee as described in the CRYPTO '97 proceedings (ISBN3540633847)
+ * page 260.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef PLUTO
+#include <gmp.h>
+#include <freeswan.h>
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "rnd.h"
+#include "gcryptfix.h"
+#else /*! PLUTO */
+/* #include <assert.h> */
+/* #include <config.h> */
+/* #include "util.h" */
+/* #include "mpi.h" */
+/* #include "cipher.h" */
+#endif /* !PLUTO */
+
+static int no_of_small_prime_numbers;
+static MPI gen_prime( unsigned nbits, int mode, int randomlevel );
+static int check_prime( MPI prime, MPI val_2 );
+static int is_prime( MPI n, unsigned steps, int *count );
+static void m_out_of_n( char *array, int m, int n );
+
+
+static void
+progress( int c )
+{
+ fputc( c, stderr );
+}
+
+
+/****************
+ * Generate a prime number (stored in secure memory)
+ */
+MPI
+generate_secret_prime( unsigned nbits )
+{
+ MPI prime;
+
+ prime = gen_prime( nbits, 1, 2 );
+ progress('\n');
+ return prime;
+}
+
+MPI
+generate_public_prime( unsigned nbits )
+{
+ MPI prime;
+
+ prime = gen_prime( nbits, 0, 2 );
+ progress('\n');
+ return prime;
+}
+
+
+/****************
+ * We do not need to use the strongest RNG because we gain no extra
+ * security from it - The prime number is public and we could also
+ * offer the factors for those who are willing to check that it is
+ * indeed a strong prime.
+ *
+ * mode 0: Standard
+ * 1: Make sure that at least one factor is of size qbits.
+ */
+MPI
+generate_elg_prime( int mode, unsigned pbits, unsigned qbits,
+ MPI g, MPI **ret_factors )
+{
+ int n; /* number of factors */
+ int m; /* number of primes in pool */
+ unsigned fbits; /* length of prime factors */
+ MPI *factors; /* current factors */
+ MPI *pool; /* pool of primes */
+ MPI q; /* first prime factor (variable)*/
+ MPI prime; /* prime test value */
+ MPI q_factor; /* used for mode 1 */
+ byte *perms = NULL;
+ int i, j;
+ int count1, count2;
+ unsigned nprime;
+ unsigned req_qbits = qbits; /* the requested q bits size */
+ MPI val_2 = mpi_alloc_set_ui( 2 );
+
+ /* find number of needed prime factors */
+ for(n=1; (pbits - qbits - 1) / n >= qbits; n++ )
+ ;
+ n--;
+ if( !n || (mode==1 && n < 2) )
+ log_fatal("can't gen prime with pbits=%u qbits=%u\n", pbits, qbits );
+ if( mode == 1 ) {
+ n--;
+ fbits = (pbits - 2*req_qbits -1) / n;
+ qbits = pbits - req_qbits - n*fbits;
+ }
+ else {
+ fbits = (pbits - req_qbits -1) / n;
+ qbits = pbits - n*fbits;
+ }
+ if( DBG_CIPHER )
+ log_debug("gen prime: pbits=%u qbits=%u fbits=%u/%u n=%d\n",
+ pbits, req_qbits, qbits, fbits, n );
+ prime = mpi_alloc( (pbits + BITS_PER_MPI_LIMB - 1) / BITS_PER_MPI_LIMB );
+ q = gen_prime( qbits, 0, 1 );
+ q_factor = mode==1? gen_prime( req_qbits, 0, 1 ) : NULL;
+
+ /* allocate an array to hold the factors + 2 for later usage */
+#ifdef PLUTO
+ m_alloc_ptrs_clear(factors, n+2);
+#else
+ factors = m_alloc_clear( (n+2) * sizeof *factors );
+#endif
+
+ /* make a pool of 3n+5 primes (this is an arbitrary value) */
+ m = n*3+5;
+ if( mode == 1 )
+ m += 5; /* need some more for DSA */
+ if( m < 25 )
+ m = 25;
+#ifdef PLUTO
+ m_alloc_ptrs_clear(pool, m);
+#else
+ pool = m_alloc_clear( m * sizeof *pool );
+#endif
+
+ /* permutate over the pool of primes */
+ count1=count2=0;
+ do {
+ next_try:
+ if( !perms ) {
+ /* allocate new primes */
+ for(i=0; i < m; i++ ) {
+ mpi_free(pool[i]);
+ pool[i] = NULL;
+ }
+ /* init m_out_of_n() */
+#ifdef PLUTO
+ perms = alloc_bytes( m, "perms" );
+#else
+ perms = m_alloc_clear( m );
+#endif
+ for(i=0; i < n; i++ ) {
+ perms[i] = 1;
+ pool[i] = gen_prime( fbits, 0, 1 );
+ factors[i] = pool[i];
+ }
+ }
+ else {
+ m_out_of_n( perms, n, m );
+ for(i=j=0; i < m && j < n ; i++ )
+ if( perms[i] ) {
+ if( !pool[i] )
+ pool[i] = gen_prime( fbits, 0, 1 );
+ factors[j++] = pool[i];
+ }
+ if( i == n ) {
+ m_free(perms); perms = NULL;
+ progress('!');
+ goto next_try; /* allocate new primes */
+ }
+ }
+
+ mpi_set( prime, q );
+ mpi_mul_ui( prime, prime, 2 );
+ if( mode == 1 )
+ mpi_mul( prime, prime, q_factor );
+ for(i=0; i < n; i++ )
+ mpi_mul( prime, prime, factors[i] );
+ mpi_add_ui( prime, prime, 1 );
+ nprime = mpi_get_nbits(prime);
+ if( nprime < pbits ) {
+ if( ++count1 > 20 ) {
+ count1 = 0;
+ qbits++;
+ progress('>');
+ q = gen_prime( qbits, 0, 1 );
+ goto next_try;
+ }
+ }
+ else
+ count1 = 0;
+ if( nprime > pbits ) {
+ if( ++count2 > 20 ) {
+ count2 = 0;
+ qbits--;
+ progress('<');
+ q = gen_prime( qbits, 0, 1 );
+ goto next_try;
+ }
+ }
+ else
+ count2 = 0;
+ } while( !(nprime == pbits && check_prime( prime, val_2 )) );
+
+ if( DBG_CIPHER ) {
+ progress('\n');
+ log_mpidump( "prime : ", prime );
+ log_mpidump( "factor q: ", q );
+ if( mode == 1 )
+ log_mpidump( "factor q0: ", q_factor );
+ for(i=0; i < n; i++ )
+ log_mpidump( "factor pi: ", factors[i] );
+ log_debug("bit sizes: prime=%u, q=%u", mpi_get_nbits(prime), mpi_get_nbits(q) );
+ if( mode == 1 )
+ fprintf(stderr, ", q0=%u", mpi_get_nbits(q_factor) );
+ for(i=0; i < n; i++ )
+ fprintf(stderr, ", p%d=%u", i, mpi_get_nbits(factors[i]) );
+ progress('\n');
+ }
+
+ if( ret_factors ) { /* caller wants the factors */
+#ifdef PLUTO
+ m_alloc_ptrs_clear(*ret_factors, n+2);
+#else
+ *ret_factors = m_alloc_clear( (n+2) * sizeof **ret_factors);
+#endif
+ if( mode == 1 ) {
+ i = 0;
+ (*ret_factors)[i++] = mpi_copy( q_factor );
+ for(; i <= n; i++ )
+ (*ret_factors)[i] = mpi_copy( factors[i] );
+ }
+ else {
+ for(; i < n; i++ )
+ (*ret_factors)[i] = mpi_copy( factors[i] );
+ }
+ }
+
+ if( g ) { /* create a generator (start with 3)*/
+ MPI tmp = mpi_alloc( mpi_get_nlimbs(prime) );
+ MPI b = mpi_alloc( mpi_get_nlimbs(prime) );
+ MPI pmin1 = mpi_alloc( mpi_get_nlimbs(prime) );
+
+ if( mode == 1 )
+ BUG(); /* not yet implemented */
+ factors[n] = q;
+ factors[n+1] = mpi_alloc_set_ui(2);
+ mpi_sub_ui( pmin1, prime, 1 );
+ mpi_set_ui(g,2);
+ do {
+ mpi_add_ui(g, g, 1);
+ if( DBG_CIPHER ) {
+#ifdef PLUTO
+ log_mpidump("checking g: ", g);
+#else
+ log_debug("checking g: ");
+ mpi_print( stderr, g, 1 );
+#endif
+ }
+ else
+ progress('^');
+ for(i=0; i < n+2; i++ ) {
+ /*fputc('~', stderr);*/
+ mpi_fdiv_q(tmp, pmin1, factors[i] );
+ /* (no mpi_pow(), but it is okay to use this with mod prime) */
+ mpi_powm(b, g, tmp, prime );
+ if( !mpi_cmp_ui(b, 1) )
+ break;
+ }
+ if( DBG_CIPHER )
+ progress('\n');
+ } while( i < n+2 );
+ mpi_free(factors[n+1]);
+ mpi_free(tmp);
+ mpi_free(b);
+ mpi_free(pmin1);
+ }
+ if( !DBG_CIPHER )
+ progress('\n');
+
+ m_free( factors ); /* (factors are shallow copies) */
+ for(i=0; i < m; i++ )
+ mpi_free( pool[i] );
+ m_free( pool );
+ m_free(perms);
+ mpi_free(val_2);
+ return prime;
+}
+
+
+
+static MPI
+gen_prime( unsigned nbits, int secret, int randomlevel )
+{
+ unsigned nlimbs;
+ MPI prime, ptest, pminus1, val_2, val_3, result;
+ int i;
+ unsigned x, step;
+ unsigned count1, count2;
+ int *mods;
+
+ if( 0 && DBG_CIPHER )
+ log_debug("generate a prime of %u bits ", nbits );
+
+ if( !no_of_small_prime_numbers ) {
+ for(i=0; small_prime_numbers[i]; i++ )
+ no_of_small_prime_numbers++;
+ }
+ mods = m_alloc( no_of_small_prime_numbers * sizeof *mods );
+ /* make nbits fit into MPI implementation */
+ nlimbs = (nbits + BITS_PER_MPI_LIMB - 1) / BITS_PER_MPI_LIMB;
+ val_2 = mpi_alloc_set_ui( 2 );
+ val_3 = mpi_alloc_set_ui( 3);
+ prime = secret? mpi_alloc_secure( nlimbs ): mpi_alloc( nlimbs );
+ result = mpi_alloc_like( prime );
+ pminus1= mpi_alloc_like( prime );
+ ptest = mpi_alloc_like( prime );
+ count1 = count2 = 0;
+ for(;;) { /* try forvever */
+ int dotcount=0;
+
+ /* generate a random number */
+ { char *p = get_random_bits( nbits, randomlevel, secret );
+ mpi_set_buffer( prime, p, (nbits+7)/8, 0 );
+ m_free(p);
+ }
+
+ /* set high order bit to 1, set low order bit to 1 */
+ mpi_set_highbit( prime, nbits-1 );
+ mpi_set_bit( prime, 0 );
+
+ /* calculate all remainders */
+ for(i=0; (x = small_prime_numbers[i]); i++ )
+ mods[i] = mpi_fdiv_r_ui(NULL, prime, x);
+
+ /* now try some primes starting with prime */
+ for(step=0; step < 20000; step += 2 ) {
+ /* check against all the small primes we have in mods */
+ count1++;
+ for(i=0; (x = small_prime_numbers[i]); i++ ) {
+ while( mods[i] + step >= x )
+ mods[i] -= x;
+ if( !(mods[i] + step) )
+ break;
+ }
+ if( x )
+ continue; /* found a multiple of an already known prime */
+
+ mpi_add_ui( ptest, prime, step );
+
+ /* do a faster Fermat test */
+ count2++;
+ mpi_sub_ui( pminus1, ptest, 1);
+ mpi_powm( result, val_2, pminus1, ptest );
+ if( !mpi_cmp_ui( result, 1 ) ) { /* not composite */
+ /* perform stronger tests */
+ if( is_prime(ptest, 5, &count2 ) ) {
+ if( !mpi_test_bit( ptest, nbits-1 ) ) {
+ progress('\n');
+ log_debug("overflow in prime generation\n");
+ break; /* step loop, continue with a new prime */
+ }
+
+ mpi_free(val_2);
+ mpi_free(val_3);
+ mpi_free(result);
+ mpi_free(pminus1);
+ mpi_free(prime);
+ m_free(mods);
+ return ptest;
+ }
+ }
+ if( ++dotcount == 10 ) {
+ progress('.');
+ dotcount = 0;
+ }
+ }
+ progress(':'); /* restart with a new random value */
+ }
+}
+
+/****************
+ * Returns: true if this may be a prime
+ */
+static int
+check_prime( MPI prime, MPI val_2 )
+{
+ int i;
+ unsigned x;
+ int count=0;
+
+ /* check against small primes */
+ for(i=0; (x = small_prime_numbers[i]); i++ ) {
+ if( mpi_divisible_ui( prime, x ) )
+ return 0;
+ }
+
+ /* a quick fermat test */
+ {
+ MPI result = mpi_alloc_like( prime );
+ MPI pminus1 = mpi_alloc_like( prime );
+ mpi_sub_ui( pminus1, prime, 1);
+ mpi_powm( result, val_2, pminus1, prime );
+ mpi_free( pminus1 );
+ if( mpi_cmp_ui( result, 1 ) ) { /* if composite */
+ mpi_free( result );
+ progress('.');
+ return 0;
+ }
+ mpi_free( result );
+ }
+
+ /* perform stronger tests */
+ if( is_prime(prime, 5, &count ) )
+ return 1; /* is probably a prime */
+ progress('.');
+ return 0;
+}
+
+
+/****************
+ * Return true if n is probably a prime
+ */
+static int
+is_prime( MPI n, unsigned steps, int *count )
+{
+ MPI x = mpi_alloc( mpi_get_nlimbs( n ) );
+ MPI y = mpi_alloc( mpi_get_nlimbs( n ) );
+ MPI z = mpi_alloc( mpi_get_nlimbs( n ) );
+ MPI nminus1 = mpi_alloc( mpi_get_nlimbs( n ) );
+ MPI a2 = mpi_alloc_set_ui( 2 );
+ MPI q;
+ unsigned i, j, k;
+ int rc = 0;
+ unsigned nbits = mpi_get_nbits( n );
+
+ mpi_sub_ui( nminus1, n, 1 );
+
+ /* find q and k, so that n = 1 + 2^k * q */
+ q = mpi_copy( nminus1 );
+ k = mpi_trailing_zeros( q );
+ mpi_tdiv_q_2exp(q, q, k);
+
+ for(i=0 ; i < steps; i++ ) {
+ ++*count;
+ if( !i ) {
+ mpi_set_ui( x, 2 );
+ }
+ else {
+ /*mpi_set_bytes( x, nbits-1, get_random_byte, 0 );*/
+ { char *p = get_random_bits( nbits, 0, 0 );
+ mpi_set_buffer( x, p, (nbits+7)/8, 0 );
+ m_free(p);
+ }
+ /* make sure that the number is smaller than the prime
+ * and keep the randomness of the high bit */
+ if( mpi_test_bit( x, nbits-2 ) ) {
+ mpi_set_highbit( x, nbits-2 ); /* clear all higher bits */
+ }
+ else {
+ mpi_set_highbit( x, nbits-2 );
+ mpi_clear_bit( x, nbits-2 );
+ }
+ assert( mpi_cmp( x, nminus1 ) < 0 && mpi_cmp_ui( x, 1 ) > 0 );
+ }
+ mpi_powm( y, x, q, n);
+ if( mpi_cmp_ui(y, 1) && mpi_cmp( y, nminus1 ) ) {
+ for( j=1; j < k && mpi_cmp( y, nminus1 ); j++ ) {
+ mpi_powm(y, y, a2, n);
+ if( !mpi_cmp_ui( y, 1 ) )
+ goto leave; /* not a prime */
+ }
+ if( mpi_cmp( y, nminus1 ) )
+ goto leave; /* not a prime */
+ }
+ progress('+');
+ }
+ rc = 1; /* may be a prime */
+
+ leave:
+ mpi_free( x );
+ mpi_free( y );
+ mpi_free( z );
+ mpi_free( nminus1 );
+ mpi_free( q );
+
+ return rc;
+}
+
+
+static void
+m_out_of_n( char *array, int m, int n )
+{
+ int i=0, i1=0, j=0, jp=0, j1=0, k1=0, k2=0;
+
+ if( !m || m >= n )
+ return;
+
+ if( m == 1 ) { /* special case */
+ for(i=0; i < n; i++ )
+ if( array[i] ) {
+ array[i++] = 0;
+ if( i >= n )
+ i = 0;
+ array[i] = 1;
+ return;
+ }
+ BUG();
+ }
+
+ for(j=1; j < n; j++ ) {
+ if( array[n-1] == array[n-j-1] )
+ continue;
+ j1 = j;
+ break;
+ }
+
+ if( m & 1 ) { /* m is odd */
+ if( array[n-1] ) {
+ if( j1 & 1 ) {
+ k1 = n - j1;
+ k2 = k1+2;
+ if( k2 > n )
+ k2 = n;
+ goto leave;
+ }
+ goto scan;
+ }
+ k2 = n - j1 - 1;
+ if( k2 == 0 ) {
+ k1 = i;
+ k2 = n - j1;
+ }
+ else if( array[k2] && array[k2-1] )
+ k1 = n;
+ else
+ k1 = k2 + 1;
+ }
+ else { /* m is even */
+ if( !array[n-1] ) {
+ k1 = n - j1;
+ k2 = k1 + 1;
+ goto leave;
+ }
+
+ if( !(j1 & 1) ) {
+ k1 = n - j1;
+ k2 = k1+2;
+ if( k2 > n )
+ k2 = n;
+ goto leave;
+ }
+ scan:
+ jp = n - j1 - 1;
+ for(i=1; i <= jp; i++ ) {
+ i1 = jp + 2 - i;
+ if( array[i1-1] ) {
+ if( array[i1-2] ) {
+ k1 = i1 - 1;
+ k2 = n - j1;
+ }
+ else {
+ k1 = i1 - 1;
+ k2 = n + 1 - j1;
+ }
+ goto leave;
+ }
+ }
+ k1 = 1;
+ k2 = n + 1 - m;
+ }
+ leave:
+ array[k1-1] = !array[k1-1];
+ array[k2-1] = !array[k2-1];
+}
+
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
new file mode 100644
index 000000000..6a39e7c1f
--- /dev/null
+++ b/src/pluto/rcv_whack.c
@@ -0,0 +1,685 @@
+/* whack communicating routines
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: rcv_whack.c,v 1.18 2006/05/25 11:33:57 as Exp $
+ */
+
+#include <stdio.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+#include <fcntl.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "id.h"
+#include "ca.h"
+#include "certs.h"
+#include "ac.h"
+#include "smartcard.h"
+#include "connections.h"
+#include "foodgroups.h"
+#include "whack.h" /* needs connections.h */
+#include "packet.h"
+#include "demux.h" /* needs packet.h */
+#include "state.h"
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "kernel.h"
+#include "rcv_whack.h"
+#include "log.h"
+#include "keys.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "server.h"
+#include "fetch.h"
+#include "ocsp.h"
+#include "crl.h"
+
+#include "kernel_alg.h"
+#include "ike_alg.h"
+/* helper variables and function to decode strings from whack message */
+
+static char *next_str
+ , *str_roof;
+
+static bool
+unpack_str(char **p)
+{
+ char *end = memchr(next_str, '\0', str_roof - next_str);
+
+ if (end == NULL)
+ {
+ return FALSE; /* fishy: no end found */
+ }
+ else
+ {
+ *p = next_str == end? NULL : next_str;
+ next_str = end + 1;
+ return TRUE;
+ }
+}
+
+/* bits loading keys from asynchronous DNS */
+
+enum key_add_attempt {
+ ka_TXT,
+#ifdef USE_KEYRR
+ ka_KEY,
+#endif
+ ka_roof /* largest value + 1 */
+};
+
+struct key_add_common {
+ int refCount;
+ char *diag[ka_roof];
+ int whack_fd;
+ bool success;
+};
+
+struct key_add_continuation {
+ struct adns_continuation ac; /* common prefix */
+ struct key_add_common *common; /* common data */
+ enum key_add_attempt lookingfor;
+};
+
+static void
+key_add_ugh(const struct id *keyid, err_t ugh)
+{
+ char name[BUF_LEN]; /* longer IDs will be truncated in message */
+
+ (void)idtoa(keyid, name, sizeof(name));
+ loglog(RC_NOKEY
+ , "failure to fetch key for %s from DNS: %s", name, ugh);
+}
+
+/* last one out: turn out the lights */
+static void
+key_add_merge(struct key_add_common *oc, const struct id *keyid)
+{
+ if (oc->refCount == 0)
+ {
+ enum key_add_attempt kaa;
+
+ /* if no success, print all diagnostics */
+ if (!oc->success)
+ for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+ key_add_ugh(keyid, oc->diag[kaa]);
+
+ for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+ pfreeany(oc->diag[kaa]);
+
+ close(oc->whack_fd);
+ pfree(oc);
+ }
+}
+
+static void
+key_add_continue(struct adns_continuation *ac, err_t ugh)
+{
+ struct key_add_continuation *kc = (void *) ac;
+ struct key_add_common *oc = kc->common;
+
+ passert(whack_log_fd == NULL_FD);
+ whack_log_fd = oc->whack_fd;
+
+ if (ugh != NULL)
+ {
+ oc->diag[kc->lookingfor] = clone_str(ugh, "key add error");
+ }
+ else
+ {
+ oc->success = TRUE;
+ transfer_to_public_keys(kc->ac.gateways_from_dns
+#ifdef USE_KEYRR
+ , &kc->ac.keys_from_dns
+#endif /* USE_KEYRR */
+ );
+ }
+
+ oc->refCount--;
+ key_add_merge(oc, &ac->id);
+ whack_log_fd = NULL_FD;
+}
+
+static void
+key_add_request(const whack_message_t *msg)
+{
+ struct id keyid;
+ err_t ugh = atoid(msg->keyid, &keyid, FALSE);
+
+ if (ugh != NULL)
+ {
+ loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
+ }
+ else
+ {
+ if (!msg->whack_addkey)
+ delete_public_keys(&keyid, msg->pubkey_alg
+ , empty_chunk, empty_chunk);
+
+ if (msg->keyval.len == 0)
+ {
+ struct key_add_common *oc
+ = alloc_thing(struct key_add_common
+ , "key add common things");
+ enum key_add_attempt kaa;
+
+ /* initialize state shared by queries */
+ oc->refCount = 0;
+ oc->whack_fd = dup_any(whack_log_fd);
+ oc->success = FALSE;
+
+ for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+ {
+ struct key_add_continuation *kc
+ = alloc_thing(struct key_add_continuation
+ , "key add continuation");
+
+ oc->diag[kaa] = NULL;
+ oc->refCount++;
+ kc->common = oc;
+ kc->lookingfor = kaa;
+ switch (kaa)
+ {
+ case ka_TXT:
+ ugh = start_adns_query(&keyid
+ , &keyid /* same */
+ , T_TXT
+ , key_add_continue
+ , &kc->ac);
+ break;
+#ifdef USE_KEYRR
+ case ka_KEY:
+ ugh = start_adns_query(&keyid
+ , NULL
+ , T_KEY
+ , key_add_continue
+ , &kc->ac);
+ break;
+#endif /* USE_KEYRR */
+ default:
+ bad_case(kaa); /* suppress gcc warning */
+ }
+ if (ugh != NULL)
+ {
+ oc->diag[kaa] = clone_str(ugh, "early key add failure");
+ oc->refCount--;
+ }
+ }
+
+ /* Done launching queries.
+ * Handle total failure case.
+ */
+ key_add_merge(oc, &keyid);
+ }
+ else
+ {
+ ugh = add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg
+ , &msg->keyval, &pubkeys);
+ if (ugh != NULL)
+ loglog(RC_LOG_SERIOUS, "%s", ugh);
+ }
+ }
+}
+
+/* Handle a kernel request. Supposedly, there's a message in
+ * the kernelsock socket.
+ */
+void
+whack_handle(int whackctlfd)
+{
+ whack_message_t msg;
+ struct sockaddr_un whackaddr;
+ int whackaddrlen = sizeof(whackaddr);
+ int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
+ /* Note: actual value in n should fit in int. To print, cast to int. */
+ ssize_t n;
+
+ if (whackfd < 0)
+ {
+ log_errno((e, "accept() failed in whack_handle()"));
+ return;
+ }
+ if (fcntl(whackfd, F_SETFD, FD_CLOEXEC) < 0)
+ {
+ log_errno((e, "failed to set CLOEXEC in whack_handle()"));
+ close(whackfd);
+ return;
+ }
+
+ n = read(whackfd, &msg, sizeof(msg));
+
+ if (n == -1)
+ {
+ log_errno((e, "read() failed in whack_handle()"));
+ close(whackfd);
+ return;
+ }
+
+ whack_log_fd = whackfd;
+
+ /* sanity check message */
+ {
+ err_t ugh = NULL;
+
+ next_str = msg.string;
+ str_roof = (char *)&msg + n;
+
+ if ((size_t)n < offsetof(whack_message_t, whack_shutdown) + sizeof(msg.whack_shutdown))
+ {
+ ugh = builddiag("ignoring runt message from whack: got %d bytes", (int)n);
+ }
+ else if (msg.magic != WHACK_MAGIC)
+ {
+ if (msg.magic == WHACK_BASIC_MAGIC)
+ {
+ /* Only shutdown command. Simpler inter-version compatability. */
+ if (msg.whack_shutdown)
+ {
+ plog("shutting down");
+ exit_pluto(0); /* delete lock and leave, with 0 status */
+ }
+ ugh = ""; /* bail early, but without complaint */
+ }
+ else
+ {
+ ugh = builddiag("ignoring message from whack with bad magic %d; should be %d; probably wrong version"
+ , msg.magic, WHACK_MAGIC);
+ }
+ }
+ else if (next_str > str_roof)
+ {
+ ugh = builddiag("ignoring truncated message from whack: got %d bytes; expected %u"
+ , (int) n, (unsigned) sizeof(msg));
+ }
+ else if (!unpack_str(&msg.name) /* string 1 */
+ || !unpack_str(&msg.left.id) /* string 2 */
+ || !unpack_str(&msg.left.cert) /* string 3 */
+ || !unpack_str(&msg.left.ca) /* string 4 */
+ || !unpack_str(&msg.left.groups) /* string 5 */
+ || !unpack_str(&msg.left.updown) /* string 6 */
+ || !unpack_str(&msg.left.virt) /* string 7 */
+ || !unpack_str(&msg.right.id) /* string 8 */
+ || !unpack_str(&msg.right.cert) /* string 9 */
+ || !unpack_str(&msg.right.ca) /* string 10 */
+ || !unpack_str(&msg.right.groups) /* string 11 */
+ || !unpack_str(&msg.right.updown) /* string 12 */
+ || !unpack_str(&msg.right.virt) /* string 13 */
+ || !unpack_str(&msg.keyid) /* string 14 */
+ || !unpack_str(&msg.myid) /* string 15 */
+ || !unpack_str(&msg.cacert) /* string 16 */
+ || !unpack_str(&msg.ldaphost) /* string 17 */
+ || !unpack_str(&msg.ldapbase) /* string 18 */
+ || !unpack_str(&msg.crluri) /* string 19 */
+ || !unpack_str(&msg.crluri2) /* string 20 */
+ || !unpack_str(&msg.ocspuri) /* string 21 */
+ || !unpack_str(&msg.ike) /* string 22 */
+ || !unpack_str(&msg.esp) /* string 23 */
+ || !unpack_str(&msg.sc_data) /* string 24 */
+ || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
+ {
+ ugh = "message from whack contains bad string";
+ }
+ else
+ {
+ msg.keyval.ptr = next_str; /* grab chunk */
+ }
+
+ if (ugh != NULL)
+ {
+ if (*ugh != '\0')
+ loglog(RC_BADWHACKMESSAGE, "%s", ugh);
+ whack_log_fd = NULL_FD;
+ close(whackfd);
+ return;
+ }
+ }
+
+ if (msg.whack_options)
+ {
+#ifdef DEBUG
+ if (msg.name == NULL)
+ {
+ /* we do a two-step so that if either old or new would
+ * cause the message to print, it will be printed.
+ */
+ cur_debugging |= msg.debugging;
+ DBG(DBG_CONTROL
+ , DBG_log("base debugging = %s"
+ , bitnamesof(debug_bit_names, msg.debugging)));
+ cur_debugging = base_debugging = msg.debugging;
+ }
+ else if (!msg.whack_connection)
+ {
+ struct connection *c = con_by_name(msg.name, TRUE);
+
+ if (c != NULL)
+ {
+ c->extra_debugging = msg.debugging;
+ DBG(DBG_CONTROL
+ , DBG_log("\"%s\" extra_debugging = %s"
+ , c->name
+ , bitnamesof(debug_bit_names, c->extra_debugging)));
+ }
+ }
+#endif
+ }
+
+ if (msg.whack_myid)
+ set_myid(MYID_SPECIFIED, msg.myid);
+
+ /* Deleting combined with adding a connection works as replace.
+ * To make this more useful, in only this combination,
+ * delete will silently ignore the lack of the connection.
+ */
+ if (msg.whack_delete)
+ {
+ if (msg.whack_ca)
+ find_ca_info_by_name(msg.name, TRUE);
+ else
+ delete_connections_by_name(msg.name, !msg.whack_connection);
+ }
+
+ if (msg.whack_deletestate)
+ {
+ struct state *st = state_with_serialno(msg.whack_deletestateno);
+
+ if (st == NULL)
+ {
+ loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
+ , msg.whack_deletestateno);
+ }
+ else
+ {
+ delete_state(st);
+ }
+ }
+
+ if (msg.whack_crash)
+ delete_states_by_peer(&msg.whack_crash_peer);
+
+ if (msg.whack_connection)
+ add_connection(&msg);
+
+ if (msg.whack_ca && msg.cacert != NULL)
+ add_ca_info(&msg);
+
+ /* process "listen" before any operation that could require it */
+ if (msg.whack_listen)
+ {
+ close_peerlog(); /* close any open per-peer logs */
+ plog("listening for IKE messages");
+ listening = TRUE;
+ daily_log_reset();
+ reset_adns_restart_count();
+ set_myFQDN();
+ find_ifaces();
+ load_preshared_secrets(NULL_FD);
+ load_groups();
+ }
+ if (msg.whack_unlisten)
+ {
+ plog("no longer listening for IKE messages");
+ listening = FALSE;
+ }
+
+ if (msg.whack_reread & REREAD_SECRETS)
+ {
+ load_preshared_secrets(whackfd);
+ }
+
+ if (msg.whack_reread & REREAD_CACERTS)
+ {
+ load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+ }
+
+ if (msg.whack_reread & REREAD_AACERTS)
+ {
+ load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+ }
+
+ if (msg.whack_reread & REREAD_OCSPCERTS)
+ {
+ load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+ }
+
+ if (msg.whack_reread & REREAD_ACERTS)
+ {
+ load_acerts();
+ }
+
+ if (msg.whack_reread & REREAD_CRLS)
+ {
+ load_crls();
+ }
+
+ if (msg.whack_purgeocsp)
+ {
+ free_ocsp_fetch();
+ free_ocsp_cache();
+ }
+
+ if (msg.whack_list & LIST_ALGS)
+ {
+ ike_alg_list();
+ kernel_alg_list();
+ }
+ if (msg.whack_list & LIST_PUBKEYS)
+ {
+ list_public_keys(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_CERTS)
+ {
+ list_certs(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_CACERTS)
+ {
+ list_authcerts("CA", AUTH_CA, msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_AACERTS)
+ {
+ list_authcerts("AA", AUTH_AA, msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_OCSPCERTS)
+ {
+ list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_ACERTS)
+ {
+ list_acerts(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_GROUPS)
+ {
+ list_groups(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_CAINFOS)
+ {
+ list_ca_infos(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_CRLS)
+ {
+ list_crls(msg.whack_utc, strict_crl_policy);
+ list_crl_fetch_requests(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_OCSP)
+ {
+ list_ocsp_cache(msg.whack_utc, strict_crl_policy);
+ list_ocsp_fetch_requests(msg.whack_utc);
+ }
+
+ if (msg.whack_list & LIST_CARDS)
+ {
+ scx_list(msg.whack_utc);
+ }
+
+ if (msg.whack_key)
+ {
+ /* add a public key */
+ key_add_request(&msg);
+ }
+
+ if (msg.whack_route)
+ {
+ if (!listening)
+ {
+ whack_log(RC_DEAF, "need --listen before --route");
+ }
+ if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --route requires a connection name");
+ }
+ else
+ {
+ struct connection *c = con_by_name(msg.name, TRUE);
+
+ if (c != NULL && c->ikev1)
+ {
+ set_cur_connection(c);
+ if (!oriented(*c))
+ whack_log(RC_ORIENT
+ , "we have no ipsecN interface for either end of this connection");
+ else if (c->policy & POLICY_GROUP)
+ route_group(c);
+ else if (!trap_connection(c))
+ whack_log(RC_ROUTE, "could not route");
+ reset_cur_connection();
+ }
+ }
+ }
+
+ if (msg.whack_unroute)
+ {
+ if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --unroute requires a connection name");
+ }
+ else
+ {
+ struct connection *c = con_by_name(msg.name, TRUE);
+
+ if (c != NULL && c->ikev1)
+ {
+ struct spd_route *sr;
+ int fail = 0;
+
+ set_cur_connection(c);
+
+ for (sr = &c->spd; sr != NULL; sr = sr->next)
+ {
+ if (sr->routing >= RT_ROUTED_TUNNEL)
+ fail++;
+ }
+ if (fail > 0)
+ whack_log(RC_RTBUSY, "cannot unroute: route busy");
+ else if (c->policy & POLICY_GROUP)
+ unroute_group(c);
+ else
+ unroute_connection(c);
+ reset_cur_connection();
+ }
+ }
+ }
+
+ if (msg.whack_initiate)
+ {
+ if (!listening)
+ {
+ whack_log(RC_DEAF, "need --listen before --initiate");
+ }
+ else if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --initiate requires a connection name");
+ }
+ else
+ {
+ initiate_connection(msg.name
+ , msg.whack_async? NULL_FD : dup_any(whackfd));
+ }
+ }
+
+ if (msg.whack_oppo_initiate)
+ {
+ if (!listening)
+ whack_log(RC_DEAF, "need --listen before opportunistic initiation");
+ else
+ initiate_opportunistic(&msg.oppo_my_client, &msg.oppo_peer_client, 0
+ , FALSE
+ , msg.whack_async? NULL_FD : dup_any(whackfd));
+ }
+
+ if (msg.whack_terminate)
+ {
+ if (msg.name == NULL)
+ {
+ whack_log(RC_UNKNOWN_NAME
+ , "whack --terminate requires a connection name");
+ }
+ else
+ {
+ terminate_connection(msg.name);
+ }
+ }
+
+ if (msg.whack_status)
+ show_status(msg.whack_statusall, msg.name);
+
+ if (msg.whack_shutdown)
+ {
+ plog("shutting down");
+ exit_pluto(0); /* delete lock and leave, with 0 status */
+ }
+
+ if (msg.whack_sc_op != SC_OP_NONE)
+ {
+ if (pkcs11_proxy)
+ scx_op_via_whack(msg.sc_data, msg.inbase, msg.outbase
+ , msg.whack_sc_op, msg.keyid, whackfd);
+ else
+ plog("pkcs11 access to smartcard not allowed (set pkcs11proxy=yes)");
+ }
+
+ whack_log_fd = NULL_FD;
+ close(whackfd);
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * c-style: pluto
+ * End:
+ */
diff --git a/src/pluto/rcv_whack.h b/src/pluto/rcv_whack.h
new file mode 100644
index 000000000..f42761c51
--- /dev/null
+++ b/src/pluto/rcv_whack.h
@@ -0,0 +1,17 @@
+/* whack communicating routines
+ * Copyright (C) 1998, 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: rcv_whack.h,v 1.1 2004/03/15 20:35:29 as Exp $
+ */
+
+extern void whack_handle(int kernelfd);
diff --git a/src/pluto/rnd.c b/src/pluto/rnd.c
new file mode 100644
index 000000000..812882c6b
--- /dev/null
+++ b/src/pluto/rnd.c
@@ -0,0 +1,250 @@
+/* randomness machinery
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: rnd.c,v 1.3 2005/09/08 16:26:30 as Exp $
+ */
+
+/* A true random number generator (we hope)
+ *
+ * Under LINUX ("linux" predefined), use /dev/urandom.
+ * Under OpenBSD ("__OpenBSD__" predefined), use arc4random().
+ * Otherwise use our own random number generator based on clock skew.
+ * I (ADK) first heard of the idea from John Ioannidis, who heard it
+ * from Matt Blaze and/or Jack Lacy.
+ * ??? Why is mixing need for linux but not OpenBSD?
+ */
+
+/* Pluto's uses of randomness:
+ *
+ * - Setting up the "secret_of_the_day". This changes every hour! 20
+ * bytes a shot. It is used in building responder cookies.
+ *
+ * - generating initiator cookies (8 bytes, once per Phase 1 initiation).
+ *
+ * - 32 bytes per DH local secret. Once per Main Mode exchange and once
+ * per Quick Mode Exchange with PFS. (Size is our choice, with
+ * tradeoffs.)
+ *
+ * - 16 bytes per nonce we generate. Once per Main Mode exchange and
+ * once per Quick Mode exchange. (Again, we choose the size.)
+ *
+ * - 4 bytes per SPI number that we generate. We choose the SPIs for all
+ * inbound SPIs, one to three per IPSEC SA (one for AH (rare, probably)
+ * one for ESP (almost always), and one for tunnel (very common)).
+ * I don't actually know how the kernel would generate these numbers --
+ * currently Pluto generates them; this isn't the way things will be
+ * done in the future.
+ *
+ * - 4 bytes per Message ID we need to generate. One per Quick Mode
+ * exchange. Eventually, one per informational exchange.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+#include <fcntl.h>
+
+#include <freeswan.h>
+
+#include "sha1.h"
+#include "constants.h"
+#include "defs.h"
+#include "rnd.h"
+#include "log.h"
+#include "timer.h"
+
+#ifdef linux
+# define USE_DEV_RANDOM 1
+# define RANDOM_PATH DEV_URANDOM
+#else
+# ifdef __OpenBSD__
+# define USE_ARC4RANDOM
+# else
+# define USE_CLOCK_SLEW
+# endif
+#endif
+
+#ifdef USE_ARC4RANDOM
+
+#define get_rnd_byte() (arc4random() % 256)
+
+#else /**** start of large #else ****/
+
+#ifdef USE_DEV_RANDOM
+static int random_fd = NULL_FD;
+#endif
+
+#define RANDOM_POOL_SIZE SHA1_DIGEST_SIZE
+static u_char random_pool[RANDOM_POOL_SIZE];
+
+#ifdef USE_DEV_RANDOM
+
+/* Generate (what we hope is) a true random byte using /dev/urandom */
+static u_char
+generate_rnd_byte(void)
+{
+ u_char c;
+
+ if (read(random_fd, &c, sizeof(c)) == -1)
+ exit_log_errno((e, "read() failed in get_rnd_byte()"));
+
+ return c;
+}
+
+#else /* !USE_DEV_RANDOM */
+
+/* Generate (what we hope is) a true random byte using the clock skew trick.
+ * Note: this code is not maintained! In particular, LINUX signal(2)
+ * semantics changed with glibc2 (and not for the better). It isn't clear
+ * that this code will work. We keep the code because someday it might
+ * come in handy.
+ */
+# error "This code is not maintained. Please define USE_DEV_RANDOM."
+
+static volatile sig_atomic_t i, j, k;
+
+/* timer signal handler */
+static void
+rnd_handler(int ignore_me UNUSED)
+{
+ k <<= 1; /* Shift left by 1 */
+ j++;
+ k |= (i & 0x1); /* Get lsbit of counter */
+
+ if (j != 8)
+ signal(SIGVTALRM, rnd_handler);
+}
+
+static u_char
+generate_rnd_byte(void)
+{
+ struct itimerval tmval, ntmval;
+
+# ifdef NEVER /* ??? */
+# ifdef linux
+ int mask = siggetmask();
+
+ mask |= SIGVTALRM;
+ sigsetmask(mask);
+# endif
+# endif
+
+ i = 0;
+ j = 0;
+
+ ntmval.it_interval.tv_sec = 0;
+ ntmval.it_interval.tv_usec = 1;
+ ntmval.it_value.tv_sec = 0;
+ ntmval.it_value.tv_usec = 1;
+ signal(SIGVTALRM, rnd_handler);
+ setitimer(ITIMER_VIRTUAL, &ntmval, &tmval);
+
+ while (j != 8)
+ i++;
+
+ setitimer(ITIMER_VIRTUAL, &tmval, &ntmval);
+ signal(SIGVTALRM, SIG_IGN);
+
+# ifdef NEVER /* ??? */
+# ifdef linux
+ mask ^= SIGVTALRM;
+ sigsetmask(mask);
+# endif
+# endif
+
+ return k;
+}
+
+#endif /* !USE_DEV_RANDOM */
+
+static void
+mix_pool(void)
+{
+ SHA1_CTX ctx;
+
+ SHA1Init(&ctx);
+ SHA1Update(&ctx, random_pool, RANDOM_POOL_SIZE);
+ SHA1Final(random_pool, &ctx);
+}
+
+/*
+ * Get a single random byte.
+ */
+static u_char
+get_rnd_byte(void)
+{
+ random_pool[RANDOM_POOL_SIZE - 1] = generate_rnd_byte();
+ random_pool[0] = generate_rnd_byte();
+ mix_pool();
+ return random_pool[0];
+}
+
+#endif /* !USE_ARC4RANDOM */ /**** end of large #else ****/
+
+void
+get_rnd_bytes(u_char *buffer, int length)
+{
+ int i;
+
+ for (i = 0; i < length; i++)
+ buffer[i] = get_rnd_byte();
+}
+
+/*
+ * Initialize the random pool.
+ */
+void
+init_rnd_pool(void)
+{
+#ifndef USE_ARC4RANDOM
+# ifdef USE_DEV_RANDOM
+ DBG(DBG_KLIPS, DBG_log("opening %s", RANDOM_PATH));
+ random_fd = open(RANDOM_PATH, O_RDONLY);
+ if (random_fd == -1)
+ exit_log_errno((e, "open of %s failed in init_rnd_pool()", RANDOM_PATH));
+ fcntl(random_fd, F_SETFD, FD_CLOEXEC);
+# endif
+
+ get_rnd_bytes(random_pool, RANDOM_POOL_SIZE);
+ mix_pool();
+#endif /* !USE_ARC4RANDOM */
+
+ /* start of rand(3) on the right foot */
+ {
+ unsigned int seed;
+
+ get_rnd_bytes((void *)&seed, sizeof(seed));
+ srand(seed);
+ }
+}
+
+u_char secret_of_the_day[SHA1_DIGEST_SIZE];
+
+#ifndef NO_PLUTO
+
+void
+init_secret(void)
+{
+ /*
+ * Generate the secret value for responder cookies, and
+ * schedule an event for refresh.
+ */
+ get_rnd_bytes(secret_of_the_day, sizeof(secret_of_the_day));
+ event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
+}
+
+#endif /* NO_PLUTO */
diff --git a/src/pluto/rnd.h b/src/pluto/rnd.h
new file mode 100644
index 000000000..0bd168039
--- /dev/null
+++ b/src/pluto/rnd.h
@@ -0,0 +1,21 @@
+/* randomness machinery
+ * Copyright (C) 1998, 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: rnd.h,v 1.1 2004/03/15 20:35:29 as Exp $
+ */
+
+extern u_char secret_of_the_day[SHA1_DIGEST_SIZE];
+
+extern void get_rnd_bytes(u_char *buffer, int length);
+extern void init_rnd_pool(void);
+extern void init_secret(void);
diff --git a/src/pluto/rsaref/pkcs11.h b/src/pluto/rsaref/pkcs11.h
new file mode 100644
index 000000000..9261e1e4c
--- /dev/null
+++ b/src/pluto/rsaref/pkcs11.h
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined. These
+ * macros are described below, and typical definitions for them
+ * are also given. Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set. The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this. You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object. It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name. It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * )
+ * {
+ * ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name. It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name. It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV. It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y) x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points. That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points. A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library. This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+ CK_VERSION version; /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/pluto/rsaref/pkcs11f.h b/src/pluto/rsaref/pkcs11f.h
new file mode 100644
index 000000000..dec6315dd
--- /dev/null
+++ b/src/pluto/rsaref/pkcs11f.h
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes. Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
+ * cast to CK_C_INITIALIZE_ARGS_PTR
+ * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_INFO_PTR pInfo /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
+ * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_BBOOL tokenPresent, /* only slots with tokens? */
+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
+ CK_ULONG_PTR pulCount /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the ID of the slot */
+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of token's slot */
+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
+ CK_ULONG_PTR pulCount /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_MECHANISM_TYPE type, /* type of mechanism */
+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
+ CK_ULONG ulPinLen, /* length in bytes of the PIN */
+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
+ CK_ULONG ulPinLen /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
+ CK_ULONG ulOldLen, /* length of the old PIN */
+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
+ CK_ULONG ulNewLen /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the slot's ID */
+ CK_FLAGS flags, /* from CK_SESSION_INFO */
+ CK_VOID_PTR pApplication, /* passed to callback */
+ CK_NOTIFY Notify, /* callback function */
+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_SESSION_INFO_PTR pInfo /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* gets state */
+ CK_ULONG_PTR pulOperationStateLen /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* holds state */
+ CK_ULONG ulOperationStateLen, /* holds state length */
+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_USER_TYPE userType, /* the user type */
+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
+ CK_ULONG ulPinLen /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ULONG_PTR pulSize /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
+ CK_ULONG ulCount /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
+ CK_ULONG ulMaxObjectCount, /* max handles to get */
+ CK_ULONG_PTR pulObjectCount /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pData, /* the plaintext data */
+ CK_ULONG ulDataLen, /* bytes of plaintext */
+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext data len */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session handle */
+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedData, /* ciphertext */
+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
+ CK_BYTE_PTR pData, /* gets plaintext */
+ CK_ULONG_PTR pulDataLen /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
+ CK_ULONG ulEncryptedPartLen, /* input length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pLastPart, /* gets plaintext */
+ CK_ULONG_PTR pulLastPartLen /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* data to be digested */
+ CK_ULONG ulDataLen, /* bytes of data to digest */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* data to be digested */
+ CK_ULONG ulPartLen /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hKey /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* the data to sign */
+ CK_ULONG ulPartLen /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* signed data */
+ CK_ULONG ulDataLen, /* length of signed data */
+ CK_BYTE_PTR pSignature, /* signature */
+ CK_ULONG ulSignatureLen /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* signed data */
+ CK_ULONG ulPartLen /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen, /* signature length */
+ CK_BYTE_PTR pData, /* gets signed data */
+ CK_ULONG_PTR pulDataLen /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
+ CK_ULONG ulCount, /* # of attrs in template */
+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session
+ * handle */
+ CK_MECHANISM_PTR pMechanism, /* key-gen
+ * mech. */
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
+ * for pub.
+ * key */
+ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
+ * attrs. */
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
+ * for priv.
