68 files changed, 0 insertions, 13495 deletions
diff --git a/sbin/photurisd/Makefile b/sbin/photurisd/Makefile
deleted file mode 100644
index b5cf1712878..00000000000
--- a/sbin/photurisd/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 2001/01/28 22:45:05 niklas Exp $
-
-PROG= photurisd
-LDADD= -lcrypto -ldes
-DPADD= ${LIBCRYPTO} ${LIBDES}
-SRCS= photuris_cookie_request.c photuris_cookie_response.c \
- photuris_value_request.c photuris_value_response.c \
- photuris_identity_request.c photuris_identity_response.c \
- photuris_spi_needed.c photuris_spi_update.c photuris_error_message.c \
- photuris_packet_encrypt.c \
- handle_cookie_request.c handle_value_request.c \
- handle_cookie_response.c handle_value_response.c \
- handle_identity_request.c handle_identity_response.c \
- handle_spi_needed.c handle_spi_update.c\
- handle_bad_cookie.c handle_resource_limit.c \
- handle_verification_failure.c handle_message_reject.c \
- log.c config.c scheme.c schedule.c server.c \
- buffer.c compute_secrets.c cookie.c exchange.c identity.c \
- modulus.c spi.c state.c validity.c attributes.c \
- photurisd.c packet.c api.c kernel.c
-
-CFLAGS+= -I. -DIPSEC
-MAN= photurisd.8
-
-.include <bsd.prog.mk>
diff --git a/sbin/photurisd/README b/sbin/photurisd/README
deleted file mode 100644
index b831f5786f7..00000000000
--- a/sbin/photurisd/README
+++ /dev/null
@@ -1,18 +0,0 @@
-This is an implementation of the Photuris keymanagement protocol
-according to the drafts:
- draft-simpson-photuris-18.txt
- draft-simpson-photuris-schemes-04.txt
-
-For quick installation instructions read INSTALL, or otherwise
-README.howtouse for more complete information.
-
-At the moment only the PF_ENCAP kernel interface for John Ioannidis'
-and Angelos D. Keromytis' IPsec as to be found in OpenBSD is supported.
-It should be fairly easy to adapt the daemon to other implementations,
-just look at the sections found by 'grep IPSEC *.c'
-
-I am grateful for the help provided by Angelos D. Keromytis
-and Theo de Raadt.
-
-This software was written in Germany May 1997 by Niels Provos.
-Any questions are welcome at provos@physnet.uni-hamburg.de
diff --git a/sbin/photurisd/README.howtouse b/sbin/photurisd/README.howtouse
deleted file mode 100644
index a1045acf10d..00000000000
--- a/sbin/photurisd/README.howtouse
+++ /dev/null
@@ -1,76 +0,0 @@
-
- How to use Photuris with IPsec ?
-
-What is IPsec ?
-
- IP Security is a framework providing authentication/integrity and
- privacy to network traffic. Authenticated data can not be modified by
- third parties and encryption conceals the content of packets.
-
-What has Photuris to do with IPsec ?
-
- In order to transmit encrypted or authenticated data between two
- hosts, those two hosts have to agree on session keys which are used
- as input for the encryption and authentication functions.
-
- The Photuris protocol exchanges keys in such a way that no
- eavesdropper will have knowledge of the session keys. It also allows
- for frequent changes of the session keys, forward secrecy and party
- privacy protection.
-
-How to get it working ?
-
- Compiling the daemon
-
- Get the Photuris sources and also the following libraries:
- gmp-2.0.2 and libdes-4.01. Put those libraries in one dir and if
- you like you can do the following steps afterwards:
-
-1. tar -xvzf Photuris-src.tar.gz
-2. tar -xvzf gmp-2.0.2.tar.gz; cd gmp-2.0.2; ./configure; make
-3. mkdir des; cd des; tar -xvzf ../libdes-4.01.tar.gz; make
-4. cd Photuris
-5. make (edit the Makefile and remove -DDEBUG, if you dont want to see what
- happens, or remove -DIPSEC if you dont want to actually setup encrypted
- and authenticated connections within the kernel)
-6. start ./photurid on two hosts.
-7. ./startkey dst=host1 (for example ./startkey dst=134.100.33.22)
-
- If you compiled the photuris daemon with -DDEBUG you should see an
- exchange of values now and finally the shared secret from which the
- session keys are derived.
-
- If you compiled the photuris daemon with -DIPSEC and also have a kernel
- with IPsec compiled into it, you could start for example
-
-8. tcpdump proto 51 &
-9. telnet host1
-
- and see the authenticated packets flowing between the two hosts. Look
- at the output of
-
-10. cat /kern/ipsec
-11. netstat -rn
-
- will show you some information also.
-
- Enabling IPsec in the OpenBSD kernel
-
- Add the following two lines into your kernel config file:
-config IPSEC
-pseudo-device enc 1
-
- Possible configuration
-
- There are three files which can be configured locally.
- * photuris.conf - contains the moduli for the Diffie-Hellmann
- Keyexchange, the offered schemes and various timeouts.
- * attributes.conf - the attributes which are offered to different
- parties
- * secrets.conf - the preconfigured symmetric secrets which should
- hopefully soon be replaced by public keys.
-
- _________________________________________________________________
-
- If you have any questions write mail to
- provos@physnet.uni-hamburg.de
diff --git a/sbin/photurisd/api.c b/sbin/photurisd/api.c
deleted file mode 100644
index 40ac12fa7be..00000000000
--- a/sbin/photurisd/api.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/* $OpenBSD: api.c,v 1.7 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Parts derived from code by Angelos D. Keromytis, kermit@forthnet.gr
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * This is an experimental implementation of the Photuris Session Key Management
- * Protocol, as of draft-ietf-ipsec-photuris-06.txt.
- *
- * The usual disclaimers/non-guarantees etc. etc. apply.
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: api.c,v 1.7 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _API_C_
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <sys/time.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include "state.h"
-#include "photuris.h"
-#include "config.h"
-#include "api.h"
-#include "log.h"
-#include "buffer.h"
-#include "schedule.h"
-#include "server.h"
-#include "packet.h"
-
-int
-start_exchange(int sd, struct stateob *st, char *address, int port)
-{
- struct sockaddr_in sin;
-
- /* Now fill it in */
- strncpy(st->address, address, 15);
- st->address[15] = '\0';
- st->port = port;
- st->initiator = 1;
-
-
- /* Determine sender address before we invalidate buffer */
- sin.sin_addr.s_addr = inet_addr(st->address);
- sin.sin_port = htons(st->port);
- sin.sin_family = AF_INET;
-
- packet_size = PACKET_BUFFER_SIZE;
- if (photuris_cookie_request(st, packet_buffer, &packet_size) == -1) {
- log_print("photuris_cookie_request() in start_exchange() "
- "for %s:%d", st->address, st->port);
- return -1;
- }
-
- /* Save the packets for later retransmits */
- packet_save(st, packet_buffer, packet_size);
-
- if (sendto(sd, packet_buffer, packet_size, 0,
- (struct sockaddr *) &sin, sizeof(sin)) != packet_size) {
- /* XXX Code to notify kernel of failure */
- log_error("sendto() in start_exchange() for %s:%d",
- st->address, st->port);
- return -1;
- }
-
- schedule_insert(TIMEOUT, retrans_timeout, st->icookie, COOKIE_SIZE);
-
- return 0;
-}
diff --git a/sbin/photurisd/api.h b/sbin/photurisd/api.h
deleted file mode 100644
index 50a30566580..00000000000
--- a/sbin/photurisd/api.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $OpenBSD: api.h,v 1.3 2001/01/28 22:45:06 niklas Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * This code is originally from Angelos D. Keromytis, kermit@forthnet.gr
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _API_H_
-#define _API_H_
-
-#undef EXTERN
-#ifdef _API_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-EXTERN void process_api(int, int);
-EXTERN int start_exchange(int sd, struct stateob *st, char *address, int port);
-
-#endif /* _API_H_ */
diff --git a/sbin/photurisd/attributes.c b/sbin/photurisd/attributes.c
deleted file mode 100644
index 1a59b9ab4a1..00000000000
--- a/sbin/photurisd/attributes.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/* $OpenBSD: attributes.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * attributes.c:
- * functions for handling attributess
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: attributes.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _ATTRIBUTES_C_
-
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include "config.h"
-#include "attributes.h"
-
-static attribute_list *attribob = NULL;
-static attrib_t *attribhash[ATTRIBHASHMOD];
-
-/* Put or get attribute properties from the hashtable */
-
-void
-putattrib(attrib_t *attrib)
-{
- int hashval = attrib->id % ATTRIBHASHMOD;
- attrib->next = attribhash[hashval];
- attribhash[hashval] = attrib;
-}
-
-attrib_t *
-getattrib(u_int8_t id)
-{
- u_int8_t hashval = id % ATTRIBHASHMOD;
- attrib_t *attrib;
-
- for(attrib=attribhash[hashval]; attrib; attrib = attrib->next)
- if (attrib->id == id)
- break;
-
- return attrib;
-}
-
-void
-clearattrib(void)
-{
- int i;
- attrib_t *attrib;
-
- for (i=0; i<ATTRIBHASHMOD; i++)
- while ((attrib=attribhash[i]) != NULL) {
- attribhash[i] = attrib->next;
- free(attrib);
- }
-}
-
-int
-isinattrib(u_int8_t *attributes, u_int16_t attribsize, u_int8_t attribute)
-{
- while(attribsize>0) {
- if(*attributes==attribute)
- return 1;
- if(attribsize - (*(attributes+1)+2) > attribsize)
- return 0;
-
- attribsize -= *(attributes+1)+2;
- attributes += *(attributes+1)+2;
- }
- return 0;
-}
-
-void
-get_attrib_section(u_int8_t *set, u_int16_t setsize,
- u_int8_t **subset, u_int16_t *subsetsize,
- u_int8_t section)
-{
- int i = 0;
- u_int8_t *tset;
- u_int16_t tsetsize;
-
- while (i < setsize) {
- if (set[i] == section)
- break;
- i += set[i+1] + 2;
- }
-
- if ((i >= setsize) || (i+set[i+1] + 2 > setsize)) {
- *subset = NULL;
- *subsetsize = 0;
- return;
- }
-
- tset = *subset = set+i+set[i+1]+2;
- tsetsize = *subsetsize = setsize - i - set[i+1] - 2;
-
- i = 0;
- while (i < tsetsize) {
- if (tset[i] == AT_ESP_ATTRIB || tset[i] == AT_AH_ATTRIB) {
- *subsetsize = i;
- return;
- }
- i += tset[i+1]+2;
- }
-}
-
-
-int
-isattribsubset(u_int8_t *set, u_int16_t setsize,
- u_int8_t *subset, u_int16_t subsetsize)
-{
- while(subsetsize>0) {
- if (!isinattrib(set, setsize, *subset))
- return 0;
- if (subsetsize - (*(subset+1)+2) > subsetsize)
- return 0;
- subsetsize -= *(subset+1)+2;
- subset += *(subset+1)+2;
- }
- return 1;
-}
-
-int
-attrib_insert(attribute_list *ob)
-{
- attribute_list *tmp;
-
- ob->next = NULL;
-
- if(attribob == NULL) {
- attribob = ob;
- return 1;
- }
-
- tmp=attribob;
- while(tmp->next!=NULL)
- tmp = tmp->next;
-
- tmp->next = ob;
- return 1;
-}
-
-int
-attrib_unlink(attribute_list *ob)
-{
- attribute_list *tmp;
- if(attribob == ob) {
- attribob = ob->next;
- free(ob);
- return 1;
- }
-
- for(tmp=attribob; tmp!=NULL; tmp=tmp->next) {
- if(tmp->next==ob) {
- tmp->next=ob->next;
- free(ob);
- return 1;
- }
- }
- return 0;
-}
-
-attribute_list *
-attrib_new(void)
-{
- attribute_list *p;
-
- if((p = calloc(1, sizeof(attribute_list)))==NULL)
- return NULL;
-
- return p;
-}
-
-int
-attrib_value_reset(attribute_list *ob)
-{
- if (ob->address != NULL)
- free(ob->address);
- if (ob->attributes != NULL)
- free(ob->attributes);
-
- bzero(ob, sizeof(attribute_list));
- return 1;
-}
-
-/*
- * find the attributes to the address or 0 address.
- * if passed a null pointer as first argument we return our default
- * list.
- */
-
-attribute_list *
-attrib_find(char *address)
-{
- attribute_list *tmp = attribob;
- attribute_list *null = NULL;
- while(tmp!=NULL) {
- if (tmp->address == NULL) {
- null = tmp;
- if (address == NULL)
- break;
- }
- else if (address != NULL &&
- (tmp->netmask & inet_addr(address)) ==
- inet_addr(tmp->address))
- return tmp;
-
- tmp = tmp->next;
- }
- return null;
-}
-
-void
-attrib_cleanup()
-{
- attribute_list *p;
- attribute_list *tmp = attribob;
- while(tmp!=NULL) {
- p = tmp;
- tmp = tmp->next;
- attrib_value_reset(p);
- free(p);
- }
- attribob = NULL;
-}
-
diff --git a/sbin/photurisd/attributes.h b/sbin/photurisd/attributes.h
deleted file mode 100644
index 51d82821262..00000000000
--- a/sbin/photurisd/attributes.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/* $OpenBSD: attributes.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * attributes.h:
- * attributes for a security association
- */
-
-#ifndef _ATTRIBUTES_H_
-#define _ATTRIBUTES_H_
-
-#undef EXTERN
-#ifdef _ATTRIBUTES_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-#define AT_ID 1
-#define AT_ENC 2
-#define AT_AUTH 4
-
-#define AT_PAD 0
-#define AT_AH_ATTRIB 1
-#define AT_ESP_ATTRIB 2
-#define AT_HMAC 254
-
-/* XXX - Only for the moment */
-#define DH_G_2_MD5 2
-#define DH_G_3_MD5 3
-#define DH_G_2_DES_MD5 4
-#define DH_G_5_MD5 5
-#define DH_G_3_DES_MD5 6
-#define DH_G_VAR_MD5 7
-#define DH_G_2_3DES_SHA1 8
-#define DH_G_5_DES_MD5 10
-#define DH_G_3_3DES_SHA1 12
-#define DH_G_VAR_DES_MD5 14
-#define DH_G_5_3DES_SHA1 20
-#define DH_G_VAR_3DES_SHA1 28
-
-typedef struct _attribute_list {
- struct _attribute_list *next;
- char *address;
- in_addr_t netmask;
- u_int8_t *attributes;
- u_int16_t attribsize;
-} attribute_list;
-
-typedef struct _attrib_t {
- struct _attrib_t *next;
- u_int16_t id; /* Photuris Attribute ID */
- int type; /* Type of attribute: ident, enc, auth */
- int klen; /* required key length */
-} attrib_t;
-
-#define ATTRIBHASHMOD 17
-
-EXTERN void putattrib(attrib_t *attrib);
-EXTERN attrib_t *getattrib(u_int8_t id);
-EXTERN void clearattrib(void);
-
-EXTERN void get_attrib_section(u_int8_t *, u_int16_t, u_int8_t **, u_int16_t *,
- u_int8_t);
-
-EXTERN int isinattrib(u_int8_t *attributes, u_int16_t attribsize,
- u_int8_t attribute);
-EXTERN int isattribsubset(u_int8_t *set, u_int16_t setsize,
- u_int8_t *subset, u_int16_t subsetsize);
-EXTERN attribute_list *attrib_new(void);
-EXTERN int attrib_insert(attribute_list *);
-EXTERN int attrib_unlink(attribute_list *);
-EXTERN int attrib_value_reset(attribute_list *);
-EXTERN attribute_list *attrib_find(char *);
-EXTERN void attrib_cleanup(void);
-
-#endif /* ATTRIBUTES_H */
diff --git a/sbin/photurisd/buffer.c b/sbin/photurisd/buffer.c
deleted file mode 100644
index 164316123dc..00000000000
--- a/sbin/photurisd/buffer.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $OpenBSD: buffer.c,v 1.3 2001/01/28 22:45:06 niklas Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * buffer.c:
- * buffer variables.
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: buffer.c,v 1.3 2001/01/28 22:45:06 niklas Exp $";
-#endif
-
-#include <sys/types.h>
-
-#define _BUFFER_C
-#include "buffer.h"
-
-int packet_size;
-u_char buffer[BUFFER_SIZE];
-u_char packet_buffer[PACKET_BUFFER_SIZE];
diff --git a/sbin/photurisd/buffer.h b/sbin/photurisd/buffer.h
deleted file mode 100644
index c780ca85022..00000000000
--- a/sbin/photurisd/buffer.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $OpenBSD: buffer.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * buffer.h:
- * variables with buffers.
- */
-
-#ifndef _BUFFER_H_
-#define _BUFFER_H_
-
-#define PACKET_BUFFER_SIZE 8192
-#define BUFFER_SIZE 8192
-
-#ifndef _BUFFER_C
-extern u_char buffer[];
-extern u_char packet_buffer[];
-extern int packet_size;
-#endif
-
-#endif /* _BUFFER_H */
diff --git a/sbin/photurisd/compute_secrets.c b/sbin/photurisd/compute_secrets.c
deleted file mode 100644
index 23cc60e15b4..00000000000
--- a/sbin/photurisd/compute_secrets.c
+++ /dev/null
@@ -1,435 +0,0 @@ -/* $OpenBSD: compute_secrets.c,v 1.7 2002/12/06 02:17:42 deraadt Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * compute_secrets.c: - * shared secret with diffie-hellman key exchange - * cryptographic hashes for session keys - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: compute_secrets.c,v 1.7 2002/12/06 02:17:42 deraadt Exp $"; -#endif - -#define _SECRETS_C_ - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ssl/bn.h> -#include <md5.h> -#include "state.h" -#include <sha1.h> -#include "config.h" -#include "identity.h" -#include "attributes.h" -#include "modulus.h" -#include "secrets.h" -#include "buffer.h" -#include "spi.h" -#include "exchange.h" -#include "scheme.h" -#include "log.h" - -int privacykey(struct stateob *st, struct idxform *hash, u_int8_t *key, - u_int8_t *packet, u_int16_t bytes, u_int16_t *order, int owner); - -int -compute_shared_secret(struct stateob *st, - u_int8_t **shared, size_t *sharedsize) -{ - struct moduli_cache *mod; - int header, res; - BIGNUM *tmp, *tex; - BN_CTX *ctx; - - if ((mod = mod_find_modgen(st->modulus, st->generator)) == NULL) { - log_print("Can't find exchange information in cache in compute_shared_secret()"); - return (-1); - } - - /* Compute Diffie-Hellmann a^(xy) (mod n) */ - tex = BN_new(); - BN_varpre2bn(st->texchange, st->texchangesize, tex); - - tmp = BN_new(); - ctx = BN_CTX_new(); - BN_mod_exp(tmp, tex, mod->private_value, mod->modulus, ctx); - BN_CTX_free(ctx); - - BN_clear_free(tex); - - *sharedsize = BUFFER_SIZE; - res = BN_bn2varpre(tmp, buffer, sharedsize); - BN_clear_free(tmp); - - if (res == -1) - return -1; - - /* The shared secret is not used with the size part */ - if (buffer[0] == 255) - header = 4; - else - header = 2; - - *sharedsize -= header; - - if ((*shared = calloc(*sharedsize,sizeof(u_int8_t))) == NULL) { - log_print("Not enough memory for shared secret in compute_shared_secret()"); - return (-1); - } - bcopy(buffer + header, *shared, *sharedsize); - - return (0); -} 
- -/* - * Generate session keys for all attributes in given SPI. - */ - -int -make_session_keys(struct stateob *st, struct spiob *spi) -{ - u_int8_t *p, *attributes, **secret; - u_int16_t attribsize, *secretsize; - u_int16_t i, count = 0; - int bits; - - attributes = spi->attributes; - attribsize = spi->attribsize; - secret = &(spi->sessionkey); - secretsize = &(spi->sessionkeysize); - - if (*secret != NULL) - return 0; /* Already calculated */ - - p = attributes; - for (i = 0; i<attribsize; i += p[i+1] + 2) { - if (p[i] != AT_AH_ATTRIB && p[i] != AT_ESP_ATTRIB) { - bits = get_session_key_length(p+i); - if (bits == -1) { - log_print("Invalid attribute choice for SPI in make_session_keys()"); - return -1; - } - count += bits & 7 ? (bits >> 3) + 1 : bits >> 3; - } - } - if ((*secret = calloc(count, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in make_session_keys()"); - return -1; - } - *secretsize = count; - - count = 0; - p = *secret; - for (i = 0; i<attribsize; i += attributes[i+1] + 2) { - if (attributes[i] != AT_AH_ATTRIB && - attributes[i] != AT_ESP_ATTRIB) { - bits = compute_session_key(st, p, attributes+i, - spi->flags & SPI_OWNER, - &count); - if (bits == -1) - return -1; - if (bits > 0) { -#ifdef DEBUG - { - int d = BUFFER_SIZE; - printf("%s session key for AT %d: ", - spi->flags & SPI_OWNER ? - "Owner" : "User", (int)attributes[i]); - bin2hex(buffer, &d, p, - bits & 7 ? (bits >> 3) + 1 : bits >> 3); - printf("0x%s\n", buffer); - } -#endif /* DEBUG */ - - p += bits & 7 ? (bits >> 3) + 1 : bits >> 3; - } - } - } - - return 0; -} - -/* - * Return length of requried session key in bits. - * DES would be 64 bits. - */ - -int -get_session_key_length(u_int8_t *attribute) -{ - attrib_t *ob; - - if ((ob = getattrib(*attribute)) == NULL) { - log_print("Unknown attribute %d in get_session_key_length()", - *attribute); - return -1; - } - - return ob->klen << 3; -} - -/* - * Compute session keys for the attributes in the security association. 
- * owner determines the direction of the spi session key. - * order is the amount of bits we already used for other session keys. - */ - -int -compute_session_key(struct stateob *st, u_int8_t *key, - u_int8_t *attribute, int owner, - u_int16_t *order) -{ - struct idxform *hash; - u_int16_t size, i, n; - u_int8_t digest[HASH_MAX]; - int bits; - - switch(ntohs(*((u_int16_t *)st->scheme))) { - case DH_G_2_MD5: - case DH_G_3_MD5: - case DH_G_2_DES_MD5: - case DH_G_5_MD5: - case DH_G_3_DES_MD5: - case DH_G_5_DES_MD5: - case DH_G_VAR_MD5: - case DH_G_VAR_DES_MD5: - hash = get_hash(HASH_MD5); - break; - case DH_G_2_3DES_SHA1: - case DH_G_3_3DES_SHA1: - case DH_G_5_3DES_SHA1: - case DH_G_VAR_3DES_SHA1: - hash = get_hash(HASH_SHA1); - break; - default: - log_print("Unknown scheme %d in compute_session_key()", - ntohs(*((u_int16_t *)st->scheme))); - return -1; - } - - - if ((bits = get_session_key_length(attribute)) == -1) - return -1; - if (bits == 0) - return 0; - - size = bits >> 3; - if(bits & 0x7) - size++; - - /* As many shared secrets we used already */ - n = *order; - - hash->Init(hash->ctx); - hash->Update(hash->ctx, st->icookie, COOKIE_SIZE); - hash->Update(hash->ctx, st->rcookie, COOKIE_SIZE); - if(owner) { /* Session key for Owner SPI */ - hash->Update(hash->ctx,st->oSPIsecret,st->oSPIsecretsize); - hash->Update(hash->ctx,st->uSPIsecret,st->uSPIsecretsize); - } else { /* Session key for User SPI */ - hash->Update(hash->ctx,st->uSPIsecret,st->uSPIsecretsize); - hash->Update(hash->ctx,st->oSPIsecret,st->oSPIsecretsize); - } - - /* Message Verification field */ - hash->Update(hash->ctx, st->verification, st->versize); - - for (i=0; i<n; i++) - hash->Update(hash->ctx, st->shared, st->sharedsize); - - do { - bcopy(hash->ctx, hash->ctx2, hash->ctxsize); - hash->Update(hash->ctx2,st->shared, st->sharedsize); - bcopy(hash->ctx2, hash->ctx, hash->ctxsize); - - hash->Final(digest, hash->ctx2); - /* One iteration more */ - n++; - - bcopy(digest, key, size>hash->hashsize ? 
hash->hashsize : size);
- key += size>hash->hashsize ? hash->hashsize : size;
-
- /* Unsigned integer arithmetic */
- size -= size>hash->hashsize ? hash->hashsize : size;
- } while(size > 0);
-
- *order = n;
-
- return bits;
-}
-
-/*
- * Initializes the hash contexts for privacy key computation.
- */
-
-int
-init_privacy_key(struct stateob *st, int owner)
-{
- void **ctx;
- struct idxform *hash;
- u_int8_t *first, *second;
- u_int16_t firstsize, secondsize;
-
- if (owner) {
- ctx = &st->oSPIprivacyctx;
- first = st->exchangevalue;
- firstsize = st->exchangesize;
- second = st->texchange;
- secondsize = st->texchangesize;
- } else {
- ctx = &st->uSPIprivacyctx;
- first = st->texchange;
- firstsize = st->texchangesize;
- second = st->exchangevalue;
- secondsize = st->exchangesize;
- }
-
- switch(ntohs(*((u_int16_t *)st->scheme))) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_5_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_5_DES_MD5:
- hash = get_hash(HASH_MD5);
- break;
- case DH_G_2_3DES_SHA1:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- hash = get_hash(HASH_SHA1);
- break;
- default:
- log_print("Unknown exchange scheme in init_privacy_key()");
- return -1;
- }
-
- if (hash == NULL)
- return -1;
-
- if (*ctx != NULL)
- free(*ctx);
-
- if ((*ctx = calloc(hash->ctxsize, sizeof(char))) == NULL) {
- log_error("calloc() in init_privacy_key()");
- return -1;
- }
- hash->Init(*ctx);
- hash->Update(*ctx, first, firstsize);
- hash->Update(*ctx, second, secondsize);
- return 1;
-}
-
-/*
- * order gives the number of iterations already done for keys
- */
-
-int
-compute_privacy_key(struct stateob *st, u_int8_t *key, u_int8_t *packet,
- u_int16_t bits, u_int16_t *order, int owner)
-{
- u_int16_t size;
- struct idxform *hash;
-
- size = bits >> 3;
- if(bits & 0x7)
- size++;
-
- switch(ntohs(*((u_int16_t *)st->scheme))) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_5_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_5_DES_MD5:
-
hash = get_hash(HASH_MD5);
- break;
- case DH_G_2_3DES_SHA1:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- hash = get_hash(HASH_SHA1);
- break;
- default:
- log_print("Unknown exchange scheme in compute_privacy_key()");
- return -1;
- }
-
- if (hash == NULL)
- return -1;
-
- return privacykey(st, hash, key, packet, size, order, owner);
-}
-
-
-int
-privacykey(struct stateob *st, struct idxform *hash,
- u_int8_t *key, u_int8_t *packet,
- u_int16_t bytes, u_int16_t *order, int owner)
-{
- u_int16_t i, n;
- u_int8_t digest[HASH_MAX];
-
- /* SPIprivacyctx contains the hashed exchangevalues */
- bcopy(owner ? st->oSPIprivacyctx : st->uSPIprivacyctx,
- hash->ctx2, hash->ctxsize);
-
- hash->Update(hash->ctx2, packet, 2*COOKIE_SIZE + 4 + SPI_SIZE);
-
- /* As many shared secrets we used already */
- n = *order;
- for(i=0; i<n; i++)
- hash->Update(hash->ctx2, st->shared, st->sharedsize);
-
- do {
- bcopy(hash->ctx2, hash->ctx, hash->ctxsize);
- hash->Update(hash->ctx, st->shared, st->sharedsize);
- bcopy(hash->ctx, hash->ctx2, hash->ctxsize);
-
- hash->Final(digest, hash->ctx);
- bcopy(digest, key, bytes>hash->hashsize ? hash->hashsize : bytes);
- key += bytes>hash->hashsize ? hash->hashsize : bytes;
-
- /* Unsigned integer arithmetic */
- bytes -= bytes>hash->hashsize ? hash->hashsize : bytes;
-
- /* Increment the times we called Final */
- i++;
- } while(bytes > 0);
-
- *order = i;
- return 0;
-}
-
diff --git a/sbin/photurisd/config.c b/sbin/photurisd/config.c
deleted file mode 100644
index 9bc292d5378..00000000000
--- a/sbin/photurisd/config.c
+++ /dev/null
@@ -1,1178 +0,0 @@
-/* $OpenBSD: config.c,v 1.10 2002/12/06 02:17:42 deraadt Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * config.c:
- * config handling functions
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: config.c,v 1.10 2002/12/06 02:17:42 deraadt Exp $";
-#endif
-
-#define _CONFIG_C_
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <string.h>
-#include <signal.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <time.h>
-#include <pwd.h>
-#include <ssl/bn.h>
-#if defined(_AIX) || defined(NEED_STRSEP)
-#include "strsep.h"
-#endif
-#include "config.h"
-#include "photuris.h"
-#include "modulus.h"
-#include "exchange.h"
-#include "attributes.h"
-#include "buffer.h"
-#include "state.h"
-#include "identity.h"
-#include "spi.h"
-#include "server.h"
-#include "log.h"
-#include "buffer.h"
-#include "scheme.h"
-#include "api.h"
-#ifdef IPSEC
-#include "kernel.h"
-#endif
-
-
-static FILE *config_fp;
-static struct cfgx *cfgxroot;
-
-static void
-open_config_file(char *file)
-{
- char *p;
-
- if (file != NULL)
- p = file;
- else
- p = config_file;
-
- if (p == NULL)
- log_fatal("no file in open_config_file()");
-
- config_fp = fopen(p, "r");
- if (config_fp == (FILE *) NULL)
- log_fatal("can't open file %s in open_config_file()", p);
-}
-
-static void
-close_config_file(void)
-{
- fclose(config_fp);
-}
-
-static char *
-config_get(char *token)
-{
- char *p;
- while(fgets(buffer, BUFFER_SIZE, config_fp)) {
- p = buffer;
- chomp(p);
- while(isspace(*p))
- p++;
- while(isspace(p[strlen(p)-1]))
- p[strlen(p)-1] = '\0';
-
- if (*p == '#')
- continue;
-
- if (!strncmp(p, token, strlen(token)))
- return p;
-
- }
-
- return NULL;
-}
-
-int
-cfgx_insert(char *name, int id)
-{
- struct cfgx *ob;
-
- if ((ob = malloc(sizeof(struct cfgx))) == NULL)
- return -1;
-
- ob->name = strdup(name);
- ob->id = id;
-
- ob->next = cfgxroot;
- cfgxroot = ob;
-
- return 0;
-}
-
-struct cfgx *
-cfgx_get(char *name)
-{
- struct cfgx *ob;
-
- for(ob = cfgxroot; ob; ob = ob->next)
- if (ob->name &&
!strcmp(name, ob->name)) - break; - - return ob; -} - -void -cfgx_clear(void) -{ - struct cfgx *ob; - while(cfgxroot) { - ob = cfgxroot; - cfgxroot = cfgxroot->next; - free(ob); - } -} - -/* - * Parses the type of an attribute: ident|enc|auth. - */ - -int -parse_type(char *line) -{ - - int type = 0; - while (*line) { - if (!strncmp(line, "ident", 5)) { - type |= AT_ID; - line += 5; - } else if (!strncmp(line, "enc", 3)) { - type |= AT_ENC; - line += 3; - } else if (!strncmp(line, "auth", 4)) { - type |= AT_AUTH; - line += 4; - } else - return -1; - while (isspace(*line)) - line++; - if (*line && *line++ != '|') - return -1; - } - - return type; -} - -int -init_attributes(void) -{ - char *p, *p2; - attribute_list *ob = NULL; - struct in_addr in; - int i, def_flag = 0; - char attrib[257]; - struct cfgx *cfgattrib = NULL; - u_int8_t *newbuf; - -#ifdef DEBUG - printf("[Setting up attributes]\n"); -#endif - - /* Set up attribute delimeter */ - cfgx_insert("AT_AH_ATTRIB", AT_AH_ATTRIB); - cfgx_insert("AT_ESP_ATTRIB", AT_ESP_ATTRIB); - - open_config_file(attrib_file); - while((p2 = config_get("")) != NULL) { - p = strsep(&p2, " "); - if (p == NULL) - continue; - - if (p2 == NULL || inet_addr(p) == -1 || - inet_network(p2) == -1) { /* Attributes follow now */ - - cfgattrib = cfgx_get(p); - if (cfgattrib == NULL && strchr(p, ',') != NULL) { - char *name, *p3, *p4; - attrib_t tmpatt, *ob; - - p4 = p; - - if (p2 != NULL) - p4[strlen(p4)] = ' '; - - name = strsep(&p4, ","); - while (isspace(*name)) - name++; - i = strlen(name) - 1; - while (isspace(name[i]) && i > 0) - name[i--] = 0; - - if ((p2 = strsep(&p4, ",")) == NULL || - (p3 = strsep(&p4, ",")) == NULL) { - log_print("Mal formated attribute definition for %s in init_attributess()", name); - continue; - } - - if ((tmpatt.id = atoi(p2)) <= 0) { - log_print("Bad id %s for %s in init_attributes()", p2, name); - continue; - } - - if ((tmpatt.klen = atoi(p4)) < 0) { - log_print("Bad key length %s for %s in init_attributes()", 
p4, name); - continue; - } - - while (isspace(*p3)) - p3++; - i = strlen(p3) - 1; - while (isspace(p3[i]) && i > 0) - p3[i--] = 0; - - if ((tmpatt.type = parse_type(p3)) == -1) { - log_print("Unknown attribute type %s for %s in init_attributes()", p3, name); - continue; - } - -#ifdef IPSEC - if ((tmpatt.type & ~AT_ID) && - kernel_known_transform(tmpatt.id) == -1) { - log_print("Attribute %s not supported by kernel in init_attributes()", name); - continue; - } -#endif - - if ((ob = calloc(1, sizeof(attrib_t))) == NULL) - log_fatal("calloc() in init_attributes()"); - - *ob = tmpatt; - putattrib(ob); - cfgx_insert(name, ob->id); - cfgattrib = cfgx_get(name); -#ifdef DEBUG - printf("New attribute: %s, id: %d, type: %d, klen: %d\n", name, ob->id, ob->type, ob->klen); -#endif - } - - if (cfgattrib == NULL) { - log_print("Unknown attribute %s in init_attributes()", - p); - continue; - } - - if (ob == NULL && (ob = attrib_new()) == NULL) - log_fatal("attribute_new() in init_attributes()"); - else - def_flag = 1; - - attrib[0] = cfgattrib->id; - attrib[1] = 0; - - /* Copy attributes in object */ - newbuf = realloc(ob->attributes, - ob->attribsize + attrib[1] +2); - if (newbuf == NULL) { - if (ob->attributes != NULL) - free (ob->attributes); - log_fatal("realloc() in init_attributes()"); - } - ob->attributes = newbuf; - - bcopy(attrib, ob->attributes + ob->attribsize, attrib[1] + 2); - ob->attribsize += attrib[1] + 2; - - } else { -#ifdef DEBUG - printf("Reading attributes for %s / %s\n", - p, p2); -#endif - /* Insert previous attribute */ - if (ob != NULL) { - attrib_insert(ob); - if (ob->address == NULL) - def_flag = 1; - } - - /* Get a new attribute object */ - if ((ob = attrib_new()) == NULL) - log_fatal("attribute_new() in init_attributes()"); - - ob->netmask = inet_addr(p2); - in.s_addr = inet_addr(p) & ob->netmask; - if ((ob->address = calloc(strlen(inet_ntoa(in))+1, - sizeof(char))) == NULL) - log_fatal("calloc() in init_attributes()"); - strcpy(ob->address, 
inet_ntoa(in)); - } - } - if (ob != NULL) - attrib_insert(ob); - close_config_file(); - - if (!def_flag) - log_fatal("No default attribute list in init_attributes()"); - - cfgx_clear(); - return 1; -} - -int -init_schemes(void) -{ - struct moduli_cache *tmp; - BIGNUM *generator; - size_t scheme_bits; - u_int8_t *newbuf; - - char *p, *p2; - size_t size; - int gen_flag = 0; - -#ifdef DEBUG - printf("[Setting up exchange schemes]\n"); -#endif - - open_config_file(NULL); - - generator = BN_new(); - - while ((p = config_get(CONFIG_EXCHANGE)) != NULL) { - p2 = p + strlen(CONFIG_EXCHANGE); - if (!isspace(*p2)) - continue; - while(isspace(*p2)) - p2++; - - /* Get exchange Scheme */ - if (!strncmp(p2, "DH_G_2_MD5", 10)) { - p = p2 + 11; - BN_set_word(generator, 2); - *(u_int16_t *)buffer = htons(DH_G_2_MD5); - } else if (!strncmp(p2, "DH_G_2_DES_MD5", 14)) { - p = p2 + 15; - BN_set_word(generator, 2); - *(u_int16_t *)buffer = htons(DH_G_2_DES_MD5); - } else if (!strncmp(p2, "DH_G_2_3DES_SHA1", 16)) { - p = p2 + 17; - BN_set_word(generator, 2); - *(u_int16_t *)buffer = htons(DH_G_2_3DES_SHA1); - } else { - log_print("Unknown scheme %s in init_schemes()", p2); - continue; - } - - /* Base schemes need a modulus */ - if ((scheme_bits = strtol(p, NULL, 10)) == 0 && - ntohs(*(u_int16_t *)buffer) == scheme_get_ref(buffer) ) { - log_print("No bits in scheme %s in init_schemes()", p2); - continue; - } - - if (scheme_bits != 0) { - if ((tmp = mod_find_generator(generator)) == NULL) - continue; - - while (tmp != NULL) { - if (BN_num_bits(tmp->modulus) == scheme_bits) - break; - tmp = mod_find_generator_next(tmp, generator); - } - if (tmp == NULL) { - log_print("Could not find %d bit modulus in init_schemes()", - scheme_bits); - continue; - } - - size = BUFFER_SIZE - 2; - if (BN_bn2varpre(tmp->modulus, buffer+2, &size) == -1) - continue; - } else { - size = 2; - buffer[2] = buffer[3] = 0; - } - - newbuf = realloc(global_schemes, global_schemesize + size + 2); - if (newbuf == NULL) { - 
if (global_schemes != NULL) - free (global_schemes); - log_fatal("out of memory in init_schems()"); - } - global_schemes = newbuf; - - /* DH_G_2_MD5 is a MUST, so we generate it if gen_flag == 0 */ - if (*(u_int16_t *)buffer == htons(DH_G_2_MD5)) - gen_flag = 1; - - bcopy(buffer, global_schemes + global_schemesize, size + 2); - global_schemesize += size + 2; - } -#ifdef DEBUG - printf("Read %d bytes of exchange schemes.\n", global_schemesize); -#endif - close_config_file(); - - if (!gen_flag) { - log_print("DH_G_2_MD5 not in config file, inserting it"); - BN_set_word(generator, 2); - if ((tmp = mod_find_generator(generator)) == NULL) - log_fatal("no modulus for generator 2 in init_schemes()"); - - size = BUFFER_SIZE - 2; - if (BN_bn2varpre(tmp->modulus, buffer+2, &size) == -1) - log_fatal("BN_bn2varpre() in init_schemes()"); - - *(u_int16_t *)buffer = htons(DH_G_2_MD5); - } - - BN_clear_free(generator); - - return 1; -} - -int -init_moduli(int primes) -{ - struct moduli_cache *tmp; - char *p, *p2; - BIGNUM *m, *g, *a; - - mod_init(); - - open_config_file(NULL); - -#ifdef DEBUG - printf("[Bootstrapping moduli]\n"); -#endif - - m = BN_new(); - g = BN_new(); - - while((p = config_get(CONFIG_MODULUS)) != NULL) { - p2 = p + strlen(CONFIG_MODULUS); - while (isspace(*p2)) - p2++; - - /* Get generator */ - if ((p = strsep(&p2, " ")) == NULL) - continue; - - /* Convert an hex string to bignum */ - a = g; - if (!strncmp(p, "0x", 2)) - p += 2; - if (!BN_hex2bn(&a, p)) - continue; - - /* Get modulus */ - a = m; - if (!strncmp(p2, "0x", 2)) - p2 += 2; - if (!BN_hex2bn(&a, p2)) - continue; - - if ((tmp = mod_new_modgen(m, g)) == NULL) - log_fatal("no memory in init_moduli()"); - - mod_insert(tmp); - - if (!primes) { - tmp->iterations = MOD_PRIME_MAX; - tmp->status = MOD_PRIME; - } - } - - close_config_file(); - - BN_free(m); - BN_free(g); - - /* Now check primality */ - if (primes) - mod_check_prime(MOD_PRIME_MAX, 0); - - return 0; -} - -int -init_times(void) -{ - char *p, *p2; 
- int i, *value; - open_config_file(NULL); - -#ifdef DEBUG - printf("[Setting up times]\n"); -#endif - - while((p2 = config_get(CONFIG_CONFIG)) != NULL) { - p2 += sizeof(CONFIG_CONFIG); - - if ((p=strsep(&p2, " ")) == NULL) - continue; - if (p2 == NULL) - continue; - - if (!strcmp(p, CONFIG_MAX_RETRIES)) - value = &max_retries; - else if (!strcmp(p, CONFIG_RET_TIMEOUT)) - value = &retrans_timeout; - else if (!strcmp(p, CONFIG_EX_TIMEOUT)) - value = &exchange_timeout; - else if (!strcmp(p, CONFIG_EX_LIFETIME)) - value = &exchange_lifetime; - else if (!strcmp(p, CONFIG_SPI_LIFETIME)) - value = &spi_lifetime; - else { - log_print("unknown options %s in init_times()", p); - continue; - } - - if ((i = atoi(p2)) < 1) { - log_print("value %d too small in init_times()", i); - continue; - } - - *value = i; - } - - close_config_file(); - - /* Now some hard coded checks */ - if (exchange_timeout < max_retries*retrans_timeout) - log_fatal("Exchange Timeout < Retransmission * Retrans. Timeout"); - if (exchange_lifetime < 2*exchange_timeout) - log_fatal("Exchange Lifetime < 2 * Exchange Timeout"); - if (spi_lifetime < 3*exchange_timeout) - log_fatal("SPI Lifetime < 3 * Exchange Timeout"); - - return 0; -} - -void -startup_parse(struct stateob *st, char *p2) -{ - char *p, *p3; - struct hostent *hp; - - while((p=strsep(&p2, " ")) != NULL && strlen(p)) { - if ((p3 = strchr(p, '=')) == NULL) { - log_print("missing = in %s in startup_parse()", p); - continue; - } - if (strlen(++p3) == 0) { - log_print("option missing after %s in startup_parse()", p); - continue; - } - if (!strncmp(p, OPT_DST, strlen(OPT_DST))) { - hp = NULL; - if (inet_addr(p3) == -1 && (hp = gethostbyname(p3)) == NULL) { - log_error("invalid destination address: %s", p3); - continue; - } - if (hp == NULL) - strncpy(st->address, p3, 15); - else { - struct sockaddr_in sin; - bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length); - strncpy(st->address, inet_ntoa(sin.sin_addr), 15); - } - st->address[15] = '\0'; - } 
else if (!strncmp(p, OPT_PORT, strlen(OPT_PORT))) { - if ((st->port = atoi(p3)) == 0) { - log_print("invalid port number: %s", p3); - continue; - } - } else if (!strncmp(p, CONFIG_EX_LIFETIME, strlen(CONFIG_EX_LIFETIME))) { - if ((st->exchange_lifetime = atol(p3)) == 0) { - log_print("invalid exchange lifetime: %s", p3); - continue; - } - } else if (!strncmp(p, CONFIG_SPI_LIFETIME, strlen(CONFIG_SPI_LIFETIME))) { - if ((st->spi_lifetime = atol(p3)) == 0) { - log_print("invalid spi lifetime: %s", p3); - continue; - } - } else if (!strncmp(p, OPT_USER, strlen(OPT_USER))) { - struct passwd *pwd; - if ((st->user = strdup(p3)) == NULL) { - log_error("strdup() in startup_parse()"); - continue; - } - if ((pwd = getpwnam(st->user)) == NULL) { - log_error("getpwnam() in startup_parse()"); - free(st->user); - st->user = NULL; - continue; - } - } else if (!strncmp(p, OPT_OPTIONS, strlen(OPT_OPTIONS))) { - while((p = strsep(&p3, ",")) != NULL) { - if(!strcmp(p, OPT_ENC)) - st->flags |= IPSEC_OPT_ENC; - else if(!strcmp(p, OPT_AUTH)) - st->flags |= IPSEC_OPT_AUTH; - else { - log_print("Unknown options %s in startup_parse()", p); - continue; - } - } - } - } -} - -void -startup_end(struct stateob *st) -{ - if (!strlen(st->address)) { - log_print("no destination given in startup_end()"); - state_value_reset(st); - free(st); - return; - } - if (st->port == 0) - st->port = global_port; - - if (st->flags == 0) - st->flags = IPSEC_OPT_ENC | IPSEC_OPT_AUTH; - -#ifdef DEBUG - printf("Starting exchange with: %s:%d and options:", - st->address, st->port); - if (st->flags & IPSEC_OPT_ENC) - printf("%s ", OPT_ENC); - if (st->flags & IPSEC_OPT_AUTH) - printf("%s ", OPT_AUTH); - if (st->user != NULL) - printf("for user %s", st->user); - printf("\n"); -#endif - if (start_exchange(global_socket, st, - st->address, st->port) == -1) { - log_print("start_exchange in startup_end()"); - state_value_reset(st); - free(st); - } else - state_insert(st); -} - -int -init_startup(void) -{ - char *p2; - 
struct stateob *st = NULL; - -#ifdef DEBUG - printf("[Starting initial exchanges]\n"); -#endif - - open_config_file(PHOTURIS_STARTUP); - while(1) { - p2 = config_get(""); - /* We read a newline or end of file */ - if((p2 == NULL || strlen(p2) == 0) && st != NULL) { - startup_end(st); - st = NULL; - if (p2 != NULL) - continue; - else - break; - } - if (p2 == NULL) - break; - if (!strlen(p2)) - continue; - - if (st == NULL && ((st = state_new()) == NULL)) - log_fatal("state_new() in init_startup()"); - - startup_parse(st, p2); - - } - close_config_file(); - - return 0; -} - -#ifndef DEBUG -void -reconfig(int sig) -{ - log_print("Reconfiguring on SIGHUP"); - - clearattrib(); /* Clear attribute id hash */ - attrib_cleanup(); /* Clear list of offered attributes */ - - identity_cleanup(NULL); - mod_cleanup(); - - free(global_schemes); global_schemes = NULL; - global_schemesize = 0; - - state_cleanup(); - - init_times(); - init_moduli(0); - init_schemes(); - init_attributes(); - init_identities(NULL, NULL); -} - -volatile sig_atomic_t wantconfig; - -void -sigconfig(int sig) -{ - wantconfig = 1; -} - -int -init_signals(void) -{ - struct sigaction sa, osa; - - bzero(&sa, sizeof(sa)); - sigemptyset(&sa.sa_mask); - sigaddset(&sa.sa_mask, SIGHUP); - sa.sa_handler = sigconfig; - sigaction(SIGHUP, &sa, &osa); - - return 1; -} -#endif - -int -pick_scheme(u_int8_t **scheme, u_int16_t *schemesize, - u_int8_t *offered, u_int16_t offeredsize) -{ - u_int32_t size = 0; - u_int32_t osize, asize = 0; - u_int8_t *schemep = NULL; - u_int8_t *modp = NULL; /* Pointer to the modulus */ - u_int32_t modsize = 0, actsize = 0, gensize = 0; - u_int8_t scheme_ref[2]; - u_int8_t *p = NULL; - - while(size < global_schemesize) { - osize = 0; - while(osize < offeredsize) { - /* XXX - Policy? 
