Annotation of embedaddon/ipsec-tools/src/racoon/proposal.c, revision 1.1
1.1 ! misho 1: /* $NetBSD: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $ */
! 2:
! 3: /* $Id: proposal.c,v 1.17 2008/09/19 11:14:49 tteras Exp $ */
! 4:
! 5: /*
! 6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
! 7: * All rights reserved.
! 8: *
! 9: * Redistribution and use in source and binary forms, with or without
! 10: * modification, are permitted provided that the following conditions
! 11: * are met:
! 12: * 1. Redistributions of source code must retain the above copyright
! 13: * notice, this list of conditions and the following disclaimer.
! 14: * 2. Redistributions in binary form must reproduce the above copyright
! 15: * notice, this list of conditions and the following disclaimer in the
! 16: * documentation and/or other materials provided with the distribution.
! 17: * 3. Neither the name of the project nor the names of its contributors
! 18: * may be used to endorse or promote products derived from this software
! 19: * without specific prior written permission.
! 20: *
! 21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
! 22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
! 23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
! 24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
! 25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
! 26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
! 27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
! 28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
! 30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
! 31: * SUCH DAMAGE.
! 32: */
! 33:
! 34: #include "config.h"
! 35:
! 36: #include <sys/param.h>
! 37: #include <sys/types.h>
! 38: #include <sys/socket.h>
! 39: #include <sys/queue.h>
! 40:
! 41: #include <netinet/in.h>
! 42: #include PATH_IPSEC_H
! 43:
! 44: #include <stdlib.h>
! 45: #include <stdio.h>
! 46: #include <string.h>
! 47: #include <errno.h>
! 48:
! 49: #include "var.h"
! 50: #include "misc.h"
! 51: #include "vmbuf.h"
! 52: #include "plog.h"
! 53: #include "sockmisc.h"
! 54: #include "debug.h"
! 55:
! 56: #include "policy.h"
! 57: #include "pfkey.h"
! 58: #include "isakmp_var.h"
! 59: #include "isakmp.h"
! 60: #include "ipsec_doi.h"
! 61: #include "algorithm.h"
! 62: #include "proposal.h"
! 63: #include "sainfo.h"
! 64: #include "localconf.h"
! 65: #include "remoteconf.h"
! 66: #include "oakley.h"
! 67: #include "handler.h"
! 68: #include "strnames.h"
! 69: #include "gcmalloc.h"
! 70: #ifdef ENABLE_NATT
! 71: #include "nattraversal.h"
! 72: #endif
! 73:
! 74: static uint g_nextreqid = 1;
! 75:
! 76: /* %%%
! 77: * modules for ipsec sa spec
! 78: */
! 79: struct saprop *
! 80: newsaprop()
! 81: {
! 82: struct saprop *new;
! 83:
! 84: new = racoon_calloc(1, sizeof(*new));
! 85: if (new == NULL)
! 86: return NULL;
! 87:
! 88: return new;
! 89: }
! 90:
! 91: struct saproto *
! 92: newsaproto()
! 93: {
! 94: struct saproto *new;
! 95:
! 96: new = racoon_calloc(1, sizeof(*new));
! 97: if (new == NULL)
! 98: return NULL;
! 99:
! 100: return new;
! 101: }
! 102:
! 103: /* set saprop to last part of the prop tree */
! 104: void
! 105: inssaprop(head, new)
! 106: struct saprop **head;
! 107: struct saprop *new;
! 108: {
! 109: struct saprop *p;
! 110:
! 111: if (*head == NULL) {
! 112: *head = new;
! 113: return;
! 114: }
! 115:
! 116: for (p = *head; p->next; p = p->next)
! 117: ;
! 118: p->next = new;
! 119:
! 120: return;
! 121: }
! 122:
! 123: /* set saproto to the end of the proto tree in saprop */
! 124: void
! 125: inssaproto(pp, new)
! 126: struct saprop *pp;
! 127: struct saproto *new;
! 128: {
! 129: struct saproto *p;
! 130:
! 131: for (p = pp->head; p && p->next; p = p->next)
! 132: ;
! 133: if (p == NULL)
! 134: pp->head = new;
! 135: else
! 136: p->next = new;
! 137:
! 138: return;
! 139: }
! 140:
! 141: /* set saproto to the top of the proto tree in saprop */
! 142: void
! 143: inssaprotorev(pp, new)
! 144: struct saprop *pp;
! 145: struct saproto *new;
! 146: {
! 147: new->next = pp->head;
! 148: pp->head = new;
! 149:
! 150: return;
! 151: }
! 152:
! 153: struct satrns *
! 154: newsatrns()
! 155: {
! 156: struct satrns *new;
! 157:
! 158: new = racoon_calloc(1, sizeof(*new));
! 159: if (new == NULL)
! 160: return NULL;
! 161:
! 162: return new;
! 163: }
! 164:
! 165: /* set saproto to last part of the proto tree in saprop */
! 166: void
! 167: inssatrns(pr, new)
! 168: struct saproto *pr;
! 169: struct satrns *new;
! 170: {
! 171: struct satrns *tr;
! 172:
! 173: for (tr = pr->head; tr && tr->next; tr = tr->next)
! 174: ;
! 175: if (tr == NULL)
! 176: pr->head = new;
! 177: else
! 178: tr->next = new;
! 179:
! 180: return;
! 181: }
! 182:
! 183: /*
! 184: * take a single match between saprop. allocate a new proposal and return it
! 185: * for future use (like picking single proposal from a bundle).
! 186: * pp1: peer's proposal.
! 187: * pp2: my proposal.
! 188: * NOTE: In the case of initiator, must be ensured that there is no
! 189: * modification of the proposal by calling cmp_aproppair_i() before
! 190: * this function.
! 191: * XXX cannot understand the comment!