+ * key */
+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
+ * attrs. */
+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
+ * key
+ * handle */
+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
+ * priv. key
+ * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
+ CK_OBJECT_HANDLE hBaseKey, /* base key */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSeed, /* the seed material */
+ CK_ULONG ulSeedLen /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR RandomData, /* receives the random data */
+ CK_ULONG ulRandomLen /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FLAGS flags, /* blocking/nonblocking flag */
+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
+);
+#endif
diff --git a/src/pluto/rsaref/pkcs11t.h b/src/pluto/rsaref/pkcs11t.h
new file mode 100644
index 000000000..3da20b215
--- /dev/null
+++ b/src/pluto/rsaref/pkcs11t.h
@@ -0,0 +1,1685 @@
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE 0
+
+
+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
+typedef void CK_PTR CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+ CK_BYTE major; /* integer portion of version number */
+ CK_BYTE minor; /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+ /* manufacturerID and libraryDecription have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags; /* must be zero */
+
+ /* libraryDescription and libraryVersion are new for v2.0 */
+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
+ CK_VERSION libraryVersion; /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER 0
+
+
+typedef CK_ULONG CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+ /* slotDescription and manufacturerID have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags;
+
+ /* hardwareVersion and firmwareVersion are new for v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
+#define CKF_HW_SLOT 0x00000004 /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+ /* label, manufacturerID, and model have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR label[32]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_UTF8CHAR model[16]; /* blank padded */
+ CK_CHAR serialNumber[16]; /* blank padded */
+ CK_FLAGS flags; /* see below */
+
+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+ * changed from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulMaxSessionCount; /* max open sessions */
+ CK_ULONG ulSessionCount; /* sess. now open */
+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
+ CK_ULONG ulMaxPinLen; /* in bytes */
+ CK_ULONG ulMinPinLen; /* in bytes */
+ CK_ULONG ulTotalPublicMemory; /* in bytes */
+ CK_ULONG ulFreePublicMemory; /* in bytes */
+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
+ CK_ULONG ulFreePrivateMemory; /* in bytes */
+
+ /* hardwareVersion, firmwareVersion, and time are new for
+ * v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+ CK_CHAR utcTime[16]; /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RNG 0x00000001 /* has random #
+ * generator */
+#define CKF_WRITE_PROTECTED 0x00000002 /* token is
+ * write-
+ * protected */
+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
+ * login */
+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
+ * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
+ * that the token has some sort of clock. The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN 0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED 0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+ onwards. */
+#define CKF_SECONDARY_AUTHENTICATION 0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW 0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY 0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED 0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW 0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY 0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED 0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO 0
+/* Normal user */
+#define CKU_USER 1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC 2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_STATE;
+#define CKS_RO_PUBLIC_SESSION 0
+#define CKS_RO_USER_FUNCTIONS 1
+#define CKS_RW_PUBLIC_SESSION 2
+#define CKS_RW_USER_FUNCTIONS 3
+#define CKS_RW_SO_FUNCTIONS 4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+ CK_SLOT_ID slotID;
+ CK_STATE state;
+ CK_FLAGS flags; /* see below */
+
+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulDeviceError; /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RW_SESSION 0x00000002 /* session is r/w */
+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object */
+typedef CK_ULONG CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes. It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA 0x00000000
+#define CKO_CERTIFICATE 0x00000001
+#define CKO_PUBLIC_KEY 0x00000002
+#define CKO_PRIVATE_KEY 0x00000003
+#define CKO_SECRET_KEY 0x00000004
+#define CKO_HW_FEATURE 0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM 0x00000007
+#define CKO_VENDOR_DEFINED 0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER 0x00000001
+#define CKH_CLOCK 0x00000002
+#define CKH_USER_INTERFACE 0x00000003
+#define CKH_VENDOR_DEFINED 0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA 0x00000000
+#define CKK_DSA 0x00000001
+#define CKK_DH 0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA 0x00000003
+#define CKK_EC 0x00000003
+#define CKK_X9_42_DH 0x00000004
+#define CKK_KEA 0x00000005
+
+#define CKK_GENERIC_SECRET 0x00000010
+#define CKK_RC2 0x00000011
+#define CKK_RC4 0x00000012
+#define CKK_DES 0x00000013
+#define CKK_DES2 0x00000014
+#define CKK_DES3 0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST 0x00000016
+#define CKK_CAST3 0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5 0x00000018
+#define CKK_CAST128 0x00000018
+#define CKK_RC5 0x00000019
+#define CKK_IDEA 0x0000001A
+#define CKK_SKIPJACK 0x0000001B
+#define CKK_BATON 0x0000001C
+#define CKK_JUNIPER 0x0000001D
+#define CKK_CDMF 0x0000001E
+#define CKK_AES 0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH 0x00000020
+#define CKK_TWOFISH 0x00000021
+
+#define CKK_VENDOR_DEFINED 0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509 0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS 0x00000002
+#define CKC_VENDOR_DEFINED 0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE 0x40000000
+
+/* The following attribute types are defined: */
+#define CKA_CLASS 0x00000000
+#define CKA_TOKEN 0x00000001
+#define CKA_PRIVATE 0x00000002
+#define CKA_LABEL 0x00000003
+#define CKA_APPLICATION 0x00000010
+#define CKA_VALUE 0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID 0x00000012
+
+#define CKA_CERTIFICATE_TYPE 0x00000080
+#define CKA_ISSUER 0x00000081
+#define CKA_SERIAL_NUMBER 0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER 0x00000083
+#define CKA_OWNER 0x00000084
+#define CKA_ATTR_TYPES 0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED 0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY 0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
+#define CKA_URL 0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
+#define CKA_CHECK_VALUE 0x00000090
+
+#define CKA_KEY_TYPE 0x00000100
+#define CKA_SUBJECT 0x00000101
+#define CKA_ID 0x00000102
+#define CKA_SENSITIVE 0x00000103
+#define CKA_ENCRYPT 0x00000104
+#define CKA_DECRYPT 0x00000105
+#define CKA_WRAP 0x00000106
+#define CKA_UNWRAP 0x00000107
+#define CKA_SIGN 0x00000108
+#define CKA_SIGN_RECOVER 0x00000109
+#define CKA_VERIFY 0x0000010A
+#define CKA_VERIFY_RECOVER 0x0000010B
+#define CKA_DERIVE 0x0000010C
+#define CKA_START_DATE 0x00000110
+#define CKA_END_DATE 0x00000111
+#define CKA_MODULUS 0x00000120
+#define CKA_MODULUS_BITS 0x00000121
+#define CKA_PUBLIC_EXPONENT 0x00000122
+#define CKA_PRIVATE_EXPONENT 0x00000123
+#define CKA_PRIME_1 0x00000124
+#define CKA_PRIME_2 0x00000125
+#define CKA_EXPONENT_1 0x00000126
+#define CKA_EXPONENT_2 0x00000127
+#define CKA_COEFFICIENT 0x00000128
+#define CKA_PRIME 0x00000130
+#define CKA_SUBPRIME 0x00000131
+#define CKA_BASE 0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS 0x00000133
+#define CKA_SUBPRIME_BITS 0x00000134
+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS 0x00000160
+#define CKA_VALUE_LEN 0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE 0x00000162
+#define CKA_LOCAL 0x00000163
+#define CKA_NEVER_EXTRACTABLE 0x00000164
+#define CKA_ALWAYS_SENSITIVE 0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM 0x00000166
+
+#define CKA_MODIFIABLE 0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS 0x00000180
+#define CKA_EC_PARAMS 0x00000180
+
+#define CKA_EC_POINT 0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH 0x00000200
+#define CKA_AUTH_PIN_FLAGS 0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE 0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED 0x00000210
+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE 0x00000300
+#define CKA_RESET_ON_INIT 0x00000301
+#define CKA_HAS_RESET 0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X 0x00000400
+#define CKA_PIXEL_Y 0x00000401
+#define CKA_RESOLUTION 0x00000402
+#define CKA_CHAR_ROWS 0x00000403
+#define CKA_CHAR_COLUMNS 0x00000404
+#define CKA_COLOR 0x00000405
+#define CKA_BITS_PER_PIXEL 0x00000406
+#define CKA_CHAR_SETS 0x00000480
+#define CKA_ENCODING_METHODS 0x00000481
+#define CKA_MIME_TYPES 0x00000482
+#define CKA_MECHANISM_TYPE 0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED 0x80000000
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+ CK_ATTRIBUTE_TYPE type;
+ CK_VOID_PTR pValue;
+
+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulValueLen; /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+ CK_CHAR year[4]; /* the year ("1900" - "9999") */
+ CK_CHAR month[2]; /* the month ("01" - "12") */
+ CK_CHAR day[2]; /* the day ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
+#define CKM_RSA_PKCS 0x00000001
+#define CKM_RSA_9796 0x00000002
+#define CKM_RSA_X_509 0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0. They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS 0x00000004
+#define CKM_MD5_RSA_PKCS 0x00000005
+#define CKM_SHA1_RSA_PKCS 0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS 0x00000007
+#define CKM_RIPEMD160_RSA_PKCS 0x00000008
+#define CKM_RSA_PKCS_OAEP 0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
+#define CKM_RSA_X9_31 0x0000000B
+#define CKM_SHA1_RSA_X9_31 0x0000000C
+#define CKM_RSA_PKCS_PSS 0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN 0x00000010
+#define CKM_DSA 0x00000011
+#define CKM_DSA_SHA1 0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
+#define CKM_DH_PKCS_DERIVE 0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
+#define CKM_X9_42_DH_DERIVE 0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
+#define CKM_X9_42_MQV_DERIVE 0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS 0x00000040
+#define CKM_SHA384_RSA_PKCS 0x00000041
+#define CKM_SHA512_RSA_PKCS 0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
+
+#define CKM_RC2_KEY_GEN 0x00000100
+#define CKM_RC2_ECB 0x00000101
+#define CKM_RC2_CBC 0x00000102
+#define CKM_RC2_MAC 0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL 0x00000104
+#define CKM_RC2_CBC_PAD 0x00000105
+
+#define CKM_RC4_KEY_GEN 0x00000110
+#define CKM_RC4 0x00000111
+#define CKM_DES_KEY_GEN 0x00000120
+#define CKM_DES_ECB 0x00000121
+#define CKM_DES_CBC 0x00000122
+#define CKM_DES_MAC 0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL 0x00000124
+#define CKM_DES_CBC_PAD 0x00000125
+
+#define CKM_DES2_KEY_GEN 0x00000130
+#define CKM_DES3_KEY_GEN 0x00000131
+#define CKM_DES3_ECB 0x00000132
+#define CKM_DES3_CBC 0x00000133
+#define CKM_DES3_MAC 0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL 0x00000135
+#define CKM_DES3_CBC_PAD 0x00000136
+#define CKM_CDMF_KEY_GEN 0x00000140
+#define CKM_CDMF_ECB 0x00000141
+#define CKM_CDMF_CBC 0x00000142
+#define CKM_CDMF_MAC 0x00000143
+#define CKM_CDMF_MAC_GENERAL 0x00000144
+#define CKM_CDMF_CBC_PAD 0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64 0x00000150
+#define CKM_DES_OFB8 0x00000151
+#define CKM_DES_CFB64 0x00000152
+#define CKM_DES_CFB8 0x00000153
+
+#define CKM_MD2 0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC 0x00000201
+#define CKM_MD2_HMAC_GENERAL 0x00000202
+
+#define CKM_MD5 0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC 0x00000211
+#define CKM_MD5_HMAC_GENERAL 0x00000212
+
+#define CKM_SHA_1 0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL 0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128 0x00000230
+#define CKM_RIPEMD128_HMAC 0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
+#define CKM_RIPEMD160 0x00000240
+#define CKM_RIPEMD160_HMAC 0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256 0x00000250
+#define CKM_SHA256_HMAC 0x00000251
+#define CKM_SHA256_HMAC_GENERAL 0x00000252
+#define CKM_SHA384 0x00000260
+#define CKM_SHA384_HMAC 0x00000261
+#define CKM_SHA384_HMAC_GENERAL 0x00000262
+#define CKM_SHA512 0x00000270
+#define CKM_SHA512_HMAC 0x00000271
+#define CKM_SHA512_HMAC_GENERAL 0x00000272
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN 0x00000300
+#define CKM_CAST_ECB 0x00000301
+#define CKM_CAST_CBC 0x00000302
+#define CKM_CAST_MAC 0x00000303
+#define CKM_CAST_MAC_GENERAL 0x00000304
+#define CKM_CAST_CBC_PAD 0x00000305
+#define CKM_CAST3_KEY_GEN 0x00000310
+#define CKM_CAST3_ECB 0x00000311
+#define CKM_CAST3_CBC 0x00000312
+#define CKM_CAST3_MAC 0x00000313
+#define CKM_CAST3_MAC_GENERAL 0x00000314
+#define CKM_CAST3_CBC_PAD 0x00000315
+#define CKM_CAST5_KEY_GEN 0x00000320
+#define CKM_CAST128_KEY_GEN 0x00000320
+#define CKM_CAST5_ECB 0x00000321
+#define CKM_CAST128_ECB 0x00000321
+#define CKM_CAST5_CBC 0x00000322
+#define CKM_CAST128_CBC 0x00000322
+#define CKM_CAST5_MAC 0x00000323
+#define CKM_CAST128_MAC 0x00000323
+#define CKM_CAST5_MAC_GENERAL 0x00000324
+#define CKM_CAST128_MAC_GENERAL 0x00000324
+#define CKM_CAST5_CBC_PAD 0x00000325
+#define CKM_CAST128_CBC_PAD 0x00000325
+#define CKM_RC5_KEY_GEN 0x00000330
+#define CKM_RC5_ECB 0x00000331
+#define CKM_RC5_CBC 0x00000332
+#define CKM_RC5_MAC 0x00000333
+#define CKM_RC5_MAC_GENERAL 0x00000334
+#define CKM_RC5_CBC_PAD 0x00000335
+#define CKM_IDEA_KEY_GEN 0x00000340
+#define CKM_IDEA_ECB 0x00000341
+#define CKM_IDEA_CBC 0x00000342
+#define CKM_IDEA_MAC 0x00000343
+#define CKM_IDEA_MAC_GENERAL 0x00000344
+#define CKM_IDEA_CBC_PAD 0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
+#define CKM_XOR_BASE_AND_DATA 0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF 0x00000378
+
+#define CKM_SSL3_MD5_MAC 0x00000380
+#define CKM_SSL3_SHA1_MAC 0x00000381
+#define CKM_MD5_KEY_DERIVATION 0x00000390
+#define CKM_MD2_KEY_DERIVATION 0x00000391
+#define CKM_SHA1_KEY_DERIVATION 0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION 0x00000393
+#define CKM_SHA384_KEY_DERIVATION 0x00000394
+#define CKM_SHA512_KEY_DERIVATION 0x00000395
+
+#define CKM_PBE_MD2_DES_CBC 0x000003A0
+#define CKM_PBE_MD5_DES_CBC 0x000003A1
+#define CKM_PBE_MD5_CAST_CBC 0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
+#define CKM_PBE_SHA1_RC4_128 0x000003A6
+#define CKM_PBE_SHA1_RC4_40 0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2 0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
+#define CKM_WTLS_PRF 0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS 0x00000400
+#define CKM_KEY_WRAP_SET_OAEP 0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG 0x00000500
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN 0x00001000
+#define CKM_SKIPJACK_ECB64 0x00001001
+#define CKM_SKIPJACK_CBC64 0x00001002
+#define CKM_SKIPJACK_OFB64 0x00001003
+#define CKM_SKIPJACK_CFB64 0x00001004
+#define CKM_SKIPJACK_CFB32 0x00001005
+#define CKM_SKIPJACK_CFB16 0x00001006
+#define CKM_SKIPJACK_CFB8 0x00001007
+#define CKM_SKIPJACK_WRAP 0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
+#define CKM_SKIPJACK_RELAYX 0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN 0x00001010
+#define CKM_KEA_KEY_DERIVE 0x00001011
+#define CKM_FORTEZZA_TIMESTAMP 0x00001020
+#define CKM_BATON_KEY_GEN 0x00001030
+#define CKM_BATON_ECB128 0x00001031
+#define CKM_BATON_ECB96 0x00001032
+#define CKM_BATON_CBC128 0x00001033
+#define CKM_BATON_COUNTER 0x00001034
+#define CKM_BATON_SHUFFLE 0x00001035
+#define CKM_BATON_WRAP 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
+#define CKM_EC_KEY_PAIR_GEN 0x00001040
+
+#define CKM_ECDSA 0x00001041
+#define CKM_ECDSA_SHA1 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE 0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
+#define CKM_ECMQV_DERIVE 0x00001052
+
+#define CKM_JUNIPER_KEY_GEN 0x00001060
+#define CKM_JUNIPER_ECB128 0x00001061
+#define CKM_JUNIPER_CBC128 0x00001062
+#define CKM_JUNIPER_COUNTER 0x00001063
+#define CKM_JUNIPER_SHUFFLE 0x00001064
+#define CKM_JUNIPER_WRAP 0x00001065
+#define CKM_FASTHASH 0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN 0x00001080
+#define CKM_AES_ECB 0x00001081
+#define CKM_AES_CBC 0x00001082
+#define CKM_AES_MAC 0x00001083
+#define CKM_AES_MAC_GENERAL 0x00001084
+#define CKM_AES_CBC_PAD 0x00001085
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN 0x00001090
+#define CKM_BLOWFISH_CBC 0x00001091
+#define CKM_TWOFISH_KEY_GEN 0x00001092
+#define CKM_TWOFISH_CBC 0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
+
+#define CKM_DSA_PARAMETER_GEN 0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
+
+#define CKM_VENDOR_DEFINED 0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism */
+typedef struct CK_MECHANISM {
+ CK_MECHANISM_TYPE mechanism;
+ CK_VOID_PTR pParameter;
+
+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulParameterLen; /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+ CK_ULONG ulMinKeySize;
+ CK_ULONG ulMaxKeySize;
+ CK_FLAGS flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ * Bit Flag Mask Meaning */
+#define CKF_HW 0x00000001 /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0. They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT 0x00000100
+#define CKF_DECRYPT 0x00000200
+#define CKF_DIGEST 0x00000400
+#define CKF_SIGN 0x00000800
+#define CKF_SIGN_RECOVER 0x00001000
+#define CKF_VERIFY 0x00002000
+#define CKF_VERIFY_RECOVER 0x00004000
+#define CKF_GENERATE 0x00008000
+#define CKF_GENERATE_KEY_PAIR 0x00010000
+#define CKF_WRAP 0x00020000
+#define CKF_UNWRAP 0x00040000
+#define CKF_DERIVE 0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P 0x00100000
+#define CKF_EC_F_2M 0x00200000
+#define CKF_EC_ECPARAMETERS 0x00400000
+#define CKF_EC_NAMEDCURVE 0x00800000
+#define CKF_EC_UNCOMPRESS 0x01000000
+#define CKF_EC_COMPRESS 0x02000000
+
+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_RV;
+
+#define CKR_OK 0x00000000
+#define CKR_CANCEL 0x00000001
+#define CKR_HOST_MEMORY 0x00000002
+#define CKR_SLOT_ID_INVALID 0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR 0x00000005
+#define CKR_FUNCTION_FAILED 0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD 0x00000007
+#define CKR_NO_EVENT 0x00000008
+#define CKR_NEED_TO_CREATE_THREADS 0x00000009
+#define CKR_CANT_LOCK 0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
+#define CKR_DATA_INVALID 0x00000020
+#define CKR_DATA_LEN_RANGE 0x00000021
+#define CKR_DEVICE_ERROR 0x00000030
+#define CKR_DEVICE_MEMORY 0x00000031
+#define CKR_DEVICE_REMOVED 0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
+#define CKR_FUNCTION_CANCELED 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
+
+#define CKR_KEY_HANDLE_INVALID 0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE 0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED 0x00000064
+#define CKR_KEY_CHANGED 0x00000065
+#define CKR_KEY_NEEDED 0x00000066
+#define CKR_KEY_INDIGESTIBLE 0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
+#define CKR_KEY_NOT_WRAPPABLE 0x00000069
+#define CKR_KEY_UNEXTRACTABLE 0x0000006A
+
+#define CKR_MECHANISM_INVALID 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID 0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID 0x00000082
+#define CKR_OPERATION_ACTIVE 0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
+#define CKR_PIN_INCORRECT 0x000000A0
+#define CKR_PIN_INVALID 0x000000A1
+#define CKR_PIN_LEN_RANGE 0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED 0x000000A3
+#define CKR_PIN_LOCKED 0x000000A4
+
+#define CKR_SESSION_CLOSED 0x000000B0
+#define CKR_SESSION_COUNT 0x000000B1
+#define CKR_SESSION_HANDLE_INVALID 0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
+#define CKR_SESSION_READ_ONLY 0x000000B5
+#define CKR_SESSION_EXISTS 0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
+
+#define CKR_SIGNATURE_INVALID 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
+#define CKR_TOKEN_NOT_PRESENT 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
+#define CKR_USER_NOT_LOGGED_IN 0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
+#define CKR_USER_TYPE_INVALID 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
+#define CKR_USER_TOO_MANY_TYPES 0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID 0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG 0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL 0x00000150
+#define CKR_SAVED_STATE_INVALID 0x00000160
+#define CKR_INFORMATION_SENSITIVE 0x00000170
+#define CKR_STATE_UNSAVEABLE 0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
+#define CKR_MUTEX_BAD 0x000001A0
+#define CKR_MUTEX_NOT_LOCKED 0x000001A1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED 0x00000200
+
+#define CKR_VENDOR_DEFINED 0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+ CK_CREATEMUTEX CreateMutex;
+ CK_DESTROYMUTEX DestroyMutex;
+ CK_LOCKMUTEX LockMutex;
+ CK_UNLOCKMUTEX UnlockMutex;
+ CK_FLAGS flags;
+ CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK 0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK 1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1 0x00000001
+#define CKG_MGF1_SHA256 0x00000002
+#define CKG_MGF1_SHA384 0x00000003
+#define CKG_MGF1_SHA512 0x00000004
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED 0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+ CK_VOID_PTR pSourceData;
+ CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_ULONG sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL 0x00000001
+#define CKD_SHA1_KDF 0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+ (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1 0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+ CK_BBOOL isSender;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pRandomB;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+
+ CK_BYTE iv[8]; /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_BYTE_PTR pIv; /* pointer to IV */
+ CK_ULONG ulIvLen; /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[8];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pPassword;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPAndGLen;
+ CK_ULONG ulQLen;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pPrimeP;
+ CK_BYTE_PTR pBaseG;
+ CK_BYTE_PTR pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+ CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+ CK_ULONG ulOldWrappedXLen;
+ CK_BYTE_PTR pOldWrappedX;
+ CK_ULONG ulOldPasswordLen;
+ CK_BYTE_PTR pOldPassword;
+ CK_ULONG ulOldPublicDataLen;
+ CK_BYTE_PTR pOldPublicData;
+ CK_ULONG ulOldRandomLen;
+ CK_BYTE_PTR pOldRandomA;
+ CK_ULONG ulNewPasswordLen;
+ CK_BYTE_PTR pNewPassword;
+ CK_ULONG ulNewPublicDataLen;
+ CK_BYTE_PTR pNewPublicData;
+ CK_ULONG ulNewRandomLen;
+ CK_BYTE_PTR pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+ CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+ CK_BYTE_PTR pInitVector;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pSalt;
+ CK_ULONG ulSaltLen;
+ CK_ULONG ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+ CK_BYTE bBC; /* block contents byte */
+ CK_BYTE_PTR pX; /* extra data */
+ CK_ULONG ulXLen; /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hClientMacSecret;
+ CK_OBJECT_HANDLE hServerMacSecret;
+ CK_OBJECT_HANDLE hClientKey;
+ CK_OBJECT_HANDLE hServerKey;
+ CK_BYTE_PTR pIVClient;
+ CK_BYTE_PTR pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_BBOOL bIsExport;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_BYTE_PTR pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hMacSecret;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_ULONG ulSequenceNumber;
+ CK_BBOOL bIsExport;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+ CK_OBJECT_HANDLE certificateHandle;
+ CK_MECHANISM_PTR pSigningMechanism;
+ CK_MECHANISM_PTR pDigestMechanism;
+ CK_UTF8CHAR_PTR pContentType;
+ CK_BYTE_PTR pRequestedAttributes;
+ CK_ULONG ulRequestedAttributesLen;
+ CK_BYTE_PTR pRequiredAttributes;
+ CK_ULONG ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+ CK_BYTE_PTR pData;
+ CK_ULONG ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+ CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED 0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ CK_VOID_PTR pSaltSourceData;
+ CK_ULONG ulSaltSourceDataLen;
+ CK_ULONG iterations;
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ CK_VOID_PTR pPrfData;
+ CK_ULONG ulPrfDataLen;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG_PTR ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+#endif
diff --git a/src/pluto/rsaref/unix.h b/src/pluto/rsaref/unix.h
new file mode 100644
index 000000000..2e7eb6663
--- /dev/null
+++ b/src/pluto/rsaref/unix.h
@@ -0,0 +1,24 @@
+
+
+#ifndef UNIX_H
+#define UNIX_H
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ returnType (* name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+ returnType (* name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#endif
diff --git a/src/pluto/server.c b/src/pluto/server.c
new file mode 100644
index 000000000..1cc221515
--- /dev/null
+++ b/src/pluto/server.c
@@ -0,0 +1,996 @@
+/* get-next-event loop
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#ifdef SOLARIS
+# include <sys/sockio.h> /* for Solaris 2.6: defines SIOCGIFCONF */
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <netdb.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+#include <resolv.h>
+#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
+#include <sys/queue.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "state.h"
+#include "connections.h"
+#include "kernel.h"
+#include "log.h"
+#include "server.h"
+#include "timer.h"
+#include "packet.h"
+#include "demux.h" /* needs packet.h */
+#include "rcv_whack.h"
+#include "keys.h"
+#include "adns.h" /* needs <resolv.h> */
+#include "dnskey.h" /* needs keys.h and adns.h */
+#include "whack.h" /* for RC_LOG_SERIOUS */
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+#include "kameipsec.h"
+#include "nat_traversal.h"
+
+/*
+ * Server main loop and socket initialization routines.
+ */
+
+static const int on = TRUE; /* by-reference parameter; constant, we hope */
+
+/* control (whack) socket */
+int ctl_fd = NULL_FD; /* file descriptor of control (whack) socket */
+struct sockaddr_un ctl_addr = { AF_UNIX, DEFAULT_CTLBASE CTL_SUFFIX };
+
+/* info (showpolicy) socket */
+int policy_fd = NULL_FD;
+struct sockaddr_un info_addr= { AF_UNIX, DEFAULT_CTLBASE INFO_SUFFIX };
+
+/* Initialize the control socket.
+ * Note: this is called very early, so little infrastructure is available.
+ * It is important that the socket is created before the original
+ * Pluto process returns.
+ */
+err_t
+init_ctl_socket(void)
+{
+ err_t failed = NULL;
+
+ delete_ctl_socket(); /* preventative medicine */
+ ctl_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (ctl_fd == -1)
+ failed = "create";
+ else if (fcntl(ctl_fd, F_SETFD, FD_CLOEXEC) == -1)
+ failed = "fcntl FD+CLOEXEC";
+ else if (setsockopt(ctl_fd, SOL_SOCKET, SO_REUSEADDR, (const void *)&on, sizeof(on)) < 0)
+ failed = "setsockopt";
+ else
+ {
+ /* to keep control socket secure, use umask */
+ mode_t ou = umask(~S_IRWXU);
+
+ if (bind(ctl_fd, (struct sockaddr *)&ctl_addr
+ , offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+ failed = "bind";
+ umask(ou);
+ }
+
+ /* 5 is a haphazardly chosen limit for the backlog.
+ * Rumour has it that this is the max on BSD systems.
+ */
+ if (failed == NULL && listen(ctl_fd, 5) < 0)
+ failed = "listen() on";
+
+ return failed == NULL? NULL : builddiag("could not %s control socket: %d %s"
+ , failed, errno, strerror(errno));
+}
+
+void
+delete_ctl_socket(void)
+{
+ /* Is noting failure useful? Not when used as preventative medicine. */
+ unlink(ctl_addr.sun_path);
+}
+
+bool listening = FALSE; /* should we pay attention to IKE messages? */
+
+struct iface *interfaces = NULL; /* public interfaces */
+
+/* Initialize the interface sockets. */
+
+static void
+mark_ifaces_dead(void)
+{
+ struct iface *p;
+
+ for (p = interfaces; p != NULL; p = p->next)
+ p->change = IFN_DELETE;
+}
+
+static void
+free_dead_ifaces(void)
+{
+ struct iface *p;
+ bool some_dead = FALSE
+ , some_new = FALSE;
+
+ for (p = interfaces; p != NULL; p = p->next)
+ {
+ if (p->change == IFN_DELETE)
+ {
+ plog("shutting down interface %s/%s %s"
+ , p->vname, p->rname, ip_str(&p->addr));
+ some_dead = TRUE;
+ }
+ else if (p->change == IFN_ADD)
+ {
+ some_new = TRUE;
+ }
+ }
+
+ if (some_dead)
+ {
+ struct iface **pp;
+
+ release_dead_interfaces();
+ for (pp = &interfaces; (p = *pp) != NULL; )
+ {
+ if (p->change == IFN_DELETE)
+ {
+ *pp = p->next; /* advance *pp */
+ pfree(p->vname);
+ pfree(p->rname);
+ close(p->fd);
+ pfree(p);
+ }
+ else
+ {
+ pp = &p->next; /* advance pp */
+ }
+ }
+ }
+
+ /* this must be done after the release_dead_interfaces
+ * in case some to the newly unoriented connections can
+ * become oriented here.
+ */
+ if (some_dead || some_new)
+ check_orientations();
+}
+
+void
+free_ifaces(void)
+{
+ mark_ifaces_dead();
+ free_dead_ifaces();
+}
+
+struct raw_iface {
+ ip_address addr;
+ char name[IFNAMSIZ + 20]; /* what would be a safe size? */
+ struct raw_iface *next;
+};
+
+/* Called to handle --interface <ifname>
+ * Semantics: if specified, only these (real) interfaces are considered.
+ */
+static const char *pluto_ifn[10];
+static int pluto_ifn_roof = 0;
+
+bool
+use_interface(const char *rifn)
+{
+ if (pluto_ifn_roof >= (int)elemsof(pluto_ifn))
+ {
+ return FALSE;
+ }
+ else
+ {
+ pluto_ifn[pluto_ifn_roof++] = rifn;
+ return TRUE;
+ }
+}
+
+#ifndef IPSECDEVPREFIX
+# define IPSECDEVPREFIX "ipsec"
+#endif
+
+static struct raw_iface *
+find_raw_ifaces4(void)
+{
+ int j; /* index into buf */
+ struct ifconf ifconf;
+ struct ifreq buf[300]; /* for list of interfaces -- arbitrary limit */
+ struct raw_iface *rifaces = NULL;
+ int master_sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); /* Get a UDP socket */
+
+ /* get list of interfaces with assigned IPv4 addresses from system */
+
+ if (master_sock == -1)
+ exit_log_errno((e, "socket() failed in find_raw_ifaces4()"));
+
+ if (setsockopt(master_sock, SOL_SOCKET, SO_REUSEADDR
+ , (const void *)&on, sizeof(on)) < 0)
+ exit_log_errno((e, "setsockopt() in find_raw_ifaces4()"));
+
+ /* bind the socket */
+ {
+ ip_address any;
+
+ happy(anyaddr(AF_INET, &any));
+ setportof(htons(pluto_port), &any);
+ if (bind(master_sock, sockaddrof(&any), sockaddrlenof(&any)) < 0)
+ exit_log_errno((e, "bind() failed in find_raw_ifaces4()"));
+ }
+
+ /* Get local interfaces. See netdevice(7). */
+ ifconf.ifc_len = sizeof(buf);
+ ifconf.ifc_buf = (void *) buf;
+ zero(buf);
+
+ if (ioctl(master_sock, SIOCGIFCONF, &ifconf) == -1)
+ exit_log_errno((e, "ioctl(SIOCGIFCONF) in find_raw_ifaces4()"));
+
+ /* Add an entry to rifaces for each interesting interface. */
+ for (j = 0; (j+1) * sizeof(*buf) <= (size_t)ifconf.ifc_len; j++)
+ {
+ struct raw_iface ri;
+ const struct sockaddr_in *rs = (struct sockaddr_in *) &buf[j].ifr_addr;
+ struct ifreq auxinfo;
+
+ /* ignore all but AF_INET interfaces */
+ if (rs->sin_family != AF_INET)
+ continue; /* not interesting */
+
+ /* build a NUL-terminated copy of the rname field */
+ memcpy(ri.name, buf[j].ifr_name, IFNAMSIZ);
+ ri.name[IFNAMSIZ] = '\0';
+
+ /* ignore if our interface names were specified, and this isn't one */
+ if (pluto_ifn_roof != 0)
+ {
+ int i;
+
+ for (i = 0; i != pluto_ifn_roof; i++)
+ if (streq(ri.name, pluto_ifn[i]))
+ break;
+ if (i == pluto_ifn_roof)
+ continue; /* not found -- skip */
+ }
+
+ /* Find out stuff about this interface. See netdevice(7). */
+ zero(&auxinfo); /* paranoia */
+ memcpy(auxinfo.ifr_name, buf[j].ifr_name, IFNAMSIZ);
+ if (ioctl(master_sock, SIOCGIFFLAGS, &auxinfo) == -1)
+ exit_log_errno((e
+ , "ioctl(SIOCGIFFLAGS) for %s in find_raw_ifaces4()"
+ , ri.name));
+ if (!(auxinfo.ifr_flags & IFF_UP))
+ continue; /* ignore an interface that isn't UP */
+
+ /* ignore unconfigured interfaces */
+ if (rs->sin_addr.s_addr == 0)
+ continue;
+
+ happy(initaddr((const void *)&rs->sin_addr, sizeof(struct in_addr)
+ , AF_INET, &ri.addr));
+
+ DBG(DBG_CONTROL, DBG_log("found %s with address %s"
+ , ri.name, ip_str(&ri.addr)));
+ ri.next = rifaces;
+ rifaces = clone_thing(ri, "struct raw_iface");
+ }
+
+ close(master_sock);
+
+ return rifaces;
+}
+
+static struct raw_iface *
+find_raw_ifaces6(void)
+{
+
+ /* Get list of interfaces with IPv6 addresses from system from /proc/net/if_inet6).
+ *
+ * Documentation of format?
+ * RTFS: linux-2.2.16/net/ipv6/addrconf.c:iface_proc_info()
+ * linux-2.4.9-13/net/ipv6/addrconf.c:iface_proc_info()
+ *
+ * Sample from Gerhard's laptop:
+ * 00000000000000000000000000000001 01 80 10 80 lo
+ * 30490009000000000000000000010002 02 40 00 80 ipsec0
+ * 30490009000000000000000000010002 07 40 00 80 eth0
+ * fe80000000000000025004fffefd5484 02 0a 20 80 ipsec0
+ * fe80000000000000025004fffefd5484 07 0a 20 80 eth0
+ *
+ * Each line contains:
+ * - IPv6 address: 16 bytes, in hex, no punctuation
+ * - ifindex: 1 byte, in hex
+ * - prefix_len: 1 byte, in hex
+ * - scope (e.g. global, link local): 1 byte, in hex
+ * - flags: 1 byte, in hex
+ * - device name: string, followed by '\n'
+ */
+ struct raw_iface *rifaces = NULL;
+ static const char proc_name[] = "/proc/net/if_inet6";
+ FILE *proc_sock = fopen(proc_name, "r");
+
+ if (proc_sock == NULL)
+ {
+ DBG(DBG_CONTROL, DBG_log("could not open %s", proc_name));
+ }
+ else
+ {
+ for (;;)
+ {
+ struct raw_iface ri;
+ unsigned short xb[8]; /* IPv6 address as 8 16-bit chunks */
+ char sb[8*5]; /* IPv6 address as string-with-colons */
+ unsigned int if_idx; /* proc field, not used */
+ unsigned int plen; /* proc field, not used */
+ unsigned int scope; /* proc field, used to exclude link-local */
+ unsigned int dad_status; /* proc field, not used */
+ /* ??? I hate and distrust scanf -- DHR */
+ int r = fscanf(proc_sock
+ , "%4hx%4hx%4hx%4hx%4hx%4hx%4hx%4hx"
+ " %02x %02x %02x %02x %20s\n"
+ , xb+0, xb+1, xb+2, xb+3, xb+4, xb+5, xb+6, xb+7
+ , &if_idx, &plen, &scope, &dad_status, ri.name);
+
+ /* ??? we should diagnose any problems */
+ if (r != 13)
+ break;
+
+ /* ignore addresses with link local scope.
+ * From linux-2.4.9-13/include/net/ipv6.h:
+ * IPV6_ADDR_LINKLOCAL 0x0020U
+ * IPV6_ADDR_SCOPE_MASK 0x00f0U
+ */
+ if ((scope & 0x00f0U) == 0x0020U)
+ continue;
+
+ snprintf(sb, sizeof(sb)
+ , "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x"
+ , xb[0], xb[1], xb[2], xb[3], xb[4], xb[5], xb[6], xb[7]);
+
+ happy(ttoaddr(sb, 0, AF_INET6, &ri.addr));
+
+ if (!isunspecaddr(&ri.addr))
+ {
+ DBG(DBG_CONTROL
+ , DBG_log("found %s with address %s"
+ , ri.name, sb));
+ ri.next = rifaces;
+ rifaces = clone_thing(ri, "struct raw_iface");
+ }
+ }
+ fclose(proc_sock);
+ }
+
+ return rifaces;
+}
+
+#if 1
+static int
+create_socket(struct raw_iface *ifp, const char *v_name, int port)
+{
+ int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
+ int fcntl_flags;
+
+ if (fd < 0)
+ {
+ log_errno((e, "socket() in process_raw_ifaces()"));
+ return -1;
+ }
+
+#if 1
+ /* Set socket Nonblocking */
+ if ((fcntl_flags=fcntl(fd, F_GETFL)) >= 0) {
+ if (!(fcntl_flags & O_NONBLOCK)) {
+ fcntl_flags |= O_NONBLOCK;
+ fcntl(fd, F_SETFL, fcntl_flags);
+ }
+ }
+#endif
+
+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+ {
+ log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
+ , (const void *)&on, sizeof(on)) < 0)
+ {
+ log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+
+ /* To improve error reporting. See ip(7). */
+#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
+ if (setsockopt(fd, SOL_IP, IP_RECVERR
+ , (const void *)&on, sizeof(on)) < 0)
+ {
+ log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+#endif
+
+ /* With IPv6, there is no fragmentation after
+ * it leaves our interface. PMTU discovery
+ * is mandatory but doesn't work well with IKE (why?).
+ * So we must set the IPV6_USE_MIN_MTU option.
+ * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
+ */
+#ifdef IPV6_USE_MIN_MTU /* YUCK: not always defined */
+ if (addrtypeof(&ifp->addr) == AF_INET6
+ && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
+ , (const void *)&on, sizeof(on)) < 0)
+ {
+ log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+#endif
+
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+ if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+ {
+ struct sadb_x_policy policy;
+ int level, opt;
+
+ policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ policy.sadb_x_policy_reserved = 0;
+ policy.sadb_x_policy_id = 0;
+ policy.sadb_x_policy_reserved2 = 0;
+
+ if (addrtypeof(&ifp->addr) == AF_INET6)
+ {
+ level = IPPROTO_IPV6;
+ opt = IPV6_IPSEC_POLICY;
+ }
+ else
+ {
+ level = IPPROTO_IP;
+ opt = IP_IPSEC_POLICY;
+ }
+
+ if (setsockopt(fd, level, opt
+ , &policy, sizeof(policy)) < 0)
+ {
+ log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+
+ if (setsockopt(fd, level, opt
+ , &policy, sizeof(policy)) < 0)
+ {
+ log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+ close(fd);
+ return -1;
+ }
+ }
+#endif
+
+ setportof(htons(port), &ifp->addr);
+ if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
+ {
+ log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
+ , ifp->name, v_name
+ , ip_str(&ifp->addr), (unsigned) port));
+ close(fd);
+ return -1;
+ }
+ setportof(htons(pluto_port), &ifp->addr);
+ return fd;
+}
+#endif
+
+static void
+process_raw_ifaces(struct raw_iface *rifaces)
+{
+ struct raw_iface *ifp;
+
+ /* Find all virtual/real interface pairs.
+ * For each real interface...
+ */
+ for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
+ {
+ struct raw_iface *v = NULL; /* matching ipsecX interface */
+ struct raw_iface fake_v;
+ bool after = FALSE; /* has vfp passed ifp on the list? */
+ bool bad = FALSE;
+ struct raw_iface *vfp;
+
+ /* ignore if virtual (ipsec*) interface */
+ if (strncmp(ifp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
+ continue;
+
+ for (vfp = rifaces; vfp != NULL; vfp = vfp->next)
+ {
+ if (vfp == ifp)
+ {
+ after = TRUE;
+ }
+ else if (sameaddr(&ifp->addr, &vfp->addr))
+ {
+ /* Different entries with matching IP addresses.
+ * Many interesting cases.
+ */
+ if (strncmp(vfp->name, IPSECDEVPREFIX, sizeof(IPSECDEVPREFIX)-1) == 0)
+ {
+ if (v != NULL && !streq(v->name, vfp->name))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "ipsec interfaces %s and %s share same address %s"
+ , v->name, vfp->name, ip_str(&ifp->addr));
+ bad = TRUE;
+ }
+ else
+ {
+ v = vfp; /* current winner */
+ }
+ }
+ else
+ {
+ /* ugh: a second real interface with the same IP address
+ * "after" allows us to avoid double reporting.
+ */
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+ if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+ {
+ if (after)
+ {
+ bad = TRUE;
+ break;
+ }
+ continue;
+ }
+#endif
+ if (after)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "IP interfaces %s and %s share address %s!"
+ , ifp->name, vfp->name, ip_str(&ifp->addr));
+ }
+ bad = TRUE;
+ }
+ }
+ }
+
+ if (bad)
+ continue;
+
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+ if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+ {
+ v = ifp;
+ goto add_entry;
+ }
+#endif
+
+ /* what if we didn't find a virtual interface? */
+ if (v == NULL)
+ {
+ if (no_klips)
+ {
+ /* kludge for testing: invent a virtual device */
+ static const char fvp[] = "virtual";
+ fake_v = *ifp;
+ passert(sizeof(fake_v.name) > sizeof(fvp));
+ strcpy(fake_v.name, fvp);
+ addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
+ , sizeof(fake_v.name) - (sizeof(fvp) - 1));
+ v = &fake_v;
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+ , ifp->name, ip_str(&ifp->addr)));
+ continue;
+ }
+ }
+
+ /* We've got all we need; see if this is a new thing:
+ * search old interfaces list.
+ */
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+add_entry:
+#endif
+ {
+ struct iface **p = &interfaces;
+
+ for (;;)
+ {
+ struct iface *q = *p;
+
+ /* search is over if at end of list */
+ if (q == NULL)
+ {
+ /* matches nothing -- create a new entry */
+ int fd = create_socket(ifp, v->name, pluto_port);
+
+ if (fd < 0)
+ break;
+
+ if (nat_traversal_support_non_ike
+ && addrtypeof(&ifp->addr) == AF_INET)
+ {
+ nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
+ }
+
+ q = alloc_thing(struct iface, "struct iface");
+ q->rname = clone_str(ifp->name, "real device name");
+ q->vname = clone_str(v->name, "virtual device name");
+ q->addr = ifp->addr;
+ q->fd = fd;
+ q->next = interfaces;
+ q->change = IFN_ADD;
+ interfaces = q;
+ plog("adding interface %s/%s %s:%d"
+ , q->vname, q->rname, ip_str(&q->addr), pluto_port);
+
+ if (nat_traversal_support_port_floating
+ && addrtypeof(&ifp->addr) == AF_INET)
+ {
+ fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
+ if (fd < 0)
+ break;
+ nat_traversal_espinudp_socket(fd,
+ ESPINUDP_WITH_NON_ESP);
+ q = alloc_thing(struct iface, "struct iface");
+ q->rname = clone_str(ifp->name, "real device name");
+ q->vname = clone_str(v->name, "virtual device name");
+ q->addr = ifp->addr;
+ setportof(htons(NAT_T_IKE_FLOAT_PORT), &q->addr);
+ q->fd = fd;
+ q->next = interfaces;
+ q->change = IFN_ADD;
+ q->ike_float = TRUE;
+ interfaces = q;
+ plog("adding interface %s/%s %s:%d",
+ q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
+ }
+ break;
+ }
+
+ /* search over if matching old entry found */
+ if (streq(q->rname, ifp->name)
+ && streq(q->vname, v->name)
+ && sameaddr(&q->addr, &ifp->addr))
+ {
+ /* matches -- rejuvinate old entry */
+ q->change = IFN_KEEP;
+
+ /* look for other interfaces to keep (due to NAT-T) */
+ for (q = q->next ; q ; q = q->next)
+ {
+ if (streq(q->rname, ifp->name)
+ && streq(q->vname, v->name)
+ && sameaddr(&q->addr, &ifp->addr))
+ {
+ q->change = IFN_KEEP;
+ }
+ }
+ break;
+ }
+
+ /* try again */
+ p = &q->next;
+ } /* for (;;) */
+ }
+ }
+
+ /* delete the raw interfaces list */
+ while (rifaces != NULL)
+ {
+ struct raw_iface *t = rifaces;
+
+ rifaces = t->next;
+ pfree(t);
+ }
+}
+
+void
+find_ifaces(void)
+{
+ mark_ifaces_dead();
+ process_raw_ifaces(find_raw_ifaces4());
+ process_raw_ifaces(find_raw_ifaces6());
+
+ free_dead_ifaces(); /* ditch remaining old entries */
+
+ if (interfaces == NULL)
+ loglog(RC_LOG_SERIOUS, "no public interfaces found");
+}
+
+void
+show_ifaces_status(void)
+{
+ struct iface *p;
+
+ for (p = interfaces; p != NULL; p = p->next)
+ whack_log(RC_COMMENT, "interface %s/%s %s:%d"
+ , p->vname, p->rname, ip_str(&p->addr), ntohs(portof(&p->addr)));
+}
+
+void
+show_debug_status(void)
+{
+#ifdef DEBUG
+ whack_log(RC_COMMENT, "debug %s"
+ , bitnamesof(debug_bit_names, cur_debugging));
+#endif
+}
+
+static volatile sig_atomic_t sighupflag = FALSE;
+
+static void
+huphandler(int sig UNUSED)
+{
+ sighupflag = TRUE;
+}
+
+static volatile sig_atomic_t sigtermflag = FALSE;
+
+static void
+termhandler(int sig UNUSED)
+{
+ sigtermflag = TRUE;
+}
+
+/* call_server listens for incoming ISAKMP packets and Whack messages,
+ * and handles timer events.
+ */
+void
+call_server(void)
+{
+ struct iface *ifp;
+
+ /* catch SIGHUP and SIGTERM */
+ {
+ int r;
+ struct sigaction act;
+
+ act.sa_handler = &huphandler;
+ sigemptyset(&act.sa_mask);
+ act.sa_flags = 0; /* no SA_ONESHOT, no SA_RESTART, no nothing */
+ r = sigaction(SIGHUP, &act, NULL);
+ passert(r == 0);
+
+ act.sa_handler = &termhandler;
+ r = sigaction(SIGTERM, &act, NULL);
+ passert(r == 0);
+ }
+
+ for (;;)
+ {
+ fd_set readfds;
+ fd_set writefds;
+ int ndes;
+
+ /* wait for next interesting thing */
+
+ for (;;)
+ {
+ long next_time = next_event(); /* time to any pending timer event */
+ int maxfd = ctl_fd;
+
+ if (sigtermflag)
+ exit_pluto(0);
+
+ if (sighupflag)
+ {
+ /* Ignorant folks think poking any daemon with SIGHUP
+ * is polite. We catch it and tell them otherwise.
+ * There is one use: unsticking a hung recvfrom.
+ * This sticking happens sometimes -- kernel bug?
+ */
+ sighupflag = FALSE;
+ plog("Pluto ignores SIGHUP -- perhaps you want \"whack --listen\"");
+ }
+
+ FD_ZERO(&readfds);
+ FD_ZERO(&writefds);
+ FD_SET(ctl_fd, &readfds);
+
+ /* the only write file-descriptor of interest */
+ if (adns_qfd != NULL_FD && unsent_ADNS_queries)
+ {
+ if (maxfd < adns_qfd)
+ maxfd = adns_qfd;
+ FD_SET(adns_qfd, &writefds);
+ }
+
+ if (adns_afd != NULL_FD)
+ {
+ if (maxfd < adns_afd)
+ maxfd = adns_afd;
+ FD_SET(adns_afd, &readfds);
+ }
+
+#ifdef KLIPS
+ if (!no_klips)
+ {
+ int fd = *kernel_ops->async_fdp;
+
+ if (kernel_ops->process_queue)
+ kernel_ops->process_queue();
+ if (maxfd < fd)
+ maxfd = fd;
+ passert(!FD_ISSET(fd, &readfds));
+ FD_SET(fd, &readfds);
+ }
+#endif
+
+ if (listening)
+ {
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
+ {
+ if (maxfd < ifp->fd)
+ maxfd = ifp->fd;
+ passert(!FD_ISSET(ifp->fd, &readfds));
+ FD_SET(ifp->fd, &readfds);
+ }
+ }
+
+ if (next_time == -1)
+ {
+ /* select without timer */
+
+ ndes = select(maxfd + 1, &readfds, &writefds, NULL, NULL);
+ }
+ else if (next_time == 0)
+ {
+ /* timer without select: there is a timer event pending,
+ * and it should fire now so don't bother to do the select.
+ */
+ ndes = 0; /* signify timer expiration */
+ }
+ else
+ {
+ /* select with timer */
+
+ struct timeval tm;
+
+ tm.tv_sec = next_time;
+ tm.tv_usec = 0;
+ ndes = select(maxfd + 1, &readfds, &writefds, NULL, &tm);
+ }
+
+ if (ndes != -1)
+ break; /* success */
+
+ if (errno != EINTR)
+ exit_log_errno((e, "select() failed in call_server()"));
+
+ /* retry if terminated by signal */
+ }
+
+ /* figure out what is interesting */
+
+ if (ndes == 0)
+ {
+ /* timer event */
+
+ DBG(DBG_CONTROL,
+ DBG_log(BLANK_FORMAT);
+ DBG_log("*time to handle event"));
+
+ handle_timer_event();
+ passert(GLOBALS_ARE_RESET());
+ }
+ else
+ {
+ /* at least one file descriptor is ready */
+
+ if (adns_qfd != NULL_FD && FD_ISSET(adns_qfd, &writefds))
+ {
+ passert(ndes > 0);
+ send_unsent_ADNS_queries();
+ passert(GLOBALS_ARE_RESET());
+ ndes--;
+ }
+
+ if (adns_afd != NULL_FD && FD_ISSET(adns_afd, &readfds))
+ {
+ passert(ndes > 0);
+ DBG(DBG_CONTROL,
+ DBG_log(BLANK_FORMAT);
+ DBG_log("*received adns message"));
+ handle_adns_answer();
+ passert(GLOBALS_ARE_RESET());
+ ndes--;
+ }
+
+#ifdef KLIPS
+ if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
+ {
+ passert(ndes > 0);
+ DBG(DBG_CONTROL,
+ DBG_log(BLANK_FORMAT);
+ DBG_log("*received kernel message"));
+ kernel_ops->process_msg();
+ passert(GLOBALS_ARE_RESET());
+ ndes--;
+ }
+#endif
+
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
+ {
+ if (FD_ISSET(ifp->fd, &readfds))
+ {
+ /* comm_handle will print DBG_CONTROL intro,
+ * with more info than we have here.
