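/* Security Policy Data Base (such as it is)
 * Copyright (C) 1998-2001  D. Hugh Redelmeier.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * RCSID $Id: spdb.c,v 1.117 2004/11/30 02:28:28 mcr Exp $
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/queue.h>

#include <openswan.h>
#include <openswan/ipsec_policy.h>

#include "constants.h"
#include "oswlog.h"

#include "defs.h"
#include "id.h"
#include "x509.h"
#include "pgp.h"
#include "certs.h"
#include "smartcard.h"
#ifdef XAUTH_USEPAM
#include <security/pam_appl.h>
#endif
#include "connections.h"	/* needs id.h */
#include "state.h"
#include "packet.h"
#include "keys.h"
#include "kernel.h"	/* needs connections.h */
#include "log.h"
#include "spdb.h"
#include "whack.h"	/* for RC_LOG_SERIOUS */

#include "sha1.h"
#include "md5.h"
#include "crypto.h"	/* requires sha1.h and md5.h */

#include "alg_info.h"
#include "kernel_alg.h"
#include "ike_alg.h"
#include "db_ops.h"

/* AD(x) expands to the two arguments (pointer, element count) that the
 * db_trans / db_prop tables below expect for an attribute array.
 */
#define AD(x) x, elemsof(x)	/* Array Description */
#define AD_NULL NULL, 0

#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
#endif

/**************** Oakley (main mode) SA database ****************/

/*
 * The XAUTH server/client stuff is a bit confusing.
 *
 * XAUTH overloads the RSA/PSK types with four more types which
 * mean RSA or PSK, but also include whether one is negotiating
 * that the initiator will be the XAUTH client, or the responder will be
 * the XAUTH client.  It seems unusual that the responder would be the one
 * to undergo XAUTH, since usually it is a roadwarrior to a gateway;
 * however, the gateway may decide it needs to do a new phase 1, for
 * instance.
 *
 * So, when reading this, say "I'm an XAUTH client and I'm initiating",
 * or "I'm an XAUTH server and I'm initiating".  Responses for the responder
 * (and validation of the response by the initiator) are determined by the
 * parse_sa_isakmp() part, which folds the XAUTH types into their native
 * types to figure out if it is acceptable to us.
 *
 * Naming convention used throughout the tables below:
 *   ot<auth><group><enc><hash>          plain IKE (no XAUTH)
 *   ot<auth><group><enc><hash>_xauthc   the Initiator will be the XAUTH client
 *   ot<auth><group><enc><hash>_xauths   the Responder will be the XAUTH client
 *
 * Every *_xauthc array carries an XAUTHInit* authentication method and
 * every *_xauths array carries an XAUTHResp* one; the OAKLEY_AUTHENTICATION_METHOD
 * attribute is the only thing that distinguishes the three variants of an
 * otherwise identical transform, so a mismatch there silently changes which
 * side is asked to authenticate.
 *
 * NOTE(review): these proposals are fixed at compile time and only offer
 * 3DES with MD5/SHA1 and MODP 1024/1536.  Whether the alg_info-driven
 * proposal path supersedes them is not visible here - confirm before
 * relying on this table as the effective policy.
 */

/* arrays of attributes for transforms, preshared key */

static struct db_attr otpsk1024des3md5[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3md5[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otpsk1024des3sha[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3sha[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

/* arrays of attributes for transforms, preshared key, Xauth version */

#ifdef XAUTH
/* xauth c: the Initiator will be the XAUTH client */
static struct db_attr otpsk1024des3md5_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3md5_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otpsk1024des3sha_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3sha_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

/* xauth s: the Responder will be the XAUTH client */
static struct db_attr otpsk1024des3md5_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3md5_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otpsk1024des3sha_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otpsk1536des3sha_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespPreShared },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};
#endif

/* arrays of attributes for transforms, RSA signatures */

static struct db_attr otrsasig1024des3md5[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3md5[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otrsasig1024des3sha[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3sha[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_RSA_SIG },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

#ifdef XAUTH
/* arrays of attributes for transforms, RSA signatures, with Xauth */

/* xauth c: the Initiator will be the XAUTH client */
static struct db_attr otrsasig1024des3md5_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3md5_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otrsasig1024des3sha_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3sha_xauthc[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHInitRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

/*
 * xauth s: the Responder will be the XAUTH client.
 * The only time we do this is when we are initiating to a client
 * that we lost contact with.  This is rare.
 */
static struct db_attr otrsasig1024des3md5_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3md5_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_MD5 },
    /* Was XAUTHInitRSA, the only *_xauths entry that did not use the
     * Resp variant.  That would have proposed the Initiator-is-client
     * role inside the Responder-is-client table for the MODP1536/MD5
     * transform, i.e. the wrong side would be asked to authenticate.
     */
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};

static struct db_attr otrsasig1024des3sha_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};

static struct db_attr otrsasig1536des3sha_xauths[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_SHA },
    { OAKLEY_AUTHENTICATION_METHOD, XAUTHRespRSA },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1536 },
};
#endif

/* We won't accept this, but by proposing it, we get to test
 * our rejection.  We better not propose it to an IKE daemon
 * that will accept it!  (Only built with TEST_INDECENT_PROPOSAL.)
 */
#ifdef TEST_INDECENT_PROPOSAL
static struct db_attr otpsk1024des3tiger[] = {
    { OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_3DES_CBC },
    { OAKLEY_HASH_ALGORITHM, OAKLEY_TIGER },
    { OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY },
    { OAKLEY_GROUP_DESCRIPTION, OAKLEY_GROUP_MODP1024 },
};
#endif /* TEST_INDECENT_PROPOSAL */

/* tables of transforms, in preference order (select based on AUTH)
 *
 * Each table lists the MODP1536 transforms before the MODP1024 ones,
 * so the stronger group is proposed first; within a group MD5 precedes SHA.
 */

static struct db_trans oakley_trans_psk[] = {
#ifdef TEST_INDECENT_PROPOSAL
    { KEY_IKE, AD(otpsk1024des3tiger) },
#endif
    { KEY_IKE, AD(otpsk1536des3md5) },
    { KEY_IKE, AD(otpsk1536des3sha) },
    { KEY_IKE, AD(otpsk1024des3sha) },
    { KEY_IKE, AD(otpsk1024des3md5) },
};

#ifdef XAUTH
static struct db_trans oakley_trans_psk_xauthc[] = {
    { KEY_IKE, AD(otpsk1536des3md5_xauthc) },
    { KEY_IKE, AD(otpsk1536des3sha_xauthc) },
    { KEY_IKE, AD(otpsk1024des3sha_xauthc) },
    { KEY_IKE, AD(otpsk1024des3md5_xauthc) },
};

static struct db_trans oakley_trans_psk_xauths[] = {
    { KEY_IKE, AD(otpsk1536des3md5_xauths) },
    { KEY_IKE, AD(otpsk1536des3sha_xauths) },
    { KEY_IKE, AD(otpsk1024des3sha_xauths) },
    { KEY_IKE, AD(otpsk1024des3md5_xauths) },
};
#endif

static struct db_trans oakley_trans_rsasig[] = {
    { KEY_IKE, AD(otrsasig1536des3md5) },
    { KEY_IKE, AD(otrsasig1536des3sha) },
    { KEY_IKE, AD(otrsasig1024des3sha) },
    { KEY_IKE, AD(otrsasig1024des3md5) },
};

#ifdef XAUTH
static struct db_trans oakley_trans_rsasig_xauthc[] = {
    { KEY_IKE, AD(otrsasig1536des3md5_xauthc) },
    { KEY_IKE, AD(otrsasig1536des3sha_xauthc) },
    { KEY_IKE, AD(otrsasig1024des3sha_xauthc) },
    { KEY_IKE, AD(otrsasig1024des3md5_xauthc) },
};

static struct db_trans oakley_trans_rsasig_xauths[] = {
    { KEY_IKE, AD(otrsasig1536des3md5_xauths) },
    { KEY_IKE, AD(otrsasig1536des3sha_xauths) },
    { KEY_IKE, AD(otrsasig1024des3sha_xauths) },
    { KEY_IKE, AD(otrsasig1024des3md5_xauths) },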