Module Name: src Committed By: tteras Date: Fri Sep 18 10:31:11 UTC 2009
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp_agg.c isakmp_ident.c Log Message: From Tomas Mraz: Fix gssapi error checking. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c:1.15 src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c:1.16 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c:1.15 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c Fri Sep 18 10:31:11 2009 @@ -1,11 +1,11 @@ -/* $NetBSD: isakmp_agg.c,v 1.15 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: isakmp_agg.c,v 1.16 2009/09/18 10:31:11 tteras Exp $ */ /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -186,10 +186,10 @@ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "Xauth vendor ID generation failed\n"); if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_ERROR, LOCATION, NULL, "Unity vendor ID generation failed\n"); break; default: @@ -206,7 +206,7 @@ if (vid_frag == NULL) plog(LLV_ERROR, LOCATION, NULL, "Frag vendorID construction failed\n"); - } + } #endif plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", 
@@ -230,7 +230,11 @@ #ifdef HAVE_GSSAPI if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - gssapi_get_token_to_send(iph1, &gsstoken); + if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "Failed to get gssapi token.\n"); + goto end; + } plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); } #endif @@ -243,19 +247,19 @@ plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); #endif #ifdef ENABLE_NATT - /* - * set VID payload for NAT-T if NAT-T - * support allowed in the config file + /* + * set VID payload for NAT-T if NAT-T + * support allowed in the config file */ - if (iph1->rmconf->nat_traversal) + if (iph1->rmconf->nat_traversal) plist = isakmp_plist_append_natt_vids(plist, vid_natt); #endif #ifdef ENABLE_HYBRID if (vid_xauth) - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, vid_xauth, ISAKMP_NPTYPE_VID); if (vid_unity) - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, vid_unity, ISAKMP_NPTYPE_VID); #endif #ifdef ENABLE_DPD @@ -484,7 +488,7 @@ if (NATT_AVAILABLE(iph1)) { struct natd_payload *natd = NULL; int natd_verified; - + plog(LLV_INFO, LOCATION, iph1->remote, "Selected NAT-T version: %s\n", vid_string_by_id(iph1->natt_options->version)); @@ -492,9 +496,9 @@ /* set both bits first so that we can clear them upon verifying hashes */ iph1->natt_flags |= NAT_DETECTED; - + while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) { - /* this function will clear appropriate bits bits + /* this function will clear appropriate bits bits from iph1->natt_flags */ natd_verified = natt_compare_addr_hash (iph1, natd->payload, natd->seq); @@ -502,7 +506,7 @@ plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", natd->seq - 1, natd_verified ? "verified" : "doesn't match"); - + vfree (natd->payload); TAILQ_REMOVE(&natd_tree, natd, chain); 
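Review bot: The new error log in the `gssapi_get_token_to_send` check passes `NULL` as the address argument, whereas the NAT-T log later in this same file passes `iph1->remote`; this failure happens mid phase-1 exchange and an operator triaging it will want the peer, so `plog(LLV_ERROR, LOCATION, iph1->remote, "Failed to get gssapi token.\n");`. The `goto end` also bails out after payloads have already been appended to `plist` and before whatever call normally consumes the list, so the `end:` cleanup (outside this hunk) needs to release the partially built list, or a peer whose GSS exchange keeps failing turns each attempt into a leak; that should be confirmed against the rest of the function. The enclosing function starts before and ends after this hunk.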
@@ -510,7 +514,7 @@ } plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? + iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); @@ -626,9 +630,9 @@ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: -#endif +#endif /* set HASH payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); break; @@ -677,7 +681,7 @@ goto end; } - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH); break; #endif @@ -688,26 +692,26 @@ if (NATT_AVAILABLE(iph1)) { vchar_t *natd[2] = { NULL, NULL }; - plog(LLV_INFO, LOCATION, + plog(LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n"); if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", + "NAT-D hashing failed for %s\n", saddr2str(iph1->remote)); goto end; } if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) { plog(LLV_ERROR, LOCATION, NULL, - "NAT-D hashing failed for %s\n", + "NAT-D hashing failed for %s\n", saddr2str(iph1->local)); goto end; } - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d); - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); } #endif 
@@ -1035,23 +1039,23 @@ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: #endif /* set SA payload to reply */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); /* create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH); /* create isakmp CR payload if needed */ @@ -1078,19 +1082,19 @@ need_cert = 1; /* set SA payload to reply */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA); /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); /* create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); /* add ID payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); /* add CERT payload if there */ @@ -1122,9 +1126,9 @@ plog(LLV_ERROR, LOCATION, NULL, "failed to wrap hash\n"); /* - * This is probably due to the GSS - * roundtrips not being finished yet. - * Return this error in the hope that + * This is probably due to the GSS + * roundtrips not being finished yet. + * Return this error in the hope that * a fallback to main mode will be done. */ isakmp_info_send_n1(iph1, 
@@ -1141,28 +1145,32 @@ free_gss_sa = 1; /* set SA payload to reply */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA); /* create isakmp KE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE); /* create isakmp NONCE payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE); /* create isakmp ID payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID); /* create GSS payload */ - gssapi_get_token_to_send(iph1, &gsstoken); - plist = isakmp_plist_append(plist, + if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "Failed to get gssapi token.\n"); + goto end; + } + plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS); /* create isakmp HASH payload */ - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH); /* append vendor id, if needed */ @@ -1178,7 +1186,7 @@ "Cannot create Xauth vendor ID\n"); goto end; } - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, xauth_vid, ISAKMP_NPTYPE_VID); } @@ -1188,7 +1196,7 @@ "Cannot create Unity vendor ID\n"); goto end; } - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, unity_vid, ISAKMP_NPTYPE_VID); } #endif @@ -1340,20 +1348,20 @@ { vchar_t *natd_received = NULL; int natd_verified; - + if (isakmp_p2ph (&natd_received, pa->ptr) < 0) goto end; - + if (natd_seq == 0) iph1->natt_flags |= NAT_DETECTED; - + natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - + plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); - + vfree (natd_received); break; } 
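Review bot: The new `goto end` in the GSS responder branch is reached after `free_gss_sa = 1` has been set and `gss_sa` and `gsshash` have been produced, so the `end:` cleanup (outside this hunk) must honor `free_gss_sa` and free `gsshash` on this path as well; if it only does so on the success path, a failing token exchange leaks both. Note also that the neighbouring wrap-hash failure a few lines up reports the error to the peer with `isakmp_info_send_n1()` in the hope of a main-mode fallback, while the new token failure drops out silently from the peer's point of view; if the same fallback reasoning applies here, consider sending the same notification before `goto end`. The enclosing function starts before and ends after this hunk.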
@@ -1373,7 +1381,7 @@ #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? + iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.12 src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.13 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c:1.12 Thu Mar 12 10:57:26 2009 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c Fri Sep 18 10:31:11 2009 @@ -1,11 +1,11 @@ -/* $NetBSD: isakmp_ident.c,v 1.12 2009/03/12 10:57:26 tteras Exp $ */ +/* $NetBSD: isakmp_ident.c,v 1.13 2009/09/18 10:31:11 tteras Exp $ */ /* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -17,7 +17,7 @@ * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -86,7 +86,7 @@ #include "isakmp_xauth.h" #include "isakmp_cfg.h" #endif -#ifdef ENABLE_FRAG +#ifdef ENABLE_FRAG #include "isakmp_frag.h" #endif 
@@ -115,13 +115,13 @@ vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL }; int i; #endif -#ifdef ENABLE_HYBRID +#ifdef ENABLE_HYBRID vchar_t *vid_xauth = NULL; vchar_t *vid_unity = NULL; #endif -#ifdef ENABLE_FRAG +#ifdef ENABLE_FRAG vchar_t *vid_frag = NULL; -#endif +#endif #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif @@ -152,7 +152,7 @@ #ifdef ENABLE_NATT /* set VID payload for NAT-T if NAT-T support allowed in the config file */ - if (iph1->rmconf->nat_traversal) + if (iph1->rmconf->nat_traversal) plist = isakmp_plist_append_natt_vids(plist, vid_natt); #endif #ifdef ENABLE_HYBRID @@ -171,7 +171,7 @@ else plist = isakmp_plist_append(plist, vid_xauth, ISAKMP_NPTYPE_VID); - + if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) plog(LLV_ERROR, LOCATION, NULL, "Unity vendor ID generation failed\n"); @@ -191,7 +191,7 @@ } else { vid_frag = isakmp_frag_addcap(vid_frag, VENDORID_FRAG_IDENT); - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); } } @@ -221,9 +221,9 @@ end: #ifdef ENABLE_FRAG - if (vid_frag) + if (vid_frag) vfree(vid_frag); -#endif +#endif #ifdef ENABLE_NATT for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++) vfree(vid_natt[i]); @@ -482,21 +482,21 @@ natd_received = NULL; if (isakmp_p2ph (&natd_received, pa->ptr) < 0) goto end; - + /* set both bits first so that we can clear them upon verifying hashes */ if (natd_seq == 0) iph1->natt_flags |= NAT_DETECTED; - - /* this function will clear appropriate bits bits + + /* this function will clear appropriate bits bits from iph1->natt_flags */ natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - + plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); - + vfree (natd_received); break; } 
@@ -516,7 +516,7 @@ #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) { plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? + iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); @@ -784,7 +784,7 @@ * If we got a GSS token, we need to this roundtrip again. */ #ifdef HAVE_GSSAPI - iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED : + iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED : PHASE1ST_MSG4RECEIVED; #else iph1->status = PHASE1ST_MSG4RECEIVED; @@ -967,13 +967,13 @@ #ifdef ENABLE_HYBRID vchar_t *vid_xauth = NULL; vchar_t *vid_unity = NULL; -#endif +#endif #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif -#ifdef ENABLE_FRAG +#ifdef ENABLE_FRAG vchar_t *vid_frag = NULL; -#endif +#endif /* validity check */ if (iph1->status != PHASE1ST_MSG1RECEIVED) { @@ -990,7 +990,7 @@ gss_sa = ipsecdoi_setph1proposal(iph1->rmconf, iph1->approval); if (gss_sa != iph1->sa_ret) free_gss_sa = 1; - } else + } else #endif gss_sa = iph1->sa_ret; @@ -1044,7 +1044,7 @@ plog(LLV_ERROR, LOCATION, NULL, "Frag vendorID construction failed\n"); else - plist = isakmp_plist_append(plist, + plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID); } #endif @@ -1169,20 +1169,20 @@ { vchar_t *natd_received = NULL; int natd_verified; - + if (isakmp_p2ph (&natd_received, pa->ptr) < 0) goto end; - + if (natd_seq == 0) iph1->natt_flags |= NAT_DETECTED; - + natd_verified = natt_compare_addr_hash (iph1, natd_received, natd_seq++); - + plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n", natd_seq - 1, natd_verified ? "verified" : "doesn't match"); - + vfree (natd_received); break; } 
@@ -1202,7 +1202,7 @@ #ifdef ENABLE_NATT if (NATT_AVAILABLE(iph1)) plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n", - iph1->natt_flags & NAT_DETECTED ? + iph1->natt_flags & NAT_DETECTED ? "detected:" : "not detected", iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "", iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); @@ -1644,8 +1644,13 @@ #endif #ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_token_to_send(iph1, &gsstoken); + if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { + if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "Failed to get gssapi token.\n"); + goto end; + } + } #endif /* create isakmp KE payload */ @@ -1689,9 +1694,9 @@ plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d); } #endif - + buf = isakmp_plist_set_all (&plist, iph1); - + error = 0; end: @@ -1768,7 +1773,7 @@ case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: -#endif +#endif if (oakley_getmycert(iph1) < 0) goto end; @@ -1800,7 +1805,11 @@ if (gsshash == NULL) goto end; } else { - gssapi_get_token_to_send(iph1, &gsstoken); + if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) { + plog(LLV_ERROR, LOCATION, NULL, + "Failed to get gssapi token.\n"); + goto end; + } } if (!gssapi_id_sent(iph1)) { @@ -1836,7 +1845,7 @@ } buf = isakmp_plist_set_all (&plist, iph1); - + #ifdef HAVE_PRINT_ISAKMP_C isakmp_printpacket(buf, iph1->local, iph1->remote, 1); #endif
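Review bot: In the `@@ -1800` hunk the `gsshash == NULL` branch just above the new check still fails silently with a bare `goto end`, while the sibling token failure now logs; for consistent diagnostics give it a message too, e.g. `plog(LLV_ERROR, LOCATION, NULL, "Failed to get gssapi hash.\n");` before its `goto end` (the call that produces `gsshash` is outside the hunk, so the exact wording may need adjusting). As in the other hunks, passing `iph1->remote` instead of `NULL` in these logs would identify the peer that triggered the failure. The enclosing function starts before this hunk.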