+ */
+
+ passert(ndes > 0);
+ comm_handle(ifp);
+ passert(GLOBALS_ARE_RESET());
+ ndes--;
+ }
+ }
+
+ if (FD_ISSET(ctl_fd, &readfds))
+ {
+ passert(ndes > 0);
+ DBG(DBG_CONTROL,
+ DBG_log(BLANK_FORMAT);
+ DBG_log("*received whack message"));
+ whack_handle(ctl_fd);
+ passert(GLOBALS_ARE_RESET());
+ ndes--;
+ }
+
+ passert(ndes == 0);
+ }
+ }
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset: 4
+ * End Variables:
+ */
diff --git a/src/pluto/server.h b/src/pluto/server.h
new file mode 100644
index 000000000..d90e47c8f
--- /dev/null
+++ b/src/pluto/server.h
@@ -0,0 +1,58 @@
+/* get-next-event loop
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: server.h,v 1.2 2004/03/22 21:53:20 as Exp $
+ */
+
+extern int ctl_fd; /* file descriptor of control (whack) socket */
+extern struct sockaddr_un ctl_addr; /* address of control (whack) socket */
+
+extern int info_fd; /* file descriptor of control (info) socket */
+extern struct sockaddr_un info_addr; /* address of control (info) socket */
+
+extern err_t init_ctl_socket(void);
+extern void delete_ctl_socket(void);
+
+extern bool listening; /* should we pay attention to IKE messages? */
+
+
+/* interface: a terminal point for IKE traffic, IPsec transport mode
+ * and IPsec tunnels.
+ * Essentially:
+ * - an IP device (eg. eth1), and
+ * - its partner, an ipsec device (eg. ipsec0), and
+ * - their shared IP address (eg. 10.7.3.2)
+ * Note: the port for IKE is always implicitly UDP/pluto_port.
+ */
+struct iface {
+ char *vname; /* virtual (ipsec) device name */
+ char *rname; /* real device name */
+ ip_address addr; /* interface IP address */
+ int fd; /* file descriptor of socket for IKE UDP messages */
+ struct iface *next;
+ bool ike_float;
+ enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
+};
+
+extern struct iface *interfaces; /* public interfaces */
+
+extern bool use_interface(const char *rifn);
+extern void find_ifaces(void);
+extern void show_ifaces_status(void);
+extern void free_ifaces(void);
+extern void show_debug_status(void);
+extern void call_server(void);
+
+/* in rcv_info.c */
+extern err_t init_info_socket(void);
+extern void delete_info_socket(void);
diff --git a/src/pluto/sha1.c b/src/pluto/sha1.c
new file mode 100644
index 000000000..bbf062876
--- /dev/null
+++ b/src/pluto/sha1.c
@@ -0,0 +1,193 @@
+/*
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+
+Test Vectors (from FIPS PUB 180-1)
+"abc"
+ A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+ 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+A million repetitions of "a"
+ 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+*/
+
+/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */
+/* #define SHA1HANDSOFF * Copies data before messing with it. */
+
+#define SHA1HANDSOFF
+
+#include <string.h>
+#include <sys/types.h> /* for u_int*_t */
+#include <endian.h> /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */
+
+#include "sha1.h"
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/* blk0() and blk() perform the initial expand. */
+/* I got the idea of expanding during the round function from SSLeay */
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+ |(rol(block->l[i],8)&0x00FF00FF))
+#elif BYTE_ORDER == BIG_ENDIAN
+#define blk0(i) block->l[i]
+#else
+#error "Endianness not defined!"
+#endif
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+ ^block->l[(i+2)&15]^block->l[i&15],1))
+
+/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+
+
+/* Hash a single 512-bit block. This is the core of the algorithm. */
+
+void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
+{
+u_int32_t a, b, c, d, e;
+typedef union {
+ unsigned char c[64];
+ u_int32_t l[16];
+} CHAR64LONG16;
+#ifdef SHA1HANDSOFF
+CHAR64LONG16 block[1]; /* use array to appear as a pointer */
+ memcpy(block, buffer, 64);
+#else
+ /* The following had better never be used because it causes the
+ * pointer-to-const buffer to be cast into a pointer to non-const.
+ * And the result is written through. I threw a "const" in, hoping
+ * this will cause a diagnostic.
+ */
+CHAR64LONG16* block = (const CHAR64LONG16*)buffer;
+#endif
+ /* Copy context->state[] to working vars */
+ a = state[0];
+ b = state[1];
+ c = state[2];
+ d = state[3];
+ e = state[4];
+ /* 4 rounds of 20 operations each. Loop unrolled. */
+ R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+ R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+ R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+ R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+ R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+ R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+ R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+ R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+ R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+ R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+ R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+ R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+ R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+ R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+ R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+ R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+ R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+ R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+ R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+ R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+ /* Add the working vars back into context.state[] */
+ state[0] += a;
+ state[1] += b;
+ state[2] += c;
+ state[3] += d;
+ state[4] += e;
+ /* Wipe variables */
+ a = b = c = d = e = 0;
+#ifdef SHA1HANDSOFF
+ memset(block, '\0', sizeof(block));
+#endif
+}
+
+
+/* SHA1Init - Initialize new context */
+
+void SHA1Init(SHA1_CTX* context)
+{
+ /* SHA1 initialization constants */
+ context->state[0] = 0x67452301;
+ context->state[1] = 0xEFCDAB89;
+ context->state[2] = 0x98BADCFE;
+ context->state[3] = 0x10325476;
+ context->state[4] = 0xC3D2E1F0;
+ context->count[0] = context->count[1] = 0;
+}
+
+
+/* Run your data through this. */
+
+void SHA1Update(SHA1_CTX* context, const unsigned char* data, u_int32_t len)
+{
+u_int32_t i;
+u_int32_t j;
+
+ j = context->count[0];
+ if ((context->count[0] += len << 3) < j)
+ context->count[1]++;
+ context->count[1] += (len>>29);
+ j = (j >> 3) & 63;
+ if ((j + len) > 63) {
+ memcpy(&context->buffer[j], data, (i = 64-j));
+ SHA1Transform(context->state, context->buffer);
+ for ( ; i + 63 < len; i += 64) {
+ SHA1Transform(context->state, &data[i]);
+ }
+ j = 0;
+ }
+ else i = 0;
+ memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/* Add padding and return the message digest. */
+
+void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
+{
+unsigned i;
+unsigned char finalcount[8];
+unsigned char c;
+
+#if 0 /* untested "improvement" by DHR */
+ /* Convert context->count to a sequence of bytes
+ * in finalcount. Second element first, but
+ * big-endian order within element.
+ * But we do it all backwards.
+ */
+ unsigned char *fcp = &finalcount[8];
+
+ for (i = 0; i < 2; i++)
+ {
+ u_int32_t t = context->count[i];
+ int j;
+
+ for (j = 0; j < 4; t >>= 8, j++)
+ *--fcp = (unsigned char) t
+ }
+#else
+ for (i = 0; i < 8; i++) {
+ finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+ >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
+ }
+#endif
+ c = 0200;
+ SHA1Update(context, &c, 1);
+ while ((context->count[0] & 504) != 448) {
+ c = 0000;
+ SHA1Update(context, &c, 1);
+ }
+ SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
+ for (i = 0; i < 20; i++) {
+ digest[i] = (unsigned char)
+ ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+ }
+ /* Wipe variables */
+ memset(context, '\0', sizeof(*context));
+ memset(&finalcount, '\0', sizeof(finalcount));
+}
diff --git a/src/pluto/sha1.h b/src/pluto/sha1.h
new file mode 100644
index 000000000..64b3d2f5d
--- /dev/null
+++ b/src/pluto/sha1.h
@@ -0,0 +1,16 @@
+/*
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+*/
+
+typedef struct {
+ u_int32_t state[5];
+ u_int32_t count[2];
+ unsigned char buffer[64];
+} SHA1_CTX;
+
+void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64]);
+void SHA1Init(SHA1_CTX* context);
+void SHA1Update(SHA1_CTX* context, const unsigned char* data, u_int32_t len);
+void SHA1Final(unsigned char digest[20], SHA1_CTX* context);
diff --git a/src/pluto/smallprime.c b/src/pluto/smallprime.c
new file mode 100644
index 000000000..87497d096
--- /dev/null
+++ b/src/pluto/smallprime.c
@@ -0,0 +1,122 @@
+/* smallprime.c - List of small primes
+ * Copyright (C) 1998 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#ifdef PLUTO
+#include <gmp.h>
+#include <freeswan.h>
+#include "constants.h"
+#include "defs.h"
+#include "gcryptfix.h"
+#else
+/* #include <config.h> */
+/* #include <stdio.h> */
+/* #include <stdlib.h> */
+/* #include "util.h" */
+/* #include "types.h" */
+#endif
+
+/* Note: 2 is not included because it can be tested more easily
+ * by looking at bit 0. The last entry in this list is marked by a zero
+ */
+ushort
+small_prime_numbers[] = {
+ 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
+ 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
+ 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
+ 157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
+ 211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
+ 269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
+ 331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
+ 389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
+ 449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
+ 509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
+ 587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
+ 643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
+ 709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
+ 773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
+ 853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
+ 919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
+ 991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
+ 1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
+ 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
+ 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
+ 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
+ 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
+ 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
+ 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
+ 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
+ 1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
+ 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
+ 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
+ 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
+ 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
+ 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
+ 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
+ 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
+ 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
+ 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
+ 2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
+ 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
+ 2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
+ 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
+ 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
+ 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
+ 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
+ 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
+ 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
+ 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
+ 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
+ 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
+ 2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
+ 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
+ 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
+ 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
+ 3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
+ 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
+ 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
+ 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
+ 3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
+ 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
+ 3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
+ 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
+ 3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
+ 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
+ 3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
+ 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
+ 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
+ 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
+ 4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
+ 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
+ 4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
+ 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
+ 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
+ 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
+ 4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
+ 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
+ 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
+ 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
+ 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
+ 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
+ 4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
+ 4957, 4967, 4969, 4973, 4987, 4993, 4999,
+ 0
+};
+
+
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
new file mode 100644
index 000000000..744f8a6f3
--- /dev/null
+++ b/src/pluto/smartcard.c
@@ -0,0 +1,1956 @@
+/* Support of smartcards and cryptotokens
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Copyright (C) 2004 David Buechi, Michael Meier
+ * Zuercher Hochschule Winterthur, Switzerland
+ *
+ * Copyright (C) 2005 Michael Joosten
+ *
+ * Copyright (C) 2005 Andreas Steffen
+ * Hochschule für Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: smartcard.c,v 1.41 2006/01/04 21:03:52 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <time.h>
+#include <dlfcn.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+
+#ifdef SMARTCARD
+#include "rsaref/unix.h"
+#include "rsaref/pkcs11.h"
+#endif
+
+#include "defs.h"
+#include "mp_defs.h"
+#include "log.h"
+#include "x509.h"
+#include "ca.h"
+#include "certs.h"
+#include "keys.h"
+#include "smartcard.h"
+#include "whack.h"
+#include "fetch.h"
+
+#define DEFAULT_BASE 16
+
+/* chained list of smartcard records */
+static smartcard_t *smartcards = NULL;
+
+/* number of generated sc objects */
+static int sc_number = 0;
+
+const smartcard_t empty_sc = {
+ NULL , /* next */
+ 0 , /* last_load */
+ { CERT_NONE, {NULL} }, /* last_cert */
+ 0 , /* count */
+ 0 , /* number */
+ 999999 , /* slot */
+ NULL , /* id */
+ NULL , /* label */
+ { NULL, 0 } , /* pin */
+ FALSE , /* pinpad */
+ FALSE , /* valid */
+ FALSE , /* session_opened */
+ FALSE , /* logged_in */
+ TRUE , /* any_slot */
+ 0L , /* session */
+};
+
+#ifdef SMARTCARD /* compile with smartcard support */
+
+#define SCX_MAGIC 0xd00bed00
+
+struct scx_pkcs11_module {
+ u_int _magic;
+ void *handle;
+};
+
+typedef struct scx_pkcs11_module scx_pkcs11_module_t;
+
+/* PKCS #11 cryptoki context */
+static bool scx_initialized = FALSE;
+static scx_pkcs11_module_t *pkcs11_module = NULL_PTR;
+static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR;
+
+/* crytoki v2.11 - return values of PKCS #11 functions*/
+
+static const char *const pkcs11_return_name[] = {
+ "CKR_OK",
+ "CKR_CANCEL",
+ "CKR_HOST_MEMORY",
+ "CKR_SLOT_ID_INVALID",
+ "CKR_FLAGS_INVALID",
+ "CKR_GENERAL_ERROR",
+ "CKR_FUNCTION_FAILED",
+ "CKR_ARGUMENTS_BAD",
+ "CKR_NO_EVENT",
+ "CKR_NEED_TO_CREATE_THREADS",
+ "CKR_CANT_LOCK"
+ };
+
+static const char *const pkcs11_return_name_10[] = {
+ "CKR_ATTRIBUTE_READ_ONLY",
+ "CKR_ATTRIBUTE_SENSITIVE",
+ "CKR_ATTRIBUTE_TYPE_INVALID",
+ "CKR_ATTRIBUTE_VALUE_INVALID"
+ };
+
+static const char *const pkcs11_return_name_20[] = {
+ "CKR_DATA_INVALID",
+ "CKR_DATA_LEN_RANGE"
+ };
+
+static const char *const pkcs11_return_name_30[] = {
+ "CKR_DEVICE_ERROR",
+ "CKR_DEVICE_MEMORY",
+ "CKR_DEVICE_REMOVED"
+ };
+
+static const char *const pkcs11_return_name_40[] = {
+ "CKR_ENCRYPTED_DATA_INVALID",
+ "CKR_ENCRYPTED_DATA_LEN_RANGE"
+ };
+
+static const char *const pkcs11_return_name_50[] = {
+ "CKR_FUNCTION_CANCELED",
+ "CKR_FUNCTION_NOT_PARALLEL",
+ "CKR_0x52_UNDEFINED",
+ "CKR_0x53_UNDEFINED",
+ "CKR_FUNCTION_NOT_SUPPORTED"
+ };
+
+static const char *const pkcs11_return_name_60[] = {
+ "CKR_KEY_HANDLE_INVALID",
+ "CKR_KEY_SENSITIVE",
+ "CKR_KEY_SIZE_RANGE",
+ "CKR_KEY_TYPE_INCONSISTENT",
+ "CKR_KEY_NOT_NEEDED",
+ "CKR_KEY_CHANGED",
+ "CKR_KEY_NEEDED",
+ "CKR_KEY_INDIGESTIBLE",
+ "CKR_KEY_FUNCTION_NOT_PERMITTED",
+ "CKR_KEY_NOT_WRAPPABLE",
+ "CKR_KEY_UNEXTRACTABLE"
+ };
+
+static const char *const pkcs11_return_name_70[] = {
+ "CKR_MECHANISM_INVALID",
+ "CKR_MECHANISM_PARAM_INVALID"
+ };
+
+static const char *const pkcs11_return_name_80[] = {
+ "CKR_OBJECT_HANDLE_INVALID"
+ };
+
+static const char *const pkcs11_return_name_90[] = {
+ "CKR_OPERATION_ACTIVE",
+ "CKR_OPERATION_NOT_INITIALIZED"
+ };
+
+static const char *const pkcs11_return_name_A0[] = {
+ "CKR_PIN_INCORRECT",
+ "CKR_PIN_INVALID",
+ "CKR_PIN_LEN_RANGE",
+ "CKR_PIN_EXPIRED",
+ "CKR_PIN_LOCKED"
+ };
+
+static const char *const pkcs11_return_name_B0[] = {
+ "CKR_SESSION_CLOSED",
+ "CKR_SESSION_COUNT",
+ "CKR_0xB2_UNDEFINED",
+ "CKR_SESSION_HANDLE_INVALID",
+ "CKR_SESSION_PARALLEL_NOT_SUPPORTED",
+ "CKR_SESSION_READ_ONLY",
+ "CKR_SESSION_EXISTS",
+ "CKR_SESSION_READ_ONLY_EXISTS",
+ "CKR_SESSION_READ_WRITE_SO_EXISTS"
+ };
+
+static const char *const pkcs11_return_name_C0[] = {
+ "CKR_SIGNATURE_INVALID",
+ "CKR_SIGNATURE_LEN_RANGE"
+ };
+
+static const char *const pkcs11_return_name_D0[] = {
+ "CKR_TEMPLATE_INCOMPLETE",
+ "CKR_TEMPLATE_INCONSISTENT"
+ };
+
+static const char *const pkcs11_return_name_E0[] = {
+ "CKR_TOKEN_NOT_PRESENT",
+ "CKR_TOKEN_NOT_RECOGNIZED",
+ "CKR_TOKEN_WRITE_PROTECTED"
+ };
+
+static const char *const pkcs11_return_name_F0[] = {
+ "CKR_UNWRAPPING_KEY_HANDLE_INVALID",
+ "CKR_UNWRAPPING_KEY_SIZE_RANGE",
+ "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"
+ };
+
+static const char *const pkcs11_return_name_100[] = {
+ "CKR_USER_ALREADY_LOGGED_IN",
+ "CKR_USER_NOT_LOGGED_IN",
+ "CKR_USER_PIN_NOT_INITIALIZED",
+ "CKR_USER_TYPE_INVALID",
+ "CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
+ "CKR_USER_TOO_MANY_TYPES"
+ };
+
+static const char *const pkcs11_return_name_110[] = {
+ "CKR_WRAPPED_KEY_INVALID",
+ "CKR_0x111_UNDEFINED",
+ "CKR_WRAPPED_KEY_LEN_RANGE",
+ "CKR_WRAPPING_KEY_HANDLE_INVALID",
+ "CKR_WRAPPING_KEY_SIZE_RANGE",
+ "CKR_WRAPPING_KEY_TYPE_INCONSISTENT"
+ };
+
+static const char *const pkcs11_return_name_120[] = {
+ "CKR_RANDOM_SEED_NOT_SUPPORTED",
+ "CKR_RANDOM_NO_RNG"
+ };
+
+static const char *const pkcs11_return_name_130[] = {
+ "CKR_DOMAIN_PARAMS_INVALID"
+ };
+
+static const char *const pkcs11_return_name_150[] = {
+ "CKR_BUFFER_TOO_SMALL"
+ };
+
+static const char *const pkcs11_return_name_160[] = {
+ "CKR_SAVED_STATE_INVALID"
+ };
+
+static const char *const pkcs11_return_name_170[] = {
+ "CKR_INFORMATION_SENSITIVE"
+ };
+
+static const char *const pkcs11_return_name_180[] = {
+ "CKR_STATE_UNSAVEABLE"
+ };
+
+static const char *const pkcs11_return_name_190[] = {
+ "CKR_CRYPTOKI_NOT_INITIALIZED",
+ "CKR_CRYPTOKI_ALREADY_INITIALIZED"
+ };
+
+static const char *const pkcs11_return_name_1A0[] = {
+ "CKR_MUTEX_BAD",
+ "CKR_MUTEX_NOT_LOCKED"
+ };
+
+static const char *const pkcs11_return_name_200[] = {
+ "CKR_FUNCTION_REJECTED"
+ };
+
+static const char *const pkcs11_return_name_vendor[] = {
+ "CKR_VENDOR_DEFINED"
+ };
+
+static enum_names pkcs11_return_names_vendor =
+ { CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED
+ , pkcs11_return_name_vendor, NULL };
+
+static enum_names pkcs11_return_names_200 =
+ { CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED
+ , pkcs11_return_name_200, &pkcs11_return_names_vendor };
+
+static enum_names pkcs11_return_names_1A0 =
+ { CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED
+ , pkcs11_return_name_1A0, &pkcs11_return_names_200 };
+
+static enum_names pkcs11_return_names_190 =
+ { CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED
+ , pkcs11_return_name_190, &pkcs11_return_names_1A0 };
+
+static enum_names pkcs11_return_names_180 =
+ { CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE
+ , pkcs11_return_name_180, &pkcs11_return_names_190 };
+
+static enum_names pkcs11_return_names_170 =
+ { CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE
+ , pkcs11_return_name_170, &pkcs11_return_names_180 };
+
+static enum_names pkcs11_return_names_160 =
+ { CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID
+ , pkcs11_return_name_160, &pkcs11_return_names_170 };
+
+static enum_names pkcs11_return_names_150 =
+ { CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL
+ , pkcs11_return_name_150, &pkcs11_return_names_160 };
+
+static enum_names pkcs11_return_names_130 =
+ { CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID
+ , pkcs11_return_name_130, &pkcs11_return_names_150 };
+
+static enum_names pkcs11_return_names_120 =
+ { CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG
+ , pkcs11_return_name_120, &pkcs11_return_names_130 };
+
+static enum_names pkcs11_return_names_110 =
+ { CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT
+ , pkcs11_return_name_110, &pkcs11_return_names_120 };
+
+static enum_names pkcs11_return_names_100 =
+ { CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES
+ , pkcs11_return_name_100, &pkcs11_return_names_110 };
+
+static enum_names pkcs11_return_names_F0 =
+ { CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
+ , pkcs11_return_name_F0, &pkcs11_return_names_100 };
+
+static enum_names pkcs11_return_names_E0 =
+ { CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED
+ , pkcs11_return_name_E0, &pkcs11_return_names_F0 };
+
+static enum_names pkcs11_return_names_D0 =
+ { CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT
+ , pkcs11_return_name_D0,&pkcs11_return_names_E0 };
+
+static enum_names pkcs11_return_names_C0 =
+ { CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE
+ , pkcs11_return_name_C0, &pkcs11_return_names_D0 };
+
+static enum_names pkcs11_return_names_B0 =
+ { CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS
+ , pkcs11_return_name_B0, &pkcs11_return_names_C0 };
+
+static enum_names pkcs11_return_names_A0 =
+ { CKR_PIN_INCORRECT, CKR_PIN_LOCKED
+ , pkcs11_return_name_A0, &pkcs11_return_names_B0 };
+
+static enum_names pkcs11_return_names_90 =
+ { CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED
+ , pkcs11_return_name_90, &pkcs11_return_names_A0 };
+
+static enum_names pkcs11_return_names_80 =
+ { CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID
+ , pkcs11_return_name_80, &pkcs11_return_names_90 };
+
+static enum_names pkcs11_return_names_70 =
+ { CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID
+ , pkcs11_return_name_70, &pkcs11_return_names_80 };
+
+static enum_names pkcs11_return_names_60 =
+ { CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE
+ , pkcs11_return_name_60, &pkcs11_return_names_70 };
+
+static enum_names pkcs11_return_names_50 =
+ { CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED
+ , pkcs11_return_name_50, &pkcs11_return_names_60 };
+
+static enum_names pkcs11_return_names_40 =
+ { CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE
+ , pkcs11_return_name_40, &pkcs11_return_names_50 };
+
+static enum_names pkcs11_return_names_30 =
+ { CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED
+ , pkcs11_return_name_30, &pkcs11_return_names_40 };
+
+static enum_names pkcs11_return_names_20 =
+ { CKR_DATA_INVALID, CKR_DATA_LEN_RANGE
+ , pkcs11_return_name_20, &pkcs11_return_names_30 };
+
+static enum_names pkcs11_return_names_10 =
+ { CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID
+ , pkcs11_return_name_10, &pkcs11_return_names_20};
+
+static enum_names pkcs11_return_names =
+ { CKR_OK, CKR_CANT_LOCK
+ , pkcs11_return_name, &pkcs11_return_names_10};
+
+/*
+ * Unload a PKCS#11 module.
+ * The calling application is responsible for cleaning up
+ * and calling C_Finalize()
+ */
+static CK_RV
+scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
+{
+ if (!mod || mod->_magic != SCX_MAGIC)
+ return CKR_ARGUMENTS_BAD;
+
+ if (dlclose(mod->handle) < 0)
+ return CKR_FUNCTION_FAILED;
+
+ memset(mod, 0, sizeof(*mod));
+ pfree(mod);
+ return CKR_OK;
+}
+
+static scx_pkcs11_module_t*
+scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs)
+{
+ CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
+ scx_pkcs11_module_t *mod;
+ void *handle;
+ int rv;
+
+ if (name == NULL || *name == '\0')
+ return NULL;
+
+ /* Try to load PKCS#11 library module*/
+ handle = dlopen(name, RTLD_NOW);
+ if (handle == NULL)
+ return NULL;
+
+ mod = alloc_thing(scx_pkcs11_module_t, "scx_pkcs11_module");
+ mod->_magic = SCX_MAGIC;
+ mod->handle = handle;
+
+ /* Get the list of function pointers */
+ c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
+ dlsym(mod->handle, "C_GetFunctionList");
+ if (!c_get_function_list)
+ goto failed;
+
+ rv = c_get_function_list(funcs);
+ if (rv == CKR_OK)
+ return mod;
+
+failed: scx_unload_pkcs11_module(mod);
+ return NULL;
+}
+
+/*
+ * retrieve a certificate object
+ */
+static bool
+scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
+, smartcard_t *sc, cert_t *cert)
+{
+ size_t hex_len, label_len;
+ u_char *hex_id = NULL;
+ chunk_t blob;
+ x509cert_t *x509cert;
+
+ CK_ATTRIBUTE attr[] = {
+ { CKA_ID, NULL_PTR, 0L },
+ { CKA_LABEL, NULL_PTR, 0L },
+ { CKA_VALUE, NULL_PTR, 0L }
+ };
+
+ /* initialize the return argument */
+ *cert = empty_cert;
+
+ /* get the length of the attributes first */
+ CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read the attribute sizes: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ pfreeany(sc->label);
+
+ hex_id = alloc_bytes(attr[0].ulValueLen, "hex id");
+ hex_len = attr[0].ulValueLen;
+ sc->label = alloc_bytes(attr[1].ulValueLen + 1, "sc label");
+ label_len = attr[1].ulValueLen;
+ blob.ptr = alloc_bytes(attr[2].ulValueLen, "x509cert blob");
+ blob.len = attr[2].ulValueLen;
+
+ attr[0].pValue = hex_id;
+ attr[1].pValue = sc->label;
+ attr[2].pValue = blob.ptr;
+
+ /* now get the attributes */
+ rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read the attributes: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ pfree(hex_id);
+ pfreeany(sc->label);
+ pfree(blob.ptr);
+ return FALSE;
+ }
+
+ pfreeany(sc->id);
+
+ /* convert id from hex to ASCII */
+ sc->id = alloc_bytes(2*hex_len + 1, " sc id");
+ datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1);
+ pfree(hex_id);
+
+ /* safeguard in case the label is not null terminated */
+ sc->label[label_len] = '\0';
+
+ /* parse the retrieved cert */
+ x509cert = alloc_thing(x509cert_t, "x509cert");
+ *x509cert = empty_x509cert;
+ x509cert->smartcard = TRUE;
+
+ if (!parse_x509cert(blob, 0, x509cert))
+ {
+ plog("failed to load cert from smartcard, error in X.509 certificate");
+ free_x509cert(x509cert);
+ return FALSE;
+ }
+ cert->type = CERT_X509_SIGNATURE;
+ cert->u.x509 = x509cert;
+ return TRUE;
+}
+
+/*
+ * search a given slot for PKCS#11 certificate objects
+ */
+static void
+scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }};
+
+ rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjectsInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return;
+ }
+
+ for (;;)
+ {
+ CK_OBJECT_HANDLE object;
+ CK_ULONG obj_count = 0;
+ err_t ugh;
+ time_t valid_until;
+ smartcard_t *sc;
+ x509cert_t *cert;
+
+ rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjects: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ break;
+ }
+
+ /* no objects left */
+ if (obj_count == 0)
+ break;
+
+ /* create and initialize a new smartcard object */
+ sc = alloc_thing(smartcard_t, "smartcard");
+ *sc = empty_sc;
+ sc->any_slot = FALSE;
+ sc->slot = slot;
+
+ if (!scx_find_cert_object(session, object, sc, &sc->last_cert))
+ {
+ scx_free(sc);
+ continue;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("found cert in %s with id: %s, label: '%s'"
+ , scx_print_slot(sc, ""), sc->id, sc->label)
+ )
+
+ /* check validity of certificate */
+ cert = sc->last_cert.u.x509;
+ valid_until = cert->notAfter;
+ ugh = check_validity(cert, &valid_until);
+ if (ugh != NULL)
+ {
+ plog(" %s", ugh);
+ free_x509cert(cert);
+ scx_free(sc);
+ continue;
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log(" certificate is valid")
+ )
+ }
+
+ sc = scx_add(sc);
+
+ /* put end entity and ca certificates into different chains */
+ if (cert->isCA)
+ add_authcert(cert, AUTH_CA);
+ else
+ {
+ add_x509_public_key(cert, valid_until, DAL_LOCAL);
+ sc->last_cert.u.x509 = add_x509cert(cert);
+ }
+
+ share_cert(sc->last_cert);
+ time(&sc->last_load);
+ }
+
+ rv = pkcs11_functions->C_FindObjectsFinal(session);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjectsFinal: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ }
+}
+
+/*
+ * search all slots for PKCS#11 certificate objects
+ */
+static void
+scx_find_all_cert_objects(void)
+{
+ CK_RV rv;
+ CK_SLOT_ID_PTR slots = NULL_PTR;
+ CK_ULONG slot_count = 0;
+ CK_ULONG i;
+
+ if (!scx_initialized)
+ {
+ plog("pkcs11 module not initialized");
+ return;
+ }
+
+ /* read size, always returns CKR_OK ! */
+ rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
+
+ /* allocate memory for the slots */
+ slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");
+
+ rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv));
+ pfreeany(slots);
+ return;
+ }
+
+ /* look in every slot for certificate objects */
+ for (i = 0; i < slot_count; i++)
+ {
+ CK_SLOT_ID slot = slots[i];
+ CK_SLOT_INFO info;
+ CK_SESSION_HANDLE session;
+
+ rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
+
+ if (rv != CKR_OK)
+ {
+ plog("error in C_GetSlotInfo: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ continue;
+ }
+
+ if (!(info.flags & CKF_TOKEN_PRESENT))
+ {
+ plog("no token present in slot %lu", slot);
+ continue;
+ }
+
+ rv = pkcs11_functions->C_OpenSession(slot
+ , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
+ if (rv != CKR_OK)
+ {
+ plog("failed to open a session on slot %lu: %s"
+ , slot, enum_show(&pkcs11_return_names, rv));
+ continue;
+ }
+ DBG(DBG_CONTROLMORE,
+ DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
+ )
+ scx_find_cert_objects(slot, session);
+
+ rv = pkcs11_functions->C_CloseSession(session);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_CloseSession: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ }
+ }
+ pfreeany(slots);
+}
+#endif
+
+/*
+ * load and initialize PKCS#11 cryptoki module
+ */
+void
+scx_init(const char* module)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+
+ if (scx_initialized)
+ {
+ plog("weird - pkcs11 module seems already to be initialized");
+ return;
+ }
+
+ if (module == NULL)
+#ifdef PKCS11_DEFAULT_LIB
+ module = PKCS11_DEFAULT_LIB;
+#else
+ {
+ plog("no pkcs11 module defined");
+ return;
+ }
+#endif
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 module '%s' loading...", module)
+ )
+ pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions);
+ if (pkcs11_module == NULL)
+ {
+ plog("failed to load pkcs11 module '%s'", module);
+ return;
+ }
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 module initializing...")
+ )
+ rv = pkcs11_functions->C_Initialize(NULL);
+ if (rv != CKR_OK)
+ {
+ plog("failed to initialize pkcs11 module: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return;
+ }
+
+ scx_initialized = TRUE;
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 module loaded and initialized")
+ )
+
+ scx_find_all_cert_objects();
+#endif
+}
+
+/*
+ * finalize and unload PKCS#11 cryptoki module
+ */
+void
+scx_finalize(void)
+{
+#ifdef SMARTCARD
+ while (smartcards != NULL)
+ {
+ scx_release(smartcards);
+ }
+
+ if (pkcs11_functions != NULL_PTR)
+ {
+ pkcs11_functions->C_Finalize(NULL_PTR);
+ pkcs11_functions = NULL_PTR;
+ }
+
+ if (pkcs11_module != NULL)
+ {
+ scx_unload_pkcs11_module(pkcs11_module);
+ pkcs11_module = NULL;
+ }
+
+ scx_initialized = FALSE;
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 module finalized and unloaded")
+ )
+#endif
+}
+
+/*
+ * does a filename contain the token %smartcard?
+ */
+bool
+scx_on_smartcard(const char *filename)
+{
+ return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0;
+}
+
+#ifdef SMARTCARD
+/*
+ * find a specific object on the smartcard
+ */
+static bool
+scx_pkcs11_find_object( CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE_PTR object,
+ CK_OBJECT_CLASS class,
+ const char* id)
+{
+ size_t len;
+ char buf[BUF_LEN];
+ CK_RV rv;
+ CK_ULONG obj_count = 0;
+ CK_ULONG attr_count = 1;
+
+ CK_ATTRIBUTE attr[] = {
+ { CKA_CLASS, &class, sizeof(class) },
+ { CKA_ID, &buf, 0L }
+ };
+
+ if (id != NULL)
+ {
+ ttodata(id, strlen(id), 16, buf, BUF_LEN, &len);
+ attr[1].ulValueLen = len;
+ attr_count = 2;
+ }
+
+ /* get info for certificate with id */
+ rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjectsInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_FindObjects(session, object, 1, &obj_count);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjects: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_FindObjectsFinal(session);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_FindObjectsFinal: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ return (obj_count != 0);
+}
+
+/*
+ * check if a given certificate object id is found in a slot
+ */
+static bool
+scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
+{
+ CK_SESSION_HANDLE session;
+ CK_OBJECT_HANDLE object;
+ CK_SLOT_INFO info;
+
+ CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info);
+
+ if (rv != CKR_OK)
+ {
+ plog("error in C_GetSlotInfo: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ if (!(info.flags & CKF_TOKEN_PRESENT))
+ {
+ plog("no token present in slot %lu", slot);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_OpenSession(slot
+ , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
+ if (rv != CKR_OK)
+ {
+ plog("failed to open a session on slot %lu: %s"
+ , slot, enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+ DBG(DBG_CONTROLMORE,
+ DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
+ )
+
+ /* check if there is a certificate on the card in the specified slot */
+ if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id))
+ {
+ sc->slot = slot;
+ sc->any_slot = FALSE;
+ sc->session = session;
+ sc->session_opened = TRUE;
+ return TRUE;
+ }
+
+ rv = pkcs11_functions->C_CloseSession(session);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_CloseSession: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ }
+ return FALSE;
+}
+#endif
+
+/*
+ * Connect to the smart card in the reader and select the correct slot
+ */
+bool
+scx_establish_context(smartcard_t *sc)
+{
+#ifdef SMARTCARD
+ bool id_found = FALSE;
+
+ if (!scx_initialized)
+ {
+ plog("pkcs11 module not initialized");
+ return FALSE;
+ }
+
+ if (sc->session_opened)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 session #%ld already open", sc->session)
+ )
+ return TRUE;
+ }
+
+ if (!sc->any_slot)
+ id_found = scx_find_cert_id_in_slot(sc, sc->slot);
+
+ if (!id_found)
+ {
+ CK_RV rv;
+ CK_SLOT_ID slot;
+ CK_SLOT_ID_PTR slots = NULL_PTR;
+ CK_ULONG slot_count = 0;
+ CK_ULONG i;
+
+ /* read size, always returns CKR_OK ! */
+ rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
+
+ /* allocate memory for the slots */
+ slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");
+
+ rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_GetSlotList: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ pfreeany(slots);
+ return FALSE;
+ }
+
+ /* look in every slot for a certificate with a given object ID */
+ for (i = 0; i < slot_count; i++)
+ {
+ slot = slots[i];
+ id_found = scx_find_cert_id_in_slot(sc, slot);
+ if (id_found)
+ break;
+ }
+ pfreeany(slots)
+ }
+
+ if (id_found)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("found token with id %s in slot %lu", sc->id, sc->slot);
+ DBG_log("pkcs11 session #%ld opened", sc->session)
+ )
+ }
+ else
+ {
+ plog(" no certificate with id %s found on smartcard", sc->id);
+ }
+ return id_found;
+#else
+ plog("warning: SMARTCARD support is deactivated in pluto/Makefile!");
+ return FALSE;
+#endif
+}
+
+/*
+ * log in to a session
+ */
+bool
+scx_login(smartcard_t *sc)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+
+ if (sc->logged_in)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 session #%ld login already done", sc->session)
+ )
+ return TRUE;
+ }
+
+ if (sc->pin.ptr == NULL)
+ {
+ plog("unable to log in without PIN!");
+ return FALSE;
+ }
+
+ if (!sc->session_opened)
+ {
+ plog("session not opened");
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_Login(sc->session, CKU_USER
+ , (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
+ {
+ plog("unable to login: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 session #%ld login successful", sc->session)
+ )
+ sc->logged_in = TRUE;
+ return TRUE;
+#else
+ return FALSE;
+#endif
+}
+
+#ifdef SMARTCARD
+/*
+ * logout from a session
+ */
+static void
+scx_logout(smartcard_t *sc)
+{
+ CK_RV rv;
+
+ rv = pkcs11_functions->C_Logout(sc->session);
+ if (rv != CKR_OK)
+ plog("error in C_Logout: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ else
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 session #%ld logout", sc->session)
+ )
+ sc->logged_in = FALSE;
+}
+#endif
+
+
+/*
+ * Release context and disconnect from card
+ */
+void
+scx_release_context(smartcard_t *sc)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+
+ if (!scx_initialized)
+ return;
+
+ if (sc->session_opened)
+ {
+ if (sc->logged_in)
+ scx_logout(sc);
+
+ sc->session_opened = FALSE;
+
+ rv = pkcs11_functions->C_CloseSession(sc->session);
+ if (rv != CKR_OK)
+ plog("error in C_CloseSession: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ else
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("pkcs11 session #%ld closed", sc->session)
+ )
+ }
+#endif
+}
+
+/*
+ * Load host certificate from smartcard
+ */
+bool
+scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
+, bool *cached)
+{
+#ifdef SMARTCARD /* compile with smartcard support */
+ CK_OBJECT_HANDLE object;
+
+ const char *number_slot_id = filename + strlen(SCX_TOKEN);
+
+ smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id));
+
+ /* return the smartcard object */
+ *scp = sc;
+
+ /* is there a cached smartcard certificate? */
+ *cached = sc->last_cert.type != CERT_NONE
+ && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
+
+ if (*cached)
+ {
+ *cert = sc->last_cert;
+ plog(" using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
+ , sc->number
+ , scx_print_slot(sc, "")
+ , sc->id
+ , sc->label);
+ return TRUE;
+ }
+
+ if (!scx_establish_context(sc))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ /* find the certificate object */
+ if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ /* retrieve the certificate object */
+ if (!scx_find_cert_object(sc->session, object, sc, cert))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+
+ plog(" loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
+ , sc->number
+ , scx_print_slot(sc, "")
+ , sc->id
+ , sc->label);
+
+ return TRUE;
+#else
+ plog(" warning: SMARTCARD support is deactivated in pluto/Makefile!");
+ return FALSE;
+#endif
+}
+
+/*
+ * parse slot number and key id
+ * the following syntax is allowed
+ * number slot id
+ * %smartcard 1 - -
+ * %smartcard#2 2 - -
+ * %smartcard0 - 0 -
+ * %smartcard:45 - - 45
+ * %smartcard0:45 - 0 45
+ */
+smartcard_t*
+scx_parse_number_slot_id(const char *number_slot_id)
+{
+ int len = strlen(number_slot_id);
+ smartcard_t *sc = alloc_thing(smartcard_t, "smartcard");
+
+ /* assign default values */
+ *sc = empty_sc;
+
+ if (len == 0) /* default: use certificate #1 */
+ {
+ sc->number = 1;
+ }
+ else if (*number_slot_id == '#') /* #number scheme */
+ {
+ err_t ugh;
+ unsigned long ul;
+
+ ugh = atoul(number_slot_id+1, len-1 , 10, &ul);
+ if (ugh == NULL)
+ sc->number = (int)ul;
+ else
+ plog("error parsing smartcard number: %s", ugh);
+ }
+ else /* slot:id scheme */
+ {
+ int slot_len = len;
+ char *p = strchr(number_slot_id, ':');
+
+ if (p != NULL)
+ {
+ int id_len = len - (p + 1 - number_slot_id);
+ slot_len -= (1 + id_len);
+
+ if (id_len > 0) /* we have an id */
+ sc->id = p + 1;
+ }
+ if (slot_len > 0) /* we have a slot */
+ {
+ err_t ugh = NULL;
+ unsigned long ul;
+
+ ugh = atoul(number_slot_id, slot_len, 10, &ul);
+ if (ugh == NULL)
+ {
+ sc->slot = ul;
+ sc->any_slot = FALSE;
+ }
+ else
+ plog("error parsing smartcard slot number: %s", ugh);
+ }
+ }
+ /* unshare the id string */
+ sc->id = clone_str(sc->id, "key id");
+ return sc;
+}
+
+/*
+ * Verify pin on card
+ */
+bool
+scx_verify_pin(smartcard_t *sc)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+
+ if (!sc->pinpad)
+ sc->valid = FALSE;
+
+ if (sc->pin.ptr == NULL)
+ {
+ plog("unable to verify without PIN");
+ return FALSE;
+ }
+
+ /* establish context */
+ if (!scx_establish_context(sc))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_Login(sc->session, CKU_USER,
+ (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
+ if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
+ {
+ sc->valid = TRUE;
+ sc->logged_in = TRUE;
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log((rv == CKR_OK)
+ ? "PIN code correct"
+ : "already logged in, no PIN entry required");
+ DBG_log("pkcs11 session #%ld login successful", sc->session)
+ )
+ }
+ else
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("PIN code incorrect")
+ )
+ }
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+#else
+ sc->valid = FALSE;
+#endif
+ return sc->valid;
+}
+
+/*
+ * Sign hash on smartcard
+ */
+bool
+scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
+, u_char *out, size_t outlen)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+ CK_OBJECT_HANDLE object;
+ CK_ULONG siglen = (CK_ULONG)outlen;
+ CK_BBOOL sign_flag, decrypt_flag;
+ CK_ATTRIBUTE attr[] = {
+ { CKA_SIGN, &sign_flag, sizeof(sign_flag) },
+ { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
+ };
+
+ if (!sc->logged_in)
+ return FALSE;
+
+ if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
+ {
+ plog("unable to find private key with id '%s'", sc->id);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read the private key attributes: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("RSA key flags: sign = %s, decrypt = %s"
+ , (sign_flag)? "true":"false"
+ , (decrypt_flag)? "true":"false")
+ )
+
+ if (sign_flag)
+ {
+ CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+ rv = pkcs11_functions->C_SignInit(sc->session, &mech, object);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_SignInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen
+ , out, &siglen);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_Sign: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+ }
+ else if (decrypt_flag)
+ {
+ CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 };
+ size_t padlen;
+ u_char *p = out ;
+
+ /* PKCS#1 v1.5 8.1 encryption-block formatting */
+ *p++ = 0x00;
+ *p++ = 0x01; /* BT (block type) 01 */
+ padlen = outlen - 3 - inlen;
+ memset(p, 0xFF, padlen);
+ p += padlen;
+ *p++ = 0x00;
+ memcpy(p, in, inlen);
+
+ rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_DecryptInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen
+ , out, &siglen);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_Decrypt: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+ }
+ else
+ {
+ plog("private key has neither sign nor decrypt flag set");
+ return FALSE;
+ }
+
+ if (siglen > (CK_ULONG)outlen)
+ {
+ plog("signature length (%lu) larger than allocated buffer (%d)"
+ , siglen, (int)outlen);
+ return FALSE;
+ }
+ return TRUE;
+#else
+ return FALSE;
+#endif
+}
+
+/*
+ * encrypt data block with an RSA public key
+ */
+bool
+scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
+, u_char *out, size_t *outlen)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+ CK_OBJECT_HANDLE object;
+ CK_ULONG len = (CK_ULONG)(*outlen);
+ CK_BBOOL encrypt_flag;
+ CK_ATTRIBUTE attr[] = {
+ { CKA_MODULUS, NULL_PTR, 0L },
+ { CKA_PUBLIC_EXPONENT, NULL_PTR, 0L },
+ { CKA_ENCRYPT, &encrypt_flag, sizeof(encrypt_flag) }
+ };
+ CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+ if (!scx_establish_context(sc))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id))
+ {
+ plog("unable to find public key with id '%s'", sc->id);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read the public key attributes: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ if (!encrypt_flag)
+ {
+ plog("public key cannot be used for encryption");
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ /* there must be enough space left for the PKCS#1 v1.5 padding */
+ if (inlen > attr[0].ulValueLen - 11)
+ {
+ plog("smartcard input data length (%d) exceeds maximum of %lu bytes"
+ , (int)inlen, attr[0].ulValueLen - 11);
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object);
+
+ if (rv != CKR_OK)
+ {
+ if (rv == CKR_FUNCTION_NOT_SUPPORTED)
+ {
+ RSA_public_key_t rsa;
+ chunk_t plain_text = {in, inlen};
+ chunk_t cipher_text;
+
+ DBG(DBG_CONTROL,
+ DBG_log("doing RSA encryption in software")
+ )
+ attr[0].pValue = alloc_bytes(attr[0].ulValueLen, "modulus");
+ attr[1].pValue = alloc_bytes(attr[1].ulValueLen, "exponent");
+
+ rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read modulus and public exponent: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ pfree(attr[0].pValue);
+ pfree(attr[1].pValue);
+ scx_release_context(sc);
+ return FALSE;
+ }
+ rsa.k = attr[0].ulValueLen;