now take bigger moduli */ - p = scheme_get_mod(offered + osize); - actsize = varpre2octets(p); - - if (schemep == NULL && - !bcmp(offered+osize, global_schemes + size, 2)) { - /* We found a scheme we want use, now we need to get the - * modulus for it. - */ - schemep = offered + osize; - break; - } - osize += scheme_get_len(offered + osize); - } - if (schemep != NULL) - break; - size += scheme_get_len(global_schemes + size); - } - - if (schemep == NULL) { - log_print("Found no scheme in pick_scheme()"); - return -1; - } - - if (actsize <= 2) { - if (ntohs(*(u_int16_t *)schemep) == scheme_get_ref(schemep)) { - log_print("Base scheme has no modulus in pick_scheme()"); - return -1; - } - *(u_int16_t *)scheme_ref = htons(scheme_get_ref(schemep)); - osize = 0; - while(osize < offeredsize) { - /* XXX - Policy? now take bigger moduli */ - p = scheme_get_mod(offered + osize); - actsize = varpre2octets(p); - if (!bcmp(offered + osize, scheme_ref,2) && actsize > 2) { - if (actsize > modsize) { - modp = p; - modsize = actsize; - } - } - - osize += scheme_get_len(offered + osize); - } - } else { - modsize = actsize; - modp = p; - } - - if (*scheme != NULL) - free(*scheme); - - p = scheme_get_gen(schemep); - if (p != NULL) { - gensize = varpre2octets(p); - - /* XXX - VPN this works only for small numbers */ - asize = 2 + 2 + modsize + gensize; - - } else { - asize = 2 + modsize; - } - - if ((*scheme = calloc(asize, sizeof(u_int8_t))) == NULL) { - log_error("No memory in pick_scheme()"); - return -1; - } - - bcopy(schemep, *scheme, 2); - /* XXX - VPN this works only for small numbers */ - if (p != NULL) { - (*scheme)[2] = gensize >> 8; - (*scheme)[3] = gensize & 0xFF; - bcopy(p, *scheme+2+2, gensize); - } - bcopy(modp, *scheme+2+(p == NULL ? 
0 : 2 + gensize), modsize); - - *schemesize = asize; - return 0; -} - -/* - * Fills attrib, with attributes we offer to other parties, - * read the necessary values from some config file - */ - -int -pick_attrib(struct stateob *st, u_int8_t **attrib, u_int16_t *attribsize) -{ - attribute_list *ob; - int mode = 0, i, n, count, first; - - if ((ob = attrib_find(st->address)) == NULL) { - log_print("attrib_find() in pick_attrib()"); - return -1; - } - - - /* Get the attributes in the right order */ - count = 0; - for (n=0; n<=AT_ESP_ATTRIB; n++) { - first = 1; mode = 0; - for (i=0; i<ob->attribsize; i += ob->attributes[i+1]+2) { - if (ob->attributes[i] == AT_AH_ATTRIB ) - mode = AT_AH_ATTRIB; - else if (ob->attributes[i] == AT_ESP_ATTRIB) - mode = AT_ESP_ATTRIB; - else if (n == mode) { - if (first && n > 0) { - buffer[count] = n; - buffer[count+1] = 0; - count += 2; - first = 0; - } - bcopy(ob->attributes+i, buffer+count, - ob->attributes[i+1]+2); - count += ob->attributes[i+1]+2; - } - } - } - if (count == 0) { - log_print("no attributes in attribute list for %s in pick_attrib()", - st->address); - return -1; - } - - if ((*attrib = calloc(count, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in in pick_attrib()"); - return -1; - } - bcopy(buffer, *attrib, count); - *attribsize = count; - - return 0; -} - - -/* - * Select attributes we actually want to use for the SA. 
- */ - -int -select_attrib(struct stateob *st, u_int8_t **attributes, u_int16_t *attribsize) -{ - u_int16_t count = 0; - u_int8_t *wantesp, *wantah, *offeresp, *offerah, *p; - u_int16_t wantespsize, wantahsize, offerespsize, offerahsize; - attribute_list *ob; - attrib_t *attprop; - - if ((ob = attrib_find(NULL)) == NULL) { - log_print("attrib_find() for default in select_attrib() in " - "exchange to %s", st->address); - return -1; - } - - /* Take from Owner */ - get_attrib_section(ob->attributes, ob->attribsize, - &wantesp, &wantespsize, AT_ESP_ATTRIB); - get_attrib_section(ob->attributes, ob->attribsize, - &wantah, &wantahsize, AT_AH_ATTRIB); - - - /* Take from User */ - get_attrib_section(st->uSPIoattrib, st->uSPIoattribsize, - &offeresp, &offerespsize, AT_ESP_ATTRIB); - get_attrib_section(st->uSPIoattrib, st->uSPIoattribsize, - &offerah, &offerahsize, AT_AH_ATTRIB); - - p = buffer; - if (wantesp != NULL && offeresp != NULL && (st->flags & IPSEC_OPT_ENC)) { - /* Take the ESP section */ - char *tp = wantesp, *ta = wantesp; - u_int16_t tpsize = 0, tasize = 0; - u_int8_t flag[20], flagc, hmac = 0; - int res; - attrib_t *attah = NULL; - - /* - * We travers the ESP section and look for flags, - * perhaps mutually exclusive flags should be handled - * but at the moment we only support the HMAC indicator - */ - - flagc = 0; - while (tpsize < wantespsize && flagc < sizeof(flag)) { - if (isinattrib(offeresp, offerespsize, tp[tpsize])) { - attprop = getattrib(tp[tpsize]); - /* A simple flag has no type */ - if (attprop != NULL && attprop->type == 0) { - flag[flagc++] = attprop->id; - switch(attprop->id) { - case AT_HMAC: - hmac = 1; - break; - default: - break; - } - } - } - tpsize += tp[tpsize+1]+2; - } - - tpsize = 0; - attprop = NULL; - /* We travers the ESP section and look for the first ENC attribute */ - while (tpsize < wantespsize) { - if (isinattrib(offeresp, offerespsize, tp[tpsize])) { - attprop = getattrib(tp[tpsize]); - if (attprop != NULL && attprop->type == 
AT_ENC) - break; - } - tpsize += tp[tpsize+1]+2; - } - if (tpsize >= wantespsize) - attprop = NULL; - - /* If we find a fitting AH, we take it */ - while (hmac && attprop != NULL && tasize < wantespsize) { - if (isinattrib(offeresp, offerespsize, ta[tasize])) { - attah = getattrib(ta[tasize]); - if (attah != NULL && (attah->type & AT_AUTH)) { -#ifdef IPSEC - res = kernel_valid(attprop, attah); -#else - res = 0; -#endif - if (res == AT_ENC) { - /* - * Our ESP attribute does not allow AH, but - * since the ESP attribute is our first choice, - * dont try for other. - */ - attah = NULL; - break; - } else if (res != AT_AUTH) - break; - } - } - - tasize += ta[tasize+1]+2; - } - if (tasize >= wantespsize) - attah = NULL; - - if (attprop != NULL) { - /* Put proper header in there */ - p[0] = AT_ESP_ATTRIB; - p[1] = 0; - count += 2; - p += 2; - - /* We are using our own attributes, safe to proceed */ - bcopy(wantesp+tpsize, p, wantesp[tpsize+1] + 2); - count += wantesp[tpsize+1] + 2; - p += wantesp[tpsize+1] + 2; - - if (attah != NULL) { - /* We are using our own attributes, safe to proceed */ - bcopy(wantesp+tasize, p, wantesp[tasize+1] + 2); - count += wantesp[tasize+1] + 2; - p += wantesp[tasize+1] + 2; - } - - /* Insert the flags also */ - while (flagc--) { - p[0] = flag[flagc]; - p[1] = 0; - p += 2; - count += 2; - } - } - } - - if (wantah != NULL && offerah != NULL && (st->flags & IPSEC_OPT_AUTH)) { - /* Take the AH section */ - u_int8_t *tp = wantah; - u_int16_t tpsize = 0; - u_int8_t flag[20], flagc; - - flagc = 0; - /* Look for flags */ - while (tpsize < wantahsize && flagc < sizeof(flag)) { - if (isinattrib(offerah, offerahsize, tp[tpsize])) { - attprop = getattrib(tp[tpsize]); - if (attprop != NULL && attprop->type == 0) - flag[flagc++] = attprop->id; - } - tpsize += tp[tpsize+1]+2; - } - - tpsize = 0; - attprop = NULL; - /* We travers the AH section and look for the first AH attribute */ - while (tpsize < wantahsize) { - if (isinattrib(offerah, offerahsize, 
tp[tpsize])) { - attprop = getattrib(tp[tpsize]); - if (attprop != NULL && (attprop->type & AT_AUTH) -#ifdef IPSEC - && (kernel_valid_auth(attprop, flag, flagc) != -1) -#endif - ) - break; - } - tpsize += tp[tpsize+1]+2; - } - if (tpsize >= wantahsize) - attprop = NULL; - - if (attprop != NULL) { - /* Put proper header in there */ - p[0] = AT_AH_ATTRIB; - p[1] = 0; - count += 2; - p += 2; - - /* We are using our own attributes, safe to proceed */ - bcopy(wantah+tpsize, p, wantah[tpsize+1] + 2); - count += wantah[tpsize+1] + 2; - p += wantah[tpsize+1] + 2; - - /* Insert flags also */ - while (flagc--) { - p[0] = flag[flagc]; - p[1] = 0; - p += 2; - count += 2; - } - } - } - - if (count == 0) { - log_print("Offered and wanted list of attributes did not have a common subset in select_attrib()"); - return -1; - } - - if ((*attributes=calloc(count,sizeof(u_int8_t))) == NULL) { - log_error("Out of memory for SPI attributes (%d)", count); - return -1; - } - *attribsize = count; - bcopy(buffer, *attributes, count); - - return 0; -} -/* - * Removes whitespace from the end of a string - */ - -char * -chomp(char *p) -{ - if (!*p) - return p; - - while (*(p+1)) - p++; - - if (isspace(*p)) - *p = '\0'; - - return p; -} - -static const char hextab[] = { - '0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' -}; - -int -bin2hex(char *buffer, int *size, u_int8_t *data, u_int16_t len) -{ - u_int16_t off; - - if (*size < 2*len+1) - return -1; - - off = 0; - while(len > 0) { - buffer[off++] = hextab[*data >> 4]; - buffer[off++] = hextab[*data & 0xF]; - data++; - len--; - } - buffer[off++] = '\0'; - - *size = off; - return 0; -} diff --git a/sbin/photurisd/config.h b/sbin/photurisd/config.h deleted file mode 100644 index 1685879a90b..00000000000 --- a/sbin/photurisd/config.h +++ /dev/null 
@@ -1,121 +0,0 @@
-/* $OpenBSD: config.h,v 1.6 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * config.h:
- * handling config
- */
-
-#ifndef _CONFIG_H_
-#define _CONFIG_H_
-
-#include "userdefs.h"
-
-#ifdef MACHINE_ENDIAN
-#include <machine/endian.h>
-#endif
-
-#ifdef ENDIAN
-#include <endian.h>
-#endif
-
-#ifdef SYS_MACHINE
-#include <sys/machine.h>
-#endif
-
-#ifdef SYS_LTYPES
-#include <sys/ltypes.h>
-#endif
-
-#ifdef NEED_UTYPES
-#include "utypes.h"
-#endif
-
-#ifdef NEED_IN_ADDR
-# ifndef _IN_ADDR_T_
-# define _IN_ADDR_T_
- typedef unsigned long in_addr_t;
-# endif
-#endif
-
-
-
-#include "state.h"
-
-#undef EXTERN
-#ifdef _CONFIG_C_
-#define EXTERN
-
-#else
-#define EXTERN extern
-#endif
-
-#define CONFIG_MODULUS "modulus"
-#define CONFIG_EXCHANGE "exchange"
-#define CONFIG_CONFIG "config"
-#define CONFIG_MAX_RETRIES "exchange_max_retransmits"
-#define CONFIG_RET_TIMEOUT "exchange_retransmit_timeout"
-#define CONFIG_EX_TIMEOUT "exchange_timeout"
-#define CONFIG_EX_LIFETIME "exchange_lifetime"
-#define CONFIG_SPI_LIFETIME "spi_lifetime"
-
-#define OPT_DST "dst"
-#define OPT_PORT "port"
-#define OPT_OPTIONS "options"
-# define OPT_ENC "enc"
-# define OPT_AUTH "auth"
-#define OPT_USER "user"
-
-struct cfgx {
- struct cfgx *next;
- char *name;
- int id;
-};
-
-EXTERN int bin2hex(char *, int *, u_int8_t *, u_int16_t);
-EXTERN char *chomp(char *);
-
-EXTERN int init_moduli(int);
-EXTERN int init_schemes(void);
-EXTERN int init_attributes(void);
-EXTERN int init_times(void);
-EXTERN void startup_parse(struct stateob *st, char *line);
-EXTERN void startup_end(struct stateob *st);
-EXTERN int init_startup(void);
-EXTERN int init_signals(void);
-
-EXTERN int pick_scheme(u_int8_t **, u_int16_t *, u_int8_t *, u_int16_t);
-EXTERN int pick_attrib(struct stateob *, u_int8_t **, u_int16_t *);
-EXTERN int select_attrib(struct stateob *, u_int8_t **, u_int16_t *);
-
-EXTERN void reconfig(int sig);
-
-#endif /* _CONFIG_H_ */
-
diff --git a/sbin/photurisd/cookie.c b/sbin/photurisd/cookie.c
deleted file mode 100644
index 052c3a83051..00000000000
--- a/sbin/photurisd/cookie.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $OpenBSD: cookie.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * cookie.c:
- * cookie generation
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: cookie.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _COOKIE_C_
-
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <md5.h>
-#include "state.h"
-#include "cookie.h"
-
-void
-reset_secret(void)
-{
- secret_generate(rsecret, SECRET_SIZE);
-}
-
-int
-secret_generate(u_int8_t *secret, u_int16_t size)
-{
- int i = 0;
- long tmp = 0;
-
- while(size > 0) {
- size--;
- if (i++ % 4 == 0)
- tmp = arc4random();
-
- secret[size] = tmp & 0xFF;
- tmp = tmp >> 8;
- }
- return 1;
-}
-
-int
-cookie_generate(struct stateob *st, u_int8_t *cookie, u_int16_t size,
- u_int8_t *data, u_int16_t dsize)
-{
- MD5_CTX ctx;
- u_int8_t digest[16];
- u_int8_t tmpsecret[SECRET_SIZE], *secret;
-
- if (st->initiator) {
- secret = tmpsecret;
- secret_generate(tmpsecret, SECRET_SIZE); /* New secret each CookieReq */
- } else
- secret = rsecret;
-
- /* Generate a cookie which depends on both parties and on local
- * information, which is fast computed.
- */
- MD5Init(&ctx);
- MD5Update(&ctx, st->address, strlen(st->address));
- MD5Update(&ctx, (u_int8_t *)&st->port, sizeof(st->port));
- MD5Update(&ctx, (u_int8_t *)&st->counter, sizeof(st->counter));
- MD5Update(&ctx, secret, SECRET_SIZE);
- MD5Update(&ctx, st->icookie, COOKIE_SIZE);
-
- /* For the responder cookie we also hash the schemes */
- if (data != NULL && dsize)
- MD5Update(&ctx, data, dsize);
-
- MD5Final(digest, &ctx);
-
- bcopy(digest, cookie, size);
- return 1;
-}
-
diff --git a/sbin/photurisd/cookie.h b/sbin/photurisd/cookie.h deleted file mode 100644
index e41828c0791..00000000000
--- a/sbin/photurisd/cookie.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $OpenBSD: cookie.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * cookie.h:
- * cookie generation header file
- */
-
-#ifndef _COOKIE_H_
-#define _COOKIE_H_
-#include "state.h"
-
-#define SECRET_SIZE 16
-
-#undef EXTERN
-#ifdef _COOKIE_C_
-#define EXTERN
-
-static u_int8_t rsecret[SECRET_SIZE]; /* Responder secret */
-#else
-#define EXTERN extern
-#endif
-
-EXTERN void reset_secret(void);
-EXTERN int secret_generate(u_int8_t *secret, u_int16_t size);
-EXTERN int cookie_generate(struct stateob *st,
- u_int8_t *cookie, u_int16_t size,
- u_int8_t *data, u_int16_t dsize);
-#endif
diff --git a/sbin/photurisd/encrypt.h b/sbin/photurisd/encrypt.h deleted file mode 100644
index f40411ceb5c..00000000000
--- a/sbin/photurisd/encrypt.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $OpenBSD: encrypt.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * encrypt.h:
- * prototypes for photuris_packet_encrypt.c
- */
-
-#ifndef _ENCRYPT_H_
-#define _ENCRYPT_H_
-
-#include "state.h"
-
-#undef EXTERN
-
-#ifdef _ENCRYPT_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-EXTERN int packet_create_padding(struct stateob *st, u_int16_t size,
- u_int8_t *padd, u_int16_t *rsize);
-EXTERN int packet_encrypt(struct stateob *st,
- u_int8_t *payload, u_int16_t payloadlen);
-EXTERN int packet_decrypt(struct stateob *st,
- u_int8_t *payload, u_int16_t *payloadlen);
-
-#endif /* _ENCRYPT_H_ */
diff --git a/sbin/photurisd/exchange.c b/sbin/photurisd/exchange.c deleted file mode 100644
index 40fdd5f013f..00000000000
--- a/sbin/photurisd/exchange.c
+++ /dev/null
@@ -1,395 +0,0 @@
-/* $OpenBSD: exchange.c,v 1.6 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * exchange.c:
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: exchange.c,v 1.6 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _EXCHANGE_C_
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ssl/bn.h>
-
-#include "config.h"
-#include "state.h"
-#include "exchange.h"
-#include "modulus.h"
-#include "attributes.h"
-#include "buffer.h"
-#include "cookie.h"
-#include "schedule.h"
-#include "scheme.h"
-#include "log.h"
-
-/*
- * Get the number of bits from a variable precision number
- * according to draft-simpson-photuris-11
- */
-
-u_int8_t *
-varpre_get_number_bits(size_t *nbits, u_int8_t *varpre)
-{
- int blocks;
- size_t bits;
-
- if (varpre == NULL)
- return (NULL);
-
- /* We don't support numbers, that long */
- if (*varpre == 255 && *(varpre+1) == 255)
- return (NULL);
-
- bits = 0;
- if (*varpre == 255) {
- blocks = 3;
- bits = 65280;
- varpre++;
- } else
- blocks = 2;
-
- while (blocks-- > 0) {
- bits = (bits << 8) + *varpre;
- varpre++;
- }
-
- *nbits = bits;
-
- return (varpre);
-}
-
-/*
- * Convert a variable precision number to a bignum
- */
-
-u_int8_t *
-BN_varpre2bn(u_int8_t *varpre, size_t size, BIGNUM *a)
-{
- u_int8_t *p;
- size_t bytes;
-
- BN_zero(a);
- p = varpre_get_number_bits(&bytes, varpre);
- if (p == NULL)
- return (NULL);
-
- bytes = (bytes + 7) / 8;
-
- if (p + bytes != varpre + size)
- return (NULL);
-
- while (bytes > 0) {
- BN_lshift(a, a, 8);
- BN_add_word(a, *p);
-
- bytes--;
- p++;
- }
-
- return (p);
-}
-
-int
-BN_bn2varpre(BIGNUM *p, u_int8_t *value, size_t *size)
-{
- size_t bits, bytes;
- int header;
- BIGNUM *a;
-
- bits = BN_num_bits(p);
- bytes = (bits + 7) / 8;
-
- /* We only support 4 octets */
- if (bits > 65279) {
- bits -= 65280;
- value[0] = 255;
- value[1] = (bits >> 16) & 0xFF;
- value[2] = (bits >> 8) & 0xFF;
- value[3] = bits & 0xFF;
- header = 4;
- } else {
- value[0] = (bits
>> 8) & 0xFF;
- value[1] = bits & 0xFF;
- header = 2;
- }
-
- /* Check if the buffer is big enough */
- if (bytes + header > (*size - header))
- return (-1);
-
- a = BN_new();
- BN_copy(a, p);
-
- *size = bytes + header;
-
- while (bytes > 0) {
- bytes--;
- value[bytes + header] = BN_mod_word(a, 256);
- BN_rshift(a, a, 8);
- }
- BN_clear_free(a);
-
- return (0);
-}
-
-
-int
-exchange_check_value(BIGNUM *exchange, BIGNUM *gen, BIGNUM *mod)
-{
- size_t bits;
- BIGNUM *test;
-
- bits = BN_num_bits(mod);
- if (BN_num_bits(exchange) < bits/2)
- return (0);
-
- test = BN_new();
- BN_copy(test, mod);
- BN_sub_word(test, 1);
- if (!BN_cmp(exchange, test)) {
- BN_free(test);
- return (0);
- }
-
- /* XXX - more tests need to go here */
-
- BN_free(test);
- return (1);
-}
-
-/*
- * Finds to a given modulus and generator cached information
- * which is used to create the private value and exchange value
- */
-
-int
-exchange_make_values(struct stateob *st, BIGNUM *modulus, BIGNUM *generator)
-{
- struct moduli_cache *p, *tmp;
- u_int8_t *mod;
- time_t tm;
-
- tm = time(NULL);
-
- /* See if we have this cached already */
- if ((p = mod_find_modgen(modulus,generator)) == NULL) {
- /* Create a new modulus, generator pair */
- if((p = mod_new_modgen(modulus,generator)) == NULL) {
- BN_clear_free(generator);
- BN_clear_free(modulus);
- log_error("Not enough memory in exchange_make_values()");
- return (-1);
- }
- mod_insert(p);
- }
- /* If we don't have a private value calculate a new one */
- if (p->lifetime < tm || BN_is_zero(p->private_value)) {
- if (p->exchangevalue != NULL)
- free(p->exchangevalue);
-
- /* See if we can find a cached private value */
- if ((tmp = mod_find_modulus(modulus)) != NULL &&
- tmp->lifetime > tm && !BN_is_zero(tmp->private_value)) {
- BN_copy(p->private_value, tmp->private_value);
-
- /* Keep exchange value on same (gen,mod) pair */
- if (!BN_cmp(p->generator, tmp->generator)) {
- p->exchangevalue = calloc(tmp->exchangesize,sizeof(u_int8_t));
- if
(p->exchangevalue == NULL) {
- log_error("calloc() in exchange_make_values()");
- return (-1);
- }
- bcopy(tmp->exchangevalue, p->exchangevalue,
- tmp->exchangesize);
- p->exchangesize = tmp->exchangesize;
- } else
- p->exchangevalue = NULL;
-
- p->iterations = tmp->iterations;
- p->status = tmp->status;
- p->lifetime = tmp->lifetime;
- } else {
- size_t bits;
-
- /*
- * Make a new private value and change responder secrets
- * as required by draft.
- */
-
- schedule_remove(REKEY, NULL);
- schedule_insert(REKEY, REKEY_TIMEOUT, NULL, 0);
- reset_secret();
-
- p->lifetime = tm + MOD_TIMEOUT;
- p->exchangevalue = NULL;
-
- /* Find pointer to the VPN containing the modulus */
- mod = scheme_get_mod(st->scheme);
- varpre_get_number_bits(&bits, mod);
- BN_rand(p->private_value, bits, 0, 0);
- }
- /* Do we need to generate a new exchange value */
- if (p->exchangevalue == NULL) {
- BIGNUM *tmp;
- BN_CTX *ctx;
- size_t bits;
-
- mod = scheme_get_mod(st->scheme);
- varpre_get_number_bits(&bits, mod);
-
- tmp = BN_new();
- ctx = BN_CTX_new();
- BN_mod_exp(tmp, p->generator, p->private_value, p->modulus,
- ctx);
-
- /*
- * If our exchange value is defective we need to make a new one
- * to avoid subgroup confinement.
- */
- while (!exchange_check_value(tmp, p->generator, p->modulus)) {
- BN_rand(p->private_value, bits, 0, 0);
- BN_mod_exp(tmp, p->generator, p->private_value, p->modulus,
- ctx);
- }
-
- BN_CTX_free(ctx);
-
- p->exchangesize = BUFFER_SIZE;
- BN_bn2varpre(tmp, buffer, &(p->exchangesize));
-
- p->exchangevalue = calloc(p->exchangesize, sizeof(u_int8_t));
- if (p->exchangevalue == NULL) {
- log_error("calloc() in exchange_make_value()");
- BN_clear_free(tmp);
- return (-1);
- }
- bcopy(buffer, p->exchangevalue, p->exchangesize);
-
- BN_clear_free(tmp);
- }
- }
-
- if (st->exchangevalue != NULL)
- free(st->exchangevalue);
-
- st->exchangevalue = calloc(p->exchangesize, sizeof(u_int8_t));
- if (st->exchangevalue == NULL) {
- log_error("calloc() in exchange_make_values()");
- return (-1);
- }
- bcopy(p->exchangevalue, st->exchangevalue, p->exchangesize);
-
- st->exchangesize = p->exchangesize;
- BN_copy(st->modulus, p->modulus);
- BN_copy(st->generator, p->generator);
-
- return (0);
-}
-
-int
-exchange_set_generator(BIGNUM *generator, u_int8_t *scheme, u_int8_t *gen)
-{
- switch (ntohs(*((u_int16_t *)scheme))) {
- case DH_G_2_MD5: /* DH: Generator of 2 */
- case DH_G_2_DES_MD5: /* DH: Generator of 2 + privacy */
- case DH_G_2_3DES_SHA1:
- BN_set_word(generator,2);
- break;
- case DH_G_3_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_3_3DES_SHA1:
- BN_set_word(generator,3);
- break;
- case DH_G_5_MD5:
- case DH_G_5_DES_MD5:
- case DH_G_5_3DES_SHA1:
- BN_set_word(generator,5);
- break;
- default:
- log_print("Unsupported exchange scheme %d",
- *((u_int16_t *)scheme));
- return (-1);
- }
- return (0);
-}
-
-/*
- * Generates the exchange values needed for the value_request
- * and value_response packets.
- */
-
-int
-exchange_value_generate(struct stateob *st, u_int8_t *value, u_int16_t *size)
-{
- BIGNUM *modulus, *generator;
- struct moduli_cache *p;
- u_int8_t *varpre;
-
- if ((varpre = scheme_get_mod(st->scheme)) == NULL)
- return (-1);
-
- generator = BN_new();
- if (exchange_set_generator(generator, st->scheme,
- scheme_get_gen(st->scheme)) == -1) {
- BN_clear_free(generator);
- return (-1);
- }
-
- modulus = BN_new();
- BN_varpre2bn(varpre, varpre2octets(varpre), modulus);
-
- if(exchange_make_values(st, modulus, generator) == -1) {
- BN_clear_free(modulus);
- BN_clear_free(generator);
- return (-1);
- }
-
- p = mod_find_modgen(modulus,generator);
- if (*size < p->exchangesize)
- return (-1);
-
- bcopy(p->exchangevalue, value, p->exchangesize);
- BN_clear_free(modulus);
- BN_clear_free(generator);
-
- *size = p->exchangesize;
- return (1);
-}
diff --git a/sbin/photurisd/exchange.h b/sbin/photurisd/exchange.h deleted file mode 100644
index 7d3b365496b..00000000000
--- a/sbin/photurisd/exchange.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $OpenBSD: exchange.h,v 1.5 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * exchange.h:
- * exchange generation header file
- */
-
-#ifndef _EXCHANGE_H_
-#define _EXCHANGE_H_
-
-#undef EXTERN
-
-#ifdef _EXCHANGE_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-EXTERN u_int8_t *varpre_get_number_bits(size_t *, u_int8_t *);
-EXTERN u_int8_t *BN_varpre2bn(u_int8_t *, size_t, BIGNUM *);
-EXTERN int BN_bn2varpre(BIGNUM *, u_int8_t *, size_t *);
-
-EXTERN int exchange_set_generator(BIGNUM *, u_int8_t *, u_int8_t *);
-EXTERN int exchange_check_value(BIGNUM *, BIGNUM *, BIGNUM *);
-EXTERN int exchange_make_values(struct stateob *, BIGNUM *, BIGNUM *);
-EXTERN int exchange_value_generate(struct stateob *, u_int8_t *, u_int16_t *);
-
-#endif
diff --git a/sbin/photurisd/handle_bad_cookie.c b/sbin/photurisd/handle_bad_cookie.c deleted file mode 100644
index 53b5420f824..00000000000
--- a/sbin/photurisd/handle_bad_cookie.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/* $OpenBSD: handle_bad_cookie.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * handle_bad_cookie:
- * receive a BAD_COOKIE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: handle_bad_cookie.c,v 1.5 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <sys/time.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-#include "buffer.h"
-#include "packet.h"
-#include "schedule.h"
-#include "log.h"
-#include "server.h"
-#include "packet.h"
-#include "api.h"
-
-int
-handle_bad_cookie(u_char *packet, int size, char *address)
-{
- struct error_message *header;
- struct stateob *st, *newst;
-
- if (size != ERROR_MESSAGE_PACKET_SIZE)
- return -1; /* packet too small/big */
-
- header = (struct error_message *) packet;
-
- if ((st = state_find_cookies(address, header->icookie,
- header->rcookie)) == NULL) {
- log_print("No state for BAD_COOKIE message from %s",
- address);
- return -1;
- }
-
- if ((st->retries < max_retries &&
- (st->phase == VALUE_REQUEST || st->phase == IDENTITY_REQUEST)) ||
- (st->phase != VALUE_REQUEST && st->phase != IDENTITY_REQUEST &&
- st->phase != SPI_NEEDED && st->phase != SPI_UPDATE)) {
- log_print("Ignored BAD_COOKIE message from %s", address);
-
- return 0; /* Nothing needs to be done */
- }
-
- if (st->phase == SPI_UPDATE) {
- st->lifetime = time(NULL);
-
- log_print("Expired exchange on BAD_COOKIE from %s",
- address);
- return 0;
- }
-
- schedule_remove(TIMEOUT, st->icookie);
- state_unlink(st);
-
- /* Set up a new state object */
- if ((newst = state_new()) == NULL) {
- log_error("state_new() in handle_bad_cookie()");
- return -1;
- }
-
- newst->flags = st->flags;
- if (st->user != NULL)
- newst->user = strdup(st->user);
-
- state_value_reset(st);
-
- if (start_exchange(global_socket, newst, address, global_port) == -1) {
- log_print("start_exchange() in handle_bad_cookie()");
- state_value_reset(st);
- return -1;
- }
-
- state_insert(newst);
-
- return 0;
-}
diff --git a/sbin/photurisd/handle_cookie_request.c b/sbin/photurisd/handle_cookie_request.c deleted file mode 100644
index e6a0839d6b7..00000000000
--- a/sbin/photurisd/handle_cookie_request.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: handle_cookie_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
- /*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * handle_cookie_request:
- * receive a COOKIE_REQUEST packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: handle_cookie_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <sys/time.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-#include "buffer.h"
-#include "packet.h"
-
-int
-handle_cookie_request(u_char *packet, int size,
- u_int8_t *address, u_int16_t port,
- u_int8_t *schemes, u_int16_t ssize)
-
-{
- struct cookie_request *header;
- struct stateob *prev_st, *st = NULL;
- time_t tm = 0;
-
- u_int8_t icookie[COOKIE_SIZE];
-
- /* XXX - check resource limit */
-
- if (size != COOKIE_REQUEST_PACKET_SIZE)
- return -1; /* packet too small/big */
-
- header = (struct cookie_request *) packet;
-
- if ((prev_st=state_find(address)) != NULL) {
- int exceeded = 1, match = 0;
-
- st = prev_st;
-
- /*
- * Find exchanges which are not timed out and the rcookie doesnt
- * match any exchange -> resource limit.
- */
-
- tm = time(NULL);
- while(prev_st != NULL) {
- if (prev_st->lifetime > tm)
- exceeded = 0;
-
- if (prev_st->lifetime > st->lifetime)
- st = prev_st;
-
- if ((!prev_st->initiator &&
- !bcmp(prev_st->rcookie, header->rcookie, COOKIE_SIZE))||
- (prev_st->initiator &&
- !bcmp(prev_st->icookie, header->rcookie, COOKIE_SIZE)))
- match = 1;
- prev_st = state_find_next(prev_st, address);
- }
- if (!match && !exceeded) {
- packet_size = PACKET_BUFFER_SIZE;
- photuris_error_message(st, packet_buffer, &packet_size,
- header->icookie, header->rcookie,
- header->counter, RESOURCE_LIMIT);
- send_packet();
- return 0;
- }
- }
-
-
- bcopy(header->icookie, icookie, COOKIE_SIZE);
-
- packet_size = PACKET_BUFFER_SIZE;
- if (photuris_cookie_response(st != NULL &&
- st->lifetime > tm ?
st : NULL,
- packet_buffer, &packet_size,
- icookie, header->counter,
- address, port,
- schemes, ssize) == -1 )
- return -1; /* Some error happened */
-
- send_packet();
-
- return 0;
-}
diff --git a/sbin/photurisd/handle_cookie_response.c b/sbin/photurisd/handle_cookie_response.c deleted file mode 100644
index b83ecfa629f..00000000000
--- a/sbin/photurisd/handle_cookie_response.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* $OpenBSD: handle_cookie_response.c,v 1.7 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * handle_cookie_response:
- * receive a COOKIE_RESPONSE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: handle_cookie_response.c,v 1.7 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-#include "buffer.h"
-#include "scheme.h"
-#include "packet.h"
-#include "schedule.h"
-#include "log.h"
-#include "config.h"
-
-int
-handle_cookie_response(u_char *packet, int size,
- char *address, int port)
-
-{
- struct cookie_response *header;
- struct stateob *st;
- u_int8_t *p;
- u_int16_t i, n;
-
- if (size < COOKIE_RESPONSE_MIN)
- return -1; /* packet too small */
-
- header = (struct cookie_response *) packet;
-
- /* Take multi home hosts into account */
- st = state_find_icookie(header->icookie);
- if (st == NULL)
- return -1; /* Silently discard - XXX log perhaps ? */
-
- if (st->phase != COOKIE_REQUEST)
- return -1; /* We didn't want a cookie response */
-
- if (strcmp(address, st->address)) {
- /* XXX - is this a sane thing to do ?
