[src/trunk]: src/crypto/dist/kame/racoon Apply patches as discussed on:
details: https://anonhg.NetBSD.org/src/rev/8c9fa422c812
branches: trunk
changeset: 571086:8c9fa422c812
user: thorpej <thorpej%NetBSD.org@localhost>
date: Wed Nov 10 20:23:28 2004 +0000
description:
Apply patches as discussed on:
http://mail-index.netbsd.org/tech-net/2004/11/05/0004.html
Slightly modified to differentiate the version string from a stock racoon.
* auth_gssapi.h (GSSAPI_DEF_NAME): Change from "ike" to "host".
(gssapi_get_default_id): Rename to gssapi_get_id.
(gssapi_get_default_gss_id): New prototype.
* cfparse.y (GSSAPI_ID): Rename to GSS_ID.
(GSS_ID_ENC, GSS_ID_ENCTYPE): New tokens.
(gssenc_statement): New statement.
(isakmpproposal_spec): Use GSS_ID token.
(expand_isakmpspec): Fill in gssid in the new proposal only
if authmethod is OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB. If the
GSS ID is not provided, call gssapi_get_default_gss_id() to
place the default ID in the proposal.
* cftoken.l (S_GSSENC): New start condition.
(<S_RMTP>gss_id): New, return the GSS_ID token.
(<S_RMTP>gssapi_id): Return the GSS_ID token.
(<S_INI>gss_id_enc, <S_GSSENC>latin1, <S_GSSENC>utf-16le)
(<S_GSSENC>{semi}): New, tokenize the "gss_id_enc enctype;"
statement.
* gssapi.c: Include <unistd.h>.
(gssapi_get_default_gss_id): New function.
(gssapi_init): Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
(gssapi_get_default_id): Rename to...
(gssapi_get_id): ...this. If the proposal has a gssid, vdup()
that and return it. Disable a broken debugging message. Make
printf formats consistent in their handling of non-NUL-terminated
strings.
* ipsec_doi.c: Include <iconv.h>.
(get_ph1approval): Make printf formats consistent in their handling
of non-NUL-terminated strings. Call gssapi_get_id() instead of
gssapi_get_default_id(), and remove some complexity that has been
pushed into that function.
(t2isakmpsa): When parsing the OAKLEY_ATTR_GSS_ID attribute,
convert the attribute from UTF-16LE to ISO-Latin-1, unless
we are configured to assume the attribute is already ISO-Latin-1
encoded.
(setph1attr): When setting the OAKLEY_ATTR_GSS_ID attribute,
convert the attribute from ISO-Latin-1 to UTF-16LE, unless we
are configured to encode the attribute in ISO-Latin-1.
* localconf.c (setdefault): Set the default GSS ID encoding type
to UTF-16LE.
* localconf.h (LC_GSSENC_UTF16LE, LC_GSSENC_LATIN1)
(LC_GSSENC_MAX): New constants.
(struct localconf): Add gss_id_enc member.
* main.c (RACOON_VERSION): Append " - NetBSD 20041110" to the
version string.
* racoon.conf.5: Document changes to GSS ID encoding and default
GSS ID computation. Document "gss_id_enc enctype;" statement.
* samples/racoon.conf.sample-gssapi: Update and add comments to
provide more information.
diffstat:
crypto/dist/kame/racoon/auth_gssapi.h | 5 +-
crypto/dist/kame/racoon/cfparse.y | 41 ++-
crypto/dist/kame/racoon/cftoken.l | 14 +-
crypto/dist/kame/racoon/gssapi.c | 53 +++-
crypto/dist/kame/racoon/ipsec_doi.c | 165 ++++++++++++-
crypto/dist/kame/racoon/localconf.c | 3 +-
crypto/dist/kame/racoon/localconf.h | 6 +
crypto/dist/kame/racoon/main.c | 4 +-
crypto/dist/kame/racoon/racoon.conf.5 | 42 +++-
crypto/dist/kame/racoon/samples/racoon.conf.sample-gssapi | 30 +-
10 files changed, 299 insertions(+), 64 deletions(-)
diffs (truncated from 686 to 300 lines):
diff -r 211a4b691768 -r 8c9fa422c812 crypto/dist/kame/racoon/auth_gssapi.h
--- a/crypto/dist/kame/racoon/auth_gssapi.h Wed Nov 10 18:18:25 2004 +0000
+++ b/crypto/dist/kame/racoon/auth_gssapi.h Wed Nov 10 20:23:28 2004 +0000
@@ -42,7 +42,7 @@
#include <gssapi/gssapi.h>
#endif
-#define GSSAPI_DEF_NAME "ike"
+#define GSSAPI_DEF_NAME "host"
struct ph1handle;
struct isakmpsa;
@@ -89,4 +89,5 @@
void gssapi_set_id_rcvd __P((struct ph1handle *));
int gssapi_id_rcvd __P((struct ph1handle *));
void gssapi_free_state __P((struct ph1handle *));
-vchar_t *gssapi_get_default_id __P((struct ph1handle *));
+vchar_t *gssapi_get_id __P((struct ph1handle *));
+vchar_t *gssapi_get_default_gss_id __P((void));
diff -r 211a4b691768 -r 8c9fa422c812 crypto/dist/kame/racoon/cfparse.y
--- a/crypto/dist/kame/racoon/cfparse.y Wed Nov 10 18:18:25 2004 +0000
+++ b/crypto/dist/kame/racoon/cfparse.y Wed Nov 10 20:23:28 2004 +0000
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: cfparse.y,v 1.20 2004/04/12 03:34:05 itojun Exp $");
+__RCSID("$NetBSD: cfparse.y,v 1.21 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -192,7 +192,7 @@
%token GENERATE_POLICY SUPPORT_PROXY
%token PROPOSAL
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
-%token GSSAPI_ID
+%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
%token COMPLEX_BUNDLE
%token PREFIX PORT PORTANY UL_PROTO ANY
@@ -205,7 +205,7 @@
%token EOS BOC EOC COMMA
%type <num> NUMBER BOOLEAN SWITCH keylength
-%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
+%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV GSS_ID_ENCTYPE
%type <num> ALGORITHM_CLASS dh_group_num
%type <num> ALGORITHMTYPE STRENGTHTYPE
%type <num> PREFIX prefix PORT port ike_port
@@ -227,6 +227,7 @@
statement
: path_statement
| include_statement
+ | gssenc_statement
| identifier_statement
| logging_statement
| padding_statement
@@ -276,6 +277,18 @@
}
;
+ /* gss_id_enc */
+gssenc_statement
+ : GSS_ID_ENC GSS_ID_ENCTYPE EOS
+ {
+ if ($2 >= LC_GSSENC_MAX) {
+ yyerror("invalid GSS ID encoding %d", $2);
+ return -1;
+ }
+ lcconf->gss_id_enc = $2;
+ }
+ ;
+
/* self infomation */
identifier_statement
: IDENTIFIER identifier_stmt
@@ -1011,7 +1024,7 @@
prhead->spspec->algclass[algclass_isakmp_dh] = $2;
}
EOS
- | GSSAPI_ID QUOTEDSTRING
+ | GSS_ID QUOTEDSTRING
{
if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
yyerror("wrong Vendor ID for gssapi_id");
@@ -1364,12 +1377,20 @@
new->dh_group = types[algclass_isakmp_dh];
new->vendorid = vendorid;
#ifdef HAVE_GSSAPI
- if (gssid != NULL) {
- new->gssid = vmalloc(strlen(gssid) + 1);
- memcpy(new->gssid->v, gssid, new->gssid->l);
- racoon_free(gssid);
- } else
- new->gssid = NULL;
+ if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
+ if (gssid != NULL) {
+ new->gssid = vmalloc(strlen(gssid));
+ memcpy(new->gssid->v, gssid, new->gssid->l);
+ racoon_free(gssid);
+ } else {
+ /*
+ * Allocate the default ID so that it gets put
+ * into a GSS ID attribute during the Phase 1
+ * exchange.
+ */
+ new->gssid = gssapi_get_default_gss_id();
+ }
+ }
#endif
insisakmpsa(new, rmconf);
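Review bot: The configured gssid string is now consumed and freed only inside the OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB branch, whereas the removed lines freed it unconditionally, so a `gss_id` given in a proposal whose authentication method is not gssapi_krb is neither attached nor released here; unless the caller frees it after expand_isakmpspec returns, that is a leak, and silently dropping a configured ID deserves at least a yyerror or plog. The `vmalloc(strlen(gssid))` result is still dereferenced in the memcpy without a NULL check, as in the old code. Since `gssid->l` no longer counts the terminator, any remaining `"%s"` use of `gssid->v` elsewhere in the tree would over-read; the commit converts the ones it touches, but the rest should be audited. expand_isakmpspec starts and ends outside the hunk.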
diff -r 211a4b691768 -r 8c9fa422c812 crypto/dist/kame/racoon/cftoken.l
--- a/crypto/dist/kame/racoon/cftoken.l Wed Nov 10 18:18:25 2004 +0000
+++ b/crypto/dist/kame/racoon/cftoken.l Wed Nov 10 20:23:28 2004 +0000
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: cftoken.l,v 1.14 2004/04/12 03:34:06 itojun Exp $");
+__RCSID("$NetBSD: cftoken.l,v 1.15 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -137,6 +137,7 @@
%s S_SAINF S_SAINFS
%s S_RMT S_RMTS S_RMTP
%s S_SA
+%s S_GSSENC
%%
%{
@@ -282,7 +283,16 @@
<S_RMTP>authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
<S_RMTP>hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
<S_RMTP>dh_group { YYD; return(DH_GROUP); }
-<S_RMTP>gssapi_id { YYD; return(GSSAPI_ID); }
+<S_RMTP>gss_id { YYD; return(GSS_ID); }
+<S_RMTP>gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */
+
+ /* GSS ID encoding type (global) */
+<S_INI>gss_id_enc { BEGIN S_GSSENC; YYDB; return(GSS_ID_ENC); }
+<S_GSSENC>latin1 { YYD; yylval.num = LC_GSSENC_LATIN1;
+ return(GSS_ID_ENCTYPE); }
+<S_GSSENC>utf-16le { YYD; yylval.num = LC_GSSENC_UTF16LE;
+ return(GSS_ID_ENCTYPE); }
+<S_GSSENC>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* parameter */
on { YYD; yylval.num = TRUE; return(SWITCH); }
diff -r 211a4b691768 -r 8c9fa422c812 crypto/dist/kame/racoon/gssapi.c
--- a/crypto/dist/kame/racoon/gssapi.c Wed Nov 10 18:18:25 2004 +0000
+++ b/crypto/dist/kame/racoon/gssapi.c Wed Nov 10 20:23:28 2004 +0000
@@ -37,13 +37,14 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: gssapi.c,v 1.3 2004/04/12 03:34:07 itojun Exp $");
+__RCSID("$NetBSD: gssapi.c,v 1.4 2004/11/10 20:23:28 thorpej Exp $");
#ifdef HAVE_GSSAPI
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <netdb.h>
+#include <unistd.h>
#include <stdlib.h>
#include <string.h>
@@ -132,6 +133,25 @@
return 0;
}
+vchar_t *
+gssapi_get_default_gss_id(void)
+{
+ char name[NI_MAXHOST];
+ vchar_t *gssid;
+
+ if (gethostname(name, sizeof(name)) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n",
+ strerror(errno));
+ return (NULL);
+ }
+ name[sizeof(name) - 1] = '\0';
+
+ gssid = racoon_malloc(sizeof(*gssid));
+ gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
+
+ return (gssid);
+}
+
static int
gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
{
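Review bot: In gssapi_get_default_gss_id the return value of `asprintf` is stored straight into `gssid->l`; on failure asprintf returns -1 and leaves `gssid->v` unspecified, so the caller gets a vchar_t with an enormous length and a dangling or NULL buffer instead of NULL, and the `racoon_malloc` result is dereferenced without a check as well. Both failures should produce a logged error and a NULL return, matching the gethostname path just above. It is also worth confirming that whatever later vfree()s this buffer releases `->v` with the same allocator asprintf used, since the struct comes from racoon_malloc but the string from plain malloc; building it with vmalloc(len) and snprintf would avoid the question.
```c
vchar_t *
gssapi_get_default_gss_id(void)
{
	char name[NI_MAXHOST];
	vchar_t *gssid;
	int len;

	/* … unchanged: gethostname() and its error path … */

	gssid = racoon_malloc(sizeof(*gssid));
	if (gssid == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "racoon_malloc failed\n");
		return (NULL);
	}
	len = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
	if (len < 0) {
		plog(LLV_ERROR, LOCATION, NULL, "asprintf failed\n");
		racoon_free(gssid);
		return (NULL);
	}
	gssid->l = len;

	return (gssid);
}
```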
@@ -220,8 +240,15 @@
return -1;
}
- plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n",
+#if 0
+ /*
+ * XXXJRT Did this debug message ever work? This is a GSS name
+ * blob at this point.
+ */
+ plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
cred->length, cred->value);
+#endif
+
maj_stat = gss_release_buffer(&min_stat, cred);
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release cred buffer\n");
@@ -263,15 +290,16 @@
dummy = ∅
if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
- plog(LLV_DEBUG, LOCATION, NULL, "using provided service '%s'\n",
- iph1->approval->gssid->v);
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "using provided service '%.*s'\n",
+ iph1->approval->gssid->l, iph1->approval->gssid->v);
name_token.length = iph1->approval->gssid->l;
name_token.value = iph1->approval->gssid->v;
maj_stat = gss_import_name(&min_stat, &name_token,
GSS_C_NO_OID, &partner);
if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "import of %s\n",
- name_token.value);
+ gssapi_error(min_stat, LOCATION, "import of '%.*s'\n",
+ name_token.length, name_token.value);
return -1;
}
} else
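Review bot: The `%.*s` conversions added here pass `iph1->approval->gssid->l` and `name_token.length` as the precision argument, but `*` requires an `int`; both fields appear to be `size_t` (vchar_t in vmbuf.h, gss_buffer_desc per RFC 2744), so on LP64 targets the varargs type mismatch is undefined behaviour and will typically print garbage or nothing. Cast at each call site, `(int)iph1->approval->gssid->l, iph1->approval->gssid->v` and `(int)name_token.length, name_token.value`. The same applies to the `"gss id in new sa '%.*s'"` message in the ipsec_doi.c get_ph1approval hunk; the `#if 0` blocks in the two gssapi_init/gssapi_get_id hunks have the same mismatch but are compiled out. The enclosing function starts and ends outside this hunk.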
@@ -653,7 +681,7 @@
}
vchar_t *
-gssapi_get_default_id(struct ph1handle *iph1)
+gssapi_get_id(struct ph1handle *iph1)
{
gss_buffer_desc id_buffer;
gss_buffer_t id = &id_buffer;
@@ -661,6 +689,9 @@
OM_uint32 min_stat, maj_stat;
vchar_t *vmbuf;
+ if (iph1->rmconf->proposal->gssid != NULL)
+ return (vdup(iph1->rmconf->proposal->gssid));
+
if (gssapi_get_default_name(iph1, 0, &defname) < 0)
return NULL;
@@ -691,8 +722,14 @@
if (GSS_ERROR(maj_stat))
gssapi_error(min_stat, LOCATION, "release canonical name\n");
- plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n",
+#if 0
+ /*
+ * XXXJRT Did this debug message ever work? This is a GSS name
+ * blob at this point.
+ */
+ plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s'\n",
id->length, id->value);
+#endif
if (gssapi_gss2vmbuf(id, &vmbuf) < 0) {
plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
diff -r 211a4b691768 -r 8c9fa422c812 crypto/dist/kame/racoon/ipsec_doi.c
--- a/crypto/dist/kame/racoon/ipsec_doi.c Wed Nov 10 18:18:25 2004 +0000
+++ b/crypto/dist/kame/racoon/ipsec_doi.c Wed Nov 10 20:23:28 2004 +0000
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: ipsec_doi.c,v 1.15 2004/04/12 03:34:07 itojun Exp $");
+__RCSID("$NetBSD: ipsec_doi.c,v 1.16 2004/11/10 20:23:28 thorpej Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -85,6 +85,7 @@
#include "gcmalloc.h"
#ifdef HAVE_GSSAPI
+#include <iconv.h>
#include "auth_gssapi.h"
#endif
@@ -269,8 +270,8 @@
saok:
#ifdef HAVE_GSSAPI
if (sa->gssid != NULL)
- plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%s'\n",
- sa->gssid->v);
+ plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n",
+ sa->gssid->l, sa->gssid->v);
if (iph1-> side == INITIATOR) {
if (iph1->rmconf->proposal->gssid != NULL)
iph1->gi_i = vdup(iph1->rmconf->proposal->gssid);
@@ -280,21 +281,17 @@