! 192: */
! 193: struct saprop *
! 194: cmpsaprop_alloc(ph1, pp1, pp2, side)
! 195: struct ph1handle *ph1;
! 196: const struct saprop *pp1, *pp2;
! 197: int side;
! 198: {
! 199: struct saprop *newpp = NULL;
! 200: struct saproto *pr1, *pr2, *newpr = NULL;
! 201: struct satrns *tr1, *tr2, *newtr;
! 202: const int ordermatters = 0;
! 203: int npr1, npr2;
! 204: int spisizematch;
! 205:
! 206: newpp = newsaprop();
! 207: if (newpp == NULL) {
! 208: plog(LLV_ERROR, LOCATION, NULL,
! 209: "failed to allocate saprop.\n");
! 210: return NULL;
! 211: }
! 212: newpp->prop_no = pp1->prop_no;
! 213:
! 214: /* see proposal.h about lifetime/key length and PFS selection. */
! 215:
! 216: /* check time/bytes lifetime and PFS */
! 217: switch (ph1->rmconf->pcheck_level) {
! 218: case PROP_CHECK_OBEY:
! 219: newpp->lifetime = pp1->lifetime;
! 220: newpp->lifebyte = pp1->lifebyte;
! 221: newpp->pfs_group = pp1->pfs_group;
! 222: break;
! 223:
! 224: case PROP_CHECK_STRICT:
! 225: if (pp1->lifetime > pp2->lifetime) {
! 226: plog(LLV_ERROR, LOCATION, NULL,
! 227: "long lifetime proposed: "
! 228: "my:%d peer:%d\n",
! 229: (int)pp2->lifetime, (int)pp1->lifetime);
! 230: goto err;
! 231: }
! 232: if (pp1->lifebyte > pp2->lifebyte) {
! 233: plog(LLV_ERROR, LOCATION, NULL,
! 234: "long lifebyte proposed: "
! 235: "my:%d peer:%d\n",
! 236: pp2->lifebyte, pp1->lifebyte);
! 237: goto err;
! 238: }
! 239: newpp->lifetime = pp1->lifetime;
! 240: newpp->lifebyte = pp1->lifebyte;
! 241:
! 242: prop_pfs_check:
! 243: if (pp2->pfs_group != 0 && pp1->pfs_group != pp2->pfs_group) {
! 244: plog(LLV_ERROR, LOCATION, NULL,
! 245: "pfs group mismatched: "
! 246: "my:%d peer:%d\n",
! 247: pp2->pfs_group, pp1->pfs_group);
! 248: goto err;
! 249: }
! 250: newpp->pfs_group = pp1->pfs_group;
! 251: break;
! 252:
! 253: case PROP_CHECK_CLAIM:
! 254: /* lifetime */
! 255: if (pp1->lifetime <= pp2->lifetime) {
! 256: newpp->lifetime = pp1->lifetime;
! 257: } else {
! 258: newpp->lifetime = pp2->lifetime;
! 259: newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
! 260: plog(LLV_NOTIFY, LOCATION, NULL,
! 261: "use own lifetime: "
! 262: "my:%d peer:%d\n",
! 263: (int)pp2->lifetime, (int)pp1->lifetime);
! 264: }
! 265:
! 266: /* lifebyte */
! 267: if (pp1->lifebyte > pp2->lifebyte) {
! 268: newpp->lifebyte = pp2->lifebyte;
! 269: newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
! 270: plog(LLV_NOTIFY, LOCATION, NULL,
! 271: "use own lifebyte: "
! 272: "my:%d peer:%d\n",
! 273: pp2->lifebyte, pp1->lifebyte);
! 274: }
! 275: newpp->lifebyte = pp1->lifebyte;
! 276:
! 277: goto prop_pfs_check;
! 278: break;
! 279:
! 280: case PROP_CHECK_EXACT:
! 281: if (pp1->lifetime != pp2->lifetime) {
! 282: plog(LLV_ERROR, LOCATION, NULL,
! 283: "lifetime mismatched: "
! 284: "my:%d peer:%d\n",
! 285: (int)pp2->lifetime, (int)pp1->lifetime);
! 286: goto err;
! 287: }
! 288:
! 289: if (pp1->lifebyte != pp2->lifebyte) {
! 290: plog(LLV_ERROR, LOCATION, NULL,
! 291: "lifebyte mismatched: "
! 292: "my:%d peer:%d\n",
! 293: pp2->lifebyte, pp1->lifebyte);
! 294: goto err;
! 295: }
! 296: if (pp1->pfs_group != pp2->pfs_group) {
! 297: plog(LLV_ERROR, LOCATION, NULL,
! 298: "pfs group mismatched: "
! 299: "my:%d peer:%d\n",
! 300: pp2->pfs_group, pp1->pfs_group);
! 301: goto err;
! 302: }
! 303: newpp->lifetime = pp1->lifetime;
! 304: newpp->lifebyte = pp1->lifebyte;
! 305: newpp->pfs_group = pp1->pfs_group;
! 306: break;
! 307:
! 308: default:
! 309: plog(LLV_ERROR, LOCATION, NULL,
! 310: "invalid pcheck_level why?.\n");
! 311: goto err;
! 312: }
! 313:
! 314: #ifdef HAVE_SECCTX
! 315: /* check the security_context properties.
! 316: * It is possible for one side to have a security context
! 317: * and the other side doesn't. If so, this is an error.