*/
- log_print("Response from multihomed host, address %s will "
- "be changed to %s.", st->address, address);
- strncpy(st->address, address, 15);
- st->address[15] = '\0';
- }
-
- /* Check scheme size */
- p = COOKIE_RESPONSE_SCHEMES(header);
- i = 0;
- while (i < size - COOKIE_RESPONSE_MIN) {
- if ((n = scheme_get_len(p + i)) == 0)
- break;
- i += n;
- }
-
- if (i != size - COOKIE_RESPONSE_MIN) {
- log_print("schemes corrupt in handle_cookie_response()");
- return (-1); /* Size didn't match UDP size */
- }
-
- /* Copy responder cookies and offered schemes */
- bcopy(header->rcookie, st->rcookie, COOKIE_SIZE);
- if ((st->roschemes = calloc(i, sizeof(u_int8_t))) == NULL) {
- state_value_reset(st);
- state_unlink(st);
- return -1; /* Not enough memory */
- }
- bcopy(p, st->roschemes, i);
- st->roschemesize = i;
-
- if (pick_scheme(&(st->scheme), &(st->schemesize), p, i) == -1) {
- state_value_reset(st);
- state_unlink(st);
- return -1;
- }
-
- if (pick_attrib(st, &(st->oSPIoattrib),
- &(st->oSPIoattribsize)) == -1) {
- state_value_reset(st);
- state_unlink(st);
- return -1;
- }
-
- /* Take the counter from the cookie response */
- st->counter = header->counter;
-
- packet_size = PACKET_BUFFER_SIZE;
- if (photuris_value_request(st, packet_buffer, &packet_size) == -1)
- return -1;
-
- packet_save(st, packet_buffer, packet_size);
-
- send_packet();
-
- st->retries = 0;
- st->phase = VALUE_REQUEST;
-
- schedule_remove(TIMEOUT, st->icookie);
- schedule_insert(TIMEOUT, retrans_timeout, st->icookie, COOKIE_SIZE);
- return 0;
-}
diff --git a/sbin/photurisd/handle_identity_request.c b/sbin/photurisd/handle_identity_request.c deleted file mode 100644
index 1f2b777b1d1..00000000000
--- a/sbin/photurisd/handle_identity_request.c
+++ /dev/null
@@ -1,342 +0,0 @@ -/* $OpenBSD: handle_identity_request.c,v 1.7 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * handle_identity_request: - * receive a IDENTITY_REQUEST packet; return -1 on failure, 0 on success - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_identity_request.c,v 1.7 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "encrypt.h" -#include "identity.h" -#include "spi.h" -#include "secrets.h" -#include "scheme.h" -#include "log.h" -#include "attributes.h" -#include "md5.h" -#ifdef IPSEC -#include "kernel.h" -#endif -#ifdef DEBUG -#include "packet.h" -#endif - -int -handle_identity_request(u_char *packet, int size, char *address, - char *local_address) -{ - struct packet_sub parts[] = { - { "IDChoice", FLD_ATTRIB, FMD_ATT_ONE, 0, }, - { "Identity", FLD_VARPRE, 0, 0, }, - { "Verification", FLD_VARPRE, 0, 0, }, - { "Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - - struct packet id_msg = { - "Identity Request", - IDENTITY_MESSAGE_MIN, 0, parts - }; - - struct identity_message *header; - struct stateob *st; - struct spiob *spi; - MD5_CTX ctx; - u_int8_t *p, *attributes; - u_int16_t i, attribsize, tmp; - u_int8_t signature[22]; /* XXX - constant */ - - if (size < IDENTITY_MESSAGE_MIN) - return -1; /* packet too small */ - - header = (struct identity_message *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) { - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, BAD_COOKIE); - send_packet(); - return 0; - } - - if (st->phase != VALUE_RESPONSE && st->phase != SPI_UPDATE) - return -1; /* We don't want this packet */ - - /* Decrypt message */ - tmp = size - IDENTITY_MESSAGE_MIN; - if (packet_decrypt(st, IDENTITY_MESSAGE_CHOICE(header), &tmp) == -1) { - log_print("packet_decrypt() in 
handle_identity_request()"); - goto verification_failed; - } - -#ifdef DEBUG2 - printf("Identity-Request (after decryption):\n"); - packet_dump(packet, size, 0); -#endif - /* Verify message structure */ - if (packet_check((u_int8_t *)header, size - packet[size-1], &id_msg) == -1) { - log_print("bad packet structure in handle_identity_request()"); - return -1; - } - -#ifdef DEBUG - packet_ordered_dump(packet, size - packet[size-1], &id_msg); -#endif - - /* Create a signature of this packet */ - MD5Init(&ctx); - MD5Update(&ctx, packet, size); - MD5Final(signature, &ctx); - - if (st->phase != VALUE_RESPONSE) { - /* - * Compare with the identity request which got verified - * initially. If matching resend our response. - */ - - if (bcmp(signature, st->packetsig, sizeof(st->packetsig))) - goto verification_failed; - - /* We got send the old packet again */ - bcopy(st->packet, packet_buffer, st->packetlen); - packet_size = st->packetlen; - - send_packet(); - return 0; - } else - bcopy(signature, st->packetsig, sizeof(st->packetsig)); - - attributes = parts[3].where; - attribsize = parts[3].size; - - if (!isattribsubset(st->oSPIoattrib,st->oSPIoattribsize, - attributes, attribsize)) { - log_print("attributes are not a subset in handle_identity_request()"); - return 0; - } - - i = get_identity_verification_size(st, IDENTITY_MESSAGE_CHOICE(header)); - if (!i || i != parts[2].size || i > sizeof(signature)) { - log_print("verification size mismatch in handle_identity_request()"); - goto verification_failed; - } - - bcopy(parts[2].where, signature, i); - - /* Fill the state object, but only if we have not dont so before */ - if (st->uSPIidentver == NULL) { - if((st->uSPIidentver = calloc(i, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_request()"); - goto verification_failed; - } - bcopy(signature, st->uSPIidentver, i); - st->uSPIidentversize = i; - } - - p = IDENTITY_MESSAGE_CHOICE(header); - if (st->uSPIidentchoice == NULL) { - 
if((st->uSPIidentchoice = calloc(p[1]+2, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_request()"); - goto verification_failed; - } - bcopy(p, st->uSPIidentchoice, p[1]+2); - st->uSPIidentchoicesize = p[1]+2; - } - - p += p[1] + 2; - if (st->uSPIident == NULL) { - if((st->uSPIident = calloc(varpre2octets(p), sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_request()"); - goto verification_failed; - } - bcopy(p, st->uSPIident, varpre2octets(p)); - } - - if (st->uSPIattrib == NULL) { - if((st->uSPIattrib = calloc(attribsize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_request()"); - return -1; - } - bcopy(attributes, st->uSPIattrib, attribsize); - st->uSPIattribsize = attribsize; - } - - if (st->oSPIident == NULL && - get_secrets(st, (ID_REMOTE|ID_LOCAL)) == -1) { - log_print("get_secrets() in in handle_identity_request()"); - goto verification_failed; - } - - if (!verify_identity_verification(st, signature, packet, size)) { - /* - * Clean up everything used from this packet - * but only if we did not get a valid packet before. - * Otherwise this could be used as Denial of Service. 
- */ - free(st->uSPIidentchoice); - st->uSPIidentchoice = NULL; st->uSPIidentchoicesize = 0; - free(st->uSPIidentver); - st->uSPIidentver = NULL; st->uSPIidentversize = 0; - free(st->uSPIattrib); - st->uSPIattrib = NULL; st->uSPIattribsize = 0; - free(st->uSPIident); - st->uSPIident = NULL; - free(st->oSPIident); - st->oSPIident = NULL; - - /* Clean up secrets */ - free(st->oSPIsecret); - st->oSPIsecret = NULL; st->oSPIsecretsize = 0; - free(st->uSPIsecret); - st->uSPIsecret = NULL; st->uSPIsecretsize = 0; - - verification_failed: - log_print("verification failed in handle_identity_request()"); - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, VERIFICATION_FAILURE); - send_packet(); - return 0; - } - - /* Create SPI + choice of attributes */ - if(make_spi(st, local_address, st->oSPI, &(st->olifetime), - &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) { - log_print("make_spi() in handle_identity_request()"); - return -1; - } - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_identity_response(st, packet_buffer, &packet_size) == -1) - return -1; - - send_packet(); - - packet_save(st, packet_buffer, packet_size); - - /* At this point we do not need the exchange values any longer */ - free(st->texchange); st->texchange = NULL; - free(st->exchangevalue); st->exchangevalue = NULL; - - bcopy(header->SPI, st->uSPI, SPI_SIZE); - st->ulifetime = (header->lifetime[0] << 16) + - (header->lifetime[1] << 8) + header->lifetime[2]; - - if (st->oSPI[0] || st->oSPI[1] || st->oSPI[2] || st->oSPI[3]) { - /* Insert Owner SPI */ - if ((spi = spi_new(st->address, st->oSPI)) == NULL) { - log_print("spi_new() in handle_identity_request()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_print("strdup() in handle_identity_request()"); - return -1; - } - bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->flags |= SPI_OWNER; - spi->attribsize = st->oSPIattribsize; - 
spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); - if (spi->attributes == NULL) { - log_error("calloc() in handle_identity_request()"); - spi_value_reset(spi); - return -1; - } - bcopy(st->oSPIattrib, spi->attributes, spi->attribsize); - spi->lifetime = time(NULL) + st->olifetime; - - /* Cludge for getting the right verification field */ - state_save_verification(st, st->oSPIidentver, st->oSPIidentversize); - /* Make session keys for Owner */ - make_session_keys(st, spi); - - spi_insert(spi); -#ifdef IPSEC - kernel_insert_spi(st, spi); -#endif - spi_update_insert(spi); - } - - if (st->uSPI[0] || st->uSPI[1] || st->uSPI[2] || st->uSPI[3]) { - /* Insert User SPI */ - if ((spi = spi_new(st->address, st->uSPI)) == NULL) { - log_print("spi_new() in handle_identity_request()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_error("strdup() in handle_identity_request()"); - return -1; - } - spi->flags |= st->flags & IPSEC_NOTIFY ? SPI_NOTIFY : 0; - bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->attribsize = st->uSPIattribsize; - spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); - if (spi->attributes == NULL) { - log_error("calloc() in handle_identity_request()"); - spi_value_reset(spi); - return -1; - } - bcopy(st->uSPIattrib, spi->attributes, spi->attribsize); - spi->lifetime = time(NULL) + st->ulifetime; - - /* Cludge for getting the right verification field */ - state_save_verification(st, st->uSPIidentver, st->uSPIidentversize); - /* Make session keys for User */ - make_session_keys(st, spi); - - spi_insert(spi); -#ifdef IPSEC - kernel_insert_spi(st, spi); -#endif - } - - st->lifetime = st->exchange_lifetime + time(NULL) + random() % 20; - - st->retries = 0; - st->phase = SPI_UPDATE; - return 0; -} diff --git a/sbin/photurisd/handle_identity_response.c b/sbin/photurisd/handle_identity_response.c deleted file mode 100644 index b9a216533a2..00000000000 
--- a/sbin/photurisd/handle_identity_response.c +++ /dev/null 
@@ -1,285 +0,0 @@ -/* $OpenBSD: handle_identity_response.c,v 1.7 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * handle_identity_response: - * receive a IDENTITY_RESPONSE packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_identity_response.c,v 1.7 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <sys/time.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "schedule.h" -#include "encrypt.h" -#include "identity.h" -#include "attributes.h" -#include "secrets.h" -#include "scheme.h" -#include "log.h" -#include "spi.h" -#ifdef IPSEC -#include "kernel.h" -#endif -#ifdef DEBUG -#include "packet.h" -#endif - -int -handle_identity_response(u_char *packet, int size, char *address, - char *local_address) -{ - struct packet_sub parts[] = { - { "IDChoice", FLD_ATTRIB, FMD_ATT_ONE, 0, }, - { "Identity", FLD_VARPRE, 0, 0, }, - { "Verification", FLD_VARPRE, 0, 0, }, - { "Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - - struct packet id_msg = { - "Identity Response", - IDENTITY_MESSAGE_MIN, 0, parts - }; - - struct identity_message *header; - struct stateob *st; - struct spiob *spi; - u_int8_t *attributes; - u_int16_t i, attribsize, tmp; - u_int8_t signature[22]; /* XXX - constant */ - - if (size < IDENTITY_MESSAGE_MIN) - return -1; /* packet too small */ - - header = (struct identity_message *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) - return -1; /* Silently discard */ - - if (st->phase != IDENTITY_REQUEST) - return 0; /* We don't want this packet */ - - /* Decrypt message */ - tmp = size - IDENTITY_MESSAGE_MIN; - if (packet_decrypt(st, IDENTITY_MESSAGE_CHOICE(header), &tmp) == -1) { - log_print("packet_decrypt() in handle_identity_response()"); - goto verification_failed; - } - -#ifdef DEBUG2 - printf("Identity Response (after decryption):\n"); - 
packet_dump((u_int8_t *)header, size, 0); -#endif - /* Verify message structure */ - if (packet_check(packet, size - packet[size-1], &id_msg) == -1) { - log_print("bad packet structure in handle_identity_response()"); - return -1; - } - - i = get_identity_verification_size(st, IDENTITY_MESSAGE_CHOICE(header)); - if (!i || i != parts[2].size || i >sizeof(signature)) { - log_print("verification size mismatch in handle_identity_response()"); - goto verification_failed; - } - bcopy(parts[2].where, signature, parts[2].size); - - attributes = parts[3].where; - attribsize = parts[3].size; - - if (!isattribsubset(st->oSPIoattrib,st->oSPIoattribsize, - attributes, attribsize)) { - log_print("attributes are not a subset in handle_identity_response()"); - return 0; - } - - - /* Fill the state object */ - if((st->uSPIidentver = calloc(i, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_response()"); - goto verification_failed; - } - bcopy(signature, st->uSPIidentver, i); - st->uSPIidentversize = i; - - if((st->uSPIidentchoice = calloc(parts[0].size, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_response()"); - goto verification_failed; - } - bcopy(parts[0].where, st->uSPIidentchoice, parts[0].size); - st->uSPIidentchoicesize = parts[0].size; - - if((st->uSPIident = calloc(parts[1].size, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_response()"); - goto verification_failed; - } - bcopy(parts[1].where, st->uSPIident, parts[1].size); - - if((st->uSPIattrib = calloc(attribsize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_identity_response()"); - goto verification_failed; - } - bcopy(attributes, st->uSPIattrib, attribsize); - st->uSPIattribsize = attribsize; - - if (get_secrets(st, ID_REMOTE) == -1) { - log_print("get_secrets() in in handle_identity_response()"); - goto verification_failed; - } - - if (!verify_identity_verification(st, signature, packet, size)) { - /* - * Clean up everything 
used from this packet - */ - free(st->uSPIidentchoice); - st->uSPIidentchoice = NULL; st->uSPIidentchoicesize = 0; - free(st->uSPIidentver); - st->uSPIidentver = NULL; st->uSPIidentversize = 0; - free(st->uSPIattrib); - st->uSPIattrib = NULL; st->uSPIattribsize = 0; - free(st->uSPIident); - st->uSPIident = NULL; - - /* Clean up secrets */ - free(st->uSPIsecret); - st->uSPIsecret = NULL; st->uSPIsecretsize = 0; - verification_failed: - log_print("verification failed in handle_identity_response()"); - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, VERIFICATION_FAILURE); - send_packet(); - return 0; - } - - bcopy(header->SPI, st->uSPI, SPI_SIZE); - st->ulifetime = (header->lifetime[0] << 16) + - (header->lifetime[1] << 8) + header->lifetime[2]; - - st->lifetime = st->exchange_lifetime + time(NULL) + random() % 20; - st->retries = 0; - st->phase = SPI_UPDATE; - - schedule_remove(TIMEOUT, st->icookie); - - /* We don't need the packet buffer anylonger */ - if (st->packet != NULL) { - free(st->packet); - st->packet = NULL; - st->packetlen = 0; - } - - /* At this point we do not need the exchange values any longer */ - free(st->texchange); st->texchange = NULL; - free(st->exchangevalue); st->exchangevalue = NULL; - - if (st->oSPI[0] || st->oSPI[1] || st->oSPI[2] || st->oSPI[3]) { - /* Insert Owner SPI */ - if ((spi = spi_new(st->address, st->oSPI)) == NULL) { - log_print("spi_new() in handle_identity_response()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_error("strdup() in handle_identity_response()"); - return -1; - } - bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->flags |= SPI_OWNER; - spi->attribsize = st->oSPIattribsize; - spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); - if (spi->attributes == NULL) { - log_print("calloc() in handle_identity_response()"); - spi_value_reset(spi); - return -1; - } - bcopy(st->oSPIattrib, 
spi->attributes, spi->attribsize); - spi->lifetime = time(NULL) + st->olifetime; - - /* Cludge for getting the right verification field */ - state_save_verification(st, st->oSPIidentver, st->oSPIidentversize); - /* Make session keys for Owner */ - make_session_keys(st, spi); - - spi_insert(spi); -#ifdef IPSEC - kernel_insert_spi(st, spi); -#endif - spi_update_insert(spi); - } - if (st->uSPI[0] || st->uSPI[1] || st->uSPI[2] || st->uSPI[3]) { - /* Insert User SPI */ - if ((spi = spi_new(st->address, st->uSPI)) == NULL) { - log_print("spi_new() in handle_identity_response()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_error("strdup() in handle_identity_response()"); - return -1; - } - spi->flags |= st->flags & IPSEC_NOTIFY ? SPI_NOTIFY : 0; - bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->attribsize = st->uSPIattribsize; - spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); - if (spi->attributes == NULL) { - log_error("calloc() in handle_identity_response()"); - spi_value_reset(spi); - return -1; - } - bcopy(st->uSPIattrib, spi->attributes, spi->attribsize); - spi->lifetime = time(NULL) + st->ulifetime; - - /* Cludge for getting the right verification field */ - state_save_verification(st, st->uSPIidentver, st->uSPIidentversize); - /* Session keys for User */ - make_session_keys(st, spi); - - spi_insert(spi); -#ifdef IPSEC - kernel_insert_spi(st, spi); -#endif - } - return 0; -} diff --git a/sbin/photurisd/handle_message_reject.c b/sbin/photurisd/handle_message_reject.c deleted file mode 100644 index 74f477d0dd8..00000000000 --- a/sbin/photurisd/handle_message_reject.c +++ /dev/null 
@@ -1,77 +0,0 @@ -/* $OpenBSD: handle_message_reject.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * handle_message_reject: - * receive a MESSAGE_REJECT packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_message_reject.c,v 1.5 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "schedule.h" -#include "log.h" - -int -handle_message_reject(u_char *packet, int size, char *address) -{ - struct message_reject *header; - struct stateob *st; - - if (size != MESSAGE_REJECT_PACKET_SIZE) - return -1; /* packet too small/big */ - - header = (struct message_reject *) packet; - - if ((st = state_find_cookies(address, header->icookie, - header->rcookie)) == NULL) { - log_print("No state for MESSAGE_REJECT message from %s", - address); - return -1; - } - - log_print("Received MESSAGE_REJECT from %s on message type %d " - "offending offset %d", address, header->badtype, - header->offset); - return 0; -} diff --git a/sbin/photurisd/handle_resource_limit.c b/sbin/photurisd/handle_resource_limit.c deleted file mode 100644 index 566d1b069f6..00000000000 --- a/sbin/photurisd/handle_resource_limit.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* $OpenBSD: handle_resource_limit.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * handle_resource_limit: - * receive a RESOURCE_LIMIT packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_resource_limit.c,v 1.5 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "schedule.h" -#include "log.h" - -int -handle_resource_limit(u_char *packet, int size, char *address) -{ - struct error_message *header; - struct stateob *st; - int offset, counter; - - if (size != ERROR_MESSAGE_PACKET_SIZE + 1) - return -1; /* packet too small/big */ - - header = (struct error_message *) packet; - counter = packet[ERROR_MESSAGE_PACKET_SIZE]; - - if ((st = state_find_cookies(NULL, header->icookie, NULL)) == NULL) { - log_print("No state for RESOURCE_LIMIT message from %s", - address); - return -1; - } - - switch(st->phase) { - case COOKIE_REQUEST: - /* - * The other party has still an exchange which has been - * purged on our side. - */ - if (counter != 0) { - bcopy(header->rcookie, st->rcookie, COOKIE_SIZE); - st->counter = counter; - } - - /* We crank the timeout, so we can start a new exchange */ - st->lifetime += exchange_timeout; - st->resource = 1; - case VALUE_REQUEST: - offset = schedule_offset(TIMEOUT, st->icookie); - if (offset == -1) - offset = retrans_timeout; - else { - offset *= 2; - if (offset > exchange_timeout/2) - offset = exchange_timeout/2; - } - - schedule_remove(TIMEOUT, st->icookie); - schedule_insert(TIMEOUT, offset, st->icookie, COOKIE_SIZE); - break; - case SPI_UPDATE: - /* XXX - we have to wait for expiring of another SPI */ - break; - default: - log_print("Wrong phase for RESOURCE_LIMIT from %s", - address); - return 0; - } - - return 0; -} 
diff --git a/sbin/photurisd/handle_spi_needed.c b/sbin/photurisd/handle_spi_needed.c deleted file mode 100644 index a44e576e898..00000000000 --- a/sbin/photurisd/handle_spi_needed.c +++ /dev/null 
@@ -1,197 +0,0 @@ -/* $OpenBSD: handle_spi_needed.c,v 1.6 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * handle_spi_needed: - * receive a SPI_NEEDED packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_spi_needed.c,v 1.6 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "encrypt.h" -#include "validity.h" -#include "attributes.h" -#include "secrets.h" -#include "scheme.h" -#include "log.h" -#include "spi.h" -#ifdef IPSEC -#include "kernel.h" -#endif - -int -handle_spi_needed(u_char *packet, int size, char *address, - char *local_address) -{ - struct packet_sub parts[] = { - { "Verification", FLD_VARPRE, 0, 0, }, - { "Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - struct packet spi_msg = { - "SPI Needed", - SPI_NEEDED_MIN, 0, parts - }; - struct spi_needed *header; - struct stateob *st; - struct spiob *spi; - u_int8_t *attributes; - u_int16_t i, attribsize, tmp; - u_int8_t signature[22]; /* XXX - constant */ - - if (size < SPI_NEEDED_MIN) - return -1; /* packet too small */ - - header = (struct spi_needed *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) { - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, BAD_COOKIE); - send_packet(); - return 0; - } - - if (st->phase != SPI_UPDATE && st->phase != SPI_NEEDED) - return 0; /* We don't want this packet */ - - /* Decrypt message */ - tmp = size - SPI_NEEDED_MIN; - if (packet_decrypt(st, SPI_NEEDED_VERIFICATION(header), &tmp) == -1) { - log_print("packet_decrypt() in handle_spi_needed()"); - goto verification_failed; - } - - /* Verify message structure*/ - if (packet_check((u_int8_t *)header, size - packet[size-1], &spi_msg) == -1) { - log_print("bad packet structure in handle_spi_update()"); - 
return -1; - } - - i = get_validity_verification_size(st); - if (!i || i != parts[0].size || i > sizeof(signature)) { - log_print("verification size mismatch in handle_spi_needed()"); - goto verification_failed; - } - bcopy(parts[0].where, signature, i); - - attributes = parts[1].where; - attribsize = parts[1].size; - - if (!isattribsubset(st->oSPIoattrib,st->oSPIoattribsize, - attributes, attribsize)) { - log_print("attributes are not a subset in handle_spi_needed()"); - return 0; - } - - if (!verify_validity_verification(st, signature, packet, size)) { - verification_failed: - log_print("verification failed in handle_spi_needed()"); - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, VERIFICATION_FAILURE); - send_packet(); - return 0; - } - - if (st->uSPIoattrib != NULL) - free(st->uSPIoattrib); - - if((st->uSPIoattrib = calloc(attribsize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_spi_needed()"); - return -1; - } - bcopy(attributes, st->uSPIoattrib, attribsize); - st->uSPIoattribsize = attribsize; - - /* Delete old attributes, make_spi will make new */ - if (st->oSPIattrib != NULL) { - free(st->oSPIattrib); - st->oSPIattrib = NULL; - st->oSPIattribsize = 0; - } - if (make_spi(st, local_address, st->oSPI, &(st->olifetime), - &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) - return -1; - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_spi_update(st, packet_buffer, &packet_size) == -1) { - log_print("photuris_spi_update() in handle_spi_needed()"); - return -1; - } - send_packet(); - - /* Insert Owner SPI */ - if ((spi = spi_new(st->address, st->oSPI)) == NULL) { - log_print("spi_new() in handle_spi_needed()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_error("strdup() in handle_spi_needed()"); - return -1; - } - bcopy(st->icookie, spi->icookie, COOKIE_SIZE); - spi->flags |= SPI_OWNER; - spi->attribsize = 
st->oSPIattribsize; - spi->attributes = calloc(spi->attribsize, sizeof(u_int8_t)); - if (spi->attributes == NULL) { - log_error("calloc() in handle_spi_needed()"); - spi_value_reset(spi); - return -1; - } - bcopy(st->oSPIattrib, spi->attributes, spi->attribsize); - spi->lifetime = time(NULL) + st->olifetime; - - make_session_keys(st, spi); - - spi_insert(spi); - spi_update_insert(spi); -#ifdef IPSEC - kernel_insert_spi(st, spi); -#endif - return 0; -} diff --git a/sbin/photurisd/handle_spi_update.c b/sbin/photurisd/handle_spi_update.c deleted file mode 100644 index 7e39d73e68b..00000000000 --- a/sbin/photurisd/handle_spi_update.c +++ /dev/null 
@@ -1,188 +0,0 @@
-/* $OpenBSD: handle_spi_update.c,v 1.8 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ -/* - * handle_spi_update: - * receive a SPI_UPDATE packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_spi_update.c,v 1.8 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "packet.h" -#include "encrypt.h" -#include "validity.h" -#include "attributes.h" -#include "secrets.h" -#include "schedule.h" -#include "scheme.h" -#include "log.h" -#include "spi.h" -#ifdef IPSEC -#include "kernel.h" -#endif - -int -handle_spi_update(u_char *packet, int size, char *address, - char *local_address) -{ - struct packet_sub parts[] = { - { "Verification", FLD_VARPRE, 0, 0, }, - { "Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - struct packet spi_msg = { - "SPI Update", - SPI_UPDATE_MIN, 0, parts - }; - struct spi_update *header; - struct stateob *st; - struct spiob *spi; - time_t lifetime; - u_int8_t *attributes; - u_int16_t i, attribsize, tmp; - u_int8_t signature[22]; /* XXX - constant */ - - if (size < SPI_UPDATE_MIN) - return -1; /* packet too small */ - - header = (struct spi_update *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) { - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, BAD_COOKIE); - send_packet(); - return 0; - } - - if (st->phase != SPI_UPDATE && st->phase != SPI_NEEDED) - return 0; /* We don't want this packet */ - - /* Decrypt message */ - tmp = size - SPI_UPDATE_MIN; - if (packet_decrypt(st, SPI_UPDATE_VERIFICATION(header), &tmp) == -1) { - log_print("packet_decrypt() in handle_spi_update()"); - goto verification_failed; - } - - /* Verify message structure*/ - if (packet_check((u_int8_t *)header, size - packet[size-1], &spi_msg) == -1) { - log_print("bad packet 
structure in handle_spi_update()"); - return -1; - } - - i = get_validity_verification_size(st); - if (!i || i != parts[0].size || i > sizeof(signature)) { - log_print("verification size mismatch in handle_spi_update()"); - goto verification_failed; - } - bcopy(parts[0].where, signature, i); - - attributes = parts[1].where; - attribsize = parts[1].size; - - if (!isattribsubset(st->oSPIoattrib,st->oSPIoattribsize, - attributes, attribsize)) { - log_print("attributes are not a subset in handle_spi_update()"); - return 0; - } - - if (!verify_validity_verification(st, signature, packet, size)) { - verification_failed: - log_print("verification failed in handle_spi_update()"); - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - 0, VERIFICATION_FAILURE); - send_packet(); - return 0; - } - - lifetime = (header->lifetime[0]<<16) + (header->lifetime[1]<<8) + - header->lifetime[2]; - - if (lifetime == 0) { - /* Delete specified security association */ - if ((spi = spi_find(st->address, header->SPI)) == NULL) { - log_print("spi_find() in handle_spi_update()"); - return -1; - } -#ifdef IPSEC - kernel_unlink_spi(spi); -#endif - spi_value_reset(spi); - spi_unlink(spi); - return 0; - } - - /* The State object always retains the latest SPI pairs */ - bcopy(header->SPI, st->uSPI, SPI_SIZE); - - if ((spi = spi_new(st->address, header->SPI)) == NULL) { - log_print("spi_new() in handle_spi_update()"); - return -1; - } - if ((spi->local_address = strdup(local_address)) == NULL) { - log_error("strdup() in handle_spi_update()"); - return -1; - } - if((spi->attributes = calloc(attribsize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_spi_update()"); - return -1; - } - spi->flags |= st->flags & IPSEC_NOTIFY ? 
SPI_NOTIFY : 0;
- bcopy(attributes, spi->attributes, attribsize);
- spi->attribsize = attribsize;
- bcopy(st->icookie, spi->icookie, COOKIE_SIZE);
- spi->lifetime = time(NULL) + lifetime;
-
- make_session_keys(st, spi);
-
- spi_insert(spi);
-#ifdef IPSEC
- kernel_insert_spi(st, spi);
-#endif
- return 0;
-}
diff --git a/sbin/photurisd/handle_value_request.c b/sbin/photurisd/handle_value_request.c
deleted file mode 100644
index 6b5ecc01a8f..00000000000
--- a/sbin/photurisd/handle_value_request.c
+++ /dev/null
@@ -1,310 +0,0 @@
-/* $OpenBSD: handle_value_request.c,v 1.9 2002/06/10 19:58:20 espie Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ -/* - * handle_value_request: - * receive a VALUE_REQUEST packet; return (-1) on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_value_request.c,v 1.9 2002/06/10 19:58:20 espie Exp $"; -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <sys/time.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <ssl/bn.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "config.h" -#include "buffer.h" -#include "scheme.h" -#include "packet.h" -#include "exchange.h" -#include "secrets.h" -#include "server.h" -#include "log.h" - -int -handle_value_request(u_char *packet, int size, - char *address, u_short port, - u_int8_t *schemes, u_int16_t ssize) - -{ - struct packet_sub parts[] = { - { "Exchange Value", FLD_VARPRE, 0, 0, }, - { "Offered Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - struct packet vr_msg = { - "Value Request", - VALUE_REQUEST_MIN, 0, parts - }; - struct value_request *header; - struct stateob *st; - BIGNUM *test, *gen, *mod; - u_int8_t *p, *modp, *refp, *genp = NULL; - size_t sstart, vsize, modsize, modpsize, refpsize; - int modflag; - u_int8_t scheme_ref[2]; - u_int8_t rcookie[COOKIE_SIZE]; - - if (size < VALUE_REQUEST_MIN) - return (-1); /* packet too small */ - - if (packet_check(packet, size, &vr_msg) == -1) { - log_print("bad packet structure in handle_value_request()"); - return (-1); - } - - header = (struct value_request *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) { - struct stateob tempst; - bzero((char *)&tempst, sizeof(tempst)); /* Set up temp. 
state */ - tempst.initiator = 0; /* We are the Responder */ - bcopy(header->icookie, tempst.icookie, COOKIE_SIZE); - strncpy(tempst.address, address, 15); - tempst.port = global_port; - tempst.counter = header->counter; - - cookie_generate(&tempst, rcookie, COOKIE_SIZE, schemes, ssize); - - /* Check for invalid cookie */ - if (bcmp(rcookie, header->rcookie, COOKIE_SIZE)) { - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(&tempst, packet_buffer, &packet_size, - header->icookie, header->rcookie, - header->counter, BAD_COOKIE); - send_packet(); - return (0); - } - - /* Check exchange value - XXX doesn't check long form */ - vsize = parts[0].size; - - /* Check schemes - selected length is in exchange value*/ - sstart = 0; - modflag = 0; - refp = modp = NULL; - *(u_int16_t *)scheme_ref = htons(scheme_get_ref(header->scheme)); - while (sstart < ssize) { - p = scheme_get_mod(schemes + sstart); - modsize = varpre2octets(p); - if (!bcmp(header->scheme, schemes + sstart, 2)) { - modflag = 1; - if (modsize == vsize) { - genp = scheme_get_gen(schemes+sstart); - modp = p; - modpsize = modsize; - break; /* On right scheme + right size */ - } else if (modsize <= 2 && refp != NULL) { - modp = refp; - modpsize = refpsize; - break; - } - } else if (!bcmp(scheme_ref, schemes + sstart, 2) && - modsize == vsize) { - genp = scheme_get_gen(schemes + sstart); - if (modflag) { - modp = p; - modpsize = modsize; - break; - } - refp = p; - refpsize = modsize; - } - - sstart += scheme_get_len(schemes+sstart); - } - if (sstart >= ssize) - return (-1); /* Did not find a scheme - XXX log */ - - /* now check the exchange value */ - test = BN_new(); - if (BN_varpre2bn(parts[0].where, parts[0].size, test) == NULL) { - BN_free(test); - return (-1); - } - - mod = BN_new(); - if (BN_varpre2bn(modp, modpsize, mod) == NULL) { - BN_free(test); - BN_free(mod); - return (-1); - } - - gen = BN_new(); - if (exchange_set_generator(gen, header->scheme, genp) == -1 || - !exchange_check_value(test, 
gen, mod)) { - BN_free(test); - BN_free(gen); - BN_free(mod); - return 0; - } - BN_free(test); - BN_free(gen); - BN_free(mod); - - if ((st = state_new()) == NULL) - goto resourcefail; - - /* Default options */ - st->flags = IPSEC_OPT_ENC|IPSEC_OPT_AUTH; - - /* Fill the state object */ - st->uSPIoattrib = calloc(parts[1].size, sizeof(u_int8_t)); - if (st->uSPIoattrib == NULL) { - state_value_reset(st); - goto resourcefail; - } - bcopy(parts[1].where, st->uSPIoattrib, parts[1].size); - st->uSPIoattribsize = parts[1].size; - - /* Save scheme, which will be used by both parties */ - vsize = 2 + varpre2octets(modp); - - /* XXX - VPN - only support two octets */ - if (genp != NULL) - vsize += 2 + varpre2octets(genp); - - st->scheme = calloc(vsize, sizeof(u_int8_t)); - if (st->scheme == NULL) { - state_value_reset(st); - goto resourcefail; - } - bcopy(header->scheme, st->scheme, 2); - if (genp != NULL) { - st->scheme[2] = (vsize-4) >> 8; - st->scheme[3] = (vsize-4) & 0xFF; - bcopy(genp, st->scheme+2+2, varpre2octets(genp)); - } - bcopy(modp, st->scheme + 2 + (genp == NULL ? 
0 : 2 + varpre2octets(genp)), - varpre2octets(modp));; - - st->schemesize = vsize; - -#ifdef DEBUG - { - int i = BUFFER_SIZE; - bin2hex(buffer, &i, parts[0].where, varpre2octets(VALUE_REQUEST_VALUE(header))); - printf("Got exchange value 0x%s\n", buffer); - } -#endif - - /* Set exchange value */ - st->texchangesize = parts[0].size; - st->texchange = calloc(st->texchangesize, sizeof(u_int8_t)); - if (st->texchange == NULL) { - log_error("calloc() in handle_value_request()"); - state_value_reset(st); - goto resourcefail; - } - bcopy(parts[0].where, st->texchange, st->texchangesize); - - - /* Fill in the state object with generic data */ - strncpy(st->address, address, 15); - st->port = port; - st->counter = header->counter; - bcopy(header->icookie, st->icookie, COOKIE_SIZE); - bcopy(header->rcookie, st->rcookie, COOKIE_SIZE); - bcopy(&header->counter, st->uSPITBV, 3); - - if ((st->roschemes = calloc(ssize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in handle_value_request()"); - state_value_reset(st); - goto resourcefail; - } - bcopy(schemes, st->roschemes, ssize); - st->roschemesize = ssize; - - if (pick_attrib(st, &(st->oSPIoattrib), - &(st->oSPIoattribsize)) == -1) { - state_value_reset(st); - goto resourcefail; - } - - st->lifetime = exchange_timeout + time(NULL); - - /* Now put the filled state object in the chain */ - state_insert(st); - } else if (st->phase != VALUE_RESPONSE) { - LOG_DBG((LOG_PROTOCOL, 55, - "%s: value request from %s, but we are in state %d", - __func__, - st->address, st->phase)); - return (-1); - } - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_value_response(st, packet_buffer, &packet_size) == -1) - return (-1); - - send_packet(); - - /* Compute the shared secret now */ - compute_shared_secret(st, &(st->shared), &(st->sharedsize)); -#ifdef DEBUG - { - int i = BUFFER_SIZE; - bin2hex(buffer, &i, st->shared, st->sharedsize); - printf("Shared secret is: 0x%s\n", buffer); - } -#endif - - if (st->oSPIprivacyctx == NULL) { - /* 
Initialize Privacy Keys from Exchange Values */ - init_privacy_key(st, 0); /* User -> Owner direction */ - init_privacy_key(st, 1); /* Owner -> User direction */ - } - - st->retries = 0; - st->phase = VALUE_RESPONSE; - return (0); - - resourcefail: - packet_size = PACKET_BUFFER_SIZE; - photuris_error_message(st, packet_buffer, &packet_size, - header->icookie, header->rcookie, - header->counter, RESOURCE_LIMIT); - send_packet(); - return (0); -} diff --git a/sbin/photurisd/handle_value_response.c b/sbin/photurisd/handle_value_response.c deleted file mode 100644 index 31b875a1aa0..00000000000 --- a/sbin/photurisd/handle_value_response.c +++ /dev/null 
@@ -1,171 +0,0 @@
-/* $OpenBSD: handle_value_response.c,v 1.6 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ -/* - * handle_value_response: - * receive a VALUE_RESPONSE packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: handle_value_response.c,v 1.6 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" -#include "buffer.h" -#include "scheme.h" -#include "packet.h" -#include "schedule.h" -#include "exchange.h" -#include "secrets.h" -#include "spi.h" -#include "log.h" -#ifdef DEBUG -#include "config.h" -#endif - -int -handle_value_response(u_char *packet, int size, char *address, - char *local_address) - -{ - struct packet_sub parts[] = { - { "Exchange Value", FLD_VARPRE, 0, 0, }, - { "Offered Attributes", FLD_ATTRIB, FMD_ATT_FILL, 0, }, - { NULL } - }; - struct packet vr_msg = { - "Value Response", - VALUE_RESPONSE_MIN, 0, parts - }; - struct value_response *header; - struct stateob *st; - BIGNUM *test; - - if (size < VALUE_RESPONSE_MIN) - return -1; /* packet too small */ - - if (packet_check(packet, size, &vr_msg) == -1) { - log_print("bad packet structure in handle_value_response()"); - return -1; - } - - header = (struct value_response *) packet; - - st = state_find_cookies(address, header->icookie, header->rcookie); - if (st == NULL) - return -1; /* Silently discard */ - - if (st->phase != VALUE_REQUEST) - return -1; /* We don't want this packet */ - - /* Now check the exchange value for defects */ - test = BN_new(); - BN_varpre2bn(parts[0].where, parts[0].size, test); - if (!exchange_check_value(test, st->generator, st->modulus)) { - BN_clear_free(test); - return 0; - } - BN_clear_free(test); - - /* Reserved Field for TBV */ - bcopy(header->reserved, st->uSPITBV, 3); - - /* Fill the state object */ - st->uSPIoattrib = calloc(parts[1].size, sizeof(u_int8_t)); - if (st->uSPIoattrib == NULL) { - state_value_reset(st); - state_unlink(st); - return -1; - } - 
bcopy(parts[1].where, st->uSPIoattrib, parts[1].size); - st->uSPIoattribsize = parts[1].size; - -#ifdef DEBUG - { - int i = BUFFER_SIZE; - bin2hex(buffer, &i, parts[0].where, parts[0].size); - printf("Got exchange value 0x%s\n", buffer); - } -#endif - - /* Set exchange value */ - st->texchangesize = parts[0].size; - st->texchange = calloc(st->texchangesize, sizeof(u_int8_t)); - if (st->texchange == NULL) { - log_error("calloc() in handle_value_response()"); - return -1; - } - bcopy(parts[0].where, st->texchange, st->texchangesize); - - /* Compute the shared secret now */ - compute_shared_secret(st, &(st->shared), &(st->sharedsize)); -#ifdef DEBUG - { - int i = BUFFER_SIZE; - bin2hex(buffer, &i, st->shared, st->sharedsize); - printf("Shared secret is: 0x%s\n", buffer); - } -#endif - - /* Create SPI + choice of attributes */ - if (make_spi(st, local_address, st->oSPI, &(st->olifetime), - &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) { - log_print("make_spi() in handle_value_response()"); - return -1; - } - - /* Initialize Privacy Keys from Exchange Values */ - init_privacy_key(st, 0); /* User -> Owner direction */ - init_privacy_key(st, 1); /* Owner -> User direction */ - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_identity_request(st, packet_buffer, &packet_size) == -1) - return -1; - - packet_save(st, packet_buffer, packet_size); - - send_packet(); - - st->retries = 0; - st->phase = IDENTITY_REQUEST; - - schedule_remove(TIMEOUT, st->icookie); - schedule_insert(TIMEOUT, retrans_timeout, st->icookie, COOKIE_SIZE); - return 0; -} diff --git a/sbin/photurisd/handle_verification_failure.c b/sbin/photurisd/handle_verification_failure.c deleted file mode 100644 index 1bd9d86d6ba..00000000000 --- a/sbin/photurisd/handle_verification_failure.c +++ /dev/null 
@@ -1,76 +0,0 @@
-/* $OpenBSD: handle_verification_failure.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * handle_verification_failure:
- * receive a VERIFICATION_FAILURE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: handle_verification_failure.c,v 1.5 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-#include "buffer.h"
-#include "packet.h"
-#include "schedule.h"
-#include "log.h"
-
-int
-handle_verification_failure(u_char *packet, int size, char *address)
-{
- struct error_message *header;
- struct stateob *st;
-
- if (size != ERROR_MESSAGE_PACKET_SIZE)
- return -1; /* packet too small/big */
-
- header = (struct error_message *) packet;
-
- if ((st = state_find_cookies(address, header->icookie,
- header->rcookie)) == NULL) {
- log_print("No state for VERIFICATION_FAILURE message from %s",
- address);
- return -1;
- }
-
- log_print("Received VERIFICATION_FAILURE from %s", address);
-
- return 0;
-}
diff --git a/sbin/photurisd/identity.c b/sbin/photurisd/identity.c
deleted file mode 100644
index 936c5843c1d..00000000000
--- a/sbin/photurisd/identity.c
+++ /dev/null
@@ -1,825 +0,0 @@
-/* $OpenBSD: identity.c,v 1.8 2002/12/06 02:17:42 deraadt Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * identity.c:
- * handling identity choices and creation of the before mentioned.
