-rw-r--r-- | sbin/isakmpd/cert.c | 8 | ||||
-rw-r--r-- | sbin/isakmpd/ike_auth.c | 24 | ||||
-rw-r--r-- | sbin/isakmpd/ike_phase_1.c | 16 | ||||
-rw-r--r-- | sbin/isakmpd/init.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/ipsec.c | 33 | ||||
-rw-r--r-- | sbin/isakmpd/isakmpd.c | 10 | ||||
-rw-r--r-- | sbin/isakmpd/math_group.c | 20 |
7 files changed, 70 insertions, 51 deletions
diff --git a/sbin/isakmpd/cert.c b/sbin/isakmpd/cert.c index 4f0c5b041a4..e1bd5092d32 100644 --- a/sbin/isakmpd/cert.c +++ b/sbin/isakmpd/cert.c @@ -1,9 +1,9 @@ -/* $OpenBSD: cert.c,v 1.11 1999/08/26 22:30:46 niklas Exp $ */ -/* $EOM: cert.c,v 1.12 1999/08/12 22:34:26 niklas Exp $ */ +/* $OpenBSD: cert.c,v 1.12 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: cert.c,v 1.14 2000/02/19 07:58:54 niklas Exp $ */ /* * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -50,7 +50,7 @@ #include "x509.h" struct cert_handler cert_handler[] = { -#if defined (USE_LIBCRYPTO) || defined (USE_DLOPEN) +#ifdef USE_X509 { ISAKMP_CERTENC_X509_SIG, x509_cert_init, x509_cert_get, x509_cert_validate, diff --git a/sbin/isakmpd/ike_auth.c b/sbin/isakmpd/ike_auth.c index 14d492adf10..c7c82e89ad2 100644 --- a/sbin/isakmpd/ike_auth.c +++ b/sbin/isakmpd/ike_auth.c @@ -1,8 +1,8 @@ -/* $OpenBSD: ike_auth.c,v 1.20 2000/02/01 02:46:18 niklas Exp $ */ -/* $EOM: ike_auth.c,v 1.41 2000/01/31 22:33:45 niklas Exp $ */ +/* $OpenBSD: ike_auth.c,v 1.21 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: ike_auth.c,v 1.43 2000/02/19 07:58:54 niklas Exp $ */ /* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. * Copyright (c) 1999 Niels Provos. All rights reserved. * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. * @@ -70,7 +70,7 @@ static int rsa_sig_decode_hash (struct message *); static int pre_shared_encode_hash (struct message *); static int rsa_sig_encode_hash (struct message *); -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 static int ike_auth_hash (struct exchange *, u_int8_t *); #endif 
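Review bot: With USE_X509 undefined, the only initializer visible for `cert_handler[]` drops out; if no further entry follows the hunk, the table becomes `{ }`, which ISO C does not allow (GCC accepts a zero-length array only as an extension) and any `sizeof cert_handler / sizeof cert_handler[0]` walk silently finds nothing. Either keep one unconditional entry in the table or document the contract above it, e.g. `/* May be empty when built without USE_X509; callers must handle "no handler" for every encoding. */`. The rest of the table and its consumers are outside this hunk, so this is inferred from the visible entry only.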
@@ -116,7 +116,7 @@ static void * ike_auth_get_key (int type, char *id, size_t *keylen) { char *key, *buf; -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 char *keyfile; BIO *keyh; RSA *rsakey; @@ -156,7 +156,7 @@ ike_auth_get_key (int type, char *id, size_t *keylen) break; case IKE_AUTH_RSA_SIG: -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 #ifdef HAVE_DLOPEN if (!libcrypto) return 0; @@ -418,7 +418,7 @@ pre_shared_decode_hash (struct message *msg) static int rsa_sig_decode_hash (struct message *msg) { -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 struct cert_handler *handler; struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; @@ -623,13 +623,13 @@ rsa_sig_decode_hash (struct message *msg) return 0; #else return -1; -#endif /* USE_LIBCRYPTO || HAVE_DLOPEN */ +#endif /* USE_X509 */ } static int pre_shared_encode_hash (struct message *msg) { -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; size_t hashsize = ie->hash->hashsize; @@ -657,7 +657,7 @@ pre_shared_encode_hash (struct message *msg) static int rsa_sig_encode_hash (struct message *msg) { -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 struct exchange *exchange = msg->exchange; struct ipsec_exch *ie = exchange->data; size_t hashsize = ie->hash->hashsize; @@ -774,10 +774,10 @@ rsa_sig_encode_hash (struct message *msg) return 0; #else return -1; -#endif /* USE_LIBCRYPTO || HAVE_DLOPEN */ +#endif /* USE_X509 */ } -#if defined (USE_LIBCRYPTO) || defined (HAVE_DLOPEN) +#ifdef USE_X509 int ike_auth_hash (struct exchange *exchange, u_int8_t *buf) { diff --git a/sbin/isakmpd/ike_phase_1.c b/sbin/isakmpd/ike_phase_1.c index 04018f331a6..7e137ca9933 100644 --- a/sbin/isakmpd/ike_phase_1.c +++ b/sbin/isakmpd/ike_phase_1.c 
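Review bot: `pre_shared_encode_hash` is now compiled only under `#ifdef USE_X509`, which couples pre-shared-key authentication to certificate support although PSK needs no X.509 code; if the function's `#else` branch (past the end of the hunk) returns -1 the way `rsa_sig_decode_hash`'s does, a build without X.509 loses PSK authentication as well. The real dependency appears to be the shared `ike_auth_hash` helper, which the same commit also gates on USE_X509, so a separately named macro for that helper (or building it unconditionally) would express the intent better than reusing the certificate switch. At minimum a comment on the `#ifdef` should record the coupling, e.g. `/* XXX ike_auth_hash is only built with USE_X509, so PSK depends on it too.  */`. The function body continues outside the hunk.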
@@ -1,8 +1,8 @@ -/* $OpenBSD: ike_phase_1.c,v 1.13 2000/02/11 10:22:25 niklas Exp $ */ -/* $EOM: ike_phase_1.c,v 1.19 2000/02/07 02:08:13 ho Exp $ */ +/* $OpenBSD: ike_phase_1.c,v 1.14 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: ike_phase_1.c,v 1.21 2000/02/19 07:58:55 niklas Exp $ */ /* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -234,6 +234,16 @@ ike_phase_1_initiator_send_SA (struct message *msg) goto bail_out; } } + + /* We need to check that we actually support our configuration. */ + if (attribute_map (transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + transform_len[i] - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + exchange->doi->is_attribute_incompatible, msg)) + { + log_error ("ike_phase_1_initiator_send_SA: " + "section [%s] has unsupported attribute(s)"); + goto bail_out; + } } /* XXX I don't like exchange-specific stuff in here. */ diff --git a/sbin/isakmpd/init.c b/sbin/isakmpd/init.c index 2deeba43d36..1697b73d3e4 100644 --- a/sbin/isakmpd/init.c +++ b/sbin/isakmpd/init.c @@ -1,8 +1,8 @@ -/* $OpenBSD: init.c,v 1.13 2000/02/01 02:46:18 niklas Exp $ */ -/* $EOM: init.c,v 1.22 2000/01/31 22:33:46 niklas Exp $ */ +/* $OpenBSD: init.c,v 1.14 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: init.c,v 1.24 2000/02/19 07:58:55 niklas Exp $ */ /* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -57,7 +57,7 @@ #include "udp.h" #include "ui.h" -#if defined (USE_KEYNOTE) || defined (HAVE_DLOPEN) +#ifdef USE_POLICY #include "policy.h" #endif 
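Review bot: The new `log_error` call in ike_phase_1_initiator_send_SA uses a format with `%s` but supplies no matching argument, so the "section name" is read from whatever the varargs slot happens to hold — undefined behavior that prints stack garbage or crashes precisely when an operator has a misconfigured transform. Pass the name of the transform section the loop is iterating as the extra argument (that variable is not visible in this hunk), e.g. `log_error ("ike_phase_1_initiator_send_SA: section [%s] has unsupported attribute(s)", <section-name>);`. If `log_error` appends strerror(errno) like the other isakmpd log helpers appear to, `log_print` is the better fit here since no system call failed. The enclosing function starts and ends outside the hunk.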
@@ -81,7 +81,7 @@ init () connection_init (); cookie_init (); -#if defined (USE_KEYNOTE) || defined (HAVE_DLOPEN) +#ifdef USE_POLICY /* policy_init depends on conf_init having run. */ policy_init (); #endif diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c index 36f4996ec25..e1700211c97 100644 --- a/sbin/isakmpd/ipsec.c +++ b/sbin/isakmpd/ipsec.c @@ -1,8 +1,8 @@ -/* $OpenBSD: ipsec.c,v 1.23 2000/01/26 15:23:32 niklas Exp $ */ -/* $EOM: ipsec.c,v 1.115 1999/12/20 10:12:17 ho Exp $ */ +/* $OpenBSD: ipsec.c,v 1.24 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: ipsec.c,v 1.117 2000/02/19 07:58:55 niklas Exp $ */ /* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -683,25 +683,23 @@ ipsec_initiator (struct message *msg) switch (exchange->type) { - case ISAKMP_EXCH_BASE: - break; case ISAKMP_EXCH_ID_PROT: script = ike_main_mode_initiator; break; - case ISAKMP_EXCH_AUTH_ONLY: - log_print ("ipsec_initiator: unuspported exchange type %d", - exchange->type); - return -1; +#ifdef USE_AGGRESSIVE case ISAKMP_EXCH_AGGRESSIVE: script = ike_aggressive_initiator; break; +#endif case ISAKMP_EXCH_INFO: return message_send_info (msg); case IKE_EXCH_QUICK_MODE: script = ike_quick_mode_initiator; break; - case IKE_EXCH_NEW_GROUP_MODE: - break; + default: + log_print ("ipsec_initiator: unuspported exchange type %d", + exchange->type); + return -1; } /* Run the script code for this step. */ 
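Review bot: The new `default:` branch in ipsec_initiator carries the typo `unuspported` into the added log line; it should read `log_print ("ipsec_initiator: unsupported exchange type %d", exchange->type);`. This string is what an operator will grep for when a configuration names an exchange the build does not provide (for instance aggressive mode without USE_AGGRESSIVE), so spelling it correctly matters more than usual. The enclosing function continues outside the hunk.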
@@ -734,18 +732,15 @@ ipsec_responder (struct message *msg) exchange->type, exchange->step); switch (exchange->type) { - case ISAKMP_EXCH_BASE: - case ISAKMP_EXCH_AUTH_ONLY: - message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); - return -1; - case ISAKMP_EXCH_ID_PROT: script = ike_main_mode_responder; break; +#ifdef USE_AGGRESSIVE case ISAKMP_EXCH_AGGRESSIVE: script = ike_aggressive_responder; break; +#endif case ISAKMP_EXCH_INFO: for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p; @@ -769,9 +764,9 @@ ipsec_responder (struct message *msg) script = ike_quick_mode_responder; break; - case IKE_EXCH_NEW_GROUP_MODE: - /* XXX Not implemented yet. */ - break; + default: + message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + return -1; } /* Run the script code for this step. */ diff --git a/sbin/isakmpd/isakmpd.c b/sbin/isakmpd/isakmpd.c index 1cac9249bb1..3466c2601ae 100644 --- a/sbin/isakmpd/isakmpd.c +++ b/sbin/isakmpd/isakmpd.c @@ -1,8 +1,8 @@ -/* $OpenBSD: isakmpd.c,v 1.18 2000/02/01 02:46:18 niklas Exp $ */ -/* $EOM: isakmpd.c,v 1.42 2000/01/31 22:33:46 niklas Exp $ */ +/* $OpenBSD: isakmpd.c,v 1.19 2000/02/19 19:32:53 niklas Exp $ */ +/* $EOM: isakmpd.c,v 1.44 2000/02/19 07:58:56 niklas Exp $ */ /* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -57,7 +57,7 @@ #include "util.h" #include "cert.h" -#if defined (USE_KEYNOTE) || defined (HAVE_DLOPEN) +#ifdef USE_POLICY #include "policy.h" #endif @@ -182,7 +182,7 @@ reinit (void) /* Set timezone */ tzset (); -#if defined (USE_KEYNOTE) || defined (HAVE_DLOPEN) +#ifdef USE_POLICY /* Reread the policies. */ policy_init (); #endif diff --git a/sbin/isakmpd/math_group.c b/sbin/isakmpd/math_group.c index d6592d9699d..ab725ac2738 100644 
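Review bot: The new `default:` in ipsec_responder now answers every exchange type it does not recognise — including IKE_EXCH_NEW_GROUP_MODE, which previously fell through silently, and any reserved or private-use value — with `message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0)`. If a non-zero notify code makes message_drop emit a notification (as its name and the old BASE/AUTH_ONLY handling suggest), an unauthenticated sender can elicit a reply for any type byte it likes, which is a small reflection and fingerprinting surface that the hunk does not acknowledge. A comment on the branch would make the trade-off explicit, e.g. `/* Unauthenticated peers reach this for any unknown type; keep the reply cheap and uninformative.  */`, and rate limiting belongs in message_drop if it is not already there. The remainder of ipsec_responder is outside the hunk.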
--- a/sbin/isakmpd/math_group.c +++ b/sbin/isakmpd/math_group.c @@ -1,9 +1,9 @@ -/* $OpenBSD: math_group.c,v 1.9 1999/07/13 15:46:43 niklas Exp $ */ -/* $EOM: math_group.c,v 1.20 1999/07/13 15:43:21 niklas Exp $ */ +/* $OpenBSD: math_group.c,v 1.10 2000/02/19 19:32:54 niklas Exp $ */ +/* $EOM: math_group.c,v 1.22 2000/02/19 07:58:56 niklas Exp $ */ /* * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -123,6 +123,7 @@ struct modp_dscr oakley_modp[] = } }; +#ifdef USE_EC /* Describe preconfigured EC2N groups */ /* @@ -142,6 +143,7 @@ struct ec2n_dscr oakley_ec2n[] = { "0x00", "0x1ee9" }, }; +#endif /* USE_EC */ /* XXX I want to get rid of the casting here. */ struct group groups[] = { @@ -161,6 +163,7 @@ struct group groups[] = { (int (*) (struct group *, void *))modp_setrandom, (int (*) (struct group *, void *, void *, void *))modp_operation }, +#ifdef USE_EC { EC2N, OAKLEY_GRP_3, 0, &oakley_ec2n[0], 0, 0, 0, 0, 0, (int (*) (struct group *))ec2n_getlen, @@ -177,6 +180,7 @@ struct group groups[] = { (int (*) (struct group *, void *))ec2n_setrandom, (int (*) (struct group *, void *, void *, void *))ec2n_operation }, +#endif /* USE_EC */ { MODP, OAKLEY_GRP_5, 0, &oakley_modp[2], 0, 0, 0, 0, 0, (int (*) (struct group *))modp_getlen, @@ -200,9 +204,11 @@ group_init (void) for (i = sizeof (groups) / sizeof (groups[0]) - 1; i >= 0; i--) switch (groups[i].type) { +#ifdef USE_EC case EC2N: /* Initalize an Elliptic Curve over GF(2**n) */ ec2n_init (&groups[i]); break; +#endif case MODP: /* Initalize an over GF(p) */ modp_init (&groups[i]); 
@@ -237,9 +243,11 @@ group_get (int id) switch (clone->type) { +#ifdef USE_EC case EC2N: new = ec2n_clone (new, clone); break; +#endif case MODP: new = modp_clone (new, clone); break; @@ -258,9 +266,11 @@ group_free (struct group *grp) { switch (grp->type) { +#ifdef USE_EC case EC2N: ec2n_free (grp); break; +#endif case MODP: modp_free (grp); break; @@ -345,6 +355,7 @@ modp_init (struct group *group) group->group = grp; } +#ifdef USE_EC struct group * ec2n_clone (struct group *new, struct group *clone) { @@ -452,6 +463,7 @@ ec2n_init (struct group *group) fail: log_fatal ("ec2n_init: general failure"); } +#endif /* USE_EC */ int modp_getlen (struct group *group) @@ -503,6 +515,7 @@ modp_operation (struct group *group, mpz_ptr d, mpz_ptr a, mpz_ptr e) return 0; } +#ifdef USE_EC int ec2n_getlen (struct group *group) { @@ -590,3 +603,4 @@ ec2n_operation (struct group *grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e) return ec2np_mul (d, a, ex, group->grp); } +#endif /* USE_EC */ |