! 318: */
! 319:
! 320: if (*pp1->sctx.ctx_str && !(*pp2->sctx.ctx_str)) {
! 321: plog(LLV_ERROR, LOCATION, NULL,
! 322: "My proposal missing security context\n");
! 323: goto err;
! 324: }
! 325: if (!(*pp1->sctx.ctx_str) && *pp2->sctx.ctx_str) {
! 326: plog(LLV_ERROR, LOCATION, NULL,
! 327: "Peer is missing security context\n");
! 328: goto err;
! 329: }
! 330:
! 331: if (*pp1->sctx.ctx_str && *pp2->sctx.ctx_str) {
! 332: if (pp1->sctx.ctx_doi == pp2->sctx.ctx_doi)
! 333: newpp->sctx.ctx_doi = pp1->sctx.ctx_doi;
! 334: else {
! 335: plog(LLV_ERROR, LOCATION, NULL,
! 336: "sec doi mismatched: my:%d peer:%d\n",
! 337: pp2->sctx.ctx_doi, pp1->sctx.ctx_doi);
! 338: goto err;
! 339: }
! 340:
! 341: if (pp1->sctx.ctx_alg == pp2->sctx.ctx_alg)
! 342: newpp->sctx.ctx_alg = pp1->sctx.ctx_alg;
! 343: else {
! 344: plog(LLV_ERROR, LOCATION, NULL,
! 345: "sec alg mismatched: my:%d peer:%d\n",
! 346: pp2->sctx.ctx_alg, pp1->sctx.ctx_alg);
! 347: goto err;
! 348: }
! 349:
! 350: if ((pp1->sctx.ctx_strlen != pp2->sctx.ctx_strlen) ||
! 351: memcmp(pp1->sctx.ctx_str, pp2->sctx.ctx_str,
! 352: pp1->sctx.ctx_strlen) != 0) {
! 353: plog(LLV_ERROR, LOCATION, NULL,
! 354: "sec ctx string mismatched: my:%s peer:%s\n",
! 355: pp2->sctx.ctx_str, pp1->sctx.ctx_str);
! 356: goto err;
! 357: } else {
! 358: newpp->sctx.ctx_strlen = pp1->sctx.ctx_strlen;
! 359: memcpy(newpp->sctx.ctx_str, pp1->sctx.ctx_str,
! 360: pp1->sctx.ctx_strlen);
! 361: }
! 362: }
! 363: #endif /* HAVE_SECCTX */
! 364:
! 365: npr1 = npr2 = 0;
! 366: for (pr1 = pp1->head; pr1; pr1 = pr1->next)
! 367: npr1++;
! 368: for (pr2 = pp2->head; pr2; pr2 = pr2->next)
! 369: npr2++;
! 370: if (npr1 != npr2)
! 371: goto err;
! 372:
! 373: /* check protocol order */
! 374: pr1 = pp1->head;
! 375: pr2 = pp2->head;
! 376:
! 377: while (1) {
! 378: if (!ordermatters) {
! 379: /*
! 380: * XXX does not work if we have multiple proposals
! 381: * with the same proto_id
! 382: */
! 383: switch (side) {
! 384: case RESPONDER:
! 385: if (!pr2)
! 386: break;
! 387: for (pr1 = pp1->head; pr1; pr1 = pr1->next) {
! 388: if (pr1->proto_id == pr2->proto_id)
! 389: break;
! 390: }
! 391: break;
! 392: case INITIATOR:
! 393: if (!pr1)
! 394: break;
! 395: for (pr2 = pp2->head; pr2; pr2 = pr2->next) {
! 396: if (pr2->proto_id == pr1->proto_id)
! 397: break;
! 398: }
! 399: break;
! 400: }
! 401: }
! 402: if (!pr1 || !pr2)
! 403: break;
! 404:
! 405: if (pr1->proto_id != pr2->proto_id) {
! 406: plog(LLV_ERROR, LOCATION, NULL,
! 407: "proto_id mismatched: "
! 408: "my:%s peer:%s\n",
! 409: s_ipsecdoi_proto(pr2->proto_id),
! 410: s_ipsecdoi_proto(pr1->proto_id));
! 411: goto err;
! 412: }
! 413: spisizematch = 0;
! 414: if (pr1->spisize == pr2->spisize)
! 415: spisizematch = 1;
! 416: else if (pr1->proto_id == IPSECDOI_PROTO_IPCOMP) {
! 417: /*
! 418: * draft-shacham-ippcp-rfc2393bis-05.txt:
! 419: * need to accept 16bit and 32bit SPI (CPI) for IPComp.
! 420: */
! 421: if (pr1->spisize == sizeof(u_int16_t) &&
! 422: pr2->spisize == sizeof(u_int32_t)) {
! 423: spisizematch = 1;
! 424: } else if (pr2->spisize == sizeof(u_int16_t) &&
! 425: pr1->spisize == sizeof(u_int32_t)) {
! 426: spisizematch = 1;
! 427: }
! 428: if (spisizematch) {
! 429: plog(LLV_ERROR, LOCATION, NULL,
! 430: "IPComp SPI size promoted "
! 431: "from 16bit to 32bit\n");
! 432: }
! 433: }
! 434: if (!spisizematch) {
! 435: plog(LLV_ERROR, LOCATION, NULL,
! 436: "spisize mismatched: "
! 437: "my:%d peer:%d\n",
! 438: (int)pr2->spisize, (int)pr1->spisize);
! 439: goto err;
! 440: }
! 441:
! 442: #ifdef ENABLE_NATT
! 443: if ((ph1->natt_flags & NAT_DETECTED) &&
! 444: natt_udp_encap (pr2->encmode))
! 445: {
! 446: plog(LLV_INFO, LOCATION, NULL, "Adjusting my encmode %s->%s\n",
! 447: s_ipsecdoi_encmode(pr2->encmode),
! 448: s_ipsecdoi_encmode(pr2->encmode - ph1->natt_options->mode_udp_diff));
! 449: pr2->encmode -= ph1->natt_options->mode_udp_diff;
! 450: pr2->udp_encap = 1;
! 451: }
! 452:
! 453: if ((ph1->natt_flags & NAT_DETECTED) &&
! 454: natt_udp_encap (pr1->encmode))
! 455: {
! 456: plog(LLV_INFO, LOCATION, NULL, "Adjusting peer's encmode %s(%d)->%s(%d)\n",
! 457: s_ipsecdoi_encmode(pr1->encmode),
! 458: pr1->encmode,