- */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: identity.c,v 1.8 2002/12/06 02:17:42 deraadt Exp $"; -#endif - -#define _IDENTITY_C_ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <string.h> -#include <ctype.h> -#include <sys/types.h> -#include <pwd.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <md5.h> -#include <ssl/bn.h> -#include <sha1.h> -#include "config.h" -#include "photuris.h" -#include "state.h" -#include "attributes.h" -#include "modulus.h" -#include "exchange.h" -#include "identity.h" -#include "buffer.h" -#include "scheme.h" -#include "log.h" - -#ifdef NEED_STRSEP -#include "strsep.h" -#endif - -static struct identity *idob = NULL; - -static union { - MD5_CTX md5ctx; - SHA1_CTX sha1ctx; -} Ctx, Ctx2; - -/* Identity transforms */ -/* XXX - argh, cast the funtions */ - -static struct idxform idxform[] = { - { HASH_MD5, 5, MD5_SIZE, (void *)&Ctx.md5ctx, - sizeof(MD5_CTX), (void *)&Ctx2.md5ctx, - (void (*)(void *))MD5Init, - (void (*)(void *, unsigned char *, unsigned int))MD5Update, - (void (*)(unsigned char *, void *))MD5Final }, - { HASH_SHA1, 6, SHA1_SIZE, (void *)&Ctx.sha1ctx, - sizeof(SHA1_CTX), (void *)&Ctx2.sha1ctx, - (void (*)(void *))SHA1Init, - (void (*)(void *, unsigned char *, unsigned int))SHA1Update, - (void (*)(unsigned char *, void *))SHA1Final }, -}; - -int -init_identities(char *name, struct identity *root) -{ - FILE *fp; - char *p, *p2, *file = secret_file; - struct identity *tmp, **ob; - struct passwd *pwd; - struct stat sb; - int type; - - if (name != NULL) { - ob = (struct identity **)&root->object; - file = name; - } else - ob = &idob; - - if (lstat(file, &sb) == -1) { - log_error("lstat() on %s in init_identities()", file); - return -1; - } - if (((sb.st_mode & S_IFMT) & ~S_IFREG)) { - log_print("no regular file %s in init_identities()", file); - return -1; - } - fp = fopen(file, "r"); - if (fp == (FILE *) NULL) - { - log_error("no hash 
secrets file %s", file); - return -1; - } - -#ifdef DEBUG - if (name == NULL) - printf("[Reading identities + secrets]\n"); -#endif - - while(fgets(buffer, BUFFER_SIZE,fp)) { - p=buffer; - while(isspace(*p)) /* Get rid of leading spaces */ - p++; - if(*p == '#') /* Ignore comments */ - continue; - if(!strlen(p)) - continue; - - if (!strncmp(p, IDENT_LOCAL, strlen(IDENT_LOCAL))) { - type = ID_LOCAL; - p += strlen(IDENT_LOCAL); - } else if (!strncmp(p, IDENT_LOCALPAIR, strlen(IDENT_LOCALPAIR))) { - type = ID_LOCALPAIR; - p += strlen(IDENT_LOCALPAIR); - } else if (!strncmp(p, IDENT_REMOTE, strlen(IDENT_REMOTE))) { - type = ID_REMOTE; - p += strlen(IDENT_REMOTE); - } else if (!strncmp(p, IDENT_LOOKUP, strlen(IDENT_LOOKUP))) { - type = ID_LOOKUP; - p += strlen(IDENT_LOOKUP); - } else { - log_print("Unknown tag %s in %s", p, file); - continue; - } - - if ((tmp = identity_new()) == NULL) { - log_print("identity_new() in init_identities()"); - continue; - } - - p2 = p; - if (!isspace(*p2)) - continue; - - /* Tokens are braced with "token" */ - if((p=strsep(&p2, "\"\'")) == NULL || - (p=strsep(&p2, "\"\'")) == NULL) - continue; - - tmp->type = type; - tmp->tag = strdup(p); - tmp->root = root; - - switch(type) { - case ID_LOCAL: - case ID_REMOTE: - if (type == ID_REMOTE) { - /* Search for duplicates */ - if (identity_find(idob, tmp->tag, ID_REMOTE) != NULL) { - log_print("Duplicate id \"%s\" found in %s", - tmp->tag, name != NULL ? 
name : "root"); - identity_value_reset(tmp); - continue; - } - } - /* Tokens are braced with "token" */ - if((p=strsep(&p2, "\"\'")) == NULL || - (p=strsep(&p2, "\"\'")) == NULL) { - identity_value_reset(tmp); - continue; - } - tmp->object = strdup(p); - break; - case ID_LOCALPAIR: - /* Tokens are braced with "token" */ - if((p=strsep(&p2, "\"\'")) == NULL || - (p=strsep(&p2, "\"\'")) == NULL) { - identity_value_reset(tmp); - continue; - } - tmp->pairid = strdup(p); - /* Tokens are braced with "token" */ - if((p=strsep(&p2, "\"\'")) == NULL || - (p=strsep(&p2, "\"\'")) == NULL) { - identity_value_reset(tmp); - continue; - } - tmp->object = strdup(p); - break; - case ID_LOOKUP: - if (name != NULL) { - log_print("lookup in user file %s in init_identities()", - name); - continue; - } - while(isspace(*p2)) p2++; - - while(isspace(p2[strlen(p2)-1])) - p2[strlen(p2)-1] = 0; - - if ((pwd = getpwnam(p2)) == NULL) { - log_error("getpwnam() in init_identities()"); - identity_value_reset(tmp); - continue; - } else { - char *dir = calloc(strlen(PHOTURIS_USER_SECRET)+ - strlen(pwd->pw_dir) + 2, - sizeof(char)); - - /* This is the user name */ - tmp->pairid = strdup(p2); - - if (dir == NULL) { - log_error("calloc() in init_identities()"); - identity_value_reset(tmp); - continue; - } - sprintf(dir,"%s/%s", pwd->pw_dir, PHOTURIS_USER_SECRET); - if (init_identities(dir, (struct identity *)tmp) == -1) { - free(dir); - identity_value_reset(tmp); - continue; - } - - free(dir); - } - break; - } - identity_insert(ob, tmp); - } - fclose(fp); - - return 0; -} - -/* - * Get shared symmetric keys and identity, put the values in - * the state object. If a SPI User ident is given, we look up - * the matching remote secret. 
- */ - -int -get_secrets(struct stateob *st, int mode) -{ - u_int8_t local_ident[MAX_IDENT]; - u_int8_t local_secret[MAX_IDENT_SECRET]; - u_int8_t remote_secret[MAX_IDENT_SECRET]; - - struct identity *id, *root = idob; - - local_ident[0] = '\0'; - local_secret[0] = '\0'; - remote_secret[0] = '\0'; - - /* - * Remote secret first, if we find the remote secret in - * a user secret file, we restrict our local searches - * to that tree. - */ - - if(st->uSPIident != NULL && st->uSPIsecret == NULL && - (mode & ID_REMOTE)) { - int skip; - - if (st->uSPIident[0] == 255 && st->uSPIident[1] == 255) - skip = 8; - else if (st->uSPIident[0] == 255) - skip = 4; - else - skip = 2; - - id = identity_find(root, st->uSPIident+skip, ID_REMOTE); - if (id != NULL) { - strncpy(remote_secret, id->object, MAX_IDENT_SECRET-1); - remote_secret[MAX_IDENT_SECRET-1] = '\0'; - - if (id->root) - root = (struct identity *)id->root->object; - } - } - - if (st->user != NULL && - (id = identity_find(idob, st->user, ID_LOOKUP)) != NULL) { - /* User keying */ - id = identity_find((struct identity *)id->object, NULL, ID_LOCAL); - } else - id = NULL; - - if (id == NULL) { - /* Host keying */ - id = identity_find(root, NULL, ID_LOCAL); - } - - if (id != NULL && (mode & (ID_LOCAL|ID_LOCALPAIR))) { - /* Namespace: root->tag + user->tag */ - if (id->root) { - strncpy(local_ident, id->root->tag, MAX_IDENT-1); - local_ident[MAX_IDENT-1] = '\0'; - } - strncpy(local_ident+strlen(local_ident), id->tag, - MAX_IDENT-1-strlen(local_ident)); - local_ident[MAX_IDENT_SECRET-1] = '\0'; - - strncpy(local_secret, id->object, MAX_IDENT_SECRET-1); - local_secret[MAX_IDENT_SECRET-1] = '\0'; - } - if (st->uSPIident != NULL && st->oSPIident == NULL && - (mode & (ID_LOCAL|ID_LOCALPAIR))) { - int skip; - if (st->uSPIident[0] == 255 && st->uSPIident[1] == 255) - skip = 8; - else if (st->uSPIident[0] == 255) - skip = 4; - else - skip = 2; - - id = identity_find(root, st->uSPIident+skip, ID_LOCALPAIR); - if (id != NULL) { - 
local_ident[0] = '\0'; - /* Namespace: root->tag + user->tag */ - if (id->root) { - strncpy(local_ident, id->root->tag, MAX_IDENT-1); - local_ident[MAX_IDENT-1] = '\0'; - } - strncpy(local_ident+strlen(local_ident), id->pairid, - MAX_IDENT-1-strlen(local_ident)); - local_ident[MAX_IDENT-1] = '\0'; - - strncpy(local_secret, id->object, MAX_IDENT_SECRET-1); - local_secret[MAX_IDENT_SECRET-1] = '\0'; - } - } - - if(strlen(remote_secret) == 0 && (mode & ID_REMOTE)) { - log_print("Can't find remote secret for %s in get_secrets()", - st->uSPIident+2); - return -1; - } - - if (strlen(local_ident) == 0 && (mode & (ID_LOCAL|ID_LOCALPAIR)) ) { - log_print("Can't find local identity in get_secrets()"); - return -1; - } - - if(st->oSPIident == NULL && (mode & (ID_LOCAL|ID_LOCALPAIR))) { - st->oSPIident = calloc(2+strlen(local_ident)+1,sizeof(u_int8_t)); - if(st->oSPIident == NULL) - return -1; - strcpy(st->oSPIident+2,local_ident); - st->oSPIident[0] = ((strlen(local_ident)+1) >> 5) & 0xFF; - st->oSPIident[1] = ((strlen(local_ident)+1) << 3) & 0xFF; - - st->oSPIsecretsize = strlen(local_secret); - st->oSPIsecret = calloc(st->oSPIsecretsize,sizeof(u_int8_t)); - if(st->oSPIsecret == NULL) - return -1; - strncpy(st->oSPIsecret, local_secret, st->oSPIsecretsize); - } - if(st->uSPIident != NULL && st->uSPIsecret == NULL && - (mode & ID_REMOTE)) { - st->uSPIsecretsize = strlen(remote_secret); - st->uSPIsecret = calloc(st->uSPIsecretsize,sizeof(u_int8_t)); - if(st->uSPIsecret == NULL) - return -1; - strncpy(st->uSPIsecret, remote_secret, st->uSPIsecretsize); - } - return 0; -} - -int -choose_identity(struct stateob *st, u_int8_t *packet, u_int16_t *size, - u_int8_t *attributes, u_int16_t attribsize) -{ - u_int16_t rsize, asize, tmp; - attrib_t *ob; - int mode = 0; - rsize = *size; - - /* XXX - preference of identity choice ? 
*/ - tmp = 0; - while(attribsize>0) { - /* Check if we support this identity choice */ - if ((ob = getattrib(*attributes)) != NULL && - (ob->type & AT_ID)) - break; - - if(attribsize -(*(attributes+1)+2) > attribsize) { - attribsize=0; - break; - } - attribsize -= *(attributes+1)+2; - attributes += *(attributes+1)+2; - } - - if(attribsize == 0) { - log_print("No identity choice found in offered attributes " - "in choose_identity()"); - return -1; - } - - if(rsize < *(attributes+1)+2) - return -1; - - asize = *(attributes+1)+2; - rsize -= asize; - bcopy(attributes, packet, asize); - - /* Now put identity in state object */ - if (st->oSPIidentchoice == NULL) { - if ((st->oSPIidentchoice = calloc(asize, sizeof(u_int8_t))) == NULL) - return -1; - bcopy(attributes, st->oSPIidentchoice, asize); - st->oSPIidentchoicesize = asize; - } - - packet += asize; - - /* Choose identity and secrets for Owner and User */ - if (st->uSPIsecret == NULL && st->uSPIident != NULL) - mode |= ID_REMOTE; - if (st->oSPIsecret == NULL) - mode |= ID_LOCAL; - if(get_secrets(st, mode) == -1) - return -1; - - /* oSPIident is varpre already */ - tmp = varpre2octets(st->oSPIident); - if(rsize < tmp) - return -1; - - bcopy(st->oSPIident, packet, tmp); - - *size = asize + tmp; - - return 0; -} - - -u_int16_t -get_identity_verification_size(struct stateob *st, u_int8_t *choice) -{ - struct idxform *hash; - - if ((hash = get_hash_id(*choice)) == NULL) { - log_print("Unknown identity choice: %d\n", *choice); - return 0; - } - - return hash->hashsize+2; -} - -/* - * Gets a hash corresponding with a Photuris ID - */ - -struct idxform *get_hash_id(int id) -{ - int i; - for (i=0; i<sizeof(idxform)/sizeof(idxform[0]); i++) - if (id == idxform[i].id) - return &idxform[i]; - return NULL; -} - -struct idxform *get_hash(enum hashes hashtype) -{ - int i; - for (i=0; i<sizeof(idxform)/sizeof(idxform[0]); i++) - if (hashtype == idxform[i].type) - return &idxform[i]; - log_print("Unknown hash type: %d in get_hash()", 
hashtype); - return NULL; -} - -int -create_verification_key(struct stateob *st, u_int8_t *buffer, u_int16_t *size, - int owner) -{ - struct idxform *hash; - int id = owner ? *(st->oSPIidentchoice) : *(st->uSPIidentchoice); - - if ((hash = get_hash_id(id)) == NULL) { - log_print("Unknown identity choice %d in create_verification_key", id); - return -1; - } - - if (*size < hash->hashsize) - return -1; - - hash->Init(hash->ctx); - if (owner) - hash->Update(hash->ctx, st->oSPIsecret, st->oSPIsecretsize); - else - hash->Update(hash->ctx, st->uSPIsecret, st->uSPIsecretsize); - - hash->Update(hash->ctx, st->shared, st->sharedsize); - hash->Final(buffer, hash->ctx); - *size = hash->hashsize; - - return 0; -} - -int -create_identity_verification(struct stateob *st, u_int8_t *buffer, - u_int8_t *packet, u_int16_t size) -{ - int hash_size; - struct idxform *hash; - - if ((hash = get_hash_id(*(st->oSPIidentchoice))) == NULL) { - log_print("Unknown identity choice %d in create_verification_key", - *(st->oSPIidentchoice)); - return 0; - } - - hash_size = idsign(st, hash, buffer+2, packet,size); - - if(hash_size) { - /* Create varpre number from digest */ - buffer[0] = hash_size >> 5 & 0xFF; - buffer[1] = hash_size << 3 & 0xFF; - - if(st->oSPIidentver != NULL) - free(st->oSPIidentver); - - st->oSPIidentver = calloc(hash_size+2,sizeof(u_int8_t)); - if(st->oSPIidentver == NULL) { - log_error("Not enough memory in create_identity_verification()"); - return 0; - } - - bcopy(buffer, st->oSPIidentver, hash_size+2); - st->oSPIidentversize = hash_size+2; - - state_save_verification(st, st->oSPIidentver, hash_size+2); - } - return hash_size+2; -} - -int -verify_identity_verification(struct stateob *st, u_int8_t *buffer, - u_int8_t *packet, u_int16_t size) -{ - struct idxform *hash; - - if ((hash = get_hash_id(*(st->uSPIidentchoice))) == NULL) { - log_print("Unknown identity choice %d in create_verification_key", - *(st->uSPIidentchoice)); - return 0; - } - - if (varpre2octets(buffer) != 
hash->hashsize +2) - return 0; - - state_save_verification(st, buffer, hash->hashsize+2); - - return idverify(st, hash, buffer+2, packet, size); -} - - -int -idsign(struct stateob *st, struct idxform *hash, u_int8_t *signature, - u_int8_t *packet, u_int16_t psize) -{ - u_int8_t key[HASH_MAX]; - u_int16_t keylen = HASH_MAX; - - create_verification_key(st, key, &keylen, 1); /* Owner direction */ - - hash->Init(hash->ctx); - - /* Our verification key */ - hash->Update(hash->ctx, key, keylen); - /* Key fill */ - hash->Final(NULL, hash->ctx); - - /* - * Hash Cookies, type, lifetime + spi fields + - * SPI owner Identity Choice + Identity - */ - hash->Update(hash->ctx, packet, IDENTITY_MESSAGE_MIN + - st->oSPIidentchoicesize + varpre2octets(st->oSPIident)); - - if(st->uSPIident != NULL) { - hash->Update(hash->ctx, st->uSPIidentver, st->uSPIidentversize); - } - - /* Hash attribute choice, padding */ - packet += IDENTITY_MESSAGE_MIN; - psize -= IDENTITY_MESSAGE_MIN + packet[1] + 2; - packet += packet[1] + 2; - psize -= varpre2octets(packet) + 2 + hash->hashsize; - packet += varpre2octets(packet) + 2 + hash->hashsize; - - hash->Update(hash->ctx, packet, psize); - - /* Our exchange value */ - hash->Update(hash->ctx, st->oSPITBV, 3); - hash->Update(hash->ctx, st->exchangevalue, st->exchangesize); - hash->Update(hash->ctx, st->oSPIoattrib, st->oSPIoattribsize); - - /* Their exchange value */ - hash->Update(hash->ctx, st->uSPITBV, 3); - hash->Update(hash->ctx, st->texchange, st->texchangesize); - hash->Update(hash->ctx, st->uSPIoattrib, st->uSPIoattribsize); - - /* Responder offered schemes */ - hash->Update(hash->ctx, st->roschemes, st->roschemesize); - - /* Data fill */ - hash->Final(NULL, hash->ctx); - - /* And finally the trailing key */ - hash->Update(hash->ctx, key, keylen); - - hash->Final(signature, hash->ctx); - - return hash->hashsize; -} - -int -idverify(struct stateob *st, struct idxform *hash, u_int8_t *signature, - u_int8_t *packet, u_int16_t psize) -{ - u_int8_t 
digest[HASH_MAX]; - u_int8_t key[HASH_MAX]; - u_int16_t keylen = HASH_MAX; - struct identity_message *p = (struct identity_message *)packet; - - create_verification_key(st, key, &keylen, 0); /* User direction */ - - hash->Init(hash->ctx); - - /* Their verification key */ - hash->Update(hash->ctx, key, keylen); - /* Key fill */ - hash->Final(NULL, hash->ctx); - - /* - * Hash Cookies, type, lifetime + spi fields + - * SPI owner Identity Choice + Identity - */ - hash->Update(hash->ctx, packet, IDENTITY_MESSAGE_MIN + - st->uSPIidentchoicesize + varpre2octets(st->uSPIident)); - - /* Determine if the sender knew our secret already */ - if(p->type != IDENTITY_REQUEST) { - hash->Update(hash->ctx, st->oSPIidentver, st->oSPIidentversize); - } - - packet += IDENTITY_MESSAGE_MIN; - psize -= IDENTITY_MESSAGE_MIN + packet[1] + 2; - packet += packet[1] + 2; - psize -= varpre2octets(packet) + 2 + hash->hashsize; - packet += varpre2octets(packet) + 2 + hash->hashsize; - hash->Update(hash->ctx, packet, psize); - - /* Their exchange value */ - hash->Update(hash->ctx, st->uSPITBV, 3); - hash->Update(hash->ctx, st->texchange, st->texchangesize); - hash->Update(hash->ctx, st->uSPIoattrib, st->uSPIoattribsize); - - /* Our exchange value */ - hash->Update(hash->ctx, st->oSPITBV, 3); - hash->Update(hash->ctx, st->exchangevalue, st->exchangesize); - hash->Update(hash->ctx, st->oSPIoattrib, st->oSPIoattribsize); - - /* Responder offered schemes */ - hash->Update(hash->ctx, st->roschemes, st->roschemesize); - - /* Data fill */ - hash->Final(NULL, hash->ctx); - - /* And finally the trailing key */ - hash->Update(hash->ctx, key, keylen); - - hash->Final(digest, hash->ctx); - - return !bcmp(digest, signature, hash->hashsize); -} - -/* Functions for handling the linked list of identities */ - -int -identity_insert(struct identity **idob, struct identity *ob) -{ - struct identity *tmp; - - ob->next = NULL; - - if(*idob == NULL) { - *idob = ob; - return 1; - } - - tmp=*idob; - 
while(tmp->next!=NULL) - tmp = tmp->next; - - tmp->next = ob; - return 1; -} - -int -identity_unlink(struct identity **idob, struct identity *ob) -{ - struct identity *tmp; - if(*idob == ob) { - *idob = ob->next; - free(ob); - return 1; - } - - for(tmp=*idob; tmp!=NULL; tmp=tmp->next) { - if(tmp->next==ob) { - tmp->next=ob->next; - free(ob); - return 1; - } - } - return 0; -} - -struct identity * -identity_new(void) -{ - struct identity *p; - - if((p = calloc(1, sizeof(struct identity)))==NULL) - return NULL; - - return p; -} - -int -identity_value_reset(struct identity *ob) -{ - if (ob->tag != NULL) - free(ob->tag); - if (ob->pairid != NULL) - free(ob->pairid); - if (ob->object != NULL) - free(ob->object); - - return 1; -} - -/* - * find the state ob with matching address - */ - -struct identity * -identity_root(void) -{ - return idob; -} - -/* On ID_LOOKUP match pairid, on ID_LOCAL only match type */ - -struct identity * -identity_find(struct identity *idob, char *id, int type) -{ - struct identity *tmp = idob, *p; - while(tmp!=NULL) { - if(((type == ID_LOCAL && id == NULL) || - (type != ID_LOOKUP && !strcmp(id, tmp->tag)) || - (type == ID_LOOKUP && tmp->pairid != NULL && !strcmp(id, tmp->pairid))) && - type == tmp->type) - return tmp; - if (tmp->type == ID_LOOKUP && tmp->object != NULL) { - p = identity_find((struct identity *)tmp->object, id, type); - if (p != NULL) - return p; - } - tmp = tmp->next; - } - return NULL; -} - -void -identity_cleanup(struct identity **root) -{ - struct identity *p; - struct identity *tmp; - - if (root == NULL) - tmp = idob; - else - tmp = *root; - - while(tmp!=NULL) { - if (tmp->type == ID_LOOKUP) - identity_cleanup((struct identity **)&tmp->object); - p = tmp; - tmp = tmp->next; - identity_value_reset(p); - free(p); - } - - if (root != NULL) - *root = NULL; - else - idob = NULL; -} diff --git a/sbin/photurisd/identity.h b/sbin/photurisd/identity.h deleted file mode 100644 index c4d7adf09a1..00000000000 
--- a/sbin/photurisd/identity.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/* $OpenBSD */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * identity.h:
- * identity for a security association
- */
-
-#ifndef _IDENTITY_H_
-#define _IDENTITY_H_
-#include "state.h"
-
-struct identity {
- struct identity *next;
- struct identity *root;
- int type;
- char *tag;
- char *pairid;
- void *object;
-};
-
-enum hashes {
- HASH_MD5 = 0,
- HASH_SHA1 };
-
-struct idxform {
- enum hashes type; /* Type of the transform */
- int id; /* Photuris Attribute ID */
- u_int8_t hashsize; /* Size of the hash */
- void *ctx; /* Pointer to a context */
- int ctxsize;
- void *ctx2; /* Pointer to a 2nd context for speedup */
- void (*Init)(void *);
- void (*Update)(void *, unsigned char *, unsigned int);
- void (*Final)(unsigned char *, void *);
-};
-
-#undef EXTERN
-#ifdef _IDENTITY_C_
-#define EXTERN
-
-char *secret_file = NULL;
-
-#else
-#define EXTERN extern
-
-extern char *secret_file;
-#endif
-
-#define ID_LOCAL 1
-#define ID_LOCALPAIR 2
-#define ID_REMOTE 4
-#define ID_LOOKUP 8
-
-#define IDENT_LOCAL "identity local"
-#define IDENT_LOCALPAIR "identity pair local"
-#define IDENT_REMOTE "identity remote"
-#define IDENT_LOOKUP "identity lookup"
-
-#define MAX_IDENT 120
-#define MAX_IDENT_SECRET 120
-
-#define MD5_SIZE 16
-#define SHA1_SIZE 20
-
-#define HASH_MAX 20 /* Keep this uptodate with hashsizes */
-
-int init_identities(char *name, struct identity *ob);
-int identity_insert(struct identity **idob, struct identity *ob);
-int identity_unlink(struct identity **idob, struct identity *ob);
-struct identity *identity_new(void);
-struct identity *identity_root(void);
-int identity_value_reset(struct identity *ob);
-struct identity *identity_find(struct identity *ob, char *id, int type);
-void identity_cleanup(struct identity **idob);
-
-int get_secrets(struct stateob *st, int mode);
-int choose_identity(struct stateob *st, u_int8_t *packet, u_int16_t *size,
- u_int8_t *attributes, u_int16_t attribsize);
-u_int16_t get_identity_verification_size(struct stateob *st, u_int8_t *choice);
-int 
create_identity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size);
-int verify_identity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size);
-
-struct idxform *get_hash_id(int id);
-struct idxform *get_hash(enum hashes hashtype);
-int create_verification_key(struct stateob *, u_int8_t *, u_int16_t *, int);
-
-int idsign(struct stateob *, struct idxform *, u_int8_t *,
- u_int8_t *, u_int16_t);
-int idverify(struct stateob *, struct idxform *, u_int8_t *,
- u_int8_t *, u_int16_t);
-#endif
diff --git a/sbin/photurisd/kernel.c b/sbin/photurisd/kernel.c
deleted file mode 100644
index c8c5c8d3af0..00000000000
--- a/sbin/photurisd/kernel.c
+++ /dev/null
@@ -1,1533 +0,0 @@
-/* $OpenBSD: kernel.c,v 1.27 2002/08/08 20:17:34 aaron Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-/*
- * The following functions handle the interaction of the Photuris daemon
- * with the PF_ENCAP interface as used by OpenBSD's IPsec implementation.
- * This is the only file which needs to be changed for making Photuris
- * work with other kernel interfaces.
- * The SPI object here can actually hold two SPIs, one for encryption
- * and one for authentication.
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: kernel.c,v 1.27 2002/08/08 20:17:34 aaron Exp $";
-#endif
-
-#include <time.h>
-#include <sys/time.h>
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include <errno.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-#include <paths.h>
-#include <poll.h>
-
-#include <net/pfkeyv2.h>
-#include <netinet/ip_ipsp.h>
-#include <netinet/ip_esp.h>
-#include <netinet/ip_ah.h>
-
-#define _KERNEL_C_
-#include "photuris.h"
-#include "state.h"
-#include "attributes.h"
-#include "buffer.h"
-#include "api.h"
-#include "spi.h"
-#include "kernel.h"
-#include "log.h"
-#include "server.h"
-#ifdef DEBUG
-#include "config.h"
-#endif
-
-#define POLL_TIMEOUT 500
-
-#define SPITOINT(x) (((x)[0]<<24) + ((x)[1]<<16) + ((x)[2]<<8) + (x)[3])
-#define KERNEL_XF_SET(x) kernel_xf_set(sd, buffer, BUFFER_SIZE, iov, cnt, x)
-
-static int sd; /* normal PFKEY socket */
-static int regsd; /* PFKEY socket for Register and Acquire */
-static int pfkey_seq;
-static pid_t pfkey_pid;
-
-struct pfmsg {
- TAILQ_ENTRY(pfmsg) next;
-
- struct sadb_msg *smsg;
-};
-
-TAILQ_HEAD(pflist, pfmsg) pfqueue;
-
-/*
- * Translate a Photuris ID into a data structure for the
- * corresponding Kernel transform.
- */ - -transform * -kernel_get_transform(int id) -{ - int i; - - for (i=sizeof(xf)/sizeof(transform)-1; i >= 0; i--) - if (xf[i].photuris_id == id) - return &xf[i]; - return NULL; -} - -/* - * Mark a transform as supported by the kernel - */ - -void -kernel_transform_seen(int id, int type) -{ - int i; - - for (i=sizeof(xf)/sizeof(transform)-1; i >= 0; i--) - if (xf[i].kernel_id == id && (xf[i].flags & type)) { - LOG_DBG((LOG_KERNEL, 50, - "%s: %s algorithm %d", __func__ - type == XF_ENC ? "enc" : "auth", id)); - xf[i].flags |= XF_SUP; - return; - } -} - -/* - * Parse the supported transforms returned in the SADB_REGISTER response - */ - -void -kernel_transform_parse(struct sadb_supported *ssup) -{ - struct sadb_alg *salg = (struct sadb_alg *)(ssup + 1); - int i, type; - - type = ssup->sadb_supported_exttype == SADB_EXT_SUPPORTED_AUTH ? - XF_AUTH : XF_ENC; - - for (i = 0; i < ssup->sadb_supported_len - 1; i++, salg++) - kernel_transform_seen(salg->sadb_alg_id, type); -} - -/* - * See if we know about this transform and if it is supported - * by the kernel. - */ - -int -kernel_known_transform(int id) -{ - transform *xf = kernel_get_transform(id); - - return (xf == NULL || !(xf->flags & XF_SUP)) ? -1 : 0; -} - -/* - * For ESP, we can specify an additional AH transform. - * Not all combinations are possible. - * Returns AT_ENC, when the ESP transform does not allow this AH. - * Returns AT_AUTH, when the AH transform does not work with ESP. - */ - -int -kernel_valid(attrib_t *enc, attrib_t *auth) -{ - transform *xf_enc, *xf_auth; - - xf_enc = kernel_get_transform(enc->id); - xf_auth = kernel_get_transform(auth->id); - - if (xf_enc->flags & ESP_OLD) - return AT_ENC; - if (!(xf_auth->flags & ESP_NEW)) - return AT_AUTH; - return (0); -} - -/* - * Check if the chosen authentication transform, satisfies the - * selected flags. 
- */ - -int -kernel_valid_auth(attrib_t *auth, u_int8_t *flag, u_int16_t size) -{ - int i, hmac = 0; - transform *xf_auth = kernel_get_transform(auth->id); - - if (xf_auth == NULL) - return (-1); /* We don't know this attribute */ - - for (i=0; i<size; i++) { - switch (flag[i]) { - case AT_HMAC: - hmac = 1; - break; - default: - break; - } - } - - if (!hmac && !(xf_auth->flags & AH_OLD)) - return (-1); - if (hmac && !(xf_auth->flags & AH_NEW)) - return (-1); - - return (0); -} - -int -init_kernel(void) -{ - TAILQ_INIT(&pfqueue); - - if ((sd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) - log_fatal("%s: socket(PF_KEY) for IPsec key engine", __func__); - if ((regsd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) - log_fatal("%s: socket() for PFKEY register", __func__); - - pfkey_seq = 0; - pfkey_pid = getpid(); - - if (kernel_register(regsd) == -1) - log_fatal("%s: PFKEY socket registration failed", __func__); - - return (1); -} - -int -kernel_get_socket(void) -{ - return regsd; -} - -void -kernel_set_socket_policy(int sd) -{ - int level; - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - - level = IPSEC_LEVEL_BYPASS; /* Did I mention I'm privileged? 
*/ - if (setsockopt(sd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, - sizeof (int)) == -1) - log_fatal("setsockopt: can not bypass IPsec authentication policy"); - if (setsockopt(sd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, - (char *)&level, sizeof (int)) == -1) - log_fatal("setsockopt: can not bypass IPsec ESP transport policy"); - if (setsockopt(sd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, - (char *)&level, sizeof (int)) == -1) - log_fatal("setsockopt: can not bypass IPsec ESP network policy"); -} - -struct sadb_ext * -pfkey_find_extension(struct sadb_ext *start, void *end, u_int16_t type) -{ - struct sadb_ext *p = start; - - while ((void *)p < end) { - if (p->sadb_ext_type == type) - return (p); - p = (struct sadb_ext *)((u_char *)p + p->sadb_ext_len * 8); - } - - return (NULL); -} - -int -kernel_xf_set(int sd, char *buffer, int blen, struct iovec *iov, - int cnt, int len) -{ - struct sadb_msg *sres; - int seq; - - sres = (struct sadb_msg *)iov[0].iov_base; - seq = sres->sadb_msg_seq; - - if (writev(sd, iov, cnt) != len) { - perror("writev() in kernel_xf_set()"); - return (0); - } - - if (buffer) - return kernel_xf_read(sd, buffer, blen, seq); - return (1); -} - -void -kernel_queue_msg(struct sadb_msg *smsg) -{ - struct pfmsg *pfmsg; - - LOG_DBG((LOG_KERNEL, 50, "%s: queuing message type %d", - __func__, smsg->sadb_msg_type)); - - pfmsg = malloc(sizeof(*pfmsg)); - if (pfmsg == NULL) { - log_error("%s: malloc", __func__); - return; - } - - pfmsg->smsg = malloc(smsg->sadb_msg_len * 8); - if (pfmsg->smsg == NULL) { - log_error("%s: malloc", __func__); - free(pfmsg); - return; - } - - memcpy(pfmsg->smsg, smsg, smsg->sadb_msg_len * 8); - - TAILQ_INSERT_TAIL(&pfqueue, pfmsg, next); -} - -int -kernel_xf_read(int sd, char *buffer, int blen, int seq) -{ - struct sadb_msg *sres = (struct sadb_msg *)buffer; - int len, forus; - - /* - * Read in response from the kernel. 
If seq number and/or PID are - * given, we need to check PID and sequence number to see if it - * really is a message for us. - */ - do { - struct pollfd pfd; - - pfd.fd = sd; - pfd.events = POLLIN; - pfd.revents = 0; - - if (poll(&pfd, 1, POLL_TIMEOUT) == -1) { - log_error("%s: poll", __func__); - return (0); - } - - if (!(pfd.revents & POLLIN)) { - log_print("%s: no reply from pfkey", __func__); - return (0); - } - - if (recv(sd, sres, sizeof(*sres), MSG_PEEK) != sizeof(*sres)) { - log_error("%s: read()", __func__); - return (0); - } - len = sres->sadb_msg_len * 8; - if (len >= BUFFER_SIZE) { - log_print("%s: PFKEYV2 message len %d too big", - __func__, len); - return (0); - } - if (read(sd, sres, len) != len) { - log_error("%s: read()", __func__); - return (0); - } - - forus = !(sres->sadb_msg_pid && - sres->sadb_msg_pid != pfkey_pid) && - !(seq && sres->sadb_msg_seq != seq); - - if (!forus) { - switch (sres->sadb_msg_type) { - case SADB_ACQUIRE: - case SADB_EXPIRE: - kernel_queue_msg(sres); - break; - default: - LOG_DBG((LOG_KERNEL, 50, - "%s: skipping message type %d", __func__, - sres->sadb_msg_type)); - break; - } - } - - } while (!forus); - - if (sres->sadb_msg_errno) { - LOG_DBG((LOG_KERNEL, 40, "%s: PFKEYV2 result: %s", - __func__, strerror(sres->sadb_msg_errno))); - errno = sres->sadb_msg_errno; - return (0); - } - - return (1); -} - -int -kernel_register(int sd) -{ - struct sadb_msg smsg, *sres; - struct sadb_supported *ssup; - struct sadb_ext *ext; - void *end; - int encfound, authfound; - struct iovec iov[1]; - int cnt = 0; - - LOG_DBG((LOG_KERNEL, 20, "%s: fd %d", __func__, sd)); - - encfound = authfound = 0; - - bzero(&smsg, sizeof(smsg)); - - smsg.sadb_msg_len = sizeof(smsg) / 8; - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_REGISTER; - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - /* Register for ESP */ - smsg.sadb_msg_satype = 
SADB_SATYPE_ESP; - if (!kernel_xf_set(regsd, buffer, BUFFER_SIZE, iov, cnt, - smsg.sadb_msg_len*8)) { - log_error("%s: kernel_xf_set()", __func__); - return (-1); - } - - sres = (struct sadb_msg *)buffer; - ext = (struct sadb_ext *)(sres + 1); - end = (u_char *)sres + sres->sadb_msg_len * 8; - ssup = (struct sadb_supported *) - pfkey_find_extension(ext, end, SADB_EXT_SUPPORTED_AUTH); - if (ssup) { - kernel_transform_parse(ssup); - authfound = 1; - } - ssup = (struct sadb_supported *) - pfkey_find_extension(ext, end, SADB_EXT_SUPPORTED_ENCRYPT); - if (ssup) { - kernel_transform_parse(ssup); - encfound = 1; - } - - /* Register for AH */ - smsg.sadb_msg_satype = SADB_SATYPE_AH; - smsg.sadb_msg_seq = pfkey_seq++; - if (!kernel_xf_set(regsd, buffer, BUFFER_SIZE, iov, cnt, - smsg.sadb_msg_len*8)) { - log_error("%s: kernel_xf_set()", __func__); - return (-1); - } - - ext = (struct sadb_ext *)(sres + 1); - end = (u_char *)sres + sres->sadb_msg_len * 8; - - ssup = (struct sadb_supported *) - pfkey_find_extension(ext, end, SADB_EXT_SUPPORTED_AUTH); - if (ssup) { - kernel_transform_parse(ssup); - authfound = 1; - } - ssup = (struct sadb_supported *) - pfkey_find_extension(ext, end, SADB_EXT_SUPPORTED_ENCRYPT); - if (ssup) { - kernel_transform_parse(ssup); - encfound = 1; - } - - if (!authfound || !encfound) { - log_print("%s: SADB_REGISTER without supported algs %s %s", - __func__, encfound == 0 ? "encryption" : "", - authfound == 0 ? "authentication" : ""); - return (-1); - } - - return (0); -} - -u_int32_t -kernel_reserve_spi(char *src, char *dst, int options) -{ - u_int32_t spi; - int proto; - - LOG_DBG((LOG_KERNEL, 40, "%s: %s %s %s", __func__, src, - options & IPSEC_OPT_ENC ? "ESP" : "", - options & IPSEC_OPT_AUTH ? 
"AH" : "")); - - if ((options & (IPSEC_OPT_ENC|IPSEC_OPT_AUTH)) != - (IPSEC_OPT_ENC|IPSEC_OPT_AUTH)) { - switch(options & (IPSEC_OPT_ENC|IPSEC_OPT_AUTH)) { - case IPSEC_OPT_ENC: - proto = IPPROTO_ESP; - break; - default: - proto = IPPROTO_AH; - break; - } - return kernel_reserve_single_spi(src, dst, 0, proto); - } - - if (!(spi = kernel_reserve_single_spi(src, dst, 0, IPPROTO_ESP))) - return spi; - - /* Try to get the same spi for ah and esp */ - while (!kernel_reserve_single_spi(src, dst, spi, IPPROTO_AH)) { - kernel_delete_spi(src, spi, IPPROTO_ESP); - if (!(spi = kernel_reserve_single_spi(src, dst, 0, IPPROTO_ESP))) - return spi; - } - - return spi; -} - -u_int32_t -kernel_reserve_single_spi(char *srcaddress, char *dstaddress, u_int32_t spi, - int proto) -{ - struct sadb_msg smsg, *sres; - struct sadb_address sad1, sad2; /* src and dst */ - struct sadb_spirange sspi; - struct sadb_sa *ssa; - union sockaddr_union src, dst; - struct iovec iov[6]; - int cnt = 0; - - bzero(&src, sizeof(union sockaddr_union)); - bzero(&dst, sizeof(union sockaddr_union)); - bzero(iov, sizeof(iov)); - - bzero(&smsg, sizeof(smsg)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sspi, sizeof(sspi)); - - smsg.sadb_msg_len = sizeof(smsg) / 8; - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_GETSPI; - smsg.sadb_msg_satype = proto == IPPROTO_AH ? 