+ n_to_mpz(&rsa.n, attr[0].pValue, attr[0].ulValueLen);
+ n_to_mpz(&rsa.e, attr[1].pValue, attr[1].ulValueLen);
+ pfree(attr[0].pValue);
+ pfree(attr[1].pValue);
+
+ cipher_text = RSA_encrypt(&rsa, plain_text);
+ free_RSA_public_content(&rsa);
+ if (cipher_text.ptr == NULL)
+ {
+ plog("smartcard input data length is too large");
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ memcpy(out, cipher_text.ptr, cipher_text.len);
+ *outlen = cipher_text.len;
+ freeanychunk(cipher_text);
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+ return TRUE;
+ }
+ else
+ {
+ plog("error in C_EncryptInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ scx_release_context(sc);
+ return FALSE;
+ }
+ }
+
+ DBG(DBG_CONTROL,
+ DBG_log("doing RSA encryption on smartcard")
+ )
+ rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen
+ , out, &len);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_Encrypt: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ scx_release_context(sc);
+ return FALSE;
+ }
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+
+ *outlen = (size_t)len;
+ return TRUE;
+#else
+ return FALSE;
+#endif
+}
+/*
+ * decrypt a data block with an RSA private key
+ */
+bool
+scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
+, u_char *out, size_t *outlen)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+ CK_OBJECT_HANDLE object;
+ CK_ULONG len = (CK_ULONG)(*outlen);
+ CK_BBOOL decrypt_flag;
+ CK_ATTRIBUTE attr[] = {
+ { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
+ };
+ CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };
+
+ if (!scx_establish_context(sc) || !scx_login(sc))
+ {
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
+ {
+ plog("unable to find private key with id '%s'", sc->id);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1);
+ if (rv != CKR_OK)
+ {
+ plog("couldn't read the private key attributes: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ if (!decrypt_flag)
+ {
+ plog("private key cannot be used for decryption");
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ DBG(DBG_CONTROL,
+ DBG_log("doing RSA decryption on smartcard")
+ )
+ rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_DecryptInit: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ scx_release_context(sc);
+ return FALSE;
+ }
+
+ rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen
+ , out, &len);
+ if (rv != CKR_OK)
+ {
+ plog("error in C_Decrypt: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ scx_release_context(sc);
+ return FALSE;
+ }
+ if (!pkcs11_keep_state)
+ scx_release_context(sc);
+
+ *outlen = (size_t)len;
+ return TRUE;
+#else
+ return FALSE;
+#endif
+}
+
+/* receive an encrypted data block via whack,
+ * decrypt it using a private RSA key and
+ * return the decrypted data block via whack
+ */
+bool
+scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
+, const char* keyid, int whackfd)
+{
+ char inbuf[RSA_MAX_OCTETS];
+ char outbuf[2*RSA_MAX_OCTETS + 1];
+ size_t outlen = sizeof(inbuf);
+ size_t inlen;
+ smartcard_t *sc,*sc_new;
+
+ const char *number_slot_id = "";
+
+ err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen);
+
+ /* no prefix - use default base */
+ if (ugh != NULL && inbase == 0)
+ ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen);
+
+ if (ugh != NULL)
+ {
+ plog("format error in smartcard input data: %s", ugh);
+ return FALSE;
+ }
+
+ if (keyid != NULL)
+ {
+ number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0)
+ ? keyid + strlen(SCX_TOKEN) : keyid;
+ }
+
+ sc_new = scx_parse_number_slot_id(number_slot_id);
+ sc = scx_add(sc_new);
+ if (sc == sc_new)
+ scx_share(sc);
+
+ DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW,
+ DBG_dump("smartcard input data:\n", inbuf, inlen)
+ )
+
+ if (op == SC_OP_DECRYPT)
+ {
+ if (!sc->valid && whackfd != NULL_FD)
+ scx_get_pin(sc, whackfd);
+
+ if (!sc->valid)
+ {
+ loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN");
+ return FALSE;
+ }
+ }
+
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ DBG_log("using RSA key from smartcard (slot: %d, id: %s)"
+ , (int)sc->slot, sc->id)
+ )
+
+ switch (op)
+ {
+ case SC_OP_ENCRYPT:
+ if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen))
+ return FALSE;
+ break;
+ case SC_OP_DECRYPT:
+ if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen))
+ return FALSE;
+ break;
+ default:
+ break;
+ }
+
+ DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW,
+ DBG_dump("smartcard output data:\n", inbuf, outlen)
+ )
+
+ if (outbase == 0) /* use default base */
+ outbase = DEFAULT_BASE;
+
+ if (outbase == 256) /* ascii plain text */
+ whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf);
+ else
+ {
+ outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf));
+ if (outlen == 0)
+ {
+ plog("error in output format conversion");
+ return FALSE;
+ }
+ whack_log(RC_COMMENT, "%s", outbuf);
+ }
+ return TRUE;
+}
+
+ /*
+ * get length of RSA key in bytes
+ */
+size_t
+scx_get_keylength(smartcard_t *sc)
+{
+#ifdef SMARTCARD
+ CK_RV rv;
+ CK_OBJECT_HANDLE object;
+ CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}};
+
+ if (!sc->logged_in)
+ return FALSE;
+
+ if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
+ {
+ plog("unable to find private key with id '%s'", sc->id);
+ return FALSE;
+ }
+
+ /* get the length of the private key */
+ rv = pkcs11_functions->C_GetAttributeValue(sc->session, object
+ , (CK_ATTRIBUTE_PTR)&attr, 1);
+ if (rv != CKR_OK)
+ {
+ plog("failed to get key length: %s"
+ , enum_show(&pkcs11_return_names, rv));
+ return FALSE;
+ }
+
+ return attr[0].ulValueLen; /*Return key length in bytes */
+#else
+ return 0;
+#endif
+}
+
+/*
+ * prompt for pin and verify it
+ */
+bool
+scx_get_pin(smartcard_t *sc, int whackfd)
+{
+#ifdef SMARTCARD
+ char pin[BUF_LEN];
+ int i, n;
+
+ whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')"
+ , sc->number, scx_print_slot(sc, ""), sc->id, sc->label);
+
+ for (i = 0; i < SCX_MAX_PIN_TRIALS; i++)
+ {
+ if (i > 0)
+ whack_log(RC_ENTERSECRET, "invalid PIN, please try again");
+
+ n = read(whackfd, pin, BUF_LEN);
+
+ if (n == -1)
+ {
+ whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+ return FALSE;
+ }
+
+ if (strlen(pin) == 0)
+ {
+ whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted");
+ return FALSE;
+ }
+
+ sc->pin.ptr = pin;
+ sc->pin.len = strlen(pin);
+
+ /* verify the pin */
+ if (scx_verify_pin(sc))
+ {
+ clonetochunk(sc->pin, pin, strlen(pin), "pin");
+ break;
+ }
+
+ /* wrong pin - we try another round */
+ sc->pin = empty_chunk;
+ }
+
+ if (sc->valid)
+ whack_log(RC_SUCCESS, "valid PIN");
+ else
+ whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials");
+#else
+ sc->valid = FALSE;
+ whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!");
+#endif
+ return sc->valid;
+}
+
+
+/*
+ * free the pin code
+ */
+void
+scx_free_pin(chunk_t *pin)
+{
+ if (pin->ptr != NULL)
+ {
+ /* clear pin field in memory */
+ memset(pin->ptr, '\0', pin->len);
+ pfree(pin->ptr);
+ *pin = empty_chunk;
+ }
+}
+
+/*
+ * frees a smartcard record
+ */
+void
+scx_free(smartcard_t *sc)
+{
+ if (sc != NULL)
+ {
+ scx_release_context(sc);
+ pfreeany(sc->id);
+ pfreeany(sc->label);
+ scx_free_pin(&sc->pin);
+ pfree(sc);
+ }
+}
+
+/* release of a smartcard record decreases the count by one
+ " the record is freed when the counter reaches zero
+ */
+void
+scx_release(smartcard_t *sc)
+{
+ if (sc != NULL && --sc->count == 0)
+ {
+ smartcard_t **pp = &smartcards;
+ while (*pp != sc)
+ pp = &(*pp)->next;
+ *pp = sc->next;
+ release_cert(sc->last_cert);
+ scx_free(sc);
+ }
+}
+
+/*
+ * compare two smartcard records by comparing their slots and ids
+ */
+static bool
+scx_same(smartcard_t *a, smartcard_t *b)
+{
+ if (a->number && b->number)
+ {
+ /* same number */
+ return a->number == b->number;
+ }
+ else
+ {
+ /* same id and/or same slot */
+ return (!a->id || (b->id && streq(a->id, b->id)))
+ && (a->any_slot || b->any_slot || a->slot == b->slot);
+ }
+}
+
+/* for each link pointing to the smartcard record
+ " increase the count by one
+ */
+void
+scx_share(smartcard_t *sc)
+{
+ if (sc != NULL)
+ sc->count++;
+}
+
+/*
+ * adds a smartcard record to the chained list
+ */
+smartcard_t*
+scx_add(smartcard_t *smartcard)
+{
+ smartcard_t *sc = smartcards;
+ smartcard_t **psc = &smartcards;
+
+ while (sc != NULL)
+ {
+ if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */
+ {
+ scx_free(smartcard);
+ return sc;
+ }
+ psc = &sc->next;
+ sc = sc->next;
+ }
+
+ /* insert new smartcard record at the end of the chain */
+ *psc = smartcard;
+ smartcard->number = ++sc_number;
+ smartcard->count = 1;
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log(" smartcard #%d added", sc_number)
+ )
+ return smartcard;
+}
+
+/*
+ * get the smartcard that belongs to an X.509 certificate
+ */
+smartcard_t*
+scx_get(x509cert_t *cert)
+{
+ smartcard_t *sc = smartcards;
+
+ while (sc != NULL)
+ {
+ if (sc->last_cert.u.x509 == cert)
+ return sc;
+ sc = sc->next;
+ }
+ return NULL;
+}
+
+/*
+ * prints either the slot number or 'any slot'
+ */
+char *
+scx_print_slot(smartcard_t *sc, const char *whitespace)
+{
+ char *buf = temporary_cyclic_buffer();
+
+ if (sc->any_slot)
+ snprintf(buf, BUF_LEN, "any slot");
+ else
+ snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot);
+ return buf;
+}
+
+/*
+ * list all smartcard info records in a chained list
+ */
+void
+scx_list(bool utc)
+{
+ smartcard_t *sc = smartcards;
+
+ if (sc != NULL)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of Smartcard Objects:");
+ whack_log(RC_COMMENT, " ");
+ }
+
+ while (sc != NULL)
+ {
+ whack_log(RC_COMMENT, "%s, #%d, count: %d"
+ , timetoa(&sc->last_load, utc)
+ , sc->number
+ , sc->count);
+ whack_log(RC_COMMENT, " %s, session %s, logged %s, has %s"
+ , scx_print_slot(sc, " ")
+ , sc->session_opened? "opened" : "closed"
+ , sc->logged_in? "in" : "out"
+ , sc->pinpad? "pin pad"
+ : ((sc->pin.ptr == NULL)? "no pin"
+ : sc->valid? "valid pin" : "invalid pin"));
+ if (sc->id != NULL)
+ whack_log(RC_COMMENT, " id: %s", sc->id);
+ if (sc->label != NULL)
+ whack_log(RC_COMMENT, " label: '%s'", sc->label);
+ if (sc->last_cert.type == CERT_X509_SIGNATURE)
+ {
+ char buf[BUF_LEN];
+
+ dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject);
+ whack_log(RC_COMMENT, " subject: '%s'", buf);
+ }
+ sc = sc->next;
+ }
+}
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
new file mode 100644
index 000000000..c004ca7dd
--- /dev/null
+++ b/src/pluto/smartcard.h
@@ -0,0 +1,100 @@
+/* Support of smartcards and cryptotokens
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Copyright (C) 2004 David Buechi, Michael Meier
+ * Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: smartcard.h,v 1.14 2005/11/06 22:55:41 as Exp $
+ */
+
+#ifndef _SMARTCARD_H
+#define _SMARTCARD_H
+
+#include "certs.h"
+
+#define SCX_TOKEN "%smartcard"
+#define SCX_CERT_CACHE_INTERVAL 60 /* seconds */
+#define SCX_MAX_PIN_TRIALS 3
+
+/* smartcard operations */
+
+typedef enum {
+ SC_OP_NONE = 0,
+ SC_OP_ENCRYPT = 1,
+ SC_OP_DECRYPT = 2,
+ SC_OP_SIGN = 3,
+} sc_op_t;
+
+/* smartcard record */
+
+typedef struct smartcard smartcard_t;
+
+struct smartcard {
+ smartcard_t *next;
+ time_t last_load;
+ cert_t last_cert;
+ int count;
+ int number;
+ unsigned long slot;
+ char *id;
+ char *label;
+ chunk_t pin;
+ bool pinpad;
+ bool valid;
+ bool session_opened;
+ bool logged_in;
+ bool any_slot;
+ long session;
+};
+
+extern const smartcard_t empty_sc;
+
+/* keep a PKCS#11 login during the lifetime of pluto
+ * flag set in plutomain.c and used in ipsec_doi.c and ocsp.c
+ */
+extern bool pkcs11_keep_state;
+
+/* allow other applications access to pluto's PKCS#11 interface
+ * via whack. Could be used e.g. for disk encryption
+ */
+extern bool pkcs11_proxy;
+
+extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
+extern void scx_init(const char *module);
+extern void scx_finalize(void);
+extern bool scx_establish_context(smartcard_t *sc);
+extern bool scx_login(smartcard_t *sc);
+extern bool scx_on_smartcard(const char *filename);
+extern bool scx_load_cert(const char *filename, smartcard_t **scp
+ , cert_t *cert, bool *cached);
+extern bool scx_verify_pin(smartcard_t *sc);
+extern void scx_share(smartcard_t *sc);
+extern bool scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
+ , u_char *out, size_t outlen);
+extern bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
+ , u_char *out, size_t *outlen);
+extern bool scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
+ , u_char *out, size_t *outlen);
+extern bool scx_op_via_whack(const char* msg, int inbase, int outbase
+ , sc_op_t op, const char *keyid, int whackfd);
+extern bool scx_get_pin(smartcard_t *sc, int whackfd);
+extern size_t scx_get_keylength(smartcard_t *sc);
+extern smartcard_t* scx_add(smartcard_t *sc);
+extern smartcard_t* scx_get(x509cert_t *cert);
+extern void scx_release(smartcard_t *sc);
+extern void scx_release_context(smartcard_t *sc);
+extern void scx_free_pin(chunk_t *pin);
+extern void scx_free(smartcard_t *sc);
+extern void scx_list(bool utc);
+extern char *scx_print_slot(smartcard_t *sc, const char *whitespace);
+
+#endif /* _SMARTCARD_H */
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
new file mode 100644
index 000000000..996585135
--- /dev/null
+++ b/src/pluto/spdb.c
@@ -0,0 +1,2314 @@
+/* Security Policy Data Base (such as it is)
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: spdb.c,v 1.9 2006/04/22 21:59:20 as Exp $
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "id.h"
+#include "connections.h"
+#include "state.h"
+#include "packet.h"
+#include "keys.h"
+#include "kernel.h"
+#include "log.h"
+#include "spdb.h"
+#include "whack.h"
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+#include "alg_info.h"
+#include "kernel_alg.h"
+#include "ike_alg.h"
+#include "db_ops.h"
+#include "nat_traversal.h"
+
+#define AD(x) x, elemsof(x) /* Array Description */
+#define AD_NULL NULL, 0
+
+/**************** Oakely (main mode) SA database ****************/
+
+/* array of proposals to be conjoined (can only be one for Oakley) */
+
+static struct db_prop oakley_pc[] =
+ { { PROTO_ISAKMP, AD_NULL } };
+
+/* array of proposal conjuncts (can only be one) */
+
+static struct db_prop_conj oakley_props[] = { { AD(oakley_pc) } };
+
+/* the sadb entry */
+struct db_sa oakley_sadb = { AD(oakley_props) };
+
+/**************** IPsec (quick mode) SA database ****************/
+
+/* arrays of attributes for transforms */
+
+static struct db_attr espsha1_attr[] = {
+ { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
+ };
+
+static struct db_attr ah_HMAC_SHA1_attr[] = {
+ { AUTH_ALGORITHM, AUTH_ALGORITHM_HMAC_SHA1 },
+ };
+
+/* arrays of transforms, each in in preference order */
+
+static struct db_trans espa_trans[] = {
+ { ESP_3DES, AD(espsha1_attr) },
+ };
+
+static struct db_trans esp_trans[] = {
+ { ESP_3DES, AD_NULL },
+ };
+
+#ifdef SUPPORT_ESP_NULL
+static struct db_trans espnull_trans[] = {
+ { ESP_NULL, AD(espsha1_attr) },
+ };
+#endif /* SUPPORT_ESP_NULL */
+
+static struct db_trans ah_trans[] = {
+ { AH_SHA, AD(ah_HMAC_SHA1_attr) },
+ };
+
+static struct db_trans ipcomp_trans[] = {
+ { IPCOMP_DEFLATE, AD_NULL },
+ };
+
+/* arrays of proposals to be conjoined */
+
+static struct db_prop ah_pc[] = {
+ { PROTO_IPSEC_AH, AD(ah_trans) },
+ };
+
+#ifdef SUPPORT_ESP_NULL
+static struct db_prop espnull_pc[] = {
+ { PROTO_IPSEC_ESP, AD(espnull_trans) },
+ };
+#endif /* SUPPORT_ESP_NULL */
+
+static struct db_prop esp_pc[] = {
+ { PROTO_IPSEC_ESP, AD(espa_trans) },
+ };
+
+static struct db_prop ah_esp_pc[] = {
+ { PROTO_IPSEC_AH, AD(ah_trans) },
+ { PROTO_IPSEC_ESP, AD(esp_trans) },
+ };
+
+static struct db_prop compress_pc[] = {
+ { PROTO_IPCOMP, AD(ipcomp_trans) },
+ };
+
+static struct db_prop ah_compress_pc[] = {
+ { PROTO_IPSEC_AH, AD(ah_trans) },
+ { PROTO_IPCOMP, AD(ipcomp_trans) },
+ };
+
+#ifdef SUPPORT_ESP_NULL
+static struct db_prop espnull_compress_pc[] = {
+ { PROTO_IPSEC_ESP, AD(espnull_trans) },
+ { PROTO_IPCOMP, AD(ipcomp_trans) },
+ };
+#endif /* SUPPORT_ESP_NULL */
+
+static struct db_prop esp_compress_pc[] = {
+ { PROTO_IPSEC_ESP, AD(espa_trans) },
+ { PROTO_IPCOMP, AD(ipcomp_trans) },
+ };
+
+static struct db_prop ah_esp_compress_pc[] = {
+ { PROTO_IPSEC_AH, AD(ah_trans) },
+ { PROTO_IPSEC_ESP, AD(esp_trans) },
+ { PROTO_IPCOMP, AD(ipcomp_trans) },
+ };
+
+/* arrays of proposal alternatives (each element is a conjunction) */
+
+static struct db_prop_conj ah_props[] = {
+ { AD(ah_pc) },
+#ifdef SUPPORT_ESP_NULL
+ { AD(espnull_pc) }
+#endif
+ };
+
+static struct db_prop_conj esp_props[] =
+ { { AD(esp_pc) } };
+
+static struct db_prop_conj ah_esp_props[] =
+ { { AD(ah_esp_pc) } };
+
+static struct db_prop_conj compress_props[] = {
+ { AD(compress_pc) },
+ };
+
+static struct db_prop_conj ah_compress_props[] = {
+ { AD(ah_compress_pc) },
+#ifdef SUPPORT_ESP_NULL
+ { AD(espnull_compress_pc) }
+#endif
+ };
+
+static struct db_prop_conj esp_compress_props[] =
+ { { AD(esp_compress_pc) } };
+
+static struct db_prop_conj ah_esp_compress_props[] =
+ { { AD(ah_esp_compress_pc) } };
+
+/* The IPsec sadb is subscripted by a bitset (subset of policy)
+ * with members from { POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS }
+ * shifted right by POLICY_IPSEC_SHIFT.
+ */
+struct db_sa ipsec_sadb[1 << 3] = {
+ { AD_NULL }, /* none */
+ { AD(esp_props) }, /* POLICY_ENCRYPT */
+ { AD(ah_props) }, /* POLICY_AUTHENTICATE */
+ { AD(ah_esp_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE */
+ { AD(compress_props) }, /* POLICY_COMPRESS */
+ { AD(esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_COMPRESS */
+ { AD(ah_compress_props) }, /* POLICY_AUTHENTICATE+POLICY_COMPRESS */
+ { AD(ah_esp_compress_props) }, /* POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_COMPRESS */
+ };
+
+#undef AD
+#undef AD_NULL
+
+/* output an attribute (within an SA) */
+static bool
+out_attr(int type
+, unsigned long val
+, struct_desc *attr_desc
+, enum_names **attr_val_descs USED_BY_DEBUG
+, pb_stream *pbs)
+{
+ struct isakmp_attribute attr;
+
+ if (val >> 16 == 0)
+ {
+ /* short value: use TV form */
+ attr.isaat_af_type = type | ISAKMP_ATTR_AF_TV;
+ attr.isaat_lv = val;
+ if (!out_struct(&attr, attr_desc, pbs, NULL))
+ return FALSE;
+ }
+ else
+ {
+ /* This is a real fudge! Since we rarely use long attributes
+ * and since this is the only place where we can cause an
+ * ISAKMP message length to be other than a multiple of 4 octets,
+ * we force the length of the value to be a multiple of 4 octets.
+ * Furthermore, we only handle values up to 4 octets in length.
+ * Voila: a fixed format!
+ */
+ pb_stream val_pbs;
+ u_int32_t nval = htonl(val);
+
+ attr.isaat_af_type = type | ISAKMP_ATTR_AF_TLV;
+ if (!out_struct(&attr, attr_desc, pbs, &val_pbs)
+ || !out_raw(&nval, sizeof(nval), &val_pbs, "long attribute value"))
+ return FALSE;
+ close_output_pbs(&val_pbs);
+ }
+ DBG(DBG_EMITTING,
+ enum_names *d = attr_val_descs[type];
+
+ if (d != NULL)
+ DBG_log(" [%lu is %s]"
+ , val, enum_show(d, val)));
+ return TRUE;
+}
+#define return_on(var, val) do { var=val;goto return_out; } while(0);
+/* Output an SA, as described by a db_sa.
+ * This has the side-effect of allocating SPIs for us.
+ */
+bool
+out_sa(pb_stream *outs
+, struct db_sa *sadb
+, struct state *st
+, bool oakley_mode
+, u_int8_t np)
+{
+ pb_stream sa_pbs;
+ int pcn;
+ bool ret = FALSE;
+ bool ah_spi_generated = FALSE
+ , esp_spi_generated = FALSE
+ , ipcomp_cpi_generated = FALSE;
+#if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
+ struct db_context *db_ctx = NULL;
+#endif
+
+ /* SA header out */
+ {
+ struct isakmp_sa sa;
+
+ sa.isasa_np = np;
+ st->st_doi = sa.isasa_doi = ISAKMP_DOI_IPSEC; /* all we know */
+ if (!out_struct(&sa, &isakmp_sa_desc, outs, &sa_pbs))
+ return_on(ret, FALSE);
+ }
+
+ /* within SA: situation out */
+ st->st_situation = SIT_IDENTITY_ONLY;
+ if (!out_struct(&st->st_situation, &ipsec_sit_desc, &sa_pbs, NULL))
+ return_on(ret, FALSE);
+
+ /* within SA: Proposal Payloads
+ *
+ * Multiple Proposals with the same number are simultaneous
+ * (conjuncts) and must deal with different protocols (AH or ESP).
+ * Proposals with different numbers are alternatives (disjuncts),
+ * in preference order.
+ * Proposal numbers must be monotonic.
+ * See RFC 2408 "ISAKMP" 4.2
+ */
+
+ for (pcn = 0; pcn != sadb->prop_conj_cnt; pcn++)
+ {
+ struct db_prop_conj *pc = &sadb->prop_conjs[pcn];
+ int pn;
+
+ for (pn = 0; pn != pc->prop_cnt; pn++)
+ {
+ struct db_prop *p = &pc->props[pn];
+ pb_stream proposal_pbs;
+ struct isakmp_proposal proposal;
+ struct_desc *trans_desc;
+ struct_desc *attr_desc;
+ enum_names **attr_val_descs;
+ int tn;
+ bool tunnel_mode;
+
+ tunnel_mode = (pn == pc->prop_cnt-1)
+ && (st->st_policy & POLICY_TUNNEL);
+
+ /* Proposal header */
+ proposal.isap_np = pcn == sadb->prop_conj_cnt-1 && pn == pc->prop_cnt-1
+ ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_P;
+ proposal.isap_proposal = pcn;
+ proposal.isap_protoid = p->protoid;
+ proposal.isap_spisize = oakley_mode ? 0
+ : p->protoid == PROTO_IPCOMP ? IPCOMP_CPI_SIZE
+ : IPSEC_DOI_SPI_SIZE;
+
+ /* In quick mode ONLY, create proposal for runtime kernel algos.
+ * Replace ESP proposals with runtime created one
+ */
+ if (!oakley_mode && p->protoid == PROTO_IPSEC_ESP)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ if (st->st_connection->alg_info_esp)
+ {
+ static char buf[256]="";
+
+ alg_info_snprint(buf, sizeof (buf),
+ (struct alg_info *)st->st_connection->alg_info_esp);
+ DBG_log(buf);
+ }
+ )
+ db_ctx = kernel_alg_db_new(st->st_connection->alg_info_esp, st->st_policy);
+ p = db_prop_get(db_ctx);
+
+ if (!p || p->trans_cnt == 0)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "empty IPSEC SA proposal to send "
+ "(no kernel algorithms for esp selection)");
+ return_on(ret, FALSE);
+ }
+ }
+
+ if (oakley_mode && p->protoid == PROTO_ISAKMP)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT,
+ if (st->st_connection->alg_info_ike)
+ {
+ static char buf[256]="";
+
+ alg_info_snprint(buf, sizeof (buf),
+ (struct alg_info *)st->st_connection->alg_info_ike);
+ DBG_log(buf);
+ }
+ )
+ db_ctx = ike_alg_db_new(st->st_connection->alg_info_ike, st->st_policy);
+ p = db_prop_get(db_ctx);
+
+ if (!p || p->trans_cnt == 0)
+ {
+ loglog(RC_LOG_SERIOUS,
+ "empty ISAKMP SA proposal to send "
+ "(no algorithms for ike selection?)");
+ return_on(ret, FALSE);
+ }
+ }
+
+ proposal.isap_notrans = p->trans_cnt;
+ if (!out_struct(&proposal, &isakmp_proposal_desc, &sa_pbs, &proposal_pbs))
+ return_on(ret, FALSE);
+
+ /* Per-protocols stuff:
+ * Set trans_desc.
+ * Set attr_desc.
+ * Set attr_val_descs.
+ * If not oakley_mode, emit SPI.
+ * We allocate SPIs on demand.
+ * All ESPs in an SA will share a single SPI.
+ * All AHs in an SAwill share a single SPI.
+ * AHs' SPI will be distinct from ESPs'.
+ * This latter is needed because KLIPS doesn't
+ * use the protocol when looking up a (dest, protocol, spi).
+ * ??? If multiple ESPs are composed, how should their SPIs
+ * be allocated?
+ */
+ {
+ ipsec_spi_t *spi_ptr = NULL;
+ int proto = 0;
+ bool *spi_generated = NULL;
+
+ switch (p->protoid)
+ {
+ case PROTO_ISAKMP:
+ passert(oakley_mode);
+ trans_desc = &isakmp_isakmp_transform_desc;
+ attr_desc = &isakmp_oakley_attribute_desc;
+ attr_val_descs = oakley_attr_val_descs;
+ /* no SPI needed */
+ break;
+ case PROTO_IPSEC_AH:
+ passert(!oakley_mode);
+ trans_desc = &isakmp_ah_transform_desc;
+ attr_desc = &isakmp_ipsec_attribute_desc;
+ attr_val_descs = ipsec_attr_val_descs;
+ spi_ptr = &st->st_ah.our_spi;
+ spi_generated = &ah_spi_generated;
+ proto = IPPROTO_AH;
+ break;
+ case PROTO_IPSEC_ESP:
+ passert(!oakley_mode);
+ trans_desc = &isakmp_esp_transform_desc;
+ attr_desc = &isakmp_ipsec_attribute_desc;
+ attr_val_descs = ipsec_attr_val_descs;
+ spi_ptr = &st->st_esp.our_spi;
+ spi_generated = &esp_spi_generated;
+ proto = IPPROTO_ESP;
+ break;
+ case PROTO_IPCOMP:
+ passert(!oakley_mode);
+ trans_desc = &isakmp_ipcomp_transform_desc;
+ attr_desc = &isakmp_ipsec_attribute_desc;
+ attr_val_descs = ipsec_attr_val_descs;
+
+ /* a CPI isn't quite the same as an SPI
+ * so we use specialized code to emit it.
+ */
+ if (!ipcomp_cpi_generated)
+ {
+ st->st_ipcomp.our_spi = get_my_cpi(
+ &st->st_connection->spd, tunnel_mode);
+ if (st->st_ipcomp.our_spi == 0)
+ return_on(ret, FALSE); /* problem generating CPI */
+
+ ipcomp_cpi_generated = TRUE;
+ }
+ /* CPI is stored in network low order end of an
+ * ipsec_spi_t. So we start a couple of bytes in.
+ */
+ if (!out_raw((u_char *)&st->st_ipcomp.our_spi
+ + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+ , IPCOMP_CPI_SIZE
+ , &proposal_pbs, "CPI"))
+ return_on(ret, FALSE);
+ break;
+ default:
+ bad_case(p->protoid);
+ }
+ if (spi_ptr != NULL)
+ {
+ if (!*spi_generated)
+ {
+ *spi_ptr = get_ipsec_spi(0
+ , proto
+ , &st->st_connection->spd
+ , tunnel_mode);
+ if (*spi_ptr == 0)
+ return FALSE;
+ *spi_generated = TRUE;
+ }
+ if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
+ , &proposal_pbs, "SPI"))
+ return_on(ret, FALSE);
+ }
+ }
+
+ /* within proposal: Transform Payloads */
+ for (tn = 0; tn != p->trans_cnt; tn++)
+ {
+ struct db_trans *t = &p->trans[tn];
+ pb_stream trans_pbs;
+ struct isakmp_transform trans;
+ int an;
+
+ trans.isat_np = (tn == p->trans_cnt - 1)
+ ? ISAKMP_NEXT_NONE : ISAKMP_NEXT_T;
+ trans.isat_transnum = tn;
+ trans.isat_transid = t->transid;
+ if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
+ return_on(ret, FALSE);
+
+ /* Within tranform: Attributes. */
+
+ /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
+ * automatically generated because it must be the same
+ * in every transform. Except IPCOMP.
+ */
+ if (p->protoid != PROTO_IPCOMP
+ && st->st_pfs_group != NULL)
+ {
+ passert(!oakley_mode);
+ passert(st->st_pfs_group != &unset_group);
+ out_attr(GROUP_DESCRIPTION, st->st_pfs_group->group
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ }
+
+ /* automatically generate duration
+ * and, for Phase 2 / Quick Mode, encapsulation.
+ */
+ if (oakley_mode)
+ {
+ out_attr(OAKLEY_LIFE_TYPE, OAKLEY_LIFE_SECONDS
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ out_attr(OAKLEY_LIFE_DURATION
+ , st->st_connection->sa_ike_life_seconds
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ }
+ else
+ {
+ /* RFC 2407 (IPSEC DOI) 4.5 specifies that
+ * the default is "unspecified (host-dependent)".
+ * This makes little sense, so we always specify it.
+ *
+ * Unlike other IPSEC transforms, IPCOMP defaults
+ * to Transport Mode, so we can exploit the default
+ * (draft-shacham-ippcp-rfc2393bis-05.txt 4.1).
+ */
+ if (p->protoid != PROTO_IPCOMP
+ || st->st_policy & POLICY_TUNNEL)
+ {
+#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && !(st->st_policy & POLICY_TUNNEL))
+ {
+ /* Inform user that we will not respect policy and only
+ * propose Tunnel Mode
+ */
+ loglog(RC_LOG_SERIOUS, "NAT-Traversal: "
+ "Transport Mode not allowed due to security concerns -- "
+ "using Tunnel mode");
+ }
+#endif
+ out_attr(ENCAPSULATION_MODE
+#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
+#else
+ /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
+ * Mode has security concerns.
+ *
+ * User has been informed of that
+ */
+ , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
+#endif
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ }
+ out_attr(SA_LIFE_TYPE, SA_LIFE_TYPE_SECONDS
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ out_attr(SA_LIFE_DURATION
+ , st->st_connection->sa_ipsec_life_seconds
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ }
+
+ /* spit out attributes from table */
+ for (an = 0; an != t->attr_cnt; an++)
+ {
+ struct db_attr *a = &t->attrs[an];
+
+ out_attr(a->type, a->val
+ , attr_desc, attr_val_descs
+ , &trans_pbs);
+ }
+
+ close_output_pbs(&trans_pbs);
+ }
+ close_output_pbs(&proposal_pbs);
+ }
+ /* end of a conjunction of proposals */
+ }
+ close_output_pbs(&sa_pbs);
+ ret = TRUE;
+
+return_out:
+
+#if !defined NO_KERNEL_ALG || !defined NO_IKE_ALG
+ if (db_ctx)
+ db_destroy(db_ctx);
+#endif
+ return ret;
+}
+
+/* Handle long form of duration attribute.
+ * The code is can only handle values that can fit in unsigned long.
+ * "Clamping" is probably an acceptable way to impose this limitation.
+ */
+static u_int32_t
+decode_long_duration(pb_stream *pbs)
+{
+ u_int32_t val = 0;
+
+ /* ignore leading zeros */
+ while (pbs_left(pbs) != 0 && *pbs->cur == '\0')
+ pbs->cur++;
+
+ if (pbs_left(pbs) > sizeof(val))
+ {
+ /* "clamp" too large value to max representable value */
+ val -= 1; /* portable way to get to maximum value */
+ DBG(DBG_PARSING, DBG_log(" too large duration clamped to: %lu"
+ , (unsigned long)val));
+ }
+ else
+ {
+ /* decode number */
+ while (pbs_left(pbs) != 0)
+ val = (val << BITS_PER_BYTE) | *pbs->cur++;
+ DBG(DBG_PARSING, DBG_log(" long duration: %lu", (unsigned long)val));
+ }
+ return val;
+}
+
+/* Preparse the body of an ISAKMP SA Payload and
+ * return body of ISAKMP Proposal Payload
+ *
+ * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
+ * Error response is rudimentary.
+ */
+notification_t
+preparse_isakmp_sa_body(const struct isakmp_sa *sa
+ , pb_stream *sa_pbs
+ , u_int32_t *ipsecdoisit
+ , pb_stream *proposal_pbs
+ , struct isakmp_proposal *proposal)
+{
+ /* DOI */
+ if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
+ {
+ loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
+ /* XXX Could send notification back */
+ return DOI_NOT_SUPPORTED;
+ }
+
+ /* Situation */
+ if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+ return SITUATION_NOT_SUPPORTED;
+
+ if (*ipsecdoisit != SIT_IDENTITY_ONLY)
+ {
+ loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
+ , bitnamesof(sit_bit_names, *ipsecdoisit));
+ /* XXX Could send notification back */
+ return SITUATION_NOT_SUPPORTED;
+ }
+
+ /* The rules for ISAKMP SAs are scattered.
+ * RFC 2409 "IKE" section 5 says that there
+ * can only be one SA, and it can have only one proposal in it.
+ * There may well be multiple transforms.
+ */
+ if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
+ return PAYLOAD_MALFORMED;
+
+ if (proposal->isap_np != ISAKMP_NEXT_NONE)
+ {
+ loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
+ , enum_show(&payload_names, proposal->isap_np));
+ return PAYLOAD_MALFORMED;
+ }
+
+ if (proposal->isap_protoid != PROTO_ISAKMP)
+ {
+ loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
+ , enum_show(&protocol_names, proposal->isap_protoid));
+ return INVALID_PROTOCOL_ID;
+ }
+
+ /* Just what should we accept for the SPI field?
+ * The RFC is sort of contradictory. We will ignore the SPI
+ * as long as it is of the proper size.
+ *
+ * From RFC2408 2.4 Identifying Security Associations:
+ * During phase 1 negotiations, the initiator and responder cookies
+ * determine the ISAKMP SA. Therefore, the SPI field in the Proposal
+ * payload is redundant and MAY be set to 0 or it MAY contain the
+ * transmitting entity's cookie.
+ *
+ * From RFC2408 3.5 Proposal Payload:
+ * o SPI Size (1 octet) - Length in octets of the SPI as defined by
+ * the Protocol-Id. In the case of ISAKMP, the Initiator and
+ * Responder cookie pair from the ISAKMP Header is the ISAKMP SPI,
+ * therefore, the SPI Size is irrelevant and MAY be from zero (0) to
+ * sixteen (16). If the SPI Size is non-zero, the content of the
+ * SPI field MUST be ignored. If the SPI Size is not a multiple of
+ * 4 octets it will have some impact on the SPI field and the
+ * alignment of all payloads in the message. The Domain of
+ * Interpretation (DOI) will dictate the SPI Size for other
+ * protocols.
+ */
+ if (proposal->isap_spisize == 0)
+ {
+ /* empty (0) SPI -- fine */
+ }
+ else if (proposal->isap_spisize <= MAX_ISAKMP_SPI_SIZE)
+ {
+ u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
+
+ if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
+ return PAYLOAD_MALFORMED;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
+ , (unsigned)proposal->isap_spisize);
+ return INVALID_SPI;
+ }
+ return NOTHING_WRONG;
+}
+
+static struct {
+ u_int8_t *start;
+ u_int8_t *cur;
+ u_int8_t *roof;
+} backup;
+
+/*
+ * backup the pointer into a pb_stream
+ */
+void
+backup_pbs(pb_stream *pbs)
+{
+ backup.start = pbs->start;
+ backup.cur = pbs->cur;
+ backup.roof = pbs->roof;
+}
+
+/*
+ * restore the pointer into a pb_stream
+ */
+void
+restore_pbs(pb_stream *pbs)
+{
+ pbs->start = backup.start;
+ pbs->cur = backup.cur;
+ pbs->roof = backup.roof;
+}
+
+/*
+ * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
+ */
+notification_t
+parse_isakmp_policy(pb_stream *proposal_pbs
+ , u_int notrans
+ , lset_t *policy)
+{
+ int last_transnum = -1;
+
+ *policy = LEMPTY;
+
+ while (notrans--)
+ {
+ pb_stream trans_pbs;
+ u_char *attr_start;
+ size_t attr_len;
+ struct isakmp_transform trans;
+
+ if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
+ return BAD_PROPOSAL_SYNTAX;
+
+ if (trans.isat_transnum <= last_transnum)
+ {
+ /* picky, picky, picky */
+ loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
+ " in Oakley Proposal");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ last_transnum = trans.isat_transnum;
+
+ if (trans.isat_transid != KEY_IKE)
+ {
+ loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
+ , enum_show(&isakmp_transformid_names, trans.isat_transid));
+ return INVALID_TRANSFORM_ID;
+ }
+
+ attr_start = trans_pbs.cur;
+ attr_len = pbs_left(&trans_pbs);
+
+ /* preprocess authentication attributes only */
+ while (pbs_left(&trans_pbs) != 0)
+ {
+ struct isakmp_attribute a;
+ pb_stream attr_pbs;
+
+ if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+ return BAD_PROPOSAL_SYNTAX;
+
+ passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+
+ switch (a.isaat_af_type)
+ {
+ case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
+ switch (a.isaat_lv)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ *policy |= POLICY_PSK;
+ break;
+ case OAKLEY_RSA_SIG:
+ *policy |= POLICY_RSASIG;
+ break;
+ case XAUTHInitPreShared:
+ *policy |= POLICY_XAUTH_SERVER;
+ /* fall through */
+ case XAUTHRespPreShared:
+ *policy |= POLICY_XAUTH_PSK;
+ break;
+ case XAUTHInitRSA:
+ *policy |= POLICY_XAUTH_SERVER;
+ /* fall through */
+ case XAUTHRespRSA:
+ *policy |= POLICY_XAUTH_RSASIG;
+ break;
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ DBG(DBG_CONTROL|DBG_PARSING,
+ DBG_log("preparse_isakmp_policy: peer requests %s authentication"
+ , prettypolicy(*policy))
+ )
+ return NOTHING_WRONG;
+}
+
+/*
+ * check that we can find a preshared secret
+ */
+static err_t
+find_preshared_key(struct state* st)
+{
+ err_t ugh = NULL;
+ struct connection *c = st->st_connection;
+
+ if (get_preshared_secret(c) == NULL)
+ {
+ char my_id[BUF_LEN], his_id[BUF_LEN];
+
+ idtoa(&c->spd.this.id, my_id, sizeof(my_id));
+ if (his_id_was_instantiated(c))
+ strcpy(his_id, "%any");
+ else
+ idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+ ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
+ , my_id, his_id);
+ }
+ return ugh;
+}
+
+/* Parse the body of an ISAKMP SA Payload (i.e. Phase 1 / Main Mode).
+ * Various shortcuts are taken. In particular, the policy, such as
+ * it is, is hardwired.
+ *
+ * If r_sa is non-NULL, the body of an SA representing the selected
+ * proposal is emitted.
+ *
+ * This routine is used by main_inI1_outR1() and main_inR1_outI2().
+ */
+notification_t
+parse_isakmp_sa_body(u_int32_t ipsecdoisit
+ , pb_stream *proposal_pbs
+ , struct isakmp_proposal *proposal
+ , pb_stream *r_sa_pbs
+ , struct state *st
+ , bool initiator)
+{
+ struct connection *c = st->st_connection;
+ unsigned no_trans_left;
+
+ /* for each transform payload... */
+ no_trans_left = proposal->isap_notrans;
+
+ for (;;)
+ {
+ pb_stream trans_pbs;
+ u_char *attr_start;
+ size_t attr_len;
+ struct isakmp_transform trans;
+ lset_t seen_attrs = 0;
+ lset_t seen_durations = 0;
+ u_int16_t life_type = 0;
+ struct oakley_trans_attrs ta;
+ err_t ugh = NULL; /* set to diagnostic when problem detected */
+
+ /* initialize only optional field in ta */
+ ta.life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT; /* When this SA expires (seconds) */
+
+ if (no_trans_left == 0)
+ {
+ loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
+ attr_start = trans_pbs.cur;
+ attr_len = pbs_left(&trans_pbs);
+
+ /* process all the attributes that make up the transform */
+
+ while (pbs_left(&trans_pbs) != 0)
+ {
+ struct isakmp_attribute a;
+ pb_stream attr_pbs;
+ u_int32_t val; /* room for larger values */
+
+ if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+ return BAD_PROPOSAL_SYNTAX;
+
+ passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+
+ if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
+ {
+ loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
+ , enum_show(&oakley_attr_names, a.isaat_af_type)
+ , trans.isat_transnum);
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
+
+ val = a.isaat_lv;
+
+ DBG(DBG_PARSING,
+ {
+ enum_names *vdesc = oakley_attr_val_descs
+ [a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
+
+ if (vdesc != NULL)
+ {
+ const char *nm = enum_name(vdesc, val);
+
+ if (nm != NULL)
+ DBG_log(" [%u is %s]", (unsigned)val, nm);
+ }
+ });
+
+ switch (a.isaat_af_type)
+ {
+ case OAKLEY_ENCRYPTION_ALGORITHM | ISAKMP_ATTR_AF_TV:
+ if (ike_alg_enc_present(val))
+ {
+ ta.encrypt = val;
+ ta.encrypter = ike_alg_get_encrypter(val);
+ ta.enckeylen = ta.encrypter->keydeflen;
+ }
+ else
+ {
+ ugh = builddiag("%s is not supported"
+ , enum_show(&oakley_enc_names, val));
+ }
+ break;
+
+ case OAKLEY_HASH_ALGORITHM | ISAKMP_ATTR_AF_TV:
+ if (ike_alg_hash_present(val))
+ {
+ ta.hash = val;
+ ta.hasher = ike_alg_get_hasher(val);
+ }
+ else
+ {
+ ugh = builddiag("%s is not supported"
+ , enum_show(&oakley_hash_names, val));
+ }
+ break;
+
+ case OAKLEY_AUTHENTICATION_METHOD | ISAKMP_ATTR_AF_TV:
+ {
+ /* check that authentication method is acceptable */
+ lset_t iap = st->st_policy & POLICY_ID_AUTH_MASK;
+
+ /* is the initiator the XAUTH client? */
+ bool xauth_init = initiator && (st->st_policy & POLICY_XAUTH_SERVER) == LEMPTY
+ || !initiator && (st->st_policy & POLICY_XAUTH_SERVER) != LEMPTY;
+
+ switch (val)
+ {
+ case OAKLEY_PRESHARED_KEY:
+ if ((iap & POLICY_PSK) == LEMPTY)
+ {
+ ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication";
+ }
+ else
+ {
+ ugh = find_preshared_key(st);
+ ta.auth = OAKLEY_PRESHARED_KEY;
+ }
+ break;
+ case XAUTHInitPreShared:
+ if ((iap & POLICY_XAUTH_PSK) == LEMPTY || !xauth_init)
+ {
+ ugh = "policy does not allow XAUTHInitPreShared authentication";
+ }
+ else
+ {
+ ugh = find_preshared_key(st);
+ ta.auth = XAUTHInitPreShared;
+ }
+ break;
+ case XAUTHRespPreShared:
+ if ((iap & POLICY_XAUTH_PSK) == LEMPTY || xauth_init)
+ {
+ ugh = "policy does not allow XAUTHRespPreShared authentication";
+ }
+ else
+ {
+ ugh = find_preshared_key(st);
+ ta.auth = XAUTHRespPreShared;
+ }
+ break;
+ case OAKLEY_RSA_SIG:
+ /* Accept if policy specifies RSASIG or is default */
+ if ((iap & POLICY_RSASIG) == LEMPTY)
+ {
+ ugh = "policy does not allow OAKLEY_RSA_SIG authentication";
+ }
+ else
+ {
+ ta.auth = OAKLEY_RSA_SIG;
+ }
+ break;
+ case XAUTHInitRSA:
+ if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || !xauth_init)
+ {
+ ugh = "policy does not allow XAUTHInitRSA authentication";
+ }
+ else
+ {
+ ta.auth = XAUTHInitRSA;
+ }
+ break;
+ case XAUTHRespRSA:
+ if ((iap & POLICY_XAUTH_RSASIG) == LEMPTY || xauth_init)
+ {
+ ugh = "policy does not allow XAUTHRespRSA authentication";
+ }
+ else
+ {
+ ta.auth = XAUTHRespRSA;
+ }
+ break;
+ default:
+ ugh = builddiag("Pluto does not support %s authentication"
+ , enum_show(&oakley_auth_names, val));
+ break;
+ }
+ }
+ break;
+
+ case OAKLEY_GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
+ ta.group = lookup_group(val);
+ if (ta.group == NULL)
+ {
+ ugh = "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported";
+ }
+ break;
+
+ case OAKLEY_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
+ switch (val)
+ {
+ case OAKLEY_LIFE_SECONDS:
+ case OAKLEY_LIFE_KILOBYTES:
+ if (LHAS(seen_durations, val))
+ {
+ loglog(RC_LOG_SERIOUS
+ , "attribute OAKLEY_LIFE_TYPE value %s repeated"
+ , enum_show(&oakley_lifetime_names, val));
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ seen_durations |= LELEM(val);
+ life_type = val;
+ break;
+ default:
+ ugh = builddiag("unknown value %s"
+ , enum_show(&oakley_lifetime_names, val));
+ break;
+ }
+ break;
+
+ case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+ val = decode_long_duration(&attr_pbs);
+ /* fall through */
+ case OAKLEY_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
+ if (!LHAS(seen_attrs, OAKLEY_LIFE_TYPE))
+ {
+ ugh = "OAKLEY_LIFE_DURATION attribute not preceded by OAKLEY_LIFE_TYPE attribute";
+ break;
+ }
+ seen_attrs &= ~(LELEM(OAKLEY_LIFE_DURATION) | LELEM(OAKLEY_LIFE_TYPE));
+
+ switch (life_type)
+ {
+ case OAKLEY_LIFE_SECONDS:
+ if (val > OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM)
+ {
+#ifdef CISCO_QUIRKS
+ plog("peer requested %lu seconds"
+ " which exceeds our limit %d seconds"
+ , (long) val
+ , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+ plog("lifetime reduced to %d seconds "
+ "(todo: IPSEC_RESPONDER_LIFETIME notification)"
+ , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+ val = OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM;
+#else
+ ugh = builddiag("peer requested %lu seconds"
+ " which exceeds our limit %d seconds"
+ , (long) val
+ , OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM);
+#endif
+ }
+ ta.life_seconds = val;
+ break;
+ case OAKLEY_LIFE_KILOBYTES:
+ ta.life_kilobytes = val;
+ break;
+ default:
+ bad_case(life_type);
+ }
+ break;
+
+ case OAKLEY_KEY_LENGTH | ISAKMP_ATTR_AF_TV:
+ if ((seen_attrs & LELEM(OAKLEY_ENCRYPTION_ALGORITHM)) == 0)
+ {
+ ugh = "OAKLEY_KEY_LENGTH attribute not preceded by "
+ "OAKLEY_ENCRYPTION_ALGORITHM attribute";
+ break;
+ }
+ if (ta.encrypter == NULL)
+ {
+ ugh = "NULL encrypter with seen OAKLEY_ENCRYPTION_ALGORITHM";
+ break;
+ }
+ /*
+ * check if this keylen is compatible with specified algorithm
+ */
+ if (val
+ && (val < ta.encrypter->keyminlen || val > ta.encrypter->keymaxlen))
+ {
+ ugh = "peer proposed key length not valid for "
+ "encryption algorithm specified";
+ }
+ ta.enckeylen = val;
+ break;
+#if 0 /* not yet supported */
+ case OAKLEY_GROUP_TYPE | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_PRF | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_FIELD_SIZE | ISAKMP_ATTR_AF_TV:
+
+ case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_PRIME | ISAKMP_ATTR_AF_TLV:
+ case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_GENERATOR_ONE | ISAKMP_ATTR_AF_TLV:
+ case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_GENERATOR_TWO | ISAKMP_ATTR_AF_TLV:
+ case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_CURVE_A | ISAKMP_ATTR_AF_TLV:
+ case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_CURVE_B | ISAKMP_ATTR_AF_TLV:
+ case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TV:
+ case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
+#endif
+ default:
+ ugh = "unsupported OAKLEY attribute";
+ break;
+ }
+
+ if (ugh != NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "%s. Attribute %s"
+ , ugh, enum_show(&oakley_attr_names, a.isaat_af_type));
+ break;
+ }
+ }
+
+ /*
+ * ML: at last check for allowed transforms in alg_info_ike
+ * (ALG_INFO_F_STRICT flag)
+ */
+ if (ugh == NULL)
+ {
+ if (!ike_alg_ok_final(ta.encrypt, ta.enckeylen, ta.hash,
+ ta.group ? ta.group->group : -1, c->alg_info_ike))
+ {
+ ugh = "OAKLEY proposal refused";
+ }
+ }
+
+ if (ugh == NULL)
+ {
+ /* a little more checking is in order */
+ {
+ lset_t missing
+ = ~seen_attrs
+ & (LELEM(OAKLEY_ENCRYPTION_ALGORITHM)
+ | LELEM(OAKLEY_HASH_ALGORITHM)
+ | LELEM(OAKLEY_AUTHENTICATION_METHOD)
+ | LELEM(OAKLEY_GROUP_DESCRIPTION));
+
+ if (missing)
+ {
+ loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
+ , bitnamesof(oakley_attr_bit_names, missing)
+ , trans.isat_transnum);
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ }
+ /* We must have liked this transform.
+ * Lets finish early and leave.
+ */
+
+ DBG(DBG_PARSING | DBG_CRYPT
+ , DBG_log("Oakley Transform %u accepted", trans.isat_transnum));
+
+ if (r_sa_pbs != NULL)
+ {
+ struct isakmp_proposal r_proposal = *proposal;
+ pb_stream r_proposal_pbs;
+ struct isakmp_transform r_trans = trans;
+ pb_stream r_trans_pbs;
+
+ /* Situation */
+ if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
+ impossible();
+
+ /* Proposal */
+#ifdef EMIT_ISAKMP_SPI
+ r_proposal.isap_spisize = COOKIE_SIZE;
+#else
+ r_proposal.isap_spisize = 0;
+#endif
+ r_proposal.isap_notrans = 1;
+ if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
+ impossible();
+
+ /* SPI */
+#ifdef EMIT_ISAKMP_SPI
+ if (!out_raw(my_cookie, COOKIE_SIZE, &r_proposal_pbs, "SPI"))
+ impossible();
+ r_proposal.isap_spisize = COOKIE_SIZE;
+#else
+ /* none (0) */
+#endif
+
+ /* Transform */
+ r_trans.isat_np = ISAKMP_NEXT_NONE;
+ if (!out_struct(&r_trans, &isakmp_isakmp_transform_desc, &r_proposal_pbs, &r_trans_pbs))
+ impossible();
+
+ if (!out_raw(attr_start, attr_len, &r_trans_pbs, "attributes"))
+ impossible();
+ close_output_pbs(&r_trans_pbs);
+ close_output_pbs(&r_proposal_pbs);
+ close_output_pbs(r_sa_pbs);
+ }
+
+ /* copy over the results */
+ st->st_oakley = ta;
+ return NOTHING_WRONG;
+ }
+
+ /* on to next transform */
+ no_trans_left--;
+
+ if (trans.isat_np == ISAKMP_NEXT_NONE)
+ {
+ if (no_trans_left != 0)
+ {
+ loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ break;
+ }
+ if (trans.isat_np != ISAKMP_NEXT_T)
+ {
+ loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
+ , enum_show(&payload_names, proposal->isap_np));
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ }
+ loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
+ return NO_PROPOSAL_CHOSEN;
+}
+
+/* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
+ *
+ * The main routine is parse_ipsec_sa_body; other functions defined
+ * between here and there are just helpers.