! 459: s_ipsecdoi_encmode(pr1->encmode - ph1->natt_options->mode_udp_diff),
! 460: pr1->encmode - ph1->natt_options->mode_udp_diff);
! 461: pr1->encmode -= ph1->natt_options->mode_udp_diff;
! 462: pr1->udp_encap = 1;
! 463: }
! 464: #endif
! 465:
! 466: if (pr1->encmode != pr2->encmode) {
! 467: plog(LLV_ERROR, LOCATION, NULL,
! 468: "encmode mismatched: "
! 469: "my:%s peer:%s\n",
! 470: s_ipsecdoi_encmode(pr2->encmode),
! 471: s_ipsecdoi_encmode(pr1->encmode));
! 472: goto err;
! 473: }
! 474:
! 475: for (tr1 = pr1->head; tr1; tr1 = tr1->next) {
! 476: for (tr2 = pr2->head; tr2; tr2 = tr2->next) {
! 477: if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0)
! 478: goto found;
! 479: }
! 480: }
! 481:
! 482: goto err;
! 483:
! 484: found:
! 485: newpr = newsaproto();
! 486: if (newpr == NULL) {
! 487: plog(LLV_ERROR, LOCATION, NULL,
! 488: "failed to allocate saproto.\n");
! 489: goto err;
! 490: }
! 491: newpr->proto_id = pr1->proto_id;
! 492: newpr->spisize = pr1->spisize;
! 493: newpr->encmode = pr1->encmode;
! 494: newpr->spi = pr2->spi; /* copy my SPI */
! 495: newpr->spi_p = pr1->spi; /* copy peer's SPI */
! 496: newpr->reqid_in = pr2->reqid_in;
! 497: newpr->reqid_out = pr2->reqid_out;
! 498: #ifdef ENABLE_NATT
! 499: newpr->udp_encap = pr1->udp_encap | pr2->udp_encap;
! 500: #endif
! 501:
! 502: newtr = newsatrns();
! 503: if (newtr == NULL) {
! 504: plog(LLV_ERROR, LOCATION, NULL,
! 505: "failed to allocate satrns.\n");
! 506: racoon_free(newpr);
! 507: goto err;
! 508: }
! 509: newtr->trns_no = tr1->trns_no;
! 510: newtr->trns_id = tr1->trns_id;
! 511: newtr->encklen = tr1->encklen;
! 512: newtr->authtype = tr1->authtype;
! 513:
! 514: inssatrns(newpr, newtr);
! 515: inssaproto(newpp, newpr);
! 516:
! 517: pr1 = pr1->next;
! 518: pr2 = pr2->next;
! 519: }
! 520:
! 521: /* XXX should check if we have visited all items or not */
! 522: if (!ordermatters) {
! 523: switch (side) {
! 524: case RESPONDER:
! 525: if (!pr2)
! 526: pr1 = NULL;
! 527: break;
! 528: case INITIATOR:
! 529: if (!pr1)
! 530: pr2 = NULL;
! 531: break;
! 532: }
! 533: }
! 534:
! 535: /* should be matched all protocols in a proposal */
! 536: if (pr1 != NULL || pr2 != NULL)
! 537: goto err;
! 538:
! 539: return newpp;
! 540:
! 541: err:
! 542: flushsaprop(newpp);
! 543: return NULL;
! 544: }
! 545:
! 546: /* take a single match between saprop. returns 0 if pp1 equals to pp2. */
! 547: int
! 548: cmpsaprop(pp1, pp2)
! 549: const struct saprop *pp1, *pp2;
! 550: {
! 551: if (pp1->pfs_group != pp2->pfs_group) {
! 552: plog(LLV_WARNING, LOCATION, NULL,
! 553: "pfs_group mismatch. mine:%d peer:%d\n",
! 554: pp1->pfs_group, pp2->pfs_group);
! 555: /* FALLTHRU */
! 556: }
! 557:
! 558: if (pp1->lifetime > pp2->lifetime) {
! 559: plog(LLV_WARNING, LOCATION, NULL,
! 560: "less lifetime proposed. mine:%d peer:%d\n",
! 561: (int)pp1->lifetime, (int)pp2->lifetime);
! 562: /* FALLTHRU */
! 563: }
! 564: if (pp1->lifebyte > pp2->lifebyte) {
! 565: plog(LLV_WARNING, LOCATION, NULL,
! 566: "less lifebyte proposed. mine:%d peer:%d\n",
! 567: pp1->lifebyte, pp2->lifebyte);
! 568: /* FALLTHRU */
! 569: }
! 570:
! 571: return 0;
! 572: }
! 573:
! 574: /*
! 575: * take a single match between satrns. returns 0 if tr1 equals to tr2.
! 576: * tr1: peer's satrns
! 577: * tr2: my satrns
! 578: */
! 579: int
! 580: cmpsatrns(proto_id, tr1, tr2, check_level)
! 581: int proto_id;
! 582: const struct satrns *tr1, *tr2;
! 583: int check_level;
! 584: {
! 585: if (tr1->trns_id != tr2->trns_id) {
! 586: plog(LLV_WARNING, LOCATION, NULL,
! 587: "trns_id mismatched: "
! 588: "my:%s peer:%s\n",
! 589: s_ipsecdoi_trns(proto_id, tr2->trns_id),
! 590: s_ipsecdoi_trns(proto_id, tr1->trns_id));
! 591: return 1;
! 592: }
! 593:
! 594: if (tr1->authtype != tr2->authtype) {
! 595: plog(LLV_WARNING, LOCATION, NULL,
! 596: "authtype mismatched: "
! 597: "my:%s peer:%s\n",
! 598: s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr2->authtype),
! 599: s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr1->authtype));
! 600: return 1;
! 601: }
! 602:
! 603: /* Check key length regarding checkmode
! 604: * XXX Shall we send some kind of notify message when key length rejected ?