- SADB_SATYPE_AH : SADB_SATYPE_ESP; - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - /* Source Address */ - sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - sad1.sadb_address_len = (sizeof(sad1) + sizeof(struct sockaddr_in)) / 8; - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - - src.sin.sin_family = AF_INET; - src.sin.sin_len = sizeof(struct sockaddr_in); - src.sin.sin_addr.s_addr = inet_addr(dstaddress); - - iov[cnt].iov_base = &src; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - smsg.sadb_msg_len += sad1.sadb_address_len; - - /* Destination Address */ - sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - sad2.sadb_address_len = (sizeof(sad2) + sizeof(struct sockaddr_in)) / 8; - - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - - dst.sin.sin_family = AF_INET; - dst.sin.sin_len = sizeof(struct sockaddr_in); - dst.sin.sin_addr.s_addr = inet_addr(srcaddress); - - iov[cnt].iov_base = &dst; - iov[cnt++].iov_len = sizeof(struct sockaddr_in); - smsg.sadb_msg_len += sad2.sadb_address_len; - - sspi.sadb_spirange_exttype = SADB_EXT_SPIRANGE; - sspi.sadb_spirange_len = sizeof(sspi) / 8; - if (spi) { - sspi.sadb_spirange_min = spi; - sspi.sadb_spirange_max = spi; - } else { - sspi.sadb_spirange_min = 0x100; - sspi.sadb_spirange_max = -1; - } - iov[cnt].iov_base = &sspi; - iov[cnt++].iov_len = sizeof(sspi); - smsg.sadb_msg_len += sspi.sadb_spirange_len; - - /* get back SADB_EXT_SA */ - - if (!KERNEL_XF_SET(smsg.sadb_msg_len*8)) { - log_error("%s: kernel_xf_set()", __func__); - return (0); - } - - sres = (struct sadb_msg *)buffer; - ssa = (struct sadb_sa *)(sres + 1); - if (ssa->sadb_sa_exttype != SADB_EXT_SA) { - log_print( - "%s: SADB_GETSPI did not return a SADB_EXT_SA struct: %d", - __func__, ssa->sadb_sa_exttype); - return (0); - } - - LOG_DBG((LOG_KERNEL, 40, "%s: %s, %08x -> %08x", __func__, - srcaddress, spi, ntohl(ssa->sadb_sa_spi))); - - return (ntohl(ssa->sadb_sa_spi)); -} - -int 
-kernel_add_lifetime(struct sadb_msg *sa, struct iovec *iov, int seconds) -{ - static struct sadb_lifetime slh, sls; - int cnt = 0; - - bzero(&slh, sizeof(slh)); - bzero(&sls, sizeof(sls)); - - slh.sadb_lifetime_len = sizeof(slh) / 8; - slh.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - slh.sadb_lifetime_allocations = 0; - slh.sadb_lifetime_bytes = 10000000; /* lots of bytes */ - slh.sadb_lifetime_addtime = seconds; - sa->sadb_msg_len += slh.sadb_lifetime_len; - - iov[cnt].iov_base = &slh; - iov[cnt++].iov_len = sizeof(slh); - - sls.sadb_lifetime_len = sizeof(sls) / 8; - sls.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; - sls.sadb_lifetime_allocations = 0; - sls.sadb_lifetime_bytes = 9000000; /* lots of bytes */ - sls.sadb_lifetime_addtime = seconds * 9 / 10; - sa->sadb_msg_len += slh.sadb_lifetime_len; - - iov[cnt].iov_base = &sls; - iov[cnt++].iov_len = sizeof(sls); - - return (cnt); -} - -int -kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets, int hmac) -{ - struct sadb_msg sa; - struct sadb_address sad1; - struct sadb_address sad2; - struct sadb_sa sr; - struct sadb_key sk; - struct sockaddr_in src; - struct sockaddr_in dst; - struct iovec iov[20]; - int cnt = 0; - transform *xf = kernel_get_transform(ob->id); - time_t now = time(NULL); - - if (xf == NULL || !(xf->flags & XF_AUTH)) { - log_print("%s: %d is not an auth transform", __func__, ob->id); - return (-1); - } - - bzero(&sa, sizeof(sa)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sr, sizeof(sr)); - bzero(&sk, sizeof(sk)); - bzero(&src, sizeof(src)); - bzero(&dst, sizeof(dst)); - - sa.sadb_msg_len = sizeof(sa) / 8; - sa.sadb_msg_version = PF_KEY_V2; - sa.sadb_msg_type = SPI->flags & SPI_OWNER ? 
- SADB_UPDATE : SADB_ADD; - sa.sadb_msg_satype = SADB_SATYPE_AH; - sa.sadb_msg_seq = pfkey_seq++; - sa.sadb_msg_pid = pfkey_pid; - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - /* Source Address */ - sad1.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - src.sin_family = AF_INET; - src.sin_len = sizeof(struct sockaddr_in); - src.sin_addr.s_addr = inet_addr(SPI->flags & SPI_OWNER ? - SPI->address : SPI->local_address); - sa.sadb_msg_len += sad1.sadb_address_len; - - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - iov[cnt].iov_base = &src; - iov[cnt++].iov_len = sizeof(struct sockaddr); - - /* Destination Address */ - sad2.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - dst.sin_family = AF_INET; - dst.sin_len = sizeof(struct sockaddr_in); - dst.sin_addr.s_addr = inet_addr(SPI->flags & SPI_OWNER ? - SPI->local_address : SPI->address); - sa.sadb_msg_len += sad2.sadb_address_len; - - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - iov[cnt].iov_base = &dst; - iov[cnt++].iov_len = sizeof(struct sockaddr); - - sr.sadb_sa_len = sizeof(sr) / 8; - sr.sadb_sa_exttype = SADB_EXT_SA; - sr.sadb_sa_spi = htonl(SPITOINT(SPI->SPI)); - sr.sadb_sa_replay = !hmac ? 
0 : 32; - sr.sadb_sa_state = SADB_SASTATE_MATURE; - sr.sadb_sa_auth = xf->kernel_id; - sr.sadb_sa_encrypt = 0; - if (!hmac) - sr.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; - sa.sadb_msg_len += sr.sadb_sa_len; - - iov[cnt].iov_base = &sr; - iov[cnt++].iov_len = sizeof(sr); - - cnt += kernel_add_lifetime(&sa, &iov[cnt], SPI->lifetime - now); - - sk.sadb_key_len = (sizeof(sk) + ob->klen + 7) / 8; - sk.sadb_key_exttype = SADB_EXT_KEY_AUTH; - sk.sadb_key_bits = ob->klen * 8; - sa.sadb_msg_len += sk.sadb_key_len; - - iov[cnt].iov_base = &sk; - iov[cnt++].iov_len = sizeof(sk); - iov[cnt].iov_base = secrets; - iov[cnt++].iov_len = ((ob->klen + 7) / 8) * 8; - - LOG_DBG((LOG_KERNEL, 35, "%s: %08x", __func__, ntohl(sr.sadb_sa_spi))); - - if (!KERNEL_XF_SET(sa.sadb_msg_len * 8)) { - log_error("%s: kernel_xf_set()", __func__); - return (-1); - } - return (ob->klen); -} - -int -kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, u_int8_t *secrets) -{ - struct sadb_msg sa; - struct sadb_address sad1; - struct sadb_address sad2; - struct sadb_sa sr; - struct sadb_key sk1; - struct sadb_key sk2; - struct sockaddr_in src; - struct sockaddr_in dst; - struct iovec iov[20]; - attrib_t *attenc, *attauth = NULL; - u_int8_t *sec1, *sec2 = NULL; - transform *xf_enc, *xf_auth = NULL; - int cnt = 0; - time_t now = time(NULL); - - if (ob->type & AT_AUTH) { - if (ob2 == NULL || ob2->type != AT_ENC) { - log_print("%s: No encryption after auth given", __func__); - return (-1); - } - attenc = ob2; - attauth = ob; - sec2 = secrets; - sec1 = secrets + ob->klen; - } else if (ob->type == AT_ENC) { - attenc = ob; - sec1 = secrets; - if (ob2 != NULL && (ob2->type & AT_AUTH)) { - attauth = ob2; - sec2 = secrets + ob->klen; - } - } else { - log_print("%s: No encryption transform given", __func__); - return (-1); - } - - xf_enc = kernel_get_transform(attenc->id); - if ((xf_enc->flags & ESP_OLD) && attauth != NULL) { - log_print("%s: Old ESP does not support AH", __func__); - return (-1); - } - - if 
(attauth != NULL) - xf_auth = kernel_get_transform(attauth->id); - - bzero(&sa, sizeof(sa)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sr, sizeof(sr)); - bzero(&sk1, sizeof(sk1)); - bzero(&sk2, sizeof(sk2)); - bzero(&src, sizeof(src)); - bzero(&dst, sizeof(dst)); - - sa.sadb_msg_len = sizeof(sa) / 8; - sa.sadb_msg_version = PF_KEY_V2; - sa.sadb_msg_type = SPI->flags & SPI_OWNER ? - SADB_UPDATE : SADB_ADD; - sa.sadb_msg_satype = SADB_SATYPE_ESP; - sa.sadb_msg_seq = pfkey_seq++; - sa.sadb_msg_pid = pfkey_pid; - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - - sr.sadb_sa_len = sizeof(sr) / 8; - sr.sadb_sa_exttype = SADB_EXT_SA; - sr.sadb_sa_spi = htonl(SPITOINT(SPI->SPI)); - sr.sadb_sa_replay = xf_enc->flags & ESP_OLD ? 0 : 32; - sr.sadb_sa_state = SADB_SASTATE_MATURE; - sr.sadb_sa_auth = attauth ? xf_auth->kernel_id : 0; - sr.sadb_sa_encrypt = xf_enc->kernel_id; - if (xf_enc->flags & ESP_OLD) { - sr.sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV; - sr.sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING; - sr.sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY; - } - sa.sadb_msg_len += sr.sadb_sa_len; - - iov[cnt].iov_base = &sr; - iov[cnt++].iov_len = sizeof(sr); - - /* Source Address */ - sad1.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - src.sin_family = AF_INET; - src.sin_len = sizeof(struct sockaddr_in); - src.sin_addr.s_addr = inet_addr(SPI->flags & SPI_OWNER ? - SPI->address : SPI->local_address); - sa.sadb_msg_len += sad1.sadb_address_len; - - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - iov[cnt].iov_base = &src; - iov[cnt++].iov_len = sizeof(struct sockaddr); - - /* Destination Address */ - sad2.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - dst.sin_family = AF_INET; - dst.sin_len = sizeof(struct sockaddr_in); - dst.sin_addr.s_addr = inet_addr(SPI->flags & SPI_OWNER ? 
- SPI->local_address : SPI->address); - sa.sadb_msg_len += sad2.sadb_address_len; - - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - iov[cnt].iov_base = &dst; - iov[cnt++].iov_len = sizeof(struct sockaddr); - - cnt += kernel_add_lifetime(&sa, &iov[cnt], SPI->lifetime - now); - - sk1.sadb_key_len = (sizeof(sk1) + attenc->klen + 7) / 8; - sk1.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - sk1.sadb_key_bits = attenc->klen * 8; - sa.sadb_msg_len += sk1.sadb_key_len; - - iov[cnt].iov_base = &sk1; - iov[cnt++].iov_len = sizeof(sk1); - iov[cnt].iov_base = sec1; - iov[cnt++].iov_len = ((attenc->klen + 7) / 8) * 8; - - if (attauth != NULL) { - sk2.sadb_key_len = (sizeof(sk2) + attauth->klen + 7) / 8; - sk2.sadb_key_exttype = SADB_EXT_KEY_AUTH; - sk2.sadb_key_bits = attauth->klen * 8; - sa.sadb_msg_len += sk2.sadb_key_len; - - iov[cnt].iov_base = &sk2; - iov[cnt++].iov_len = sizeof(sk2); - iov[cnt].iov_base = sec2; - iov[cnt++].iov_len = ((attauth->klen + 7) / 8) * 8; - } - - LOG_DBG((LOG_KERNEL, 35, "%s: %08x", __func__, ntohl(sr.sadb_sa_spi))); - - if (!KERNEL_XF_SET(sa.sadb_msg_len * 8)) { - log_error("%s: kernel_xf_set()", __func__); - return (-1); - } - - return attenc->klen + (attauth ? attauth->klen : 0); -} - -/* - * Remove a single SPI from the kernel database. - */ - -int -kernel_delete_spi(char *address, u_int32_t spi, int proto) -{ - struct sadb_msg sa; - struct sadb_sa sr; - struct sadb_address sad1; - struct sadb_address sad2; - union sockaddr_union src, dst; - struct iovec iov[10]; - int cnt = 0; - - bzero(&sa, sizeof(sa)); - bzero(&sad1, sizeof(sad1)); - bzero(&sad2, sizeof(sad2)); - bzero(&sr, sizeof(sr)); - bzero(&src, sizeof(src)); - bzero(&dst, sizeof(dst)); - - sa.sadb_msg_version = PF_KEY_V2; - sa.sadb_msg_type = SADB_DELETE; - sa.sadb_msg_satype = proto == IPPROTO_ESP ? 
- SADB_SATYPE_ESP : SADB_SATYPE_AH; - sa.sadb_msg_seq = pfkey_seq++; - sa.sadb_msg_pid = pfkey_pid; - - /* Source Address */ - sad1.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad1.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - - src.sin.sin_family = AF_INET; - src.sin.sin_len = sizeof(struct sockaddr_in); - - /* Destination Address */ - sad2.sadb_address_len = 1 + sizeof(struct sockaddr_in) / 8; - sad2.sadb_address_exttype = SADB_EXT_ADDRESS_DST; - - dst.sin.sin_family = AF_INET; - dst.sin.sin_len = sizeof(struct sockaddr_in); - dst.sin.sin_addr.s_addr = inet_addr(address); - - sr.sadb_sa_exttype = SADB_EXT_SA; - sr.sadb_sa_spi = htonl(spi); - sr.sadb_sa_len = sizeof(sr) / 8; - - sa.sadb_msg_len = 2 + sr.sadb_sa_len + sad2.sadb_address_len + - sad1.sadb_address_len; - - iov[cnt].iov_base = &sa; - iov[cnt++].iov_len = sizeof(sa); - iov[cnt].iov_base = &sad1; - iov[cnt++].iov_len = sizeof(sad1); - iov[cnt].iov_base = &src; - iov[cnt++].iov_len = sizeof(struct sockaddr); - iov[cnt].iov_base = &sad2; - iov[cnt++].iov_len = sizeof(sad2); - iov[cnt].iov_base = &dst; - iov[cnt++].iov_len = sizeof(struct sockaddr); - iov[cnt].iov_base = &sr; - iov[cnt++].iov_len = sizeof(sr); - - - LOG_DBG((LOG_KERNEL, 30, "%s: %08x", __func__, spi)); - - if (!KERNEL_XF_SET(sa.sadb_msg_len * 8) && errno != ESRCH) { - log_error("%s: kernel_xf_set()", __func__); - return (-1); - } - - return (1); -} - -/* - * Creates the correspondings SPI's with the kernel and establishes - * routing if necessary, i.e. when the SPIs were not created by - * kernel notifies. 
- */ - -int -kernel_insert_spi(struct stateob *st, struct spiob *SPI) -{ - u_int8_t *spi; - u_int8_t *attributes; - u_int16_t attribsize, ahsize, espsize; - u_int8_t *secrets, *ah, *esp; - attrib_t *attprop; - int offset, proto = 0; - - spi = SPI->SPI; - attributes = SPI->attributes; - attribsize = SPI->attribsize; - secrets = SPI->sessionkey; - - get_attrib_section(attributes, attribsize, &esp, &espsize, - AT_ESP_ATTRIB); - get_attrib_section(attributes, attribsize, &ah, &ahsize, - AT_AH_ATTRIB); - - if (esp != NULL) { - int count = 0; - attrib_t *atesp = NULL, *atah = NULL; - - while (count < espsize && (atesp == NULL || atah == NULL)) { - if ((attprop = getattrib(esp[count])) == NULL) { - log_print("%s: Unknown attribute %d for ESP", - __func__, esp[count]); - return (-1); - } - if (atesp == NULL && attprop->type == AT_ENC) - atesp = attprop; - else if(atah == NULL && (attprop->type & AT_AUTH)) - atah = attprop; - - count += esp[count+1]+2; - } - if (atesp == NULL) { - log_print("%s: No encryption attribute in ESP section for SA(%08x, %s->%s)", - __func__, - SPITOINT(SPI->SPI), SPI->local_address, SPI->address); - return (-1); - } - - offset = kernel_esp(atesp, atah, SPI, secrets); - if (offset == -1) - return (-1); - secrets += offset; - } - - if (ah != NULL) { - int count = 0, hmac = 0; - attrib_t *atah = NULL; - - while (count < ahsize) { - if ((attprop = getattrib(ah[count])) == NULL) { - log_print("%s: Unknown attribute %d for AH", __func__, - ah[count]); - return (-1); - } - if(atah == NULL && (attprop->type & AT_AUTH)) - atah = attprop; - else if (attprop->type == 0) { - switch (attprop->id) { - case AT_HMAC: - hmac = 1; - break; - default: - break; - } - } - - count += ah[count+1]+2; - } - - if (atah == NULL) { - log_print("%s: No authentication attribute in AH section for SA(%08x, %s->%s)", - __func__, - SPITOINT(SPI->SPI), SPI->local_address, SPI->address); - return (-1); - } - - offset = kernel_ah(atah, SPI, secrets, hmac); - if (offset == -1) - 
return (-1); - secrets += offset; - } - - if (esp != NULL) { - proto = IPPROTO_ESP; - SPI->flags |= SPI_ESP; - } else { - proto = IPPROTO_AH; - SPI->flags &= ~SPI_ESP; - } - - /* - * Inform the kernel that we obtained the requested SA - */ - kernel_notify_result(st, SPI, proto); - - /* Erase keys */ - bzero(SPI->sessionkey, SPI->sessionkeysize); - free(SPI->sessionkey); - SPI->sessionkey = NULL; SPI->sessionkeysize = 0; - - return (1); -} - -/* - * Deletes an SPI object, which means removing the SPIs from the - * kernel database and the deletion of all routes which were - * established on our behalf. Routes for SA's which were created by - * kernel notifies also get removed, since they are not any longer - * valid anyway. - */ - -int -kernel_unlink_spi(struct spiob *ospi) -{ - u_int8_t *p, *ah, *esp; - u_int16_t ahsize, espsize; - - if (!(ospi->flags & SPI_OWNER)) - p = ospi->address; - else - p = ospi->local_address; - - get_attrib_section(ospi->attributes, ospi->attribsize, &esp, &espsize, - AT_ESP_ATTRIB); - get_attrib_section(ospi->attributes, ospi->attribsize, &ah, &ahsize, - AT_AH_ATTRIB); - - if (esp != NULL) { - if (kernel_delete_spi(p, SPITOINT(ospi->SPI), IPPROTO_ESP) == -1) - log_print("%s: kernel_delete_spi() failed", __func__); - } - - if (ah != NULL) { - if (kernel_delete_spi(p, SPITOINT(ospi->SPI), IPPROTO_AH) == -1) - log_print("%s: kernel_delete_spi() failed", __func__); - } - - return (1); -} - -void -kernel_dispatch_notify(struct sadb_msg *sres) -{ - LOG_DBG((LOG_KERNEL, 60, "%s: Got PFKEYV2 message: type %d", - __func__, sres->sadb_msg_type)); - - switch (sres->sadb_msg_type) { - case SADB_EXPIRE: - LOG_DBG((LOG_KERNEL, 55, "%s: Got SA Expiration", __func__)); - kernel_handle_expire(sres); - break; - case SADB_ACQUIRE: - LOG_DBG((LOG_KERNEL, 55, - "%s: Got Notify SA Request (SADB_ACQUIRE): %d", - __func__, - sres->sadb_msg_len * 8)); - LOG_DBG_BUF((LOG_KERNEL, 60, "acquire buf", - (u_char *)sres, sres->sadb_msg_len * 8)); - - - 
kernel_request_sa(sres); - break; - default: - /* discard silently */ - return; - } -} - -void -kernel_handle_queue() -{ - struct pfmsg *pfmsg; - - while ((pfmsg = TAILQ_FIRST(&pfqueue))) { - TAILQ_REMOVE(&pfqueue, pfmsg, next); - - kernel_dispatch_notify(pfmsg->smsg); - - free(pfmsg->smsg); - free(pfmsg); - } -} - -/* - * Handles Notifies from the kernel, which can include Requests for new - * SAs, soft and hard expirations for already established SAs. - */ - -void -kernel_handle_notify(int sd) -{ - struct sadb_msg *sres = (struct sadb_msg *)buffer; - size_t len; - - if (!kernel_xf_read(regsd, buffer, BUFFER_SIZE, 0)) { - LOG_DBG((LOG_KERNEL, 65, "%s: nothing to read", __func__)); - return; - } - - len = sres->sadb_msg_len * 8; - sres = malloc(len); - if (!sres) { - log_error("%s: malloc", __func__); - return; - } - memcpy(sres, buffer, len); - - kernel_dispatch_notify(sres); - - free(sres); -} - -struct sadb_msg * -pfkey_askpolicy(int seq) -{ - struct sadb_msg smsg; - struct sadb_x_policy policy; - struct iovec iov[2]; - int cnt = 0; - - bzero(&smsg, sizeof(smsg)); - - /* Ask the kernel for the matching policy */ - smsg.sadb_msg_len = sizeof(smsg) / 8; - smsg.sadb_msg_version = PF_KEY_V2; - smsg.sadb_msg_seq = pfkey_seq++; - smsg.sadb_msg_pid = pfkey_pid; - smsg.sadb_msg_type = SADB_X_ASKPOLICY; - iov[cnt].iov_base = &smsg; - iov[cnt++].iov_len = sizeof(smsg); - - memset(&policy, 0, sizeof(policy)); - policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; - policy.sadb_x_policy_len = sizeof(policy) / 8; - policy.sadb_x_policy_seq = seq; - iov[cnt].iov_base = &policy; - iov[cnt++].iov_len = sizeof(policy); - smsg.sadb_msg_len += sizeof(policy) / 8; - - if (!kernel_xf_set(regsd, buffer, BUFFER_SIZE, iov, cnt, - smsg.sadb_msg_len*8)) { - log_error("%s: kernel_xf_set", __func__); - return (NULL); - } - - return ((struct sadb_msg *)buffer); -} - -int -kernel_handle_expire(struct sadb_msg *sadb) -{ - struct sadb_sa *sa; - struct sadb_address *dst; - char dstbuf[NI_MAXHOST]; 
- struct stateob *st; - time_t tm; - struct sockaddr *dstaddr; - struct sadb_lifetime *life; - struct sadb_ext *ext = (struct sadb_ext *)(sadb + 1); - struct spiob *spi; - void *end; - - end = (struct sadb_ext *)((u_char *)sadb + sadb->sadb_msg_len * 8); - - sa = (struct sadb_sa *)pfkey_find_extension(ext, end, SADB_EXT_SA); - if (sa == NULL) { - log_print("%s: no SA extension found", __func__); - return (-1); - } - - dst = (struct sadb_address *) - pfkey_find_extension(ext, end, SADB_EXT_ADDRESS_DST); - if (dst == NULL) { - log_print( - "%s: no destination address extension found", - __func__); - return (-1); - } - dstaddr = (struct sockaddr *)(dst + 1); - - life = (struct sadb_lifetime *) - pfkey_find_extension(ext, end, SADB_EXT_LIFETIME_HARD); - if (life == NULL) - life = (struct sadb_lifetime *) - pfkey_find_extension(ext, end, SADB_EXT_LIFETIME_SOFT); - if (life == NULL) { - log_print( - "%s: no lifetime extension found", - __func__); - return (-1); - } - - switch (dstaddr->sa_family) { - case AF_INET: - if (inet_ntop (AF_INET, &((struct sockaddr_in *)dstaddr)->sin_addr, - dstbuf, sizeof(dstbuf)) == NULL) { - log_error ("%s: inet_ntop failed", __func__); - return (-1); - } - break; - default: - log_error( - "%s: unsupported address family %d", - __func__, - dstaddr->sa_family); - return (-1); - } - - LOG_DBG((LOG_KERNEL, 30, "%s: %s dst %s SPI %x sproto %d", __func__, - life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? 
"SOFT" - : "HARD", dstbuf, - ntohl (sa->sadb_sa_spi), sadb->sadb_msg_satype)); - - spi = spi_find(dstbuf, (u_char *)&sa->sadb_sa_spi); - if (spi == NULL) { - LOG_DBG((LOG_KERNEL, 35, - "%s: can't find %s SPI %x", __func__, - dstbuf, ntohl(sa->sadb_sa_spi))); - return (-1); - } - - switch(life->sadb_lifetime_exttype) { - case SADB_EXT_LIFETIME_HARD: - LOG_DBG((LOG_KERNEL, 35, "%s: removing %s SPI %x", __func__, - dstbuf, ntohl(sa->sadb_sa_spi))); - spi_unlink(spi); - break; - case SADB_EXT_LIFETIME_SOFT: - life = (struct sadb_lifetime *) - pfkey_find_extension(ext, end, - SADB_EXT_LIFETIME_CURRENT); - if (life == NULL) { - log_print("%s: no current lifetime", __func__); - return (-1); - } - - if (!life->sadb_lifetime_bytes) { - LOG_DBG((LOG_KERNEL, 45, - "%s: SPI %x not been used, skipping update", - __func__, - ntohl(sa->sadb_sa_spi))); - return (0); - } - - if (spi->flags & SPI_OWNER) { - spi_update(global_socket, - (u_int8_t *)&sa->sadb_sa_spi); - return (0); - } - - /* - * Try to find an already established exchange which is - * still valid. - */ - - st = state_find(dstbuf); - - tm = time(NULL); - while (st != NULL && - (st->lifetime <= tm || st->phase < SPI_UPDATE)) - st = state_find_next(st, dstbuf); - - if (st == NULL) { - int type = spi->flags & SPI_ESP ? 
- IPSEC_OPT_ENC : IPSEC_OPT_AUTH; - - LOG_DBG((LOG_KERNEL, 45, - "%s: starting new exchange to %s", - __func__, - spi->address)); - kernel_new_exchange(spi->address, type); - } - - break; - default: - log_print("%s: unknown extension type %d", __func__, - life->sadb_lifetime_exttype); - return (-1); - } - - return (0); -} - -int -kernel_new_exchange(char *address, int type) -{ - struct stateob *st; - - /* No established exchange found, start a new one */ - if ((st = state_new()) == NULL) { - log_print( - "%s: state_new() failed for remote ip %s", __func__, - address); - return (-1); - } - - /* Set up the state information */ - strncpy(st->address, address, sizeof(st->address) - 1); - st->port = global_port; - st->sport = 0; - st->dport = 0; - st->protocol = 0; - - st->flags = IPSEC_NOTIFY; - - st->flags |= type; - - if (start_exchange(global_socket, st, st->address, - st->port) == -1) { - log_print("%s: start_exchange() - informing kernel of failure", - __func__); - /* Inform kernel of our failure */ - kernel_notify_result(st, NULL, 0); - state_value_reset(st); - free(st); - return (-1); - } else - state_insert(st); - - return (0); -} - -/* - * Tries to establish a new SA according to the information in a - * REQUEST_SA notify message received from the kernel. 
- */ - -int -kernel_request_sa(struct sadb_msg *sadb) -{ - struct stateob *st; - time_t tm; - struct sadb_address *dst, *src; - struct sockaddr *dstaddr; - struct sadb_ext *ext = (struct sadb_ext *)(sadb + 1); - char srcbuf[NI_MAXHOST], dstbuf[NI_MAXHOST]; - void *end; - - memset(srcbuf, 0, sizeof(srcbuf)); - memset(dstbuf, 0, sizeof(dstbuf)); - - end = (struct sadb_ext *)((u_char *)sadb + sadb->sadb_msg_len * 8); - - dst = (struct sadb_address *) - pfkey_find_extension(ext, end, SADB_EXT_ADDRESS_DST); - src = (struct sadb_address *) - pfkey_find_extension(ext, end, SADB_EXT_ADDRESS_SRC); - - if (!dst) - return (-1); - - dstaddr = (struct sockaddr *)(dst + 1); - switch (dstaddr->sa_family) { - case AF_INET: - if (inet_ntop(AF_INET, - &((struct sockaddr_in *)dstaddr)->sin_addr, - dstbuf, sizeof(dstbuf)) == NULL) { - log_error ("%s: inet_ntop failed", __func__); - return (-1); - } - break; - default: - log_error("%s: unsupported address family %d", __func__, - dstaddr->sa_family); - return (-1); - } - - LOG_DBG((LOG_KERNEL, 20, "%s: dst: %s", __func__, dstbuf)); - - /* Try to find an already established exchange which is still valid */ - st = state_find(dstbuf); - - tm = time(NULL); - while (st != NULL && (st->lifetime <= tm || st->phase < SPI_UPDATE)) - st = state_find_next(st, dstbuf); - - if (st) { - struct sockaddr_in sin; - - /* - * We need different attributes for this exchange, send - * an SPI_NEEDED message. 
- */ - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_spi_needed(st, packet_buffer, &packet_size, - st->uSPIattrib, - st->uSPIattribsize) == -1) { - log_print("%s: photuris_spi_update()", __func__); - return (-1); - } - - /* Send the packet */ - sin.sin_port = htons(st->port); - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = inet_addr(st->address); - - if (sendto(global_socket, packet_buffer, packet_size, 0, - (struct sockaddr *)&sin, sizeof(sin)) != packet_size) { - log_error("%s: sendto()", __func__); - } - } else { - int type = sadb->sadb_msg_satype == SADB_SATYPE_ESP ? - IPSEC_OPT_ENC : IPSEC_OPT_AUTH; - - return (kernel_new_exchange(dstbuf, type)); - } - - - return (0); -} - -/* - * Report the established SA or either our failure to create an SA - * to the kernel. - * Passing a SPI of NULL means failure. - */ - -void -kernel_notify_result(struct stateob *st, struct spiob *spi, int proto) -{ - - /* struct encap_msghdr em; - - bzero((char *)&em, sizeof(em)); - em.em_type = EMT_NOTIFY; - em.em_msglen = EMT_NOTIFY_FLEN; - em.em_version = PFENCAP_VERSION_1; - em.em_not_type = NOTIFY_REQUEST_SA; - if (spi != NULL) { - em.em_not_spi = htonl((spi->SPI[0]<<24) + (spi->SPI[1]<<16) + - (spi->SPI[2]<<8) + spi->SPI[3]); - em.em_not_dst.s_addr = inet_addr(spi->address); - em.em_not_src.s_addr = inet_addr(spi->local_address); - em.em_not_sproto = proto; - } - if (st != NULL) { - em.em_not_dst.s_addr = inet_addr(st->address); - em.em_not_sport = st->sport; - em.em_not_dport = st->dport; - em.em_not_protocol = st->protocol; - } - - if (!kernel_xf_set(&em)) - log_error("kernel_xf_set() in kernel_notify_result()"); */ -} diff --git a/sbin/photurisd/kernel.h b/sbin/photurisd/kernel.h deleted file mode 100644 index 3903ba476d5..00000000000 --- a/sbin/photurisd/kernel.h +++ /dev/null 
@@ -1,121 +0,0 @@ -/* $OpenBSD: kernel.h,v 1.13 2002/06/09 08:13:08 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* - * kernel.h: - * security paramter index creation. 
- */ - -#ifndef _KERNEL_H_ -#define _KERNEL_H_ - -#undef EXTERN -#ifdef _KERNEL_C_ -#define EXTERN - -#define ESP_OLD 0x01 -#define ESP_NEW 0x02 -#define AH_OLD 0x04 -#define AH_NEW 0x08 - -#define XF_ENC 0x10 -#define XF_AUTH 0x20 - -#define XF_SUP 0x80 /* Mark the transforms as supported */ - -typedef struct { - int photuris_id; - int kernel_id, flags; -} transform; - -/* - * Translation from Photuris Attributes to Kernel Transforms. - * For the actual ids see: draft-simpson-photuris-*.txt and - * draft-simpson-photuris-schemes-*.txt - */ - -transform xf[] = { - { 5, SADB_X_AALG_MD5, XF_AUTH|AH_OLD}, - { 6, SADB_X_AALG_SHA1, XF_AUTH|AH_OLD}, - { 5, SADB_AALG_MD5HMAC, XF_AUTH|AH_NEW|ESP_NEW}, - { 6, SADB_AALG_SHA1HMAC, XF_AUTH|AH_NEW|ESP_NEW}, - { 7, SADB_AALG_RIPEMD160HMAC, XF_AUTH|AH_NEW|ESP_NEW}, - { 8, SADB_EALG_DESCBC, XF_ENC|ESP_OLD}, - { 18, SADB_EALG_3DESCBC, XF_ENC|ESP_NEW}, - { 16, SADB_X_EALG_BLF, XF_ENC|ESP_NEW}, - { 17, SADB_X_EALG_CAST, XF_ENC|ESP_NEW}, - { 19, SADB_X_EALG_SKIPJACK, XF_ENC|ESP_NEW}, -}; - -transform *kernel_get_transform(int id); -void kernel_transform_seen(int id, int type); - -int kernel_register(int sd); - -int kernel_xf_set(int sd, char *buf, int blen, struct iovec *io, int cnt, - int len); -int kernel_xf_read(int sd, char *buf, int blen, int seq); - -int kernel_ah(attrib_t *ob, struct spiob *SPI, u_int8_t *secrets, int hmac); -int kernel_esp(attrib_t *ob, attrib_t *ob2, struct spiob *SPI, - u_int8_t *secrets); - -int kernel_group_spi(char *address, u_int8_t *spi); -int kernel_bind_spis(struct spiob *spi1, struct spiob *spi2); - -int kernel_delete_spi(char *address, u_int32_t spi, int proto); - -struct sadb_msg; -int kernel_request_sa(struct sadb_msg *); -int kernel_handle_expire(struct sadb_msg *); -int kernel_new_exchange(char *, int); -#else -#define EXTERN extern -#endif - -EXTERN int kernel_known_transform(int id); -EXTERN int kernel_valid(attrib_t *enc, attrib_t *auth); -EXTERN int kernel_valid_auth(attrib_t *auth, u_int8_t 
*flag, u_int16_t size);
-
-EXTERN u_int32_t kernel_reserve_spi(char *srcaddress, char *dstaddress,
- int options);
-EXTERN u_int32_t kernel_reserve_single_spi(char *srcaddress, char *dstaddress,
- u_int32_t spi, int proto);
-
-EXTERN int kernel_insert_spi(struct stateob *st, struct spiob *SPI);
-EXTERN int kernel_unlink_spi(struct spiob *ospi);
-EXTERN int init_kernel(void);
-EXTERN int kernel_get_socket(void);
-EXTERN void kernel_set_socket_policy(int sd);
-EXTERN void kernel_handle_notify(int sd);
-EXTERN void kernel_notify_result(struct stateob *, struct spiob *, int);
-EXTERN void kernel_handle_queue(void);
-
-#endif /* _KERNEL_H */
diff --git a/sbin/photurisd/log.c b/sbin/photurisd/log.c
deleted file mode 100644
index 73f8912803a..00000000000
--- a/sbin/photurisd/log.c
+++ /dev/null
@@ -1,257 +0,0 @@ -/* $OpenBSD: log.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */ -/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Ericsson Radio Systems. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. 
- */ - -#include <sys/time.h> -#include <errno.h> -#include <stdio.h> -#include <string.h> -#include <syslog.h> -#include <stdarg.h> - -#include "log.h" - -static void _log_print (int, int, const char *, va_list, int, int); - -static FILE *log_output; -#ifdef USE_DEBUG -static int log_level[LOG_ENDCLASS]; -#endif - -void -log_init (void) -{ - log_output = stderr; -} - -void -log_to (FILE *f) -{ - if (!log_output && f) - closelog (); - log_output = f; - if (!f) - openlog ("isakmpd", LOG_CONS, LOG_DAEMON); -} - -FILE * -log_current (void) -{ - return log_output; -} - -static char * -_log_get_class (int error_class) -{ - /* XXX For test purposes. To be removed later on? */ - static char *class_text[] = LOG_CLASSES_TEXT; - - if (error_class < 0) - return "Dflt"; - else if (error_class >= LOG_ENDCLASS) - return "Unkn"; - else - return class_text[error_class]; -} - -static void -_log_print (int error, int syslog_level, const char *fmt, va_list ap, - int class, int level) -{ - char buffer[LOG_SIZE], nbuf[LOG_SIZE + 32]; - static const char fallback_msg[] = - "write to log file failed (errno %d), redirecting output to syslog"; - int len; - struct tm *tm; - struct timeval now; - time_t t; - - len = vsnprintf (buffer, LOG_SIZE, fmt, ap); - if (len > 0 && len < LOG_SIZE - 1 && error) - snprintf (buffer + len, LOG_SIZE - len, ": %s", strerror (errno)); - if (log_output) - { - gettimeofday (&now, 0); - t = now.tv_sec; - tm = localtime (&t); - if (class >= 0) - sprintf (nbuf, "%02d%02d%02d.%06ld %s %02d ", tm->tm_hour, - tm->tm_min, tm->tm_sec, now.tv_usec, _log_get_class (class), - level); - else /* LOG_PRINT (-1) or LOG_REPORT (-2) */ - sprintf (nbuf, "%02d%02d%02d.%06ld %s ", tm->tm_hour, - tm->tm_min, tm->tm_sec, now.tv_usec, - class == LOG_PRINT ? "Default" : "Report>"); - strcat (nbuf, buffer); - strcat (nbuf, "\n"); - - if (fwrite (nbuf, strlen (nbuf), 1, log_output) == 0) - { - /* Report fallback. 
*/ - syslog (LOG_ALERT, fallback_msg, errno); - fprintf (log_output, fallback_msg, errno); - - /* - * Close log_output to prevent isakmpd from locking the file. - * We may need to explicitly close stdout to do this properly. - * XXX - Figure out how to match two FILE *'s and rewrite. - */ - if (fileno (log_output) != -1) - if (fileno (stdout) == fileno (log_output)) - fclose (stdout); - fclose (log_output); - - /* Fallback to syslog. */ - log_to (0); - - /* (Re)send current message to syslog(). */ - syslog (class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s", buffer); - } - } - else - syslog (class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s", buffer); -} - -#ifdef USE_DEBUG -void -log_debug (int cls, int level, const char *fmt, ...) -{ - va_list ap; - - /* - * If we are not debugging this class, or the level is too low, just return. - */ - if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) - return; - va_start (ap, fmt); - _log_print (0, LOG_DEBUG, fmt, ap, cls, level); - va_end (ap); -} - -void -log_debug_buf (int cls, int level, const char *header, const u_int8_t *buf, - size_t sz) -{ - char s[73]; - int i, j; - - /* - * If we are not debugging this class, or the level is too low, just return. 
- */ - if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) - return; - - log_debug (cls, level, "%s:", header); - for (i = j = 0; i < sz;) - { - sprintf (s + j, "%02x", buf[i++]); - j += 2; - if (i % 4 == 0) - { - if (i % 32 == 0) - { - s[j] = '\0'; - log_debug (cls, level, "%s", s); - j = 0; - } - else - s[j++] = ' '; - } - } - if (j) - { - s[j] = '\0'; - log_debug (cls, level, "%s", s); - } -} - -void -log_debug_cmd (int cls, int level) -{ - if (cls < 0 || cls >= LOG_ENDCLASS) - { - log_print ("log_debug_cmd: invalid debugging class %d", cls); - return; - } - - if (level < 0) - { - log_print ("log_debug_cmd: invalid debugging level %d for class %d", - level, cls); - return; - } - - if (level == log_level[cls]) - log_print ("log_debug_cmd: log level unchanged for class %d", cls); - else - { - log_print ("log_debug_cmd: log level changed from %d to %d for class %d", - log_level[cls], level, cls); - log_level[cls] = level; - } -} -#endif /* USE_DEBUG */ - -void -log_print (const char *fmt, ...) -{ - va_list ap; - - va_start (ap, fmt); - _log_print (0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0); - va_end (ap); -} - -void -log_error (const char *fmt, ...) -{ - va_list ap; - - va_start (ap, fmt); - _log_print (1, LOG_ERR, fmt, ap, LOG_PRINT, 0); - va_end (ap); -} - -void -log_fatal (const char *fmt, ...) -{ - va_list ap; - - va_start (ap, fmt); - _log_print (1, LOG_CRIT, fmt, ap, LOG_PRINT, 0); - va_end (ap); - exit (1); -} diff --git a/sbin/photurisd/log.h b/sbin/photurisd/log.h deleted file mode 100644 index 1e09525cc70..00000000000 --- a/sbin/photurisd/log.h +++ /dev/null 
@@ -1,95 +0,0 @@ -/* $OpenBSD: log.h,v 1.5 2002/06/10 19:58:20 espie Exp $ */ -/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Ericsson Radio Systems. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. 
