| version 1.11, 2006/10/09 06:32:59 |
version 1.11.2.2, 2007/08/28 11:14:47 |
|
|
| #include <sys/queue.h> |
#include <sys/queue.h> |
| |
|
| #include <netinet/in.h> |
#include <netinet/in.h> |
| #ifdef HAVE_NETINET6_IPSEC |
#include PATH_IPSEC_H |
| # include <netinet6/ipsec.h> |
|
| #else |
|
| # include <netinet/ipsec.h> |
|
| #endif |
|
| |
|
| #include <stdlib.h> |
#include <stdlib.h> |
| #include <stdio.h> |
#include <stdio.h> |
| Line 315 cmpsaprop_alloc(ph1, pp1, pp2, side) |
|
| Line 311 cmpsaprop_alloc(ph1, pp1, pp2, side) |
|
| goto err; |
goto err; |
| } |
} |
| |
|
| |
#ifdef HAVE_SECCTX |
| |
/* check the security_context properties. |
| |
* It is possible for one side to have a security context |
| |
* and the other side doesn't. If so, this is an error. |
| |
*/ |
| |
|
| |
if (*pp1->sctx.ctx_str && !(*pp2->sctx.ctx_str)) { |
| |
plog(LLV_ERROR, LOCATION, NULL, |
| |
"My proposal missing security context\n"); |
| |
goto err; |
| |
} |
| |
if (!(*pp1->sctx.ctx_str) && *pp2->sctx.ctx_str) { |
| |
plog(LLV_ERROR, LOCATION, NULL, |
| |
"Peer is missing security context\n"); |
| |
goto err; |
| |
} |
| |
|
| |
if (*pp1->sctx.ctx_str && *pp2->sctx.ctx_str) { |
| |
if (pp1->sctx.ctx_doi == pp2->sctx.ctx_doi) |
| |
newpp->sctx.ctx_doi = pp1->sctx.ctx_doi; |
| |
else { |
| |
plog(LLV_ERROR, LOCATION, NULL, |
| |
"sec doi mismatched: my:%d peer:%d\n", |
| |
pp2->sctx.ctx_doi, pp1->sctx.ctx_doi); |
| |
goto err; |
| |
} |
| |
|
| |
if (pp1->sctx.ctx_alg == pp2->sctx.ctx_alg) |
| |
newpp->sctx.ctx_alg = pp1->sctx.ctx_alg; |
| |
else { |
| |
plog(LLV_ERROR, LOCATION, NULL, |
| |
"sec alg mismatched: my:%d peer:%d\n", |
| |
pp2->sctx.ctx_alg, pp1->sctx.ctx_alg); |
| |
goto err; |
| |
} |
| |
|
| |
if ((pp1->sctx.ctx_strlen != pp2->sctx.ctx_strlen) || |
| |
memcmp(pp1->sctx.ctx_str, pp2->sctx.ctx_str, |
| |
pp1->sctx.ctx_strlen) != 0) { |
| |
plog(LLV_ERROR, LOCATION, NULL, |
| |
"sec ctx string mismatched: my:%s peer:%s\n", |
| |
pp2->sctx.ctx_str, pp1->sctx.ctx_str); |
| |
goto err; |
| |
} else { |
| |
newpp->sctx.ctx_strlen = pp1->sctx.ctx_strlen; |
| |
memcpy(newpp->sctx.ctx_str, pp1->sctx.ctx_str, |
| |
pp1->sctx.ctx_strlen); |
| |
} |
| |
} |
| |
#endif /* HAVE_SECCTX */ |
| |
|
| npr1 = npr2 = 0; |
npr1 = npr2 = 0; |
| for (pr1 = pp1->head; pr1; pr1 = pr1->next) |
for (pr1 = pp1->head; pr1; pr1 = pr1->next) |
| npr1++; |
npr1++; |
| Line 427 cmpsaprop_alloc(ph1, pp1, pp2, side) |
|
| Line 474 cmpsaprop_alloc(ph1, pp1, pp2, side) |
|
| |
|
| for (tr1 = pr1->head; tr1; tr1 = tr1->next) { |
for (tr1 = pr1->head; tr1; tr1 = tr1->next) { |
| for (tr2 = pr2->head; tr2; tr2 = tr2->next) { |
for (tr2 = pr2->head; tr2; tr2 = tr2->next) { |
| if (cmpsatrns(pr1->proto_id, tr1, tr2) == 0) |
if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0) |