! 605: */
! 606: switch(check_level){
! 607: case PROP_CHECK_OBEY:
! 608: return 0;
! 609: break;
! 610:
! 611: case PROP_CHECK_STRICT:
! 612: /* FALLTHROUGH */
! 613: case PROP_CHECK_CLAIM:
! 614: if (tr1->encklen < tr2->encklen) {
! 615: plog(LLV_WARNING, LOCATION, NULL,
! 616: "low key length proposed, "
! 617: "mine:%d peer:%d.\n",
! 618: tr2->encklen, tr1->encklen);
! 619: return 1;
! 620: }
! 621: break;
! 622: case PROP_CHECK_EXACT:
! 623: if (tr1->encklen != tr2->encklen) {
! 624: plog(LLV_WARNING, LOCATION, NULL,
! 625: "key length mismatched, "
! 626: "mine:%d peer:%d.\n",
! 627: tr2->encklen, tr1->encklen);
! 628: return 1;
! 629: }
! 630: break;
! 631: }
! 632:
! 633: return 0;
! 634: }
! 635:
! 636: int
! 637: set_satrnsbysainfo(pr, sainfo)
! 638: struct saproto *pr;
! 639: struct sainfo *sainfo;
! 640: {
! 641: struct sainfoalg *a, *b;
! 642: struct satrns *newtr;
! 643: int t;
! 644:
! 645: switch (pr->proto_id) {
! 646: case IPSECDOI_PROTO_IPSEC_AH:
! 647: if (sainfo->algs[algclass_ipsec_auth] == NULL) {
! 648: plog(LLV_ERROR, LOCATION, NULL,
! 649: "no auth algorithm found\n");
! 650: goto err;
! 651: }
! 652: t = 1;
! 653: for (a = sainfo->algs[algclass_ipsec_auth]; a; a = a->next) {
! 654:
! 655: if (a->alg == IPSECDOI_ATTR_AUTH_NONE)
! 656: continue;
! 657:
! 658: /* allocate satrns */
! 659: newtr = newsatrns();
! 660: if (newtr == NULL) {
! 661: plog(LLV_ERROR, LOCATION, NULL,
! 662: "failed to allocate satrns.\n");
! 663: goto err;
! 664: }
! 665:
! 666: newtr->trns_no = t++;
! 667: newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg);
! 668: newtr->authtype = a->alg;
! 669:
! 670: inssatrns(pr, newtr);
! 671: }
! 672: break;
! 673: case IPSECDOI_PROTO_IPSEC_ESP:
! 674: if (sainfo->algs[algclass_ipsec_enc] == NULL) {
! 675: plog(LLV_ERROR, LOCATION, NULL,
! 676: "no encryption algorithm found\n");
! 677: goto err;
! 678: }
! 679: t = 1;
! 680: for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) {
! 681: for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) {
! 682: /* allocate satrns */
! 683: newtr = newsatrns();
! 684: if (newtr == NULL) {
! 685: plog(LLV_ERROR, LOCATION, NULL,
! 686: "failed to allocate satrns.\n");
! 687: goto err;
! 688: }
! 689:
! 690: newtr->trns_no = t++;
! 691: newtr->trns_id = a->alg;
! 692: newtr->encklen = a->encklen;
! 693: newtr->authtype = b->alg;
! 694:
! 695: inssatrns(pr, newtr);
! 696: }
! 697: }
! 698: break;
! 699: case IPSECDOI_PROTO_IPCOMP:
! 700: if (sainfo->algs[algclass_ipsec_comp] == NULL) {
! 701: plog(LLV_ERROR, LOCATION, NULL,
! 702: "no ipcomp algorithm found\n");
! 703: goto err;
! 704: }
! 705: t = 1;
! 706: for (a = sainfo->algs[algclass_ipsec_comp]; a; a = a->next) {
! 707:
! 708: /* allocate satrns */
! 709: newtr = newsatrns();
! 710: if (newtr == NULL) {
! 711: plog(LLV_ERROR, LOCATION, NULL,
! 712: "failed to allocate satrns.\n");
! 713: goto err;
! 714: }
! 715:
! 716: newtr->trns_no = t++;
! 717: newtr->trns_id = a->alg;
! 718: newtr->authtype = IPSECDOI_ATTR_AUTH_NONE; /*no auth*/
! 719:
! 720: inssatrns(pr, newtr);
! 721: }
! 722: break;
! 723: default:
! 724: plog(LLV_ERROR, LOCATION, NULL,
! 725: "unknown proto_id (%d).\n", pr->proto_id);
! 726: goto err;
! 727: }
! 728:
! 729: /* no proposal found */
! 730: if (pr->head == NULL) {
! 731: plog(LLV_ERROR, LOCATION, NULL, "no algorithms found.\n");
! 732: return -1;
! 733: }
! 734:
! 735: return 0;
! 736:
! 737: err:
! 738: flushsatrns(pr->head);
! 739: return -1;
! 740: }
! 741:
! 742: struct saprop *
! 743: aproppair2saprop(p0)
! 744: struct prop_pair *p0;
! 745: {
! 746: struct prop_pair *p, *t;
! 747: struct saprop *newpp;
! 748: struct saproto *newpr;
! 749: struct satrns *newtr;
! 750: u_int8_t *spi;
! 751:
! 752: if (p0 == NULL)
! 753: return NULL;
! 754:
! 755: /* allocate ipsec a sa proposal */
! 756: newpp = newsaprop();
! 757: if (newpp == NULL) {
! 758: plog(LLV_ERROR, LOCATION, NULL,
! 759: "failed to allocate saprop.\n");
! 760: return NULL;
! 761: }
! 762: newpp->prop_no = p0->prop->p_no;
! 763: /* lifetime & lifebyte must be updated later */
! 764:
! 765: for (p = p0; p; p = p->next) {
! 766:
! 767: /* allocate ipsec sa protocol */
! 768: newpr = newsaproto();
! 769: if (newpr == NULL) {
! 770: plog(LLV_ERROR, LOCATION, NULL,
! 771: "failed to allocate saproto.\n");
! 772: goto err;
! 773: }
! 774:
! 775: /* check spi size */
! 776: /* XXX should be handled isakmp cookie */
! 777: if (sizeof(newpr->spi) < p->prop->spi_size) {
! 778: plog(LLV_ERROR, LOCATION, NULL,
! 779: "invalid spi size %d.\n", p->prop->spi_size);
! 780: racoon_free(newpr);
! 781: goto err;
! 782: }
! 783:
! 784: /*
! 785: * XXX SPI bits are left-filled, for use with IPComp.
! 786: * we should be switching to variable-length spi field...