- */ - -#ifndef _LOG_H_ -#define _LOG_H_ - -#include <sys/types.h> -#include <stdio.h> - -/* - * We cannot do the log strings dynamically sizeable as out of memory is one - * of the situations we need to report about. - */ -#define LOG_SIZE 200 - -enum log_classes { - LOG_MISC, LOG_PROTOCOL, LOG_CRYPTO, LOG_TIMER, LOG_SPI, LOG_KERNEL, - LOG_ENDCLASS -}; -#define LOG_CLASSES_TEXT \ - { "Misc", "Prot", "Cryp", "Timr", "SPI ", "Kern" } - -/* - * "Class" LOG_REPORT will always be logged to the current log channel, - * regardless of level. - */ -#define LOG_PRINT -1 -#define LOG_REPORT -2 - -#ifdef USE_DEBUG - -#define LOG_DBG(x) log_debug x -#define LOG_DBG_BUF(x) log_debug_buf x - -extern void log_debug (int, int, const char *, ...); -extern void log_debug_buf (int, int, const char *, const u_int8_t *, size_t); -extern void log_debug_cmd (int, int); - -#else /* USE_DEBUG */ - -#define LOG_DBG(x) -#define LOG_DBG_BUF(x) - -#endif /* USE_DEBUG */ - -extern FILE *log_current (void); -#if defined(__GNUC__) -extern void log_error (const char *, ...) - __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__(1))); -extern void log_fatal (const char *, ...) - __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__(1))); -extern void log_print (const char *, ...) - __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__(1))); -#else -extern void log_error (const char *, ...); -extern void log_fatal (const char *, ...); -extern void log_print (const char *, ...); -#endif -extern void log_to (FILE *); -extern void log_init (void); - -#endif /* _LOG_H_ */ diff --git a/sbin/photurisd/modulus.c b/sbin/photurisd/modulus.c deleted file mode 100644 index a9c5de021a9..00000000000 --- a/sbin/photurisd/modulus.c +++ /dev/null 
@@ -1,295 +0,0 @@ -/* $OpenBSD: modulus.c,v 1.8 2002/06/10 19:58:20 espie Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * modulus.c: - * functions for handling moduli - */ - -#define _MODULUS_C_ - -#ifdef DEBUG -#include <stdio.h> -#endif - -#include <stdlib.h> -#include <time.h> -#include <ssl/bn.h> -#include "config.h" -#include "modulus.h" -#include "log.h" - -TAILQ_HEAD(modlist, moduli_cache) modhead; - -void -mod_init(void) -{ - TAILQ_INIT(&modhead); -} - -int -mod_insert(struct moduli_cache *ob) -{ - TAILQ_INSERT_TAIL(&modhead, ob, next); - - return (1); -} - -int -mod_unlink(struct moduli_cache *ob) -{ - TAILQ_REMOVE(&modhead, ob, next); - free(ob); - - return (0); -} - -/* - * Check moduli for primality: - * check iter iterations, remain at max tm seconds here - * tm == 0, check all. - */ - -void -mod_check_prime(int iter, int tm) -{ - struct moduli_cache *p, *tmp = NULL, *next; - time_t now; - int flag; - BN_CTX *ctx; - - ctx = BN_CTX_new(); - - now = time(NULL); - for (p = TAILQ_FIRST(&modhead); - p != NULL && (tm == 0 || (time(NULL) - now < tm)); p = next) { - next = TAILQ_NEXT(p, next); - - if (p->iterations < MOD_PRIME_MAX && - (p->status == MOD_UNUSED || p->status == MOD_COMPUTING)) { - flag = BN_is_prime(p->modulus, iter, NULL, ctx, NULL); - if (!flag) - log_print("%s: found a non prime", __func__); - - tmp = mod_find_modulus(p->modulus); - while (tmp != NULL) { - if (!flag) { - tmp->status = MOD_NOTPRIME; - tmp->lifetime = now + 2*MOD_TIMEOUT; - } else { - tmp->iterations += iter; - if (tmp->iterations >= MOD_PRIME_MAX) - tmp->status = MOD_PRIME; - else - tmp->status = MOD_COMPUTING; - } - tmp = mod_find_modulus_next(tmp, p->modulus); - } -#ifdef USE_DEBUG - { - char *hex, *msg; - if (!flag) - msg = "not prime."; - else if (p->iterations >= MOD_PRIME_MAX) - msg = "probably prime."; - else - msg = "undecided."; - hex = BN_bn2hex(p->modulus); - LOG_DBG((LOG_CRYPTO, 50, - "%s: check prime: %s: %s", - __func__, hex, msg)); - free(hex); - } -#endif - } - - if (p->status == MOD_NOTPRIME && p->lifetime < now) { - LOG_DBG((LOG_CRYPTO, 40, - "%s: unlinking non 
prime modulus", __func__)); - mod_value_reset(tmp); - mod_unlink(tmp); - } - } - - BN_CTX_free(ctx); -} - -struct moduli_cache * -mod_new_modgen(BIGNUM *m, BIGNUM *g) -{ - struct moduli_cache *p; - - if((p = calloc(1, sizeof(struct moduli_cache)))==NULL) - return NULL; - - p->modulus = BN_new(); BN_copy(p->modulus, m); - p->generator = BN_new(); BN_copy(p->generator, g); - p->private_value = BN_new(); - - /* XXX - change lifetime later */ - p->lifetime = time(NULL) + MOD_TIMEOUT; - p->status = MOD_UNUSED; - - return p; -} - -struct moduli_cache * -mod_new_modulus(BIGNUM *m) -{ - struct moduli_cache *tmp; - - BIGNUM *generator; - generator = BN_new(); - tmp = mod_new_modgen(m, generator); - BN_clear_free(generator); - - return (tmp); -} - -int -mod_value_reset(struct moduli_cache *ob) -{ - BN_clear_free(ob->private_value); - BN_clear_free(ob->modulus); - BN_clear_free(ob->generator); - - if (ob->exchangevalue != NULL) - free(ob->exchangevalue); - - return (1); -} - -/* Find a proper modulus and generator in the queue. - * 0 matches everything. 
- */ - -struct moduli_cache * -mod_find_modgen_next(struct moduli_cache *ob, BIGNUM *modulus, - BIGNUM *generator) -{ - if (ob != NULL) - ob = TAILQ_NEXT(ob, next); - else - ob = TAILQ_FIRST(&modhead); - - for ( ; ob; ob = TAILQ_NEXT(ob, next)) { - if ((BN_is_zero(generator) || - !BN_cmp(ob->generator, generator)) && - (BN_is_zero(modulus) || !BN_cmp(modulus, ob->modulus))) - break; - } - - return (ob); -} - -struct moduli_cache * -mod_find_modgen(BIGNUM *modulus, BIGNUM *generator) -{ - return (mod_find_modgen_next(NULL, modulus, generator)); -} - -struct moduli_cache * -mod_find_generator_next(struct moduli_cache *ob, BIGNUM *generator) -{ - struct moduli_cache *tmp; - BIGNUM *modulus; - - modulus = BN_new(); - BN_zero(modulus); - - tmp = mod_find_modgen_next(ob, modulus, generator); - - BN_free(modulus); - - return (tmp); -} - -struct moduli_cache * -mod_find_generator(BIGNUM *generator) -{ - struct moduli_cache *tmp; - BIGNUM *modulus; - - modulus = BN_new(); - BN_zero(modulus); - - tmp = mod_find_modgen(modulus,generator); - - BN_free(modulus); - - return (tmp); -} - -struct moduli_cache * -mod_find_modulus_next(struct moduli_cache *ob, BIGNUM *modulus) -{ - struct moduli_cache *tmp; - BIGNUM *generator; - - generator = BN_new(); - BN_zero(generator); - - tmp = mod_find_modgen_next(ob, modulus, generator); - - BN_free(generator); - - return (tmp); -} - -struct moduli_cache * -mod_find_modulus(BIGNUM *modulus) -{ - struct moduli_cache *tmp; - BIGNUM *generator; - - generator = BN_new(); - BN_zero(generator); - - tmp = mod_find_modgen(modulus,generator); - - BN_free(generator); - - return (tmp); -} - - -void -mod_cleanup(void) -{ - struct moduli_cache *p; - - while ((p = TAILQ_FIRST(&modhead))) { - TAILQ_REMOVE(&modhead, p, next); - mod_value_reset(p); - free(p); - } -} - diff --git a/sbin/photurisd/modulus.h b/sbin/photurisd/modulus.h deleted file mode 100644 index 8fdf7539230..00000000000 --- a/sbin/photurisd/modulus.h +++ /dev/null 
@@ -1,90 +0,0 @@ -/* $OpenBSD: modulus.h,v 1.5 2002/06/09 08:13:08 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * modulus.h: - * modulus handling functions - */ - -#ifndef _MODULUS_H_ -#define _MODULUS_H_ -#include <sys/queue.h> - -/* Possible values for the status field */ - -#define MOD_UNUSED 0 -#define MOD_COMPUTING 1 -#define MOD_PRIME 2 -#define MOD_NOTPRIME 3 - -#define MOD_PRIME_ITER 5 /* Do each cycle */ -#define MOD_PRIME_MAX 20 /* > => Is prime */ -#define MOD_PRIME_TIME 4 /* max time in mod_check_prime */ - -#define MOD_TIMEOUT 120 - -struct moduli_cache { - TAILQ_ENTRY(moduli_cache) next; /* Link to next member */ - - BIGNUM *modulus; /* Modulus for computation */ - BIGNUM *generator; /* Used generator */ - BIGNUM *private_value; /* Our own private value */ - u_int8_t *exchangevalue; /* Our own exchange value */ - size_t exchangesize; - int iterations; /* primality check iterations */ - int status; /* Status of the modulus */ - time_t lifetime; /* For modulus + exchange value */ -}; - -/* Prototypes */ -void mod_init(void); - -int mod_insert(struct moduli_cache *ob); -int mod_unlink(struct moduli_cache *ob); - -struct moduli_cache *mod_new_modgen(BIGNUM *, BIGNUM *); -struct moduli_cache *mod_new_modulus(BIGNUM *); - -int mod_value_reset(struct moduli_cache *ob); - -struct moduli_cache *mod_find_modgen(BIGNUM *, BIGNUM *); -struct moduli_cache *mod_find_modgen_next(struct moduli_cache *, BIGNUM *, - BIGNUM *); -struct moduli_cache *mod_find_modulus(BIGNUM *); -struct moduli_cache *mod_find_generator(BIGNUM *); -struct moduli_cache *mod_find_modulus_next(struct moduli_cache *, BIGNUM *); -struct moduli_cache *mod_find_generator_next(struct moduli_cache *, BIGNUM *); - -void mod_check_prime(int iter, int tm); - -void mod_cleanup(void); - - -#endif diff --git a/sbin/photurisd/packet.c b/sbin/photurisd/packet.c deleted file mode 100644 index 2b2d6c141ef..00000000000 --- a/sbin/photurisd/packet.c +++ /dev/null 
@@ -1,343 +0,0 @@ -/* $OpenBSD: packet.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* - * handle_packet.c: - * handle messages from other photuris daemons. 
- */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: packet.c,v 1.5 2002/06/09 08:13:08 todd Exp $"; -#endif - -#define _PACKET_C_ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <sys/time.h> -#include <arpa/inet.h> -#include "state.h" -#include "photuris.h" -#include "packets.h" -#include "log.h" -#include "buffer.h" -#include "config.h" -#include "scheme.h" -#include "packet.h" -#include "server.h" - -#define RECV_BUFFER_SIZE 8192 - -/* We have a serialised daemon */ -static struct sockaddr_in sin; - -int handle_packet(int sock, char *address) -{ - struct cookie_request *header; - static char recv_buffer[RECV_BUFFER_SIZE]; - int i, size; - - bzero(recv_buffer, RECV_BUFFER_SIZE); - - i = sizeof(struct sockaddr_in); - if ((size = recvfrom(sock, recv_buffer, RECV_BUFFER_SIZE, 0, - (struct sockaddr *) &sin, &i)) == -1) - log_fatal("recvfrom() in handle_packet()"); - - header = (struct cookie_request *)recv_buffer; -#ifdef DEBUG - i = BUFFER_SIZE; - bin2hex(buffer, &i, header->icookie, 16); - printf("%s: Received %d bytes from %s, type %d with icookie: 0x%s\n", - address, size, - inet_ntoa(sin.sin_addr), header->type, buffer); -#endif - - switch(header->type) { - case COOKIE_REQUEST: - if (handle_cookie_request(recv_buffer, size, - inet_ntoa(sin.sin_addr), - ntohs(sin.sin_port), - global_schemes, global_schemesize) - == -1) { - log_print("handle_cookie_request() in handle_packet()"); - return -1; - } - break; - case COOKIE_RESPONSE: - if (handle_cookie_response(recv_buffer, size, - inet_ntoa(sin.sin_addr), - ntohs(sin.sin_port)) == -1) { - log_print("handle_cookie_response() in handle_packet()"); - return -1; - } - break; - case VALUE_REQUEST: - if (handle_value_request(recv_buffer, size, - inet_ntoa(sin.sin_addr), - ntohs(sin.sin_port), - global_schemes, global_schemesize) - == -1) { - log_print("handle_value_request() in handle_packet()"); - 
return -1; - } - break; - case VALUE_RESPONSE: - if (handle_value_response(recv_buffer, size, - inet_ntoa(sin.sin_addr), - address) == -1) { - log_print("handle_value_response() in handle_packet()"); - return -1; - } - break; - case IDENTITY_REQUEST: - if (handle_identity_request(recv_buffer, size, - inet_ntoa(sin.sin_addr), - address) == -1) { - log_print("handle_identity_request() in handle_packet()"); - return -1; - } - break; - case IDENTITY_RESPONSE: - if (handle_identity_response(recv_buffer, size, - inet_ntoa(sin.sin_addr), - address) == -1) { - log_print("handle_identity_response() in handle_packet()"); - return -1; - } - break; - case SPI_UPDATE: - if (handle_spi_update(recv_buffer, size, - inet_ntoa(sin.sin_addr), - address) == -1) { - log_print("handle_spi_update() in handle_packet()"); - return -1; - } - break; - case SPI_NEEDED: - if (handle_spi_needed(recv_buffer, size, - inet_ntoa(sin.sin_addr), - address) == -1) { - log_print("handle_spi_needed() in handle_packet()"); - return -1; - } - break; - case BAD_COOKIE: - if (handle_bad_cookie(recv_buffer, size, - inet_ntoa(sin.sin_addr)) == -1) { - log_print("handle_bad_cookie() in handle_packet()"); - return -1; - } - break; - case RESOURCE_LIMIT: - if (handle_resource_limit(recv_buffer, size, - inet_ntoa(sin.sin_addr)) == -1) { - log_print("handle_resource_limit() in handle_packet()"); - return -1; - } - break; - case VERIFICATION_FAILURE: - if (handle_verification_failure(recv_buffer, size, - inet_ntoa(sin.sin_addr)) == -1) { - log_print("handle_verification_failure() in handle_packet()"); - return -1; - } - break; - case MESSAGE_REJECT: - if (handle_message_reject(recv_buffer, size, - inet_ntoa(sin.sin_addr)) == -1) { - log_print("handle_message_reject() in handle_packet()"); - return -1; - } - break; - default: - log_print("Unknown packet type %d in handle_packet()", - header->type); - return 0; - } - - return 0; -} - -void -send_packet(void) -{ -#ifdef DEBUG - struct cookie_request *header = (struct 
cookie_request *)packet_buffer; - int i = BUFFER_SIZE; - bin2hex(buffer, &i, header->icookie, 16); - printf("Sending %d bytes to %s, type %d with icookie: 0x%s\n", - packet_size, inet_ntoa(sin.sin_addr), header->type, buffer); -#endif - /* We constructed a valid response packet here, send it off. */ - if (sendto(global_socket, packet_buffer, packet_size, 0, - (struct sockaddr *) &sin, sizeof(sin)) != packet_size) { - /* XXX Code to notify kernel of failure */ - log_error("sendto() in handle_packet()"); - return; - } -} - -/* - * packet_check() checks the format of the received packet against - * the specified logical format. The position and size of the fields - * are returned. - */ - -int -packet_check(u_char *packet, u_int16_t size, struct packet *format) -{ - struct packet_sub *parts = format->parts; - u_int16_t off, val, fsize; - - if (format->max != 0 && size > format->max) - return -1; - if (size < format->min) - return -1; - - off = format->min; - packet += off; - - while (off < size && parts != NULL && parts->field != NULL) { - parts->where = packet; - switch (parts->type) { - case FLD_CONST: - off += parts->size; - packet += parts->size; - fsize = parts->size; - break; - case FLD_VARPRE: - val = varpre2octets(packet); - off += val; - packet += val; - fsize = val; - break; - case FLD_ATTRIB: - if (parts->mod == FMD_ATT_FILL) { - fsize = 0; - while (off < size) { - val = packet[1] + 2; - off += val; - packet += val; - fsize += val; - } - } else { - val = packet[1] + 2; - off += val; - packet += val; - fsize = val; - } - break; - default: - return -1; - } - if (parts->size == 0) - parts->size = fsize; - else if(parts->size != fsize) - return -1; - parts++; - } - - if (off != size || (parts != NULL && parts->field != NULL)) - return -1; - - return 0; -} - -void -packet_save(struct stateob *st, u_int8_t *buffer, u_int16_t len) -{ - if (st->packet != NULL) - free(st->packet); - - if ((st->packet = calloc(len, sizeof(u_int8_t))) == NULL) { - st->packetlen = 0; - 
return; - } - - bcopy(buffer, st->packet, len); - st->packetlen = len; -} - -#ifdef DEBUG -void -packet_ordered_dump(u_int8_t *packet, u_int16_t size, struct packet *format) -{ - struct packet_sub *parts = format->parts; - u_int16_t off = 0; - - printf("Packet Header (%s):\n", format->name); - packet_dump(packet, format->min, off); - - off += format->min; - packet += format->min; - while (off < size) { - printf("%s (%d):\n", parts->field, parts->size); - packet_dump(packet, parts->size, off); - off += parts->size; - packet += parts->size; - - parts++; - } -} - -void -packet_dump(u_int8_t *packet, u_int16_t plen, u_int16_t start) -{ - char tmp[73], dump[33]; - int i, size, len, off; - - off = 0; - while (off < plen) { - memset(tmp, ' ', sizeof(tmp)); - tmp[72] = 0; - - sprintf(tmp, "%04x ", (u_int32_t)(off + start)); - - len = 33; - size = plen - off > 16 ? 16 : plen - off; - bin2hex(dump, &len, packet, size); - for (i=0; i<size; i++) { - bcopy(dump+i*2, tmp+5+i*3, 2); - tmp[5 + 16*3 + 3 + i] = isprint(packet[i]) ? packet[i] : '.'; - } - printf("%s\n", tmp); - - off += size; - packet += size; - } -} -#endif diff --git a/sbin/photurisd/packet.h b/sbin/photurisd/packet.h deleted file mode 100644 index f87b2311c10..00000000000 --- a/sbin/photurisd/packet.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/* $OpenBSD: packet.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * packet.h: - * prototyped for receiving and anwsering packets - */ - -#ifndef _PACKET_H_ -#define _PACKET_H_ - -#undef EXTERN -#ifdef _PACKET_C_ -#define EXTERN -#else -#define EXTERN extern -#endif - -EXTERN int handle_packet(int, char *); -EXTERN void send_packet(void); -EXTERN int packet_check(u_char *packet, u_int16_t size, struct packet *format); -EXTERN void packet_save(struct stateob *, u_int8_t *, u_int16_t); -#ifdef DEBUG -EXTERN void packet_ordered_dump(u_int8_t *packet, u_int16_t size, struct packet *format); -EXTERN void packet_dump(u_int8_t *packet, u_int16_t plen, u_int16_t start); -#endif - -#endif /* _STATE_H */ diff --git a/sbin/photurisd/packets.h b/sbin/photurisd/packets.h deleted file mode 100644 index 6ff00dd7da7..00000000000 --- a/sbin/photurisd/packets.h +++ /dev/null 
@@ -1,172 +0,0 @@ -/* $OpenBSD: packets.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-/*
- * packets.h:
- */
-
-#ifndef _PACKETS_H_
-#define _PACKETS_H_
-
-#define COOKIE_REQUEST 0
-#define COOKIE_RESPONSE 1
-#define VALUE_REQUEST 2
-#define VALUE_RESPONSE 3
-#define IDENTITY_REQUEST 4
-#define SECRET_RESPONSE 5
-#define SECRET_REQUEST 6
-#define IDENTITY_RESPONSE 7
-#define SPI_NEEDED 8
-#define SPI_UPDATE 9
-#define BAD_COOKIE 10
-#define RESOURCE_LIMIT 11
-#define VERIFICATION_FAILURE 12
-#define MESSAGE_REJECT 13
-
-#define COOKIE_SIZE 16
-#define SPI_SIZE 4
-
-/* General packet definition */
-
-#define FLD_CONST 0
-#define FLD_VARPRE 1
-#define FLD_ATTRIB 2
-
-#define FMD_ATT_ONE 0
-#define FMD_ATT_FILL 1
-
-struct packet_sub {
- char *field; /* Name of Field */
- int type; /* Type of Field */
- int mod; /* Modifier: */
- u_int16_t size; /* Pointer to start of Field */
- void *where; /* Pointer to start of Field */
-};
-
-struct packet {
- char *name;
- int min, max;
- struct packet_sub *parts;
-};
-
-struct cookie_request {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t counter;
-};
-
-#define COOKIE_REQUEST_PACKET_SIZE sizeof(struct cookie_request)
-
-struct cookie_response {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t counter;
-};
-
-#define COOKIE_RESPONSE_MIN sizeof(struct cookie_response)
-#define COOKIE_RESPONSE_SCHEMES(p) (((u_int8_t *)(p))+COOKIE_RESPONSE_MIN)
-
-#define SCHEME_SIZE(p) (4 + ((u_int16_t)*((p)+2))*256 + (*((p)+3)))
-
-struct value_request {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t counter;
- u_int8_t scheme[2];
-};
-
-#define VALUE_REQUEST_MIN sizeof(struct value_request)
-#define VALUE_REQUEST_VALUE(p) (((u_int8_t *)(p))+VALUE_REQUEST_MIN)
-
-struct value_response {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t reserved[3];
-};
-
-#define VALUE_RESPONSE_MIN sizeof(struct value_response)
-#define VALUE_RESPONSE_VALUE(p) 
(((u_int8_t *)(p))+VALUE_RESPONSE_MIN)
-
-struct identity_message {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t lifetime[3];
- u_int8_t SPI[SPI_SIZE];
-};
-
-#define IDENTITY_MESSAGE_MIN sizeof(struct identity_message)
-#define IDENTITY_MESSAGE_CHOICE(p) (((u_int8_t *)(p))+IDENTITY_MESSAGE_MIN)
-#define IDENTITY_MESSAGE_IDENT(p) (IDENTITY_MESSAGE_CHOICE(p)+*((u_int8_t *)(p)+1))
-
-struct spi_needed {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t reserved[7];
-};
-
-#define SPI_NEEDED_MIN sizeof(struct spi_needed)
-#define SPI_NEEDED_VERIFICATION(p) (((u_int8_t *)(p))+SPI_NEEDED_MIN)
-
-struct spi_update {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t lifetime[3];
- u_int8_t SPI[SPI_SIZE];
-};
-
-#define SPI_UPDATE_MIN sizeof(struct spi_update)
-#define SPI_UPDATE_VERIFICATION(p) (((u_int8_t *)(p))+SPI_UPDATE_MIN)
-
-struct error_message {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
-};
-
-#define ERROR_MESSAGE_PACKET_SIZE sizeof(struct error_message)
-
-struct message_reject {
- u_int8_t icookie[COOKIE_SIZE];
- u_int8_t rcookie[COOKIE_SIZE];
- u_int8_t type;
- u_int8_t badtype;
- u_int16_t offset;
-};
-
-#define MESSAGE_REJECT_PACKET_SIZE sizeof(struct message_reject)
-
-#endif /* _PACKETS_H_ */
diff --git a/sbin/photurisd/photuris.h b/sbin/photurisd/photuris.h
deleted file mode 100644
index dca40e0bae2..00000000000
--- a/sbin/photurisd/photuris.h
+++ /dev/null
@@ -1,110 +0,0 @@ -/* $OpenBSD: photuris.h,v 1.5 2002/06/09 08:13:08 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-/*
- * photuris.h:
- * general header file
- */
-
-#ifndef _PHOTURIS_H_
-#define _PHOTURIS_H_
-
-#include "state.h"
-
-#undef EXTERN
-#ifdef _PHOTURIS_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-#define PHOTURIS_DIR "/etc/photuris"
-#define PHOTURIS_STARTUP "photuris.startup"
-#define PHOTURIS_CONFIG "photuris.conf"
-#define PHOTURIS_SECRET "secrets.conf"
-#define PHOTURIS_USER_SECRET ".photuris_secrets"
-#define PHOTURIS_ATTRIB "attributes.conf"
-
-EXTERN char *config_file;
-EXTERN char *attrib_file;
-EXTERN u_int8_t *global_schemes;
-EXTERN u_int16_t global_schemesize;
-EXTERN int max_retries;
-EXTERN int retrans_timeout;
-EXTERN int exchange_timeout;
-EXTERN int exchange_lifetime;
-EXTERN int spi_lifetime;
-EXTERN int vpn_mode;
-
-EXTERN int daemon_mode;
-
-/* Infos about our interfaces */
-EXTERN char **addresses;
-EXTERN int *sockets;
-EXTERN int num_ifs;
-
-
-/* Packet creation functions */
-
-int photuris_cookie_request(struct stateob *, u_char *, int *);
-int photuris_cookie_response(struct stateob *, u_char *, int *, u_int8_t *,
- u_int8_t, u_int8_t *, u_int16_t, u_int8_t *, u_int16_t);
-int photuris_value_request(struct stateob *, u_char *, int *);
-int photuris_value_response(struct stateob *, u_char *, int *);
-int photuris_identity_request(struct stateob *, u_char *, int *);
-int photuris_identity_response(struct stateob *, u_char *, int *);
-int photuris_spi_update(struct stateob *, u_char *, int *);
-int photuris_spi_needed(struct stateob *, u_char *, int *, u_int8_t *,
- u_int16_t);
-int photuris_error_message(struct stateob *, u_char *, int *, char *, char *,
- u_int8_t, u_int8_t);
-
-/* Packet handling functions */
-
-int handle_cookie_request(u_char *, int, u_int8_t *, u_int16_t, u_int8_t *, u_int16_t);
-int handle_cookie_response(u_char *, int , char *, int);
-int handle_value_request(u_char *, int, char *, u_short, u_int8_t *, u_int16_t );
-int handle_value_response(u_char *, int , char *, char *);
-int 
handle_identity_request(u_char *, int , char *, char *);
-int handle_identity_response(u_char *, int, char *, char *);
-int handle_spi_needed(u_char *, int , char *, char *);
-int handle_spi_update(u_char *, int, char *, char *);
-int handle_bad_cookie(u_char *, int, char *);
-int handle_resource_limit(u_char *, int, char *);
-int handle_verification_failure(u_char *, int, char *);
-int handle_message_reject(u_char *, int, char *);
-
-#if defined(DEBUG) && !defined(IPSEC)
-#define PHOTURIS_PORT 7468
-#else
-#define PHOTURIS_PORT 468
-#endif
-
-#endif /* _PHOTURIS_H */
diff --git a/sbin/photurisd/photuris_cookie_request.c b/sbin/photurisd/photuris_cookie_request.c
deleted file mode 100644
index efda3a57021..00000000000
--- a/sbin/photurisd/photuris_cookie_request.c
+++ /dev/null
@@ -1,100 +0,0 @@ -/* $OpenBSD: photuris_cookie_request.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-/*
- * photuris_cookie_request:
- * create a COOKIE_REQUEST packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_cookie_request.c,v 1.5 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h> /* XXX - get header files right */
-#include <strings.h>
-#include <time.h>
-#include <sys/time.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-
-int
-photuris_cookie_request(struct stateob *st, u_char *buffer, int *size)
-{
- struct cookie_request *header;
- struct stateob *prev_st, *old_st;
- time_t timeout = 0;
-
- if (*size < COOKIE_REQUEST_PACKET_SIZE)
- return -1; /* buffer not large enough */
-
- header = (struct cookie_request *) buffer;
- *size = COOKIE_REQUEST_PACKET_SIZE; /* fixed size */
-
- if (st->counter == 0) {
- old_st = NULL;
- for (prev_st = state_find(st->address); prev_st;
- prev_st = TAILQ_NEXT(prev_st, next)) {
- if (prev_st->lifetime >= timeout) {
- timeout = prev_st->lifetime;
- old_st = prev_st;
- }
- }
-
- /* Check if we have an exchange going already */
- if (old_st != NULL && old_st != st && timeout > time(NULL)) {
- if (old_st->initiator) {
- bcopy(old_st->rcookie, st->rcookie, COOKIE_SIZE);
- st->counter = old_st->counter;
- } else {
- bcopy(old_st->icookie, st->rcookie, COOKIE_SIZE);
- st->counter = 0;
- }
- }
- }
-
- cookie_generate(st, st->icookie, COOKIE_SIZE, NULL, 0);
- st->phase = COOKIE_REQUEST;
- st->lifetime = exchange_timeout + time(NULL);
-
- bcopy(st->icookie, header->icookie, COOKIE_SIZE);
- bcopy(st->rcookie, header->rcookie, COOKIE_SIZE);
-
- header->counter = st->counter; /* set to zero or prev. */
-
- header->type = COOKIE_REQUEST;
-
- return 0;
-}
diff --git a/sbin/photurisd/photuris_cookie_response.c b/sbin/photurisd/photuris_cookie_response.c
deleted file mode 100644
index 3b51fa21dd0..00000000000
--- a/sbin/photurisd/photuris_cookie_response.c
+++ /dev/null
@@ -1,96 +0,0 @@ -/* $OpenBSD: photuris_cookie_response.c,v 1.3 2001/01/28 22:45:13 niklas Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-/*
- * photuris_cookie_response:
- * create a COOKIE_RESPONSE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_cookie_response.c,v 1.3 2001/01/28 22:45:13 niklas Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "cookie.h"
-#include "server.h"
-
-
-/* XXX - on value_request receive we need to set the responder schemes */
-
-int
-photuris_cookie_response(struct stateob *st, u_char *buffer, int *size,
- u_int8_t *icookie, u_int8_t counter,
- u_int8_t *address, u_int16_t port,
- u_int8_t *schemes, u_int16_t ssize)
-{
- struct cookie_response *header;
- struct stateob tempst;
-
- if (*size < COOKIE_RESPONSE_MIN + ssize)
- return -1; /* buffer not large enough */
-
- header = (struct cookie_response *) buffer;
-
- /* Copy list of schemes */
- bcopy(schemes, COOKIE_RESPONSE_SCHEMES(header), ssize);
-
- /* XXX - There are no state information at this phase */
- bzero((char *)&tempst, sizeof(tempst)); /* Set up temp. state */
- tempst.initiator = 0; /* We are the Responder */
- bcopy(icookie, tempst.icookie, COOKIE_SIZE);
- strncpy(tempst.address, address, 15);
- tempst.port = global_port;
-
- bcopy(tempst.icookie, header->icookie, COOKIE_SIZE);
-
- if (st == NULL)
- tempst.counter = counter + 1;
- else
- tempst.counter = st->counter + 1;
-
- if (tempst.counter == 0)
- tempst.counter = 1;
-
- cookie_generate(&tempst, header->rcookie, COOKIE_SIZE, schemes, ssize);
-
- header->counter = tempst.counter;
-
- header->type = COOKIE_RESPONSE;
-
- *size = COOKIE_RESPONSE_MIN + ssize;
- return 0;
-}
diff --git a/sbin/photurisd/photuris_error_message.c b/sbin/photurisd/photuris_error_message.c
deleted file mode 100644
index e673225b792..00000000000
--- a/sbin/photurisd/photuris_error_message.c
+++ /dev/null
@@ -1,88 +0,0 @@ -/* $OpenBSD: photuris_error_message.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * photuris_error_message: - * create a ERROR_MESSAGE packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: photuris_error_message.c,v 1.4 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "cookie.h" - -int -photuris_error_message(struct stateob *st, u_char *buffer, int *size, - char *icookie, char *rcookie, u_int8_t counter, - u_int8_t error_type) -{ - struct error_message *header; - - if (*size < ERROR_MESSAGE_PACKET_SIZE + - (error_type == RESOURCE_LIMIT ? 1 : 0)) - return -1; /* buffer not large enough */ - - header = (struct error_message *) buffer; - *size = ERROR_MESSAGE_PACKET_SIZE + - (error_type == RESOURCE_LIMIT ? 1 : 0); - - bcopy(icookie, header->icookie, COOKIE_SIZE); - bcopy(rcookie, header->rcookie, COOKIE_SIZE); - - header->type = error_type; - - if (error_type == RESOURCE_LIMIT) { - int i; - buffer[ERROR_MESSAGE_PACKET_SIZE] = counter; - - for(i = 0; i<COOKIE_SIZE; i++) - if (rcookie[i] != 0) - break; - - if (i != COOKIE_SIZE || counter != 0) - return 0; - - if (st != NULL) { - bcopy(st->rcookie, header->rcookie, COOKIE_SIZE); - buffer[ERROR_MESSAGE_PACKET_SIZE] = st->counter; - } - } - - return 0; -} diff --git a/sbin/photurisd/photuris_identity_request.c b/sbin/photurisd/photuris_identity_request.c deleted file mode 100644 index ee3a7d971a4..00000000000 --- a/sbin/photurisd/photuris_identity_request.c +++ /dev/null 
@@ -1,134 +0,0 @@ -/* $OpenBSD: photuris_identity_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * photuris_identity_request: - * create a IDENTITY_REQUEST packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: photuris_identity_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "identity.h" -#include "encrypt.h" -#ifdef DEBUG -#include "packet.h" -#endif - -int -photuris_identity_request(struct stateob *st, u_char *buffer, int *size) -{ - struct identity_message *header; - u_int16_t rsize, asize, tmp; - u_int8_t *p, *verifyp; - - rsize = *size; - if (rsize < IDENTITY_MESSAGE_MIN) - return -1; /* buffer not large enough */ - - asize = IDENTITY_MESSAGE_MIN; /* Actual size */ - rsize -= asize; /* Remaining size */ - - header = (struct identity_message *) buffer; - header->type = IDENTITY_REQUEST; - - /* Copy the cookies */ - bcopy(st->icookie, header->icookie, COOKIE_SIZE); - bcopy(st->rcookie, header->rcookie, COOKIE_SIZE); - - header->lifetime[0] = (st->olifetime >> 16) & 0xFF; - header->lifetime[1] = (st->olifetime >> 8) & 0xFF; - header->lifetime[2] = st->olifetime & 0xFF; - bcopy(st->oSPI, header->SPI, SPI_SIZE ); - - /* Choose identity parameters (choice + value) */ - p = IDENTITY_MESSAGE_CHOICE(header); /* To Identity choice */ - tmp = rsize; /* Remaining size */ - - /* Choose and Copy choice */ - if (choose_identity(st, p, &tmp, st->uSPIoattrib, - st->uSPIoattribsize) == -1 ) - return -1; - - p += tmp; asize += tmp; rsize -= tmp; - - verifyp = p; - - /* Leave space for verification data */ - tmp = get_identity_verification_size(st, IDENTITY_MESSAGE_CHOICE(header)); - - if (rsize < tmp) - return -1; /* buffer not large enough */ - - /* Zero the buffer, so we can hash over it */ - bzero(verifyp, tmp); - - p += tmp; asize += tmp; rsize -= tmp; - - if (rsize < st->oSPIattribsize) - return -1; /* buffer not large enough */ - - /* Copy attributes and padding */ 
- bcopy(st->oSPIattrib, p, st->oSPIattribsize); - asize += st->oSPIattribsize; - rsize -= st->oSPIattribsize; - p += st->oSPIattribsize; - - tmp = rsize; - if(packet_create_padding(st, asize - IDENTITY_MESSAGE_MIN, - p, &tmp) == -1) - return -1; - - p += tmp; asize += tmp; rsize -= tmp; - - /* Create verification data */ - create_identity_verification(st, verifyp, (u_int8_t *)header, asize); - -#ifdef DEBUG2 - printf("Identity-Request (before encryption):\n"); - packet_dump((u_int8_t *)header, asize, 0); -#endif - - /* Encrypt the packet after SPI if wished for */ - packet_encrypt(st, IDENTITY_MESSAGE_CHOICE(header), - asize - IDENTITY_MESSAGE_MIN); - - *size = asize; - return 0; -} diff --git a/sbin/photurisd/photuris_identity_response.c b/sbin/photurisd/photuris_identity_response.c deleted file mode 100644 index 822dc69d4bc..00000000000 --- a/sbin/photurisd/photuris_identity_response.c +++ /dev/null 
@@ -1,134 +0,0 @@ -/* $OpenBSD: photuris_identity_response.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * photuris_identity_response: - * create a IDENTITY_RESPONSE packet; return -1 on failure, 0 on success - * - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: photuris_identity_response.c,v 1.4 2002/06/09 08:13:08 todd Exp $"; -#endif - -#include <stdio.h> -#include <string.h> -#include "config.h" -#include "photuris.h" -#include "packets.h" -#include "state.h" -#include "identity.h" -#include "encrypt.h" -#ifdef DEBUG -#include "packet.h" -#endif - -int -photuris_identity_response(struct stateob *st, u_char *buffer, int *size) -{ - struct identity_message *header; - u_int16_t rsize, asize, tmp; - u_int8_t *p, *verifyp; - - rsize = *size; - if (rsize < IDENTITY_MESSAGE_MIN) - return -1; /* buffer not large enough */ - - asize = IDENTITY_MESSAGE_MIN; /* Actual size */ - rsize -= asize; /* Remaining size */ - - header = (struct identity_message *) buffer; - header->type = IDENTITY_RESPONSE; - - /* Copy the cookies */ - bcopy(st->icookie, header->icookie, COOKIE_SIZE); - bcopy(st->rcookie, header->rcookie, COOKIE_SIZE); - - header->lifetime[0] = (st->olifetime >> 16) & 0xFF; - header->lifetime[1] = (st->olifetime >> 8) & 0xFF; - header->lifetime[2] = st->olifetime & 0xFF; - bcopy(st->oSPI, header->SPI, SPI_SIZE ); - - /* Choose identity parameters (choice + value) */ - p = IDENTITY_MESSAGE_CHOICE(header); /* To Identity choice */ - tmp = rsize; /* Remaining size */ - - /* Choose and Copy choice */ - if (choose_identity(st, p, &tmp, st->uSPIoattrib, - st->uSPIoattribsize) == -1 ) - return -1; - - p += tmp; asize += tmp; rsize -= tmp; - - verifyp = p; - - /* Leave space for verification data */ - tmp = get_identity_verification_size(st, IDENTITY_MESSAGE_CHOICE(header)); - - if (rsize < tmp) - return -1; /* buffer not large enough */ - - /* Zero the buffer, so we can hash over it */ - bzero(verifyp, tmp); - - p += tmp; asize += tmp; rsize -= tmp; - - if (rsize < st->oSPIattribsize) - return -1; /* buffer not large enough */ - - /* Copy attributes and 
padding */ - bcopy(st->oSPIattrib, p, st->oSPIattribsize); - asize += st->oSPIattribsize; - rsize -= st->oSPIattribsize; - p += st->oSPIattribsize; - - tmp = rsize; - if(packet_create_padding(st, asize - IDENTITY_MESSAGE_MIN, - p, &tmp) == -1) - return -1; - - p += tmp; asize += tmp; rsize -= tmp; - - /* Create verification data */ - create_identity_verification(st, verifyp, (u_int8_t *)header, asize); - -#ifdef DEBUG2 - printf("Identity-Response (before encryption):\n"); - packet_dump((u_int8_t *)header, asize, 0); -#endif - - /* Encrypt the packet after SPI if wished for */ - packet_encrypt(st, IDENTITY_MESSAGE_CHOICE(header), - asize - IDENTITY_MESSAGE_MIN); - - *size = asize; - return 0; -} diff --git a/sbin/photurisd/photuris_packet_encrypt.c b/sbin/photurisd/photuris_packet_encrypt.c deleted file mode 100644 index 579be12941f..00000000000 --- a/sbin/photurisd/photuris_packet_encrypt.c +++ /dev/null 
@@ -1,396 +0,0 @@ -/* $OpenBSD: photuris_packet_encrypt.c,v 1.5 2002/06/09 08:13:08 todd Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* - * photuris_packet_encrypt: - * encrypts packets with the privacy choice. 
