debian/0000775000000000000000000000000012123204373007165 5ustar debian/rules0000775000000000000000000000233612123203626010251 0ustar #!/usr/bin/make -f UPSTREAM_VERSION ?=20041012 b := $(CURDIR)/debian/isakmpd DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) export MULTIARCHLIB := /usr/lib/$(DEB_HOST_MULTIARCH) %: dh $@ .PHONY: override_dh_auto_install override_dh_auto_install: dh_auto_install dh_installdocs -n DESIGN-NOTES QUESTIONS README README.PKI TO-DO $(CURDIR)/debian/README.Debian x509v3.cnf cp $(CURDIR)/samples/*.conf $(b)/usr/share/doc/isakmpd/samples/ cp $(CURDIR)/samples/VPN-east.conf $(b)/etc/isakmpd/isakmpd.conf cp $(CURDIR)/samples/policy $(b)/etc/isakmpd/isakmpd.policy cp $(CURDIR)/isakmpd $(b)/usr/sbin/ cp $(CURDIR)/apps/certpatch/certpatch $(b)/usr/bin cp $(CURDIR)/debian/isakmpd.lintian $(b)/usr/share/lintian/overrides/isakmpd .PHONY: override_dh_fixperms override_dh_fixperms: dh_fixperms find $(b)/etc/isakmpd -type d | xargs chmod 0700 find $(b)/etc/isakmpd -type f | xargs chmod 0600 .PHONY: get-orig-source get-orig-source: @cd /tmp; cvs -d ":pserver:anoncvs@anoncvs.jp.openbsd.org:/cvs" co -D ${UPSTREAM_VERSION} src/sbin/isakmpd @cd /tmp/src/sbin; mv isakmpd isakmpd-${UPSTREAM_VERSION}; tar czf /tmp/isakmpd_${UPSTREAM_VERSION}.orig.tar.gz --exclude CVS isakmpd-${UPSTREAM_VERSION} @rm -rf /tmp/src debian/isakmpd.dirs0000664000000000000000000000040212123203626011474 0ustar usr/sbin usr/bin etc/isakmpd etc/isakmpd/certs etc/isakmpd/crls etc/isakmpd/ca etc/isakmpd/pubkeys/ipv4 etc/isakmpd/pubkeys/ipv6 etc/isakmpd/pubkeys/fqdn etc/isakmpd/pubkeys/ufqdn etc/isakmpd/private usr/share/doc/isakmpd/samples usr/share/lintian/overrides debian/changelog0000664000000000000000000001741212123204344011042 0ustar isakmpd (20041012-7.2ubuntu1) raring; urgency=low * Merge from Debian unstable. Remaining changes: - 08_fix_no_add_needed_build.patch, 09_fix_as_needed_build.patch: Fix FTBFS with Ubuntu default linker options. 
- debian/rules: Add multiarch-related rules. * debian/patches/10_multiarch-libs.patch: Drop, as the same changes were made in 01_makefile.patch in Debian. -- Logan Rosen Fri, 22 Mar 2013 21:40:30 -0400 isakmpd (20041012-7.2) unstable; urgency=low * Non-maintainer upload. * Fix FTBFS, fix for multiarched gmp (Closes: #654285) - Thanks to Philippe De Swert for patch. -- Hector Oron Wed, 22 Feb 2012 00:35:49 +0000 isakmpd (20041012-7.1ubuntu2) precise; urgency=low * 10_multiarch-libs.patch: update, adding libgmp. -- Ilya Barygin Mon, 05 Dec 2011 21:10:37 +0400 isakmpd (20041012-7.1ubuntu1) oneiric; urgency=low * 08_fix_no_add_needed_build.patch, 09_fix_as_needed_build.patch: fix FTBFS with Ubuntu default linker options (LP: #770958). Patches by Julian Taylor. * 10_multiarch-libcrypto.patch, debian/rules: determine location of libcrypto.a at build time and pass it to makefiles. -- Ilya Barygin Sat, 20 Aug 2011 13:11:13 +0400 isakmpd (20041012-7.1) unstable; urgency=low * NMU. Change dependency libgmp3-dev --> libgmp-dev. -- Steve M. Robbins Thu, 17 Mar 2011 21:40:04 -0500 isakmpd (20041012-7) unstable; urgency=low * Switch to dpkg-source 3.0 (quilt) format * Bump Standards version to 3.8.4 * Add sysdep/common/libsysdep/.depend to clean target * Rename README.source to README.Debian-source -- Jochen Friedrich Fri, 11 Jun 2010 17:49:04 +0200 isakmpd (20041012-6) unstable; urgency=low * Bumped standards version to 3.8.3. * Convert package to debhelper 7 and quilt patches. * Add patch to correct ifreq length. (Closes: #542641) * Depend on $network start and implement status command in init.d script -- Jochen Friedrich Fri, 30 Oct 2009 17:53:02 +0100 isakmpd (20041012-5) unstable; urgency=low * Disable support for keynote as it seems to be broken. * Add dependency info to init.d script (Closes: #412893) Thanks to Petter Reinholdtsen for the patch. * Bumped standards version to 3.7.3 (No changes). 
-- Jochen Friedrich Tue, 01 Apr 2008 17:30:53 +0200 isakmpd (20041012-4) unstable; urgency=high * Fix replay protection (CVE-2006-4436) Thanks to Stefan Fritsch (Closes: #385894) -- Jochen Friedrich Mon, 4 Sep 2006 18:41:00 +0200 isakmpd (20041012-3) unstable; urgency=low * Fix NAT-T RFC support. * Remove superfluos header from packet dump so tcpdump and ethereal can read the dump. -- Jochen Friedrich Mon, 28 Aug 2006 17:14:47 +0200 sakmpd (20041012-2) unstable; urgency=low * New maintainer (Closes: #358800) * Replace SADB_X_SPDADD by SADB_X_SPDUPDATE (Closes: #346214) * Fix NAT-T (Closes: #324753) * Fix openssl incompatibility with version 0.9.8b (Closes: #334624) * Fix dependencies (Closes: #320393, #325849) * gcc compiler fixes (Closes: #318241) * Update standards version to 3.7.2 -- Jochen Friedrich Tue, 21 Feb 2006 14:26:40 +0100 isakmpd (20041012-1) unstable; urgency=high * new upstream cvs merge. * add setsockopt to properly configure udp encap socket. * add proper source port in nat-t sadb set (thanks to Thomas Walpuski). * DPD now works (closes: #258479). * NAT-T now works (closes: #269851). * remove double dependency on libkeynote0 (closes: #272377). -- Jean-Francois Dive Tue, 7 Sep 2004 11:28:18 +0200 isakmpd (20040628-1) unstable; urgency=high * New upstream cvs merge. * Enabled DPD. * Enabled NAT-T + added support for linux nat-t pfkey msgs. * Fix payload handling denial-of-service vuln (closes: #239739); * Add spd cleartext entry (thanks to Vincent Bernat). (closes: #243990). * Add dependency on linux-kernel-headers (closes: #238793). * Add man page for isakmpd.policy. * No issue with Renegotiate-on-HUP (closes: #255507). * x509v3.cnf provided (closes: #238542). * Added certpatch utility (closes: #231743). * Fixed pcap support (closes: #238543). -- Jean-Francois Dive Mon, 5 Jul 2004 23:32:47 +0200 isakmpd (20040204-1) unstable; urgency=low * Provide ike-server (closes: #223784). * Fixes for big indian systems (thanks to Sebastian Klemke). 
(closes: #223845). * Fix for certificates file access on non ext2 enabled kernel systems, thanks to jochen. (closes: #225474). * Update kernel version informations. (closes: #229795). * New upstream cvs merge. * Added missing man page isakmpd.policy(5) (thanks to Toni Mueller). (closes: #231123). -- Jean-Francois Dive Sun, 8 Feb 2004 20:55:34 +0100 isakmpd (20031107-2) unstable; urgency=high * SECURITY fix for INITIAL_CONTACT handeling. (previous release actually did fixed INVALID_SPI informational exchange security issue). The problem is the exact same nature for both type of informational messages: because the end result is SA deletation, the HASH payload should be in the message and checked. -- Jean-Francois Dive Thu, 13 Nov 2003 14:54:01 +0100 isakmpd (20031107-1) unstable; urgency=high * new upstream cvs merge. * SECURITY fix for HASH payload handeling (closes: #219864). * SECURITY fix handeling of quick mode exchange encryption (it now does require quick mode to be encrypted both Rx/Tx). * SECURITY fix for INITIAL_CONTACT handeling (did not check for mandatory HASH payload). * Updated linux kernel header for interop with debian x86 kernels. * Fix issues with policy handeling in keynote. -- Jean-Francois Dive Thu, 13 Nov 2003 11:05:09 +0100 isakmpd (20030907-1) unstable; urgency=high * new upstream cvs merge. * Fixed kernel interface due to ABI changes in linux IPSec. * Fixed keynote issue. -- Jean-Francois Dive Wed, 10 Sep 2003 22:47:17 +0200 isakmpd (20030718-1) unstable; urgency=high * New upstream version. * Merged new upstream linux native build support. * Added fine grained selector support to upstream linux native sysdep. * Removed useless libc and kernel headers. * Removed libdes. * Added generated upstream changelog (generated by cvs2cl.pl). -- Jean-Francois Dive Tue, 22 Jul 2003 12:15:30 +0200 isakmpd (20030119-2) unstable; urgency=low * Fixed init script (closes: #188086). * Added support for Protocol and Port text definition in ID handeling. 
(expl: Protocol = icmp instead of Protocol = 1). -- Jean-Francois Dive Mon, 9 Jun 2003 14:11:02 +0200 isakmpd (20030119-1) unstable; urgency=low * Changed version number to a sane format. -- Jean-Francois Dive Thu, 20 Mar 2003 18:46:56 +0100 isakmpd (19012003-4) unstable; urgency=low * Fixed source tree clean issues (libdes, libsysdep) (closes: #184295). * Added diff to package upload. -- Jean-Francois Dive Tue, 18 Mar 2003 17:30:57 +0100 isakmpd (19012003-3) unstable; urgency=low * switched libdes copyright from copyright.libdes to copyright file. -- Jean-Francois Dive Thu, 20 Feb 2003 13:10:54 +1100 isakmpd (19012003-2) unstable; urgency=low * Added reference to BSD license and libdes license. * Renmoved double dependency on libssl. * Removed /usr/doc link. * Added lintian overrides. -- Jean-Francois Dive Sun, 26 Jan 2003 00:36:40 +1100 isakmpd (19012003-1) unstable; urgency=low * Inital debianization (Closes: #163904). -- Jean-Francois Dive Sun, 26 Jan 2003 00:36:40 +1100 debian/isakmpd.manpages0000664000000000000000000000010512123203626012326 0ustar isakmpd.policy.5 isakmpd.conf.5 apps/certpatch/certpatch.8 isakmpd.8 debian/compat0000664000000000000000000000000212123203626010363 0ustar 7 debian/README.Debian-source0000664000000000000000000000022212123203626012520 0ustar This package uses the OpenBSD CVS repository as upstream source. To download the source, please run the command debian/rules get-orig-source debian/copyright0000664000000000000000000000447612123203626011133 0ustar This package have been packaged by Jean-Francois Dive as isakmpd. The upstream source of isakmpd can be found at www.openbsd.org This package is now maintained by Jochen Friedrich - This package links against openssl. - This package include libdes from the openbsd tree which have the same license as openssl, please refer to the following license statement for details. * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. * Copyright (c) 2004 HÃ¥kan Olsson. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) implementation. It's written by Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems AB. Isakmpd's home is in the OpenBSD main source tree under src/sbin/isakmpd. Look at http://www.openbsd.org/ for details on how to get OpenBSD source. The isakmpd license is the BSD license, please refer to /usr/share/common-license/BSD for details. The few code modification in isakmpd (Linux support) are authored by Jean-Francois Dive and Jochen Friedrich and are release on the same license as isakmpd itself. 
debian/source/0000775000000000000000000000000012123204373010465 5ustar debian/source/format0000664000000000000000000000001412123203626011673 0ustar 3.0 (quilt) debian/README.Debian0000664000000000000000000000104512123203626011226 0ustar State of the package / isakmpd port to linux -------------------------------------------- The port is operational and is included in upstream, from various sources. Where to start -------------- - isakmpd.conf man pages. - configuration examples. - openbsd isakmpd documentation. caution note ------------ - keynote is used to check for all policy components. For exemple, if acting as initiator, isakmpd will send the isakmpd.conf configured proposals but will only check the received proposal with the rules enforced in isakmpd.policy. debian/ChangeLog0000664000000000000000000012653012123203626010746 0ustar End of changelog debian package isakmpd.20041012-1 -------------------------------------------------- 2004-10-08 17:18 hshoexer * sysdep/common/libsysdep/arc4random.c: pull in some changes from libc arc4random (only relevant for non-OpenBSD systems): ansify, discard first 256 output bytes, make key schedule more arc4 stream ciper like. ok djm ho 2004-10-01 06:08 jsg * monitor_fdpass.c: add some missing $, ok djm@ 'That looks fine to me' millert@ 2004-09-24 15:31 ho * udp_encap.c: Don't process NAT-T keepalives. Noted by Kamel Messaoudi. hshoexer@ ok 2004-09-20 23:36 hshoexer * virtual.c: compile cleanly with -Wsign-compare ok ho 2004-09-20 23:35 hshoexer * monitor_fdpass.c: Remove __func__ ok ho deraadt 2004-09-17 16:54 hshoexer * isakmpd.c: avoid signal race. ok ho@ otto@ 2004-09-17 15:53 ho * exchange.c, ike_quick_mode.c, ipsec.c, key.c, pf_key_v2.c: Missing #ifdefs. 2004-09-17 15:46 ho * init.c: #include for srandom(). 2004-09-17 15:45 ho * message.c: Permit next payload type NAT-OA. Noted by Kamel Messaoudi. 
2004-08-23 13:53 ho * exchange.c: We need to set sa->initiator before checking if the newly created SA replaces an old one, or the id_i/id_r check will mismatch. Previous behaviour was mostly harmless, but wasted some resources (until normal SA expiration). hshoexer@ "haven't tried, but think it's ok" 2004-08-23 13:16 ho * Makefile: Default enable DPD (Dead Peer Detection) support. hshoexer@ ok 2004-08-23 13:13 ho * exchange.h: Indent nit. 2004-08-17 16:48 hshoexer * message.c: check for msg->isakmpg_sa being NULL before referencing ok ho@ 2004-08-14 15:29 hshoexer * ike_quick_mode.c: When using -K (keynote disabled), check peers' proposal against isakmpd.conf. ok ho@ henning@ 2004-08-13 04:51 djm * monitor_fdpass.c: extra check for no message case; ok markus, deraadt, hshoexer, henning 2004-08-12 13:21 hshoexer * monitor.c: Fix compiler warning on alpha. Noted by and ok ho@ 2004-08-12 13:08 ho * pf_key_v2.c: Avoid memleak on error (Linux/KAME). Found by Benjamin Pineau. 2004-08-10 21:21 deraadt * virtual.c, x509.c: spacing 2004-08-10 17:59 ho * dpd.c, dpd.h, exchange.c, ipsec.c, isakmp_num.cst, isakmpd.conf.5, message.c, message.h, pf_key_v2.c, pf_key_v2.h, sa.c, sa.h, sysdep.h, udp_encap.c, sysdep/bsdi/sysdep.c, sysdep/darwin/sysdep.c, sysdep/freebsd/sysdep.c, sysdep/freeswan/sysdep.c, sysdep/linux/sysdep.c, sysdep/netbsd/sysdep.c, sysdep/openbsd/sysdep.c: Better implementation of the Dead Peer Detection protocol, RFC 3706. hshoexer@ ok. 2004-08-10 11:49 ho * sysdep/linux/GNUmakefile.sysdep: Linux has AES (and DES). From Benjamin Pineau. 2004-08-10 11:47 ho * sysdep/common/libsysdep/arc4random.c: If opening /dev/arandom fails, try /dev/random. Suggested by Benjamin Pineau. 
2004-08-08 21:11 deraadt * GNUmakefile, conf.c, dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, log.c, message.c, monitor.c, nat_traversal.c, pf_key_v2.c, policy.c, sa.c, sysdep.h, transport.c, udp.c, udp_encap.c, ui.c, util.c, virtual.c, x509.c: spacing 2004-08-03 12:54 ho * nat_traversal.c, transport.c, udp.c, udp.h, udp_encap.c, virtual.c: Rewrite the transport reference count code to avoid leaks. hshoexer@ ok. 2004-08-02 17:48 hshoexer * sa.c: Do not expire unestablished phase 2 SAs on SIGHUP. ok ho@ 2004-08-02 17:30 ho * GNUmakefile: Missed to add virtual.c here. Noted by Benjamin Pineau. 2004-07-30 12:45 ho * Makefile, sysdep.h, util.c: Style. 2004-07-29 22:02 ho * conf.c: Less noise while debugging. 2004-07-29 10:54 ho * ike_aggressive.c, ike_phase_1.c, nat_traversal.c: Repair NAT-T using Aggressive mode, NAT-D checks were in the wrong place. Noted by Yvan VANHULLEBUS. 2004-07-09 18:06 deraadt * doi.c, exchange.c: ansi 2004-07-08 21:53 hshoexer * virtual.c: free() and close() in error path. ok ho@ 2004-07-08 12:37 jmc * isakmpd.8, isakmpd.conf.5: typo, and line adjustment; 2004-07-08 00:25 hshoexer * isakmpd.8, isakmpd.conf.5: document -a/-K and "Acquire-Only"/"Use-Keynote". ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@ 2004-07-07 11:16 hshoexer * message.c: plug memleak when receiving an INVALID_HASH_INFORMATION notify. Found by Patrick Latifi, thanks! ok ho@ 2004-07-07 11:13 hshoexer * udp_encap.c: compile cleanly with -Wsign-compare; while around, kill a space ok ho@ 2004-07-05 19:33 pvalchev * ike_phase_1.c: %lu and cast to unsigned long to print a size_t; ok ho 2004-06-30 12:07 hshoexer * nat_traversal.c: Compile cleanly with gcc3.3.2. ok ho@ 2004-06-26 13:32 jmc * isakmpd.conf.5: new sentence, new line; 2004-06-26 08:07 hshoexer * monitor.c, monitor.h, pf_key_v2.c, pf_key_v2.h, sysdep/openbsd/sysdep.c: Narrow down privsep interface. Move pf_key_v2_open() to monitor. Work in progress. 
ok ho@ 2004-06-26 05:40 mcbride * sysdep/: bsdi/Makefile.sysdep, darwin/GNUmakefile.sysdep, darwin/Makefile.sysdep, freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep, linux/GNUmakefile.sysdep, netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep, openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep: Remove -DHAVE_GETNAMEINFO frome makefiles. Pointed out by ho@ 2004-06-25 22:25 hshoexer * conf.c, conf.h, ike_quick_mode.c, isakmpd.c, policy.c, policy.h: Keynote policy checking can now be disabled by "-K" switch and config tag "Use-Keynote". Default is to use keynote. ok henning@ ho@ 2004-06-25 21:42 mcbride * udp.c, util.c: Remove HAVE_GETNAMEINFO alternate code. Compiled binary is unchanged. ok msf@ hshoexer@ itojun@ ho@ 2004-06-25 02:58 hshoexer * init.c, log.c, monitor.c, monitor.h, ui.c: Narrow down privsep interface. Remove ui_init to monitor. So we can get rid of monitor_mkfifo. Work in progress. ok ho@ 2004-06-24 19:02 hshoexer * monitor.c: Remove some unused code. Fix handling of sigchild. Now it's possible to sigstop/sigcont isakmpd correclty. ok ho@ 2004-06-24 17:58 hshoexer * policy.c: Also handle keys from x509-certificates embedded in keynote credentials. with msf@ ok ho@ 2004-06-24 01:36 ho * pf_key_v2.c: Print corrent prefix. Found and tested by alex at vbone.net. 2004-06-23 05:01 hshoexer * ike_auth.c, util.c, util.h: Avoid stat before open. Do open and fstat instead. Remove check_file_secrecy() as it is obsoleted be check_file_secrecy_fd(). ok ho@ 2004-06-23 03:17 ho * Makefile, sysdep.h, util.c: Make compiling with Boehm's gc possible again. 2004-06-23 02:56 ho * ike_phase_1.c: Support IPV{4,6}_ADDR_SUBNET IDs in Phase 1, just like the man page says we do. Noted and tested by alex at vbone.net. Also avoid a potential SEGV here. hshoexer@ok 2004-06-23 02:55 hshoexer * ipsec.c, isakmpd.c: Add commandline switch -a / config tag "Acquire-Only" to tell isakmpd to not touch flows. 
initial work by markus ok markus@ ho@ henning@ 2004-06-22 20:22 hshoexer * ike_auth.c: kn_get_string() may return NULL on failure. Handle this corrctly. with msf@, ok ho@ markus@ 2004-06-22 05:44 ho * virtual.c: The NAT-T drafts suggest we should drop incoming messages arriving on the old port (500) after we've switched to the new one. 2004-06-22 01:42 ho * isakmpd.conf.5: Describe the [Default]:NAT-T-Keepalive configuration parameter. 2004-06-22 01:28 ho * Makefile: Enable NAT-T support. 2004-06-22 01:27 ho * ipsec.c, nat_traversal.c, nat_traversal.h, sa.c, sa.h, udp_encap.c: Implement NAT-T keepalive messages. 2004-06-21 20:41 ho * pf_key_v2.c: udpencap_port should be taken from dst transport 2004-06-21 20:40 ho * virtual.c: When switching from main to encap transport, copy dst port if translated (NAT). 2004-06-21 20:34 ho * monitor.c: Strip away umask bits in monitor_fopen(). hshoexer@ ok. 2004-06-21 20:29 ho * ipsec.c: style nit 2004-06-21 19:02 markus * features/nat_traversal: undo double-patch; Dries Schellekens 2004-06-21 18:37 ho * log.c: Don't write too much IKE data in packet capture 2004-06-21 18:01 ho * log.c, message.c: Packet capture should add the ESP-marker when NAT-T is active. 2004-06-21 17:15 ho * pf_key_v2.c: Tell the kernel to enable ESP-in-UDP encapsulation when we have SAs negotiated with NAT-T. 2004-06-21 15:09 ho * exchange.c, sa.h, transport.c, udp.c, udp_encap.c, virtual.c: Port floating (500->4500) for p1 and p2 exchanges. 2004-06-20 19:44 ho * message.c: message_parse_payloads should accept payloads in the private range. While here, also cleanup some messages. 2004-06-20 19:17 ho * dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, init.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, message.h, nat_traversal.c: Make the payload array in struct message dynamic, since we need to handle payloads in the private range, such as the pre-RFC NAT-D/NAT-OA. Replace TAILQ_FIRST(&msg->payload[i]) instances with function calls. 
2004-06-20 17:24 ho * Makefile, exchange.h, ike_phase_1.c, init.c, ipsec.c, isakmp.h, isakmp_fld.fld, message.c, nat_traversal.c, nat_traversal.h, policy.c, transport.c, transport.h, udp.c, udp.h, udp_encap.c, udp_encap.h, util.c, util.h, virtual.c, virtual.h, features/nat_traversal: NAT-Traversal for isakmpd. Work in progress... hshoexer@ ok. 2004-06-20 17:20 ho * dpd.c, dpd.h, exchange.c, isakmp_num.cst, sa.h, features/dpd: A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706 2004-06-20 17:11 ho * message.c: Some vendors send the last Aggressive Mode message unencrypted, which we should accept. Problem noted by alex at vbone.net. hshoexer@ ok. 2004-06-20 17:03 ho * isakmpd.c, monitor.c, monitor.h: To make debugging the unprivileged child process easier, make 'isakmpd -dd' pause just after privsep; print the PIDs and wait for SIGCONT. hshoexer@ ok 2004-06-17 21:39 hshoexer * ipsec.c: Yet another bunch of memleask found and fixed by Patrick Latifi. Thanks! ok ho@ 2004-06-17 21:36 hshoexer * udp.c: Plug a memleak. Found and fixed (and some cleanup) by Patrick Latifi. Thanks! ok ho@ 2004-06-17 21:32 hshoexer * x509.c: Evaluate result of X509_verify_cert() more carefully. ok cloder@ 2004-06-16 17:08 hshoexer * util.c: Fix wrong pointer dereference and plug memleak. Found and patch by Patrick Latifi. Thanks! ok ho@ 2004-06-16 17:05 hshoexer * ipsec.c: fix ipv6-address and ipv6-address-mask mixup. Found by Patrick Latifi. Thanks! ok ho@ 2004-06-15 17:53 hshoexer * ike_quick_mode.c, isakmp_cfg.c: also use MSG_AUTHENTICATED flag. ok ho@ 2004-06-14 15:53 hshoexer * conf.c, ike_auth.c, x509.c: avoid stat before open ok ho@ 2004-06-14 12:04 hshoexer * message.c: added a missing message_free(). 
ok ho@ 2004-06-14 11:55 ho * cert.c, conf.c, connection.c, crypto.c, dnssec.c, exchange.c, field.c, hash.c, if.c, ike_auth.c, ike_main_mode.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, isakmpd.c, key.c, log.c, math_2n.c, math_group.c, message.c, monitor.c, pf_key_v2.c, policy.c, timer.c, transport.c, udp.c, util.c, x509.c: KNF, style, 80c, etc. hshoexer@ ok 2004-06-11 12:17 brad * message.c: typo in comment 2004-06-11 05:08 brad * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: MFC: Fix by hshoexer@ Mark authenticated messages explicitly. Better check for authentication before deleteing SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! 2004-06-11 04:34 brad * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: MFC: Fix by hshoexer@ Mark authenticated messages explicitly. Better check for authentication before deleteing SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! 2004-06-10 14:54 hshoexer * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: Mark authenticated messages explicitly. Better check for authentication before deleteing SAs. This fix is needed to solve the problems reported by Thomas Walpuski, previous diff was not sufficient. Pointed out by Thomas. Thanks! ok ho@ niklas@, testing and spellcheck by todd@ msf@ 2004-06-09 23:15 brad * message.c: MFC: Fix by hshoexer@ only accept DELETEs during an authenticated INFORMATIONAL exchange. Fix for recent problem disclosed by Thomas Walpuski. 2004-06-09 22:48 brad * message.c: MFC: Fix by hshoexer@ only accept DELETEs during an authenticated INFORMATIONAL exchange. Fix for recent problem disclosed by Thomas Walpuski. 
2004-06-09 16:02 ho * conf.c, exchange.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, message.c, pf_key_v2.c, transport.c, udp.c: Style nits. hshoexer@ ok 2004-06-09 14:59 hshoexer * message.c: only accept DELETEs during an authenticated INFORMATIONAL exchange. Fix for recent problem disclosed by Thomas Walpuski. ok ho@ 2004-06-06 15:05 ho * ike_phase_1.c: Style (KNF, 80c). No binary change. 2004-06-02 18:19 hshoexer * ike_auth.c, x509.c: remove unused BIO-functions. ok markus@ ho@ 2004-05-27 00:17 hshoexer * ike_auth.c: do not leak fd on error path. ok ho@ 2004-05-24 16:54 hshoexer * util.c: Use correct function names in log messages. Kill some spaces. ok deraadt@ ho@ 2004-05-23 20:17 hshoexer * field.c, field.h, hash.c, if.c, ike_aggressive.c, ike_aggressive.h, ike_auth.c, ike_main_mode.c, ike_main_mode.h, ipsec.c, ipsec.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmpd.c, key.c, log.c, log.h, math_2n.c, math_ec2n.c, math_ec2n.h, math_group.c, message.c, message.h, monitor.c, monitor_fdpass.c, pf_key_v2.h, policy.c, prf.c, sa.c, sa.h, timer.c, timer.h, udp.c, ui.c, util.c, x509.c, x509.h: More KNF. Mainly spaces and line-wraps, no binary change. ok ho@ 2004-05-23 18:14 deraadt * if.c, udp.c: remove excessive monitor_ prefixes 2004-05-23 18:14 deraadt * policy.c, util.c, util.h: stat before open is flawed 2004-05-23 18:13 deraadt * key.c: greater care with arguments 2004-05-19 16:30 ho * ipsec.c, isakmpd.c: Permit symbolic protocol and service names, such as "Protocol= tcp", in the sections. hshoexer@ ok 2004-05-14 10:42 hshoexer * attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, connection.c, cookie.c, cookie.h, crypto.c, crypto.h, dh.h, dnssec.c, dnssec.h, doi.c, doi.h: Some more KNF, no binary change. ok ho@ 2004-05-13 08:56 ho * connection.c, isakmpd.8, sa.c, sa.h, ui.c, ui.h: Extensions to the FIFO interface: "C get [section]:tag" fetches a configuration value. 
"C add [section]:tag=value" adds 'value' to a list, typically for the [Phase 2]:Connections tag. FIFO "S" command destination file changed. Various KNF cleanups. hshoexer@ ok. 2004-05-10 20:34 deraadt * monitor.c: 64bit gcc saw missing cast 2004-05-06 12:40 ho * exchange.c: KNF cleanup. hshoexer@ ok 2004-05-03 23:23 hshoexer * exchange.c, exchange.h: KNF. ok ho@ 2004-04-30 00:36 hshoexer * message.c: Better checking of minimum payload lengths. Drop out safely when an unknown payload type is encountered. While around, do some KNF. ok ho@ 2004-04-28 22:20 hshoexer * ike_quick_mode.c, policy.c, policy.h: remove unused variable and shorten names of two other. Removed some spaces while around. ok ho@ markus@ 2004-04-28 16:40 ho * ipsec_num.cst, isakmp_num.cst: Reserve some payload numbers for RFC 3547 and the earlier NAT-T drafts. hshoexer@ ok. 2004-04-23 16:15 ho * conf.c, conf.h: Make sure KEY_LENGTH attribute is present when checking AES proposals, required when acting as responder to SafeNet peers. Also make conf_load_defaults() readable again (KNF). hshoexer@ ok. 
2004-04-15 22:20 deraadt * conf.c: more knf; ok hshoexer 2004-04-15 20:53 deraadt * conf.c: knf 2004-04-15 20:39 deraadt * app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, connection.c, connection.h, constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h, field.c, field.h, genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h, ike_aggressive.c, ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h, ike_phase_1.c, ike_phase_1.h, ike_quick_mode.c, ike_quick_mode.h, init.c, init.h, ipsec.c, ipsec.h, ipsec_doi.h, isakmp.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, isakmpd.c, key.c, key.h, libcrypto.c, libcrypto.h, log.c, log.h, math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, math_group.h, math_mp.h, message.c, message.h, monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, pf_key_v2.h, policy.c, policy.h, prf.c, prf.h, sa.c, sa.h, sysdep.h, timer.c, timer.h, transport.c, transport.h, udp.c, udp.h, ui.c, ui.h, util.c, util.h, x509.c, x509.h, sysdep/openbsd/keynote_compat.c, sysdep/openbsd/sysdep.c: partial move to KNF. More to come. This has happened because there are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer 2004-04-15 02:27 deraadt * isakmpd.8: spaces 2004-04-13 23:48 hshoexer * if.c: Add missing #include. Found by Stefan Paletta. ok henning@ ho@ 2004-04-08 18:08 henning * sysdep/linux/sys/queue.h: swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do. ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@ 2004-04-08 12:05 hshoexer * init.c, isakmpd.c: Set timezone before privsep, child uses now correct timezone. 
Noticed by david@ ok ho@ david@ 2004-04-08 00:45 ho * conf.h, exchange.h, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, math_2n.c, math_group.c, math_group.h, message.c, monitor.c, pf_key_v2.c, policy.c, sa.c, udp.c, ui.c, util.c, x509.c, regress/crypto/cryptotest.c: -Wsign-compare nits. hshoexer@ ok. 2004-04-08 00:45 ho * key.c: Reset *data in case of unknown key types 2004-04-08 00:43 ho * Makefile: -Wmissing-declarations 2004-04-07 22:04 ho * sa.c: More careful when walking LIST queues. hshoexer@, david@ ok. 2004-03-31 12:54 ho * cert.c, crypto.c, exchange.c, hash.c, ike_auth.c: -Wsign-compare nits. hshoexer@ ok. 2004-03-31 12:53 ho * monitor.c: Use sysdep_sa_len() instead of sa->sa_len, also correct a log_fatal() message. hshoexer@ ok. 2004-03-31 12:47 ho * isakmpd.c, sysdep/openbsd/Makefile.sysdep: Don't assume closefrom(2) exists everywhere. hshoexer@, markus@ ok. 2004-03-29 19:07 deraadt * monitor.c: use malloc (oops) 2004-03-29 18:32 deraadt * monitor.c: wrong FD_ZERO(); from ho, hshoexer, markus 2004-03-29 18:32 deraadt * udp.c: memory mishandling; from ho 2004-03-24 17:44 hshoexer * isakmpd.8: Add some notes about privsep to manpage. ok ho@ jmc@ deraadt@ 2004-03-23 19:20 hshoexer * monitor.c: Remove erroneous null termination. ok ho@ deraadt@ 2004-03-19 15:04 hshoexer * Makefile, conf.c, conf.h, if.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h, policy.c, sa.c, udp.c, ui.c, x509.c: Add missing bits to make already present privsep code work. Enable privsep. ok ho@ deraadt@ markus@ 2004-03-17 16:05 brad * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, util.h: MFC: Fix by hshoexer@ Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. ok deraadt@ hshoexer@ 2004-03-17 15:59 brad * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, util.h: MFC: Fix by hshoexer@ Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. 
ok deraadt@ hshoexer@ 2004-03-17 12:10 ho * ike_auth.c: For consistency and to avoid a rare memory leak, the result from ike_auth_get_key() should always be released after use. Found and ok hshoexer@. 2004-03-15 17:34 hshoexer * monitor.c: Properly check succes of chroot(). ok ho@ 2004-03-15 17:29 hshoexer * monitor.c, monitor.h: Remove unused code. ok ho@ 2004-03-11 17:56 hshoexer * isakmp_cfg.c: Fix a memleak. ok ho@ 2004-03-11 00:08 hshoexer * doi.h, ipsec.c, isakmp_doi.c, message.c, util.h: Fix payload handling flaws found by cloder@. Based on initial patch by cloder@. Testing by markus@ cloder@ hshoexer@. ok ho@ 2004-03-10 17:10 hshoexer * message.c: Plug up memory leak. ok ho@ 2004-03-10 12:17 hshoexer * message.c: Reduce some noise on receipt of an invalid spi. ok ho@ 2004-03-10 10:28 ho * pf_key_v2.c: Fix for PR2429, from Clemens Wittinger. 2004-03-09 22:42 hshoexer * message.c: Plug memleaks, found by cloder@. ok ho@ 2004-02-27 20:14 hshoexer * ipsec.c: Remove dead code. ok ho@ 2004-02-27 20:07 hshoexer * conf.c, isakmpd.conf.5: Add group 14 (modp2048) to predefined suites. Manpage also updated. ok ho@ 2004-02-27 11:16 ho * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: (C)-2004 2004-02-27 10:01 ho * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: Follow RFC 2408 more closely regarding how to better check the proposal returned by the other peer (the responder). Some implementations (notably the Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC. With certain proposal combinations this caused us to setup the wrong SA resulting in us being unable to process incoming IPsec traffic (over this tunnel). Tested against a number of different IKE implementations. hshoexer@ ok. 2004-02-26 16:27 hshoexer * regress/rsakeygen/rsakeygen.c: remove unused code. 
noticed by ho@ ok ho@ 2004-02-26 06:52 jmc * isakmpd.conf.5: tweak; ok hshoexer@ 2004-02-25 17:01 hshoexer * init.c, isakmpd.conf.5, log.c, log.h, regress/b2n/Makefile, regress/crypto/Makefile, regress/crypto/cryptotest.c, regress/dh/Makefile, regress/ec2n/Makefile, regress/group/Makefile, regress/prf/Makefile, regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c, regress/util/Makefile: Add and document configuration options Logverbose and Loglevel. As log.c now depends on conf.c and some regression tests use log.c, add conf.c to Makefiles where necessary. ok ho@ 2004-02-20 12:31 hshoexer * ike_quick_mode.c: More small adjustments of log messages. 2004-02-20 10:46 hshoexer * ike_quick_mode.c: Fix some double free errors. While around, adjust a log message. ok ho@ 2004-02-19 16:35 hshoexer * isakmpd.c: small cleanup of log messages. ok ho@ 2004-02-19 10:54 ho * isakmpd.c, log.c, log.h: With -d, SIGINT should do a clean shutdown. Without -d, logs should be sent to syslog, level LOG_INFO. 2004-02-19 10:46 ho * isakmpd.c: Cleanup. 2004-02-16 21:40 markus * exchange.c: check for isakmp_sa->transport != NULL; noticed by bluhm at genua.de ok hshoexer@ 2004-02-11 09:55 jmc * samples/VPN-3way-template.conf: typo; from Olivier Cherrier; 2004-02-05 12:01 hshoexer * exchange.c: small logging cleanup and improvement requested by markus ok ho@ markus@ 2004-01-26 15:56 niklas * regress/exchange/run.pl: Added 2-clause license 2004-01-24 00:08 jmc * isakmpd.8: `Ns' implies `No', so `Ns No' -> `Ns'; (even simpler in adduser(8)) discussed with todd@ 2004-01-16 11:51 hshoexer * exchange.c, ike_quick_mode.c, isakmpd.8, isakmpd.c, log.c, log.h: Added -v option. Enables logging of successful exchange completion. ok ho@ 2004-01-16 01:00 brad * exchange.c, ipsec.c, message.c: Fixes a few message handling flaws in isakmpd as reported by Thomas Walpuski. 
ok deraadt@ hshoexer@ 2004-01-13 23:50 brad * crypto.c, crypto.h, exchange.c, ipsec.c, message.c: Fixes a few message handling flaws in isakmpd as reported by Thomas Walpuski. ok deraadt@ hshoexer@ 2004-01-09 11:03 hshoexer * regress/exchange/run.sh: call nc correctly (nc has changed a while ago). ok markus@ 2004-01-06 01:22 hshoexer * conf.c, sa.c: small typos fixed. ok markus@ 2004-01-06 01:09 hshoexer * x509.c: Remove redundant test for file types. Noted by Stefan Paletta. While around, fix typos in log messages. Both ok markus@ 2004-01-03 17:38 ho * ipsec.c: Be more careful with INITIAL-CONTACT and do not delete SPIs when getting an INVALID-SPI notification. Issues noted by Thomas Walpuski. markus@ ok. 2003-12-22 19:13 markus * crypto.h: use AES_BLOCK_SIZE only for USE_AES; report martti.kuparinen@iki.fi; ok ho@ 2003-12-18 03:03 ho * transport.c: Mention the exchange name when giving up on a message. Suggested by Michael Coulter. 2003-12-15 11:06 hshoexer * ipsec.c, ipsec_num.cst, math_group.c, math_group.h: Support for groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs 14 to 18). ok ho@ 2003-12-14 15:50 ho * log.c, util.c, util.h: Log the actual port for src and dst, don't assume it's always 500. 2003-12-14 15:34 ho * sysdep/linux/sysdep.c: Make isakmpd work on big endian linux machines. From Sebastian Klemke. Also, a few style nits and a better error message text. 2003-12-05 14:17 ho * message.c: Style nits 2003-12-04 23:44 hshoexer * message.c: Validate SPIs presented in DELETE messages of the informational exchange. ok markus@ 2003-12-04 22:13 miod * ike_phase_1.c, isakmp_cfg.c: Typos 2003-11-20 12:23 jmc * isakmpd.8: use .Dv for AF_INET and AF_INET6 (kills ugly line break); spotted by Alexey E. 
Suslikov; also kill some .Pp's before displays/lists for better PostScript output; 2003-11-08 20:17 jmc * init.c: typos from Jonathon Gray; 2003-11-07 11:16 jmc * x509.c, samples/VPN-3way-template.conf: adress -> address, and a few more; all from Jonathon Gray; (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok ho@ End of changelog debian package isakmpd.20031107-1 -------------------------------------------------- 2003-11-06 17:12 ho * dnssec.c, exchange.c, field.c, if.c, ike_auth.c, ipsec.c, key.c, log.c, message.c, message.h, monitor_fdpass.c, pf_key_v2.c, policy.c, ui.c, x509.c, x509.h: Style nits. 2003-11-06 16:55 ho * exchange.c, message.c: Require encrypted messages are soon as we have the keystate for it. Require DELETE payloads to be accompanied by HASHes, and add validation for HASH payloads without active exchanges. From Hans-Joerg Hoexer with various modifications and suggestions from me and markus@. Ok markus@. 2003-11-06 16:50 ho * ipsec.c: spis[] type tweak. From Hans-Joerg Hoexer. 2003-11-05 13:55 jmc * isakmpd.conf.5: PFS: Perfect Forward Secrecy (RFC 2409); from misc@ and ok markus@ 2003-11-05 13:31 jmc * QUESTIONS: updated URL from Jared Yanovich; 2003-10-25 22:47 mcbride * isakmpd.policy.5: OpenSSL generates DNs with emailAddress, not Email. 2003-10-25 09:47 jmc * isakmpd.8: receiveing -> receiving; from Jared Yanovich; 2003-10-14 16:29 ho * exchange.c, ike_auth.c, ike_phase_1.c, ipsec.c, isakmp_doi.c: constant_lookup() to constant_name() cleanup. markus@ ok. 2003-10-13 15:57 ho * isakmpd.8, log.h, ui.c: Add a UI FIFO debug class. ok markus@ plus I think henning@ 2003-10-04 19:29 cloder * ike_phase_1.c: Avoid crash on invalid config file (missing value for LIFE_DURATION). OK ho@ 2003-09-26 17:59 aaron * sysdep/freeswan/klips.c: Fix off-by-ones in format string for 's' specifier; millert@, deraadt@ ok 2003-09-26 13:29 cedric * udp.c: don't listen to INADDR_ANY if Listen-on is specified. 
patch from markus@, ok ho@ 2003-09-26 00:28 aaron * monitor.c: Fix off-by-one out-of-bounds write; millert@ ok 2003-09-25 16:15 cloder * exchange.c, if.c: Fix one case of set length before realloc. Fix another case of foo = realloc(foo...) and avoid possible memory leaks. Avoid leaving things pointing to freed memory on failure. 2003-09-24 13:12 markus * crypto.c, crypto.h, regress/crypto/cryptotest.c: re-add AES, but without using EVP; patch from Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@ (interops with isakmpd+AES in OpenBSD 3.4) 2003-09-24 12:13 markus * crypto.c, crypto.h, regress/crypto/cryptotest.c: back out EVP change; causes fd leaks; ok cedric@ End of changelog debian package isakmpd.20030907-1 -------------------------------------------------- 2003-09-05 09:50 tedu * monitor.c: socket leak on error paths. from Patrick Latifi. ok deraadt@ ho@ 2003-09-02 20:15 ho * conf.c, ipsec.c: A couple of nits. deraadt@ ok. 2003-09-02 20:14 ho * message.c: Require ISAKMP_FLAGS_ENC on phase 2 messages. ok markus@, deraadt@. 2003-09-02 20:11 ho * sysdep/linux/: bitstring.h, sys/queue.h: For easier compilation on linux systems. Requested by Thomas Walpuski. 2003-08-28 16:43 markus * Makefile, TO-DO, conf.c, crypto.c, crypto.h, isakmpd.conf.5, regress/crypto/Makefile, regress/crypto/cryptotest.c: support AES in phase 1, too. switch to OpenSSL EVP interface; with Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@ 2003-08-20 16:43 ho * samples/singlehost-west.conf: Zap an old "Identification" tag in this sample config. I have no idea what it was supposed to do and in any case there is no reference to this tag in current code. Pointed out by Fridtjof Busse. 2003-08-20 14:25 ho * isakmpd.8: certpatch(8) can be used to create FQDN X509v3 extensions too. From Fridtjof Busse, via henning@. Thanks. 
End of changelog debian package isakmpd.20030820-1 -------------------------------------------------- 2003-07-09 10:16 jmc * isakmpd.conf.5, isakmpd.policy.5: - remove some .Ss's that worked around the old blank line bug - remove some unnecessary .Pp's - mdoc a list ok ho@ 2003-06-20 11:14 ho * transport.c: Be a bit more verbose when we give up on ever seeing a response to the last message we sent out. In case we initiated the exchange, one possible and common reason is a network level problem (pf, routing, whatnot), if we're the responder, there is also the possibility we were scanned by something like ike-scan. markus@ ok. 2003-06-17 23:56 millert * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Sync with share/misc/license.template and add missing DARPA credit where applicable. 2003-06-15 12:32 ho * exchange.c: ID copying should happen earlier in exchange_finalize so that we won't lose data during rekeying. From Jean-Francois Dive. 2003-06-14 13:47 ho * message.c: allocate payload_node with calloc instead of malloc 2003-06-13 05:50 brad * ipsec.c: MFC: Fix from ho@ Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand. deraadt@ millert@ ok 2003-06-13 05:34 brad * ipsec.c: MFC: Fix from ho@ Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand. deraadt@ millert@ ok 2003-06-10 18:41 deraadt * conf.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, isakmp_cfg.c, log.c, monitor.c, monitor.h, pf_key_v2.c, policy.c, transport.c, udp.c, x509.c: boring cleanups 2003-06-10 14:21 ho * ipsec.c: Do not crash on unsupported IPSec ID types, as noted by Eric Boudrand. 
2003-06-04 09:31 ho * exchange.c, ike_aggressive.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, init.c, ipsec.c, ipsec.h, isakmpd.8, isakmpd.c, isakmpd.policy.5, libcrypto.c, libcrypto.h, message.c, message.h, pf_key_v2.c, policy.c, policy.h, sa.c, sa.h, udp.c, x509.c, x509.h, apps/certpatch/certpatch.8, apps/certpatch/certpatch.c, regress/ec2n/ec2ntest.c, regress/hmac/hmactest.c: Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos. 2003-06-04 09:27 ho * DESIGN-NOTES: Remove 3 and 4 from the "license to use" 2003-06-03 17:20 ho * sysdep/linux/: GNUmakefile.sysdep, sysdep-os.h, sysdep.c: Remove clause 3. Approved by niklas@ and Thomas Walpuski. 2003-06-03 17:02 ho * sysdep/linux/README: Obsolete. 2003-06-03 16:53 ho * sysdep/: bsdi/GNUmakefile.sysdep, bsdi/Makefile.sysdep, bsdi/sysdep-os.h, bsdi/sysdep.c, darwin/GNUmakefile.sysdep, darwin/Makefile.sysdep, darwin/sysdep-os.h, darwin/sysdep.c, freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep, freebsd/sysdep-os.h, freebsd/sysdep.c, freeswan/GNUmakefile.sysdep, freeswan/Makefile.sysdep, freeswan/klips.c, freeswan/klips.h, freeswan/sysdep-os.h, freeswan/sysdep.c, netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep, netbsd/sysdep-os.h, netbsd/sysdep.c, openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep, openbsd/keynote_compat.c, openbsd/sysdep-os.h, openbsd/sysdep.c: Remove clauses 3 and 4. Approved by markus@ and niklas@. 2003-06-03 16:52 ho * sysdep/common/: blf.h, libsysdep/GNUmakefile, libsysdep/Makefile, libsysdep/blowfish.c: Remove clauses 3 and 4. Approved by Niklas Hallqvist and Niels Provos. 
2003-06-03 16:39 ho * regress/Makefile, regress/check.sh, regress/b2n/b2ntest.c, regress/crypto/cryptotest.c, regress/dh/dhtest.c, regress/exchange/Makefile, regress/exchange/run.sh, samples/Makefile, regress/group/grouptest.c, regress/prf/prftest.c, regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c, regress/util/utiltest.c, regress/x509/Makefile, regress/x509/x509test.c: Remove clauses 3 and 4. Approved by Niklas Hallqvist and Niels Provos. 2003-06-03 16:35 ho * apps/: Makefile, certpatch/Makefile: Remove clauses 3 and 4. Approved by Niklas Hallqvist and Niels Provos. 2003-06-03 16:34 ho * apps/keyconv/: Makefile, keyconv.8, keyconv.c, keyvalues.h: Remove clause 3. 2003-06-03 16:29 ho * features/: aggressive, dnssec, ec, isakmp_cfg, policy, privsep, x509: Remove clause 3. Approved by niklas@ 2003-06-03 16:28 ho * GNUmakefile, Makefile, app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, connection.c, connection.h, constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h, exchange_num.cst, field.c, field.h, genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h, ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h, ike_phase_1.h, ike_quick_mode.h, init.c, init.h, ipsec_doi.h, ipsec_fld.fld, ipsec_num.cst, isakmp.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, isakmp_fld.fld, isakmp_num.cst, isakmpd.conf.5, log.c, log.h, math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, math_group.h, math_mp.h, monitor.c, monitor.h, pf_key_v2.h, prf.c, prf.h, sysdep.h, timer.c, timer.h, transport.c, transport.h, udp.h, ui.c, ui.h, util.c, util.h: Remove clauses 3 and 4. With approval from Niklas Hallqvist and Niels Provos. 
2003-06-03 15:16 jmc * isakmpd.8, isakmpd.conf.5, isakmpd.policy.5: - section reorder - some mdoc fixes 2003-06-03 14:51 ho * conf.c, constants.c, dnssec.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, message.c, policy.c, sa.c, udp.c, x509.c: Cleanup. Use 'sizeof variable' instead of magic constants. 2003-06-03 03:52 millert * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Use an ISC-tyle license for all my code; it is simpler and more permissive. 2003-06-02 22:06 millert * sysdep/freeswan/sys/queue.h: Remove the advertising clause in the UCB license which Berkeley rescinded 22 July 1999. Proofed by myself and Theo. 2003-05-18 23:26 ho * monitor.c: Add some path sanitation; only permit write operations to /tmp, /var/tmp and /var/run. Opens in /etc/isakmpd/ are read-only. Any other path is invalid. markus@ ok. 2003-05-18 22:46 ho * init.c: Style tweak. 2003-05-18 22:39 ho * sa.c: Add a debug message to sa_reinit() to indicate when we renegotiate active connections. 2003-05-18 22:09 ho * monitor_fdpass.c: Forgot to remove a couple of debug messages 2003-05-18 22:06 ho * udp.c: struct sockaddr is not large enough in itself to contain the address value. Switching to sockaddr_storage makes interface rescanning work properly. niklas@ ok. 2003-05-18 21:37 ho * conf.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c: More isakmpd privsep work. X509 private keys are now kept in the privileged process only. Various cleanup and bugfixes. markus@ ok 2003-05-18 20:16 ho * GNUmakefile, pf_key_v2.c, udp.c, sysdep/linux/GNUmakefile.sysdep, sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Sysdep for native Linux IPSec, 2.5 and later. From Thomas Walpuski, with various tweaks by me. niklas@ ok. 2003-05-17 19:39 ho * monitor.h, monitor_fdpass.c: Better return codes from mm_send_fd and mm_receive_fd 2003-05-17 19:32 ho * monitor_fdpass.c: Use log_error(), not log_fatal(). Style. 
2003-05-17 19:26 jmc * isakmpd.conf.5: tweak; ok ho@ 2003-05-16 22:31 ho * init.c, isakmpd.conf.5, sa.c, sa.h: If the "Renegotiate-on-HUP" tag is defined in the [General] section, a HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e all connections. ok niklas@, tested and ok kjell@. 2003-05-15 05:20 ho * ike_auth.c: Correct a two year old typo, which might actually make setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working. 2003-05-15 04:28 ho * exchange.c, ike_auth.c, sa.c, sa.h: Cleanup. Do not store the private key in either the exchange or sa structs. 2003-05-15 04:08 ho * ike_auth.c: Work around some OpenSSL BIO "features" to read the key correctly. 2003-05-15 04:04 ho * monitor.c: Proper exit of the monitor process. 2003-05-15 03:51 ho * monitor.c: wait() for the child process 2003-05-15 02:28 ho * Makefile, conf.c, conf.h, ike_auth.c, init.c, isakmpd.c, log.c, monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c, udp.c, ui.c, util.c, features/privsep, sysdep/openbsd/sysdep.c: Start of privilege separation for isakmpd. There are some kinks left, so keep it default disabled for now. markus@ says ok to commit. 2003-05-15 02:24 ho * log.h: (c) 2003-05-15 01:44 kjell * pf_key_v2.c: properly terminate debug string (levels >=40) Use "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@. lost by kjell again. oked ho@ 2003-05-15 01:29 ho * features/policy: Remove the .if/.endif stuff that gmake does not understand. Replace with a comment about needing keynote for policy. 
2003-05-14 22:49 ho * GNUmakefile, Makefile, sysdep/freeswan/GNUmakefile.sysdep, sysdep/freeswan/Makefile.sysdep, sysdep/freeswan/README, sysdep/freeswan/klips.c, sysdep/freeswan/klips.h, sysdep/freeswan/sysdep-os.h, sysdep/freeswan/sysdep.c, sysdep/freeswan/sys/queue.h, sysdep/linux/GNUmakefile.sysdep, sysdep/linux/Makefile.sysdep, sysdep/linux/README, sysdep/linux/klips.c, sysdep/linux/klips.h, sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Call the FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native Linux IPSec. 2003-05-14 20:11 ho * conf.c, conf.h, ike_auth.c: Default public key directory definition sanity. 2003-05-14 20:10 ho * policy.c, policy.h: Policy file default defined twice, kill the local copy. 2003-05-14 20:08 ho * isakmpd.c: Fix a typo (in unused code). 2003-05-14 19:37 ho * ipsec.c, ipsec_num.cst, pf_key_v2.c, policy.c, sa.c: I did not test this enough. Unbreak. 2003-05-12 23:48 ho * isakmp_num.cst: Update with some data for NAT-T specific payload types, IKEv2 notifications, ISAKMP EAP code and types, plus fix an old typo. 2003-05-12 23:43 ho * ipsec.c, pf_key_v2.c, policy.c, sa.c: AES -> AES_128_CBC 2003-05-12 23:42 ho * ipsec_num.cst: Add two more encapsulation types (UDP encap, potential future NAT-T) Add BLOCK_SIZE attribute Rename IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC. 2003-05-12 01:17 ho * genconstants.sh: Slight style fix for .cst files. Permit comments also after a definition. 2003-05-11 04:16 markus * pf_key_v2.c: fix ID-type for ipv6; ok niklas; report fries 2003-05-10 23:13 jmc * isakmpd.8, isakmpd.conf.5: typos; 2003-04-30 17:15 jason * conf.c: cast size_t to unsigned long and use %lu;ok ho 2003-04-27 13:17 ho * isakmpd.8: Describe the 'C set' FIFO command better. (PR#3148, also) 2003-04-27 13:16 ho * ui.c: Make the 'C set' FIFO command work as expected. PR#3148. 2003-04-14 15:08 ho * isakmpd.c: Unlink FIFO and pid files on clean shutdown. 
PR#3199 2003-04-14 12:22 ho * pf_key_v2.c: More snprintf style 2003-04-14 12:14 ho * pf_key_v2.c: A "%d" is 12 chars, not 10. Use sizeof num instead of '10' in snprintf. From Theo. 2003-04-09 17:46 ho * x509.c: Less noise for missing crl dir, demoted to debug message. 2003-03-21 16:13 markus * isakmpd.conf.5: document [initiator-id] section; richb@timestone.com.au; ok ho@, jmc@ 2003-03-20 20:39 margarida * isakmp_cfg.c: Pull patch from current: Fix by ho@. Proper id_string for SET/ACK responder, plus attr payload fixes. ok millert@ markus@ ho@ 2003-03-16 09:13 matthieu * samples/: VPN-east.conf, VPN-west.conf: secrity -> security. Ok ho@ 2003-03-14 15:49 ho * math_group.c, transport.c, sysdep/common/blf.h, sysdep/common/libsysdep/blowfish.c: Spelling fixes from david@. jmc@ ok. 2003-03-13 14:24 ho * ike_auth.c: Might as well do blinding here too. 2003-03-13 11:31 ho * util.c: Avoid "j += snprintf()". niklas@ ok. 2003-03-06 21:29 jmc * isakmpd.conf.5, isakmpd.policy.5: .Xr typos; ok deraadt@ 2003-03-06 15:22 cedric * util.c: fix text2sockaddr() when HAVE_GETNAMEINFO is false and port is NULL. ok ho@ 2003-03-06 14:48 cedric * field.c: "len" is decremented too early, so the second argument of the snprintf call is too small on last run of the loop. ok ho@ 2003-03-06 14:32 ho * exchange.c: Bad cut'n'paste msg plus style fixes. 2003-03-06 10:56 ho * util.c: Less ambiguous l-value usage. Noted by cedric@ 2003-03-06 05:07 david * apps/keyconv/keyconv.8: date should be written formally: .Dd Month day, year ok henning@ jmc@ 2003-03-03 17:51 ho * isakmpd.conf.5: Re-add the BUGS section; the RFCs still do not permit differing DH groups in the same proposal. This time, mention that this also applies to mixing PFS and non-PFS suites. 2003-02-26 23:55 ho * samples/VPN-west.conf: Typo/pasto. Spotted by Tim Donahue. 2003-02-26 09:17 david * exchange.c: IPsec is written ``IPsec'', not ``IPSec''. 
ok ho@ 2003-02-24 13:01 markus * pf_key_v2.c: pf_key_v2_flow: typo in debug msg (KAME) 2003-02-22 07:57 kjell * README: typo: noneheless->nontheless 2003-02-22 07:56 kjell * isakmpd.8, isakmpd.conf.5: Clarify some language, grammar. ho@ okayed this many moons ago, and I forgot all about it. 2003-02-12 16:11 markus * if.c, if.h, udp.c: better error checking on bind(); from Alexander_Bluhm at genua.de; ok ho@ 2003-02-05 11:29 jmc * isakmpd.8: typos; isakmpd(8) ok niklas@, mailwrapper(8) help kjell@ 2003-02-04 21:02 markus * conf.c: don't set the Transform for Default-phase-1-configuration twice, ok ho@ 2003-02-04 21:02 markus * conf.h: default to 3DES-SHA-RSA_SIG (same as in OpenBSD 3.2); ok ho@ 2003-01-22 16:13 ho * ike_auth.c: Typo. 2003-01-20 20:52 deraadt * isakmpd.policy.5: typos; alan@alanday.com debian/isakmpd.lintian0000664000000000000000000000007712123203626012201 0ustar isakmpd: non-standard-dir-perm isakmpd: non-standard-file-perm debian/clean0000664000000000000000000000051512123203626010173 0ustar .depend apps/certpatch/certpatch sysdep/common/libsysdep/arc4random.o sysdep/common/libsysdep/blowfish.o sysdep/common/libsysdep/cast.o sysdep/common/libsysdep/md5.o sysdep/common/libsysdep/sha1.o sysdep/common/libsysdep/strlcat.o sysdep/common/libsysdep/strlcpy.o sysdep/common/libsysdep/libsysdep.a sysdep/common/libsysdep/.depend debian/control0000664000000000000000000000123712123203626010573 0ustar Source: isakmpd Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Jochen Friedrich Priority: optional Section: net Standards-Version: 3.8.4 Build-Depends: debhelper (>= 7.0.50~), libssl-dev, libgmp-dev, libpcap-dev, linux-kernel-headers Package: isakmpd Priority: optional Section: net Architecture: any Provides: ike-server Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.0-6) Description: The Internet Key Exchange protocol openbsd implementation IKE is a protocol which allow to exchange security information between to peers. 
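This implementation requires the native Linux ipsec support. debian/isakmpd.init0000664000000000000000000000250612123203626011505 0ustar #!/bin/sh
#
### BEGIN INIT INFO
# Provides:          isakmpd
# Required-Start:    $remote_fs $network $syslog
# Required-Stop:     $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Internet Key Exchange protocol daemon from OpenBSD
### END INIT INFO

# SysV init script for the OpenBSD isakmpd IKE daemon.  Every action
# derives its "done"/"failed" report from start-stop-daemon's exit status
# and propagates that status, so callers (and "status") see real failures
# instead of an unconditional "done" and exit 0.

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/isakmpd
PIDFILE=/var/run/isakmpd.pid

# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

test -f $DAEMON || exit 0

# Start the daemon.  --oknodo makes an already running daemon a success.
do_start() {
	start-stop-daemon --start --quiet --oknodo \
		--pidfile "$PIDFILE" --exec "$DAEMON"
}

# Stop the daemon and wait for it to exit: TERM, up to 10 seconds, then
# KILL, up to 5 seconds.  --oknodo makes "not running" a success; waiting
# is what lets restart start a fresh daemon only after the old one is gone.
do_stop() {
	start-stop-daemon --stop --quiet --oknodo --retry TERM/10/KILL/5 \
		--pidfile "$PIDFILE" --exec "$DAEMON"
}

# Print "done" or "failed" for exit status $1 and return that status.
report() {
	if [ "$1" -eq 0 ]; then
		echo "done"
	else
		echo "failed"
	fi
	return "$1"
}

case "$1" in
  start)
	echo -n "Starting OpenBSD isakmpd: "
	do_start
	report $? || exit 1
	;;
  stop)
	echo -n "Stopping OpenBSD isakmpd: "
	do_stop
	report $? || exit 1
	;;
  restart|force-reload)
	echo -n "Restarting OpenBSD isakmpd: "
	# Start again only if the stop succeeded; a daemon that would not
	# die must not be left running next to a new one.
	do_stop && do_start
	report $? || exit 1
	;;
  status)
	# status_of_proc prints the LSB status line; pass its exit code on
	# instead of always exiting 0.
	status_of_proc -p "$PIDFILE" "$DAEMON" isakmpd 2>/dev/null
	exit $?
	;;
  *)
	echo "Usage: /etc/init.d/isakmpd {start|stop|restart|force-reload|status}"
	exit 1
	;;
esac

exit 0
debian/patches/0000775000000000000000000000000012123204373010614 5ustar debian/patches/05_openssl.patch0000664000000000000000000000100412123203626013617 0ustar
--- isakmpd-20041012.orig/x509.c
+++ isakmpd-20041012/x509.c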
@@ -910,7 +910,11 @@
 X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 /* XXX See comment in x509_read_crls_from_dir. */
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
+#else
 if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
+#endif
 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
 X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
 } debian/patches/series0000664000000000000000000000027412123204002012021 0ustar 01_makefile.patch 02_natt.patch 03_compile_fix.patch 04_logging.patch 05_openssl.patch 06_sysdep.patch 07_fix_ifreq_len.patch 08_fix_no_add_needed_build.patch 09_fix_as_needed_build.patch debian/patches/04_logging.patch0000664000000000000000000000465112123203626013574 0ustar
--- isakmpd-20041012.orig/log.c
+++ isakmpd-20041012/log.c
@@ -79,7 +79,6 @@
 struct packhdr {
 struct pcap_pkthdr pcap;/* pcap file packet header */
- u_int32_t sa_family; /* address family */
 union {
 struct ip ip4; /* IPv4 header (w/o options) */
 struct ip6_hdr ip6; /* IPv6 header */
@@ -97,7 +96,7 @@
 static u_int8_t *packet_buf = NULL;
 static int udp_cksum(struct packhdr *, const struct udphdr *,
- u_int16_t *);
+ u_int16_t *, int);
 static u_int16_t in_cksum(const u_int16_t *, int);
 #endif /* USE_DEBUG */
@@ -539,11 +538,9 @@
 udp.uh_ulen = htons(datalen);
 /* ip */
- hdr.sa_family = htonl(src->sa_family);
 switch (src->sa_family) {
 default:
 /* Assume IPv4. XXX Can 'default' ever happen here? */
- hdr.sa_family = htonl(AF_INET);
 hdr.ip.ip4.ip_src.s_addr = 0x02020202;
 hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
 /* The rest of the setup is common to AF_INET. */
@@ -584,9 +581,7 @@
 }
 /* Calculate UDP checksum. */
- udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
- hdrlen += sizeof hdr.sa_family;
-
+ udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
 /* pcap file packet header */
 gettimeofday(&tv, 0);
 hdr.pcap.ts.tv_sec = tv.tv_sec;
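Review bot: The new `x509_cas->param->flags` test reaches through two private OpenSSL structures to read the verify flags, so every later layout change of X509_STORE will need yet another version `#ifdef` at this spot. OpenSSL 0.9.8, the version this branch is gated on, already exposes the same value through an accessor, so `if (X509_VERIFY_PARAM_get_flags(x509_cas->param) & X509_V_FLAG_CRL_CHECK) {` reads it without naming the `flags` member; once the store struct itself becomes opaque in later releases, only a public accessor for the param will still compile. The enclosing function starts and ends outside the hunk.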
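Review bot: In hunk `@@ -584,9 +581,7 @@` the checksum call now receives `src->sa_family`, while the `default:` branch of hunk `@@ -539,11 +538,9 @@` still builds an IPv4 header for any other family; the removed `hdr.sa_family = htonl(AF_INET);` was what made `udp_cksum()` pick the IPv4 pseudo-header for that case, so an unknown family now reaches `switch (af)` unmapped and the capture presumably gets a wrong checksum in exactly the case the comment flags as doubtful. Passing a local that the `default:` case sets to `AF_INET`, instead of the raw `src->sa_family`, keeps the old behaviour. The pcap file header that announces the link type is written outside these hunks; since the 4-byte `sa_family` word is no longer prepended to each packet, it is worth confirming that the link type written there describes a bare IP packet. The enclosing function starts and ends outside both hunks.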
@@ -610,7 +605,7 @@
 /* Copied from tcpdump/print-udp.c, mostly rewritten. */
 static int
-udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
+udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
 {
 struct ip *ip4;
 struct ip6_hdr *ip6;
@@ -639,7 +634,7 @@
 /* Setup pseudoheader. */
 memset(phu.pa, 0, sizeof phu);
- switch (ntohl(hdr->sa_family)) {
+ switch (af) {
 case AF_INET:
 ip4 = &hdr->ip.ip4;
 memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
@@ -664,7 +659,7 @@
 /* IPv6 wants a 0xFFFF checksum "on error", not 0x0. */
 if (tlen < 0)
- return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
+ return (af == AF_INET ? 0 : 0xFFFF);
 sum = 0;
 for (i = 0; i < hdrlen; i += 2)
--- isakmpd-20041012.orig/ike_phase_1.c
+++ isakmpd-20041012/ike_phase_1.c
@@ -1040,9 +1040,9 @@
 /* Compare expected/desired and received remote ID */
 if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
- free(rid);
 log_print("ike_phase_1_recv_ID: "
- "received remote ID other than expected %s", p);
+ "received remote ID other than expected %s - %s", p, payload->p);
+ free(rid);
 return -1;
 }
 free(rid); debian/patches/08_fix_no_add_needed_build.patch0000664000000000000000000000111312123203626016715 0ustar Description: explicitly link with needed libz and libdl required when building with ld --no-add-needed Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622051 Author: Julian Taylor
--- isakmpd-20041012.orig/GNUmakefile
+++ isakmpd-20041012/GNUmakefile
@@ -207,7 +207,7 @@
 ${PROG} beforedepend: ${GENERATED}
 ${PROG}: ${OBJS} ${DPADD}
- ${CC} ${DEBUG} ${LDFLAGS} ${LDSTATIC} -o $@ ${OBJS} ${LDADD}
+ ${CC} ${DEBUG} ${LDFLAGS} ${LDSTATIC} -o $@ ${OBJS} ${LDADD} -lz -ldl
 # Depend rules
 depend: beforedepend .depend mksubdirs afterdepend debian/patches/06_sysdep.patch0000664000000000000000000005272112123203626013460 0ustar
--- isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
+++ isakmpd-20041012/sysdep/linux/include/sys/queue.h
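Review bot: The new format argument `payload->p` in hunk `@@ -1040,9 +1040,9 @@` of ike_phase_1.c hands `%s` a pointer to the raw ID payload, which is peer-supplied binary data that starts with the generic payload header and carries no NUL terminator, so the log call reads until the first zero byte it happens to find — potentially beyond the payload and the received message — and writes whatever precedes it into the log. The bytes the comparison actually examines start at `payload->p + ISAKMP_ID_DATA_OFF` and are `sz` long, and for address ID types they are typically not text, so a length-bounded or hex rendering of those `sz` bytes (or the daemon's existing ID-to-string helper, if one is reachable from here) should replace the bare `%s`. The function ike_phase_1_recv_ID starts and ends outside the hunk.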
@@ -0,0 +1,453 @@ +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * @(#)queue.h 8.5 (Berkeley) 8/20/94 + * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $ + */ + +#ifndef _SYS_QUEUE_H_ +#define _SYS_QUEUE_H_ + +//#include /* for __offsetof */ + +/* + * This file defines four types of data structures: singly-linked lists, + * singly-linked tail queues, lists and tail queues. + * + * A singly-linked list is headed by a single forward pointer. The elements + * are singly linked for minimum space and pointer manipulation overhead at + * the expense of O(n) removal for arbitrary elements. New elements can be + * added to the list after an existing element or at the head of the list. + * Elements being removed from the head of the list should use the explicit + * macro for this purpose for optimum efficiency. A singly-linked list may + * only be traversed in the forward direction. Singly-linked lists are ideal + * for applications with large datasets and few or no removals or for + * implementing a LIFO queue. + * + * A singly-linked tail queue is headed by a pair of pointers, one to the + * head of the list and the other to the tail of the list. The elements are + * singly linked for minimum space and pointer manipulation overhead at the + * expense of O(n) removal for arbitrary elements. New elements can be added + * to the list after an existing element, at the head of the list, or at the + * end of the list. Elements being removed from the head of the tail queue + * should use the explicit macro for this purpose for optimum efficiency. + * A singly-linked tail queue may only be traversed in the forward direction. + * Singly-linked tail queues are ideal for applications with large datasets + * and few or no removals or for implementing a FIFO queue. + * + * A list is headed by a single forward pointer (or an array of forward + * pointers for a hash table header). The elements are doubly linked + * so that an arbitrary element can be removed without a need to + * traverse the list. 
New elements can be added to the list before + * or after an existing element or at the head of the list. A list + * may only be traversed in the forward direction. + * + * A tail queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are doubly + * linked so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before or + * after an existing element, at the head of the list, or at the end of + * the list. A tail queue may be traversed in either direction. + * + * For details on the use of these macros, see the queue(3) manual page. + * + * + * SLIST LIST STAILQ TAILQ + * _HEAD + + + + + * _HEAD_INITIALIZER + + + + + * _ENTRY + + + + + * _INIT + + + + + * _EMPTY + + + + + * _FIRST + + + + + * _NEXT + + + + + * _PREV - - - + + * _LAST - - + + + * _FOREACH + + + + + * _FOREACH_REVERSE - - - + + * _INSERT_HEAD + + + + + * _INSERT_BEFORE - + - + + * _INSERT_AFTER + + + + + * _INSERT_TAIL - - + + + * _REMOVE_HEAD + - + - + * _REMOVE + + + + + * + */ + +/* + * Singly-linked List declarations. + */ +#define SLIST_HEAD(name, type) \ +struct name { \ + struct type *slh_first; /* first element */ \ +} + +#define SLIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define SLIST_ENTRY(type) \ +struct { \ + struct type *sle_next; /* next element */ \ +} + +/* + * Singly-linked List functions. 
+ */ +#define SLIST_EMPTY(head) ((head)->slh_first == NULL) + +#define SLIST_FIRST(head) ((head)->slh_first) + +#define SLIST_FOREACH(var, head, field) \ + for ((var) = SLIST_FIRST((head)); \ + (var); \ + (var) = SLIST_NEXT((var), field)) + +#define SLIST_INIT(head) do { \ + SLIST_FIRST((head)) = NULL; \ +} while (0) + +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ + SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \ + SLIST_NEXT((slistelm), field) = (elm); \ +} while (0) + +#define SLIST_INSERT_HEAD(head, elm, field) do { \ + SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \ + SLIST_FIRST((head)) = (elm); \ +} while (0) + +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) + +#define SLIST_REMOVE(head, elm, type, field) do { \ + if (SLIST_FIRST((head)) == (elm)) { \ + SLIST_REMOVE_HEAD((head), field); \ + } \ + else { \ + struct type *curelm = SLIST_FIRST((head)); \ + while (SLIST_NEXT(curelm, field) != (elm)) \ + curelm = SLIST_NEXT(curelm, field); \ + SLIST_NEXT(curelm, field) = \ + SLIST_NEXT(SLIST_NEXT(curelm, field), field); \ + } \ +} while (0) + +#define SLIST_REMOVE_HEAD(head, field) do { \ + SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \ +} while (0) + +/* + * Singly-linked Tail queue declarations. + */ +#define STAILQ_HEAD(name, type) \ +struct name { \ + struct type *stqh_first;/* first element */ \ + struct type **stqh_last;/* addr of last next element */ \ +} + +#define STAILQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).stqh_first } + +#define STAILQ_ENTRY(type) \ +struct { \ + struct type *stqe_next; /* next element */ \ +} + +/* + * Singly-linked Tail queue functions. 
+ */ +#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL) + +#define STAILQ_FIRST(head) ((head)->stqh_first) + +#define STAILQ_FOREACH(var, head, field) \ + for((var) = STAILQ_FIRST((head)); \ + (var); \ + (var) = STAILQ_NEXT((var), field)) + +#define STAILQ_INIT(head) do { \ + STAILQ_FIRST((head)) = NULL; \ + (head)->stqh_last = &STAILQ_FIRST((head)); \ +} while (0) + +#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \ + if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\ + (head)->stqh_last = &STAILQ_NEXT((elm), field); \ + STAILQ_NEXT((tqelm), field) = (elm); \ +} while (0) + +#define STAILQ_INSERT_HEAD(head, elm, field) do { \ + if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \ + (head)->stqh_last = &STAILQ_NEXT((elm), field); \ + STAILQ_FIRST((head)) = (elm); \ +} while (0) + +#define STAILQ_INSERT_TAIL(head, elm, field) do { \ + STAILQ_NEXT((elm), field) = NULL; \ + *(head)->stqh_last = (elm); \ + (head)->stqh_last = &STAILQ_NEXT((elm), field); \ +} while (0) + +#define STAILQ_LAST(head, type, field) \ + (STAILQ_EMPTY(head) ? 
\ + NULL : \ + ((struct type *) \ + ((char *)((head)->stqh_last) - __offsetof(struct type, field)))) + +#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next) + +#define STAILQ_REMOVE(head, elm, type, field) do { \ + if (STAILQ_FIRST((head)) == (elm)) { \ + STAILQ_REMOVE_HEAD(head, field); \ + } \ + else { \ + struct type *curelm = STAILQ_FIRST((head)); \ + while (STAILQ_NEXT(curelm, field) != (elm)) \ + curelm = STAILQ_NEXT(curelm, field); \ + if ((STAILQ_NEXT(curelm, field) = \ + STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\ + (head)->stqh_last = &STAILQ_NEXT((curelm), field);\ + } \ +} while (0) + +#define STAILQ_REMOVE_HEAD(head, field) do { \ + if ((STAILQ_FIRST((head)) = \ + STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \ + (head)->stqh_last = &STAILQ_FIRST((head)); \ +} while (0) + +#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \ + if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \ + (head)->stqh_last = &STAILQ_FIRST((head)); \ +} while (0) + +/* + * List declarations. + */ +#define LIST_HEAD(name, type) \ +struct name { \ + struct type *lh_first; /* first element */ \ +} + +#define LIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define LIST_ENTRY(type) \ +struct { \ + struct type *le_next; /* next element */ \ + struct type **le_prev; /* address of previous next element */ \ +} + +/* + * List functions. 
+ */ + +#define LIST_EMPTY(head) ((head)->lh_first == NULL) + +#define LIST_FIRST(head) ((head)->lh_first) + +#define LIST_FOREACH(var, head, field) \ + for ((var) = LIST_FIRST((head)); \ + (var); \ + (var) = LIST_NEXT((var), field)) + +#define LIST_INIT(head) do { \ + LIST_FIRST((head)) = NULL; \ +} while (0) + +#define LIST_INSERT_AFTER(listelm, elm, field) do { \ + if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\ + LIST_NEXT((listelm), field)->field.le_prev = \ + &LIST_NEXT((elm), field); \ + LIST_NEXT((listelm), field) = (elm); \ + (elm)->field.le_prev = &LIST_NEXT((listelm), field); \ +} while (0) + +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.le_prev = (listelm)->field.le_prev; \ + LIST_NEXT((elm), field) = (listelm); \ + *(listelm)->field.le_prev = (elm); \ + (listelm)->field.le_prev = &LIST_NEXT((elm), field); \ +} while (0) + +#define LIST_INSERT_HEAD(head, elm, field) do { \ + if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \ + LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\ + LIST_FIRST((head)) = (elm); \ + (elm)->field.le_prev = &LIST_FIRST((head)); \ +} while (0) + +#define LIST_NEXT(elm, field) ((elm)->field.le_next) + +#define LIST_REMOVE(elm, field) do { \ + if (LIST_NEXT((elm), field) != NULL) \ + LIST_NEXT((elm), field)->field.le_prev = \ + (elm)->field.le_prev; \ + *(elm)->field.le_prev = LIST_NEXT((elm), field); \ +} while (0) + +/* + * Tail queue declarations. + */ +#define TAILQ_HEAD(name, type) \ +struct name { \ + struct type *tqh_first; /* first element */ \ + struct type **tqh_last; /* addr of last next element */ \ +} + +#define TAILQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).tqh_first } + +#define TAILQ_ENTRY(type) \ +struct { \ + struct type *tqe_next; /* next element */ \ + struct type **tqe_prev; /* address of previous next element */ \ +} + +/* + * Tail queue functions. 
+ */ +#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL) + +#define TAILQ_FIRST(head) ((head)->tqh_first) + +#define TAILQ_FOREACH(var, head, field) \ + for ((var) = TAILQ_FIRST((head)); \ + (var); \ + (var) = TAILQ_NEXT((var), field)) + +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ + for ((var) = TAILQ_LAST((head), headname); \ + (var); \ + (var) = TAILQ_PREV((var), headname, field)) + +#define TAILQ_INIT(head) do { \ + TAILQ_FIRST((head)) = NULL; \ + (head)->tqh_last = &TAILQ_FIRST((head)); \ +} while (0) + +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\ + TAILQ_NEXT((elm), field)->field.tqe_prev = \ + &TAILQ_NEXT((elm), field); \ + else \ + (head)->tqh_last = &TAILQ_NEXT((elm), field); \ + TAILQ_NEXT((listelm), field) = (elm); \ + (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \ +} while (0) + +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ + TAILQ_NEXT((elm), field) = (listelm); \ + *(listelm)->field.tqe_prev = (elm); \ + (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \ +} while (0) + +#define TAILQ_INSERT_HEAD(head, elm, field) do { \ + if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \ + TAILQ_FIRST((head))->field.tqe_prev = \ + &TAILQ_NEXT((elm), field); \ + else \ + (head)->tqh_last = &TAILQ_NEXT((elm), field); \ + TAILQ_FIRST((head)) = (elm); \ + (elm)->field.tqe_prev = &TAILQ_FIRST((head)); \ +} while (0) + +#define TAILQ_INSERT_TAIL(head, elm, field) do { \ + TAILQ_NEXT((elm), field) = NULL; \ + (elm)->field.tqe_prev = (head)->tqh_last; \ + *(head)->tqh_last = (elm); \ + (head)->tqh_last = &TAILQ_NEXT((elm), field); \ +} while (0) + +#define TAILQ_LAST(head, headname) \ + (*(((struct headname *)((head)->tqh_last))->tqh_last)) + +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) + +#define TAILQ_PREV(elm, headname, field) \ + (*(((struct headname 
*)((elm)->field.tqe_prev))->tqh_last)) + +#define TAILQ_REMOVE(head, elm, field) do { \ + if ((TAILQ_NEXT((elm), field)) != NULL) \ + TAILQ_NEXT((elm), field)->field.tqe_prev = \ + (elm)->field.tqe_prev; \ + else \ + (head)->tqh_last = (elm)->field.tqe_prev; \ + *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \ +} while (0) + + +#ifdef _KERNEL + +/* + * XXX insque() and remque() are an old way of handling certain queues. + * They bogusly assumes that all queue heads look alike. + */ + +struct quehead { + struct quehead *qh_link; + struct quehead *qh_rlink; +}; + +#ifdef __GNUC__ + +static __inline void +insque(void *a, void *b) +{ + struct quehead *element = (struct quehead *)a, + *head = (struct quehead *)b; + + element->qh_link = head->qh_link; + element->qh_rlink = head; + head->qh_link = element; + element->qh_link->qh_rlink = element; +} + +static __inline void +remque(void *a) +{ + struct quehead *element = (struct quehead *)a; + + element->qh_link->qh_rlink = element->qh_rlink; + element->qh_rlink->qh_link = element->qh_link; + element->qh_rlink = 0; +} + +#else /* !__GNUC__ */ + +void insque __P((void *a, void *b)); +void remque __P((void *a)); + +#endif /* __GNUC__ */ + +#endif /* _KERNEL */ + +#endif /* !_SYS_QUEUE_H_ */ --- isakmpd-20041012.orig/sysdep/linux/include/bitstring.h +++ isakmpd-20041012/sysdep/linux/include/bitstring.h 
@@ -0,0 +1,132 @@ +/* $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $ */ +/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */ + +/* + * Copyright (c) 1989, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Paul Vixie. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)bitstring.h 8.1 (Berkeley) 7/19/93 + */ + +#ifndef _BITSTRING_H_ +#define _BITSTRING_H_ + +/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91 + * bitstr_size changed gratuitously, but shorter + * bit_alloc spelling error fixed + * the following were efficient, but didn't work, they've been made to + * work, but are no longer as efficient :-) + * bit_nclear, bit_nset, bit_ffc, bit_ffs + */ +typedef unsigned char bitstr_t; + +/* internal macros */ + /* byte of the bitstring bit is in */ +#define _bit_byte(bit) \ + ((bit) >> 3) + + /* mask for the bit within its byte */ +#define _bit_mask(bit) \ + (1 << ((bit)&0x7)) + +/* external macros */ + /* bytes in a bitstring of nbits bits */ +#define bitstr_size(nbits) \ + (((nbits) + 7) >> 3) + + /* allocate a bitstring */ +#define bit_alloc(nbits) \ + (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t)) + + /* allocate a bitstring on the stack */ +#define bit_decl(name, nbits) \ + ((name)[bitstr_size(nbits)]) + + /* is bit N of bitstring name set? */ +#define bit_test(name, bit) \ + ((name)[_bit_byte(bit)] & _bit_mask(bit)) + + /* set bit N of bitstring name */ +#define bit_set(name, bit) \ + ((name)[_bit_byte(bit)] |= _bit_mask(bit)) + + /* clear bit N of bitstring name */ +#define bit_clear(name, bit) \ + ((name)[_bit_byte(bit)] &= ~_bit_mask(bit)) + + /* clear bits start ... 
stop in bitstring */ +#define bit_nclear(name, start, stop) do { \ + register bitstr_t *_name = name; \ + register int _start = start, _stop = stop; \ + while (_start <= _stop) { \ + bit_clear(_name, _start); \ + _start++; \ + } \ +} while(0) + + /* set bits start ... stop in bitstring */ +#define bit_nset(name, start, stop) do { \ + register bitstr_t *_name = name; \ + register int _start = start, _stop = stop; \ + while (_start <= _stop) { \ + bit_set(_name, _start); \ + _start++; \ + } \ +} while(0) + + /* find first bit clear in name */ +#define bit_ffc(name, nbits, value) do { \ + register bitstr_t *_name = name; \ + register int _bit, _nbits = nbits, _value = -1; \ + for (_bit = 0; _bit < _nbits; ++_bit) \ + if (!bit_test(_name, _bit)) { \ + _value = _bit; \ + break; \ + } \ + *(value) = _value; \ +} while(0) + + /* find first bit set in name */ +#define bit_ffs(name, nbits, value) do { \ + register bitstr_t *_name = name; \ + register int _bit, _nbits = nbits, _value = -1; \ + for (_bit = 0; _bit < _nbits; ++_bit) \ + if (bit_test(_name, _bit)) { \ + _value = _bit; \ + break; \ + } \ + *(value) = _value; \ +} while(0) + +#endif /* !_BITSTRING_H_ */ --- isakmpd-20041012.orig/sysdep/common/pcap.h +++ isakmpd-20041012/sysdep/common/pcap.h @@ -55,8 +55,13 @@ u_int32_t linktype; /* data link type (DLT_*) */ }; +struct pcap_timeval { + int32_t tv_sec; /* seconds */ + int32_t tv_usec; /* microseconds */ +}; + struct pcap_pkthdr { - struct timeval ts; /* time stamp */ + struct pcap_timeval ts; /* time stamp */ u_int32_t caplen; /* length of portion present */ u_int32_t len; /* length this packet (off wire) */ }; --- isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c +++ isakmpd-20041012/sysdep/common/libsysdep/arc4random.c @@ -78,7 +78,7 @@ static void arc4_stir(struct arc4_stream *as) { - int fd; + int fd, i; struct { struct timeval tv; u_int8_t rnd[128 - sizeof(struct timeval)]; --- isakmpd-20041012.orig/x509v3.cnf +++ isakmpd-20041012/x509v3.cnf 
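Review bot: The pcap.h hunk changes `ts` to a `pcap_timeval` with `int32_t` members, which makes the `hdr.pcap.ts.tv_sec = tv.tv_sec;` assignment in log.c (04_logging.patch, hunk `@@ -584`) an implicit narrowing from the host `time_t`; that is the intent for the on-disk pcap format, but nothing says so. Document it on the struct, e.g. `/* 32-bit fields: pcap file format, independent of the host's struct timeval */`, and make the narrowing explicit at the assignment site with `hdr.pcap.ts.tv_sec = (int32_t)tv.tv_sec;` so `-Wconversion` does not flag it as accidental. The log.c assignment is outside this patch, so that part would be a separate change.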
@@ -0,0 +1,26 @@ +# default settings +CERTPATHLEN = 1 +CERTUSAGE = digitalSignature,keyCertSign +CERTIP = 0.0.0.0 +CERTFQDN = nohost.nodomain + +# This section should be referenced when building an x509v3 CA +# Certificate. +# The default path length and the key usage can be overriden +# modified by setting the CERTPATHLEN and CERTUSAGE environment +# variables. +[x509v3_CA] +basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN +keyUsage=$ENV::CERTUSAGE + +# This section should be referenced to add an IP Address +# as an alternate subject name, needed by isakmpd +# The address must be provided in the CERTIP environment variable +[x509v3_IPAddr] +subjectAltName=IP:$ENV::CERTIP + +# This section should be referenced to add a FQDN hostname +# as an alternate subject name, needed by isakmpd +# The address must be provided in the CERTFQDN environment variable +[x509v3_FQDN] +subjectAltName=DNS:$ENV::CERTFQDN debian/patches/01_makefile.patch0000664000000000000000000001236612123203654013723 0ustar --- isakmpd-20041012.orig/GNUmakefile +++ isakmpd-20041012/GNUmakefile @@ -40,12 +40,12 @@ # integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec. # darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5 # and later with native IPSec support. -OS= openbsd +#OS= openbsd #OS= netbsd #OS= freebsd #OS= freeswan #OS= darwin -#OS= linux +OS= linux .CURDIR:= $(shell pwd) VPATH= ${.CURDIR}/sysdep/${OS} @@ -55,9 +55,10 @@ ifndef BINDIR BINDIR= /sbin endif -ifndef LDSTATIC -LDSTATIC= -static -endif + +#ifndef LDSTATIC +#LDSTATIC= -static +#endif SRCS= app.c attribute.c cert.c connection.c \ constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \ 
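Review bot: In `[x509v3_CA]`, `keyUsage=$ENV::CERTUSAGE` is emitted as a non-critical extension while `basicConstraints` on the line above is `critical`; RFC 5280 says keyUsage SHOULD be critical when present, and a non-critical keyUsage allows a relying party to ignore the digitalSignature/keyCertSign restriction this section is meant to impose. `keyUsage=critical,$ENV::CERTUSAGE` keeps the environment override and closes that gap. Note also that, as far as I know OpenSSL's config parser, each `$ENV::` lookup falls back to the placeholder defaults at the top of the file (`0.0.0.0`, `nohost.nodomain`) when the variable is unset rather than failing, even though the section comments say the value "must be provided"; if that fallback is intended the comments should say so.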
@@ -131,11 +132,14 @@ ifneq ($(findstring install,$(MAKECMDGOALS)),install) # Skip 'regress' until the regress/ structure has gmake makefiles for it. #SUBDIR:= regress -SUBDIR:= +SUBDIR:= apps/certpatch mksubdirs: $(foreach DIR, ${SUBDIR}, \ - cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \ - MKDEP="${MKDEP}" ${MAKECMDGOALS}) + cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};) + +# $(foreach DIR, ${SUBDIR}, \ +# cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \ +# MKDEP="${MKDEP}" ${MAKECMDGOALS}) else mksubdirs: endif @@ -173,7 +177,7 @@ endif SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \ - $(ISAKMP_CFG) + $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL} CFLAGS+= ${IPSEC_CFLAGS} LDADD+= ${DESLIB} DPADD+= ${DESLIBDEP} --- isakmpd-20041012.orig/apps/certpatch/GNUmakefile +++ isakmpd-20041012/apps/certpatch/GNUmakefile 
@@ -0,0 +1,55 @@ +# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $ +# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $ + +# +# Copyright (c) 1999 Niels Provos. All rights reserved. +# Copyright (c) 2001 Niklas Hallqvist. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +# +# This code was written under funding by Ericsson Radio Systems. +# + +PROG= certpatch +SRCS= certpatch.c +BINDIR?= /usr/sbin +TOPSRC= ${.CURDIR}../.. 
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- +OS= linux +FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' +.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} +CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall +LDFLAGS+= -lcrypto -lssl -lgmp +MAN= certpatch.8 + +CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP +LDADD+= -lgmp +DPADD+= ${LIBGMP} + +# Override LIBSYSDEPDIR definition from Makefile.sysdep +LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep + +all: ${PROG} + +clean: + rm -f ${PROG} --- isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep +++ isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep 
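Review bot: `TOPSRC= ${.CURDIR}../..` has no path separator between `${.CURDIR}` and `../..`, so it only names the tree root when `.CURDIR` expands to the empty string, whereas the `FEATURES!=` line two lines later uses `${.CURDIR}/../../Makefile` with a slash; the two cannot both be right. This is a GNUmakefile invoked by GNU make from the top-level `mksubdirs` rule, and `.CURDIR` is only assigned (`.CURDIR:= $(shell pwd)`) in the top-level GNUmakefile with no visible export, so the empty expansion is probably what makes the build work today — I cannot confirm the make version from here, and `!=`, `.PATH:` and `.CURDIR` are BSD make constructs that older GNU make does not interpret. Setting `.CURDIR:= $(shell pwd)` at the top of this file and writing `TOPSRC= ${.CURDIR}/../..` makes the intent explicit and both lines consistent. `-lgmp` is also listed in both `LDFLAGS+=` and `LDADD+=`.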
@@ -25,33 +25,33 @@ # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # -LIBGMP:= /usr/lib/libgmp.a -LIBCRYPTO:= /usr/lib/libcrypto.a +#LIBGMP:= /usr/lib/libgmp.a +#LIBCRYPTO:= /usr/lib/libcrypto.a LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a -LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO} +LDADD+= -lgmp -ldl -lcrypto ${LIBSYSDEP} ${LIBCRYPTO} DPADD+= ${LIBGMP} ${LIBSYSDEP} -CFLAGS+= -DUSE_OLD_SOCKADDR -DHAVE_PCAP \ - -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \ - -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \ +CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \ + -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \ + -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \ -I/usr/include/openssl -FEATURES= debug tripledes blowfish cast ec aggressive x509 policy -FEATURES+= des aes +FEATURES= debug tripledes blowfish cast ec aggressive x509 +FEATURES+= dpd nat_traversal isakmp_cfg des aes IPSEC_SRCS= pf_key_v2.c IPSEC_CFLAGS= -DUSE_PF_KEY_V2 USE_LIBCRYPO= defined HAVE_DLOPEN= defined -USE_KEYNOTE= defined +# USE_KEYNOTE= defined # hack libsysdep.a dependenc ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}: cd ${LIBSYSDEPDIR} && \ - ${MAKE} --no-print-directory ${MAKEFLAGS} \ + ${MAKE} --no-print-directory \ CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS} ifeq ($(findstring clean,$(MAKECMDGOALS)),clean) debian/patches/03_compile_fix.patch0000664000000000000000000000405412123203626014440 0ustar --- isakmpd-20041012.orig/dpd.c +++ isakmpd-20041012/dpd.c @@ -26,6 +26,7 @@ #include #include +#include #include "sysdep.h" @@ -174,6 +175,7 @@ } break; default: + ; } /* Mark handled. */ @@ -223,6 +225,7 @@ dpd_check_event, sa, &tv); break; default: + ; } if (!sa->dpd_event) log_print("dpd_timer_reset: timer_add_event failed"); --- isakmpd-20041012.orig/ike_quick_mode.c +++ isakmpd-20041012/ike_quick_mode.c 
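Review bot: This hunk drops `policy` from `FEATURES` and comments out `USE_KEYNOTE`, which removes the daemon's policy engine from the Debian build, yet 01_makefile.patch carries no header explaining why, unlike 08_fix_no_add_needed_build.patch and 09_fix_as_needed_build.patch which have DEP-3 `Description:`/`Author:` lines. A configuration change of this weight should be recorded in the patch itself, e.g. `Description: build without keynote/policy support (<reason>)` with the actual reason filled in — the same applies to patches 02 through 07, none of which carry a description. The ike_quick_mode.c hunk in 03_compile_fix.patch guards on `USE_POLICY` and presumably depends on this change, so the two patches should reference each other.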
@@ -1740,7 +1740,7 @@ goto cleanup; } } else if ( -#ifdef USE_X509 +#if defined (USE_X509) && defined (USE_POLICY) ignore_policy || #endif strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) { --- isakmpd-20041012.orig/apps/Makefile +++ isakmpd-20041012/apps/Makefile @@ -31,4 +31,4 @@ SUBDIR= certpatch -.include +#.include --- isakmpd-20041012.orig/sysdep/linux/sysdep.c +++ isakmpd-20041012/sysdep/linux/sysdep.c @@ -169,22 +169,22 @@ return 0; if (!(af == AF_INET || af == AF_INET6)) - { + { log_print ("sysdep_cleartext: unsupported protocol family %d", af); return -1; } if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6, - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, - &pol_in, sizeof pol_in) < 0 || + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, + &pol_in, sizeof pol_in) < 0 || setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6, - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, - &pol_out, sizeof pol_out) < 0) - { + af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, + &pol_out, sizeof pol_out) < 0) + { log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " - "failed", fd, af == AF_INET ? "" : "V6", - af == AF_INET ? "" : "V6"); + "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " + "failed", fd, af == AF_INET ? "" : "V6", + af == AF_INET ? "" : "V6"); return -1; } return 0; debian/patches/09_fix_as_needed_build.patch0000664000000000000000000000151012123203626016076 0ustar Description: fix build with ld --as-needed libraries must be placed behind the objects needing them, else their symbols will not be registered as needed leading to undefined references when compiling with ld --as-needed LDFLAGS is placed before the objects, LOADLIBES is the correct implicit rule variable for library linking Author: Julian Taylor --- isakmpd-20041012.orig/apps/certpatch/GNUmakefile +++ isakmpd-20041012/apps/certpatch/GNUmakefile 
@@ -39,7 +39,7 @@ FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' .PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -LDFLAGS+= -lcrypto -lssl -lgmp +LOADLIBES+= -lcrypto -lssl -lgmp MAN= certpatch.8 CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP debian/patches/07_fix_ifreq_len.patch0000664000000000000000000000100112123203626014745 0ustar Index: isakmpd-20041012/if.c =================================================================== --- isakmpd-20041012.orig/if.c 2009-10-30 17:52:06.000000000 +0100 +++ isakmpd-20041012/if.c 2009-10-30 17:52:30.000000000 +0100 @@ -143,8 +143,7 @@ ifrp = (struct ifreq *)p; if ((*func)(ifrp->ifr_name, &ifrp->ifr_addr, arg) == -1) err = -1; - len = sizeof ifrp->ifr_name + - MAX(sysdep_sa_len(&ifrp->ifr_addr), sizeof ifrp->ifr_addr); + len = sizeof(struct ifreq); } free(ifc.ifc_buf); #endif debian/patches/02_natt.patch0000664000000000000000000005524012123203626013112 0ustar --- isakmpd-20041012.orig/exchange.h +++ isakmpd-20041012/exchange.h @@ -221,6 +221,8 @@ #define EXCHANGE_FLAG_NAT_T_ENABLE 0x10 /* We are doing NAT-T. */ #define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20 /* We are the NAT:ed peer. */ #define EXCHANGE_FLAG_DPD_CAP_PEER 0x40 /* Peer is DPD capable. */ +#define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */ +#define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/ extern int exchange_add_certs(struct message *); extern void exchange_finalize(struct message *); --- isakmpd-20041012.orig/nat_traversal.c +++ isakmpd-20041012/nat_traversal.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $ */ +/* $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $ */ /* * Copyright (c) 2004 Håkan Olsson. All rights reserved. 
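Review bot: In the if.c hunk of 07_fix_ifreq_len.patch, replacing the `sa_len`-based stride with `len = sizeof(struct ifreq);` is right for Linux, where SIOCGIFCONF returns fixed-size `struct ifreq` entries, but the line carries no comment and the old expression existed for BSD, where `ifr_addr` can exceed its declared size. The loop sits inside a conditional block whose condition is outside the hunk (an `#endif` follows), so add `/* Linux SIOCGIFCONF returns fixed-size struct ifreq entries; the sa_len-based stride is a BSD-ism. */` above the assignment so the next reader does not restore the old form. The enclosing function starts outside the hunk.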
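Review bot: The new `EXCHANGE_FLAG_NAT_T_RFC 0x0080` and `EXCHANGE_FLAG_NAT_T_DRAFT 0x0100` in exchange.h extend the flag set beyond eight bits — the existing flags stop at 0x40 — and the width of the `flags` member that stores them is not visible here, so confirm it is at least 16 bits wide; otherwise 0x0100 is silently truncated on assignment and the RFC/draft distinction is lost. The four-digit spelling also differs from the two-digit `0x10`/`0x20`/`0x40` style of the neighbouring lines; `0x80` and `0x100` would match. The hunk holds only the define block, so the struct definition is outside this view.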
@@ -48,40 +48,40 @@ #include "util.h" #include "virtual.h" +int disable_nat_t = 0; + /* - * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T - * capability of the other peer is determined by a particular vendor ID - * sent as the first message. This vendor ID string is supposed to be a - * MD5 hash of "RFC XXXX", where XXXX is the future RFC number. + * NAT-T capability of the other peer is determined by a particular vendor + * ID sent in the first message. This vendor ID string is supposed to be a + * MD5 hash of "RFC 3947". * * These seem to be the "well" known variants of this string in use by * products today. */ -static const char *isakmp_nat_t_cap_text[] = { - "draft-ietf-ipsec-nat-t-ike-00", /* V1 (XXX: may be obsolete) */ - "draft-ietf-ipsec-nat-t-ike-02\n", /* V2 */ - "draft-ietf-ipsec-nat-t-ike-03", /* V3 */ -#ifdef notyet - "RFC XXXX", -#endif + +static struct nat_t_cap isakmp_nat_t_cap[] = { + { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT, + "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 }, + { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT, + "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 }, + { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC, + "RFC 3947", NULL, 0 }, }; +#define NUMNATTCAP (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0]) + /* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09. */ #define NAT_T_KEEPALIVE_INTERVAL 20 -/* The MD5 hashes of the above strings is put in this array. */ -static char **nat_t_hashes; -static size_t nat_t_hashsize; - static int nat_t_setup_hashes(void); -static int nat_t_add_vendor_payload(struct message *, char *); +static int nat_t_add_vendor_payload(struct message *, struct nat_t_cap *); static int nat_t_add_nat_d(struct message *, struct sockaddr *); static int nat_t_match_nat_d_payload(struct message *, struct sockaddr *); void nat_t_init(void) { - nat_t_hashes = (char **)NULL; + nat_t_setup_hashes(); } /* Generate the NAT-T capability marker hashes. Executed only once. */ 
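Review bot: `nat_t_init` now calls `nat_t_setup_hashes()` and discards its return value, and the failure path it relies on no longer leaves the table in a safe state: in the `@@ -100` hunk, `errout:` frees each `isakmp_nat_t_cap[i].hash` but does not reset the pointer (the old code ended with `nat_t_hashes = NULL`), and `nat_t_add_vendor_payloads` (`@@ -171`) no longer checks that setup succeeded before `nat_t_add_vendor_payload` does `memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize)` (`@@ -158`). A malloc failure during startup therefore becomes a copy from freed memory — or from a NULL `hash` with a non-zero `hashsize`, since `hashsize` is assigned before the malloc — in the first phase-1 message sent. After each `free` in `errout:` add `isakmp_nat_t_cap[i].hash = NULL; isakmp_nat_t_cap[i].hashsize = 0;`, and have `nat_t_add_vendor_payload` fail early with `if (cap->hash == NULL) return -1;` (or make `nat_t_init` report the error to its caller). The `@@ -171` hunk may continue past the end of the visible range.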
@@ -89,7 +89,7 @@
 nat_t_setup_hashes(void)
 {
 	struct hash *hash;
-	int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
+	int n = NUMNATTCAP;
 	int i;
 
 	/* The draft says to use MD5. */
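Review bot: `int n = NUMNATTCAP;` stores a `size_t` (the `sizeof` quotient) in an `int`, and the same mismatch recurs in the `for (i = 0; i < NUMNATTCAP; i++)` loops added to `nat_t_add_vendor_payloads` and `nat_t_check_vendor_payload` further down, where `i` is `int`; a build with `-Wextra`/`-Wsign-compare` warns on each of them. Declaring the counters as `size_t n = NUMNATTCAP;` and `size_t i;` (the `errout:` loop in the next hunk reuses `i` and follows along) removes the warnings with no behaviour change.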
@@ -100,56 +100,49 @@ "could not find MD5 hash structure!"); return -1; } - nat_t_hashsize = hash->hashsize; - /* Allocate one more than is necessary, i.e NULL terminated. */ - nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *)); - if (!nat_t_hashes) { - log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed", - (unsigned long)n, (unsigned long)sizeof(char *)); - return -1; - } - - /* Populate with hashes. */ + /* Populate isakmp_nat_t_cap with hashes. */ for (i = 0; i < n; i++) { - nat_t_hashes[i] = (char *)malloc(nat_t_hashsize); - if (!nat_t_hashes[i]) { + isakmp_nat_t_cap[i].hashsize = hash->hashsize; + isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize); + if (!isakmp_nat_t_cap[i].hash) { log_error("nat_t_setup_hashes: malloc (%lu) failed", - (unsigned long)nat_t_hashsize); + (unsigned long)hash->hashsize); goto errout; } hash->Init(hash->ctx); hash->Update(hash->ctx, - (unsigned char *)isakmp_nat_t_cap_text[i], - strlen(isakmp_nat_t_cap_text[i])); - hash->Final(nat_t_hashes[i], hash->ctx); + (unsigned char *)isakmp_nat_t_cap[i].text, + strlen(isakmp_nat_t_cap[i].text)); + hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx); LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: " - "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i], - (unsigned long)nat_t_hashsize)); + "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text, + (unsigned long)hash->hashsize)); LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes", - nat_t_hashes[i], nat_t_hashsize)); + isakmp_nat_t_cap[i].hash, hash->hashsize)); } return 0; - errout: +errout: for (i = 0; i < n; i++) - if (nat_t_hashes[i]) - free(nat_t_hashes[i]); - free(nat_t_hashes); - nat_t_hashes = NULL; + if (isakmp_nat_t_cap[i].hash) + free(isakmp_nat_t_cap[i].hash); return -1; } /* Add one NAT-T VENDOR payload. 
*/ static int -nat_t_add_vendor_payload(struct message *msg, char *hash) +nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap) { - size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ; + size_t buflen = cap->hashsize + ISAKMP_GEN_SZ; u_int8_t *buf; + if (disable_nat_t) + return 0; + buf = malloc(buflen); if (!buf) { log_error("nat_t_add_vendor_payload: malloc (%lu) failed", @@ -158,12 +151,11 @@ } SET_ISAKMP_GEN_LENGTH(buf, buflen); - memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize); + memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize); if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) { free(buf); return -1; } - return 0; } @@ -171,16 +163,14 @@ int nat_t_add_vendor_payloads(struct message *msg) { - int i = 0; + int i; - if (!nat_t_hashes) - if (nat_t_setup_hashes()) - return 0; /* XXX should this be an error? */ + if (disable_nat_t) + return 0; - while (nat_t_hashes[i]) - if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++])) + for (i = 0; i < NUMNATTCAP; i++) + if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i])) return -1; - return 0; } 
@@ -192,36 +182,31 @@ { u_int8_t *pbuf = p->p; size_t vlen; - int i = 0; + int i; - /* Already checked? */ - if (p->flags & PL_MARK || - msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER) + if (disable_nat_t) return; - if (!nat_t_hashes) - if (nat_t_setup_hashes()) - return; - vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ; - if (vlen != nat_t_hashsize) { - LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: " - "bad size %lu != %lu", (unsigned long)vlen, - (unsigned long)nat_t_hashsize)); - return; - } - while (nat_t_hashes[i]) - if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ, + for (i = 0; i < NUMNATTCAP; i++) { + if (vlen != isakmp_nat_t_cap[i].hashsize) { + LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: " + "bad size %lu != %lu", (unsigned long)vlen, + (unsigned long)isakmp_nat_t_cap[i].hashsize)); + continue; + } + if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ, vlen) == 0) { /* This peer is NAT-T capable. */ msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER; + msg->exchange->flags |= isakmp_nat_t_cap[i].flags; LOG_DBG((LOG_EXCHANGE, 10, "nat_t_check_vendor_payload: " "NAT-T capable peer detected")); p->flags |= PL_MARK; - return; } + } return; } @@ -233,10 +218,8 @@ { struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data; struct hash *hash; - struct prf *prf; u_int8_t *res; in_port_t port; - int prf_type = PRF_HMAC; /* XXX */ hash = hash_get(ie->hash->type); if (hash == NULL) { 
@@ -244,31 +227,25 @@ return NULL; } - prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies, - ISAKMP_HDR_COOKIES_LEN); - if(!prf) { - log_print("nat_t_generate_nat_d_hash: prf_alloc failed"); - return NULL; - } + *hashlen = hash->hashsize; - *hashlen = prf->blocksize; res = (u_int8_t *)malloc((unsigned long)*hashlen); if (!res) { log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed", (unsigned long)*hashlen); - prf_free(prf); *hashlen = 0; return NULL; } port = sockaddr_port(sa); - memset(res, 0, *hashlen); - - prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa)); - prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port); - prf->Final(res, prf->prfctx); - prf_free (prf); + bzero(res, *hashlen); + hash->Init(hash->ctx); + hash->Update(hash->ctx, msg->exchange->cookies, + sizeof msg->exchange->cookies); + hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa)); + hash->Update(hash->ctx, (unsigned char *)&port, sizeof port); + hash->Final(res, hash->ctx); return res; } @@ -276,6 +253,7 @@ static int nat_t_add_nat_d(struct message *msg, struct sockaddr *sa) { + int ret; u_int8_t *hbuf, *buf; size_t hbuflen, buflen; @@ -298,11 +276,19 @@ memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen); free(hbuf); - if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) { + if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC) + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, + buflen, 1); + else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT) + ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT, + buf, buflen, 1); + else + ret = -1; + + if (ret) { free(buf); return -1; } - return 0; } 
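Review bot: `bzero(res, *hashlen)` replaces the original `memset(res, 0, *hashlen)` with a function POSIX marked LEGACY and dropped in POSIX.1-2008, and the fill is redundant anyway because `hash->Final(res, hash->ctx)` overwrites all `hash->hashsize` bytes of `res` a few lines later. Suggest removing the line, or keeping `memset(res, 0, *hashlen);` if a zeroed buffer is wanted on the error paths. The digest input order (cookies, address, port) matches the RFC 3947 NAT-D definition as far as the hunk shows; whether `sockaddr_port()` yields the port in network byte order, which the on-the-wire definition presumes, is decided outside this hunk.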
@@ -312,14 +298,14 @@ { struct sockaddr *sa; - msg->transport->vtbl->get_src(msg->transport, &sa); + /* Remote address first. */ + msg->transport->vtbl->get_dst(msg->transport, &sa); if (nat_t_add_nat_d(msg, sa)) return -1; - msg->transport->vtbl->get_dst(msg->transport, &sa); + msg->transport->vtbl->get_src(msg->transport, &sa); if (nat_t_add_nat_d(msg, sa)) return -1; - return 0; } @@ -336,8 +322,8 @@ * If there are no NAT-D payloads in the message, return "found" * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()). */ - p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D); - if (!p) + if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL && + (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL) return 1; hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen); --- isakmpd-20041012.orig/udp_encap.c +++ isakmpd-20041012/udp_encap.c @@ -61,6 +61,11 @@ #define UDP_SIZE 65536 +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC) +#include +#include +#endif + /* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */ #ifndef SO_REUSEPORT #define SO_REUSEPORT SO_REUSEADDR @@ -134,6 +139,18 @@ if (sysdep_cleartext(s, laddr->sa_family) == -1) goto err; +#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC) + { +#ifndef SOL_UDP +#define SOL_UDP 17 +#endif + int option = UDP_ENCAP_ESPINUDP; + if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option, + sizeof (option)) < 0) + goto err; + } +#endif + /* Wildcard address ? */ switch (laddr->sa_family) { case AF_INET: --- isakmpd-20041012.orig/pf_key_v2.c +++ isakmpd-20041012/pf_key_v2.c @@ -1055,6 +1055,10 @@ #endif #if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP) struct sadb_x_udpencap udpencap; +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE) + struct sadb_x_nat_t_type nat_t_type; + struct sadb_x_nat_t_port nat_t_sport; + struct sadb_x_nat_t_port nat_t_dport; #endif #ifdef USE_DEBUG char *addr_str; 
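Review bot: The NAT-D lookup tries `ISAKMP_PAYLOAD_NAT_D_DRAFT` and then `ISAKMP_PAYLOAD_NAT_D` regardless of which variant the peer advertised, while `nat_t_add_nat_d` in the earlier hunk picks the payload type strictly from `EXCHANGE_FLAG_NAT_T_RFC` / `EXCHANGE_FLAG_NAT_T_DRAFT`; a peer that advertised RFC 3947 but sends draft-numbered payloads is therefore accepted here but answered with the other type. If the fallback is deliberate for peers that advertise both variants, a comment saying so would help; otherwise `p = payload_first(msg, (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC) ? ISAKMP_PAYLOAD_NAT_D : ISAKMP_PAYLOAD_NAT_D_DRAFT);` keeps both sides consistent. The function starts and ends outside the hunk, so how `p` is iterated afterwards was not checked.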
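Review bot: In udp_encap.c, `#define SOL_UDP 17` hard-codes the protocol number; `IPPROTO_UDP` from <netinet/in.h> is the portable name with that value and is presumably already in scope in a UDP transport, so `setsockopt(s, IPPROTO_UDP, UDP_ENCAP, &option, sizeof option)` avoids the fallback macro entirely. The failure branch also jumps to `err` with no diagnostic, so a kernel without ESP-in-UDP support makes socket creation fail silently at this point; a `log_error("<function>: setsockopt (%d, UDP_ENCAP)", s)` before the `goto` (the enclosing function's name is outside the hunk) would give the operator something to act on. The two added `#include` lines lost their header names in this rendering, so what they pull in could not be verified.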
@@ -1273,10 +1277,15 @@ log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto); goto cleanup; } - if (incoming) + if (incoming) { sa->transport->vtbl->get_src(sa->transport, &dst); - else + sa->transport->vtbl->get_dst(sa->transport, &src); + } + else { sa->transport->vtbl->get_dst(sa->transport, &dst); + sa->transport->vtbl->get_src(sa->transport, &src); + } + #ifdef KAME msg.sadb_msg_seq = (incoming ? pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi, @@ -1319,12 +1328,13 @@ ssa.sadb_sa_flags = 0; #ifdef SADB_X_SAFLAGS_TUNNEL if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL || - iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL) + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL || + iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL; #endif -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP) if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) { +#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP) memset(&udpencap, 0, sizeof udpencap); ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; 
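Review bot: The rewritten `if (incoming) { … }` puts the closing brace and `else {` on separate lines, whereas the surrounding file uses KNF `} else {`; suggest `} else {` for the added branch. The change itself is sound as far as the hunks show: both `src` and `dst` are now fetched here, and the old `src` fetch under "Setup the ADDRESS extensions" is removed in a later hunk of this file, so `src` is still assigned before `sysdep_sa_len(src)` on the non-error path.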
@@ -1334,8 +1344,40 @@ if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0) == -1) goto cleanup; - } +#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE) +#ifndef UDP_ENCAP_ESPINUDP +#define UDP_ENCAP_ESPINUDP 2 +#endif + memset(&nat_t_type, 0, sizeof nat_t_type); + memset(&nat_t_sport, 0, sizeof nat_t_sport); + memset(&nat_t_dport, 0, sizeof nat_t_dport); + + /* type = draft-udp-encap-06 */ + nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK; + nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; + nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP; + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1) + goto cleanup; + + /* source port */ + nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport / + PF_KEY_V2_CHUNK; + nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT; + nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src); + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1) + goto cleanup; + + /* destination port */ + nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport / + PF_KEY_V2_CHUNK; + nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT; + nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst); + if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1) + goto cleanup; + + /* original address (transport mode checksum missing info) goes here */ #endif + } if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1) goto cleanup; @@ -1395,10 +1437,6 @@ /* * Setup the ADDRESS extensions. */ - if (incoming) - sa->transport->vtbl->get_dst(sa->transport, &src); - else - sa->transport->vtbl->get_src(sa->transport, &src); len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src)); addr = calloc(1, len); if (!addr) 
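Review bot: The trailing comment `/* original address (transport mode checksum missing info) goes here */` marks the missing `SADB_X_EXT_NAT_T_OA` extension but reads as a placeholder rather than a known gap; since transport-mode UDP-encapsulated SAs rely on the peer's original address for TCP/UDP checksum fix-up (the very point the comment alludes to), the limitation should be visible to whoever debugs such an SA. Suggest `/* TODO: SADB_X_EXT_NAT_T_OA (peer's original address) is not sent; transport-mode checksum fix-up depends on it. */`. The three `if(pf_key_v2_msg_add(…)` calls also drop the space after `if` that every other test in this block uses (`if (pf_key_v2_msg_add(…)`).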
@@ -2167,7 +2205,7 @@ pf_key_v2_msg_free(ret); return -1; -#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE) +#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE) struct sadb_msg msg; struct sadb_x_policy *policy = 0; struct sadb_x_ipsecrequest *ipsecrequest; @@ -2181,7 +2219,7 @@ struct sockaddr_in *ip4_sa; struct sockaddr_in6 *ip6_sa; - msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD; + msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE; msg.sadb_msg_satype = SADB_SATYPE_UNSPEC; msg.sadb_msg_seq = 0; flow = pf_key_v2_msg_new(&msg, 0); --- isakmpd-20041012.orig/isakmp_num.cst +++ isakmpd-20041012/isakmp_num.cst @@ -57,15 +57,18 @@ KD 17 # RFC 3547, Key Download SEQ 18 # RFC 3547, Sequence Number POP 19 # RFC 3547, Proof of possession - RESERVED_MIN 20 + NAT_D 20 # RFC 3947, NAT Discovery payload + NAT_OA 21 # RFC 3947, NAT Original Address payload + RESERVED_MIN 22 RESERVED_MAX 127 PRIVATE_MIN 128 # XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify # XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC # XXX 3547 as seen above. - NAT_D 130 # NAT Discovery payload - NAT_OA 131 # NAT Original Address payload + NAT_D_DRAFT 130 # NAT Discovery payload + NAT_OA_DRAFT 131 # NAT Original Address payload PRIVATE_MAX 255 + MAX 255 . # ISAKMP exchange types. --- isakmpd-20041012.orig/ipsec_num.cst +++ isakmpd-20041012/ipsec_num.cst @@ -62,10 +62,10 @@ IPSEC_ENCAP TUNNEL 1 TRANSPORT 2 - FUTURE_UDP_ENCAP_TUNNEL 3 # XXX Not yet assigned - FUTURE_UDP_ENCAP_TRANSPORT 4 # XXX Not yet assigned - UDP_ENCAP_TUNNEL 61443 # draft-ietf-ipsec-nat-t-ike - UDP_ENCAP_TRANSPORT 61443 # draft-ietf-ipsec-nat-t-ike + UDP_ENCAP_TUNNEL 3 + UDP_ENCAP_TRANSPORT 4 + UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike + UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike . # IPSEC authentication algorithm. --- isakmpd-20041012.orig/nat_traversal.h +++ isakmpd-20041012/nat_traversal.h 
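Review bot: Switching the flow message from `SADB_X_SPDADD` to `SADB_X_SPDUPDATE` changes semantics, not just the constant: SPDADD fails with EEXIST when a policy for the same selectors already exists, while SPDUPDATE replaces it, so a duplicate or stale policy is now silently overwritten rather than reported. If that is the intent (it avoids the EEXIST failure on renegotiation), a comment at the assignment, `/* SPDUPDATE replaces any existing policy for these selectors instead of failing with EEXIST. */`, would record it, and a `LOG_DBG` line when `delete` is false would make replacements traceable. The guard `#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)` is updated consistently with the new message type.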
@@ -1,4 +1,4 @@ -/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */ +/* $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $ */ /* * Copyright (c) 2004 Håkan Olsson. All rights reserved. @@ -27,6 +27,24 @@ #ifndef _NAT_TRAVERSAL_H_ #define _NAT_TRAVERSAL_H_ +#define VID_DRAFT_V2 0 +#define VID_DRAFT_V2_N 1 +#define VID_DRAFT_V3 2 +#define VID_RFC3947 3 + +struct nat_t_cap { + int id; + u_int32_t flags; + const char *text; + char *hash; + size_t hashsize; +}; + +/* + * Set if -T is given on the command line to disable NAT-T support. + */ +extern int disable_nat_t; + void nat_t_init(void); int nat_t_add_vendor_payloads(struct message *); void nat_t_check_vendor_payload(struct message *, struct payload *); --- isakmpd-20041012.orig/message.c +++ isakmpd-20041012/message.c @@ -112,6 +112,7 @@ message_validate_hash, message_validate_sig, message_validate_nonce, message_validate_notify, message_validate_delete, message_validate_vendor, message_validate_attribute, + message_validate_nat_d, message_validate_nat_oa, message_validate_nat_d, message_validate_nat_oa }; @@ -120,7 +121,7 @@ isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld, isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld, isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld, - isakmp_nat_oa_fld + isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld }; /* @@ -138,7 +139,8 @@ ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD, ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP #endif - ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA + ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA, + ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT }; static u_int8_t payload_map[256]; 
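Review bot: The new `struct nat_t_cap` in nat_traversal.h leaves its ownership contract undocumented: `hash` is malloc'd by `nat_t_setup_hashes()` and is NULL until that has run, `hashsize` is the MD5 output length filled in at the same time, and `text` is the vendor-ID string that gets hashed, none of which a reader of the header can tell. Suggest one comment per field, e.g. `char *hash; /* MD5(text); malloc'd by nat_t_setup_hashes(), NULL before */` and `u_int32_t flags; /* EXCHANGE_FLAG_NAT_T_* set on the exchange when this VID is seen */`, with similar one-liners for `id`, `text` and `hashsize`. `VID_DRAFT_V2` is defined but not used by the table in nat_traversal.c as far as this patch shows, which deserves either a note or removal.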
@@ -347,8 +349,8 @@ } /* Ignore most private payloads. */ if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN && - next != ISAKMP_PAYLOAD_NAT_D && - next != ISAKMP_PAYLOAD_NAT_OA) { + next != ISAKMP_PAYLOAD_NAT_D_DRAFT && + next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) { LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: " "private next payload type %s in payload of " "type %d ignored", @@ -460,8 +462,10 @@ return ISAKMP_ATTRIBUTE_SZ; #if defined (USE_NAT_TRAVERSAL) case ISAKMP_PAYLOAD_NAT_D: + case ISAKMP_PAYLOAD_NAT_D_DRAFT: return ISAKMP_NAT_D_SZ; case ISAKMP_PAYLOAD_NAT_OA: + case ISAKMP_PAYLOAD_NAT_OA_DRAFT: return ISAKMP_NAT_OA_SZ; #endif /* Not yet supported and any other unknown payloads. */ --- isakmpd-20041012.orig/policy.c +++ isakmpd-20041012/policy.c @@ -511,7 +511,10 @@ break; } #if defined (USE_NAT_TRAVERSAL) - else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL) + else if (decode_16(value) == + IPSEC_ENCAP_UDP_ENCAP_TUNNEL || + decode_16(value) == + IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) switch (proto->proto) { case IPSEC_PROTO_IPSEC_AH: ah_encapsulation = "udp-encap-tunnel"; @@ -1932,7 +1935,7 @@ void policy_init(void) { - char *ptr, *policy_file; + char *ptr, *policy_file, *use_keynote; char **asserts; size_t sz, len; int fd, i; @@ -1940,10 +1943,11 @@ LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); /* Do we want to use the policy modules? */ - if (ignore_policy || - strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) - return; - + use_keynote = conf_get_str("General", "Use-Keynote"); + if (ignore_policy || + (use_keynote && strncmp("yes", use_keynote, 3))) + return; + /* Get policy file from configuration. */ policy_file = conf_get_str("General", "Policy-file"); if (!policy_file) --- isakmpd-20041012.orig/ipsec.c +++ isakmpd-20041012/ipsec.c 
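Review bot: The new guard in `policy_init` changes the default when `Use-Keynote` is absent from the configuration: `use_keynote && strncmp(...)` is false for a NULL `use_keynote`, so the function now continues into loading the policy file, whereas the old code passed NULL to `strncmp`. If the intended default is "policy not enabled", the condition should read `(!use_keynote || strncmp("yes", use_keynote, 3))`; if a missing key is meant to enable policy processing, a comment stating so would make the choice explicit. `strncmp("yes", use_keynote, 3)` also accepts any value that merely starts with "yes" — pre-existing, but worth tightening to `strcmp` now that the line is touched.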
@@ -1020,6 +1020,52 @@ } } +/* + * deal with a NOTIFY of INVALID_SPI + */ +static void +ipsec_invalid_spi (struct message *msg, struct payload *p) +{ + struct sockaddr *dst; + int invspisz, off; + u_int32_t spi; + u_int16_t totsiz; + u_int8_t spisz; + + /* Any notification that make us do something should be protected */ + if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH])) + { + LOG_DBG ((LOG_SA, 40, + "ipsec_invalid_spi: missing HASH payload in INVALID_SPI" + " notification")); + return; + } + + /* + * get the invalid spi out of the variable sized notification data + * field, which is after the variable sized SPI field [which specifies + * the receiving entity's phase-1 SPI, not the invalid spi] + */ + totsiz = GET_ISAKMP_GEN_LENGTH (p->p); + spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p); + off = ISAKMP_NOTIFY_SPI_OFF + spisz; + invspisz = totsiz - off; + + if (invspisz != sizeof spi) + { + LOG_DBG ((LOG_SA, 40, + "ipsec_invalid_spi: SPI size %d in INVALID_SPI " + "payload unsupported", spisz)); + return; + } + memcpy (&spi, p->p + off, sizeof spi); + + msg->transport->vtbl->get_dst (msg->transport, &dst); + + /* delete matching SPI's from this peer */ + ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI"); +} + static int ipsec_responder(struct message *msg) { @@ -1205,7 +1251,9 @@ return dv != IPSEC_ENCAP_TUNNEL && dv != IPSEC_ENCAP_TRANSPORT && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL - && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT; + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT + && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT + && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT; #else return dv < IPSEC_ENCAP_TUNNEL || dv > IPSEC_ENCAP_TRANSPORT; @@ -1837,7 +1885,7 @@ ipsec_get_id(char *section, int *id, struct sockaddr **addr, struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port) { - char *type, *address, *netmask; + char *type, *address, *netmask; type = conf_get_str(section, "ID-type"); if (!type) { 
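Review bot: The size-check diagnostic in `ipsec_invalid_spi` prints the wrong variable: the test is on `invspisz` (the notification data remaining after the SPI field) but the message reports `spisz`, the phase-1 SPI length, so an oddly sized INVALID_SPI would be logged with a misleading number; use `"ipsec_invalid_spi: notification data size %d in INVALID_SPI payload unsupported", invspisz`. `invspisz` is an `int` compared against `sizeof spi`, so a `totsiz` smaller than `off` goes negative and is rejected only because the comparison converts it to a huge unsigned value; `if (totsiz < off || (size_t)(totsiz - off) != sizeof spi)` states the intent directly. The HASH check tests only for the payload's presence; whether the informational exchange verified that hash before this handler runs is decided outside the hunk and is worth confirming, since the notification leads to SA deletion. Stylistically the new function uses GNU spacing (`ipsec_invalid_spi (…`, `if(!TAILQ_FIRST (…`, braces on their own lines) unlike `ipsec_responder(struct message *msg)` right below it.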
@@ -2128,9 +2176,10 @@
 {
 	struct ipsec_proto *iproto = proto->data;
 
-	if (proto->sa->phase == 2 && section)
-		iproto->replay_window = conf_get_num(section, "ReplayWindow",
-		    DEFAULT_REPLAY_WINDOW);
+	if (proto->sa->phase == 2)
+		iproto->replay_window = section ? conf_get_num(section,
+		    "ReplayWindow", DEFAULT_REPLAY_WINDOW) :
+		    DEFAULT_REPLAY_WINDOW;
 }
 
 /*
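Review bot: The conditional expression splits `conf_get_num(...)` across three lines with the `:` alternative trailing at the end, which is hard to scan; the same result reads more plainly as `iproto->replay_window = DEFAULT_REPLAY_WINDOW;` followed by `if (section) iproto->replay_window = conf_get_num(section, "ReplayWindow", DEFAULT_REPLAY_WINDOW);` inside the phase-2 check. Behaviour is the same either way: a phase-2 proto without a section now gets the default explicitly instead of not being assigned here, which the hunk makes clear.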