! 787: */
! 788: newpr->proto_id = p->prop->proto_id;
! 789: newpr->spisize = p->prop->spi_size;
! 790: memset(&newpr->spi, 0, sizeof(newpr->spi));
! 791: spi = (u_int8_t *)&newpr->spi;
! 792: spi += sizeof(newpr->spi);
! 793: spi -= p->prop->spi_size;
! 794: memcpy(spi, p->prop + 1, p->prop->spi_size);
! 795: newpr->reqid_in = 0;
! 796: newpr->reqid_out = 0;
! 797:
! 798: for (t = p; t; t = t->tnext) {
! 799:
! 800: plog(LLV_DEBUG, LOCATION, NULL,
! 801: "prop#=%d prot-id=%s spi-size=%d "
! 802: "#trns=%d trns#=%d trns-id=%s\n",
! 803: t->prop->p_no,
! 804: s_ipsecdoi_proto(t->prop->proto_id),
! 805: t->prop->spi_size, t->prop->num_t,
! 806: t->trns->t_no,
! 807: s_ipsecdoi_trns(t->prop->proto_id,
! 808: t->trns->t_id));
! 809:
! 810: /* allocate ipsec sa transform */
! 811: newtr = newsatrns();
! 812: if (newtr == NULL) {
! 813: plog(LLV_ERROR, LOCATION, NULL,
! 814: "failed to allocate satrns.\n");
! 815: racoon_free(newpr);
! 816: goto err;
! 817: }
! 818:
! 819: if (ipsecdoi_t2satrns(t->trns,
! 820: newpp, newpr, newtr) < 0) {
! 821: flushsaprop(newpp);
! 822: racoon_free(newtr);
! 823: racoon_free(newpr);
! 824: return NULL;
! 825: }
! 826:
! 827: inssatrns(newpr, newtr);
! 828: }
! 829:
! 830: /*
! 831: * If the peer does not specify encryption mode, use
! 832: * transport mode by default. This is to conform to
! 833: * draft-shacham-ippcp-rfc2393bis-08.txt (explicitly specifies
! 834: * that unspecified == transport), as well as RFC2407
! 835: * (unspecified == implementation dependent default).
! 836: */
! 837: if (newpr->encmode == 0)
! 838: newpr->encmode = IPSECDOI_ATTR_ENC_MODE_TRNS;
! 839:
! 840: inssaproto(newpp, newpr);
! 841: }
! 842:
! 843: return newpp;
! 844:
! 845: err:
! 846: flushsaprop(newpp);
! 847: return NULL;
! 848: }
! 849:
! 850: void
! 851: flushsaprop(head)
! 852: struct saprop *head;
! 853: {
! 854: struct saprop *p, *save;
! 855:
! 856: for (p = head; p != NULL; p = save) {
! 857: save = p->next;
! 858: flushsaproto(p->head);
! 859: racoon_free(p);
! 860: }
! 861:
! 862: return;
! 863: }
! 864:
! 865: void
! 866: flushsaproto(head)
! 867: struct saproto *head;
! 868: {
! 869: struct saproto *p, *save;
! 870:
! 871: for (p = head; p != NULL; p = save) {
! 872: save = p->next;
! 873: flushsatrns(p->head);
! 874: vfree(p->keymat);
! 875: vfree(p->keymat_p);
! 876: racoon_free(p);
! 877: }
! 878:
! 879: return;
! 880: }
! 881:
! 882: void
! 883: flushsatrns(head)
! 884: struct satrns *head;
! 885: {
! 886: struct satrns *p, *save;
! 887:
! 888: for (p = head; p != NULL; p = save) {
! 889: save = p->next;
! 890: racoon_free(p);
! 891: }
! 892:
! 893: return;
! 894: }
! 895:
! 896: /*
! 897: * print multiple proposals
! 898: */
! 899: void
! 900: printsaprop(pri, pp)
! 901: const int pri;
! 902: const struct saprop *pp;
! 903: {
! 904: const struct saprop *p;
! 905:
! 906: if (pp == NULL) {
! 907: plog(pri, LOCATION, NULL, "(null)");
! 908: return;
! 909: }
! 910:
! 911: for (p = pp; p; p = p->next) {
! 912: printsaprop0(pri, p);
! 913: }
! 914:
! 915: return;
! 916: }
! 917:
! 918: /*
! 919: * print one proposal.
! 920: */
! 921: void
! 922: printsaprop0(pri, pp)
! 923: int pri;
! 924: const struct saprop *pp;
! 925: {
! 926: const struct saproto *p;
! 927:
! 928: if (pp == NULL)
! 929: return;
! 930:
! 931: for (p = pp->head; p; p = p->next) {
! 932: printsaproto(pri, p);
! 933: }
! 934:
! 935: return;
! 936: }
! 937:
! 938: void
! 939: printsaproto(pri, pr)
! 940: const int pri;
! 941: const struct saproto *pr;
! 942: {
! 943: struct satrns *tr;
! 944:
! 945: if (pr == NULL)
! 946: return;
! 947:
! 948: plog(pri, LOCATION, NULL,
! 949: " (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx "
! 950: "encmode=%s reqid=%d:%d)\n",
! 951: s_ipsecdoi_proto(pr->proto_id),
! 952: (int)pr->spisize,
! 953: (unsigned long)ntohl(pr->spi),
! 954: (unsigned long)ntohl(pr->spi_p),
! 955: s_ipsecdoi_attr_v(IPSECDOI_ATTR_ENC_MODE, pr->encmode),
! 956: (int)pr->reqid_in, (int)pr->reqid_out);
! 957:
! 958: for (tr = pr->head; tr; tr = tr->next) {
! 959: printsatrns(pri, pr->proto_id, tr);
! 960: }
! 961:
! 962: return;
! 963: }
! 964:
! 965: void
! 966: printsatrns(pri, proto_id, tr)
! 967: const int pri;
! 968: const int proto_id;
! 969: const struct satrns *tr;
! 970: {
! 971: if (tr == NULL)
! 972: return;
! 973:
! 974: switch (proto_id) {
! 975: case IPSECDOI_PROTO_IPSEC_AH:
! 976: plog(pri, LOCATION, NULL,
! 977: " (trns_id=%s authtype=%s)\n",
! 978: s_ipsecdoi_trns(proto_id, tr->trns_id),
! 979: s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
! 980: break;
! 981: case IPSECDOI_PROTO_IPSEC_ESP:
! 982: plog(pri, LOCATION, NULL,
! 983: " (trns_id=%s encklen=%d authtype=%s)\n",
! 984: s_ipsecdoi_trns(proto_id, tr->trns_id),
! 985: tr->encklen,
! 986: s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
! 987: break;
! 988: case IPSECDOI_PROTO_IPCOMP:
! 989: plog(pri, LOCATION, NULL,
! 990: " (trns_id=%s)\n",
! 991: s_ipsecdoi_trns(proto_id, tr->trns_id));