- */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: photuris_packet_encrypt.c,v 1.5 2002/06/09 08:13:08 todd Exp $"; -#endif - -#define _ENCRYPT_C_ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <des.h> -#include "config.h" -#include "packets.h" -#include "state.h" -#include "attributes.h" -#include "encrypt.h" -#include "secrets.h" -#include "log.h" -#ifdef DEBUG -#include "config.h" -#endif - -void -packet_mask(u_int8_t *packet, u_int16_t len, u_int8_t *key) -{ - int i; - for (i=0; i<len; i++) - packet[i] ^= key[i]; -} - -int -packet_create_padding(struct stateob *st, u_int16_t size, u_int8_t *padd, - u_int16_t *rsize) -{ - u_int8_t padlength, i; - - switch(ntohs(*((u_int16_t *)st->scheme))) { - case DH_G_2_MD5: - case DH_G_3_MD5: - case DH_G_5_MD5: - padlength = (arc4random() & 0xf0) - (size%16); - if (padlength < 8) - padlength += 8; - break; - default: - padlength = (arc4random() & 0xf0) - (size%16); - if (padlength < 8) - padlength += 8; - break; - } - - if(*rsize < padlength) - return -1; - - /* Pad the rest of the payload */ - for(i=1;i<=padlength;i++) - padd[i-1] = i; - - *rsize = padlength; - - return 0; -} - -int -packet_encrypt(struct stateob *st, u_int8_t *payload, u_int16_t payloadlen) -{ - des_cblock keys[4], *input; - des_key_schedule key1,key2,key3; - u_int8_t *pkey; - u_int16_t order = 0; - int i; - - input = (des_cblock *)payload; - - /* No encryption needed */ - switch(ntohs(*((u_int16_t *)st->scheme))) { - case DH_G_2_MD5: - case DH_G_3_MD5: - case DH_G_5_MD5: -#ifdef DEBUG - printf("[Packet encryption: None]\n"); -#endif - pkey = calloc(payloadlen,sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for privacy secret"); - return -1; - } - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - payloadlen*8, &order, 1) == -1) - return -1; -#ifdef DEBUG - { - int i; - char 
buffer[3000]; - i = 3000; - bin2hex(buffer, &i, pkey, payloadlen); - printf("Encrypt key: %s\n", buffer ); - } -#endif - packet_mask(payload, payloadlen, pkey); - return 0; - case DH_G_2_DES_MD5: - case DH_G_3_DES_MD5: - case DH_G_5_DES_MD5: -#ifdef DEBUG - printf("[Packet encryption: DES]\n"); -#endif - pkey = calloc(payloadlen + 8, sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for privacy secret"); - return -1; - } - /* XOR Mask */ - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - payloadlen*8, &order, 1) == -1) - return -1; - /* DES Key */ - if(compute_privacy_key(st, pkey+payloadlen, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - 64, &order, 1) == -1) - return -1; -#ifdef DEBUG - { - int i; - char buffer[3000]; - i = 3000; - bin2hex(buffer, &i, pkey, payloadlen+8); - printf("Encrypt key: %s\n", buffer ); - } -#endif - bcopy(pkey+payloadlen, &keys[0], 8); - des_set_odd_parity(&keys[0]); - - /* Zero IV, we will mask the packet instead */ - bzero(&keys[1], 8); - - des_set_key(&keys[0], key1); - - packet_mask(payload, payloadlen, pkey); - - des_cbc_encrypt(input,input,payloadlen, key1,&keys[1], DES_ENCRYPT); - break; - case DH_G_2_3DES_SHA1: - case DH_G_3_3DES_SHA1: - case DH_G_5_3DES_SHA1: -#ifdef DEBUG - printf("[Packet encryption: 3DES]\n"); -#endif - pkey = calloc(payloadlen+24, sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for owner privacy secret"); - return -1; - } - /* XOR Mask */ - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - payloadlen*8, &order, 1) == -1) - return -1; - /* 3 DES Keys */ - for (i=0; i<3; i++) { - if(compute_privacy_key(st, pkey+payloadlen + (i<<3), - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - 64, &order, 1) == -1) - return -1; - } -#ifdef DEBUG - { - int i; - char buffer[3000]; - i = 3000; - bin2hex(buffer, &i, pkey, payloadlen+24); - printf("Encrypt key: %s\n", buffer ); - } -#endif - bcopy(pkey+payloadlen , &keys[0], 8); - 
des_set_odd_parity(&keys[0]); - bcopy(pkey+payloadlen+8 , &keys[1], 8); - des_set_odd_parity(&keys[1]); - bcopy(pkey+payloadlen+16, &keys[2], 8); - des_set_odd_parity(&keys[2]); - - /* Zero IV, we will make the packet instead */ - bzero(&keys[3], 8); - - des_set_key(&keys[0], key1); - des_set_key(&keys[1], key2); - des_set_key(&keys[2], key3); - - packet_mask(payload, payloadlen, pkey); - - des_ede3_cbc_encrypt(input, input, payloadlen, - key1, key2, key3, &keys[3], DES_ENCRYPT); - break; - default: - log_print("Unknown exchange scheme: %d\n", - *((u_int16_t *)st->scheme)); - return -1; - } - - free(pkey); - - return 0; -} - -int -packet_decrypt(struct stateob *st, u_int8_t *payload, u_int16_t *payloadlen) -{ - u_int8_t padlength, i; - des_cblock keys[4], *input; - des_key_schedule key1,key2,key3; - u_int8_t *pkey; - u_int16_t order = 0; - - input = (des_cblock *)payload; - - /* No encryption needed */ - switch(ntohs(*((u_int16_t *)st->scheme))) { - case DH_G_2_MD5: - case DH_G_3_MD5: - case DH_G_5_MD5: -#ifdef DEBUG - printf("[Packet decryption: None]\n"); -#endif - pkey = calloc(*payloadlen, sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for privacy secret"); - return -1; - } - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - *payloadlen*8, &order, 0) == -1) - return -1; -#ifdef DEBUG - { - int i = 3000; - char buffer[3000]; - bin2hex(buffer, &i, pkey, *payloadlen); - printf("Decrypt key: %s\n", buffer ); - } -#endif - packet_mask(payload, *payloadlen, pkey); - return 0; - case DH_G_2_DES_MD5: - case DH_G_3_DES_MD5: - case DH_G_5_DES_MD5: -#ifdef DEBUG - printf("[Packet decryption: DES]\n"); -#endif - pkey = calloc(*payloadlen+8, sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for privacy secret"); - return -1; - } - /* XOR Mask */ - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - *payloadlen*8, &order, 0) == -1) - return -1; - /* DES Key */ - 
if(compute_privacy_key(st, pkey + *payloadlen, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - 64, &order, 0) == -1) - return -1; -#ifdef DEBUG - { - int i = 3000; - char buffer[3000]; - bin2hex(buffer, &i, pkey, *payloadlen + 8); - printf("Decrypt key: %s\n", buffer ); - } -#endif - bcopy(pkey+*payloadlen, &keys[0], 8); - des_set_odd_parity(&keys[0]); - - /* Zero IV, we will mask the packet instead */ - bzero(&keys[1], 8); - - des_set_key(&keys[0], key1); - - des_cbc_encrypt(input,input,*payloadlen, key1,&keys[1], DES_DECRYPT); - - packet_mask(payload, *payloadlen, pkey); - break; - case DH_G_2_3DES_SHA1: - case DH_G_3_3DES_SHA1: - case DH_G_5_3DES_SHA1: -#ifdef DEBUG - printf("[Packet decryption: 3DES]\n"); -#endif - pkey = calloc(*payloadlen + 24, sizeof(u_int8_t)); - if(pkey == NULL) { - log_error("Not enough memory for privacy secret"); - return -1; - } - /* XOR Mask */ - if(compute_privacy_key(st, pkey, - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - *payloadlen*8, &order, 0) == -1) - return -1; - /* 3 DES keys + 1 DES IV */ - for (i=0; i<3; i++) { - if(compute_privacy_key(st, pkey + *payloadlen + (i<<3), - payload - 2*COOKIE_SIZE - 4 - SPI_SIZE, - 64, &order, 0) == -1) - return -1; - } -#ifdef DEBUG - { - int i = 3000; - char buffer[3000]; - bin2hex(buffer, &i, pkey, *payloadlen+24); - printf("Decrypt key: %s\n", buffer ); - } -#endif - bcopy(pkey+*payloadlen , &keys[0], 8); - des_set_odd_parity(&keys[0]); - bcopy(pkey+*payloadlen+8 , &keys[1], 8); - des_set_odd_parity(&keys[1]); - bcopy(pkey+*payloadlen+16, &keys[2], 8); - des_set_odd_parity(&keys[2]); - - /* Zero IV, we will mask the packet instead */ - bzero(&keys[3], 8); - - des_set_key(&keys[0], key1); - des_set_key(&keys[1], key2); - des_set_key(&keys[2], key3); - - des_ede3_cbc_encrypt(input, input, *payloadlen, - key1, key2, key3, &keys[3], DES_DECRYPT); - - packet_mask(payload, *payloadlen, pkey); - break; - default: - log_error("Unknown exchange scheme: %d\n", - *((u_int16_t *)st->scheme)); - return -1; - 
} - - padlength = *(payload+(*payloadlen)-1); - - /* Check the padding */ - - if(padlength > 255 || padlength < 8) - return -1; - - *payloadlen = *payloadlen - padlength; - - for(i=1;i<=padlength;i++) - if(payload[*payloadlen+i-1] != i) - return -1; - - return 0; -} - diff --git a/sbin/photurisd/photuris_spi_needed.c b/sbin/photurisd/photuris_spi_needed.c deleted file mode 100644 index d84166eb5ad..00000000000 --- a/sbin/photurisd/photuris_spi_needed.c +++ /dev/null 
@@ -1,108 +0,0 @@
-/* $OpenBSD: photuris_spi_needed.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * photuris_spi_needed:
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_spi_needed.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include "config.h"
-#include "packets.h"
-#include "state.h"
-#include "validity.h"
-#include "encrypt.h"
-
-int
-photuris_spi_needed(struct stateob *st, u_char *buffer, int *size,
- u_int8_t *attributes, u_int16_t attribsize)
-{
- struct spi_needed *header;
- u_int16_t rsize, asize, tmp;
- u_int8_t *p;
-
- rsize = *size;
- if (rsize < SPI_NEEDED_MIN)
- return -1; /* buffer not large enough */
-
- asize = SPI_NEEDED_MIN; /* Actual size */
- rsize -= asize; /* Remaining size */
-
- header = (struct spi_needed *) buffer;
- header->type = SPI_NEEDED;
-
- bzero(header->reserved, sizeof(header->reserved));
-
- /* Copy the cookies */
- bcopy(st->icookie, header->icookie, COOKIE_SIZE);
- bcopy(st->rcookie, header->rcookie, COOKIE_SIZE);
-
- p = SPI_NEEDED_VERIFICATION(header);
-
- /* Leave space for verification data */
- tmp = get_validity_verification_size(st);
-
- if (rsize < tmp)
- return -1; /* buffer not large enough */
-
- p += tmp; asize += tmp; rsize -= tmp;
-
- if (rsize < attribsize)
- return -1; /* buffer not large enough */
-
- /* Copy attributes and padding */
- bcopy(attributes, p, attribsize);
- asize += attribsize;
- rsize -= attribsize;
- p += attribsize;
-
- tmp = rsize;
- if(packet_create_padding(st, asize - SPI_NEEDED_MIN, p, &tmp) == -1)
- return -1;
-
- p += tmp; asize += tmp; rsize -= tmp;
-
- /* Create verification data */
- create_validity_verification(st,SPI_UPDATE_VERIFICATION(header),
- (u_int8_t *)header,asize);
-
- /* Encrypt the packet after header if wished for */
- packet_encrypt(st, SPI_NEEDED_VERIFICATION(header),
- asize - SPI_NEEDED_MIN);
-
- *size = asize;
- return 0;
-}
diff --git a/sbin/photurisd/photuris_spi_update.c b/sbin/photurisd/photuris_spi_update.c
deleted file mode 100644
index 5a680186ae3..00000000000
--- a/sbin/photurisd/photuris_spi_update.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $OpenBSD: photuris_spi_update.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * photuris_spi_update:
- * create a SPI_UPDATE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_spi_update.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include "config.h"
-#include "packets.h"
-#include "state.h"
-#include "validity.h"
-#include "encrypt.h"
-
-/* XXX - the SPI needs to be put into a new state object */
-
-int
-photuris_spi_update(struct stateob *st, u_char *buffer, int *size)
-{
- struct spi_update *header;
- u_int16_t rsize, asize, tmp;
- u_int8_t *p;
-
- rsize = *size;
- if (rsize < SPI_UPDATE_MIN)
- return -1; /* buffer not large enough */
-
- asize = SPI_UPDATE_MIN; /* Actual size */
- rsize -= asize; /* Remaining size */
-
- header = (struct spi_update *) buffer;
- header->type = SPI_UPDATE;
-
- /* Copy the cookies */
- bcopy(st->icookie, header->icookie, COOKIE_SIZE);
- bcopy(st->rcookie, header->rcookie, COOKIE_SIZE);
-
- /* Copy SPI and life time */
- bcopy(st->oSPI, header->SPI, SPI_SIZE );
- header->lifetime[0] = (st->olifetime >> 16) & 0xFF;
- header->lifetime[1] = (st->olifetime >> 8) & 0xFF;
- header->lifetime[2] = st->olifetime & 0xFF;
-
- p = SPI_UPDATE_VERIFICATION(header);
-
- /* Leave space for verification data */
- tmp = get_validity_verification_size(st);
-
- if (rsize < tmp)
- return -1; /* buffer not large enough */
-
- p += tmp; asize += tmp; rsize -= tmp;
-
- if (rsize < st->oSPIattribsize)
- return -1; /* buffer not large enough */
-
- /* Copy attributes and padding */
- bcopy(st->oSPIattrib, p, st->oSPIattribsize);
- asize += st->oSPIattribsize;
- rsize -= st->oSPIattribsize;
- p += st->oSPIattribsize;
-
- tmp = rsize;
- if(packet_create_padding(st, asize - SPI_UPDATE_MIN, p, &tmp) == -1)
- return -1;
-
- p += tmp; asize += tmp; rsize -= tmp;
-
- /* Create validity verification data */
- create_validity_verification(st,SPI_UPDATE_VERIFICATION(header),
- (u_int8_t *)header,asize);
-
- /* Encrypt the packet after SPI if wished for */
- packet_encrypt(st, SPI_UPDATE_VERIFICATION(header),
- asize - SPI_UPDATE_MIN);
-
- *size = asize;
- return 0;
-}
diff --git a/sbin/photurisd/photuris_value_request.c b/sbin/photurisd/photuris_value_request.c
deleted file mode 100644
index d145ba923e1..00000000000
--- a/sbin/photurisd/photuris_value_request.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* $OpenBSD: photuris_value_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * photuris_value_request:
- * create a VALUE_REQUEST packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_value_request.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "exchange.h"
-
-int
-photuris_value_request(struct stateob *st, u_char *buffer, int *size)
-
-{
- struct value_request *header;
- u_int16_t rsize, asize, tmp;
-
- rsize = *size;
-
- if (rsize < VALUE_REQUEST_MIN + st->oSPIoattribsize)
- return -1; /* buffer not large enough */
-
- header = (struct value_request *)buffer;
-
- asize = VALUE_REQUEST_MIN + st->oSPIoattribsize;
- rsize -= asize;
-
- /* Generate an exchangevalue if not done already */
- tmp = rsize;
- if(exchange_value_generate(st, VALUE_REQUEST_VALUE(header), &tmp) == -1)
- return -1;
-
- asize += tmp;
- bcopy(st->oSPIoattrib, VALUE_REQUEST_VALUE(header)+tmp,
- st->oSPIoattribsize);
-
- header = (struct value_request *) buffer;
- header->type = VALUE_REQUEST;
-
- bcopy(st->icookie, header->icookie, COOKIE_SIZE);
- bcopy(st->rcookie, header->rcookie, COOKIE_SIZE);
-
- header->counter = st->counter;
- bcopy(st->scheme, header->scheme, 2 ); /* Only scheme */
-
- bcopy(&header->counter, st->oSPITBV, 3);
-
- *size = asize;
- return 0;
-}
diff --git a/sbin/photurisd/photuris_value_response.c b/sbin/photurisd/photuris_value_response.c
deleted file mode 100644
index 7589aea5d7c..00000000000
--- a/sbin/photurisd/photuris_value_response.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* $OpenBSD: photuris_value_response.c,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * photuris_value_response:
- * create a VALUE_RESPONSE packet; return -1 on failure, 0 on success
- *
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photuris_value_response.c,v 1.4 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include "config.h"
-#include "photuris.h"
-#include "packets.h"
-#include "state.h"
-#include "exchange.h"
-
-int
-photuris_value_response(struct stateob *st, u_char *buffer, int *size)
-
-{
- struct value_response *header;
- u_int16_t asize, rsize, tmp;
-
- rsize = *size;
- if (rsize < VALUE_RESPONSE_MIN + st->oSPIoattribsize)
- return -1; /* buffer not large enough */
-
- header = (struct value_response *)buffer;
-
- asize = VALUE_RESPONSE_MIN + st->oSPIoattribsize;
- rsize -= asize;
-
- /* Generate an exchangevalue if not done already */
- tmp = rsize;
- if(exchange_value_generate(st, VALUE_RESPONSE_VALUE(header), &tmp) == -1\
-)
- return -1;
-
- asize += tmp;
- bcopy(st->oSPIoattrib, VALUE_RESPONSE_VALUE(header)+tmp,
- st->oSPIoattribsize);
-
- header = (struct value_response *) buffer;
- header->type = VALUE_RESPONSE;
-
- bcopy(st->icookie, header->icookie, COOKIE_SIZE);
- bcopy(st->rcookie, header->rcookie, COOKIE_SIZE);
-
- bzero(header->reserved, sizeof(header->reserved)); /* zero for now */
- bzero(st->oSPITBV, 3);
-
- *size = asize;
- return 0;
-}
diff --git a/sbin/photurisd/photurisd.8 b/sbin/photurisd/photurisd.8
deleted file mode 100644
index 8727e1f6658..00000000000
--- a/sbin/photurisd/photurisd.8
+++ /dev/null
@@ -1,261 +0,0 @@ -.\" $OpenBSD: photurisd.8,v 1.11 2002/07/01 15:52:37 deraadt Exp $ -.\" -.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by Niels Provos. -.\" 4. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.\" Manual page, using -mandoc macros -.\" -.Dd July 18, 1997 -.Dt PHOTURISD 8 -.Os -.Sh NAME -.Nm photurisd -.Nd IPsec key management daemon -.Sh SYNOPSIS -.Nm photurisd -.Op Fl ci -.Op Fl d Ar directory -.Op Fl p Ar port -.Sh DESCRIPTION -The -.Nm -daemon establishes security associations for encrypted -and/or authenticated network traffic. -.Pp -The daemon listens to a named pipe -.Pa photuris.pipe -for user requests and on a -.Dv PF_ENCAP -socket for kernel requests. -.Pp -The options are as follows: -.Bl -tag -width Ds -.It Fl c -The -.Fl c -option is used to force a primality check of the bootstrapped moduli. -.It Fl i -The -.Fl i -option can be used to ignore the -.Pa photuris.startup -file. -Otherwise the exchanges in that file will be initiated on startup. -.It Fl d Ar directory -The -.Fl d -option specifies the -.Ar directory -in which -.Nm -looks for its startup files. -The default is -.Pa /etc/photuris/ . -.It Fl p Ar port -The -.Fl p -option specifies the local -.Ar port -the daemon shall bind to. -.El -.Pp -The file -.Pa photuris.conf -contains the moduli for the DH exchange and the actual exchange -schemes used to establish a shared secret. -The following keywords are understood: -.Bl -tag -width exchange -offset indent -.It Ic modulus -This keyword is followed by the numeric generator and modulus. -Those two values describe the group in which exchange values for the -.Dq Diffie-Hellmann -key exchange are generated. -The modulus needs to be a -.Dq safe prime . -.It Ic exchange -This keyword is used to specify the supported exchange schemes. -The scheme is -followed by either zero or the number of bits of the modulus to be used -with this scheme. -If zero is specified the given scheme acts as modifier to the base -scheme. -The base scheme is -.Dq DH_G_2_MD5 -(generator of two and MD5 identification). -Extended schemes are -.Dq DH_G_2_DES_MD5 -and -.Dq DH_G_2_3DES_SHA1 . 
-An exchange can only be configured if an apropriate modulus has be given -before. -.It Ic config -This is used to configure the LifeTimes of SPIs and exchanges. -The configurable values are: -.Ic exchange_max_retries , -.Ic exchange_retransmit_timeout , -.Ic exchange_timeout , -.Ic exchange_lifetime -and -.Ic spi_lifetime . -They are followed by an integer. -.El -.Pp -The file -.Pa attributes.conf -contains the attributes, i.e., different choices of encryption -and authentication, offered to the other peer. -If a line starts with an ip -address and a space separated netmask the following attributes are only -offered to hosts lying in that net range. -Only one attribute per line is allowed. -An attribute can either be an already defined tag or -a new definition of an attribute. -In that case the line is followed by a comma-separated list: -.Ar attribute name , -.Ar Photuris ID , -.Ar type of attribute -and -.Ar key length . -The name is only used as reference. -A list of possible Photuris IDs can be found in -.Pa /usr/share/ipsec/attributes.conf . -The attribute type is one of the following: -.Dq enc , -.Dq ident , -.Dq auth -or -.Dq ident|auth . -The key length is so far only used by the encryption attributes and -specifies the number of keying bytes the daemon has to generate. -Predefined attributes are: -.Bl -tag -width AT_ESP_ATTRIB -offset indent -.It AT_AH_ATTRIB -Starts the list of authentication attributes. -.It AT_ESP_ATTRIB -Starts the list of encryption attributes. -.El -.Pp -The file -.Pa secrets.conf -contains the party preconfigured symmetric secrets for the -identity exchange. -.Bl -tag -width identity_pair_local -offset indent -.It Ic identity local -Defines the identity the local daemon will assume and the according -password. -Both name and secret are braced by quotation marks and follow the -.Ic identity local -directive. -.It Ic identity remote -Defines the parties the daemon can communicate with and their secrets. 
-Both name and secret are braced by quotation marks and follow the -.Ic identity remote -directive. -The name and secret are the same as the identity local on the remote site. -.It Ic identity pair local -If the identity of the remote site is already known, -.Ic identity pair local -enables the daemon to assume an identity and secret based on -the remote identity. -The directive is followed by the -remote identity, a new local identity and an according secret. -In that way the secrets are not shared with all other parties. -.El -.Pp -Once DNSSEC or other public key infrastructures are available, those will -be supported also. -.Pp -Finally the file -.Pa photuris.startup -contains parameters for exchanges which are created during -startup. -.Pp -The keywords -.Ic dst , -.Ic port , -.Ic options , -.Ic tsrc , -.Ic tdst , -.Ic exchange_lifetime , -.Ic spi_lifetime -and -.Ic user -are understood in the -.Pa photuris.startup -file. -The values are as follows: -.Bl -tag -width exchange_lifetime -offset indent -.It Ic dst -The destination IP address with which the exchange is to be established. -.It Ic port -The port number of the destination -.Nm -daemon. -.It Ic options -The options to be used in the exchange. -Possible values are -.Dq enc -and -.Dq auth . -.It Ic exchange_lifetime -Determines the lifetime of the exchange. -After an exchange expires -no new SPIs are created, which means the transport or tunnel is torn down -as soon as the current SPI times out (see -.Ic spi_lifetime -below). -The default value is gotten from the -.Ic exchange_lifetime -parameter given in -.Pa photuris.conf . -If it is not given there the default is 1800 seconds. -.It Ic spi_lifetime -Determines the lifetime of each created SPI in the exchange. -.It Ic user -The user name for whom the keying shall be done. -Preconfigured secrets are taken from the users secret file. -.El -.Pp -Exchanges are separated by newlines. 
-.Sh EXAMPLES -A sample -.Pa photuris.startup -entry: -.Pp -.Bd -literal -dst=134.100.106.2 port=468 options=auth -.Ed -.Sh SEE ALSO -.Xr ipsec 4 , -.Xr vpn 8 -.Sh HISTORY -The photuris keymanagement protocol is described in the internet draft -.%T draft-simpson-photuris -by the authors Phil Karn and William Allen Simpson. -This implementation was done 1997 by Niels Provos and appeared in -.Ox 2.1 . diff --git a/sbin/photurisd/photurisd.c b/sbin/photurisd/photurisd.c deleted file mode 100644 index 53dba24f774..00000000000 --- a/sbin/photurisd/photurisd.c +++ /dev/null 
@@ -1,207 +0,0 @@
-/* $OpenBSD: photurisd.c,v 1.13 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * photurisd.c: photuris daemon and stuff.
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: photurisd.c,v 1.13 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _PHOTURIS_C_
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <signal.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-#include "config.h"
-#include "photuris.h"
-#include "server.h"
-#include "buffer.h"
-#include "cookie.h"
-#include "identity.h"
-#include "spi.h"
-#include "packet.h"
-#include "schedule.h"
-#include "log.h"
-#ifdef IPSEC
-#include "attributes.h"
-#include "kernel.h"
-#endif
-
-static int init_vars(void);
-static void usage(void);
-
-static void
-usage(void)
-{
- FILE *f = stderr;
-
- fprintf(f, "usage: photurisd [-cvi] [-d directory] [-p port]\n");
- fprintf(f, "\t-c check primes on startup\n");
- fprintf(f, "\t-i ignore startup file %s\n", PHOTURIS_STARTUP);
- fprintf(f, "\t-d specifies the startup dir\n");
- fprintf(f, "\t-p specifies the local port to bind to\n");
- exit(1);
-}
-
-
-static int
-init_vars(void)
-{
- global_schemes = NULL;
- global_schemesize = 0;
-
- config_file = NULL;
- attrib_file = NULL;
-
- if ((config_file = calloc(1, sizeof(PHOTURIS_CONFIG))) == NULL)
- log_fatal("no memory in init_vars()" );
- strcpy(config_file, PHOTURIS_CONFIG);
-
- if ((secret_file = calloc(1, sizeof(PHOTURIS_SECRET))) == NULL)
- log_fatal("no memory in init_vars()" );
- strcpy(secret_file, PHOTURIS_SECRET);
-
- if ((attrib_file = calloc(1, sizeof(PHOTURIS_ATTRIB))) == NULL)
- log_fatal("no memory in init_vars()");
- strcpy(attrib_file, PHOTURIS_ATTRIB);
-
- reset_secret();
-
- max_retries = MAX_RETRIES;
- retrans_timeout = RETRANS_TIMEOUT;
- exchange_timeout = EXCHANGE_TIMEOUT;
- exchange_lifetime = EXCHANGE_LIFETIME;
- spi_lifetime = SPI_LIFETIME;
-
- return 1;
-}
-
-int
-main(int argc, char **argv)
-{
- int ch;
- int primes = 0, ignore = 0;
- char *dir = PHOTURIS_DIR;
-#ifdef USE_DEBUG
- int cls, level = 0;
-#endif
-
- daemon_mode = 0;
- global_port = 0;
-
- log_init();
-
- while ((ch = getopt(argc, argv, "D:cid:p:")) != -1)
- switch((char)ch) {
- case 'c':
- primes = 1;
- break;
-#ifdef USE_DEBUG
- case 'D':
- if (sscanf(optarg, "%d=%d", &cls, &level) != 2) {
- if (sscanf(optarg, "A=%d", &level) == 1) {
- for (cls = 0; cls < LOG_ENDCLASS; cls++)
- log_debug_cmd(cls, level);
- } else
- log_print("parse_args: -D argument unparseable: %s", optarg);
- }
- else
- log_debug_cmd(cls, level);
- break;
-#endif /* USE_DEBUG */
- case 'i':
- ignore = 1;
- break;
- case 'd':
- dir = optarg;
- break;
- case 'p':
- global_port = atoi(optarg);
- break;
- case '?':
- default:
- usage();
- }
-
- if (chdir(dir) == -1)
- log_fatal("chdir(\"%s\") in main()", dir);
-
-
- argc -= optind;
- argv += optind;
-
- spi_init();
- state_init();
-
- init_vars();
-
- init_times();
-
- init_moduli(primes);
-
- init_schemes();
-
-#ifndef USE_DEBUG
- init_signals();
- if (fork())
- exit(0);
- daemon_mode = 1;
-#endif /* USE_DEBUG */
-
-#ifdef IPSEC
- init_kernel();
-#endif
-
- /* Depends on the available attributes in the kernel, init_kernel() */
- init_attributes();
-
- if (init_identities(NULL,NULL) == -1)
- exit(1);
-
- init_schedule();
-
- init_server();
-
- /* Startup preconfigured exchanges */
- if(!ignore)
- init_startup();
-
- server();
- exit(0);
-}
diff --git a/sbin/photurisd/schedule.c b/sbin/photurisd/schedule.c
deleted file mode 100644
index b42c047b662..00000000000
--- a/sbin/photurisd/schedule.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/* $OpenBSD: schedule.c,v 1.8 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Parts derived from code by Angelos D. Keromytis, kermit@forthnet.gr
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * schedule.c:
- * SCHEDULE handling functions
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: schedule.c,v 1.8 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _SCHEDULE_C_
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <sys/time.h>
-#include <arpa/inet.h>
-#include "state.h"
-#include "spi.h"
-#include "photuris.h"
-#include "buffer.h"
-#include "schedule.h"
-#include "log.h"
-#include "cookie.h"
-#include "modulus.h"
-#include "api.h"
-#ifdef IPSEC
-#include "attributes.h"
-#include "kernel.h"
-#endif
-#ifdef DEBUG
-#include "config.h"
-#endif
-
-static struct schedule *schedob = NULL;
-
-void
-schedule_insert(int type, int off, u_int8_t *cookie, u_int16_t cookie_size)
-{
- struct schedule *tmp;
-
-#ifdef DEBUG
- {
- if( cookie != NULL) {
- int i = BUFFER_SIZE;
- bin2hex(buffer, &i, cookie, cookie_size);
- }
- printf("Adding event type %d, due in %d seconds, cookie %s\n",
- type, off, cookie == NULL ? "None" : (char *)buffer);
- }
-#endif
-
- if ((tmp = calloc(1, sizeof(struct schedule))) == NULL) {
- log_error("calloc() in schedule_insert()");
- return;
- }
-
- tmp->event = type;
- tmp->offset = off;
- tmp->tm = time(NULL) + off;
-
- if (cookie != NULL) {
- tmp->cookie = calloc(cookie_size, sizeof(u_int8_t));
- if (tmp->cookie == NULL) {
- log_error("calloc() in schedule_insert()");
- free(tmp);
- return;
- }
- bcopy(cookie, tmp->cookie, cookie_size);
- tmp->cookie_size = cookie_size;
- }
-
- tmp->next = NULL;
-
- if (schedob == NULL)
- schedob = tmp;
- else {
- tmp->next = schedob;
- schedob = tmp;
- }
-}
-
-int
-schedule_next(void)
-{
- struct schedule *tmp;
- time_t tm;
-
- if (schedob == NULL)
- return -1;
-
- tm = schedob->tm;
- tmp = schedob->next;
- while (tmp != NULL) {
- if (tmp->tm < tm)
- tm = tmp->tm;
- tmp = tmp->next;
- }
-
- if ((tm -= time(NULL)) < 0)
- return 0;
-
- return((int) tm);
-}
-
-int
-schedule_offset(int type, u_int8_t *cookie)
-{
- struct schedule *tmp = schedob;
- while (tmp != NULL) {
- if (tmp->event == type &&
- ((tmp->cookie == NULL && cookie == NULL) ||
- !bcmp(tmp->cookie, cookie, tmp->cookie_size)))
- return tmp->offset;
- tmp = tmp->next;
- }
-
- return -1;
-}
-
-void
-schedule_remove(int type, u_int8_t *cookie)
-{
- struct schedule *tmp, *otmp = NULL;
-
- tmp = schedob;
- while (tmp != NULL) {
- if (tmp->event == type &&
- ((tmp->cookie == NULL && cookie == NULL) ||
- !bcmp(tmp->cookie, cookie, tmp->cookie_size))) {
- if (tmp == schedob)
- schedob = tmp->next;
- else
- otmp->next = tmp->next;
-
- if (tmp->cookie != NULL)
- free(tmp->cookie);
- free(tmp);
- return;
- }
- otmp = tmp;
- tmp = tmp->next;
- }
-}
-
-void
-schedule_process(int sock)
-{
- struct schedule *tmp, *tmp2;
- struct sockaddr_in sin;
- struct stateob *st;
- time_t tm;
- int remove;
-
- tm = time(NULL);
- tmp = schedob;
- while (tmp != NULL) {
- if (tmp->tm > tm) {
- tmp = tmp->next;
- continue;
- }
-
- remove = 0;
- switch(tmp->event) {
- case REKEY:
- reset_secret();
- tmp->tm = time(NULL) + REKEY_TIMEOUT;
- break;
- case MODULUS:
-#ifdef DEBUG2
- printf("Checking moduli\n");
-#endif
- mod_check_prime(MOD_PRIME_ITER, MOD_PRIME_TIME);
- tmp->tm = time(NULL) + MODULUS_TIMEOUT;
- break;
- case CLEANUP:
-#ifdef DEBUG2
- printf("Cleaning up states\n");
-#endif
- state_expire();
-#ifdef DEBUG2
- printf("Cleaning up SPI's\n");
-#endif
- spi_expire();
- tmp->tm = time(NULL) + CLEANUP_TIMEOUT;
- break;
- case TIMEOUT:
- st = state_find_cookies(NULL, tmp->cookie, NULL);
- if (st == NULL) {
- remove = 1;
- break;
- } else if (st->retries >= max_retries) {
- remove = 1;
- if (st->phase == COOKIE_REQUEST && st->resource == 0) {
- log_print("no anwser for cookie request to %s:%d",
- st->address, st->port);
-#ifdef IPSEC
- if (st->flags & IPSEC_NOTIFY)
- kernel_notify_result(st, NULL, 0);
-#endif
- break;
- } else if(st->phase == COOKIE_REQUEST) {
- /* Try again with updated counters */
- struct stateob *newst;
- if ((newst = state_new()) == NULL) {
- log_error("state_new() in schedule_process()");
- break;
- }
- state_copy_flags(st, newst);
-#ifdef DEBUG
- printf("Starting a new exchange to %s:%d with updated rcookie and"
- " counter.\n", newst->address, newst->port);
-#endif /* DEBUG */
- start_exchange(sock, newst, st->address, st->port);
- state_insert(newst);
- break;
- } else {
- log_print("exchange terminated, phase %d to %s:%d",
- st->phase, st->address, st->port);
- break;
- }
- }
-
-
- if (st->packet == NULL || st->packetlen == 0) {
- log_print("no packet in schedule_process()");
- remove = 1;
- break;
- }
-
- /* Only send the packet when no error occurred */
- if (!remove) {
- st->retries++;
-
- sin.sin_port = htons(st->port);
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = inet_addr(st->address);
-
- if (sendto(sock, st->packet, st->packetlen, 0,
- (struct sockaddr *) &sin, sizeof(sin))
- != st->packetlen) {
- log_error("sendto() in schedule_process()");
- remove = 1;
- break;
- }
-
-#ifdef DEBUG
- printf("Resending packet to %s type %d, length %d.\n",
- st->address, st->phase, st->packetlen);
-#endif
- tmp->tm = tm + retrans_timeout;
- }
- break;
- case UPDATE:
- spi_update(sock, tmp->cookie);
- remove = 1;
- break;
- default:
- remove = 1;
- log_print("Unknown event in schedule_process()");
- break;
- }
-
- if (remove) {
- tmp2 = tmp;
- tmp = tmp->next;
- schedule_remove(tmp2->event, tmp2->cookie);
- } else
- tmp = tmp->next;
- }
-}
-
-void
-init_schedule(void)
-{
- schedule_insert(REKEY, REKEY_TIMEOUT, NULL, 0);
- schedule_insert(CLEANUP, CLEANUP_TIMEOUT, NULL, 0);
- schedule_insert(MODULUS, MODULUS_TIMEOUT, NULL, 0);
-}
diff --git a/sbin/photurisd/schedule.h b/sbin/photurisd/schedule.h
deleted file mode 100644
index 2e14412c726..00000000000
--- a/sbin/photurisd/schedule.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/* $OpenBSD: schedule.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * schedule.h:
- * schedule events like retransmission and clean ups.
- */
-
-#ifndef _SCHEDULE_H_
-#define _SCHEDULE_H_
-
-#include "state.h"
-#include "packets.h"
-
-#undef EXTERN
-
-#ifdef _SCHEDULE_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-#define REKEY 0
-#define TIMEOUT 1
-#define CLEANUP 2
-#define MODULUS 3
-#define UPDATE 4
-
-#define MAX_RETRIES 3 /* Resend a packet max. as often */
-
-#define CLEANUP_TIMEOUT 60
-#define MODULUS_TIMEOUT 75
-#define RESPONDER_TIMEOUT 300
-#define RETRANS_TIMEOUT 10
-#define REKEY_TIMEOUT 360
-
-struct schedule {
- struct schedule *next;
- time_t tm;
- int offset;
- int event;
- u_int8_t *cookie;
- u_int16_t cookie_size;
-};
-
-EXTERN void schedule_process(int sock);
-EXTERN int schedule_next(void);
-EXTERN int schedule_offset(int type, u_int8_t *cookie);
-EXTERN void schedule_insert(int type, int off, u_int8_t *cookie,
- u_int16_t cookie_size);
-EXTERN void schedule_remove(int type, u_int8_t *cookie);
-EXTERN void init_schedule(void);
-
-#endif /* _SCHEDULE_H */
diff --git a/sbin/photurisd/scheme.c b/sbin/photurisd/scheme.c
deleted file mode 100644
index 19268828303..00000000000
--- a/sbin/photurisd/scheme.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/* $OpenBSD: scheme.c,v 1.6 2002/06/09 08:13:08 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * scheme.c:
- * SCHEME handling functions
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: scheme.c,v 1.6 2002/06/09 08:13:08 todd Exp $";
-#endif
-
-#define _SCHEME_C_
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include "config.h"
-#include "attributes.h"
-#include "buffer.h"
-#include "scheme.h"
-#include "log.h"
-
-u_int8_t *
-scheme_get_gen(u_int8_t *scheme)
-{
- int header;
- switch(ntohs(*(u_int16_t *)scheme)) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_5_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_2_3DES_SHA1:
- case DH_G_5_DES_MD5:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- return NULL;
- case DH_G_VAR_MD5:
- case DH_G_VAR_DES_MD5:
- case DH_G_VAR_3DES_SHA1:
- if (scheme[2] == 255 && scheme[3] == 255)
- header = 8;
- else if (scheme[2] == 255)
- header = 4;
- else
- header = 2;
- return scheme+2+header;
- default:
- log_print("Unknown scheme in scheme_get_gen()");
- return NULL;
- }
-}
-
-u_int8_t *
-scheme_get_mod(u_int8_t *scheme)
-{
- int header;
- switch(ntohs(*(u_int16_t *)scheme)) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_5_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_2_3DES_SHA1:
- case DH_G_5_DES_MD5:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- return scheme+2;
- break;
- case DH_G_VAR_MD5:
- case DH_G_VAR_DES_MD5:
- case DH_G_VAR_3DES_SHA1:
- if (scheme[2] == 255 && scheme[3] == 255)
- header = 8;
- else if (scheme[2] == 255)
- header = 4;
- else
- header = 2;
- if (varpre2octets(scheme+2) > 2)
- return scheme+2+header+varpre2octets(scheme+2+header);
- else
- return scheme+2;
- break;
- default:
- log_print("Unknown scheme in scheme_get_mod()");
- return NULL;
- }
-}
-
-size_t
-scheme_get_len(u_int8_t *scheme)
-{
- return 2 + varpre2octets(scheme + 2);
-}
-
-u_int16_t
-scheme_get_ref(u_int8_t *scheme)
-{
- switch(ntohs(*(u_int16_t *)scheme)) {
- case DH_G_2_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_2_3DES_SHA1:
- return DH_G_2_MD5;
- case DH_G_3_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_3_3DES_SHA1:
- return DH_G_3_MD5;
- case DH_G_5_MD5:
- case DH_G_5_DES_MD5:
- case DH_G_5_3DES_SHA1:
- return DH_G_5_MD5;
- case DH_G_VAR_MD5:
- case DH_G_VAR_DES_MD5:
- case DH_G_VAR_3DES_SHA1:
- return DH_G_VAR_MD5;
- default:
- log_print("Unknown scheme in scheme_get_ref()");
- return 0;
- }
-}
-
-size_t
-varpre2octets(u_int8_t *varpre)
-{
- int blocks, header;
- size_t size;
-
- /* XXX - only support a few octets at the moment */
- if(varpre[0] == 255 && varpre[1] == 255)
- return (0);
-
- size = 0;
- if (varpre[0] == 255) {
- blocks = 3;
- varpre++;
- size = 65280;
- header = 4;
- } else {
- header = 2;
- blocks = 2;
- }
-
- while (blocks--) {
- size = (size << 8) + *varpre;
- varpre++;
- }
- size = (size + 7) / 8;
-
- return (size + header);
-}
-
diff --git a/sbin/photurisd/scheme.h b/sbin/photurisd/scheme.h
deleted file mode 100644
index ecd7a054213..00000000000
--- a/sbin/photurisd/scheme.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* $OpenBSD: scheme.h,v 1.4 2002/06/09 08:13:08 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * scheme.h:
- * security paramter index creation.