| goto found; |
goto found; |
| } |
} |
| } |
} |
| Line 529 cmpsaprop(pp1, pp2) |
|
| Line 576 cmpsaprop(pp1, pp2) |
|
| * tr2: my satrns |
* tr2: my satrns |
| */ |
*/ |
| int |
int |
| cmpsatrns(proto_id, tr1, tr2) |
cmpsatrns(proto_id, tr1, tr2, check_level) |
| int proto_id; |
int proto_id; |
| const struct satrns *tr1, *tr2; |
const struct satrns *tr1, *tr2; |
| |
int check_level; |
| { |
{ |
| if (tr1->trns_id != tr2->trns_id) { |
if (tr1->trns_id != tr2->trns_id) { |
| plog(LLV_WARNING, LOCATION, NULL, |
plog(LLV_WARNING, LOCATION, NULL, |
| Line 551 cmpsatrns(proto_id, tr1, tr2) |
|
| Line 599 cmpsatrns(proto_id, tr1, tr2) |
|
| return 1; |
return 1; |
| } |
} |
| |
|
| /* XXX |
/* Check key length regarding checkmode |
| * At this moment for interoperability, the responder obey |
* XXX Shall we send some kind of notify message when key length rejected ? |
| * the initiator. It should be defined a notify message. |
|
| */ |
*/ |
| if (tr1->encklen > tr2->encklen) { |
switch(check_level){ |
| |
case PROP_CHECK_OBEY: |
| |
return 0; |
| |
break; |
| |
|
| |
case PROP_CHECK_STRICT: |
| |
/* FALLTHROUGH */ |
| |
case PROP_CHECK_CLAIM: |
| |
if (tr1->encklen < tr2->encklen) { |
| plog(LLV_WARNING, LOCATION, NULL, |
plog(LLV_WARNING, LOCATION, NULL, |
| "less key length proposed, " |
"low key length proposed, " |
| "mine:%d peer:%d. Use initiaotr's one.\n", |
"mine:%d peer:%d.\n", |
| tr2->encklen, tr1->encklen); |
tr2->encklen, tr1->encklen); |
| /* FALLTHRU */ |
return 1; |
| |
} |
| |
break; |
| |
case PROP_CHECK_EXACT: |
| |
if (tr1->encklen != tr2->encklen) { |
| |
plog(LLV_WARNING, LOCATION, NULL, |
| |
"key length mismatched, " |
| |
"mine:%d peer:%d.\n", |
| |
tr2->encklen, tr1->encklen); |
| |
return 1; |
| |
} |
| |
break; |
| } |
} |
| |
|
| return 0; |
return 0; |
| Line 1137 set_proposal_from_proposal(iph2) |
|
| Line 1203 set_proposal_from_proposal(iph2) |
|
| pp0->lifebyte = iph2->sainfo->lifebyte; |
pp0->lifebyte = iph2->sainfo->lifebyte; |
| pp0->pfs_group = iph2->sainfo->pfs_group; |
pp0->pfs_group = iph2->sainfo->pfs_group; |
| |
|
| |
#ifdef HAVE_SECCTX |
| |
if (*pp_peer->sctx.ctx_str) { |
| |
pp0->sctx.ctx_doi = pp_peer->sctx.ctx_doi; |
| |
pp0->sctx.ctx_alg = pp_peer->sctx.ctx_alg; |
| |
pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen; |
| |
memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str, |
| |
pp_peer->sctx.ctx_strlen); |
| |
} |
| |
#endif /* HAVE_SECCTX */ |
| |
|
| if (pp_peer->next != NULL) { |
if (pp_peer->next != NULL) { |
| plog(LLV_ERROR, LOCATION, NULL, |
plog(LLV_ERROR, LOCATION, NULL, |
![[BACK]](/icons/back.gif){kind=icon}
Return to proposal.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / crypto / dist / ipsec-tools / src / racoon