! 992: break;
! 993: default:
! 994: plog(pri, LOCATION, NULL,
! 995: "(unknown proto_id %d)\n", proto_id);
! 996: }
! 997:
! 998: return;
! 999: }
! 1000:
! 1001: void
! 1002: print_proppair0(pri, p, level)
! 1003: int pri;
! 1004: struct prop_pair *p;
! 1005: int level;
! 1006: {
! 1007: char spc[21];
! 1008:
! 1009: memset(spc, ' ', sizeof(spc));
! 1010: spc[sizeof(spc) - 1] = '\0';
! 1011: if (level < 20) {
! 1012: spc[level] = '\0';
! 1013: }
! 1014:
! 1015: plog(pri, LOCATION, NULL,
! 1016: "%s%p: next=%p tnext=%p\n", spc, p, p->next, p->tnext);
! 1017: if (p->next)
! 1018: print_proppair0(pri, p->next, level + 1);
! 1019: if (p->tnext)
! 1020: print_proppair0(pri, p->tnext, level + 1);
! 1021: }
! 1022:
! 1023: void
! 1024: print_proppair(pri, p)
! 1025: int pri;
! 1026: struct prop_pair *p;
! 1027: {
! 1028: print_proppair0(pri, p, 1);
! 1029: }
! 1030:
! 1031: int
! 1032: set_proposal_from_policy(iph2, sp_main, sp_sub)
! 1033: struct ph2handle *iph2;
! 1034: struct secpolicy *sp_main, *sp_sub;
! 1035: {
! 1036: struct saprop *newpp;
! 1037: struct ipsecrequest *req;
! 1038: int encmodesv = IPSECDOI_ATTR_ENC_MODE_TRNS; /* use only when complex_bundle */
! 1039:
! 1040: newpp = newsaprop();
! 1041: if (newpp == NULL) {
! 1042: plog(LLV_ERROR, LOCATION, NULL,
! 1043: "failed to allocate saprop.\n");
! 1044: goto err;
! 1045: }
! 1046: newpp->prop_no = 1;
! 1047: newpp->lifetime = iph2->sainfo->lifetime;
! 1048: newpp->lifebyte = iph2->sainfo->lifebyte;
! 1049: newpp->pfs_group = iph2->sainfo->pfs_group;
! 1050:
! 1051: if (lcconf->complex_bundle)
! 1052: goto skip1;
! 1053:
! 1054: /*
! 1055: * decide the encryption mode of this SA bundle.
! 1056: * the mode becomes tunnel mode when there is even one policy
! 1057: * of tunnel mode in the SPD. otherwise the mode becomes
! 1058: * transport mode.
! 1059: */
! 1060: for (req = sp_main->req; req; req = req->next) {
! 1061: if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
! 1062: encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
! 1063: #ifdef ENABLE_NATT
! 1064: if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
! 1065: encmodesv += iph2->ph1->natt_options->mode_udp_diff;
! 1066: #endif
! 1067: break;
! 1068: }
! 1069: }
! 1070:
! 1071: skip1:
! 1072: for (req = sp_main->req; req; req = req->next) {
! 1073: struct saproto *newpr;
! 1074: caddr_t paddr = NULL;
! 1075:
! 1076: /*
! 1077: * check if SA bundle ?
! 1078: * nested SAs negotiation is NOT supported.
! 1079: * me +--- SA1 ---+ peer1
! 1080: * me +--- SA2 --------------+ peer2
! 1081: */
! 1082: #ifdef __linux__
! 1083: if (req->saidx.src.ss_family && req->saidx.dst.ss_family) {
! 1084: #else
! 1085: if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
! 1086: #endif
! 1087: /* check the end of ip addresses of SA */
! 1088: if (iph2->side == INITIATOR)
! 1089: paddr = (caddr_t)&req->saidx.dst;
! 1090: else
! 1091: paddr = (caddr_t)&req->saidx.src;
! 1092: }
! 1093:
! 1094: /* allocate ipsec sa protocol */
! 1095: newpr = newsaproto();
! 1096: if (newpr == NULL) {
! 1097: plog(LLV_ERROR, LOCATION, NULL,
! 1098: "failed to allocate saproto.\n");
! 1099: goto err;
! 1100: }
! 1101:
! 1102: newpr->proto_id = ipproto2doi(req->saidx.proto);
! 1103: if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)
! 1104: newpr->spisize = 2;
! 1105: else
! 1106: newpr->spisize = 4;
! 1107: if (lcconf->complex_bundle) {
! 1108: newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
! 1109: #ifdef ENABLE_NATT
! 1110: if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
! 1111: newpr->encmode +=
! 1112: iph2->ph1->natt_options->mode_udp_diff;
! 1113: #endif
! 1114: }
! 1115: else
! 1116: newpr->encmode = encmodesv;
! 1117:
! 1118: if (iph2->side == INITIATOR)
! 1119: newpr->reqid_out = req->saidx.reqid;
! 1120: else
! 1121: newpr->reqid_in = req->saidx.reqid;
! 1122:
! 1123: if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
! 1124: plog(LLV_ERROR, LOCATION, NULL,
! 1125: "failed to get algorithms.\n");
! 1126: racoon_free(newpr);
! 1127: goto err;
! 1128: }
! 1129:
! 1130: /* set new saproto */
! 1131: inssaprotorev(newpp, newpr);
! 1132: }
! 1133:
! 1134: /* get reqid_in from inbound policy */
! 1135: if (sp_sub) {
! 1136: struct saproto *pr;
! 1137:
! 1138: req = sp_sub->req;
! 1139: pr = newpp->head;
! 1140: while (req && pr) {
! 1141: if (iph2->side == INITIATOR)
! 1142: pr->reqid_in = req->saidx.reqid;
! 1143: else
! 1144: pr->reqid_out = req->saidx.reqid;
! 1145: pr = pr->next;
! 1146: req = req->next;
! 1147: }
! 1148: if (pr || req) {
! 1149: plog(LLV_NOTIFY, LOCATION, NULL,
! 1150: "There is a difference "
! 1151: "between the in/out bound policies in SPD.\n");
! 1152: }
! 1153: }
! 1154:
! 1155: iph2->proposal = newpp;
! 1156:
! 1157: printsaprop0(LLV_DEBUG, newpp);
! 1158:
! 1159: return 0;
! 1160: err:
! 1161: flushsaprop(newpp);
! 1162: return -1;
! 1163: }
! 1164:
! 1165: /*
! 1166: * generate a policy from peer's proposal.