- */
-
-#ifndef _SCHEME_H_
-#define _SCHEME_H_
-
-#include <sys/types.h>
-#include "state.h"
-
-#undef EXTERN
-
-#ifdef _SCHEME_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-EXTERN u_int8_t *scheme_get_mod(u_int8_t *scheme);
-EXTERN u_int8_t *scheme_get_gen(u_int8_t *scheme);
-EXTERN u_int16_t scheme_get_ref(u_int8_t *scheme);
-EXTERN size_t scheme_get_len(u_int8_t *scheme);
-EXTERN size_t varpre2octets(u_int8_t *varpre);
-#endif /* _SCHEME_H */
diff --git a/sbin/photurisd/secrets.h b/sbin/photurisd/secrets.h
deleted file mode 100644
index e884649166f..00000000000
--- a/sbin/photurisd/secrets.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $OpenBSD: secrets.h,v 1.5 2002/06/09 08:13:09 todd Exp $ */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * secrets.h:
- * prototypes for compute_secrets.c
- */
-
-#ifndef _SECRETS_H_
-#define _SECRETS_H_
-
-#include "state.h"
-#include "spi.h"
-
-#undef EXTERN
-
-#ifdef _SECRETS_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-EXTERN int compute_shared_secret(struct stateob *, u_int8_t **, size_t *);
-EXTERN int compute_session_key(struct stateob *st, u_int8_t *key,
- u_int8_t *attribute, int owner,
- u_int16_t *order);
-EXTERN int get_session_key_length(u_int8_t *attribute);
-
-EXTERN int init_privacy_key(struct stateob *st, int owner);
-EXTERN int compute_privacy_key(struct stateob *st, u_int8_t *key,
- u_int8_t *packet, u_int16_t bits,
- u_int16_t *order, int owner);
-EXTERN int make_session_keys(struct stateob *st, struct spiob *spi);
-
-#endif /* _SECRETS_H_ */
diff --git a/sbin/photurisd/server.c b/sbin/photurisd/server.c
deleted file mode 100644
index 85881f5fe4b..00000000000
--- a/sbin/photurisd/server.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/* $OpenBSD: server.c,v 1.13 2002/06/09 08:13:09 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Parts derived from code by Angelos D. Keromytis, kermit@forthnet.gr
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * server.c:
- * SERVER handling functions
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: server.c,v 1.13 2002/06/09 08:13:09 todd Exp $";
-#endif
-
-#define _SERVER_C_
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <string.h>
-#include <unistd.h>
-#ifdef _AIX
-#include <sys/select.h>
-#endif
-#include <errno.h>
-#include "config.h"
-#include "photuris.h"
-#include "server.h"
-#include "api.h"
-#include "packet.h"
-#include "schedule.h"
-#include "log.h"
-#include "buffer.h"
-#ifdef IPSEC
-#include "spi.h"
-#include "attributes.h"
-#include "kernel.h"
-#endif
-
-int
-init_server(void)
-{
- struct sockaddr_in sin, *sin2;
- struct protoent *proto;
- int sock, d, i, ip, on = 1;
- struct ifconf ifconf;
- void *newbuf;
- char buf[4096];
-
- readfds = normfds = NULL;
-
- if (global_port == 0) {
-#ifndef PHOTURIS_PORT
- struct servent *ser;
-
- if ((ser = getservbyname("photuris", "udp")) == (struct servent *) NULL)
- log_fatal("getservbyname(\"photuris\") in init_server()");
-
- global_port = ser->s_port;
-#else
- global_port = PHOTURIS_PORT;
-#endif
- }
-
- if ((proto = getprotobyname("udp")) == (struct protoent *) NULL)
- log_fatal("getprotobyname() in init_server()");
-
- if ((global_socket = socket(PF_INET, SOCK_DGRAM, proto->p_proto)) < 0)
- log_fatal("socket() in init_server()");
-
- setsockopt(global_socket, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof(on));
-#ifdef IPSEC
- kernel_set_socket_policy(global_socket);
-#endif
-
- /* get the local addresses */
-
- ifconf.ifc_len = sizeof(buf);
- ifconf.ifc_buf = buf;
- bzero(buf, 1024);
-
- if (ioctl(global_socket, SIOCGIFCONF, &ifconf) == -1)
- log_fatal("ioctl() in init_server()");
-
- sin.sin_port = htons(global_port);
- sin.sin_addr.s_addr = INADDR_ANY;
- sin.sin_family = AF_INET;
-
- if (bind(global_socket, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 0)
- log_fatal("bind() in init_server()");
-
- /* Save interfaces addresses here */
- addresses = NULL;
- sockets = NULL;
- i = 0;
-
-#ifdef IPSEC
- /* We also listen on pfkeyv2 for notify messages */
- newbuf = realloc(addresses, (i + 1) * sizeof(char *));
- if (newbuf == NULL) {
- if (addresses != NULL)
- free (addresses);
- log_fatal("realloc() in init_server()");
- }
- addresses = (char **) newbuf;
-
- addresses[i + 1] = (char *) NULL;
-
- newbuf = realloc(sockets, (i + 1) * sizeof(int));
- if (newbuf == NULL) {
- if (sockets != NULL)
- free (sockets);
- log_fatal("realloc() in init_server()");
- }
- sockets = (int *) newbuf;
-
- sockets[i] = kernel_get_socket();
-
- i++; /* Next interface */
-#endif
-
- for (ip = 0, d = 0; d < ifconf.ifc_len; d += IFNAMSIZ +
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(_AIX)
- buf[IFNAMSIZ + d]
-#else
- sizeof(struct sockaddr)
-#endif
- , i++, ip++) {
- sin2 = (struct sockaddr_in *) &buf[IFNAMSIZ + d];
-
- if (sin2->sin_family != AF_INET) {
- i--; ip--;
- continue;
- }
-
- newbuf = realloc(addresses, (i + 1) * sizeof(char *));
- if (newbuf == NULL) {
- if (addresses != NULL)
- free (addresses);
- log_fatal("realloc() in init_server()");
- }
- addresses = (char **) newbuf;
-
- addresses[i] = strdup(inet_ntoa(sin2->sin_addr));
- if (addresses[i] == (char *) NULL)
- log_fatal("strdup() in init_server()");
-
- newbuf = realloc(sockets, (i + 1)* sizeof(int));
- if (newbuf == NULL) {
- if (sockets != NULL)
- free (sockets);
- log_fatal("realloc() in init_server()");
- }
- sockets = (int *) newbuf;
-
- if ((sock = socket(PF_INET, SOCK_DGRAM, proto->p_proto)) < 0)
- log_fatal("socket() in init_server()");
- setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof(on));
-#ifdef IPSEC
- kernel_set_socket_policy(sock);
-#endif
- sockets[i] = sock;
-
-#ifdef DEBUG
- printf("Local interface %s, address %s.\n", buf + d,
- addresses[i]);
-#endif
-
- bzero((void *)&sin, sizeof(sin));
- sin.sin_port = htons(global_port);
- sin.sin_addr.s_addr = inet_addr(addresses[i]);
- sin.sin_family = AF_INET;
-
- if (bind(sockets[i], (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 0)
- log_fatal("bind() in init_server()");
-
- }
-
- num_ifs = i;
-
-#ifdef DEBUG
- printf("%d local interfaces supporting IP found.\n", ip);
-#endif
-
- return 1;
-}
-
-int
-server(void)
-{
- struct sockaddr_in sin;
- struct timeval timeout;
- int i, d, size;
-
- setvbuf(stdout, (char *)NULL, _IOLBF, 0);
-
- size = howmany(sockets[num_ifs-1], NFDBITS) * sizeof(fd_mask);
- normfds = (fd_set *)malloc(size);
- if (normfds == NULL)
- log_fatal("malloc(%d) for fd_set", size);
-
- readfds = (fd_set *)malloc(size);
- if (readfds == NULL)
- log_fatal("malloc(%d) for fd_set", size);
-
- memset((void *)normfds, 0, size);
-
- for (i = 0; i < num_ifs; i++)
- FD_SET(sockets[i], normfds);
-
- while (1) {
- extern volatile sig_atomic_t wantconfig;
-
- if (wantconfig) {
- reconfig(0);
- wantconfig = 0;
- }
-
- bcopy(normfds, readfds, size);
-
- /* Timeout till next job */
- timeout.tv_usec = 0;
- timeout.tv_sec = schedule_next();
-
-#ifdef DEBUG2
- printf("Sleeping for %ld seconds\n", timeout.tv_sec);
-#endif
-
- if (select(sockets[num_ifs-1]+1,
- readfds, (fd_set *) NULL, (fd_set *) NULL,
- (timeout.tv_sec == -1 ? NULL : &timeout)) < 0) {
- if (errno == EINTR)
- continue;
- else
- log_fatal("select() in server()");
- }
-
- for (i=0; i<num_ifs; i++) {
- if (FD_ISSET(sockets[i], readfds)) {
-#ifdef IPSEC
- if (i == 1) /* PF_ENCAP NOTIFIES */
- kernel_handle_notify(sockets[i]);
- else {
-#endif
- d = sizeof(struct sockaddr_in);
- if (recvfrom(sockets[i],
-#ifdef BROKEN_RECVFROM
- (char *) buffer, 1,
-#else
- (char *) NULL, 0,
-#endif
- MSG_PEEK,
- (struct sockaddr *)&sin, &d) == -1) {
- log_error("recvfrom() in server()");
- return -1;
- }
- handle_packet(sockets[i], addresses[i]);
- }
- }
- }
-
-#ifdef IPSEC
- /*
- * Deal with queue acquire and expire message, since we
- * dont have proper timeout code, it needs to go here.
- */
- kernel_handle_queue();
-#endif
-
- schedule_process(global_socket);
- fflush(stdout);
- fflush(stderr);
- }
-
- /* We will never reach this place - it's called limbo */
-
-}
diff --git a/sbin/photurisd/server.h b/sbin/photurisd/server.h
deleted file mode 100644
index cf0f3adfc4e..00000000000
--- a/sbin/photurisd/server.h
+++ /dev/null
@@ -1,52 +0,0 @@ -/* $OpenBSD: server.h,v 1.4 2002/06/09 08:13:09 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * server.h: - * handling interfaces and communication - */ - -#ifndef _SERVER_H_ -#define _SERVER_H_ - -#undef EXTERN -#ifdef _SERVER_C_ -#define EXTERN -#else -#define EXTERN extern -#endif - -EXTERN int init_server(void); -EXTERN int server(void); -EXTERN int global_port; -EXTERN int global_socket; -EXTERN fd_set *readfds, *normfds; - -#endif /* _SERVER_H */ diff --git a/sbin/photurisd/spi.c b/sbin/photurisd/spi.c deleted file mode 100644 index 4fa7bc191aa..00000000000 --- a/sbin/photurisd/spi.c +++ /dev/null 
@@ -1,379 +0,0 @@ -/* $OpenBSD: spi.c,v 1.10 2002/06/10 19:58:20 espie Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * spi.c: - * SPI handling functions - */ - -#ifndef lint -static char rcsid[] = "$OpenBSD: spi.c,v 1.10 2002/06/10 19:58:20 espie Exp $"; -#endif - -#define _SPI_C_ - -#include <sys/types.h> -#include <sys/queue.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include "config.h" -#include "photuris.h" -#include "state.h" -#include "attributes.h" -#include "buffer.h" -#include "spi.h" -#include "secrets.h" -#include "schedule.h" -#include "log.h" -#ifdef IPSEC -#include "kernel.h" -#endif - - -TAILQ_HEAD(spilist, spiob) spihead; - -void -spi_init(void) -{ - TAILQ_INIT(&spihead); -} - -time_t -getspilifetime(struct stateob *st) -{ - /* XXX - destination depend lifetimes */ - return (st->spi_lifetime); -} - -int -make_spi(struct stateob *st, char *local_address, - u_int8_t *SPI, time_t *lifetime, - u_int8_t **attributes, u_int16_t *attribsize) -{ - u_int32_t tmp = 0; - int i, flags = 0; - - if(*attributes == NULL) { /* We are in need of attributes */ - if (select_attrib(st, attributes, attribsize) == -1) { - log_print("select_attrib() in make_spi()"); - return (-1); - } - } - -#ifdef IPSEC - /* Let the kernel reserve a SPI for us */ - for (i=0; i<*attribsize; i += (*attributes)[i+1]+2) - if ((*attributes)[i] == AT_ESP_ATTRIB) - flags |= IPSEC_OPT_ENC; - else if ((*attributes)[i] == AT_AH_ATTRIB) - flags |= IPSEC_OPT_AUTH; - - tmp = kernel_reserve_spi(local_address, st->address, flags); -#else - /* Just grab a random number, this should be uniq */ - tmp = arc4random(); -#endif - for (i = SPI_SIZE - 1; i >= 0; i--) { - SPI[i] = tmp & 0xFF; - tmp = tmp >> 8; - } - - *lifetime = getspilifetime(st) + (arc4random() & 0x1F); - - return (0); -} - - -int -spi_insert(struct spiob *ob) -{ - TAILQ_INSERT_TAIL(&spihead, ob, next); - - return (1); -} - -int -spi_unlink(struct spiob *ob) -{ - LOG_DBG((LOG_SPI, 45, "%s: unlinking %s spi %x", __func__, - ob->flags 
& SPI_OWNER ? "Owner" : "User", - ntohl(*(u_int32_t *)ob->SPI))); - - TAILQ_REMOVE(&spihead, ob, next); - free(ob); - - return (1); -} - -struct spiob * -spi_new(char *address, u_int8_t *spi) -{ - struct spiob *p; - - if (spi_find(address, spi) != NULL) - return (NULL); - if ((p = calloc(1, sizeof(struct spiob))) == NULL) - return (NULL); - - if ((p->address = strdup(address)) == NULL) { - free(p); - return (NULL); - } - bcopy(spi, p->SPI, SPI_SIZE); - - return (p); -} - -int -spi_value_reset(struct spiob *ob) -{ - if (ob->address != NULL) { - free(ob->address); - ob->address = NULL; - } - if (ob->local_address != NULL) { - free(ob->local_address); - ob->local_address = NULL; - } - if (ob->attributes != NULL) { - free(ob->attributes); - ob->attributes = NULL; - } - if (ob->sessionkey != NULL) { - memset(ob->sessionkey, 0, ob->sessionkeysize); - free(ob->sessionkey); - ob->sessionkey = NULL; - } - - return (1); -} - - -struct spiob * -spi_find_attrib(char *address, u_int8_t *attrib, u_int16_t attribsize) -{ - struct spiob *tmp; - u_int16_t i; - - for (tmp = TAILQ_FIRST(&spihead); tmp; tmp = TAILQ_NEXT(tmp, next)) { - if (!strcmp(address, tmp->address)) { - for (i = 0; i < attribsize; i += attrib[i + 1] + 2) { - if (attrib[i] == AT_AH_ATTRIB || - attrib[i] == AT_ESP_ATTRIB) - continue; - if (!isinattrib(tmp->attributes, tmp->attribsize, attrib[i])) - break; - } - if (i == attribsize) - return (tmp); - } - } - - return (NULL); -} - -/* - * find the spi ob with matching address - * Alas this is tweaked, for SPI_OWNER compare with local_address - * and for user compare with address. - */ - -struct spiob * -spi_find(char *address, u_int8_t *spi) -{ - struct spiob *tmp; - - for (tmp = TAILQ_FIRST(&spihead); tmp; tmp = TAILQ_NEXT(tmp, next)) { - if (bcmp(spi, tmp->SPI, SPI_SIZE)) - continue; - - if (address == NULL) - break; - - if (tmp->flags & SPI_OWNER ? 
- !strcmp(address, tmp->local_address) : - !strcmp(address, tmp->address)) - break; - } - - return (tmp); -} - -void -spi_expire(void) -{ - struct spiob *tmp, *next; - time_t tm; - - tm = time(NULL); - for (tmp = TAILQ_FIRST(&spihead); tmp; tmp = next) { - next = TAILQ_NEXT(tmp, next); - - if (tmp->lifetime == -1 || tmp->lifetime > tm) - continue; - - LOG_DBG((LOG_SPI, 30, - "%s: expiring %s spi %x to %s", __func__, - tmp->flags & SPI_OWNER ? "Owner" : "User", - ntohl(*(u_int32_t *)tmp->SPI), tmp->address)); - -#ifdef IPSEC - kernel_unlink_spi(tmp); -#endif - spi_value_reset(tmp); - spi_unlink(tmp); - } -} - -void -spi_update_insert(struct spiob *spi) -{ - time_t tm = time(NULL); - int seconds; - - seconds = spi->lifetime - tm; - if (seconds < 0) - seconds = 0; - seconds = seconds * 9 / 10; - - schedule_insert(UPDATE, seconds, spi->SPI, SPI_SIZE); -} - -void -spi_update(int sock, u_int8_t *spinr) -{ - struct stateob *st; - struct spiob *spi, *nspi; - struct sockaddr_in sin; - - /* We are to create a new SPI */ - if ((spi = spi_find(NULL, spinr)) == NULL) { - log_print("spi_find() in schedule_process()"); - return; - } - - if (!(spi->flags & SPI_OWNER)) - return; - - if (spi->flags & SPI_UPDATED) { - LOG_DBG((LOG_SPI, 55, "%s: SPI %x already updated", __func__, - ntohl(*(u_int32_t *)spinr))); - return; - } - - LOG_DBG((LOG_SPI, 45, "%s: updating SPI %x", __func__, - ntohl(*(u_int32_t *)spinr))); - - - if ((st = state_find_cookies(spi->address, spi->icookie, NULL)) == NULL) { - /* - * This happens always when an exchange expires but - * updates are still scheduled for it. 
- */ - LOG_DBG((LOG_SPI, 65, "%s: state_find_cookies()", __func__)); - return; - } - - if (st->oSPIattrib != NULL) - free(st->oSPIattrib); - if ((st->oSPIattrib = calloc(spi->attribsize, sizeof(u_int8_t))) == NULL) { - log_error("calloc() in schedule_process()"); - return; - } - st->oSPIattribsize = spi->attribsize; - bcopy(spi->attributes, st->oSPIattrib, st->oSPIattribsize); - - /* We can keep our old attributes, this is only an update */ - if (make_spi(st, spi->local_address, st->oSPI, &(st->olifetime), - &(st->oSPIattrib), &(st->oSPIattribsize)) == -1) { - log_print("%s: make_spi()", __func__); - return; - } - - packet_size = PACKET_BUFFER_SIZE; - if (photuris_spi_update(st, packet_buffer, &packet_size) == -1) { - log_print("%s: photuris_spi_update()", __func__); - return; - } - - /* Send the packet */ - sin.sin_port = htons(st->port); - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = inet_addr(st->address); - - if (sendto(sock, packet_buffer, packet_size, 0, - (struct sockaddr *) &sin, sizeof(sin)) != packet_size) { - log_error("sendto() in schedule_process()"); - return; - } - -#ifdef DEBUG - printf("Sending SPI UPDATE to %s.\n", st->address); -#endif - /* Insert Owner SPI */ - if ((nspi = spi_new(st->address, st->oSPI)) == NULL) { - log_error("spi_new() in handle_spi_needed()"); - return; - } - if ((nspi->local_address = strdup(spi->local_address)) == NULL) { - log_error("strdup() in handle_spi_needed()"); - spi_value_reset(nspi); - return; - } - bcopy(st->icookie, nspi->icookie, COOKIE_SIZE); - nspi->flags |= SPI_OWNER; - nspi->attribsize = st->oSPIattribsize; - nspi->attributes = calloc(nspi->attribsize, sizeof(u_int8_t)); - if (nspi->attributes == NULL) { - log_error("calloc() in handle_spi_needed()"); - spi_value_reset(nspi); - return; - } - bcopy(st->oSPIattrib, nspi->attributes, nspi->attribsize); - nspi->lifetime = time(NULL) + st->olifetime; - - make_session_keys(st, nspi); - - spi_insert(nspi); - spi_update_insert(nspi); - -#ifdef IPSEC - 
kernel_insert_spi(st, nspi); -#endif - - /* Our old SPI has been updated, dont update it again */ - spi->flags |= SPI_UPDATED; -} diff --git a/sbin/photurisd/spi.h b/sbin/photurisd/spi.h deleted file mode 100644 index 8a1fffca164..00000000000 --- a/sbin/photurisd/spi.h +++ /dev/null 
@@ -1,88 +0,0 @@ -/* $OpenBSD: spi.h,v 1.8 2002/06/09 08:13:09 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* - * spi.h: - * security paramter index creation. 
- */ - -#ifndef _SPI_H_ -#define _SPI_H_ -#include <sys/queue.h> -#include "state.h" - -#undef EXTERN - -#ifdef _SPI_C_ -#define EXTERN -#else -#define EXTERN extern -#endif - -#define SPI_LIFETIME 1800 /* 30 minutes default lifetime */ - -#define SPI_OWNER 0x0001 -#define SPI_NOTIFY 0x0002 -#define SPI_UPDATED 0x0004 -#define SPI_ESP 0x0008 /* Is used for ESP */ - -struct spiob { - TAILQ_ENTRY(spiob) next; /* Linked list */ - - char *address; - char *local_address; - int flags; - u_int8_t SPI[SPI_SIZE]; /* SPI */ - u_int8_t icookie[COOKIE_SIZE]; /* Initator cookie */ - u_int8_t *attributes; /* SPI attributes */ - u_int16_t attribsize; - u_int8_t *sessionkey; /* to be delete after use */ - u_int16_t sessionkeysize; - time_t lifetime; /* Lifetime for the SPI */ -}; - -EXTERN void spi_init(void); -EXTERN time_t getspilifetime(struct stateob *st); -EXTERN int make_spi(struct stateob *st, char *local_address, - u_int8_t *SPI, time_t *lifetime, - u_int8_t **attributes, u_int16_t *attribsize); - -EXTERN int spi_insert(struct spiob *); -EXTERN int spi_unlink(struct spiob *); -EXTERN struct spiob *spi_new(char *, u_int8_t *); -EXTERN int spi_value_reset(struct spiob *); -EXTERN struct spiob *spi_find_attrib(char *address, - u_int8_t *attrib, u_int16_t attribsize); -EXTERN struct spiob *spi_find(char *, u_int8_t *); -EXTERN void spi_expire(void); -EXTERN void spi_update(int, u_int8_t *); -EXTERN void spi_update_insert(struct spiob *); - -#endif /* _SPI_H */ diff --git a/sbin/photurisd/state.c b/sbin/photurisd/state.c deleted file mode 100644 index 5dbcd7b9159..00000000000 --- a/sbin/photurisd/state.c +++ /dev/null 
@@ -1,290 +0,0 @@ -/* $OpenBSD: state.c,v 1.10 2002/06/10 19:58:20 espie Exp $ */ - -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * state.c: - * functions for handling states - */ - -#include <sys/types.h> -#include <sys/queue.h> - -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <sys/time.h> - -#define _STATE_C_ - -#include "photuris.h" -#include "state.h" -#include "schedule.h" -#include "log.h" - -TAILQ_HEAD(statelist, stateob) statehead; - -void -state_init(void) -{ - TAILQ_INIT(&statehead); -} - -int -state_insert(struct stateob *ob) -{ - TAILQ_INSERT_TAIL(&statehead, ob, next); - - return (1); -} - -int -state_unlink(struct stateob *ob) -{ - TAILQ_REMOVE(&statehead, ob, next); - - return (1); -} - -int -state_save_verification(struct stateob *st, u_int8_t *buf, u_int16_t len) -{ - if (st->verification == NULL || len > st->versize) { - if (st->verification != NULL) - free(st->verification); - - st->verification = calloc(len, sizeof(u_int8_t)); - if (st->verification == NULL) { - log_error("%s: calloc()", __func__); - return (-1); - } - } - - bcopy(buf, st->verification, len); - st->versize = len; - - return (0); -} - - -/* - * Copies configuration flags from one state to the other - */ - -void -state_copy_flags(struct stateob *src, struct stateob *dst) -{ - dst->initiator = src->initiator; - - if (src->user != NULL) - dst->user = strdup(src->user); - - dst->flags = src->flags; - - strncpy(dst->address, src->address, sizeof(src->address)-1); - dst->address[sizeof(dst->address)-1] = 0; - - dst->lifetime = src->lifetime; - dst->exchange_lifetime = src->exchange_lifetime; - dst->spi_lifetime = src->spi_lifetime; -} - -struct stateob * -state_new(void) -{ - struct stateob *p; - - if((p = calloc(1, sizeof(struct stateob)))==NULL) { - log_error("%s: calloc", __func__); - return (NULL); - } - - p->modulus = BN_new(); - p->generator = BN_new(); - - p->exchange_lifetime = exchange_lifetime; - p->spi_lifetime = spi_lifetime; - - return (p); -} - -int -state_value_reset(struct stateob *ob) -{ - BN_clear_free(ob->modulus); - BN_clear_free(ob->generator); - - if 
(ob->texchange != NULL) - free(ob->texchange); - if (ob->exchangevalue != NULL) - free(ob->exchangevalue); - - if (ob->verification != NULL) - free(ob->verification); - if (ob->roschemes != NULL) - free(ob->roschemes); - if (ob->scheme != NULL) - free(ob->scheme); - if (ob->shared != NULL) - free(ob->shared); - - if (ob->user != NULL) - free(ob->user); - - if (ob->oSPIident != NULL) - free(ob->oSPIident); - if (ob->oSPIattrib != NULL) - free(ob->oSPIattrib); - if (ob->oSPIoattrib != NULL) - free(ob->oSPIoattrib); - if (ob->oSPIsecret != NULL) - free(ob->oSPIsecret); - if (ob->oSPIidentver != NULL) - free(ob->oSPIidentver); - if (ob->oSPIidentchoice != NULL) - free(ob->oSPIidentchoice); - if (ob->oSPIprivacyctx != NULL) - free(ob->oSPIprivacyctx); - - if (ob->uSPIident != NULL) - free(ob->uSPIident); - if (ob->uSPIattrib != NULL) - free(ob->uSPIattrib); - if (ob->uSPIoattrib != NULL) - free(ob->uSPIoattrib); - if (ob->uSPIsecret != NULL) - free(ob->uSPIsecret); - if (ob->uSPIidentver != NULL) - free(ob->uSPIidentver); - if (ob->uSPIidentchoice != NULL) - free(ob->uSPIidentchoice); - if (ob->uSPIprivacyctx != NULL) - free(ob->uSPIprivacyctx); - - if (ob->packet != NULL) - free(ob->packet); - - return (1); -} - -/* - * find the state ob with matching address - */ - -struct stateob * -state_find(char *address) -{ - struct stateob *tmp; - - for (tmp = TAILQ_FIRST(&statehead); tmp; tmp = TAILQ_NEXT(tmp, next)) { - if (address == NULL || !strcmp(address, tmp->address)) - break; - } - - return (tmp); -} - -struct stateob * -state_find_next(struct stateob *prev, char *address) -{ - struct stateob *tmp; - - for (tmp = TAILQ_NEXT(prev, next); tmp; tmp = TAILQ_NEXT(tmp, next)) { - if (address == NULL || !strcmp(address, tmp->address)) - break; - } - - return (tmp); -} - -struct stateob * -state_find_icookie(u_int8_t *cookie) -{ - struct stateob *tmp; - - for (tmp = TAILQ_FIRST(&statehead); tmp; tmp = TAILQ_NEXT(tmp, next)) { - if (!bcmp(tmp->icookie, cookie, COOKIE_SIZE)) - 
break; - } - - return (tmp); -} - -struct stateob * -state_find_cookies(char *address, u_int8_t *icookie, u_int8_t *rcookie) -{ - struct stateob *tmp; - - - for (tmp = state_find(address); tmp; - tmp = state_find_next(tmp, address)) { - if (!bcmp(tmp->icookie, icookie, COOKIE_SIZE) && - (rcookie == NULL || !bcmp(tmp->rcookie, rcookie, COOKIE_SIZE))) - break; - } - - return (tmp); -} - -void -state_cleanup(void) -{ - struct stateob *p; - - while ((p = TAILQ_FIRST(&statehead))) { - TAILQ_REMOVE(&statehead, p, next); - - state_value_reset(p); - free(p); - } -} - -void -state_expire(void) -{ - struct stateob *tmp, *next; - time_t tm; - - tm = time(NULL); - for (tmp = TAILQ_FIRST(&statehead); tmp; tmp = next) { - next = TAILQ_NEXT(tmp, next); - - if ((tmp->retries < max_retries || tmp->resource) && - (tmp->lifetime == -1 || tmp->lifetime > tm)) - continue; - - LOG_DBG((LOG_MISC, 35, - "%s: Expiring state to %s in phase %d", - __func__, tmp->address, tmp->phase)); - - state_value_reset(tmp); - state_unlink(tmp); - } -} diff --git a/sbin/photurisd/state.h b/sbin/photurisd/state.h deleted file mode 100644 index 962cd002759..00000000000 --- a/sbin/photurisd/state.h +++ /dev/null 
@@ -1,159 +0,0 @@ -/* $OpenBSD: state.h,v 1.8 2002/06/09 08:13:09 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * state.h: - * state object - */ - -#ifndef _STATE_H_ -#define _STATE_H_ - -#include <sys/queue.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <ssl/bn.h> -#include <time.h> -#include "userdefs.h" -#ifdef NEED_UTYPES -#include "utypes.h" -#endif - -#include "packets.h" - -/* Possible values of flags */ -#define IPSEC_OPT_ENC 0x0001 /* Negotiate encryption */ -#define IPSEC_OPT_AUTH 0x0002 /* Negotiate authentication */ -#define IPSEC_OPT_REPLAY 0x0100 /* Encryption with replay protection */ -#define IPSEC_OPT_ENC_AUTH 0x0200 /* Encryption with authentication */ -#define IPSEC_OPT_XOR 0x0400 /* Encryption with XOR */ -#define IPSEC_OPT_COMPRESS 0x0800 /* Encryption with COMPRESS */ -#define IPSEC_NOTIFY 0x1000 /* State created by kernel notify */ - -struct stateob { - TAILQ_ENTRY(stateob) next; /* Linked list */ - - int initiator; /* Boolean */ - int phase; /* Actual phase in the exchange */ - - char *user; /* User name for which do the exchange */ - int flags; /* Possible flags for this exchange */ - - char address[16]; /* Remote address */ - u_int16_t port; /* Remote port for Photuris daemon */ - u_int16_t sport, dport; /* Only used by notify at the moment */ - u_int8_t protocol; /* to pass back to the kernel */ - - u_int8_t icookie[COOKIE_SIZE]; /* Initator cookie */ - u_int8_t rcookie[COOKIE_SIZE]; /* Responder cookie */ - u_int8_t counter; /* Connection counter */ - u_int8_t resource; /* Received a resource limit */ - - u_int8_t *verification; /* Verification field of last touched message */ - u_int16_t versize; - - u_int8_t *scheme; /* Selected exchange scheme, holds gen. */ - u_int16_t schemesize; /* Size including value ... 
*/ - - u_int8_t *roschemes; /* Responder offered schemes */ - u_int16_t roschemesize; /* Responder offered schemes size */ - - u_int8_t oSPI[SPI_SIZE]; /* Owner SPI */ - u_int8_t oSPITBV[3]; /* Three Byte Value */ - u_int8_t *oSPIident; /* Owner SPI identification */ - u_int8_t *oSPIattrib; /* Owner SPI attributes */ - u_int16_t oSPIattribsize; - u_int8_t *oSPIoattrib; /* Owner SPI offered attributes */ - u_int16_t oSPIoattribsize; - u_int8_t *oSPIsecret; /* Owner SPI secret keys */ - u_int16_t oSPIsecretsize; - u_int8_t *oSPIidentver; /* Owner SPI Identity Verification */ - u_int16_t oSPIidentversize; - u_int8_t *oSPIidentchoice; /* Owner SPI Identity Choice */ - u_int16_t oSPIidentchoicesize; - void *oSPIprivacyctx; - time_t olifetime; /* Owner SPI lifetime */ - - u_int8_t uSPI[SPI_SIZE]; /* User SPI */ - u_int8_t uSPITBV[3]; /* Three Byte Value */ - u_int8_t *uSPIident; /* User SPI identification */ - u_int8_t *uSPIattrib; /* User SPI attributes */ - u_int16_t uSPIattribsize; - u_int8_t *uSPIoattrib; /* User SPI offered attributes */ - u_int16_t uSPIoattribsize; - u_int8_t *uSPIsecret; /* User SPI secret keys */ - u_int16_t uSPIsecretsize; - u_int8_t *uSPIidentver; /* User SPI Identity Verification */ - u_int16_t uSPIidentversize; - u_int8_t *uSPIidentchoice; /* User SPI Identity Choice */ - u_int16_t uSPIidentchoicesize; - void *uSPIprivacyctx; - time_t ulifetime; /* User SPI lifetime */ - - BIGNUM *modulus; /* Modulus for look up in cache */ - BIGNUM *generator; /* Generator for look up in cache */ - u_int8_t *texchange; /* Their exchange value */ - size_t texchangesize; - u_int8_t *exchangevalue; /* Our exchange value */ - size_t exchangesize; - u_int8_t *shared; /* Shared secret */ - size_t sharedsize; - - int retries; /* Number of retransmits */ - u_int8_t *packet; /* Buffer for retransmits */ - size_t packetlen; - u_int8_t packetsig[16]; /* MD5 hash of an old packet */ - - time_t lifetime; /* Lifetime for the exchange */ - time_t exchange_lifetime; /* Use 
this as default */ - time_t spi_lifetime; /* Use this as default */ -}; - -/* Prototypes */ -void state_init(void); - -int state_insert(struct stateob *); -int state_unlink(struct stateob *); -struct stateob *state_new(void); -int state_value_reset(struct stateob *); -struct stateob *state_root(void); -struct stateob *state_find(char *); -struct stateob *state_find_next(struct stateob *, char *); -struct stateob *state_find_icookie(u_int8_t *); -struct stateob *state_find_cookies(char *, u_int8_t *, u_int8_t *); -int state_save_verification(struct stateob *st, u_int8_t *buf, u_int16_t len); -void state_copy_flags(struct stateob *src, struct stateob *dst); -void state_cleanup(void); -void state_expire(void); - -#define EXCHANGE_TIMEOUT 60 -#define EXCHANGE_LIFETIME 1800 - -#endif diff --git a/sbin/photurisd/userdefs.h b/sbin/photurisd/userdefs.h deleted file mode 100644 index c69bbd5eefd..00000000000 --- a/sbin/photurisd/userdefs.h +++ /dev/null 
@@ -1,64 +0,0 @@ -/* $OpenBSD: userdefs.h,v 1.5 2002/06/09 08:13:09 todd Exp $ */ -/* - * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Niels Provos. - * 4. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ -/* - * userdefs.h: - * handling userdefs - */ - -#ifndef _USERDEFS_H_ -#define _USERDEFS_H_ - -/* #define MACHINE_ENDIAN */ - -/* #define ENDIAN */ - -/* #define LITTLE_ENDIAN */ - -/* #define SYS_MACHINE */ - -/* #define NEED_UTYPES */ - -/* #define NEED_IN_ADDR */ - -/* #define NEED_STRSEP */ - -/* #define IPSEC */ - -#ifdef _AIX -#define NEED_UTYPES -#define SYS_MACHINE -#define SYS_LTYPES -#define NEED_STRSEP -#define NEED_SNPRINTF -#endif - -#endif /* _USERDEFS_H_ */ - diff --git a/sbin/photurisd/utypes.h b/sbin/photurisd/utypes.h deleted file mode 100644 index 68386c11cee..00000000000 --- a/sbin/photurisd/utypes.h +++ /dev/null 
@@ -1,53 +0,0 @@
-/* $OpenBSD: utypes.h,v 1.3 2001/01/28 22:45:18 niklas Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef _UTYPES_H_
-#define _UTYPES_H_
-
-#ifdef SYS_LTYPES
-#include <sys/ltypes.h>
-#endif
-#ifdef SYS_MACHINE
-#include <sys/machine.h>
-#endif
-
-#ifdef _AIX
-typedef uint32 u_int32_t;
-typedef uchar u_int8_t;
-typedef ushort u_int16_t;
-#else
-typedef unsigned long u_int32_t;
-typedef unsigned char u_int8_t;
-typedef unsigned short u_int16_t;
-#endif
-
-#endif /* _UTYPES_H_ */
-
diff --git a/sbin/photurisd/validity.c b/sbin/photurisd/validity.c
deleted file mode 100644
index c5b182f180d..00000000000
--- a/sbin/photurisd/validity.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/* $OpenBSD: validity.c,v 1.5 2002/06/09 08:13:09 todd Exp $ */
-
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * validity.c:
- * validity verification
- */
-
-#ifndef lint
-static char rcsid[] = "$OpenBSD: validity.c,v 1.5 2002/06/09 08:13:09 todd Exp $";
-#endif
-
-#define _VALIDITY_C_
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <md5.h>
-#include <sha1.h>
-#include "config.h"
-#include "scheme.h"
-#include "exchange.h"
-#include "log.h"
-#include "state.h"
-#include "attributes.h"
-#include "validity.h"
-#include "identity.h"
-#include "buffer.h"
-
-int valsign(struct stateob *st, struct idxform *hash, u_int8_t *signature,
- u_int8_t *packet, u_int16_t psize);
-int valverify(struct stateob *st, struct idxform *hash, u_int8_t *signature,
- u_int8_t *packet, u_int16_t psize);
-
-u_int16_t
-get_validity_verification_size(struct stateob *st)
-{
- switch(ntohs(*((u_int16_t *)st->scheme))) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_5_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_5_DES_MD5:
- return (128/8)+2; /* Two octets for varpre size */
- case DH_G_2_3DES_SHA1:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- return (160/8)+2;
- default:
- log_print("validitiy.c: Unknown exchange scheme: %d\n",
- *((u_int16_t *)st->scheme));
- return 0;
- }
-}
-
-int
-create_validity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size)
-{
- struct idxform *hash;
-
- switch(ntohs(*((u_int16_t *)st->scheme))) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_5_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_5_DES_MD5:
- hash = get_hash(HASH_MD5);
- break;
- case DH_G_2_3DES_SHA1:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- hash = get_hash(HASH_SHA1);
- break;
- default:
- log_print("validity.c: Unknown exchange scheme: %d\n",
- *((u_int16_t *)st->scheme));
- return 0;
- }
-
- if(valsign(st, hash, buffer+2, packet, size)) {
- /* Create varpre number from digest */
- buffer[0] = (hash->hashsize >> 5) & 0xFF;
- buffer[1] = (hash->hashsize << 3) & 0xFF;
- }
-
- state_save_verification(st, buffer, hash->hashsize+2);
-
- return hash->hashsize+2;
-}
-
-int
-verify_validity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size)
-{
- struct idxform *hash;
-
- switch(ntohs(*((u_int16_t *)st->scheme))) {
- case DH_G_2_MD5:
- case DH_G_3_MD5:
- case DH_G_5_MD5:
- case DH_G_2_DES_MD5:
- case DH_G_3_DES_MD5:
- case DH_G_5_DES_MD5:
- if (varpre2octets(buffer) != 18)
- return 0;
- hash = get_hash(HASH_MD5);
- break;
- case DH_G_2_3DES_SHA1:
- case DH_G_3_3DES_SHA1:
- case DH_G_5_3DES_SHA1:
- if (varpre2octets(buffer) != 22)
- return 0;
- hash = get_hash(HASH_SHA1);
- break;
- default:
- log_print("validity.c: Unknown exchange scheme: %d\n",
- *((u_int16_t *)st->scheme));
- return 0;
- }
-
- state_save_verification(st, buffer, hash->hashsize+2);
-
- return valverify(st, hash, buffer+2, packet, size);
-}
-
-
-int
-valsign(struct stateob *st, struct idxform *hash, u_int8_t *signature,
- u_int8_t *packet, u_int16_t psize)
-{
- u_int8_t key[HASH_MAX];
- u_int16_t keylen = HASH_MAX;
-
- create_verification_key(st, key, &keylen, 1); /* Owner direction */
-
- hash->Init(hash->ctx);
-
- hash->Update(hash->ctx, key, keylen);
-
- hash->Update(hash->ctx, st->icookie, COOKIE_SIZE);
- hash->Update(hash->ctx, st->rcookie, COOKIE_SIZE);
-
- packet += 2*COOKIE_SIZE; psize -= 2*COOKIE_SIZE;
- hash->Update(hash->ctx, packet, 4 + SPI_SIZE);
-
- hash->Update(hash->ctx, st->oSPIidentver, st->oSPIidentversize);
- hash->Update(hash->ctx, st->uSPIidentver, st->uSPIidentversize);
-
- packet += 4 + SPI_SIZE + hash->hashsize + 2;
- psize -= 4 + SPI_SIZE + hash->hashsize + 2;
- hash->Update(hash->ctx, packet, psize);
-
- /* Data fill */
- hash->Final(NULL, hash->ctx);
-
- hash->Update(hash->ctx, key, keylen);
- hash->Final(signature, hash->ctx);
-
- return hash->hashsize;
-}
-
-/* We assume that the verification field is zeroed */
-
-int
-valverify(struct stateob *st, struct idxform *hash, u_int8_t *signature,
- u_int8_t *packet, u_int16_t psize)
-{
- u_int8_t digest[HASH_MAX];
- u_int8_t key[HASH_MAX];
- u_int16_t keylen = HASH_MAX;
-
- create_verification_key(st, key, &keylen, 0); /* User direction */
-
- hash->Init(hash->ctx);
-
- hash->Update(hash->ctx, key, keylen);
-
- hash->Update(hash->ctx, st->icookie, COOKIE_SIZE);
- hash->Update(hash->ctx, st->rcookie, COOKIE_SIZE);
-
- packet += 2*COOKIE_SIZE; psize -= 2*COOKIE_SIZE;
- hash->Update(hash->ctx, packet, 4 + SPI_SIZE);
-
- hash->Update(hash->ctx, st->uSPIidentver, st->uSPIidentversize);
- hash->Update(hash->ctx, st->oSPIidentver, st->oSPIidentversize);
-
- packet += 4 + SPI_SIZE + hash->hashsize + 2;
- psize -= 4 + SPI_SIZE + hash->hashsize + 2;
- hash->Update(hash->ctx, packet, psize);
-
- /* Data fill */
- hash->Final(NULL, hash->ctx);
-
- hash->Update(hash->ctx, key, keylen);
- hash->Final(digest, hash->ctx);
-
- return !bcmp(digest,signature,hash->hashsize);
-}
diff --git a/sbin/photurisd/validity.h b/sbin/photurisd/validity.h
deleted file mode 100644
index 69407bc06af..00000000000
--- a/sbin/photurisd/validity.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $OpenBSD */
-/*
- * Copyright 1997-2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Niels Provos.
- * 4. The name of the author may not be used to endorse or promote products
- * derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * validity.h:
- * validity for a security association
- */
-
-#ifndef _VALIDITY_H_
-#define _VALIDITY_H_
-#include "state.h"
-
-#undef EXTERN
-
-#ifdef _VALIDITY_C_
-#define EXTERN
-#else
-#define EXTERN extern
-#endif
-
-#ifndef MD5_SIZE
-#define MD5_SIZE 16
-#endif
-#ifndef SHA1_SIZE
-#define SHA1_SIZE 20
-#endif
-
-EXTERN u_int16_t get_validity_verification_size(struct stateob *st);
-EXTERN int create_validity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size);
-EXTERN int verify_validity_verification(struct stateob *st, u_int8_t *buffer,
- u_int8_t *packet, u_int16_t size);
-
-#endif |