+ *
+ * Various shortcuts are taken. In particular, the policy, such as
+ * it is, is hardwired.
+ *
+ * If r_sa is non-NULL, the body of an SA representing the selected
+ * proposal is emitted into it.
+ *
+ * If "selection" is true, the SA is supposed to represent the
+ * single tranform that the peer has accepted.
+ * ??? We only check that it is acceptable, not that it is one that we offered!
+ *
+ * Only IPsec DOI is accepted (what is the ISAKMP DOI?).
+ * Error response is rudimentary.
+ *
+ * Since all ISAKMP groups in all SA Payloads must match, st->st_pfs_group
+ * holds this across multiple payloads.
+ * &unset_group signifies not yet "set"; NULL signifies NONE.
+ *
+ * This routine is used by quick_inI1_outR1() and quick_inR1_outI2().
+ */
+
+static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
+ 0, /* transid (NULL, for now) */
+ 0, /* spi */
+ SA_LIFE_DURATION_DEFAULT, /* life_seconds */
+ SA_LIFE_DURATION_K_DEFAULT, /* life_kilobytes */
+ ENCAPSULATION_MODE_UNSPECIFIED, /* encapsulation */
+ AUTH_ALGORITHM_NONE, /* auth */
+ 0, /* key_len */
+ 0, /* key_rounds */
+};
+
+static bool
+parse_ipsec_transform(struct isakmp_transform *trans
+, struct ipsec_trans_attrs *attrs
+, pb_stream *prop_pbs
+, pb_stream *trans_pbs
+, struct_desc *trans_desc
+, int previous_transnum /* or -1 if none */
+, bool selection
+, bool is_last
+, bool is_ipcomp
+, struct state *st) /* current state object */
+{
+ lset_t seen_attrs = 0;
+ lset_t seen_durations = 0;
+ u_int16_t life_type = 0;
+ const struct oakley_group_desc *pfs_group = NULL;
+
+ if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
+ return FALSE;
+
+ if (trans->isat_transnum <= previous_transnum)
+ {
+ loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
+ return FALSE;
+ }
+
+ switch (trans->isat_np)
+ {
+ case ISAKMP_NEXT_T:
+ if (is_last)
+ {
+ loglog(RC_LOG_SERIOUS, "Proposal Payload has more Transforms than specified");
+ return FALSE;
+ }
+ break;
+ case ISAKMP_NEXT_NONE:
+ if (!is_last)
+ {
+ loglog(RC_LOG_SERIOUS, "Proposal Payload has fewer Transforms than specified");
+ return FALSE;
+ }
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "expecting Transform Payload, but found %s in Proposal"
+ , enum_show(&payload_names, trans->isat_np));
+ return FALSE;
+ }
+
+ *attrs = null_ipsec_trans_attrs;
+ attrs->transid = trans->isat_transid;
+
+ while (pbs_left(trans_pbs) != 0)
+ {
+ struct isakmp_attribute a;
+ pb_stream attr_pbs;
+ enum_names *vdesc;
+ u_int32_t val; /* room for larger value */
+ bool ipcomp_inappropriate = is_ipcomp; /* will get reset if OK */
+
+ if (!in_struct(&a, &isakmp_ipsec_attribute_desc, trans_pbs, &attr_pbs))
+ return FALSE;
+
+ passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
+
+ if (LHAS(seen_attrs, a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK))
+ {
+ loglog(RC_LOG_SERIOUS, "repeated %s attribute in IPsec Transform %u"
+ , enum_show(&ipsec_attr_names, a.isaat_af_type)
+ , trans->isat_transnum);
+ return FALSE;
+ }
+
+ seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
+
+ val = a.isaat_lv;
+
+ vdesc = ipsec_attr_val_descs[a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK];
+ if (vdesc != NULL)
+ {
+ if (enum_name(vdesc, val) == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "invalid value %u for attribute %s in IPsec Transform"
+ , (unsigned)val, enum_show(&ipsec_attr_names, a.isaat_af_type));
+ return FALSE;
+ }
+ DBG(DBG_PARSING
+ , if ((a.isaat_af_type & ISAKMP_ATTR_AF_MASK) == ISAKMP_ATTR_AF_TV)
+ DBG_log(" [%u is %s]"
+ , (unsigned)val, enum_show(vdesc, val)));
+ }
+
+ switch (a.isaat_af_type)
+ {
+ case SA_LIFE_TYPE | ISAKMP_ATTR_AF_TV:
+ ipcomp_inappropriate = FALSE;
+ if (LHAS(seen_durations, val))
+ {
+ loglog(RC_LOG_SERIOUS, "attribute SA_LIFE_TYPE value %s repeated in message"
+ , enum_show(&sa_lifetime_names, val));
+ return FALSE;
+ }
+ seen_durations |= LELEM(val);
+ life_type = val;
+ break;
+ case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+ val = decode_long_duration(&attr_pbs);
+ /* fall through */
+ case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TV:
+ ipcomp_inappropriate = FALSE;
+ if (!LHAS(seen_attrs, SA_LIFE_DURATION))
+ {
+ loglog(RC_LOG_SERIOUS, "SA_LIFE_DURATION IPsec attribute not preceded by SA_LIFE_TYPE attribute");
+ return FALSE;
+ }
+ seen_attrs &= ~(LELEM(SA_LIFE_DURATION) | LELEM(SA_LIFE_TYPE));
+
+ switch (life_type)
+ {
+ case SA_LIFE_TYPE_SECONDS:
+ /* silently limit duration to our maximum */
+ attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
+ ? val : SA_LIFE_DURATION_MAXIMUM;
+ break;
+ case SA_LIFE_TYPE_KBYTES:
+ attrs->life_kilobytes = val;
+ break;
+ default:
+ bad_case(life_type);
+ }
+ break;
+ case GROUP_DESCRIPTION | ISAKMP_ATTR_AF_TV:
+ if (is_ipcomp)
+ {
+ /* Accept reluctantly. Should not happen, according to
+ * draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
+ */
+ ipcomp_inappropriate = FALSE;
+ loglog(RC_COMMENT
+ , "IPCA (IPcomp SA) contains GROUP_DESCRIPTION."
+ " Ignoring inapproprate attribute.");
+ }
+ pfs_group = lookup_group(val);
+ if (pfs_group == NULL)
+ {
+ loglog(RC_LOG_SERIOUS, "only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported for PFS");
+ return FALSE;
+ }
+ break;
+ case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
+ ipcomp_inappropriate = FALSE;
+ switch (val)
+ {
+ case ENCAPSULATION_MODE_TUNNEL:
+ case ENCAPSULATION_MODE_TRANSPORT:
+ if (st->nat_traversal & NAT_T_DETECTED)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "%s must only be used if NAT-Traversal is not detected"
+ , enum_name(&enc_mode_names, val));
+ /*
+ * Accept it anyway because SSH-Sentinel does not
+ * use UDP_TUNNEL or UDP_TRANSPORT for the diagnostic.
+ *
+ * remove when SSH-Sentinel is fixed
+ */
+#ifdef I_DONT_CARE_OF_SSH_SENTINEL
+ return FALSE;
+#endif
+ }
+ attrs->encapsulation = val;
+ break;
+ case ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS:
+#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ loglog(RC_LOG_SERIOUS
+ , "NAT-Traversal: Transport mode disabled due to security concerns");
+ return FALSE;
+#endif
+ case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
+ if (st->nat_traversal & NAT_T_WITH_RFC_VALUES)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "%s must only be used with old IETF drafts"
+ , enum_name(&enc_mode_names, val));
+ return FALSE;
+ }
+ else if (st->nat_traversal & NAT_T_DETECTED)
+ {
+ attrs->encapsulation = val
+ - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS
+ + ENCAPSULATION_MODE_TUNNEL;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "%s must only be used if NAT-Traversal is detected"
+ , enum_name(&enc_mode_names, val));
+ return FALSE;
+ }
+ break;
+ case ENCAPSULATION_MODE_UDP_TRANSPORT_RFC:
+#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ loglog(RC_LOG_SERIOUS
+ , "NAT-Traversal: Transport mode disabled due "
+ "to security concerns");
+ return FALSE;
+#endif
+ case ENCAPSULATION_MODE_UDP_TUNNEL_RFC:
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && (st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+ {
+ attrs->encapsulation = val
+ - ENCAPSULATION_MODE_UDP_TUNNEL_RFC
+ + ENCAPSULATION_MODE_TUNNEL;
+ }
+ else if (st->nat_traversal & NAT_T_DETECTED)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "%s must only be used with NAT-T RFC"
+ , enum_name(&enc_mode_names, val));
+ return FALSE;
+ }
+ else
+ {
+ loglog(RC_LOG_SERIOUS
+ , "%s must only be used if NAT-Traversal is detected"
+ , enum_name(&enc_mode_names, val));
+ return FALSE;
+ }
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS
+ , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
+ return FALSE;
+ }
+ break;
+ case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
+ attrs->auth = val;
+ break;
+ case KEY_LENGTH | ISAKMP_ATTR_AF_TV:
+ attrs->key_len = val;
+ break;
+ case KEY_ROUNDS | ISAKMP_ATTR_AF_TV:
+ attrs->key_rounds = val;
+ break;
+#if 0 /* not yet implemented */
+ case COMPRESS_DICT_SIZE | ISAKMP_ATTR_AF_TV:
+ break;
+ case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TV:
+ break;
+
+ case SA_LIFE_DURATION | ISAKMP_ATTR_AF_TLV:
+ break;
+ case COMPRESS_PRIVATE_ALG | ISAKMP_ATTR_AF_TLV:
+ break;
+#endif
+ default:
+ loglog(RC_LOG_SERIOUS, "unsupported IPsec attribute %s"
+ , enum_show(&ipsec_attr_names, a.isaat_af_type));
+ return FALSE;
+ }
+ if (ipcomp_inappropriate)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec attribute %s inappropriate for IPCOMP"
+ , enum_show(&ipsec_attr_names, a.isaat_af_type));
+ return FALSE;
+ }
+ }
+
+ /* Although an IPCOMP SA (IPCA) ought not to have a pfs_group,
+ * if it does, demand that it be consistent.
+ * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1.
+ */
+ if (!is_ipcomp || pfs_group != NULL)
+ {
+ if (st->st_pfs_group == &unset_group)
+ st->st_pfs_group = pfs_group;
+
+ if (st->st_pfs_group != pfs_group)
+ {
+ loglog(RC_LOG_SERIOUS, "GROUP_DESCRIPTION inconsistent with that of %s in IPsec SA"
+ , selection? "the Proposal" : "a previous Transform");
+ return FALSE;
+ }
+ }
+
+ if (LHAS(seen_attrs, SA_LIFE_DURATION))
+ {
+ loglog(RC_LOG_SERIOUS, "SA_LIFE_TYPE IPsec attribute not followed by SA_LIFE_DURATION attribute in message");
+ return FALSE;
+ }
+
+ if (!LHAS(seen_attrs, ENCAPSULATION_MODE))
+ {
+ if (is_ipcomp)
+ {
+ /* draft-shacham-ippcp-rfc2393bis-05.txt 4.1:
+ * "If the Encapsulation Mode is unspecified,
+ * the default value of Transport Mode is assumed."
+ * This contradicts/overrides the DOI (quuoted below).
+ */
+ attrs->encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+ }
+ else
+ {
+ /* ??? Technically, RFC 2407 (IPSEC DOI) 4.5 specifies that
+ * the default is "unspecified (host-dependent)".
+ * This makes little sense, so we demand that it be specified.
+ */
+ loglog(RC_LOG_SERIOUS, "IPsec Transform must specify ENCAPSULATION_MODE");
+ return FALSE;
+ }
+ }
+
+ /* ??? should check for key_len and/or key_rounds if required */
+
+ return TRUE;
+}
+
+static void
+echo_proposal(
+ struct isakmp_proposal r_proposal, /* proposal to emit */
+ struct isakmp_transform r_trans, /* winning transformation within it */
+ u_int8_t np, /* Next Payload for proposal */
+ pb_stream *r_sa_pbs, /* SA PBS into which to emit */
+ struct ipsec_proto_info *pi, /* info about this protocol instance */
+ struct_desc *trans_desc, /* descriptor for this transformation */
+ pb_stream *trans_pbs, /* PBS for incoming transform */
+ struct spd_route *sr, /* host details for the association */
+ bool tunnel_mode) /* true for inner most tunnel SA */
+{
+ pb_stream r_proposal_pbs;
+ pb_stream r_trans_pbs;
+
+ /* Proposal */
+ r_proposal.isap_np = np;
+ r_proposal.isap_notrans = 1;
+ if (!out_struct(&r_proposal, &isakmp_proposal_desc, r_sa_pbs, &r_proposal_pbs))
+ impossible();
+
+ /* allocate and emit our CPI/SPI */
+ if (r_proposal.isap_protoid == PROTO_IPCOMP)
+ {
+ /* CPI is stored in network low order end of an
+ * ipsec_spi_t. So we start a couple of bytes in.
+ * Note: we may fail to generate a satisfactory CPI,
+ * but we'll ignore that.
+ */
+ pi->our_spi = get_my_cpi(sr, tunnel_mode);
+ out_raw((u_char *) &pi->our_spi
+ + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+ , IPCOMP_CPI_SIZE
+ , &r_proposal_pbs, "CPI");
+ }
+ else
+ {
+ pi->our_spi = get_ipsec_spi(pi->attrs.spi
+ , r_proposal.isap_protoid == PROTO_IPSEC_AH ?
+ IPPROTO_AH : IPPROTO_ESP
+ , sr
+ , tunnel_mode);
+ /* XXX should check for errors */
+ out_raw((u_char *) &pi->our_spi, IPSEC_DOI_SPI_SIZE
+ , &r_proposal_pbs, "SPI");
+ }
+
+ /* Transform */
+ r_trans.isat_np = ISAKMP_NEXT_NONE;
+ if (!out_struct(&r_trans, trans_desc, &r_proposal_pbs, &r_trans_pbs))
+ impossible();
+
+ /* Transform Attributes: pure echo */
+ trans_pbs->cur = trans_pbs->start + sizeof(struct isakmp_transform);
+ if (!out_raw(trans_pbs->cur, pbs_left(trans_pbs)
+ , &r_trans_pbs, "attributes"))
+ impossible();
+
+ close_output_pbs(&r_trans_pbs);
+ close_output_pbs(&r_proposal_pbs);
+}
+
+notification_t
+parse_ipsec_sa_body(
+ pb_stream *sa_pbs, /* body of input SA Payload */
+ const struct isakmp_sa *sa, /* header of input SA Payload */
+ pb_stream *r_sa_pbs, /* if non-NULL, where to emit body of winning SA */
+ bool selection, /* if this SA is a selection, only one transform may appear */
+ struct state *st) /* current state object */
+{
+ const struct connection *c = st->st_connection;
+ u_int32_t ipsecdoisit;
+ pb_stream next_proposal_pbs;
+
+ struct isakmp_proposal next_proposal;
+ ipsec_spi_t next_spi;
+
+ bool next_full = TRUE;
+
+ /* DOI */
+ if (sa->isasa_doi != ISAKMP_DOI_IPSEC)
+ {
+ loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
+ /* XXX Could send notification back */
+ return DOI_NOT_SUPPORTED;
+ }
+
+ /* Situation */
+ if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+ return SITUATION_NOT_SUPPORTED;
+
+ if (ipsecdoisit != SIT_IDENTITY_ONLY)
+ {
+ loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
+ , bitnamesof(sit_bit_names, ipsecdoisit));
+ /* XXX Could send notification back */
+ return SITUATION_NOT_SUPPORTED;
+ }
+
+ /* The rules for IPsec SAs are scattered.
+ * RFC 2408 "ISAKMP" section 4.2 gives some info.
+ * There may be multiple proposals. Those with identical proposal
+ * numbers must be considered as conjuncts. Those with different
+ * numbers are disjuncts.
+ * Each proposal may have several transforms, each considered
+ * an alternative.
+ * Each transform may have several attributes, all applying.
+ *
+ * To handle the way proposals are combined, we need to do a
+ * look-ahead.
+ */
+
+ if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
+ return BAD_PROPOSAL_SYNTAX;
+
+ /* for each conjunction of proposals... */
+ while (next_full)
+ {
+ int propno = next_proposal.isap_proposal;
+ pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
+ struct isakmp_proposal ah_proposal, esp_proposal, ipcomp_proposal;
+ ipsec_spi_t ah_spi = 0;
+ ipsec_spi_t esp_spi = 0;
+ ipsec_spi_t ipcomp_cpi = 0;
+ bool ah_seen = FALSE;
+ bool esp_seen = FALSE;
+ bool ipcomp_seen = FALSE;
+ bool tunnel_mode = FALSE;
+ int inner_proto = 0;
+ u_int16_t well_known_cpi = 0;
+
+ pb_stream ah_trans_pbs, esp_trans_pbs, ipcomp_trans_pbs;
+ struct isakmp_transform ah_trans, esp_trans, ipcomp_trans;
+ struct ipsec_trans_attrs ah_attrs, esp_attrs, ipcomp_attrs;
+
+ /* for each proposal in the conjunction */
+ do {
+
+ if (next_proposal.isap_protoid == PROTO_IPCOMP)
+ {
+ /* IPCOMP CPI */
+ if (next_proposal.isap_spisize == IPSEC_DOI_SPI_SIZE)
+ {
+ /* This code is to accommodate those peculiar
+ * implementations that send a CPI in the bottom of an
+ * SPI-sized field.
+ * See draft-shacham-ippcp-rfc2393bis-05.txt 4.1
+ */
+ u_int8_t filler[IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE];
+
+ if (!in_raw(filler, sizeof(filler)
+ , &next_proposal_pbs, "CPI filler")
+ || !all_zero(filler, sizeof(filler)))
+ return INVALID_SPI;
+ }
+ else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
+ , next_proposal.isap_spisize);
+ return INVALID_SPI;
+ }
+
+ /* We store CPI in the low order of a network order
+ * ipsec_spi_t. So we start a couple of bytes in.
+ */
+ zero(&next_spi);
+ if (!in_raw((u_char *)&next_spi
+ + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
+ , IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
+ return INVALID_SPI;
+
+ /* If sanity ruled, CPIs would have to be such that
+ * the SAID (the triple (CPI, IPCOM, destination IP))
+ * would be unique, just like for SPIs. But there is a
+ * perversion where CPIs can be well-known and consequently
+ * the triple is not unique. We hide this fact from
+ * ourselves by fudging the top 16 bits to make
+ * the property true internally!
+ */
+ switch (ntohl(next_spi))
+ {
+ case IPCOMP_DEFLATE:
+ well_known_cpi = ntohl(next_spi);
+ next_spi = uniquify_his_cpi(next_spi, st);
+ if (next_spi == 0)
+ {
+ loglog(RC_LOG_SERIOUS
+ , "IPsec Proposal contains well-known CPI that I cannot uniquify");
+ return INVALID_SPI;
+ }
+ break;
+ default:
+ if (ntohl(next_spi) < IPCOMP_FIRST_NEGOTIATED
+ || ntohl(next_spi) > IPCOMP_LAST_NEGOTIATED)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
+ , (unsigned long) ntohl(next_spi));
+ return INVALID_SPI;
+ }
+ break;
+ }
+ }
+ else
+ {
+ /* AH or ESP SPI */
+ if (next_proposal.isap_spisize != IPSEC_DOI_SPI_SIZE)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
+ , next_proposal.isap_spisize);
+ return INVALID_SPI;
+ }
+
+ if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
+ return INVALID_SPI;
+
+ /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
+ * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
+ * IPCOMP???
+ */
+ if (ntohl(next_spi) < IPSEC_DOI_SPI_MIN)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
+ , (unsigned long) ntohl(next_spi));
+ return INVALID_SPI;
+ }
+ }
+
+ if (next_proposal.isap_notrans == 0)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ switch (next_proposal.isap_protoid)
+ {
+ case PROTO_IPSEC_AH:
+ if (ah_seen)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ ah_seen = TRUE;
+ ah_prop_pbs = next_proposal_pbs;
+ ah_proposal = next_proposal;
+ ah_spi = next_spi;
+ break;
+
+ case PROTO_IPSEC_ESP:
+ if (esp_seen)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ esp_seen = TRUE;
+ esp_prop_pbs = next_proposal_pbs;
+ esp_proposal = next_proposal;
+ esp_spi = next_spi;
+ break;
+
+ case PROTO_IPCOMP:
+ if (ipcomp_seen)
+ {
+ loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ ipcomp_seen = TRUE;
+ ipcomp_prop_pbs = next_proposal_pbs;
+ ipcomp_proposal = next_proposal;
+ ipcomp_cpi = next_spi;
+ break;
+
+ default:
+ loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
+ , enum_show(&protocol_names, next_proposal.isap_protoid));
+ return INVALID_PROTOCOL_ID;
+ }
+
+ /* refill next_proposal */
+ if (next_proposal.isap_np == ISAKMP_NEXT_NONE)
+ {
+ next_full = FALSE;
+ break;
+ }
+ else if (next_proposal.isap_np != ISAKMP_NEXT_P)
+ {
+ loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
+ , enum_show(&payload_names, next_proposal.isap_np));
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
+ return BAD_PROPOSAL_SYNTAX;
+ } while (next_proposal.isap_proposal == propno);
+
+ /* Now that we have all conjuncts, we should try
+ * the Cartesian product of eachs tranforms!
+ * At the moment, we take short-cuts on account of
+ * our rudimentary hard-wired policy.
+ * For now, we find an acceptable AH (if any)
+ * and then an acceptable ESP. The only interaction
+ * is that the ESP acceptance can know whether there
+ * was an acceptable AH and hence not require an AUTH.
+ */
+
+ if (ah_seen)
+ {
+ int previous_transnum = -1;
+ int tn;
+
+ for (tn = 0; tn != ah_proposal.isap_notrans; tn++)
+ {
+ int ok_transid = 0;
+ bool ok_auth = FALSE;
+
+ if (!parse_ipsec_transform(&ah_trans
+ , &ah_attrs
+ , &ah_prop_pbs
+ , &ah_trans_pbs
+ , &isakmp_ah_transform_desc
+ , previous_transnum
+ , selection
+ , tn == ah_proposal.isap_notrans - 1
+ , FALSE
+ , st))
+ return BAD_PROPOSAL_SYNTAX;
+
+ previous_transnum = ah_trans.isat_transnum;
+
+ /* we must understand ah_attrs.transid
+ * COMBINED with ah_attrs.auth.
+ * See RFC 2407 "IPsec DOI" section 4.4.3
+ * The following combinations are legal,
+ * but we don't implement all of them:
+ * It seems as if each auth algorithm
+ * only applies to one ah transid.
+ * AH_MD5, AUTH_ALGORITHM_HMAC_MD5
+ * AH_MD5, AUTH_ALGORITHM_KPDK (unimplemented)
+ * AH_SHA, AUTH_ALGORITHM_HMAC_SHA1
+ * AH_DES, AUTH_ALGORITHM_DES_MAC (unimplemented)
+ */
+ switch (ah_attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
+ return BAD_PROPOSAL_SYNTAX;
+
+ case AUTH_ALGORITHM_HMAC_MD5:
+ ok_auth = TRUE;
+ /* fall through */
+ case AUTH_ALGORITHM_KPDK:
+ ok_transid = AH_MD5;
+ break;
+
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ ok_auth = TRUE;
+ ok_transid = AH_SHA;
+ break;
+
+ case AUTH_ALGORITHM_DES_MAC:
+ ok_transid = AH_DES;
+ break;
+ }
+ if (ah_attrs.transid != ok_transid)
+ {
+ loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
+ , enum_name(&auth_alg_names, ah_attrs.auth)
+ , enum_show(&ah_transformid_names, ah_attrs.transid));
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ if (!ok_auth)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("%s attribute unsupported"
+ " in %s Transform from %s"
+ , enum_name(&auth_alg_names, ah_attrs.auth)
+ , enum_show(&ah_transformid_names, ah_attrs.transid)
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+ break; /* we seem to be happy */
+ }
+ if (tn == ah_proposal.isap_notrans)
+ continue; /* we didn't find a nice one */
+ ah_attrs.spi = ah_spi;
+ inner_proto = IPPROTO_AH;
+ if (ah_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ tunnel_mode = TRUE;
+ }
+
+ if (esp_seen)
+ {
+ int previous_transnum = -1;
+ int tn;
+
+ for (tn = 0; tn != esp_proposal.isap_notrans; tn++)
+ {
+ if (!parse_ipsec_transform(&esp_trans
+ , &esp_attrs
+ , &esp_prop_pbs
+ , &esp_trans_pbs
+ , &isakmp_esp_transform_desc
+ , previous_transnum
+ , selection
+ , tn == esp_proposal.isap_notrans - 1
+ , FALSE
+ , st))
+ return BAD_PROPOSAL_SYNTAX;
+
+ previous_transnum = esp_trans.isat_transnum;
+
+ /* set default key length for AES encryption */
+ if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
+ {
+ esp_attrs.key_len = 128 / BITS_PER_BYTE;
+ }
+
+ if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
+ ,c->alg_info_esp))
+ {
+ switch (esp_attrs.transid)
+ {
+ case ESP_3DES:
+ break;
+#ifdef SUPPORT_ESP_NULL /* should be about as secure as AH-only */
+ case ESP_NULL:
+ if (esp_attrs.auth == AUTH_ALGORITHM_NONE)
+ {
+ loglog(RC_LOG_SERIOUS, "ESP_NULL requires auth algorithm");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+ if (st->st_policy & POLICY_ENCRYPT)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("ESP_NULL Transform Proposal from %s"
+ " does not satisfy POLICY_ENCRYPT"
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+ break;
+#endif
+ default:
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("unsupported ESP Transform %s from %s"
+ , enum_show(&esp_transformid_names, esp_attrs.transid)
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+ }
+
+ if (!kernel_alg_esp_auth_ok(esp_attrs.auth, c->alg_info_esp))
+ {
+ switch (esp_attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ if (!ah_seen)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("ESP from %s must either have AUTH or be combined with AH"
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+ break;
+ case AUTH_ALGORITHM_HMAC_MD5:
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ break;
+ default:
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("unsupported ESP auth alg %s from %s"
+ , enum_show(&auth_alg_names, esp_attrs.auth)
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+ }
+
+ /* A last check for allowed transforms in alg_info_esp
+ * (ALG_INFO_F_STRICT flag)
+ */
+ if (!kernel_alg_esp_ok_final(esp_attrs.transid, esp_attrs.key_len
+ ,esp_attrs.auth, c->alg_info_esp))
+ {
+ continue;
+ }
+
+ if (ah_seen && ah_attrs.encapsulation != esp_attrs.encapsulation)
+ {
+ /* ??? This should be an error, but is it? */
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("AH and ESP transforms disagree about encapsulation; TUNNEL presumed"));
+ }
+
+ break; /* we seem to be happy */
+ }
+ if (tn == esp_proposal.isap_notrans)
+ continue; /* we didn't find a nice one */
+
+ esp_attrs.spi = esp_spi;
+ inner_proto = IPPROTO_ESP;
+ if (esp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ tunnel_mode = TRUE;
+ }
+ else if (st->st_policy & POLICY_ENCRYPT)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("policy for \"%s\" requires encryption but ESP not in Proposal from %s"
+ , c->name, ip_str(&c->spd.that.host_addr)));
+ continue; /* we needed encryption, but didn't find ESP */
+ }
+ else if ((st->st_policy & POLICY_AUTHENTICATE) && !ah_seen)
+ {
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("policy for \"%s\" requires authentication"
+ " but none in Proposal from %s"
+ , c->name, ip_str(&c->spd.that.host_addr)));
+ continue; /* we need authentication, but we found neither ESP nor AH */
+ }
+
+ if (ipcomp_seen)
+ {
+ int previous_transnum = -1;
+ int tn;
+
+#ifdef NEVER /* we think IPcomp is working now */
+ /**** FUDGE TO PREVENT UNREQUESTED IPCOMP:
+ **** NEEDED BECAUSE OUR IPCOMP IS EXPERIMENTAL (UNSTABLE).
+ ****/
+ if (!(st->st_policy & POLICY_COMPRESS))
+ {
+ plog("compression proposed by %s, but policy for \"%s\" forbids it"
+ , ip_str(&c->spd.that.host_addr), c->name);
+ continue; /* unwanted compression proposal */
+ }
+#endif
+ if (!can_do_IPcomp)
+ {
+ plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
+ , ip_str(&c->spd.that.host_addr));
+ continue;
+ }
+
+ if (well_known_cpi != 0 && !ah_seen && !esp_seen)
+ {
+ plog("illegal proposal: bare IPCOMP used with well-known CPI");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
+ {
+ if (!parse_ipsec_transform(&ipcomp_trans
+ , &ipcomp_attrs
+ , &ipcomp_prop_pbs
+ , &ipcomp_trans_pbs
+ , &isakmp_ipcomp_transform_desc
+ , previous_transnum
+ , selection
+ , tn == ipcomp_proposal.isap_notrans - 1
+ , TRUE
+ , st))
+ return BAD_PROPOSAL_SYNTAX;
+
+ previous_transnum = ipcomp_trans.isat_transnum;
+
+ if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
+ {
+ plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
+ return BAD_PROPOSAL_SYNTAX;
+ }
+
+ switch (ipcomp_attrs.transid)
+ {
+ case IPCOMP_DEFLATE: /* all we can handle! */
+ break;
+
+ default:
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("unsupported IPCOMP Transform %s from %s"
+ , enum_show(&ipcomp_transformid_names, ipcomp_attrs.transid)
+ , ip_str(&c->spd.that.host_addr)));
+ continue; /* try another */
+ }
+
+ if (ah_seen && ah_attrs.encapsulation != ipcomp_attrs.encapsulation)
+ {
+ /* ??? This should be an error, but is it? */
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("AH and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
+ } else if (esp_seen && esp_attrs.encapsulation != ipcomp_attrs.encapsulation)
+ {
+ /* ??? This should be an error, but is it? */
+ DBG(DBG_CONTROL | DBG_CRYPT
+ , DBG_log("ESP and IPCOMP transforms disagree about encapsulation; TUNNEL presumed"));
+ }
+
+ break; /* we seem to be happy */
+ }
+ if (tn == ipcomp_proposal.isap_notrans)
+ continue; /* we didn't find a nice one */
+ ipcomp_attrs.spi = ipcomp_cpi;
+ inner_proto = IPPROTO_COMP;
+ if (ipcomp_attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
+ tunnel_mode = TRUE;
+ }
+
+ /* Eureka: we liked what we saw -- accept it. */
+
+ if (r_sa_pbs != NULL)
+ {
+ /* emit what we've accepted */
+
+ /* Situation */
+ if (!out_struct(&ipsecdoisit, &ipsec_sit_desc, r_sa_pbs, NULL))
+ impossible();
+
+ /* AH proposal */
+ if (ah_seen)
+ echo_proposal(ah_proposal
+ , ah_trans
+ , esp_seen || ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
+ , r_sa_pbs
+ , &st->st_ah
+ , &isakmp_ah_transform_desc
+ , &ah_trans_pbs
+ , &st->st_connection->spd
+ , tunnel_mode && inner_proto == IPPROTO_AH);
+
+ /* ESP proposal */
+ if (esp_seen)
+ echo_proposal(esp_proposal
+ , esp_trans
+ , ipcomp_seen? ISAKMP_NEXT_P : ISAKMP_NEXT_NONE
+ , r_sa_pbs
+ , &st->st_esp
+ , &isakmp_esp_transform_desc
+ , &esp_trans_pbs
+ , &st->st_connection->spd
+ , tunnel_mode && inner_proto == IPPROTO_ESP);
+
+ /* IPCOMP proposal */
+ if (ipcomp_seen)
+ echo_proposal(ipcomp_proposal
+ , ipcomp_trans
+ , ISAKMP_NEXT_NONE
+ , r_sa_pbs
+ , &st->st_ipcomp
+ , &isakmp_ipcomp_transform_desc
+ , &ipcomp_trans_pbs
+ , &st->st_connection->spd
+ , tunnel_mode && inner_proto == IPPROTO_COMP);
+
+ close_output_pbs(r_sa_pbs);
+ }
+
+ /* save decoded version of winning SA in state */
+
+ st->st_ah.present = ah_seen;
+ if (ah_seen)
+ st->st_ah.attrs = ah_attrs;
+
+ st->st_esp.present = esp_seen;
+ if (esp_seen)
+ st->st_esp.attrs = esp_attrs;
+
+ st->st_ipcomp.present = ipcomp_seen;
+ if (ipcomp_seen)
+ st->st_ipcomp.attrs = ipcomp_attrs;
+
+ return NOTHING_WRONG;
+ }
+
+ loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
+ return NO_PROPOSAL_CHOSEN;
+}
diff --git a/src/pluto/spdb.h b/src/pluto/spdb.h
new file mode 100644
index 000000000..0df488841
--- /dev/null
+++ b/src/pluto/spdb.h
@@ -0,0 +1,112 @@
+/* Security Policy Data Base (such as it is)
+ * Copyright (C) 1998, 1999 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: spdb.h,v 1.4 2006/04/22 21:59:20 as Exp $
+ */
+
+#ifndef _SPDB_H
+#define _SPDB_H
+
+#include "packet.h"
+
+/* database of SA properties */
+
+/* Attribute type and value pair.
+ * Note: only "basic" values are represented so far.
+ */
+struct db_attr {
+ u_int16_t type; /* ISAKMP_ATTR_AF_TV is implied; 0 for end */
+ u_int16_t val;
+};
+
+/* transform */
+struct db_trans {
+ u_int8_t transid; /* Transform-Id */
+ struct db_attr *attrs; /* array */
+ int attr_cnt; /* number of elements */
+};
+
+/* proposal */
+struct db_prop {
+ u_int8_t protoid; /* Protocol-Id */
+ struct db_trans *trans; /* array (disjunction) */
+ int trans_cnt; /* number of elements */
+ /* SPI size and value isn't part of DB */
+};
+
+/* conjunction of proposals */
+struct db_prop_conj {
+ struct db_prop *props; /* array */
+ int prop_cnt; /* number of elements */
+};
+
+/* security association */
+struct db_sa {
+ struct db_prop_conj *prop_conjs; /* array */
+ int prop_conj_cnt; /* number of elements */
+ /* Hardwired for now;
+ * DOI: ISAKMP_DOI_IPSEC
+ * Situation: SIT_IDENTITY_ONLY
+ */
+};
+
+/* The oakley sadb */
+extern struct db_sa oakley_sadb;
+
+/* The ipsec sadb is subscripted by a bitset with members
+ * from POLICY_ENCRYPT, POLICY_AUTHENTICATE, POLICY_COMPRESS
+ */
+extern struct db_sa ipsec_sadb[1 << 3];
+
+/* forward declaration */
+struct state;
+
+extern bool out_sa(
+ pb_stream *outs,
+ struct db_sa *sadb,
+ struct state *st,
+ bool oakley_mode,
+ u_int8_t np);
+
+extern notification_t preparse_isakmp_sa_body(
+ const struct isakmp_sa *sa, /* header of input SA Payload */
+ pb_stream *sa_pbs, /* body of input SA Payload */
+ u_int32_t *ipsecdoisit, /* IPsec DOI SIT bitset */
+ pb_stream *proposal_pbs, /* body of proposal Payload */
+ struct isakmp_proposal *proposal);
+
+extern notification_t parse_isakmp_policy(
+ pb_stream *proposal_pbs, /* body of proposal Payload */
+ u_int notrans, /* number of transforms */
+ lset_t *policy); /* RSA, PSK or XAUTH policy */
+
+extern notification_t parse_isakmp_sa_body(
+ u_int32_t ipsecdoisit, /* IPsec DOI SIT bitset */
+ pb_stream *proposal_pbs, /* body of proposal Payload */
+ struct isakmp_proposal *proposal,
+ pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
+ struct state *st, /* current state object */
+ bool initiator); /* is caller initiator? */
+
+extern notification_t parse_ipsec_sa_body(
+ pb_stream *sa_pbs, /* body of input SA Payload */
+ const struct isakmp_sa *sa, /* header of input SA Payload */
+ pb_stream *r_sa_pbs, /* if non-NULL, where to emit winning SA */
+ bool selection, /* if this SA is a selection, only one tranform can appear */
+ struct state *st); /* current state object */
+
+extern void backup_pbs(pb_stream *pbs);
+extern void restore_pbs(pb_stream *pbs);
+
+#endif /* _SPDB_H */
+
diff --git a/src/pluto/state.c b/src/pluto/state.c
new file mode 100644
index 000000000..80c3156b1
--- /dev/null
+++ b/src/pluto/state.c
@@ -0,0 +1,1012 @@
+/* routines for state objects
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: state.c,v 1.13 2006/04/29 18:16:02 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <fcntl.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "connections.h"
+#include "state.h"
+#include "kernel.h"
+#include "log.h"
+#include "packet.h" /* so we can calculate sizeof(struct isakmp_hdr) */
+#include "keys.h" /* for free_public_key */
+#include "rnd.h"
+#include "timer.h"
+#include "whack.h"
+#include "demux.h" /* needs packet.h */
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+
+#include "sha1.h"
+#include "md5.h"
+#include "crypto.h" /* requires sha1.h and md5.h */
+
+/*
+ * Global variables: had to go somewhere, might as well be this file.
+ */
+
+u_int16_t pluto_port = IKE_UDP_PORT; /* Pluto's port */
+
+/*
+ * This file has the functions that handle the
+ * state hash table and the Message ID list.
+ */
+
+/* Message-IDs
+ *
+ * A Message ID is contained in each IKE message header.
+ * For Phase 1 exchanges (Main and Aggressive), it will be zero.
+ * For other exchanges, which must be under the protection of an
+ * ISAKMP SA, the Message ID must be unique within that ISAKMP SA.
+ * Effectively, this labels the message as belonging to a particular
+ * exchange.
+ * BTW, we feel this uniqueness allows rekeying to be somewhat simpler
+ * than specified by draft-jenkins-ipsec-rekeying-06.txt.
+ *
+ * A MessageID is a 32 bit unsigned number. We represent the value
+ * internally in network order -- they are just blobs to us.
+ * They are unsigned numbers to make hashing and comparing easy.
+ *
+ * The following mechanism is used to allocate message IDs. This
+ * requires that we keep track of which numbers have already been used
+ * so that we don't allocate one in use.
+ */
+
+struct msgid_list
+{
+ msgid_t msgid; /* network order */
+ struct msgid_list *next;
+};
+
+bool
+reserve_msgid(struct state *isakmp_sa, msgid_t msgid)
+{
+ struct msgid_list *p;
+
+ passert(msgid != MAINMODE_MSGID);
+ passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
+
+ for (p = isakmp_sa->st_used_msgids; p != NULL; p = p->next)
+ if (p->msgid == msgid)
+ return FALSE;
+
+ p = alloc_thing(struct msgid_list, "msgid");
+ p->msgid = msgid;
+ p->next = isakmp_sa->st_used_msgids;
+ isakmp_sa->st_used_msgids = p;
+ return TRUE;
+}
+
+msgid_t
+generate_msgid(struct state *isakmp_sa)
+{
+ int timeout = 100; /* only try so hard for unique msgid */
+ msgid_t msgid;
+
+ passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));
+
+ for (;;)
+ {
+ get_rnd_bytes((void *) &msgid, sizeof(msgid));
+ if (msgid != 0 && reserve_msgid(isakmp_sa, msgid))
+ break;
+
+ if (--timeout == 0)
+ {
+ plog("gave up looking for unique msgid; using 0x%08lx"
+ , (unsigned long) msgid);
+ break;
+ }
+ }
+ return msgid;
+}
+
+
+/* state table functions */
+
+#define STATE_TABLE_SIZE 32
+
+static struct state *statetable[STATE_TABLE_SIZE];
+
+static struct state **
+state_hash(const u_char *icookie, const u_char *rcookie, const ip_address *peer)
+{
+ u_int i = 0, j;
+ const unsigned char *byte_ptr;
+ size_t length = addrbytesptr(peer, &byte_ptr);
+
+ DBG(DBG_RAW | DBG_CONTROL,
+ DBG_dump("ICOOKIE:", icookie, COOKIE_SIZE);
+ DBG_dump("RCOOKIE:", rcookie, COOKIE_SIZE);
+ DBG_dump("peer:", byte_ptr, length));
+
+ /* XXX the following hash is pretty pathetic */
+
+ for (j = 0; j < COOKIE_SIZE; j++)
+ i = i * 407 + icookie[j] + rcookie[j];
+
+ for (j = 0; j < length; j++)
+ i = i * 613 + byte_ptr[j];
+
+ i = i % STATE_TABLE_SIZE;
+
+ DBG(DBG_CONTROL, DBG_log("state hash entry %d", i));
+
+ return &statetable[i];
+}
+
+/* Get a state object.
+ * Caller must schedule an event for this object so that it doesn't leak.
+ * Caller must insert_state().
+ */
+struct state *
+new_state(void)
+{
+ static const struct state blank_state; /* initialized all to zero & NULL */
+ static so_serial_t next_so = SOS_FIRST;
+ struct state *st;
+
+ st = clone_thing(blank_state, "struct state in new_state()");
+ st->st_serialno = next_so++;
+ passert(next_so > SOS_FIRST); /* overflow can't happen! */
+ st->st_whack_sock = NULL_FD;
+ DBG(DBG_CONTROL, DBG_log("creating state object #%lu at %p",
+ st->st_serialno, (void *) st));
+ return st;
+}
+
+/*
+ * Initialize the state table (and mask*).
+ */
+void
+init_states(void)
+{
+ int i;
+
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ statetable[i] = (struct state *) NULL;
+}
+
+/* Find the state object with this serial number.
+ * This allows state object references that don't turn into dangerous
+ * dangling pointers: reference a state by its serial number.
+ * Returns NULL if there is no such state.
+ * If this turns out to be a significant CPU hog, it could be
+ * improved to use a hash table rather than sequential seartch.
+ */
+struct state *
+state_with_serialno(so_serial_t sn)
+{
+ if (sn >= SOS_FIRST)
+ {
+ struct state *st;
+ int i;
+
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ if (st->st_serialno == sn)
+ return st;
+ }
+ return NULL;
+}
+
+/* Insert a state object in the hash table. The object is inserted
+ * at the begining of list.
+ * Needs cookies, connection, and msgid.
+ */
+void
+insert_state(struct state *st)
+{
+ struct state **p = state_hash(st->st_icookie, st->st_rcookie
+ , &st->st_connection->spd.that.host_addr);
+
+ passert(st->st_hashchain_prev == NULL && st->st_hashchain_next == NULL);
+
+ if (*p != NULL)
+ {
+ passert((*p)->st_hashchain_prev == NULL);
+ (*p)->st_hashchain_prev = st;
+ }
+ st->st_hashchain_next = *p;
+ *p = st;
+
+ /* Ensure that somebody is in charge of killing this state:
+ * if no event is scheduled for it, schedule one to discard the state.
+ * If nothing goes wrong, this event will be replaced by
+ * a more appropriate one.
+ */
+ if (st->st_event == NULL)
+ event_schedule(EVENT_SO_DISCARD, 0, st);
+}
+
+/* unlink a state object from the hash table, but don't free it
+ */
+void
+unhash_state(struct state *st)
+{
+ /* unlink from forward chain */
+ struct state **p = st->st_hashchain_prev == NULL
+ ? state_hash(st->st_icookie, st->st_rcookie
+ , &st->st_connection->spd.that.host_addr)
+ : &st->st_hashchain_prev->st_hashchain_next;
+
+ /* unlink from forward chain */
+ passert(*p == st);
+ *p = st->st_hashchain_next;
+
+ /* unlink from backward chain */
+ if (st->st_hashchain_next != NULL)
+ {
+ passert(st->st_hashchain_next->st_hashchain_prev == st);
+ st->st_hashchain_next->st_hashchain_prev = st->st_hashchain_prev;
+ }
+
+ st->st_hashchain_next = st->st_hashchain_prev = NULL;
+}
+
+/* Free the Whack socket file descriptor.
+ * This has the side effect of telling Whack that we're done.
+ */
+void
+release_whack(struct state *st)
+{
+ close_any(st->st_whack_sock);
+}
+
+/* delete a state object */
+void
+delete_state(struct state *st)
+{
+ struct connection *const c = st->st_connection;
+ struct state *old_cur_state = cur_state == st? NULL : cur_state;
+
+ set_cur_state(st);
+
+ /* If DPD is enabled on this state object, clear any pending events */
+ if(st->st_dpd_event != NULL)
+ delete_dpd_event(st);
+
+ /* if there is a suspended state transition, disconnect us */
+ if (st->st_suspended_md != NULL)
+ {
+ passert(st->st_suspended_md->st == st);
+ st->st_suspended_md->st = NULL;
+ }
+
+ /* tell the other side of any IPSEC SAs that are going down */
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+ || IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+ send_delete(st);
+
+ delete_event(st); /* delete any pending timer event */
+
+ /* Ditch anything pending on ISAKMP SA being established.
+ * Note: this must be done before the unhash_state to prevent
+ * flush_pending_by_state inadvertently and prematurely
+ * deleting our connection.
+ */
+ flush_pending_by_state(st);
+
+ /* effectively, this deletes any ISAKMP SA that this state represents */
+ unhash_state(st);
+
+ /* tell kernel to delete any IPSEC SA
+ * ??? we ought to tell peer to delete IPSEC SAs
+ */
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ delete_ipsec_sa(st, FALSE);
+ else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+ delete_ipsec_sa(st, TRUE);
+
+ if (c->newest_ipsec_sa == st->st_serialno)
+ c->newest_ipsec_sa = SOS_NOBODY;
+
+ if (c->newest_isakmp_sa == st->st_serialno)
+ c->newest_isakmp_sa = SOS_NOBODY;
+
+ st->st_connection = NULL; /* we might be about to free it */
+ cur_state = old_cur_state; /* without st_connection, st isn't complete */
+ connection_discard(c);
+
+ release_whack(st);
+
+ /* from here on we are just freeing RAM */
+
+ {
+ struct msgid_list *p = st->st_used_msgids;
+
+ while (p != NULL)
+ {
+ struct msgid_list *q = p;
+ p = p->next;
+ pfree(q);
+ }
+ }
+
+ unreference_key(&st->st_peer_pubkey);
+
+ if (st->st_sec_in_use)
+ mpz_clear(&(st->st_sec));
+
+ pfreeany(st->st_tpacket.ptr);
+ pfreeany(st->st_rpacket.ptr);
+ pfreeany(st->st_p1isa.ptr);
+ pfreeany(st->st_gi.ptr);
+ pfreeany(st->st_gr.ptr);
+ pfreeany(st->st_shared.ptr);
+ pfreeany(st->st_ni.ptr);
+ pfreeany(st->st_nr.ptr);
+ pfreeany(st->st_skeyid.ptr);
+ pfreeany(st->st_skeyid_d.ptr);
+ pfreeany(st->st_skeyid_a.ptr);
+ pfreeany(st->st_skeyid_e.ptr);
+ pfreeany(st->st_enc_key.ptr);
+ pfreeany(st->st_ah.our_keymat);
+ pfreeany(st->st_ah.peer_keymat);
+ pfreeany(st->st_esp.our_keymat);
+ pfreeany(st->st_esp.peer_keymat);
+
+ pfree(st);
+}
+
+/*
+ * Is a connection in use by some state?
+ */
+bool
+states_use_connection(struct connection *c)
+{
+ /* are there any states still using it? */
+ struct state *st = NULL;
+ int i;
+
+ for (i = 0; st == NULL && i < STATE_TABLE_SIZE; i++)
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ if (st->st_connection == c)
+ return TRUE;
+
+ return FALSE;
+}
+
+/*
+ * delete all states that were created for a given connection.
+ * if relations == TRUE, then also delete states that share
+ * the same phase 1 SA.
+ */
+void
+delete_states_by_connection(struct connection *c, bool relations)
+{
+ int pass;
+ /* this kludge avoids an n^2 algorithm */
+ enum connection_kind ck = c->kind;
+ struct spd_route *sr;
+
+ /* save this connection's isakmp SA, since it will get set to later SOS_NOBODY */
+ so_serial_t parent_sa = c->newest_isakmp_sa;
+
+ if (ck == CK_INSTANCE)
+ c->kind = CK_GOING_AWAY;
+
+ /* We take two passes so that we delete any ISAKMP SAs last.
+ * This allows Delete Notifications to be sent.
+ * ?? We could probably double the performance by caching any
+ * ISAKMP SA states found in the first pass, avoiding a second.
+ */
+ for (pass = 0; pass != 2; pass++)
+ {
+ int i;
+
+ /* For each hash chain... */
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *st;
+
+ /* For each state in the hash chain... */
+ for (st = statetable[i]; st != NULL; )
+ {
+ struct state *this = st;
+
+ st = st->st_hashchain_next; /* before this is deleted */
+
+
+ if ((this->st_connection == c
+ || (relations && parent_sa != SOS_NOBODY
+ && this->st_clonedfrom == parent_sa))
+ && (pass == 1 || !IS_ISAKMP_SA_ESTABLISHED(this->st_state)))
+ {
+ struct state *old_cur_state
+ = cur_state == this? NULL : cur_state;
+#ifdef DEBUG
+ lset_t old_cur_debugging = cur_debugging;
+#endif
+
+ set_cur_state(this);
+ plog("deleting state (%s)"
+ , enum_show(&state_names, this->st_state));
+ delete_state(this);
+ cur_state = old_cur_state;
+#ifdef DEBUG
+ cur_debugging = old_cur_debugging;
+#endif
+ }
+ }
+ }
+ }
+
+ sr = &c->spd;
+ while (sr != NULL)
+ {
+ passert(sr->eroute_owner == SOS_NOBODY);
+ passert(sr->routing != RT_ROUTED_TUNNEL);
+ sr = sr->next;
+ }
+
+ if (ck == CK_INSTANCE)
+ {
+ c->kind = ck;
+ delete_connection(c, relations);
+ }
+}
+
+/* Walk through the state table, and delete each state whose phase 1 (IKE)
+ * peer is among those given.
+ */
+void
+delete_states_by_peer(ip_address *peer)
+{
+ char peerstr[ADDRTOT_BUF];
+ int i;
+
+ addrtot(peer, 0, peerstr, sizeof(peerstr));
+
+ /* For each hash chain... */
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *st;
+
+ /* For each state in the hash chain... */
+ for (st = statetable[i]; st != NULL; )
+ {
+ struct state *this = st;
+ struct spd_route *sr;
+ struct connection *c = this->st_connection;
+
+ st = st->st_hashchain_next; /* before this is deleted */
+
+ /* ??? Is it not the case that the peer is the same for all spds? */
+ for (sr = &c->spd; sr != NULL; sr = sr->next)
+ {
+ if (sameaddr(&sr->that.host_addr, peer))
+ {
+ plog("peer %s for connection %s deleting - claimed to have crashed"
+ , peerstr
+ , c->name);
+ delete_states_by_connection(c, TRUE);
+ break; /* can only delete it once */
+ }
+ }
+ }
+ }
+}
+
+/* Duplicate a Phase 1 state object, to create a Phase 2 object.
+ * Caller must schedule an event for this object so that it doesn't leak.
+ * Caller must insert_state().
+ */
+struct state *
+duplicate_state(struct state *st)
+{
+ struct state *nst;
+
+ DBG(DBG_CONTROL, DBG_log("duplicating state object #%lu",
+ st->st_serialno));
+
+ /* record use of the Phase 1 state */
+ st->st_outbound_count++;
+ st->st_outbound_time = now();
+
+ nst = new_state();
+
+ memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
+ memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
+
+ nst->st_connection = st->st_connection;
+ nst->st_doi = st->st_doi;
+ nst->st_situation = st->st_situation;
+ nst->st_clonedfrom = st->st_serialno;
+ nst->st_oakley = st->st_oakley;
+ nst->st_modecfg = st->st_modecfg;
+
+# define clone_chunk(ch, name) \
+ clonetochunk(nst->ch, st->ch.ptr, st->ch.len, name)
+
+ clone_chunk(st_skeyid_d, "st_skeyid_d in duplicate_state");
+ clone_chunk(st_skeyid_a, "st_skeyid_a in duplicate_state");
+ clone_chunk(st_skeyid_e, "st_skeyid_e in duplicate_state");
+ clone_chunk(st_enc_key, "st_enc_key in duplicate_state");
+
+# undef clone_chunk
+
+ return nst;
+}
+
+#if 1
+void for_each_state(void *(f)(struct state *, void *data), void *data)
+{
+ struct state *st, *ocs = cur_state;
+ int i;
+ for (i=0; i<STATE_TABLE_SIZE; i++) {
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next) {
+ set_cur_state(st);
+ f(st, data);
+ }
+ }
+ cur_state = ocs;
+}
+#endif
+
+/*
+ * Find a state object.
+ */
+struct state *
+find_state(const u_char *icookie
+, const u_char *rcookie
+, const ip_address *peer
+, msgid_t /*network order*/ msgid)
+{
+ struct state *st = *state_hash(icookie, rcookie, peer);
+
+ while (st != (struct state *) NULL)
+ if (sameaddr(peer, &st->st_connection->spd.that.host_addr)
+ && memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
+ && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
+ && msgid == st->st_msgid)
+ break;
+ else
+ st = st->st_hashchain_next;
+
+ DBG(DBG_CONTROL,
+ if (st == NULL)
+ DBG_log("state object not found");
+ else
+ DBG_log("state object #%lu found, in %s"
+ , st->st_serialno
+ , enum_show(&state_names, st->st_state)));
+
+ return st;
+}
+
+/* Find the state that sent a packet
+ * ??? this could be expensive -- it should be rate-limited to avoid DoS
+ */
+struct state *
+find_sender(size_t packet_len, u_char *packet)
+{
+ int i;
+ struct state *st;
+
+ if (packet_len >= sizeof(struct isakmp_hdr))
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ if (st->st_tpacket.ptr != NULL
+ && st->st_tpacket.len == packet_len
+ && memcmp(st->st_tpacket.ptr, packet, packet_len) == 0)
+ return st;
+
+ return NULL;
+}
+
+struct state *
+find_phase2_state_to_delete(const struct state *p1st
+, u_int8_t protoid
+, ipsec_spi_t spi
+, bool *bogus)
+{
+ struct state *st;
+ int i;
+
+ *bogus = FALSE;
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+ && p1st->st_connection->host_pair == st->st_connection->host_pair
+ && same_peer_ids(p1st->st_connection, st->st_connection, NULL))
+ {
+ struct ipsec_proto_info *pr = protoid == PROTO_IPSEC_AH
+ ? &st->st_ah : &st->st_esp;
+
+ if (pr->present)
+ {
+ if (pr->attrs.spi == spi)
+ return st;
+ if (pr->our_spi == spi)
+ *bogus = TRUE;
+ }
+ }
+ }
+ }
+ return NULL;
+}
+
+/* Find newest Phase 1 negotiation state object for suitable for connection c
+ */
+struct state *
+find_phase1_state(const struct connection *c, lset_t ok_states)
+{
+ struct state
+ *st,
+ *best = NULL;
+ int i;
+
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ if (LHAS(ok_states, st->st_state)
+ && c->host_pair == st->st_connection->host_pair
+ && same_peer_ids(c, st->st_connection, NULL)
+ && (best == NULL || best->st_serialno < st->st_serialno))
+ best = st;
+
+ return best;
+}
+
+void
+state_eroute_usage(ip_subnet *ours, ip_subnet *his
+, unsigned long count, time_t nw)
+{
+ struct state *st;
+ int i;
+
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
+ struct connection *c = st->st_connection;
+
+ /* XXX spd-enum */
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
+ && c->spd.eroute_owner == st->st_serialno
+ && c->spd.routing == RT_ROUTED_TUNNEL
+ && samesubnet(&c->spd.this.client, ours)
+ && samesubnet(&c->spd.that.client, his))
+ {
+ if (st->st_outbound_count != count)
+ {
+ st->st_outbound_count = count;
+ st->st_outbound_time = nw;
+ }
+ return;
+ }
+ }
+ }
+ DBG(DBG_CONTROL,
+ {
+ char ourst[SUBNETTOT_BUF];
+ char hist[SUBNETTOT_BUF];
+
+ subnettot(ours, 0, ourst, sizeof(ourst));
+ subnettot(his, 0, hist, sizeof(hist));
+ DBG_log("unknown tunnel eroute %s -> %s found in scan"
+ , ourst, hist);
+ });
+}
+
+void fmt_state(bool all, struct state *st, time_t n
+, char *state_buf, size_t state_buf_len
+, char *state_buf2, size_t state_buf2_len)
+{
+ /* what the heck is interesting about a state? */
+ const struct connection *c = st->st_connection;
+
+ long delta = st->st_event->ev_time >= n
+ ? (long)(st->st_event->ev_time - n)
+ : -(long)(n - st->st_event->ev_time);
+
+ char inst[CONN_INST_BUF];
+ const char *np1 = c->newest_isakmp_sa == st->st_serialno
+ ? "; newest ISAKMP" : "";
+ const char *np2 = c->newest_ipsec_sa == st->st_serialno
+ ? "; newest IPSEC" : "";
+ /* XXX spd-enum */
+ const char *eo = c->spd.eroute_owner == st->st_serialno
+ ? "; eroute owner" : "";
+ const char *dpd = (all && st->st_dpd && c->dpd_action != DPD_ACTION_NONE)
+ ? "; DPD active" : "";
+
+ passert(st->st_event != 0);
+
+ fmt_conn_instance(c, inst);
+
+ snprintf(state_buf, state_buf_len
+ , "#%lu: \"%s\"%s %s (%s); %s in %lds%s%s%s%s"
+ , st->st_serialno
+ , c->name, inst
+ , enum_name(&state_names, st->st_state)
+ , state_story[st->st_state - STATE_MAIN_R0]
+ , enum_name(&timer_event_names, st->st_event->ev_type)
+ , delta
+ , np1, np2, eo, dpd);
+
+ /* print out SPIs if SAs are established */
+ if (state_buf2_len != 0)
+ state_buf2[0] = '\0'; /* default to empty */
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+
+ bool tunnel;
+ char buf[SATOT_BUF*6 + 2*20 + 1];
+ const char *p_end = buf + sizeof(buf);
+ char *p = buf;
+
+# define add_said(adst, aspi, aproto) { \
+ ip_said s; \
+ \
+ initsaid(adst, aspi, aproto, &s); \
+ if (p < p_end - 1) \
+ { \
+ *p++ = ' '; \
+ p += satot(&s, 0, p, p_end - p) - 1; \
+ } \
+ }
+
+# define add_sa_info(st, inbound) { \
+ u_int bytes; \
+ time_t use_time; \
+ \
+ if (get_sa_info(st, inbound, &bytes, &use_time)) \
+ { \
+ p += snprintf(p, p_end - p, " (%'u bytes", bytes); \
+ if (bytes > 0 && use_time != UNDEFINED_TIME) \
+ p += snprintf(p, p_end - p, ", %ds ago", (int)(now - use_time)); \
+ p += snprintf(p, p_end - p, ")"); \
+ } \
+ }
+
+ *p = '\0';
+ if (st->st_ah.present)
+ {
+ add_said(&c->spd.that.host_addr, st->st_ah.attrs.spi, SA_AH);
+ add_said(&c->spd.this.host_addr, st->st_ah.our_spi, SA_AH);
+ }
+ if (st->st_esp.present)
+ {
+ time_t now = time(NULL);
+
+ add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
+ add_sa_info(st, FALSE);
+ add_said(&c->spd.this.host_addr, st->st_esp.our_spi, SA_ESP);
+ add_sa_info(st, TRUE);
+ }
+ if (st->st_ipcomp.present)
+ {
+ add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
+ add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
+ }
+#ifdef KLIPS
+ tunnel = st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
+ || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
+ p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
+#endif
+
+ snprintf(state_buf2, state_buf2_len
+ , "#%lu: \"%s\"%s%s"
+ , st->st_serialno
+ , c->name, inst
+ , buf);
+
+# undef add_said
+# undef add_sa_info
+ }
+}
+
+/*
+ * sorting logic is:
+ *
+ * name
+ * type
+ * instance#
+ * isakmp_sa (XXX probably wrong)
+ *
+ */
+static int
+state_compare(const void *a, const void *b)
+{
+ const struct state *sap = *(const struct state *const *)a;
+ struct connection *ca = sap->st_connection;
+ const struct state *sbp = *(const struct state *const *)b;
+ struct connection *cb = sbp->st_connection;
+
+ /* DBG_log("comparing %s to %s", ca->name, cb->name); */
+
+ return connection_compare(ca, cb);
+}
+
+void
+show_states_status(bool all, const char *name)
+{
+ time_t n = now();
+ int i;
+ char state_buf[LOG_WIDTH];
+ char state_buf2[LOG_WIDTH];
+ int count;
+ struct state **array;
+
+ /* make count of states */
+ count = 0;
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *st;
+
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
+ if (name == NULL || streq(name, st->st_connection->name))
+ count++;
+ }
+ }
+
+ /* build the array */
+ array = alloc_bytes(sizeof(struct state *)*count, "state array");
+ count = 0;
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *st;
+
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
+ if (name == NULL || streq(name, st->st_connection->name))
+ array[count++]=st;
+ }
+ }
+
+ /* sort it! */
+ qsort(array, count, sizeof(struct state *), state_compare);
+
+ /* now print sorted results */
+ for (i = 0; i < count; i++)
+ {
+ struct state *st;
+
+ st = array[i];
+
+ fmt_state(all, st, n
+ , state_buf, sizeof(state_buf)
+ , state_buf2, sizeof(state_buf2));
+ whack_log(RC_COMMENT, state_buf);
+ if (state_buf2[0] != '\0')
+ whack_log(RC_COMMENT, state_buf2);
+
+ /* show any associated pending Phase 2s */
+ if (IS_PHASE1(st->st_state))
+ show_pending_phase2(st->st_connection->host_pair, st);
+ }
+ if (count > 0)
+ whack_log(RC_COMMENT, BLANK_FORMAT); /* spacer */
+
+ /* free the array */
+ pfree(array);
+}
+
+/* Given that we've used up a range of unused CPI's,
+ * search for a new range of currently unused ones.
+ * Note: this is very expensive when not trivial!
+ * If we can't find one easily, choose 0 (a bad SPI,
+ * no matter what order) indicating failure.
+ */
+void
+find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
+{
+ int tries = 0;
+ cpi_t base = *latest_cpi;
+ cpi_t closest;
+ int i;
+
+startover:
+ closest = ~0; /* not close at all */
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *st;
+
+ for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
+ {
+ if (st->st_ipcomp.present)
+ {
+ cpi_t c = ntohl(st->st_ipcomp.our_spi) - base;
+
+ if (c < closest)
+ {
+ if (c == 0)
+ {
+ /* oops: next spot is occupied; start over */
+ if (++tries == 20)
+ {
+ /* FAILURE */
+ *latest_cpi = *first_busy_cpi = 0;
+ return;
+ }
+ base++;
+ if (base > IPCOMP_LAST_NEGOTIATED)
+ base = IPCOMP_FIRST_NEGOTIATED;
+ goto startover; /* really a tail call */
+ }
+ closest = c;
+ }
+ }
+ }
+ }
+ *latest_cpi = base; /* base is first in next free range */
+ *first_busy_cpi = closest + base; /* and this is the roof */
+}
+
+/* Muck with high-order 16 bits of this SPI in order to make
+ * the corresponding SAID unique.
+ * Its low-order 16 bits hold a well-known IPCOMP CPI.
+ * Oh, and remember that SPIs are stored in network order.
+ * Kludge!!! So I name it with the non-English word "uniquify".
+ * If we can't find one easily, return 0 (a bad SPI,
+ * no matter what order) indicating failure.
+ */
+ipsec_spi_t
+uniquify_his_cpi(ipsec_spi_t cpi, struct state *st)
+{
+ int tries = 0;
+ int i;
+
+startover:
+
+ /* network order makes first two bytes our target */
+ get_rnd_bytes((u_char *)&cpi, 2);
+
+ /* Make sure that the result is unique.
+ * Hard work. If there is no unique value, we'll loop forever!
+ */
+ for (i = 0; i < STATE_TABLE_SIZE; i++)
+ {
+ struct state *s;
+
+ for (s = statetable[i]; s != NULL; s = s->st_hashchain_next)
+ {
+ if (s->st_ipcomp.present
+ && sameaddr(&s->st_connection->spd.that.host_addr
+ , &st->st_connection->spd.that.host_addr)
+ && cpi == s->st_ipcomp.attrs.spi)
+ {
+ if (++tries == 20)
+ return 0; /* FAILURE */
+ goto startover;
+ }
+ }
+ }
+ return cpi;
+}
+
+/*
+ * Local Variables:
+ * c-basic-offset:4
+ * End:
+ */
diff --git a/src/pluto/state.h b/src/pluto/state.h
new file mode 100644
index 000000000..d3a980564
--- /dev/null
+++ b/src/pluto/state.h
@@ -0,0 +1,273 @@
+/* state and event objects
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: state.h,v 1.11 2006/03/08 22:12:37 as Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <gmp.h> /* GNU MP library */
+
+#include "connections.h"
+
+/* Message ID mechanism.
+ *
+ * A Message ID is contained in each IKE message header.
+ * For Phase 1 exchanges (Main and Aggressive), it will be zero.
+ * For other exchanges, which must be under the protection of an
+ * ISAKMP SA, the Message ID must be unique within that ISAKMP SA.
+ * Effectively, this labels the message as belonging to a particular
+ * exchange.
+ *
+ * RFC2408 "ISAKMP" 3.1 "ISAKMP Header Format" (near end) states that
+ * the Message ID must be unique. We interpret this to be "unique within
+ * one ISAKMP SA".
+ *
+ * BTW, we feel this uniqueness allows rekeying to be somewhat simpler
+ * than specified by draft-jenkins-ipsec-rekeying-06.txt.
+ */
+
+typedef u_int32_t msgid_t; /* Network order! */
+#define MAINMODE_MSGID ((msgid_t) 0)
+
+struct state; /* forward declaration of tag */
+extern bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid);
+extern msgid_t generate_msgid(struct state *isakmp_sa);
+
+
+/* Oakley (Phase 1 / Main Mode) transform and attributes
+ * This is a flattened/decoded version of what is represented
+ * in the Transaction Payload.
+ * Names are chosen to match corresponding names in state.
+ */
+struct oakley_trans_attrs {
+ u_int16_t encrypt; /* Encryption algorithm */
+ u_int16_t enckeylen; /* encryption key len (bits) */
+ const struct encrypt_desc *encrypter; /* package of encryption routines */
+ u_int16_t hash; /* Hash algorithm */
+ const struct hash_desc *hasher; /* package of hashing routines */
+ u_int16_t auth; /* Authentication method */
+ const struct oakley_group_desc *group; /* Oakley group */
+ time_t life_seconds; /* When this SA expires (seconds) */
+ u_int32_t life_kilobytes; /* When this SA is exhausted (kilobytes) */
+#if 0 /* not yet */
+ u_int16_t prf; /* Pseudo Random Function */
+#endif
+};
+
+/* IPsec (Phase 2 / Quick Mode) transform and attributes
+ * This is a flattened/decoded version of what is represented
+ * by a Transaction Payload. There may be one for AH, one
+ * for ESP, and a funny one for IPCOMP.
+ */
+struct ipsec_trans_attrs {
+ u_int8_t transid; /* transform id */
+ ipsec_spi_t spi; /* his SPI */
+ time_t life_seconds; /* When this SA expires */
+ u_int32_t life_kilobytes; /* When this SA expires */
+ u_int16_t encapsulation;
+ u_int16_t auth;
+ u_int16_t key_len;
+ u_int16_t key_rounds;
+#if 0 /* not implemented yet */
+ u_int16_t cmprs_dict_sz;
+ u_int32_t cmprs_alg;
+#endif
+};
+
+/* IPsec per protocol state information */
+struct ipsec_proto_info {
+ bool present; /* was this transform specified? */
+ struct ipsec_trans_attrs attrs;
+ ipsec_spi_t our_spi;
+ u_int16_t keymat_len; /* same for both */
+ u_char *our_keymat;
+ u_char *peer_keymat;
+};
+
+/* state object: record the state of a (possibly nascent) SA
+ *
+ * Invariants (violated only during short transitions):
+ * - each state object will be in statetable exactly once.
+ * - each state object will always have a pending event.
+ * This prevents leaks.
+ */
+struct state
+{
+ so_serial_t st_serialno; /* serial number (for seniority) */
+ so_serial_t st_clonedfrom; /* serial number of parent */
+
+ struct connection *st_connection; /* connection for this SA */
+
+ int st_whack_sock; /* fd for our Whack TCP socket.
+ * Single copy: close when freeing struct.
+ */
+
+ struct msg_digest *st_suspended_md; /* suspended state-transition */
+
+ struct oakley_trans_attrs st_oakley;
+
+ struct ipsec_proto_info st_ah;
+ struct ipsec_proto_info st_esp;
+ struct ipsec_proto_info st_ipcomp;
+#ifdef KLIPS
+ ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */
+ ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */
+#endif
+
+ const struct oakley_group_desc *st_pfs_group; /* group for Phase 2 PFS */
+
+ u_int32_t st_doi; /* Domain of Interpretation */
+ u_int32_t st_situation;
+
+ lset_t st_policy; /* policy for IPsec SA */
+
+ msgid_t st_msgid; /* MSG-ID from header. Network Order! */
+
+ /* only for a state representing an ISAKMP SA */
+ struct msgid_list *st_used_msgids; /* used-up msgids */
+
+/* symmetric stuff */
+
+ /* initiator stuff */
+ chunk_t st_gi; /* Initiator public value */
+ u_int8_t st_icookie[COOKIE_SIZE];/* Initiator Cookie */
+ chunk_t st_ni; /* Ni nonce */
+
+ /* responder stuff */
+ chunk_t st_gr; /* Responder public value */
+ u_int8_t st_rcookie[COOKIE_SIZE];/* Responder Cookie */
+ chunk_t st_nr; /* Nr nonce */
+
+
+ /* my stuff */
+
+ chunk_t st_tpacket; /* Transmitted packet */
+
+ /* Phase 2 ID payload info about my user */
+ u_int8_t st_myuserprotoid; /* IDcx.protoid */
+ u_int16_t st_myuserport;
+
+ /* his stuff */
+
+ chunk_t st_rpacket; /* Received packet */
+
+ /* Phase 2 ID payload info about peer's user */
+ u_int8_t st_peeruserprotoid; /* IDcx.protoid */
+ u_int16_t st_peeruserport;
+
+/* end of symmetric stuff */
+
+ u_int8_t st_sec_in_use; /* bool: does st_sec hold a value */
+ MP_INT st_sec; /* Our local secret value */
+
+ chunk_t st_shared; /* Derived shared secret
+ * Note: during Quick Mode,
+ * presence indicates PFS
+ * selected.
+ */
+
+ /* In a Phase 1 state, preserve peer's public key after authentication */
+ struct pubkey *st_peer_pubkey;
+
+ enum state_kind st_state; /* State of exchange */
+ u_int8_t st_retransmit; /* Number of retransmits */
+ unsigned long st_try; /* number of times rekeying attempted */
+ /* 0 means the only time */
+ time_t st_margin; /* life after EVENT_SA_REPLACE */
+ unsigned long st_outbound_count; /* traffic through eroute */
+ time_t st_outbound_time; /* time of last change to st_outbound_count */
+ chunk_t st_p1isa; /* Phase 1 initiator SA (Payload) for HASH */
+ chunk_t st_skeyid; /* Key material */
+ chunk_t st_skeyid_d; /* KM for non-ISAKMP key derivation */
+ chunk_t st_skeyid_a; /* KM for ISAKMP authentication */
+ chunk_t st_skeyid_e; /* KM for ISAKMP encryption */
+ u_char st_iv[MAX_DIGEST_LEN]; /* IV for encryption */
+ u_char st_new_iv[MAX_DIGEST_LEN];
+ u_char st_ph1_iv[MAX_DIGEST_LEN]; /* IV at end if phase 1 */
+ unsigned int st_iv_len;
+ unsigned int st_new_iv_len;
+ unsigned int st_ph1_iv_len;
+
+ chunk_t st_enc_key; /* Oakley Encryption key */
+
+ struct event *st_event; /* backpointer for certain events */
+ struct state *st_hashchain_next; /* Next in list */
+ struct state *st_hashchain_prev; /* Previous in list */
+
+ struct {
+ bool vars_set;
+ bool started;
+ } st_modecfg;
+
+ struct {
+ int attempt;
+ bool started;
+ bool status;
+ } st_xauth;
+
+ u_int32_t nat_traversal;
+ ip_address nat_oa;
+
+ /* RFC 3706 Dead Peer Detection */
+ bool st_dpd; /* Peer supports DPD */
+ time_t st_last_dpd; /* Time of last DPD transmit */
+ u_int32_t st_dpd_seqno; /* Next R_U_THERE to send */
+ u_int32_t st_dpd_expectseqno; /* Next R_U_THERE_ACK to receive */
+ u_int32_t st_dpd_peerseqno; /* global variables */
+ struct event *st_dpd_event; /* backpointer for DPD events */
+
+ u_int32_t st_seen_vendorid; /* Bit field about recognized Vendor ID */
+};
+
+/* global variables */
+
+extern u_int16_t pluto_port; /* Pluto's port */
+
+extern bool states_use_connection(struct connection *c);
+
+/* state functions */
+
+extern struct state *new_state(void);
+extern void init_states(void);
+extern void insert_state(struct state *st);
+extern void unhash_state(struct state *st);
+extern void release_whack(struct state *st);
+extern void state_eroute_usage(ip_subnet *ours, ip_subnet *his
+ , unsigned long count, time_t nw);
+extern void delete_state(struct state *st);
+extern void delete_states_by_connection(struct connection *c, bool relations);
+
+extern struct state
+ *duplicate_state(struct state *st),
+ *find_state(const u_char *icookie
+ , const u_char *rcookie
+ , const ip_address *peer
+ , msgid_t msgid),
+ *state_with_serialno(so_serial_t sn),
+ *find_phase2_state_to_delete(const struct state *p1st, u_int8_t protoid
+ , ipsec_spi_t spi, bool *bogus),
+ *find_phase1_state(const struct connection *c, lset_t ok_states),
+ *find_sender(size_t packet_len, u_char *packet);
+
+extern void show_states_status(bool all, const char *name);
+extern void for_each_state(void *(f)(struct state *, void *data), void *data);
+extern void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi);
+extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st);
+extern void fmt_state(bool all, struct state *st, time_t n
+ , char *state_buf, size_t state_buf_len
+ , char *state_buf2, size_t state_buf_len2);
+extern void delete_states_by_peer(ip_address *peer);
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
new file mode 100644
index 000000000..9d3f90ce3
--- /dev/null
+++ b/src/pluto/timer.c
@@ -0,0 +1,532 @@
+/* timer event handling
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: timer.c,v 1.5 2004/09/17 21:36:57 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/queue.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "connections.h"
+#include "state.h"
+#include "demux.h"
+#include "ipsec_doi.h" /* needs demux.h and state.h */
+#include "kernel.h"
+#include "server.h"
+#include "log.h"
+#include "rnd.h"
+#include "timer.h"
+#include "whack.h"
+#include "nat_traversal.h"
+
+/* monotonic version of time(3) */
+time_t
+now(void)
+{
+ static time_t delta = 0
+ , last_time = 0;
+ time_t n = time((time_t)NULL);
+
+ passert(n != (time_t)-1);
+ if (last_time > n)
+ {
+ plog("time moved backwards %ld seconds", (long)(last_time - n));
+ delta += last_time - n;
+ }
+ last_time = n;
+ return n + delta;
+}
+
+/* This file has the event handling routines. Events are
+ * kept as a linked list of event structures. These structures
+ * have information like event type, expiration time and a pointer
+ * to event specific data (for example, to a state structure).
+ */
+
+static struct event *evlist = (struct event *) NULL;
+
+/*
+ * This routine places an event in the event list.
+ */
+void
+event_schedule(enum event_type type, time_t tm, struct state *st)
+{
+ struct event *ev = alloc_thing(struct event, "struct event in event_schedule()");
+
+ ev->ev_type = type;
+ ev->ev_time = tm + now();
+ ev->ev_state = st;
+
+ /* If the event is associated with a state, put a backpointer to the
+ * event in the state object, so we can find and delete the event
+ * if we need to (for example, if we receive a reply).
+ */
+ if (st != NULL)
+ {
+ if (type == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
+ {
+ passert(st->st_dpd_event == NULL);
+ st->st_dpd_event = ev;
+ }
+ else
+ {
+ passert(st->st_event == NULL);
+ st->st_event = ev;
+ }
+ }
+
+ DBG(DBG_CONTROL,
+ if (st == NULL)
+ DBG_log("inserting event %s, timeout in %lu seconds"
+ , enum_show(&timer_event_names, type), (unsigned long)tm);
+ else
+ DBG_log("inserting event %s, timeout in %lu seconds for #%lu"
+ , enum_show(&timer_event_names, type), (unsigned long)tm
+ , ev->ev_state->st_serialno));
+
+ if (evlist == (struct event *) NULL
+ || evlist->ev_time >= ev->ev_time)
+ {
+ ev->ev_next = evlist;
+ evlist = ev;
+ }
+ else
+ {
+ struct event *evt;
+
+ for (evt = evlist; evt->ev_next != NULL; evt = evt->ev_next)
+ if (evt->ev_next->ev_time >= ev->ev_time)
+ break;
+
+#ifdef NEVER /* this seems to be overkill */
+ DBG(DBG_CONTROL,
+ if (evt->ev_state == NULL)
+ DBG_log("event added after event %s"
+ , enum_show(&timer_event_names, evt->ev_type));
+ else
+ DBG_log("event added after event %s for #%lu"
+ , enum_show(&timer_event_names, evt->ev_type)
+ , evt->ev_state->st_serialno));
+#endif /* NEVER */
+
+ ev->ev_next = evt->ev_next;
+ evt->ev_next = ev;
+ }
+}
+
+/*
+ * Handle the first event on the list.
+ */
+void
+handle_timer_event(void)
+{
+ time_t tm;
+ struct event *ev = evlist;
+ int type;
+ struct state *st;
+ struct connection *c = NULL;
+ ip_address peer;
+
+ if (ev == (struct event *) NULL) /* Just paranoid */
+ {
+ DBG(DBG_CONTROL, DBG_log("empty event list, yet we're called"));
+ return;
+ }
+
+ type = ev->ev_type;
+ st = ev->ev_state;
+
+ tm = now();
+
+ if (tm < ev->ev_time)
+ {
+ DBG(DBG_CONTROL, DBG_log("called while no event expired (%lu/%lu, %s)"
+ , (unsigned long)tm, (unsigned long)ev->ev_time
+ , enum_show(&timer_event_names, type)));
+
+ /* This will happen if the most close-to-expire event was
+ * a retransmission or cleanup, and we received a packet
+ * at the same time as the event expired. Due to the processing
+ * order in call_server(), the packet processing will happen first,
+ * and the event will be removed.
+ */
+ return;
+ }
+
+ evlist = evlist->ev_next; /* Ok, we'll handle this event */
+
+ DBG(DBG_CONTROL,
+ if (evlist != (struct event *) NULL)
+ DBG_log("event after this is %s in %ld seconds"
+ , enum_show(&timer_event_names, evlist->ev_type)
+ , (long) (evlist->ev_time - tm)));
+
+ /* for state-associated events, pick up the state pointer
+ * and remove the backpointer from the state object.
+ * We'll eventually either schedule a new event, or delete the state.
+ */
+ passert(GLOBALS_ARE_RESET());
+ if (st != NULL)
+ {
+ c = st->st_connection;
+ if (type == EVENT_DPD || type == EVENT_DPD_TIMEOUT)
+ {
+ passert(st->st_dpd_event == ev);
+ st->st_dpd_event = NULL;
+ }
+ else
+ {
+ passert(st->st_event == ev);
+ st->st_event = NULL;
+ }
+ peer = c->spd.that.host_addr;
+ set_cur_state(st);
+ }
+
+ switch (type)
+ {
+ case EVENT_REINIT_SECRET:
+ passert(st == NULL);
+ DBG(DBG_CONTROL, DBG_log("event EVENT_REINIT_SECRET handled"));
+ init_secret();
+ break;
+
+#ifdef KLIPS
+ case EVENT_SHUNT_SCAN:
+ passert(st == NULL);
+ scan_proc_shunts();
+ break;
+#endif
+
+ case EVENT_LOG_DAILY:
+ daily_log_event();
+ break;
+
+ case EVENT_RETRANSMIT:
+ /* Time to retransmit, or give up.
+ *
+ * Generally, we'll only try to send the message
+ * MAXIMUM_RETRANSMISSIONS times. Each time we double
+ * our patience.
+ *
+ * As a special case, if this is the first initiating message
+ * of a Main Mode exchange, and we have been directed to try
+ * forever, we'll extend the number of retransmissions to
+ * MAXIMUM_RETRANSMISSIONS_INITIAL times, with all these
+ * extended attempts having the same patience. The intention
+ * is to reduce the bother when nobody is home.
+ */
+ {
+ time_t delay = 0;
+
+ DBG(DBG_CONTROL, DBG_log(
+ "handling event EVENT_RETRANSMIT for %s \"%s\" #%lu"
+ , ip_str(&peer), c->name, st->st_serialno));
+
+ if (st->st_retransmit < MAXIMUM_RETRANSMISSIONS)
+ delay = EVENT_RETRANSMIT_DELAY_0 << (st->st_retransmit + 1);
+ else if (st->st_state == STATE_MAIN_I1
+ && c->sa_keying_tries == 0
+ && st->st_retransmit < MAXIMUM_RETRANSMISSIONS_INITIAL)
+ delay = EVENT_RETRANSMIT_DELAY_0 << MAXIMUM_RETRANSMISSIONS;
+
+ if (delay != 0)
+ {
+ st->st_retransmit++;
+ whack_log(RC_RETRANSMISSION
+ , "%s: retransmission; will wait %lus for response"
+ , enum_name(&state_names, st->st_state)
+ , (unsigned long)delay);
+ send_packet(st, "EVENT_RETRANSMIT");
+ event_schedule(EVENT_RETRANSMIT, delay, st);
+ }
+ else
+ {
+ /* check if we've tried rekeying enough times.
+ * st->st_try == 0 means that this should be the only try.
+ * c->sa_keying_tries == 0 means that there is no limit.
+ */
+ unsigned long try = st->st_try;
+ unsigned long try_limit = c->sa_keying_tries;
+ const char *details = "";
+
+ switch (st->st_state)
+ {
+ case STATE_MAIN_I3:
+ details = ". Possible authentication failure:"
+ " no acceptable response to our"
+ " first encrypted message";
+ break;
+ case STATE_MAIN_I1:
+ details = ". No response (or no acceptable response) to our"
+ " first IKE message";
+ break;
+ case STATE_QUICK_I1:
+ if (c->newest_ipsec_sa == SOS_NOBODY)
+ details = ". No acceptable response to our"
+ " first Quick Mode message:"
+ " perhaps peer likes no proposal";
+ break;
+ default:
+ break;
+ }
+ loglog(RC_NORETRANSMISSION
+ , "max number of retransmissions (%d) reached %s%s"
+ , st->st_retransmit
+ , enum_show(&state_names, st->st_state), details);
+ if (try != 0 && try != try_limit)
+ {
+ /* A lot like EVENT_SA_REPLACE, but over again.
+ * Since we know that st cannot be in use,
+ * we can delete it right away.
+ */
+ char story[80]; /* arbitrary limit */
+
+ try++;
+ snprintf(story, sizeof(story), try_limit == 0
+ ? "starting keying attempt %ld of an unlimited number"
+ : "starting keying attempt %ld of at most %ld"
+ , try, try_limit);
+
+ if (st->st_whack_sock != NULL_FD)
+ {
+ /* Release whack because the observer will get bored. */
+ loglog(RC_COMMENT, "%s, but releasing whack"
+ , story);
+ release_pending_whacks(st, story);
+ }
+ else
+ {
+ /* no whack: just log to syslog */
+ plog("%s", story);
+ }
+ ipsecdoi_replace(st, try);
+ }
+ delete_state(st);
+ }
+ }
+ break;
+
+ case EVENT_SA_REPLACE:
+ case EVENT_SA_REPLACE_IF_USED:
+ {
+ so_serial_t newest = IS_PHASE1(st->st_state)
+ ? c->newest_isakmp_sa : c->newest_ipsec_sa;
+
+ if (newest != st->st_serialno
+ && newest != SOS_NOBODY)
+ {
+ /* not very interesting: no need to replace */
+ DBG(DBG_LIFECYCLE
+ , plog("not replacing stale %s SA: #%lu will do"
+ , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
+ , newest));
+ }
+ else if (type == EVENT_SA_REPLACE_IF_USED
+ && st->st_outbound_time <= tm - c->sa_rekey_margin)
+ {
+ /* we observed no recent use: no need to replace
+ *
+ * The sampling effects mean that st_outbound_time
+ * could be up to SHUNT_SCAN_INTERVAL more recent
+ * than actual traffic because the sampler looks at change
+ * over that interval.
+ * st_outbound_time could also not yet reflect traffic
+ * in the last SHUNT_SCAN_INTERVAL.
+ * We expect that SHUNT_SCAN_INTERVAL is smaller than
+ * c->sa_rekey_margin so that the effects of this will
+ * be unimportant.
+ * This is just an optimization: correctness is not
+ * at stake.
+ *
+ * Note: we are abusing the DBG mechanism to control
+ * normal log output.
+ */
+ DBG(DBG_LIFECYCLE
+ , plog("not replacing stale %s SA: inactive for %lus"
+ , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"
+ , (unsigned long)(tm - st->st_outbound_time)));
+ }
+ else
+ {
+ DBG(DBG_LIFECYCLE
+ , plog("replacing stale %s SA"
+ , IS_PHASE1(st->st_state)? "ISAKMP" : "IPsec"));
+ ipsecdoi_replace(st, 1);
+ }
+ delete_dpd_event(st);
+ event_schedule(EVENT_SA_EXPIRE, st->st_margin, st);
+ }
+ break;
+
+ case EVENT_SA_EXPIRE:
+ {
+ const char *satype;
+ so_serial_t latest;
+
+ if (IS_PHASE1(st->st_state))
+ {
+ satype = "ISAKMP";
+ latest = c->newest_isakmp_sa;
+ }
+ else
+ {
+ satype = "IPsec";
+ latest = c->newest_ipsec_sa;
+ }
+
+ if (st->st_serialno != latest)
+ {
+ /* not very interesting: already superseded */
+ DBG(DBG_LIFECYCLE
+ , plog("%s SA expired (superseded by #%lu)"
+ , satype, latest));
+ }
+ else
+ {
+ plog("%s SA expired (%s)", satype
+ , (c->policy & POLICY_DONT_REKEY)
+ ? "--dontrekey"
+ : "LATEST!"
+ );
+ }
+ }
+ /* FALLTHROUGH */
+ case EVENT_SO_DISCARD:
+ /* Delete this state object. It must be in the hash table. */
+ delete_state(st);
+ break;
+
+ case EVENT_DPD:
+ dpd_outI(st);
+ break;
+ case EVENT_DPD_TIMEOUT:
+ dpd_timeout(st);
+ break;
+ case EVENT_NAT_T_KEEPALIVE:
+ nat_traversal_ka_event();
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %s"
+ , enum_show(&timer_event_names, type));
+ }
+
+ pfree(ev);
+ reset_cur_state();
+}
+
+/*
+ * Return the time until the next event in the queue
+ * expires (never negative), or -1 if no jobs in queue.
+ */
+long
+next_event(void)
+{
+ time_t tm;
+
+ if (evlist == (struct event *) NULL)
+ return -1;
+
+ tm = now();
+
+ DBG(DBG_CONTROL,
+ if (evlist->ev_state == NULL)
+ DBG_log("next event %s in %ld seconds"
+ , enum_show(&timer_event_names, evlist->ev_type)
+ , (long)evlist->ev_time - (long)tm);
+ else
+ DBG_log("next event %s in %ld seconds for #%lu"
+ , enum_show(&timer_event_names, evlist->ev_type)
+ , (long)evlist->ev_time - (long)tm
+ , evlist->ev_state->st_serialno));
+
+ if (evlist->ev_time - tm <= 0)
+ return 0;
+ else
+ return evlist->ev_time - tm;
+}
+
+/*
+ * Delete an event.
+ */
+void
+delete_event(struct state *st)
+{
+ if (st->st_event != (struct event *) NULL)
+ {
+ struct event **ev;
+
+ for (ev = &evlist; ; ev = &(*ev)->ev_next)
+ {
+ if (*ev == NULL)
+ {
+ DBG(DBG_CONTROL, DBG_log("event %s to be deleted not found",
+ enum_show(&timer_event_names, st->st_event->ev_type)));
+ break;
+ }
+ if ((*ev) == st->st_event)
+ {
+ *ev = (*ev)->ev_next;
+
+ if (st->st_event->ev_type == EVENT_RETRANSMIT)
+ st->st_retransmit = 0;
+ pfree(st->st_event);
+ st->st_event = (struct event *) NULL;
+
+ break;
+ }
+ }
+ }
+}
+
+/*
+ * Delete a DPD event.
+ */
+void
+delete_dpd_event(struct state *st)
+{
+ if (st->st_dpd_event != (struct event *) NULL)
+ {
+ struct event **ev;
+
+ for (ev = &evlist; ; ev = &(*ev)->ev_next)
+ {
+ if (*ev == NULL)
+ {
+ DBG(DBG_CONTROL, DBG_log("event %s to be deleted not found",
+ enum_show(&timer_event_names, st->st_dpd_event->ev_type)));
+ break;
+ }
+ if ((*ev) == st->st_dpd_event)
+ {
+ *ev = (*ev)->ev_next;
+ pfree(st->st_dpd_event);
+ st->st_dpd_event = (struct event *) NULL;
+ break;
+ }
+ }
+ }
+}
+
+
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
new file mode 100644
index 000000000..92464192c
--- /dev/null
+++ b/src/pluto/timer.h
@@ -0,0 +1,34 @@
+/* timing machinery
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: timer.h,v 1.2 2004/07/29 18:33:45 as Exp $
+ */
+
+extern time_t now(void); /* careful version of time(2) */
+
+struct state; /* forward declaration */
+
+struct event
+{
+ time_t ev_time;
+ int ev_type; /* Event type */
+ struct state *ev_state; /* Pointer to relevant state (if any) */
+ struct event *ev_next; /* Pointer to next event */
+};
+
+extern void event_schedule(enum event_type type, time_t tm, struct state *st);
+extern void handle_timer_event(void);
+extern long next_event(void);
+extern void delete_event(struct state *st);
+extern void delete_dpd_event(struct state *st);
+extern void daily_log_event(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
new file mode 100644
index 000000000..e888d5e16
--- /dev/null
+++ b/src/pluto/vendor.c
@@ -0,0 +1,528 @@
+/* ISAKMP VendorID
+ * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: vendor.c,v 1.35 2006/04/12 16:44:28 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/queue.h>
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "md5.h"
+#include "connections.h"
+#include "packet.h"
+#include "demux.h"
+#include "whack.h"
+#include "vendor.h"
+#include "kernel.h"
+#include "nat_traversal.h"
+
+/**
+ * Unknown/Special VID:
+ *
+ * SafeNet SoftRemote 8.0.0:
+ * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e302e3020284275696c6420313029000000
+ * >> 382e302e3020284275696c6420313029 = '8.0.0 (Build 10)'
+ * da8e937880010000
+ *
+ * SafeNet SoftRemote 9.0.1
+ * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310392e302e3120284275696c6420313229000000
+ * >> 392e302e3120284275696c6420313229 = '9.0.1 (Build 12)'
+ * da8e937880010000
+ *
+ * Netscreen:
+ * d6b45f82f24bacb288af59a978830ab7
+ * cf49908791073fb46439790fdeb6aeed981101ab0000000500000300
+ *
+ * Cisco:
+ * 1f07f70eaa6514d3b0fa96542a500300 (VPN 3000 version 3.0.0)
+ * 1f07f70eaa6514d3b0fa96542a500301 (VPN 3000 version 3.0.1)
+ * 1f07f70eaa6514d3b0fa96542a500305 (VPN 3000 version 3.0.5)
+ * 1f07f70eaa6514d3b0fa96542a500407 (VPN 3000 version 4.0.7)
+ * (Can you see the pattern?)
+ * afcad71368a1f1c96b8696fc77570100 (Non-RFC Dead Peer Detection ?)
+ * c32364b3b4f447eb17c488ab2a480a57
+ * 6d761ddc26aceca1b0ed11fabbb860c4
+ * 5946c258f99a1a57b03eb9d1759e0f24 (From a Cisco VPN 3k)
+ * ebbc5b00141d0c895e11bd395902d690 (From a Cisco VPN 3k)
+ *
+ * Microsoft L2TP (???):
+ * 47bbe7c993f1fc13b4e6d0db565c68e5010201010201010310382e312e3020284275696c6420313029000000
+ * >> 382e312e3020284275696c6420313029 = '8.1.0 (Build 10)'
+ * 3025dbd21062b9e53dc441c6aab5293600000000
+ * da8e937880010000
+ *
+ * 3COM-superstack
+ * da8e937880010000
+ * 404bf439522ca3f6
+ *
+
+ * If someone know what they mean, mail me.
+ */
+
+#define MAX_LOG_VID_LEN 32
+
+#define VID_KEEP 0x0000
+#define VID_MD5HASH 0x0001
+#define VID_STRING 0x0002
+#define VID_FSWAN_HASH 0x0004
+
+#define VID_SUBSTRING_DUMPHEXA 0x0100
+#define VID_SUBSTRING_DUMPASCII 0x0200
+#define VID_SUBSTRING_MATCH 0x0400
+#define VID_SUBSTRING (VID_SUBSTRING_DUMPHEXA | VID_SUBSTRING_DUMPASCII | VID_SUBSTRING_MATCH)
+
+struct vid_struct {
+ enum known_vendorid id;
+ unsigned short flags;
+ const char *data;
+ const char *descr;
+ const char *vid;
+ u_int vid_len;
+};
+
+#define DEC_MD5_VID_D(id,str,descr) \
+ { VID_##id, VID_MD5HASH, str, descr, NULL, 0 },
+#define DEC_MD5_VID(id,str) \
+ { VID_##id, VID_MD5HASH, str, NULL, NULL, 0 },
+#define DEC_FSWAN_VID(id,str,descr) \
+ { VID_##id, VID_FSWAN_HASH, str, descr, NULL, 0 },
+
+static struct vid_struct _vid_tab[] = {
+
+ /* Implementation names */
+
+ { VID_OPENPGP, VID_STRING, "OpenPGP10171", "OpenPGP", NULL, 0 },
+
+ DEC_MD5_VID(KAME_RACOON, "KAME/racoon")
+
+ { VID_MS_NT5, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
+ "MS NT5 ISAKMPOAKLEY", NULL, NULL, 0 },
+
+ DEC_MD5_VID(SSH_SENTINEL, "SSH Sentinel")
+ DEC_MD5_VID(SSH_SENTINEL_1_1, "SSH Sentinel 1.1")
+ DEC_MD5_VID(SSH_SENTINEL_1_2, "SSH Sentinel 1.2")
+ DEC_MD5_VID(SSH_SENTINEL_1_3, "SSH Sentinel 1.3")
+ DEC_MD5_VID(SSH_SENTINEL_1_4, "SSH Sentinel 1.4")
+ DEC_MD5_VID(SSH_SENTINEL_1_4_1, "SSH Sentinel 1.4.1")
+
+ /* These ones come from SSH vendors.txt */
+ DEC_MD5_VID(SSH_IPSEC_1_1_0,
+ "Ssh Communications Security IPSEC Express version 1.1.0")
+ DEC_MD5_VID(SSH_IPSEC_1_1_1,
+ "Ssh Communications Security IPSEC Express version 1.1.1")
+ DEC_MD5_VID(SSH_IPSEC_1_1_2,
+ "Ssh Communications Security IPSEC Express version 1.1.2")
+ DEC_MD5_VID(SSH_IPSEC_1_2_1,
+ "Ssh Communications Security IPSEC Express version 1.2.1")
+ DEC_MD5_VID(SSH_IPSEC_1_2_2,
+ "Ssh Communications Security IPSEC Express version 1.2.2")
+ DEC_MD5_VID(SSH_IPSEC_2_0_0,
+ "SSH Communications Security IPSEC Express version 2.0.0")
+ DEC_MD5_VID(SSH_IPSEC_2_1_0,
+ "SSH Communications Security IPSEC Express version 2.1.0")
+ DEC_MD5_VID(SSH_IPSEC_2_1_1,
+ "SSH Communications Security IPSEC Express version 2.1.1")
+ DEC_MD5_VID(SSH_IPSEC_2_1_2,
+ "SSH Communications Security IPSEC Express version 2.1.2")
+ DEC_MD5_VID(SSH_IPSEC_3_0_0,
+ "SSH Communications Security IPSEC Express version 3.0.0")
+ DEC_MD5_VID(SSH_IPSEC_3_0_1,
+ "SSH Communications Security IPSEC Express version 3.0.1")
+ DEC_MD5_VID(SSH_IPSEC_4_0_0,
+ "SSH Communications Security IPSEC Express version 4.0.0")
+ DEC_MD5_VID(SSH_IPSEC_4_0_1,
+ "SSH Communications Security IPSEC Express version 4.0.1")
+ DEC_MD5_VID(SSH_IPSEC_4_1_0,
+ "SSH Communications Security IPSEC Express version 4.1.0")
+ DEC_MD5_VID(SSH_IPSEC_4_2_0,
+ "SSH Communications Security IPSEC Express version 4.2.0")
+
+ /* note: md5('CISCO-UNITY') = 12f5f28c457168a9702d9fe274cc02d4 */
+ { VID_CISCO_UNITY, VID_KEEP, NULL, "Cisco-Unity",
+ "\x12\xf5\xf2\x8c\x45\x71\x68\xa9\x70\x2d\x9f\xe2\x74\xcc\x01\x00",
+ 16 },
+
+ { VID_CISCO3K, VID_KEEP | VID_SUBSTRING_MATCH,
+ NULL, "Cisco VPN 3000 Series" , "\x1f\x07\xf7\x0e\xaa\x65\x14\xd3\xb0\xfa\x96\x54\x2a\x50", 14},
+
+ { VID_CISCO_IOS, VID_KEEP | VID_SUBSTRING_MATCH,
+ NULL, "Cisco IOS Device", "\x3e\x98\x40\x48", 4},
+
+ /*
+ * Timestep VID seen:
+ * - 54494d455354455020312053475720313532302033313520322e303145303133
+ * = 'TIMESTEP 1 SGW 1520 315 2.01E013'
+ */
+ { VID_TIMESTEP, VID_STRING | VID_SUBSTRING_DUMPASCII, "TIMESTEP",
+ NULL, NULL, 0 },
+
+ /*
+ * Netscreen:
+ * 4865617274426561745f4e6f74696679386b0100 (HeartBeat_Notify + 386b0100)
+ */
+ { VID_MISC_HEARTBEAT_NOTIFY, VID_STRING | VID_SUBSTRING_DUMPHEXA,
+ "HeartBeat_Notify", "HeartBeat Notify", NULL, 0 },
+
+ /*
+ * MacOS X
+ */
+ { VID_MACOSX, VID_STRING|VID_SUBSTRING_DUMPHEXA, "Mac OSX 10.x",
+ "\x4d\xf3\x79\x28\xe9\xfc\x4f\xd1\xb3\x26\x21\x70\xd5\x15\xc6\x62", NULL, 0},
+
+ /*
+ * Openswan
+ */
+ DEC_FSWAN_VID(OPENSWAN2, "Openswan 2.2.0", "Openswan 2.2.0")
+
+ /* NCP */
+ { VID_NCP_SERVER, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Server",
+ "\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12},
+ { VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
+ "\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12},
+
+ /*
+ * Windows Vista (and Longhorn?)
+ */
+ DEC_MD5_VID(VISTA_AUTHIP, "MS-Negotiation Discovery Capable")
+ DEC_MD5_VID(VISTA_AUTHIP2, "IKE CGA version 1")
+
+ /*
+ * strongSwan
+ */
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.1")
+ DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
+ DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
+ DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+ DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
+ DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
+ DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
+ DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
+ DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
+ DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+
+ DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
+ DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
+ DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
+ DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
+ DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
+ DEC_MD5_VID(STRONGSWAN_2_7_3, "strongSwan 2.7.3")
+ DEC_MD5_VID(STRONGSWAN_2_7_2, "strongSwan 2.7.2")
+ DEC_MD5_VID(STRONGSWAN_2_7_1, "strongSwan 2.7.1")
+ DEC_MD5_VID(STRONGSWAN_2_7_0, "strongSwan 2.7.0")
+ DEC_MD5_VID(STRONGSWAN_2_6_4, "strongSwan 2.6.4")
+ DEC_MD5_VID(STRONGSWAN_2_6_3, "strongSwan 2.6.3")
+ DEC_MD5_VID(STRONGSWAN_2_6_2, "strongSwan 2.6.2")
+ DEC_MD5_VID(STRONGSWAN_2_6_1, "strongSwan 2.6.1")
+ DEC_MD5_VID(STRONGSWAN_2_6_0, "strongSwan 2.6.0")
+ DEC_MD5_VID(STRONGSWAN_2_5_7, "strongSwan 2.5.7")
+ DEC_MD5_VID(STRONGSWAN_2_5_6, "strongSwan 2.5.6")
+ DEC_MD5_VID(STRONGSWAN_2_5_5, "strongSwan 2.5.5")
+ DEC_MD5_VID(STRONGSWAN_2_5_4, "strongSwan 2.5.4")
+ DEC_MD5_VID(STRONGSWAN_2_5_3, "strongSwan 2.5.3")
+ DEC_MD5_VID(STRONGSWAN_2_5_2, "strongSwan 2.5.2")
+ DEC_MD5_VID(STRONGSWAN_2_5_1, "strongSwan 2.5.1")
+ DEC_MD5_VID(STRONGSWAN_2_5_0, "strongSwan 2.5.0")
+ DEC_MD5_VID(STRONGSWAN_2_4_4, "strongSwan 2.4.4")
+ DEC_MD5_VID(STRONGSWAN_2_4_3, "strongSwan 2.4.3")
+ DEC_MD5_VID(STRONGSWAN_2_4_2, "strongSwan 2.4.2")
+ DEC_MD5_VID(STRONGSWAN_2_4_1, "strongSwan 2.4.1")
+ DEC_MD5_VID(STRONGSWAN_2_4_0, "strongSwan 2.4.0")
+ DEC_MD5_VID(STRONGSWAN_2_3_2, "strongSwan 2.3.2")
+ DEC_MD5_VID(STRONGSWAN_2_3_1, "strongSwan 2.3.1")
+ DEC_MD5_VID(STRONGSWAN_2_3_0, "strongSwan 2.3.0")
+ DEC_MD5_VID(STRONGSWAN_2_2_2, "strongSwan 2.2.2")
+ DEC_MD5_VID(STRONGSWAN_2_2_1, "strongSwan 2.2.1")
+ DEC_MD5_VID(STRONGSWAN_2_2_0, "strongSwan 2.2.0")
+
+ /* NAT-Traversal */
+
+ DEC_MD5_VID(NATT_STENBERG_01, "draft-stenberg-ipsec-nat-traversal-01")
+ DEC_MD5_VID(NATT_STENBERG_02, "draft-stenberg-ipsec-nat-traversal-02")
+ DEC_MD5_VID(NATT_HUTTUNEN, "ESPThruNAT")
+ DEC_MD5_VID(NATT_HUTTUNEN_ESPINUDP, "draft-huttunen-ipsec-esp-in-udp-00.txt")
+ DEC_MD5_VID(NATT_IETF_00, "draft-ietf-ipsec-nat-t-ike-00")
+ DEC_MD5_VID(NATT_IETF_02, "draft-ietf-ipsec-nat-t-ike-02")
+ /* hash in draft-ietf-ipsec-nat-t-ike-02 contains '\n'... Accept both */
+ DEC_MD5_VID_D(NATT_IETF_02_N, "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02_n")
+ DEC_MD5_VID(NATT_IETF_03, "draft-ietf-ipsec-nat-t-ike-03")
+ DEC_MD5_VID(NATT_RFC, "RFC 3947")
+
+ /* misc */
+
+ { VID_MISC_XAUTH, VID_KEEP, NULL, "XAUTH",
+ "\x09\x00\x26\x89\xdf\xd6\xb7\x12", 8 },
+
+ { VID_MISC_DPD, VID_KEEP, NULL, "Dead Peer Detection",
+ "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00", 16 },
+
+ DEC_MD5_VID(MISC_FRAGMENTATION, "FRAGMENTATION")
+
+ DEC_MD5_VID(INITIAL_CONTACT, "Vid-Initial-Contact")
+
+ /**
+ * Cisco VPN 3000
+ */
+ { VID_MISC_FRAGMENTATION, VID_MD5HASH | VID_SUBSTRING_DUMPHEXA,
+ "FRAGMENTATION", NULL, NULL, 0 },
+
+ /* -- */
+ { 0, 0, NULL, NULL, NULL, 0 }
+
+};
+
+static const char _hexdig[] = "0123456789abcdef";
+
+static int _vid_struct_init = 0;
+
+void
+init_vendorid(void)
+{
+ struct vid_struct *vid;
+ MD5_CTX ctx;
+ int i;
+
+ for (vid = _vid_tab; vid->id; vid++)
+ {
+ if (vid->flags & VID_STRING)
+ {
+ /** VendorID is a string **/
+ vid->vid = strdup(vid->data);
+ vid->vid_len = strlen(vid->data);
+ }
+ else if (vid->flags & VID_MD5HASH)
+ {
+ /** VendorID is a string to hash with MD5 **/
+ char *vidm = malloc(MD5_DIGEST_SIZE);
+
+ vid->vid = vidm;
+ if (vidm)
+ {
+ MD5Init(&ctx);
+ MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
+ MD5Final(vidm, &ctx);
+ vid->vid_len = MD5_DIGEST_SIZE;
+ }
+ }
+ else if (vid->flags & VID_FSWAN_HASH)
+ {
+ /** FreeS/WAN 2.00+ specific hash **/
+#define FSWAN_VID_SIZE 12
+ unsigned char hash[MD5_DIGEST_SIZE];
+ char *vidm = malloc(FSWAN_VID_SIZE);
+
+ vid->vid = vidm;
+ if (vidm)
+ {
+ MD5Init(&ctx);
+ MD5Update(&ctx, (const u_char *)vid->data, strlen(vid->data));
+ MD5Final(hash, &ctx);
+ vidm[0] = 'O';
+ vidm[1] = 'E';
+#if FSWAN_VID_SIZE - 2 <= MD5_DIGEST_SIZE
+ memcpy(vidm + 2, hash, FSWAN_VID_SIZE - 2);
+#else
+ memcpy(vidm + 2, hash, MD5_DIGEST_SIZE);
+ memset(vidm + 2 + MD5_DIGEST_SIZE, '\0',
+ FSWAN_VID_SIZE - 2 - MD5_DIGEST_SIZE);
+#endif
+ for (i = 2; i < FSWAN_VID_SIZE; i++)
+ {
+ vidm[i] &= 0x7f;
+ vidm[i] |= 0x40;
+ }
+ vid->vid_len = FSWAN_VID_SIZE;
+ }
+ }
+
+ if (vid->descr == NULL)
+ {
+ /** Find something to display **/
+ vid->descr = vid->data;
+ }
+ }
+ _vid_struct_init = 1;
+}
+
+static void
+handle_known_vendorid (struct msg_digest *md
+, const char *vidstr, size_t len, struct vid_struct *vid)
+{
+ char vid_dump[128];
+ bool vid_useful = FALSE;
+ size_t i, j;
+
+ switch (vid->id) {
+ /* Remote side supports OpenPGP certificates */
+ case VID_OPENPGP:
+ md->openpgp = TRUE;
+ vid_useful = TRUE;
+ break;
+
+ /*
+ * Use most recent supported NAT-Traversal method and ignore the
+ * other ones (implementations will send all supported methods but
+ * only one will be used)
+ *
+ * Note: most recent == higher id in vendor.h
+ */
+ case VID_NATT_IETF_00:
+ if (!nat_traversal_support_non_ike)
+ break;
+ if ((nat_traversal_enabled) && (!md->nat_traversal_vid))
+ {
+ md->nat_traversal_vid = vid->id;
+ vid_useful = TRUE;
+ }
+ break;
+ case VID_NATT_IETF_02:
+ case VID_NATT_IETF_02_N:
+ case VID_NATT_IETF_03:
+ case VID_NATT_RFC:
+ if (nat_traversal_support_port_floating
+ && md->nat_traversal_vid < vid->id)
+ {
+ md->nat_traversal_vid = vid->id;
+ vid_useful = TRUE;
+ }
+ break;
+
+ /* Remote side would like to do DPD with us on this connection */
+ case VID_MISC_DPD:
+ md->dpd = TRUE;
+ vid_useful = TRUE;
+ break;
+ case VID_MISC_XAUTH:
+ vid_useful = TRUE;
+ break;
+ default:
+ break;
+ }
+
+ if (vid->flags & VID_SUBSTRING_DUMPHEXA)
+ {
+ /* Dump description + Hexa */
+ memset(vid_dump, 0, sizeof(vid_dump));
+ snprintf(vid_dump, sizeof(vid_dump), "%s ",
+ vid->descr ? vid->descr : "");
+ for (i = strlen(vid_dump), j = vid->vid_len;
+ j < len && i < sizeof(vid_dump) - 2;
+ i += 2, j++)
+ {
+ vid_dump[i] = _hexdig[(vidstr[j] >> 4) & 0xF];
+ vid_dump[i+1] = _hexdig[vidstr[j] & 0xF];
+ }
+ }
+ else if (vid->flags & VID_SUBSTRING_DUMPASCII)
+ {
+ /* Dump ASCII content */
+ memset(vid_dump, 0, sizeof(vid_dump));
+ for (i = 0; i < len && i < sizeof(vid_dump) - 1; i++)
+ {
+ vid_dump[i] = (isprint(vidstr[i])) ? vidstr[i] : '.';
+ }
+ }
+ else
+ {
+ /* Dump description (descr) */
+ snprintf(vid_dump, sizeof(vid_dump), "%s",
+ vid->descr ? vid->descr : "");
+ }
+
+ loglog(RC_LOG_SERIOUS, "%s Vendor ID payload [%s]",
+ vid_useful ? "received" : "ignoring", vid_dump);
+}
+
+void
+handle_vendorid (struct msg_digest *md, const char *vid, size_t len)
+{
+ struct vid_struct *pvid;
+
+ if (!_vid_struct_init)
+ init_vendorid();
+
+ /*
+ * Find known VendorID in _vid_tab
+ */
+ for (pvid = _vid_tab; pvid->id; pvid++)
+ {
+ if (pvid->vid && vid && pvid->vid_len && len)
+ {
+ if (pvid->vid_len == len)
+ {
+ if (memcmp(pvid->vid, vid, len) == 0)
+ {
+ handle_known_vendorid(md, vid, len, pvid);
+ return;
+ }
+ }
+ else if ((pvid->vid_len < len) && (pvid->flags & VID_SUBSTRING))
+ {
+ if (memcmp(pvid->vid, vid, pvid->vid_len) == 0)
+ {
+ handle_known_vendorid(md, vid, len, pvid);
+ return;
+ }
+ }
+ }
+ }
+
+ /*
+ * Unknown VendorID. Log the beginning.
+ */
+ {
+ char log_vid[2*MAX_LOG_VID_LEN+1];
+ size_t i;
+
+ memset(log_vid, 0, sizeof(log_vid));
+
+ for (i = 0; i < len && i < MAX_LOG_VID_LEN; i++)
+ {
+ log_vid[2*i] = _hexdig[(vid[i] >> 4) & 0xF];
+ log_vid[2*i+1] = _hexdig[vid[i] & 0xF];
+ }
+ loglog(RC_LOG_SERIOUS, "ignoring Vendor ID payload [%s%s]",
+ log_vid, (len>MAX_LOG_VID_LEN) ? "..." : "");
+ }
+}
+
+/**
+ * Add a vendor id payload to the msg
+ */
+bool
+out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid)
+{
+ struct vid_struct *pvid;
+
+ if (!_vid_struct_init)
+ init_vendorid();
+
+ for (pvid = _vid_tab; pvid->id && pvid->id != vid; pvid++);
+
+ if (pvid->id != vid)
+ return STF_INTERNAL_ERROR; /* not found */
+ if (!pvid->vid)
+ return STF_INTERNAL_ERROR; /* not initialized */
+
+ DBG(DBG_EMITTING,
+ DBG_log("out_vendorid(): sending [%s]", pvid->descr)
+ )
+ return out_generic_raw(np, &isakmp_vendor_id_desc, outs,
+ pvid->vid, pvid->vid_len, "V_ID");
+}
+
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
new file mode 100644
index 000000000..8e0444f4d
--- /dev/null
+++ b/src/pluto/vendor.h
@@ -0,0 +1,131 @@
+/* FreeS/WAN ISAKMP VendorID
+ * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: vendor.h,v 1.30 2006/04/12 16:44:28 as Exp $
+ */
+
+#ifndef _VENDOR_H_
+#define _VENDOR_H_
+
+enum known_vendorid {
+/* 1 - 100 : Implementation names */
+ VID_OPENPGP = 1,
+ VID_KAME_RACOON = 2,
+ VID_MS_NT5 = 3,
+ VID_SSH_SENTINEL = 4,
+ VID_SSH_SENTINEL_1_1 = 5,
+ VID_SSH_SENTINEL_1_2 = 6,
+ VID_SSH_SENTINEL_1_3 = 7,
+ VID_SSH_SENTINEL_1_4 = 8,
+ VID_SSH_SENTINEL_1_4_1 = 9,
+ VID_SSH_IPSEC_1_1_0 = 10,
+ VID_SSH_IPSEC_1_1_1 = 11,
+ VID_SSH_IPSEC_1_1_2 = 12,
+ VID_SSH_IPSEC_1_2_1 = 13,
+ VID_SSH_IPSEC_1_2_2 = 14,
+ VID_SSH_IPSEC_2_0_0 = 15,
+ VID_SSH_IPSEC_2_1_0 = 16,
+ VID_SSH_IPSEC_2_1_1 = 17,
+ VID_SSH_IPSEC_2_1_2 = 18,
+ VID_SSH_IPSEC_3_0_0 = 19,
+ VID_SSH_IPSEC_3_0_1 = 20,
+ VID_SSH_IPSEC_4_0_0 = 21,
+ VID_SSH_IPSEC_4_0_1 = 22,
+ VID_SSH_IPSEC_4_1_0 = 23,
+ VID_SSH_IPSEC_4_2_0 = 24,
+ VID_CISCO_UNITY = 25,
+ VID_CISCO3K = 26,
+ VID_CISCO_IOS = 27,
+ VID_TIMESTEP = 28,
+ VID_SAFENET = 29,
+ VID_MACOSX = 30,
+ VID_OPENSWAN2 = 31,
+ VID_NCP_SERVER = 32,
+ VID_NCP_CLIENT = 33,
+ VID_VISTA_AUTHIP = 34,
+ VID_VISTA_AUTHIP2 = 35,
+
+ VID_STRONGSWAN = 36,
+ VID_STRONGSWAN_2_2_0 = 37,
+ VID_STRONGSWAN_2_2_1 = 38,
+ VID_STRONGSWAN_2_2_2 = 39,
+ VID_STRONGSWAN_2_3_0 = 40,
+ VID_STRONGSWAN_2_3_1 = 41,
+ VID_STRONGSWAN_2_3_2 = 42,
+ VID_STRONGSWAN_2_4_0 = 43,
+ VID_STRONGSWAN_2_4_1 = 44,
+ VID_STRONGSWAN_2_4_2 = 45,
+ VID_STRONGSWAN_2_4_3 = 46,
+ VID_STRONGSWAN_2_4_4 = 47,
+ VID_STRONGSWAN_2_5_0 = 48,
+ VID_STRONGSWAN_2_5_1 = 49,
+ VID_STRONGSWAN_2_5_2 = 50,
+ VID_STRONGSWAN_2_5_3 = 51,
+ VID_STRONGSWAN_2_5_4 = 52,
+ VID_STRONGSWAN_2_5_5 = 53,
+ VID_STRONGSWAN_2_5_6 = 54,
+ VID_STRONGSWAN_2_5_7 = 55,
+ VID_STRONGSWAN_2_6_0 = 56,
+ VID_STRONGSWAN_2_6_1 = 57,
+ VID_STRONGSWAN_2_6_2 = 58,
+ VID_STRONGSWAN_2_6_3 = 59,
+ VID_STRONGSWAN_2_6_4 = 60,
+ VID_STRONGSWAN_2_7_0 = 61,
+ VID_STRONGSWAN_2_7_1 = 62,
+ VID_STRONGSWAN_2_7_2 = 63,
+ VID_STRONGSWAN_2_7_3 = 64,
+ VID_STRONGSWAN_2_8_0 = 65,
+ VID_STRONGSWAN_2_8_1 = 66,
+ VID_STRONGSWAN_2_8_2 = 67,
+ VID_STRONGSWAN_2_8_3 = 68,
+ VID_STRONGSWAN_2_8_4 = 69,
+
+ VID_STRONGSWAN_4_0_0 = 70,
+ VID_STRONGSWAN_4_0_1 = 71,
+ VID_STRONGSWAN_4_0_2 = 72,
+ VID_STRONGSWAN_4_0_3 = 73,
+ VID_STRONGSWAN_4_0_4 = 74,
+ VID_STRONGSWAN_4_0_5 = 75,
+ VID_STRONGSWAN_4_0_6 = 76,
+ VID_STRONGSWAN_4_0_7 = 77,
+ VID_STRONGSWAN_4_1_0 = 78,
+
+ /* 101 - 200 : NAT-Traversal */
+ VID_NATT_STENBERG_01 =101,
+ VID_NATT_STENBERG_02 =102,
+ VID_NATT_HUTTUNEN =103,
+ VID_NATT_HUTTUNEN_ESPINUDP =104,
+ VID_NATT_IETF_00 =105,
+ VID_NATT_IETF_02_N =106,
+ VID_NATT_IETF_02 =107,
+ VID_NATT_IETF_03 =108,
+ VID_NATT_RFC =109,
+
+ /* 201 - 300 : Misc */
+ VID_MISC_XAUTH =201,
+ VID_MISC_DPD =202,
+ VID_MISC_HEARTBEAT_NOTIFY =203,
+ VID_MISC_FRAGMENTATION =204,
+ VID_INITIAL_CONTACT =205,
+ VID_CISCO3K_FRAGMENTATION =206
+};
+
+void init_vendorid(void);
+
+struct msg_digest;
+void handle_vendorid (struct msg_digest *md, const char *vid, size_t len);
+
+bool out_vendorid (u_int8_t np, pb_stream *outs, enum known_vendorid vid);
+
+#endif /* _VENDOR_H_ */
+
diff --git a/src/pluto/virtual.c b/src/pluto/virtual.c
new file mode 100644
index 000000000..d1553364e
--- /dev/null
+++ b/src/pluto/virtual.c
@@ -0,0 +1,334 @@
+/* FreeS/WAN Virtual IP Management
+ * Copyright (C) 2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: virtual.c,v 1.4 2004/04/02 10:38:52 as Exp $
+ */
+
+#include <freeswan.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/queue.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "log.h"
+#include "connections.h"
+#include "whack.h"
+#include "virtual.h"
+
+#define F_VIRTUAL_NO 1
+#define F_VIRTUAL_DHCP 2
+#define F_VIRTUAL_IKE_CONFIG 4
+#define F_VIRTUAL_PRIVATE 8
+#define F_VIRTUAL_ALL 16
+#define F_VIRTUAL_HOST 32
+
+struct virtual_t {
+ unsigned short flags;
+ unsigned short n_net;
+ ip_subnet net[0];
+};
+
+static ip_subnet *private_net_ok=NULL, *private_net_ko=NULL;
+static unsigned short private_net_ok_len=0, private_net_ko_len=0;
+
+/**
+ * read %v4:x.x.x.x/y or %v6:xxxxxxxxx/yy
+ * or %v4:!x.x.x.x/y if dstko not NULL
+ */
+static bool
+_read_subnet(const char *src, size_t len, ip_subnet *dst, ip_subnet *dstko,
+ bool *isok)
+{
+ bool ok;
+ int af;
+
+ if ((len > 4) && (strncmp(src, "%v4:", 4)==0))
+ {
+ af = AF_INET;
+ }
+ else if ((len > 4) && (strncmp(src, "%v6:", 4)==0))
+ {
+ af = AF_INET6;
+ }
+ else
+ {
+ return FALSE;
+ }
+
+ ok = (src[4] != '!');
+ src += ok ? 4 : 5;
+ len -= ok ? 4 : 5;
+
+ if (!len)
+ return FALSE;
+ if (!ok && !dstko)
+ return FALSE;
+
+ passert ( ((ok)?(dst):(dstko))!=NULL );
+
+ if (ttosubnet(src, len, af, ((ok)?(dst):(dstko))))
+ {
+ return FALSE;
+ }
+ if (isok)
+ *isok = ok;
+ return TRUE;
+}
+
+void
+init_virtual_ip(const char *private_list)
+{
+ const char *next, *str=private_list;
+ unsigned short ign = 0, i_ok, i_ko;
+ ip_subnet sub;
+ bool ok;
+
+ /** Count **/
+ private_net_ok_len=0;
+ private_net_ko_len=0;
+
+ while (str)
+ {
+ next = strchr(str,',');
+ if (!next)
+ next = str + strlen(str);
+ if (_read_subnet(str, next-str, &sub, &sub, &ok))
+ if (ok)
+ private_net_ok_len++;
+ else
+ private_net_ko_len++;
+ else
+ ign++;
+ str = *next ? next+1 : NULL;
+ }
+
+ if (!ign)
+ {
+ /** Allocate **/
+ if (private_net_ok_len)
+ {
+ private_net_ok = (ip_subnet *)alloc_bytes(
+ (private_net_ok_len*sizeof(ip_subnet)),
+ "private_net_ok subnets");
+ }
+ if (private_net_ko_len)
+ {
+ private_net_ko = (ip_subnet *)alloc_bytes(
+ (private_net_ko_len*sizeof(ip_subnet)),
+ "private_net_ko subnets");
+ }
+ if ((private_net_ok_len && !private_net_ok)
+ || (private_net_ko_len && !private_net_ko))
+ {
+ loglog(RC_LOG_SERIOUS,
+ "can't alloc in init_virtual_ip");
+ pfreeany(private_net_ok);
+ private_net_ok = NULL;
+ pfreeany(private_net_ko);
+ private_net_ko = NULL;
+ }
+ else
+ {
+ /** Fill **/
+ str = private_list;
+ i_ok = 0;
+ i_ko = 0;
+
+ while (str)
+ {
+ next = strchr(str,',');
+ if (!next)
+ next = str + strlen(str);
+ if (_read_subnet(str, next-str,
+ &(private_net_ok[i_ok]), &(private_net_ko[i_ko]), &ok))
+ {
+ if (ok)
+ i_ok++;
+ else
+ i_ko++;
+ }
+ str = *next ? next+1 : NULL;
+ }
+ }
+ }
+ else
+ loglog(RC_LOG_SERIOUS,
+ "%d bad entries in virtual_private - none loaded", ign);
+}
+
+/**
+ * virtual string must be :
+ * {vhost,vnet}:[%method]*
+ *
+ * vhost = accept only a host (/32)
+ * vnet = accept any network
+ *
+ * %no = no virtual IP (accept public IP)
+ * %dhcp = accept DHCP SA (0.0.0.0/0) of affected IP [not implemented]
+ * %ike = accept affected IKE Config Mode IP [not implemented]
+ * %priv = accept system-wide private net list
+ * %v4:x = accept ipv4 in list 'x'
+ * %v6:x = accept ipv6 in list 'x'
+ * %all = accept all ips [only for testing]
+ *
+ * ex: vhost:%no,%dhcp,%priv,%v4:192.168.1.0/24
+ */
+struct virtual_t
+*create_virtual(const struct connection *c, const char *string)
+{
+ unsigned short flags=0, n_net=0, i;
+ const char *str = string, *next, *first_net=NULL;
+ ip_subnet sub;
+ struct virtual_t *v;
+
+ if (!string || string[0] == '\0')
+ return NULL;
+
+ if (strlen(string) >= 6 && strncmp(string,"vhost:",6) == 0)
+ {
+ flags |= F_VIRTUAL_HOST;
+ str += 6;
+ }
+ else if (strlen(string) >= 5 && strncmp(string,"vnet:",5) == 0)
+ str += 5;
+ else
+ goto fail;
+
+ /**
+ * Parse string : fill flags & count subnets
+ */
+ while ((str) && (*str))
+ {
+ next = strchr(str,',');
+ if (!next) next = str + strlen(str);
+ if (next-str == 3 && strncmp(str, "%no", 3) == 0)
+ flags |= F_VIRTUAL_NO;
+#if 0
+ else if (next-str == 4 && strncmp(str, "%ike", 4) == 0)
+ flags |= F_VIRTUAL_IKE_CONFIG;
+ else if (next-str == 5 && strncmp(str, "%dhcp", 5) == 0)
+ flags |= F_VIRTUAL_DHCP;
+#endif
+ else if (next-str == 5 && strncmp(str, "%priv", 5) == 0)
+ flags |= F_VIRTUAL_PRIVATE;
+ else if (next-str == 4 && strncmp(str, "%all", 4) == 0)
+ flags |= F_VIRTUAL_ALL;
+ else if (_read_subnet(str, next-str, &sub, NULL, NULL))
+ {
+ n_net++;
+ if (!first_net)
+ first_net = str;
+ }
+ else
+ goto fail;
+
+ str = *next ? next+1 : NULL;
+ }
+
+ v = (struct virtual_t *)alloc_bytes(
+ sizeof(struct virtual_t) + (n_net*sizeof(ip_subnet)),
+ "virtual description");
+ if (!v) goto fail;
+
+ v->flags = flags;
+ v->n_net = n_net;
+ if (n_net && first_net)
+ {
+ /**
+ * Save subnets in newly allocated struct
+ */
+ for (str = first_net, i = 0; str && *str; )
+ {
+ next = strchr(str,',');
+ if (!next) next = str + strlen(str);
+ if (_read_subnet(str, next-str, &(v->net[i]), NULL, NULL))
+ i++;
+ str = *next ? next+1 : NULL;
+ }
+ }
+
+ return v;
+
+fail:
+ plog("invalid virtual string [%s] - "
+ "virtual selection disabled for connection '%s'", string, c->name);
+ return NULL;
+}
+
+bool
+is_virtual_end(const struct end *that)
+{
+ return ((that->virt)?TRUE:FALSE);
+}
+
+bool
+is_virtual_connection(const struct connection *c)
+{
+ return ((c->spd.that.virt)?TRUE:FALSE);
+}
+
+static bool
+net_in_list(const ip_subnet *peer_net, const ip_subnet *list,
+ unsigned short len)
+{
+ unsigned short i;
+
+ if (!list || !len)
+ return FALSE;
+
+ for (i = 0; i < len; i++)
+ {
+ if (subnetinsubnet(peer_net, &(list[i])))
+ return TRUE;
+ }
+ return FALSE;
+}
+
+bool
+is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
+ const ip_address *his_addr)
+{
+ if (c->spd.that.virt == NULL)
+ return FALSE;
+
+ if ((c->spd.that.virt->flags & F_VIRTUAL_HOST)
+ && !subnetishost(peer_net))
+ return FALSE;
+
+ if ((c->spd.that.virt->flags & F_VIRTUAL_NO)
+ && subnetishost(peer_net) && addrinsubnet(his_addr, peer_net))
+ return TRUE;
+
+ if ((c->spd.that.virt->flags & F_VIRTUAL_PRIVATE)
+ && net_in_list(peer_net, private_net_ok, private_net_ok_len)
+ && !net_in_list(peer_net, private_net_ko, private_net_ko_len))
+ return TRUE;
+
+ if (c->spd.that.virt->n_net
+ && net_in_list(peer_net, c->spd.that.virt->net, c->spd.that.virt->n_net))
+ return TRUE;
+
+ if (c->spd.that.virt->flags & F_VIRTUAL_ALL)
+ {
+ /** %all must only be used for testing - log it **/
+ loglog(RC_LOG_SERIOUS, "Warning - "
+ "v%s:%%all must only be used for testing",
+ (c->spd.that.virt->flags & F_VIRTUAL_HOST) ? "host" : "net");
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
diff --git a/src/pluto/virtual.h b/src/pluto/virtual.h
new file mode 100644
index 000000000..2d5bf27ae
--- /dev/null
+++ b/src/pluto/virtual.h
@@ -0,0 +1,31 @@
+/* FreeS/WAN Virtual IP Management
+ * Copyright (C) 2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: virtual.h,v 1.2 2004/03/22 21:53:20 as Exp $
+ */
+
+#ifndef _VIRTUAL_IP_H
+#define _VIRTUAL_IP_H
+
+extern void init_virtual_ip(const char *private_list);
+
+extern struct virtual_t *create_virtual(const struct connection *c,
+ const char *string);
+
+extern bool is_virtual_end(const struct end *that);
+extern bool is_virtual_connection(const struct connection *c);
+extern bool is_virtual_net_allowed(const struct connection *c,
+ const ip_subnet *peer_net, const ip_address *his_addr);
+
+#endif /* _VIRTUAL_IP_H */
+
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
new file mode 100644
index 000000000..2521244f7
--- /dev/null
+++ b/src/pluto/x509.c
@@ -0,0 +1,2241 @@
+/* Support of X.509 certificates
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: x509.c,v 1.36 2006/04/10 16:08:33 as Exp $
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <time.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+#include <ipsec_policy.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "mp_defs.h"
+#include "log.h"
+#include "id.h"
+#include "asn1.h"
+#include "oid.h"
+#include "pkcs1.h"
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "certs.h"
+#include "keys.h"
+#include "whack.h"
+#include "fetch.h"
+#include "ocsp.h"
+#include "sha1.h"
+
+/* chained lists of X.509 end certificates */
+
+static x509cert_t *x509certs = NULL;
+
+/* ASN.1 definition of a basicConstraints extension */
+
+static const asn1Object_t basicConstraintsObjects[] = {
+ { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "CA", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 1 */
+ { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+
+#define BASIC_CONSTRAINTS_CA 1
+#define BASIC_CONSTRAINTS_ROOF 4
+
+/* ASN.1 definition of time */
+
+static const asn1Object_t timeObjects[] = {
+ { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT |
+ ASN1_BODY }, /* 0 */
+ { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "generalizeTime", ASN1_GENERALIZEDTIME, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+
+#define TIME_UTC 0
+#define TIME_GENERALIZED 2
+#define TIME_ROOF 4
+
+/* ASN.1 definition of a keyIdentifier */
+
+static const asn1Object_t keyIdentifierObjects[] = {
+ { 0, "keyIdentifier", ASN1_OCTET_STRING, ASN1_BODY } /* 0 */
+};
+
+/* ASN.1 definition of a authorityKeyIdentifier extension */
+
+static const asn1Object_t authorityKeyIdentifierObjects[] = {
+ { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT |
+ ASN1_OBJ }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_OBJ }, /* 3 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
+ { 1, "authorityCertSerialNumber", ASN1_CONTEXT_S_2, ASN1_OPT |
+ ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
+};
+
+#define AUTH_KEY_ID_KEY_ID 1
+#define AUTH_KEY_ID_CERT_ISSUER 3
+#define AUTH_KEY_ID_CERT_SERIAL 5
+#define AUTH_KEY_ID_ROOF 7
+
+/* ASN.1 definition of a authorityInfoAccess extension */
+
+static const asn1Object_t authorityInfoAccessObjects[] = {
+ { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 4 */
+};
+
+#define AUTH_INFO_ACCESS_METHOD 2
+#define AUTH_INFO_ACCESS_LOCATION 3
+#define AUTH_INFO_ACCESS_ROOF 5
+
+/* ASN.1 definition of a extendedKeyUsage extension */
+
+static const asn1Object_t extendedKeyUsageObjects[] = {
+ { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
+};
+
+#define EXT_KEY_USAGE_PURPOSE_ID 1
+#define EXT_KEY_USAGE_ROOF 3
+
+/* ASN.1 definition of generalNames */
+
+static const asn1Object_t generalNamesObjects[] = {
+ { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
+};
+
+#define GENERAL_NAMES_GN 1
+#define GENERAL_NAMES_ROOF 3
+
+/* ASN.1 definition of generalName */
+
+static const asn1Object_t generalNameObjects[] = {
+ { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_BODY }, /* 0 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
+ { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT |
+ ASN1_BODY }, /* 4 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
+ { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT |
+ ASN1_BODY }, /* 6 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT |
+ ASN1_BODY }, /* 8 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT |
+ ASN1_BODY }, /* 10 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
+ { 0, "uniformResourceIdentifier", ASN1_CONTEXT_S_6, ASN1_OPT |
+ ASN1_BODY }, /* 12 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
+ { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT |
+ ASN1_BODY }, /* 14 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
+ { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT |
+ ASN1_BODY }, /* 16 */
+ { 0, "end choice", ASN1_EOC, ASN1_END } /* 17 */
+};
+
+#define GN_OBJ_OTHER_NAME 0
+#define GN_OBJ_RFC822_NAME 2
+#define GN_OBJ_DNS_NAME 4
+#define GN_OBJ_X400_ADDRESS 6
+#define GN_OBJ_DIRECTORY_NAME 8
+#define GN_OBJ_EDI_PARTY_NAME 10
+#define GN_OBJ_URI 12
+#define GN_OBJ_IP_ADDRESS 14
+#define GN_OBJ_REGISTERED_ID 16
+#define GN_OBJ_ROOF 18
+
+/* ASN.1 definition of otherName */
+
+static const asn1Object_t otherNameObjects[] = {
+ {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
+ {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY } /* 1 */
+};
+
+#define ON_OBJ_ID_TYPE 0
+#define ON_OBJ_VALUE 1
+#define ON_OBJ_ROOF 2
+
+/* ASN.1 definition of crlDistributionPoints */
+
+static const asn1Object_t crlDistributionPointsObjects[] = {
+ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_LOOP }, /* 2 */
+ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_OBJ }, /* 3 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
+ { 3, "nameRelativeToCRLIssuer", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_BODY }, /* 5 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
+ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_BODY }, /* 8 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT |
+ ASN1_BODY }, /* 10 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
+};
+
+#define CRL_DIST_POINTS_FULLNAME 3
+#define CRL_DIST_POINTS_ROOF 13
+
+/* ASN.1 definition of an X.509v3 certificate */
+
+static const asn1Object_t certObjects[] = {
+ { 0, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
+ { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
+ { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
+ { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
+ { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
+ { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
+ { 2, "subjectPublicKeyInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
+ { 3, "algorithm", ASN1_EOC, ASN1_RAW }, /* 12 */
+ { 3, "subjectPublicKey", ASN1_BIT_STRING, ASN1_NONE }, /* 13 */
+ { 4, "RSAPublicKey", ASN1_SEQUENCE, ASN1_OBJ }, /* 14 */
+ { 5, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 15 */
+ { 5, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 16 */
+ { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 17 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 19 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
+ { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 21 */
+ { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 22 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 23 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 24 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 25 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 26 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 27 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 28 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 29 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 30 */
+};
+
+#define X509_OBJ_CERTIFICATE 0
+#define X509_OBJ_TBS_CERTIFICATE 1
+#define X509_OBJ_VERSION 3
+#define X509_OBJ_SERIAL_NUMBER 4
+#define X509_OBJ_SIG_ALG 5
+#define X509_OBJ_ISSUER 6
+#define X509_OBJ_NOT_BEFORE 8
+#define X509_OBJ_NOT_AFTER 9
+#define X509_OBJ_SUBJECT 10
+#define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM 12
+#define X509_OBJ_SUBJECT_PUBLIC_KEY 13
+#define X509_OBJ_RSA_PUBLIC_KEY 14
+#define X509_OBJ_MODULUS 15
+#define X509_OBJ_PUBLIC_EXPONENT 16
+#define X509_OBJ_EXTN_ID 24
+#define X509_OBJ_CRITICAL 25
+#define X509_OBJ_EXTN_VALUE 26
+#define X509_OBJ_ALGORITHM 29
+#define X509_OBJ_SIGNATURE 30
+#define X509_OBJ_ROOF 31
+
+
+const x509cert_t empty_x509cert = {
+ NULL , /* *next */
+ UNDEFINED_TIME, /* installed */
+ 0 , /* count */
+ FALSE , /* smartcard */
+ AUTH_NONE , /* authority_flags */
+ { NULL, 0 } , /* certificate */
+ { NULL, 0 } , /* tbsCertificate */
+ 1 , /* version */
+ { NULL, 0 } , /* serialNumber */
+ OID_UNKNOWN , /* sigAlg */
+ { NULL, 0 } , /* issuer */
+ /* validity */
+ 0 , /* notBefore */
+ 0 , /* notAfter */
+ { NULL, 0 } , /* subject */
+ /* subjectPublicKeyInfo */
+ OID_UNKNOWN , /* subjectPublicKeyAlgorithm */
+ { NULL, 0 } , /* subjectPublicKey */
+ { NULL, 0 } , /* modulus */
+ { NULL, 0 } , /* publicExponent */
+ /* issuerUniqueID */
+ /* subjectUniqueID */
+ /* extensions */
+ /* extension */
+ /* extnID */
+ /* critical */
+ /* extnValue */
+ FALSE , /* isCA */
+ FALSE , /* isOcspSigner */
+ { NULL, 0 } , /* subjectKeyID */
+ { NULL, 0 } , /* authKeyID */
+ { NULL, 0 } , /* authKeySerialNumber */
+ { NULL, 0 } , /* accessLocation */
+ NULL , /* subjectAltName */
+ NULL , /* crlDistributionPoints */
+ OID_UNKNOWN , /* algorithm */
+ { NULL, 0 } /* signature */
+};
+
+/* coding of X.501 distinguished name */
+
+typedef struct {
+ const u_char *name;
+ chunk_t oid;
+ u_char type;
+} x501rdn_t;
+
+/* X.501 acronyms for well known object identifiers (OIDs) */
+
+static u_char oid_ND[] = {0x02, 0x82, 0x06, 0x01,
+ 0x0A, 0x07, 0x14};
+static u_char oid_UID[] = {0x09, 0x92, 0x26, 0x89, 0x93,
+ 0xF2, 0x2C, 0x64, 0x01, 0x01};
+static u_char oid_DC[] = {0x09, 0x92, 0x26, 0x89, 0x93,
+ 0xF2, 0x2C, 0x64, 0x01, 0x19};
+static u_char oid_CN[] = {0x55, 0x04, 0x03};
+static u_char oid_S[] = {0x55, 0x04, 0x04};
+static u_char oid_SN[] = {0x55, 0x04, 0x05};
+static u_char oid_C[] = {0x55, 0x04, 0x06};
+static u_char oid_L[] = {0x55, 0x04, 0x07};
+static u_char oid_ST[] = {0x55, 0x04, 0x08};
+static u_char oid_O[] = {0x55, 0x04, 0x0A};
+static u_char oid_OU[] = {0x55, 0x04, 0x0B};
+static u_char oid_T[] = {0x55, 0x04, 0x0C};
+static u_char oid_D[] = {0x55, 0x04, 0x0D};
+static u_char oid_N[] = {0x55, 0x04, 0x29};
+static u_char oid_G[] = {0x55, 0x04, 0x2A};
+static u_char oid_I[] = {0x55, 0x04, 0x2B};
+static u_char oid_ID[] = {0x55, 0x04, 0x2D};
+static u_char oid_EN[] = {0x60, 0x86, 0x48, 0x01, 0x86,
+ 0xF8, 0x42, 0x03, 0x01, 0x03};
+static u_char oid_E[] = {0x2A, 0x86, 0x48, 0x86, 0xF7,
+ 0x0D, 0x01, 0x09, 0x01};
+static u_char oid_UN[] = {0x2A, 0x86, 0x48, 0x86, 0xF7,
+ 0x0D, 0x01, 0x09, 0x02};
+static u_char oid_TCGID[] = {0x2B, 0x06, 0x01, 0x04, 0x01, 0x89,
+ 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B};
+
+static const x501rdn_t x501rdns[] = {
+ {"ND" , {oid_ND, 7}, ASN1_PRINTABLESTRING},
+ {"UID" , {oid_UID, 10}, ASN1_PRINTABLESTRING},
+ {"DC" , {oid_DC, 10}, ASN1_PRINTABLESTRING},
+ {"CN" , {oid_CN, 3}, ASN1_PRINTABLESTRING},
+ {"S" , {oid_S, 3}, ASN1_PRINTABLESTRING},
+ {"SN" , {oid_SN, 3}, ASN1_PRINTABLESTRING},
+ {"serialNumber" , {oid_SN, 3}, ASN1_PRINTABLESTRING},
+ {"C" , {oid_C, 3}, ASN1_PRINTABLESTRING},
+ {"L" , {oid_L, 3}, ASN1_PRINTABLESTRING},
+ {"ST" , {oid_ST, 3}, ASN1_PRINTABLESTRING},
+ {"O" , {oid_O, 3}, ASN1_PRINTABLESTRING},
+ {"OU" , {oid_OU, 3}, ASN1_PRINTABLESTRING},
+ {"T" , {oid_T, 3}, ASN1_PRINTABLESTRING},
+ {"D" , {oid_D, 3}, ASN1_PRINTABLESTRING},
+ {"N" , {oid_N, 3}, ASN1_PRINTABLESTRING},
+ {"G" , {oid_G, 3}, ASN1_PRINTABLESTRING},
+ {"I" , {oid_I, 3}, ASN1_PRINTABLESTRING},
+ {"ID" , {oid_ID, 3}, ASN1_PRINTABLESTRING},
+ {"EN" , {oid_EN, 10}, ASN1_PRINTABLESTRING},
+ {"employeeNumber" , {oid_EN, 10}, ASN1_PRINTABLESTRING},
+ {"E" , {oid_E, 9}, ASN1_IA5STRING},
+ {"Email" , {oid_E, 9}, ASN1_IA5STRING},
+ {"emailAddress" , {oid_E, 9}, ASN1_IA5STRING},
+ {"UN" , {oid_UN, 9}, ASN1_IA5STRING},
+ {"unstructuredName", {oid_UN, 9}, ASN1_IA5STRING},
+ {"TCGID" , {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
+};
+
+#define X501_RDN_ROOF 26
+
+static u_char ASN1_subjectAltName_oid_str[] = {
+ 0x06, 0x03, 0x55, 0x1D, 0x11
+};
+
+static const chunk_t ASN1_subjectAltName_oid = strchunk(ASN1_subjectAltName_oid_str);
+
+static void
+update_chunk(chunk_t *ch, int n)
+{
+ n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
+ ch->ptr += n; ch->len -= n;
+}
+
+
+/*
+ * Pointer is set to the first RDN in a DN
+ */
+static err_t
+init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+{
+ *rdn = empty_chunk;
+ *attribute = empty_chunk;
+
+ /* a DN is a SEQUENCE OF RDNs */
+
+ if (*dn.ptr != ASN1_SEQUENCE)
+ {
+ return "DN is not a SEQUENCE";
+ }
+
+ rdn->len = asn1_length(&dn);
+
+ if (rdn->len == ASN1_INVALID_LENGTH)
+ return "Invalid RDN length";
+
+ rdn->ptr = dn.ptr;
+
+ /* are there any RDNs ? */
+ *next = rdn->len > 0;
+
+ return NULL;
+}
+
+/*
+ * Fetches the next RDN in a DN
+ */
+static err_t
+get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value
+, asn1_t *type, bool *next)
+{
+ chunk_t body;
+
+ /* initialize return values */
+ *oid = empty_chunk;
+ *value = empty_chunk;
+
+ /* if all attributes have been parsed, get next rdn */
+ if (attribute->len <= 0)
+ {
+ /* an RDN is a SET OF attributeTypeAndValue */
+ if (*rdn->ptr != ASN1_SET)
+ return "RDN is not a SET";
+
+ attribute->len = asn1_length(rdn);
+
+ if (attribute->len == ASN1_INVALID_LENGTH)
+ return "Invalid attribute length";
+
+ attribute->ptr = rdn->ptr;
+
+ /* advance to start of next RDN */
+ rdn->ptr += attribute->len;
+ rdn->len -= attribute->len;
+ }
+
+ /* an attributeTypeAndValue is a SEQUENCE */
+ if (*attribute->ptr != ASN1_SEQUENCE)
+ return "attributeTypeAndValue is not a SEQUENCE";
+
+ /* extract the attribute body */
+ body.len = asn1_length(attribute);
+
+ if (body.len == ASN1_INVALID_LENGTH)
+ return "Invalid attribute body length";
+
+ body.ptr = attribute->ptr;
+
+ /* advance to start of next attribute */
+ attribute->ptr += body.len;
+ attribute->len -= body.len;
+
+ /* attribute type is an OID */
+ if (*body.ptr != ASN1_OID)
+ return "attributeType is not an OID";
+
+ /* extract OID */
+ oid->len = asn1_length(&body);
+
+ if (oid->len == ASN1_INVALID_LENGTH)
+ return "Invalid attribute OID length";
+
+ oid->ptr = body.ptr;
+
+ /* advance to the attribute value */
+ body.ptr += oid->len;
+ body.len -= oid->len;
+
+ /* extract string type */
+ *type = *body.ptr;
+
+ /* extract string value */
+ value->len = asn1_length(&body);
+
+ if (value->len == ASN1_INVALID_LENGTH)
+ return "Invalid attribute string length";
+
+ value->ptr = body.ptr;
+
+ /* are there any RDNs left? */
+ *next = rdn->len > 0 || attribute->len > 0;
+
+ return NULL;
+}
+
+/*
+ * Parses an ASN.1 distinguished name int its OID/value pairs
+ */
+static err_t
+dn_parse(chunk_t dn, chunk_t *str)
+{
+ chunk_t rdn, oid, attribute, value;
+ asn1_t type;
+ int oid_code;
+ bool next;
+ bool first = TRUE;
+
+ err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
+
+ if (ugh != NULL) /* a parsing error has occured */
+ return ugh;
+
+ while (next)
+ {
+ ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+
+ if (ugh != NULL) /* a parsing error has occured */
+ return ugh;
+
+ if (first) /* first OID/value pair */
+ first = FALSE;
+ else /* separate OID/value pair by a comma */
+ update_chunk(str, snprintf(str->ptr,str->len,", "));
+
+ /* print OID */
+ oid_code = known_oid(oid);
+ if (oid_code == OID_UNKNOWN) /* OID not found in list */
+ hex_str(oid, str);
+ else
+ update_chunk(str, snprintf(str->ptr,str->len,"%s",
+ oid_names[oid_code].name));
+
+ /* print value */
+ update_chunk(str, snprintf(str->ptr,str->len,"=%.*s",
+ (int)value.len,value.ptr));
+ }
+ return NULL;
+}
+
+/*
+ * Count the number of wildcard RDNs in a distinguished name
+ */
+int
+dn_count_wildcards(chunk_t dn)
+{
+ chunk_t rdn, attribute, oid, value;
+ asn1_t type;
+ bool next;
+ int wildcards = 0;
+
+ err_t ugh = init_rdn(dn, &rdn, &attribute, &next);
+
+ if (ugh != NULL) /* a parsing error has occured */
+ return -1;
+
+ while (next)
+ {
+ ugh = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+
+ if (ugh != NULL) /* a parsing error has occured */
+ return -1;
+ if (value.len == 1 && *value.ptr == '*')
+ wildcards++; /* we have found a wildcard RDN */
+ }
+ return wildcards;
+}
+
+/*
+ * Prints a binary string in hexadecimal form
+ */
+void
+hex_str(chunk_t bin, chunk_t *str)
+{
+ u_int i;
+ update_chunk(str, snprintf(str->ptr,str->len,"0x"));
+ for (i=0; i < bin.len; i++)
+ update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
+}
+
+
+/* Converts a binary DER-encoded ASN.1 distinguished name
+ * into LDAP-style human-readable ASCII format
+ */
+int
+dntoa(char *dst, size_t dstlen, chunk_t dn)
+{
+ err_t ugh = NULL;
+ chunk_t str;
+
+ str.ptr = dst;
+ str.len = dstlen;
+ ugh = dn_parse(dn, &str);
+
+ if (ugh != NULL) /* error, print DN as hex string */
+ {
+ DBG(DBG_PARSING,
+ DBG_log("error in DN parsing: %s", ugh)
+ )
+ str.ptr = dst;
+ str.len = dstlen;
+ hex_str(dn, &str);
+ }
+ return (int)(dstlen - str.len);
+}
+
+/*
+ * Same as dntoa but prints a special string for a null dn
+ */
+int
+dntoa_or_null(char *dst, size_t dstlen, chunk_t dn, const char* null_dn)
+{
+ if (dn.ptr == NULL)
+ return snprintf(dst, dstlen, "%s", null_dn);
+ else
+ return dntoa(dst, dstlen, dn);
+}
+
+/* Converts an LDAP-style human-readable ASCII-encoded
+ * ASN.1 distinguished name into binary DER-encoded format
+ */
+err_t
+atodn(char *src, chunk_t *dn)
+{
+ /* finite state machine for atodn */
+
+ typedef enum {
+ SEARCH_OID = 0,
+ READ_OID = 1,
+ SEARCH_NAME = 2,
+ READ_NAME = 3,
+ UNKNOWN_OID = 4
+ } state_t;
+
+ u_char oid_len_buf[3];
+ u_char name_len_buf[3];
+ u_char rdn_seq_len_buf[3];
+ u_char rdn_set_len_buf[3];
+ u_char dn_seq_len_buf[3];
+
+ chunk_t asn1_oid_len = { oid_len_buf, 0 };
+ chunk_t asn1_name_len = { name_len_buf, 0 };
+ chunk_t asn1_rdn_seq_len = { rdn_seq_len_buf, 0 };
+ chunk_t asn1_rdn_set_len = { rdn_set_len_buf, 0 };
+ chunk_t asn1_dn_seq_len = { dn_seq_len_buf, 0 };
+ chunk_t oid = empty_chunk;
+ chunk_t name = empty_chunk;
+
+ int whitespace = 0;
+ int rdn_seq_len = 0;
+ int rdn_set_len = 0;
+ int dn_seq_len = 0;
+ int pos = 0;
+
+ err_t ugh = NULL;
+
+ u_char *dn_ptr = dn->ptr + 4;
+
+ state_t state = SEARCH_OID;
+
+ do
+ {
+ switch (state)
+ {
+ case SEARCH_OID:
+ if (*src != ' ' && *src != '/' && *src != ',')
+ {
+ oid.ptr = src;
+ oid.len = 1;
+ state = READ_OID;
+ }
+ break;
+ case READ_OID:
+ if (*src != ' ' && *src != '=')
+ oid.len++;
+ else
+ {
+ for (pos = 0; pos < X501_RDN_ROOF; pos++)
+ {
+ if (strlen(x501rdns[pos].name) == oid.len &&
+ strncasecmp(x501rdns[pos].name, oid.ptr, oid.len) == 0)
+ break; /* found a valid OID */
+ }
+ if (pos == X501_RDN_ROOF)
+ {
+ ugh = "unknown OID in distinguished name";
+ state = UNKNOWN_OID;
+ break;
+ }
+ code_asn1_length(x501rdns[pos].oid.len, &asn1_oid_len);
+
+ /* reset oid and change state */
+ oid = empty_chunk;
+ state = SEARCH_NAME;
+ }
+ break;
+ case SEARCH_NAME:
+ if (*src != ' ' && *src != '=')
+ {
+ name.ptr = src;
+ name.len = 1;
+ whitespace = 0;
+ state = READ_NAME;
+ }
+ break;
+ case READ_NAME:
+ if (*src != ',' && *src != '/' && *src != '\0')
+ {
+ name.len++;
+ if (*src == ' ')
+ whitespace++;
+ else
+ whitespace = 0;
+ }
+ else
+ {
+ name.len -= whitespace;
+ code_asn1_length(name.len, &asn1_name_len);
+
+ /* compute the length of the relative distinguished name sequence */
+ rdn_seq_len = 1 + asn1_oid_len.len + x501rdns[pos].oid.len +
+ 1 + asn1_name_len.len + name.len;
+ code_asn1_length(rdn_seq_len, &asn1_rdn_seq_len);
+
+ /* compute the length of the relative distinguished name set */
+ rdn_set_len = 1 + asn1_rdn_seq_len.len + rdn_seq_len;
+ code_asn1_length(rdn_set_len, &asn1_rdn_set_len);
+
+ /* encode the relative distinguished name */
+ *dn_ptr++ = ASN1_SET;
+ chunkcpy(dn_ptr, asn1_rdn_set_len);
+ *dn_ptr++ = ASN1_SEQUENCE;
+ chunkcpy(dn_ptr, asn1_rdn_seq_len);
+ *dn_ptr++ = ASN1_OID;
+ chunkcpy(dn_ptr, asn1_oid_len);
+ chunkcpy(dn_ptr, x501rdns[pos].oid);
+ /* encode the ASN.1 character string type of the name */
+ *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING
+ && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type;
+ chunkcpy(dn_ptr, asn1_name_len);
+ chunkcpy(dn_ptr, name);
+
+ /* accumulate the length of the distinguished name sequence */
+ dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;
+
+ /* reset name and change state */
+ name = empty_chunk;
+ state = SEARCH_OID;
+ }
+ break;
+ case UNKNOWN_OID:
+ break;
+ }
+ } while (*src++ != '\0');
+
+ /* complete the distinguished name sequence*/
+ code_asn1_length(dn_seq_len, &asn1_dn_seq_len);
+ dn->ptr += 3 - asn1_dn_seq_len.len;
+ dn->len = 1 + asn1_dn_seq_len.len + dn_seq_len;
+ dn_ptr = dn->ptr;
+ *dn_ptr++ = ASN1_SEQUENCE;
+ chunkcpy(dn_ptr, asn1_dn_seq_len);
+ return ugh;
+}
+
+/* compare two distinguished names by
+ * comparing the individual RDNs
+ */
+bool
+same_dn(chunk_t a, chunk_t b)
+{
+ chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+ chunk_t oid_a, oid_b, value_a, value_b;
+ asn1_t type_a, type_b;
+ bool next_a, next_b;
+
+ /* same lengths for the DNs */
+ if (a.len != b.len)
+ return FALSE;
+
+ /* try a binary comparison first */
+ if (memcmp(a.ptr, b.ptr, b.len) == 0)
+ return TRUE;
+
+ /* initialize DN parsing */
+ if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
+ || init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
+ return FALSE;
+
+ /* fetch next RDN pair */
+ while (next_a && next_b)
+ {
+ /* parse next RDNs and check for errors */
+ if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
+ || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+ {
+ return FALSE;
+ }
+
+ /* OIDs must agree */
+ if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ return FALSE;
+
+ /* same lengths for values */
+ if (value_a.len != value_b.len)
+ return FALSE;
+
+ /* printableStrings and email RDNs require uppercase comparison */
+ if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
+ (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ {
+ if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ else
+ {
+ if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ }
+ /* both DNs must have same number of RDNs */
+ if (next_a || next_b)
+ return FALSE;
+
+ /* the two DNs are equal! */
+ return TRUE;
+}
+
+
+/* compare two distinguished names by comparing the individual RDNs.
+ * A single'*' character designates a wildcard RDN in DN b.
+ */
+bool
+match_dn(chunk_t a, chunk_t b, int *wildcards)
+{
+ chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+ chunk_t oid_a, oid_b, value_a, value_b;
+ asn1_t type_a, type_b;
+ bool next_a, next_b;
+
+ /* initialize wildcard counter */
+ *wildcards = 0;
+
+ /* initialize DN parsing */
+ if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != NULL
+ || init_rdn(b, &rdn_b, &attribute_b, &next_b) != NULL)
+ return FALSE;
+
+ /* fetch next RDN pair */
+ while (next_a && next_b)
+ {
+ /* parse next RDNs and check for errors */
+ if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != NULL
+ || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != NULL)
+ {
+ return FALSE;
+ }
+
+ /* OIDs must agree */
+ if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ return FALSE;
+
+ /* does rdn_b contain a wildcard? */
+ if (value_b.len == 1 && *value_b.ptr == '*')
+ {
+ (*wildcards)++;
+ continue;
+ }
+
+ /* same lengths for values */
+ if (value_a.len != value_b.len)
+ return FALSE;
+
+ /* printableStrings and email RDNs require uppercase comparison */
+ if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
+ (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ {
+ if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ else
+ {
+ if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ }
+ /* both DNs must have same number of RDNs */
+ if (next_a || next_b)
+ return FALSE;
+
+ /* the two DNs match! */
+ return TRUE;
+}
+
+/*
+ * compare two X.509 certificates by comparing their signatures
+ */
+bool
+same_x509cert(const x509cert_t *a, const x509cert_t *b)
+{
+ return same_chunk(a->signature, b->signature);
+}
+
+/* for each link pointing to the certificate
+ " increase the count by one
+ */
+void
+share_x509cert(x509cert_t *cert)
+{
+ if (cert != NULL)
+ cert->count++;
+}
+
+/*
+ * add a X.509 user/host certificate to the chained list
+ */
+x509cert_t*
+add_x509cert(x509cert_t *cert)
+{
+ x509cert_t *c = x509certs;
+
+ while (c != NULL)
+ {
+ if (same_x509cert(c, cert)) /* already in chain, free cert */
+ {
+ free_x509cert(cert);
+ return c;
+ }
+ c = c->next;
+ }
+
+ /* insert new cert at the root of the chain */
+ lock_certs_and_keys("add_x509cert");
+ cert->next = x509certs;
+ x509certs = cert;
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log(" x509 cert inserted")
+ )
+ unlock_certs_and_keys("add_x509cert");
+ return cert;
+}
+
+/*
+ * choose either subject DN or a subjectAltName as connection end ID
+ */
+void
+select_x509cert_id(x509cert_t *cert, struct id *end_id)
+{
+ bool copy_subject_dn = TRUE; /* ID is subject DN */
+
+ if (end_id->kind != ID_NONE) /* check for matching subjectAltName */
+ {
+ generalName_t *gn = cert->subjectAltName;
+
+ while (gn != NULL)
+ {
+ struct id id = empty_id;
+
+ gntoid(&id, gn);
+ if (same_id(&id, end_id))
+ {
+ copy_subject_dn = FALSE; /* take subjectAltName instead */
+ break;
+ }
+ gn = gn->next;
+ }
+ }
+
+ if (copy_subject_dn)
+ {
+ if (end_id->kind != ID_NONE && end_id->kind != ID_DER_ASN1_DN)
+ {
+ char buf[BUF_LEN];
+
+ idtoa(end_id, buf, BUF_LEN);
+ plog(" no subjectAltName matches ID '%s', replaced by subject DN", buf);
+ }
+ end_id->kind = ID_DER_ASN1_DN;
+ end_id->name.len = cert->subject.len;
+ end_id->name.ptr = temporary_cyclic_buffer();
+ memcpy(end_id->name.ptr, cert->subject.ptr, cert->subject.len);
+ }
+}
+
+/*
+ * check for equality between two key identifiers
+ */
+bool
+same_keyid(chunk_t a, chunk_t b)
+{
+ if (a.ptr == NULL || b.ptr == NULL)
+ return FALSE;
+
+ return same_chunk(a, b);
+}
+
+/*
+ * check for equality between two serial numbers
+ */
+bool
+same_serial(chunk_t a, chunk_t b)
+{
+ /* do not compare serial numbers if one of them is not defined */
+ if (a.ptr == NULL || b.ptr == NULL)
+ return TRUE;
+
+ return same_chunk(a, b);
+}
+
+/*
+ * get a X.509 certificate with a given issuer found at a certain position
+ */
+x509cert_t*
+get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid, x509cert_t *chain)
+{
+ x509cert_t *cert = (chain != NULL)? chain->next : x509certs;
+
+ while (cert != NULL)
+ {
+ if ((keyid.ptr != NULL) ? same_keyid(keyid, cert->authKeyID)
+ : (same_dn(issuer, cert->issuer)
+ && same_serial(serial, cert->authKeySerialNumber)))
+ {
+ return cert;
+ }
+ cert = cert->next;
+ }
+ return NULL;
+}
+
+/*
+ * encode a linked list of subjectAltNames
+ */
+chunk_t
+build_subjectAltNames(generalName_t *subjectAltNames)
+{
+ u_char *pos;
+ chunk_t names;
+ size_t len = 0;
+ generalName_t *gn = subjectAltNames;
+
+ /* compute the total size of the ASN.1 attributes object */
+ while (gn != NULL)
+ {
+ len += gn->name.len;
+ gn = gn->next;
+ }
+
+ pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
+
+ gn = subjectAltNames;
+ while (gn != NULL)
+ {
+ chunkcpy(pos, gn->name);
+ gn = gn->next;
+ }
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_subjectAltName_oid
+ , asn1_wrap(ASN1_OCTET_STRING, "m", names));
+}
+
+/*
+ * build a to-be-signed X.509 certificate body
+ */
+static chunk_t
+build_tbs_x509cert(x509cert_t *cert, const RSA_public_key_t *rsa)
+{
+ /* version is always X.509v3 */
+ chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2);
+
+ chunk_t extensions = empty_chunk;
+
+ if (cert->subjectAltName != NULL)
+ {
+ extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m"
+ , asn1_wrap(ASN1_SEQUENCE, "m"
+ , build_subjectAltNames(cert->subjectAltName)));
+ }
+
+ return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm"
+ , version
+ , asn1_simple_object(ASN1_INTEGER, cert->serialNumber)
+ , asn1_algorithmIdentifier(cert->sigAlg)
+ , cert->issuer
+ , asn1_wrap(ASN1_SEQUENCE, "mm"
+ , timetoasn1(&cert->notBefore, ASN1_UTCTIME)
+ , timetoasn1(&cert->notAfter, ASN1_UTCTIME)
+ )
+ , cert->subject
+ , pkcs1_build_publicKeyInfo(rsa)
+ , extensions
+ );
+}
+
+/*
+ * build a DER-encoded X.509 certificate
+ */
+void
+build_x509cert(x509cert_t *cert, const RSA_public_key_t *cert_key
+, const RSA_private_key_t *signer_key)
+{
+ chunk_t tbs_cert = build_tbs_x509cert(cert, cert_key);
+
+ chunk_t signature = pkcs1_build_signature(tbs_cert, cert->sigAlg
+ , signer_key, TRUE);
+
+ cert->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm"
+ , tbs_cert
+ , asn1_algorithmIdentifier(cert->sigAlg)
+ , signature);
+}
+
+/*
+ * free the dynamic memory used to store generalNames
+ */
+void
+free_generalNames(generalName_t* gn, bool free_name)
+{
+ while (gn != NULL)
+ {
+ generalName_t *gn_top = gn;
+ if (free_name)
+ {
+ pfree(gn->name.ptr);
+ }
+ gn = gn->next;
+ pfree(gn_top);
+ }
+}
+
+/*
+ * free a X.509 certificate
+ */
+void
+free_x509cert(x509cert_t *cert)
+{
+ if (cert != NULL)
+ {
+ free_generalNames(cert->subjectAltName, FALSE);
+ free_generalNames(cert->crlDistributionPoints, FALSE);
+ pfreeany(cert->certificate.ptr);
+ pfree(cert);
+ cert = NULL;
+ }
+}
+
+/* release of a certificate decreases the count by one
+ " the certificate is freed when the counter reaches zero
+ */
+void
+release_x509cert(x509cert_t *cert)
+{
+ if (cert != NULL && --cert->count == 0)
+ {
+ x509cert_t **pp = &x509certs;
+ while (*pp != cert)
+ pp = &(*pp)->next;
+ *pp = cert->next;
+ free_x509cert(cert);
+ }
+}
+
+
+/*
+ * stores a chained list of end certs and CA certs
+ */
+void
+store_x509certs(x509cert_t **firstcert, bool strict)
+{
+ x509cert_t *cacerts = NULL;
+ x509cert_t **pp = firstcert;
+
+ /* first extract CA certs, discarding root CA certs */
+
+ while (*pp != NULL)
+ {
+ x509cert_t *cert = *pp;
+
+ if (cert->isCA)
+ {
+ *pp = cert->next;
+
+ /* we don't accept self-signed CA certs */
+ if (same_dn(cert->issuer, cert->subject))
+ {
+ plog("self-signed cacert rejected");
+ free_x509cert(cert);
+ }
+ else
+ {
+ /* insertion into temporary chain of candidate CA certs */
+ cert->next = cacerts;
+ cacerts = cert;
+ }
+ }
+ else
+ pp = &cert->next;
+ }
+
+ /* now verify the candidate CA certs */
+
+ while (cacerts != NULL)
+ {
+ x509cert_t *cert = cacerts;
+
+ cacerts = cacerts->next;
+
+ if (trust_authcert_candidate(cert, cacerts))
+ {
+ add_authcert(cert, AUTH_CA);
+ }
+ else
+ {
+ plog("intermediate cacert rejected");
+ free_x509cert(cert);
+ }
+ }
+
+ /* now verify the end certificates */
+
+ pp = firstcert;
+
+ while (*pp != NULL)
+ {
+ time_t valid_until;
+ x509cert_t *cert = *pp;
+
+ if (verify_x509cert(cert, strict, &valid_until))
+ {
+ DBG(DBG_CONTROL | DBG_PARSING,
+ DBG_log("public key validated")
+ )
+ add_x509_public_key(cert, valid_until, DAL_SIGNED);
+ }
+ else
+ {
+ plog("X.509 certificate rejected");
+ }
+ *pp = cert->next;
+ free_x509cert(cert);
+ }
+}
+
+/*
+ * decrypts an RSA signature using the issuer's certificate
+ */
+static bool
+decrypt_sig(chunk_t sig, int alg, const x509cert_t *issuer_cert,
+ chunk_t *digest)
+{
+ switch (alg)
+ {
+ chunk_t decrypted;
+
+ case OID_RSA_ENCRYPTION:
+ case OID_MD2_WITH_RSA:
+ case OID_MD5_WITH_RSA:
+ case OID_SHA1_WITH_RSA:
+ case OID_SHA1_WITH_RSA_OIW:
+ case OID_SHA256_WITH_RSA:
+ case OID_SHA384_WITH_RSA:
+ case OID_SHA512_WITH_RSA:
+ {
+ mpz_t s;
+ RSA_public_key_t rsa;
+
+ init_RSA_public_key(&rsa, issuer_cert->publicExponent
+ , issuer_cert->modulus);
+
+ /* decrypt the signature s = s^e mod n */
+ n_to_mpz(s, sig.ptr, sig.len);
+ mpz_powm(s, s, &rsa.e, &rsa.n);
+
+ /* convert back to bytes */
+ decrypted = mpz_to_n(s, rsa.k);
+ DBG(DBG_PARSING,
+ DBG_dump_chunk(" decrypted signature: ", decrypted)
+ )
+
+ /* copy the least significant bits of decrypted signature
+ * into the digest string
+ */
+ memcpy(digest->ptr, decrypted.ptr + decrypted.len - digest->len,
+ digest->len);
+
+ /* free memory */
+ free_RSA_public_content(&rsa);
+ pfree(decrypted.ptr);
+ mpz_clear(s);
+ return TRUE;
+ }
+ default:
+ digest->len = 0;
+ return FALSE;
+ }
+}
+
+/*
+ * Check if a signature over binary blob is genuine
+ */
+bool
+check_signature(chunk_t tbs, chunk_t sig, int digest_alg, int enc_alg
+, const x509cert_t *issuer_cert)
+{
+ u_char digest_buf[MAX_DIGEST_LEN];
+ u_char decrypted_buf[MAX_DIGEST_LEN];
+ chunk_t digest = {digest_buf, MAX_DIGEST_LEN};
+ chunk_t decrypted = {decrypted_buf, MAX_DIGEST_LEN};
+
+ DBG(DBG_PARSING,
+ if (digest_alg != OID_UNKNOWN)
+ DBG_log("signature digest algorithm: '%s'",oid_names[digest_alg].name);
+ else
+ DBG_log("unknown signature digest algorithm");
+ )
+
+ if (!compute_digest(tbs, digest_alg, &digest))
+ {
+ plog(" digest algorithm not supported");
+ return FALSE;
+ }
+
+ DBG(DBG_PARSING,
+ DBG_dump_chunk(" digest:", digest)
+ )
+
+ decrypted.len = digest.len; /* we want the same digest length */
+
+ DBG(DBG_PARSING,
+ if (enc_alg != OID_UNKNOWN)
+ DBG_log("signature encryption algorithm: '%s'",oid_names[enc_alg].name);
+ else
+ DBG_log("unknown signature encryption algorithm");
+ )
+
+ if (!decrypt_sig(sig, enc_alg, issuer_cert, &decrypted))
+ {
+ plog(" decryption algorithm not supported");
+ return FALSE;
+ }
+
+ /* check if digests are equal */
+ return !memcmp(decrypted.ptr, digest.ptr, digest.len);
+}
+
+/*
+ * extracts the basicConstraints extension
+ */
+static bool
+parse_basicConstraints(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+ bool isCA = FALSE;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < BASIC_CONSTRAINTS_ROOF) {
+
+ if (!extract_object(basicConstraintsObjects, &objectID,
+ &object,&level, &ctx))
+ break;
+
+ if (objectID == BASIC_CONSTRAINTS_CA)
+ {
+ isCA = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(isCA)?"TRUE":"FALSE");
+ )
+ }
+ objectID++;
+ }
+ return isCA;
+}
+
+/*
+ * Converts a X.500 generalName into an ID
+ */
+void
+gntoid(struct id *id, const generalName_t *gn)
+{
+ switch(gn->kind)
+ {
+ case GN_DNS_NAME: /* ID type: ID_FQDN */
+ id->kind = ID_FQDN;
+ id->name = gn->name;
+ break;
+ case GN_IP_ADDRESS: /* ID type: ID_IPV4_ADDR */
+ {
+ const struct af_info *afi = &af_inet4_info;
+ err_t ugh = NULL;
+
+ id->kind = afi->id_addr;
+ ugh = initaddr(gn->name.ptr, gn->name.len, afi->af, &id->ip_addr);
+ }
+ break;
+ case GN_RFC822_NAME: /* ID type: ID_USER_FQDN */
+ id->kind = ID_USER_FQDN;
+ id->name = gn->name;
+ break;
+ default:
+ id->kind = ID_NONE;
+ id->name = empty_chunk;
+ }
+}
+
+/* compute the subjectKeyIdentifier according to section 4.2.1.2 of RFC 3280
+ * as the 160 bit SHA-1 hash of the public key
+ */
+void
+compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID)
+{
+ SHA1_CTX context;
+
+ SHA1Init(&context);
+ SHA1Update(&context
+ , cert->subjectPublicKey.ptr
+ , cert->subjectPublicKey.len);
+ SHA1Final(subjectKeyID.ptr, &context);
+ subjectKeyID.len = SHA1_DIGEST_SIZE;
+}
+
+/*
+ * extracts an otherName
+ */
+static bool
+parse_otherName(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+ u_int level;
+ int oid = OID_UNKNOWN;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < ON_OBJ_ROOF)
+ {
+ if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case ON_OBJ_ID_TYPE:
+ oid = known_oid(object);
+ break;
+ case ON_OBJ_VALUE:
+ if (oid == OID_XMPP_ADDR)
+ {
+ if (!parse_asn1_simple_object(&object, ASN1_UTF8STRING
+ , level + 1, "xmppAddr"))
+ {
+ return FALSE;
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+
+/*
+ * extracts a generalName
+ */
+static generalName_t*
+parse_generalName(chunk_t blob, int level0)
+{
+ u_char buf[BUF_LEN];
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+ u_int level;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < GN_OBJ_ROOF)
+ {
+ bool valid_gn = FALSE;
+
+ if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
+ return NULL;
+
+ switch (objectID) {
+ case GN_OBJ_RFC822_NAME:
+ case GN_OBJ_DNS_NAME:
+ case GN_OBJ_URI:
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'", (int)object.len, object.ptr);
+ )
+ valid_gn = TRUE;
+ break;
+ case GN_OBJ_DIRECTORY_NAME:
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'", buf)
+ )
+ valid_gn = TRUE;
+ break;
+ case GN_OBJ_IP_ADDRESS:
+ DBG(DBG_PARSING,
+ DBG_log(" '%d.%d.%d.%d'", *object.ptr, *(object.ptr+1),
+ *(object.ptr+2), *(object.ptr+3));
+ )
+ valid_gn = TRUE;
+ break;
+ case GN_OBJ_OTHER_NAME:
+ if (!parse_otherName(object, level + 1))
+ return NULL;
+ break;
+ case GN_OBJ_X400_ADDRESS:
+ case GN_OBJ_EDI_PARTY_NAME:
+ case GN_OBJ_REGISTERED_ID:
+ break;
+ default:
+ break;
+ }
+
+ if (valid_gn)
+ {
+ generalName_t *gn = alloc_thing(generalName_t, "generalName");
+ gn->kind = (objectID - GN_OBJ_OTHER_NAME) / 2;
+ gn->name = object;
+ gn->next = NULL;
+ return gn;
+ }
+ objectID++;
+ }
+ return NULL;
+}
+
+
+/*
+ * extracts one or several GNs and puts them into a chained list
+ */
+static generalName_t*
+parse_generalNames(chunk_t blob, int level0, bool implicit)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ generalName_t *top_gn = NULL;
+
+ asn1_init(&ctx, blob, level0, implicit, DBG_RAW);
+
+ while (objectID < GENERAL_NAMES_ROOF)
+ {
+ if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
+ return NULL;
+
+ if (objectID == GENERAL_NAMES_GN)
+ {
+ generalName_t *gn = parse_generalName(object, level+1);
+ if (gn != NULL)
+ {
+ gn->next = top_gn;
+ top_gn = gn;
+ }
+ }
+ objectID++;
+ }
+ return top_gn;
+}
+
+/*
+ * returns a directoryName
+ */
+chunk_t get_directoryName(chunk_t blob, int level, bool implicit)
+{
+ chunk_t name = empty_chunk;
+ generalName_t * gn = parse_generalNames(blob, level, implicit);
+
+ if (gn != NULL && gn->kind == GN_DIRECTORY_NAME)
+ name= gn->name;
+
+ free_generalNames(gn, FALSE);
+
+ return name;
+}
+
+/*
+ * extracts and converts a UTCTIME or GENERALIZEDTIME object
+ */
+time_t
+parse_time(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < TIME_ROOF)
+ {
+ if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
+ return UNDEFINED_TIME;
+
+ if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
+ {
+ return asn1totime(&object, (objectID == TIME_UTC)
+ ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
+ }
+ objectID++;
+ }
+ return UNDEFINED_TIME;
+ }
+
+/*
+ * extracts a keyIdentifier
+ */
+static chunk_t
+parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, implicit, DBG_RAW);
+
+ extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
+ return object;
+}
+
+/*
+ * extracts an authoritykeyIdentifier
+ */
+void
+parse_authorityKeyIdentifier(chunk_t blob, int level0
+ , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < AUTH_KEY_ID_ROOF)
+ {
+ if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
+ return;
+
+ switch (objectID) {
+ case AUTH_KEY_ID_KEY_ID:
+ *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
+ break;
+ case AUTH_KEY_ID_CERT_ISSUER:
+ {
+ generalName_t * gn = parse_generalNames(object, level+1, TRUE);
+
+ free_generalNames(gn, FALSE);
+ }
+ break;
+ case AUTH_KEY_ID_CERT_SERIAL:
+ *authKeySerialNumber = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/*
+ * extracts an authorityInfoAcess location
+ */
+static void
+parse_authorityInfoAccess(chunk_t blob, int level0, chunk_t *accessLocation)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ u_int accessMethod = OID_UNKNOWN;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < AUTH_INFO_ACCESS_ROOF)
+ {
+ if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
+ return;
+
+ switch (objectID) {
+ case AUTH_INFO_ACCESS_METHOD:
+ accessMethod = known_oid(object);
+ break;
+ case AUTH_INFO_ACCESS_LOCATION:
+ {
+ switch (accessMethod)
+ {
+ case OID_OCSP:
+ if (*object.ptr == ASN1_CONTEXT_S_6)
+ {
+ if (asn1_length(&object) == ASN1_INVALID_LENGTH)
+ return;
+
+ DBG(DBG_PARSING,
+ DBG_log(" '%.*s'",(int)object.len, object.ptr)
+ )
+
+ /* only HTTP(S) URIs accepted */
+ if (strncasecmp(object.ptr, "http", 4) == 0)
+ {
+ *accessLocation = object;
+ return;
+ }
+ }
+ plog("warning: ignoring OCSP InfoAccessLocation with unkown protocol");
+ break;
+ default:
+ /* unkown accessMethod, ignoring */
+ break;
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+
+}
+
+/*
+ * extracts extendedKeyUsage OIDs
+ */
+static bool
+parse_extendedKeyUsage(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < EXT_KEY_USAGE_ROOF)
+ {
+ if (!extract_object(extendedKeyUsageObjects, &objectID
+ , &object, &level, &ctx))
+ return FALSE;
+
+ if (objectID == EXT_KEY_USAGE_PURPOSE_ID
+ && known_oid(object) == OID_OCSP_SIGNING)
+ return TRUE;
+ objectID++;
+ }
+ return FALSE;
+}
+
+/* extracts one or several crlDistributionPoints and puts them into
+ * a chained list
+ */
+static generalName_t*
+parse_crlDistributionPoints(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ generalName_t *top_gn = NULL; /* top of the chained list */
+ generalName_t **tail_gn = &top_gn; /* tail of the chained list */
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < CRL_DIST_POINTS_ROOF)
+ {
+ if (!extract_object(crlDistributionPointsObjects, &objectID,
+ &object, &level, &ctx))
+ return NULL;
+
+ if (objectID == CRL_DIST_POINTS_FULLNAME)
+ {
+ generalName_t *gn = parse_generalNames(object, level+1, TRUE);
+ /* append extracted generalNames to existing chained list */
+ *tail_gn = gn;
+ /* find new tail of the chained list */
+ while (gn != NULL)
+ {
+ tail_gn = &gn->next; gn = gn->next;
+ }
+ }
+ objectID++;
+ }
+ return top_gn;
+}
+
+
+/*
+ * Parses an X.509v3 certificate
+ */
+bool
+parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert)
+{
+ u_char buf[BUF_LEN];
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ u_int level;
+ u_int extn_oid = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+ while (objectID < X509_OBJ_ROOF)
+ {
+ if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ /* those objects which will parsed further need the next higher level */
+ level++;
+
+ switch (objectID) {
+ case X509_OBJ_CERTIFICATE:
+ cert->certificate = object;
+ break;
+ case X509_OBJ_TBS_CERTIFICATE:
+ cert->tbsCertificate = object;
+ break;
+ case X509_OBJ_VERSION:
+ cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+ DBG(DBG_PARSING,
+ DBG_log(" v%d", cert->version);
+ )
+ break;
+ case X509_OBJ_SERIAL_NUMBER:
+ cert->serialNumber = object;
+ break;
+ case X509_OBJ_SIG_ALG:
+ cert->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case X509_OBJ_ISSUER:
+ cert->issuer = object;
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'",buf)
+ )
+ break;
+ case X509_OBJ_NOT_BEFORE:
+ cert->notBefore = parse_time(object, level);
+ break;
+ case X509_OBJ_NOT_AFTER:
+ cert->notAfter = parse_time(object, level);
+ break;
+ case X509_OBJ_SUBJECT:
+ cert->subject = object;
+ DBG(DBG_PARSING,
+ dntoa(buf, BUF_LEN, object);
+ DBG_log(" '%s'",buf)
+ )
+ break;
+ case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
+ if (parse_algorithmIdentifier(object, level, NULL) == OID_RSA_ENCRYPTION)
+ cert->subjectPublicKeyAlgorithm = PUBKEY_ALG_RSA;
+ else
+ {
+ plog(" unsupported public key algorithm");
+ return FALSE;
+ }
+ break;
+ case X509_OBJ_SUBJECT_PUBLIC_KEY:
+ if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
+ {
+ /* skip initial bit string octet defining 0 unused bits */
+ ctx.blobs[4].ptr++; ctx.blobs[4].len--;
+ }
+ else
+ {
+ plog(" invalid RSA public key format");
+ return FALSE;
+ }
+ break;
+ case X509_OBJ_RSA_PUBLIC_KEY:
+ cert->subjectPublicKey = object;
+ break;
+ case X509_OBJ_MODULUS:
+ if (object.len < RSA_MIN_OCTETS + 1)
+ {
+ plog(" " RSA_MIN_OCTETS_UGH);
+ return FALSE;
+ }
+ if (object.len > RSA_MAX_OCTETS + (size_t)(*object.ptr == 0x00))
+ {
+ plog(" " RSA_MAX_OCTETS_UGH);
+ return FALSE;
+ }
+ cert->modulus = object;
+ break;
+ case X509_OBJ_PUBLIC_EXPONENT:
+ cert->publicExponent = object;
+ break;
+ case X509_OBJ_EXTN_ID:
+ extn_oid = known_oid(object);
+ break;
+ case X509_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG(DBG_PARSING,
+ DBG_log(" %s",(critical)?"TRUE":"FALSE");
+ )
+ break;
+ case X509_OBJ_EXTN_VALUE:
+ {
+ switch (extn_oid) {
+ case OID_SUBJECT_KEY_ID:
+ cert->subjectKeyID =
+ parse_keyIdentifier(object, level, FALSE);
+ break;
+ case OID_SUBJECT_ALT_NAME:
+ cert->subjectAltName =
+ parse_generalNames(object, level, FALSE);
+ break;
+ case OID_BASIC_CONSTRAINTS:
+ cert->isCA =
+ parse_basicConstraints(object, level);
+ break;
+ case OID_CRL_DISTRIBUTION_POINTS:
+ cert->crlDistributionPoints =
+ parse_crlDistributionPoints(object, level);
+ break;
+ case OID_AUTHORITY_KEY_ID:
+ parse_authorityKeyIdentifier(object, level
+ , &cert->authKeyID, &cert->authKeySerialNumber);
+ break;
+ case OID_AUTHORITY_INFO_ACCESS:
+ parse_authorityInfoAccess(object, level, &cert->accessLocation);
+ break;
+ case OID_EXTENDED_KEY_USAGE:
+ cert->isOcspSigner = parse_extendedKeyUsage(object, level);
+ break;
+ case OID_NS_REVOCATION_URL:
+ case OID_NS_CA_REVOCATION_URL:
+ case OID_NS_CA_POLICY_URL:
+ case OID_NS_COMMENT:
+ if (!parse_asn1_simple_object(&object, ASN1_IA5STRING
+ , level, oid_names[extn_oid].name))
+ {
+ return FALSE;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case X509_OBJ_ALGORITHM:
+ cert->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case X509_OBJ_SIGNATURE:
+ cert->signature = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ time(&cert->installed);
+ return TRUE;
+}
+
+/* verify the validity of a certificate by
+ * checking the notBefore and notAfter dates
+ */
+err_t
+check_validity(const x509cert_t *cert, time_t *until)
+{
+ time_t current_time;
+
+ time(&current_time);
+ DBG(DBG_CONTROL | DBG_PARSING ,
+ DBG_log(" not before : %s", timetoa(&cert->notBefore, TRUE));
+ DBG_log(" current time: %s", timetoa(&current_time, TRUE));
+ DBG_log(" not after : %s", timetoa(&cert->notAfter, TRUE));
+ )
+
+ if (cert->notAfter < *until) *until = cert->notAfter;
+
+ if (current_time < cert->notBefore)
+ return "certificate is not valid yet";
+ if (current_time > cert->notAfter)
+ return "certificate has expired";
+ else
+ return NULL;
+}
+
+/*
+ * verifies a X.509 certificate
+ */
+bool
+verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
+{
+ int pathlen;
+
+ *until = cert->notAfter;
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ x509cert_t *issuer_cert;
+ u_char buf[BUF_LEN];
+ err_t ugh = NULL;
+
+ DBG(DBG_CONTROL,
+ dntoa(buf, BUF_LEN, cert->subject);
+ DBG_log("subject: '%s'",buf);
+ dntoa(buf, BUF_LEN, cert->issuer);
+ DBG_log("issuer: '%s'",buf);
+ if (cert->authKeyID.ptr != NULL)
+ {
+ datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ DBG_log("authkey: %s", buf);
+ }
+ )
+
+ ugh = check_validity(cert, until);
+
+ if (ugh != NULL)
+ {
+ plog("%s", ugh);
+ return FALSE;
+ }
+
+ DBG(DBG_CONTROL,
+ DBG_log("certificate is valid")
+ )
+
+ lock_authcert_list("verify_x509cert");
+ issuer_cert = get_authcert(cert->issuer, cert->authKeySerialNumber
+ , cert->authKeyID, AUTH_CA);
+
+ if (issuer_cert == NULL)
+ {
+ plog("issuer cacert not found");
+ unlock_authcert_list("verify_x509cert");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("issuer cacert found")
+ )
+
+ if (!check_signature(cert->tbsCertificate, cert->signature
+ , cert->algorithm, cert->algorithm, issuer_cert))
+ {
+ plog("certificate signature is invalid");
+ unlock_authcert_list("verify_x509cert");
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("certificate signature is valid")
+ )
+ unlock_authcert_list("verify_x509cert");
+
+ /* check if cert is a self-signed root ca */
+ if (pathlen > 0 && same_dn(cert->issuer, cert->subject))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("reached self-signed root ca")
+ )
+ return TRUE;
+ }
+ else
+ {
+ time_t nextUpdate = *until;
+ time_t revocationDate = UNDEFINED_TIME;
+ crl_reason_t revocationReason = REASON_UNSPECIFIED;
+
+ /* first check certificate revocation using ocsp */
+ cert_status_t status = verify_by_ocsp(cert, &nextUpdate
+ , &revocationDate, &revocationReason);
+
+ /* if ocsp service is not available then fall back to crl */
+ if ((status == CERT_UNDEFINED)
+ || (status == CERT_UNKNOWN && strict))
+ {
+ status = verify_by_crl(cert, &nextUpdate, &revocationDate
+ , &revocationReason);
+ }
+
+ switch (status)
+ {
+ case CERT_GOOD:
+ /* if status information is stale */
+ if (strict && nextUpdate < time(NULL))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("certificate is good but status is stale")
+ )
+ remove_x509_public_key(cert);
+ return FALSE;
+ }
+ DBG(DBG_CONTROL,
+ DBG_log("certificate is good")
+ )
+
+ /* with strict crl policy the public key must have the same
+ * lifetime as the validity of the ocsp status or crl lifetime
+ */
+ if (strict && nextUpdate < *until)
+ *until = nextUpdate;
+ break;
+ case CERT_REVOKED:
+ plog("certificate was revoked on %s, reason: %s"
+ , timetoa(&revocationDate, TRUE)
+ , enum_name(&crl_reason_names, revocationReason));
+ remove_x509_public_key(cert);
+ return FALSE;
+ case CERT_UNKNOWN:
+ case CERT_UNDEFINED:
+ default:
+ plog("certificate status unknown");
+ if (strict)
+ {
+ remove_x509_public_key(cert);
+ return FALSE;
+ }
+ break;
+ }
+ }
+
+ /* go up one step in the trust chain */
+ cert = issuer_cert;
+ }
+ plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ return FALSE;
+}
+
+/*
+ * list all X.509 certs in a chained list
+ */
+void
+list_x509cert_chain(const char *caption, x509cert_t* cert, u_char auth_flags
+ , bool utc)
+{
+ bool first = TRUE;
+ time_t now;
+
+ /* determine the current time */
+ time(&now);
+
+ while (cert != NULL)
+ {
+ if (auth_flags == AUTH_NONE || (auth_flags & cert->authority_flags))
+ {
+ unsigned keysize;
+ char keyid[KEYID_BUF];
+ u_char buf[BUF_LEN];
+ cert_t c;
+
+ c.type = CERT_X509_SIGNATURE;
+ c.u.x509 = cert;
+
+ if (first)
+ {
+ whack_log(RC_COMMENT, " ");
+ whack_log(RC_COMMENT, "List of X.509 %s Certificates:", caption);
+ whack_log(RC_COMMENT, " ");
+ first = FALSE;
+ }
+
+ whack_log(RC_COMMENT, "%s, count: %d", timetoa(&cert->installed, utc),
+ cert->count);
+ dntoa(buf, BUF_LEN, cert->subject);
+ whack_log(RC_COMMENT, " subject: '%s'", buf);
+ dntoa(buf, BUF_LEN, cert->issuer);
+ whack_log(RC_COMMENT, " issuer: '%s'", buf);
+ datatot(cert->serialNumber.ptr, cert->serialNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " serial: %s", buf);
+ form_keyid(cert->publicExponent, cert->modulus, keyid, &keysize);
+ whack_log(RC_COMMENT, " pubkey: %4d RSA Key %s%s"
+ , 8*keysize, keyid
+ , cert->smartcard ? ", on smartcard" :
+ (has_private_key(c)? ", has private key" : ""));
+ whack_log(RC_COMMENT, " validity: not before %s %s",
+ timetoa(&cert->notBefore, utc),
+ (cert->notBefore < now)?"ok":"fatal (not valid yet)");
+ whack_log(RC_COMMENT, " not after %s %s",
+ timetoa(&cert->notAfter, utc),
+ check_expiry(cert->notAfter, CA_CERT_WARNING_INTERVAL, TRUE));
+ if (cert->subjectKeyID.ptr != NULL)
+ {
+ datatot(cert->subjectKeyID.ptr, cert->subjectKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " subjkey: %s", buf);
+ }
+ if (cert->authKeyID.ptr != NULL)
+ {
+ datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " authkey: %s", buf);
+ }
+ if (cert->authKeySerialNumber.ptr != NULL)
+ {
+ datatot(cert->authKeySerialNumber.ptr, cert->authKeySerialNumber.len
+ , ':', buf, BUF_LEN);
+ whack_log(RC_COMMENT, " aserial: %s", buf);
+ }
+ }
+ cert = cert->next;
+ }
+}
+
+/*
+ * list all X.509 end certificates in a chained list
+ */
+void
+list_x509_end_certs(bool utc)
+{
+ list_x509cert_chain("End", x509certs, AUTH_NONE, utc);
+}
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
new file mode 100644
index 000000000..d15b3da53
--- /dev/null
+++ b/src/pluto/x509.h
@@ -0,0 +1,138 @@
+/* Support of X.509 certificates
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: x509.h,v 1.10 2005/12/06 22:52:44 as Exp $
+ */
+
+#ifndef _X509_H
+#define _X509_H
+
+#include "pkcs1.h"
+#include "id.h"
+
+/* Definition of generalNames kinds */
+
+typedef enum {
+ GN_OTHER_NAME = 0,
+ GN_RFC822_NAME = 1,
+ GN_DNS_NAME = 2,
+ GN_X400_ADDRESS = 3,
+ GN_DIRECTORY_NAME = 4,
+ GN_EDI_PARTY_NAME = 5,
+ GN_URI = 6,
+ GN_IP_ADDRESS = 7,
+ GN_REGISTERED_ID = 8
+} generalNames_t;
+
+/* access structure for a GeneralName */
+
+typedef struct generalName generalName_t;
+
+struct generalName {
+ generalName_t *next;
+ generalNames_t kind;
+ chunk_t name;
+};
+
+/* access structure for an X.509v3 certificate */
+
+typedef struct x509cert x509cert_t;
+
+struct x509cert {
+ x509cert_t *next;
+ time_t installed;
+ int count;
+ bool smartcard;
+ u_char authority_flags;
+ chunk_t certificate;
+ chunk_t tbsCertificate;
+ u_int version;
+ chunk_t serialNumber;
+ /* signature */
+ int sigAlg;
+ chunk_t issuer;
+ /* validity */
+ time_t notBefore;
+ time_t notAfter;
+ chunk_t subject;
+ /* subjectPublicKeyInfo */
+ enum pubkey_alg subjectPublicKeyAlgorithm;
+ chunk_t subjectPublicKey;
+ chunk_t modulus;
+ chunk_t publicExponent;
+ /* issuerUniqueID */
+ /* subjectUniqueID */
+ /* v3 extensions */
+ /* extension */
+ /* extension */
+ /* extnID */
+ /* critical */
+ /* extnValue */
+ bool isCA;
+ bool isOcspSigner; /* ocsp */
+ chunk_t subjectKeyID;
+ chunk_t authKeyID;
+ chunk_t authKeySerialNumber;
+ chunk_t accessLocation; /* ocsp */
+ generalName_t *subjectAltName;
+ generalName_t *crlDistributionPoints;
+ /* signatureAlgorithm */
+ int algorithm;
+ chunk_t signature;
+};
+
+/* used for initialization */
+extern const x509cert_t empty_x509cert;
+
+extern bool same_serial(chunk_t a, chunk_t b);
+extern bool same_keyid(chunk_t a, chunk_t b);
+extern bool same_dn(chunk_t a, chunk_t b);
+extern bool match_dn(chunk_t a, chunk_t b, int *wildcards);
+extern bool same_x509cert(const x509cert_t *a, const x509cert_t *b);
+extern void hex_str(chunk_t bin, chunk_t *str);
+extern int dn_count_wildcards(chunk_t dn);
+extern int dntoa(char *dst, size_t dstlen, chunk_t dn);
+extern int dntoa_or_null(char *dst, size_t dstlen, chunk_t dn
+ , const char* null_dn);
+extern err_t atodn(char *src, chunk_t *dn);
+extern void gntoid(struct id *id, const generalName_t *gn);
+extern void compute_subjectKeyID(x509cert_t *cert, chunk_t subjectKeyID);
+extern void select_x509cert_id(x509cert_t *cert, struct id *end_id);
+extern bool parse_x509cert(chunk_t blob, u_int level0, x509cert_t *cert);
+extern time_t parse_time(chunk_t blob, int level0);
+extern void parse_authorityKeyIdentifier(chunk_t blob, int level0
+ , chunk_t *authKeyID, chunk_t *authKeySerialNumber);
+extern chunk_t get_directoryName(chunk_t blob, int level, bool implicit);
+extern err_t check_validity(const x509cert_t *cert, time_t *until);
+extern bool check_signature(chunk_t tbs, chunk_t sig, int digest_alg
+ , int enc_alg, const x509cert_t *issuer_cert);
+extern bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until);
+extern x509cert_t* add_x509cert(x509cert_t *cert);
+extern x509cert_t* get_x509cert(chunk_t issuer, chunk_t serial, chunk_t keyid
+ , x509cert_t* chain);
+extern void build_x509cert(x509cert_t *cert, const RSA_public_key_t *cert_key
+ , const RSA_private_key_t *signer_key);
+extern chunk_t build_subjectAltNames(generalName_t *subjectAltNames);
+extern void share_x509cert(x509cert_t *cert);
+extern void release_x509cert(x509cert_t *cert);
+extern void free_x509cert(x509cert_t *cert);
+extern void store_x509certs(x509cert_t **firstcert, bool strict);
+extern void list_x509cert_chain(const char *caption, x509cert_t* cert
+ , u_char auth_flags, bool utc);
+extern void list_x509_end_certs(bool utc);
+extern void free_generalNames(generalName_t* gn, bool free_name);
+
+#endif /* _X509_H */
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
new file mode 100644
index 000000000..3d30ad227
--- /dev/null
+++ b/src/pluto/xauth.c
@@ -0,0 +1,79 @@
+/* Initialization and finalization of the dynamic XAUTH module
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: xauth.c,v 1.1 2005/01/06 22:10:15 as Exp $
+ */
+
+#include <dlfcn.h>
+
+#include <freeswan.h>
+
+#include "constants.h"
+#include "defs.h"
+#include "xauth.h"
+#include "keys.h"
+#include "log.h"
+
+void
+xauth_init(void)
+{
+#ifdef XAUTH_DEFAULT_LIB
+ xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW);
+
+ if (xauth_module.handle != NULL)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB)
+ )
+ xauth_module.get_secret = (bool (*) (const xauth_t*))
+ dlsym(xauth_module.handle, "get_secret");
+ DBG(DBG_CONTROL,
+ if (xauth_module.get_secret != NULL)
+ {
+ DBG_log("xauth module: found get_secret() function");
+ }
+ )
+ xauth_module.verify_secret = (bool (*) (const xauth_t*))
+ dlsym(xauth_module.handle, "verify_secret");
+ DBG(DBG_CONTROL,
+ if (xauth_module.verify_secret != NULL)
+ {
+ DBG_log("xauth module: found verify_secret() function");
+ }
+ )
+ }
+#endif
+ /* any null function pointers will be filled in by default functions */
+ xauth_defaults();
+}
+
+void
+xauth_finalize(void)
+{
+#ifdef XAUTH_DEFAULT_LIB
+ if (xauth_module.handle != NULL)
+ {
+ if (dlclose(xauth_module.handle))
+ {
+ plog("failed to unload xauth module");
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("xauth module unloaded")
+ )
+ }
+ }
+#endif
+}
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
new file mode 100644
index 000000000..1f06aefd9
--- /dev/null
+++ b/src/pluto/xauth.h
@@ -0,0 +1,41 @@
+/* Interface definition of the XAUTH server and|or client module
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: xauth.h,v 1.1 2005/01/06 22:10:15 as Exp $
+ */
+
+#ifndef _XAUTH_H
+#define _XAUTH_H
+
+/* XAUTH credentials */
+
+struct chunk_t;
+
+typedef struct {
+ chunk_t user_name;
+ chunk_t user_password;
+} xauth_t;
+
+typedef struct {
+ void *handle;
+ bool (*get_secret) (xauth_t *xauth_secret);
+ bool (*verify_secret) (const xauth_t *xauth_secret);
+} xauth_module_t;
+
+extern xauth_module_t xauth_module;
+
+extern void xauth_init(void);
+extern void xauth_finalize(void);
+
+#endif /* _XAUTH_H */