! 1167: * this function unconditionally choices first proposal in SA payload
! 1168: * passed by peer.
! 1169: */
! 1170: int
! 1171: set_proposal_from_proposal(iph2)
! 1172: struct ph2handle *iph2;
! 1173: {
! 1174: struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
! 1175: struct saproto *newpr = NULL, *pr;
! 1176: struct prop_pair **pair;
! 1177: int error = -1;
! 1178: int i;
! 1179:
! 1180: /* get proposal pair */
! 1181: pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
! 1182: if (pair == NULL)
! 1183: goto end;
! 1184:
! 1185: /*
! 1186: * make my proposal according as the client proposal.
! 1187: * XXX assumed there is only one proposal even if it's the SA bundle.
! 1188: */
! 1189: for (i = 0; i < MAXPROPPAIRLEN; i++) {
! 1190: if (pair[i] == NULL)
! 1191: continue;
! 1192:
! 1193: if (pp_peer != NULL)
! 1194: flushsaprop(pp_peer);
! 1195:
! 1196: pp_peer = aproppair2saprop(pair[i]);
! 1197: if (pp_peer == NULL)
! 1198: goto end;
! 1199:
! 1200: pp0 = newsaprop();
! 1201: if (pp0 == NULL) {
! 1202: plog(LLV_ERROR, LOCATION, NULL,
! 1203: "failed to allocate saprop.\n");
! 1204: goto end;
! 1205: }
! 1206: pp0->prop_no = 1;
! 1207: pp0->lifetime = iph2->sainfo->lifetime;
! 1208: pp0->lifebyte = iph2->sainfo->lifebyte;
! 1209: pp0->pfs_group = iph2->sainfo->pfs_group;
! 1210:
! 1211: #ifdef HAVE_SECCTX
! 1212: if (*pp_peer->sctx.ctx_str) {
! 1213: pp0->sctx.ctx_doi = pp_peer->sctx.ctx_doi;
! 1214: pp0->sctx.ctx_alg = pp_peer->sctx.ctx_alg;
! 1215: pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
! 1216: memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
! 1217: pp_peer->sctx.ctx_strlen);
! 1218: }
! 1219: #endif /* HAVE_SECCTX */
! 1220:
! 1221: if (pp_peer->next != NULL) {
! 1222: plog(LLV_ERROR, LOCATION, NULL,
! 1223: "pp_peer is inconsistency, ignore it.\n");
! 1224: /*FALLTHROUGH*/
! 1225: }
! 1226:
! 1227: for (pr = pp_peer->head; pr; pr = pr->next)
! 1228: {
! 1229: newpr = newsaproto();
! 1230: if (newpr == NULL)
! 1231: {
! 1232: plog(LLV_ERROR, LOCATION, NULL,
! 1233: "failed to allocate saproto.\n");
! 1234: racoon_free(pp0);
! 1235: goto end;
! 1236: }
! 1237: newpr->proto_id = pr->proto_id;
! 1238: newpr->spisize = pr->spisize;
! 1239: newpr->encmode = pr->encmode;
! 1240: newpr->spi = 0;
! 1241: newpr->spi_p = pr->spi; /* copy peer's SPI */
! 1242: newpr->reqid_in = 0;
! 1243: newpr->reqid_out = 0;
! 1244:
! 1245: if (iph2->ph1->rmconf->gen_policy == GENERATE_POLICY_UNIQUE){
! 1246: newpr->reqid_in = g_nextreqid ;
! 1247: newpr->reqid_out = g_nextreqid ++;
! 1248: /*
! 1249: * XXX there is a (very limited)
! 1250: * risk of reusing the same reqid
! 1251: * as another SP entry for the same peer
! 1252: */
! 1253: if(g_nextreqid >= IPSEC_MANUAL_REQID_MAX)
! 1254: g_nextreqid = 1;
! 1255: }else{
! 1256: newpr->reqid_in = 0;
! 1257: newpr->reqid_out = 0;
! 1258: }
! 1259:
! 1260: if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0)
! 1261: {
! 1262: plog(LLV_ERROR, LOCATION, NULL,
! 1263: "failed to get algorithms.\n");
! 1264: racoon_free(newpr);
! 1265: racoon_free(pp0);
! 1266: goto end;
! 1267: }
! 1268: inssaproto(pp0, newpr);
! 1269: }
! 1270:
! 1271: inssaprop(&newpp, pp0);
! 1272: }
! 1273:
! 1274: plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n");
! 1275: printsaprop0(LLV_DEBUG, newpp);
! 1276:
! 1277: iph2->proposal = newpp;
! 1278:
! 1279: error = 0;
! 1280:
! 1281: end:
! 1282: if (error && newpp)
! 1283: flushsaprop(newpp);
! 1284:
! 1285: if (pp_peer)
! 1286: flushsaprop(pp_peer);
! 1287: if (pair)
! 1288: free_proppair(pair);
! 1289: return error;
! 1290: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to proposal.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon