From a535a36837e31f31a64055e5756518c9de056f9c Mon Sep 17 00:00:00 2001 
From: Steffen Vogel Date: Wed, 13 Dec 2017 22:17:10 +0100 Subject: [PATCH] initial import form http://iec61850.ucaiug.org/90-5/default.aspx --- GDOI_PRIMER | 359 + INSTALL | 22 + LICENSE | 60 + Makefile.am | 75 + Makefile.in | 680 ++ aclocal.m4 | 874 ++ app_client/Makefile.am | 71 + app_client/Makefile.in | 484 ++ app_client/app_stub.c | 879 ++ config.h | 242 + config.h.in | 241 + config/README | 4 + config/config.guess | 1500 ++++ config/config.sub | 1616 ++++ config/depcomp | 584 ++ config/install-sh | 507 ++ config/missing | 367 + configure | 8422 +++++++++++++++++++ configure.in | 439 + samples/iec90-5/CVS/Entries | 5 + samples/iec90-5/CVS/Repository | 1 + samples/iec90-5/CVS/Root | 1 + samples/iec90-5/CVS/Tag | 1 + samples/iec90-5/START_CLIENT | 6 + samples/iec90-5/START_KS | 19 + samples/iec90-5/gdoi_client.conf | 73 + samples/iec90-5/gdoi_ks.conf | 94 + samples/loopback/CVS/Entries | 7 + samples/loopback/CVS/Repository | 1 + samples/loopback/CVS/Root | 1 + samples/loopback/CVS/Tag | 1 + samples/loopback/START_CLIENT | 5 + samples/loopback/START_KS | 18 + samples/loopback/gdoi_client.conf | 69 + samples/loopback/gdoi_ks.conf | 110 + samples/loopback/sample_output_client | 3332 ++++++++ samples/loopback/sample_output_ks | 3408 ++++++++ samples/three-clients/CVS/Entries | 11 + samples/three-clients/CVS/Repository | 1 + samples/three-clients/CVS/Root | 1 + samples/three-clients/CVS/Tag | 1 + samples/three-clients/START_CLIENT1 | 5 + samples/three-clients/START_CLIENT2 | 5 + samples/three-clients/START_CLIENT3 | 5 + samples/three-clients/START_KS | 5 + samples/three-clients/gdoi_client1.conf | 102 + samples/three-clients/gdoi_client2.conf | 102 + samples/three-clients/gdoi_client3.conf | 102 + samples/three-clients/gdoi_ks.conf | 194 + samples/three-clients/sample_output_client1 | 1110 +++ samples/three-clients/sample_output_ks | 3022 +++++++ src/Makefile.am | 214 + src/Makefile.in | 820 ++ src/app.c | 71 + src/app.h | 50 + src/attribute.c | 123 + src/attribute.h 
| 56 + src/cert.c | 139 + src/cert.h | 88 + src/conf.c | 1019 +++ src/conf.h | 98 + src/connection.c | 618 ++ src/connection.h | 120 + src/constants.c | 109 + src/constants.h | 55 + src/cookie.c | 132 + src/cookie.h | 54 + src/crypto.c | 307 + src/crypto.h | 148 + src/dh.c | 90 + src/dh.h | 51 + src/doi.c | 70 + src/doi.h | 110 + src/dyn.h | 57 + src/exchange.c | 1834 ++++ src/exchange.h | 215 + src/exchange_num.cst | 50 + src/field.c | 266 + src/field.h | 60 + src/gdoi.h | 177 + src/gdoi_app_client.c | 693 ++ src/gdoi_app_client.h | 80 + src/gdoi_app_iec90_5_attr.h | 77 + src/gdoi_app_num.cst | 76 + src/gdoi_doi.c | 1213 +++ src/gdoi_fld.fld | 135 + src/gdoi_iec90_5.c | 609 ++ src/gdoi_iec90_5.h | 154 + src/gdoi_iec90_5_protos.h | 76 + src/gdoi_num.cst | 162 + src/gdoi_phase2.c | 5185 ++++++++++++ src/gdoi_phase2.h | 178 + src/gdoi_rekey.c | 2162 +++++ src/gdoi_srtp.c | 761 ++ src/gdoi_srtp.h | 154 + src/gdoi_srtp_attr.h | 87 + src/gdoi_srtp_protos.h | 76 + src/gdoid.8 | 250 + src/gdoid.conf.5 | 792 ++ src/genconstants.sh | 121 + src/genfields.sh | 253 + src/gmp_util.c | 115 + src/gmp_util.h | 50 + src/hash.c | 149 + src/hash.h | 80 + src/iec90_5_fld.fld | 95 + src/iec90_5_num.cst | 90 + src/if.c | 143 + src/if.h | 51 + src/ike_aggressive.c | 171 + src/ike_aggressive.h | 48 + src/ike_auth.c | 916 ++ src/ike_auth.h | 56 + src/ike_main_mode.c | 133 + src/ike_main_mode.h | 48 + src/ike_phase_1.c | 1344 +++ src/ike_phase_1.h | 61 + src/init.c | 171 + src/init.h | 45 + src/ipsec.c | 2189 +++++ src/ipsec.h | 280 + src/ipsec_doi.h | 52 + src/ipsec_fld.fld | 68 + src/ipsec_num.cst | 342 + src/isakmp.h | 67 + src/isakmp_doi.c | 273 + src/isakmp_doi.h | 45 + src/isakmp_fld.fld | 152 + src/isakmp_num.cst | 170 + src/isakmpd.c | 562 ++ src/key_api.c | 289 + src/libcrypto.c | 287 + src/libcrypto.h | 63 + src/log.c | 619 ++ src/log.h | 99 + src/math_2n.c | 1152 +++ src/math_2n.h | 140 + src/math_ec2n.c | 402 + src/math_ec2n.h | 102 + src/math_group.c | 650 ++ src/math_group.h | 
101 + src/math_mp.h | 64 + src/message.c | 2222 +++++ src/message.h | 259 + src/pcap.h | 126 + src/pf_encap.h | 75 + src/pf_key_v2.c | 3318 ++++++++ src/pf_key_v2.h | 63 + src/prf.c | 182 + src/prf.h | 67 + src/sa.c | 867 ++ src/sa.h | 212 + src/srtp_num.cst | 73 + src/sysdep.h | 102 + src/sysdep/linux/pfkeyv2.h | 398 + src/sysdep/openbsd/pf_key_ext.h | 72 + src/timer.c | 151 + src/timer.h | 63 + src/transport.c | 348 + src/transport.h | 139 + src/udp.c | 649 ++ src/udp.h | 58 + src/ui.c | 394 + src/ui.h | 52 + src/util.c | 297 + src/util.h | 66 + src/x509.c | 889 ++ src/x509.h | 90 + 168 files changed, 72905 insertions(+) create mode 100644 GDOI_PRIMER create mode 100644 INSTALL create mode 100644 LICENSE create mode 100644 Makefile.am create mode 100644 Makefile.in create mode 100644 aclocal.m4 create mode 100644 app_client/Makefile.am create mode 100644 app_client/Makefile.in create mode 100644 app_client/app_stub.c create mode 100644 config.h create mode 100644 config.h.in create mode 100644 config/README create mode 100755 config/config.guess create mode 100755 config/config.sub create mode 100755 config/depcomp create mode 100755 config/install-sh create mode 100755 config/missing create mode 100755 configure create mode 100644 configure.in create mode 100644 samples/iec90-5/CVS/Entries create mode 100644 samples/iec90-5/CVS/Repository create mode 100644 samples/iec90-5/CVS/Root create mode 100644 samples/iec90-5/CVS/Tag create mode 100755 samples/iec90-5/START_CLIENT create mode 100755 samples/iec90-5/START_KS create mode 100644 samples/iec90-5/gdoi_client.conf create mode 100644 samples/iec90-5/gdoi_ks.conf create mode 100644 samples/loopback/CVS/Entries create mode 100644 samples/loopback/CVS/Repository create mode 100644 samples/loopback/CVS/Root create mode 100644 samples/loopback/CVS/Tag create mode 100755 samples/loopback/START_CLIENT create mode 100755 samples/loopback/START_KS create mode 100644 samples/loopback/gdoi_client.conf create mode 100644 
samples/loopback/gdoi_ks.conf create mode 100644 samples/loopback/sample_output_client create mode 100644 samples/loopback/sample_output_ks create mode 100644 samples/three-clients/CVS/Entries create mode 100644 samples/three-clients/CVS/Repository create mode 100644 samples/three-clients/CVS/Root create mode 100644 samples/three-clients/CVS/Tag create mode 100755 samples/three-clients/START_CLIENT1 create mode 100755 samples/three-clients/START_CLIENT2 create mode 100755 samples/three-clients/START_CLIENT3 create mode 100755 samples/three-clients/START_KS create mode 100644 samples/three-clients/gdoi_client1.conf create mode 100644 samples/three-clients/gdoi_client2.conf create mode 100644 samples/three-clients/gdoi_client3.conf create mode 100644 samples/three-clients/gdoi_ks.conf create mode 100644 samples/three-clients/sample_output_client1 create mode 100644 samples/three-clients/sample_output_ks create mode 100644 src/Makefile.am create mode 100644 src/Makefile.in create mode 100644 src/app.c create mode 100644 src/app.h create mode 100644 src/attribute.c create mode 100644 src/attribute.h create mode 100644 src/cert.c create mode 100644 src/cert.h create mode 100644 src/conf.c create mode 100644 src/conf.h create mode 100644 src/connection.c create mode 100644 src/connection.h create mode 100644 src/constants.c create mode 100644 src/constants.h create mode 100644 src/cookie.c create mode 100644 src/cookie.h create mode 100644 src/crypto.c create mode 100644 src/crypto.h create mode 100644 src/dh.c create mode 100644 src/dh.h create mode 100644 src/doi.c create mode 100644 src/doi.h create mode 100644 src/dyn.h create mode 100644 src/exchange.c create mode 100644 src/exchange.h create mode 100644 src/exchange_num.cst create mode 100644 src/field.c create mode 100644 src/field.h create mode 100644 src/gdoi.h create mode 100644 src/gdoi_app_client.c create mode 100644 src/gdoi_app_client.h create mode 100644 src/gdoi_app_iec90_5_attr.h create mode 100644 
src/gdoi_app_num.cst create mode 100644 src/gdoi_doi.c create mode 100644 src/gdoi_fld.fld create mode 100644 src/gdoi_iec90_5.c create mode 100644 src/gdoi_iec90_5.h create mode 100644 src/gdoi_iec90_5_protos.h create mode 100644 src/gdoi_num.cst create mode 100644 src/gdoi_phase2.c create mode 100644 src/gdoi_phase2.h create mode 100644 src/gdoi_rekey.c create mode 100644 src/gdoi_srtp.c create mode 100644 src/gdoi_srtp.h create mode 100644 src/gdoi_srtp_attr.h create mode 100644 src/gdoi_srtp_protos.h create mode 100644 src/gdoid.8 create mode 100644 src/gdoid.conf.5 create mode 100644 src/genconstants.sh create mode 100644 src/genfields.sh create mode 100644 src/gmp_util.c create mode 100644 src/gmp_util.h create mode 100644 src/hash.c create mode 100644 src/hash.h create mode 100644 src/iec90_5_fld.fld create mode 100644 src/iec90_5_num.cst create mode 100644 src/if.c create mode 100644 src/if.h create mode 100644 src/ike_aggressive.c create mode 100644 src/ike_aggressive.h create mode 100644 src/ike_auth.c create mode 100644 src/ike_auth.h create mode 100644 src/ike_main_mode.c create mode 100644 src/ike_main_mode.h create mode 100644 src/ike_phase_1.c create mode 100644 src/ike_phase_1.h create mode 100644 src/init.c create mode 100644 src/init.h create mode 100644 src/ipsec.c create mode 100644 src/ipsec.h create mode 100644 src/ipsec_doi.h create mode 100644 src/ipsec_fld.fld create mode 100644 src/ipsec_num.cst create mode 100644 src/isakmp.h create mode 100644 src/isakmp_doi.c create mode 100644 src/isakmp_doi.h create mode 100644 src/isakmp_fld.fld create mode 100644 src/isakmp_num.cst create mode 100644 src/isakmpd.c create mode 100644 src/key_api.c create mode 100644 src/libcrypto.c create mode 100644 src/libcrypto.h create mode 100644 src/log.c create mode 100644 src/log.h create mode 100644 src/math_2n.c create mode 100644 src/math_2n.h create mode 100644 src/math_ec2n.c create mode 100644 src/math_ec2n.h create mode 100644 src/math_group.c create 
mode 100644 src/math_group.h create mode 100644 src/math_mp.h create mode 100644 src/message.c create mode 100644 src/message.h create mode 100644 src/pcap.h create mode 100644 src/pf_encap.h create mode 100644 src/pf_key_v2.c create mode 100644 src/pf_key_v2.h create mode 100644 src/prf.c create mode 100644 src/prf.h create mode 100644 src/sa.c create mode 100644 src/sa.h create mode 100644 src/srtp_num.cst create mode 100644 src/sysdep.h create mode 100644 src/sysdep/linux/pfkeyv2.h create mode 100644 src/sysdep/openbsd/pf_key_ext.h create mode 100644 src/timer.c create mode 100644 src/timer.h create mode 100644 src/transport.c create mode 100644 src/transport.h create mode 100644 src/udp.c create mode 100644 src/udp.h create mode 100644 src/ui.c create mode 100644 src/ui.h create mode 100644 src/util.c create mode 100644 src/util.h create mode 100644 src/x509.c create mode 100644 src/x509.h
diff --git a/GDOI_PRIMER b/GDOI_PRIMER
new file mode 100644
index 0000000..6157b12
--- /dev/null
+++ b/GDOI_PRIMER
@@ -0,0 +1,359 @@
+$Id: GDOI_PRIMER,v 1.12.2.2 2011/12/12 23:24:16 bew Exp $
+$Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/GDOI_PRIMER,v $
+
+ GDOI Reference Implementation Primer
+ ------------------------------------
+
+A. Introduction
+
+The purpose of this reference implementation is to provide a base vehicle for
+testing the GDOI group key management protocol. GDOI was first specified in RFC 3547, and
+re-published with corrections and updates in RFC 6407. This primer shows
+the very basics of configuring GDOI on a pair of systems with known-working
+configurations.
+
+GDOI is a key management system for groups. It is primarily designed for use
+with secure broadcast applications, but many other types of applications can
+take advantage of GDOI as well for their keying.
+
+B. System Requirements
+
+You will need two systems, either Linux (based on a 2.6 kernel ONLY) or
+BSD systems. This code was developed on Linux and OS/X. The following
+releases have been tested and are safe to use:
+
+Linux: Fedora 14
+OS X: 10.6.8
+
+You will need to have version of OpenSSL that has support for SHA256. This is
+currently release openssl-0.9.8a or later. Some hints if you install this
+version in a non-standard location (e.g., the default is /usr/local/ssl):
+
+* If you have shared library version of libcrypto installed in /usr/lib then
+ you may need to generate a shared library version in the non-standard
+ location.
+* If you are using a shared library be sure that the shared library is
+ included in your LD_LIBRARY_PATH environment variable.
+
+For help with gdoid configuration,see gdoid.conf.5. Note that the page must be
+formated with "nroff -mandoc" macros.
+
+For Ubuntu, you may need to install the libssl-dev package. E.g.,
+ "sudo apt-get install libssl-dev"
+
+C. System Roles
+
+It is most efficient for many group applications to have a rendezvous point
+where group members can get keys. With that in mind, GDOI was developed to
+have two distinct roles in the protocol: the role of a key server, and the
+role of a group member.
+
+C.1 Key Server
+
+A GDOI key server has the responsibility of keeping keys for the group, and
+releasing them on demand to authenticated and authorized group members.
+GDOI authenticates group members using the definition of an IKE Phase 1
+exchange (see RFC 2409). The GDOI registration exchange follows the IKE Phase 1
+exchange. It contains liveliness checks, confidentiality, and authorization
+checks.
+
+This GDOI reference implementation does not provide any level of authorization
+check. As long as the group member passes the IKE Phase 1 authentication he is
+granted access to whatever groups are available on the key server.
+
+The key server does support the GDOI "push" (or rekey) message by which a
+key server can update the keys and policy for the entire group. An IP multicast
+message is used for this purpose.
+
+C.2 Group Member
+
+A group member is a host in which some cryptosystem which needs
+keys. This version supports IPsec, and also an incomplete version of
+IEC 61850-90-5.
+
+C.2.1 IPSec
+
+Applications are not aware of IPSec protecting applications; it's
+all done transparently in the kernel. In this reference implementation
+the GDOI group member code is pre-configured with which groups to
+join, and it contacts the key server at startup time. This ensures
+that the SAs will be loaded into the kernel when the application
+is started.
+
+To test IPsec, you can use a Linux system (with a 2.6 kernel) without
+modification. I have demonstrated that the kernel will accept SAs for
+multicast destinations and match incoming and outgoing packets against them.
+
+Ciphers 3DES and AES have been validated to work with OpenBSD.
+
+C.2.2 IEC 61850-90-5
+
+This package comes with a framework for supporting IEC 61850-90-5, a standard for
+distrubuting PMU traffic as IP multicast packets. IT does NOT contain the actual
+protocol support needed to protect that standard.
+
+D. Initial Setup
+
+Choose which system will be your key server, and which system will be your
+group member and note their IP addresses.
+
+D.1 Key Server Setup
+
+It would be best of find sample configurations in the samples document
+and use one of them. To test between two or three systems use the samples in
+the "three-clients" sample directory. A quick test can be made using the samples
+in the "loopback" diectory. (Be sure to uncomment the appropriate line to create
+additional loopback interfaces in loopback/START_KS.)
+
+To setup the key server, copy the "gdoi_ks.conf" file and change the IP
+addresses in the following lines:
+
+ Listen-on=
+
+ = GDOI-group-member-1
+
+ [GDOI-group-member-1]
+ Local-address=
+ Address=
+
+(You can ignore the configuration lines for GDOI-group-member-2 and
+GDOI-group-member-3 until you're ready to test with those systems.)
+
+That's it! The rest of the policy defines the IKE Phase 1 policy, and one
+group which contains two IPSec SAs. You can leave those as is.
+
+D.2 Group Member Setup
+
+Edit gdoi_client1.conf and change the IP addresses in these configuration
+statements:
+
+ Listen-on=
+
+ = GDOI-key-server
+
+ [GDOI-key-server]
+ Local-address=
+ Address=
+
+E. Using the sample configuration
+
+Start the test by completing the following steps:
+
+E.1. On the key server, become "root". Be sure the gdoi_gcks.conf file is
+owned by root and has a mode of 600. Then start isakmpd as follows:
+
+ # ./START_KS
+
+This prepares the key server to accept requests from GDOI group members.
+You will see some debug messages.
+
+E.2. On the group member, become "root". Be sure the gdoi_client1.conf file
+is owned by root and has a mode of 600. Then start isakmpd as follows:
+
+ # ./START_CLIENT1
+
+This causes the group member to initiate a GDOI exchange to the key server.
+You will see some debug messages.
+
+If you wish to load SAs into the kernel, remove the "-n" flag from the call
+to isakmpd in START_CLIENT1.
+
+E.3. The exchange is successful if you see the following string near the end
+of the debugging statements on both systems: DONE WITH PHASE 2!!!
+
+You can compare your output to two sample output scripts in the "three-clients"
+directory.
+
+E.4. If you are on OpenBSD systems, you can check if the SAs were loaded into
+the kernel with this command:
+
+ # cat /kern/ipsec
+
+and you can manually delete the SAs with this command:
+
+ # ipsecadm flush
+
+On other systems, use the setkey command to view SAs:
+
+ # setkey -D; setkey -D -P
+
+And you can manually delete the SAs with the -F option:
+
+ # setkey -F; setkey -F -P
+
+E.5. More debugging
+
+The sample scripts may not show all of the debugging statements possible. More
+debugging can be shown by increasing the number on the -DA= flag. The
+maximum amount of debugging can be gotten with -DA=99.
+
+F. IKE Phase 1 Configuration Statements.
+
+The following examples are taken from the accompanying sample configurations.
+
+F.1. In IKE Phase 1, define the DOI to be "GROUP". This must be done on both
+the key server and the group member.
+
+EXAMPLE
+-------
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+F.2. For the GDOI exchange, define a Group-ID which is an IKE Phase 2 identity
+type. Only KEY_ID is supported at the moment.
+
+For more information on the IKE Phase 1 configuration see isakmpd.conf.5.
+
+G. GDOI Configuration Statements.
+
+To run the GDOI functionality, the following configuration is needed in the
+configuration files. These examples are taken from the accompanying sample
+configurations.
+
+For more information, see the gdoid.conf(5) manual page included in this
+distribution. Other example configurations can be found in the samples
+directory.
+
+G.1 Key Server
+
+The key server stores the crypto policy and keys for a group. In this
+reference implementation all keys and policy are static. Dynamic changing of
+keys is not available.
+
+The key server must define a security policy for the group. EXAMPLE 1 shows the
+base policy definition to define group "1234". It defines the peer
+(GDOI-group-member) and exact group policy (Default-group-mode) by
+reference.
+
+EXAMPLE 1
+---------
+[IPsec-group-policy]
+Phase= 2
+ISAKMP-peer= GDOI-group-member
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+The actual policy for Default-group-mode is shown in EXAMPLE 2. It defines the
+Exchange to be a PULL_MODE (which is exchange number 32, see RFC 3547).
+It also lists two Traffic Encryption Key policy groups to be part of this
+group. (If this were keying a real application, perhaps one TEK would be
+the audio stream and one the video stream).
+
+EXAMPLE 2
+---------
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+SA-TEKS= GROUP1-TEK1, GROUP1-TEK2
+
+Finally, policy must be specified for each TEK. EXAMPLE 3 shows the policy for
+GROUP1-TEK1. This defines a subset of the ESP policy information required.
+
+EXAMPLE 3
+---------
+[GROUP1-TEK1]
+Crypto-protocol= PROTO_IPSEC_ESP
+Src-ID= Group-tek1-src
+Dst-ID= Group-tek1-dst
+TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
+
+[Group-tek1-src]
+ID-type= IPV4_ADDR
+Address= 172.19.193.37
+Port= 1024
+
+[Group-tek1-dst]
+ID-type= IPV4_ADDR
+Address= 239.192.1.1
+Port= 1024
+
+G.2 Group Member
+
+On the group member side, the following configuration needs to be setup:
+
+First, a policy must be defined based on the group name as shown in EXAMPLE 4.
+This special naming allows the GDOI group member to find the appropriate IKE
+Phase 1 policy when the crypto system gives it a group number.
+
+EXAMPLE 4
+---------
+[Group-1234]
+Phase= 2
+ISAKMP-peer= ISAKMP-peer-gcks
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+The policy for Default-group-mode is shown in EXAMPLE 5.
+
+EXAMPLE 5
+---------
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+Suites= GM-ESP
+
+H. Hints
+
+Here are some things to keep in mind using this package.
+
+1. The configuration (*.conf) files that you use MUST be owned by root and
+ have a mode of 600. If not, isakmpd will quickly abort. The configuration
+ files included in the samples directory may not be set correctly -- that
+ depends on how you extracted the files,
+
+2. If the IKE Phase 1 connections don't seem to be working, restart both
+ isakmpd daemons and try again. That usually eliminates any confusion
+ between them.
+
+3. A report of the current running gdoid state can be gotten by sending a
+SIGUSR1 signal to gdoid. E.g.,
+ kill -SIGUSR1
+
+I. Generating and using RSA Public Keys with OpenSSL
+
+To create an RSA keypair to use with the rekey messages, follow the following
+steps.
+
+1. Generate a keypair of at least 1024 bits.
+
+ openssl genrsa 1024 > rsakeys.pem
+
+2. The keys are generated in PEM format, and GDOI would like them to be in
+ DER format, so they must be converted
+
+ openssl rsa -in rsakeys.pem -outform DER -out rsakeys.der
+
+ NOTE: The keys are not in a displayable format.
+
+J. Acknowledgments
+
+Thanks to the following individuals for contributing to gdoid:
+
+Sebastien.Josset at space dot alcatel dot fr contributed code which enabled
+gdoid to support AES as an IPsec transform, as well as the new OpenBSD PF_KEY
+extensions.
+
+nico_kth at hotmail dot com provided modifications to the pf_key code, which
+enabled pushing of SAD and SPD table entries into a Linux 2.6 kernel. This
+gave gdoid the ablity of supportng IPsec on Linux, whereas previously Linux
+could only be used as a key server.
+
+reet79 at ggs.ch provided code that caused gdoid to clean up the SAs and SPD
+entries it installed before exiting. He also provided code that allows
+X.509 certificates to reside on an XFS file system.
+
+K. Known Bugs
+
+1. Configuring IPsec tunnel mode SAs actually end up as transport mode SAs.
+
+2. ECDSA has not been tested. Enabling #define USE_EC is sure to fail!
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..1f053f1
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,22 @@
+$Id: INSTALL,v 1.7.4.1 2011/12/05 20:26:53 bew Exp $
+$Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/INSTALL,v $
+
+ Compiling GDOI source
+ ---------------------
+ 10/17/11
+
+This package now uses a configure script for installation. Use the following
+steps to make gdoid:
+
+./configure
+make
+make install
+
+The following packages are required:
+
+Configure looks for OpenSSL in the typical places on the system, but if it
+isn't found you will need to specify its location explicitely using:
+
+ --with-ssl-dir=PATH
+
+If you need to install OpenSSL, find it at http://www.openssl.org.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..460e712
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,60 @@
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..c09ec66
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,75 @@
+# $Id: Makefile.am,v 1.3.4.2 2011/12/05 20:26:53 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/Makefile.am,v $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+# This product includes software developed by Ericsson Radio Systems.
+#
+
+noinst_HEADERS = config.h
+
+EXTRA_DIST = GDOI_PRIMER INSTALL LICENSE samples \
+ src/sysdep/openbsd/pf_key_ext.h \
+ src/sysdep/linux/pfkeyv2.h
+
+SUBDIRS = src app_client
+
+#
+# Remove CVS files from the samples directory
+#
+dist-hook:
+ (cd ${distdir}/samples; rm -rf `find -name CVS`)
diff --git a/Makefile.in b/Makefile.in
new file mode 100644
index 0000000..f364c0a
--- /dev/null
+++ b/Makefile.in
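Review bot: The `dist-hook` recipe at the end of Makefile.am joins `cd ${distdir}/samples` and the `rm -rf` with `;`, so when the `cd` fails the recursive delete still runs against whatever `find` matches under the current directory. The `find -name CVS` call also has no start path, which only GNU find accepts, and its unquoted command substitution splits on whitespace in path names. I would write the recipe as `cd "$(distdir)/samples" && find . -name CVS -type d -prune -exec rm -rf {} +`. The diffstat of this commit lists `samples/*/CVS/` metadata files among the imported paths, so the hook cleans release tarballs only; those files may be worth dropping from the repository as well.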
@@ -0,0 +1,680 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# $Id: Makefile.am,v 1.3.4.2 2011/12/05 20:26:53 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/Makefile.am,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. 
The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. 
For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = . +DIST_COMMON = $(am__configure_deps) $(noinst_HEADERS) \ + $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + $(srcdir)/config.h.in $(top_srcdir)/configure INSTALL \ + config/README config/config.guess config/config.sub \ + config/depcomp config/install-sh config/missing +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ + configure.lineno config.status.lineno +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = config.h +CONFIG_CLEAN_FILES = +SOURCES = +DIST_SOURCES = +RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ + html-recursive info-recursive install-data-recursive \ + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive +HEADERS = $(noinst_HEADERS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) 
$(TEXINFOS) $(EXTRA_DIST) +distdir = $(PACKAGE)-$(VERSION) +top_distdir = $(distdir) +am__remove_distdir = \ + { test ! -d $(distdir) \ + || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \ + && rm -fr $(distdir); }; } +DIST_ARCHIVES = $(distdir).tar.gz +GZIP_ENV = --best +distuninstallcheck_listfiles = find . -type f -print +distcleancheck_listfiles = find . -type f -print +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ 
+host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +noinst_HEADERS = config.h +EXTRA_DIST = GDOI_PRIMER INSTALL LICENSE samples \ + src/sysdep/openbsd/pf_key_ext.h \ + src/sysdep/linux/pfkeyv2.h + +SUBDIRS = src app_client +all: config.h + $(MAKE) $(AM_MAKEFLAGS) all-recursive + +.SUFFIXES: +am--refresh: + @: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + echo ' cd $(srcdir) && $(AUTOMAKE) --foreign '; \ + cd $(srcdir) && $(AUTOMAKE) --foreign \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --foreign Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + echo ' $(SHELL) ./config.status'; \ + $(SHELL) ./config.status;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + $(SHELL) ./config.status --recheck + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(srcdir) && $(AUTOCONF) +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) + +config.h: stamp-h1 + @if test ! -f $@; then \ + rm -f stamp-h1; \ + $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \ + else :; fi + +stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status + @rm -f stamp-h1 + cd $(top_builddir) && $(SHELL) ./config.status config.h +$(srcdir)/config.h.in: $(am__configure_deps) + cd $(top_srcdir) && $(AUTOHEADER) + rm -f stamp-h1 + touch $@ + +distclean-hdr: + -rm -f config.h stamp-h1 + +# This directory's subdirectories are mostly independent; you can cd +# into them and run `make' without going through this Makefile. +# To change the values of `make' variables: instead of editing Makefiles, +# (1) if the variable is set in `config.status', edit `config.status' +# (which will cause the Makefiles to be regenerated when you run `make'); +# (2) otherwise, pass the desired values on the `make' command line. 
+$(RECURSIVE_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +$(RECURSIVE_CLEAN_TARGETS): + @failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + rev=''; for subdir in $$list; do \ + if test "$$subdir" = "."; then :; else \ + rev="$$subdir $$rev"; \ + fi; \ + done; \ + rev="$$rev ."; \ + target=`echo $@ | sed s/-recursive//`; \ + for subdir in $$rev; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done && test -z "$$fail" +tags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + done +ctags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . 
|| (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: tags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID 
GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + $(am__remove_distdir) + test -d $(distdir) || mkdir $(distdir) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + distdir=`$(am__cd) $(distdir) && pwd`; \ + top_distdir=`$(am__cd) $(top_distdir) && pwd`; \ + (cd $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$top_distdir" \ + distdir="$$distdir/$$subdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + distdir) \ + || exit 1; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-hook + -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \ + ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ + ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ + ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ + || chmod -R a+r $(distdir) +dist-gzip: distdir + tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz + $(am__remove_distdir) + +dist-bzip2: distdir + tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 + $(am__remove_distdir) + +dist-tarZ: distdir + tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z + $(am__remove_distdir) + +dist-shar: distdir + shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz + $(am__remove_distdir) + +dist-zip: distdir + -rm -f $(distdir).zip + zip -rq $(distdir).zip $(distdir) + $(am__remove_distdir) + +dist dist-all: distdir + tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz + $(am__remove_distdir) + +# This target untars the dist file and tries a VPATH configuration. Then +# it guarantees that the distribution is self-contained by making another +# tarfile. +distcheck: dist + case '$(DIST_ARCHIVES)' in \ + *.tar.gz*) \ + GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\ + *.tar.bz2*) \ + bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\ + *.tar.Z*) \ + uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ + *.shar.gz*) \ + GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\ + *.zip*) \ + unzip $(distdir).zip ;;\ + esac + chmod -R a-w $(distdir); chmod a+w $(distdir) + mkdir $(distdir)/_build + mkdir $(distdir)/_inst + chmod a-w $(distdir) + dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ + && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ + && cd $(distdir)/_build \ + && ../configure --srcdir=.. 
--prefix="$$dc_install_base" \ + $(DISTCHECK_CONFIGURE_FLAGS) \ + && $(MAKE) $(AM_MAKEFLAGS) \ + && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) check \ + && $(MAKE) $(AM_MAKEFLAGS) install \ + && $(MAKE) $(AM_MAKEFLAGS) installcheck \ + && $(MAKE) $(AM_MAKEFLAGS) uninstall \ + && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ + distuninstallcheck \ + && chmod -R a-w "$$dc_install_base" \ + && ({ \ + (cd ../.. && umask 077 && mkdir "$$dc_destdir") \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ + distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ + } || { rm -rf "$$dc_destdir"; exit 1; }) \ + && rm -rf "$$dc_destdir" \ + && $(MAKE) $(AM_MAKEFLAGS) dist \ + && rm -rf $(DIST_ARCHIVES) \ + && $(MAKE) $(AM_MAKEFLAGS) distcleancheck + $(am__remove_distdir) + @(echo "$(distdir) archives ready for distribution: "; \ + list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ + sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' +distuninstallcheck: + @cd $(distuninstallcheck_dir) \ + && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ + || { echo "ERROR: files left after uninstall:" ; \ + if test -n "$(DESTDIR)"; then \ + echo " (check DESTDIR support)"; \ + fi ; \ + $(distuninstallcheck_listfiles) ; \ + exit 1; } >&2 +distcleancheck: distclean + @if test '$(srcdir)' = . 
; then \ + echo "ERROR: distcleancheck can only run from a VPATH build" ; \ + exit 1 ; \ + fi + @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ + || { echo "ERROR: files left in build directory after distclean:" ; \ + $(distcleancheck_listfiles) ; \ + exit 1; } >&2 +check-am: all-am +check: check-recursive +all-am: Makefile $(HEADERS) config.h +installdirs: installdirs-recursive +installdirs-am: +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-recursive + +clean-am: clean-generic mostlyclean-am + +distclean: distclean-recursive + -rm -f $(am__CONFIG_DISTCLEAN_FILES) + -rm -f Makefile +distclean-am: clean-am distclean-generic distclean-hdr distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +info: info-recursive + +info-am: + +install-data-am: + +install-dvi: install-dvi-recursive + +install-exec-am: + +install-html: install-html-recursive + +install-info: install-info-recursive + +install-man: + +install-pdf: install-pdf-recursive + +install-ps: install-ps-recursive + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -f $(am__CONFIG_DISTCLEAN_FILES) + -rm -rf $(top_srcdir)/autom4te.cache + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-generic + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: + +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) install-am \ + install-strip + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am am--refresh check check-am clean clean-generic \ + ctags ctags-recursive dist dist-all dist-bzip2 dist-gzip \ + dist-hook dist-shar dist-tarZ dist-zip distcheck distclean \ + distclean-generic distclean-hdr distclean-tags distcleancheck \ + distdir distuninstallcheck dvi dvi-am html html-am info \ + info-am install install-am install-data install-data-am \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic pdf \ + pdf-am ps ps-am tags tags-recursive uninstall uninstall-am + + +# +# Remove CVS files from the samples directory +# +dist-hook: + (cd ${distdir}/samples; rm -rf 
`find -name CVS`) +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/aclocal.m4 b/aclocal.m4 new file mode 100644 index 0000000..c4e07fa --- /dev/null +++ b/aclocal.m4 
@@ -0,0 +1,874 @@ +# generated automatically by aclocal 1.10 -*- Autoconf -*- + +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, +# 2005, 2006 Free Software Foundation, Inc. +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +m4_if(m4_PACKAGE_VERSION, [2.62],, +[m4_fatal([this file was generated for autoconf 2.62. +You have another version of autoconf. If you want to use that, +you should regenerate the build system entirely.], [63])]) + +# Copyright (C) 2002, 2003, 2005, 2006 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_AUTOMAKE_VERSION(VERSION) +# ---------------------------- +# Automake X.Y traces this macro to ensure aclocal.m4 has been +# generated from the m4 files accompanying Automake X.Y. +# (This private macro should not be called outside this file.) +AC_DEFUN([AM_AUTOMAKE_VERSION], +[am__api_version='1.10' +dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to +dnl require some minimum version. Point them to the right macro. +m4_if([$1], [1.10], [], + [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl +]) + +# _AM_AUTOCONF_VERSION(VERSION) +# ----------------------------- +# aclocal traces this macro to find the Autoconf version. +# This is a private macro too. Using m4_define simplifies +# the logic in aclocal, which can simply ignore this definition. 
+m4_define([_AM_AUTOCONF_VERSION], []) + +# AM_SET_CURRENT_AUTOMAKE_VERSION +# ------------------------------- +# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. +# This function is AC_REQUIREd by AC_INIT_AUTOMAKE. +AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], +[AM_AUTOMAKE_VERSION([1.10])dnl +_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)]) + +# AM_AUX_DIR_EXPAND -*- Autoconf -*- + +# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets +# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to +# `$srcdir', `$srcdir/..', or `$srcdir/../..'. +# +# Of course, Automake must honor this variable whenever it calls a +# tool from the auxiliary directory. The problem is that $srcdir (and +# therefore $ac_aux_dir as well) can be either absolute or relative, +# depending on how configure is run. This is pretty annoying, since +# it makes $ac_aux_dir quite unusable in subdirectories: in the top +# source directory, any form will work fine, but in subdirectories a +# relative path needs to be adjusted first. +# +# $ac_aux_dir/missing +# fails when called from a subdirectory if $ac_aux_dir is relative +# $top_srcdir/$ac_aux_dir/missing +# fails if $ac_aux_dir is absolute, +# fails when called from a subdirectory in a VPATH build with +# a relative $ac_aux_dir +# +# The reason of the latter failure is that $top_srcdir and $ac_aux_dir +# are both prefixed by $srcdir. In an in-source build this is usually +# harmless because $srcdir is `.', but things will broke when you +# start a VPATH build or use an absolute $srcdir. +# +# So we could use something similar to $top_srcdir/$ac_aux_dir/missing, +# iff we strip the leading $srcdir from $ac_aux_dir. 
That would be: +# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"` +# and then we would define $MISSING as +# MISSING="\${SHELL} $am_aux_dir/missing" +# This will work as long as MISSING is not called from configure, because +# unfortunately $(top_srcdir) has no meaning in configure. +# However there are other variables, like CC, which are often used in +# configure, and could therefore not use this "fixed" $ac_aux_dir. +# +# Another solution, used here, is to always expand $ac_aux_dir to an +# absolute PATH. The drawback is that using absolute paths prevent a +# configured tree to be moved without reconfiguration. + +AC_DEFUN([AM_AUX_DIR_EXPAND], +[dnl Rely on autoconf to set up CDPATH properly. +AC_PREREQ([2.50])dnl +# expand $ac_aux_dir to an absolute path +am_aux_dir=`cd $ac_aux_dir && pwd` +]) + +# AM_CONDITIONAL -*- Autoconf -*- + +# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006 +# Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 8 + +# AM_CONDITIONAL(NAME, SHELL-CONDITION) +# ------------------------------------- +# Define a conditional. +AC_DEFUN([AM_CONDITIONAL], +[AC_PREREQ(2.52)dnl + ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], + [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl +AC_SUBST([$1_TRUE])dnl +AC_SUBST([$1_FALSE])dnl +_AM_SUBST_NOTMAKE([$1_TRUE])dnl +_AM_SUBST_NOTMAKE([$1_FALSE])dnl +if $2; then + $1_TRUE= + $1_FALSE='#' +else + $1_TRUE='#' + $1_FALSE= +fi +AC_CONFIG_COMMANDS_PRE( +[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then + AC_MSG_ERROR([[conditional "$1" was never defined. +Usually this means the macro was only invoked conditionally.]]) +fi])]) + +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 +# Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 9 + +# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be +# written in clear, in which case automake, when reading aclocal.m4, +# will think it sees a *use*, and therefore will trigger all it's +# C support machinery. Also note that it means that autoscan, seeing +# CC etc. in the Makefile, will ask for an AC_PROG_CC use... + + +# _AM_DEPENDENCIES(NAME) +# ---------------------- +# See how the compiler implements dependency checking. +# NAME is "CC", "CXX", "GCJ", or "OBJC". +# We try a few techniques and use that to set a single cache variable. +# +# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was +# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular +# dependency, and given that the user is not expected to run this macro, +# just rely on AC_PROG_CC. +AC_DEFUN([_AM_DEPENDENCIES], +[AC_REQUIRE([AM_SET_DEPDIR])dnl +AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl +AC_REQUIRE([AM_MAKE_INCLUDE])dnl +AC_REQUIRE([AM_DEP_TRACK])dnl + +ifelse([$1], CC, [depcc="$CC" am_compiler_list=], + [$1], CXX, [depcc="$CXX" am_compiler_list=], + [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'], + [$1], UPC, [depcc="$UPC" am_compiler_list=], + [$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'], + [depcc="$$1" am_compiler_list=]) + +AC_CACHE_CHECK([dependency style of $depcc], + [am_cv_$1_dependencies_compiler_type], +[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then + # We make a subdir and do the tests there. Otherwise we can end up + # making bogus files that we don't know about and never remove. For + # instance it was reported that on HP-UX the gcc test will end up + # making a dummy file named `D' -- because `-MD' means `put the output + # in D'. 
+ mkdir conftest.dir + # Copy depcomp to subdir because otherwise we won't find it if we're + # using a relative directory. + cp "$am_depcomp" conftest.dir + cd conftest.dir + # We will build objects and dependencies in a subdirectory because + # it helps to detect inapplicable dependency modes. For instance + # both Tru64's cc and ICC support -MD to output dependencies as a + # side effect of compilation, but ICC will put the dependencies in + # the current directory while Tru64 will put them in the object + # directory. + mkdir sub + + am_cv_$1_dependencies_compiler_type=none + if test "$am_compiler_list" = ""; then + am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` + fi + for depmode in $am_compiler_list; do + # Setup a source with many dependencies, because some compilers + # like to wrap large dependency lists on column 80 (with \), and + # we should not choose a depcomp mode which is confused by this. + # + # We need to recreate these files for each test, as the compiler may + # overwrite some of them when testing with obscure command lines. + # This happens at least with the AIX C compiler. + : > sub/conftest.c + for i in 1 2 3 4 5 6; do + echo '#include "conftst'$i'.h"' >> sub/conftest.c + # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with + # Solaris 8's {/usr,}/bin/sh. + touch sub/conftst$i.h + done + echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + + case $depmode in + nosideeffect) + # after this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested + if test "x$enable_dependency_tracking" = xyes; then + continue + else + break + fi + ;; + none) break ;; + esac + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. 
+ if depmode=$depmode \ + source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ + $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + ${MAKE-make} -s -f confmf > /dev/null 2>&1; then + # icc doesn't choke on unknown options, it will just issue warnings + # or remarks (even with -Werror). So we grep stderr for any message + # that says an option was ignored or not supported. + # When given -MP, icc 7.0 and 7.1 complain thusly: + # icc: Command line warning: ignoring option '-M'; no argument required + # The diagnosis changed in icc 8.0: + # icc: Command line remark: option '-MP' not supported + if (grep 'ignoring option' conftest.err || + grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else + am_cv_$1_dependencies_compiler_type=$depmode + break + fi + fi + done + + cd .. + rm -rf conftest.dir +else + am_cv_$1_dependencies_compiler_type=none +fi +]) +AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type]) +AM_CONDITIONAL([am__fastdep$1], [ + test "x$enable_dependency_tracking" != xno \ + && test "$am_cv_$1_dependencies_compiler_type" = gcc3]) +]) + + +# AM_SET_DEPDIR +# ------------- +# Choose a directory name for dependency files. 
+# This macro is AC_REQUIREd in _AM_DEPENDENCIES +AC_DEFUN([AM_SET_DEPDIR], +[AC_REQUIRE([AM_SET_LEADING_DOT])dnl +AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl +]) + + +# AM_DEP_TRACK +# ------------ +AC_DEFUN([AM_DEP_TRACK], +[AC_ARG_ENABLE(dependency-tracking, +[ --disable-dependency-tracking speeds up one-time build + --enable-dependency-tracking do not reject slow dependency extractors]) +if test "x$enable_dependency_tracking" != xno; then + am_depcomp="$ac_aux_dir/depcomp" + AMDEPBACKSLASH='\' +fi +AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) +AC_SUBST([AMDEPBACKSLASH])dnl +_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl +]) + +# Generate code to set up dependency tracking. -*- Autoconf -*- + +# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 +# Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +#serial 3 + +# _AM_OUTPUT_DEPENDENCY_COMMANDS +# ------------------------------ +AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], +[for mf in $CONFIG_FILES; do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then + dirpart=`AS_DIRNAME("$mf")` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. 
+ DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`AS_DIRNAME(["$file"])` + AS_MKDIR_P([$dirpart/$fdir]) + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done +done +])# _AM_OUTPUT_DEPENDENCY_COMMANDS + + +# AM_OUTPUT_DEPENDENCY_COMMANDS +# ----------------------------- +# This macro should only be invoked once -- use via AC_REQUIRE. +# +# This code is only required when automatic dependency tracking +# is enabled. FIXME. This creates each `.P' file that we will +# need in order to bootstrap the dependency handling code. +AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], +[AC_CONFIG_COMMANDS([depfiles], + [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS], + [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"]) +]) + +# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005 +# Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 8 + +# AM_CONFIG_HEADER is obsolete. It has been replaced by AC_CONFIG_HEADERS. +AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)]) + +# Do all the work for Automake. 
-*- Autoconf -*- + +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, +# 2005, 2006 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 12 + +# This macro actually does too much. Some checks are only needed if +# your package does certain things. But this isn't really a big deal. + +# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) +# AM_INIT_AUTOMAKE([OPTIONS]) +# ----------------------------------------------- +# The call with PACKAGE and VERSION arguments is the old style +# call (pre autoconf-2.50), which is being phased out. PACKAGE +# and VERSION should now be passed to AC_INIT and removed from +# the call to AM_INIT_AUTOMAKE. +# We support both call styles for the transition. After +# the next Automake release, Autoconf can make the AC_INIT +# arguments mandatory, and then we can depend on a new Autoconf +# release and drop the old call support. +AC_DEFUN([AM_INIT_AUTOMAKE], +[AC_PREREQ([2.60])dnl +dnl Autoconf wants to disallow AM_ names. We explicitly allow +dnl the ones we care about. +m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl +AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl +AC_REQUIRE([AC_PROG_INSTALL])dnl +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." + AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) + fi +fi + +# test whether we have cygpath +if test -z "$CYGPATH_W"; then + if (cygpath --version) >/dev/null 2>/dev/null; then + CYGPATH_W='cygpath -w' + else + CYGPATH_W=echo + fi +fi +AC_SUBST([CYGPATH_W]) + +# Define the identity of the package. 
+dnl Distinguish between old-style and new-style calls. +m4_ifval([$2], +[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl + AC_SUBST([PACKAGE], [$1])dnl + AC_SUBST([VERSION], [$2])], +[_AM_SET_OPTIONS([$1])dnl +dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. +m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,, + [m4_fatal([AC_INIT should be called with package and version arguments])])dnl + AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl + AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl + +_AM_IF_OPTION([no-define],, +[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package]) + AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl + +# Some tools Automake needs. +AC_REQUIRE([AM_SANITY_CHECK])dnl +AC_REQUIRE([AC_ARG_PROGRAM])dnl +AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version}) +AM_MISSING_PROG(AUTOCONF, autoconf) +AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version}) +AM_MISSING_PROG(AUTOHEADER, autoheader) +AM_MISSING_PROG(MAKEINFO, makeinfo) +AM_PROG_INSTALL_SH +AM_PROG_INSTALL_STRIP +AC_REQUIRE([AM_PROG_MKDIR_P])dnl +# We need awk for the "check" target. The system "awk" is bad on +# some platforms. +AC_REQUIRE([AC_PROG_AWK])dnl +AC_REQUIRE([AC_PROG_MAKE_SET])dnl +AC_REQUIRE([AM_SET_LEADING_DOT])dnl +_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], + [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], + [_AM_PROG_TAR([v7])])]) +_AM_IF_OPTION([no-dependencies],, +[AC_PROVIDE_IFELSE([AC_PROG_CC], + [_AM_DEPENDENCIES(CC)], + [define([AC_PROG_CC], + defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl +AC_PROVIDE_IFELSE([AC_PROG_CXX], + [_AM_DEPENDENCIES(CXX)], + [define([AC_PROG_CXX], + defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl +AC_PROVIDE_IFELSE([AC_PROG_OBJC], + [_AM_DEPENDENCIES(OBJC)], + [define([AC_PROG_OBJC], + defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl +]) +]) + + +# When config.status generates a header, we must update the stamp-h file. 
+# This file resides in the same directory as the config header +# that is generated. The stamp files are numbered to have different names. + +# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the +# loop where config.status creates the headers, so we can generate +# our stamp files there. +AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], +[# Compute $1's index in $config_headers. +_am_stamp_count=1 +for _am_header in $config_headers :; do + case $_am_header in + $1 | $1:* ) + break ;; + * ) + _am_stamp_count=`expr $_am_stamp_count + 1` ;; + esac +done +echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) + +# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_PROG_INSTALL_SH +# ------------------ +# Define $install_sh. +AC_DEFUN([AM_PROG_INSTALL_SH], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"} +AC_SUBST(install_sh)]) + +# Copyright (C) 2003, 2005 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 2 + +# Check whether the underlying file-system supports filenames +# with a leading dot. For instance MS-DOS doesn't. +AC_DEFUN([AM_SET_LEADING_DOT], +[rm -rf .tst 2>/dev/null +mkdir .tst 2>/dev/null +if test -d .tst; then + am__leading_dot=. +else + am__leading_dot=_ +fi +rmdir .tst 2>/dev/null +AC_SUBST([am__leading_dot])]) + +# Check to see how 'make' treats includes. -*- Autoconf -*- + +# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 3 + +# AM_MAKE_INCLUDE() +# ----------------- +# Check to see how make treats includes. +AC_DEFUN([AM_MAKE_INCLUDE], +[am_make=${MAKE-make} +cat > confinc << 'END' +am__doit: + @echo done +.PHONY: am__doit +END +# If we don't find an include directive, just comment out the code. +AC_MSG_CHECKING([for style of include used by $am_make]) +am__include="#" +am__quote= +_am_result=none +# First try GNU make style include. +echo "include confinc" > confmf +# We grep out `Entering directory' and `Leaving directory' +# messages which can occur if `w' ends up in MAKEFLAGS. +# In particular we don't look at `^make:' because GNU make might +# be invoked under some other name (usually "gmake"), in which +# case it prints its new name instead of `make'. +if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then + am__include=include + am__quote= + _am_result=GNU +fi +# Now try BSD make style include. +if test "$am__include" = "#"; then + echo '.include "confinc"' > confmf + if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then + am__include=.include + am__quote="\"" + _am_result=BSD + fi +fi +AC_SUBST([am__include]) +AC_SUBST([am__quote]) +AC_MSG_RESULT([$_am_result]) +rm -f confinc confmf +]) + +# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- + +# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005 +# Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. 
+ +# serial 5 + +# AM_MISSING_PROG(NAME, PROGRAM) +# ------------------------------ +AC_DEFUN([AM_MISSING_PROG], +[AC_REQUIRE([AM_MISSING_HAS_RUN]) +$1=${$1-"${am_missing_run}$2"} +AC_SUBST($1)]) + + +# AM_MISSING_HAS_RUN +# ------------------ +# Define MISSING if not defined so far and test if it supports --run. +# If it does, set am_missing_run to use it, otherwise, to nothing. +AC_DEFUN([AM_MISSING_HAS_RUN], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([missing])dnl +test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +# Use eval to expand $SHELL +if eval "$MISSING --run true"; then + am_missing_run="$MISSING --run " +else + am_missing_run= + AC_MSG_WARN([`missing' script is too old or missing]) +fi +]) + +# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_PROG_MKDIR_P +# --------------- +# Check for `mkdir -p'. +AC_DEFUN([AM_PROG_MKDIR_P], +[AC_PREREQ([2.60])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl +dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, +dnl while keeping a definition of mkdir_p for backward compatibility. +dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile. +dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of +dnl Makefile.ins that do not define MKDIR_P, so we do our own +dnl adjustment using top_builddir (which is defined more often than +dnl MKDIR_P). +AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl +case $mkdir_p in + [[\\/$]]* | ?:[[\\/]]*) ;; + */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; +esac +]) + +# Helper functions for option handling. -*- Autoconf -*- + +# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 3 + +# _AM_MANGLE_OPTION(NAME) +# ----------------------- +AC_DEFUN([_AM_MANGLE_OPTION], +[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) + +# _AM_SET_OPTION(NAME) +# ------------------------------ +# Set option NAME. Presently that only means defining a flag for this option. +AC_DEFUN([_AM_SET_OPTION], +[m4_define(_AM_MANGLE_OPTION([$1]), 1)]) + +# _AM_SET_OPTIONS(OPTIONS) +# ---------------------------------- +# OPTIONS is a space-separated list of Automake options. +AC_DEFUN([_AM_SET_OPTIONS], +[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) + +# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) +# ------------------------------------------- +# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. +AC_DEFUN([_AM_IF_OPTION], +[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) + +# Check to make sure that the build environment is sane. -*- Autoconf -*- + +# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005 +# Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 4 + +# AM_SANITY_CHECK +# --------------- +AC_DEFUN([AM_SANITY_CHECK], +[AC_MSG_CHECKING([whether build environment is sane]) +# Just in case +sleep 1 +echo timestamp > conftest.file +# Do `set' in a subshell so we don't clobber the current shell's +# arguments. Must try -L first in case configure is actually a +# symlink; some systems play weird games with the mod time of symlinks +# (eg FreeBSD returns the mod time of the symlink's containing +# directory). +if ( + set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + if test "$[*]" = "X"; then + # -L didn't work. 
+ set X `ls -t $srcdir/configure conftest.file` + fi + rm -f conftest.file + if test "$[*]" != "X $srcdir/configure conftest.file" \ + && test "$[*]" != "X conftest.file $srcdir/configure"; then + + # If neither matched, then we have a broken ls. This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken +alias in your environment]) + fi + + test "$[2]" = conftest.file + ) +then + # Ok. + : +else + AC_MSG_ERROR([newly created file is older than distributed files! +Check your system clock]) +fi +AC_MSG_RESULT(yes)]) + +# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_PROG_INSTALL_STRIP +# --------------------- +# One issue with vendor `install' (even GNU) is that you can't +# specify the program used to strip binaries. This is especially +# annoying in cross-compiling environments, where the build's strip +# is unlikely to handle the host's binaries. +# Fortunately install-sh will honor a STRIPPROG variable, so we +# always use install-sh in `make install-strip', and initialize +# STRIPPROG with the value of the STRIP variable (set by the user). +AC_DEFUN([AM_PROG_INSTALL_STRIP], +[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl +# Installed binaries are usually stripped using `strip' when the user +# run `make install-strip'. However `strip' might not be the right +# tool to use in cross-compilation environments, therefore Automake +# will honor the `STRIP' environment variable to overrule this program. +dnl Don't test for $cross_compiling = yes, because it might be `maybe'. 
+if test "$cross_compiling" != no; then + AC_CHECK_TOOL([STRIP], [strip], :) +fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" +AC_SUBST([INSTALL_STRIP_PROGRAM])]) + +# Copyright (C) 2006 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_SUBST_NOTMAKE(VARIABLE) +# --------------------------- +# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in. +# This macro is traced by Automake. +AC_DEFUN([_AM_SUBST_NOTMAKE]) + +# Check how to create a tarball. -*- Autoconf -*- + +# Copyright (C) 2004, 2005 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# serial 2 + +# _AM_PROG_TAR(FORMAT) +# -------------------- +# Check how to create a tarball in format FORMAT. +# FORMAT should be one of `v7', `ustar', or `pax'. +# +# Substitute a variable $(am__tar) that is a command +# writing to stdout a FORMAT-tarball containing the directory +# $tardir. +# tardir=directory && $(am__tar) > result.tar +# +# Substitute a variable $(am__untar) that extract such +# a tarball read from stdin. +# $(am__untar) < result.tar +AC_DEFUN([_AM_PROG_TAR], +[# Always define AMTAR for backward compatibility. +AM_MISSING_PROG([AMTAR], [tar]) +m4_if([$1], [v7], + [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'], + [m4_case([$1], [ustar],, [pax],, + [m4_fatal([Unknown tar format])]) +AC_MSG_CHECKING([how to create a $1 tar archive]) +# Loop over all known methods to create a tar archive until one works. 
+_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' +_am_tools=${am_cv_prog_tar_$1-$_am_tools} +# Do not fold the above two line into one, because Tru64 sh and +# Solaris sh will not grok spaces in the rhs of `-'. +for _am_tool in $_am_tools +do + case $_am_tool in + gnutar) + for _am_tar in tar gnutar gtar; + do + AM_RUN_LOG([$_am_tar --version]) && break + done + am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' + am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' + am__untar="$_am_tar -xf -" + ;; + plaintar) + # Must skip GNU tar: if it does not support --format= it doesn't create + # ustar tarball either. + (tar --version) >/dev/null 2>&1 && continue + am__tar='tar chf - "$$tardir"' + am__tar_='tar chf - "$tardir"' + am__untar='tar xf -' + ;; + pax) + am__tar='pax -L -x $1 -w "$$tardir"' + am__tar_='pax -L -x $1 -w "$tardir"' + am__untar='pax -r' + ;; + cpio) + am__tar='find "$$tardir" -print | cpio -o -H $1 -L' + am__tar_='find "$tardir" -print | cpio -o -H $1 -L' + am__untar='cpio -i -H $1 -d' + ;; + none) + am__tar=false + am__tar_=false + am__untar=false + ;; + esac + + # If the value was cached, stop now. We just wanted to have am__tar + # and am__untar set. + test -n "${am_cv_prog_tar_$1}" && break + + # tar/untar a dummy directory, and stop if the command works + rm -rf conftest.dir + mkdir conftest.dir + echo GrepMe > conftest.dir/file + AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) + rm -rf conftest.dir + if test -s conftest.tar; then + AM_RUN_LOG([$am__untar /dev/null 2>&1 && break + fi +done +rm -rf conftest.dir + +AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) +AC_MSG_RESULT([$am_cv_prog_tar_$1])]) +AC_SUBST([am__tar]) +AC_SUBST([am__untar]) +]) # _AM_PROG_TAR + diff --git a/app_client/Makefile.am b/app_client/Makefile.am new file mode 100644 index 0000000..4c93ab7 --- /dev/null +++ b/app_client/Makefile.am 
@@ -0,0 +1,71 @@
+# $Id: Makefile.am,v 1.1.2.1 2011/12/05 20:31:06 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/app_client/Attic/Makefile.am,v $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2001-2002 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+# This product includes software developed by Ericsson Radio Systems.
+#
+
+
+#
+# Makefile.am for gdoid.
+#
+
+bin_PROGRAMS = app_stub
+
+app_stub_SOURCES = app_stub.c
+
diff --git a/app_client/Makefile.in b/app_client/Makefile.in
new file mode 100644
index 0000000..c6b7185
--- /dev/null
+++ b/app_client/Makefile.in
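Review bot: In app_client/Makefile.am, `bin_PROGRAMS = app_stub` puts the stub on the `make install` path, so it lands in `$(bindir)` on every host where the package is installed. The name suggests a sample or test client; if that is what it is (worth confirming against app_stub.c), `noinst_PROGRAMS = app_stub` still builds it but keeps it out of the installed footprint. The header comment `# Makefile.am for gdoid.` also looks carried over from another directory and would be clearer as `# Makefile.am for app_stub.`.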
@@ -0,0 +1,484 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# $Id: Makefile.am,v 1.1.2.1 2011/12/05 20:31:06 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/app_client/Attic/Makefile.am,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001-2002 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. 
The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. 
For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# +# Makefile.am for gdoid. +# + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +bin_PROGRAMS = app_stub$(EXEEXT) +subdir = app_client +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__installdirs = "$(DESTDIR)$(bindir)" +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(bin_PROGRAMS) +am_app_stub_OBJECTS = app_stub.$(OBJEXT) +app_stub_OBJECTS = $(am_app_stub_OBJECTS) +app_stub_LDADD = $(LDADD) +DEFAULT_INCLUDES = -I. 
-I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/config/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +SOURCES = $(app_stub_SOURCES) +DIST_SOURCES = $(app_stub_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ 
+docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +app_stub_SOURCES = app_stub.c +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign app_client/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --foreign app_client/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-binPROGRAMS: $(bin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-binPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ + rm -f "$(DESTDIR)$(bindir)/$$f"; \ + done + +clean-binPROGRAMS: + -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) +app_stub$(EXEEXT): $(app_stub_OBJECTS) $(app_stub_DEPENDENCIES) + @rm -f app_stub$(EXEEXT) + $(LINK) $(app_stub_OBJECTS) $(app_stub_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/app_stub.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd 
$(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(bindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-binPROGRAMS clean-generic mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-exec-am: install-binPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-binPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \ + clean-generic ctags distclean distclean-compile \ + distclean-generic distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-binPROGRAMS \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-binPROGRAMS + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/app_client/app_stub.c b/app_client/app_stub.c new file mode 100644 index 0000000..27a84c9 --- /dev/null +++ b/app_client/app_stub.c 
@@ -0,0 +1,879 @@ +/* $Id: app_stub.c,v 1.1.2.2 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/app_client/Attic/app_stub.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * app_stub -- This program demonstrates how an application + * contacts a GDOI client daemon for keys and policy. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "../src/gdoi_app_num.h" +#ifdef IEC90_5_SUPPORT +#include "../src/gdoi_app_iec90_5_attr.h" +#endif +#ifdef SRTP_SUPPORT +#include "../src/gdoi_srtp_attr.h" +#endif + +#define APPS_CLIENT_PIPE "/tmp/apps_to_gdoi" +#define GDOI_CLIENT_PIPE "/tmp/gdoi_to_app" + +#define MAX_MSG_SIZE 500 /* Guess */ +#define MAX_PRINT_BUF_LEN 80 + +#define ATTR_HDR_SZ 4 + +#define GET_RETRY_VALUE 30 +#define NORMAL_POLL_VALUE 15 + +#define GET_NEW_KEYS_BEFORE_EXPIRATION_PERIOD 5 + +/* + * Supported applications + * List must match the list in ../src/gdoi_app_num.cst. + */ +#ifdef SRTP_SUPPORT +#define APP_SRTP "srtp" +#endif +#define APP_IEC90_5 "iec90-5" + +unsigned int apptype; + +/* + * HEADER TYPE + */ +struct cmd_header { + short version; + short command; +#define COMMAND_ADD 3 +#define COMMAND_GET 5 + u_int32_t app_proto; + int peer_errno; + int sequence; + int pid; +}; + +int retry_secs; +int poll_for_pushed_policy_secs; +int current_state; +unsigned int key_expiration_time; + +#define INVALID_VALUE 0x0fffffff + +typedef enum states_ { + ERROR, + NO_KEYS, + HAVE_KEYS, + ASKING_FOR_MORE_KEYS +} states; + +#define GDOI_CLIENT_ATTR_GROUP_ID 101 +#define GDOI_CLIENT_ATTR_RETURN_PIPE 102 +#define GDOI_CLIENT_ATTR_GROUP_ADDRESS 103 + +/* + * The following + */ +#ifdef SRTP_SUPPORT +#define GDOI_PROTO_SRTP 100 +#endif +#ifdef IEC90_5_SUPPORT +#define GDOI_PROTO_IEC90_5 101 +#endif + +/* + * STRUCTURES + * + * Generic Header + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Version | Command | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Errno | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | PID | + 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +int group; + +int s_to_gdoi; + +void shutmedown (int sig) +{ + printf("error: shutting down due to signal %d\n", sig); + close(s_to_gdoi); + exit(1); +} + +void err (char *tag) +{ + printf("error: %s", tag); + if (errno) { + printf(", errno=%s", strerror(errno)); + } + printf("\n"); + exit(1); +} + +u_int8_t *grow_buf (u_int8_t *old_buf, int *old_buf_sz, u_int8_t *build_buf, + int build_buf_sz) +{ + u_int8_t *new_buf; + int new_buf_sz = *old_buf_sz + build_buf_sz; + + new_buf = realloc(old_buf, new_buf_sz); + if (!new_buf) + { + err("realloc failed"); + } + memcpy((new_buf+*old_buf_sz), build_buf, build_buf_sz); + *old_buf_sz = new_buf_sz; + + return new_buf; +} + +void +encode_16 (u_int8_t *cp, short x) +{ + *cp++ = x >> 8; + *cp = x & 0xff; +} + +u_int16_t +decode_16 (u_int8_t *cp) +{ + return cp[0] << 8 | cp[1]; +} + +u_int32_t +decode_32 (u_int8_t *cp) +{ + return cp[0] << 24 | cp[1] << 16 | cp[2] << 8 | cp[3]; +} + +u_int8_t * +attribute_add_var (u_int8_t *buf, int *buf_sz, short type, char *value, short len) +{ + u_int8_t *new_buf, *ptr; + int new_buf_sz; + + /* + * Calculate size of new buffer needed + */ + new_buf_sz = *buf_sz + len + ATTR_HDR_SZ; + new_buf = realloc(buf, new_buf_sz); + if (!new_buf) + { + err("realloc failed"); + } + ptr = new_buf + *buf_sz; + encode_16(ptr, type); + ptr += 2; + encode_16(ptr, len); + ptr += 2; + + memcpy(ptr, value, len); + + *buf_sz = new_buf_sz; + return new_buf; +} + +int +print_generic_attributes (u_int8_t *buf, size_t sz, int *lifetime) +{ + u_int8_t *attr; + int fmt; + u_int16_t type; + u_int8_t *value; + u_int16_t len; + int i; + u_int8_t display_buf[MAX_PRINT_BUF_LEN]; + + printf("Generic Attributes:\n"); + for (attr = buf; attr < buf + sz; attr = value + len) + { + if (attr + 4 > buf + sz) + return -1; + type = decode_16(attr) & 0x7fff; + fmt = *attr >> 7; + value = attr + (fmt ? 2 : 4); + len = (fmt ? 
2 : decode_16(attr+2)); + printf(" Format: %d, Type: %03d, Length: %02d Value: ", fmt, type, len); + if (value + len > buf + sz) + return -1; + switch (type) { + case GDOI_CLIENT_ATTR_GROUP_ID: + printf("Group ID %d (%#x)\n", + ntohl(decode_32(value)), ntohl(decode_32(value))); + break; + case GDOI_CLIENT_ATTR_RETURN_PIPE: + if (len >= MAX_PRINT_BUF_LEN) { + len = MAX_PRINT_BUF_LEN - 1; + } + memcpy(display_buf, value, len); + display_buf[len] = 0; + printf("Return Pipe %s\n", display_buf); + break; + case GDOI_CLIENT_ATTR_GROUP_ADDRESS: + if (4 == len) { + printf("Address: %x\n", decode_32(value)); + } else { + printf("Address lenggh %d not supported\n", len); + } + break; + default: + printf("Unknown Attribute: %d\n", type); + break; + } + } + printf("\n"); + return 0; +} + +#ifdef IEC90_5_SUPPORT +static void +print_attribute_hex (u_int8_t *value, u_int16_t len) +{ + int i; + + for (i=0; i buf + sz) + return -1; + type = decode_16(attr) & 0x7fff; + fmt = *attr >> 7; + value = attr + (fmt ? 2 : 4); + len = (fmt ? 2 : decode_16(attr+2)); + printf(" Format: %d, Type: %03d, Length: %02d Value: ", fmt, type, len); + if (value + len > buf + sz) + return -1; + switch (type) { + case IEC90_5_OID: + printf("OID:\n\t"); + print_attribute_hex(value, len); + break; + case IEC90_5_LIFETIME_SECS: + printf("Lifetime of IEC90-5 keys: %d\n", htonl(decode_32(value))); + /* + * Return the lifetime if requested. + */ + if (lifetime) { + *lifetime = 2< buf + sz) + return -1; + type = decode_16(attr) & 0x7fff; + fmt = *attr >> 7; + value = attr + (fmt ? 2 : 4); + len = (fmt ? 
2 : decode_16(attr+2)); + printf(" Format: %d, Type: %03d, Length: %02d Value: ", fmt, type, len); + if (value + len > buf + sz) + return -1; + switch (type) { + case SRTP_SOURCE_ID: + printf("Source Address"); + break; + case SRTP_DEST_ID: + printf("Destination Address"); + break; + case SRTP_MASTER_KEY: + printf("Master Key:\n\t"); + for (i=0; iversion); + printf(" Command: %d\n", hdr->command); + printf(" App Proto:%d\n", hdr->app_proto); + printf(" Errno: %d\n", hdr->peer_errno); + printf(" Sequence: %d\n", hdr->sequence); + printf(" Pid: %d\n", hdr->pid); + printf("\n"); +} + +u_int8_t *create_initial_GET_packet (int *len) +{ + u_int8_t *buf, *start_attr; + struct cmd_header *hdr; + int buf_sz; + + /* + * Create header. It's a fixed size. + * + * NOTE: A real application would want to save the header for comparison to + * IPC replies from the GDOI GM. + */ + hdr = calloc(1, sizeof(struct cmd_header)); + if (!hdr) + { + err("calloc failure"); + } + hdr->version = 1; + hdr->command = COMMAND_GET; + hdr->app_proto = apptype; + srand(time(NULL)); + hdr->sequence = rand(); + hdr->pid = (int) getpid(); + + printf("Sending packet:\n"); + print_hdr(hdr); + + buf = (u_int8_t *) hdr; + buf_sz = sizeof(struct cmd_header); + + /* + * Add attributes + */ + start_attr = buf + buf_sz; + buf = attribute_add_var(buf, &buf_sz, + GDOI_CLIENT_ATTR_GROUP_ID, + (char *)&group, 4); + buf = attribute_add_var(buf, &buf_sz, + GDOI_CLIENT_ATTR_RETURN_PIPE, GDOI_CLIENT_PIPE, + strlen(GDOI_CLIENT_PIPE)); + + print_generic_attributes(buf + sizeof(struct cmd_header), + buf_sz - sizeof(struct cmd_header), NULL); + printf("\n"); + + *len = buf_sz; + return buf; +} + +void +analyze_returned_ADD_packet (u_int8_t *buf, int len, unsigned int *lifetime) +{ + struct cmd_header *hdr; + + hdr = (struct cmd_header *) buf; + + printf("Returned Packet:\n"); + print_hdr(hdr); + + switch (hdr->app_proto) { +#ifdef IEC90_5_SUPPORT + case GDOI_PROTO_IEC90_5: + print_iec90_5_attributes(buf + sizeof(struct 
cmd_header), + len - sizeof(struct cmd_header), + lifetime); + break; +#endif +#ifdef SRTP_SUPPORT + case GDOI_PROTO_SRTP: + print_srtp_attributes(buf + sizeof(struct cmd_header), + len - sizeof(struct cmd_header), + lifetime); + break; +#endif + default: + printf("Unsupported protocol %d\n", hdr->app_proto); + break; + } +} + +int +connect_to_gdoi (void) +{ + int s, ret; + struct sockaddr_un pipe; + + s = socket (AF_LOCAL, SOCK_STREAM, 0); + if (s < 0) + { + err("socket open failed"); + return -1; + } + + bzero(&pipe, sizeof(struct sockaddr_un)); + pipe.sun_family = AF_LOCAL; + strncpy(pipe.sun_path, APPS_CLIENT_PIPE, sizeof(pipe.sun_path)-1); + + ret = connect(s, (struct sockaddr *)&pipe, sizeof(pipe)); + if (ret < 0) + { + err("connect failed"); + return -1; + } + + return s; +} + +int +create_return_sock (void) +{ + int s, ret; + struct sockaddr_un pipe; + + s = socket (AF_LOCAL, SOCK_STREAM, 0); + if (s < 0) + { + err("socket open failed"); + return; + } + + unlink(GDOI_CLIENT_PIPE); + + bzero(&pipe, sizeof(struct sockaddr_un)); + pipe.sun_family = AF_LOCAL; + strncpy(pipe.sun_path, GDOI_CLIENT_PIPE, sizeof(pipe.sun_path)-1); + + ret = bind(s, (struct sockaddr *)&pipe, sizeof(pipe)); + if (ret < 0) + { + err("bind failed"); + return; + } + + ret = listen(s, 1024); + if (ret < 0) + { + err("listen failed"); + return; + } + + return s; +} + +/* + * Send a request for keys. + */ +void +ask_for_keys (int s) +{ + int ret; + u_int8_t *data_out; + int data_out_len; + struct msghdr msg; + struct iovec iov[1]; + + data_out = create_initial_GET_packet(&data_out_len); + + msg.msg_name = NULL; + msg.msg_namelen = 0; + iov[0].iov_base = data_out; + iov[0].iov_len = data_out_len; + msg.msg_control = 0; + msg.msg_controllen = 0; + msg.msg_iov = iov; + msg.msg_iovlen = 1; + + ret = sendmsg(s, &msg, 0); + if (ret < 0) { + err("sendmsg failed"); + return; + } + + /* + * Set the retry timer. 
+ */ + retry_secs = GET_RETRY_VALUE; + + /* + * Cleanup + */ + free(data_out); + data_out_len = 0; +} + +void +handle_ADD_packet (u_int8_t *data_in, int num_bytes) +{ + unsigned int lifetime; + + if (num_bytes) { + analyze_returned_ADD_packet(data_in, num_bytes, &lifetime); + /* + * Now that we have keys, reset the timer to reflect the lifetime of + * the keys. + * + * It may be that we get an un-requested update before + * that time. + */ + current_state = HAVE_KEYS; + if (lifetime) { + key_expiration_time = time(NULL) + lifetime; + /* + * Don't need to retry anymore + */ + retry_secs = INVALID_VALUE; + } else { + printf("WARNING: No lifetime given by GDOI. Re-trying.\n"); + } + } else { + printf("\nGDOI closed the connection\n"); + exit(0); + } +} + +/* + * Decide how long to sleep based on the the current state. + */ +int +until_next_event (void) +{ + int sleep_time; + + if (retry_secs < poll_for_pushed_policy_secs) { + sleep_time = retry_secs; + } else { + sleep_time = poll_for_pushed_policy_secs; + } + printf("Sleeping for %d seconds.\n", sleep_time); + return sleep_time; +} + +main (argc, argv) +int argc; +char **argv; +{ + int s_from_gdoi, c; + int ret; + u_int8_t data_in[1024]; + int data_in_len; + int cc; + char *usage="[ -a ] -g "; + char *appname; + + struct sockaddr_un from; + int from_len; + + int flags; + + /* + * Option processing + */ + while (1) { + cc = getopt(argc, argv, "a:g:"); + if (cc == -1) { + break; + } + switch (cc) { + case 'a': + appname = optarg; + apptype = 0; +#ifdef IEC90_5_SUPPORT + if (!strncmp(APP_IEC90_5, appname, strlen(APP_IEC90_5))) + apptype = GDOI_PROTO_IEC90_5; +#endif +#ifdef SRTP_SUPPORT + if (!strncmp(APP_SRTP, appname, strlen(APP_SRTP))) + apptype = GDOI_PROTO_SRTP; +#endif + if (!apptype) { + printf("Unknown GDOI app %s\n", appname); + } + break; + case 'g': + group = atoi(optarg); + break; + default: + printf("Unknown option %c\n", cc); + printf("Usage: %s %s\n", argv[0], usage); + exit(1); + } + } + + if (!group || 
!apptype) { + printf("Usage: %s %s\n", argv[0], usage); + exit(1); + } + + current_state = NO_KEYS; + + s_to_gdoi = connect_to_gdoi(); + if (s_to_gdoi < 0) { + return; + } + + signal(SIGTERM, shutmedown); + signal(SIGHUP, shutmedown); + + s_from_gdoi = create_return_sock(); + + /* + * Make the first request for keys. + */ + ask_for_keys(s_to_gdoi); + + /* + * Setup the return pipe. + */ + c = accept(s_from_gdoi, (struct sockaddr *)&from, (socklen_t *)&from_len); + if (c < 0) { + err("accept failed"); + exit(1); + } + + /* + * Make it non-blocking so we can poll it later. + */ + if ((flags = fcntl(c, F_GETFL, 0)) < 0) { + err("F_GETFL error"); + } + flags |= O_NONBLOCK; + if (fcntl(c, F_SETFL, flags) < 0) { + err("F_SETFL error"); + } + + /* + * Setup initial timer values. + */ + poll_for_pushed_policy_secs = NORMAL_POLL_VALUE; + key_expiration_time = 0; + + /* + * Wait for something to happen. + * 1. If no keys are returned within n seconds, try again. + * 2. If an ADD message with keys is returned: + * a. handle them + * b. set a timer slightly before the lifetime ends + * 3. If an unsolicited ADD message with new keys is received: + * a. stop the timer. + * b. handle them. + * c. reset the timer to slightly before th next lifetime ends. + */ + while (1) { + /* + * Sleep until we need to check the socket or ask for keys. + */ + sleep(until_next_event()); + + /* + * Read in non-blocking mode. + */ + ret = recvfrom(c, &data_in, MAX_MSG_SIZE, 0, NULL, NULL); + if (ret < 1) { + switch (errno) { + case EAGAIN: + /* + * GDOI hasn't sent anything yet. + */ + if ((current_state == NO_KEYS) || + (current_state == ASKING_FOR_MORE_KEYS)) { + printf("\nAsking for Keys Again.\n"); + ask_for_keys(s_to_gdoi); + } + /* + * Nothing to do if we already have keys -- we were just + * checking in case GDOI pushed new keys to us. + */ + break; + default: + err("recvfrom failed"); + return; + } + } else { + /* + * BUG! 
It could be the GDOI was interrupted while sending us + * a response, in which case we may have only some of the + * payload. We're ignoring that this in this sample. + */ + handle_ADD_packet(data_in, ret); + } + + /* + * Check if we need to ask for new keys. I.e., GDOI didn't give us any + * replacement keys so we need to ask for them. + * + * We want to ask for new keys GET_NEW_KEYS_BEFORE_EXPIRATION_PERIOD + * seconds before the end of the actual lifetime, which gives us some + * time to get another update before the current keys expire. + */ + printf("Key Expiration time: %d, Current time: %lld\n", + key_expiration_time, (long long int) time(NULL)); + printf("Currrent State: %d\n", current_state); + + if ((key_expiration_time - time(NULL)) <= + GET_NEW_KEYS_BEFORE_EXPIRATION_PERIOD) { + ask_for_keys(s_to_gdoi); + current_state = ASKING_FOR_MORE_KEYS; + } + + /* + * If the keys expire without replacement, then we need to change state + * and ask again. + */ + if (key_expiration_time < time(NULL)) { + ask_for_keys(s_to_gdoi); + current_state = NO_KEYS; + } + } +} diff --git a/config.h b/config.h new file mode 100644 index 0000000..0cdb602 --- /dev/null +++ b/config.h 
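Review bot: analyze_returned_ADD_packet() casts `buf` to `struct cmd_header` and passes `len - sizeof(struct cmd_header)` to the attribute printers without first checking that `len` covers the header. main() hands it whatever recvfrom() returned, and the "BUG!" comment there already admits that partial reads can happen. On a reply shorter than the header the subtraction wraps, because it is done in `size_t`, and the printers (which appear to bound their loop by `buf + sz`, as print_generic_attributes does) would read past the 1024-byte `data_in` array. A guard at the top of the function, such as `if (len < (int)sizeof(struct cmd_header)) { printf("Short packet: %d bytes\n", len); return; }`, closes that. In the same path, handle_ADD_packet() tests `lifetime` after the call although nothing sets it when the protocol is unsupported or no lifetime attribute is present; declaring it as `unsigned int lifetime = 0;` makes that branch well defined.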
@@ -0,0 +1,242 @@ +/* config.h. Generated from config.h.in by configure. */ +/* config.h.in. Generated from configure.in by autoheader. */ + +/* Define to 1 if the `closedir' function returns void instead of `int'. */ +/* #undef CLOSEDIR_VOID */ + +/* Use missing queue.h definitions */ +/* #undef DEFINE_EXTRA_QUEUE_FUNCTIONS */ + +/* Sockaddr Length */ +#define DEFINE_SA_LEN 1 + +/* GDOI Application Interface support */ +#define GDOI_APP_SUPPORT 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_ARPA_INET_H 1 + +/* Define to 1 if you have the `bzero' function. */ +#define HAVE_BZERO 1 + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +#define HAVE_DIRENT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_FCNTL_H 1 + +/* Define to 1 if you have the `gettimeofday' function. */ +#define HAVE_GETTIMEOFDAY 1 + +/* Define to 1 if you have the `inet_ntoa' function. */ +#define HAVE_INET_NTOA 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_INTTYPES_H 1 + +/* Define to 1 if you have the `dl' library (-ldl). */ +#define HAVE_LIBDL 1 + +/* Define to 1 if you have the `memmove' function. */ +#define HAVE_MEMMOVE 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_MEMORY_H 1 + +/* Define to 1 if you have the `memset' function. */ +#define HAVE_MEMSET 1 + +/* Define to 1 if you have the `mkfifo' function. */ +#define HAVE_MKFIFO 1 + +/* Define to 1 if you have the header file, and it defines `DIR'. */ +/* #undef HAVE_NDIR_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_NETDB_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_NETINET_IN_H 1 + +/* Define to 1 if you have the `select' function. */ +#define HAVE_SELECT 1 + +/* Define to 1 if you have the `socket' function. */ +#define HAVE_SOCKET 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDDEF_H 1 + +/* Define to 1 if you have the header file. 
*/ +#define HAVE_STDINT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STDLIB_H 1 + +/* Define to 1 if you have the `strcasecmp' function. */ +#define HAVE_STRCASECMP 1 + +/* Define to 1 if you have the `strcspn' function. */ +#define HAVE_STRCSPN 1 + +/* Define to 1 if you have the `strdup' function. */ +#define HAVE_STRDUP 1 + +/* Define to 1 if you have the `strerror' function. */ +#define HAVE_STRERROR 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRINGS_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the `strlcpy' function. */ +#define HAVE_STRLCPY 1 + +/* Define to 1 if you have the `strncasecmp' function. */ +#define HAVE_STRNCASECMP 1 + +/* Define to 1 if you have the `strspn' function. */ +#define HAVE_STRSPN 1 + +/* Define to 1 if you have the `strstr' function. */ +#define HAVE_STRSTR 1 + +/* Define to 1 if you have the `strtol' function. */ +#define HAVE_STRTOL 1 + +/* Define to 1 if you have the `strtoul' function. */ +#define HAVE_STRTOUL 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYSLOG_H 1 + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +/* #undef HAVE_SYS_DIR_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_IOCTL_H 1 + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +/* #undef HAVE_SYS_NDIR_H */ + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_PARAM_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SELECT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_SOCKET_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_STAT_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TIME_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_SYS_TYPES_H 1 + +/* Define to 1 if you have the `tzset' function. 
*/ +#define HAVE_TZSET 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_UNISTD_H 1 + +/* IEC 57-61850-90-5 Support */ +#define IEC90_5_SUPPORT 1 + +/* Old OpenBSD PF_KEY Extensions */ +/* #undef OLD_OPENBSD_PFKEY_EXT */ + +/* Need to open FIFO with O_RDRW */ +/* #undef OPEN_FIFO_RDRW */ + +/* Name of package */ +#define PACKAGE "gdoid" + +/* Define to the address where bug reports for this package should be sent. */ +#define PACKAGE_BUGREPORT "" + +/* Define to the full name of this package. */ +#define PACKAGE_NAME "gdoi.h" + +/* Define to the full name and version of this package. */ +#define PACKAGE_STRING "gdoi.h 1.5iec" + +/* Define to the one symbol short name of this package. */ +#define PACKAGE_TARNAME "gdoi-h" + +/* Define to the version of this package. */ +#define PACKAGE_VERSION "1.5iec" + +/* Define as the return type of signal handlers (`int' or `void'). */ +#define RETSIGTYPE void + +/* Initialize the RNG */ +/* #undef SEED_RNG */ + +/* Define to the type of arg 1 for `select'. */ +#define SELECT_TYPE_ARG1 int + +/* Define to the type of args 2, 3 and 4 for `select'. */ +#define SELECT_TYPE_ARG234 (fd_set *) + +/* Define to the type of arg 5 for `select'. */ +#define SELECT_TYPE_ARG5 (struct timeval *) + +/* SRTP Support */ +#define SRTP_SUPPORT 1 + +/* Define to 1 if you have the ANSI C header files. */ +#define STDC_HEADERS 1 + +/* Define to 1 if you can safely include both and . */ +#define TIME_WITH_SYS_TIME 1 + +/* Define to 1 if your declares `struct tm'. */ +/* #undef TM_IN_SYS_TIME */ + +/* Phase 1 Agressive Support */ +/* #undef USE_AGGRESSIVE */ + +/* Debugging */ +#define USE_DEBUG 1 + +/* Old Sockaddr Definition */ +/* #undef USE_OLD_SOCKADDR */ + +/* 3DES Support */ +#define USE_TRIPLEDES 1 + +/* Version number of package */ +#define VERSION "1.5iec" + +/* Define to empty if `const' does not conform to ANSI C. 
*/ +/* #undef const */ + +/* Not defined in */ +/* #undef in_addr_t */ + +/* Not defined in */ +/* #undef in_port_t */ + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +/* #undef inline */ +#endif + +/* Define to `int' if does not define. */ +/* #undef mode_t */ + +/* Define to `long int' if does not define. */ +/* #undef off_t */ + +/* Define to `unsigned int' if does not define. */ +/* #undef size_t */ diff --git a/config.h.in b/config.h.in new file mode 100644 index 0000000..d4e2fc1 --- /dev/null +++ b/config.h.in 
@@ -0,0 +1,241 @@ +/* config.h.in. Generated from configure.in by autoheader. */ + +/* Define to 1 if the `closedir' function returns void instead of `int'. */ +#undef CLOSEDIR_VOID + +/* Use missing queue.h definitions */ +#undef DEFINE_EXTRA_QUEUE_FUNCTIONS + +/* Sockaddr Length */ +#undef DEFINE_SA_LEN + +/* GDOI Application Interface support */ +#undef GDOI_APP_SUPPORT + +/* Define to 1 if you have the header file. */ +#undef HAVE_ARPA_INET_H + +/* Define to 1 if you have the `bzero' function. */ +#undef HAVE_BZERO + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +#undef HAVE_DIRENT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_FCNTL_H + +/* Define to 1 if you have the `gettimeofday' function. */ +#undef HAVE_GETTIMEOFDAY + +/* Define to 1 if you have the `inet_ntoa' function. */ +#undef HAVE_INET_NTOA + +/* Define to 1 if you have the header file. */ +#undef HAVE_INTTYPES_H + +/* Define to 1 if you have the `dl' library (-ldl). */ +#undef HAVE_LIBDL + +/* Define to 1 if you have the `memmove' function. */ +#undef HAVE_MEMMOVE + +/* Define to 1 if you have the header file. */ +#undef HAVE_MEMORY_H + +/* Define to 1 if you have the `memset' function. */ +#undef HAVE_MEMSET + +/* Define to 1 if you have the `mkfifo' function. */ +#undef HAVE_MKFIFO + +/* Define to 1 if you have the header file, and it defines `DIR'. */ +#undef HAVE_NDIR_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_NETDB_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_NETINET_IN_H + +/* Define to 1 if you have the `select' function. */ +#undef HAVE_SELECT + +/* Define to 1 if you have the `socket' function. */ +#undef HAVE_SOCKET + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDDEF_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDINT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDLIB_H + +/* Define to 1 if you have the `strcasecmp' function. 
*/ +#undef HAVE_STRCASECMP + +/* Define to 1 if you have the `strcspn' function. */ +#undef HAVE_STRCSPN + +/* Define to 1 if you have the `strdup' function. */ +#undef HAVE_STRDUP + +/* Define to 1 if you have the `strerror' function. */ +#undef HAVE_STRERROR + +/* Define to 1 if you have the header file. */ +#undef HAVE_STRINGS_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STRING_H + +/* Define to 1 if you have the `strlcpy' function. */ +#undef HAVE_STRLCPY + +/* Define to 1 if you have the `strncasecmp' function. */ +#undef HAVE_STRNCASECMP + +/* Define to 1 if you have the `strspn' function. */ +#undef HAVE_STRSPN + +/* Define to 1 if you have the `strstr' function. */ +#undef HAVE_STRSTR + +/* Define to 1 if you have the `strtol' function. */ +#undef HAVE_STRTOL + +/* Define to 1 if you have the `strtoul' function. */ +#undef HAVE_STRTOUL + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYSLOG_H + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +#undef HAVE_SYS_DIR_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_IOCTL_H + +/* Define to 1 if you have the header file, and it defines `DIR'. + */ +#undef HAVE_SYS_NDIR_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_PARAM_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_SELECT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_SOCKET_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_STAT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TIME_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TYPES_H + +/* Define to 1 if you have the `tzset' function. */ +#undef HAVE_TZSET + +/* Define to 1 if you have the header file. 
*/ +#undef HAVE_UNISTD_H + +/* IEC 57-61850-90-5 Support */ +#undef IEC90_5_SUPPORT + +/* Old OpenBSD PF_KEY Extensions */ +#undef OLD_OPENBSD_PFKEY_EXT + +/* Need to open FIFO with O_RDRW */ +#undef OPEN_FIFO_RDRW + +/* Name of package */ +#undef PACKAGE + +/* Define to the address where bug reports for this package should be sent. */ +#undef PACKAGE_BUGREPORT + +/* Define to the full name of this package. */ +#undef PACKAGE_NAME + +/* Define to the full name and version of this package. */ +#undef PACKAGE_STRING + +/* Define to the one symbol short name of this package. */ +#undef PACKAGE_TARNAME + +/* Define to the version of this package. */ +#undef PACKAGE_VERSION + +/* Define as the return type of signal handlers (`int' or `void'). */ +#undef RETSIGTYPE + +/* Initialize the RNG */ +#undef SEED_RNG + +/* Define to the type of arg 1 for `select'. */ +#undef SELECT_TYPE_ARG1 + +/* Define to the type of args 2, 3 and 4 for `select'. */ +#undef SELECT_TYPE_ARG234 + +/* Define to the type of arg 5 for `select'. */ +#undef SELECT_TYPE_ARG5 + +/* SRTP Support */ +#undef SRTP_SUPPORT + +/* Define to 1 if you have the ANSI C header files. */ +#undef STDC_HEADERS + +/* Define to 1 if you can safely include both and . */ +#undef TIME_WITH_SYS_TIME + +/* Define to 1 if your declares `struct tm'. */ +#undef TM_IN_SYS_TIME + +/* Phase 1 Agressive Support */ +#undef USE_AGGRESSIVE + +/* Debugging */ +#undef USE_DEBUG + +/* Old Sockaddr Definition */ +#undef USE_OLD_SOCKADDR + +/* 3DES Support */ +#undef USE_TRIPLEDES + +/* Version number of package */ +#undef VERSION + +/* Define to empty if `const' does not conform to ANSI C. */ +#undef const + +/* Not defined in */ +#undef in_addr_t + +/* Not defined in */ +#undef in_port_t + +/* Define to `__inline__' or `__inline' if that's what the C compiler + calls it, or to nothing if 'inline' is not supported under any name. */ +#ifndef __cplusplus +#undef inline +#endif + +/* Define to `int' if does not define. 
*/ +#undef mode_t + +/* Define to `long int' if does not define. */ +#undef off_t + +/* Define to `unsigned int' if does not define. */ +#undef size_t
diff --git a/config/README b/config/README
new file mode 100644
index 0000000..c2e9ffd
--- /dev/null
+++ b/config/README
@@ -0,0 +1,4 @@
+# $Id: README,v 1.1 2003/09/05 21:37:22 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/config/README,v $
+
+This directory stores automatically copied scripts used by configure.
diff --git a/config/config.guess b/config/config.guess
new file mode 100755
index 0000000..396482d
--- /dev/null
+++ b/config/config.guess
@@ -0,0 +1,1500 @@ +#! /bin/sh +# Attempt to guess a canonical system name. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, +# Inc. + +timestamp='2006-07-02' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + + +# Originally written by Per Bothner . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. +# +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. +# +# The plan is that this can be called by configure scripts if you +# don't specify an explicit build system type. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] + +Output the configuration name of the system \`$me' is run on. 
+ +Operation modes: + -h, --help print this help, then exit + -t, --time-stamp print date of last modification, then exit + -v, --version print version number, then exit + +Report bugs and patches to ." + +version="\ +GNU config.guess ($timestamp) + +Originally written by Per Bothner. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 +Free Software Foundation, Inc. + +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +trap 'exit 1' 1 2 15 + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still +# use `HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. 
+ +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then + CC_FOR_BUILD="$c"; break ; + fi ; + done ; + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found ; + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; +esac ; set_cc_for_build= ;' + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. 
This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently, or will in the future. + case "${UNAME_MACHINE_ARCH}" in + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + eval $set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep __ELF__ >/dev/null + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? + os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
+ echo "${machine}-${os}${release}" + exit ;; + *:OpenBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; + *:SolidBSD:*:*) + echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + exit ;; + macppc:MirBSD:*:*) + echo powerpc-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; + alpha:OSF1:*:*) + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. 
+ # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? + echo alpha-pc-interix + exit ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-unknown-sysv4 + exit ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit ;; + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos + exit ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit ;; + arm:riscos:*:*|arm:RISCOS:*:*) + echo arm-unknown-riscos + exit ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7; exit ;; + esac ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + i86pc:SunOS:5.*:*) + echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). 
Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. + atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} + exit ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && + dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && + 
SYSTEM_NAME=`$dummy $dummyarg` && + { echo "$SYSTEM_NAME"; exit; } + echo mips-mips-riscos${UNAME_RELEASE} + exit ;; + Motorola:PowerMAX_OS:*:*) + echo powerpc-motorola-powermax + exit ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. 
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + echo i386-ibm-aix + exit ;; + ia64:AIX:*:*) + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + exit ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + then + echo "$SYSTEM_NAME" + else + echo rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit ;; + *:AIX:*:[45]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? 
) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + esac ;; + esac + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + eval $set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. 
GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + grep __LP64__ >/dev/null + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux${HPUX_REV} + exit ;; + 3050*:HI-UX:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + echo unknown-hitachi-hiuxwe2 + exit ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit ;; + i*86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit ;; + 
C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*T3E:*:*:*) + echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*SV1:*:*:*) + echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:BSD/OS:*:*) + echo 
${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:FreeBSD:*:*) + case ${UNAME_MACHINE} in + pc98) + echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + amd64) + echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + *) + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + esac + exit ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit ;; + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 + exit ;; + i*:PW*:*) + echo ${UNAME_MACHINE}-pc-pw32 + exit ;; + x86:Interix*:[3456]*) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + EM64T:Interix*:[3456]*) + echo x86_64-unknown-interix${UNAME_RELEASE} + exit ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? 
+ echo i586-pc-interix
+ exit ;;
+ i*:UWIN*:*)
+ echo ${UNAME_MACHINE}-pc-uwin
+ exit ;;
+ amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+ echo x86_64-unknown-cygwin
+ exit ;;
+ p*:CYGWIN*:*)
+ echo powerpcle-unknown-cygwin
+ exit ;;
+ prep*:SunOS:5.*:*)
+ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ *:GNU:*:*)
+ # the GNU system
+ echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+ exit ;;
+ *:GNU/*:*:*)
+ # other systems with GNU libc and userland
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+ exit ;;
+ i*86:Minix:*:*)
+ echo ${UNAME_MACHINE}-pc-minix
+ exit ;;
+ arm*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ avr32*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ cris:Linux:*:*)
+ echo cris-axis-linux-gnu
+ exit ;;
+ crisv32:Linux:*:*)
+ echo crisv32-axis-linux-gnu
+ exit ;;
+ frv:Linux:*:*)
+ echo frv-unknown-linux-gnu
+ exit ;;
+ ia64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ m32r*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ m68*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ mips:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips
+ #undef mipsel
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mipsel
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^CPU/{
+ s: ::g
+ p
+ }'`"
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+ ;;
+ mips64:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips64
+ #undef mips64el
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mips64el
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips64
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^CPU/{
+ s: ::g
+ p
+ }'`"
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+ ;;
+ or32:Linux:*:*)
+ echo or32-unknown-linux-gnu
+ exit ;;
+ ppc:Linux:*:*)
+ echo powerpc-unknown-linux-gnu
+ exit ;;
+ ppc64:Linux:*:*)
+ echo powerpc64-unknown-linux-gnu
+ exit ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+ EV56) UNAME_MACHINE=alphaev56 ;;
+ PCA56) UNAME_MACHINE=alphapca56 ;;
+ PCA57) UNAME_MACHINE=alphapca56 ;;
+ EV6) UNAME_MACHINE=alphaev6 ;;
+ EV67) UNAME_MACHINE=alphaev67 ;;
+ EV68*) UNAME_MACHINE=alphaev68 ;;
+ esac
+ objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+ if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+ echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+ exit ;;
+ parisc:Linux:*:* | hppa:Linux:*:*)
+ # Look for CPU level
+ case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+ PA7*) echo hppa1.1-unknown-linux-gnu ;;
+ PA8*) echo hppa2.0-unknown-linux-gnu ;;
+ *) echo hppa-unknown-linux-gnu ;;
+ esac
+ exit ;;
+ parisc64:Linux:*:* | hppa64:Linux:*:*)
+ echo hppa64-unknown-linux-gnu
+ exit ;;
+ s390:Linux:*:* | s390x:Linux:*:*)
+ echo ${UNAME_MACHINE}-ibm-linux
+ exit ;;
+ sh64*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ sh*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ sparc:Linux:*:* | sparc64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit ;;
+ vax:Linux:*:*)
+ echo ${UNAME_MACHINE}-dec-linux-gnu
+ exit ;;
+ x86_64:Linux:*:*)
+ echo x86_64-unknown-linux-gnu
+ exit ;;
+ i*86:Linux:*:*)
+ # The BFD linker knows what the default object file format is, so
+ # first see if it will tell us. cd to the root directory to prevent
+ # problems with other programs or directories called `ld' in the path.
+ # Set LC_ALL=C to ensure ld outputs messages in English.
+ ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+ | sed -ne '/supported targets:/!d
+ s/[ ][ ]*/ /g
+ s/.*supported targets: *//
+ s/ .*//
+ p'`
+ case "$ld_supported_targets" in
+ elf32-i386)
+ TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+ ;;
+ a.out-i386-linux)
+ echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+ exit ;;
+ coff-i386)
+ echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+ exit ;;
+ "")
+ # Either a pre-BFD a.out linker (linux-gnuoldld) or
+ # one that does not give us useful --help.
+ echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+ exit ;;
+ esac
+ # Determine whether the default compiler is a.out or elf
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include
+ #ifdef __ELF__
+ # ifdef __GLIBC__
+ # if __GLIBC__ >= 2
+ LIBC=gnu
+ # else
+ LIBC=gnulibc1
+ # endif
+ # else
+ LIBC=gnulibc1
+ # endif
+ #else
+ #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+ LIBC=gnu
+ #else
+ LIBC=gnuaout
+ #endif
+ #endif
+ #ifdef __dietlibc__
+ LIBC=dietlibc
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^LIBC/{
+ s: ::g
+ p
+ }'`"
+ test x"${LIBC}" != x && {
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+ exit
+ }
+ test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+ ;;
+ i*86:DYNIX/ptx:4*:*)
+ # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+ # earlier versions are messed up and put the nodename in both
+ # sysname and nodename.
+ echo i386-sequent-sysv4
+ exit ;;
+ i*86:UNIX_SV:4.2MP:2.*)
+ # Unixware is an offshoot of SVR4, but it has its own version
+ # number series starting with 2...
+ # I am not positive that other SVR4 systems won't match this,
+ # I just have to hope. -- rms.
+ # Use sysv4.2uw... so that sysv4* matches it.
+ echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit ;; + i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + exit ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. 
+ echo i386-pc-msdosdjgpp
+ exit ;;
+ Intel:Mach:3*:*)
+ echo i386-pc-mach3
+ exit ;;
+ paragon:*:*:*)
+ echo i860-intel-osf1
+ exit ;;
+ i860:*:4.*:*) # i860-SVR4
+ if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+ echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+ else # Add other i860-SVR4 vendors below as they are discovered.
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
+ fi
+ exit ;;
+ mini*:CTIX:SYS*5:*)
+ # "miniframe"
+ echo m68010-convergent-sysv
+ exit ;;
+ mc68k:UNIX:SYSTEM5:3.51m)
+ echo m68k-convergent-sysv
+ exit ;;
+ M680?0:D-NIX:5.3:*)
+ echo m68k-diab-dnix
+ exit ;;
+ M68*:*:R3V[5678]*:*)
+ test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+ 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+ OS_REL=''
+ test -r /etc/.relid \
+ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+ /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+ 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && { echo i486-ncr-sysv4; exit; } ;;
+ m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+ echo m68k-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ mc68030:UNIX_System_V:4.*:*)
+ echo m68k-atari-sysv4
+ exit ;;
+ TSUNAMI:LynxOS:2.*:*)
+ echo sparc-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ rs6000:LynxOS:2.*:*)
+ echo rs6000-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+ echo powerpc-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ SM[BE]S:UNIX_SV:*:*)
+ echo mips-dde-sysv${UNAME_RELEASE}
+ exit ;;
+ RM*:ReliantUNIX-*:*:*)
+ echo mips-sni-sysv4
+ exit ;;
+ RM*:SINIX-*:*:*)
+ echo mips-sni-sysv4
+ exit ;;
+ *:SINIX-*:*:*)
+ if uname -p 2>/dev/null >/dev/null ; then
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ echo ${UNAME_MACHINE}-sni-sysv4
+ else
+ echo ns32k-sni-sysv
+ fi
+ exit ;;
+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+ # says
+ echo i586-unisys-sysv4
+ exit ;;
+ *:UNIX_System_V:4*:FTX*)
+ # From Gerald Hewes .
+ # How about differentiating between stratus architectures? -djm
+ echo hppa1.1-stratus-sysv4
+ exit ;;
+ *:*:*:FTX*)
+ # From seanf@swdc.stratus.com.
+ echo i860-stratus-sysv4
+ exit ;;
+ i*86:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo ${UNAME_MACHINE}-stratus-vos
+ exit ;;
+ *:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo hppa1.1-stratus-vos
+ exit ;;
+ mc68*:A/UX:*:*)
+ echo m68k-apple-aux${UNAME_RELEASE}
+ exit ;;
+ news*:NEWS-OS:6*:*)
+ echo mips-sony-newsos6
+ exit ;;
+ R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+ if [ -d /usr/nec ]; then
+ echo mips-nec-sysv${UNAME_RELEASE}
+ else
+ echo mips-unknown-sysv${UNAME_RELEASE}
+ fi
+ exit ;;
+ BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
+ echo powerpc-be-beos
+ exit ;;
+ BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
+ echo powerpc-apple-beos
+ exit ;;
+ BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
+ echo i586-pc-beos
+ exit ;;
+ SX-4:SUPER-UX:*:*)
+ echo sx4-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-5:SUPER-UX:*:*)
+ echo sx5-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-6:SUPER-UX:*:*)
+ echo sx6-nec-superux${UNAME_RELEASE}
+ exit ;;
+ Power*:Rhapsody:*:*)
+ echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ exit ;;
+ *:Rhapsody:*:*)
+ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ exit ;;
+ *:Darwin:*:*)
+ UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+ case $UNAME_PROCESSOR in
+ unknown) UNAME_PROCESSOR=powerpc ;;
+ esac
+ echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ exit ;;
+ *:procnto*:*:* | *:QNX:[0123456789]*:*)
+ UNAME_PROCESSOR=`uname -p`
+ if test "$UNAME_PROCESSOR" = "x86"; then
+ UNAME_PROCESSOR=i386
+ UNAME_MACHINE=pc
+ fi
+ echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ exit ;;
+ *:QNX:*:4*)
+ echo i386-pc-qnx
+ exit ;;
+ NSE-?:NONSTOP_KERNEL:*:*)
+ echo nse-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ NSR-?:NONSTOP_KERNEL:*:*)
+ echo nsr-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ *:NonStop-UX:*:*)
+ echo mips-compaq-nonstopux
+ exit ;;
+ BS2000:POSIX*:*:*)
+ echo bs2000-siemens-sysv
+ exit ;;
+ DS/*:UNIX_System_V:*:*)
+ echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+ exit ;;
+ *:Plan9:*:*)
+ # "uname -m" is not consistent, so use $cputype instead. 386
+ # is converted to i386 for consistency with other x86
+ # operating systems.
+ if test "$cputype" = "386"; then + UNAME_MACHINE=i386 + else + UNAME_MACHINE="$cputype" + fi + echo ${UNAME_MACHINE}-unknown-plan9 + exit ;; + *:TOPS-10:*:*) + echo pdp10-unknown-tops10 + exit ;; + *:TENEX:*:*) + echo pdp10-unknown-tenex + exit ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + echo pdp10-dec-tops20 + exit ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + echo pdp10-xkl-tops20 + exit ;; + *:TOPS-20:*:*) + echo pdp10-unknown-tops20 + exit ;; + *:ITS:*:*) + echo pdp10-unknown-its + exit ;; + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} + exit ;; + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms ; exit ;; + I*) echo ia64-dec-vms ; exit ;; + V*) echo vax-dec-vms ; exit ;; + esac ;; + *:XENIX:*:SysV) + echo i386-pc-xenix + exit ;; + i*86:skyos:*:*) + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + exit ;; + i*86:rdos:*:*) + echo ${UNAME_MACHINE}-pc-rdos + exit ;; +esac + +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + +eval $set_cc_for_build +cat >$dummy.c < +# include +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... 
*/
+ printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include
+ printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+ "4"
+#else
+ ""
+#endif
+ ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+ printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+ printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+ int version;
+ version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+ if (version < 4)
+ printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ else
+ printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+ exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+ printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+ printf ("ns32k-encore-mach\n"); exit (0);
+#else
+ printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+ printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+ printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+ printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+ struct utsname un;
+
+ uname(&un);
+
+ if (strncmp(un.version, "V2", 2) == 0) {
+ printf ("i386-sequent-ptx2\n"); exit (0);
+ }
+ if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct?
*/ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); + +#endif + +#if defined (vax) +# if !defined (ultrix) +# include +# if defined (BSD) +# if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +# else +# if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# endif +# else + printf ("vax-dec-bsd\n"); exit (0); +# endif +# else + printf ("vax-dec-ultrix\n"); exit (0); +# endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. + +test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } + +# Convex versions that predate uname can use getsysinfo(1) + +if [ -x /usr/convex/getsysinfo ] +then + case `getsysinfo -f cpu_type` in + c1*) + echo c1-convex-bsd + exit ;; + c2*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + c34*) + echo c34-convex-bsd + exit ;; + c38*) + echo c38-convex-bsd + exit ;; + c4*) + echo c4-convex-bsd + exit ;; + esac +fi + +cat >&2 < in order to provide the needed +information to handle your system. 
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config/config.sub b/config/config.sub
new file mode 100755
index 0000000..fab0aa3
--- /dev/null
+++ b/config/config.sub
@@ -0,0 +1,1616 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+# Inc.
+
+timestamp='2006-09-20'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine. It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to . Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support. The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to ."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit ;;
+ --version | -v )
+ echo "$version" ; exit ;;
+ --help | --h* | -h )
+ echo "$usage"; exit ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit ;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+ nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
+ uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+ storm-chaos* | os2-emx* | rtmk-nova*)
+ os=-$maybe_os
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+ ;;
+ *)
+ basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+ if [ $basic_machine != $1 ]
+ then os=`echo $1 | sed 's/.*-/-/'`
+ else os=; fi
+ ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work. We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+ -sun*os*)
+ # Prevent following clause from handling this invalid input.
+ ;;
+ -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+ -apple | -axis | -knuth | -cray)
+ os=
+ basic_machine=$1
+ ;;
+ -sim | -cisco | -oki | -wec | -winbond)
+ os=
+ basic_machine=$1
+ ;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
+ -hiux*)
+ os=-hiuxwe2
+ ;;
+ -sco6)
+ os=-sco5v6
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5)
+ os=-sco3.2v5
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco4)
+ os=-sco3.2v4
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2.[4-9]*)
+ os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2v[4-9]*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5v6*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco*)
+ os=-sco3.2v2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -udk*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -isc)
+ os=-isc2.2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -clix*)
+ basic_machine=clipper-intergraph
+ ;;
+ -isc*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -lynx*)
+ os=-lynxos
+ ;;
+ -ptx*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+ ;;
+ -windowsnt*)
+ os=`echo $os | sed -e 's/windowsnt/winnt/'`
+ ;;
+ -psos*)
+ os=-psos
+ ;;
+ -mint | -mint[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+ # Recognize the basic CPU types without company name.
+ # Some are omitted here because they have special meanings below.
+ 1750a | 580 \
+ | a29k \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | am33_2.0 \
+ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+ | bfin \
+ | c4x | clipper \
+ | d10v | d30v | dlx | dsp16xx \
+ | fr30 | frv \
+ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | i370 | i860 | i960 | ia64 \
+ | ip2k | iq2000 \
+ | m32c | m32r | m32rle | m68000 | m68k | m88k \
+ | maxq | mb | microblaze | mcore \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mips64vr5900 | mips64vr5900el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64r2 | mipsisa64r2el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
+ | mn10200 | mn10300 \
+ | mt \
+ | msp430 \
+ | nios | nios2 \
+ | ns16k | ns32k \
+ | or32 \
+ | pdp10 | pdp11 | pj | pjl \
+ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | pyramid \
+ | score \
+ | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
+ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+ | spu | strongarm \
+ | tahoe | thumb | tic4x | tic80 | tron \
+ | v850 | v850e \
+ | we32k \
+ | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+ | z8k)
+ basic_machine=$basic_machine-unknown
+ ;;
+ m6811 | m68hc11 | m6812 | m68hc12)
+ # Motorola 68HC11/12.
+ basic_machine=$basic_machine-unknown
+ os=-none
+ ;;
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+ ;;
+ ms1)
+ basic_machine=mt-unknown
+ ;;
+
+ # We use `pc' rather than `unknown'
+ # because (1) that's what they normally are, and
+ # (2) the word "unknown" tends to confuse beginning users.
+ i*86 | x86_64)
+ basic_machine=$basic_machine-pc
+ ;;
+ # Object if more than one company name word.
+ *-*-*)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+ # Recognize the basic CPU types with company name.
+ 580-* \
+ | a29k-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
+ | avr-* | avr32-* \
+ | bfin-* | bs2000-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | clipper-* | craynv-* | cydra-* \
+ | d10v-* | d30v-* | dlx-* \
+ | elxsi-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | h8300-* | h8500-* \
+ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* | iq2000-* \
+ | m32c-* | m32r-* | m32rle-* \
+ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+ | m88110-* | m88k-* | maxq-* | mcore-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mips64vr5900-* | mips64vr5900el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64r2-* | mipsisa64r2el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | mmix-* \
+ | mt-* \
+ | msp430-* \
+ | nios-* | nios2-* \
+ | none-* | np1-* | ns16k-* | ns32k-* \
+ | orion-* \
+ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | pyramid-* \
+ | romp-* | rs6000-* \
+ | sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
+ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
+ | sparclite-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
+ | tahoe-* | thumb-* \
+ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+ | tron-* \
+ | v850-* | v850e-* | vax-* \
+ | we32k-* \
+ | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+ | xstormy16-* | xtensa-* \
+ | ymp-* \
+ | z8k-*)
+ ;;
+ # Recognize the various machine names and aliases which stand
+ # for a CPU type and a company and sometimes even an OS.
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
+ 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+ basic_machine=m68000-att
+ ;;
+ 3b*)
+ basic_machine=we32k-att
+ ;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ abacus)
+ basic_machine=abacus-unknown
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
+ alliant | fx80)
+ basic_machine=fx80-alliant
+ ;;
+ altos | altos3068)
+ basic_machine=m68k-altos
+ ;;
+ am29k)
+ basic_machine=a29k-none
+ os=-bsd
+ ;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ amdahl)
+ basic_machine=580-amdahl
+ os=-sysv
+ ;;
+ amiga | amiga-*)
+ basic_machine=m68k-unknown
+ ;;
+ amigaos | amigados)
+ basic_machine=m68k-unknown
+ os=-amigaos
+ ;;
+ amigaunix | amix)
+ basic_machine=m68k-unknown
+ os=-sysv4
+ ;;
+ apollo68)
+ basic_machine=m68k-apollo
+ os=-sysv
+ ;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
+ aux)
+ basic_machine=m68k-apple
+ os=-aux
+ ;;
+ balance)
+ basic_machine=ns32k-sequent
+ os=-dynix
+ ;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
+ convex-c1)
+ basic_machine=c1-convex
+ os=-bsd
+ ;;
+ convex-c2)
+ basic_machine=c2-convex
+ os=-bsd
+ ;;
+ convex-c32)
+ basic_machine=c32-convex
+ os=-bsd
+ ;;
+ convex-c34)
+ basic_machine=c34-convex
+ os=-bsd
+ ;;
+ convex-c38)
+ basic_machine=c38-convex
+ os=-bsd
+ ;;
+ cray | j90)
+ basic_machine=j90-cray
+ os=-unicos
+ ;;
+ craynv)
+ basic_machine=craynv-cray
+ os=-unicosmp
+ ;;
+ cr16c)
+ basic_machine=cr16c-unknown
+ os=-elf
+ ;;
+ crds | unos)
+ basic_machine=m68k-crds
+ ;;
+ crisv32 | crisv32-* | etraxfs*)
+ basic_machine=crisv32-axis
+ ;;
+ cris | cris-* | etrax*)
+ basic_machine=cris-axis
+ ;;
+ crx)
+ basic_machine=crx-unknown
+ os=-elf
+ ;;
+ da30 | da30-*)
+ basic_machine=m68k-da30
+ ;;
+ decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+ basic_machine=mips-dec
+ ;;
+ decsystem10* | dec10*)
+ basic_machine=pdp10-dec
+ os=-tops10
+ ;;
+ decsystem20* | dec20*)
+ basic_machine=pdp10-dec
+ os=-tops20
+ ;;
+ delta | 3300 | motorola-3300 | motorola-delta \
+ | 3300-motorola | delta-motorola)
+ basic_machine=m68k-motorola
+ ;;
+ delta88)
+ basic_machine=m88k-motorola
+ os=-sysv3
+ ;;
+ djgpp)
+ basic_machine=i586-pc
+ os=-msdosdjgpp
+ ;;
+ dpx20 | dpx20-*)
+ basic_machine=rs6000-bull
+ os=-bosx
+ ;;
+ dpx2* | dpx2*-bull)
+ basic_machine=m68k-bull
+ os=-sysv3
+ ;;
+ ebmon29k)
+ basic_machine=a29k-amd
+ os=-ebmon
+ ;;
+ elxsi)
+ basic_machine=elxsi-elxsi
+ os=-bsd
+ ;;
+ encore | umax | mmax)
+ basic_machine=ns32k-encore
+ ;;
+ es1800 | OSE68k | ose68k | ose | OSE)
+ basic_machine=m68k-ericsson
+ os=-ose
+ ;;
+ fx2800)
+ basic_machine=i860-alliant
+ ;;
+ genix)
+ basic_machine=ns32k-ns
+ ;;
+ gmicro)
+ basic_machine=tron-gmicro
+ os=-sysv
+ ;;
+ go32)
+ basic_machine=i386-pc
+ os=-go32
+ ;;
+ h3050r* | hiux*)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ h8300hms)
+ basic_machine=h8300-hitachi
+ os=-hms
+ ;;
+ h8300xray)
+ basic_machine=h8300-hitachi
+ os=-xray
+ ;;
+ h8500hms)
+ basic_machine=h8500-hitachi
+ os=-hms
+ ;;
+ harris)
+ basic_machine=m88k-harris
+ os=-sysv3
+ ;;
+ hp300-*)
+ basic_machine=m68k-hp
+ ;;
+ hp300bsd)
+ basic_machine=m68k-hp
+ os=-bsd
+ ;;
+ hp300hpux)
+ basic_machine=m68k-hp
+ os=-hpux
+ ;;
+ hp3k9[0-9][0-9] | hp9[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k2[0-9][0-9] | hp9k31[0-9])
+ basic_machine=m68000-hp
+ ;;
+ hp9k3[2-9][0-9])
+ basic_machine=m68k-hp
+ ;;
+ hp9k6[0-9][0-9] | hp6[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k7[0-79][0-9] | hp7[0-79][0-9])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k78[0-9] | hp78[0-9])
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][13679] | hp8[0-9][13679])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][0-9] | hp8[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hppa-next)
+ os=-nextstep3
+ ;;
+ hppaosf)
+ basic_machine=hppa1.1-hp
+ os=-osf
+ ;;
+ hppro)
+ basic_machine=hppa1.1-hp
+ os=-proelf
+ ;;
+ i370-ibm* | ibm*)
+ basic_machine=i370-ibm
+ ;;
+# I'm not sure what "Sysv32" means. Should this be sysv3.2?
+ i*86v32)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv32
+ ;;
+ i*86v4*)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv4
+ ;;
+ i*86v)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv
+ ;;
+ i*86sol2)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-solaris2
+ ;;
+ i386mach)
+ basic_machine=i386-mach
+ os=-mach
+ ;;
+ i386-vsta | vsta)
+ basic_machine=i386-unknown
+ os=-vsta
+ ;;
+ iris | iris4d)
+ basic_machine=mips-sgi
+ case $os in
+ -irix*)
+ ;;
+ *)
+ os=-irix4
+ ;;
+ esac
+ ;;
+ isi68 | isi)
+ basic_machine=m68k-isi
+ os=-sysv
+ ;;
+ m88k-omron*)
+ basic_machine=m88k-omron
+ ;;
+ magnum | m3230)
+ basic_machine=mips-mips
+ os=-sysv
+ ;;
+ merlin)
+ basic_machine=ns32k-utek
+ os=-sysv
+ ;;
+ mingw32)
+ basic_machine=i386-pc
+ os=-mingw32
+ ;;
+ miniframe)
+ basic_machine=m68000-convergent
+ ;;
+ *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+ mips3*-*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+ ;;
+ mips3*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+ ;;
+ monitor)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ morphos)
+ basic_machine=powerpc-unknown
+ os=-morphos
+ ;;
+ msdos)
+ basic_machine=i386-pc
+ os=-msdos
+ ;;
+ ms1-*)
+ basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+ ;;
+ mvs)
+ basic_machine=i370-ibm
+ os=-mvs
+ ;;
+ ncr3000)
+ basic_machine=i486-ncr
+ os=-sysv4
+ ;;
+ netbsd386)
+ basic_machine=i386-unknown
+ os=-netbsd
+ ;;
+ netwinder)
+ basic_machine=armv4l-rebel
+ os=-linux
+ ;;
+ news | news700 | news800 | news900)
+ basic_machine=m68k-sony
+ os=-newsos
+ ;;
+ news1000)
+ basic_machine=m68030-sony
+ os=-newsos
+ ;;
+ news-3600 | risc-news)
+ basic_machine=mips-sony
+ os=-newsos
+ ;;
+ necv70)
+ basic_machine=v70-nec
+ os=-sysv
+ ;;
+ next | m*-next )
+ basic_machine=m68k-next
+ case $os in
+ -nextstep* )
+ ;;
+ -ns2*)
+ os=-nextstep2
+ ;;
+ *)
+ os=-nextstep3
+ ;;
+ esac
+ ;;
+ nh3000)
+ basic_machine=m68k-harris
+ os=-cxux
+ ;;
+ nh[45]000)
+ basic_machine=m88k-harris
+ os=-cxux
+ ;;
+ nindy960)
+ basic_machine=i960-intel
+ os=-nindy
+ ;;
+ mon960)
+ basic_machine=i960-intel
+ os=-mon960
+ ;;
+ nonstopux)
+ basic_machine=mips-compaq
+ os=-nonstopux
+ ;;
+ np1)
+ basic_machine=np1-gould
+ ;;
+ nsr-tandem)
+ basic_machine=nsr-tandem
+ ;;
+ op50n-* | op60c-*)
+ basic_machine=hppa1.1-oki
+ os=-proelf
+ ;;
+ openrisc | openrisc-*)
+ basic_machine=or32-unknown
+ ;;
+ os400)
+ basic_machine=powerpc-ibm
+ os=-os400
+ ;;
+ OSE68000 | ose68000)
+ basic_machine=m68000-ericsson
+ os=-ose
+ ;;
+ os68k)
+ basic_machine=m68k-none
+ os=-os68k
+ ;;
+ pa-hitachi)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ paragon)
+ basic_machine=i860-intel
+ os=-osf
+ ;;
+ pbd)
+ basic_machine=sparc-tti
+ ;;
+ pbb)
+ basic_machine=m68k-tti
+ ;;
+ pc532 | pc532-*)
+ basic_machine=ns32k-pc532
+ ;;
+ pc98)
+ basic_machine=i386-pc
+ ;;
+ pc98-*)
+ basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentium | p5 | k5 | k6 | nexgen | viac3)
+ basic_machine=i586-pc
+ ;;
+ pentiumpro | p6 | 6x86 | athlon | athlon_*)
+ basic_machine=i686-pc
+ ;;
+ pentiumii | pentium2 | pentiumiii | pentium3)
+ basic_machine=i686-pc
+ ;;
+ pentium4)
+ basic_machine=i786-pc
+ ;;
+ pentium-* | p5-* | k5-* | k6-* |
nexgen-* | viac3-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-* | athlon-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=power-ibm + ;; + ppc) basic_machine=powerpc-unknown + ;; + ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64) basic_machine=powerpc64-unknown + ;; + ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64le | powerpc64little | ppc64-le | powerpc64-little) + basic_machine=powerpc64le-unknown + ;; + ppc64le-* | powerpc64little-*) + basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + pw32) + basic_machine=i586-unknown + os=-pw32 + ;; + rdos) + basic_machine=i386-pc + os=-rdos + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sde) + basic_machine=mipsisa32-sde + os=-elf + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + 
basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 + ;; + sun3 | sun3-*) + basic_machine=m68k-sun + ;; + sun4) + basic_machine=sparc-sun + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + ;; + sv1) + basic_machine=sv1-cray + os=-unicos + ;; + symmetry) + basic_machine=i386-sequent + os=-dynix + ;; + t3e) + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray + os=-unicos + ;; + tic54x | c54x*) + basic_machine=tic54x-unknown + os=-coff + ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; + tx39) + basic_machine=mipstx39-unknown + ;; + tx39el) + basic_machine=mipstx39el-unknown + ;; + toad1) + basic_machine=pdp10-xkl + os=-tops20 + ;; + tower | tower-32) + basic_machine=m68k-ncr + ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; + udi29k) + basic_machine=a29k-amd + os=-udi + ;; + ultra3) + basic_machine=a29k-nyu + os=-sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=-none + ;; + vaxv) + basic_machine=vax-dec + os=-sysv + ;; + vms) + basic_machine=vax-dec + os=-vms + ;; + vpp*|vx|vx-*) + basic_machine=f301-fujitsu + ;; + vxworks960) + basic_machine=i960-wrs + os=-vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=-vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=-vxworks + ;; + w65*) + basic_machine=w65-wdc + os=-none + ;; + w89k-*) + basic_machine=hppa1.1-winbond + os=-proelf + ;; + 
xbox) + basic_machine=i686-pc + os=-mingw32 + ;; + xps | xps100) + basic_machine=xps100-honeywell + ;; + ymp) + basic_machine=ymp-cray + os=-unicos + ;; + z8k-*-coff) + basic_machine=z8k-unknown + os=-sim + ;; + none) + basic_machine=none-none + os=-none + ;; + +# Here we handle the default manufacturer of certain CPU types. It is in +# some cases the only manufacturer, in others, it is the most popular. + w89k) + basic_machine=hppa1.1-winbond + ;; + op50n) + basic_machine=hppa1.1-oki + ;; + op60c) + basic_machine=hppa1.1-oki + ;; + romp) + basic_machine=romp-ibm + ;; + mmix) + basic_machine=mmix-knuth + ;; + rs6000) + basic_machine=rs6000-ibm + ;; + vax) + basic_machine=vax-dec + ;; + pdp10) + # there are many clones, so DEC is not a safe bet + basic_machine=pdp10-unknown + ;; + pdp11) + basic_machine=pdp11-dec + ;; + we32k) + basic_machine=we32k-att + ;; + sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele) + basic_machine=sh-unknown + ;; + sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) + basic_machine=sparc-sun + ;; + cydra) + basic_machine=cydra-cydrome + ;; + orion) + basic_machine=orion-highlevel + ;; + orion105) + basic_machine=clipper-highlevel + ;; + mac | mpw | mac-mpw) + basic_machine=m68k-apple + ;; + pmac | pmac-mpw) + basic_machine=powerpc-apple + ;; + *-unknown) + # Make sure to match an already-canonicalized machine name. + ;; + *) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; +esac + +# Here we canonicalize certain aliases for manufacturers. +case $basic_machine in + *-digital*) + basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` + ;; + *-commodore*) + basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + ;; + *) + ;; +esac + +# Decode manufacturer-specific aliases for certain operating systems. + +if [ x"$os" != x"" ] +then +case $os in + # First match some system type aliases + # that might get confused with valid system types. 
+ # -solaris* is a basic system type, with this one exception.
+ -solaris1 | -solaris1.*)
+ os=`echo $os | sed -e 's|solaris1|sunos4|'`
+ ;;
+ -solaris)
+ os=-solaris2
+ ;;
+ -svr4*)
+ os=-sysv4
+ ;;
+ -unixware*)
+ os=-sysv4.2uw
+ ;;
+ -gnu/linux*)
+ os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+ ;;
+ # First accept the basic system types.
+ # The portable systems comes first.
+ # Each alternative MUST END IN A *, to match a version number.
+ # -sysv* is not here because it comes later, after sysvr4.
+ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+ | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+ | -aos* \
+ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+ | -openbsd* | -solidbsd* \
+ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+ | -chorusos* | -chorusrdb* \
+ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+ | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+ | -skyos* | -haiku* | -rdos* | -toppers*)
+ # Remember, each alternative MUST END IN *, to match a version number.
+ ;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i*86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto-qnx*)
+ ;;
+ -nto*)
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
+ -linux-dietlibc)
+ os=-linux-dietlibc
+ ;;
+ -linux*)
+ os=`echo $os | sed -e 's|linux|linux-gnu|'`
+ ;;
+ -sunos5*)
+ os=`echo $os | sed -e 's|sunos5|solaris2|'`
+ ;;
+ -sunos6*)
+ os=`echo $os | sed -e 's|sunos6|solaris3|'`
+ ;;
+ -opened*)
+ os=-openedition
+ ;;
+ -os400*)
+ os=-os400
+ ;;
+ -wince*)
+ os=-wince
+ ;;
+ -osfrose*)
+ os=-osfrose
+ ;;
+ -osf*)
+ os=-osf
+ ;;
+ -utek*)
+ os=-bsd
+ ;;
+ -dynix*)
+ os=-bsd
+ ;;
+ -acis*)
+ os=-aos
+ ;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -syllable*)
+ os=-syllable
+ ;;
+ -386bsd)
+ os=-bsd
+ ;;
+ -ctix* | -uts*)
+ os=-sysv
+ ;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
+ -ns2 )
+ os=-nextstep2
+ ;;
+ -nsk*)
+ os=-nsk
+ ;;
+ # Preserve the version number of sinix5.
+ -sinix5.*)
+ os=`echo $os | sed -e 's|sinix|sysv|'`
+ ;;
+ -sinix*)
+ os=-sysv4
+ ;;
+ -tpf*)
+ os=-tpf
+ ;;
+ -triton*)
+ os=-sysv3
+ ;;
+ -oss*)
+ os=-sysv3
+ ;;
+ -svr4)
+ os=-sysv4
+ ;;
+ -svr3)
+ os=-sysv3
+ ;;
+ -sysvr4)
+ os=-sysv4
+ ;;
+ # This must come after -sysvr4.
+ -sysv*)
+ ;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
+ -xenix)
+ os=-xenix
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -kaos*)
+ os=-kaos
+ ;;
+ -zvmoe)
+ os=-zvmoe
+ ;;
+ -none)
+ ;;
+ *)
+ # Get rid of the `-' at the beginning of $os.
+ os=`echo $os | sed 's/[^-]*-//'`
+ echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system. Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+ score-*)
+ os=-elf
+ ;;
+ spu-*)
+ os=-elf
+ ;;
+ *-acorn)
+ os=-riscix1.2
+ ;;
+ arm*-rebel)
+ os=-linux
+ ;;
+ arm*-semi)
+ os=-aout
+ ;;
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
+ os=-none
+ ;;
+ *-dec | vax-*)
+ os=-ultrix4.2
+ ;;
+ m68*-apollo)
+ os=-domain
+ ;;
+ i386-sun)
+ os=-sunos4.0.2
+ ;;
+ m68000-sun)
+ os=-sunos3
+ # This also exists in the configure program, but was not the
+ # default.
+ # os=-sunos4
+ ;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
+ or32-*)
+ os=-coff
+ ;;
+ *-tti) # must be before sparc entry or we get the wrong os.
+ os=-sysv3
+ ;;
+ sparc-* | *-sun)
+ os=-sunos4.1.1
+ ;;
+ *-be)
+ os=-beos
+ ;;
+ *-haiku)
+ os=-haiku
+ ;;
+ *-ibm)
+ os=-aix
+ ;;
+ *-knuth)
+ os=-mmixware
+ ;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
+ *-hp)
+ os=-hpux
+ ;;
+ *-hitachi)
+ os=-hiux
+ ;;
+ i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+ os=-sysv
+ ;;
+ *-cbm)
+ os=-amigaos
+ ;;
+ *-dg)
+ os=-dgux
+ ;;
+ *-dolphin)
+ os=-sysv3
+ ;;
+ m68k-ccur)
+ os=-rtu
+ ;;
+ m88k-omron*)
+ os=-luna
+ ;;
+ *-next )
+ os=-nextstep
+ ;;
+ *-sequent)
+ os=-ptx
+ ;;
+ *-crds)
+ os=-unos
+ ;;
+ *-ns)
+ os=-genix
+ ;;
+ i370-*)
+ os=-mvs
+ ;;
+ *-next)
+ os=-nextstep3
+ ;;
+ *-gould)
+ os=-sysv
+ ;;
+ *-highlevel)
+ os=-bsd
+ ;;
+ *-encore)
+ os=-bsd
+ ;;
+ *-sgi)
+ os=-irix
+ ;;
+ *-siemens)
+ os=-sysv4
+ ;;
+ *-masscomp)
+ os=-rtu
+ ;;
+ f30[01]-fujitsu | f700-fujitsu)
+ os=-uxpv
+ ;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
+ *)
+ os=-none
+ ;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer. We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+ *-unknown)
+ case $os in
+ -riscix*)
+ vendor=acorn
+ ;;
+ -sunos*)
+ vendor=sun
+ ;;
+ -aix*)
+ vendor=ibm
+ ;;
+ -beos*)
+ vendor=be
+ ;;
+ -hpux*)
+ vendor=hp
+ ;;
+ -mpeix*)
+ vendor=hp
+ ;;
+ -hiux*)
+ vendor=hitachi
+ ;;
+ -unos*)
+ vendor=crds
+ ;;
+ -dgux*)
+ vendor=dg
+ ;;
+ -luna*)
+ vendor=omron
+ ;;
+ -genix*)
+ vendor=ns
+ ;;
+ -mvs* | -opened*)
+ vendor=ibm
+ ;;
+ -os400*)
+ vendor=ibm
+ ;;
+ -ptx*)
+ vendor=sequent
+ ;;
+ -tpf*)
+ vendor=ibm
+ ;;
+ -vxsim* | -vxworks* | -windiss*)
+ vendor=wrs
+ ;;
+ -aux*)
+ vendor=apple
+ ;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ vendor=atari
+ ;;
+ -vos*)
+ vendor=stratus
+ ;;
+ esac
+ basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ ;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config/depcomp b/config/depcomp
new file mode 100755
index 0000000..ca5ea4e
--- /dev/null
+++ b/config/depcomp
@@ -0,0 +1,584 @@
+#! /bin/sh
+# depcomp - compile a program generating dependencies as side-effects
+
+scriptversion=2006-10-15.18
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006 Free Software
+# Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Alexandre Oliva .
+
+case $1 in
+ '')
+ echo "$0: No command. Try \`$0 --help' for more information." 1>&2
+ exit 1;
+ ;;
+ -h | --h*)
+ cat <<\EOF
+Usage: depcomp [--help] [--version] PROGRAM [ARGS]
+
+Run PROGRAMS ARGS to compile a file, generating dependencies
+as side-effects.
+
+Environment variables:
+ depmode Dependency tracking mode.
+ source Source file read by `PROGRAMS ARGS'.
+ object Object file output by `PROGRAMS ARGS'.
+ DEPDIR directory where to store dependencies.
+ depfile Dependency file to output.
+ tmpdepfile Temporary file to use when outputing dependencies.
+ libtool Whether libtool is used (yes/no).
+
+Report bugs to .
+EOF
+ exit $?
+ ;;
+ -v | --v*)
+ echo "depcomp $scriptversion"
+ exit $?
+ ;;
+esac
+
+if test -z "$depmode" || test -z "$source" || test -z "$object"; then
+ echo "depcomp: Variables source, object and depmode must be set" 1>&2
+ exit 1
+fi
+
+# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
+depfile=${depfile-`echo "$object" |
+ sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
+tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
+
+rm -f "$tmpdepfile"
+
+# Some modes work just like other modes, but use different flags. We
+# parameterize here, but still list the modes in the big case below,
+# to make depend.m4 easier to write. Note that we *cannot* use a case
+# here, because this file can only contain one case statement.
+if test "$depmode" = hp; then
+ # HP compiler uses -M and no extra arg.
+ gccflag=-M
+ depmode=gcc
+fi
+
+if test "$depmode" = dashXmstdout; then
+ # This is just like dashmstdout with a different argument.
+ dashmflag=-xM
+ depmode=dashmstdout
+fi
+
+case "$depmode" in
+gcc3)
+## gcc 3 implements dependency tracking that does exactly what
+## we want. Yay! Note: for some reason libtool 1.4 doesn't like
+## it if -MD -MP comes after the -MF stuff. Hmm.
+## Unfortunately, FreeBSD c89 acceptance of flags depends upon
+## the command line argument order; so add the flags where they
+## appear in depend2.am. Note that the slowdown incurred here
+## affects only configure: in makefiles, %FASTDEP% shortcuts this.
+ for arg
+ do
+ case $arg in
+ -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
+ *) set fnord "$@" "$arg" ;;
+ esac
+ shift # fnord
+ shift # $arg
+ done
+ "$@"
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ mv "$tmpdepfile" "$depfile"
+ ;;
+
+gcc)
+## There are various ways to get dependency output from gcc. Here's
+## why we pick this rather obscure method:
+## - Don't want to use -MD because we'd like the dependencies to end
+## up in a subdir. Having to rename by hand is ugly.
+## (We might end up doing this anyway to support other compilers.) +## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like +## -MM, not -M (despite what the docs say). +## - Using -M directly means running the compiler twice (even worse +## than renaming). + if test -z "$gccflag"; then + gccflag=-MD, + fi + "$@" -Wp,"$gccflag$tmpdepfile" + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + echo "$object : \\" > "$depfile" + alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz +## The second -e expression handles DOS-style file names with drive letters. + sed -e 's/^[^:]*: / /' \ + -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" +## This next piece of magic avoids the `deleted header file' problem. +## The problem is that when a header file which appears in a .P file +## is deleted, the dependency causes make to die (because there is +## typically no way to rebuild the header). We avoid this by adding +## dummy dependencies for each header file. Too bad gcc doesn't do +## this for us directly. + tr ' ' ' +' < "$tmpdepfile" | +## Some versions of gcc put a space before the `:'. On the theory +## that the space means something, we add a space to the output as +## well. +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + +sgi) + if test "$libtool" = yes; then + "$@" "-Wp,-MDupdate,$tmpdepfile" + else + "$@" -MDupdate "$tmpdepfile" + fi + stat=$? 
+ if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + + if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files + echo "$object : \\" > "$depfile" + + # Clip off the initial element (the dependent). Don't try to be + # clever and replace this with sed code, as IRIX sed won't handle + # lines with more than a fixed number of characters (4096 in + # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; + # the IRIX cc adds comments like `#:fec' to the end of the + # dependency line. + tr ' ' ' +' < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \ + tr ' +' ' ' >> $depfile + echo >> $depfile + + # The second pass generates a dummy entry for each header file. + tr ' ' ' +' < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ + >> $depfile + else + # The sourcefile does not contain any dependencies, so just + # store a dummy comment line, to avoid errors with the Makefile + # "include basename.Plo" scheme. + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" + ;; + +aix) + # The C for AIX Compiler uses -M and outputs the dependencies + # in a .u file. In older versions, this file always lives in the + # current directory. Also, the AIX compiler puts `$object:' at the + # start of each line; $object doesn't have directory information. + # Version 6 uses the directory in both cases. + stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'` + tmpdepfile="$stripped.u" + if test "$libtool" = yes; then + "$@" -Wc,-M + else + "$@" -M + fi + stat=$? + + if test -f "$tmpdepfile"; then : + else + stripped=`echo "$stripped" | sed 's,^.*/,,'` + tmpdepfile="$stripped.u" + fi + + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + + if test -f "$tmpdepfile"; then + outname="$stripped.o" + # Each line is of the form `foo.o: dependent.h'. 
+ # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile" + sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile" + else + # The sourcefile does not contain any dependencies, so just + # store a dummy comment line, to avoid errors with the Makefile + # "include basename.Plo" scheme. + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" + ;; + +icc) + # Intel's C compiler understands `-MD -MF file'. However on + # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c + # ICC 7.0 will fill foo.d with something like + # foo.o: sub/foo.c + # foo.o: sub/foo.h + # which is wrong. We want: + # sub/foo.o: sub/foo.c + # sub/foo.o: sub/foo.h + # sub/foo.c: + # sub/foo.h: + # ICC 7.1 will output + # foo.o: sub/foo.c sub/foo.h + # and will wrap long lines using \ : + # foo.o: sub/foo.c ... \ + # sub/foo.h ... \ + # ... + + "$@" -MD -MF "$tmpdepfile" + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + # Each line is of the form `foo.o: dependent.h', + # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. + # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process this invocation + # correctly. Breaking it into two sed invocations is a workaround. + sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" | + sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp2) + # The "hp" stanza above does not work with aCC (C++) and HP's ia64 + # compilers, which have integrated preprocessors. The correct option + # to use with these is +Maked; it writes dependencies to a file named + # 'foo.d', which lands next to the object file, wherever that + # happens to be. + # Much of this is similar to the tru64 case; see comments there. 
+ dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir.libs/$base.d + "$@" -Wc,+Maked + else + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir$base.d + "$@" +Maked + fi + stat=$? + if test $stat -eq 0; then : + else + rm -f "$tmpdepfile1" "$tmpdepfile2" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile" + # Add `dependent.h:' lines. + sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile" + else + echo "#dummy" > "$depfile" + fi + rm -f "$tmpdepfile" "$tmpdepfile2" + ;; + +tru64) + # The Tru64 compiler uses -MD to generate dependencies as a side + # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. + # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put + # dependencies in `foo.d' instead, so we check for that too. + # Subdirectories are respected. + dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` + test "x$dir" = "x$object" && dir= + base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` + + if test "$libtool" = yes; then + # With Tru64 cc, shared objects can also be used to make a + # static library. This mechanism is used in libtool 1.4 series to + # handle both shared and static libraries in a single compilation. + # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d. + # + # With libtool 1.5 this exception was removed, and libtool now + # generates 2 separate objects for the 2 libraries. These two + # compilations output dependencies in $dir.libs/$base.o.d and + # in $dir$base.o.d. We have to check for both files, because + # one of the two compilations can be disabled. 
We should prefer
+ # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
+ # automatically cleaned when .libs/ is deleted, while ignoring
+ # the former would cause a distcleancheck panic.
+ tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
+ tmpdepfile2=$dir$base.o.d # libtool 1.5
+ tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
+ tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
+ "$@" -Wc,-MD
+ else
+ tmpdepfile1=$dir$base.o.d
+ tmpdepfile2=$dir$base.d
+ tmpdepfile3=$dir$base.d
+ tmpdepfile4=$dir$base.d
+ "$@" -MD
+ fi
+
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+ exit $stat
+ fi
+
+ for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+ do
+ test -f "$tmpdepfile" && break
+ done
+ if test -f "$tmpdepfile"; then
+ sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
+ # That's a tab and a space in the [].
+ sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+ else
+ echo "#dummy" > "$depfile"
+ fi
+ rm -f "$tmpdepfile"
+ ;;
+
+#nosideeffect)
+ # This comment above is used by automake to tell side-effect
+ # dependency tracking mechanisms from slower ones.
+
+dashmstdout)
+ # Important note: in order to support this mode, a compiler *must*
+ # always write the preprocessed file to stdout, regardless of -o.
+ "$@" || exit $?
+
+ # Remove the call to Libtool.
+ if test "$libtool" = yes; then
+ while test $1 != '--mode=compile'; do
+ shift
+ done
+ shift
+ fi
+
+ # Remove `-o $object'.
+ IFS=" "
+ for arg
+ do
+ case $arg in
+ -o)
+ shift
+ ;;
+ $object)
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift # fnord
+ shift # $arg
+ ;;
+ esac
+ done
+
+ test -z "$dashmflag" && dashmflag=-M
+ # Require at least two characters before searching for `:'
+ # in the target name. This is to cope with DOS-style filenames:
+ # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+ "$@" $dashmflag | + sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile" + rm -f "$depfile" + cat < "$tmpdepfile" > "$depfile" + tr ' ' ' +' < "$tmpdepfile" | \ +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +dashXmstdout) + # This case only exists to satisfy depend.m4. It is never actually + # run, as this mode is specially recognized in the preamble. + exit 1 + ;; + +makedepend) + "$@" || exit $? + # Remove any Libtool call + if test "$libtool" = yes; then + while test $1 != '--mode=compile'; do + shift + done + shift + fi + # X makedepend + shift + cleared=no + for arg in "$@"; do + case $cleared in + no) + set ""; shift + cleared=yes ;; + esac + case "$arg" in + -D*|-I*) + set fnord "$@" "$arg"; shift ;; + # Strip any option that makedepend may not understand. Remove + # the object too, otherwise makedepend will parse it as a source file. + -*|$object) + ;; + *) + set fnord "$@" "$arg"; shift ;; + esac + done + obj_suffix="`echo $object | sed 's/^.*\././'`" + touch "$tmpdepfile" + ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" + rm -f "$depfile" + cat < "$tmpdepfile" > "$depfile" + sed '1,2d' "$tmpdepfile" | tr ' ' ' +' | \ +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" "$tmpdepfile".bak + ;; + +cpp) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test $1 != '--mode=compile'; do + shift + done + shift + fi + + # Remove `-o $object'. 
+ IFS=" "
+ for arg
+ do
+ case $arg in
+ -o)
+ shift
+ ;;
+ $object)
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift # fnord
+ shift # $arg
+ ;;
+ esac
+ done
+
+ "$@" -E |
+ sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
+ sed '$ s: \\$::' > "$tmpdepfile"
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ cat < "$tmpdepfile" >> "$depfile"
+ sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+msvisualcpp)
+ # Important note: in order to support this mode, a compiler *must*
+ # always write the preprocessed file to stdout, regardless of -o,
+ # because we must use -o when running libtool.
+ "$@" || exit $?
+ IFS=" "
+ for arg
+ do
+ case "$arg" in
+ "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
+ set fnord "$@"
+ shift
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift
+ shift
+ ;;
+ esac
+ done
+ "$@" -E |
+ sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
+ echo " " >> "$depfile"
+ . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+none)
+ exec "$@"
+ ;;
+
+*)
+ echo "Unknown depmode $depmode" 1>&2
+ exit 1
+ ;;
+esac
+
+exit 0
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/config/install-sh b/config/install-sh
new file mode 100755
index 0000000..4fbbae7
--- /dev/null
+++ b/config/install-sh
@@ -0,0 +1,507 @@
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2006-10-14.15
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+ +nl=' +' +IFS=" "" $nl" + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" +if test -z "$doit"; then + doit_exec=exec +else + doit_exec=$doit +fi + +# Put in absolute file names if you don't have them in your path; +# or use environment vars. + +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +posix_glob= +posix_mkdir= + +# Desired mode of installed file. +mode=0755 + +chmodcmd=$chmodprog +chowncmd= +chgrpcmd= +stripcmd= +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src= +dst= +dir_arg= +dstarg= +no_target_directory= + +usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE + or: $0 [OPTION]... SRCFILES... DIRECTORY + or: $0 [OPTION]... -t DIRECTORY SRCFILES... + or: $0 [OPTION]... -d DIRECTORIES... + +In the 1st form, copy SRCFILE to DSTFILE. +In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. +In the 4th, create DIRECTORIES. + +Options: +-c (ignored) +-d create directories instead of installing files. +-g GROUP $chgrpprog installed files to GROUP. +-m MODE $chmodprog installed files to MODE. +-o USER $chownprog installed files to USER. +-s $stripprog installed files. +-t DIRECTORY install into DIRECTORY. +-T report an error if DSTFILE is a directory. +--help display this help and exit. +--version display version info and exit. 
+ +Environment variables override the default commands: + CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG +" + +while test $# -ne 0; do + case $1 in + -c) shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + --help) echo "$usage"; exit $?;; + + -m) mode=$2 + shift + shift + case $mode in + *' '* | *' '* | *' +'* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -s) stripcmd=$stripprog + shift + continue;; + + -t) dstarg=$2 + shift + shift + continue;; + + -T) no_target_directory=true + shift + continue;; + + --version) echo "$0 $scriptversion"; exit $?;; + + --) shift + break;; + + -*) echo "$0: invalid option: $1" >&2 + exit 1;; + + *) break;; + esac +done + +if test $# -ne 0 && test -z "$dir_arg$dstarg"; then + # When -d is used, all remaining arguments are directories to create. + # When -t is used, the destination is already specified. + # Otherwise, the last argument is the destination. Remove it from $@. + for arg + do + if test -n "$dstarg"; then + # $@ is not empty: it contains at least $arg. + set fnord "$@" "$dstarg" + shift # fnord + fi + shift # arg + dstarg=$arg + done +fi + +if test $# -eq 0; then + if test -z "$dir_arg"; then + echo "$0: no input file specified." >&2 + exit 1 + fi + # It's OK to call `install-sh -d' without argument. + # This can happen when creating conditional directories. + exit 0 +fi + +if test -z "$dir_arg"; then + trap '(exit $?); exit' 1 2 13 15 + + # Set umask so as not to create temps with too-generous modes. + # However, 'strip' requires both read and write access to temps. + case $mode in + # Optimize common cases. 
+ *644) cp_umask=133;; + *755) cp_umask=22;; + + *[0-7]) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw='% 200' + fi + cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; + *) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw=,u+rw + fi + cp_umask=$mode$u_plus_rw;; + esac +fi + +for src +do + # Protect names starting with `-'. + case $src in + -*) src=./$src ;; + esac + + if test -n "$dir_arg"; then + dst=$src + dstdir=$dst + test -d "$dstdir" + dstdir_status=$? + else + + # Waiting for this to be detected by the "$cpprog $src $dsttmp" command + # might cause directories to be created, which would be especially bad + # if $src (and thus $dsttmp) contains '*'. + if test ! -f "$src" && test ! -d "$src"; then + echo "$0: $src does not exist." >&2 + exit 1 + fi + + if test -z "$dstarg"; then + echo "$0: no destination specified." >&2 + exit 1 + fi + + dst=$dstarg + # Protect names starting with `-'. + case $dst in + -*) dst=./$dst ;; + esac + + # If destination is a directory, append the input filename; won't work + # if double slashes aren't ignored. + if test -d "$dst"; then + if test -n "$no_target_directory"; then + echo "$0: $dstarg: Is a directory" >&2 + exit 1 + fi + dstdir=$dst + dst=$dstdir/`basename "$src"` + dstdir_status=0 + else + # Prefer dirname, but fall back on a substitute if dirname fails. + dstdir=` + (dirname "$dst") 2>/dev/null || + expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$dst" : 'X\(//\)[^/]' \| \ + X"$dst" : 'X\(//\)$' \| \ + X"$dst" : 'X\(/\)' \| . 2>/dev/null || + echo X"$dst" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q' + ` + + test -d "$dstdir" + dstdir_status=$? + fi + fi + + obsolete_mkdir_used=false + + if test $dstdir_status != 0; then + case $posix_mkdir in + '') + # Create intermediate dirs using mode 755 as modified by the umask. 
+ # This is like FreeBSD 'install' as of 1997-10-28. + umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. + if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi + + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 + + if (umask $mkdir_umask && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writeable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + ls_ld_tmpdir=`ls -ld "$tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/d" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + fi + trap '' 0;; + esac;; + esac + + if + $posix_mkdir && ( + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + ) + then : + else + + # The umask is ridiculous, or mkdir does not conform to POSIX, + # or it failed possibly due to a race condition. 
Create the + # directory the slow way, step by step, checking for races as we go. + + case $dstdir in + /*) prefix=/ ;; + -*) prefix=./ ;; + *) prefix= ;; + esac + + case $posix_glob in + '') + if (set -f) 2>/dev/null; then + posix_glob=true + else + posix_glob=false + fi ;; + esac + + oIFS=$IFS + IFS=/ + $posix_glob && set -f + set fnord $dstdir + shift + $posix_glob && set +f + IFS=$oIFS + + prefixes= + + for d + do + test -z "$d" && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ + done + + if test -n "$prefixes"; then + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true + fi + fi + fi + + if test -n "$dir_arg"; then + { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && + { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || + test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 + else + + # Make a couple of temp file names in the proper directory. + dsttmp=$dstdir/_inst.$$_ + rmtmp=$dstdir/_rm.$$_ + + # Trap to clean up those temp files at exit. + trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 + + # Copy the file name to the temp name. + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + + # and set any options; do chmod last to preserve setuid bits. + # + # If any of these fail, we abort the whole thing. 
If we want to + # ignore errors from any of these, just make sure not to ignore + # errors from the above "$doit $cpprog $src $dsttmp" command. + # + { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \ + && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \ + && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \ + && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && + + # Now rename the file to the real destination. + { $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null \ + || { + # The rename failed, perhaps because mv can't rename something else + # to itself, or perhaps because mv is so ancient that it does not + # support -f. + + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + if test -f "$dst"; then + $doit $rmcmd -f "$dst" 2>/dev/null \ + || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null \ + && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }; }\ + || { + echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + else + : + fi + } && + + # Now rename the file to the real destination. + $doit $mvcmd "$dsttmp" "$dst" + } + } || exit 1 + + trap '' 0 + fi +done + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-end: "$" +# End: diff --git a/config/missing b/config/missing new file mode 100755 index 0000000..1c8ff70 --- /dev/null +++ b/config/missing 
@@ -0,0 +1,367 @@ +#! /bin/sh +# Common stub for a few missing GNU programs while installing. + +scriptversion=2006-05-10.23 + +# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006 +# Free Software Foundation, Inc. +# Originally by Fran,cois Pinard , 1996. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +if test $# -eq 0; then + echo 1>&2 "Try \`$0 --help' for more information" + exit 1 +fi + +run=: +sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' +sed_minuso='s/.* -o \([^ ]*\).*/\1/p' + +# In the cases where this matters, `missing' is being run in the +# srcdir already. +if test -f configure.ac; then + configure_ac=configure.ac +else + configure_ac=configure.in +fi + +msg="missing on your system" + +case $1 in +--run) + # Try to run requested program, and just exit if it succeeds. + run= + shift + "$@" && exit 0 + # Exit code 63 means version mismatch. This often happens + # when the user try to use an ancient version of a tool on + # a file that requires a minimum version. 
In this case we + # we should proceed has if the program had been absent, or + # if --run hadn't been passed. + if test $? = 63; then + run=: + msg="probably too old" + fi + ;; + + -h|--h|--he|--hel|--help) + echo "\ +$0 [OPTION]... PROGRAM [ARGUMENT]... + +Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an +error status if there is no known handling for PROGRAM. + +Options: + -h, --help display this help and exit + -v, --version output version information and exit + --run try to run the given command, and emulate it if it fails + +Supported PROGRAM values: + aclocal touch file \`aclocal.m4' + autoconf touch file \`configure' + autoheader touch file \`config.h.in' + autom4te touch the output file, or create a stub one + automake touch all \`Makefile.in' files + bison create \`y.tab.[ch]', if possible, from existing .[ch] + flex create \`lex.yy.c', if possible, from existing .c + help2man touch the output file + lex create \`lex.yy.c', if possible, from existing .c + makeinfo touch the output file + tar try tar, gnutar, gtar, then tar without non-portable flags + yacc create \`y.tab.[ch]', if possible, from existing .[ch] + +Send bug reports to ." + exit $? + ;; + + -v|--v|--ve|--ver|--vers|--versi|--versio|--version) + echo "missing $scriptversion (GNU Automake)" + exit $? + ;; + + -*) + echo 1>&2 "$0: Unknown \`$1' option" + echo 1>&2 "Try \`$0 --help' for more information" + exit 1 + ;; + +esac + +# Now exit if we have it, but it failed. Also exit now if we +# don't have it and --version was passed (most likely to detect +# the program). +case $1 in + lex|yacc) + # Not GNU programs, they don't have --version. + ;; + + tar) + if test -n "$run"; then + echo 1>&2 "ERROR: \`tar' requires --run" + exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + exit 1 + fi + ;; + + *) + if test -z "$run" && ($1 --version) > /dev/null 2>&1; then + # We have it, but it failed. 
+ exit 1 + elif test "x$2" = "x--version" || test "x$2" = "x--help"; then + # Could not run --version or --help. This is probably someone + # running `$TOOL --version' or `$TOOL --help' to check whether + # $TOOL exists and not knowing $TOOL uses missing. + exit 1 + fi + ;; +esac + +# If it does not exist, or fails to run (possibly an outdated version), +# try to emulate it. +case $1 in + aclocal*) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified \`acinclude.m4' or \`${configure_ac}'. You might want + to install the \`Automake' and \`Perl' packages. Grab them from + any GNU archive site." + touch aclocal.m4 + ;; + + autoconf) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified \`${configure_ac}'. You might want to install the + \`Autoconf' and \`GNU m4' packages. Grab them from any GNU + archive site." + touch configure + ;; + + autoheader) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified \`acconfig.h' or \`${configure_ac}'. You might want + to install the \`Autoconf' and \`GNU m4' packages. Grab them + from any GNU archive site." + files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}` + test -z "$files" && files="config.h" + touch_files= + for f in $files; do + case $f in + *:*) touch_files="$touch_files "`echo "$f" | + sed -e 's/^[^:]*://' -e 's/:.*//'`;; + *) touch_files="$touch_files $f.in";; + esac + done + touch $touch_files + ;; + + automake*) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. + You might want to install the \`Automake' and \`Perl' packages. + Grab them from any GNU archive site." + find . -type f -name Makefile.am -print | + sed 's/\.am$/.in/' | + while read f; do touch "$f"; done + ;; + + autom4te) + echo 1>&2 "\ +WARNING: \`$1' is needed, but is $msg. 
+ You might have modified some files without having the + proper tools for further handling them. + You can get \`$1' as part of \`Autoconf' from any GNU + archive site." + + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then + touch $file + else + test -z "$file" || exec >$file + echo "#! /bin/sh" + echo "# Created by GNU Automake missing as a replacement of" + echo "# $ $@" + echo "exit 0" + chmod +x $file + exit 1 + fi + ;; + + bison|yacc) + echo 1>&2 "\ +WARNING: \`$1' $msg. You should only need it if + you modified a \`.y' file. You may need the \`Bison' package + in order for those modifications to take effect. You can get + \`Bison' from any GNU archive site." + rm -f y.tab.c y.tab.h + if test $# -ne 1; then + eval LASTARG="\${$#}" + case $LASTARG in + *.y) + SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` + if test -f "$SRCFILE"; then + cp "$SRCFILE" y.tab.c + fi + SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` + if test -f "$SRCFILE"; then + cp "$SRCFILE" y.tab.h + fi + ;; + esac + fi + if test ! -f y.tab.h; then + echo >y.tab.h + fi + if test ! -f y.tab.c; then + echo 'main() { return 0; }' >y.tab.c + fi + ;; + + lex|flex) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified a \`.l' file. You may need the \`Flex' package + in order for those modifications to take effect. You can get + \`Flex' from any GNU archive site." + rm -f lex.yy.c + if test $# -ne 1; then + eval LASTARG="\${$#}" + case $LASTARG in + *.l) + SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` + if test -f "$SRCFILE"; then + cp "$SRCFILE" lex.yy.c + fi + ;; + esac + fi + if test ! -f lex.yy.c; then + echo 'main() { return 0; }' >lex.yy.c + fi + ;; + + help2man) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified a dependency of a manual page. You may need the + \`Help2man' package in order for those modifications to take + effect. 
You can get \`Help2man' from any GNU archive site." + + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -f "$file"; then + touch $file + else + test -z "$file" || exec >$file + echo ".ab help2man is required to generate this page" + exit 1 + fi + ;; + + makeinfo) + echo 1>&2 "\ +WARNING: \`$1' is $msg. You should only need it if + you modified a \`.texi' or \`.texinfo' file, or any other file + indirectly affecting the aspect of the manual. The spurious + call might also be the consequence of using a buggy \`make' (AIX, + DU, IRIX). You might want to install the \`Texinfo' package or + the \`GNU make' package. Grab either from any GNU archive site." + # The file to touch is that specified with -o ... + file=`echo "$*" | sed -n "$sed_output"` + test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` + if test -z "$file"; then + # ... or it is the one specified with @setfilename ... + infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` + file=`sed -n ' + /^@setfilename/{ + s/.* \([^ ]*\) *$/\1/ + p + q + }' $infile` + # ... or it is derived from the source name (dir/f.texi becomes f.info) + test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info + fi + # If the file does not exist, the user really needs makeinfo; + # let's fail without touching anything. + test -f $file || exit 1 + touch $file + ;; + + tar) + shift + + # We have already tried tar in the generic part. + # Look for gnutar/gtar before invocation to avoid ugly error + # messages. 
+ if (gnutar --version > /dev/null 2>&1); then + gnutar "$@" && exit 0 + fi + if (gtar --version > /dev/null 2>&1); then + gtar "$@" && exit 0 + fi + firstarg="$1" + if shift; then + case $firstarg in + *o*) + firstarg=`echo "$firstarg" | sed s/o//` + tar "$firstarg" "$@" && exit 0 + ;; + esac + case $firstarg in + *h*) + firstarg=`echo "$firstarg" | sed s/h//` + tar "$firstarg" "$@" && exit 0 + ;; + esac + fi + + echo 1>&2 "\ +WARNING: I can't seem to be able to run \`tar' with the given arguments. + You may want to install GNU tar or Free paxutils, or check the + command line arguments." + exit 1 + ;; + + *) + echo 1>&2 "\ +WARNING: \`$1' is needed, and is $msg. + You might have modified some files without having the + proper tools for further handling them. Check the \`README' file, + it often tells you about the needed prerequisites for installing + this package. You may also peek at any GNU archive site, in case + some other package would contain this missing \`$1' program." + exit 1 + ;; +esac + +exit 0 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-end: "$" +# End: diff --git a/configure b/configure new file mode 100755 index 0000000..7ce3980 --- /dev/null +++ b/configure 
@@ -0,0 +1,8422 @@ +#! /bin/sh +# Guess values for system-dependent variables and create Makefiles. +# Generated by GNU Autoconf 2.62 for gdoi.h 1.5iec. +# +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. +## --------------------- ## +## M4sh Initialization. ## +## --------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. 
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + +# Support unset when possible. +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } +fi + +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# Required to use basename. +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + + +# Name of the executable. +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# CDPATH. +$as_unset CDPATH + + +if test "x$CONFIG_SHELL" = x; then + if (eval ":") 2>/dev/null; then + as_have_required=yes +else + as_have_required=no +fi + + if test $as_have_required = yes && (eval ": +(as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. 
+fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test \$exitcode = 0) || { (exit 1); exit 1; } + +( + as_lineno_1=\$LINENO + as_lineno_2=\$LINENO + test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" && + test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; } +") 2> /dev/null; then + : +else + as_candidate_shells= + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + case $as_dir in + /*) + for as_base in sh bash ksh sh5; do + as_candidate_shells="$as_candidate_shells $as_dir/$as_base" + done;; + esac +done +IFS=$as_save_IFS + + + for as_shell in $as_candidate_shells $SHELL; do + # Try only shells that exist, to save several forks. + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { ("$as_shell") 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + +: +_ASEOF +}; then + CONFIG_SHELL=$as_shell + as_have_required=yes + if { "$as_shell" 2> /dev/null <<\_ASEOF +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. 
+ alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + +: +(as_func_return () { + (exit $1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. +fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = "$1" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test $exitcode = 0) || { (exit 1); exit 1; } + +( + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; } + +_ASEOF +}; then + break +fi + +fi + + done + + if test "x$CONFIG_SHELL" != x; then + for as_var in BASH_ENV ENV + do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var + done + export CONFIG_SHELL + exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"} +fi + + + if test $as_have_required = no; then + echo This script requires a shell more modern than all the + echo shells that I found on your system. Please install a + echo modern shell, or manually run the script under such a + echo shell if you do have one. + { (exit 1); exit 1; } +fi + + +fi + +fi + + + +(eval "as_func_return () { + (exit \$1) +} +as_func_success () { + as_func_return 0 +} +as_func_failure () { + as_func_return 1 +} +as_func_ret_success () { + return 0 +} +as_func_ret_failure () { + return 1 +} + +exitcode=0 +if as_func_success; then + : +else + exitcode=1 + echo as_func_success failed. 
+fi + +if as_func_failure; then + exitcode=1 + echo as_func_failure succeeded. +fi + +if as_func_ret_success; then + : +else + exitcode=1 + echo as_func_ret_success failed. +fi + +if as_func_ret_failure; then + exitcode=1 + echo as_func_ret_failure succeeded. +fi + +if ( set x; as_func_ret_success y && test x = \"\$1\" ); then + : +else + exitcode=1 + echo positional parameters were not saved. +fi + +test \$exitcode = 0") || { + echo No shell found that supports shell functions. + echo Please tell bug-autoconf@gnu.org about your system, + echo including any error possibly output before this message. + echo This can help us improve future autoconf versions. + echo Configuration will now proceed without shell functions. +} + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. 
:-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; +esac +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' + fi +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 
2>/dev/null; then + as_mkdir_p=: +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + + +exec 7<&0 &1 + +# Name of the host. +# hostname on some systems (SVR3.2, Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +# +# Initializations. +# +ac_default_prefix=/usr/local +ac_clean_files= +ac_config_libobj_dir=. +LIBOBJS= +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} + +# Identity of this package. +PACKAGE_NAME='gdoi.h' +PACKAGE_TARNAME='gdoi-h' +PACKAGE_VERSION='1.5iec' +PACKAGE_STRING='gdoi.h 1.5iec' +PACKAGE_BUGREPORT='' + +# Factoring default headers for most tests. 
+ac_includes_default="\ +#include +#ifdef HAVE_SYS_TYPES_H +# include +#endif +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif +#ifdef HAVE_STRING_H +# if !defined STDC_HEADERS && defined HAVE_MEMORY_H +# include +# endif +# include +#endif +#ifdef HAVE_STRINGS_H +# include +#endif +#ifdef HAVE_INTTYPES_H +# include +#endif +#ifdef HAVE_STDINT_H +# include +#endif +#ifdef HAVE_UNISTD_H +# include +#endif" + +ac_subst_vars='SHELL +PATH_SEPARATOR +PACKAGE_NAME +PACKAGE_TARNAME +PACKAGE_VERSION +PACKAGE_STRING +PACKAGE_BUGREPORT +exec_prefix +prefix +program_transform_name +bindir +sbindir +libexecdir +datarootdir +datadir +sysconfdir +sharedstatedir +localstatedir +includedir +oldincludedir +docdir +infodir +htmldir +dvidir +pdfdir +psdir +libdir +localedir +mandir +DEFS +ECHO_C +ECHO_N +ECHO_T +LIBS +build_alias +host_alias +target_alias +INSTALL_PROGRAM +INSTALL_SCRIPT +INSTALL_DATA +am__isrc +CYGPATH_W +PACKAGE +VERSION +ACLOCAL +AUTOCONF +AUTOMAKE +AUTOHEADER +MAKEINFO +install_sh +STRIP +INSTALL_STRIP_PROGRAM +MKDIR_P +mkdir_p +AWK +SET_MAKE +am__leading_dot +AMTAR +am__tar +am__untar +build +build_cpu +build_vendor +build_os +host +host_cpu +host_vendor +host_os +CC +CFLAGS +LDFLAGS +CPPFLAGS +ac_ct_CC +EXEEXT +OBJEXT +DEPDIR +am__include +am__quote +AMDEP_TRUE +AMDEP_FALSE +AMDEPBACKSLASH +CCDEPMODE +am__fastdepCC_TRUE +am__fastdepCC_FALSE +HAVE_FREESWAN_TRUE +HAVE_FREESWAN_FALSE +HAVE_PF_KEY_V2_TRUE +HAVE_PF_KEY_V2_FALSE +USE_LIBCRYPTO_TRUE +USE_LIBCRYPTO_FALSE +CPP +GREP +EGREP +LIBOBJS +IEC90_5_SUPPORT_TRUE +IEC90_5_SUPPORT_FALSE +GDOI_APP_SUPPORT_TRUE +GDOI_APP_SUPPORT_FALSE +SRTP_SUPPORT_TRUE +SRTP_SUPPORT_FALSE +USE_AGGRESSIVE_TRUE +USE_AGGRESSIVE_FALSE +LTLIBOBJS' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +enable_dependency_tracking +with_ssl_dir +enable_tripledes +enable_iec90_5 +enable_srtp +enable_aggressive +enable_debug +' + 
ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS +CPPFLAGS +CPP' + + +# Initialize some variables set by options. +ac_init_help= +ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= +# The variables have the same names as the options, with +# dashes changed to underlines. +cache_file=/dev/null +exec_prefix=NONE +no_create= +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +verbose= +x_includes=NONE +x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datarootdir='${prefix}/share' +datadir='${datarootdir}' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +includedir='${prefix}/include' +oldincludedir='/usr/include' +docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' + +ac_prev= +ac_dashdash= +for ac_option +do + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval $ac_prev=\$ac_option + ac_prev= + continue + fi + + case $ac_option in + *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *) ac_optarg=yes ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. 
+ + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir=$ac_optarg ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build_alias ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build_alias=$ac_optarg ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; + + -datadir | --datadir | --datadi | --datad) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=*) + datadir=$ac_optarg ;; + + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + + -disable-* | --disable-*) + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + # Reject names that are not valid shell variable names. 
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; + + -enable-* | --enable-*) + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix=$ac_optarg ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. 
+ with_gas=yes ;; + + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; + + -host | --host | --hos | --ho) + ac_prev=host_alias ;; + -host=* | --host=* | --hos=* | --ho=*) + host_alias=$ac_optarg ;; + + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir=$ac_optarg ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir=$ac_optarg ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir=$ac_optarg ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir=$ac_optarg ;; + + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst | --locals) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) + localstatedir=$ac_optarg ;; + + 
-mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir=$ac_optarg ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir=$ac_optarg ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix=$ac_optarg ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix=$ac_optarg ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix=$ac_optarg ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | 
--program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name=$ac_optarg ;; + + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir=$ac_optarg ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir=$ac_optarg ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site=$ac_optarg ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir=$ac_optarg ;; + + 
-sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir=$ac_optarg ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target_alias ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target_alias=$ac_optarg ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; + + -with-* | --with-*) + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; + + -without-* | --without-*) + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2 + { (exit 1); exit 1; }; } + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; + + --x) + # Obsolete; use --with-x. 
+ with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes=$ac_optarg ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries=$ac_optarg ;; + + -*) { $as_echo "$as_me: error: unrecognized option: $ac_option +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; } + ;; + + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null && + { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2 + { (exit 1); exit 1; }; } + eval $ac_envvar=\$ac_optarg + export $ac_envvar ;; + + *) + # FIXME: should be removed in autoconf 3.0. + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option} + ;; + + esac +done + +if test -n "$ac_prev"; then + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + { $as_echo "$as_me: error: missing argument to $ac_option" >&2 + { (exit 1); exit 1; }; } +fi + +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) { $as_echo "$as_me: error: Unrecognized options: $ac_unrecognized_opts" >&2 + { (exit 1); exit 1; }; } ;; + *) $as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. 
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir +do + eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. + case $ac_val in + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; + esac + { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2 + { (exit 1); exit 1; }; } +done + +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. +build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used." >&2 + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null + + +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + { $as_echo "$as_me: error: Working directory cannot be determined" >&2 + { (exit 1); exit 1; }; } +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + { $as_echo "$as_me: error: pwd does not report name of working directory" >&2 + { (exit 1); exit 1; }; } + + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then the parent directory. 
+ ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_myself" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + srcdir=$ac_confdir + if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." + { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2 + { (exit 1); exit 1; }; } +fi +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2 + { (exit 1); exit 1; }; } + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. +case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done + +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures gdoi.h 1.5iec to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. 
See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. 
+ +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/gdoi-h] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] +_ACEOF + + cat <<\_ACEOF + +Program names: + --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM run sed PROGRAM on installed program names + +System types: + --build=BUILD configure for building on BUILD [guessed] + --host=HOST cross-compile to build programs to run on HOST [BUILD] +_ACEOF +fi + +if test -n "$ac_init_help"; then + case $ac_init_help in + short | recursive ) echo "Configuration of gdoi.h 1.5iec:";; + esac + cat <<\_ACEOF + +Optional Features: + --disable-option-checking ignore unrecognized --enable/--with options + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --disable-dependency-tracking speeds up one-time build + --enable-dependency-tracking do not reject slow 
dependency extractors + --enable-tripledes Enable support of 3DES yes + --enable-iec90-5 Enable support of IEC 57-61850-90-5 yes + --enable-srtp Enable support of SRTP no + --enable-aggressive Enable support of Phase 1 Aggressive Mode no + --enable-debug Enable debug yes + +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --with-ssl-dir=PATH Specify path to OpenSSL installation + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. -L if you have libraries in a + nonstandard directory + LIBS libraries to pass to the linker, e.g. -l + CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if + you have headers in a nonstandard directory + CPP C preprocessor + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +_ACEOF +ac_status=$? +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. 
+ ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. + if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive + else + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } + done +fi + +test -n "$ac_init_help" && exit $ac_status +if $ac_init_version; then + cat <<\_ACEOF +gdoi.h configure 1.5iec +generated by GNU Autoconf 2.62 + +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit +fi +cat >config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by gdoi.h $as_me 1.5iec, which was +generated by GNU Autoconf 2.62. Invocation command line was + + $ $0 $@ + +_ACEOF +exec 5>>config.log +{ +cat <<_ASUNAME +## --------- ## +## Platform. 
## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + $as_echo "PATH: $as_dir" +done +IFS=$as_save_IFS + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. 
+ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;; + 2) + ac_configure_args1="$ac_configure_args1 '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. + else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + ac_configure_args="$ac_configure_args '$ac_arg'" + ;; + esac + done +done +$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; } +$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; } + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + cat <<\_ASBOX +## ---------------- ## +## Cache variables. 
## +## ---------------- ## +_ASBOX + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 +$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo + + cat <<\_ASBOX +## ----------------- ## +## Output variables. ## +## ----------------- ## +_ASBOX + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + + if test -n "$ac_subst_files"; then + cat <<\_ASBOX +## ------------------- ## +## File substitutions. ## +## ------------------- ## +_ASBOX + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi + + if test -s confdefs.h; then + cat <<\_ASBOX +## ----------- ## +## confdefs.h. 
## +## ----------- ## +_ASBOX + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + ac_site_file1=$CONFIG_SITE +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site +else + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site +fi +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test -r "$ac_site_file"; then + { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . "$ac_site_file" + fi +done + +if test -r "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special + # files actually), so we avoid doing that. 
+ if test -f "$cache_file"; then + { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi +else + { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. +ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. 
+ ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:$LINENO: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:$LINENO: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. 
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 +$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} + { (exit 1); exit 1; }; } +fi + + + + + + + + + + + + + + + + + + + + + + + + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +ac_aux_dir= +for ac_dir in config "$srcdir"/config; do + if test -f "$ac_dir/install-sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install-sh -c" + break + elif test -f "$ac_dir/install.sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install.sh -c" + break + elif test -f "$ac_dir/shtool"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/shtool install -c" + break + fi +done +if test -z "$ac_aux_dir"; then + { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in config \"$srcdir\"/config" >&5 +$as_echo "$as_me: error: cannot find install-sh or install.sh in config \"$srcdir\"/config" >&2;} + { (exit 1); exit 1; }; } +fi + +# These three variables are undocumented and unsupported, +# and are intended to be withdrawn in a future Autoconf release. +# They can cause serious problems if a builder's source tree is in a directory +# whose full name contains unusual characters. +ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. +ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. +ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. 
+ + +am__api_version='1.10' + +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AmigaOS /C/install, which installs bootblocks on floppy discs +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# OS/2's system install, which has a completely different semantic +# ./install, which can be erroneously created by make from ./install.sh. +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... " >&6; } +if test -z "$INSTALL"; then +if test "${ac_cv_path_install+set}" = set; then + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in + ./ | .// | /cC/* | \ + /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ + ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \ + /usr/ucb/* ) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. + # Don't use installbsd from OSF since it installs stuff as root + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. 
+ : + elif test $ac_prog = install && + grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # program-specific install script used by HP pwplus--don't use. + : + else + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi + fi + fi + done + done + ;; +esac + +done +IFS=$as_save_IFS + +rm -rf conftest.one conftest.two conftest.dir + +fi + if test "${ac_cv_path_install+set}" = set; then + INSTALL=$ac_cv_path_install + else + # As a last resort, use the slow shell script. Don't cache a + # value for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + INSTALL=$ac_install_sh + fi +fi +{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } + +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' + +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + +{ $as_echo "$as_me:$LINENO: checking whether build environment is sane" >&5 +$as_echo_n "checking whether build environment is sane... " >&6; } +# Just in case +sleep 1 +echo timestamp > conftest.file +# Do `set' in a subshell so we don't clobber the current shell's +# arguments. Must try -L first in case configure is actually a +# symlink; some systems play weird games with the mod time of symlinks +# (eg FreeBSD returns the mod time of the symlink's containing +# directory). 
+if ( + set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null` + if test "$*" = "X"; then + # -L didn't work. + set X `ls -t $srcdir/configure conftest.file` + fi + rm -f conftest.file + if test "$*" != "X $srcdir/configure conftest.file" \ + && test "$*" != "X conftest.file $srcdir/configure"; then + + # If neither matched, then we have a broken ls. This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + { { $as_echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken +alias in your environment" >&5 +$as_echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken +alias in your environment" >&2;} + { (exit 1); exit 1; }; } + fi + + test "$2" = conftest.file + ) +then + # Ok. + : +else + { { $as_echo "$as_me:$LINENO: error: newly created file is older than distributed files! +Check your system clock" >&5 +$as_echo "$as_me: error: newly created file is older than distributed files! +Check your system clock" >&2;} + { (exit 1); exit 1; }; } +fi +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +test "$program_prefix" != NONE && + program_transform_name="s&^&$program_prefix&;$program_transform_name" +# Use a double $ so make ignores it. +test "$program_suffix" != NONE && + program_transform_name="s&\$&$program_suffix&;$program_transform_name" +# Double any \ or $. +# By default was `s,x,x', remove it if useless. 
+ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' +program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` + +# expand $ac_aux_dir to an absolute path +am_aux_dir=`cd $ac_aux_dir && pwd` + +test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing" +# Use eval to expand $SHELL +if eval "$MISSING --run true"; then + am_missing_run="$MISSING --run " +else + am_missing_run= + { $as_echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5 +$as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} +fi + +{ $as_echo "$as_me:$LINENO: checking for a thread-safe mkdir -p" >&5 +$as_echo_n "checking for a thread-safe mkdir -p... " >&6; } +if test -z "$MKDIR_P"; then + if test "${ac_cv_path_mkdir+set}" = set; then + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do + { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ + 'mkdir (fileutils) '4.1*) + ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext + break 3;; + esac + done + done +done +IFS=$as_save_IFS + +fi + + if test "${ac_cv_path_mkdir+set}" = set; then + MKDIR_P="$ac_cv_path_mkdir -p" + else + # As a last resort, use the slow shell script. Don't cache a + # value for MKDIR_P within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. 
+ test -d ./--version && rmdir ./--version + MKDIR_P="$ac_install_sh -d" + fi +fi +{ $as_echo "$as_me:$LINENO: result: $MKDIR_P" >&5 +$as_echo "$MKDIR_P" >&6; } + +mkdir_p="$MKDIR_P" +case $mkdir_p in + [\\/$]* | ?:[\\/]*) ;; + */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; +esac + +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_AWK+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:$LINENO: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + +{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5 +$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } +set x ${MAKE-make} +ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` +if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.make <<\_ACEOF +SHELL = /bin/sh +all: + @echo '@@@%%%=$(MAKE)=@@@%%%' +_ACEOF +# GNU make sometimes prints "make[1]: Entering...", which would confuse us. 
+case `${MAKE-make} -f conftest.make 2>/dev/null` in + *@@@%%%=?*=@@@%%%*) + eval ac_cv_prog_make_${ac_make}_set=yes;; + *) + eval ac_cv_prog_make_${ac_make}_set=no;; +esac +rm -f conftest.make +fi +if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + SET_MAKE= +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + SET_MAKE="MAKE=${MAKE-make}" +fi + +rm -rf .tst 2>/dev/null +mkdir .tst 2>/dev/null +if test -d .tst; then + am__leading_dot=. +else + am__leading_dot=_ +fi +rmdir .tst 2>/dev/null + +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." + am__isrc=' -I$(srcdir)' + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + { { $as_echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5 +$as_echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;} + { (exit 1); exit 1; }; } + fi +fi + +# test whether we have cygpath +if test -z "$CYGPATH_W"; then + if (cygpath --version) >/dev/null 2>/dev/null; then + CYGPATH_W='cygpath -w' + else + CYGPATH_W=echo + fi +fi + + +# Define the identity of the package. + PACKAGE=gdoid + VERSION=1.5iec + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE "$PACKAGE" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define VERSION "$VERSION" +_ACEOF + +# Some tools Automake needs. 
+ +ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} + + +AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} + + +AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} + + +AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} + + +MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} + +install_sh=${install_sh-"\$(SHELL) $am_aux_dir/install-sh"} + +# Installed binaries are usually stripped using `strip' when the user +# run `make install-strip'. However `strip' might not be the right +# tool to use in cross-compilation environments, therefore Automake +# will honor the `STRIP' environment variable to overrule this program. +if test "$cross_compiling" != no; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. +set dummy ${ac_tool_prefix}strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$STRIP"; then + ac_cv_prog_STRIP="$STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +STRIP=$ac_cv_prog_STRIP +if test -n "$STRIP"; then + { $as_echo "$as_me:$LINENO: result: $STRIP" >&5 +$as_echo "$STRIP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_STRIP"; then + ac_ct_STRIP=$STRIP + # Extract the first word of "strip", so it can be a program name with args. 
+set dummy strip; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_STRIP"; then + ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP +if test -n "$ac_ct_STRIP"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5 +$as_echo "$ac_ct_STRIP" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_STRIP" = x; then + STRIP=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + STRIP=$ac_ct_STRIP + fi +else + STRIP="$ac_cv_prog_STRIP" +fi + +fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" + +# We need awk for the "check" target. The system "awk" is bad on +# some platforms. +# Always define AMTAR for backward compatibility. 
+ +AMTAR=${AMTAR-"${am_missing_run}tar"} + +am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -' + + + + + +ac_config_headers="$ac_config_headers config.h" + +# Make sure we can run config.sub. +$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || + { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 +$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} + { (exit 1); exit 1; }; } + +{ $as_echo "$as_me:$LINENO: checking build system type" >&5 +$as_echo_n "checking build system type... " >&6; } +if test "${ac_cv_build+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_build_alias=$build_alias +test "x$ac_build_alias" = x && + ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` +test "x$ac_build_alias" = x && + { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 +$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} + { (exit 1); exit 1; }; } +ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} + { (exit 1); exit 1; }; } + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 +$as_echo "$ac_cv_build" >&6; } +case $ac_cv_build in +*-*-*) ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 +$as_echo "$as_me: error: invalid value of canonical build" >&2;} + { (exit 1); exit 1; }; };; +esac +build=$ac_cv_build +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_build +shift +build_cpu=$1 +build_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +build_os=$* +IFS=$ac_save_IFS +case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac + + +{ $as_echo "$as_me:$LINENO: checking host system type" >&5 +$as_echo_n "checking host system type... 
" >&6; } +if test "${ac_cv_host+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "x$host_alias" = x; then + ac_cv_host=$ac_cv_build +else + ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} + { (exit 1); exit 1; }; } +fi + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 +$as_echo "$ac_cv_host" >&6; } +case $ac_cv_host in +*-*-*) ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 +$as_echo "$as_me: error: invalid value of canonical host" >&2;} + { (exit 1); exit 1; }; };; +esac +host=$ac_cv_host +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_host +shift +host_cpu=$1 +host_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +host_os=$* +IFS=$ac_save_IFS +case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac + + + +# Checks for programs. + +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_AWK+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:$LINENO: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. 
+set dummy gcc; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +else + CC="$ac_cv_prog_CC" +fi + +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + ac_prog_rejected=no +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# != 0; then + # We chose a different compiler from the bogus one. 
+ # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" + fi +fi +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl.exe + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:$LINENO: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl.exe +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if test "${ac_cv_prog_ac_ct_CC+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_CC" && break +done + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&5 +$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools +whose name does not start with the host triplet. If you think this +configuration is useful to you, please write to autoconf@gnu.org." >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +fi + +fi + + +test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: no acceptable C compiler found in \$PATH +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; } + +# Provide some information about the compiler. 
+$as_echo "$as_me:$LINENO: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 +{ (ac_try="$ac_compiler --version >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler --version >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -v >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -v >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } +{ (ac_try="$ac_compiler -V >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compiler -V >&5") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } + +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... 
" >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { (ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. +for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. 
+ break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi + +{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +if test -z "$ac_file"; then + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C compiler cannot create executables +See \`config.log' for more details." >&2;} + { (exit 77); exit 77; }; } +fi + +ac_exeext=$ac_cv_exeext + +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +# FIXME: These cross compiler hacks should be removed for Autoconf 3.0 +# If not cross compiling, check that we can run a simple program. +if test "$cross_compiling" != yes; then + if { ac_try='./$ac_file' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details." 
>&2;} + { (exit 1); exit 1; }; } + fi + fi +fi +{ $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details." 
>&2;} + { (exit 1); exit 1; }; } +fi + +rm -f conftest$ac_cv_exeext +{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if test "${ac_cv_objext+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; } +fi + +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... 
" >&6; } +if test "${ac_cv_c_compiler_gnu+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_compiler_gnu=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_compiler_gnu=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } +if test "${ac_cv_prog_cc_g+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_prog_cc_g=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + CFLAGS="" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_prog_cc_g=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } +if test "$ac_test_CFLAGS" = set; then + CFLAGS=$ac_save_CFLAGS +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi +{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +if test "${ac_cv_prog_cc_c89+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c89=no +ac_save_CC=$CC +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#include +#include +/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. 
*/ +struct buf { int x; }; +FILE * (*rcsopen) (struct buf *, struct stat *, int); +static char *e (p, i) + char **p; + int i; +{ + return p[i]; +} +static char *f (char * (*g) (char **, int), char **p, ...) +{ + char *s; + va_list v; + va_start (v,p); + s = g (p, va_arg (v,int)); + va_end (v); + return s; +} + +/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has + function prototypes and stuff, but not '\xHH' hex character constants. + These don't provoke an error unfortunately, instead are silently treated + as 'x'. The following induces an error, until -std is added to get + proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an + array size at least. It's necessary to write '\x00'==0 to get something + that's true only with -std. */ +int osf4_cc_array ['\x00' == 0 ? 1 : -1]; + +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; + +int test (int i, double x); +struct s1 {int (*f) (int a);}; +struct s2 {int (*f) (double a);}; +int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +int argc; +char **argv; +int +main () +{ +return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; + ; + return 0; +} +_ACEOF +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +do + CC="$ac_save_CC $ac_arg" + rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_prog_cc_c89=$ac_arg +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { $as_echo "$as_me:$LINENO: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:$LINENO: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c89" + { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +esac + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +DEPDIR="${am__leading_dot}deps" + +ac_config_commands="$ac_config_commands depfiles" + + +am_make=${MAKE-make} +cat > confinc << 'END' +am__doit: + @echo done +.PHONY: am__doit +END +# If we don't find an include directive, just comment out the code. +{ $as_echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5 +$as_echo_n "checking for style of include used by $am_make... " >&6; } +am__include="#" +am__quote= +_am_result=none +# First try GNU make style include. +echo "include confinc" > confmf +# We grep out `Entering directory' and `Leaving directory' +# messages which can occur if `w' ends up in MAKEFLAGS. +# In particular we don't look at `^make:' because GNU make might +# be invoked under some other name (usually "gmake"), in which +# case it prints its new name instead of `make'. +if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then + am__include=include + am__quote= + _am_result=GNU +fi +# Now try BSD make style include. 
+if test "$am__include" = "#"; then + echo '.include "confinc"' > confmf + if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then + am__include=.include + am__quote="\"" + _am_result=BSD + fi +fi + + +{ $as_echo "$as_me:$LINENO: result: $_am_result" >&5 +$as_echo "$_am_result" >&6; } +rm -f confinc confmf + +# Check whether --enable-dependency-tracking was given. +if test "${enable_dependency_tracking+set}" = set; then + enableval=$enable_dependency_tracking; +fi + +if test "x$enable_dependency_tracking" != xno; then + am_depcomp="$ac_aux_dir/depcomp" + AMDEPBACKSLASH='\' +fi + if test "x$enable_dependency_tracking" != xno; then + AMDEP_TRUE= + AMDEP_FALSE='#' +else + AMDEP_TRUE='#' + AMDEP_FALSE= +fi + + + +depcc="$CC" am_compiler_list= + +{ $as_echo "$as_me:$LINENO: checking dependency style of $depcc" >&5 +$as_echo_n "checking dependency style of $depcc... " >&6; } +if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then + # We make a subdir and do the tests there. Otherwise we can end up + # making bogus files that we don't know about and never remove. For + # instance it was reported that on HP-UX the gcc test will end up + # making a dummy file named `D' -- because `-MD' means `put the output + # in D'. + mkdir conftest.dir + # Copy depcomp to subdir because otherwise we won't find it if we're + # using a relative directory. + cp "$am_depcomp" conftest.dir + cd conftest.dir + # We will build objects and dependencies in a subdirectory because + # it helps to detect inapplicable dependency modes. For instance + # both Tru64's cc and ICC support -MD to output dependencies as a + # side effect of compilation, but ICC will put the dependencies in + # the current directory while Tru64 will put them in the object + # directory. 
+ mkdir sub + + am_cv_CC_dependencies_compiler_type=none + if test "$am_compiler_list" = ""; then + am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` + fi + for depmode in $am_compiler_list; do + # Setup a source with many dependencies, because some compilers + # like to wrap large dependency lists on column 80 (with \), and + # we should not choose a depcomp mode which is confused by this. + # + # We need to recreate these files for each test, as the compiler may + # overwrite some of them when testing with obscure command lines. + # This happens at least with the AIX C compiler. + : > sub/conftest.c + for i in 1 2 3 4 5 6; do + echo '#include "conftst'$i'.h"' >> sub/conftest.c + # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with + # Solaris 8's {/usr,}/bin/sh. + touch sub/conftst$i.h + done + echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + + case $depmode in + nosideeffect) + # after this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested + if test "x$enable_dependency_tracking" = xyes; then + continue + else + break + fi + ;; + none) break ;; + esac + # We check with `-c' and `-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle `-M -o', and we need to detect this. + if depmode=$depmode \ + source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \ + depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ + $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \ + >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 && + ${MAKE-make} -s -f confmf > /dev/null 2>&1; then + # icc doesn't choke on unknown options, it will just issue warnings + # or remarks (even with -Werror). 
So we grep stderr for any message + # that says an option was ignored or not supported. + # When given -MP, icc 7.0 and 7.1 complain thusly: + # icc: Command line warning: ignoring option '-M'; no argument required + # The diagnosis changed in icc 8.0: + # icc: Command line remark: option '-MP' not supported + if (grep 'ignoring option' conftest.err || + grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else + am_cv_CC_dependencies_compiler_type=$depmode + break + fi + fi + done + + cd .. + rm -rf conftest.dir +else + am_cv_CC_dependencies_compiler_type=none +fi + +fi +{ $as_echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5 +$as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } +CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type + + if + test "x$enable_dependency_tracking" != xno \ + && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then + am__fastdepCC_TRUE= + am__fastdepCC_FALSE='#' +else + am__fastdepCC_TRUE='#' + am__fastdepCC_FALSE= +fi + + + +# Host-specific checks + +case "$build_os" in + linux*) + CFLAGS="$CFLAGS -DSYMBOL_PREFIX='\"_\"' -DKAME -DLINUX_PFKEY" + # No more support for FreeS/WAN ... require a 2.6 kernel and ipsec_tools. 
+ if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + +cat >>confdefs.h <<\_ACEOF +#define SEED_RNG 1 +_ACEOF + + ;; + darwin*) + CFLAGS="$CFLAGS -DHAVE_GETNAMEINFO -DHAVE_PCAP -DOPENBSD_PFKEY_EXT -DOSX" + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + ;; + openbsd*) + CFLAGS="$CFLAGS -DHAVE_GETNAMEINFO -DHAVE_PCAP -DOPENBSD_PFKEY_EXT" + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + + # Determine if this release has the old or new PF_KEY extension symbols. + { $as_echo "$as_me:$LINENO: checking whether old PF_KEY Extension symbols are defined" >&5 +$as_echo_n "checking whether old PF_KEY Extension symbols are defined... " >&6; } + +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ + +#include +#include +#if !defined FLOW_X_TYPE_REQUIRE +#error FLOW_X_TYPE_REQUIRE not defined +#endif +main() { return 0;} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<\_ACEOF +#define OLD_OPENBSD_PFKEY_EXT 1 +_ACEOF + +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +{ $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + ;; + freebsd*) + CFLAGS="$CFLAGS -DKAME -DFREEBSD_PFKEY_EXT" + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + +cat >>confdefs.h <<\_ACEOF +#define OPEN_FIFO_RDRW 1 +_ACEOF + + ;; + bsdi*) + CFLAGS="$CFLAGS -DKAME -DNETBSD_PFKEY_EXT" + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + 
HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + ;; + *) + # Set the basics for a BSD system + if true; then + HAVE_PF_KEY_V2_TRUE= + HAVE_PF_KEY_V2_FALSE='#' +else + HAVE_PF_KEY_V2_TRUE='#' + HAVE_PF_KEY_V2_FALSE= +fi + + if false; then + HAVE_FREESWAN_TRUE= + HAVE_FREESWAN_FALSE='#' +else + HAVE_FREESWAN_TRUE='#' + HAVE_FREESWAN_FALSE= +fi + + ;; +esac + +# Checks for libraries. + +# +# Libcrypto is required +# +# The --with-ssl-dir option and associated code was taken from OpenSSH. +# + +# The big search for OpenSSL + +# Check whether --with-ssl-dir was given. +if test "${with_ssl_dir+set}" = set; then + withval=$with_ssl_dir; + if test "x$withval" != "xno" ; then + tryssldir=$withval + fi + + +fi + + +saved_LIBS="$LIBS" +saved_LDFLAGS="$LDFLAGS" +saved_CPPFLAGS="$CPPFLAGS" +if test "x$prefix" != "xNONE" ; then + tryssldir="$tryssldir $prefix" +fi +{ $as_echo "$as_me:$LINENO: checking for OpenSSL directory" >&5 +$as_echo_n "checking for OpenSSL directory... " >&6; } +if test "${ac_cv_openssldir+set}" = set; then + $as_echo_n "(cached) " >&6 +else + + for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + CPPFLAGS="$saved_CPPFLAGS" + LDFLAGS="$saved_LDFLAGS" + LIBS="$saved_LIBS -lcrypto" + + # Skip directories if they don't exist + if test ! -z "$ssldir" -a ! -d "$ssldir" ; then + continue; + fi + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir/lib $LDFLAGS" + fi + else + LDFLAGS="-L$ssldir $saved_LDFLAGS" + if test ! 
-z "$need_dash_r" ; then + LDFLAGS="-R$ssldir $LDFLAGS" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" + else + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" + fi + fi + + # Basic test to check for compatible version and correct linking + # *does not* test for RSA - that comes later. + if test "$cross_compiling" = yes; then + + { { $as_echo "$as_me:$LINENO: error: Cross-compiling not supported" >&5 +$as_echo "$as_me: error: Cross-compiling not supported" >&2;} + { (exit 1); exit 1; }; } + + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +#include +int main(void) +{ + char a[2048]; + SHA256_CTX c; + SHA256_Init(&c); + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); +} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + found_crypto=1 + break; + +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + + if test ! 
-z "$found_crypto" ; then + break; + fi + done + + if test -z "$found_crypto" ; then + { { $as_echo "$as_me:$LINENO: error: Could not find working + OpenSSL library, including SHA256. + Must have openssl-0.9.8a or higher. + please install, or check config.log. + If it is installed in an unusual place, + specify the path --with-ssl-dir=" >&5 +$as_echo "$as_me: error: Could not find working + OpenSSL library, including SHA256. + Must have openssl-0.9.8a or higher. + please install, or check config.log. + If it is installed in an unusual place, + specify the path --with-ssl-dir=" >&2;} + { (exit 1); exit 1; }; } + fi + if test -z "$ssldir" ; then + ssldir="(system)" + fi + + ac_cv_openssldir=$ssldir + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_openssldir" >&5 +$as_echo "$ac_cv_openssldir" >&6; } + +if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then + ssldir=$ac_cv_openssldir + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir/lib $LDFLAGS" + fi + else + LDFLAGS="-L$ssldir $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir $LDFLAGS" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" + else + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" + fi + fi +fi +LIBS="-lc $saved_LIBS -lcrypto" + + if true; then + USE_LIBCRYPTO_TRUE= + USE_LIBCRYPTO_FALSE='#' +else + USE_LIBCRYPTO_TRUE='#' + USE_LIBCRYPTO_FALSE= +fi + + +# +# Check for dlopen, which might be needed by libcrypto. If present, use +# dynamic libraries. +# +have_dl=yes + +{ $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... 
" >&6; } +if test "${ac_cv_lib_dl_dlopen+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_lib_dl_dlopen=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_dl_dlopen=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test $ac_cv_lib_dl_dlopen = yes; then + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBDL 1 +_ACEOF + + LIBS="-ldl $LIBS" + +else + have_dl=no +fi + +if test $have_dl = yes; then + LIBS="$LIBS -ldl" +fi + +# Checks for header files. 
+ + + + + +ac_header_dirent=no +for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do + as_ac_Header=`$as_echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5 +$as_echo_n "checking for $ac_hdr that defines DIR... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include <$ac_hdr> + +int +main () +{ +if ((DIR *) 0) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test `eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_hdr" | $as_tr_cpp` 1 +_ACEOF + +ac_header_dirent=$ac_hdr; break +fi + +done +# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. 
+if test $ac_header_dirent = dirent.h; then + { $as_echo "$as_me:$LINENO: checking for library containing opendir" >&5 +$as_echo_n "checking for library containing opendir... " >&6; } +if test "${ac_cv_search_opendir+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char opendir (); +int +main () +{ +return opendir (); + ; + return 0; +} +_ACEOF +for ac_lib in '' dir; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_search_opendir=$ac_res +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_opendir+set}" = set; then + break +fi +done +if test "${ac_cv_search_opendir+set}" = set; then + : +else + ac_cv_search_opendir=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 +$as_echo "$ac_cv_search_opendir" >&6; } +ac_res=$ac_cv_search_opendir +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +else + { $as_echo "$as_me:$LINENO: checking for library containing opendir" >&5 +$as_echo_n "checking for library containing opendir... " >&6; } +if test "${ac_cv_search_opendir+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char opendir (); +int +main () +{ +return opendir (); + ; + return 0; +} +_ACEOF +for ac_lib in '' x; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_search_opendir=$ac_res +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_opendir+set}" = set; then + break +fi +done +if test "${ac_cv_search_opendir+set}" = set; then + : +else + ac_cv_search_opendir=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5 +$as_echo "$ac_cv_search_opendir" >&6; } +ac_res=$ac_cv_search_opendir +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... 
" >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if test "${ac_cv_prog_CPP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + # Broken: fails on valid input. +continue +fi + +rm -f conftest.err conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + # Broken: success on invalid input. +continue +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + # Passes both tests. +ac_preproc_ok=: +break +fi + +rm -f conftest.err conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then + break +fi + + done + ac_cv_prog_CPP=$CPP + +fi + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:$LINENO: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + # Broken: fails on valid input. +continue +fi + +rm -f conftest.err conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + # Broken: success on invalid input. +continue +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + # Passes both tests. +ac_preproc_ok=: +break +fi + +rm -f conftest.err conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. 
+rm -f conftest.err conftest.$ac_ext +if $ac_preproc_ok; then + : +else + { { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." >&5 +$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details." >&2;} + { (exit 1); exit 1; }; } +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5 +$as_echo_n "checking for grep that handles long lines and -e... " >&6; } +if test "${ac_cv_path_GREP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -z "$GREP"; then + ac_path_GREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue +# Check for GNU ac_path_GREP and select it if it is found. 
+ # Check for GNU $ac_path_GREP +case `"$ac_path_GREP" --version 2>&1` in +*GNU*) + ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'GREP' >> "conftest.nl" + "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_GREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_GREP="$ac_path_GREP" + ac_path_GREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_GREP_found && break 3 + done + done +done +IFS=$as_save_IFS + if test -z "$ac_cv_path_GREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } + fi +else + ac_cv_path_GREP=$GREP +fi + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5 +$as_echo "$ac_cv_path_GREP" >&6; } + GREP="$ac_cv_path_GREP" + + +{ $as_echo "$as_me:$LINENO: checking for egrep" >&5 +$as_echo_n "checking for egrep... " >&6; } +if test "${ac_cv_path_EGREP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue +# Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done +done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5 +$as_echo_n "checking for ANSI C header files... " >&6; } +if test "${ac_cv_header_stdc+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#include +#include + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_header_stdc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_header_stdc=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "memchr" >/dev/null 2>&1; then + : +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "free" >/dev/null 2>&1; then + : +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. 
+ if test "$cross_compiling" = yes; then + : +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#if ((' ' & 0x0FF) == 0x020) +# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) +#else +# define ISLOWER(c) \ + (('a' <= (c) && (c) <= 'i') \ + || ('j' <= (c) && (c) <= 'r') \ + || ('s' <= (c) && (c) <= 'z')) +# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) +#endif + +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int +main () +{ + int i; + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) + return 2; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + : +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_header_stdc=no +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + +fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then + +cat >>confdefs.h <<\_ACEOF +#define STDC_HEADERS 1 +_ACEOF + +fi + +# On IRIX 5.3, sys/types and inttypes.h are conflicting. + + + + + + + + + +for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default + +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + eval "$as_ac_Header=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_Header=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test `eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + + + + + + + + + + + + + + +for ac_header in arpa/inet.h fcntl.h memory.h netdb.h netinet/in.h stddef.h stdlib.h string.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h syslog.h unistd.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" 
>&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... 
" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +if test `eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + +# Checks for typedefs, structures, and compiler characteristics. +{ $as_echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5 +$as_echo_n "checking for an ANSI C-conforming const... " >&6; } +if test "${ac_cv_c_const+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ +/* FIXME: Include the comments suggested by Paul. */ +#ifndef __cplusplus + /* Ultrix mips cc rejects this. */ + typedef int charset[2]; + const charset cs; + /* SunOS 4.1.1 cc rejects this. */ + char const *const *pcpcc; + char **ppc; + /* NEC SVR4.0.2 mips cc rejects this. */ + struct point {int x, y;}; + static struct point const zero = {0,0}; + /* AIX XL C 1.02.0.0 rejects this. + It does not let you subtract one const X* pointer from another in + an arm of an if-expression whose if-part is not a constant + expression */ + const char *g = "string"; + pcpcc = &g + (g ? g-g : 0); + /* HPUX 7.0 cc rejects these. */ + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; + { /* SCO 3.2v4 cc rejects this. */ + char *t; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; + if (s) return 0; + } + { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ + int x[] = {25, 17}; + const int *foo = &x[0]; + ++foo; + } + { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. 
*/ + typedef const int *iptr; + iptr p = 0; + ++p; + } + { /* AIX XL C 1.02.0.0 rejects this saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ + struct s { int j; const int *ap[3]; }; + struct s *b; b->j = 5; + } + { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; + if (!foo) return 0; + } + return !cs[0] && !zero.x; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_const=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_c_const=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5 +$as_echo "$ac_cv_c_const" >&6; } +if test $ac_cv_c_const = no; then + +cat >>confdefs.h <<\_ACEOF +#define const /**/ +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking for inline" >&5 +$as_echo_n "checking for inline... " >&6; } +if test "${ac_cv_c_inline+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_c_inline=no +for ac_kw in inline __inline__ __inline; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#ifndef __cplusplus +typedef int foo_t; +static $ac_kw foo_t static_foo () {return 0; } +$ac_kw foo_t foo () {return 0; } +#endif + +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_c_inline=$ac_kw +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + test "$ac_cv_c_inline" != no && break +done + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5 +$as_echo "$ac_cv_c_inline" >&6; } + + +case $ac_cv_c_inline in + inline | yes) ;; + *) + case $ac_cv_c_inline in + no) ac_val=;; + *) ac_val=$ac_cv_c_inline;; + esac + cat >>confdefs.h <<_ACEOF +#ifndef __cplusplus +#define inline $ac_val +#endif +_ACEOF + ;; +esac + +{ $as_echo "$as_me:$LINENO: checking for mode_t" >&5 +$as_echo_n "checking for mode_t... " >&6; } +if test "${ac_cv_type_mode_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_mode_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof (mode_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((mode_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_mode_t=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_mode_t" >&5 +$as_echo "$ac_cv_type_mode_t" >&6; } +if test $ac_cv_type_mode_t = yes; then + : +else + +cat >>confdefs.h <<_ACEOF +#define mode_t int +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking for off_t" >&5 +$as_echo_n "checking for off_t... " >&6; } +if test "${ac_cv_type_off_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_off_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (off_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +int +main () +{ +if (sizeof ((off_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_off_t=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_off_t" >&5 +$as_echo "$ac_cv_type_off_t" >&6; } +if test $ac_cv_type_off_t = yes; then + : +else + +cat >>confdefs.h <<_ACEOF +#define off_t long int +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking for size_t" >&5 +$as_echo_n "checking for size_t... " >&6; } +if test "${ac_cv_type_size_t+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_cv_type_size_t=no +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof (size_t)) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ +if (sizeof ((size_t))) + return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + : +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_size_t=yes +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5 +$as_echo "$ac_cv_type_size_t" >&6; } +if test $ac_cv_type_size_t = yes; then + : +else + +cat >>confdefs.h <<_ACEOF +#define size_t unsigned int +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5 +$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } +if test "${ac_cv_header_time+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. 
*/ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include +#include + +int +main () +{ +if ((struct tm *) 0) +return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_header_time=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_header_time=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5 +$as_echo "$ac_cv_header_time" >&6; } +if test $ac_cv_header_time = yes; then + +cat >>confdefs.h <<\_ACEOF +#define TIME_WITH_SYS_TIME 1 +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5 +$as_echo_n "checking whether struct tm is in sys/time.h or time.h... " >&6; } +if test "${ac_cv_struct_tm+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +#include + +int +main () +{ +struct tm tm; + int *p = &tm.tm_sec; + return !p; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? 
+ grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_struct_tm=time.h +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_struct_tm=sys/time.h +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5 +$as_echo "$ac_cv_struct_tm" >&6; } +if test $ac_cv_struct_tm = sys/time.h; then + +cat >>confdefs.h <<\_ACEOF +#define TM_IN_SYS_TIME 1 +_ACEOF + +fi + + +{ $as_echo "$as_me:$LINENO: checking whether sockaddr_in.sin_len is defined" >&5 +$as_echo_n "checking whether sockaddr_in.sin_len is defined... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +main() +{ + struct sockaddr_in foo; + foo.sin_len = 0; + return 0; +} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define USE_OLD_SOCKADDR 1 +_ACEOF + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +{ $as_echo "$as_me:$LINENO: checking whether in_port_t is defined" >&5 +$as_echo_n "checking whether in_port_t is defined... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +main() +{ + in_port_t foo; + return 0; +} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define in_port_t u_int16_t +_ACEOF + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +{ $as_echo "$as_me:$LINENO: checking whether in_addr_t is defined" >&5 +$as_echo_n "checking whether in_addr_t is defined... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +main() +{ + in_addr_t foo; + return 0; +} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define in_addr_t u_int32_t +_ACEOF + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +{ $as_echo "$as_me:$LINENO: checking whether SA_LEN is defined" >&5 +$as_echo_n "checking whether SA_LEN is defined... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#include +#include +#if !defined SA_LEN +# error _SA_LEN not defined +#endif +main() { return 0;} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define DEFINE_SA_LEN 1 +_ACEOF + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +{ $as_echo "$as_me:$LINENO: checking whether LIST_FIRST is defined" >&5 +$as_echo_n "checking whether LIST_FIRST is defined... " >&6; } +if test "$cross_compiling" = yes; then + { { $as_echo "$as_me:$LINENO: error: cannot cross-compile, bailing out" >&5 +$as_echo "$as_me: error: cannot cross-compile, bailing out" >&2;} + { (exit 1); exit 1; }; } + +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +#include +#if !defined LIST_FIRST +# error LIST_FIRST not defined +#endif +main() { return 0;} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) + +cat >>confdefs.h <<\_ACEOF +#define DEFINE_EXTRA_QUEUE_FUNCTIONS 1 +_ACEOF + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + + +# Checks for library functions. + +{ $as_echo "$as_me:$LINENO: checking whether closedir returns void" >&5 +$as_echo_n "checking whether closedir returns void... " >&6; } +if test "${ac_cv_func_closedir_void+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + ac_cv_func_closedir_void=yes +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header_dirent> +#ifndef __cplusplus +int closedir (); +#endif + +int +main () +{ +return closedir (opendir (".")) != 0; + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_closedir_void=no +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_func_closedir_void=yes +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5 +$as_echo "$ac_cv_func_closedir_void" >&6; } +if test $ac_cv_func_closedir_void = yes; then + +cat >>confdefs.h <<\_ACEOF +#define CLOSEDIR_VOID 1 +_ACEOF + +fi + +if test $ac_cv_c_compiler_gnu = yes; then + { $as_echo "$as_me:$LINENO: checking whether $CC needs -traditional" >&5 +$as_echo_n "checking whether $CC needs -traditional... " >&6; } +if test "${ac_cv_prog_gcc_traditional+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_pattern="Autoconf.*'x'" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include +Autoconf TIOCGETP +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "$ac_pattern" >/dev/null 2>&1; then + ac_cv_prog_gcc_traditional=yes +else + ac_cv_prog_gcc_traditional=no +fi +rm -f conftest* + + + if test $ac_cv_prog_gcc_traditional = no; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include +Autoconf TCGETA +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "$ac_pattern" >/dev/null 2>&1; then + ac_cv_prog_gcc_traditional=yes +fi +rm -f conftest* + + fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_gcc_traditional" >&5 +$as_echo "$ac_cv_prog_gcc_traditional" >&6; } + if test $ac_cv_prog_gcc_traditional = yes; then + CC="$CC -traditional" + fi +fi + +{ $as_echo "$as_me:$LINENO: checking for working memcmp" >&5 +$as_echo_n "checking for working memcmp... " >&6; } +if test "${ac_cv_func_memcmp_working+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + ac_cv_func_memcmp_working=no +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ + + /* Some versions of memcmp are not 8-bit clean. */ + char c0 = '\100', c1 = '\200', c2 = '\201'; + if (memcmp(&c0, &c2, 1) >= 0 || memcmp(&c1, &c2, 1) >= 0) + return 1; + + /* The Next x86 OpenStep bug shows up only when comparing 16 bytes + or more and with at least one buffer not starting on a 4-byte boundary. + William Lewis provided this test program. */ + { + char foo[21]; + char bar[21]; + int i; + for (i = 0; i < 4; i++) + { + char *a = foo + i; + char *b = bar + i; + strcpy (a, "--------01111111"); + strcpy (b, "--------10000000"); + if (memcmp (a, b, 16) >= 0) + return 1; + } + return 0; + } + + ; + return 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_func_memcmp_working=yes +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_func_memcmp_working=no +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_memcmp_working" >&5 +$as_echo "$ac_cv_func_memcmp_working" >&6; } +test $ac_cv_func_memcmp_working = no && case " $LIBOBJS " in + *" memcmp.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS memcmp.$ac_objext" + ;; +esac + + + + +for ac_header in sys/select.h sys/socket.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! 
-s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +if test `eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +{ $as_echo "$as_me:$LINENO: checking types of arguments for select" >&5 +$as_echo_n "checking types of arguments for select... " >&6; } +if test "${ac_cv_func_select_args+set}" = set; then + $as_echo_n "(cached) " >&6 +else + for ac_arg234 in 'fd_set *' 'int *' 'void *'; do + for ac_arg1 in 'int' 'size_t' 'unsigned long int' 'unsigned int'; do + for ac_arg5 in 'struct timeval *' 'const struct timeval *'; do + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +#ifdef HAVE_SYS_SELECT_H +# include +#endif +#ifdef HAVE_SYS_SOCKET_H +# include +#endif + +int +main () +{ +extern int select ($ac_arg1, + $ac_arg234, $ac_arg234, $ac_arg234, + $ac_arg5); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_func_select_args="$ac_arg1,$ac_arg234,$ac_arg5"; break 3 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + done +done +# Provide a safe default value. +: ${ac_cv_func_select_args='int,int *,struct timeval *'} + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_select_args" >&5 +$as_echo "$ac_cv_func_select_args" >&6; } +ac_save_IFS=$IFS; IFS=',' +set dummy `echo "$ac_cv_func_select_args" | sed 's/\*/\*/g'` +IFS=$ac_save_IFS +shift + +cat >>confdefs.h <<_ACEOF +#define SELECT_TYPE_ARG1 $1 +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define SELECT_TYPE_ARG234 ($2) +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define SELECT_TYPE_ARG5 ($3) +_ACEOF + +rm -f conftest* + +{ $as_echo "$as_me:$LINENO: checking return type of signal handlers" >&5 +$as_echo_n "checking return type of signal handlers... " >&6; } +if test "${ac_cv_type_signal+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include +#include + +int +main () +{ +return *(signal (0, 0)) (0) == 1; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_cv_type_signal=int +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_type_signal=void +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_signal" >&5 +$as_echo "$ac_cv_type_signal" >&6; } + +cat >>confdefs.h <<_ACEOF +#define RETSIGTYPE $ac_cv_type_signal +_ACEOF + + + + + + + + + + + + + + + + + + + + + +for ac_func in bzero gettimeofday inet_ntoa memmove memset mkfifo select socket strcasecmp strcspn strdup strerror strncasecmp strspn strstr strtol strtoul tzset strlcpy +do +as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. 
+ Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test `eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +# Optional Arguments + +# Check whether --enable-tripledes was given. +if test "${enable_tripledes+set}" = set; then + enableval=$enable_tripledes; +else + enable_tripledes=yes +fi + +{ $as_echo "$as_me:$LINENO: checking whether to use 3DES" >&5 +$as_echo_n "checking whether to use 3DES... " >&6; } +if test "${enable_tripledes+set}" = set; then + $as_echo_n "(cached) " >&6 +else + enable_tripledes=yes +fi +{ $as_echo "$as_me:$LINENO: result: $enable_tripledes" >&5 +$as_echo "$enable_tripledes" >&6; } +if test $enable_tripledes = yes; then + +cat >>confdefs.h <<\_ACEOF +#define USE_TRIPLEDES 1 +_ACEOF + +fi + +# +# APPSUPPORT is define implicitely when a client of APPSUPPORT is defined. +# +enable_appsupport=no; + +# Check whether --enable-iec90_5 was given. +if test "${enable_iec90_5+set}" = set; then + enableval=$enable_iec90_5; +else + enable_iec90_5=yes +fi + +{ $as_echo "$as_me:$LINENO: checking whether to support IEC 57-61850-90-5" >&5 +$as_echo_n "checking whether to support IEC 57-61850-90-5... 
" >&6; } +if test "${enable_iec90_5+set}" = set; then + $as_echo_n "(cached) " >&6 +else + enable_iec90_5=no +fi +{ $as_echo "$as_me:$LINENO: result: $enable_iec90_5" >&5 +$as_echo "$enable_iec90_5" >&6; } +if test $enable_iec90_5 = yes; then + +cat >>confdefs.h <<\_ACEOF +#define IEC90_5_SUPPORT 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define GDOI_APP_SUPPORT 1 +_ACEOF + + enable_appsupport=yes; +fi + if test $enable_iec90_5 = yes; then + IEC90_5_SUPPORT_TRUE= + IEC90_5_SUPPORT_FALSE='#' +else + IEC90_5_SUPPORT_TRUE='#' + IEC90_5_SUPPORT_FALSE= +fi + + if test $enable_appsupport = yes; then + GDOI_APP_SUPPORT_TRUE= + GDOI_APP_SUPPORT_FALSE='#' +else + GDOI_APP_SUPPORT_TRUE='#' + GDOI_APP_SUPPORT_FALSE= +fi + + +# Check whether --enable-srtp was given. +if test "${enable_srtp+set}" = set; then + enableval=$enable_srtp; +else + enable_srtp=no +fi + +{ $as_echo "$as_me:$LINENO: checking whether to support SRTP" >&5 +$as_echo_n "checking whether to support SRTP... " >&6; } +if test "${enable_srtp+set}" = set; then + $as_echo_n "(cached) " >&6 +else + enable_srtp=no +fi +{ $as_echo "$as_me:$LINENO: result: $enable_srtp" >&5 +$as_echo "$enable_srtp" >&6; } +if test $enable_srtp = yes; then + +cat >>confdefs.h <<\_ACEOF +#define SRTP_SUPPORT 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define GDOI_APP_SUPPORT 1 +_ACEOF + + enable_appsupport=yes; +fi + if test $enable_srtp = yes; then + SRTP_SUPPORT_TRUE= + SRTP_SUPPORT_FALSE='#' +else + SRTP_SUPPORT_TRUE='#' + SRTP_SUPPORT_FALSE= +fi + + if test $enable_appsupport = yes; then + GDOI_APP_SUPPORT_TRUE= + GDOI_APP_SUPPORT_FALSE='#' +else + GDOI_APP_SUPPORT_TRUE='#' + GDOI_APP_SUPPORT_FALSE= +fi + + +# Check whether --enable-aggressive was given. +if test "${enable_aggressive+set}" = set; then + enableval=$enable_aggressive; +else + enable_aggressive=no +fi + +{ $as_echo "$as_me:$LINENO: checking whether to use Phase 1 Agressive Mode" >&5 +$as_echo_n "checking whether to use Phase 1 Agressive Mode... 
" >&6; } +if test "${enable_aggressive+set}" = set; then + $as_echo_n "(cached) " >&6 +else + enable_aggressive=no +fi +{ $as_echo "$as_me:$LINENO: result: $enable_aggressive" >&5 +$as_echo "$enable_aggressive" >&6; } +if test $enable_aggressive = yes; then + +cat >>confdefs.h <<\_ACEOF +#define USE_AGGRESSIVE 1 +_ACEOF + +fi + if test $enable_aggressive = yes; then + USE_AGGRESSIVE_TRUE= + USE_AGGRESSIVE_FALSE='#' +else + USE_AGGRESSIVE_TRUE='#' + USE_AGGRESSIVE_FALSE= +fi + + +# Check whether --enable-debug was given. +if test "${enable_debug+set}" = set; then + enableval=$enable_debug; +else + enable_debug=yes +fi + +{ $as_echo "$as_me:$LINENO: checking whether to use debug" >&5 +$as_echo_n "checking whether to use debug... " >&6; } +if test "${enable_debug+set}" = set; then + $as_echo_n "(cached) " >&6 +else + enable_debug=yes +fi +{ $as_echo "$as_me:$LINENO: result: $enable_debug" >&5 +$as_echo "$enable_debug" >&6; } +if test $enable_debug = yes; then + +cat >>confdefs.h <<\_ACEOF +#define USE_DEBUG 1 +_ACEOF + +fi + +ac_config_files="$ac_config_files Makefile src/Makefile app_client/Makefile" + +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. +# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. 
+# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5 +$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) $as_unset $ac_var ;; + esac ;; + esac + done + + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + test "x$cache_file" != "x/dev/null" && + { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + cat confcache >$cache_file + else + { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. 
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +DEFS=-DHAVE_CONFIG_H + +ac_libobjs= +ac_ltlibobjs= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext" + ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs + +LTLIBOBJS=$ac_ltlibobjs + + +if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. 
+Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_PF_KEY_V2_TRUE}" && test -z "${HAVE_PF_KEY_V2_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_PF_KEY_V2\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_PF_KEY_V2\" was never defined. 
+Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${HAVE_FREESWAN_TRUE}" && test -z "${HAVE_FREESWAN_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"HAVE_FREESWAN\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${USE_LIBCRYPTO_TRUE}" && test -z "${USE_LIBCRYPTO_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LIBCRYPTO\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"USE_LIBCRYPTO\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${IEC90_5_SUPPORT_TRUE}" && test -z "${IEC90_5_SUPPORT_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"IEC90_5_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"IEC90_5_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${GDOI_APP_SUPPORT_TRUE}" && test -z "${GDOI_APP_SUPPORT_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"GDOI_APP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"GDOI_APP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${SRTP_SUPPORT_TRUE}" && test -z "${SRTP_SUPPORT_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"SRTP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." 
>&5 +$as_echo "$as_me: error: conditional \"SRTP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${GDOI_APP_SUPPORT_TRUE}" && test -z "${GDOI_APP_SUPPORT_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"GDOI_APP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"GDOI_APP_SUPPORT\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi +if test -z "${USE_AGGRESSIVE_TRUE}" && test -z "${USE_AGGRESSIVE_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"USE_AGGRESSIVE\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"USE_AGGRESSIVE\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi + +: ${CONFIG_STATUS=./config.status} +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. + +debug=false +ac_cs_recheck=false +ac_cs_silent=false +SHELL=\${CONFIG_SHELL-$SHELL} +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +## --------------------- ## +## M4sh Initialization. 
## +## --------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in + *posix*) set -o posix ;; +esac + +fi + + + + +# PATH needs CR +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + +# Support unset when possible. 
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + as_unset=unset +else + as_unset=false +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +case $0 in + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + { (exit 1); exit 1; } +fi + +# Work around bugs in pre-3.0 UWIN ksh. +for as_var in ENV MAIL MAILPATH +do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# Required to use basename. +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + + +# Name of the executable. +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# CDPATH. 
+$as_unset CDPATH + + + + as_lineno_1=$LINENO + as_lineno_2=$LINENO + test "x$as_lineno_1" != "x$as_lineno_2" && + test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || { + + # Create $as_me.lineno as a copy of $as_myself, but with $LINENO + # uniformly replaced by the line number. The first 'sed' inserts a + # line-number line after each line using $LINENO; the second 'sed' + # does the real work. The second script uses 'N' to pair each + # line-number line with the line containing $LINENO, and appends + # trailing '-' during substitution so that $LINENO is not a special + # case at line end. + # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the + # scripts with optimization help from Paolo Bonzini. Blame Lee + # E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2 + { (exit 1); exit 1; }; } + + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in +-n*) + case `echo 'x\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. 
+ *) ECHO_C='\c';; + esac;; +*) + ECHO_N='-n';; +esac +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -p'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -p' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -p' + fi +else + as_ln_s='cp -p' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 2>/dev/null; then + as_mkdir_p=: +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 + +# Save the log message, to keep $[0] and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. 
+ac_log=" +This file was extended by gdoi.h $as_me 1.5iec, which was +generated by GNU Autoconf 2.62. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +_ACEOF + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" +config_commands="$ac_config_commands" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files from templates according to the +current configuration. + +Usage: $0 [OPTIONS] [FILE]... + + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + -q, --quiet do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Configuration commands: +$config_commands + +Report bugs to ." + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_version="\\ +gdoi.h config.status 1.5iec +configured by $0, generated by GNU Autoconf 2.62, + with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" + +Copyright (C) 2008 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='$ac_pwd' +srcdir='$srcdir' +INSTALL='$INSTALL' +MKDIR_P='$MKDIR_P' +AWK='$AWK' +test -n "\$AWK" || AWK=awk +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. 
+ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + CONFIG_FILES="$CONFIG_FILES '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + CONFIG_HEADERS="$CONFIG_HEADERS '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + { $as_echo "$as_me: error: ambiguous option: $1 +Try \`$0 --help' for more information." >&2 + { (exit 1); exit 1; }; };; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) { $as_echo "$as_me: error: unrecognized option: $1 +Try \`$0 --help' for more information." 
>&2 + { (exit 1); exit 1; }; } ;; + + *) ac_config_targets="$ac_config_targets $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + $as_echo "$ac_log" +} >&5 + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# +# INIT-COMMANDS +# +AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; + "app_client/Makefile") CONFIG_FILES="$CONFIG_FILES app_client/Makefile" ;; + + *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5 +$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;} + { (exit 1); exit 1; }; };; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. 
+if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers + test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= + trap 'exit_status=$? + { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status +' 0 + trap '{ (exit 1); exit 1; }' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. + +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -n "$tmp" && test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || +{ + $as_echo "$as_me: cannot create a temporary directory in ." >&2 + { (exit 1); exit 1; } +} + +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. 
+if test -n "$CONFIG_FILES"; then + + +ac_cr=' ' +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' +else + ac_cs_awk_cr=$ac_cr +fi + +echo 'BEGIN {' >"$tmp/subs1.awk" && +_ACEOF + + +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } +ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` = $ac_delim_num; then + break + elif $ac_last_try; then + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! 
" + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$tmp/subs1.awk" <<\\_ACAWK && +_ACEOF +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\).*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\).*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' >$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" + +} +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \ + || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5 +$as_echo "$as_me: error: could not setup config files machinery" >&2;} + { (exit 1); exit 1; }; } +_ACEOF + +# VPATH may cause trouble with some makes, so we remove $(srcdir), +# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). 
+if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=/{ +s/:*\$(srcdir):*/:/ +s/:*\${srcdir}:*/:/ +s/:*@srcdir@:*/:/ +s/^\([^=]*=[ ]*\):*/\1/ +s/:*$// +s/^[^=]*=[ ]*$// +}' +fi + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$tmp/defines.awk" <<\_ACAWK || +BEGIN { +_ACEOF + +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. + +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_t=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_t"; then + break + elif $ac_last_try; then + { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_HEADERS" >&5 +$as_echo "$as_me: error: could not make $CONFIG_HEADERS" >&2;} + { (exit 1); exit 1; }; } + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done + +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. 
+ +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' >$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + prefix = substr(line, 1, index(line, defundef) - 1) + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. 
+ if (defundef == "undef") { + print "/*", line, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + { { $as_echo "$as_me:$LINENO: error: could not setup config headers machinery" >&5 +$as_echo "$as_me: error: could not setup config headers machinery" >&2;} + { (exit 1); exit 1; }; } +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5 +$as_echo "$as_me: error: Invalid tag $ac_tag." >&2;} + { (exit 1); exit 1; }; };; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5 +$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;} + { (exit 1); exit 1; }; };; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + ac_file_inputs="$ac_file_inputs '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. 
$configure_input" + { $as_echo "$as_me:$LINENO: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} + fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$tmp/stdin" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir="$ac_dir" + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + + case $INSTALL in + [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; + *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; + esac + ac_MKDIR_P=$MKDIR_P + case $MKDIR_P in + [\\/$]* | ?:[\\/]* ) ;; + */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; + esac +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. 
+# FIXME: This hack should be removed a few years after 2.60. +ac_datarootdir_hack=; ac_datarootdir_seen= + +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p +' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac +_ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +s&@INSTALL@&$ac_INSTALL&;t t +s&@MKDIR_P@&$ac_MKDIR_P&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n 
'/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined." >&2;} + + rm -f "$tmp/stdin" + case $ac_file in + -) cat "$tmp/out" && rm -f "$tmp/out";; + *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";; + esac \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" + } >"$tmp/config.h" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:$LINENO: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$tmp/config.h" "$ac_file" \ + || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5 +$as_echo "$as_me: error: could not create $ac_file" >&2;} + { (exit 1); exit 1; }; } + fi + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \ + || { { $as_echo "$as_me:$LINENO: error: could not create -" >&5 +$as_echo "$as_me: error: could not create -" >&2;} + { (exit 1); exit 1; }; } + fi +# Compute "$ac_file"'s index in $config_headers. 
+_am_stamp_count=1 +for _am_header in $config_headers :; do + case $_am_header in + "$ac_file" | "$ac_file":* ) + break ;; + * ) + _am_stamp_count=`expr $_am_stamp_count + 1` ;; + esac +done +echo "timestamp for "$ac_file"" >`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'`/stamp-h$_am_stamp_count + ;; + + :C) { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5 +$as_echo "$as_me: executing $ac_file commands" >&6;} + ;; + esac + + + case $ac_file$ac_mode in + "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named `Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then + dirpart=`$as_dirname -- "$mf" || +$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$mf" : 'X\(//\)[^/]' \| \ + X"$mf" : 'X\(//\)$' \| \ + X"$mf" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$mf" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running `make'. + DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # When using ansi2knr, U may be empty or an underscore; expand it + U=`sed -n 's/^U = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`$as_dirname -- "$file" || +$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$file" : 'X\(//\)[^/]' \| \ + X"$file" : 'X\(//\)$' \| \ + X"$file" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + { as_dir=$dirpart/$fdir + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5 +$as_echo "$as_me: error: cannot create directory $as_dir" >&2;} + { (exit 1); exit 1; }; }; } + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done +done + ;; + + esac +done # for ac_tag + + +{ (exit 0); exit 0; } +_ACEOF +chmod +x $CONFIG_STATUS +ac_clean_files=$ac_clean_files_save + +test $ac_write_fail = 0 || + { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;} + { (exit 1); exit 1; }; } + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. 
So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. +if test "$no_create" != yes; then + ac_cs_success=: + ac_config_status_args= + test "$silent" = yes && + ac_config_status_args="$ac_config_status_args --quiet" + exec 5>/dev/null + $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || { (exit 1); exit 1; } +fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:$LINENO: WARNING: Unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2;} +fi + diff --git a/configure.in b/configure.in new file mode 100644 index 0000000..43ded19 --- /dev/null +++ b/configure.in 
@@ -0,0 +1,439 @@ +dnl $Id: configure.in,v 1.6.2.4 2011/12/12 23:15:28 bew Exp $ +dnl $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/configure.in,v $ + +dnl +dnl The license applies to all software incorporated in the "Cisco GDOI reference +dnl implementation" except for those portions incorporating third party software +dnl specifically identified as being licensed under separate license. +dnl +dnl +dnl The Cisco Systems Public Software License, Version 1.0 +dnl Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. +dnl Subject to the following terms and conditions, Cisco Systems, Inc., +dnl hereby grants you a worldwide, royalty-free, nonexclusive, license, +dnl subject to third party intellectual property claims, to create +dnl derivative works of the Licensed Code and to reproduce, display, +dnl perform, sublicense, distribute such Licensed Code and derivative works. +dnl All rights not expressly granted herein are reserved. +dnl 1. Redistributions of source code must retain the above +dnl copyright notice, this list of conditions and the following +dnl disclaimer. +dnl 2. Redistributions in binary form must reproduce the above +dnl copyright notice, this list of conditions and the following +dnl disclaimer in the documentation and/or other materials +dnl provided with the distribution. +dnl 3. The names Cisco and "Cisco GDOI reference implementation" must not +dnl be used to endorse or promote products derived from this software without +dnl prior written permission. For written permission, please contact +dnl opensource@cisco.com. +dnl 4. Products derived from this software may not be called +dnl "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +dnl "Cisco GDOI reference implementation" appear in +dnl their name, without prior written permission of Cisco Systems, Inc. 
+dnl THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +dnl WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +dnl WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +dnl PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +dnl SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +dnl INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +dnl DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +dnl SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +dnl BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +dnl LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +dnl (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +dnl THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +dnl SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +dnl LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +dnl PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +dnl LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +dnl LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +dnl EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +dnl AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +dnl THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +dnl (US$5,000). +dnl +dnl ==================================================================== +dnl This software consists of voluntary contributions made by Cisco Systems, +dnl Inc. and many individuals on behalf of Cisco Systems, Inc. For more +dnl information on Cisco Systems, Inc., please see . +dnl +dnl This product includes software developed by Ericsson Radio Systems. +dnl + +AC_PREREQ(2.13) +AC_INIT(gdoi.h, 1.5iec) +AC_CONFIG_AUX_DIR(config) +AM_INIT_AUTOMAKE(gdoid, 1.5iec) +AM_CONFIG_HEADER(config.h) +AC_CANONICAL_HOST + +# Checks for programs. 
+ +AC_PROG_AWK +AC_PROG_CC + +# Host-specific checks + +case "$build_os" in + linux*) + CFLAGS="$CFLAGS -DSYMBOL_PREFIX='\"_\"' -DKAME -DLINUX_PFKEY" + # No more support for FreeS/WAN ... require a 2.6 kernel and ipsec_tools. + AM_CONDITIONAL(HAVE_FREESWAN, false) + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AC_DEFINE(SEED_RNG, 1, Initialize the RNG) + ;; + darwin*) + CFLAGS="$CFLAGS -DHAVE_GETNAMEINFO -DHAVE_PCAP -DOPENBSD_PFKEY_EXT -DOSX" + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AM_CONDITIONAL(HAVE_FREESWAN, false) + ;; + openbsd*) + CFLAGS="$CFLAGS -DHAVE_GETNAMEINFO -DHAVE_PCAP -DOPENBSD_PFKEY_EXT" + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AM_CONDITIONAL(HAVE_FREESWAN, false) + + # Determine if this release has the old or new PF_KEY extension symbols. + AC_MSG_CHECKING(whether old PF_KEY Extension symbols are defined) + AC_TRY_RUN( + [ +#include +#include +#if !defined FLOW_X_TYPE_REQUIRE +#error FLOW_X_TYPE_REQUIRE not defined +#endif +main() { return 0;} + ], + [AC_MSG_RESULT(yes) + AC_DEFINE(OLD_OPENBSD_PFKEY_EXT, 1, [Old OpenBSD PF_KEY Extensions])], + [AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])]) + ;; + freebsd*) + CFLAGS="$CFLAGS -DKAME -DFREEBSD_PFKEY_EXT" + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AM_CONDITIONAL(HAVE_FREESWAN, false) + AC_DEFINE(OPEN_FIFO_RDRW, 1, [Need to open FIFO with O_RDRW]) + ;; +dnl Should be bsdi and netbsd. +dnl Actually, should be replaced with a few tests. + bsdi*) + CFLAGS="$CFLAGS -DKAME -DNETBSD_PFKEY_EXT" + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AM_CONDITIONAL(HAVE_FREESWAN, false) + ;; + *) + # Set the basics for a BSD system + AM_CONDITIONAL(HAVE_PF_KEY_V2, true) + AM_CONDITIONAL(HAVE_FREESWAN, false) + ;; +esac + +# Checks for libraries. + +# +# Libcrypto is required +# +# The --with-ssl-dir option and associated code was taken from OpenSSH. 
+# + +# The big search for OpenSSL +AC_ARG_WITH(ssl-dir, + [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], + [ + if test "x$withval" != "xno" ; then + tryssldir=$withval + fi + ] +) + +saved_LIBS="$LIBS" +saved_LDFLAGS="$LDFLAGS" +saved_CPPFLAGS="$CPPFLAGS" +if test "x$prefix" != "xNONE" ; then + tryssldir="$tryssldir $prefix" +fi +AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ + for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do + CPPFLAGS="$saved_CPPFLAGS" + LDFLAGS="$saved_LDFLAGS" + LIBS="$saved_LIBS -lcrypto" + + # Skip directories if they don't exist + if test ! -z "$ssldir" -a ! -d "$ssldir" ; then + continue; + fi + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir/lib $LDFLAGS" + fi + else + LDFLAGS="-L$ssldir $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir $LDFLAGS" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" + else + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" + fi + fi + + # Basic test to check for compatible version and correct linking + # *does not* test for RSA - that comes later. + AC_TRY_RUN( + [ +#include +#include +#include +int main(void) +{ + char a[2048]; + SHA256_CTX c; + SHA256_Init(&c); + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); +} + ], + [ + found_crypto=1 + break; + ], + [], + [ + AC_MSG_ERROR([Cross-compiling not supported]) + ] + ) + + if test ! -z "$found_crypto" ; then + break; + fi + done + + if test -z "$found_crypto" ; then + AC_MSG_ERROR([Could not find working + OpenSSL library, including SHA256. + Must have openssl-0.9.8a or higher. 
+ please install, or check config.log. + If it is installed in an unusual place, + specify the path --with-ssl-dir=]) + fi + if test -z "$ssldir" ; then + ssldir="(system)" + fi + + ac_cv_openssldir=$ssldir +]) + +if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then + dnl Need to recover ssldir - test above runs in subshell + ssldir=$ac_cv_openssldir + if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then + # Try to use $ssldir/lib if it exists, otherwise + # $ssldir + if test -d "$ssldir/lib" ; then + LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir/lib $LDFLAGS" + fi + else + LDFLAGS="-L$ssldir $saved_LDFLAGS" + if test ! -z "$need_dash_r" ; then + LDFLAGS="-R$ssldir $LDFLAGS" + fi + fi + # Try to use $ssldir/include if it exists, otherwise + # $ssldir + if test -d "$ssldir/include" ; then + CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" + else + CPPFLAGS="-I$ssldir $saved_CPPFLAGS" + fi + fi +fi +LIBS="-lc $saved_LIBS -lcrypto" + +AM_CONDITIONAL(USE_LIBCRYPTO, true) + +# +# Check for dlopen, which might be needed by libcrypto. If present, use +# dynamic libraries. +# +have_dl=yes +AC_CHECK_LIB(dl, dlopen, , [have_dl=no]) +if test $have_dl = yes; then + LIBS="$LIBS -ldl" +fi + +# Checks for header files. +AC_HEADER_DIRENT +AC_HEADER_STDC +AC_CHECK_HEADERS([arpa/inet.h fcntl.h memory.h netdb.h netinet/in.h stddef.h stdlib.h string.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h syslog.h unistd.h]) + +# Checks for typedefs, structures, and compiler characteristics. 
+AC_C_CONST +AC_C_INLINE +AC_TYPE_MODE_T +AC_TYPE_OFF_T +AC_TYPE_SIZE_T +AC_HEADER_TIME +AC_STRUCT_TM + +AC_MSG_CHECKING(whether sockaddr_in.sin_len is defined) +AC_TRY_RUN([ +#include +#include +main() +{ + struct sockaddr_in foo; + foo.sin_len = 0; + return 0; +} + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(USE_OLD_SOCKADDR, 1, [Old Sockaddr Definition]) + AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])] + ) + +AC_MSG_CHECKING(whether in_port_t is defined) +AC_TRY_RUN([ +#include +#include +main() +{ + in_port_t foo; + return 0; +} + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE([in_port_t], u_int16_t, [Not defined in ]) + AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])] + ) + +AC_MSG_CHECKING(whether in_addr_t is defined) +AC_TRY_RUN([ +#include +#include +main() +{ + in_addr_t foo; + return 0; +} +], + [AC_MSG_RESULT(yes)], + [AC_DEFINE([in_addr_t], u_int32_t, [Not defined in ]) + AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])] + ) + +AC_MSG_CHECKING(whether SA_LEN is defined) +AC_TRY_RUN([ +#include +#include +#include +#if !defined SA_LEN +# error _SA_LEN not defined +#endif +main() { return 0;} +], + [AC_MSG_RESULT(yes)], + [AC_DEFINE([DEFINE_SA_LEN], 1, [Sockaddr Length]) + AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])] + ) + +AC_MSG_CHECKING(whether LIST_FIRST is defined) +AC_TRY_RUN([ +#include +#if !defined LIST_FIRST +# error LIST_FIRST not defined +#endif +main() { return 0;} +], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(DEFINE_EXTRA_QUEUE_FUNCTIONS, 1, + [Use missing queue.h definitions]) + AC_MSG_RESULT(no)], + [AC_MSG_ERROR([cannot cross-compile, bailing out])] + ) + +# Checks for library functions. 
+ +AC_FUNC_CLOSEDIR_VOID +AC_PROG_GCC_TRADITIONAL +AC_FUNC_MEMCMP +AC_FUNC_SELECT_ARGTYPES +AC_TYPE_SIGNAL +AC_CHECK_FUNCS([bzero gettimeofday inet_ntoa memmove memset mkfifo select socket strcasecmp strcspn strdup strerror strncasecmp strspn strstr strtol strtoul tzset strlcpy]) + +# Optional Arguments + +AC_ARG_ENABLE(tripledes, + [ --enable-tripledes Enable support of 3DES [yes]], + [], [enable_tripledes=yes]) +AC_CACHE_CHECK([whether to use 3DES], enable_tripledes, [enable_tripledes=yes]) +if test $enable_tripledes = yes; then + AC_DEFINE(USE_TRIPLEDES, 1, [3DES Support]) +fi + +# +# APPSUPPORT is define implicitely when a client of APPSUPPORT is defined. +# +enable_appsupport=no; + +AC_ARG_ENABLE(iec90_5, + [ --enable-iec90-5 Enable support of IEC 57-61850-90-5 [yes]], + [], [enable_iec90_5=yes]) +AC_CACHE_CHECK([whether to support IEC 57-61850-90-5], + enable_iec90_5, + [enable_iec90_5=no]) +if test $enable_iec90_5 = yes; then + AC_DEFINE(IEC90_5_SUPPORT, 1, [IEC 57-61850-90-5 Support]) + AC_DEFINE(GDOI_APP_SUPPORT, 1, [GDOI Application Interface support]) + enable_appsupport=yes; +fi +AM_CONDITIONAL(IEC90_5_SUPPORT, test $enable_iec90_5 = yes) +AM_CONDITIONAL(GDOI_APP_SUPPORT, test $enable_appsupport = yes) + +AC_ARG_ENABLE(srtp, + [ --enable-srtp Enable support of SRTP [no]], + [], [enable_srtp=no]) +AC_CACHE_CHECK([whether to support SRTP], + enable_srtp, + [enable_srtp=no]) +if test $enable_srtp = yes; then + AC_DEFINE(SRTP_SUPPORT, 1, [SRTP Support]) + AC_DEFINE(GDOI_APP_SUPPORT, 1, [GDOI Application Interface support]) + enable_appsupport=yes; +fi +AM_CONDITIONAL(SRTP_SUPPORT, test $enable_srtp = yes) +AM_CONDITIONAL(GDOI_APP_SUPPORT, test $enable_appsupport = yes) + +AC_ARG_ENABLE(aggressive, + [ --enable-aggressive Enable support of Phase 1 Aggressive Mode [no]], + [], [enable_aggressive=no]) +AC_CACHE_CHECK([whether to use Phase 1 Agressive Mode], enable_aggressive, + [enable_aggressive=no]) +if test $enable_aggressive = yes; then + 
AC_DEFINE(USE_AGGRESSIVE, 1, [Phase 1 Agressive Support]) +fi +AM_CONDITIONAL(USE_AGGRESSIVE, test $enable_aggressive = yes) + +AC_ARG_ENABLE(debug, + [ --enable-debug Enable debug [yes]], + [], [enable_debug=yes]) +AC_CACHE_CHECK([whether to use debug], enable_debug, [enable_debug=yes]) +if test $enable_debug = yes; then + AC_DEFINE(USE_DEBUG, 1, [Debugging]) +fi + +AC_OUTPUT(Makefile src/Makefile app_client/Makefile) diff --git a/samples/iec90-5/CVS/Entries b/samples/iec90-5/CVS/Entries new file mode 100644 index 0000000..dd94352 --- /dev/null +++ b/samples/iec90-5/CVS/Entries @@ -0,0 +1,5 @@ +/START_CLIENT/1.1.2.1/Mon Dec 12 23:49:35 2011//TIEC90-5 +/START_KS/1.1.2.1/Mon Dec 12 23:49:35 2011//TIEC90-5 +/gdoi_client.conf/1.1.2.1/Mon Dec 12 23:49:35 2011//TIEC90-5 +/gdoi_ks.conf/1.1.2.1/Mon Dec 12 23:49:35 2011//TIEC90-5 +D diff --git a/samples/iec90-5/CVS/Repository b/samples/iec90-5/CVS/Repository new file mode 100644 index 0000000..a987af5 --- /dev/null +++ b/samples/iec90-5/CVS/Repository @@ -0,0 +1 @@ +gdoi/samples/iec90-5 diff --git a/samples/iec90-5/CVS/Root b/samples/iec90-5/CVS/Root new file mode 100644 index 0000000..6311e3e --- /dev/null +++ b/samples/iec90-5/CVS/Root @@ -0,0 +1 @@ +:ext:bew@irp-view12.cisco.com:/nfs/cscbz/gdoi/gdoicvs diff --git a/samples/iec90-5/CVS/Tag b/samples/iec90-5/CVS/Tag new file mode 100644 index 0000000..6586d9e --- /dev/null +++ b/samples/iec90-5/CVS/Tag @@ -0,0 +1 @@ +TIEC90-5 diff --git a/samples/iec90-5/START_CLIENT b/samples/iec90-5/START_CLIENT new file mode 100755 index 0000000..d8864bc --- /dev/null +++ b/samples/iec90-5/START_CLIENT @@ -0,0 +1,6 @@ +#!/bin/sh +# $Id: START_CLIENT,v 1.1.2.1 2011/12/12 23:49:35 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/iec90-5/Attic/START_CLIENT,v $ + +DIR=../.. +${DIR}/src/gdoid -d -n -DA=99 -f/tmp/isakmpd.fifo -cgdoi_client.conf diff --git a/samples/iec90-5/START_KS b/samples/iec90-5/START_KS new file mode 100755 index 0000000..42375eb --- /dev/null 
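Review bot: Debugging is compiled in unless the builder opts out: in the `--enable-debug` block at the end of configure.in the fallback is `[], [enable_debug=yes])`, so a plain `./configure` defines `USE_DEBUG`. For a key-management daemon whose sample scripts also pass `-DA=99`, that makes verbose exchange logging the shipped default; whether those logs can contain key material is not visible here and should be checked in the daemon. I would flip the fallback to `[], [enable_debug=no])` and change the help text to `[no]`. Separately, `AC_CACHE_CHECK(..., enable_iec90_5, [enable_iec90_5=no])` contradicts the `yes` default set just above it, and `AM_CONDITIONAL(GDOI_APP_SUPPORT, ...)` is declared twice.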
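Review bot: The daemon's control FIFO is given a fixed name in a world-writable directory, `-f/tmp/isakmpd.fifo`, so any local user can create that path before gdoid starts. How gdoid creates and opens the FIFO is not visible in this hunk, so it should be confirmed that a pre-existing file or loose permissions are rejected. For the samples I would point it at a directory only the invoking user can write, e.g. `-f"${GDOI_RUNDIR:-.}/isakmpd.fifo"`, where `GDOI_RUNDIR` is a name made up for this note. The same applies to samples/iec90-5/START_KS and to both start scripts under samples/loopback.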
+++ b/samples/iec90-5/START_KS
@@ -0,0 +1,19 @@
+#!/bin/sh
+# $Id: START_KS,v 1.1.2.1 2011/12/12 23:49:35 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/iec90-5/Attic/START_KS,v $
+
+#
+# Create a second loopback. The syntax varies per system. Uncomment the
+# appropriate line below.
+# For OS X, use the following line
+ifconfig lo0 127.0.0.2 alias
+#
+# For Linux, use the following line
+# ifconfig lo:1 127.0.0.2
+#
+# For BSD, use the following line
+# ifconfig lo1 127.0.0.2
+#
+
+DIR=../..
+${DIR}/src/gdoid -d -n -DA=99 -f/tmp/isakmpd2.fifo -cgdoi_ks.conf
diff --git a/samples/iec90-5/gdoi_client.conf b/samples/iec90-5/gdoi_client.conf
new file mode 100644
index 0000000..1bef0b9
--- /dev/null
+++ b/samples/iec90-5/gdoi_client.conf
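Review bot: The header comment tells the user to uncomment the line matching the host OS, yet the OS X line `ifconfig lo0 127.0.0.2 alias` ships already active, unlike samples/loopback/START_KS where all three variants are commented out. On Linux or BSD that command will fail or do something other than intended, and because the script does not stop on error, gdoid is still started with the 127.0.0.2 address possibly unconfigured. Either ship it as `# ifconfig lo0 127.0.0.2 alias` to match the instructions, or choose the command from `uname -s` and exit when it fails.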
@@ -0,0 +1,73 @@
+# $Id: gdoi_client.conf,v 1.1.2.1 2011/12/12 23:49:35 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/iec90-5/Attic/gdoi_client.conf,v $
+
+#
+# A configuration sample for testing GDOI over loopback interfaces.
+# This is the client (group member) side.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 127.0.0.1
+check-interval= 60
+GDOI-application-client-support= 1
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+127.0.0.2= GDOI-key-server
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+#Connections= Group-1234
+#
+# Make passive for TIDP becasuse we don't start until the client asks for
+# keys.
+#
+Passive-Connections= Group-1234
+
+[GDOI-key-server]
+Phase= 1
+Transport= udp
+Local-address= 127.0.0.1
+Address= 127.0.0.2
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+ISAKMP-peer= GDOI-key-server
+Configuration= Default-group-mode
+ID-type= IEC90_5
+OID= 61850_UDP_ADDR_GOOSE
+Address= 239.192.1.1
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,30:120
+
+# Group mode description
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
diff --git a/samples/iec90-5/gdoi_ks.conf b/samples/iec90-5/gdoi_ks.conf
new file mode 100644
index 0000000..f82ff54
--- /dev/null
+++ b/samples/iec90-5/gdoi_ks.conf
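Review bot: The `[GDOI-key-server]` section carries a literal pre-shared key, `Authentication= mekmitasdigoat`, with nothing marking it as a placeholder. Sample configurations tend to be copied into deployments, and a key published in the source tree authenticates nobody once the peers are no longer both on loopback. I would add a comment directly above it, `# SAMPLE ONLY: replace this pre-shared key before using any non-loopback address`. The same literal appears in samples/iec90-5/gdoi_ks.conf and in both configuration files under samples/loopback.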
@@ -0,0 +1,94 @@
+# $Id: gdoi_ks.conf,v 1.1.2.1 2011/12/12 23:49:35 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/iec90-5/Attic/gdoi_ks.conf,v $
+
+#
+# A configuration sample for testing GDOI over loopback interfaces.
+# This is the key server side.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 127.0.0.2
+#GDOI-application-client-support= 1
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+127.0.0.1= ISAKMP-peer-client
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Passive-Connections= Group-1234
+
+[ISAKMP-peer-client]
+Phase= 1
+Transport= udp
+Local-address= 127.0.0.2
+Address= 127.0.0.1
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+Configuration= IEC90_5_group_1
+ID-type= IEC90_5
+OID= 61850_UDP_ADDR_GOOSE
+Address= 239.192.1.1
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,30:120
+
+[LIFE_120_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 120,90:180
+
+# GDOI description
+
+# Group mode description
+
+[IEC90_5_group_1]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+Crypto-protocol= PROTO_IEC90_5
+#
+# No SA-KEK is defined for the loopback sample.
+# Rekey messages don't always work across the loopbacks.
+#
+SA-TEKS= GROUP1-TEK1
+
+# Src-ID and Dst-ID are the addresses/posrts for the UDP packet.
+[GROUP1-TEK1]
+Src-ID= Group-tek1-src
+Dst-ID= Group-tek1-dst
+
+[Group-tek1-src]
+ID-type= IPV4_ADDR
+Address= 172.19.137.42
+Port= 1024
+
+[Group-tek1-dst]
+ID-type= IPV4_ADDR
+Address= 239.192.1.1
+Port= 1024
+
diff --git a/samples/loopback/CVS/Entries b/samples/loopback/CVS/Entries
new file mode 100644
index 0000000..194c5a8
--- /dev/null
+++ b/samples/loopback/CVS/Entries
@@ -0,0 +1,7 @@
+/START_CLIENT/1.3/Tue Oct 11 17:57:25 2005//TIEC90-5
+/START_KS/1.4/Wed Mar 21 20:02:55 2007//TIEC90-5
+/gdoi_client.conf/1.4/Tue Oct 11 17:57:25 2005//TIEC90-5
+/gdoi_ks.conf/1.5.2.1/Mon Dec 5 20:26:53 2011//TIEC90-5
+/sample_output_client/1.3/Fri Jul 25 03:56:19 2003//TIEC90-5
+/sample_output_ks/1.3/Fri Jul 25 03:56:20 2003//TIEC90-5
+D
diff --git a/samples/loopback/CVS/Repository b/samples/loopback/CVS/Repository
new file mode 100644
index 0000000..2546d69
--- /dev/null
+++ b/samples/loopback/CVS/Repository
@@ -0,0 +1 @@
+gdoi/samples/loopback
diff --git a/samples/loopback/CVS/Root b/samples/loopback/CVS/Root
new file mode 100644
index 0000000..6311e3e
--- /dev/null
+++ b/samples/loopback/CVS/Root
@@ -0,0 +1 @@
+:ext:bew@irp-view12.cisco.com:/nfs/cscbz/gdoi/gdoicvs
diff --git a/samples/loopback/CVS/Tag b/samples/loopback/CVS/Tag
new file mode 100644
index 0000000..6586d9e
--- /dev/null
+++ b/samples/loopback/CVS/Tag
@@ -0,0 +1 @@
+TIEC90-5
diff --git a/samples/loopback/START_CLIENT b/samples/loopback/START_CLIENT
new file mode 100755
index 0000000..67088e5
--- /dev/null
+++ b/samples/loopback/START_CLIENT
@@ -0,0 +1,5 @@
+#!/bin/sh
+# $Id: START_CLIENT,v 1.3 2005/10/11 17:57:25 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/START_CLIENT,v $
+
+../../src/gdoid -d -n -DA=59 -f/tmp/isakmpd.fifo -cgdoi_client.conf
diff --git a/samples/loopback/START_KS b/samples/loopback/START_KS
new file mode 100755
index 0000000..6be2d2a
--- /dev/null
+++ b/samples/loopback/START_KS
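Review bot: The key server's only phase 1 proposal, `[3DES-SHA]`, fixes `3DES_CBC`, `SHA` and `MODP_1024` together with `PRE_SHARED` authentication and says nothing about these being test values. Since the key server sets policy for the whole group, I would add above that section `# Legacy transforms for loopback testing only; pick the strongest suite both peers support before deployment`. `[GROUP1-TEK1]` here also has no `TEK_Suite` or `Life` entry, unlike the loopback sample, which leaves `[LIFE_120_SECS]` unreferenced in this file; a one-line comment saying where the IEC 90-5 TEK parameters come from would help. The same `[3DES-SHA]` section is repeated in the other three sample configuration files.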
@@ -0,0 +1,18 @@
+#!/bin/sh
+# $Id: START_KS,v 1.4 2007/03/21 20:02:55 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/START_KS,v $
+
+#
+# Create a second loopback. The syntax varies per system. Uncomment the
+# appropriate line below.
+# For OS X, use the following line
+# ifconfig lo0 127.0.0.2 alias
+#
+# For Linux, use the following line
+# ifconfig lo:1 127.0.0.2
+#
+# For BSD, use the following line
+# ifconfig lo1 127.0.0.2
+#
+
+../../src/gdoid -d -n -DA=59 -f/tmp/isakmpd2.fifo -cgdoi_ks.conf
diff --git a/samples/loopback/gdoi_client.conf b/samples/loopback/gdoi_client.conf
new file mode 100644
index 0000000..c44d302
--- /dev/null
+++ b/samples/loopback/gdoi_client.conf
@@ -0,0 +1,69 @@
+# $Id: gdoi_client.conf,v 1.4 2005/10/11 17:57:25 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/gdoi_client.conf,v $
+
+#
+# A configuration sample for testing GDOI over loopback interfaces.
+# This is the client (group member) side.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 127.0.0.1
+check-interval= 60
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+127.0.0.2= GDOI-key-server
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Connections= Group-1234
+
+[GDOI-key-server]
+Phase= 1
+Transport= udp
+Local-address= 127.0.0.1
+Address= 127.0.0.2
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+ISAKMP-peer= GDOI-key-server
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,30:120
+
+# Group mode description
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
diff --git a/samples/loopback/gdoi_ks.conf b/samples/loopback/gdoi_ks.conf
new file mode 100644
index 0000000..b497bd6
--- /dev/null
+++ b/samples/loopback/gdoi_ks.conf
@@ -0,0 +1,110 @@
+# $Id: gdoi_ks.conf,v 1.5.2.1 2011/12/05 20:26:53 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/loopback/gdoi_ks.conf,v $
+
+#
+# A configuration sample for testing GDOI over loopback interfaces.
+# This is the key server side.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 127.0.0.2
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+127.0.0.1= ISAKMP-peer-client
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Passive-Connections= Group-1234
+
+[ISAKMP-peer-client]
+Phase= 1
+Transport= udp
+Local-address= 127.0.0.2
+Address= 127.0.0.1
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+Configuration= Default-group-mode
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Group mode description
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+# Mark this as an IPsec group. TEKs can then be either ESP or AH.
+Crypto-protocol= PROTO_IPSEC_ESP
+
+SA-TEKS= GROUP1-TEK1
+GROUP-POLICY= GROUP1-GP
+
+[GROUP1-GP]
+ATD= 60
+DTD= 90
+SID-SIZE= 16
+
+# Src-ID and Dst-ID are the addresses for the IP ESP packet.
+[GROUP1-TEK1]
+Src-ID= Group-tek1-src
+Dst-ID= Group-tek1-dst
+TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
+
+[Group-tek1-src]
+ID-type= IPV4_ADDR
+Address= 172.19.137.42
+Port= 1024
+
+[Group-tek1-dst]
+ID-type= IPV4_ADDR
+Address= 239.192.1.1
+Port= 1024
+
+# Main mode transforms
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,30:120
+
+[LIFE_120_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 120,90:180
+
+# GDOI description
+
+[GDOI-ESP-3DES-SHA-SUITE]
+PROTOCOL_ID= IPSEC_ESP
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TUNNEL
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_120_SECS
+ADDRESS_PRESERVATION= DESTINATION_ONLY
+SA_DIRECTION= RECEIVER_ONLY
+
+# Certificates stored in PEM format
+# NOTE: Directory name must have trailing "/"!
+#[X509-certificates]
+#CA-directory= /Some/Directory
diff --git a/samples/loopback/sample_output_client b/samples/loopback/sample_output_client
new file mode 100644
index 0000000..49a19d7
--- /dev/null
+++ b/samples/loopback/sample_output_client
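Review bot: The commented X.509 example at the end of the file contradicts its own warning: the note says the directory name must have a trailing "/", but the next line is `#CA-directory= /Some/Directory` without one. Anyone moving from the pre-shared key to certificate authentication by uncommenting it starts from a path the note itself calls invalid. Write the example as `#CA-directory= /Some/Directory/`.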
@@ -0,0 +1,3332 @@ +121653.668940 Default log_debug_cmd: log level changed from 0 to 99 for class 0 +121653.670087 Default log_debug_cmd: log level changed from 0 to 99 for class 1 +121653.670145 Default log_debug_cmd: log level changed from 0 to 99 for class 2 +121653.670188 Default log_debug_cmd: log level changed from 0 to 99 for class 3 +121653.670230 Default log_debug_cmd: log level changed from 0 to 99 for class 4 +121653.670271 Default log_debug_cmd: log level changed from 0 to 99 for class 5 +121653.670313 Default log_debug_cmd: log level changed from 0 to 99 for class 6 +121653.670354 Default log_debug_cmd: log level changed from 0 to 99 for class 7 +121653.670396 Default log_debug_cmd: log level changed from 0 to 99 for class 8 +121653.670437 Default log_debug_cmd: log level changed from 0 to 99 for class 9 +121653.951293 Misc 40 conf_load_defaults : main mode DES-MD5 +121653.951423 Misc 40 conf_load_defaults : main mode DES-MD5-DSS +121653.951521 Misc 40 conf_load_defaults : main mode DES-MD5-RSA_SIG +121653.951616 Misc 40 conf_load_defaults : main mode DES-SHA +121653.951711 Misc 40 conf_load_defaults : main mode DES-SHA-DSS +121653.951862 Misc 40 conf_load_defaults : main mode DES-SHA-RSA_SIG +121653.951970 Misc 40 conf_load_defaults : main mode BLF-MD5 +121653.952070 Misc 40 conf_load_defaults : main mode BLF-MD5-DSS +121653.952169 Misc 40 conf_load_defaults : main mode BLF-MD5-RSA_SIG +121653.952268 Misc 40 conf_load_defaults : main mode BLF-SHA +121653.952367 Misc 40 conf_load_defaults : main mode BLF-SHA-DSS +121653.952466 Misc 40 conf_load_defaults : main mode BLF-SHA-RSA_SIG +121653.952622 Misc 40 conf_load_defaults : main mode 3DES-MD5 +121653.952731 Misc 40 conf_load_defaults : main mode 3DES-MD5-DSS +121653.952828 Misc 40 conf_load_defaults : main mode 3DES-MD5-RSA_SIG +121653.952924 Misc 40 conf_load_defaults : main mode 3DES-SHA +121653.953068 Misc 40 conf_load_defaults : main mode 3DES-SHA-DSS +121653.953146 Misc 40 conf_load_defaults : 
main mode 3DES-SHA-RSA_SIG +121653.953265 Misc 40 conf_load_defaults : main mode CAST-MD5 +121653.953340 Misc 40 conf_load_defaults : main mode CAST-MD5-DSS +121653.953406 Misc 40 conf_load_defaults : main mode CAST-MD5-RSA_SIG +121653.953471 Misc 40 conf_load_defaults : main mode CAST-SHA +121653.953536 Misc 40 conf_load_defaults : main mode CAST-SHA-DSS +121653.953602 Misc 40 conf_load_defaults : main mode CAST-SHA-RSA_SIG +121653.953719 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-MD5-SUITE +121653.953804 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SHA-SUITE +121653.953883 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-RIPEMD-SUITE +121653.954019 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SUITE +121653.954105 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-MD5-PFS-SUITE +121653.954189 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SHA-PFS-SUITE +121653.954273 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-RIPEMD-PFS-SUITE +121653.987548 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-PFS-SUITE +121653.987633 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-MD5-SUITE +121653.987714 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SHA-SUITE +121653.987896 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-RIPEMD-SUITE +121653.987988 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SUITE +121653.988122 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-MD5-PFS-SUITE +121653.988216 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SHA-PFS-SUITE +121653.988300 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-RIPEMD-PFS-SUITE +121653.988385 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-PFS-SUITE +121653.988460 Misc 40 conf_load_defaults : quick mode QM-AH-DES-MD5-SUITE +121653.988536 Misc 40 conf_load_defaults : quick mode QM-AH-DES-SHA-SUITE +121653.988615 Misc 40 conf_load_defaults : quick mode QM-AH-DES-RIPEMD-SUITE +121653.988695 Misc 40 conf_load_defaults : quick mode 
QM-AH-DES-MD5-PFS-SUITE +121654.089665 Misc 40 conf_load_defaults : quick mode QM-AH-DES-SHA-PFS-SUITE +121654.089823 Misc 40 conf_load_defaults : quick mode QM-AH-DES-RIPEMD-PFS-SUITE +121654.089975 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-MD5-SUITE +121654.090069 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-SHA-SUITE +121654.090152 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-RIPEMD-SUITE +121654.090233 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-MD5-PFS-SUITE +121654.090317 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-SHA-PFS-SUITE +121654.090403 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-RIPEMD-PFS-SUITE +121654.090487 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-MD5-SUITE +121654.090629 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SHA-SUITE +121654.090719 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-RIPEMD-SUITE +121654.090799 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SUITE +121654.184462 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-MD5-PFS-SUITE +121654.184615 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SHA-PFS-SUITE +121654.184766 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-RIPEMD-PFS-SUITE +121654.184860 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-PFS-SUITE +121654.184936 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-MD5-SUITE +121654.185016 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SHA-SUITE +121654.185179 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-RIPEMD-SUITE +121654.185268 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SUITE +121654.185344 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-MD5-PFS-SUITE +121654.185428 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SHA-PFS-SUITE +121654.185514 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE +121654.185598 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-PFS-SUITE +121654.185673 Misc 40 
conf_load_defaults : quick mode QM-AH-3DES-MD5-SUITE +121654.303937 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-SHA-SUITE +121654.304088 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-RIPEMD-SUITE +121654.304238 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-MD5-PFS-SUITE +121654.304332 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-SHA-PFS-SUITE +121654.304417 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-RIPEMD-PFS-SUITE +121654.304502 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-MD5-SUITE +121654.304583 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-SHA-SUITE +121654.304663 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-RIPEMD-SUITE +121654.304743 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-MD5-PFS-SUITE +121654.304828 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-SHA-PFS-SUITE +121654.304914 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-RIPEMD-PFS-SUITE +121654.305152 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-MD5-SUITE +121654.305243 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SHA-SUITE +121654.410946 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-RIPEMD-SUITE +121654.411035 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SUITE +121654.411110 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-MD5-PFS-SUITE +121654.411192 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SHA-PFS-SUITE +121654.411276 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-RIPEMD-PFS-SUITE +121654.411360 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-PFS-SUITE +121654.411499 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-MD5-SUITE +121654.411590 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SHA-SUITE +121654.411697 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-RIPEMD-SUITE +121654.411777 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SUITE +121654.411853 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-MD5-PFS-SUITE 
+121654.411998 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SHA-PFS-SUITE +121654.517674 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE +121654.517771 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-PFS-SUITE +121654.517848 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-MD5-SUITE +121654.517993 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-SHA-SUITE +121654.518083 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-RIPEMD-SUITE +121654.518165 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-MD5-PFS-SUITE +121654.518248 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-SHA-PFS-SUITE +121654.518333 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-RIPEMD-PFS-SUITE +121654.518474 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-MD5-SUITE +121654.518564 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-SHA-SUITE +121654.518646 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-RIPEMD-SUITE +121654.518782 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-MD5-PFS-SUITE +121654.518935 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-SHA-PFS-SUITE +121654.635676 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-RIPEMD-PFS-SUITE +121654.635770 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-MD5-SUITE +121654.635854 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SHA-SUITE +121654.635937 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-RIPEMD-SUITE +121654.636019 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SUITE +121654.636097 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-MD5-PFS-SUITE +121654.636185 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SHA-PFS-SUITE +121654.636341 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-RIPEMD-PFS-SUITE +121654.636440 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-PFS-SUITE +121654.636578 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-MD5-SUITE +121654.636672 Misc 40 conf_load_defaults : quick mode 
QM-ESP-TRP-BLF-SHA-SUITE +121654.636757 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-RIPEMD-SUITE +121654.636840 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-SUITE +121654.741126 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-MD5-PFS-SUITE +121654.741228 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-SHA-PFS-SUITE +121654.741430 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE +121654.741531 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-PFS-SUITE +121654.741613 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-MD5-SUITE +121654.741695 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-SHA-SUITE +121654.741778 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-RIPEMD-SUITE +121654.741918 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-MD5-PFS-SUITE +121654.742016 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-SHA-PFS-SUITE +121654.742162 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-RIPEMD-PFS-SUITE +121654.742260 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-MD5-SUITE +121654.742345 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-SHA-SUITE +121654.742429 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-RIPEMD-SUITE +121654.859058 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-MD5-PFS-SUITE +121654.859157 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-SHA-PFS-SUITE +121654.859246 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-RIPEMD-PFS-SUITE +121654.859337 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-MD5-SUITE +121654.859527 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SHA-SUITE +121654.859618 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-RIPEMD-SUITE +121654.859698 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SUITE +121654.859773 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-MD5-PFS-SUITE +121654.859857 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SHA-PFS-SUITE +121654.860000 Misc 40 conf_load_defaults : quick mode 
QM-ESP-AES-RIPEMD-PFS-SUITE +121654.860117 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-PFS-SUITE +121654.860194 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-MD5-SUITE +121654.964532 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SHA-SUITE +121654.964686 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-RIPEMD-SUITE +121654.964776 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SUITE +121654.964852 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-MD5-PFS-SUITE +121654.964938 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SHA-PFS-SUITE +121654.965080 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-RIPEMD-PFS-SUITE +121654.965175 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-PFS-SUITE +121654.965251 Misc 40 conf_load_defaults : quick mode QM-AH-AES-MD5-SUITE +121654.965330 Misc 40 conf_load_defaults : quick mode QM-AH-AES-SHA-SUITE +121654.965409 Misc 40 conf_load_defaults : quick mode QM-AH-AES-RIPEMD-SUITE +121654.965548 Misc 40 conf_load_defaults : quick mode QM-AH-AES-MD5-PFS-SUITE +121654.965642 Misc 40 conf_load_defaults : quick mode QM-AH-AES-SHA-PFS-SUITE +121654.965727 Misc 40 conf_load_defaults : quick mode QM-AH-AES-RIPEMD-PFS-SUITE +121655.078179 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-MD5-SUITE +121655.078269 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-SHA-SUITE +121655.078350 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-RIPEMD-SUITE +121655.078493 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-MD5-PFS-SUITE +121655.078590 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-SHA-PFS-SUITE +121655.078735 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-RIPEMD-PFS-SUITE +121655.078834 Misc 60 conf_get_str: configuration value not found [General]:Retransmits +121655.078884 Misc 70 conf_set: [General]:Retransmits->5 +121655.078934 Misc 60 conf_get_str: configuration value not found [General]:Exchange-max-time +121655.078982 Misc 70 conf_set: 
[General]:Exchange-max-time->120 +121655.079029 Misc 60 conf_get_str: configuration value not found [General]:Listen-on +121655.079076 Misc 70 conf_set: [General]:Listen-on->127.0.0.1 +121655.079122 Misc 60 conf_get_str: configuration value not found [Phase 1]:127.0.0.2 +121655.191404 Misc 70 conf_set: [Phase 1]:127.0.0.2->ISAKMP-peer-gcks +121655.191461 Misc 60 conf_get_str: configuration value not found [Phase 2]:Connections +121655.191509 Misc 70 conf_set: [Phase 2]:Connections->Group-1234 +121655.191555 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Phase +121655.191603 Misc 70 conf_set: [ISAKMP-peer-gcks]:Phase->1 +121655.191649 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Transport +121655.191698 Misc 70 conf_set: [ISAKMP-peer-gcks]:Transport->udp +121655.191745 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Local-address +121655.191794 Misc 70 conf_set: [ISAKMP-peer-gcks]:Local-address->127.0.0.1 +121655.191841 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Address +121655.191889 Misc 70 conf_set: [ISAKMP-peer-gcks]:Address->127.0.0.2 +121655.191937 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Configuration +121655.191986 Misc 70 conf_set: [ISAKMP-peer-gcks]:Configuration->Default-main-mode +121655.304349 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Authentication +121655.304409 Misc 70 conf_set: [ISAKMP-peer-gcks]:Authentication->mekmitasdigoat +121655.304456 Misc 60 conf_get_str: configuration value not found [Group-1234]:Phase +121655.304504 Misc 70 conf_set: [Group-1234]:Phase->2 +121655.304549 Misc 60 conf_get_str: configuration value not found [Group-1234]:ISAKMP-peer +121655.304597 Misc 70 conf_set: [Group-1234]:ISAKMP-peer->ISAKMP-peer-gcks +121655.304644 Misc 60 conf_get_str: configuration value not found [Group-1234]:Configuration +121655.304692 Misc 70 conf_set: 
[Group-1234]:Configuration->Default-group-mode +121655.304740 Misc 60 conf_get_str: configuration value not found [Group-1234]:Group-ID +121655.304787 Misc 70 conf_set: [Group-1234]:Group-ID->Group-1 +121655.304832 Misc 60 conf_get_str: configuration value not found [Group-1]:ID-type +121655.304879 Misc 70 conf_set: [Group-1]:ID-type->KEY_ID +121655.430055 Misc 60 conf_get_str: configuration value not found [Group-1]:Key-value +121655.430113 Misc 70 conf_set: [Group-1]:Key-value->1234 +121655.430160 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:DOI +121655.430208 Misc 70 conf_set: [Default-main-mode]:DOI->GROUP +121655.430255 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:EXCHANGE_TYPE +121655.430303 Misc 70 conf_set: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +121655.430351 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:Transforms +121655.430399 Misc 70 conf_set: [Default-main-mode]:Transforms->3DES-SHA +121655.430445 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:ENCRYPTION_ALGORITHM +121655.430494 Misc 70 conf_set: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121655.430540 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:HASH_ALGORITHM +121655.430587 Misc 70 conf_set: [3DES-SHA]:HASH_ALGORITHM->SHA +121655.430634 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:AUTHENTICATION_METHOD +121655.549657 Misc 70 conf_set: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121655.549716 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_DESCRIPTION +121655.549766 Misc 70 conf_set: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121655.549814 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:Life +121655.549861 Misc 70 conf_set: [3DES-SHA]:Life->LIFE_3600_SECS +121655.549907 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_TYPE +121655.549954 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121655.550000 
Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_DURATION +121655.550201 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121655.550250 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:DOI +121655.550298 Misc 70 conf_set: [Default-group-mode]:DOI->GROUP +121655.550345 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:EXCHANGE_TYPE +121655.688788 Misc 70 conf_set: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +121655.688851 Misc 60 conf_get_str: configuration value not found [X509-certificates]:CA-directory +121655.688900 Misc 70 conf_set: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121655.688947 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Cert-directory +121655.688997 Misc 70 conf_set: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121655.689044 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Private-key +121655.689093 Misc 70 conf_set: [X509-certificates]:Private-key->/etc/isakmpd/private/local.key +121655.689139 Misc 60 conf_get_str: [General]:Retransmits->5 +121655.689184 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121655.689231 Misc 60 conf_get_str: configuration value not found [General]:Policy-file +121655.689280 Misc 70 conf_set: [General]:Policy-file->/etc/isakmpd/isakmpd.policy +121655.689327 Misc 60 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121655.813059 Misc 60 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121655.813117 Misc 60 conf_get_str: [X509-certificates]:Private-key->/etc/isakmpd/private/local.key +121655.813164 Misc 60 conf_get_str: configuration value not found [KeyNote]:Credential-directory +121655.813213 Misc 70 conf_set: [KeyNote]:Credential-directory->/etc/isakmpd/keynote/ +121655.813260 Misc 60 conf_get_str: configuration value not found [LIFE_MAIN_MODE]:LIFE_TYPE +121655.813308 Misc 70 conf_set: 
[LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS +121655.813354 Misc 60 conf_get_str: configuration value not found [LIFE_MAIN_MODE]:LIFE_DURATION +121655.813402 Misc 70 conf_set: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400 +121655.813448 Misc 60 conf_get_str: configuration value not found [LIFE_QUICK_MODE]:LIFE_TYPE +121655.813496 Misc 70 conf_set: [LIFE_QUICK_MODE]:LIFE_TYPE->SECONDS +121655.813542 Misc 60 conf_get_str: configuration value not found [LIFE_QUICK_MODE]:LIFE_DURATION +121655.939549 Misc 70 conf_set: [LIFE_QUICK_MODE]:LIFE_DURATION->1200,60:86400 +121655.939611 Misc 60 conf_get_str: configuration value not found [DES-MD5]:ENCRYPTION_ALGORITHM +121655.939659 Misc 70 conf_set: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC +121655.939706 Misc 60 conf_get_str: configuration value not found [DES-MD5]:HASH_ALGORITHM +121655.939753 Misc 70 conf_set: [DES-MD5]:HASH_ALGORITHM->MD5 +121655.939799 Misc 60 conf_get_str: configuration value not found [DES-MD5]:AUTHENTICATION_METHOD +121655.939848 Misc 70 conf_set: [DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121655.939894 Misc 60 conf_get_str: configuration value not found [DES-MD5]:GROUP_DESCRIPTION +121655.939942 Misc 70 conf_set: [DES-MD5]:GROUP_DESCRIPTION->MODP_768 +121655.939989 Misc 60 conf_get_str: configuration value not found [DES-MD5]:Life +121655.940041 Misc 70 conf_set: [DES-MD5]:Life->LIFE_MAIN_MODE +121655.940088 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:ENCRYPTION_ALGORITHM +121655.940137 Misc 70 conf_set: [DES-MD5-DSS]:ENCRYPTION_ALGORITHM->DES_CBC +121656.059144 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:HASH_ALGORITHM +121656.059204 Misc 70 conf_set: [DES-MD5-DSS]:HASH_ALGORITHM->MD5 +121656.059251 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:AUTHENTICATION_METHOD +121656.059302 Misc 70 conf_set: [DES-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121656.059349 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:GROUP_DESCRIPTION 
+121656.059398 Misc 70 conf_set: [DES-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121656.059445 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:Life +121656.059493 Misc 70 conf_set: [DES-MD5-DSS]:Life->LIFE_MAIN_MODE +121656.059538 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121656.059588 Misc 70 conf_set: [DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->DES_CBC +121656.059637 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:HASH_ALGORITHM +121656.203167 Misc 70 conf_set: [DES-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121656.203227 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121656.203278 Misc 70 conf_set: [DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121656.203326 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:GROUP_DESCRIPTION +121656.203376 Misc 70 conf_set: [DES-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121656.203424 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:Life +121656.203472 Misc 70 conf_set: [DES-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121656.203518 Misc 60 conf_get_str: configuration value not found [DES-SHA]:ENCRYPTION_ALGORITHM +121656.203566 Misc 70 conf_set: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC +121656.203612 Misc 60 conf_get_str: configuration value not found [DES-SHA]:HASH_ALGORITHM +121656.203660 Misc 70 conf_set: [DES-SHA]:HASH_ALGORITHM->SHA +121656.203706 Misc 60 conf_get_str: configuration value not found [DES-SHA]:AUTHENTICATION_METHOD +121656.316511 Misc 70 conf_set: [DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121656.316573 Misc 60 conf_get_str: configuration value not found [DES-SHA]:GROUP_DESCRIPTION +121656.316621 Misc 70 conf_set: [DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121656.316668 Misc 60 conf_get_str: configuration value not found [DES-SHA]:Life +121656.316715 Misc 70 conf_set: [DES-SHA]:Life->LIFE_MAIN_MODE +121656.316761 Misc 60 conf_get_str: configuration value not 
found [DES-SHA-DSS]:ENCRYPTION_ALGORITHM +121656.316810 Misc 70 conf_set: [DES-SHA-DSS]:ENCRYPTION_ALGORITHM->DES_CBC +121656.316857 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:HASH_ALGORITHM +121656.316905 Misc 70 conf_set: [DES-SHA-DSS]:HASH_ALGORITHM->SHA +121656.316951 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:AUTHENTICATION_METHOD +121656.317001 Misc 70 conf_set: [DES-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121656.317048 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:GROUP_DESCRIPTION +121656.317096 Misc 70 conf_set: [DES-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121656.435859 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:Life +121656.435919 Misc 70 conf_set: [DES-SHA-DSS]:Life->LIFE_MAIN_MODE +121656.435965 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121656.436016 Misc 70 conf_set: [DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->DES_CBC +121656.436064 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:HASH_ALGORITHM +121656.436112 Misc 70 conf_set: [DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121656.436159 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121656.436209 Misc 70 conf_set: [DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121656.436257 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:GROUP_DESCRIPTION +121656.436307 Misc 70 conf_set: [DES-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121656.436354 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:Life +121656.555593 Misc 70 conf_set: [DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121656.555649 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:ENCRYPTION_ALGORITHM +121656.555697 Misc 70 conf_set: [BLF-MD5]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121656.555744 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:KEY_LENGTH +121656.555792 Misc 70 conf_set: 
[BLF-MD5]:KEY_LENGTH->128,96:192 +121656.555839 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:HASH_ALGORITHM +121656.555886 Misc 70 conf_set: [BLF-MD5]:HASH_ALGORITHM->MD5 +121656.555932 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:AUTHENTICATION_METHOD +121656.555981 Misc 70 conf_set: [BLF-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121656.556028 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:GROUP_DESCRIPTION +121656.556076 Misc 70 conf_set: [BLF-MD5]:GROUP_DESCRIPTION->MODP_768 +121656.556124 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:Life +121656.556171 Misc 70 conf_set: [BLF-MD5]:Life->LIFE_MAIN_MODE +121656.669272 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:ENCRYPTION_ALGORITHM +121656.669334 Misc 70 conf_set: [BLF-MD5-DSS]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121656.669408 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:KEY_LENGTH +121656.669457 Misc 70 conf_set: [BLF-MD5-DSS]:KEY_LENGTH->128,96:192 +121656.669504 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:HASH_ALGORITHM +121656.669552 Misc 70 conf_set: [BLF-MD5-DSS]:HASH_ALGORITHM->MD5 +121656.669599 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:AUTHENTICATION_METHOD +121656.669649 Misc 70 conf_set: [BLF-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121656.669697 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:GROUP_DESCRIPTION +121656.669745 Misc 70 conf_set: [BLF-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121656.669793 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:Life +121656.669841 Misc 70 conf_set: [BLF-MD5-DSS]:Life->LIFE_MAIN_MODE +121656.789266 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121656.789327 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121656.789377 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:KEY_LENGTH +121656.789426 Misc 
70 conf_set: [BLF-MD5-RSA_SIG]:KEY_LENGTH->128,96:192 +121656.789473 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:HASH_ALGORITHM +121656.789521 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121656.789568 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121656.789618 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121656.789667 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:GROUP_DESCRIPTION +121656.789717 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121656.789766 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:Life +121656.908836 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121656.908895 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:ENCRYPTION_ALGORITHM +121656.908944 Misc 70 conf_set: [BLF-SHA]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121656.908992 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:KEY_LENGTH +121656.909039 Misc 70 conf_set: [BLF-SHA]:KEY_LENGTH->128,96:192 +121656.909086 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:HASH_ALGORITHM +121656.909205 Misc 70 conf_set: [BLF-SHA]:HASH_ALGORITHM->SHA +121656.909263 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:AUTHENTICATION_METHOD +121656.909312 Misc 70 conf_set: [BLF-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121656.909359 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:GROUP_DESCRIPTION +121656.909407 Misc 70 conf_set: [BLF-SHA]:GROUP_DESCRIPTION->MODP_1024 +121656.909455 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:Life +121656.909502 Misc 70 conf_set: [BLF-SHA]:Life->LIFE_MAIN_MODE +121657.029437 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:ENCRYPTION_ALGORITHM +121657.029499 Misc 70 conf_set: [BLF-SHA-DSS]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121657.029547 Misc 60 conf_get_str: configuration value not found 
[BLF-SHA-DSS]:KEY_LENGTH +121657.029596 Misc 70 conf_set: [BLF-SHA-DSS]:KEY_LENGTH->128,96:192 +121657.029642 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:HASH_ALGORITHM +121657.029690 Misc 70 conf_set: [BLF-SHA-DSS]:HASH_ALGORITHM->SHA +121657.029737 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:AUTHENTICATION_METHOD +121657.029787 Misc 70 conf_set: [BLF-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121657.029835 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:GROUP_DESCRIPTION +121657.029883 Misc 70 conf_set: [BLF-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121657.029931 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:Life +121657.029979 Misc 70 conf_set: [BLF-SHA-DSS]:Life->LIFE_MAIN_MODE +121657.147821 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121657.147883 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121657.147933 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:KEY_LENGTH +121657.147982 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:KEY_LENGTH->128,96:192 +121657.148029 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:HASH_ALGORITHM +121657.148077 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121657.148124 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121657.148174 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121657.148223 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:GROUP_DESCRIPTION +121657.148273 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121657.148321 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:Life +121657.148369 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121657.273462 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:ENCRYPTION_ALGORITHM +121657.273522 Misc 70 conf_set: 
[3DES-MD5]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.273570 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:HASH_ALGORITHM +121657.273618 Misc 70 conf_set: [3DES-MD5]:HASH_ALGORITHM->MD5 +121657.273665 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:AUTHENTICATION_METHOD +121657.273713 Misc 70 conf_set: [3DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121657.273760 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:GROUP_DESCRIPTION +121657.273808 Misc 70 conf_set: [3DES-MD5]:GROUP_DESCRIPTION->MODP_768 +121657.273855 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:Life +121657.273903 Misc 70 conf_set: [3DES-MD5]:Life->LIFE_MAIN_MODE +121657.273949 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:ENCRYPTION_ALGORITHM +121657.273998 Misc 70 conf_set: [3DES-MD5-DSS]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.386912 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:HASH_ALGORITHM +121657.386971 Misc 70 conf_set: [3DES-MD5-DSS]:HASH_ALGORITHM->MD5 +121657.387019 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:AUTHENTICATION_METHOD +121657.387070 Misc 70 conf_set: [3DES-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121657.387117 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:GROUP_DESCRIPTION +121657.387166 Misc 70 conf_set: [3DES-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121657.387213 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:Life +121657.387261 Misc 70 conf_set: [3DES-MD5-DSS]:Life->LIFE_MAIN_MODE +121657.387307 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121657.387358 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.387405 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:HASH_ALGORITHM +121657.387453 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121657.505135 Misc 60 conf_get_str: configuration value not found 
[3DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121657.505197 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121657.505247 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:GROUP_DESCRIPTION +121657.505323 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121657.505373 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:Life +121657.505422 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121657.505471 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.505517 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +121657.505562 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121657.505610 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121657.505656 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121657.505702 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:ENCRYPTION_ALGORITHM +121657.637872 Misc 70 conf_set: [3DES-SHA-DSS]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.637932 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:HASH_ALGORITHM +121657.637981 Misc 70 conf_set: [3DES-SHA-DSS]:HASH_ALGORITHM->SHA +121657.638027 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:AUTHENTICATION_METHOD +121657.638077 Misc 70 conf_set: [3DES-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121657.638150 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:GROUP_DESCRIPTION +121657.638198 Misc 70 conf_set: [3DES-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121657.638246 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:Life +121657.638294 Misc 70 conf_set: [3DES-SHA-DSS]:Life->LIFE_MAIN_MODE +121657.638339 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121657.638390 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC +121657.638436 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:HASH_ALGORITHM 
+121657.757241 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121657.757301 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121657.757352 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121657.757400 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:GROUP_DESCRIPTION +121657.757450 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121657.757499 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:Life +121657.757548 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121657.757594 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:ENCRYPTION_ALGORITHM +121657.757642 Misc 70 conf_set: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC +121657.757689 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:HASH_ALGORITHM +121657.757737 Misc 70 conf_set: [CAST-MD5]:HASH_ALGORITHM->MD5 +121657.757783 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:AUTHENTICATION_METHOD +121657.869930 Misc 70 conf_set: [CAST-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121657.869990 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:GROUP_DESCRIPTION +121657.870043 Misc 70 conf_set: [CAST-MD5]:GROUP_DESCRIPTION->MODP_768 +121657.870094 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:Life +121657.870141 Misc 70 conf_set: [CAST-MD5]:Life->LIFE_MAIN_MODE +121657.870187 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:ENCRYPTION_ALGORITHM +121657.870237 Misc 70 conf_set: [CAST-MD5-DSS]:ENCRYPTION_ALGORITHM->CAST_CBC +121657.870284 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:HASH_ALGORITHM +121657.870331 Misc 70 conf_set: [CAST-MD5-DSS]:HASH_ALGORITHM->MD5 +121657.870377 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:AUTHENTICATION_METHOD +121657.870427 Misc 70 conf_set: [CAST-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121657.870474 Misc 60 conf_get_str: 
configuration value not found [CAST-MD5-DSS]:GROUP_DESCRIPTION +121657.983746 Misc 70 conf_set: [CAST-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121657.983805 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:Life +121657.983853 Misc 70 conf_set: [CAST-MD5-DSS]:Life->LIFE_MAIN_MODE +121657.983900 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121657.983950 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->CAST_CBC +121657.983997 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:HASH_ALGORITHM +121657.984045 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121657.984092 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121657.984143 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121657.984191 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:GROUP_DESCRIPTION +121657.984241 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121658.115517 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:Life +121658.115577 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121658.115625 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:ENCRYPTION_ALGORITHM +121658.115673 Misc 70 conf_set: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC +121658.115719 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:HASH_ALGORITHM +121658.115767 Misc 70 conf_set: [CAST-SHA]:HASH_ALGORITHM->SHA +121658.115814 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:AUTHENTICATION_METHOD +121658.115862 Misc 70 conf_set: [CAST-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121658.115910 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:GROUP_DESCRIPTION +121658.115958 Misc 70 conf_set: [CAST-SHA]:GROUP_DESCRIPTION->MODP_1024 +121658.116006 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:Life +121658.116053 Misc 70 conf_set: 
[CAST-SHA]:Life->LIFE_MAIN_MODE +121658.116099 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:ENCRYPTION_ALGORITHM +121658.235154 Misc 70 conf_set: [CAST-SHA-DSS]:ENCRYPTION_ALGORITHM->CAST_CBC +121658.235212 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:HASH_ALGORITHM +121658.235261 Misc 70 conf_set: [CAST-SHA-DSS]:HASH_ALGORITHM->SHA +121658.235308 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:AUTHENTICATION_METHOD +121658.235358 Misc 70 conf_set: [CAST-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121658.235405 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:GROUP_DESCRIPTION +121658.235454 Misc 70 conf_set: [CAST-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121658.235502 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:Life +121658.235550 Misc 70 conf_set: [CAST-SHA-DSS]:Life->LIFE_MAIN_MODE +121658.235595 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121658.235646 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->CAST_CBC +121658.366917 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:HASH_ALGORITHM +121658.366977 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121658.367025 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121658.367076 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121658.367124 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:GROUP_DESCRIPTION +121658.367175 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121658.367223 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:Life +121658.367272 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121658.367319 Misc 60 conf_get_str: configuration value not found [Phase 1]:Default +121658.367366 Misc 70 conf_set: [Phase 1]:Default->Default-phase-1 +121658.367412 Misc 60 conf_get_str: configuration 
value not found [Default-phase-1]:Phase +121658.367460 Misc 70 conf_set: [Default-phase-1]:Phase->1 +121658.480429 Misc 60 conf_get_str: configuration value not found [Default-phase-1]:Configuration +121658.480490 Misc 70 conf_set: [Default-phase-1]:Configuration->Default-phase-1-configuration +121658.480538 Misc 60 conf_get_str: configuration value not found [Default-phase-1-configuration]:EXCHANGE_TYPE +121658.480590 Misc 70 conf_set: [Default-phase-1-configuration]:EXCHANGE_TYPE->ID_PROT +121658.480638 Misc 60 conf_get_str: configuration value not found [Default-phase-1-configuration]:Transforms +121658.480690 Misc 70 conf_set: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG +121658.480737 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-SUITE]:Protocols +121658.480785 Misc 70 conf_set: [QM-ESP-DES-MD5-SUITE]:Protocols->QM-ESP-DES-MD5 +121658.480832 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5]:PROTOCOL_ID +121658.480880 Misc 70 conf_set: [QM-ESP-DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121658.480926 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5]:Transforms +121658.605463 Misc 70 conf_set: [QM-ESP-DES-MD5]:Transforms->QM-ESP-DES-MD5-XF +121658.605522 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:TRANSFORM_ID +121658.605571 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:TRANSFORM_ID->DES +121658.605618 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:ENCAPSULATION_MODE +121658.605669 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121658.605718 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121658.605768 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121658.605816 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:Life +121658.605865 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121658.605911 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-DES-SHA-SUITE]:Protocols +121658.605959 Misc 70 conf_set: [QM-ESP-DES-SHA-SUITE]:Protocols->QM-ESP-DES-SHA +121658.730417 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA]:PROTOCOL_ID +121658.730479 Misc 70 conf_set: [QM-ESP-DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121658.730527 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA]:Transforms +121658.730576 Misc 70 conf_set: [QM-ESP-DES-SHA]:Transforms->QM-ESP-DES-SHA-XF +121658.730623 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:TRANSFORM_ID +121658.730671 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:TRANSFORM_ID->DES +121658.730718 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:ENCAPSULATION_MODE +121658.730769 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121658.730818 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121658.730868 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121658.730917 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:Life +121658.730965 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121658.861404 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-SUITE]:Protocols +121658.861471 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-SUITE]:Protocols->QM-ESP-DES-RIPEMD +121658.861519 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD]:PROTOCOL_ID +121658.861568 Misc 70 conf_set: [QM-ESP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121658.861615 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD]:Transforms +121658.861664 Misc 70 conf_set: [QM-ESP-DES-RIPEMD]:Transforms->QM-ESP-DES-RIPEMD-XF +121658.861714 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:TRANSFORM_ID +121658.861765 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121658.861813 Misc 60 conf_get_str: configuration value 
not found [QM-ESP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121658.861864 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121658.861913 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121658.981230 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121658.981291 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:Life +121658.981340 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121658.981388 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SUITE]:Protocols +121658.981436 Misc 70 conf_set: [QM-ESP-DES-SUITE]:Protocols->QM-ESP-DES +121658.981482 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES]:PROTOCOL_ID +121658.981529 Misc 70 conf_set: [QM-ESP-DES]:PROTOCOL_ID->IPSEC_ESP +121658.981575 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES]:Transforms +121658.981623 Misc 70 conf_set: [QM-ESP-DES]:Transforms->QM-ESP-DES-XF +121658.981669 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:TRANSFORM_ID +121658.981716 Misc 70 conf_set: [QM-ESP-DES-XF]:TRANSFORM_ID->DES +121658.981763 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:ENCAPSULATION_MODE +121659.101281 Misc 70 conf_set: [QM-ESP-DES-XF]:ENCAPSULATION_MODE->TUNNEL +121659.101341 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:Life +121659.101389 Misc 70 conf_set: [QM-ESP-DES-XF]:Life->LIFE_QUICK_MODE +121659.101437 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-SUITE]:Protocols +121659.101487 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-SUITE]:Protocols->QM-ESP-DES-MD5-PFS +121659.101534 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS]:PROTOCOL_ID +121659.101582 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121659.101629 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS]:Transforms +121659.101678 
Misc 70 conf_set: [QM-ESP-DES-MD5-PFS]:Transforms->QM-ESP-DES-MD5-PFS-XF +121659.101725 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:TRANSFORM_ID +121659.101775 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121659.227295 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121659.227357 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121659.227406 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121659.227457 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121659.227506 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121659.227557 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121659.227606 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:Life +121659.227656 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121659.227702 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-SUITE]:Protocols +121659.227753 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-SUITE]:Protocols->QM-ESP-DES-SHA-PFS +121659.227800 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS]:PROTOCOL_ID +121659.358766 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121659.358825 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS]:Transforms +121659.358875 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS]:Transforms->QM-ESP-DES-SHA-PFS-XF +121659.358923 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:TRANSFORM_ID +121659.358974 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121659.359023 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121659.359073 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121659.359122 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121659.359173 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121659.359223 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121659.359273 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121659.484029 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:Life +121659.484089 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121659.484137 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-SUITE]:Protocols +121659.484188 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-DES-RIPEMD-PFS +121659.484236 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS]:PROTOCOL_ID +121659.484286 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121659.484333 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS]:Transforms +121659.484384 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS]:Transforms->QM-ESP-DES-RIPEMD-PFS-XF +121659.484432 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121659.484481 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121659.484529 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121659.610104 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121659.610166 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121659.610218 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121659.610267 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121659.610318 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121659.610367 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-DES-RIPEMD-PFS-XF]:Life +121659.610416 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121659.610462 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-SUITE]:Protocols +121659.610511 Misc 70 conf_set: [QM-ESP-DES-PFS-SUITE]:Protocols->QM-ESP-DES-PFS +121659.610557 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS]:PROTOCOL_ID +121659.740973 Misc 70 conf_set: [QM-ESP-DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121659.741032 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS]:Transforms +121659.741081 Misc 70 conf_set: [QM-ESP-DES-PFS]:Transforms->QM-ESP-DES-PFS-XF +121659.741128 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:TRANSFORM_ID +121659.741179 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:TRANSFORM_ID->DES +121659.741226 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:ENCAPSULATION_MODE +121659.741276 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121659.741325 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:Life +121659.741373 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:Life->LIFE_QUICK_MODE +121659.741421 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-SUITE]:Protocols +121659.741472 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-SUITE]:Protocols->QM-ESP-TRP-DES-MD5 +121659.741521 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5]:PROTOCOL_ID +121659.867405 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121659.867465 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5]:Transforms +121659.867515 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5]:Transforms->QM-ESP-TRP-DES-MD5-XF +121659.867564 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:TRANSFORM_ID +121659.867614 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:TRANSFORM_ID->DES +121659.867663 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-DES-MD5-XF]:ENCAPSULATION_MODE +121659.867714 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121659.867762 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121659.867813 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121659.867863 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:Life +121659.867912 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121659.993483 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-SUITE]:Protocols +121659.993545 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-SUITE]:Protocols->QM-ESP-TRP-DES-SHA +121659.993593 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA]:PROTOCOL_ID +121659.993642 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121659.993689 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA]:Transforms +121659.993738 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA]:Transforms->QM-ESP-TRP-DES-SHA-XF +121659.993785 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:TRANSFORM_ID +121659.993835 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:TRANSFORM_ID->DES +121659.993883 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:ENCAPSULATION_MODE +121659.993934 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121659.993982 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121700.113390 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121700.113452 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:Life +121700.113501 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121700.113548 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-SUITE]:Protocols +121700.113599 Misc 70 conf_set: 
[QM-ESP-TRP-DES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-DES-RIPEMD +121700.113646 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD]:PROTOCOL_ID +121700.113696 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121700.113743 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD]:Transforms +121700.113794 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD]:Transforms->QM-ESP-TRP-DES-RIPEMD-XF +121700.113841 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:TRANSFORM_ID +121700.238466 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121700.238526 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121700.238578 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121700.238627 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121700.238678 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121700.238727 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:Life +121700.238776 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121700.238823 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SUITE]:Protocols +121700.238871 Misc 70 conf_set: [QM-ESP-TRP-DES-SUITE]:Protocols->QM-ESP-TRP-DES +121700.238919 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES]:PROTOCOL_ID +121700.238967 Misc 70 conf_set: [QM-ESP-TRP-DES]:PROTOCOL_ID->IPSEC_ESP +121700.363817 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES]:Transforms +121700.363877 Misc 70 conf_set: [QM-ESP-TRP-DES]:Transforms->QM-ESP-TRP-DES-XF +121700.363927 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-XF]:TRANSFORM_ID +121700.363976 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:TRANSFORM_ID->DES +121700.364025 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-DES-XF]:ENCAPSULATION_MODE +121700.364076 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:ENCAPSULATION_MODE->TRANSPORT +121700.364125 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-XF]:Life +121700.364173 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:Life->LIFE_QUICK_MODE +121700.364221 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-SUITE]:Protocols +121700.364272 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-MD5-PFS +121700.364321 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS]:PROTOCOL_ID +121700.496291 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121700.496352 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS]:Transforms +121700.496403 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS]:Transforms->QM-ESP-TRP-DES-MD5-PFS-XF +121700.496453 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID +121700.496503 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121700.496550 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121700.496601 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121700.496650 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121700.496701 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121700.496750 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121700.622610 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121700.622674 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:Life +121700.622724 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121700.622771 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-SUITE]:Protocols +121700.622822 Misc 
70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-SHA-PFS +121700.622871 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS]:PROTOCOL_ID +121700.622921 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121700.622969 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS]:Transforms +121700.623019 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS]:Transforms->QM-ESP-TRP-DES-SHA-PFS-XF +121700.623066 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID +121700.623116 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121700.741982 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121700.742044 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121700.742094 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121700.742145 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121700.742194 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121700.742245 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121700.742294 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:Life +121700.742343 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121700.742390 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-SUITE]:Protocols +121700.742441 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-RIPEMD-PFS +121700.861624 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID +121700.861689 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121700.861737 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS]:Transforms +121700.861789 Misc 70 
conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-DES-RIPEMD-PFS-XF +121700.861839 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121700.861889 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121700.861937 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121700.861989 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121700.862037 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121700.862089 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121700.999947 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121701.000015 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121701.000068 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:Life +121701.000119 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121701.000167 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-SUITE]:Protocols +121701.000217 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-PFS +121701.000263 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS]:PROTOCOL_ID +121701.000311 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121701.000357 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS]:Transforms +121701.000406 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS]:Transforms->QM-ESP-TRP-DES-PFS-XF +121701.000452 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:TRANSFORM_ID +121701.125800 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-XF]:TRANSFORM_ID->DES +121701.125859 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:ENCAPSULATION_MODE +121701.125911 Misc 70 conf_set: 
[QM-ESP-TRP-DES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121701.125959 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:Life +121701.126008 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-XF]:Life->LIFE_QUICK_MODE +121701.126056 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-SUITE]:Protocols +121701.126104 Misc 70 conf_set: [QM-AH-DES-MD5-SUITE]:Protocols->QM-AH-DES-MD5 +121701.126153 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5]:PROTOCOL_ID +121701.126201 Misc 70 conf_set: [QM-AH-DES-MD5]:PROTOCOL_ID->IPSEC_AH +121701.126248 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5]:Transforms +121701.126297 Misc 70 conf_set: [QM-AH-DES-MD5]:Transforms->QM-AH-DES-MD5-XF +121701.252009 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:TRANSFORM_ID +121701.252070 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:TRANSFORM_ID->DES +121701.252119 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:ENCAPSULATION_MODE +121701.252169 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121701.252218 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121701.252268 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121701.252317 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:Life +121701.252365 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121701.252412 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-SUITE]:Protocols +121701.252460 Misc 70 conf_set: [QM-AH-DES-SHA-SUITE]:Protocols->QM-AH-DES-SHA +121701.252506 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA]:PROTOCOL_ID +121701.252554 Misc 70 conf_set: [QM-AH-DES-SHA]:PROTOCOL_ID->IPSEC_AH +121701.384526 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA]:Transforms +121701.384586 Misc 70 conf_set: [QM-AH-DES-SHA]:Transforms->QM-AH-DES-SHA-XF +121701.384633 Misc 
60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:TRANSFORM_ID +121701.384681 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:TRANSFORM_ID->DES +121701.384728 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:ENCAPSULATION_MODE +121701.384778 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121701.384825 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121701.384875 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121701.384923 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:Life +121701.384971 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121701.385018 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-SUITE]:Protocols +121701.509369 Misc 70 conf_set: [QM-AH-DES-RIPEMD-SUITE]:Protocols->QM-AH-DES-RIPEMD +121701.509429 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD]:PROTOCOL_ID +121701.509478 Misc 70 conf_set: [QM-AH-DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121701.509525 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD]:Transforms +121701.509573 Misc 70 conf_set: [QM-AH-DES-RIPEMD]:Transforms->QM-AH-DES-RIPEMD-XF +121701.509622 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:TRANSFORM_ID +121701.509672 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121701.509719 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121701.509770 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121701.509818 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121701.509870 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121701.509919 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:Life +121701.629234 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121701.629296 Misc 
60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-SUITE]:Protocols +121701.629347 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-SUITE]:Protocols->QM-AH-DES-MD5-PFS +121701.629396 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS]:PROTOCOL_ID +121701.629444 Misc 70 conf_set: [QM-AH-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121701.629491 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS]:Transforms +121701.629539 Misc 70 conf_set: [QM-AH-DES-MD5-PFS]:Transforms->QM-AH-DES-MD5-PFS-XF +121701.629586 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:TRANSFORM_ID +121701.629635 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121701.629682 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121701.629733 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121701.749061 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121701.749124 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121701.749173 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121701.749224 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121701.749273 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:Life +121701.749322 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121701.749369 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-SUITE]:Protocols +121701.749419 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-SUITE]:Protocols->QM-AH-DES-SHA-PFS +121701.749466 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS]:PROTOCOL_ID +121701.749514 Misc 70 conf_set: [QM-AH-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121701.749564 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS]:Transforms +121701.874760 Misc 70 conf_set: 
[QM-AH-DES-SHA-PFS]:Transforms->QM-AH-DES-SHA-PFS-XF +121701.874820 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:TRANSFORM_ID +121701.874871 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121701.874919 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121701.874969 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121701.875017 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121701.875068 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121701.875116 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121701.875166 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121701.875215 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:Life +121701.875263 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121702.006900 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-SUITE]:Protocols +121702.006962 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-DES-RIPEMD-PFS +121702.007012 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS]:PROTOCOL_ID +121702.007062 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121702.007109 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS]:Transforms +121702.007158 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS]:Transforms->QM-AH-DES-RIPEMD-PFS-XF +121702.007205 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121702.007256 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121702.007304 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121702.007355 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121702.138125 Misc 60 conf_get_str: configuration 
value not found [QM-AH-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121702.138188 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121702.138238 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121702.138289 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121702.138338 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:Life +121702.138387 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121702.138434 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-SUITE]:Protocols +121702.138485 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-SUITE]:Protocols->QM-AH-TRP-DES-MD5 +121702.138534 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5]:PROTOCOL_ID +121702.138582 Misc 70 conf_set: [QM-AH-TRP-DES-MD5]:PROTOCOL_ID->IPSEC_AH +121702.138629 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5]:Transforms +121702.264123 Misc 70 conf_set: [QM-AH-TRP-DES-MD5]:Transforms->QM-AH-TRP-DES-MD5-XF +121702.264181 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:TRANSFORM_ID +121702.264232 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:TRANSFORM_ID->DES +121702.264279 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:ENCAPSULATION_MODE +121702.264330 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121702.264379 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121702.264430 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121702.264478 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:Life +121702.264528 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121702.264574 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-SUITE]:Protocols +121702.264625 Misc 70 conf_set: 
[QM-AH-TRP-DES-SHA-SUITE]:Protocols->QM-AH-TRP-DES-SHA +121702.396026 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA]:PROTOCOL_ID +121702.396086 Misc 70 conf_set: [QM-AH-TRP-DES-SHA]:PROTOCOL_ID->IPSEC_AH +121702.396135 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA]:Transforms +121702.396184 Misc 70 conf_set: [QM-AH-TRP-DES-SHA]:Transforms->QM-AH-TRP-DES-SHA-XF +121702.396231 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:TRANSFORM_ID +121702.396281 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:TRANSFORM_ID->DES +121702.396329 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:ENCAPSULATION_MODE +121702.396380 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121702.396428 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121702.396479 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121702.396528 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:Life +121702.527880 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121702.527938 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-SUITE]:Protocols +121702.527989 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-DES-RIPEMD +121702.528038 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD]:PROTOCOL_ID +121702.528087 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121702.528136 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD]:Transforms +121702.528185 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD]:Transforms->QM-AH-TRP-DES-RIPEMD-XF +121702.528232 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:TRANSFORM_ID +121702.528282 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121702.528331 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121702.528381 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121702.660059 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121702.660123 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121702.660173 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:Life +121702.660222 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121702.660269 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-SUITE]:Protocols +121702.660320 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-DES-MD5-PFS +121702.660367 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS]:PROTOCOL_ID +121702.660417 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121702.660464 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS]:Transforms +121702.660517 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS]:Transforms->QM-AH-TRP-DES-MD5-PFS-XF +121702.785543 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID +121702.785605 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121702.785654 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121702.785705 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121702.785754 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121702.785805 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121702.785854 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121702.785905 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121702.785954 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-DES-MD5-PFS-XF]:Life +121702.786003 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121702.786050 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-SUITE]:Protocols +121702.910958 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-DES-SHA-PFS +121702.911019 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS]:PROTOCOL_ID +121702.911070 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121702.911119 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS]:Transforms +121702.911170 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS]:Transforms->QM-AH-TRP-DES-SHA-PFS-XF +121702.911221 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID +121702.911271 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121702.911319 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121702.911370 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121702.911446 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121703.036758 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121703.036820 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121703.036872 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121703.036923 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:Life +121703.036972 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121703.037019 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-SUITE]:Protocols +121703.037070 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-DES-RIPEMD-PFS +121703.037119 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID 
+121703.037169 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121703.037218 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS]:Transforms +121703.037269 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS]:Transforms->QM-AH-TRP-DES-RIPEMD-PFS-XF +121703.162036 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121703.162098 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121703.162147 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121703.162198 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121703.162247 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121703.162299 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121703.162349 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121703.162400 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121703.162449 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:Life +121703.162500 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121703.282216 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-SUITE]:Protocols +121703.282278 Misc 70 conf_set: [QM-ESP-3DES-MD5-SUITE]:Protocols->QM-ESP-3DES-MD5 +121703.282325 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5]:PROTOCOL_ID +121703.282373 Misc 70 conf_set: [QM-ESP-3DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121703.282420 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5]:Transforms +121703.282469 Misc 70 conf_set: [QM-ESP-3DES-MD5]:Transforms->QM-ESP-3DES-MD5-XF +121703.282517 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:TRANSFORM_ID +121703.282565 Misc 70 conf_set: 
[QM-ESP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121703.282613 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:ENCAPSULATION_MODE +121703.282663 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121703.282715 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121703.413389 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121703.413451 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:Life +121703.413500 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121703.413548 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-SUITE]:Protocols +121703.413597 Misc 70 conf_set: [QM-ESP-3DES-SHA-SUITE]:Protocols->QM-ESP-3DES-SHA +121703.413644 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA]:PROTOCOL_ID +121703.413692 Misc 70 conf_set: [QM-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121703.413739 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA]:Transforms +121703.413788 Misc 70 conf_set: [QM-ESP-3DES-SHA]:Transforms->QM-ESP-3DES-SHA-XF +121703.413837 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:TRANSFORM_ID +121703.413885 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121703.533246 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE +121703.533308 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121703.533358 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121703.533409 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121703.533458 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:Life +121703.533507 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121703.533554 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-SUITE]:Protocols +121703.533604 Misc 70 
conf_set: [QM-ESP-3DES-RIPEMD-SUITE]:Protocols->QM-ESP-3DES-RIPEMD +121703.533655 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD]:PROTOCOL_ID +121703.533704 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121703.533753 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD]:Transforms +121703.665881 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD]:Transforms->QM-ESP-3DES-RIPEMD-XF +121703.665944 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:TRANSFORM_ID +121703.665995 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121703.666045 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121703.666096 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121703.666144 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121703.666196 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121703.666245 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:Life +121703.666294 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121703.666342 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SUITE]:Protocols +121703.666390 Misc 70 conf_set: [QM-ESP-3DES-SUITE]:Protocols->QM-ESP-3DES +121703.791051 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES]:PROTOCOL_ID +121703.791110 Misc 70 conf_set: [QM-ESP-3DES]:PROTOCOL_ID->IPSEC_ESP +121703.791159 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES]:Transforms +121703.791207 Misc 70 conf_set: [QM-ESP-3DES]:Transforms->QM-ESP-3DES-XF +121703.791254 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:TRANSFORM_ID +121703.791302 Misc 70 conf_set: [QM-ESP-3DES-XF]:TRANSFORM_ID->3DES +121703.791349 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:ENCAPSULATION_MODE +121703.791399 Misc 70 conf_set: 
[QM-ESP-3DES-XF]:ENCAPSULATION_MODE->TUNNEL +121703.791446 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:Life +121703.791494 Misc 70 conf_set: [QM-ESP-3DES-XF]:Life->LIFE_QUICK_MODE +121703.791540 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-SUITE]:Protocols +121703.791591 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-SUITE]:Protocols->QM-ESP-3DES-MD5-PFS +121703.910496 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS]:PROTOCOL_ID +121703.910561 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121703.910610 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS]:Transforms +121703.910660 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS]:Transforms->QM-ESP-3DES-MD5-PFS-XF +121703.910707 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121703.910758 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121703.910806 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121703.910856 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121703.910905 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121703.910956 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121703.911005 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121704.042491 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121704.042554 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:Life +121704.042604 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121704.042651 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-SUITE]:Protocols +121704.042702 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-SUITE]:Protocols->QM-ESP-3DES-SHA-PFS +121704.042749 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-3DES-SHA-PFS]:PROTOCOL_ID +121704.042798 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121704.042844 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS]:Transforms +121704.042894 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS]:Transforms->QM-ESP-3DES-SHA-PFS-XF +121704.042942 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121704.042993 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121704.161498 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121704.161561 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121704.161611 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121704.161662 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121704.161712 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121704.161762 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121704.161812 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:Life +121704.161861 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121704.161910 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-SUITE]:Protocols +121704.161962 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-3DES-RIPEMD-PFS +121704.293635 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121704.293696 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121704.293745 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS]:Transforms +121704.293796 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS]:Transforms->QM-ESP-3DES-RIPEMD-PFS-XF +121704.293843 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121704.293893 Misc 70 conf_set: 
[QM-ESP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121704.293941 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121704.293992 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121704.294040 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121704.294092 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121704.294141 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121704.419659 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121704.419721 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:Life +121704.419771 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121704.419818 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-SUITE]:Protocols +121704.419867 Misc 70 conf_set: [QM-ESP-3DES-PFS-SUITE]:Protocols->QM-ESP-3DES-PFS +121704.419914 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS]:PROTOCOL_ID +121704.419962 Misc 70 conf_set: [QM-ESP-3DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121704.420013 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS]:Transforms +121704.420065 Misc 70 conf_set: [QM-ESP-3DES-PFS]:Transforms->QM-ESP-3DES-PFS-XF +121704.420115 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:TRANSFORM_ID +121704.420164 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:TRANSFORM_ID->3DES +121704.546053 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:ENCAPSULATION_MODE +121704.546114 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121704.546164 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:Life +121704.546212 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:Life->LIFE_QUICK_MODE +121704.546259 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-3DES-MD5-SUITE]:Protocols +121704.546310 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-SUITE]:Protocols->QM-ESP-TRP-3DES-MD5 +121704.546360 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5]:PROTOCOL_ID +121704.546409 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121704.546458 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5]:Transforms +121704.546507 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5]:Transforms->QM-ESP-TRP-3DES-MD5-XF +121704.546556 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:TRANSFORM_ID +121704.671976 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121704.672038 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE +121704.672090 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121704.672139 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121704.672190 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121704.672240 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:Life +121704.672288 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121704.672335 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-SUITE]:Protocols +121704.672385 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-SUITE]:Protocols->QM-ESP-TRP-3DES-SHA +121704.672432 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA]:PROTOCOL_ID +121704.672480 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121704.803844 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA]:Transforms +121704.803905 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA]:Transforms->QM-ESP-TRP-3DES-SHA-XF +121704.803953 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:TRANSFORM_ID +121704.804003 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121704.804051 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE +121704.804102 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121704.804153 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121704.804204 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121704.804254 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:Life +121704.804303 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121704.923854 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-SUITE]:Protocols +121704.923922 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-3DES-RIPEMD +121704.923970 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD]:PROTOCOL_ID +121704.924021 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121704.924070 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD]:Transforms +121704.924121 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD]:Transforms->QM-ESP-TRP-3DES-RIPEMD-XF +121704.924168 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID +121704.924218 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121704.924266 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121704.924317 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121704.924366 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121705.048061 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121705.048123 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:Life +121705.048173 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121705.048221 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SUITE]:Protocols +121705.048270 Misc 70 conf_set: [QM-ESP-TRP-3DES-SUITE]:Protocols->QM-ESP-TRP-3DES +121705.048317 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES]:PROTOCOL_ID +121705.048364 Misc 70 conf_set: [QM-ESP-TRP-3DES]:PROTOCOL_ID->IPSEC_ESP +121705.048411 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES]:Transforms +121705.048459 Misc 70 conf_set: [QM-ESP-TRP-3DES]:Transforms->QM-ESP-TRP-3DES-XF +121705.048505 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:TRANSFORM_ID +121705.048553 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:TRANSFORM_ID->3DES +121705.180366 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:ENCAPSULATION_MODE +121705.180428 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:ENCAPSULATION_MODE->TRANSPORT +121705.180477 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:Life +121705.180525 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:Life->LIFE_QUICK_MODE +121705.180572 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-SUITE]:Protocols +121705.180623 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-MD5-PFS +121705.180670 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS]:PROTOCOL_ID +121705.180720 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121705.180768 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS]:Transforms +121705.180818 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS]:Transforms->QM-ESP-TRP-3DES-MD5-PFS-XF +121705.180870 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121705.300731 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121705.300793 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121705.300845 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121705.300895 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121705.300946 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121705.300997 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121705.301048 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121705.301098 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:Life +121705.301148 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121705.301194 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-SUITE]:Protocols +121705.431081 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-SHA-PFS +121705.431141 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS]:PROTOCOL_ID +121705.431191 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121705.431239 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS]:Transforms +121705.431290 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS]:Transforms->QM-ESP-TRP-3DES-SHA-PFS-XF +121705.431340 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121705.431390 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121705.431438 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121705.431489 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121705.431538 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121705.557619 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121705.557682 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121705.557734 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121705.557784 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:Life +121705.557833 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121705.557882 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols +121705.557934 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-RIPEMD-PFS +121705.557983 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121705.558034 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121705.558082 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS]:Transforms +121705.684955 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-3DES-RIPEMD-PFS-XF +121705.685019 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121705.685070 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121705.685118 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121705.685170 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121705.685219 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121705.685270 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121705.685321 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121705.685374 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121705.685423 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:Life +121705.808656 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121705.808718 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-SUITE]:Protocols +121705.808769 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-PFS +121705.808818 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS]:PROTOCOL_ID +121705.808867 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121705.808915 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS]:Transforms +121705.808964 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS]:Transforms->QM-ESP-TRP-3DES-PFS-XF +121705.809012 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:TRANSFORM_ID +121705.809062 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:TRANSFORM_ID->3DES +121705.809110 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:ENCAPSULATION_MODE +121705.809160 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121705.934996 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:Life +121705.935058 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:Life->LIFE_QUICK_MODE +121705.935106 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-SUITE]:Protocols +121705.935155 Misc 70 conf_set: [QM-AH-3DES-MD5-SUITE]:Protocols->QM-AH-3DES-MD5 +121705.935202 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5]:PROTOCOL_ID +121705.935251 Misc 70 conf_set: [QM-AH-3DES-MD5]:PROTOCOL_ID->IPSEC_AH +121705.935298 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5]:Transforms +121705.935346 Misc 70 conf_set: [QM-AH-3DES-MD5]:Transforms->QM-AH-3DES-MD5-XF +121705.935393 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:TRANSFORM_ID +121705.935441 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:TRANSFORM_ID->3DES +121705.935488 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:ENCAPSULATION_MODE +121706.072644 
Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121706.072705 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121706.072757 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121706.072804 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:Life +121706.072853 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121706.072900 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-SUITE]:Protocols +121706.072949 Misc 70 conf_set: [QM-AH-3DES-SHA-SUITE]:Protocols->QM-AH-3DES-SHA +121706.072996 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA]:PROTOCOL_ID +121706.073044 Misc 70 conf_set: [QM-AH-3DES-SHA]:PROTOCOL_ID->IPSEC_AH +121706.073091 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA]:Transforms +121706.073139 Misc 70 conf_set: [QM-AH-3DES-SHA]:Transforms->QM-AH-3DES-SHA-XF +121706.073190 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:TRANSFORM_ID +121706.198026 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:TRANSFORM_ID->3DES +121706.198086 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:ENCAPSULATION_MODE +121706.198138 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121706.198189 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121706.198239 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121706.198289 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:Life +121706.198337 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121706.198385 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-SUITE]:Protocols +121706.198435 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-SUITE]:Protocols->QM-AH-3DES-RIPEMD +121706.198484 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD]:PROTOCOL_ID +121706.198532 Misc 70 
conf_set: [QM-AH-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121706.317912 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD]:Transforms +121706.317972 Misc 70 conf_set: [QM-AH-3DES-RIPEMD]:Transforms->QM-AH-3DES-RIPEMD-XF +121706.318021 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:TRANSFORM_ID +121706.318071 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121706.318118 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121706.318169 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121706.318218 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121706.318269 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121706.318317 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:Life +121706.318366 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121706.318413 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-SUITE]:Protocols +121706.437747 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-SUITE]:Protocols->QM-AH-3DES-MD5-PFS +121706.437805 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS]:PROTOCOL_ID +121706.437855 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121706.437902 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS]:Transforms +121706.437951 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS]:Transforms->QM-AH-3DES-MD5-PFS-XF +121706.438000 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:TRANSFORM_ID +121706.438050 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121706.438098 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121706.438149 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121706.438197 Misc 60 conf_get_str: configuration value not found 
[QM-AH-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121706.438248 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121706.563505 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121706.563566 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121706.563617 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:Life +121706.563666 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121706.563715 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-SUITE]:Protocols +121706.563766 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-SUITE]:Protocols->QM-AH-3DES-SHA-PFS +121706.563813 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS]:PROTOCOL_ID +121706.563862 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121706.563908 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS]:Transforms +121706.563957 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS]:Transforms->QM-AH-3DES-SHA-PFS-XF +121706.564005 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:TRANSFORM_ID +121706.696006 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121706.696070 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121706.696122 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121706.696171 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121706.696222 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121706.696271 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121706.696321 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121706.696371 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:Life +121706.696419 Misc 70 conf_set: 
[QM-AH-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121706.696470 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-SUITE]:Protocols +121706.820938 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-3DES-RIPEMD-PFS +121706.820997 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS]:PROTOCOL_ID +121706.821048 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121706.821096 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS]:Transforms +121706.821146 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS]:Transforms->QM-AH-3DES-RIPEMD-PFS-XF +121706.821195 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121706.821246 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121706.821293 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121706.821344 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121706.821393 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121706.821445 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121706.947087 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121706.947162 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121706.947213 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:Life +121706.947263 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121706.947310 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-SUITE]:Protocols +121706.947360 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-SUITE]:Protocols->QM-AH-TRP-3DES-MD5 +121706.947407 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5]:PROTOCOL_ID +121706.947456 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5]:PROTOCOL_ID->IPSEC_AH +121706.947502 
Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5]:Transforms +121706.947552 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5]:Transforms->QM-AH-TRP-3DES-MD5-XF +121706.947601 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:TRANSFORM_ID +121707.078442 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121707.078504 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE +121707.078556 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.078606 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121707.078657 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121707.078706 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:Life +121707.078755 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121707.078803 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-SUITE]:Protocols +121707.078853 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-SUITE]:Protocols->QM-AH-TRP-3DES-SHA +121707.078900 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA]:PROTOCOL_ID +121707.211146 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA]:PROTOCOL_ID->IPSEC_AH +121707.211205 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA]:Transforms +121707.211255 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA]:Transforms->QM-AH-TRP-3DES-SHA-XF +121707.211303 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:TRANSFORM_ID +121707.211353 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121707.211400 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE +121707.211451 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.211499 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121707.211550 
Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121707.211599 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:Life +121707.211647 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121707.330183 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-SUITE]:Protocols +121707.330246 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-3DES-RIPEMD +121707.330295 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD]:PROTOCOL_ID +121707.330346 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121707.330393 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD]:Transforms +121707.330443 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD]:Transforms->QM-AH-TRP-3DES-RIPEMD-XF +121707.330495 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID +121707.330546 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121707.330595 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121707.330645 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.330695 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121707.456007 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121707.456072 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:Life +121707.456122 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121707.456168 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-SUITE]:Protocols +121707.456219 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-MD5-PFS +121707.456266 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS]:PROTOCOL_ID +121707.456316 Misc 70 conf_set: 
[QM-AH-TRP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121707.456364 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS]:Transforms +121707.456415 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS]:Transforms->QM-AH-TRP-3DES-MD5-PFS-XF +121707.456462 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121707.593891 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121707.593951 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121707.594003 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.594051 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121707.594103 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121707.594152 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121707.594202 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121707.594251 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:Life +121707.594300 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121707.594347 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-SUITE]:Protocols +121707.594398 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-SHA-PFS +121707.713882 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS]:PROTOCOL_ID +121707.713946 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121707.713994 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS]:Transforms +121707.714045 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS]:Transforms->QM-AH-TRP-3DES-SHA-PFS-XF +121707.714092 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121707.714142 Misc 70 conf_set: 
[QM-AH-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121707.714190 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121707.714241 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.714290 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121707.714341 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121707.838883 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121707.838945 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121707.838996 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:Life +121707.839045 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121707.839097 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols +121707.839150 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-RIPEMD-PFS +121707.839199 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121707.839249 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121707.839296 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS]:Transforms +121707.839348 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS]:Transforms->QM-AH-TRP-3DES-RIPEMD-PFS-XF +121707.958550 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121707.958614 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121707.958663 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121707.958715 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121707.958764 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM 
+121707.958816 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121707.958866 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121707.958917 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121707.958967 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:Life +121707.959018 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121708.096513 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-SUITE]:Protocols +121708.096574 Misc 70 conf_set: [QM-ESP-CAST-MD5-SUITE]:Protocols->QM-ESP-CAST-MD5 +121708.096622 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5]:PROTOCOL_ID +121708.096670 Misc 70 conf_set: [QM-ESP-CAST-MD5]:PROTOCOL_ID->IPSEC_ESP +121708.096717 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5]:Transforms +121708.096766 Misc 70 conf_set: [QM-ESP-CAST-MD5]:Transforms->QM-ESP-CAST-MD5-XF +121708.096814 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:TRANSFORM_ID +121708.096863 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121708.096910 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:ENCAPSULATION_MODE +121708.096961 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121708.097009 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121708.120148 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121708.120210 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:Life +121708.120259 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121708.120310 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-SUITE]:Protocols +121708.120359 Misc 70 conf_set: [QM-ESP-CAST-SHA-SUITE]:Protocols->QM-ESP-CAST-SHA +121708.120406 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-CAST-SHA]:PROTOCOL_ID +121708.120454 Misc 70 conf_set: [QM-ESP-CAST-SHA]:PROTOCOL_ID->IPSEC_ESP +121708.120501 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA]:Transforms +121708.120549 Misc 70 conf_set: [QM-ESP-CAST-SHA]:Transforms->QM-ESP-CAST-SHA-XF +121708.120598 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:TRANSFORM_ID +121708.120647 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121708.120695 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:ENCAPSULATION_MODE +121708.228216 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121708.228278 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121708.228330 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121708.228379 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:Life +121708.228428 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121708.228474 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-SUITE]:Protocols +121708.228524 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-SUITE]:Protocols->QM-ESP-CAST-RIPEMD +121708.228571 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD]:PROTOCOL_ID +121708.228619 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121708.228666 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD]:Transforms +121708.228715 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD]:Transforms->QM-ESP-CAST-RIPEMD-XF +121708.360245 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:TRANSFORM_ID +121708.360307 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121708.360356 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121708.360407 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121708.360455 Misc 60 
conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121708.360507 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121708.360556 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:Life +121708.360605 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121708.360652 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SUITE]:Protocols +121708.360701 Misc 70 conf_set: [QM-ESP-CAST-SUITE]:Protocols->QM-ESP-CAST +121708.360747 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST]:PROTOCOL_ID +121708.479955 Misc 70 conf_set: [QM-ESP-CAST]:PROTOCOL_ID->IPSEC_ESP +121708.480016 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST]:Transforms +121708.480068 Misc 70 conf_set: [QM-ESP-CAST]:Transforms->QM-ESP-CAST-XF +121708.480115 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:TRANSFORM_ID +121708.480162 Misc 70 conf_set: [QM-ESP-CAST-XF]:TRANSFORM_ID->CAST +121708.480209 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:ENCAPSULATION_MODE +121708.480259 Misc 70 conf_set: [QM-ESP-CAST-XF]:ENCAPSULATION_MODE->TUNNEL +121708.480306 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:Life +121708.480354 Misc 70 conf_set: [QM-ESP-CAST-XF]:Life->LIFE_QUICK_MODE +121708.480404 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-SUITE]:Protocols +121708.480456 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-SUITE]:Protocols->QM-ESP-CAST-MD5-PFS +121708.480503 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS]:PROTOCOL_ID +121708.606015 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121708.606074 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS]:Transforms +121708.606125 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS]:Transforms->QM-ESP-CAST-MD5-PFS-XF +121708.606171 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121708.606221 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121708.606268 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121708.606321 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121708.606369 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121708.606420 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121708.606469 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121708.731490 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121708.731575 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:Life +121708.731626 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121708.731678 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-SUITE]:Protocols +121708.731729 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-SUITE]:Protocols->QM-ESP-CAST-SHA-PFS +121708.731780 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS]:PROTOCOL_ID +121708.731830 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121708.731878 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS]:Transforms +121708.731928 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS]:Transforms->QM-ESP-CAST-SHA-PFS-XF +121708.731975 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121708.732025 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121708.857126 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121708.857189 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121708.857238 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121708.857290 Misc 70 conf_set: 
[QM-ESP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121708.857339 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121708.857390 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121708.857439 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:Life +121708.857488 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121708.857535 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-SUITE]:Protocols +121708.857587 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-CAST-RIPEMD-PFS +121708.857635 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121708.983557 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121708.983616 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS]:Transforms +121708.983668 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS]:Transforms->QM-ESP-CAST-RIPEMD-PFS-XF +121708.983717 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121708.983767 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121708.983814 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121708.983865 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121708.983914 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121708.983965 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121708.984014 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121709.109655 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121709.109718 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:Life +121709.109768 Misc 70 conf_set: 
[QM-ESP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121709.109815 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-SUITE]:Protocols +121709.109863 Misc 70 conf_set: [QM-ESP-CAST-PFS-SUITE]:Protocols->QM-ESP-CAST-PFS +121709.109912 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS]:PROTOCOL_ID +121709.109960 Misc 70 conf_set: [QM-ESP-CAST-PFS]:PROTOCOL_ID->IPSEC_ESP +121709.110011 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS]:Transforms +121709.110063 Misc 70 conf_set: [QM-ESP-CAST-PFS]:Transforms->QM-ESP-CAST-PFS-XF +121709.110111 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:TRANSFORM_ID +121709.110160 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:TRANSFORM_ID->CAST +121709.234883 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:ENCAPSULATION_MODE +121709.234944 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121709.234997 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:Life +121709.235047 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:Life->LIFE_QUICK_MODE +121709.235095 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-SUITE]:Protocols +121709.235147 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-SUITE]:Protocols->QM-ESP-TRP-CAST-MD5 +121709.235195 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5]:PROTOCOL_ID +121709.235244 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5]:PROTOCOL_ID->IPSEC_ESP +121709.235292 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5]:Transforms +121709.235341 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5]:Transforms->QM-ESP-TRP-CAST-MD5-XF +121709.235395 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:TRANSFORM_ID +121709.367422 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121709.367484 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE +121709.367537 Misc 70 
conf_set: [QM-ESP-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121709.367588 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121709.367639 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121709.367691 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:Life +121709.367740 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121709.367786 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-SUITE]:Protocols +121709.367836 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-SUITE]:Protocols->QM-ESP-TRP-CAST-SHA +121709.367883 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA]:PROTOCOL_ID +121709.367931 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA]:PROTOCOL_ID->IPSEC_ESP +121709.486665 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA]:Transforms +121709.486725 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA]:Transforms->QM-ESP-TRP-CAST-SHA-XF +121709.486774 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:TRANSFORM_ID +121709.486825 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121709.486873 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE +121709.486924 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121709.486973 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121709.487024 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121709.487073 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:Life +121709.487122 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121709.487170 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-SUITE]:Protocols +121709.618414 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-CAST-RIPEMD 
+121709.618475 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD]:PROTOCOL_ID +121709.618527 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121709.618575 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD]:Transforms +121709.618626 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD]:Transforms->QM-ESP-TRP-CAST-RIPEMD-XF +121709.618678 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID +121709.618728 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121709.618777 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121709.618829 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121709.618879 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121709.745018 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121709.745082 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:Life +121709.745132 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121709.745179 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SUITE]:Protocols +121709.745227 Misc 70 conf_set: [QM-ESP-TRP-CAST-SUITE]:Protocols->QM-ESP-TRP-CAST +121709.745274 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST]:PROTOCOL_ID +121709.745322 Misc 70 conf_set: [QM-ESP-TRP-CAST]:PROTOCOL_ID->IPSEC_ESP +121709.745369 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST]:Transforms +121709.745417 Misc 70 conf_set: [QM-ESP-TRP-CAST]:Transforms->QM-ESP-TRP-CAST-XF +121709.745464 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:TRANSFORM_ID +121709.745513 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:TRANSFORM_ID->CAST +121709.870666 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:ENCAPSULATION_MODE 
+121709.870729 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:ENCAPSULATION_MODE->TRANSPORT +121709.870778 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:Life +121709.870826 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:Life->LIFE_QUICK_MODE +121709.870873 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-SUITE]:Protocols +121709.870925 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-MD5-PFS +121709.870974 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS]:PROTOCOL_ID +121709.871025 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121709.871073 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS]:Transforms +121709.871124 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS]:Transforms->QM-ESP-TRP-CAST-MD5-PFS-XF +121709.871173 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121709.996173 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121709.996233 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121709.996286 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121709.996335 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121709.996387 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121709.996437 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121709.996488 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121709.996539 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:Life +121709.996588 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121709.996640 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-SUITE]:Protocols +121710.110295 Misc 70 conf_set: 
[QM-ESP-TRP-CAST-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-SHA-PFS +121710.110356 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS]:PROTOCOL_ID +121710.110406 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121710.110455 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS]:Transforms +121710.110505 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS]:Transforms->QM-ESP-TRP-CAST-SHA-PFS-XF +121710.110553 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121710.110604 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121710.110652 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121710.110702 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121710.110751 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121710.247066 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121710.247130 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121710.247207 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121710.247258 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:Life +121710.247307 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121710.247355 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols +121710.247407 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-RIPEMD-PFS +121710.247460 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121710.247513 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121710.247562 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS]:Transforms +121710.247613 Misc 
70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS]:Transforms->QM-ESP-TRP-CAST-RIPEMD-PFS-XF +121710.373060 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121710.373122 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121710.373172 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121710.373224 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121710.373275 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121710.373327 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121710.373380 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121710.373431 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121710.373483 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:Life +121710.492800 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121710.492860 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-SUITE]:Protocols +121710.492911 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-PFS +121710.492958 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS]:PROTOCOL_ID +121710.493007 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS]:PROTOCOL_ID->IPSEC_ESP +121710.493054 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS]:Transforms +121710.493103 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS]:Transforms->QM-ESP-TRP-CAST-PFS-XF +121710.493150 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:TRANSFORM_ID +121710.493200 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:TRANSFORM_ID->CAST +121710.493247 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:ENCAPSULATION_MODE +121710.493298 
Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121710.624415 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:Life +121710.624474 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:Life->LIFE_QUICK_MODE +121710.624521 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-SUITE]:Protocols +121710.624570 Misc 70 conf_set: [QM-AH-CAST-MD5-SUITE]:Protocols->QM-AH-CAST-MD5 +121710.624617 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5]:PROTOCOL_ID +121710.624665 Misc 70 conf_set: [QM-AH-CAST-MD5]:PROTOCOL_ID->IPSEC_AH +121710.624712 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5]:Transforms +121710.624760 Misc 70 conf_set: [QM-AH-CAST-MD5]:Transforms->QM-AH-CAST-MD5-XF +121710.624807 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:TRANSFORM_ID +121710.624856 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:TRANSFORM_ID->CAST +121710.624903 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:ENCAPSULATION_MODE +121710.624953 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121710.762509 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121710.762571 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121710.762622 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:Life +121710.762670 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121710.762718 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-SUITE]:Protocols +121710.762791 Misc 70 conf_set: [QM-AH-CAST-SHA-SUITE]:Protocols->QM-AH-CAST-SHA +121710.762839 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA]:PROTOCOL_ID +121710.762888 Misc 70 conf_set: [QM-AH-CAST-SHA]:PROTOCOL_ID->IPSEC_AH +121710.762934 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA]:Transforms +121710.762983 Misc 70 conf_set: 
[QM-AH-CAST-SHA]:Transforms->QM-AH-CAST-SHA-XF +121710.763031 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:TRANSFORM_ID +121710.882022 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:TRANSFORM_ID->CAST +121710.882083 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:ENCAPSULATION_MODE +121710.882134 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121710.882184 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121710.882234 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121710.882283 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:Life +121710.882331 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121710.882380 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-SUITE]:Protocols +121710.882430 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-SUITE]:Protocols->QM-AH-CAST-RIPEMD +121710.882477 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD]:PROTOCOL_ID +121710.882526 Misc 70 conf_set: [QM-AH-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121711.014177 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD]:Transforms +121711.014240 Misc 70 conf_set: [QM-AH-CAST-RIPEMD]:Transforms->QM-AH-CAST-RIPEMD-XF +121711.014288 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:TRANSFORM_ID +121711.014338 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121711.014385 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121711.014436 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121711.014484 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121711.014535 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121711.014584 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:Life 
+121711.014633 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121711.014681 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-SUITE]:Protocols +121711.140216 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-SUITE]:Protocols->QM-AH-CAST-MD5-PFS +121711.140278 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS]:PROTOCOL_ID +121711.140328 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121711.140375 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS]:Transforms +121711.140424 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS]:Transforms->QM-AH-CAST-MD5-PFS-XF +121711.140471 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:TRANSFORM_ID +121711.140521 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121711.140568 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121711.140618 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121711.140667 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121711.140718 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121711.253708 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121711.253770 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121711.253820 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:Life +121711.253869 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121711.253917 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-SUITE]:Protocols +121711.253968 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-SUITE]:Protocols->QM-AH-CAST-SHA-PFS +121711.254016 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS]:PROTOCOL_ID +121711.254064 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121711.254111 Misc 60 conf_get_str: 
configuration value not found [QM-AH-CAST-SHA-PFS]:Transforms +121711.254160 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS]:Transforms->QM-AH-CAST-SHA-PFS-XF +121711.254206 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:TRANSFORM_ID +121711.379663 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121711.379722 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121711.379773 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121711.379821 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121711.379872 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121711.379921 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121711.379997 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121711.380053 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:Life +121711.380103 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121711.380157 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-SUITE]:Protocols +121711.380209 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-AH-CAST-RIPEMD-PFS +121711.512142 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS]:PROTOCOL_ID +121711.512203 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121711.512252 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS]:Transforms +121711.512303 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS]:Transforms->QM-AH-CAST-RIPEMD-PFS-XF +121711.512355 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121711.512406 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121711.512455 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121711.512506 
Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121711.512557 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121711.512609 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121711.637948 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121711.638010 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121711.638063 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:Life +121711.638112 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121711.638160 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-SUITE]:Protocols +121711.638213 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-SUITE]:Protocols->QM-AH-TRP-CAST-MD5 +121711.638261 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5]:PROTOCOL_ID +121711.638310 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5]:PROTOCOL_ID->IPSEC_AH +121711.638357 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5]:Transforms +121711.638405 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5]:Transforms->QM-AH-TRP-CAST-MD5-XF +121711.638454 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:TRANSFORM_ID +121711.763238 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121711.763297 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE +121711.763349 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121711.763398 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121711.763449 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121711.763499 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:Life +121711.763548 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE 
+121711.763597 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-SUITE]:Protocols +121711.763648 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-SUITE]:Protocols->QM-AH-TRP-CAST-SHA +121711.763695 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA]:PROTOCOL_ID +121711.763743 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA]:PROTOCOL_ID->IPSEC_AH +121711.900930 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA]:Transforms +121711.900991 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA]:Transforms->QM-AH-TRP-CAST-SHA-XF +121711.901039 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:TRANSFORM_ID +121711.901088 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121711.901136 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE +121711.901186 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121711.901235 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121711.901285 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121711.901334 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:Life +121711.901382 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121711.901430 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-SUITE]:Protocols +121712.020587 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-SUITE]:Protocols->QM-AH-TRP-CAST-RIPEMD +121712.020648 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD]:PROTOCOL_ID +121712.020699 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121712.020747 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD]:Transforms +121712.020797 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD]:Transforms->QM-AH-TRP-CAST-RIPEMD-XF +121712.020847 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID +121712.020897 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121712.020945 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121712.020996 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121712.021045 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121712.147002 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121712.147064 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:Life +121712.147113 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121712.147160 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-SUITE]:Protocols +121712.147211 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-MD5-PFS +121712.147259 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS]:PROTOCOL_ID +121712.147309 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121712.147356 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS]:Transforms +121712.147407 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS]:Transforms->QM-AH-TRP-CAST-MD5-PFS-XF +121712.147458 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121712.147509 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121712.284431 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121712.284494 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121712.284544 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121712.284595 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121712.284645 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121712.284696 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121712.284745 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:Life +121712.284794 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121712.284843 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-SUITE]:Protocols +121712.284894 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-SHA-PFS +121712.409616 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS]:PROTOCOL_ID +121712.409677 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121712.409726 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS]:Transforms +121712.409777 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS]:Transforms->QM-AH-TRP-CAST-SHA-PFS-XF +121712.409825 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121712.409876 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121712.409924 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121712.409975 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121712.410032 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121712.410086 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121712.535803 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121712.535864 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121712.535915 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:Life +121712.535964 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121712.536011 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols +121712.536062 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-RIPEMD-PFS +121712.536111 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121712.536185 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121712.536233 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS]:Transforms +121712.536284 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS]:Transforms->QM-AH-TRP-CAST-RIPEMD-PFS-XF +121712.536335 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121712.662455 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121712.662514 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121712.662566 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121712.662615 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121712.662667 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121712.662717 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121712.662768 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121712.662818 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:Life +121712.662869 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121712.662918 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-SUITE]:Protocols +121712.787510 Misc 70 conf_set: [QM-ESP-BLF-MD5-SUITE]:Protocols->QM-ESP-BLF-MD5 +121712.787569 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5]:PROTOCOL_ID +121712.787617 Misc 70 conf_set: [QM-ESP-BLF-MD5]:PROTOCOL_ID->IPSEC_ESP +121712.787664 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-MD5]:Transforms +121712.787712 Misc 70 conf_set: [QM-ESP-BLF-MD5]:Transforms->QM-ESP-BLF-MD5-XF +121712.787760 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:TRANSFORM_ID +121712.787808 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121712.787855 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:KEY_LENGTH +121712.787904 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121712.787952 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:ENCAPSULATION_MODE +121712.788002 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121712.907243 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121712.907306 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121712.907356 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:Life +121712.907405 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121712.907452 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-SUITE]:Protocols +121712.907501 Misc 70 conf_set: [QM-ESP-BLF-SHA-SUITE]:Protocols->QM-ESP-BLF-SHA +121712.907550 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA]:PROTOCOL_ID +121712.907599 Misc 70 conf_set: [QM-ESP-BLF-SHA]:PROTOCOL_ID->IPSEC_ESP +121712.907646 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA]:Transforms +121712.907694 Misc 70 conf_set: [QM-ESP-BLF-SHA]:Transforms->QM-ESP-BLF-SHA-XF +121712.907744 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:TRANSFORM_ID +121713.052007 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121713.052067 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:KEY_LENGTH +121713.052117 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121713.052166 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:ENCAPSULATION_MODE 
+121713.052216 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121713.052267 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121713.052318 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121713.052368 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:Life +121713.052417 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121713.052466 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-SUITE]:Protocols +121713.052517 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-SUITE]:Protocols->QM-ESP-BLF-RIPEMD +121713.052564 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD]:PROTOCOL_ID +121713.178253 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121713.178313 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD]:Transforms +121713.178363 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD]:Transforms->QM-ESP-BLF-RIPEMD-XF +121713.178410 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:TRANSFORM_ID +121713.178460 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121713.178507 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:KEY_LENGTH +121713.178555 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121713.178603 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121713.178653 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121713.178701 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121713.178752 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121713.296645 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:Life +121713.296706 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121713.296758 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-SUITE]:Protocols +121713.296807 Misc 70 conf_set: [QM-ESP-BLF-SUITE]:Protocols->QM-ESP-BLF +121713.296854 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF]:PROTOCOL_ID +121713.296902 Misc 70 conf_set: [QM-ESP-BLF]:PROTOCOL_ID->IPSEC_ESP +121713.296948 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF]:Transforms +121713.296996 Misc 70 conf_set: [QM-ESP-BLF]:Transforms->QM-ESP-BLF-XF +121713.297047 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:TRANSFORM_ID +121713.297094 Misc 70 conf_set: [QM-ESP-BLF-XF]:TRANSFORM_ID->BLOWFISH +121713.297142 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:KEY_LENGTH +121713.297190 Misc 70 conf_set: [QM-ESP-BLF-XF]:KEY_LENGTH->128,96:192 +121713.416492 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:ENCAPSULATION_MODE +121713.416554 Misc 70 conf_set: [QM-ESP-BLF-XF]:ENCAPSULATION_MODE->TUNNEL +121713.416605 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:Life +121713.416655 Misc 70 conf_set: [QM-ESP-BLF-XF]:Life->LIFE_QUICK_MODE +121713.416703 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-SUITE]:Protocols +121713.416754 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-SUITE]:Protocols->QM-ESP-BLF-MD5-PFS +121713.416802 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS]:PROTOCOL_ID +121713.416851 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121713.416898 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS]:Transforms +121713.416947 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS]:Transforms->QM-ESP-BLF-MD5-PFS-XF +121713.416996 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121713.535872 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121713.535932 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:KEY_LENGTH +121713.535982 Misc 70 conf_set: 
[QM-ESP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121713.536032 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121713.536083 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121713.536157 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121713.536209 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121713.536259 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121713.536310 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121713.536360 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:Life +121713.536409 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121713.667090 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-SUITE]:Protocols +121713.667153 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-SUITE]:Protocols->QM-ESP-BLF-SHA-PFS +121713.667206 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS]:PROTOCOL_ID +121713.667255 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121713.667305 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS]:Transforms +121713.667355 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS]:Transforms->QM-ESP-BLF-SHA-PFS-XF +121713.667408 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121713.667459 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121713.667508 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:KEY_LENGTH +121713.667558 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121713.667607 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121713.793364 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121713.793426 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121713.793477 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121713.793528 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121713.793578 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121713.793629 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:Life +121713.793677 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121713.793726 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-SUITE]:Protocols +121713.793777 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-BLF-RIPEMD-PFS +121713.793828 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121713.793879 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121713.906496 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS]:Transforms +121713.906558 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS]:Transforms->QM-ESP-BLF-RIPEMD-PFS-XF +121713.906609 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121713.906660 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121713.906708 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121713.906759 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121713.906808 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121713.906859 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121713.906909 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121713.906961 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121714.043970 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121714.044033 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121714.044084 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:Life +121714.044134 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121714.044181 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-SUITE]:Protocols +121714.044230 Misc 70 conf_set: [QM-ESP-BLF-PFS-SUITE]:Protocols->QM-ESP-BLF-PFS +121714.044277 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS]:PROTOCOL_ID +121714.044326 Misc 70 conf_set: [QM-ESP-BLF-PFS]:PROTOCOL_ID->IPSEC_ESP +121714.044373 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS]:Transforms +121714.044421 Misc 70 conf_set: [QM-ESP-BLF-PFS]:Transforms->QM-ESP-BLF-PFS-XF +121714.044469 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:TRANSFORM_ID +121714.163405 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:TRANSFORM_ID->BLOWFISH +121714.163466 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:KEY_LENGTH +121714.163515 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:KEY_LENGTH->128,96:192 +121714.163564 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:ENCAPSULATION_MODE +121714.163614 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121714.163664 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:Life +121714.163712 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:Life->LIFE_QUICK_MODE +121714.163760 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-SUITE]:Protocols +121714.163811 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-SUITE]:Protocols->QM-ESP-TRP-BLF-MD5 +121714.163858 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5]:PROTOCOL_ID +121714.163906 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5]:PROTOCOL_ID->IPSEC_ESP +121714.163953 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-BLF-MD5]:Transforms +121714.301957 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5]:Transforms->QM-ESP-TRP-BLF-MD5-XF +121714.302017 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:TRANSFORM_ID +121714.302068 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121714.302116 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:KEY_LENGTH +121714.302165 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121714.302215 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE +121714.302266 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121714.302315 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121714.302366 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121714.302416 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:Life +121714.427554 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121714.427615 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-SUITE]:Protocols +121714.427666 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-SUITE]:Protocols->QM-ESP-TRP-BLF-SHA +121714.427715 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA]:PROTOCOL_ID +121714.427763 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA]:PROTOCOL_ID->IPSEC_ESP +121714.427810 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA]:Transforms +121714.427859 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA]:Transforms->QM-ESP-TRP-BLF-SHA-XF +121714.427908 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:TRANSFORM_ID +121714.427959 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121714.428007 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:KEY_LENGTH +121714.428056 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 
+121714.428105 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE +121714.547117 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121714.547179 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121714.547231 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121714.547281 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:Life +121714.547330 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121714.547379 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-SUITE]:Protocols +121714.547430 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-BLF-RIPEMD +121714.547480 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD]:PROTOCOL_ID +121714.547530 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121714.547578 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD]:Transforms +121714.673688 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD]:Transforms->QM-ESP-TRP-BLF-RIPEMD-XF +121714.673751 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID +121714.673802 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121714.673851 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:KEY_LENGTH +121714.673901 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121714.673951 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121714.674001 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121714.674052 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121714.674103 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121714.674155 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:Life +121714.674204 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121714.799005 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SUITE]:Protocols +121714.799064 Misc 70 conf_set: [QM-ESP-TRP-BLF-SUITE]:Protocols->QM-ESP-TRP-BLF +121714.799117 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF]:PROTOCOL_ID +121714.799166 Misc 70 conf_set: [QM-ESP-TRP-BLF]:PROTOCOL_ID->IPSEC_ESP +121714.799216 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF]:Transforms +121714.799264 Misc 70 conf_set: [QM-ESP-TRP-BLF]:Transforms->QM-ESP-TRP-BLF-XF +121714.799312 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:TRANSFORM_ID +121714.799361 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:TRANSFORM_ID->BLOWFISH +121714.799409 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:KEY_LENGTH +121714.799457 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:KEY_LENGTH->128,96:192 +121714.799505 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:ENCAPSULATION_MODE +121714.924354 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:ENCAPSULATION_MODE->TRANSPORT +121714.924417 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:Life +121714.924466 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:Life->LIFE_QUICK_MODE +121714.924514 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-SUITE]:Protocols +121714.924565 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-MD5-PFS +121714.924617 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS]:PROTOCOL_ID +121714.924667 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121714.924715 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS]:Transforms +121714.924766 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS]:Transforms->QM-ESP-TRP-BLF-MD5-PFS-XF +121714.924815 Misc 60 
conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121714.924866 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121715.043619 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH +121715.043682 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121715.043733 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121715.043784 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121715.043834 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121715.043912 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121715.043963 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121715.044015 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121715.044066 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:Life +121715.044115 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121715.188791 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-SUITE]:Protocols +121715.188856 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-SHA-PFS +121715.188907 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS]:PROTOCOL_ID +121715.188958 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121715.189009 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS]:Transforms +121715.189061 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS]:Transforms->QM-ESP-TRP-BLF-SHA-PFS-XF +121715.189110 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121715.189161 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121715.189209 Misc 60 conf_get_str: configuration 
value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH +121715.189259 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121715.189310 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121715.295847 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121715.295909 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121715.295962 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121715.296012 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121715.296064 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121715.296114 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:Life +121715.296163 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121715.296213 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols +121715.296264 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-RIPEMD-PFS +121715.296314 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121715.428477 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121715.428536 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS]:Transforms +121715.428588 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS]:Transforms->QM-ESP-TRP-BLF-RIPEMD-PFS-XF +121715.428641 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121715.428692 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121715.428740 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121715.428791 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121715.428840 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121715.428892 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121715.428942 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121715.559651 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121715.559714 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121715.559766 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121715.559817 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:Life +121715.559868 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121715.559917 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-SUITE]:Protocols +121715.559967 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-PFS +121715.560021 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS]:PROTOCOL_ID +121715.560073 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS]:PROTOCOL_ID->IPSEC_ESP +121715.560123 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS]:Transforms +121715.692049 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS]:Transforms->QM-ESP-TRP-BLF-PFS-XF +121715.692108 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:TRANSFORM_ID +121715.692159 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:TRANSFORM_ID->BLOWFISH +121715.692206 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:KEY_LENGTH +121715.692256 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:KEY_LENGTH->128,96:192 +121715.692330 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:ENCAPSULATION_MODE +121715.692381 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121715.692431 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-BLF-PFS-XF]:Life +121715.692479 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:Life->LIFE_QUICK_MODE +121715.692527 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-SUITE]:Protocols +121715.692575 Misc 70 conf_set: [QM-AH-BLF-MD5-SUITE]:Protocols->QM-AH-BLF-MD5 +121715.692621 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5]:PROTOCOL_ID +121715.829284 Misc 70 conf_set: [QM-AH-BLF-MD5]:PROTOCOL_ID->IPSEC_AH +121715.829340 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5]:Transforms +121715.829390 Misc 70 conf_set: [QM-AH-BLF-MD5]:Transforms->QM-AH-BLF-MD5-XF +121715.829436 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:TRANSFORM_ID +121715.829484 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121715.829530 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:KEY_LENGTH +121715.829578 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121715.829625 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:ENCAPSULATION_MODE +121715.829675 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121715.829723 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121715.829774 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121715.961030 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:Life +121715.961095 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121715.961146 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-SUITE]:Protocols +121715.961195 Misc 70 conf_set: [QM-AH-BLF-SHA-SUITE]:Protocols->QM-AH-BLF-SHA +121715.961242 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA]:PROTOCOL_ID +121715.961290 Misc 70 conf_set: [QM-AH-BLF-SHA]:PROTOCOL_ID->IPSEC_AH +121715.961336 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA]:Transforms +121715.961384 Misc 70 conf_set: 
[QM-AH-BLF-SHA]:Transforms->QM-AH-BLF-SHA-XF +121715.961431 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:TRANSFORM_ID +121715.961479 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121715.961526 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:KEY_LENGTH +121715.961574 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121716.093281 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:ENCAPSULATION_MODE +121716.093343 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121716.093392 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121716.093443 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121716.093492 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:Life +121716.093540 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121716.093587 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-SUITE]:Protocols +121716.093636 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-SUITE]:Protocols->QM-AH-BLF-RIPEMD +121716.093684 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD]:PROTOCOL_ID +121716.093732 Misc 70 conf_set: [QM-AH-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121716.093779 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD]:Transforms +121716.219030 Misc 70 conf_set: [QM-AH-BLF-RIPEMD]:Transforms->QM-AH-BLF-RIPEMD-XF +121716.219091 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:TRANSFORM_ID +121716.219141 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121716.219190 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:KEY_LENGTH +121716.219238 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121716.219286 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121716.219336 Misc 70 conf_set: 
[QM-AH-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121716.219384 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121716.219435 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121716.219485 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:Life +121716.219533 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121716.219580 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-SUITE]:Protocols +121716.332909 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-SUITE]:Protocols->QM-AH-BLF-MD5-PFS +121716.332995 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS]:PROTOCOL_ID +121716.333044 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121716.333091 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS]:Transforms +121716.333140 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS]:Transforms->QM-AH-BLF-MD5-PFS-XF +121716.333189 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:TRANSFORM_ID +121716.333239 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121716.333287 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:KEY_LENGTH +121716.333336 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121716.333385 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121716.333435 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121716.458722 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121716.458785 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121716.458836 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121716.458887 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121716.458937 Misc 60 conf_get_str: configuration value not found 
[QM-AH-BLF-MD5-PFS-XF]:Life +121716.458986 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121716.459035 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-SUITE]:Protocols +121716.459086 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-SUITE]:Protocols->QM-AH-BLF-SHA-PFS +121716.459133 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS]:PROTOCOL_ID +121716.459181 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121716.459227 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS]:Transforms +121716.583846 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS]:Transforms->QM-AH-BLF-SHA-PFS-XF +121716.583905 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:TRANSFORM_ID +121716.583956 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121716.584003 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:KEY_LENGTH +121716.584052 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121716.584100 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121716.584151 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121716.584200 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121716.584251 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121716.584300 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121716.710581 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121716.710645 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:Life +121716.710695 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121716.710744 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-SUITE]:Protocols +121716.710794 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-AH-BLF-RIPEMD-PFS +121716.710845 
Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS]:PROTOCOL_ID +121716.710895 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121716.710942 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS]:Transforms +121716.710992 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS]:Transforms->QM-AH-BLF-RIPEMD-PFS-XF +121716.711038 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121716.711088 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121716.836374 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121716.836436 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121716.836485 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121716.836537 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121716.836585 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121716.836636 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121716.836686 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121716.836737 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121716.836786 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:Life +121716.836835 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121716.836885 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-SUITE]:Protocols +121716.968034 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-SUITE]:Protocols->QM-AH-TRP-BLF-MD5 +121716.968095 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5]:PROTOCOL_ID +121716.968145 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5]:PROTOCOL_ID->IPSEC_AH +121716.968192 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5]:Transforms 
+121716.968241 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5]:Transforms->QM-AH-TRP-BLF-MD5-XF +121716.968287 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:TRANSFORM_ID +121716.968337 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121716.968384 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:KEY_LENGTH +121716.968433 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121716.968481 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE +121716.968531 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.093143 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121717.093205 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121717.093255 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:Life +121717.093305 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121717.093352 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-SUITE]:Protocols +121717.093402 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-SUITE]:Protocols->QM-AH-TRP-BLF-SHA +121717.093449 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA]:PROTOCOL_ID +121717.093497 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA]:PROTOCOL_ID->IPSEC_AH +121717.093544 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA]:Transforms +121717.093593 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA]:Transforms->QM-AH-TRP-BLF-SHA-XF +121717.093641 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:TRANSFORM_ID +121717.218878 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121717.218939 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:KEY_LENGTH +121717.218989 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121717.219039 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE +121717.219090 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.219139 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121717.219190 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121717.219240 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:Life +121717.219289 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121717.219335 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-SUITE]:Protocols +121717.219386 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-SUITE]:Protocols->QM-AH-TRP-BLF-RIPEMD +121717.344686 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD]:PROTOCOL_ID +121717.344747 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121717.344796 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD]:Transforms +121717.344845 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD]:Transforms->QM-AH-TRP-BLF-RIPEMD-XF +121717.344893 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID +121717.344944 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121717.344993 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:KEY_LENGTH +121717.345043 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121717.345092 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121717.345142 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.345192 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121717.470264 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121717.470326 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:Life +121717.470375 Misc 70 
conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121717.470422 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-SUITE]:Protocols +121717.470473 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-MD5-PFS +121717.470521 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS]:PROTOCOL_ID +121717.470571 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121717.470619 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS]:Transforms +121717.470669 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS]:Transforms->QM-AH-TRP-BLF-MD5-PFS-XF +121717.470717 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121717.595585 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121717.595643 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH +121717.595695 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121717.595744 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121717.595795 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.595844 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121717.595897 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121717.595948 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121717.595999 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121717.596049 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:Life +121717.726740 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121717.726803 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-SUITE]:Protocols +121717.726855 Misc 70 conf_set: 
[QM-AH-TRP-BLF-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-SHA-PFS +121717.726903 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS]:PROTOCOL_ID +121717.726953 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121717.727001 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS]:Transforms +121717.727051 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS]:Transforms->QM-AH-TRP-BLF-SHA-PFS-XF +121717.727101 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121717.727151 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121717.727200 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH +121717.727251 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121717.847257 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121717.847320 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.847371 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121717.847423 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121717.847474 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121717.847525 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121717.847576 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:Life +121717.847625 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121717.847673 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols +121717.847724 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-RIPEMD-PFS +121717.972131 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121717.972194 Misc 70 conf_set: 
[QM-AH-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121717.972245 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS]:Transforms +121717.972297 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS]:Transforms->QM-AH-TRP-BLF-RIPEMD-PFS-XF +121717.972346 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121717.972397 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121717.972445 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121717.972496 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121717.972545 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121717.972597 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121717.972647 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121718.110460 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121718.110523 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121718.110574 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121718.110625 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:Life +121718.110675 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121718.110724 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-SUITE]:Protocols +121718.110772 Misc 70 conf_set: [QM-ESP-AES-MD5-SUITE]:Protocols->QM-ESP-AES-MD5 +121718.110819 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5]:PROTOCOL_ID +121718.110867 Misc 70 conf_set: [QM-ESP-AES-MD5]:PROTOCOL_ID->IPSEC_ESP +121718.110914 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5]:Transforms +121718.237045 Misc 70 conf_set: [QM-ESP-AES-MD5]:Transforms->QM-ESP-AES-MD5-XF 
+121718.237110 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:TRANSFORM_ID +121718.237161 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:TRANSFORM_ID->AES +121718.237209 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:ENCAPSULATION_MODE +121718.237259 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121718.237308 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121718.237359 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121718.237406 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:Life +121718.237455 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121718.237502 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-SUITE]:Protocols +121718.237551 Misc 70 conf_set: [QM-ESP-AES-SHA-SUITE]:Protocols->QM-ESP-AES-SHA +121718.237598 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA]:PROTOCOL_ID +121718.369337 Misc 70 conf_set: [QM-ESP-AES-SHA]:PROTOCOL_ID->IPSEC_ESP +121718.369396 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA]:Transforms +121718.369445 Misc 70 conf_set: [QM-ESP-AES-SHA]:Transforms->QM-ESP-AES-SHA-XF +121718.369491 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:TRANSFORM_ID +121718.369539 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:TRANSFORM_ID->AES +121718.369586 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:ENCAPSULATION_MODE +121718.369636 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121718.369685 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121718.369735 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121718.369783 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:Life +121718.369831 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121718.501379 Misc 60 
conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-SUITE]:Protocols +121718.501441 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-SUITE]:Protocols->QM-ESP-AES-RIPEMD +121718.501491 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD]:PROTOCOL_ID +121718.501539 Misc 70 conf_set: [QM-ESP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121718.501587 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD]:Transforms +121718.501636 Misc 70 conf_set: [QM-ESP-AES-RIPEMD]:Transforms->QM-ESP-AES-RIPEMD-XF +121718.501683 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:TRANSFORM_ID +121718.501733 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121718.501780 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121718.501831 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121718.501879 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121718.620602 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121718.620663 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:Life +121718.620713 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121718.620764 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SUITE]:Protocols +121718.620813 Misc 70 conf_set: [QM-ESP-AES-SUITE]:Protocols->QM-ESP-AES +121718.620860 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES]:PROTOCOL_ID +121718.620908 Misc 70 conf_set: [QM-ESP-AES]:PROTOCOL_ID->IPSEC_ESP +121718.620955 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES]:Transforms +121718.621003 Misc 70 conf_set: [QM-ESP-AES]:Transforms->QM-ESP-AES-XF +121718.621049 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-XF]:TRANSFORM_ID +121718.621098 Misc 70 conf_set: [QM-ESP-AES-XF]:TRANSFORM_ID->AES +121718.621144 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-AES-XF]:ENCAPSULATION_MODE +121718.746645 Misc 70 conf_set: [QM-ESP-AES-XF]:ENCAPSULATION_MODE->TUNNEL +121718.746705 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-XF]:Life +121718.746754 Misc 70 conf_set: [QM-ESP-AES-XF]:Life->LIFE_QUICK_MODE +121718.746801 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-SUITE]:Protocols +121718.746851 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-SUITE]:Protocols->QM-ESP-AES-MD5-PFS +121718.746898 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS]:PROTOCOL_ID +121718.746973 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121718.747021 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS]:Transforms +121718.747069 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS]:Transforms->QM-ESP-AES-MD5-PFS-XF +121718.747118 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:TRANSFORM_ID +121718.747168 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121718.747215 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121718.866332 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121718.866393 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121718.866445 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121718.866494 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121718.866545 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121718.866594 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:Life +121718.866642 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121718.866690 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-SUITE]:Protocols +121718.866741 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-SUITE]:Protocols->QM-ESP-AES-SHA-PFS +121718.866792 Misc 
60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS]:PROTOCOL_ID +121718.985815 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121718.985876 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS]:Transforms +121718.985925 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS]:Transforms->QM-ESP-AES-SHA-PFS-XF +121718.985972 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:TRANSFORM_ID +121718.986022 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121718.986071 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121718.986122 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121718.986170 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121718.986221 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121718.986269 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121718.986320 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121719.117611 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:Life +121719.117673 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121719.117721 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-SUITE]:Protocols +121719.117773 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-AES-RIPEMD-PFS +121719.117822 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS]:PROTOCOL_ID +121719.117873 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121719.117920 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS]:Transforms +121719.117970 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS]:Transforms->QM-ESP-AES-RIPEMD-PFS-XF +121719.118018 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121719.118068 
Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121719.118115 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121719.250242 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121719.250303 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121719.250355 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121719.250404 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121719.250455 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121719.250504 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:Life +121719.250553 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121719.250601 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-SUITE]:Protocols +121719.250650 Misc 70 conf_set: [QM-ESP-AES-PFS-SUITE]:Protocols->QM-ESP-AES-PFS +121719.250696 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS]:PROTOCOL_ID +121719.369352 Misc 70 conf_set: [QM-ESP-AES-PFS]:PROTOCOL_ID->IPSEC_ESP +121719.369410 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS]:Transforms +121719.369460 Misc 70 conf_set: [QM-ESP-AES-PFS]:Transforms->QM-ESP-AES-PFS-XF +121719.369506 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:TRANSFORM_ID +121719.369554 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:TRANSFORM_ID->AES +121719.369601 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:ENCAPSULATION_MODE +121719.369650 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121719.369699 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:Life +121719.369747 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:Life->LIFE_QUICK_MODE +121719.369793 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-AES-MD5-SUITE]:Protocols +121719.369844 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-SUITE]:Protocols->QM-ESP-TRP-AES-MD5 +121719.369891 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5]:PROTOCOL_ID +121719.506622 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5]:PROTOCOL_ID->IPSEC_ESP +121719.506680 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5]:Transforms +121719.506730 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5]:Transforms->QM-ESP-TRP-AES-MD5-XF +121719.506777 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:TRANSFORM_ID +121719.506826 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:TRANSFORM_ID->AES +121719.506873 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:ENCAPSULATION_MODE +121719.506923 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121719.506971 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121719.507022 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121719.507070 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:Life +121719.507119 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121719.632270 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-SUITE]:Protocols +121719.632332 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-SUITE]:Protocols->QM-ESP-TRP-AES-SHA +121719.632382 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA]:PROTOCOL_ID +121719.632431 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA]:PROTOCOL_ID->IPSEC_ESP +121719.632479 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA]:Transforms +121719.632528 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA]:Transforms->QM-ESP-TRP-AES-SHA-XF +121719.632580 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:TRANSFORM_ID +121719.632632 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:TRANSFORM_ID->AES 
+121719.632680 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:ENCAPSULATION_MODE +121719.632731 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121719.632781 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121719.757890 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121719.757951 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:Life +121719.758000 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121719.758050 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-SUITE]:Protocols +121719.758101 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-AES-RIPEMD +121719.758148 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD]:PROTOCOL_ID +121719.758198 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121719.758245 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD]:Transforms +121719.758295 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD]:Transforms->QM-ESP-TRP-AES-RIPEMD-XF +121719.758344 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:TRANSFORM_ID +121719.872067 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121719.872127 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121719.872179 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121719.872227 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121719.872279 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121719.872328 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:Life +121719.872377 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121719.872424 Misc 60 conf_get_str: configuration 
value not found [QM-ESP-TRP-AES-SUITE]:Protocols +121719.872473 Misc 70 conf_set: [QM-ESP-TRP-AES-SUITE]:Protocols->QM-ESP-TRP-AES +121719.872521 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES]:PROTOCOL_ID +121719.872569 Misc 70 conf_set: [QM-ESP-TRP-AES]:PROTOCOL_ID->IPSEC_ESP +121720.009088 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES]:Transforms +121720.009148 Misc 70 conf_set: [QM-ESP-TRP-AES]:Transforms->QM-ESP-TRP-AES-XF +121720.009197 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:TRANSFORM_ID +121720.009246 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:TRANSFORM_ID->AES +121720.009293 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:ENCAPSULATION_MODE +121720.009344 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:ENCAPSULATION_MODE->TRANSPORT +121720.009393 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:Life +121720.009442 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:Life->LIFE_QUICK_MODE +121720.009492 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-SUITE]:Protocols +121720.009543 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-MD5-PFS +121720.009592 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS]:PROTOCOL_ID +121720.128880 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121720.128939 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS]:Transforms +121720.128991 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS]:Transforms->QM-ESP-TRP-AES-MD5-PFS-XF +121720.129039 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID +121720.129089 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121720.129136 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121720.129187 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121720.129235 
Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121720.129287 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121720.129336 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121720.129387 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121720.260542 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:Life +121720.260604 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121720.260655 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-SUITE]:Protocols +121720.260706 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-SHA-PFS +121720.260757 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS]:PROTOCOL_ID +121720.260807 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121720.260856 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS]:Transforms +121720.260907 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS]:Transforms->QM-ESP-TRP-AES-SHA-PFS-XF +121720.260955 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID +121720.261005 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121720.379793 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121720.379855 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121720.379906 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121720.379957 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121720.380012 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121720.380066 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 
+121720.380117 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:Life +121720.380165 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121720.380214 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-SUITE]:Protocols +121720.380266 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-RIPEMD-PFS +121720.505719 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID +121720.505781 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121720.505830 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS]:Transforms +121720.505881 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-AES-RIPEMD-PFS-XF +121720.505933 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121720.505983 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121720.506032 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121720.506083 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121720.506133 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121720.506185 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121720.631162 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121720.631231 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121720.631283 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:Life +121720.631335 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121720.631383 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-SUITE]:Protocols +121720.631434 Misc 70 conf_set: 
[QM-ESP-TRP-AES-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-PFS +121720.631483 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS]:PROTOCOL_ID +121720.631531 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS]:PROTOCOL_ID->IPSEC_ESP +121720.631579 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS]:Transforms +121720.631628 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS]:Transforms->QM-ESP-TRP-AES-PFS-XF +121720.631678 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:TRANSFORM_ID +121720.757291 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:TRANSFORM_ID->AES +121720.757350 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:ENCAPSULATION_MODE +121720.757402 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121720.757451 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:Life +121720.757500 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:Life->LIFE_QUICK_MODE +121720.757547 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-SUITE]:Protocols +121720.757596 Misc 70 conf_set: [QM-AH-AES-MD5-SUITE]:Protocols->QM-AH-AES-MD5 +121720.757644 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5]:PROTOCOL_ID +121720.757692 Misc 70 conf_set: [QM-AH-AES-MD5]:PROTOCOL_ID->IPSEC_AH +121720.757739 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5]:Transforms +121720.757787 Misc 70 conf_set: [QM-AH-AES-MD5]:Transforms->QM-AH-AES-MD5-XF +121720.757835 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:TRANSFORM_ID +121720.889616 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:TRANSFORM_ID->AES +121720.889676 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:ENCAPSULATION_MODE +121720.889727 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121720.889775 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121720.889825 Misc 70 conf_set: 
[QM-AH-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121720.889874 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:Life +121720.889922 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121720.889974 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-SUITE]:Protocols +121720.890026 Misc 70 conf_set: [QM-AH-AES-SHA-SUITE]:Protocols->QM-AH-AES-SHA +121720.890076 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA]:PROTOCOL_ID +121720.890124 Misc 70 conf_set: [QM-AH-AES-SHA]:PROTOCOL_ID->IPSEC_AH +121721.016004 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA]:Transforms +121721.016064 Misc 70 conf_set: [QM-AH-AES-SHA]:Transforms->QM-AH-AES-SHA-XF +121721.016112 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:TRANSFORM_ID +121721.016161 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:TRANSFORM_ID->AES +121721.016208 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:ENCAPSULATION_MODE +121721.016258 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121721.016306 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121721.016357 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121721.016405 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:Life +121721.016453 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121721.016505 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-SUITE]:Protocols +121721.016555 Misc 70 conf_set: [QM-AH-AES-RIPEMD-SUITE]:Protocols->QM-AH-AES-RIPEMD +121721.142677 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD]:PROTOCOL_ID +121721.142739 Misc 70 conf_set: [QM-AH-AES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121721.142787 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD]:Transforms +121721.142837 Misc 70 conf_set: [QM-AH-AES-RIPEMD]:Transforms->QM-AH-AES-RIPEMD-XF 
+121721.142887 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:TRANSFORM_ID +121721.142937 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121721.142984 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121721.143035 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121721.143083 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121721.143134 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121721.143183 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:Life +121721.274127 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121721.274188 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-SUITE]:Protocols +121721.274239 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-SUITE]:Protocols->QM-AH-AES-MD5-PFS +121721.274286 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS]:PROTOCOL_ID +121721.274334 Misc 70 conf_set: [QM-AH-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121721.274381 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS]:Transforms +121721.274429 Misc 70 conf_set: [QM-AH-AES-MD5-PFS]:Transforms->QM-AH-AES-MD5-PFS-XF +121721.274477 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:TRANSFORM_ID +121721.274528 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121721.274575 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121721.274626 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121721.393455 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121721.393519 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121721.393569 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121721.393621 Misc 70 
conf_set: [QM-AH-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121721.393670 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:Life +121721.393719 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121721.393766 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-SUITE]:Protocols +121721.393816 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-SUITE]:Protocols->QM-AH-AES-SHA-PFS +121721.393863 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS]:PROTOCOL_ID +121721.393911 Misc 70 conf_set: [QM-AH-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121721.393958 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS]:Transforms +121721.519674 Misc 70 conf_set: [QM-AH-AES-SHA-PFS]:Transforms->QM-AH-AES-SHA-PFS-XF +121721.519732 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:TRANSFORM_ID +121721.519783 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121721.519830 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121721.519880 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121721.519928 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121721.519979 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121721.520032 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121721.520084 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121721.520133 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:Life +121721.520182 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121721.644947 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-SUITE]:Protocols +121721.645009 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-AES-RIPEMD-PFS +121721.645064 Misc 60 conf_get_str: configuration value not found 
[QM-AH-AES-RIPEMD-PFS]:PROTOCOL_ID +121721.645114 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121721.645163 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS]:Transforms +121721.645212 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS]:Transforms->QM-AH-AES-RIPEMD-PFS-XF +121721.645262 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121721.645338 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121721.645388 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121721.645439 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121721.645489 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121721.770531 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121721.770593 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121721.770645 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121721.770695 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:Life +121721.770744 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121721.770792 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-SUITE]:Protocols +121721.770843 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-SUITE]:Protocols->QM-AH-TRP-AES-MD5 +121721.770890 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5]:PROTOCOL_ID +121721.770939 Misc 70 conf_set: [QM-AH-TRP-AES-MD5]:PROTOCOL_ID->IPSEC_AH +121721.770985 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5]:Transforms +121721.902337 Misc 70 conf_set: [QM-AH-TRP-AES-MD5]:Transforms->QM-AH-TRP-AES-MD5-XF +121721.902400 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:TRANSFORM_ID +121721.902451 Misc 70 conf_set: 
[QM-AH-TRP-AES-MD5-XF]:TRANSFORM_ID->AES +121721.902499 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:ENCAPSULATION_MODE +121721.902550 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121721.902599 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121721.902650 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121721.902699 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:Life +121721.902748 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121721.902796 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-SUITE]:Protocols +121721.902847 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-SUITE]:Protocols->QM-AH-TRP-AES-SHA +121722.040271 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA]:PROTOCOL_ID +121722.040332 Misc 70 conf_set: [QM-AH-TRP-AES-SHA]:PROTOCOL_ID->IPSEC_AH +121722.040380 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA]:Transforms +121722.040428 Misc 70 conf_set: [QM-AH-TRP-AES-SHA]:Transforms->QM-AH-TRP-AES-SHA-XF +121722.040476 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:TRANSFORM_ID +121722.040526 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:TRANSFORM_ID->AES +121722.040573 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:ENCAPSULATION_MODE +121722.040624 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121722.040672 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121722.040723 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121722.040771 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:Life +121722.160635 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121722.160695 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-AES-RIPEMD-SUITE]:Protocols +121722.160747 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-AES-RIPEMD +121722.160797 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD]:PROTOCOL_ID +121722.160846 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121722.160919 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD]:Transforms +121722.160969 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD]:Transforms->QM-AH-TRP-AES-RIPEMD-XF +121722.161019 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:TRANSFORM_ID +121722.161070 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121722.161120 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121722.161172 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121722.285749 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121722.285814 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121722.285865 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:Life +121722.285941 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121722.285990 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-SUITE]:Protocols +121722.286041 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-AES-MD5-PFS +121722.286089 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS]:PROTOCOL_ID +121722.286139 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121722.286187 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS]:Transforms +121722.286237 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS]:Transforms->QM-AH-TRP-AES-MD5-PFS-XF +121722.286286 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID +121722.417564 Misc 70 
conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121722.417624 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121722.417676 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121722.417725 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121722.417776 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121722.417826 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121722.417877 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121722.417927 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:Life +121722.417976 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121722.418026 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-SUITE]:Protocols +121722.543664 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-AES-SHA-PFS +121722.543752 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS]:PROTOCOL_ID +121722.543804 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121722.543852 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS]:Transforms +121722.543901 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS]:Transforms->QM-AH-TRP-AES-SHA-PFS-XF +121722.543953 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID +121722.544003 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121722.544051 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121722.544102 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121722.544151 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121722.674798 Misc 70 conf_set: 
[QM-AH-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121722.674860 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121722.674913 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121722.674967 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:Life +121722.675017 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121722.675069 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-SUITE]:Protocols +121722.675121 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-AES-RIPEMD-PFS +121722.675174 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID +121722.675224 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121722.675275 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS]:Transforms +121722.675326 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS]:Transforms->QM-AH-TRP-AES-RIPEMD-PFS-XF +121722.807185 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121722.807247 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121722.807298 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121722.807349 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121722.807400 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121722.807451 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121722.807502 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121722.807553 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121722.807605 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life +121722.807654 
Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121722.926172 Misc 60 conf_get_str: [Phase 2]:Connections->Group-1234 +121722.926253 Timr 10 timer_add_event: event connection_checker(0x142e20) added last, expiration in 0s +121722.926309 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +121722.926361 Misc 60 conf_get_str: configuration value not found [Group-1234]:Local-ID +121722.926408 Misc 60 conf_get_str: configuration value not found [Group-1234]:Remote-ID +121722.926452 Misc 60 conf_get_str: [Group-1234]:Group-ID->Group-1 +121722.926527 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID +121722.926576 Misc 60 conf_get_str: [Group-1]:Key-value->1234 +121722.926627 Misc 60 connection_record_passive: passive connection "Group-1234" added +121722.926677 Misc 60 conf_get_str: configuration value not found [Phase 2]:Passive-Connections +121722.926890 Timr 10 timer_add_event: event cookie_reset_event(0x0) added last, expiration in 360s +121722.926937 Plcy 30 policy_init: initializing +121723.052346 Misc 60 conf_get_str: [General]:Policy-file->/etc/isakmpd/isakmpd.policy +121723.052521 Misc 60 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121723.052585 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/ +121723.052782 Misc 60 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121723.052841 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/ +121723.053741 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.1 +121723.053875 Trpt 70 transport_add: adding 0x11d180 +121723.053929 Trpt 90 transport_reference: transport 0x11d180 now has 1 references +121723.054009 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.1 +121723.054100 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.1 +121723.054181 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.1 +121723.054244 Trpt 70 transport_add: adding 0x11d200 +121723.054293 Trpt 90 transport_reference: transport 0x11d200 now 
has 1 references +121723.054337 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.1 +121723.181836 Misc 60 conf_get_str: configuration value not found [General]:SRTP-client +121723.184992 Timr 10 timer_handle_expirations: event connection_checker(0x142e20) +121723.185053 Misc 60 conf_get_str: configuration value not found [General]:check-interval +121723.185111 Timr 10 timer_add_event: event connection_checker(0x142e20) added before cookie_reset_event(0x0), expiration in 60s +121723.185247 SA 90 sa_find: no SA matched query +121723.185301 Sdep 70 pf_key_v2_connection_check: SA for Group-1234 missing +121723.231644 Misc 60 conf_get_str: [Group-1234]:Phase->2 +121723.231712 Misc 60 conf_get_str: [Group-1234]:ISAKMP-peer->ISAKMP-peer-gcks +121723.231752 SA 90 sa_find: no SA matched query +121723.231804 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Phase->1 +121723.231849 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Phase->1 +121723.231896 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Transport->udp +121723.231944 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Port +121723.306739 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Address->127.0.0.2 +121723.306797 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Local-address->127.0.0.1 +121723.306843 Trpt 70 transport_add: adding 0x11d280 +121723.306970 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Configuration->Default-main-mode +121723.307030 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP +121723.307075 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +121723.307130 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121723.307189 Timr 10 timer_add_event: event exchange_free_aux(0x11b800) added before cookie_reset_event(0x0), expiration in 120s +121723.307239 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Configuration->Default-main-mode +121723.307336 Exch 10 exchange_establish_p1: 0x11b800 ISAKMP-peer-gcks Default-main-mode policy initiator phase 1 doi 2 exchange 2 step 0 +121723.307391 Exch 10 
exchange_establish_p1: icookie a91b9d5035d8fc4f rcookie 0000000000000000 +121723.307433 Exch 10 exchange_establish_p1: msgid 00000000 +121723.438554 Trpt 90 transport_reference: transport 0x11d280 now has 1 references +121723.438607 Mesg 90 message_alloc: allocated 0x136000 +121723.438656 SA 80 sa_reference: SA 0x11b900 now has 1 references +121723.438697 SA 70 sa_enter: SA 0x11b900 added to SA list +121723.438739 SA 80 sa_reference: SA 0x11b900 now has 2 references +121723.438785 SA 60 sa_create: sa 0x11b900 phase 1 added to exchange 0x11b800 (ISAKMP-peer-gcks) +121723.438828 SA 80 sa_reference: SA 0x11b900 now has 3 references +121723.444507 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +121723.444585 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121723.444636 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +121723.444681 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121723.444726 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121723.444772 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121723.444824 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121723.557963 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121723.558027 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:PRF +121723.558072 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section +121723.558118 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH +121723.558163 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE +121723.558209 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER +121723.558283 Exch 90 exchange_validate: checking for required SA +121723.558412 Mesg 70 message_send: message 0x136000 +121723.558476 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121723.558531 Mesg 70 RCOOKIE: 0x0000000000000000 +121723.558573 Mesg 70 NEXT_PAYLOAD: SA +121723.558617 Mesg 70 VERSION: 16 +121723.558658 Mesg 70 
EXCH_TYPE: ID_PROT +121723.558699 Mesg 70 FLAGS: [ ] +121723.558746 Mesg 70 MESSAGE_ID: 0x00000000 +121723.558788 Mesg 70 LENGTH: 80 +121723.558881 Mesg 70 message_send: a91b9d50 35d8fc4f 00000000 00000000 01100200 00000000 00000050 00000034 +121723.676064 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121723.676141 Mesg 70 message_send: 80030001 80040002 800b0001 800c0e10 +121723.676187 Exch 40 exchange_run: exchange 0x11b800 finished step 0, advancing... +121723.676255 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121723.676302 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121723.676346 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121723.677856 Misc 60 conf_get_str: [General]:retransmits->5 +121723.677919 Trpt 30 transport_send_messages: message 0x136000 scheduled for retransmission 1 in 7 secs +121723.677978 Timr 10 timer_add_event: event message_send_expire(0x136000) added before connection_checker(0x142e20), expiration in 7s +121723.678028 Trpt 90 transport_release: transport 0x11d280 had 2 references +121723.678071 Trpt 90 transport_release: transport 0x11d200 had 2 references +121723.894994 Trpt 90 transport_release: transport 0x11d180 had 2 references +121724.142537 Trpt 70 transport_add: adding 0x11d400 +121724.142610 Trpt 90 transport_reference: transport 0x11d400 now has 1 references +121724.142655 Mesg 90 message_alloc: allocated 0x139000 +121724.142713 Mesg 70 message_recv: message 0x139000 +121724.142771 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121724.142823 Mesg 70 RCOOKIE: 0x272325e695db688b +121724.142866 Mesg 70 NEXT_PAYLOAD: SA +121724.142909 Mesg 70 VERSION: 16 +121724.142951 Mesg 70 EXCH_TYPE: ID_PROT +121724.142992 Mesg 70 FLAGS: [ ] +121724.143040 Mesg 70 MESSAGE_ID: 0x00000000 +121724.143082 Mesg 70 LENGTH: 80 +121724.143172 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 01100200 00000000 00000050 00000034 
+121724.143269 Mesg 70 message_recv: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121724.143336 Mesg 70 message_recv: 80030001 80040002 800b0001 800c0e10 +121724.143386 SA 70 sa_remove: SA 0x11b900 removed from SA list +121724.143428 SA 80 sa_release: SA 0x11b900 had 3 references +121724.143471 SA 80 sa_release: SA 0x11b900 had 2 references +121724.347781 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121724.347836 SA 80 sa_reference: SA 0x11b900 now has 2 references +121724.347876 SA 70 sa_enter: SA 0x11b900 added to SA list +121724.347919 Mesg 90 message_check_duplicate: last_received 0x0 +121724.347958 Mesg 20 message_free: freeing 0x136000 +121724.348004 Timr 10 timer_remove_event: removing event message_send_expire(0x136000) +121724.348051 Trpt 90 transport_release: transport 0x11d280 had 1 references +121724.348091 Trpt 70 transport_release: freeing 0x11d280 +121724.348134 SA 80 sa_release: SA 0x11b900 had 2 references +121724.348190 Mesg 50 message_parse_payloads: offset 0x1c payload SA +121724.348245 Mesg 60 message_validate_payloads: payload SA at 0x11d49c of message 0x139000 +121724.348290 Mesg 70 DOI: 2 +121724.348360 SA 80 sa_reference: SA 0x11b900 now has 2 references +121724.348408 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL +121724.348492 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM +121724.579957 Mesg 50 Transform 0's attributes +121724.580026 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x11d4a8 of message 0x139000 +121724.580072 Mesg 70 NO: 1 +121724.580115 Mesg 70 PROTO: ISAKMP +121724.580156 Mesg 70 SPI_SZ: 0 +121724.580197 Mesg 70 NTRANSFORMS: 1 +121724.580247 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x11d4b0 of message 0x139000 +121724.580290 Mesg 70 NO: 0 +121724.580330 Mesg 70 ID: 1 +121724.580391 Exch 90 exchange_validate: checking for required SA +121724.580448 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok 
+121724.580502 SA 80 sa_add_transform: proto 0x12e180 no 1 proto 1 chosen 0x1463a0 sa 0x11b900 id 1
+121724.580577 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA
+121724.580642 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC
+121724.580695 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA
+121724.580744 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED
+121724.824762 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024
+121724.824826 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS
+121724.824903 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS
+121724.824950 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS
+121724.825001 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS
+121724.825052 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS
+121724.825096 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200
+121724.825139 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200
+121724.825208 Misc 90 conf_match_num: LIFE_3600_SECS:LIFE_DURATION 1800<=3600<=7200?
+121724.825284 Negt 20 ike_phase_1_validate_prop: success
+121724.825333 Negt 30 message_negotiate_sa: proposal 1 succeeded
+121724.825399 Misc 20 ipsec_decode_transform: transform 0 chosen
+121724.825469 Misc 70 group_get: returning 0x12e200 of group 2
+121724.825527 Exch 40 exchange_run: exchange 0x11b800 finished step 1, advancing...
+121725.045335 Trpt 90 transport_reference: transport 0x11d400 now has 3 references
+121725.045389 Mesg 90 message_alloc: allocated 0x136000
+121725.045432 SA 80 sa_reference: SA 0x11b900 now has 3 references
+121725.177215 Misc 80 ipsec_g_x: g^xi:
+121725.177324 Misc 80 dc3805d3 83333156 c9377ebb 9edcbf1e f47a3568 35f919a1 c001bced 4200a7f1
+121725.177407 Misc 80 ea756842 6f179a39 2bec73b5 a5ab53a4 2e23f6f8 d267445e e4162bdc 0383bf9f
+121725.177489 Misc 80 413288a5 ca001eb0 03f4ac01 6aca97bb b2141f25 762db6bd 4c2553a9 a053dfa7
+121725.177570 Misc 80 a4f3ea21 47859eba 999122da a3959ff7 37b276fd 1d610b88 f073296d 0899c928
+121725.177626 Exch 80 exchange_nonce: NONCE_i:
+121725.177687 Exch 80 8dabce1d 9668bad7 f285a090 9fe43631
+121725.177733 Exch 90 exchange_validate: checking for required KEY_EXCH
+121725.177775 Exch 90 exchange_validate: checking for required NONCE
+121725.177819 Mesg 70 message_send: message 0x136000
+121725.177869 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f
+121725.177920 Mesg 70 RCOOKIE: 0x272325e695db688b
+121725.356082 Mesg 70 NEXT_PAYLOAD: KEY_EXCH
+121725.356162 Mesg 70 VERSION: 16
+121725.356205 Mesg 70 EXCH_TYPE: ID_PROT
+121725.356247 Mesg 70 FLAGS: [ ]
+121725.356295 Mesg 70 MESSAGE_ID: 0x00000000
+121725.356337 Mesg 70 LENGTH: 180
+121725.356428 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 04100200 00000000 000000b4 0a000084
+121725.356516 Mesg 70 message_send: dc3805d3 83333156 c9377ebb 9edcbf1e f47a3568 35f919a1 c001bced 4200a7f1
+121725.356601 Mesg 70 message_send: ea756842 6f179a39 2bec73b5 a5ab53a4 2e23f6f8 d267445e e4162bdc 0383bf9f
+121725.356687 Mesg 70 message_send: 413288a5 ca001eb0 03f4ac01 6aca97bb b2141f25 762db6bd 4c2553a9 a053dfa7
+121725.356773 Mesg 70 message_send: a4f3ea21 47859eba 999122da a3959ff7 37b276fd 1d610b88 f073296d 0899c928
+121725.356842 Mesg 70 message_send: 00000014 8dabce1d 9668bad7 f285a090 9fe43631
+121725.356887 Exch 40 exchange_run: exchange 0x11b800 finished step 2, advancing...
+121725.356936 Trpt 90 transport_reference: transport 0x11d400 now has 4 references +121725.469408 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121725.469462 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121725.469507 Trpt 90 transport_release: transport 0x11d400 had 4 references +121725.469550 Trpt 90 transport_release: transport 0x11d200 had 2 references +121725.469593 Trpt 90 transport_release: transport 0x11d180 had 2 references +121725.469656 Trpt 90 transport_reference: transport 0x11d400 now has 4 references +121725.469703 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121725.469747 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121725.550137 Misc 60 conf_get_str: [General]:retransmits->5 +121725.550204 Trpt 30 transport_send_messages: message 0x136000 scheduled for retransmission 1 in 7 secs +121725.550265 Timr 10 timer_add_event: event message_send_expire(0x136000) added before connection_checker(0x142e20), expiration in 7s +121725.550316 Trpt 90 transport_release: transport 0x11d400 had 4 references +121725.801550 Trpt 90 transport_release: transport 0x11d200 had 2 references +121725.801604 Trpt 90 transport_release: transport 0x11d180 had 2 references +121726.021807 Trpt 70 transport_add: adding 0x11d380 +121726.021880 Trpt 90 transport_reference: transport 0x11d380 now has 1 references +121726.021925 Mesg 90 message_alloc: allocated 0x13a000 +121726.021965 Mesg 70 message_recv: message 0x13a000 +121726.022017 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121726.022070 Mesg 70 RCOOKIE: 0x272325e695db688b +121726.022113 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +121726.022156 Mesg 70 VERSION: 16 +121726.022198 Mesg 70 EXCH_TYPE: ID_PROT +121726.022239 Mesg 70 FLAGS: [ ] +121726.022286 Mesg 70 MESSAGE_ID: 0x00000000 +121726.022329 Mesg 70 LENGTH: 180 +121726.022419 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 04100200 00000000 000000b4 0a000084 +121726.022505 Mesg 70 
message_recv: a7af4111 7b9995e6 60aee99e 47a6768e 643adad7 a97dcb1b 702ce452 15f17e6b +121726.144970 Mesg 70 message_recv: 965190a9 992bcfaf 4d60ec3d ffa36cc6 66c47b8f c54057d3 63a9fdd3 f21c6f20 +121726.145066 Mesg 70 message_recv: 82e52265 2ffcc71d 6831fd89 406d3594 d049da95 7bd84063 e0b7e5ab be9521b8 +121726.145153 Mesg 70 message_recv: fe09fea9 731031b8 f6a47b64 5e820c6d 139f6411 369bcb52 dab74e37 aeacc2e1 +121726.145249 Mesg 70 message_recv: 00000014 f4eab493 b1a92507 4050d5ba 598f3613 +121726.145296 SA 80 sa_reference: SA 0x11b900 now has 4 references +121726.145340 Mesg 90 message_check_duplicate: last_received 0x139000 +121726.145377 Mesg 95 message_check_duplicate: last_received: +121726.145463 Mesg 95 a91b9d50 35d8fc4f 272325e6 95db688b 01100200 00000000 00000050 00000034 +121726.145553 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121726.145615 Mesg 95 80030001 80040002 800b0001 800c0e10 +121726.145653 Mesg 20 message_free: freeing 0x136000 +121726.145697 Timr 10 timer_remove_event: removing event message_send_expire(0x136000) +121726.145745 Trpt 90 transport_release: transport 0x11d400 had 3 references +121726.412777 SA 80 sa_release: SA 0x11b900 had 4 references +121726.412847 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH +121726.412899 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE +121726.412950 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x11bc1c of message 0x13a000 +121726.413002 Mesg 60 message_validate_payloads: payload NONCE at 0x11bca0 of message 0x13a000 +121726.413060 Exch 90 exchange_validate: checking for required KEY_EXCH +121726.413102 Exch 90 exchange_validate: checking for required NONCE +121726.413173 Misc 80 ipsec_g_x: g^xr: +121726.413260 Misc 80 a7af4111 7b9995e6 60aee99e 47a6768e 643adad7 a97dcb1b 702ce452 15f17e6b +121726.413340 Misc 80 965190a9 992bcfaf 4d60ec3d ffa36cc6 66c47b8f c54057d3 63a9fdd3 f21c6f20 +121726.413420 Misc 80 82e52265 2ffcc71d 6831fd89 
406d3594 d049da95 7bd84063 e0b7e5ab be9521b8 +121726.413502 Misc 80 fe09fea9 731031b8 f6a47b64 5e820c6d 139f6411 369bcb52 dab74e37 aeacc2e1 +121726.645219 Exch 80 exchange_nonce: NONCE_r: +121726.645289 Exch 80 f4eab493 b1a92507 4050d5ba 598f3613 +121726.748844 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy: +121726.748945 Negt 80 e78e53b2 bb018782 ec0d0626 c4e31b2f 261b235d 897a7639 1f8017f7 3775f020 +121726.749029 Negt 80 49d794b8 a8da3bd0 6c7b0852 dae2ed0c 3dc639ca 9d2608d0 739606bc e618a703 +121726.749112 Negt 80 bf40a86d 7df260f5 c1fb2bb6 4bb8a8a1 6ea350d3 2dbcd253 2e16799b 1eaae30d +121726.749193 Negt 80 30147fc2 49c13169 9f18f9cc e0d441ac e0067fb5 e150c978 96b1dd2f 27023d7f +121726.749262 Misc 60 conf_get_str: [ISAKMP-peer-gcks]:Authentication->mekmitasdigoat +121726.749375 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID: +121726.749447 Negt 80 0a1ce288 962c79ce f60cf60d 5d446fd5 aa233cce +121726.749553 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d: +121726.749621 Negt 80 a0196db2 779136c5 44a59880 acb75ed4 34bc82de +121726.749705 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a: +121726.749774 Negt 80 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121726.981336 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e: +121726.981420 Negt 80 0ce6eb14 700dc3b1 030da7c7 12eb684e 065f3b0c +121726.981581 Cryp 40 crypto_init: key: +121726.981656 Cryp 40 80cdab03 c1105d2b 48ab436d de73f5b1 bbbe5544 9c1efe69 +121726.981790 Cryp 50 crypto_update_iv: initialized IV: +121726.981846 Cryp 50 553ed9a2 39f300e2 +121726.981897 Mesg 20 message_free: freeing 0x139000 +121726.981946 Trpt 90 transport_release: transport 0x11d400 had 2 references +121726.981990 SA 80 sa_release: SA 0x11b900 had 3 references +121726.982036 Exch 40 exchange_run: exchange 0x11b800 finished step 3, advancing... 
+121726.982095 Trpt 90 transport_reference: transport 0x11d380 now has 2 references +121726.982139 Mesg 90 message_alloc: allocated 0x136000 +121726.982181 SA 80 sa_reference: SA 0x11b900 now has 3 references +121726.982237 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:ID +121726.982286 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID +121727.202222 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: +121727.202280 Negt 40 7f000001 +121727.202423 Misc 80 pre_shared_encode_hash: HASH_I: +121727.202497 Misc 80 a9b24331 62a99ee6 0736c4f5 de6e1a59 1a415f5a +121727.202647 Exch 90 exchange_validate: checking for required ID +121727.202700 Exch 90 exchange_validate: checking for required AUTH +121727.202752 Cryp 10 crypto_encrypt: before encryption: +121727.202843 Cryp 10 0800000c 01000000 7f000001 0b000018 a9b24331 62a99ee6 0736c4f5 de6e1a59 +121727.202927 Cryp 10 1a415f5a 0000001c 00000001 01106002 a91b9d50 35d8fc4f 272325e6 95db688b +121727.204311 Cryp 30 crypto_encrypt: after encryption: +121727.204410 Cryp 30 1dbe68d8 9cb1fadd ac9ce755 92ebee87 22241f8f 0b3893fb d51cfa4a 67bfc2d6 +121727.204493 Cryp 30 3387a344 db9a05ab d81b2da0 7fde6d17 3fd77a41 a3112203 519c8757 4c1fe705 +121727.204531 Cryp 50 crypto_update_iv: updated IV: +121727.204578 Cryp 50 519c8757 4c1fe705 +121727.204617 Mesg 70 message_send: message 0x136000 +121727.448393 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121727.448455 Mesg 70 RCOOKIE: 0x272325e695db688b +121727.448499 Mesg 70 NEXT_PAYLOAD: ID +121727.448542 Mesg 70 VERSION: 16 +121727.448585 Mesg 70 EXCH_TYPE: ID_PROT +121727.448631 Mesg 70 FLAGS: [ ENC ] +121727.448679 Mesg 70 MESSAGE_ID: 0x00000000 +121727.448721 Mesg 70 LENGTH: 92 +121727.448810 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 05100201 00000000 0000005c 1dbe68d8 +121727.448897 Mesg 70 message_send: 9cb1fadd ac9ce755 92ebee87 22241f8f 0b3893fb d51cfa4a 67bfc2d6 3387a344 +121727.448977 Mesg 70 message_send: db9a05ab d81b2da0 
7fde6d17 3fd77a41 a3112203 519c8757 4c1fe705 +121727.449024 Exch 40 exchange_run: exchange 0x11b800 finished step 4, advancing... +121727.449073 Trpt 90 transport_reference: transport 0x11d380 now has 3 references +121727.449118 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121727.449161 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121727.449204 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121727.668429 Trpt 90 transport_release: transport 0x11d380 had 3 references +121727.668483 Trpt 90 transport_release: transport 0x11d400 had 2 references +121727.668526 Trpt 90 transport_release: transport 0x11d200 had 2 references +121727.668594 Trpt 90 transport_release: transport 0x11d180 had 2 references +121727.668659 Trpt 90 transport_reference: transport 0x11d380 now has 3 references +121727.668706 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121727.668749 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121727.668792 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121727.669451 Misc 60 conf_get_str: [General]:retransmits->5 +121727.669515 Trpt 30 transport_send_messages: message 0x136000 scheduled for retransmission 1 in 7 secs +121727.669574 Timr 10 timer_add_event: event message_send_expire(0x136000) added before connection_checker(0x142e20), expiration in 7s +121727.669626 Trpt 90 transport_release: transport 0x11d380 had 3 references +121727.917863 Trpt 90 transport_release: transport 0x11d400 had 2 references +121727.917920 Trpt 90 transport_release: transport 0x11d200 had 2 references +121727.917964 Trpt 90 transport_release: transport 0x11d180 had 2 references +121728.563867 Trpt 70 transport_add: adding 0x11d480 +121728.565049 Trpt 90 transport_reference: transport 0x11d480 now has 1 references +121728.565100 Mesg 90 message_alloc: allocated 0x139000 +121728.565141 Mesg 70 message_recv: message 0x139000 +121728.565192 Mesg 
70 ICOOKIE: 0xa91b9d5035d8fc4f +121728.565243 Mesg 70 RCOOKIE: 0x272325e695db688b +121728.565286 Mesg 70 NEXT_PAYLOAD: ID +121728.565329 Mesg 70 VERSION: 16 +121728.565372 Mesg 70 EXCH_TYPE: ID_PROT +121728.565417 Mesg 70 FLAGS: [ ENC ] +121728.565466 Mesg 70 MESSAGE_ID: 0x00000000 +121728.565508 Mesg 70 LENGTH: 92 +121728.565597 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 05100201 00000000 0000005c 737cbd6c +121728.565685 Mesg 70 message_recv: 179b2f71 8d5b4840 0754148a 39814c80 aedfa085 e20fdc36 6e62cf5c ad99ce22 +121728.565766 Mesg 70 message_recv: 59e22476 a63766f2 689bfd0d 24c374ec 51506b08 a659dffb 7a720843 +121728.565813 SA 80 sa_reference: SA 0x11b900 now has 4 references +121728.565856 Mesg 90 message_check_duplicate: last_received 0x13a000 +121728.565893 Mesg 95 message_check_duplicate: last_received: +121728.566019 Mesg 95 a91b9d50 35d8fc4f 272325e6 95db688b 04100200 00000000 000000b4 0a000084 +121728.566102 Mesg 95 a7af4111 7b9995e6 60aee99e 47a6768e 643adad7 a97dcb1b 702ce452 15f17e6b +121728.566182 Mesg 95 965190a9 992bcfaf 4d60ec3d ffa36cc6 66c47b8f c54057d3 63a9fdd3 f21c6f20 +121728.566262 Mesg 95 82e52265 2ffcc71d 6831fd89 406d3594 d049da95 7bd84063 e0b7e5ab be9521b8 +121728.566343 Mesg 95 fe09fea9 731031b8 f6a47b64 5e820c6d 139f6411 369bcb52 dab74e37 aeacc2e1 +121728.566408 Mesg 95 00000014 f4eab493 b1a92507 4050d5ba 598f3613 +121728.566446 Mesg 20 message_free: freeing 0x136000 +121728.566492 Timr 10 timer_remove_event: removing event message_send_expire(0x136000) +121728.566542 Trpt 90 transport_release: transport 0x11d380 had 2 references +121728.566585 SA 80 sa_release: SA 0x11b900 had 4 references +121728.566745 Cryp 10 crypto_decrypt: before decryption: +121728.566842 Cryp 10 737cbd6c 179b2f71 8d5b4840 0754148a 39814c80 aedfa085 e20fdc36 6e62cf5c +121728.566924 Cryp 10 ad99ce22 59e22476 a63766f2 689bfd0d 24c374ec 51506b08 a659dffb 7a720843 +121728.567327 Cryp 30 crypto_decrypt: after decryption: +121728.567423 Cryp 30 0800000c 
01000000 7f000002 0b000018 6e77c752 90bb6817 569faa79 1579756f +121728.567508 Cryp 30 9658f47f 0000001c 00000001 01106002 a91b9d50 35d8fc4f 272325e6 95db688b +121728.567560 Mesg 50 message_parse_payloads: offset 0x1c payload ID +121728.567607 Mesg 50 message_parse_payloads: offset 0x28 payload HASH +121728.567653 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY +121728.567704 Mesg 60 message_validate_payloads: payload ID at 0x11d61c of message 0x139000 +121728.567747 Mesg 70 TYPE: 1 +121728.567793 Mesg 70 DOI_DATA: 0x000000 +121728.567842 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1 +121728.567880 Mesg 40 gdoi_validate_id_information: IPv4: +121728.567923 Mesg 40 7f000002 +121728.567967 Mesg 60 message_validate_payloads: payload HASH at 0x11d628 of message 0x139000 +121728.568014 Mesg 60 message_validate_payloads: payload NOTIFY at 0x11d640 of message 0x139000 +121728.568121 Mesg 70 DOI: IPSEC +121728.568166 Mesg 70 PROTO: ISAKMP +121728.568208 Mesg 70 SPI_SZ: 16 +121728.568252 Mesg 70 MSG_TYPE: INITIAL_CONTACT +121728.568311 Exch 90 exchange_validate: checking for required ID +121728.568356 Exch 90 exchange_validate: checking for required AUTH +121728.568403 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR: +121728.568448 Negt 40 7f000002 +121728.568492 Misc 80 pre_shared_decode_hash: HASH_R: +121728.568557 Misc 80 6e77c752 90bb6817 569faa79 1579756f 9658f47f +121728.568701 Negt 80 ike_phase_1_recv_AUTH: computed HASH_R: +121728.568770 Negt 80 6e77c752 90bb6817 569faa79 1579756f 9658f47f +121728.568812 Exch 10 exchange_run: unexpected payload NOTIFY +121728.568856 Mesg 20 message_free: freeing 0x13a000 +121728.568903 Trpt 90 transport_release: transport 0x11d380 had 1 references +121728.568942 Trpt 70 transport_release: freeing 0x11d380 +121728.568985 SA 80 sa_release: SA 0x11b900 had 3 references +121728.569026 Cryp 50 crypto_update_iv: updated IV: +121728.807635 Cryp 50 a659dffb 7a720843 +121728.807701 Exch 10 exchange_finalize: 0x11b800 
ISAKMP-peer-gcks Default-main-mode policy initiator phase 1 doi 2 exchange 2 step 5 +121728.807750 Exch 10 exchange_finalize: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121728.807792 Exch 10 exchange_finalize: msgid 00000000 +121728.807836 SA 90 sa_find: no SA matched query +121728.807891 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-gcks]:Flags +121728.808021 Exch 10 exchange_finalize: phase 1 done: initiator id 7f000001: 127.0.0.1, responder id 7f000002: 127.0.0.2, src: 127.0.0.1 dst: 127.0.0.2 +121728.808084 Timr 95 sa_setup_expirations: SA 0x11b900 soft timeout in 3128 seconds +121728.808136 Timr 10 timer_add_event: event sa_soft_expire(0x11b900) added last, expiration in 3128s +121728.808182 SA 80 sa_reference: SA 0x11b900 now has 3 references +121728.808230 Timr 95 sa_setup_expirations: SA 0x11b900 hard timeout in 3600 seconds +121728.808280 Timr 10 timer_add_event: event sa_hard_expire(0x11b900) added last, expiration in 3600s +121729.051563 SA 80 sa_reference: SA 0x11b900 now has 4 references +121729.051616 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!! + +121729.051668 Exch 20 exchange_establish_finalize: finalizing exchange 0x11b800 with arg 0x142ec0 (Group-1234) & fail = 0 +121729.051722 Misc 60 conf_get_str: [Group-1234]:Phase->2 +121729.051771 Exch 90 exchange_lookup_by_name: Group-1234 == ISAKMP-peer-gcks && 2 == 1? 
+121729.051819 Misc 60 conf_get_str: [Group-1234]:ISAKMP-peer->ISAKMP-peer-gcks +121729.051860 SA 90 sa_find: return SA 0x11b900 +121729.051904 Misc 60 conf_get_str: [Group-1234]:Configuration->Default-group-mode +121729.051950 Misc 60 conf_get_str: configuration value not found [Group-1234]:Acquire-ID +121729.051997 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +121729.052040 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +121729.052097 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121729.052156 Timr 10 timer_add_event: event exchange_free_aux(0x11bb00) added before cookie_reset_event(0x0), expiration in 120s +121729.284451 Misc 60 conf_get_str: [Group-1234]:Configuration->Default-group-mode +121729.284522 Exch 10 exchange_establish_p2: 0x11bb00 Group-1234 Default-group-mode policy initiator phase 2 doi 2 exchange 32 step 0 +121729.284572 Exch 10 exchange_establish_p2: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121729.284615 Exch 10 exchange_establish_p2: msgid 483c11c0 sa_list +121729.284672 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121729.284715 Mesg 90 message_alloc: allocated 0x136000 +121729.284757 SA 80 sa_reference: SA 0x11b900 now has 5 references +121729.293350 Exch 80 exchange_nonce: NONCE_i: +121729.293429 Exch 80 69d181ef e0b9580e 4106b883 719b382a +121729.293474 Misc 60 conf_get_str: [Group-1234]:Group-ID->Group-1 +121729.293546 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID +121729.293592 Misc 60 conf_get_str: [Group-1]:Key-value->1234 +121729.293635 Misc 90 initiator_send_HASH_NONCE_ID: ID: +121729.517665 Misc 90 00000000 0b000000 000004d2 +121729.517861 Misc 90 group_do_hash: SKEYID_a: +121729.517940 Misc 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121729.518012 Misc 90 group_do_hash: message_id: +121729.518056 Misc 90 483c11c0 +121729.518099 Misc 90 group_fill_in_hash: payload 1 after HASH: +121729.518164 Misc 90 05000014 69d181ef e0b9580e 4106b883 719b382a 
+121729.518207 Misc 90 group_fill_in_hash: payload 2 after HASH: +121729.518293 Misc 90 0000000c 0b000000 000004d2 +121729.518372 Misc 80 group_fill_in_hash: HASH: +121729.518438 Misc 80 cbcd9b40 2b21b9a9 83718913 9d6bb0f7 3b3272e3 +121729.518481 Exch 90 exchange_validate: checking for required HASH +121729.518522 Exch 90 exchange_validate: checking for required NONCE +121729.518562 Exch 90 exchange_validate: checking for required ID +121729.518632 Cryp 80 gdoi_get_keystate: final phase 1 IV: +121729.518684 Cryp 80 a659dffb 7a720843 +121729.518720 Cryp 80 gdoi_get_keystate: message ID: +121729.743810 Cryp 80 483c11c0 +121729.743890 Cryp 50 crypto_update_iv: initialized IV: +121729.743939 Cryp 50 4be9d7f1 44ba8c2e +121729.743974 Cryp 80 gdoi_get_keystate: phase 2 IV: +121729.744019 Cryp 80 4be9d7f1 44ba8c2e +121729.744067 Cryp 10 crypto_encrypt: before encryption: +121729.744152 Cryp 10 0a000018 cbcd9b40 2b21b9a9 83718913 9d6bb0f7 3b3272e3 05000014 69d181ef +121729.744227 Cryp 10 e0b9580e 4106b883 719b382a 0000000c 0b000000 000004d2 +121729.744307 Cryp 30 crypto_encrypt: after encryption: +121729.744390 Cryp 30 9b257ede 8c855951 8f905539 855b58e8 d17cb277 bdde509e eedc0ecf 673bf505 +121729.744459 Cryp 30 e07d6026 a4e31df8 2fec55cd a62d62b2 b231f5b2 4155d6d6 +121729.744496 Cryp 50 crypto_update_iv: updated IV: +121729.744541 Cryp 50 b231f5b2 4155d6d6 +121729.744580 Mesg 70 message_send: message 0x136000 +121729.744630 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121729.744681 Mesg 70 RCOOKIE: 0x272325e695db688b +121729.744724 Mesg 70 NEXT_PAYLOAD: HASH +121729.744768 Mesg 70 VERSION: 16 +121729.886019 Mesg 70 EXCH_TYPE: QUICK_MODE +121729.886078 Mesg 70 FLAGS: [ ENC ] +121729.886126 Mesg 70 MESSAGE_ID: 0x483c11c0 +121729.886170 Mesg 70 LENGTH: 84 +121729.886259 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 00000054 9b257ede +121729.886346 Mesg 70 message_send: 8c855951 8f905539 855b58e8 d17cb277 bdde509e eedc0ecf 673bf505 e07d6026 +121729.886414 
Mesg 70 message_send: a4e31df8 2fec55cd a62d62b2 b231f5b2 4155d6d6 +121729.886460 Exch 40 exchange_run: exchange 0x11bb00 finished step 0, advancing... +121729.886512 SA 80 sa_release: SA 0x11b900 had 5 references +121729.886558 Timr 10 timer_remove_event: removing event exchange_free_aux(0x11b800) +121729.886600 Exch 80 exchange_free_aux: freeing exchange 0x11b800 +121729.886640 Mesg 20 message_free: freeing 0x139000 +121729.886688 Trpt 90 transport_release: transport 0x11d480 had 1 references +121729.886728 Trpt 70 transport_release: freeing 0x11d480 +121729.886771 SA 80 sa_release: SA 0x11b900 had 4 references +121730.005703 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121730.005759 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121730.005802 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121730.005848 Trpt 90 transport_release: transport 0x11d400 had 3 references +121730.005892 Trpt 90 transport_release: transport 0x11d200 had 2 references +121730.005934 Trpt 90 transport_release: transport 0x11d180 had 2 references +121730.005997 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121730.006044 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121730.006087 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121730.006823 Misc 60 conf_get_str: [General]:retransmits->5 +121730.006886 Trpt 30 transport_send_messages: message 0x136000 scheduled for retransmission 1 in 7 secs +121730.006945 Timr 10 timer_add_event: event message_send_expire(0x136000) added before connection_checker(0x142e20), expiration in 7s +121730.215011 Trpt 90 transport_release: transport 0x11d400 had 3 references +121730.215070 Trpt 90 transport_release: transport 0x11d200 had 2 references +121730.215113 Trpt 90 transport_release: transport 0x11d180 had 2 references +121731.482125 Trpt 70 transport_add: adding 0x11d300 +121731.483056 Trpt 90 transport_reference: 
transport 0x11d300 now has 1 references +121731.483109 Mesg 90 message_alloc: allocated 0x139000 +121731.483150 Mesg 70 message_recv: message 0x139000 +121731.483201 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121731.483254 Mesg 70 RCOOKIE: 0x272325e695db688b +121731.483297 Mesg 70 NEXT_PAYLOAD: HASH +121731.483340 Mesg 70 VERSION: 16 +121731.483381 Mesg 70 EXCH_TYPE: QUICK_MODE +121731.483426 Mesg 70 FLAGS: [ ENC ] +121731.483472 Mesg 70 MESSAGE_ID: 0x483c11c0 +121731.483514 Mesg 70 LENGTH: 180 +121731.483602 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 000000b4 99ca3b06 +121731.483692 Mesg 70 message_recv: 00345ffd 7df14316 86cf0f6d 703260ba 807123ab bf70bf2a bfc5003b 0b8b235f +121731.483779 Mesg 70 message_recv: 9083d54f 460f4e62 ce04b4b7 07f2865e 61e1a13e b4600e2b 97312fa6 817aefb1 +121731.483864 Mesg 70 message_recv: b4a8c147 cb9147ca b1f3604e e68b10e5 17e0e6f2 8be8b1e0 1b65af61 8aa95e55 +121731.483949 Mesg 70 message_recv: 1b233623 efeb05db 74f074a2 54c31a71 b15b8493 7fd5b651 d1d80596 f436a2fe +121731.484060 Mesg 70 message_recv: 0cc3ab56 7cbad36b da9916a8 0ed13bd9 4832d2c0 +121731.484110 SA 80 sa_reference: SA 0x11b900 now has 4 references +121731.484155 Mesg 90 message_check_duplicate: last_received 0x0 +121731.484193 Mesg 20 message_free: freeing 0x136000 +121731.484239 Timr 10 timer_remove_event: removing event message_send_expire(0x136000) +121731.484291 Trpt 90 transport_release: transport 0x11d400 had 2 references +121731.484334 SA 80 sa_release: SA 0x11b900 had 4 references +121731.484501 Cryp 10 crypto_decrypt: before decryption: +121731.484599 Cryp 10 99ca3b06 00345ffd 7df14316 86cf0f6d 703260ba 807123ab bf70bf2a bfc5003b +121731.484683 Cryp 10 0b8b235f 9083d54f 460f4e62 ce04b4b7 07f2865e 61e1a13e b4600e2b 97312fa6 +121731.484763 Cryp 10 817aefb1 b4a8c147 cb9147ca b1f3604e e68b10e5 17e0e6f2 8be8b1e0 1b65af61 +121731.484844 Cryp 10 8aa95e55 1b233623 efeb05db 74f074a2 54c31a71 b15b8493 7fd5b651 d1d80596 +121731.484914 Cryp 10 
f436a2fe 0cc3ab56 7cbad36b da9916a8 0ed13bd9 4832d2c0 +121731.485324 Cryp 30 crypto_decrypt: after decryption: +121731.485418 Cryp 30 0a000018 065807de a32536fd 1ddb1acf afd74ee8 9218f32e 01000014 da43c65f +121731.485507 Cryp 30 2ef1bf20 76c00d1e bab8cd0e 00000066 00000002 00000000 00100000 1000002b +121731.485595 Cryp 30 01000100 0404ac13 892a0100 0404efc0 01010311 22aabb80 04000180 05000280 +121731.485684 Cryp 30 01000180 020e1000 00002b01 00010002 04ac1389 2a010002 04efc001 02033344 +121731.485759 Cryp 30 ccdd8004 00018005 00028001 00018002 0e100000 00000000 +121731.485811 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +121731.485858 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE +121731.485905 Mesg 50 message_parse_payloads: offset 0x48 payload SA +121731.485956 Mesg 60 message_validate_payloads: payload SA at 0x11b848 of message 0x139000 +121731.486000 Mesg 70 DOI: 2 +121731.486053 Mesg 60 message_validate_payloads: payload HASH at 0x11b81c of message 0x139000 +121731.486102 Mesg 60 message_validate_payloads: payload NONCE at 0x11b834 of message 0x139000 +121731.486221 Exch 90 exchange_validate: checking for required HASH +121731.486268 Exch 90 exchange_validate: checking for required NONCE +121731.486309 Exch 90 exchange_validate: checking for required SA +121731.486359 Exch 80 exchange_nonce: NONCE_r: +121731.486420 Exch 80 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121731.486458 Negt 90 group_check_hash: SKEYID_a: +121731.486521 Negt 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121731.486589 Negt 90 group_check_hash: message_id: +121731.486633 Negt 90 483c11c0 +121731.486668 Negt 90 group_check_hash: NONCE_I_b: +121731.486727 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121731.486765 Negt 90 group_check_hash: payloads after HASH: +121731.486852 Negt 90 01000014 da43c65f 2ef1bf20 76c00d1e bab8cd0e 00000066 00000002 00000000 +121731.486940 Negt 90 00100000 1000002b 01000100 0404ac13 892a0100 0404efc0 01010311 22aabb80 +121731.487029 Negt 90 
04000180 05000280 01000180 020e1000 00002b01 00010002 04ac1389 2a010002 +121731.726149 Negt 90 04efc001 02033344 ccdd8004 00018005 00028001 00018002 0e10 +121731.726259 Negt 80 group_check_hash: computed HASH: +121731.726327 Negt 80 065807de a32536fd 1ddb1acf afd74ee8 9218f32e +121731.726370 Default Payload type: 16 + +121731.726417 Trpt 90 transport_reference: transport 0x11d300 now has 2 references +121731.726466 SA 80 sa_reference: SA 0x11bf00 now has 1 references +121731.726507 SA 70 sa_enter: SA 0x11bf00 added to SA list +121731.726549 SA 80 sa_reference: SA 0x11bf00 now has 2 references +121731.726594 SA 60 sa_create: sa 0x11bf00 phase 2 added to exchange 0x11bb00 (Group-1234) +121731.726656 Default SPI found (SA) 287484603 287484603 (0x1122aabb) for sa 0x11bf00 +121731.726702 Default Payload type: 16 + +121731.726750 Trpt 90 transport_reference: transport 0x11d300 now has 3 references +121731.726798 SA 80 sa_reference: SA 0x136000 now has 1 references +121731.726838 SA 70 sa_enter: SA 0x136000 added to SA list +121731.726880 SA 80 sa_reference: SA 0x136000 now has 2 references +121731.970520 SA 60 sa_create: sa 0x136000 phase 2 added to exchange 0x11bb00 (Group-1234) +121731.970599 Default SPI found (SA) 860146909 860146909 (0x3344ccdd) for sa 0x136000 +121731.970658 Cryp 50 crypto_update_iv: updated IV: +121731.970708 Cryp 50 0ed13bd9 4832d2c0 +121731.970751 Exch 40 exchange_run: exchange 0x11bb00 finished step 1, advancing... 
+121731.970809 Trpt 90 transport_reference: transport 0x11d300 now has 4 references +121731.970853 Mesg 90 message_alloc: allocated 0x13a000 +121731.970895 SA 80 sa_reference: SA 0x11b900 now has 4 references +121731.970946 Misc 90 group_do_hash: SKEYID_a: +121731.971014 Misc 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121731.971081 Misc 90 group_do_hash: message_id: +121731.971127 Misc 90 483c11c0 +121731.971162 Negt 90 group_fill_in_hash: NONCE_I_b: +121731.971221 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121731.971257 Negt 90 group_fill_in_hash: NONCE_R_b: +121731.971315 Negt 90 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121732.203645 Misc 80 group_fill_in_hash: HASH: +121732.203723 Misc 80 790dd7c4 d8b721ad b6efdb0b 6b9b0ee2 48428536 +121732.203766 Exch 90 exchange_validate: checking for required HASH +121732.203812 Cryp 10 crypto_encrypt: before encryption: +121732.203886 Cryp 10 00000018 790dd7c4 d8b721ad b6efdb0b 6b9b0ee2 48428536 +121732.203949 Cryp 30 crypto_encrypt: after encryption: +121732.204022 Cryp 30 38cdefae a5068ac2 2b8eed31 3516a90a 136ee6cc 1ebb09f5 +121732.204059 Cryp 50 crypto_update_iv: updated IV: +121732.204105 Cryp 50 136ee6cc 1ebb09f5 +121732.204143 Mesg 70 message_send: message 0x13a000 +121732.204193 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121732.204245 Mesg 70 RCOOKIE: 0x272325e695db688b +121732.204287 Mesg 70 NEXT_PAYLOAD: HASH +121732.204330 Mesg 70 VERSION: 16 +121732.204371 Mesg 70 EXCH_TYPE: QUICK_MODE +121732.204415 Mesg 70 FLAGS: [ ENC ] +121732.204462 Mesg 70 MESSAGE_ID: 0x483c11c0 +121732.204504 Mesg 70 LENGTH: 52 +121732.204591 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 00000034 38cdefae +121732.424970 Mesg 70 message_send: a5068ac2 2b8eed31 3516a90a 136ee6cc 1ebb09f5 +121732.425026 Exch 40 exchange_run: exchange 0x11bb00 finished step 2, advancing... 
+121732.425075 Trpt 90 transport_reference: transport 0x11d300 now has 5 references +121732.425119 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121732.425163 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121732.425206 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121732.425250 Trpt 90 transport_release: transport 0x11d300 had 5 references +121732.425293 Trpt 90 transport_release: transport 0x11d400 had 2 references +121732.425336 Trpt 90 transport_release: transport 0x11d200 had 2 references +121732.425378 Trpt 90 transport_release: transport 0x11d180 had 2 references +121732.425441 Trpt 90 transport_reference: transport 0x11d300 now has 5 references +121732.425487 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121732.692795 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121732.692849 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121732.693488 Misc 60 conf_get_str: [General]:retransmits->5 +121732.693550 Trpt 30 transport_send_messages: message 0x13a000 scheduled for retransmission 1 in 7 secs +121732.693609 Timr 10 timer_add_event: event message_send_expire(0x13a000) added before connection_checker(0x142e20), expiration in 7s +121732.693658 Trpt 90 transport_release: transport 0x11d300 had 5 references +121732.693702 Trpt 90 transport_release: transport 0x11d400 had 2 references +121732.693744 Trpt 90 transport_release: transport 0x11d200 had 2 references +121732.693786 Trpt 90 transport_release: transport 0x11d180 had 2 references +121733.694878 Trpt 70 transport_add: adding 0x11d480 +121733.696191 Trpt 90 transport_reference: transport 0x11d480 now has 1 references +121733.696241 Mesg 90 message_alloc: allocated 0x13c000 +121733.696283 Mesg 70 message_recv: message 0x13c000 +121733.696337 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121733.696389 Mesg 70 RCOOKIE: 0x272325e695db688b +121733.696433 Mesg 70 NEXT_PAYLOAD: HASH 
+121733.696477 Mesg 70 VERSION: 16 +121733.696517 Mesg 70 EXCH_TYPE: QUICK_MODE +121733.696562 Mesg 70 FLAGS: [ ENC ] +121733.696609 Mesg 70 MESSAGE_ID: 0x483c11c0 +121733.696651 Mesg 70 LENGTH: 188 +121733.696739 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 000000bc 5fa0a653 +121733.696827 Mesg 70 message_recv: cb56424e 71a0d15a d11ea5d9 783d11d9 9a97bb08 4cb2ddc1 cc3ce34f 3a6adc0e +121733.696913 Mesg 70 message_recv: 95f33f94 e790e8f5 704e82dd b6c4be6b 8ba5775f 0b83f10d c20d2690 af87c98a +121733.696999 Mesg 70 message_recv: 4bc97cce 82843a85 2269d4a6 e5c92b64 6076bb06 bcf060b1 db468ef0 6a515f7d +121733.697085 Mesg 70 message_recv: cdf4d954 d49c0170 5bddfe8d bc928909 87a75294 4fc3882b 52f5c798 dfbfa8b8 +121733.697205 Mesg 70 message_recv: f4933c66 6da9efba 545f90bd bbc5f93f 47f86de7 b2ba1eef 28e8ae0b +121733.697257 SA 80 sa_reference: SA 0x11b900 now has 5 references +121733.697301 Mesg 90 message_check_duplicate: last_received 0x139000 +121733.697338 Mesg 95 message_check_duplicate: last_received: +121733.697421 Mesg 95 a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 000000b4 99ca3b06 +121733.697503 Mesg 95 00345ffd 7df14316 86cf0f6d 703260ba 807123ab bf70bf2a bfc5003b 0b8b235f +121733.697585 Mesg 95 9083d54f 460f4e62 ce04b4b7 07f2865e 61e1a13e b4600e2b 97312fa6 817aefb1 +121733.697664 Mesg 95 b4a8c147 cb9147ca b1f3604e e68b10e5 17e0e6f2 8be8b1e0 1b65af61 8aa95e55 +121733.697745 Mesg 95 1b233623 efeb05db 74f074a2 54c31a71 b15b8493 7fd5b651 d1d80596 f436a2fe +121733.697809 Mesg 95 0cc3ab56 7cbad36b da9916a8 0ed13bd9 4832d2c0 +121733.697847 Mesg 20 message_free: freeing 0x13a000 +121733.697892 Timr 10 timer_remove_event: removing event message_send_expire(0x13a000) +121733.698229 Trpt 90 transport_release: transport 0x11d300 had 4 references +121733.698279 SA 80 sa_release: SA 0x11b900 had 5 references +121733.698356 Cryp 10 crypto_decrypt: before decryption: +121733.698442 Cryp 10 5fa0a653 cb56424e 71a0d15a d11ea5d9 783d11d9 
9a97bb08 4cb2ddc1 cc3ce34f +121733.698525 Cryp 10 3a6adc0e 95f33f94 e790e8f5 704e82dd b6c4be6b 8ba5775f 0b83f10d c20d2690 +121733.698605 Cryp 10 af87c98a 4bc97cce 82843a85 2269d4a6 e5c92b64 6076bb06 bcf060b1 db468ef0 +121733.698686 Cryp 10 6a515f7d cdf4d954 d49c0170 5bddfe8d bc928909 87a75294 4fc3882b 52f5c798 +121733.698766 Cryp 10 dfbfa8b8 f4933c66 6da9efba 545f90bd bbc5f93f 47f86de7 b2ba1eef 28e8ae0b +121733.698886 Cryp 30 crypto_decrypt: after decryption: +121733.698974 Cryp 30 11000018 5c669c6a 1de36700 2c908a25 b14d3720 0b98a036 00000082 00020000 +121733.699058 Cryp 30 0100003d 041122aa bb000100 18414243 44454647 48494a4b 4c4d4e4f 50515253 +121733.699140 Cryp 30 54555657 58000200 14313233 34353637 38393031 32333435 36373839 30010000 +121733.699286 Cryp 30 3d043344 ccdd0001 00184645 44434241 31314c4b 4a494847 32325251 504f4e4d +121733.699375 Cryp 30 33330002 00143031 32333435 36373839 30313233 34353637 38390000 00000000 +121733.699428 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +121733.699476 Mesg 50 message_parse_payloads: offset 0x34 payload KD +121733.699527 Mesg 60 message_validate_payloads: payload HASH at 0x13611c of message 0x13c000 +121733.699577 Mesg 60 message_validate_payloads: payload KD at 0x136134 of message 0x13c000 +121733.699620 Mesg 70 NUM_PACKETS: 2 +121733.699702 Exch 90 exchange_validate: checking for required HASH +121733.699746 Exch 90 exchange_validate: checking for required KD +121733.699813 Negt 90 group_check_hash: SKEYID_a: +121733.699884 Negt 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121733.699954 Negt 90 group_check_hash: message_id: +121733.699999 Negt 90 483c11c0 +121733.700042 Negt 90 group_check_hash: NONCE_I_b: +121733.700100 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121733.938879 Negt 90 group_check_hash: NONCE_R_b: +121733.938952 Negt 90 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121733.938992 Negt 90 group_check_hash: payloads after HASH: +121733.939078 Negt 90 00000082 00020000 0100003d 041122aa bb000100 
18414243 44454647 48494a4b +121733.939160 Negt 90 4c4d4e4f 50515253 54555657 58000200 14313233 34353637 38393031 32333435 +121733.939243 Negt 90 36373839 30010000 3d043344 ccdd0001 00184645 44434241 31314c4b 4a494847 +121733.939324 Negt 90 32325251 504f4e4d 33330002 00143031 32333435 36373839 30313233 34353637 +121733.939362 Negt 90 3839 +121733.939451 Negt 80 group_check_hash: computed HASH: +121733.939519 Negt 80 5c669c6a 1de36700 2c908a25 b14d3720 0b98a036 +121733.939559 Default GOT # of packets: 2 +121733.939611 Default SPI found (KD) 287484603 287484603 (0x1122aabb) for sa 0x11bf00 +121733.939651 Default Found a secrecy attribute +121733.939689 Default Found an integrity attribute +121733.939749 Default SPI found (KD) 860146909 860146909 (0x3344ccdd) for sa 0x136000 +121734.170819 Default Found a secrecy attribute +121734.170872 Default Found an integrity attribute +121734.184374 Default decode_kd_tek_attribute: Unknown attribute: 0: No such file or directory +121734.184451 Mesg 20 message_free: freeing 0x139000 +121734.184504 Trpt 90 transport_release: transport 0x11d300 had 3 references +121734.184548 SA 80 sa_release: SA 0x11b900 had 4 references +121734.184588 Cryp 50 crypto_update_iv: updated IV: +121734.184638 Cryp 50 b2ba1eef 28e8ae0b +121734.184690 Exch 10 exchange_finalize: 0x11bb00 Group-1234 Default-group-mode policy initiator phase 2 doi 2 exchange 32 step 3 +121734.184738 Exch 10 exchange_finalize: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121734.184788 Exch 10 exchange_finalize: msgid 483c11c0 sa_list 0x11bf00 0x136000 +121734.184833 SA 90 sa_find: no SA matched query +121734.184887 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +121734.184967 Exch 30 checking whether new SA replaces existing SA with IDs +121734.415177 SA 90 sa_find: return SA 0x11bf00 +121734.415232 SA 60 sa_mark_replaced: SA 0x11bf00 (Group-1234) marked as replaced +121734.415273 SA 90 sa_find: no SA matched query +121734.415323 Misc 60 
conf_get_str: configuration value not found [Group-1234]:Flags
+121734.415379 Exch 50 gdoi_finalize_exchange: src ac13892a ffffffff dst efc00101 ffffffff
+121734.415423 SA 90 sa_find: no SA matched query
+121734.415469 Exch 50 gdoi_finalize_exchange: src ac13892a ffffffff dst efc00102 ffffffff
+121734.415511 SA 90 sa_find: no SA matched query
+121734.415551 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!!
+
+121734.415602 SA 80 sa_release: SA 0x11bf00 had 2 references
+121734.415647 SA 80 sa_release: SA 0x136000 had 2 references
+121734.415690 Timr 10 timer_remove_event: removing event exchange_free_aux(0x11bb00)
+121734.415733 Exch 80 exchange_free_aux: freeing exchange 0x11bb00
+121734.415772 Mesg 20 message_free: freeing 0x13c000
+121734.415819 Trpt 90 transport_release: transport 0x11d480 had 1 references
+121734.660280 Trpt 70 transport_release: freeing 0x11d480
+121734.660340 SA 80 sa_release: SA 0x11b900 had 3 references
+121734.660403 Trpt 90 transport_reference: transport 0x11d300 now has 3 references
+121734.660449 Trpt 90 transport_reference: transport 0x11d400 now has 2 references
+121734.660493 Trpt 90 transport_reference: transport 0x11d200 now has 2 references
+121734.660538 Trpt 90 transport_reference: transport 0x11d180 now has 2 references
+121734.660608 Trpt 90 transport_release: transport 0x11d300 had 3 references
+121734.660651 Trpt 90 transport_release: transport 0x11d400 had 2 references
+121734.660694 Trpt 90 transport_release: transport 0x11d200 had 2 references
+121734.660736 Trpt 90 transport_release: transport 0x11d180 had 2 references
+^C
diff --git a/samples/loopback/sample_output_ks b/samples/loopback/sample_output_ks
new file mode 100644
index 0000000..edbc753
--- /dev/null
+++ b/samples/loopback/sample_output_ks
@@ -0,0 +1,3408 @@
+121625.488449 Default log_debug_cmd: log level changed from 0 to 99 for class 0
+121625.489588 Default log_debug_cmd: log level changed from 0 to 99 for class 1
+121625.489646 Default log_debug_cmd: log level changed from 0 to 99 for class 2
+121625.489688 Default log_debug_cmd: log level changed from 0 to 99 for class 3
+121625.489730 Default log_debug_cmd: log level changed from 0 to 99 for class 4
+121625.489771 Default log_debug_cmd: log level changed from 0 to 99 for class 5
+121625.489813 Default log_debug_cmd: log level changed from 0 to 99 for class 6
+121625.489854 Default log_debug_cmd: log level changed from 0 to 99 for class 7
+121625.489896 Default log_debug_cmd: log level changed from 0 to 99 for class 8
+121625.489938 Default log_debug_cmd: log level changed from 0 to 99 for class 9
+121625.815816 Misc 40 conf_load_defaults : main mode DES-MD5
+121625.816674 Misc 40 conf_load_defaults : main mode DES-MD5-DSS
+121625.822734 Misc 40 conf_load_defaults : main mode DES-MD5-RSA_SIG
+121625.829148 Misc 40 conf_load_defaults : main mode DES-SHA
+121625.835670 Misc 40 conf_load_defaults : main mode DES-SHA-DSS
+121625.841726 Misc 40 conf_load_defaults : main mode DES-SHA-RSA_SIG
+121625.848620 Misc 40 conf_load_defaults : main mode BLF-MD5
+121625.854560 Misc 40 conf_load_defaults : main mode BLF-MD5-DSS
+121625.861463 Misc 40 conf_load_defaults : main mode BLF-MD5-RSA_SIG
+121625.867555 Misc 40 conf_load_defaults : main mode BLF-SHA
+121625.874434 Misc 40 conf_load_defaults : main mode BLF-SHA-DSS
+121625.880445 Misc 40 conf_load_defaults : main mode BLF-SHA-RSA_SIG
+121625.887247 Misc 40 conf_load_defaults : main mode 3DES-MD5
+121625.893332 Misc 40 conf_load_defaults : main mode 3DES-MD5-DSS
+121625.899732 Misc 40 conf_load_defaults : main mode 3DES-MD5-RSA_SIG
+121625.906352 Misc 40 conf_load_defaults : main mode 3DES-SHA
+121625.912391 Misc 40 conf_load_defaults : main mode 3DES-SHA-DSS
+121625.919169 Misc 40 conf_load_defaults : 
main mode 3DES-SHA-RSA_SIG +121625.925277 Misc 40 conf_load_defaults : main mode CAST-MD5 +121625.932092 Misc 40 conf_load_defaults : main mode CAST-MD5-DSS +121625.938202 Misc 40 conf_load_defaults : main mode CAST-MD5-RSA_SIG +121625.945043 Misc 40 conf_load_defaults : main mode CAST-SHA +121625.950219 Misc 40 conf_load_defaults : main mode CAST-SHA-DSS +121625.951039 Misc 40 conf_load_defaults : main mode CAST-SHA-RSA_SIG +121625.964017 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-MD5-SUITE +121625.970658 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SHA-SUITE +121625.978058 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-RIPEMD-SUITE +121625.984672 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SUITE +121625.992035 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-MD5-PFS-SUITE +121625.998701 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-SHA-PFS-SUITE +121626.005575 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-RIPEMD-PFS-SUITE +121626.012964 Misc 40 conf_load_defaults : quick mode QM-ESP-DES-PFS-SUITE +121626.013449 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-MD5-SUITE +121626.026185 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SHA-SUITE +121626.032735 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-RIPEMD-SUITE +121626.032886 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SUITE +121626.033017 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-MD5-PFS-SUITE +121626.033157 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-SHA-PFS-SUITE +121626.033297 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-RIPEMD-PFS-SUITE +121626.033438 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-DES-PFS-SUITE +121626.033630 Misc 40 conf_load_defaults : quick mode QM-AH-DES-MD5-SUITE +121626.033776 Misc 40 conf_load_defaults : quick mode QM-AH-DES-SHA-SUITE +121626.033910 Misc 40 conf_load_defaults : quick mode QM-AH-DES-RIPEMD-SUITE +121626.034045 Misc 40 conf_load_defaults : quick mode 
QM-AH-DES-MD5-PFS-SUITE +121626.034185 Misc 40 conf_load_defaults : quick mode QM-AH-DES-SHA-PFS-SUITE +121626.034419 Misc 40 conf_load_defaults : quick mode QM-AH-DES-RIPEMD-PFS-SUITE +121626.034571 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-MD5-SUITE +121626.034703 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-SHA-SUITE +121626.034817 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-RIPEMD-SUITE +121626.035038 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-MD5-PFS-SUITE +121626.035167 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-SHA-PFS-SUITE +121626.035284 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-DES-RIPEMD-PFS-SUITE +121626.035400 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-MD5-SUITE +121626.035511 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SHA-SUITE +121626.035622 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-RIPEMD-SUITE +121626.035733 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SUITE +121626.035839 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-MD5-PFS-SUITE +121626.036059 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-SHA-PFS-SUITE +121626.036188 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-RIPEMD-PFS-SUITE +121626.036305 Misc 40 conf_load_defaults : quick mode QM-ESP-3DES-PFS-SUITE +121626.036405 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-MD5-SUITE +121626.036491 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SHA-SUITE +121626.036573 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-RIPEMD-SUITE +121626.036652 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SUITE +121626.036729 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-MD5-PFS-SUITE +121626.036815 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-SHA-PFS-SUITE +121626.036960 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE +121626.037057 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-3DES-PFS-SUITE +121626.037192 Misc 40 
conf_load_defaults : quick mode QM-AH-3DES-MD5-SUITE +121626.037281 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-SHA-SUITE +121626.037362 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-RIPEMD-SUITE +121626.037530 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-MD5-PFS-SUITE +121626.037624 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-SHA-PFS-SUITE +121626.044081 Misc 40 conf_load_defaults : quick mode QM-AH-3DES-RIPEMD-PFS-SUITE +121626.044174 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-MD5-SUITE +121626.044314 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-SHA-SUITE +121626.044406 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-RIPEMD-SUITE +121626.044488 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-MD5-PFS-SUITE +121626.044573 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-SHA-PFS-SUITE +121626.044718 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-3DES-RIPEMD-PFS-SUITE +121626.044814 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-MD5-SUITE +121626.044894 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SHA-SUITE +121626.044975 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-RIPEMD-SUITE +121626.045114 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SUITE +121626.045227 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-MD5-PFS-SUITE +121626.045314 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-SHA-PFS-SUITE +121626.150781 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-RIPEMD-PFS-SUITE +121626.150875 Misc 40 conf_load_defaults : quick mode QM-ESP-CAST-PFS-SUITE +121626.150952 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-MD5-SUITE +121626.151031 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SHA-SUITE +121626.151111 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-RIPEMD-SUITE +121626.151192 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SUITE +121626.151335 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-MD5-PFS-SUITE 
+121626.151486 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-SHA-PFS-SUITE +121626.151636 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE +121626.151731 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-CAST-PFS-SUITE +121626.151808 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-MD5-SUITE +121626.151886 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-SHA-SUITE +121626.257903 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-RIPEMD-SUITE +121626.257991 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-MD5-PFS-SUITE +121626.258075 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-SHA-PFS-SUITE +121626.258222 Misc 40 conf_load_defaults : quick mode QM-AH-CAST-RIPEMD-PFS-SUITE +121626.258318 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-MD5-SUITE +121626.258455 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-SHA-SUITE +121626.258545 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-RIPEMD-SUITE +121626.258628 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-MD5-PFS-SUITE +121626.258712 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-SHA-PFS-SUITE +121626.258797 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-CAST-RIPEMD-PFS-SUITE +121626.258883 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-MD5-SUITE +121626.259026 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SHA-SUITE +121626.259121 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-RIPEMD-SUITE +121626.375819 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SUITE +121626.375909 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-MD5-PFS-SUITE +121626.375998 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-SHA-PFS-SUITE +121626.376087 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-RIPEMD-PFS-SUITE +121626.376319 Misc 40 conf_load_defaults : quick mode QM-ESP-BLF-PFS-SUITE +121626.376411 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-MD5-SUITE +121626.376554 Misc 40 conf_load_defaults : quick mode 
QM-ESP-TRP-BLF-SHA-SUITE +121626.376646 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-RIPEMD-SUITE +121626.376730 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-SUITE +121626.376810 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-MD5-PFS-SUITE +121626.376898 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-SHA-PFS-SUITE +121626.376987 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE +121626.377075 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-BLF-PFS-SUITE +121626.488977 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-MD5-SUITE +121626.489144 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-SHA-SUITE +121626.489296 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-RIPEMD-SUITE +121626.489390 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-MD5-PFS-SUITE +121626.489480 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-SHA-PFS-SUITE +121626.489568 Misc 40 conf_load_defaults : quick mode QM-AH-BLF-RIPEMD-PFS-SUITE +121626.489657 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-MD5-SUITE +121626.489741 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-SHA-SUITE +121626.489826 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-RIPEMD-SUITE +121626.489974 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-MD5-PFS-SUITE +121626.490078 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-SHA-PFS-SUITE +121626.490246 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-BLF-RIPEMD-PFS-SUITE +121626.490397 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-MD5-SUITE +121626.613767 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SHA-SUITE +121626.613860 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-RIPEMD-SUITE +121626.613938 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SUITE +121626.614012 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-MD5-PFS-SUITE +121626.614168 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-SHA-PFS-SUITE +121626.614263 Misc 40 conf_load_defaults : quick mode 
QM-ESP-AES-RIPEMD-PFS-SUITE +121626.614347 Misc 40 conf_load_defaults : quick mode QM-ESP-AES-PFS-SUITE +121626.614424 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-MD5-SUITE +121626.614504 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SHA-SUITE +121626.614583 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-RIPEMD-SUITE +121626.614683 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SUITE +121626.614820 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-MD5-PFS-SUITE +121626.614916 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-SHA-PFS-SUITE +121626.733744 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-RIPEMD-PFS-SUITE +121626.733845 Misc 40 conf_load_defaults : quick mode QM-ESP-TRP-AES-PFS-SUITE +121626.733922 Misc 40 conf_load_defaults : quick mode QM-AH-AES-MD5-SUITE +121626.734002 Misc 40 conf_load_defaults : quick mode QM-AH-AES-SHA-SUITE +121626.734082 Misc 40 conf_load_defaults : quick mode QM-AH-AES-RIPEMD-SUITE +121626.734161 Misc 40 conf_load_defaults : quick mode QM-AH-AES-MD5-PFS-SUITE +121626.734246 Misc 40 conf_load_defaults : quick mode QM-AH-AES-SHA-PFS-SUITE +121626.734390 Misc 40 conf_load_defaults : quick mode QM-AH-AES-RIPEMD-PFS-SUITE +121626.734487 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-MD5-SUITE +121626.734673 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-SHA-SUITE +121626.734765 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-RIPEMD-SUITE +121626.734846 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-MD5-PFS-SUITE +121626.834917 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-SHA-PFS-SUITE +121626.835009 Misc 40 conf_load_defaults : quick mode QM-AH-TRP-AES-RIPEMD-PFS-SUITE +121626.835197 Misc 60 conf_get_str: configuration value not found [General]:Retransmits +121626.835259 Misc 70 conf_set: [General]:Retransmits->5 +121626.835310 Misc 60 conf_get_str: configuration value not found [General]:Exchange-max-time +121626.835358 Misc 70 conf_set: 
[General]:Exchange-max-time->120 +121626.835406 Misc 60 conf_get_str: configuration value not found [General]:Listen-on +121626.835454 Misc 70 conf_set: [General]:Listen-on->127.0.0.2 +121626.835500 Misc 60 conf_get_str: configuration value not found [Phase 1]:127.0.0.1 +121626.835547 Misc 70 conf_set: [Phase 1]:127.0.0.1->ISAKMP-peer-client +121626.835593 Misc 60 conf_get_str: configuration value not found [Phase 2]:Passive-Connections +121626.835642 Misc 70 conf_set: [Phase 2]:Passive-Connections->Group-1234 +121626.835689 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Phase +121626.940528 Misc 70 conf_set: [ISAKMP-peer-client]:Phase->1 +121626.940586 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Transport +121626.940636 Misc 70 conf_set: [ISAKMP-peer-client]:Transport->udp +121626.940683 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Local-address +121626.940733 Misc 70 conf_set: [ISAKMP-peer-client]:Local-address->127.0.0.2 +121626.940782 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Address +121626.940830 Misc 70 conf_set: [ISAKMP-peer-client]:Address->127.0.0.1 +121626.940879 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Configuration +121626.940929 Misc 70 conf_set: [ISAKMP-peer-client]:Configuration->Default-main-mode +121626.940978 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Authentication +121626.941028 Misc 70 conf_set: [ISAKMP-peer-client]:Authentication->mekmitasdigoat +121626.941075 Misc 60 conf_get_str: configuration value not found [Group-1234]:Phase +121627.052107 Misc 70 conf_set: [Group-1234]:Phase->2 +121627.052165 Misc 60 conf_get_str: configuration value not found [Group-1234]:Configuration +121627.052215 Misc 70 conf_set: [Group-1234]:Configuration->Default-group-mode +121627.052262 Misc 60 conf_get_str: configuration value not found [Group-1234]:Group-ID +121627.052310 Misc 70 
conf_set: [Group-1234]:Group-ID->Group-1 +121627.052356 Misc 60 conf_get_str: configuration value not found [Group-1]:ID-type +121627.052403 Misc 70 conf_set: [Group-1]:ID-type->KEY_ID +121627.052449 Misc 60 conf_get_str: configuration value not found [Group-1]:Key-value +121627.052496 Misc 70 conf_set: [Group-1]:Key-value->1234 +121627.052542 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:DOI +121627.052590 Misc 70 conf_set: [Default-main-mode]:DOI->GROUP +121627.052637 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:EXCHANGE_TYPE +121627.052686 Misc 70 conf_set: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +121627.158372 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:Transforms +121627.158431 Misc 70 conf_set: [Default-main-mode]:Transforms->3DES-SHA +121627.158479 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:ENCRYPTION_ALGORITHM +121627.158527 Misc 70 conf_set: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121627.158574 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:HASH_ALGORITHM +121627.158622 Misc 70 conf_set: [3DES-SHA]:HASH_ALGORITHM->SHA +121627.158668 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:AUTHENTICATION_METHOD +121627.158717 Misc 70 conf_set: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121627.158765 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_DESCRIPTION +121627.158813 Misc 70 conf_set: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121627.158860 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:Life +121627.158908 Misc 70 conf_set: [3DES-SHA]:Life->LIFE_3600_SECS +121627.296834 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_TYPE +121627.296896 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121627.296943 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_DURATION +121627.296992 Misc 70 conf_set: 
[LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121627.297039 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA-XF]:TRANSFORM_ID +121627.297090 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121627.297137 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE +121627.297189 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121627.297237 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121627.297288 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121627.297336 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA-XF]:Life +121627.297385 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-XF]:Life->LIFE_3600_SECS +121627.416729 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:DOI +121627.416793 Misc 70 conf_set: [Default-group-mode]:DOI->GROUP +121627.416841 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:EXCHANGE_TYPE +121627.416891 Misc 70 conf_set: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +121627.416938 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:SA-TEKS +121627.416988 Misc 70 conf_set: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +121627.417035 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Crypto-protocol +121627.417084 Misc 70 conf_set: [GROUP1-TEK1]:Crypto-protocol->PROTO_IPSEC_ESP +121627.417130 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Src-ID +121627.417178 Misc 70 conf_set: [GROUP1-TEK1]:Src-ID->Group-tek1-src +121627.417224 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Dst-ID +121627.417272 Misc 70 conf_set: [GROUP1-TEK1]:Dst-ID->Group-tek1-dst +121627.561107 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:SPI +121627.561167 Misc 70 conf_set: [GROUP1-TEK1]:SPI->287484603 +121627.561216 Misc 60 conf_get_str: 
configuration value not found [GROUP1-TEK1]:TEK_Suite +121627.561266 Misc 70 conf_set: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +121627.561315 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:DES_KEY1 +121627.561363 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY1->ABCDEFGH +121627.561412 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:DES_KEY2 +121627.561460 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY2->IJKLMNOP +121627.561508 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:DES_KEY3 +121627.561556 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY3->QRSTUVWX +121627.561605 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:SHA_KEY +121627.561653 Misc 70 conf_set: [GROUP1-TEK1]:SHA_KEY->12345678901234567890 +121627.561699 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:ID-type +121627.675407 Misc 70 conf_set: [Group-tek1-src]:ID-type->IPV4_ADDR +121627.675465 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:Address +121627.675514 Misc 70 conf_set: [Group-tek1-src]:Address->172.19.137.42 +121627.675561 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:Port +121627.675608 Misc 70 conf_set: [Group-tek1-src]:Port->1024 +121627.675655 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:ID-type +121627.675703 Misc 70 conf_set: [Group-tek1-dst]:ID-type->IPV4_ADDR +121627.675750 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:Address +121627.675798 Misc 70 conf_set: [Group-tek1-dst]:Address->239.192.1.1 +121627.675846 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:Port +121627.675894 Misc 70 conf_set: [Group-tek1-dst]:Port->1024 +121627.675940 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:Src-ID +121627.793589 Misc 70 conf_set: [GROUP1-TEK2]:Src-ID->Group-tek2-src +121627.793647 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:Dst-ID +121627.793696 Misc 70 conf_set: 
[GROUP1-TEK2]:Dst-ID->Group-tek2-dst +121627.793745 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:SPI +121627.793792 Misc 70 conf_set: [GROUP1-TEK2]:SPI->860146909 +121627.793840 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:TEK_Suite +121627.793888 Misc 70 conf_set: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +121627.793937 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY1 +121627.793985 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY1->FEDCBA11 +121627.794033 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY2 +121627.794081 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY2->LKJIHG22 +121627.794130 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY3 +121627.794177 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY3->RQPONM33 +121627.924414 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:SHA_KEY +121627.924479 Misc 70 conf_set: [GROUP1-TEK2]:SHA_KEY->01234567890123456789 +121627.924527 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:ID-type +121627.924577 Misc 70 conf_set: [Group-tek2-src]:ID-type->IPV4_ADDR +121627.924624 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:Address +121627.924672 Misc 70 conf_set: [Group-tek2-src]:Address->172.19.137.42 +121627.924719 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:Port +121627.924768 Misc 70 conf_set: [Group-tek2-src]:Port->512 +121627.924813 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:ID-type +121627.924861 Misc 70 conf_set: [Group-tek2-dst]:ID-type->IPV4_ADDR +121627.924908 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:Address +121627.924956 Misc 70 conf_set: [Group-tek2-dst]:Address->239.192.1.2 +121627.925003 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:Port +121628.049586 Misc 70 conf_set: [Group-tek2-dst]:Port->512 +121628.049642 Misc 60 conf_get_str: configuration value not 
found [GDOI-ESP-3DES-SHA-SUITE]:Protocols +121628.049693 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +121628.049743 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA]:PROTOCOL_ID +121628.049791 Misc 70 conf_set: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121628.049839 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA]:Transforms +121628.049959 Misc 70 conf_set: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-3DES-SHA-XF +121628.050200 Misc 60 conf_get_str: configuration value not found [X509-certificates]:CA-directory +121628.050261 Misc 70 conf_set: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121628.050310 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Cert-directory +121628.050359 Misc 70 conf_set: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121628.050407 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Private-key +121628.180955 Misc 70 conf_set: [X509-certificates]:Private-key->/etc/isakmpd/private/local.key +121628.181014 Misc 60 conf_get_str: [General]:Retransmits->5 +121628.181061 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121628.181109 Misc 60 conf_get_str: configuration value not found [General]:Policy-file +121628.181157 Misc 70 conf_set: [General]:Policy-file->/etc/isakmpd/isakmpd.policy +121628.181204 Misc 60 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121628.181251 Misc 60 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121628.181299 Misc 60 conf_get_str: [X509-certificates]:Private-key->/etc/isakmpd/private/local.key +121628.181347 Misc 60 conf_get_str: configuration value not found [KeyNote]:Credential-directory +121628.181395 Misc 70 conf_set: [KeyNote]:Credential-directory->/etc/isakmpd/keynote/ +121628.181441 Misc 60 conf_get_str: configuration value not found [LIFE_MAIN_MODE]:LIFE_TYPE +121628.306567 Misc 70 conf_set: [LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS 
+121628.306623 Misc 60 conf_get_str: configuration value not found [LIFE_MAIN_MODE]:LIFE_DURATION +121628.306673 Misc 70 conf_set: [LIFE_MAIN_MODE]:LIFE_DURATION->3600,60:86400 +121628.306719 Misc 60 conf_get_str: configuration value not found [LIFE_QUICK_MODE]:LIFE_TYPE +121628.306767 Misc 70 conf_set: [LIFE_QUICK_MODE]:LIFE_TYPE->SECONDS +121628.306813 Misc 60 conf_get_str: configuration value not found [LIFE_QUICK_MODE]:LIFE_DURATION +121628.306862 Misc 70 conf_set: [LIFE_QUICK_MODE]:LIFE_DURATION->1200,60:86400 +121628.306909 Misc 60 conf_get_str: configuration value not found [DES-MD5]:ENCRYPTION_ALGORITHM +121628.306957 Misc 70 conf_set: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC +121628.307003 Misc 60 conf_get_str: configuration value not found [DES-MD5]:HASH_ALGORITHM +121628.307051 Misc 70 conf_set: [DES-MD5]:HASH_ALGORITHM->MD5 +121628.307097 Misc 60 conf_get_str: configuration value not found [DES-MD5]:AUTHENTICATION_METHOD +121628.437691 Misc 70 conf_set: [DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121628.437753 Misc 60 conf_get_str: configuration value not found [DES-MD5]:GROUP_DESCRIPTION +121628.437802 Misc 70 conf_set: [DES-MD5]:GROUP_DESCRIPTION->MODP_768 +121628.437849 Misc 60 conf_get_str: configuration value not found [DES-MD5]:Life +121628.437898 Misc 70 conf_set: [DES-MD5]:Life->LIFE_MAIN_MODE +121628.437943 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:ENCRYPTION_ALGORITHM +121628.437992 Misc 70 conf_set: [DES-MD5-DSS]:ENCRYPTION_ALGORITHM->DES_CBC +121628.438039 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:HASH_ALGORITHM +121628.438087 Misc 70 conf_set: [DES-MD5-DSS]:HASH_ALGORITHM->MD5 +121628.438134 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:AUTHENTICATION_METHOD +121628.438184 Misc 70 conf_set: [DES-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121628.438231 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:GROUP_DESCRIPTION +121628.569350 Misc 70 conf_set: 
[DES-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121628.569409 Misc 60 conf_get_str: configuration value not found [DES-MD5-DSS]:Life +121628.569457 Misc 70 conf_set: [DES-MD5-DSS]:Life->LIFE_MAIN_MODE +121628.569503 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121628.569553 Misc 70 conf_set: [DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->DES_CBC +121628.569602 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:HASH_ALGORITHM +121628.569650 Misc 70 conf_set: [DES-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121628.569697 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121628.569748 Misc 70 conf_set: [DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121628.569796 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:GROUP_DESCRIPTION +121628.569846 Misc 70 conf_set: [DES-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121628.569895 Misc 60 conf_get_str: configuration value not found [DES-MD5-RSA_SIG]:Life +121628.708386 Misc 70 conf_set: [DES-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121628.708444 Misc 60 conf_get_str: configuration value not found [DES-SHA]:ENCRYPTION_ALGORITHM +121628.708493 Misc 70 conf_set: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC +121628.708540 Misc 60 conf_get_str: configuration value not found [DES-SHA]:HASH_ALGORITHM +121628.708588 Misc 70 conf_set: [DES-SHA]:HASH_ALGORITHM->SHA +121628.708635 Misc 60 conf_get_str: configuration value not found [DES-SHA]:AUTHENTICATION_METHOD +121628.708684 Misc 70 conf_set: [DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121628.708732 Misc 60 conf_get_str: configuration value not found [DES-SHA]:GROUP_DESCRIPTION +121628.708780 Misc 70 conf_set: [DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121628.708827 Misc 60 conf_get_str: configuration value not found [DES-SHA]:Life +121628.708875 Misc 70 conf_set: [DES-SHA]:Life->LIFE_MAIN_MODE +121628.708921 Misc 60 conf_get_str: configuration value not found 
[DES-SHA-DSS]:ENCRYPTION_ALGORITHM +121628.708970 Misc 70 conf_set: [DES-SHA-DSS]:ENCRYPTION_ALGORITHM->DES_CBC +121628.833080 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:HASH_ALGORITHM +121628.833139 Misc 70 conf_set: [DES-SHA-DSS]:HASH_ALGORITHM->SHA +121628.833186 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:AUTHENTICATION_METHOD +121628.833237 Misc 70 conf_set: [DES-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121628.833284 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:GROUP_DESCRIPTION +121628.833333 Misc 70 conf_set: [DES-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121628.833381 Misc 60 conf_get_str: configuration value not found [DES-SHA-DSS]:Life +121628.833429 Misc 70 conf_set: [DES-SHA-DSS]:Life->LIFE_MAIN_MODE +121628.833475 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121628.833525 Misc 70 conf_set: [DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->DES_CBC +121628.833574 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:HASH_ALGORITHM +121628.946310 Misc 70 conf_set: [DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121628.946367 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121628.946419 Misc 70 conf_set: [DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121628.946468 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:GROUP_DESCRIPTION +121628.946518 Misc 70 conf_set: [DES-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121628.946566 Misc 60 conf_get_str: configuration value not found [DES-SHA-RSA_SIG]:Life +121628.946615 Misc 70 conf_set: [DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121628.946661 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:ENCRYPTION_ALGORITHM +121628.946709 Misc 70 conf_set: [BLF-MD5]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121628.946755 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:KEY_LENGTH +121628.946803 Misc 70 conf_set: 
[BLF-MD5]:KEY_LENGTH->128,96:192 +121628.946849 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:HASH_ALGORITHM +121629.066318 Misc 70 conf_set: [BLF-MD5]:HASH_ALGORITHM->MD5 +121629.066377 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:AUTHENTICATION_METHOD +121629.066426 Misc 70 conf_set: [BLF-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121629.066476 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:GROUP_DESCRIPTION +121629.066524 Misc 70 conf_set: [BLF-MD5]:GROUP_DESCRIPTION->MODP_768 +121629.066571 Misc 60 conf_get_str: configuration value not found [BLF-MD5]:Life +121629.066619 Misc 70 conf_set: [BLF-MD5]:Life->LIFE_MAIN_MODE +121629.066666 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:ENCRYPTION_ALGORITHM +121629.066715 Misc 70 conf_set: [BLF-MD5-DSS]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121629.066763 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:KEY_LENGTH +121629.066811 Misc 70 conf_set: [BLF-MD5-DSS]:KEY_LENGTH->128,96:192 +121629.066858 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:HASH_ALGORITHM +121629.066906 Misc 70 conf_set: [BLF-MD5-DSS]:HASH_ALGORITHM->MD5 +121629.179828 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:AUTHENTICATION_METHOD +121629.179891 Misc 70 conf_set: [BLF-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121629.179941 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:GROUP_DESCRIPTION +121629.179990 Misc 70 conf_set: [BLF-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121629.180045 Misc 60 conf_get_str: configuration value not found [BLF-MD5-DSS]:Life +121629.180094 Misc 70 conf_set: [BLF-MD5-DSS]:Life->LIFE_MAIN_MODE +121629.180141 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121629.180191 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121629.180240 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:KEY_LENGTH +121629.180288 Misc 
70 conf_set: [BLF-MD5-RSA_SIG]:KEY_LENGTH->128,96:192 +121629.180335 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:HASH_ALGORITHM +121629.180383 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121629.299149 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121629.299209 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121629.299259 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:GROUP_DESCRIPTION +121629.299310 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121629.299360 Misc 60 conf_get_str: configuration value not found [BLF-MD5-RSA_SIG]:Life +121629.299408 Misc 70 conf_set: [BLF-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121629.299457 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:ENCRYPTION_ALGORITHM +121629.299506 Misc 70 conf_set: [BLF-SHA]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121629.299553 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:KEY_LENGTH +121629.299601 Misc 70 conf_set: [BLF-SHA]:KEY_LENGTH->128,96:192 +121629.299648 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:HASH_ALGORITHM +121629.299695 Misc 70 conf_set: [BLF-SHA]:HASH_ALGORITHM->SHA +121629.418901 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:AUTHENTICATION_METHOD +121629.418965 Misc 70 conf_set: [BLF-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121629.419013 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:GROUP_DESCRIPTION +121629.419062 Misc 70 conf_set: [BLF-SHA]:GROUP_DESCRIPTION->MODP_1024 +121629.419109 Misc 60 conf_get_str: configuration value not found [BLF-SHA]:Life +121629.419157 Misc 70 conf_set: [BLF-SHA]:Life->LIFE_MAIN_MODE +121629.419203 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:ENCRYPTION_ALGORITHM +121629.419253 Misc 70 conf_set: [BLF-SHA-DSS]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121629.419300 Misc 60 conf_get_str: configuration value not found 
[BLF-SHA-DSS]:KEY_LENGTH +121629.419348 Misc 70 conf_set: [BLF-SHA-DSS]:KEY_LENGTH->128,96:192 +121629.419394 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:HASH_ALGORITHM +121629.419442 Misc 70 conf_set: [BLF-SHA-DSS]:HASH_ALGORITHM->SHA +121629.539012 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:AUTHENTICATION_METHOD +121629.539074 Misc 70 conf_set: [BLF-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121629.539123 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:GROUP_DESCRIPTION +121629.539172 Misc 70 conf_set: [BLF-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121629.539220 Misc 60 conf_get_str: configuration value not found [BLF-SHA-DSS]:Life +121629.539268 Misc 70 conf_set: [BLF-SHA-DSS]:Life->LIFE_MAIN_MODE +121629.539318 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121629.539369 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->BLOWFISH_CBC +121629.539419 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:KEY_LENGTH +121629.539468 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:KEY_LENGTH->128,96:192 +121629.539516 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:HASH_ALGORITHM +121629.539565 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121629.658720 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121629.658781 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121629.658832 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:GROUP_DESCRIPTION +121629.658883 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121629.658933 Misc 60 conf_get_str: configuration value not found [BLF-SHA-RSA_SIG]:Life +121629.658982 Misc 70 conf_set: [BLF-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121629.659028 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:ENCRYPTION_ALGORITHM +121629.659077 Misc 70 conf_set: 
[3DES-MD5]:ENCRYPTION_ALGORITHM->3DES_CBC +121629.659123 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:HASH_ALGORITHM +121629.659171 Misc 70 conf_set: [3DES-MD5]:HASH_ALGORITHM->MD5 +121629.659218 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:AUTHENTICATION_METHOD +121629.659267 Misc 70 conf_set: [3DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121629.778199 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:GROUP_DESCRIPTION +121629.778259 Misc 70 conf_set: [3DES-MD5]:GROUP_DESCRIPTION->MODP_768 +121629.778307 Misc 60 conf_get_str: configuration value not found [3DES-MD5]:Life +121629.778355 Misc 70 conf_set: [3DES-MD5]:Life->LIFE_MAIN_MODE +121629.778401 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:ENCRYPTION_ALGORITHM +121629.778452 Misc 70 conf_set: [3DES-MD5-DSS]:ENCRYPTION_ALGORITHM->3DES_CBC +121629.778499 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:HASH_ALGORITHM +121629.778547 Misc 70 conf_set: [3DES-MD5-DSS]:HASH_ALGORITHM->MD5 +121629.778594 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:AUTHENTICATION_METHOD +121629.778644 Misc 70 conf_set: [3DES-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121629.778692 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:GROUP_DESCRIPTION +121629.778741 Misc 70 conf_set: [3DES-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121629.904671 Misc 60 conf_get_str: configuration value not found [3DES-MD5-DSS]:Life +121629.904729 Misc 70 conf_set: [3DES-MD5-DSS]:Life->LIFE_MAIN_MODE +121629.904777 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121629.904827 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC +121629.904875 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:HASH_ALGORITHM +121629.904924 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121629.904971 Misc 60 conf_get_str: configuration value not found 
[3DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121629.905022 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121629.905071 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:GROUP_DESCRIPTION +121629.905121 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121629.905170 Misc 60 conf_get_str: configuration value not found [3DES-MD5-RSA_SIG]:Life +121630.023687 Misc 70 conf_set: [3DES-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121630.023747 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121630.023794 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +121630.023840 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121630.023886 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121630.023932 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121630.023978 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:ENCRYPTION_ALGORITHM +121630.024028 Misc 70 conf_set: [3DES-SHA-DSS]:ENCRYPTION_ALGORITHM->3DES_CBC +121630.024077 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:HASH_ALGORITHM +121630.024125 Misc 70 conf_set: [3DES-SHA-DSS]:HASH_ALGORITHM->SHA +121630.024172 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:AUTHENTICATION_METHOD +121630.024222 Misc 70 conf_set: [3DES-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121630.024269 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:GROUP_DESCRIPTION +121630.143508 Misc 70 conf_set: [3DES-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121630.143566 Misc 60 conf_get_str: configuration value not found [3DES-SHA-DSS]:Life +121630.143615 Misc 70 conf_set: [3DES-SHA-DSS]:Life->LIFE_MAIN_MODE +121630.143661 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121630.143711 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->3DES_CBC +121630.143759 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:HASH_ALGORITHM 
+121630.143807 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121630.143855 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121630.143906 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121630.143954 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:GROUP_DESCRIPTION +121630.144004 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121630.263224 Misc 60 conf_get_str: configuration value not found [3DES-SHA-RSA_SIG]:Life +121630.263285 Misc 70 conf_set: [3DES-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121630.263332 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:ENCRYPTION_ALGORITHM +121630.263381 Misc 70 conf_set: [CAST-MD5]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.263428 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:HASH_ALGORITHM +121630.263476 Misc 70 conf_set: [CAST-MD5]:HASH_ALGORITHM->MD5 +121630.263522 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:AUTHENTICATION_METHOD +121630.263571 Misc 70 conf_set: [CAST-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +121630.263619 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:GROUP_DESCRIPTION +121630.263668 Misc 70 conf_set: [CAST-MD5]:GROUP_DESCRIPTION->MODP_768 +121630.263715 Misc 60 conf_get_str: configuration value not found [CAST-MD5]:Life +121630.263763 Misc 70 conf_set: [CAST-MD5]:Life->LIFE_MAIN_MODE +121630.263808 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:ENCRYPTION_ALGORITHM +121630.389300 Misc 70 conf_set: [CAST-MD5-DSS]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.389359 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:HASH_ALGORITHM +121630.389408 Misc 70 conf_set: [CAST-MD5-DSS]:HASH_ALGORITHM->MD5 +121630.389456 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:AUTHENTICATION_METHOD +121630.389506 Misc 70 conf_set: [CAST-MD5-DSS]:AUTHENTICATION_METHOD->DSS +121630.389554 Misc 60 conf_get_str: 
configuration value not found [CAST-MD5-DSS]:GROUP_DESCRIPTION +121630.389603 Misc 70 conf_set: [CAST-MD5-DSS]:GROUP_DESCRIPTION->MODP_768 +121630.389650 Misc 60 conf_get_str: configuration value not found [CAST-MD5-DSS]:Life +121630.389698 Misc 70 conf_set: [CAST-MD5-DSS]:Life->LIFE_MAIN_MODE +121630.389744 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM +121630.389795 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.502994 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:HASH_ALGORITHM +121630.503055 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:HASH_ALGORITHM->MD5 +121630.503104 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:AUTHENTICATION_METHOD +121630.503155 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121630.503203 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:GROUP_DESCRIPTION +121630.503254 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:GROUP_DESCRIPTION->MODP_768 +121630.503302 Misc 60 conf_get_str: configuration value not found [CAST-MD5-RSA_SIG]:Life +121630.503351 Misc 70 conf_set: [CAST-MD5-RSA_SIG]:Life->LIFE_MAIN_MODE +121630.503397 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:ENCRYPTION_ALGORITHM +121630.503446 Misc 70 conf_set: [CAST-SHA]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.503495 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:HASH_ALGORITHM +121630.503544 Misc 70 conf_set: [CAST-SHA]:HASH_ALGORITHM->SHA +121630.628329 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:AUTHENTICATION_METHOD +121630.628388 Misc 70 conf_set: [CAST-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121630.628437 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:GROUP_DESCRIPTION +121630.628486 Misc 70 conf_set: [CAST-SHA]:GROUP_DESCRIPTION->MODP_1024 +121630.628534 Misc 60 conf_get_str: configuration value not found [CAST-SHA]:Life +121630.628582 Misc 70 conf_set: 
[CAST-SHA]:Life->LIFE_MAIN_MODE +121630.628628 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:ENCRYPTION_ALGORITHM +121630.628679 Misc 70 conf_set: [CAST-SHA-DSS]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.628726 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:HASH_ALGORITHM +121630.628774 Misc 70 conf_set: [CAST-SHA-DSS]:HASH_ALGORITHM->SHA +121630.628821 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:AUTHENTICATION_METHOD +121630.628871 Misc 70 conf_set: [CAST-SHA-DSS]:AUTHENTICATION_METHOD->DSS +121630.746172 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:GROUP_DESCRIPTION +121630.746240 Misc 70 conf_set: [CAST-SHA-DSS]:GROUP_DESCRIPTION->MODP_1024 +121630.746289 Misc 60 conf_get_str: configuration value not found [CAST-SHA-DSS]:Life +121630.746337 Misc 70 conf_set: [CAST-SHA-DSS]:Life->LIFE_MAIN_MODE +121630.746384 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM +121630.746435 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:ENCRYPTION_ALGORITHM->CAST_CBC +121630.746482 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:HASH_ALGORITHM +121630.746531 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:HASH_ALGORITHM->SHA +121630.746579 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:AUTHENTICATION_METHOD +121630.746630 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:AUTHENTICATION_METHOD->RSA_SIG +121630.746678 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:GROUP_DESCRIPTION +121630.746728 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:GROUP_DESCRIPTION->MODP_1024 +121630.871978 Misc 60 conf_get_str: configuration value not found [CAST-SHA-RSA_SIG]:Life +121630.872043 Misc 70 conf_set: [CAST-SHA-RSA_SIG]:Life->LIFE_MAIN_MODE +121630.872091 Misc 60 conf_get_str: configuration value not found [Phase 1]:Default +121630.872139 Misc 70 conf_set: [Phase 1]:Default->Default-phase-1 +121630.872186 Misc 60 conf_get_str: configuration 
value not found [Default-phase-1]:Phase +121630.872233 Misc 70 conf_set: [Default-phase-1]:Phase->1 +121630.872280 Misc 60 conf_get_str: configuration value not found [Default-phase-1]:Configuration +121630.872329 Misc 70 conf_set: [Default-phase-1]:Configuration->Default-phase-1-configuration +121630.872377 Misc 60 conf_get_str: configuration value not found [Default-phase-1-configuration]:EXCHANGE_TYPE +121630.872428 Misc 70 conf_set: [Default-phase-1-configuration]:EXCHANGE_TYPE->ID_PROT +121630.872477 Misc 60 conf_get_str: configuration value not found [Default-phase-1-configuration]:Transforms +121631.007671 Misc 70 conf_set: [Default-phase-1-configuration]:Transforms->3DES-SHA-RSA_SIG +121631.007735 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-SUITE]:Protocols +121631.007785 Misc 70 conf_set: [QM-ESP-DES-MD5-SUITE]:Protocols->QM-ESP-DES-MD5 +121631.007831 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5]:PROTOCOL_ID +121631.007899 Misc 70 conf_set: [QM-ESP-DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121631.007946 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5]:Transforms +121631.007996 Misc 70 conf_set: [QM-ESP-DES-MD5]:Transforms->QM-ESP-DES-MD5-XF +121631.008043 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:TRANSFORM_ID +121631.008091 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:TRANSFORM_ID->DES +121631.008138 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:ENCAPSULATION_MODE +121631.008188 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121631.008237 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121631.130369 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121631.130433 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-XF]:Life +121631.130483 Misc 70 conf_set: [QM-ESP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121631.130530 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-DES-SHA-SUITE]:Protocols +121631.130578 Misc 70 conf_set: [QM-ESP-DES-SHA-SUITE]:Protocols->QM-ESP-DES-SHA +121631.130625 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA]:PROTOCOL_ID +121631.130673 Misc 70 conf_set: [QM-ESP-DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121631.130719 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA]:Transforms +121631.130768 Misc 70 conf_set: [QM-ESP-DES-SHA]:Transforms->QM-ESP-DES-SHA-XF +121631.130814 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:TRANSFORM_ID +121631.130863 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:TRANSFORM_ID->DES +121631.257634 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:ENCAPSULATION_MODE +121631.257700 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121631.257749 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121631.257800 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121631.257848 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-XF]:Life +121631.257897 Misc 70 conf_set: [QM-ESP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121631.257944 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-SUITE]:Protocols +121631.257994 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-SUITE]:Protocols->QM-ESP-DES-RIPEMD +121631.258041 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD]:PROTOCOL_ID +121631.258090 Misc 70 conf_set: [QM-ESP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121631.258137 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD]:Transforms +121631.377657 Misc 70 conf_set: [QM-ESP-DES-RIPEMD]:Transforms->QM-ESP-DES-RIPEMD-XF +121631.377718 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:TRANSFORM_ID +121631.377768 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121631.377816 Misc 60 conf_get_str: configuration value 
not found [QM-ESP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121631.377868 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121631.377916 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121631.377967 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121631.378016 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-XF]:Life +121631.378065 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121631.378113 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SUITE]:Protocols +121631.378161 Misc 70 conf_set: [QM-ESP-DES-SUITE]:Protocols->QM-ESP-DES +121631.378207 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES]:PROTOCOL_ID +121631.502521 Misc 70 conf_set: [QM-ESP-DES]:PROTOCOL_ID->IPSEC_ESP +121631.502581 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES]:Transforms +121631.502630 Misc 70 conf_set: [QM-ESP-DES]:Transforms->QM-ESP-DES-XF +121631.502675 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:TRANSFORM_ID +121631.502723 Misc 70 conf_set: [QM-ESP-DES-XF]:TRANSFORM_ID->DES +121631.502771 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:ENCAPSULATION_MODE +121631.502820 Misc 70 conf_set: [QM-ESP-DES-XF]:ENCAPSULATION_MODE->TUNNEL +121631.502867 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-XF]:Life +121631.502915 Misc 70 conf_set: [QM-ESP-DES-XF]:Life->LIFE_QUICK_MODE +121631.502961 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-SUITE]:Protocols +121631.503012 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-SUITE]:Protocols->QM-ESP-DES-MD5-PFS +121631.503059 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS]:PROTOCOL_ID +121631.530166 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121631.530224 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS]:Transforms +121631.530274 
Misc 70 conf_set: [QM-ESP-DES-MD5-PFS]:Transforms->QM-ESP-DES-MD5-PFS-XF +121631.530321 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:TRANSFORM_ID +121631.530372 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121631.530419 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121631.530470 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121631.530518 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121631.530569 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121631.530617 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121631.630649 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121631.630711 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-MD5-PFS-XF]:Life +121631.630760 Misc 70 conf_set: [QM-ESP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121631.630807 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-SUITE]:Protocols +121631.630858 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-SUITE]:Protocols->QM-ESP-DES-SHA-PFS +121631.630905 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS]:PROTOCOL_ID +121631.630954 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121631.631028 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS]:Transforms +121631.631078 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS]:Transforms->QM-ESP-DES-SHA-PFS-XF +121631.631126 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:TRANSFORM_ID +121631.631177 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121631.631224 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121631.749908 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121631.749968 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121631.750067 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121631.750123 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121631.750174 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121631.750224 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-SHA-PFS-XF]:Life +121631.750273 Misc 70 conf_set: [QM-ESP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121631.750319 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-SUITE]:Protocols +121631.750370 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-DES-RIPEMD-PFS +121631.750417 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS]:PROTOCOL_ID +121631.875550 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121631.875615 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS]:Transforms +121631.875667 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS]:Transforms->QM-ESP-DES-RIPEMD-PFS-XF +121631.875717 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121631.875768 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121631.875816 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121631.875867 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121631.875915 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121631.875967 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121631.876016 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121632.003195 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121632.003262 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-DES-RIPEMD-PFS-XF]:Life +121632.003312 Misc 70 conf_set: [QM-ESP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121632.003358 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-SUITE]:Protocols +121632.003407 Misc 70 conf_set: [QM-ESP-DES-PFS-SUITE]:Protocols->QM-ESP-DES-PFS +121632.003453 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS]:PROTOCOL_ID +121632.003501 Misc 70 conf_set: [QM-ESP-DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121632.003547 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS]:Transforms +121632.003596 Misc 70 conf_set: [QM-ESP-DES-PFS]:Transforms->QM-ESP-DES-PFS-XF +121632.003643 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:TRANSFORM_ID +121632.003691 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:TRANSFORM_ID->DES +121632.003737 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:ENCAPSULATION_MODE +121632.128286 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121632.128355 Misc 60 conf_get_str: configuration value not found [QM-ESP-DES-PFS-XF]:Life +121632.128405 Misc 70 conf_set: [QM-ESP-DES-PFS-XF]:Life->LIFE_QUICK_MODE +121632.128454 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-SUITE]:Protocols +121632.128505 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-SUITE]:Protocols->QM-ESP-TRP-DES-MD5 +121632.128554 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5]:PROTOCOL_ID +121632.128603 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121632.128651 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5]:Transforms +121632.128700 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5]:Transforms->QM-ESP-TRP-DES-MD5-XF +121632.128749 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:TRANSFORM_ID +121632.128799 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:TRANSFORM_ID->DES +121632.232340 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-DES-MD5-XF]:ENCAPSULATION_MODE +121632.232406 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.232457 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121632.232508 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121632.232585 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-XF]:Life +121632.232635 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121632.232682 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-SUITE]:Protocols +121632.232733 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-SUITE]:Protocols->QM-ESP-TRP-DES-SHA +121632.232781 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA]:PROTOCOL_ID +121632.232830 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121632.232878 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA]:Transforms +121632.345499 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA]:Transforms->QM-ESP-TRP-DES-SHA-XF +121632.345558 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:TRANSFORM_ID +121632.345609 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:TRANSFORM_ID->DES +121632.345658 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:ENCAPSULATION_MODE +121632.345709 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.345758 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121632.345809 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121632.345858 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-XF]:Life +121632.345907 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121632.345955 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-SUITE]:Protocols +121632.346006 Misc 70 conf_set: 
[QM-ESP-TRP-DES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-DES-RIPEMD +121632.459054 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD]:PROTOCOL_ID +121632.459143 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121632.459192 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD]:Transforms +121632.459242 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD]:Transforms->QM-ESP-TRP-DES-RIPEMD-XF +121632.459290 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:TRANSFORM_ID +121632.459341 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121632.459389 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121632.459440 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.459489 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121632.459541 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121632.557017 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-XF]:Life +121632.557077 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121632.557126 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SUITE]:Protocols +121632.557176 Misc 70 conf_set: [QM-ESP-TRP-DES-SUITE]:Protocols->QM-ESP-TRP-DES +121632.557224 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES]:PROTOCOL_ID +121632.557273 Misc 70 conf_set: [QM-ESP-TRP-DES]:PROTOCOL_ID->IPSEC_ESP +121632.557320 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES]:Transforms +121632.557369 Misc 70 conf_set: [QM-ESP-TRP-DES]:Transforms->QM-ESP-TRP-DES-XF +121632.557416 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-XF]:TRANSFORM_ID +121632.557464 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:TRANSFORM_ID->DES +121632.557511 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-DES-XF]:ENCAPSULATION_MODE +121632.557562 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.664235 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-XF]:Life +121632.664295 Misc 70 conf_set: [QM-ESP-TRP-DES-XF]:Life->LIFE_QUICK_MODE +121632.664345 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-SUITE]:Protocols +121632.664396 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-MD5-PFS +121632.664445 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS]:PROTOCOL_ID +121632.664496 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121632.664545 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS]:Transforms +121632.664596 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS]:Transforms->QM-ESP-TRP-DES-MD5-PFS-XF +121632.664643 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID +121632.664694 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121632.664742 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121632.771497 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.771556 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121632.771636 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121632.771686 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121632.771737 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121632.771787 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-MD5-PFS-XF]:Life +121632.771836 Misc 70 conf_set: [QM-ESP-TRP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121632.771883 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-SUITE]:Protocols +121632.771934 Misc 
70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-SHA-PFS +121632.771984 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS]:PROTOCOL_ID +121632.884729 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121632.884788 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS]:Transforms +121632.884840 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS]:Transforms->QM-ESP-TRP-DES-SHA-PFS-XF +121632.884891 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID +121632.884942 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121632.884989 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121632.885041 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121632.885090 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121632.885142 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121632.885191 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121632.986478 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121632.986539 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-SHA-PFS-XF]:Life +121632.986589 Misc 70 conf_set: [QM-ESP-TRP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121632.986637 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-SUITE]:Protocols +121632.986688 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-RIPEMD-PFS +121632.986738 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID +121632.986788 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121632.986836 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS]:Transforms +121632.986887 Misc 70 
conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-DES-RIPEMD-PFS-XF +121632.986937 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121633.093711 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121633.093769 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121633.093822 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121633.093871 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121633.093923 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121633.093974 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121633.094025 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121633.094075 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:Life +121633.094126 Misc 70 conf_set: [QM-ESP-TRP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121633.094173 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-SUITE]:Protocols +121633.197981 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-SUITE]:Protocols->QM-ESP-TRP-DES-PFS +121633.198043 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS]:PROTOCOL_ID +121633.198094 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121633.198143 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS]:Transforms +121633.198192 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS]:Transforms->QM-ESP-TRP-DES-PFS-XF +121633.198240 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:TRANSFORM_ID +121633.198290 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-XF]:TRANSFORM_ID->DES +121633.198337 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:ENCAPSULATION_MODE +121633.198388 Misc 70 conf_set: 
[QM-ESP-TRP-DES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121633.198436 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-DES-PFS-XF]:Life +121633.198485 Misc 70 conf_set: [QM-ESP-TRP-DES-PFS-XF]:Life->LIFE_QUICK_MODE +121633.316869 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-SUITE]:Protocols +121633.316930 Misc 70 conf_set: [QM-AH-DES-MD5-SUITE]:Protocols->QM-AH-DES-MD5 +121633.316980 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5]:PROTOCOL_ID +121633.317029 Misc 70 conf_set: [QM-AH-DES-MD5]:PROTOCOL_ID->IPSEC_AH +121633.317076 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5]:Transforms +121633.317124 Misc 70 conf_set: [QM-AH-DES-MD5]:Transforms->QM-AH-DES-MD5-XF +121633.317173 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:TRANSFORM_ID +121633.317222 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:TRANSFORM_ID->DES +121633.317269 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:ENCAPSULATION_MODE +121633.317320 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121633.317369 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121633.317420 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121633.419535 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-XF]:Life +121633.419594 Misc 70 conf_set: [QM-AH-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121633.419642 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-SUITE]:Protocols +121633.419691 Misc 70 conf_set: [QM-AH-DES-SHA-SUITE]:Protocols->QM-AH-DES-SHA +121633.419737 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA]:PROTOCOL_ID +121633.419786 Misc 70 conf_set: [QM-AH-DES-SHA]:PROTOCOL_ID->IPSEC_AH +121633.419832 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA]:Transforms +121633.419881 Misc 70 conf_set: [QM-AH-DES-SHA]:Transforms->QM-AH-DES-SHA-XF +121633.419928 Misc 
60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:TRANSFORM_ID +121633.419976 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:TRANSFORM_ID->DES +121633.420048 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:ENCAPSULATION_MODE +121633.420100 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121633.533420 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121633.533480 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121633.533530 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-XF]:Life +121633.533578 Misc 70 conf_set: [QM-AH-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121633.533625 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-SUITE]:Protocols +121633.533676 Misc 70 conf_set: [QM-AH-DES-RIPEMD-SUITE]:Protocols->QM-AH-DES-RIPEMD +121633.533723 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD]:PROTOCOL_ID +121633.533771 Misc 70 conf_set: [QM-AH-DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121633.533818 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD]:Transforms +121633.533869 Misc 70 conf_set: [QM-AH-DES-RIPEMD]:Transforms->QM-AH-DES-RIPEMD-XF +121633.533919 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:TRANSFORM_ID +121633.642142 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121633.642202 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121633.642254 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121633.642304 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121633.642355 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121633.642405 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-XF]:Life +121633.642455 Misc 70 conf_set: [QM-AH-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121633.642502 Misc 
60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-SUITE]:Protocols +121633.642552 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-SUITE]:Protocols->QM-AH-DES-MD5-PFS +121633.642599 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS]:PROTOCOL_ID +121633.642648 Misc 70 conf_set: [QM-AH-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121633.755276 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS]:Transforms +121633.755336 Misc 70 conf_set: [QM-AH-DES-MD5-PFS]:Transforms->QM-AH-DES-MD5-PFS-XF +121633.755384 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:TRANSFORM_ID +121633.755434 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121633.755482 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121633.755533 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121633.755581 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121633.755632 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121633.755681 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121633.755732 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121633.755780 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-MD5-PFS-XF]:Life +121633.856714 Misc 70 conf_set: [QM-AH-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121633.856774 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-SUITE]:Protocols +121633.856825 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-SUITE]:Protocols->QM-AH-DES-SHA-PFS +121633.856875 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS]:PROTOCOL_ID +121633.856923 Misc 70 conf_set: [QM-AH-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121633.856970 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS]:Transforms +121633.857019 Misc 70 conf_set: 
[QM-AH-DES-SHA-PFS]:Transforms->QM-AH-DES-SHA-PFS-XF +121633.857066 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:TRANSFORM_ID +121633.857115 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121633.857162 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121633.857213 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121633.963418 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121633.963479 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121633.963529 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121633.963580 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121633.963629 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-SHA-PFS-XF]:Life +121633.963678 Misc 70 conf_set: [QM-AH-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121633.963725 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-SUITE]:Protocols +121633.963776 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-DES-RIPEMD-PFS +121633.963825 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS]:PROTOCOL_ID +121633.963874 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121633.963921 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS]:Transforms +121634.072416 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS]:Transforms->QM-AH-DES-RIPEMD-PFS-XF +121634.072475 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121634.072526 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121634.072576 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121634.072627 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121634.072676 Misc 60 conf_get_str: configuration 
value not found [QM-AH-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121634.072728 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121634.072778 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121634.072829 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121634.072879 Misc 60 conf_get_str: configuration value not found [QM-AH-DES-RIPEMD-PFS-XF]:Life +121634.180593 Misc 70 conf_set: [QM-AH-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121634.180652 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-SUITE]:Protocols +121634.180704 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-SUITE]:Protocols->QM-AH-TRP-DES-MD5 +121634.180754 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5]:PROTOCOL_ID +121634.180804 Misc 70 conf_set: [QM-AH-TRP-DES-MD5]:PROTOCOL_ID->IPSEC_AH +121634.180851 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5]:Transforms +121634.180900 Misc 70 conf_set: [QM-AH-TRP-DES-MD5]:Transforms->QM-AH-TRP-DES-MD5-XF +121634.180947 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:TRANSFORM_ID +121634.180998 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:TRANSFORM_ID->DES +121634.181045 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:ENCAPSULATION_MODE +121634.181097 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.181146 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121634.293546 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121634.293607 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-XF]:Life +121634.293656 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-XF]:Life->LIFE_QUICK_MODE +121634.293703 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-SUITE]:Protocols +121634.293753 Misc 70 conf_set: 
[QM-AH-TRP-DES-SHA-SUITE]:Protocols->QM-AH-TRP-DES-SHA +121634.293805 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA]:PROTOCOL_ID +121634.293854 Misc 70 conf_set: [QM-AH-TRP-DES-SHA]:PROTOCOL_ID->IPSEC_AH +121634.293902 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA]:Transforms +121634.293951 Misc 70 conf_set: [QM-AH-TRP-DES-SHA]:Transforms->QM-AH-TRP-DES-SHA-XF +121634.293998 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:TRANSFORM_ID +121634.294048 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:TRANSFORM_ID->DES +121634.401557 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:ENCAPSULATION_MODE +121634.401618 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.401667 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121634.401718 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121634.401767 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-XF]:Life +121634.401816 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-XF]:Life->LIFE_QUICK_MODE +121634.401866 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-SUITE]:Protocols +121634.401917 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-DES-RIPEMD +121634.401967 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD]:PROTOCOL_ID +121634.402016 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121634.402064 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD]:Transforms +121634.514697 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD]:Transforms->QM-AH-TRP-DES-RIPEMD-XF +121634.514757 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:TRANSFORM_ID +121634.514808 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:TRANSFORM_ID->DES +121634.514859 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE +121634.514910 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.514958 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121634.515010 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121634.515059 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-XF]:Life +121634.515109 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121634.515155 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-SUITE]:Protocols +121634.622163 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-DES-MD5-PFS +121634.622220 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS]:PROTOCOL_ID +121634.622271 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121634.622320 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS]:Transforms +121634.622371 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS]:Transforms->QM-AH-TRP-DES-MD5-PFS-XF +121634.622420 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID +121634.622471 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:TRANSFORM_ID->DES +121634.622518 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121634.622570 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.622618 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121634.730499 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121634.730559 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121634.730611 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121634.730661 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-DES-MD5-PFS-XF]:Life +121634.730710 Misc 70 conf_set: [QM-AH-TRP-DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121634.730758 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-SUITE]:Protocols +121634.730809 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-DES-SHA-PFS +121634.730857 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS]:PROTOCOL_ID +121634.730907 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121634.730954 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS]:Transforms +121634.731004 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS]:Transforms->QM-AH-TRP-DES-SHA-PFS-XF +121634.854506 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID +121634.854569 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:TRANSFORM_ID->DES +121634.854619 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121634.854671 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.854720 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121634.854772 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121634.854822 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121634.854873 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121634.854922 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-SHA-PFS-XF]:Life +121634.854972 Misc 70 conf_set: [QM-AH-TRP-DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121634.957263 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-SUITE]:Protocols +121634.957328 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-DES-RIPEMD-PFS +121634.957378 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID 
+121634.957429 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121634.957478 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS]:Transforms +121634.957530 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS]:Transforms->QM-AH-TRP-DES-RIPEMD-PFS-XF +121634.957578 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121634.957629 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:TRANSFORM_ID->DES +121634.957677 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121634.957728 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121634.957777 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121635.070258 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121635.070321 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121635.070374 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121635.070424 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-DES-RIPEMD-PFS-XF]:Life +121635.070475 Misc 70 conf_set: [QM-AH-TRP-DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121635.070524 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-SUITE]:Protocols +121635.070573 Misc 70 conf_set: [QM-ESP-3DES-MD5-SUITE]:Protocols->QM-ESP-3DES-MD5 +121635.070619 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5]:PROTOCOL_ID +121635.070668 Misc 70 conf_set: [QM-ESP-3DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121635.070714 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5]:Transforms +121635.179315 Misc 70 conf_set: [QM-ESP-3DES-MD5]:Transforms->QM-ESP-3DES-MD5-XF +121635.179374 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:TRANSFORM_ID +121635.179424 Misc 70 conf_set: 
[QM-ESP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121635.179471 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:ENCAPSULATION_MODE +121635.179522 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121635.179570 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121635.179621 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121635.179670 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-XF]:Life +121635.179718 Misc 70 conf_set: [QM-ESP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121635.179765 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-SUITE]:Protocols +121635.179814 Misc 70 conf_set: [QM-ESP-3DES-SHA-SUITE]:Protocols->QM-ESP-3DES-SHA +121635.284867 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA]:PROTOCOL_ID +121635.284925 Misc 70 conf_set: [QM-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121635.284974 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA]:Transforms +121635.285023 Misc 70 conf_set: [QM-ESP-3DES-SHA]:Transforms->QM-ESP-3DES-SHA-XF +121635.285071 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:TRANSFORM_ID +121635.285119 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121635.285168 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE +121635.285219 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121635.285268 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121635.285319 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121635.285368 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-XF]:Life +121635.285417 Misc 70 conf_set: [QM-ESP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121635.392081 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-SUITE]:Protocols +121635.392142 Misc 70 
conf_set: [QM-ESP-3DES-RIPEMD-SUITE]:Protocols->QM-ESP-3DES-RIPEMD +121635.392194 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD]:PROTOCOL_ID +121635.392244 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121635.392292 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD]:Transforms +121635.392342 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD]:Transforms->QM-ESP-3DES-RIPEMD-XF +121635.392390 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:TRANSFORM_ID +121635.392441 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121635.392489 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121635.392540 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121635.392589 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121635.500341 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121635.500403 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-XF]:Life +121635.500453 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121635.500501 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SUITE]:Protocols +121635.500549 Misc 70 conf_set: [QM-ESP-3DES-SUITE]:Protocols->QM-ESP-3DES +121635.500597 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES]:PROTOCOL_ID +121635.500645 Misc 70 conf_set: [QM-ESP-3DES]:PROTOCOL_ID->IPSEC_ESP +121635.500692 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES]:Transforms +121635.500740 Misc 70 conf_set: [QM-ESP-3DES]:Transforms->QM-ESP-3DES-XF +121635.500786 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:TRANSFORM_ID +121635.500834 Misc 70 conf_set: [QM-ESP-3DES-XF]:TRANSFORM_ID->3DES +121635.500881 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:ENCAPSULATION_MODE +121635.609651 Misc 70 conf_set: 
[QM-ESP-3DES-XF]:ENCAPSULATION_MODE->TUNNEL +121635.609711 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-XF]:Life +121635.609761 Misc 70 conf_set: [QM-ESP-3DES-XF]:Life->LIFE_QUICK_MODE +121635.609807 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-SUITE]:Protocols +121635.609858 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-SUITE]:Protocols->QM-ESP-3DES-MD5-PFS +121635.609905 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS]:PROTOCOL_ID +121635.609953 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121635.610000 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS]:Transforms +121635.610056 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS]:Transforms->QM-ESP-3DES-MD5-PFS-XF +121635.610105 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121635.610155 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121635.711569 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121635.711631 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121635.711681 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121635.711732 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121635.711785 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121635.711837 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121635.711888 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-MD5-PFS-XF]:Life +121635.711937 Misc 70 conf_set: [QM-ESP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121635.711984 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-SUITE]:Protocols +121635.712035 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-SUITE]:Protocols->QM-ESP-3DES-SHA-PFS +121635.825249 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-3DES-SHA-PFS]:PROTOCOL_ID +121635.825308 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121635.825357 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS]:Transforms +121635.825406 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS]:Transforms->QM-ESP-3DES-SHA-PFS-XF +121635.825455 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121635.825506 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121635.825554 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121635.825605 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121635.825654 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121635.825706 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121635.825756 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121635.933539 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121635.933614 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-SHA-PFS-XF]:Life +121635.933664 Misc 70 conf_set: [QM-ESP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121635.933713 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-SUITE]:Protocols +121635.933765 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-3DES-RIPEMD-PFS +121635.933813 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121635.933863 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121635.933910 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS]:Transforms +121635.933962 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS]:Transforms->QM-ESP-3DES-RIPEMD-PFS-XF +121635.934009 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121635.934060 Misc 70 conf_set: 
[QM-ESP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121636.036241 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121636.036303 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121636.036353 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121636.036405 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121636.036455 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121636.036506 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121636.036556 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-RIPEMD-PFS-XF]:Life +121636.036606 Misc 70 conf_set: [QM-ESP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121636.036653 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-SUITE]:Protocols +121636.036703 Misc 70 conf_set: [QM-ESP-3DES-PFS-SUITE]:Protocols->QM-ESP-3DES-PFS +121636.149460 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS]:PROTOCOL_ID +121636.149522 Misc 70 conf_set: [QM-ESP-3DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121636.149571 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS]:Transforms +121636.149620 Misc 70 conf_set: [QM-ESP-3DES-PFS]:Transforms->QM-ESP-3DES-PFS-XF +121636.149669 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:TRANSFORM_ID +121636.149721 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:TRANSFORM_ID->3DES +121636.149770 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:ENCAPSULATION_MODE +121636.149821 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121636.149869 Misc 60 conf_get_str: configuration value not found [QM-ESP-3DES-PFS-XF]:Life +121636.149918 Misc 70 conf_set: [QM-ESP-3DES-PFS-XF]:Life->LIFE_QUICK_MODE +121636.149965 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-3DES-MD5-SUITE]:Protocols +121636.255042 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-SUITE]:Protocols->QM-ESP-TRP-3DES-MD5 +121636.255105 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5]:PROTOCOL_ID +121636.255155 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5]:PROTOCOL_ID->IPSEC_ESP +121636.255204 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5]:Transforms +121636.255253 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5]:Transforms->QM-ESP-TRP-3DES-MD5-XF +121636.255302 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:TRANSFORM_ID +121636.255353 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121636.255401 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE +121636.255452 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121636.255501 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121636.255552 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121636.368627 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-XF]:Life +121636.368690 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121636.368738 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-SUITE]:Protocols +121636.368789 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-SUITE]:Protocols->QM-ESP-TRP-3DES-SHA +121636.368836 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA]:PROTOCOL_ID +121636.368885 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121636.368932 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA]:Transforms +121636.368981 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA]:Transforms->QM-ESP-TRP-3DES-SHA-XF +121636.369029 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:TRANSFORM_ID +121636.369079 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121636.369127 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE +121636.482724 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121636.482785 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121636.482837 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121636.482886 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-XF]:Life +121636.482935 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121636.482985 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-SUITE]:Protocols +121636.483037 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-3DES-RIPEMD +121636.483085 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD]:PROTOCOL_ID +121636.483135 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121636.483182 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD]:Transforms +121636.483233 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD]:Transforms->QM-ESP-TRP-3DES-RIPEMD-XF +121636.591769 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID +121636.591863 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121636.591912 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121636.591964 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121636.592013 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121636.592065 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121636.592115 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-XF]:Life +121636.592164 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121636.592213 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SUITE]:Protocols +121636.592263 Misc 70 conf_set: [QM-ESP-TRP-3DES-SUITE]:Protocols->QM-ESP-TRP-3DES +121636.689319 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES]:PROTOCOL_ID +121636.689380 Misc 70 conf_set: [QM-ESP-TRP-3DES]:PROTOCOL_ID->IPSEC_ESP +121636.689428 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES]:Transforms +121636.689477 Misc 70 conf_set: [QM-ESP-TRP-3DES]:Transforms->QM-ESP-TRP-3DES-XF +121636.689525 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:TRANSFORM_ID +121636.689574 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:TRANSFORM_ID->3DES +121636.689621 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:ENCAPSULATION_MODE +121636.689672 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:ENCAPSULATION_MODE->TRANSPORT +121636.689720 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-XF]:Life +121636.689768 Misc 70 conf_set: [QM-ESP-TRP-3DES-XF]:Life->LIFE_QUICK_MODE +121636.689815 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-SUITE]:Protocols +121636.803711 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-MD5-PFS +121636.803773 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS]:PROTOCOL_ID +121636.803824 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121636.803872 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS]:Transforms +121636.803923 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS]:Transforms->QM-ESP-TRP-3DES-MD5-PFS-XF +121636.803975 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121636.804026 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121636.804075 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121636.804126 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121636.804176 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121636.804228 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121636.911680 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121636.911744 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121636.911796 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-MD5-PFS-XF]:Life +121636.911846 Misc 70 conf_set: [QM-ESP-TRP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121636.911893 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-SUITE]:Protocols +121636.911944 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-SHA-PFS +121636.911992 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS]:PROTOCOL_ID +121636.912042 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121636.912116 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS]:Transforms +121636.912167 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS]:Transforms->QM-ESP-TRP-3DES-SHA-PFS-XF +121637.025161 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121637.025224 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121637.025274 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121637.025325 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121637.025378 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121637.025430 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121637.025482 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121637.025533 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121637.025584 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-SHA-PFS-XF]:Life +121637.025634 Misc 70 conf_set: [QM-ESP-TRP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121637.133413 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols +121637.133475 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-RIPEMD-PFS +121637.133526 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121637.133578 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121637.133627 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS]:Transforms +121637.133678 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-3DES-RIPEMD-PFS-XF +121637.133728 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121637.133779 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121637.133827 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121637.133878 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121637.236067 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121637.236130 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121637.236182 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121637.236236 Misc 70 conf_set: [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121637.236286 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:Life +121637.236338 Misc 70 conf_set: 
[QM-ESP-TRP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121637.236387 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-SUITE]:Protocols +121637.236438 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-SUITE]:Protocols->QM-ESP-TRP-3DES-PFS +121637.236488 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS]:PROTOCOL_ID +121637.236537 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS]:PROTOCOL_ID->IPSEC_ESP +121637.350621 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS]:Transforms +121637.350684 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS]:Transforms->QM-ESP-TRP-3DES-PFS-XF +121637.350734 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:TRANSFORM_ID +121637.350785 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:TRANSFORM_ID->3DES +121637.350832 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:ENCAPSULATION_MODE +121637.350884 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121637.350932 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-3DES-PFS-XF]:Life +121637.350981 Misc 70 conf_set: [QM-ESP-TRP-3DES-PFS-XF]:Life->LIFE_QUICK_MODE +121637.351028 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-SUITE]:Protocols +121637.351077 Misc 70 conf_set: [QM-AH-3DES-MD5-SUITE]:Protocols->QM-AH-3DES-MD5 +121637.351124 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5]:PROTOCOL_ID +121637.458313 Misc 70 conf_set: [QM-AH-3DES-MD5]:PROTOCOL_ID->IPSEC_AH +121637.458373 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5]:Transforms +121637.458422 Misc 70 conf_set: [QM-AH-3DES-MD5]:Transforms->QM-AH-3DES-MD5-XF +121637.458469 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:TRANSFORM_ID +121637.458518 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:TRANSFORM_ID->3DES +121637.458565 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:ENCAPSULATION_MODE +121637.458616 
Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121637.458665 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121637.458716 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121637.458765 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-XF]:Life +121637.458813 Misc 70 conf_set: [QM-AH-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121637.458861 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-SUITE]:Protocols +121637.567810 Misc 70 conf_set: [QM-AH-3DES-SHA-SUITE]:Protocols->QM-AH-3DES-SHA +121637.567870 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA]:PROTOCOL_ID +121637.567920 Misc 70 conf_set: [QM-AH-3DES-SHA]:PROTOCOL_ID->IPSEC_AH +121637.567967 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA]:Transforms +121637.568016 Misc 70 conf_set: [QM-AH-3DES-SHA]:Transforms->QM-AH-3DES-SHA-XF +121637.568065 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:TRANSFORM_ID +121637.568114 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:TRANSFORM_ID->3DES +121637.568162 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:ENCAPSULATION_MODE +121637.568212 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121637.568263 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121637.568340 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121637.682256 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-XF]:Life +121637.682318 Misc 70 conf_set: [QM-AH-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121637.682368 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-SUITE]:Protocols +121637.682419 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-SUITE]:Protocols->QM-AH-3DES-RIPEMD +121637.682466 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD]:PROTOCOL_ID +121637.682515 Misc 70 
conf_set: [QM-AH-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121637.682562 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD]:Transforms +121637.682612 Misc 70 conf_set: [QM-AH-3DES-RIPEMD]:Transforms->QM-AH-3DES-RIPEMD-XF +121637.682659 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:TRANSFORM_ID +121637.682709 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121637.682756 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121637.794841 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121637.794928 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121637.794981 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121637.795031 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-XF]:Life +121637.795080 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121637.795127 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-SUITE]:Protocols +121637.795178 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-SUITE]:Protocols->QM-AH-3DES-MD5-PFS +121637.795225 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS]:PROTOCOL_ID +121637.795273 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121637.795320 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS]:Transforms +121637.795369 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS]:Transforms->QM-AH-3DES-MD5-PFS-XF +121637.902084 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:TRANSFORM_ID +121637.902148 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121637.902197 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121637.902249 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121637.902298 Misc 60 conf_get_str: configuration value not found 
[QM-AH-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121637.902350 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121637.902400 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121637.902451 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121637.902501 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-MD5-PFS-XF]:Life +121637.902550 Misc 70 conf_set: [QM-AH-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121637.902599 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-SUITE]:Protocols +121638.005698 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-SUITE]:Protocols->QM-AH-3DES-SHA-PFS +121638.005757 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS]:PROTOCOL_ID +121638.005832 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121638.005880 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS]:Transforms +121638.005929 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS]:Transforms->QM-AH-3DES-SHA-PFS-XF +121638.005977 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:TRANSFORM_ID +121638.006027 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121638.006075 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121638.006126 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121638.006175 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121638.006226 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121638.103113 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121638.103177 Misc 70 conf_set: [QM-AH-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121638.103228 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-SHA-PFS-XF]:Life +121638.103277 Misc 70 conf_set: 
[QM-AH-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121638.103328 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-SUITE]:Protocols +121638.103381 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-3DES-RIPEMD-PFS +121638.103455 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS]:PROTOCOL_ID +121638.103507 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121638.103554 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS]:Transforms +121638.103605 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS]:Transforms->QM-AH-3DES-RIPEMD-PFS-XF +121638.103653 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121638.210976 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121638.211037 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121638.211089 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121638.211139 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121638.211190 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121638.211241 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121638.211292 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121638.211341 Misc 60 conf_get_str: configuration value not found [QM-AH-3DES-RIPEMD-PFS-XF]:Life +121638.211391 Misc 70 conf_set: [QM-AH-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121638.211438 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-SUITE]:Protocols +121638.329329 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-SUITE]:Protocols->QM-AH-TRP-3DES-MD5 +121638.329389 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5]:PROTOCOL_ID +121638.329439 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5]:PROTOCOL_ID->IPSEC_AH +121638.329487 
Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5]:Transforms +121638.329536 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5]:Transforms->QM-AH-TRP-3DES-MD5-XF +121638.329586 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:TRANSFORM_ID +121638.329637 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:TRANSFORM_ID->3DES +121638.329684 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE +121638.329736 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121638.329785 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM +121638.329836 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121638.444029 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-XF]:Life +121638.444089 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-XF]:Life->LIFE_QUICK_MODE +121638.444137 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-SUITE]:Protocols +121638.444188 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-SUITE]:Protocols->QM-AH-TRP-3DES-SHA +121638.444235 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA]:PROTOCOL_ID +121638.444284 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA]:PROTOCOL_ID->IPSEC_AH +121638.444331 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA]:Transforms +121638.444381 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA]:Transforms->QM-AH-TRP-3DES-SHA-XF +121638.444428 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:TRANSFORM_ID +121638.444478 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121638.444526 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE +121638.557133 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121638.557199 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM +121638.557252 
Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121638.557301 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-XF]:Life +121638.557351 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-XF]:Life->LIFE_QUICK_MODE +121638.557399 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-SUITE]:Protocols +121638.557450 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-3DES-RIPEMD +121638.557498 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD]:PROTOCOL_ID +121638.557549 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121638.557598 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD]:Transforms +121638.557648 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD]:Transforms->QM-AH-TRP-3DES-RIPEMD-XF +121638.670958 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID +121638.671021 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:TRANSFORM_ID->3DES +121638.671071 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE +121638.671124 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121638.671174 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121638.671226 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121638.671277 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-XF]:Life +121638.671326 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121638.671373 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-SUITE]:Protocols +121638.671424 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-MD5-PFS +121638.778856 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS]:PROTOCOL_ID +121638.778916 Misc 70 conf_set: 
[QM-AH-TRP-3DES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121638.778965 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS]:Transforms +121638.779019 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS]:Transforms->QM-AH-TRP-3DES-MD5-PFS-XF +121638.779067 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID +121638.779118 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:TRANSFORM_ID->3DES +121638.779166 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE +121638.779218 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121638.779292 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121638.779344 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121638.889283 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION +121638.889349 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121638.889399 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-MD5-PFS-XF]:Life +121638.889449 Misc 70 conf_set: [QM-AH-TRP-3DES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121638.889496 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-SUITE]:Protocols +121638.889547 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-SHA-PFS +121638.889595 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS]:PROTOCOL_ID +121638.889645 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121638.889692 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS]:Transforms +121638.889743 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS]:Transforms->QM-AH-TRP-3DES-SHA-PFS-XF +121638.889791 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID +121638.997296 Misc 70 conf_set: 
[QM-AH-TRP-3DES-SHA-PFS-XF]:TRANSFORM_ID->3DES +121638.997357 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE +121638.997409 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121638.997458 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121638.997510 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121638.997559 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION +121638.997610 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121638.997660 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-SHA-PFS-XF]:Life +121638.997709 Misc 70 conf_set: [QM-AH-TRP-3DES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121638.997758 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols +121639.109679 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-3DES-RIPEMD-PFS +121639.109740 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID +121639.109791 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121639.109840 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS]:Transforms +121639.109891 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS]:Transforms->QM-AH-TRP-3DES-RIPEMD-PFS-XF +121639.109942 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID +121639.109992 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:TRANSFORM_ID->3DES +121639.110046 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121639.110099 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121639.110148 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM 
+121639.213623 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121639.213685 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121639.213737 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121639.213787 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:Life +121639.213838 Misc 70 conf_set: [QM-AH-TRP-3DES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121639.213889 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-SUITE]:Protocols +121639.213938 Misc 70 conf_set: [QM-ESP-CAST-MD5-SUITE]:Protocols->QM-ESP-CAST-MD5 +121639.213985 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5]:PROTOCOL_ID +121639.214033 Misc 70 conf_set: [QM-ESP-CAST-MD5]:PROTOCOL_ID->IPSEC_ESP +121639.214079 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5]:Transforms +121639.214128 Misc 70 conf_set: [QM-ESP-CAST-MD5]:Transforms->QM-ESP-CAST-MD5-XF +121639.315153 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:TRANSFORM_ID +121639.315213 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121639.315261 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:ENCAPSULATION_MODE +121639.315312 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121639.315361 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121639.315413 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121639.315462 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-XF]:Life +121639.315511 Misc 70 conf_set: [QM-ESP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121639.315562 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-SUITE]:Protocols +121639.315612 Misc 70 conf_set: [QM-ESP-CAST-SHA-SUITE]:Protocols->QM-ESP-CAST-SHA +121639.315659 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-CAST-SHA]:PROTOCOL_ID +121639.433870 Misc 70 conf_set: [QM-ESP-CAST-SHA]:PROTOCOL_ID->IPSEC_ESP +121639.433928 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA]:Transforms +121639.433978 Misc 70 conf_set: [QM-ESP-CAST-SHA]:Transforms->QM-ESP-CAST-SHA-XF +121639.434029 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:TRANSFORM_ID +121639.434078 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121639.434127 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:ENCAPSULATION_MODE +121639.434178 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121639.434227 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121639.434278 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121639.434328 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-XF]:Life +121639.434377 Misc 70 conf_set: [QM-ESP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121639.543512 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-SUITE]:Protocols +121639.543572 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-SUITE]:Protocols->QM-ESP-CAST-RIPEMD +121639.543620 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD]:PROTOCOL_ID +121639.543669 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121639.543716 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD]:Transforms +121639.543766 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD]:Transforms->QM-ESP-CAST-RIPEMD-XF +121639.543814 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:TRANSFORM_ID +121639.543865 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121639.543912 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121639.543963 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121639.544012 Misc 60 
conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121639.656322 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121639.656385 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-XF]:Life +121639.656436 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121639.656487 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SUITE]:Protocols +121639.656536 Misc 70 conf_set: [QM-ESP-CAST-SUITE]:Protocols->QM-ESP-CAST +121639.656582 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST]:PROTOCOL_ID +121639.656631 Misc 70 conf_set: [QM-ESP-CAST]:PROTOCOL_ID->IPSEC_ESP +121639.656677 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST]:Transforms +121639.656726 Misc 70 conf_set: [QM-ESP-CAST]:Transforms->QM-ESP-CAST-XF +121639.656772 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:TRANSFORM_ID +121639.656820 Misc 70 conf_set: [QM-ESP-CAST-XF]:TRANSFORM_ID->CAST +121639.656866 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:ENCAPSULATION_MODE +121639.774323 Misc 70 conf_set: [QM-ESP-CAST-XF]:ENCAPSULATION_MODE->TUNNEL +121639.774383 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-XF]:Life +121639.774432 Misc 70 conf_set: [QM-ESP-CAST-XF]:Life->LIFE_QUICK_MODE +121639.774484 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-SUITE]:Protocols +121639.774535 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-SUITE]:Protocols->QM-ESP-CAST-MD5-PFS +121639.774583 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS]:PROTOCOL_ID +121639.774632 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121639.774679 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS]:Transforms +121639.774728 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS]:Transforms->QM-ESP-CAST-MD5-PFS-XF +121639.774775 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121639.774825 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121639.878327 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121639.878390 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121639.878440 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121639.878492 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121639.878541 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121639.878592 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121639.878642 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-MD5-PFS-XF]:Life +121639.878691 Misc 70 conf_set: [QM-ESP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121639.878743 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-SUITE]:Protocols +121639.878795 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-SUITE]:Protocols->QM-ESP-CAST-SHA-PFS +121639.878846 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS]:PROTOCOL_ID +121639.980474 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121639.980536 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS]:Transforms +121639.980586 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS]:Transforms->QM-ESP-CAST-SHA-PFS-XF +121639.980634 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121639.980685 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121639.980732 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121639.980784 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121639.980832 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121639.980884 Misc 70 conf_set: 
[QM-ESP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121639.980933 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121640.087495 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121640.087556 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-SHA-PFS-XF]:Life +121640.087606 Misc 70 conf_set: [QM-ESP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121640.087655 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-SUITE]:Protocols +121640.087706 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-CAST-RIPEMD-PFS +121640.087754 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121640.087804 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121640.087852 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS]:Transforms +121640.087903 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS]:Transforms->QM-ESP-CAST-RIPEMD-PFS-XF +121640.087950 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121640.088000 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121640.195092 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121640.195154 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121640.195204 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121640.195255 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121640.195305 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121640.195356 Misc 70 conf_set: [QM-ESP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121640.195406 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-RIPEMD-PFS-XF]:Life +121640.195455 Misc 70 conf_set: 
[QM-ESP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121640.195502 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-SUITE]:Protocols +121640.195551 Misc 70 conf_set: [QM-ESP-CAST-PFS-SUITE]:Protocols->QM-ESP-CAST-PFS +121640.302572 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS]:PROTOCOL_ID +121640.302659 Misc 70 conf_set: [QM-ESP-CAST-PFS]:PROTOCOL_ID->IPSEC_ESP +121640.302708 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS]:Transforms +121640.302757 Misc 70 conf_set: [QM-ESP-CAST-PFS]:Transforms->QM-ESP-CAST-PFS-XF +121640.302805 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:TRANSFORM_ID +121640.302854 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:TRANSFORM_ID->CAST +121640.302902 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:ENCAPSULATION_MODE +121640.302954 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121640.303002 Misc 60 conf_get_str: configuration value not found [QM-ESP-CAST-PFS-XF]:Life +121640.303051 Misc 70 conf_set: [QM-ESP-CAST-PFS-XF]:Life->LIFE_QUICK_MODE +121640.303099 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-SUITE]:Protocols +121640.303150 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-SUITE]:Protocols->QM-ESP-TRP-CAST-MD5 +121640.414659 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5]:PROTOCOL_ID +121640.414719 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5]:PROTOCOL_ID->IPSEC_ESP +121640.414768 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5]:Transforms +121640.414817 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5]:Transforms->QM-ESP-TRP-CAST-MD5-XF +121640.414871 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:TRANSFORM_ID +121640.414922 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121640.414973 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE +121640.415024 Misc 70 
conf_set: [QM-ESP-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121640.415075 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121640.415127 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121640.415179 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-XF]:Life +121640.517248 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121640.517307 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-SUITE]:Protocols +121640.517359 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-SUITE]:Protocols->QM-ESP-TRP-CAST-SHA +121640.517407 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA]:PROTOCOL_ID +121640.517455 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA]:PROTOCOL_ID->IPSEC_ESP +121640.517503 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA]:Transforms +121640.517553 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA]:Transforms->QM-ESP-TRP-CAST-SHA-XF +121640.517601 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:TRANSFORM_ID +121640.517651 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121640.517699 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE +121640.631492 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121640.631552 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121640.631604 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121640.631654 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-XF]:Life +121640.631703 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121640.631751 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-SUITE]:Protocols +121640.631803 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-CAST-RIPEMD 
+121640.631854 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD]:PROTOCOL_ID +121640.631905 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121640.631953 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD]:Transforms +121640.632004 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD]:Transforms->QM-ESP-TRP-CAST-RIPEMD-XF +121640.738983 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID +121640.739044 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121640.739095 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121640.739147 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121640.739197 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121640.739250 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121640.739301 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-XF]:Life +121640.739351 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121640.739397 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SUITE]:Protocols +121640.739447 Misc 70 conf_set: [QM-ESP-TRP-CAST-SUITE]:Protocols->QM-ESP-TRP-CAST +121640.846680 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST]:PROTOCOL_ID +121640.846742 Misc 70 conf_set: [QM-ESP-TRP-CAST]:PROTOCOL_ID->IPSEC_ESP +121640.846790 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST]:Transforms +121640.846840 Misc 70 conf_set: [QM-ESP-TRP-CAST]:Transforms->QM-ESP-TRP-CAST-XF +121640.846888 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:TRANSFORM_ID +121640.846937 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:TRANSFORM_ID->CAST +121640.846985 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:ENCAPSULATION_MODE 
+121640.847036 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:ENCAPSULATION_MODE->TRANSPORT +121640.847084 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-XF]:Life +121640.847133 Misc 70 conf_set: [QM-ESP-TRP-CAST-XF]:Life->LIFE_QUICK_MODE +121640.847183 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-SUITE]:Protocols +121640.847235 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-MD5-PFS +121640.959207 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS]:PROTOCOL_ID +121640.959271 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121640.959320 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS]:Transforms +121640.959372 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS]:Transforms->QM-ESP-TRP-CAST-MD5-PFS-XF +121640.959421 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121640.959472 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121640.959520 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121640.959571 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121640.959620 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121640.959672 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121641.067121 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121641.067184 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121641.067235 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-MD5-PFS-XF]:Life +121641.067285 Misc 70 conf_set: [QM-ESP-TRP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121641.067338 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-SUITE]:Protocols +121641.067390 Misc 70 conf_set: 
[QM-ESP-TRP-CAST-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-SHA-PFS +121641.067438 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS]:PROTOCOL_ID +121641.067488 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121641.067536 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS]:Transforms +121641.067587 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS]:Transforms->QM-ESP-TRP-CAST-SHA-PFS-XF +121641.170383 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121641.170444 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121641.170494 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121641.170546 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121641.170595 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121641.170648 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121641.170698 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121641.170749 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121641.170799 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-SHA-PFS-XF]:Life +121641.170849 Misc 70 conf_set: [QM-ESP-TRP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121641.170898 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols +121641.277953 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-RIPEMD-PFS +121641.278018 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121641.278072 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121641.278121 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS]:Transforms +121641.278173 Misc 
70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS]:Transforms->QM-ESP-TRP-CAST-RIPEMD-PFS-XF +121641.278227 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121641.278278 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121641.278328 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121641.278380 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121641.390664 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121641.390732 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121641.390787 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121641.390841 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121641.390893 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:Life +121641.390944 Misc 70 conf_set: [QM-ESP-TRP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121641.390993 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-SUITE]:Protocols +121641.391044 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-SUITE]:Protocols->QM-ESP-TRP-CAST-PFS +121641.391091 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS]:PROTOCOL_ID +121641.391140 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS]:PROTOCOL_ID->IPSEC_ESP +121641.391187 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS]:Transforms +121641.494856 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS]:Transforms->QM-ESP-TRP-CAST-PFS-XF +121641.494915 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:TRANSFORM_ID +121641.494965 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:TRANSFORM_ID->CAST +121641.495014 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:ENCAPSULATION_MODE +121641.495064 
Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121641.495112 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-CAST-PFS-XF]:Life +121641.495161 Misc 70 conf_set: [QM-ESP-TRP-CAST-PFS-XF]:Life->LIFE_QUICK_MODE +121641.495207 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-SUITE]:Protocols +121641.495256 Misc 70 conf_set: [QM-AH-CAST-MD5-SUITE]:Protocols->QM-AH-CAST-MD5 +121641.495303 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5]:PROTOCOL_ID +121641.495351 Misc 70 conf_set: [QM-AH-CAST-MD5]:PROTOCOL_ID->IPSEC_AH +121641.602162 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5]:Transforms +121641.602221 Misc 70 conf_set: [QM-AH-CAST-MD5]:Transforms->QM-AH-CAST-MD5-XF +121641.602271 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:TRANSFORM_ID +121641.602320 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:TRANSFORM_ID->CAST +121641.602367 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:ENCAPSULATION_MODE +121641.602418 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121641.602468 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121641.602519 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121641.602567 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-XF]:Life +121641.602616 Misc 70 conf_set: [QM-AH-CAST-MD5-XF]:Life->LIFE_QUICK_MODE +121641.602663 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-SUITE]:Protocols +121641.711600 Misc 70 conf_set: [QM-AH-CAST-SHA-SUITE]:Protocols->QM-AH-CAST-SHA +121641.711659 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA]:PROTOCOL_ID +121641.711709 Misc 70 conf_set: [QM-AH-CAST-SHA]:PROTOCOL_ID->IPSEC_AH +121641.711756 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA]:Transforms +121641.711804 Misc 70 conf_set: 
[QM-AH-CAST-SHA]:Transforms->QM-AH-CAST-SHA-XF +121641.711852 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:TRANSFORM_ID +121641.711900 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:TRANSFORM_ID->CAST +121641.711947 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:ENCAPSULATION_MODE +121641.711998 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121641.712047 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121641.712098 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121641.712146 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-XF]:Life +121641.825668 Misc 70 conf_set: [QM-AH-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121641.825727 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-SUITE]:Protocols +121641.825779 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-SUITE]:Protocols->QM-AH-CAST-RIPEMD +121641.825829 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD]:PROTOCOL_ID +121641.825877 Misc 70 conf_set: [QM-AH-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121641.825924 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD]:Transforms +121641.825973 Misc 70 conf_set: [QM-AH-CAST-RIPEMD]:Transforms->QM-AH-CAST-RIPEMD-XF +121641.826046 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:TRANSFORM_ID +121641.826097 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121641.826145 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121641.826196 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121641.939602 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121641.939666 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121641.939716 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-XF]:Life 
+121641.939765 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121641.939815 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-SUITE]:Protocols +121641.939866 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-SUITE]:Protocols->QM-AH-CAST-MD5-PFS +121641.939916 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS]:PROTOCOL_ID +121641.939965 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121641.940015 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS]:Transforms +121641.940068 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS]:Transforms->QM-AH-CAST-MD5-PFS-XF +121641.940115 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:TRANSFORM_ID +121642.052223 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121642.052284 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121642.052336 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121642.052384 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121642.052436 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121642.052485 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121642.052536 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121642.052612 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-MD5-PFS-XF]:Life +121642.052662 Misc 70 conf_set: [QM-AH-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121642.052712 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-SUITE]:Protocols +121642.052764 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-SUITE]:Protocols->QM-AH-CAST-SHA-PFS +121642.149946 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS]:PROTOCOL_ID +121642.150173 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121642.150234 Misc 60 conf_get_str: 
configuration value not found [QM-AH-CAST-SHA-PFS]:Transforms +121642.150285 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS]:Transforms->QM-AH-CAST-SHA-PFS-XF +121642.150332 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:TRANSFORM_ID +121642.150382 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121642.150433 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121642.150484 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121642.150534 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121642.150585 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121642.246643 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121642.246704 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121642.246754 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-SHA-PFS-XF]:Life +121642.246803 Misc 70 conf_set: [QM-AH-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121642.246856 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-SUITE]:Protocols +121642.246907 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-AH-CAST-RIPEMD-PFS +121642.246958 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS]:PROTOCOL_ID +121642.247008 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121642.247057 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS]:Transforms +121642.247107 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS]:Transforms->QM-AH-CAST-RIPEMD-PFS-XF +121642.247158 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121642.365319 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121642.365380 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121642.365432 
Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121642.365483 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121642.365534 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121642.365586 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121642.365637 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121642.365688 Misc 60 conf_get_str: configuration value not found [QM-AH-CAST-RIPEMD-PFS-XF]:Life +121642.365738 Misc 70 conf_set: [QM-AH-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121642.365786 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-SUITE]:Protocols +121642.477853 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-SUITE]:Protocols->QM-AH-TRP-CAST-MD5 +121642.477912 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5]:PROTOCOL_ID +121642.477962 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5]:PROTOCOL_ID->IPSEC_AH +121642.478009 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5]:Transforms +121642.478059 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5]:Transforms->QM-AH-TRP-CAST-MD5-XF +121642.478106 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:TRANSFORM_ID +121642.478157 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:TRANSFORM_ID->CAST +121642.478205 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE +121642.478257 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121642.478306 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM +121642.478358 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121642.590152 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-XF]:Life +121642.590212 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-XF]:Life->LIFE_QUICK_MODE 
+121642.590262 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-SUITE]:Protocols +121642.590314 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-SUITE]:Protocols->QM-AH-TRP-CAST-SHA +121642.590361 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA]:PROTOCOL_ID +121642.590410 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA]:PROTOCOL_ID->IPSEC_AH +121642.590457 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA]:Transforms +121642.590506 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA]:Transforms->QM-AH-TRP-CAST-SHA-XF +121642.590553 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:TRANSFORM_ID +121642.590603 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:TRANSFORM_ID->CAST +121642.590650 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE +121642.693755 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121642.693815 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM +121642.693867 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121642.693916 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-XF]:Life +121642.693964 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-XF]:Life->LIFE_QUICK_MODE +121642.694013 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-SUITE]:Protocols +121642.694065 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-SUITE]:Protocols->QM-AH-TRP-CAST-RIPEMD +121642.694114 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD]:PROTOCOL_ID +121642.694164 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121642.694213 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD]:Transforms +121642.694263 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD]:Transforms->QM-AH-TRP-CAST-RIPEMD-XF +121642.806933 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID +121642.806994 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:TRANSFORM_ID->CAST +121642.807043 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE +121642.807095 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121642.807144 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121642.807196 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121642.807246 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-XF]:Life +121642.807295 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121642.807342 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-SUITE]:Protocols +121642.807393 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-MD5-PFS +121642.919627 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS]:PROTOCOL_ID +121642.919692 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121642.919767 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS]:Transforms +121642.919819 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS]:Transforms->QM-AH-TRP-CAST-MD5-PFS-XF +121642.919870 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID +121642.919921 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:TRANSFORM_ID->CAST +121642.919969 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE +121642.920024 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121642.920075 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121642.920128 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121642.920178 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION +121643.023290 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121643.023353 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-MD5-PFS-XF]:Life +121643.023404 Misc 70 conf_set: [QM-AH-TRP-CAST-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121643.023453 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-SUITE]:Protocols +121643.023505 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-SHA-PFS +121643.023553 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS]:PROTOCOL_ID +121643.023603 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121643.023650 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS]:Transforms +121643.023701 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS]:Transforms->QM-AH-TRP-CAST-SHA-PFS-XF +121643.023751 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID +121643.130550 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:TRANSFORM_ID->CAST +121643.130609 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE +121643.130687 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121643.130738 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121643.130790 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121643.130841 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION +121643.130892 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121643.130942 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-SHA-PFS-XF]:Life +121643.130992 Misc 70 conf_set: [QM-AH-TRP-CAST-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121643.131039 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols +121643.243139 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-CAST-RIPEMD-PFS +121643.243199 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID +121643.243250 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121643.243298 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS]:Transforms +121643.243350 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS]:Transforms->QM-AH-TRP-CAST-RIPEMD-PFS-XF +121643.243400 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID +121643.243450 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:TRANSFORM_ID->CAST +121643.243498 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121643.243550 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121643.243599 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121643.345080 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121643.345142 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121643.345194 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121643.345244 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:Life +121643.345295 Misc 70 conf_set: [QM-AH-TRP-CAST-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121643.345346 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-SUITE]:Protocols +121643.345395 Misc 70 conf_set: [QM-ESP-BLF-MD5-SUITE]:Protocols->QM-ESP-BLF-MD5 +121643.345442 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5]:PROTOCOL_ID +121643.345490 Misc 70 conf_set: [QM-ESP-BLF-MD5]:PROTOCOL_ID->IPSEC_ESP +121643.345537 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-MD5]:Transforms +121643.345586 Misc 70 conf_set: [QM-ESP-BLF-MD5]:Transforms->QM-ESP-BLF-MD5-XF +121643.459031 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:TRANSFORM_ID +121643.459093 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121643.459142 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:KEY_LENGTH +121643.459191 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121643.459240 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:ENCAPSULATION_MODE +121643.459291 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121643.459341 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121643.459392 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121643.459445 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-XF]:Life +121643.459495 Misc 70 conf_set: [QM-ESP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121643.459544 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-SUITE]:Protocols +121643.459593 Misc 70 conf_set: [QM-ESP-BLF-SHA-SUITE]:Protocols->QM-ESP-BLF-SHA +121643.566243 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA]:PROTOCOL_ID +121643.566302 Misc 70 conf_set: [QM-ESP-BLF-SHA]:PROTOCOL_ID->IPSEC_ESP +121643.566350 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA]:Transforms +121643.566399 Misc 70 conf_set: [QM-ESP-BLF-SHA]:Transforms->QM-ESP-BLF-SHA-XF +121643.566449 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:TRANSFORM_ID +121643.566498 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121643.566547 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:KEY_LENGTH +121643.566595 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121643.566644 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:ENCAPSULATION_MODE 
+121643.566695 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121643.566746 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121643.684371 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121643.684433 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-XF]:Life +121643.684482 Misc 70 conf_set: [QM-ESP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121643.684530 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-SUITE]:Protocols +121643.684581 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-SUITE]:Protocols->QM-ESP-BLF-RIPEMD +121643.684632 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD]:PROTOCOL_ID +121643.684681 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121643.684728 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD]:Transforms +121643.684777 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD]:Transforms->QM-ESP-BLF-RIPEMD-XF +121643.684824 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:TRANSFORM_ID +121643.684874 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121643.800288 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:KEY_LENGTH +121643.800350 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121643.800399 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121643.800450 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121643.800499 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121643.800550 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121643.800600 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-XF]:Life +121643.800649 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121643.800700 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-SUITE]:Protocols +121643.800749 Misc 70 conf_set: [QM-ESP-BLF-SUITE]:Protocols->QM-ESP-BLF +121643.800797 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF]:PROTOCOL_ID +121643.904257 Misc 70 conf_set: [QM-ESP-BLF]:PROTOCOL_ID->IPSEC_ESP +121643.904319 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF]:Transforms +121643.904367 Misc 70 conf_set: [QM-ESP-BLF]:Transforms->QM-ESP-BLF-XF +121643.904417 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:TRANSFORM_ID +121643.904465 Misc 70 conf_set: [QM-ESP-BLF-XF]:TRANSFORM_ID->BLOWFISH +121643.904514 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:KEY_LENGTH +121643.904562 Misc 70 conf_set: [QM-ESP-BLF-XF]:KEY_LENGTH->128,96:192 +121643.904611 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:ENCAPSULATION_MODE +121643.904660 Misc 70 conf_set: [QM-ESP-BLF-XF]:ENCAPSULATION_MODE->TUNNEL +121643.904710 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-XF]:Life +121643.904758 Misc 70 conf_set: [QM-ESP-BLF-XF]:Life->LIFE_QUICK_MODE +121643.904806 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-SUITE]:Protocols +121643.904859 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-SUITE]:Protocols->QM-ESP-BLF-MD5-PFS +121644.011623 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS]:PROTOCOL_ID +121644.011682 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121644.011731 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS]:Transforms +121644.011781 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS]:Transforms->QM-ESP-BLF-MD5-PFS-XF +121644.011830 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121644.011881 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121644.011928 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:KEY_LENGTH +121644.011979 Misc 70 conf_set: 
[QM-ESP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121644.012027 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121644.012078 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121644.012128 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121644.103266 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121644.103329 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121644.103381 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121644.103432 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-MD5-PFS-XF]:Life +121644.103481 Misc 70 conf_set: [QM-ESP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121644.103530 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-SUITE]:Protocols +121644.103581 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-SUITE]:Protocols->QM-ESP-BLF-SHA-PFS +121644.103633 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS]:PROTOCOL_ID +121644.103683 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121644.103733 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS]:Transforms +121644.103782 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS]:Transforms->QM-ESP-BLF-SHA-PFS-XF +121644.216504 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121644.216565 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121644.216641 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:KEY_LENGTH +121644.216693 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121644.216742 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121644.216794 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121644.216844 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121644.216895 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121644.216946 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121644.216998 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121644.318891 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-SHA-PFS-XF]:Life +121644.318952 Misc 70 conf_set: [QM-ESP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121644.319001 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-SUITE]:Protocols +121644.319052 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-BLF-RIPEMD-PFS +121644.319105 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121644.319155 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121644.319204 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS]:Transforms +121644.319255 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS]:Transforms->QM-ESP-BLF-RIPEMD-PFS-XF +121644.319304 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121644.319354 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121644.319402 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121644.430571 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121644.430632 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121644.430685 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121644.430734 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121644.430786 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121644.430837 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121644.430888 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121644.430939 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-RIPEMD-PFS-XF]:Life +121644.430988 Misc 70 conf_set: [QM-ESP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121644.431035 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-SUITE]:Protocols +121644.539348 Misc 70 conf_set: [QM-ESP-BLF-PFS-SUITE]:Protocols->QM-ESP-BLF-PFS +121644.539409 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS]:PROTOCOL_ID +121644.539459 Misc 70 conf_set: [QM-ESP-BLF-PFS]:PROTOCOL_ID->IPSEC_ESP +121644.539506 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS]:Transforms +121644.539555 Misc 70 conf_set: [QM-ESP-BLF-PFS]:Transforms->QM-ESP-BLF-PFS-XF +121644.539603 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:TRANSFORM_ID +121644.539652 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:TRANSFORM_ID->BLOWFISH +121644.539700 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:KEY_LENGTH +121644.539748 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:KEY_LENGTH->128,96:192 +121644.539796 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:ENCAPSULATION_MODE +121644.539847 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121644.539897 Misc 60 conf_get_str: configuration value not found [QM-ESP-BLF-PFS-XF]:Life +121644.651678 Misc 70 conf_set: [QM-ESP-BLF-PFS-XF]:Life->LIFE_QUICK_MODE +121644.651739 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-SUITE]:Protocols +121644.651790 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-SUITE]:Protocols->QM-ESP-TRP-BLF-MD5 +121644.651838 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5]:PROTOCOL_ID +121644.651886 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5]:PROTOCOL_ID->IPSEC_ESP +121644.651933 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-BLF-MD5]:Transforms +121644.651982 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5]:Transforms->QM-ESP-TRP-BLF-MD5-XF +121644.652031 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:TRANSFORM_ID +121644.652081 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121644.652129 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:KEY_LENGTH +121644.652179 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121644.754646 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE +121644.754708 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121644.754762 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121644.754814 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121644.754865 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-XF]:Life +121644.754915 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121644.754962 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-SUITE]:Protocols +121644.755012 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-SUITE]:Protocols->QM-ESP-TRP-BLF-SHA +121644.755061 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA]:PROTOCOL_ID +121644.755109 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA]:PROTOCOL_ID->IPSEC_ESP +121644.755157 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA]:Transforms +121644.868631 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA]:Transforms->QM-ESP-TRP-BLF-SHA-XF +121644.868692 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:TRANSFORM_ID +121644.868744 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121644.868792 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:KEY_LENGTH +121644.868842 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 
+121644.868893 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE +121644.868944 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121644.868993 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121644.869045 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121644.869095 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-XF]:Life +121644.869144 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121644.980711 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-SUITE]:Protocols +121644.980772 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-BLF-RIPEMD +121644.980823 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD]:PROTOCOL_ID +121644.980873 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121644.980922 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD]:Transforms +121644.980973 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD]:Transforms->QM-ESP-TRP-BLF-RIPEMD-XF +121644.981024 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID +121644.981074 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121644.981123 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:KEY_LENGTH +121644.981174 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121644.981223 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121645.078467 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.078529 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121645.078582 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121645.078634 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-BLF-RIPEMD-XF]:Life +121645.078683 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121645.078730 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SUITE]:Protocols +121645.078779 Misc 70 conf_set: [QM-ESP-TRP-BLF-SUITE]:Protocols->QM-ESP-TRP-BLF +121645.078831 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF]:PROTOCOL_ID +121645.078879 Misc 70 conf_set: [QM-ESP-TRP-BLF]:PROTOCOL_ID->IPSEC_ESP +121645.078928 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF]:Transforms +121645.186158 Misc 70 conf_set: [QM-ESP-TRP-BLF]:Transforms->QM-ESP-TRP-BLF-XF +121645.186219 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:TRANSFORM_ID +121645.186269 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:TRANSFORM_ID->BLOWFISH +121645.186317 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:KEY_LENGTH +121645.186366 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:KEY_LENGTH->128,96:192 +121645.186414 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:ENCAPSULATION_MODE +121645.186465 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.186515 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-XF]:Life +121645.186564 Misc 70 conf_set: [QM-ESP-TRP-BLF-XF]:Life->LIFE_QUICK_MODE +121645.186611 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-SUITE]:Protocols +121645.186663 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-MD5-PFS +121645.186714 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS]:PROTOCOL_ID +121645.294245 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121645.294305 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS]:Transforms +121645.294357 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS]:Transforms->QM-ESP-TRP-BLF-MD5-PFS-XF +121645.294409 Misc 60 
conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121645.294460 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121645.294508 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH +121645.294559 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121645.294609 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121645.294661 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.294736 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121645.406820 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121645.406882 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121645.406934 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121645.406985 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-MD5-PFS-XF]:Life +121645.407034 Misc 70 conf_set: [QM-ESP-TRP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121645.407082 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-SUITE]:Protocols +121645.407134 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-SHA-PFS +121645.407184 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS]:PROTOCOL_ID +121645.407235 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121645.407283 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS]:Transforms +121645.407333 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS]:Transforms->QM-ESP-TRP-BLF-SHA-PFS-XF +121645.508522 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121645.508585 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121645.508634 Misc 60 conf_get_str: configuration 
value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH +121645.508685 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121645.508736 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121645.508787 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.508838 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121645.508889 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121645.508940 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121645.508991 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121645.617598 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-SHA-PFS-XF]:Life +121645.617658 Misc 70 conf_set: [QM-ESP-TRP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121645.617709 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols +121645.617761 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-RIPEMD-PFS +121645.617811 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121645.617862 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121645.617910 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS]:Transforms +121645.617961 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS]:Transforms->QM-ESP-TRP-BLF-RIPEMD-PFS-XF +121645.618014 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121645.618065 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121645.730680 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121645.730742 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121645.730794 Misc 60 conf_get_str: 
configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121645.730846 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.730897 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121645.730949 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121645.731002 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121645.731053 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121645.731105 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:Life +121645.731156 Misc 70 conf_set: [QM-ESP-TRP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121645.839377 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-SUITE]:Protocols +121645.839438 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-SUITE]:Protocols->QM-ESP-TRP-BLF-PFS +121645.839490 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS]:PROTOCOL_ID +121645.839539 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS]:PROTOCOL_ID->IPSEC_ESP +121645.839587 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS]:Transforms +121645.839637 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS]:Transforms->QM-ESP-TRP-BLF-PFS-XF +121645.839685 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:TRANSFORM_ID +121645.839736 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:TRANSFORM_ID->BLOWFISH +121645.839783 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:KEY_LENGTH +121645.839833 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:KEY_LENGTH->128,96:192 +121645.839882 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-BLF-PFS-XF]:ENCAPSULATION_MODE +121645.959372 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121645.959433 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-BLF-PFS-XF]:Life +121645.959483 Misc 70 conf_set: [QM-ESP-TRP-BLF-PFS-XF]:Life->LIFE_QUICK_MODE +121645.959531 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-SUITE]:Protocols +121645.959579 Misc 70 conf_set: [QM-AH-BLF-MD5-SUITE]:Protocols->QM-AH-BLF-MD5 +121645.959627 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5]:PROTOCOL_ID +121645.959675 Misc 70 conf_set: [QM-AH-BLF-MD5]:PROTOCOL_ID->IPSEC_AH +121645.959722 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5]:Transforms +121645.959770 Misc 70 conf_set: [QM-AH-BLF-MD5]:Transforms->QM-AH-BLF-MD5-XF +121645.959816 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:TRANSFORM_ID +121645.959865 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121645.959911 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:KEY_LENGTH +121646.072927 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121646.072990 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:ENCAPSULATION_MODE +121646.073043 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121646.073092 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121646.073144 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121646.073193 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-XF]:Life +121646.073242 Misc 70 conf_set: [QM-AH-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121646.073291 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-SUITE]:Protocols +121646.073341 Misc 70 conf_set: [QM-AH-BLF-SHA-SUITE]:Protocols->QM-AH-BLF-SHA +121646.073388 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA]:PROTOCOL_ID +121646.073437 Misc 70 conf_set: [QM-AH-BLF-SHA]:PROTOCOL_ID->IPSEC_AH +121646.189155 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA]:Transforms +121646.189214 Misc 70 conf_set: 
[QM-AH-BLF-SHA]:Transforms->QM-AH-BLF-SHA-XF +121646.189263 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:TRANSFORM_ID +121646.189312 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121646.189358 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:KEY_LENGTH +121646.189407 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121646.189455 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:ENCAPSULATION_MODE +121646.189505 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121646.189554 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121646.189605 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121646.189653 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-XF]:Life +121646.189702 Misc 70 conf_set: [QM-AH-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121646.302086 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-SUITE]:Protocols +121646.302147 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-SUITE]:Protocols->QM-AH-BLF-RIPEMD +121646.302196 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD]:PROTOCOL_ID +121646.302245 Misc 70 conf_set: [QM-AH-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121646.302292 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD]:Transforms +121646.302341 Misc 70 conf_set: [QM-AH-BLF-RIPEMD]:Transforms->QM-AH-BLF-RIPEMD-XF +121646.302389 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:TRANSFORM_ID +121646.302438 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121646.302513 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:KEY_LENGTH +121646.302563 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121646.302611 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121646.409199 Misc 70 conf_set: 
[QM-AH-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121646.409260 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121646.409313 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121646.409363 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-XF]:Life +121646.409412 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121646.409459 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-SUITE]:Protocols +121646.409510 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-SUITE]:Protocols->QM-AH-BLF-MD5-PFS +121646.409558 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS]:PROTOCOL_ID +121646.409607 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121646.409654 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS]:Transforms +121646.409703 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS]:Transforms->QM-AH-BLF-MD5-PFS-XF +121646.510915 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:TRANSFORM_ID +121646.510977 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121646.511026 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:KEY_LENGTH +121646.511078 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121646.511127 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121646.511178 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121646.511228 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121646.511280 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121646.511330 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121646.511381 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121646.511431 Misc 60 conf_get_str: configuration value not found 
[QM-AH-BLF-MD5-PFS-XF]:Life +121646.618390 Misc 70 conf_set: [QM-AH-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121646.618450 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-SUITE]:Protocols +121646.618501 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-SUITE]:Protocols->QM-AH-BLF-SHA-PFS +121646.618550 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS]:PROTOCOL_ID +121646.618598 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121646.618645 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS]:Transforms +121646.618694 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS]:Transforms->QM-AH-BLF-SHA-PFS-XF +121646.618743 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:TRANSFORM_ID +121646.618793 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121646.618841 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:KEY_LENGTH +121646.618890 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121646.714669 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121646.714730 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121646.714780 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121646.714831 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121646.714882 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121646.714933 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121646.714983 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-SHA-PFS-XF]:Life +121646.715032 Misc 70 conf_set: [QM-AH-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121646.715082 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-SUITE]:Protocols +121646.715133 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-AH-BLF-RIPEMD-PFS +121646.715185 
Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS]:PROTOCOL_ID +121646.827683 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121646.827745 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS]:Transforms +121646.827796 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS]:Transforms->QM-AH-BLF-RIPEMD-PFS-XF +121646.827843 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121646.827894 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121646.827942 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121646.827993 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121646.828041 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121646.828092 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121646.828141 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121646.936267 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121646.936331 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121646.936383 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121646.936434 Misc 60 conf_get_str: configuration value not found [QM-AH-BLF-RIPEMD-PFS-XF]:Life +121646.936483 Misc 70 conf_set: [QM-AH-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121646.936533 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-SUITE]:Protocols +121646.936584 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-SUITE]:Protocols->QM-AH-TRP-BLF-MD5 +121646.936633 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5]:PROTOCOL_ID +121646.936682 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5]:PROTOCOL_ID->IPSEC_AH +121646.936729 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5]:Transforms 
+121646.936778 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5]:Transforms->QM-AH-TRP-BLF-MD5-XF +121647.048820 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:TRANSFORM_ID +121647.048881 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:TRANSFORM_ID->BLOWFISH +121647.048930 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:KEY_LENGTH +121647.048980 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:KEY_LENGTH->128,96:192 +121647.049029 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE +121647.049080 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.049130 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM +121647.049181 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121647.049231 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-XF]:Life +121647.049280 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-XF]:Life->LIFE_QUICK_MODE +121647.049327 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-SUITE]:Protocols +121647.156054 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-SUITE]:Protocols->QM-AH-TRP-BLF-SHA +121647.156113 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA]:PROTOCOL_ID +121647.156163 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA]:PROTOCOL_ID->IPSEC_AH +121647.156210 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA]:Transforms +121647.156259 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA]:Transforms->QM-AH-TRP-BLF-SHA-XF +121647.156308 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:TRANSFORM_ID +121647.156359 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:TRANSFORM_ID->BLOWFISH +121647.156407 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:KEY_LENGTH +121647.156457 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:KEY_LENGTH->128,96:192 +121647.156505 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE +121647.156556 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.269568 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM +121647.269632 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121647.269683 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-XF]:Life +121647.269732 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-XF]:Life->LIFE_QUICK_MODE +121647.269779 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-SUITE]:Protocols +121647.269830 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-SUITE]:Protocols->QM-AH-TRP-BLF-RIPEMD +121647.269879 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD]:PROTOCOL_ID +121647.269929 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121647.269979 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD]:Transforms +121647.270035 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD]:Transforms->QM-AH-TRP-BLF-RIPEMD-XF +121647.270085 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID +121647.376945 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:TRANSFORM_ID->BLOWFISH +121647.377006 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:KEY_LENGTH +121647.377058 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:KEY_LENGTH->128,96:192 +121647.377106 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE +121647.377158 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.377207 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121647.377259 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121647.377309 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-XF]:Life +121647.377359 Misc 70 
conf_set: [QM-AH-TRP-BLF-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121647.377407 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-SUITE]:Protocols +121647.377458 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-MD5-PFS +121647.482037 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS]:PROTOCOL_ID +121647.482098 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121647.482173 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS]:Transforms +121647.482224 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS]:Transforms->QM-AH-TRP-BLF-MD5-PFS-XF +121647.482273 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID +121647.482324 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:TRANSFORM_ID->BLOWFISH +121647.482372 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH +121647.482422 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:KEY_LENGTH->128,96:192 +121647.482471 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE +121647.482522 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.588958 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121647.589019 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121647.589071 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION +121647.589122 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121647.589173 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-MD5-PFS-XF]:Life +121647.589223 Misc 70 conf_set: [QM-AH-TRP-BLF-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121647.589275 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-SUITE]:Protocols +121647.589326 Misc 70 conf_set: 
[QM-AH-TRP-BLF-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-SHA-PFS +121647.589374 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS]:PROTOCOL_ID +121647.589424 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121647.589472 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS]:Transforms +121647.696250 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS]:Transforms->QM-AH-TRP-BLF-SHA-PFS-XF +121647.696314 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID +121647.696366 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:TRANSFORM_ID->BLOWFISH +121647.696414 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH +121647.696466 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:KEY_LENGTH->128,96:192 +121647.696515 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE +121647.696567 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.696617 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121647.696669 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121647.696720 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION +121647.810494 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121647.810556 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-SHA-PFS-XF]:Life +121647.810607 Misc 70 conf_set: [QM-AH-TRP-BLF-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121647.810655 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols +121647.810706 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-BLF-RIPEMD-PFS +121647.810760 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID +121647.810811 Misc 70 conf_set: 
[QM-AH-TRP-BLF-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121647.810861 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS]:Transforms +121647.810912 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS]:Transforms->QM-AH-TRP-BLF-RIPEMD-PFS-XF +121647.810961 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID +121647.917963 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:TRANSFORM_ID->BLOWFISH +121647.918024 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH +121647.918076 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:KEY_LENGTH->128,96:192 +121647.918125 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121647.918177 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121647.918227 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121647.918279 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121647.918330 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121647.918381 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121647.918432 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:Life +121648.027002 Misc 70 conf_set: [QM-AH-TRP-BLF-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121648.027062 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-SUITE]:Protocols +121648.027111 Misc 70 conf_set: [QM-ESP-AES-MD5-SUITE]:Protocols->QM-ESP-AES-MD5 +121648.027159 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5]:PROTOCOL_ID +121648.027208 Misc 70 conf_set: [QM-ESP-AES-MD5]:PROTOCOL_ID->IPSEC_ESP +121648.027254 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5]:Transforms +121648.027303 Misc 70 conf_set: [QM-ESP-AES-MD5]:Transforms->QM-ESP-AES-MD5-XF 
+121648.027350 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:TRANSFORM_ID +121648.027398 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:TRANSFORM_ID->AES +121648.027445 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:ENCAPSULATION_MODE +121648.027496 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121648.027544 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121648.141536 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121648.141596 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-XF]:Life +121648.141645 Misc 70 conf_set: [QM-ESP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121648.141694 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-SUITE]:Protocols +121648.141743 Misc 70 conf_set: [QM-ESP-AES-SHA-SUITE]:Protocols->QM-ESP-AES-SHA +121648.141790 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA]:PROTOCOL_ID +121648.141838 Misc 70 conf_set: [QM-ESP-AES-SHA]:PROTOCOL_ID->IPSEC_ESP +121648.141885 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA]:Transforms +121648.141933 Misc 70 conf_set: [QM-ESP-AES-SHA]:Transforms->QM-ESP-AES-SHA-XF +121648.141980 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:TRANSFORM_ID +121648.142028 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:TRANSFORM_ID->AES +121648.142074 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:ENCAPSULATION_MODE +121648.254087 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121648.254146 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121648.254197 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121648.254246 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-XF]:Life +121648.254294 Misc 70 conf_set: [QM-ESP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121648.254342 Misc 60 
conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-SUITE]:Protocols +121648.254393 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-SUITE]:Protocols->QM-ESP-AES-RIPEMD +121648.254444 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD]:PROTOCOL_ID +121648.254492 Misc 70 conf_set: [QM-ESP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121648.254540 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD]:Transforms +121648.254589 Misc 70 conf_set: [QM-ESP-AES-RIPEMD]:Transforms->QM-ESP-AES-RIPEMD-XF +121648.366986 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:TRANSFORM_ID +121648.367046 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121648.367094 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121648.367146 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121648.367194 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121648.367246 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121648.367295 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-XF]:Life +121648.367343 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121648.367395 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SUITE]:Protocols +121648.367444 Misc 70 conf_set: [QM-ESP-AES-SUITE]:Protocols->QM-ESP-AES +121648.367493 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES]:PROTOCOL_ID +121648.471226 Misc 70 conf_set: [QM-ESP-AES]:PROTOCOL_ID->IPSEC_ESP +121648.471285 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES]:Transforms +121648.471334 Misc 70 conf_set: [QM-ESP-AES]:Transforms->QM-ESP-AES-XF +121648.471381 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-XF]:TRANSFORM_ID +121648.471429 Misc 70 conf_set: [QM-ESP-AES-XF]:TRANSFORM_ID->AES +121648.471477 Misc 60 conf_get_str: configuration value not 
found [QM-ESP-AES-XF]:ENCAPSULATION_MODE +121648.471527 Misc 70 conf_set: [QM-ESP-AES-XF]:ENCAPSULATION_MODE->TUNNEL +121648.471576 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-XF]:Life +121648.471624 Misc 70 conf_set: [QM-ESP-AES-XF]:Life->LIFE_QUICK_MODE +121648.471670 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-SUITE]:Protocols +121648.471720 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-SUITE]:Protocols->QM-ESP-AES-MD5-PFS +121648.471767 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS]:PROTOCOL_ID +121648.579801 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121648.579860 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS]:Transforms +121648.579910 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS]:Transforms->QM-ESP-AES-MD5-PFS-XF +121648.579958 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:TRANSFORM_ID +121648.580012 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121648.580065 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121648.580119 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121648.580168 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121648.580220 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121648.580269 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121648.580320 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121648.682591 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-MD5-PFS-XF]:Life +121648.682651 Misc 70 conf_set: [QM-ESP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121648.682700 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-SUITE]:Protocols +121648.682752 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-SUITE]:Protocols->QM-ESP-AES-SHA-PFS +121648.682803 Misc 
60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS]:PROTOCOL_ID +121648.682852 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121648.682901 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS]:Transforms +121648.682950 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS]:Transforms->QM-ESP-AES-SHA-PFS-XF +121648.682997 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:TRANSFORM_ID +121648.683047 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121648.683095 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121648.794702 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121648.794761 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121648.794812 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121648.794862 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121648.794912 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121648.794961 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-SHA-PFS-XF]:Life +121648.795010 Misc 70 conf_set: [QM-ESP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121648.795060 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-SUITE]:Protocols +121648.795111 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-AES-RIPEMD-PFS +121648.795160 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS]:PROTOCOL_ID +121648.903515 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121648.903577 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS]:Transforms +121648.903629 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS]:Transforms->QM-ESP-AES-RIPEMD-PFS-XF +121648.903678 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121648.903728 
Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121648.903775 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121648.903827 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121648.903876 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121648.903927 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121648.904003 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121648.904055 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121649.011361 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-RIPEMD-PFS-XF]:Life +121649.011424 Misc 70 conf_set: [QM-ESP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121649.011474 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-SUITE]:Protocols +121649.011524 Misc 70 conf_set: [QM-ESP-AES-PFS-SUITE]:Protocols->QM-ESP-AES-PFS +121649.011572 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS]:PROTOCOL_ID +121649.011620 Misc 70 conf_set: [QM-ESP-AES-PFS]:PROTOCOL_ID->IPSEC_ESP +121649.011667 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS]:Transforms +121649.011716 Misc 70 conf_set: [QM-ESP-AES-PFS]:Transforms->QM-ESP-AES-PFS-XF +121649.011763 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:TRANSFORM_ID +121649.011811 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:TRANSFORM_ID->AES +121649.011858 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:ENCAPSULATION_MODE +121649.123226 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121649.123286 Misc 60 conf_get_str: configuration value not found [QM-ESP-AES-PFS-XF]:Life +121649.123335 Misc 70 conf_set: [QM-ESP-AES-PFS-XF]:Life->LIFE_QUICK_MODE +121649.123382 Misc 60 conf_get_str: configuration value not found 
[QM-ESP-TRP-AES-MD5-SUITE]:Protocols +121649.123432 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-SUITE]:Protocols->QM-ESP-TRP-AES-MD5 +121649.123479 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5]:PROTOCOL_ID +121649.123528 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5]:PROTOCOL_ID->IPSEC_ESP +121649.123575 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5]:Transforms +121649.123624 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5]:Transforms->QM-ESP-TRP-AES-MD5-XF +121649.123670 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:TRANSFORM_ID +121649.123721 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:TRANSFORM_ID->AES +121649.123768 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:ENCAPSULATION_MODE +121649.231738 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.231798 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121649.231850 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121649.231899 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-XF]:Life +121649.231948 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121649.231996 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-SUITE]:Protocols +121649.232046 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-SUITE]:Protocols->QM-ESP-TRP-AES-SHA +121649.232123 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA]:PROTOCOL_ID +121649.232172 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA]:PROTOCOL_ID->IPSEC_ESP +121649.232220 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA]:Transforms +121649.338915 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA]:Transforms->QM-ESP-TRP-AES-SHA-XF +121649.338975 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:TRANSFORM_ID +121649.339026 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:TRANSFORM_ID->AES 
+121649.339074 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:ENCAPSULATION_MODE +121649.339125 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.339174 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121649.339225 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121649.339274 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-XF]:Life +121649.339323 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121649.339374 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-SUITE]:Protocols +121649.339425 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-SUITE]:Protocols->QM-ESP-TRP-AES-RIPEMD +121649.451322 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD]:PROTOCOL_ID +121649.451384 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_ESP +121649.451434 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD]:Transforms +121649.451484 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD]:Transforms->QM-ESP-TRP-AES-RIPEMD-XF +121649.451534 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:TRANSFORM_ID +121649.451585 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121649.451633 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121649.451684 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.451734 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121649.451785 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121649.549378 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-XF]:Life +121649.549439 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121649.549487 Misc 60 conf_get_str: configuration 
value not found [QM-ESP-TRP-AES-SUITE]:Protocols +121649.549537 Misc 70 conf_set: [QM-ESP-TRP-AES-SUITE]:Protocols->QM-ESP-TRP-AES +121649.549586 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES]:PROTOCOL_ID +121649.549634 Misc 70 conf_set: [QM-ESP-TRP-AES]:PROTOCOL_ID->IPSEC_ESP +121649.549682 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES]:Transforms +121649.549731 Misc 70 conf_set: [QM-ESP-TRP-AES]:Transforms->QM-ESP-TRP-AES-XF +121649.549779 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:TRANSFORM_ID +121649.549827 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:TRANSFORM_ID->AES +121649.549875 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:ENCAPSULATION_MODE +121649.549926 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.657023 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-XF]:Life +121649.657081 Misc 70 conf_set: [QM-ESP-TRP-AES-XF]:Life->LIFE_QUICK_MODE +121649.657133 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-SUITE]:Protocols +121649.657185 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-MD5-PFS +121649.657235 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS]:PROTOCOL_ID +121649.657286 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_ESP +121649.657335 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS]:Transforms +121649.657386 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS]:Transforms->QM-ESP-TRP-AES-MD5-PFS-XF +121649.657433 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID +121649.657484 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121649.657531 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121649.764255 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.764315 
Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121649.764368 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121649.764417 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121649.764468 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121649.764518 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-MD5-PFS-XF]:Life +121649.764567 Misc 70 conf_set: [QM-ESP-TRP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121649.764616 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-SUITE]:Protocols +121649.764668 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-SHA-PFS +121649.764718 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS]:PROTOCOL_ID +121649.876913 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_ESP +121649.876975 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS]:Transforms +121649.877027 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS]:Transforms->QM-ESP-TRP-AES-SHA-PFS-XF +121649.877081 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID +121649.877133 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121649.877182 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121649.877233 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121649.877282 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121649.877334 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121649.877384 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121649.978446 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 
+121649.978507 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-SHA-PFS-XF]:Life +121649.978557 Misc 70 conf_set: [QM-ESP-TRP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121649.978606 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-SUITE]:Protocols +121649.978658 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-RIPEMD-PFS +121649.978708 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID +121649.978759 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_ESP +121649.978808 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS]:Transforms +121649.978859 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS]:Transforms->QM-ESP-TRP-AES-RIPEMD-PFS-XF +121649.978911 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121650.086686 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121650.086747 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121650.086800 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121650.086851 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121650.086903 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121650.086954 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121650.087006 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121650.087057 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:Life +121650.087108 Misc 70 conf_set: [QM-ESP-TRP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121650.087157 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-SUITE]:Protocols +121650.194700 Misc 70 conf_set: 
[QM-ESP-TRP-AES-PFS-SUITE]:Protocols->QM-ESP-TRP-AES-PFS +121650.194761 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS]:PROTOCOL_ID +121650.194811 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS]:PROTOCOL_ID->IPSEC_ESP +121650.194860 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS]:Transforms +121650.194909 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS]:Transforms->QM-ESP-TRP-AES-PFS-XF +121650.194958 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:TRANSFORM_ID +121650.195008 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:TRANSFORM_ID->AES +121650.195057 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:ENCAPSULATION_MODE +121650.195108 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121650.195157 Misc 60 conf_get_str: configuration value not found [QM-ESP-TRP-AES-PFS-XF]:Life +121650.195206 Misc 70 conf_set: [QM-ESP-TRP-AES-PFS-XF]:Life->LIFE_QUICK_MODE +121650.195253 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-SUITE]:Protocols +121650.307686 Misc 70 conf_set: [QM-AH-AES-MD5-SUITE]:Protocols->QM-AH-AES-MD5 +121650.307742 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5]:PROTOCOL_ID +121650.307791 Misc 70 conf_set: [QM-AH-AES-MD5]:PROTOCOL_ID->IPSEC_AH +121650.307838 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5]:Transforms +121650.307887 Misc 70 conf_set: [QM-AH-AES-MD5]:Transforms->QM-AH-AES-MD5-XF +121650.307936 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:TRANSFORM_ID +121650.307984 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:TRANSFORM_ID->AES +121650.308032 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:ENCAPSULATION_MODE +121650.308082 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:ENCAPSULATION_MODE->TUNNEL +121650.308131 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121650.308182 Misc 70 conf_set: 
[QM-AH-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121650.410402 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-XF]:Life +121650.410462 Misc 70 conf_set: [QM-AH-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121650.410516 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-SUITE]:Protocols +121650.410565 Misc 70 conf_set: [QM-AH-AES-SHA-SUITE]:Protocols->QM-AH-AES-SHA +121650.410613 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA]:PROTOCOL_ID +121650.410662 Misc 70 conf_set: [QM-AH-AES-SHA]:PROTOCOL_ID->IPSEC_AH +121650.410709 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA]:Transforms +121650.410757 Misc 70 conf_set: [QM-AH-AES-SHA]:Transforms->QM-AH-AES-SHA-XF +121650.410805 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:TRANSFORM_ID +121650.410854 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:TRANSFORM_ID->AES +121650.410901 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:ENCAPSULATION_MODE +121650.410951 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121650.533594 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121650.533656 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121650.533706 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-XF]:Life +121650.533754 Misc 70 conf_set: [QM-AH-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121650.533807 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-SUITE]:Protocols +121650.533857 Misc 70 conf_set: [QM-AH-AES-RIPEMD-SUITE]:Protocols->QM-AH-AES-RIPEMD +121650.533908 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD]:PROTOCOL_ID +121650.533957 Misc 70 conf_set: [QM-AH-AES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121650.534005 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD]:Transforms +121650.534054 Misc 70 conf_set: [QM-AH-AES-RIPEMD]:Transforms->QM-AH-AES-RIPEMD-XF 
+121650.534101 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:TRANSFORM_ID +121650.631799 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121650.631860 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121650.631911 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TUNNEL +121650.631959 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121650.632010 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121650.632059 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-XF]:Life +121650.632108 Misc 70 conf_set: [QM-AH-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121650.632156 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-SUITE]:Protocols +121650.632207 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-SUITE]:Protocols->QM-AH-AES-MD5-PFS +121650.632254 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS]:PROTOCOL_ID +121650.632302 Misc 70 conf_set: [QM-AH-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121650.744923 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS]:Transforms +121650.744985 Misc 70 conf_set: [QM-AH-AES-MD5-PFS]:Transforms->QM-AH-AES-MD5-PFS-XF +121650.745033 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:TRANSFORM_ID +121650.745084 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121650.745132 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121650.745183 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121650.745232 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121650.745284 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121650.745333 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121650.745384 Misc 70 
conf_set: [QM-AH-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121650.745433 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-MD5-PFS-XF]:Life +121650.846859 Misc 70 conf_set: [QM-AH-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121650.846917 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-SUITE]:Protocols +121650.846969 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-SUITE]:Protocols->QM-AH-AES-SHA-PFS +121650.847017 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS]:PROTOCOL_ID +121650.847066 Misc 70 conf_set: [QM-AH-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121650.847114 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS]:Transforms +121650.847163 Misc 70 conf_set: [QM-AH-AES-SHA-PFS]:Transforms->QM-AH-AES-SHA-PFS-XF +121650.847210 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:TRANSFORM_ID +121650.847260 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121650.847307 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121650.847358 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121650.847406 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121650.953751 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121650.953812 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121650.953863 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121650.953913 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-SHA-PFS-XF]:Life +121650.953962 Misc 70 conf_set: [QM-AH-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121650.954012 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-SUITE]:Protocols +121650.954063 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-AES-RIPEMD-PFS +121650.954116 Misc 60 conf_get_str: configuration value not found 
[QM-AH-AES-RIPEMD-PFS]:PROTOCOL_ID +121650.954166 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121650.954215 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS]:Transforms +121651.040214 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS]:Transforms->QM-AH-AES-RIPEMD-PFS-XF +121651.040277 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121651.040329 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121651.040380 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121651.040432 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TUNNEL +121651.040482 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121651.040534 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121651.040585 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121651.040636 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121651.040687 Misc 60 conf_get_str: configuration value not found [QM-AH-AES-RIPEMD-PFS-XF]:Life +121651.040737 Misc 70 conf_set: [QM-AH-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121651.061098 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-SUITE]:Protocols +121651.061160 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-SUITE]:Protocols->QM-AH-TRP-AES-MD5 +121651.061210 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5]:PROTOCOL_ID +121651.061259 Misc 70 conf_set: [QM-AH-TRP-AES-MD5]:PROTOCOL_ID->IPSEC_AH +121651.061307 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5]:Transforms +121651.061356 Misc 70 conf_set: [QM-AH-TRP-AES-MD5]:Transforms->QM-AH-TRP-AES-MD5-XF +121651.061405 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:TRANSFORM_ID +121651.061455 Misc 70 conf_set: 
[QM-AH-TRP-AES-MD5-XF]:TRANSFORM_ID->AES +121651.061503 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:ENCAPSULATION_MODE +121651.061554 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.061603 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM +121651.169570 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121651.169631 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-XF]:Life +121651.169681 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-XF]:Life->LIFE_QUICK_MODE +121651.169730 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-SUITE]:Protocols +121651.169781 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-SUITE]:Protocols->QM-AH-TRP-AES-SHA +121651.169830 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA]:PROTOCOL_ID +121651.169878 Misc 70 conf_set: [QM-AH-TRP-AES-SHA]:PROTOCOL_ID->IPSEC_AH +121651.169925 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA]:Transforms +121651.169974 Misc 70 conf_set: [QM-AH-TRP-AES-SHA]:Transforms->QM-AH-TRP-AES-SHA-XF +121651.170027 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:TRANSFORM_ID +121651.170080 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:TRANSFORM_ID->AES +121651.282424 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:ENCAPSULATION_MODE +121651.282485 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.282535 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM +121651.282586 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121651.282635 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-XF]:Life +121651.282684 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-XF]:Life->LIFE_QUICK_MODE +121651.282734 Misc 60 conf_get_str: configuration value not found 
[QM-AH-TRP-AES-RIPEMD-SUITE]:Protocols +121651.282785 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-SUITE]:Protocols->QM-AH-TRP-AES-RIPEMD +121651.282837 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD]:PROTOCOL_ID +121651.282886 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD]:PROTOCOL_ID->IPSEC_AH +121651.282935 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD]:Transforms +121651.389857 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD]:Transforms->QM-AH-TRP-AES-RIPEMD-XF +121651.389919 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:TRANSFORM_ID +121651.389970 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:TRANSFORM_ID->AES +121651.390025 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE +121651.390080 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.390131 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM +121651.390183 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121651.390234 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-XF]:Life +121651.390283 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-XF]:Life->LIFE_QUICK_MODE +121651.390331 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-SUITE]:Protocols +121651.497428 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-SUITE]:Protocols->QM-AH-TRP-AES-MD5-PFS +121651.497488 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS]:PROTOCOL_ID +121651.497539 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS]:PROTOCOL_ID->IPSEC_AH +121651.497588 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS]:Transforms +121651.497667 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS]:Transforms->QM-AH-TRP-AES-MD5-PFS-XF +121651.497719 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID +121651.497770 Misc 70 
conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:TRANSFORM_ID->AES +121651.497818 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE +121651.497870 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.497919 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM +121651.497971 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_MD5 +121651.616378 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION +121651.616439 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:GROUP_DESCRIPTION->MODP_768 +121651.616490 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-MD5-PFS-XF]:Life +121651.616539 Misc 70 conf_set: [QM-AH-TRP-AES-MD5-PFS-XF]:Life->LIFE_QUICK_MODE +121651.616590 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-SUITE]:Protocols +121651.616641 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-SUITE]:Protocols->QM-AH-TRP-AES-SHA-PFS +121651.616692 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS]:PROTOCOL_ID +121651.616743 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS]:PROTOCOL_ID->IPSEC_AH +121651.616791 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS]:Transforms +121651.616841 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS]:Transforms->QM-AH-TRP-AES-SHA-PFS-XF +121651.723468 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID +121651.723529 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:TRANSFORM_ID->AES +121651.723578 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE +121651.723630 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.723680 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM +121651.723731 Misc 70 conf_set: 
[QM-AH-TRP-AES-SHA-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121651.723782 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION +121651.723833 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121651.723883 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-SHA-PFS-XF]:Life +121651.723932 Misc 70 conf_set: [QM-AH-TRP-AES-SHA-PFS-XF]:Life->LIFE_QUICK_MODE +121651.723983 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-SUITE]:Protocols +121651.836365 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-SUITE]:Protocols->QM-AH-TRP-AES-RIPEMD-PFS +121651.836429 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID +121651.836482 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS]:PROTOCOL_ID->IPSEC_AH +121651.836533 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS]:Transforms +121651.836584 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS]:Transforms->QM-AH-TRP-AES-RIPEMD-PFS-XF +121651.836637 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID +121651.836689 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:TRANSFORM_ID->AES +121651.836738 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE +121651.836790 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:ENCAPSULATION_MODE->TRANSPORT +121651.836841 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM +121651.943295 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:AUTHENTICATION_ALGORITHM->HMAC_RIPEMD +121651.943360 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION +121651.943413 Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024 +121651.943464 Misc 60 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life +121651.943515 
Misc 70 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE +121651.943574 Misc 60 conf_get_str: configuration value not found [Phase 2]:Connections +121651.943626 Misc 60 conf_get_str: [Phase 2]:Passive-Connections->Group-1234 +121651.943684 Misc 60 conf_get_str: configuration value not found [Group-1234]:Local-ID +121651.943732 Misc 60 conf_get_str: configuration value not found [Group-1234]:Remote-ID +121651.943776 Misc 60 conf_get_str: [Group-1234]:Group-ID->Group-1 +121651.943826 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID +121652.050448 Misc 60 conf_get_str: [Group-1]:Key-value->1234 +121652.050511 Misc 60 connection_record_passive: passive connection "Group-1234" added +121652.050734 Timr 10 timer_add_event: event cookie_reset_event(0x0) added last, expiration in 360s +121652.050781 Plcy 30 policy_init: initializing +121652.050940 Misc 60 conf_get_str: [General]:Policy-file->/etc/isakmpd/isakmpd.policy +121652.051106 Misc 60 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/ +121652.051169 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/ +121652.074691 Misc 60 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/ +121652.074760 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/ +121652.075863 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.2 +121652.075966 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.2 +121652.076092 Trpt 70 transport_add: adding 0x11d180 +121652.076146 Trpt 90 transport_reference: transport 0x11d180 now has 1 references +121652.159879 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.2 +121652.159969 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.2 +121652.160042 Trpt 70 transport_add: adding 0x11d200 +121652.160092 Trpt 90 transport_reference: transport 0x11d200 now has 1 references +121652.160137 Misc 60 conf_get_str: [General]:Listen-on->127.0.0.2 +121652.162661 Misc 60 conf_get_str: configuration value not found [General]:SRTP-client +121723.677276 
Trpt 70 transport_add: adding 0x11d280 +121723.678134 Trpt 90 transport_reference: transport 0x11d280 now has 1 references +121723.678185 Mesg 90 message_alloc: allocated 0x138000 +121723.678321 Mesg 70 message_recv: message 0x138000 +121723.678385 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121723.678441 Mesg 70 RCOOKIE: 0x0000000000000000 +121723.678484 Mesg 70 NEXT_PAYLOAD: SA +121723.678527 Mesg 70 VERSION: 16 +121723.678569 Mesg 70 EXCH_TYPE: ID_PROT +121723.678610 Mesg 70 FLAGS: [ ] +121723.678657 Mesg 70 MESSAGE_ID: 0x00000000 +121723.678700 Mesg 70 LENGTH: 80 +121723.678793 Mesg 70 message_recv: a91b9d50 35d8fc4f 00000000 00000000 01100200 00000000 00000050 00000034 +121723.678891 Mesg 70 message_recv: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121723.678958 Mesg 70 message_recv: 80030001 80040002 800b0001 800c0e10 +121723.679004 SA 90 sa_find: no SA matched query +121723.679057 Mesg 50 message_parse_payloads: offset 0x1c payload SA +121723.679110 Mesg 60 message_validate_payloads: payload SA at 0x11d31c of message 0x138000 +121723.679198 Mesg 70 DOI: 2 +121723.679279 Misc 60 conf_get_str: [Phase 1]:127.0.0.1->ISAKMP-peer-client +121723.679332 Misc 60 conf_get_str: [ISAKMP-peer-client]:Configuration->Default-main-mode +121723.679382 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP +121723.679425 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +121723.679514 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121723.679581 Timr 10 timer_add_event: event exchange_free_aux(0x11b800) added before cookie_reset_event(0x0), expiration in 120s +121723.679693 Exch 10 exchange_setup_p1: 0x11b800 ISAKMP-peer-client Default-main-mode policy responder phase 1 doi 2 exchange 2 step 0 +121723.679747 Exch 10 exchange_setup_p1: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121723.679789 Exch 10 exchange_setup_p1: msgid 00000000 +121723.679835 Trpt 90 transport_reference: transport 0x11d280 now has 2 references 
+121723.679882 SA 80 sa_reference: SA 0x11b900 now has 1 references +121723.679923 SA 70 sa_enter: SA 0x11b900 added to SA list +121723.680329 SA 80 sa_reference: SA 0x11b900 now has 2 references +121723.680382 SA 60 sa_create: sa 0x11b900 phase 1 added to exchange 0x11b800 (ISAKMP-peer-client) +121723.680427 SA 80 sa_reference: SA 0x11b900 now has 3 references +121723.680474 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL +121723.680522 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM +121723.680566 Mesg 50 Transform 0's attributes +121723.680615 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x11d328 of message 0x138000 +121723.680658 Mesg 70 NO: 1 +121723.680700 Mesg 70 PROTO: ISAKMP +121723.680742 Mesg 70 SPI_SZ: 0 +121723.680783 Mesg 70 NTRANSFORMS: 1 +121723.680831 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x11d330 of message 0x138000 +121723.680874 Mesg 70 NO: 0 +121723.680914 Mesg 70 ID: 1 +121723.680970 Exch 90 exchange_validate: checking for required SA +121723.681016 Misc 30 gdoi_responder: phase 1 exchange 2 step 0 +121723.681088 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok +121723.681281 SA 80 sa_add_transform: proto 0x12f180 no 1 proto 1 chosen 0x134400 sa 0x11b900 id 1 +121723.681415 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +121723.681486 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +121723.681662 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +121723.681724 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +121723.681773 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +121723.681823 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121723.681875 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121723.681920 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121723.681970 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_3600_SECS +121723.682021 Misc 60 conf_get_str: 
[3DES-SHA]:Life->LIFE_3600_SECS +121723.682101 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121723.682147 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121723.682314 Misc 90 conf_match_num: LIFE_3600_SECS:LIFE_DURATION 1800<=3600<=7200? +121723.682396 Negt 20 ike_phase_1_validate_prop: success +121723.682445 Negt 30 message_negotiate_sa: proposal 1 succeeded +121723.686657 Misc 20 ipsec_decode_transform: transform 0 chosen +121723.686737 Misc 70 group_get: returning 0x12f1c0 of group 2 +121723.686796 Exch 40 exchange_run: exchange 0x11b800 finished step 0, advancing... +121723.686856 Trpt 90 transport_reference: transport 0x11d280 now has 3 references +121723.686900 Mesg 90 message_alloc: allocated 0x13a000 +121723.686942 SA 80 sa_reference: SA 0x11b900 now has 4 references +121723.686988 Misc 30 gdoi_responder: phase 1 exchange 2 step 1 +121723.687051 Exch 90 exchange_validate: checking for required SA +121723.687098 Mesg 70 message_send: message 0x13a000 +121723.687150 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121723.687201 Mesg 70 RCOOKIE: 0x272325e695db688b +121723.687243 Mesg 70 NEXT_PAYLOAD: SA +121723.687286 Mesg 70 VERSION: 16 +121723.687327 Mesg 70 EXCH_TYPE: ID_PROT +121723.687369 Mesg 70 FLAGS: [ ] +121723.687416 Mesg 70 MESSAGE_ID: 0x00000000 +121723.687458 Mesg 70 LENGTH: 80 +121723.687549 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 01100200 00000000 00000050 00000034 +121723.925133 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121723.925212 Mesg 70 message_send: 80030001 80040002 800b0001 800c0e10 +121723.925256 Exch 40 exchange_run: exchange 0x11b800 finished step 1, advancing... 
+121723.925305 Trpt 90 transport_reference: transport 0x11d280 now has 4 references +121723.925350 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121723.925393 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121723.925438 Trpt 90 transport_release: transport 0x11d280 had 4 references +121723.925480 Trpt 90 transport_release: transport 0x11d200 had 2 references +121723.925523 Trpt 90 transport_release: transport 0x11d180 had 2 references +121723.925584 Trpt 90 transport_reference: transport 0x11d280 now has 4 references +121723.925631 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121723.925675 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121724.143686 Misc 60 conf_get_str: [General]:retransmits->5 +121724.143750 Trpt 30 transport_send_messages: message 0x13a000 scheduled for retransmission 1 in 7 secs +121724.143808 Timr 10 timer_add_event: event message_send_expire(0x13a000) added before exchange_free_aux(0x11b800), expiration in 7s +121724.143859 Trpt 90 transport_release: transport 0x11d280 had 4 references +121724.143903 Trpt 90 transport_release: transport 0x11d200 had 2 references +121724.143945 Trpt 90 transport_release: transport 0x11d180 had 2 references +121725.469943 Trpt 70 transport_add: adding 0x11d400 +121725.470459 Trpt 90 transport_reference: transport 0x11d400 now has 1 references +121725.470513 Mesg 90 message_alloc: allocated 0x13d000 +121725.470555 Mesg 70 message_recv: message 0x13d000 +121725.470607 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121725.470658 Mesg 70 RCOOKIE: 0x272325e695db688b +121725.470701 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +121725.470744 Mesg 70 VERSION: 16 +121725.470785 Mesg 70 EXCH_TYPE: ID_PROT +121725.470826 Mesg 70 FLAGS: [ ] +121725.470874 Mesg 70 MESSAGE_ID: 0x00000000 +121725.470917 Mesg 70 LENGTH: 180 +121725.471006 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 04100200 00000000 000000b4 0a000084 +121725.471095 Mesg 70 
message_recv: dc3805d3 83333156 c9377ebb 9edcbf1e f47a3568 35f919a1 c001bced 4200a7f1 +121725.471180 Mesg 70 message_recv: ea756842 6f179a39 2bec73b5 a5ab53a4 2e23f6f8 d267445e e4162bdc 0383bf9f +121725.471267 Mesg 70 message_recv: 413288a5 ca001eb0 03f4ac01 6aca97bb b2141f25 762db6bd 4c2553a9 a053dfa7 +121725.471353 Mesg 70 message_recv: a4f3ea21 47859eba 999122da a3959ff7 37b276fd 1d610b88 f073296d 0899c928 +121725.471465 Mesg 70 message_recv: 00000014 8dabce1d 9668bad7 f285a090 9fe43631 +121725.471515 SA 80 sa_reference: SA 0x11b900 now has 5 references +121725.471560 Mesg 90 message_check_duplicate: last_received 0x138000 +121725.471597 Mesg 95 message_check_duplicate: last_received: +121725.471686 Mesg 95 a91b9d50 35d8fc4f 00000000 00000000 01100200 00000000 00000050 00000034 +121725.471777 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +121725.471839 Mesg 95 80030001 80040002 800b0001 800c0e10 +121725.471877 Mesg 20 message_free: freeing 0x13a000 +121725.471923 Timr 10 timer_remove_event: removing event message_send_expire(0x13a000) +121725.471972 Trpt 90 transport_release: transport 0x11d280 had 3 references +121725.472015 SA 80 sa_release: SA 0x11b900 had 5 references +121725.472072 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH +121725.472122 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE +121725.472517 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x11bb1c of message 0x13d000 +121725.472576 Mesg 60 message_validate_payloads: payload NONCE at 0x11bba0 of message 0x13d000 +121725.472628 Exch 90 exchange_validate: checking for required KEY_EXCH +121725.472672 Exch 90 exchange_validate: checking for required NONCE +121725.472715 Misc 30 gdoi_responder: phase 1 exchange 2 step 2 +121725.472856 Misc 80 ipsec_g_x: g^xi: +121725.472950 Misc 80 dc3805d3 83333156 c9377ebb 9edcbf1e f47a3568 35f919a1 c001bced 4200a7f1 +121725.473032 Misc 80 ea756842 6f179a39 2bec73b5 a5ab53a4 2e23f6f8 d267445e 
e4162bdc 0383bf9f +121725.473114 Misc 80 413288a5 ca001eb0 03f4ac01 6aca97bb b2141f25 762db6bd 4c2553a9 a053dfa7 +121725.473195 Misc 80 a4f3ea21 47859eba 999122da a3959ff7 37b276fd 1d610b88 f073296d 0899c928 +121725.473240 Exch 80 exchange_nonce: NONCE_i: +121725.473323 Exch 80 8dabce1d 9668bad7 f285a090 9fe43631 +121725.473371 Mesg 20 message_free: freeing 0x138000 +121725.473420 Trpt 90 transport_release: transport 0x11d280 had 2 references +121725.473927 SA 80 sa_release: SA 0x11b900 had 4 references +121725.473983 Exch 40 exchange_run: exchange 0x11b800 finished step 2, advancing... +121725.474040 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121725.474084 Mesg 90 message_alloc: allocated 0x138000 +121725.474126 SA 80 sa_reference: SA 0x11b900 now has 4 references +121725.474172 Misc 30 gdoi_responder: phase 1 exchange 2 step 3 +121725.562253 Misc 80 ipsec_g_x: g^xr: +121725.562380 Misc 80 a7af4111 7b9995e6 60aee99e 47a6768e 643adad7 a97dcb1b 702ce452 15f17e6b +121725.562491 Misc 80 965190a9 992bcfaf 4d60ec3d ffa36cc6 66c47b8f c54057d3 63a9fdd3 f21c6f20 +121725.562600 Misc 80 82e52265 2ffcc71d 6831fd89 406d3594 d049da95 7bd84063 e0b7e5ab be9521b8 +121725.562712 Misc 80 fe09fea9 731031b8 f6a47b64 5e820c6d 139f6411 369bcb52 dab74e37 aeacc2e1 +121725.562795 Exch 80 exchange_nonce: NONCE_r: +121725.562886 Exch 80 f4eab493 b1a92507 4050d5ba 598f3613 +121725.562960 Exch 90 exchange_validate: checking for required KEY_EXCH +121725.563026 Exch 90 exchange_validate: checking for required NONCE +121725.563072 Mesg 70 message_send: message 0x138000 +121725.563124 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121725.563175 Mesg 70 RCOOKIE: 0x272325e695db688b +121725.563218 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +121725.563262 Mesg 70 VERSION: 16 +121725.563303 Mesg 70 EXCH_TYPE: ID_PROT +121725.563344 Mesg 70 FLAGS: [ ] +121725.563392 Mesg 70 MESSAGE_ID: 0x00000000 +121725.563434 Mesg 70 LENGTH: 180 +121725.563525 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 
95db688b 04100200 00000000 000000b4 0a000084 +121725.563611 Mesg 70 message_send: a7af4111 7b9995e6 60aee99e 47a6768e 643adad7 a97dcb1b 702ce452 15f17e6b +121725.563696 Mesg 70 message_send: 965190a9 992bcfaf 4d60ec3d ffa36cc6 66c47b8f c54057d3 63a9fdd3 f21c6f20 +121725.563781 Mesg 70 message_send: 82e52265 2ffcc71d 6831fd89 406d3594 d049da95 7bd84063 e0b7e5ab be9521b8 +121725.563866 Mesg 70 message_send: fe09fea9 731031b8 f6a47b64 5e820c6d 139f6411 369bcb52 dab74e37 aeacc2e1 +121725.563936 Mesg 70 message_send: 00000014 f4eab493 b1a92507 4050d5ba 598f3613 +121725.802451 Exch 40 exchange_run: exchange 0x11b800 finished step 3, advancing... +121725.802511 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121725.802556 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121725.802599 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121725.802642 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121725.802687 Trpt 90 transport_release: transport 0x11d400 had 3 references +121725.802730 Trpt 90 transport_release: transport 0x11d280 had 2 references +121725.802772 Trpt 90 transport_release: transport 0x11d200 had 2 references +121725.802815 Trpt 90 transport_release: transport 0x11d180 had 2 references +121725.802876 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121725.802923 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121725.802967 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121726.021607 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121726.022676 Misc 60 conf_get_str: [General]:retransmits->5 +121726.022738 Trpt 30 transport_send_messages: message 0x138000 scheduled for retransmission 1 in 7 secs +121726.022797 Timr 10 timer_add_event: event message_send_expire(0x138000) added before exchange_free_aux(0x11b800), expiration in 7s +121726.125513 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy: 
+121726.125615 Negt 80 e78e53b2 bb018782 ec0d0626 c4e31b2f 261b235d 897a7639 1f8017f7 3775f020 +121726.125700 Negt 80 49d794b8 a8da3bd0 6c7b0852 dae2ed0c 3dc639ca 9d2608d0 739606bc e618a703 +121726.125781 Negt 80 bf40a86d 7df260f5 c1fb2bb6 4bb8a8a1 6ea350d3 2dbcd253 2e16799b 1eaae30d +121726.125862 Negt 80 30147fc2 49c13169 9f18f9cc e0d441ac e0067fb5 e150c978 96b1dd2f 27023d7f +121726.126007 Misc 60 conf_get_str: [ISAKMP-peer-client]:Authentication->mekmitasdigoat +121726.126138 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID: +121726.126209 Negt 80 0a1ce288 962c79ce f60cf60d 5d446fd5 aa233cce +121726.365097 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d: +121726.365174 Negt 80 a0196db2 779136c5 44a59880 acb75ed4 34bc82de +121726.365259 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a: +121726.365328 Negt 80 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121726.365415 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e: +121726.365486 Negt 80 0ce6eb14 700dc3b1 030da7c7 12eb684e 065f3b0c +121726.365729 Cryp 40 crypto_init: key: +121726.365813 Cryp 40 80cdab03 c1105d2b 48ab436d de73f5b1 bbbe5544 9c1efe69 +121726.377324 Cryp 50 crypto_update_iv: initialized IV: +121726.377389 Cryp 50 553ed9a2 39f300e2 +121726.377437 Trpt 90 transport_release: transport 0x11d400 had 3 references +121726.377482 Trpt 90 transport_release: transport 0x11d280 had 2 references +121726.377524 Trpt 90 transport_release: transport 0x11d200 had 2 references +121726.377567 Trpt 90 transport_release: transport 0x11d180 had 2 references +121727.668987 Trpt 70 transport_add: adding 0x11d580 +121727.669686 Trpt 90 transport_reference: transport 0x11d580 now has 1 references +121727.669789 Mesg 90 message_alloc: allocated 0x13a000 +121727.669885 Mesg 70 message_recv: message 0x13a000 +121727.669987 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121727.670099 Mesg 70 RCOOKIE: 0x272325e695db688b +121727.670194 Mesg 70 NEXT_PAYLOAD: ID +121727.670289 Mesg 70 VERSION: 16 +121727.670382 Mesg 70 
EXCH_TYPE: ID_PROT +121727.670477 Mesg 70 FLAGS: [ ENC ] +121727.670578 Mesg 70 MESSAGE_ID: 0x00000000 +121727.670672 Mesg 70 LENGTH: 92 +121727.670813 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 05100201 00000000 0000005c 1dbe68d8 +121727.670957 Mesg 70 message_recv: 9cb1fadd ac9ce755 92ebee87 22241f8f 0b3893fb d51cfa4a 67bfc2d6 3387a344 +121727.671095 Mesg 70 message_recv: db9a05ab d81b2da0 7fde6d17 3fd77a41 a3112203 519c8757 4c1fe705 +121727.671198 SA 80 sa_reference: SA 0x11b900 now has 5 references +121727.671294 Mesg 90 message_check_duplicate: last_received 0x13d000 +121727.671382 Mesg 95 message_check_duplicate: last_received: +121727.671513 Mesg 95 a91b9d50 35d8fc4f 272325e6 95db688b 04100200 00000000 000000b4 0a000084 +121727.671864 Mesg 95 dc3805d3 83333156 c9377ebb 9edcbf1e f47a3568 35f919a1 c001bced 4200a7f1 +121727.671986 Mesg 95 ea756842 6f179a39 2bec73b5 a5ab53a4 2e23f6f8 d267445e e4162bdc 0383bf9f +121727.672098 Mesg 95 413288a5 ca001eb0 03f4ac01 6aca97bb b2141f25 762db6bd 4c2553a9 a053dfa7 +121727.672208 Mesg 95 a4f3ea21 47859eba 999122da a3959ff7 37b276fd 1d610b88 f073296d 0899c928 +121727.672302 Mesg 95 00000014 8dabce1d 9668bad7 f285a090 9fe43631 +121727.672368 Mesg 20 message_free: freeing 0x138000 +121727.672443 Timr 10 timer_remove_event: removing event message_send_expire(0x138000) +121727.672520 Trpt 90 transport_release: transport 0x11d400 had 2 references +121727.672591 SA 80 sa_release: SA 0x11b900 had 5 references +121727.672788 Cryp 10 crypto_decrypt: before decryption: +121727.672955 Cryp 10 1dbe68d8 9cb1fadd ac9ce755 92ebee87 22241f8f 0b3893fb d51cfa4a 67bfc2d6 +121727.673069 Cryp 10 3387a344 db9a05ab d81b2da0 7fde6d17 3fd77a41 a3112203 519c8757 4c1fe705 +121727.673194 Cryp 30 crypto_decrypt: after decryption: +121727.673290 Cryp 30 0800000c 01000000 7f000001 0b000018 a9b24331 62a99ee6 0736c4f5 de6e1a59 +121727.673375 Cryp 30 1a415f5a 0000001c 00000001 01106002 a91b9d50 35d8fc4f 272325e6 95db688b +121727.673427 Mesg 50 
message_parse_payloads: offset 0x1c payload ID +121727.673476 Mesg 50 message_parse_payloads: offset 0x28 payload HASH +121727.673522 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY +121727.673573 Mesg 60 message_validate_payloads: payload ID at 0x11d61c of message 0x13a000 +121727.673618 Mesg 70 TYPE: 1 +121727.673664 Mesg 70 DOI_DATA: 0x000000 +121727.673713 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1 +121727.673751 Mesg 40 gdoi_validate_id_information: IPv4: +121727.673794 Mesg 40 7f000001 +121727.673838 Mesg 60 message_validate_payloads: payload HASH at 0x11d628 of message 0x13a000 +121727.673885 Mesg 60 message_validate_payloads: payload NOTIFY at 0x11d640 of message 0x13a000 +121727.673928 Mesg 70 DOI: IPSEC +121727.673969 Mesg 70 PROTO: ISAKMP +121727.674656 Mesg 70 SPI_SZ: 16 +121727.674709 Mesg 70 MSG_TYPE: INITIAL_CONTACT +121727.674772 Exch 90 exchange_validate: checking for required ID +121727.674816 Exch 90 exchange_validate: checking for required AUTH +121727.674860 Misc 30 gdoi_responder: phase 1 exchange 2 step 4 +121727.674905 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR: +121727.674950 Negt 40 7f000001 +121727.674994 Misc 80 pre_shared_decode_hash: HASH_I: +121727.675059 Misc 80 a9b24331 62a99ee6 0736c4f5 de6e1a59 1a415f5a +121727.675204 Negt 80 ike_phase_1_recv_AUTH: computed HASH_I: +121727.675274 Negt 80 a9b24331 62a99ee6 0736c4f5 de6e1a59 1a415f5a +121727.675316 Exch 10 exchange_run: unexpected payload NOTIFY +121727.675360 Mesg 20 message_free: freeing 0x13d000 +121727.675408 Trpt 90 transport_release: transport 0x11d400 had 1 references +121727.675449 Trpt 70 transport_release: freeing 0x11d400 +121727.675492 SA 80 sa_release: SA 0x11b900 had 4 references +121727.675533 Cryp 50 crypto_update_iv: updated IV: +121727.919043 Cryp 50 519c8757 4c1fe705 +121727.919098 Exch 40 exchange_run: exchange 0x11b800 finished step 4, advancing... 
+121727.919158 Trpt 90 transport_reference: transport 0x11d580 now has 2 references +121727.919202 Mesg 90 message_alloc: allocated 0x138000 +121727.919245 SA 80 sa_reference: SA 0x11b900 now has 4 references +121727.919291 Misc 30 gdoi_responder: phase 1 exchange 2 step 5 +121727.919344 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:ID +121727.919394 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID +121727.919450 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: +121727.919496 Negt 40 7f000002 +121727.919638 Misc 80 pre_shared_encode_hash: HASH_R: +121727.919711 Misc 80 6e77c752 90bb6817 569faa79 1579756f 9658f47f +121727.919791 Exch 90 exchange_validate: checking for required ID +121727.919839 Exch 90 exchange_validate: checking for required AUTH +121727.919889 Cryp 10 crypto_encrypt: before encryption: +121727.919983 Cryp 10 0800000c 01000000 7f000002 0b000018 6e77c752 90bb6817 569faa79 1579756f +121728.162646 Cryp 10 9658f47f 0000001c 00000001 01106002 a91b9d50 35d8fc4f 272325e6 95db688b +121728.162736 Cryp 30 crypto_encrypt: after encryption: +121728.162820 Cryp 30 737cbd6c 179b2f71 8d5b4840 0754148a 39814c80 aedfa085 e20fdc36 6e62cf5c +121728.162901 Cryp 30 ad99ce22 59e22476 a63766f2 689bfd0d 24c374ec 51506b08 a659dffb 7a720843 +121728.162939 Cryp 50 crypto_update_iv: updated IV: +121728.162985 Cryp 50 a659dffb 7a720843 +121728.163024 Mesg 70 message_send: message 0x138000 +121728.163074 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121728.163124 Mesg 70 RCOOKIE: 0x272325e695db688b +121728.163167 Mesg 70 NEXT_PAYLOAD: ID +121728.163210 Mesg 70 VERSION: 16 +121728.163251 Mesg 70 EXCH_TYPE: ID_PROT +121728.163296 Mesg 70 FLAGS: [ ENC ] +121728.163343 Mesg 70 MESSAGE_ID: 0x00000000 +121728.163385 Mesg 70 LENGTH: 92 +121728.163474 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 05100201 00000000 0000005c 737cbd6c +121728.163561 Mesg 70 message_send: 179b2f71 8d5b4840 0754148a 39814c80 aedfa085 e20fdc36 6e62cf5c 
ad99ce22 +121728.391878 Mesg 70 message_send: 59e22476 a63766f2 689bfd0d 24c374ec 51506b08 a659dffb 7a720843 +121728.391932 Exch 40 exchange_run: exchange 0x11b800 finished step 5, advancing... +121728.391982 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121728.392027 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121728.392070 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121728.392114 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121728.392158 Trpt 90 transport_release: transport 0x11d580 had 3 references +121728.392201 Trpt 90 transport_release: transport 0x11d280 had 2 references +121728.392244 Trpt 90 transport_release: transport 0x11d200 had 2 references +121728.392286 Trpt 90 transport_release: transport 0x11d180 had 2 references +121728.392349 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121728.392396 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121728.563620 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121728.563673 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121728.564403 Exch 10 exchange_finalize: 0x11b800 ISAKMP-peer-client Default-main-mode policy responder phase 1 doi 2 exchange 2 step 6 +121728.564463 Exch 10 exchange_finalize: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121728.564505 Exch 10 exchange_finalize: msgid 00000000 +121728.564550 SA 90 sa_find: no SA matched query +121728.564603 Misc 60 conf_get_str: configuration value not found [ISAKMP-peer-client]:Flags +121728.564815 Exch 10 exchange_finalize: phase 1 done: initiator id 7f000001: 127.0.0.1, responder id 7f000002: 127.0.0.2, src: 127.0.0.2 dst: 127.0.0.1 +121728.564884 Timr 95 sa_setup_expirations: SA 0x11b900 soft timeout in 3258 seconds +121728.564938 Timr 10 timer_add_event: event sa_soft_expire(0x11b900) added last, expiration in 3258s +121728.564984 SA 80 sa_reference: SA 0x11b900 
now has 5 references +121728.795868 Timr 95 sa_setup_expirations: SA 0x11b900 hard timeout in 3600 seconds +121728.795931 Timr 10 timer_add_event: event sa_hard_expire(0x11b900) added last, expiration in 3600s +121728.795977 SA 80 sa_reference: SA 0x11b900 now has 6 references +121728.796019 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!! + +121728.796070 SA 80 sa_release: SA 0x11b900 had 6 references +121728.796119 Trpt 90 transport_release: transport 0x11d580 had 3 references +121728.796163 Trpt 90 transport_release: transport 0x11d280 had 2 references +121728.796206 Trpt 90 transport_release: transport 0x11d200 had 2 references +121728.796248 Trpt 90 transport_release: transport 0x11d180 had 2 references +121730.006283 Trpt 70 transport_add: adding 0x11d400 +121730.007012 Trpt 90 transport_reference: transport 0x11d400 now has 1 references +121730.007062 Mesg 90 message_alloc: allocated 0x13d000 +121730.007104 Mesg 70 message_recv: message 0x13d000 +121730.007155 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121730.007206 Mesg 70 RCOOKIE: 0x272325e695db688b +121730.007249 Mesg 70 NEXT_PAYLOAD: HASH +121730.007291 Mesg 70 VERSION: 16 +121730.007332 Mesg 70 EXCH_TYPE: QUICK_MODE +121730.007376 Mesg 70 FLAGS: [ ENC ] +121730.007423 Mesg 70 MESSAGE_ID: 0x483c11c0 +121730.007465 Mesg 70 LENGTH: 84 +121730.007552 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 00000054 9b257ede +121730.007640 Mesg 70 message_recv: 8c855951 8f905539 855b58e8 d17cb277 bdde509e eedc0ecf 673bf505 e07d6026 +121730.007708 Mesg 70 message_recv: a4e31df8 2fec55cd a62d62b2 b231f5b2 4155d6d6 +121730.007755 SA 80 sa_reference: SA 0x11b900 now has 6 references +121730.007834 Cryp 80 gdoi_get_keystate: final phase 1 IV: +121730.007887 Cryp 80 a659dffb 7a720843 +121730.007923 Cryp 80 gdoi_get_keystate: message ID: +121730.008005 Cryp 80 483c11c0 +121730.008077 Cryp 50 crypto_update_iv: initialized IV: +121730.008126 Cryp 50 4be9d7f1 44ba8c2e +121730.008161 Cryp 80 
gdoi_get_keystate: phase 2 IV: +121730.008206 Cryp 80 4be9d7f1 44ba8c2e +121730.008244 Cryp 10 crypto_decrypt: before decryption: +121730.008325 Cryp 10 9b257ede 8c855951 8f905539 855b58e8 d17cb277 bdde509e eedc0ecf 673bf505 +121730.008393 Cryp 10 e07d6026 a4e31df8 2fec55cd a62d62b2 b231f5b2 4155d6d6 +121730.008470 Cryp 30 crypto_decrypt: after decryption: +121730.008555 Cryp 30 0a000018 cbcd9b40 2b21b9a9 83718913 9d6bb0f7 3b3272e3 05000014 69d181ef +121730.008629 Cryp 30 e0b9580e 4106b883 719b382a 0000000c 0b000000 000004d2 +121730.008679 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +121730.008727 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE +121730.008772 Mesg 50 message_parse_payloads: offset 0x48 payload ID +121730.008824 Mesg 60 message_validate_payloads: payload ID at 0x11d748 of message 0x13d000 +121730.009387 Mesg 70 TYPE: 11 +121730.009440 Mesg 70 DOI_DATA: 0x000000 +121730.009501 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +121730.009561 Timr 10 timer_add_event: event exchange_free_aux(0x11bb00) added before cookie_reset_event(0x0), expiration in 120s +121730.009621 Exch 10 exchange_setup_p2: 0x11bb00 policy responder phase 2 doi 2 exchange 32 step 0 +121730.009669 Exch 10 exchange_setup_p2: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121730.009713 Exch 10 exchange_setup_p2: msgid 483c11c0 sa_list +121730.009759 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 11 +121730.009799 Mesg 40 gdoi_validate_id_information: key id +121730.009845 Mesg 60 message_validate_payloads: payload HASH at 0x11d71c of message 0x13d000 +121730.009893 Mesg 60 message_validate_payloads: payload NONCE at 0x11d734 of message 0x13d000 +121730.009945 Exch 90 exchange_validate: checking for required HASH +121730.009987 Exch 90 exchange_validate: checking for required NONCE +121730.010333 Exch 90 exchange_validate: checking for required ID +121730.010386 Misc 30 gdoi_responder: phase 2 exchange 32 step 0 +121730.010592 Negt 90 
group_check_hash: SKEYID_a: +121730.010671 Negt 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121730.010734 Negt 90 group_check_hash: message_id: +121730.010779 Negt 90 483c11c0 +121730.010817 Negt 90 group_check_hash: payloads after HASH: +121730.010904 Negt 90 05000014 69d181ef e0b9580e 4106b883 719b382a 0000000c 0b000000 000004d2 +121730.011010 Negt 80 group_check_hash: computed HASH: +121730.011081 Negt 80 cbcd9b40 2b21b9a9 83718913 9d6bb0f7 3b3272e3 +121730.011126 Exch 80 exchange_nonce: NONCE_i: +121730.011185 Exch 80 69d181ef e0b9580e 4106b883 719b382a +121730.011225 Misc 90 responder_recv_HASH_NONCE_ID: ID: +121730.011275 Misc 90 0b000000 000004d2 +121730.011320 Cryp 50 crypto_update_iv: updated IV: +121730.011366 Cryp 50 b231f5b2 4155d6d6 +121730.011408 Exch 40 exchange_run: exchange 0x11bb00 finished step 0, advancing... +121730.011464 Trpt 90 transport_reference: transport 0x11d400 now has 2 references +121730.011606 Mesg 90 message_alloc: allocated 0x13e000 +121730.011654 SA 80 sa_reference: SA 0x11b900 now has 7 references +121730.011701 Misc 30 gdoi_responder: phase 2 exchange 32 step 1 +121730.011835 Exch 80 exchange_nonce: NONCE_r: +121730.011907 Exch 80 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121730.011952 Misc 60 connection_passive_lookup_by_group_id: returned "Group-1234" +121730.012078 Misc 60 conf_get_str: [Group-1234]:Configuration->Default-group-mode +121730.012140 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +121730.012184 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +121730.012230 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +121730.012316 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:SA-KEK +121730.012361 Default gdoi_add_sa_payload: No SA-KEK found -- no rekey will happen +121730.012409 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121730.012523 SA 80 sa_reference: SA 0x11bc00 now has 1 references +121730.012568 SA 70 
sa_enter: SA 0x11bc00 added to SA list +121730.012610 SA 80 sa_reference: SA 0x11bc00 now has 2 references +121730.012657 SA 60 sa_create: sa 0x11bc00 phase 2 added to exchange 0x11bb00 (Group-1234) +121730.012707 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +121730.012749 Default gdoi_add_sa_payload: Assuming ESP +121730.012875 Misc 60 conf_get_str: [GROUP1-TEK1]:Src-ID->Group-tek1-src +121730.012939 Misc 60 conf_get_str: [Group-tek1-src]:ID-type->IPV4_ADDR +121730.012985 Misc 60 conf_get_str: [Group-tek1-src]:Address->172.19.137.42 +121730.013033 Misc 60 conf_get_str: [Group-tek1-src]:Port->1024 +121730.013087 Misc 60 conf_get_str: [GROUP1-TEK1]:Dst-ID->Group-tek1-dst +121730.013135 Misc 60 conf_get_str: [Group-tek1-dst]:ID-type->IPV4_ADDR +121730.013179 Misc 60 conf_get_str: [Group-tek1-dst]:Address->239.192.1.1 +121730.013223 Misc 60 conf_get_str: [Group-tek1-dst]:Port->1024 +121730.264613 Misc 60 conf_get_str: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +121730.264674 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +121730.264722 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121730.264765 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-3DES-SHA-XF +121730.264812 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121730.264861 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY1->ABCDEFGH +121730.264906 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY2->IJKLMNOP +121730.264948 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY3->QRSTUVWX +121730.264991 Misc 60 conf_get_str: [GROUP1-TEK1]:SPI->287484603 +121730.265041 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121730.265090 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121730.265138 Misc 60 conf_get_str: [GROUP1-TEK1]:SHA_KEY->12345678901234567890 +121730.265189 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:Life->LIFE_3600_SECS +121730.472189 
Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121730.472248 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121730.472320 Default SPI found (SA) 287484603 287484603 (0x1122aabb) for sa 0x11bc00 +121730.472380 Trpt 90 transport_reference: transport 0x11d400 now has 4 references +121730.472429 SA 80 sa_reference: SA 0x11bd00 now has 1 references +121730.472470 SA 70 sa_enter: SA 0x11bd00 added to SA list +121730.472512 SA 80 sa_reference: SA 0x11bd00 now has 2 references +121730.472558 SA 60 sa_create: sa 0x11bd00 phase 2 added to exchange 0x11bb00 (Group-1234) +121730.472609 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +121730.472651 Default gdoi_add_sa_payload: Assuming ESP +121730.472703 Misc 60 conf_get_str: [GROUP1-TEK2]:Src-ID->Group-tek2-src +121730.472751 Misc 60 conf_get_str: [Group-tek2-src]:ID-type->IPV4_ADDR +121730.472795 Misc 60 conf_get_str: [Group-tek2-src]:Address->172.19.137.42 +121730.704326 Misc 60 conf_get_str: [Group-tek2-src]:Port->512 +121730.704395 Misc 60 conf_get_str: [GROUP1-TEK2]:Dst-ID->Group-tek2-dst +121730.704447 Misc 60 conf_get_str: [Group-tek2-dst]:ID-type->IPV4_ADDR +121730.704491 Misc 60 conf_get_str: [Group-tek2-dst]:Address->239.192.1.2 +121730.704535 Misc 60 conf_get_str: [Group-tek2-dst]:Port->512 +121730.704587 Misc 60 conf_get_str: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +121730.704636 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +121730.704680 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +121730.704724 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-3DES-SHA-XF +121730.704771 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:TRANSFORM_ID->3DES +121730.704819 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY1->FEDCBA11 +121730.704865 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY2->LKJIHG22 +121730.704908 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY3->RQPONM33 +121730.946139 Misc 60 
conf_get_str: [GROUP1-TEK2]:SPI->860146909 +121730.946210 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:ENCAPSULATION_MODE->TUNNEL +121730.946260 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:AUTHENTICATION_ALGORITHM->HMAC_SHA +121730.946309 Misc 60 conf_get_str: [GROUP1-TEK2]:SHA_KEY->01234567890123456789 +121730.946359 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-XF]:Life->LIFE_3600_SECS +121730.946413 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +121730.946459 Misc 60 conf_get_str: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +121730.946529 Default SPI found (SA) 860146909 860146909 (0x3344ccdd) for sa 0x11bd00 +121730.946595 Misc 90 group_do_hash: SKEYID_a: +121730.946666 Misc 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121730.946733 Misc 90 group_do_hash: message_id: +121730.946778 Misc 90 483c11c0 +121730.946813 Negt 90 group_fill_in_hash: NONCE_I_b: +121730.946872 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121730.946915 Misc 90 group_fill_in_hash: payload 1 after HASH: +121731.091678 Misc 90 01000014 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121731.091734 Misc 90 group_fill_in_hash: payload 2 after HASH: +121731.091825 Misc 90 00000066 00000002 00000000 00100000 1000002b 01000100 0404ac13 892a0100 +121731.091914 Misc 90 0404efc0 01010311 22aabb80 04000180 05000280 01000180 020e1000 00002b01 +121731.092003 Misc 90 00010002 04ac1389 2a010002 04efc001 02033344 ccdd8004 00018005 00028001 +121731.092048 Misc 90 00018002 0e10 +121731.092145 Misc 80 group_fill_in_hash: HASH: +121731.092213 Misc 80 065807de a32536fd 1ddb1acf afd74ee8 9218f32e +121731.092257 Exch 90 exchange_validate: checking for required HASH +121731.092298 Exch 90 exchange_validate: checking for required NONCE +121731.092338 Exch 90 exchange_validate: checking for required SA +121731.092390 Cryp 10 crypto_encrypt: before encryption: +121731.092479 Cryp 10 0a000018 065807de a32536fd 1ddb1acf afd74ee8 9218f32e 01000014 da43c65f +121731.092568 Cryp 10 2ef1bf20 76c00d1e bab8cd0e 00000066 
00000002 00000000 00100000 1000002b +121731.186447 Cryp 10 01000100 0404ac13 892a0100 0404efc0 01010311 22aabb80 04000180 05000280 +121731.186547 Cryp 10 01000180 020e1000 00002b01 00010002 04ac1389 2a010002 04efc001 02033344 +121731.186623 Cryp 10 ccdd8004 00018005 00028001 00018002 0e100000 00000000 +121731.186744 Cryp 30 crypto_encrypt: after encryption: +121731.186829 Cryp 30 99ca3b06 00345ffd 7df14316 86cf0f6d 703260ba 807123ab bf70bf2a bfc5003b +121731.186911 Cryp 30 0b8b235f 9083d54f 460f4e62 ce04b4b7 07f2865e 61e1a13e b4600e2b 97312fa6 +121731.186991 Cryp 30 817aefb1 b4a8c147 cb9147ca b1f3604e e68b10e5 17e0e6f2 8be8b1e0 1b65af61 +121731.187072 Cryp 30 8aa95e55 1b233623 efeb05db 74f074a2 54c31a71 b15b8493 7fd5b651 d1d80596 +121731.187142 Cryp 30 f436a2fe 0cc3ab56 7cbad36b da9916a8 0ed13bd9 4832d2c0 +121731.187179 Cryp 50 crypto_update_iv: updated IV: +121731.187225 Cryp 50 0ed13bd9 4832d2c0 +121731.187263 Mesg 70 message_send: message 0x13e000 +121731.187314 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121731.187365 Mesg 70 RCOOKIE: 0x272325e695db688b +121731.294167 Mesg 70 NEXT_PAYLOAD: HASH +121731.294223 Mesg 70 VERSION: 16 +121731.294264 Mesg 70 EXCH_TYPE: QUICK_MODE +121731.294308 Mesg 70 FLAGS: [ ENC ] +121731.294356 Mesg 70 MESSAGE_ID: 0x483c11c0 +121731.294398 Mesg 70 LENGTH: 180 +121731.294488 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 000000b4 99ca3b06 +121731.294577 Mesg 70 message_send: 00345ffd 7df14316 86cf0f6d 703260ba 807123ab bf70bf2a bfc5003b 0b8b235f +121731.294663 Mesg 70 message_send: 9083d54f 460f4e62 ce04b4b7 07f2865e 61e1a13e b4600e2b 97312fa6 817aefb1 +121731.294748 Mesg 70 message_send: b4a8c147 cb9147ca b1f3604e e68b10e5 17e0e6f2 8be8b1e0 1b65af61 8aa95e55 +121731.294833 Mesg 70 message_send: 1b233623 efeb05db 74f074a2 54c31a71 b15b8493 7fd5b651 d1d80596 f436a2fe +121731.294902 Mesg 70 message_send: 0cc3ab56 7cbad36b da9916a8 0ed13bd9 4832d2c0 +121731.294947 Exch 40 exchange_run: exchange 0x11bb00 finished 
step 1, advancing... +121731.294997 Trpt 90 transport_reference: transport 0x11d400 now has 5 references +121731.391118 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121731.391171 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121731.391215 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121731.391258 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121731.391304 Trpt 90 transport_release: transport 0x11d400 had 5 references +121731.391347 Trpt 90 transport_release: transport 0x11d580 had 3 references +121731.391390 Trpt 90 transport_release: transport 0x11d280 had 2 references +121731.391433 Trpt 90 transport_release: transport 0x11d200 had 2 references +121731.391476 Trpt 90 transport_release: transport 0x11d180 had 2 references +121731.391539 Trpt 90 transport_reference: transport 0x11d400 now has 5 references +121731.391586 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121731.391630 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121731.481870 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121731.481922 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121731.482627 Misc 60 conf_get_str: [General]:retransmits->5 +121731.482690 Trpt 30 transport_send_messages: message 0x13e000 scheduled for retransmission 1 in 7 secs +121731.482750 Timr 10 timer_add_event: event message_send_expire(0x13e000) added before exchange_free_aux(0x11b800), expiration in 7s +121731.482800 Trpt 90 transport_release: transport 0x11d400 had 5 references +121731.482844 Trpt 90 transport_release: transport 0x11d580 had 3 references +121731.482886 Trpt 90 transport_release: transport 0x11d280 had 2 references +121731.482929 Trpt 90 transport_release: transport 0x11d200 had 2 references +121731.482971 Trpt 90 transport_release: transport 0x11d180 had 2 references +121732.693218 Trpt 70 transport_add: adding 0x11d880 
+121732.693870 Trpt 90 transport_reference: transport 0x11d880 now has 1 references +121732.693923 Mesg 90 message_alloc: allocated 0x143000 +121732.693964 Mesg 70 message_recv: message 0x143000 +121732.694016 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121732.694067 Mesg 70 RCOOKIE: 0x272325e695db688b +121732.694110 Mesg 70 NEXT_PAYLOAD: HASH +121732.694154 Mesg 70 VERSION: 16 +121732.694194 Mesg 70 EXCH_TYPE: QUICK_MODE +121732.694239 Mesg 70 FLAGS: [ ENC ] +121732.694286 Mesg 70 MESSAGE_ID: 0x483c11c0 +121732.694328 Mesg 70 LENGTH: 52 +121732.694416 Mesg 70 message_recv: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 00000034 38cdefae +121732.694488 Mesg 70 message_recv: a5068ac2 2b8eed31 3516a90a 136ee6cc 1ebb09f5 +121732.694534 SA 80 sa_reference: SA 0x11b900 now has 8 references +121732.694578 Mesg 90 message_check_duplicate: last_received 0x13d000 +121732.694615 Mesg 95 message_check_duplicate: last_received: +121732.694698 Mesg 95 a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 00000054 9b257ede +121732.694818 Mesg 95 8c855951 8f905539 855b58e8 d17cb277 bdde509e eedc0ecf 673bf505 e07d6026 +121732.694885 Mesg 95 a4e31df8 2fec55cd a62d62b2 b231f5b2 4155d6d6 +121732.694926 Mesg 20 message_free: freeing 0x13e000 +121732.694973 Timr 10 timer_remove_event: removing event message_send_expire(0x13e000) +121732.695023 Trpt 90 transport_release: transport 0x11d400 had 4 references +121732.695066 SA 80 sa_release: SA 0x11b900 had 8 references +121732.695228 Cryp 10 crypto_decrypt: before decryption: +121732.695313 Cryp 10 38cdefae a5068ac2 2b8eed31 3516a90a 136ee6cc 1ebb09f5 +121732.695378 Cryp 30 crypto_decrypt: after decryption: +121732.695453 Cryp 30 00000018 790dd7c4 d8b721ad b6efdb0b 6b9b0ee2 48428536 +121732.695504 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +121732.695558 Mesg 60 message_validate_payloads: payload HASH at 0x12f35c of message 0x143000 +121732.695617 Exch 90 exchange_validate: checking for required HASH +121732.695664 Misc 30 
gdoi_responder: phase 2 exchange 32 step 2 +121732.695812 Negt 90 group_check_hash: SKEYID_a: +121732.695883 Negt 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121732.695948 Negt 90 group_check_hash: message_id: +121732.695993 Negt 90 483c11c0 +121732.696029 Negt 90 group_check_hash: NONCE_I_b: +121732.696087 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121732.696123 Negt 90 group_check_hash: NONCE_R_b: +121732.696180 Negt 90 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121732.696218 Negt 90 group_check_hash: payloads after HASH: +121732.696293 Negt 80 group_check_hash: computed HASH: +121732.696362 Negt 80 790dd7c4 d8b721ad b6efdb0b 6b9b0ee2 48428536 +121732.696408 Mesg 20 message_free: freeing 0x13d000 +121732.696456 Trpt 90 transport_release: transport 0x11d400 had 3 references +121732.696499 SA 80 sa_release: SA 0x11b900 had 7 references +121732.696540 Cryp 50 crypto_update_iv: updated IV: +121732.696588 Cryp 50 136ee6cc 1ebb09f5 +121732.696630 Exch 40 exchange_run: exchange 0x11bb00 finished step 2, advancing... 
+121732.696685 Trpt 90 transport_reference: transport 0x11d880 now has 2 references +121732.696974 Mesg 90 message_alloc: allocated 0x13d000 +121732.697024 SA 80 sa_reference: SA 0x11b900 now has 7 references +121732.697072 Misc 30 gdoi_responder: phase 2 exchange 32 step 3 +121732.697161 Misc 90 group_do_hash: SKEYID_a: +121732.697232 Misc 90 83547d80 355b03c1 a3b332d8 0d6d60d8 d0aedc49 +121732.697293 Misc 90 group_do_hash: message_id: +121732.697337 Misc 90 483c11c0 +121732.697373 Negt 90 group_fill_in_hash: NONCE_I_b: +121732.697432 Negt 90 69d181ef e0b9580e 4106b883 719b382a +121732.697468 Negt 90 group_fill_in_hash: NONCE_R_b: +121732.697526 Negt 90 da43c65f 2ef1bf20 76c00d1e bab8cd0e +121732.697569 Misc 90 group_fill_in_hash: payload 1 after HASH: +121732.697656 Misc 90 00000082 00020000 0100003d 041122aa bb000100 18414243 44454647 48494a4b +121732.697738 Misc 90 4c4d4e4f 50515253 54555657 58000200 14313233 34353637 38393031 32333435 +121732.697821 Misc 90 36373839 30010000 3d043344 ccdd0001 00184645 44434241 31314c4b 4a494847 +121732.881346 Misc 90 32325251 504f4e4d 33330002 00143031 32333435 36373839 30313233 34353637 +121732.881396 Misc 90 3839 +121732.881485 Misc 80 group_fill_in_hash: HASH: +121732.881553 Misc 80 5c669c6a 1de36700 2c908a25 b14d3720 0b98a036 +121732.881596 Exch 90 exchange_validate: checking for required HASH +121732.881637 Exch 90 exchange_validate: checking for required KD +121732.881687 Cryp 10 crypto_encrypt: before encryption: +121732.881777 Cryp 10 11000018 5c669c6a 1de36700 2c908a25 b14d3720 0b98a036 00000082 00020000 +121732.881862 Cryp 10 0100003d 041122aa bb000100 18414243 44454647 48494a4b 4c4d4e4f 50515253 +121732.881944 Cryp 10 54555657 58000200 14313233 34353637 38393031 32333435 36373839 30010000 +121732.882026 Cryp 10 3d043344 ccdd0001 00184645 44434241 31314c4b 4a494847 32325251 504f4e4d +121732.882109 Cryp 10 33330002 00143031 32333435 36373839 30313233 34353637 38390000 00000000 +121732.882230 Cryp 30 crypto_encrypt: 
after encryption: +121732.882313 Cryp 30 5fa0a653 cb56424e 71a0d15a d11ea5d9 783d11d9 9a97bb08 4cb2ddc1 cc3ce34f +121733.125421 Cryp 30 3a6adc0e 95f33f94 e790e8f5 704e82dd b6c4be6b 8ba5775f 0b83f10d c20d2690 +121733.125512 Cryp 30 af87c98a 4bc97cce 82843a85 2269d4a6 e5c92b64 6076bb06 bcf060b1 db468ef0 +121733.125594 Cryp 30 6a515f7d cdf4d954 d49c0170 5bddfe8d bc928909 87a75294 4fc3882b 52f5c798 +121733.125674 Cryp 30 dfbfa8b8 f4933c66 6da9efba 545f90bd bbc5f93f 47f86de7 b2ba1eef 28e8ae0b +121733.125712 Cryp 50 crypto_update_iv: updated IV: +121733.125759 Cryp 50 b2ba1eef 28e8ae0b +121733.125797 Mesg 70 message_send: message 0x13d000 +121733.125849 Mesg 70 ICOOKIE: 0xa91b9d5035d8fc4f +121733.125900 Mesg 70 RCOOKIE: 0x272325e695db688b +121733.125943 Mesg 70 NEXT_PAYLOAD: HASH +121733.125986 Mesg 70 VERSION: 16 +121733.126027 Mesg 70 EXCH_TYPE: QUICK_MODE +121733.126071 Mesg 70 FLAGS: [ ENC ] +121733.126117 Mesg 70 MESSAGE_ID: 0x483c11c0 +121733.126160 Mesg 70 LENGTH: 188 +121733.126247 Mesg 70 message_send: a91b9d50 35d8fc4f 272325e6 95db688b 08102001 483c11c0 000000bc 5fa0a653 +121733.126334 Mesg 70 message_send: cb56424e 71a0d15a d11ea5d9 783d11d9 9a97bb08 4cb2ddc1 cc3ce34f 3a6adc0e +121733.343171 Mesg 70 message_send: 95f33f94 e790e8f5 704e82dd b6c4be6b 8ba5775f 0b83f10d c20d2690 af87c98a +121733.343267 Mesg 70 message_send: 4bc97cce 82843a85 2269d4a6 e5c92b64 6076bb06 bcf060b1 db468ef0 6a515f7d +121733.343353 Mesg 70 message_send: cdf4d954 d49c0170 5bddfe8d bc928909 87a75294 4fc3882b 52f5c798 dfbfa8b8 +121733.343433 Mesg 70 message_send: f4933c66 6da9efba 545f90bd bbc5f93f 47f86de7 b2ba1eef 28e8ae0b +121733.343479 Exch 40 exchange_run: exchange 0x11bb00 finished step 3, advancing... 
+121733.343529 Trpt 90 transport_reference: transport 0x11d880 now has 3 references +121733.343573 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121733.343617 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121733.343660 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121733.343703 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121733.549277 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121733.549333 Trpt 90 transport_release: transport 0x11d880 had 3 references +121733.549377 Trpt 90 transport_release: transport 0x11d400 had 3 references +121733.549420 Trpt 90 transport_release: transport 0x11d580 had 3 references +121733.549463 Trpt 90 transport_release: transport 0x11d280 had 2 references +121733.549505 Trpt 90 transport_release: transport 0x11d200 had 2 references +121733.549548 Trpt 90 transport_release: transport 0x11d180 had 2 references +121733.549612 Trpt 90 transport_reference: transport 0x11d880 now has 3 references +121733.549659 Trpt 90 transport_reference: transport 0x11d400 now has 3 references +121733.549703 Trpt 90 transport_reference: transport 0x11d580 now has 3 references +121733.549746 Trpt 90 transport_reference: transport 0x11d280 now has 2 references +121733.549789 Trpt 90 transport_reference: transport 0x11d200 now has 2 references +121733.549832 Trpt 90 transport_reference: transport 0x11d180 now has 2 references +121733.695429 Exch 10 exchange_finalize: 0x11bb00 Group-1234 Default-group-mode policy responder phase 2 doi 2 exchange 32 step 4 +121733.695491 Exch 10 exchange_finalize: icookie a91b9d5035d8fc4f rcookie 272325e695db688b +121733.695542 Exch 10 exchange_finalize: msgid 483c11c0 sa_list 0x11bc00 0x11bd00 +121733.695588 SA 90 sa_find: no SA matched query +121733.695642 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +121733.695816 Exch 30 checking whether new SA replaces existing SA with IDs 
+121733.695876 SA 90 sa_find: return SA 0x11bc00 +121733.695920 SA 60 sa_mark_replaced: SA 0x11bc00 (Group-1234) marked as replaced +121733.695960 SA 90 sa_find: no SA matched query +121733.696008 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +121733.696065 Timr 95 sa_setup_expirations: SA 0x11bc00 soft timeout in 3412 seconds +121733.696124 Timr 10 timer_add_event: event sa_soft_expire(0x11bc00) added before sa_hard_expire(0x11b900), expiration in 3412s +121733.952678 SA 80 sa_reference: SA 0x11bc00 now has 3 references +121733.952738 Timr 95 sa_setup_expirations: SA 0x11bc00 hard timeout in 3600 seconds +121733.952791 Timr 10 timer_add_event: event sa_hard_expire(0x11bc00) added last, expiration in 3600s +121733.952837 SA 80 sa_reference: SA 0x11bc00 now has 4 references +121733.952888 Timr 95 sa_setup_expirations: SA 0x11bd00 soft timeout in 3128 seconds +121733.952943 Timr 10 timer_add_event: event sa_soft_expire(0x11bd00) added before sa_soft_expire(0x11b900), expiration in 3128s +121733.952989 SA 80 sa_reference: SA 0x11bd00 now has 3 references +121733.953036 Timr 95 sa_setup_expirations: SA 0x11bd00 hard timeout in 3600 seconds +121733.953086 Timr 10 timer_add_event: event sa_hard_expire(0x11bd00) added last, expiration in 3600s +121733.953130 SA 80 sa_reference: SA 0x11bd00 now has 4 references +121733.953170 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!! 
+
+121733.953220 SA 80 sa_release: SA 0x11bc00 had 4 references
+121734.208101 SA 80 sa_release: SA 0x11bd00 had 4 references
+121734.208160 Trpt 90 transport_release: transport 0x11d880 had 3 references
+121734.208205 Trpt 90 transport_release: transport 0x11d400 had 3 references
+121734.208248 Trpt 90 transport_release: transport 0x11d580 had 3 references
+121734.208291 Trpt 90 transport_release: transport 0x11d280 had 2 references
+121734.208333 Trpt 90 transport_release: transport 0x11d200 had 2 references
+121734.208376 Trpt 90 transport_release: transport 0x11d180 had 2 references
diff --git a/samples/three-clients/CVS/Entries b/samples/three-clients/CVS/Entries
new file mode 100644
index 0000000..fc03988
--- /dev/null
+++ b/samples/three-clients/CVS/Entries
@@ -0,0 +1,11 @@
+/START_CLIENT1/1.3/Tue Oct 11 17:57:26 2005//TIEC90-5
+/START_CLIENT2/1.3/Tue Oct 11 17:57:26 2005//TIEC90-5
+/START_CLIENT3/1.3/Tue Oct 11 17:57:27 2005//TIEC90-5
+/START_KS/1.3/Tue Oct 11 17:57:27 2005//TIEC90-5
+/gdoi_client1.conf/1.4/Tue Oct 11 17:57:27 2005//TIEC90-5
+/gdoi_client2.conf/1.4/Tue Oct 11 17:57:28 2005//TIEC90-5
+/gdoi_client3.conf/1.4/Tue Oct 11 17:57:28 2005//TIEC90-5
+/gdoi_ks.conf/1.6/Tue Jan 25 00:15:50 2011//TIEC90-5
+/sample_output_client1/1.3/Tue Oct 11 17:57:28 2005//TIEC90-5
+/sample_output_ks/1.3/Tue Oct 11 17:57:28 2005//TIEC90-5
+D
diff --git a/samples/three-clients/CVS/Repository b/samples/three-clients/CVS/Repository
new file mode 100644
index 0000000..9950743
--- /dev/null
+++ b/samples/three-clients/CVS/Repository
@@ -0,0 +1 @@
+gdoi/samples/three-clients
diff --git a/samples/three-clients/CVS/Root b/samples/three-clients/CVS/Root
new file mode 100644
index 0000000..6311e3e
--- /dev/null
+++ b/samples/three-clients/CVS/Root
@@ -0,0 +1 @@
+:ext:bew@irp-view12.cisco.com:/nfs/cscbz/gdoi/gdoicvs
diff --git a/samples/three-clients/CVS/Tag b/samples/three-clients/CVS/Tag
new file mode 100644
index 0000000..6586d9e
--- /dev/null
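Review bot: The `CVS/` administrative files added under samples/three-clients (Entries, Repository, Root, Tag) are working-copy metadata and should not be part of the import; `CVS/Root` in particular publishes an internal server hostname, account name and repository path. Dropping these files and adding `CVS/` to `.gitignore` keeps them out of later commits. Any other `CVS/` directories carried over by the same import presumably need the same treatment.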
+++ b/samples/three-clients/CVS/Tag
@@ -0,0 +1 @@
+TIEC90-5
diff --git a/samples/three-clients/START_CLIENT1 b/samples/three-clients/START_CLIENT1
new file mode 100755
index 0000000..ee464fd
--- /dev/null
+++ b/samples/three-clients/START_CLIENT1
@@ -0,0 +1,5 @@
+#!/bin/sh
+# $Id: START_CLIENT1,v 1.3 2005/10/11 17:57:26 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/START_CLIENT1,v $
+
+../../src/gdoid -d -n -p848 -DA=99 -f/tmp/isakmpd.fifo -cgdoi_client1.conf
diff --git a/samples/three-clients/START_CLIENT2 b/samples/three-clients/START_CLIENT2
new file mode 100755
index 0000000..fbb7863
--- /dev/null
+++ b/samples/three-clients/START_CLIENT2
@@ -0,0 +1,5 @@
+#!/bin/sh
+# $Id: START_CLIENT2,v 1.3 2005/10/11 17:57:26 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/START_CLIENT2,v $
+
+../../src/gdoid -d -n -p848 -DA=99 -f/tmp/isakmpd.fifo -cgdoi_client2.conf
diff --git a/samples/three-clients/START_CLIENT3 b/samples/three-clients/START_CLIENT3
new file mode 100755
index 0000000..62ef769
--- /dev/null
+++ b/samples/three-clients/START_CLIENT3
@@ -0,0 +1,5 @@
+#!/bin/sh
+# $Id: START_CLIENT3,v 1.3 2005/10/11 17:57:27 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/START_CLIENT3,v $
+
+../../src/gdoid -d -n -p848 -DA=99 -f/tmp/isakmpd.fifo -cgdoi_client3.conf
diff --git a/samples/three-clients/START_KS b/samples/three-clients/START_KS
new file mode 100755
index 0000000..3596d17
--- /dev/null
+++ b/samples/three-clients/START_KS
@@ -0,0 +1,5 @@
+#!/bin/sh
+# $Id: START_KS,v 1.3 2005/10/11 17:57:27 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/START_KS,v $
+
+../../src/gdoid -d -n -p848 -DA=99 -f/tmp/isakmpd.fifo -cgdoi_client3.conf
diff --git a/samples/three-clients/gdoi_client1.conf b/samples/three-clients/gdoi_client1.conf
new file mode 100644
index 0000000..12dc403
--- /dev/null
+++ b/samples/three-clients/gdoi_client1.conf
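Review bot: All four launch scripts (START_CLIENT1, START_CLIENT2, START_CLIENT3 and START_KS) run gdoid with `-DA=99`, and the sample output in this same patch shows what that level writes to the log: configured TEK keys (`DES_KEY1`, `SHA_KEY`), `SKEYID_a` and the payloads before encryption. Each script should carry a comment above the command such as `# -DA=99 logs key material and plaintext payloads; test use only`. The `-f/tmp/isakmpd.fifo` argument (`/tmp/isakmpd2.fifo` in START_KS) places what is presumably the daemon's control FIFO at a fixed name in a world-writable directory; a path inside a directory that only the daemon's user can write avoids another local user creating or opening it first.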
@@ -0,0 +1,102 @@
+# $Id: gdoi_client1.conf,v 1.4 2005/10/11 17:57:27 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/gdoi_client1.conf,v $
+
+#
+# A configuration sample for testing GDOI between systems passing IPSec policy.
+# This is an example of a group member.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 10.0.224.37
+check-interval= 60
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.0.224.44= GDOI-key-server
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Connections= Group-1234
+
+[GDOI-key-server]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.37
+Address= 10.0.224.44
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+ISAKMP-peer= GDOI-key-server
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,45:72
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+# Group mode description
+########################
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+Suites= GM-ESP
+
+[GM-ESP]
+PROTOCOL_ID= IPSEC_ESP
diff --git a/samples/three-clients/gdoi_client2.conf b/samples/three-clients/gdoi_client2.conf
new file mode 100644
index 0000000..a8af35b
--- /dev/null
+++ b/samples/three-clients/gdoi_client2.conf
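Review bot: `Authentication= mekmitasdigoat` in `[GDOI-key-server]` is a sample pre-shared key, and the same literal appears in gdoi_client2.conf, gdoi_client3.conf and all three `[GDOI-group-member-N]` sections of gdoi_ks.conf, so every member authenticates to the key server with one shared secret. With a shared PSK the key server cannot tell one member from another at phase 1, and removing a member means changing the key everywhere; the samples should say so above the line, e.g. `# Sample PSK only: use a distinct secret per group member`. The `[DES-MD5]` and `[DES-SHA]` sections (single DES with `MODP_768`) are not referenced by `Transforms= 3DES-SHA` and could be dropped from the three client files and gdoi_ks.conf so they are not selected by copy-paste.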
@@ -0,0 +1,102 @@
+# $Id: gdoi_client2.conf,v 1.4 2005/10/11 17:57:28 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/gdoi_client2.conf,v $
+
+#
+# A configuration sample for testing GDOI between systems passing IPSec policy.
+# This is an example of a group member.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 10.0.224.40
+check-interval= 60
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.0.224.44= GDOI-key-server
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Connections= Group-1234
+
+[GDOI-key-server]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.40
+Address= 10.0.224.44
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+ISAKMP-peer= GDOI-key-server
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,45:72
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+# Group mode description
+########################
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+Suites= GM-ESP
+
+[GM-ESP]
+PROTOCOL_ID= IPSEC_ESP
diff --git a/samples/three-clients/gdoi_client3.conf b/samples/three-clients/gdoi_client3.conf
new file mode 100644
index 0000000..37ed3ef
--- /dev/null
+++ b/samples/three-clients/gdoi_client3.conf
@@ -0,0 +1,102 @@
+# $Id: gdoi_client3.conf,v 1.4 2005/10/11 17:57:28 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/gdoi_client3.conf,v $
+
+#
+# A configuration sample for testing GDOI between systems passing IPSec policy.
+# This is an example of a group member.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 10.0.224.41
+check-interval= 60
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.0.224.44= GDOI-key-server
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. This means we can do on-demand keying.
+[Phase 2]
+Connections= Group-1234
+
+[GDOI-key-server]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.41
+Address= 10.0.224.44
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[Group-1234]
+Phase= 2
+ISAKMP-peer= GDOI-key-server
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+######################
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,45:72
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+# Group mode description
+########################
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+Suites= GM-ESP
+
+[GM-ESP]
+PROTOCOL_ID= IPSEC_ESP
diff --git a/samples/three-clients/gdoi_ks.conf b/samples/three-clients/gdoi_ks.conf
new file mode 100644
index 0000000..ada9aaa
--- /dev/null
+++ b/samples/three-clients/gdoi_ks.conf
@@ -0,0 +1,194 @@
+# $Id: gdoi_ks.conf,v 1.6 2011/01/25 00:15:50 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/gdoi_ks.conf,v $
+
+#
+# A configuration sample for testing GDOI between systems passing IPSec policy.
+# This is an example of the key server.
+#
+
+[General]
+Retransmits= 5
+Exchange-max-time= 120
+Listen-on= 10.0.224.44
+
+# Incoming phase 1 negotiations are multiplexed on the source IP address
+[Phase 1]
+10.0.224.37= GDOI-group-member-1
+10.0.224.40= GDOI-group-member-2
+10.0.224.41= GDOI-group-member-3
+
+# These connections are walked over after config file parsing and told
+# to the application layer so that it will inform us when traffic wants to
+# pass over them. Since this is the key server, it will wait for the group
+# members to register usig these connections.
+[Phase 2]
+Passive-Connections= IPsec-group-policy
+
+[GDOI-group-member-1]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.44
+Address= 10.0.224.37
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[GDOI-group-member-2]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.44
+Address= 10.0.224.40
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[GDOI-group-member-3]
+Phase= 1
+Transport= udp
+Local-address= 10.0.224.44
+Address= 10.0.224.41
+Port= 848
+Configuration= Default-main-mode
+Authentication= mekmitasdigoat
+
+[IPsec-group-policy]
+Phase= 2
+ISAKMP-peer= GDOI-group-member
+Configuration= Default-group-mode
+Group-ID= Group-1
+
+[Group-1]
+ID-type= KEY_ID
+Key-value= 1234
+
+# Main mode descriptions
+
+[Default-main-mode]
+DOI= GROUP
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA
+
+# Main mode transforms
+
+# DES
+
+[DES-MD5]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+[DES-SHA]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_768
+Life= LIFE_600_SECS
+
+# 3DES
+
+[3DES-SHA]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= LIFE_60_SECS
+
+# Lifetimes
+
+[LIFE_60_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 60,45:72
+
+[LIFE_600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 600,450:720
+
+[LIFE_3600_SECS]
+LIFE_TYPE= SECONDS
+LIFE_DURATION= 3600,1800:7200
+
+# GDOI description
+
+# 3DES
+
+[GDOI-ESP-TRANSFORM-3DES-SHA]
+TRANSFORM_ID= 3DES
+ENCAPSULATION_MODE= TRANSPORT
+AUTHENTICATION_ALGORITHM= HMAC_SHA
+Life= LIFE_60_SECS
+
+# Group mode description
+########################
+
+[Default-group-mode]
+DOI= GROUP
+EXCHANGE_TYPE= PULL_MODE
+SA-KEK= GROUP1-KEK
+SA-TEKS= GROUP1-TEK1,GROUP1-TEK2
+
+[GROUP1-KEK]
+Src-ID= Group-kek-src
+Dst-ID= Group-kek-dst
+ENCRYPTION_ALGORITHM= 3DES
+SIG_HASH_ALGORITHM= SHA
+SIG_ALGORITHM= RSA
+RSA-Keypair= /usr/local/gdoid/rsakeys.der
+REKEY_PERIOD= 30
+
+[Group-kek-src]
+ID-type= IPV4_ADDR
+Address= 10.0.224.44
+Port= 848
+
+[Group-kek-dst]
+ID-type= IPV4_ADDR
+Address= 239.10.1.1
+Port= 848
+
+# Src-ID and Dst-ID are the addresses for the IP ESP packet.
+[GROUP1-TEK1]
+Crypto-protocol= PROTO_IPSEC_ESP
+Src-ID= Group-tek1-src
+Dst-ID= Group-tek1-dst
+TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
+
+[Group-tek1-src]
+ID-type= IPV4_ADDR
+Address= 10.0.224.37
+Port= 0
+
+[Group-tek1-dst]
+ID-type= IPV4_ADDR
+Address= 239.1.1.1
+Port= 0
+
+# Src-ID and Dst-ID are the addresses for the IP ESP packet.
+[GROUP1-TEK2]
+Src-ID= Group-tek2-src
+Dst-ID= Group-tek2-dst
+TEK_Suite= GDOI-ESP-3DES-SHA-SUITE
+
+[Group-tek2-src]
+ID-type= IPV4_ADDR
+Address= 10.0.224.40
+Port= 0
+
+[Group-tek2-dst]
+ID-type= IPV4_ADDR
+Address= 239.1.1.2
+Port= 0
+
+[GDOI-ESP-3DES-SHA-SUITE]
+Protocols= GDOI-ESP-3DES-SHA
+
+[GDOI-ESP-3DES-SHA]
+PROTOCOL_ID= IPSEC_ESP
+Transforms= GDOI-ESP-TRANSFORM-3DES-SHA
+
+# Certificates stored in PEM format
+[X509-certificates]
+CA-directory= /etc/gdoid/ca/
+Cert-directory= /etc/gdoid/certs/
+Private-key= /etc/gdoid/private/local.key
diff --git a/samples/three-clients/sample_output_client1 b/samples/three-clients/sample_output_client1
new file mode 100644
index 0000000..d4e570a
--- /dev/null
+++ b/samples/three-clients/sample_output_client1
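Review bot: `ISAKMP-peer= GDOI-group-member` in `[IPsec-group-policy]` names a section this file never defines; the phase 1 peers are `[GDOI-group-member-1]`, `[GDOI-group-member-2]` and `[GDOI-group-member-3]`. If gdoid resolves that name for passive connections the lookup would fail, and if it ignores it the line is misleading, so either point it at a defined section or, once confirmed, add a comment such as `# ISAKMP-peer is not used for passive connections`. Separately, `RSA-Keypair= /usr/local/gdoid/rsakeys.der` in `[GROUP1-KEK]` is presumably the key that signs rekey messages (`SIG_ALGORITHM= RSA`) and sits outside the `/etc/gdoid/private/` location used for `Private-key`; a comment stating the expected owner and file mode would help anyone deploying from this sample. The comment above `[Phase 2]` has a typo, `usig`.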
@@ -0,0 +1,1110 @@ +$Id: sample_output_client1,v 1.3 2005/10/11 17:57:28 bew Exp $ +$Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/sample_output_client1,v $ + +client-pc1# ./START_CLIENT1 +110303.376149 Default log_debug_cmd: log level changed from 0 to 99 for class 0 +110303.377006 Default log_debug_cmd: log level changed from 0 to 99 for class 1 +110303.377135 Default log_debug_cmd: log level changed from 0 to 99 for class 2 +110303.377261 Default log_debug_cmd: log level changed from 0 to 99 for class 3 +110303.377398 Default log_debug_cmd: log level changed from 0 to 99 for class 4 +110303.377524 Default log_debug_cmd: log level changed from 0 to 99 for class 5 +110303.377649 Default log_debug_cmd: log level changed from 0 to 99 for class 6 +110303.377774 Default log_debug_cmd: log level changed from 0 to 99 for class 7 +110303.377901 Default log_debug_cmd: log level changed from 0 to 99 for class 8 +110303.378026 Default log_debug_cmd: log level changed from 0 to 99 for class 9 +110303.379845 Misc 60 conf_get_str: configuration value not found [General]:Retransmits +110303.380009 Misc 70 conf_set: [General]:Retransmits->5 +110303.380148 Misc 60 conf_get_str: configuration value not found [General]:Exchange-max-time +110303.380293 Misc 70 conf_set: [General]:Exchange-max-time->120 +110303.380441 Misc 60 conf_get_str: configuration value not found [General]:Listen-on +110303.380584 Misc 70 conf_set: [General]:Listen-on->10.0.224.37 +110303.380717 Misc 60 conf_get_str: configuration value not found [General]:check-interval +110303.380862 Misc 70 conf_set: [General]:check-interval->60 +110303.380994 Misc 60 conf_get_str: configuration value not found [Phase 1]:10.0.224.44 +110303.381135 Misc 70 conf_set: [Phase 1]:10.0.224.44->GDOI-key-server +110303.381267 Misc 60 conf_get_str: configuration value not found [Phase 2]:Connections +110303.381421 Misc 70 conf_set: [Phase 2]:Connections->Group-1234 +110303.381552 Misc 60 conf_get_str: configuration value 
not found [GDOI-key-server]:Phase +110303.381696 Misc 70 conf_set: [GDOI-key-server]:Phase->1 +110303.381829 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Transport +110303.381974 Misc 70 conf_set: [GDOI-key-server]:Transport->udp +110303.382109 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Local-address +110303.382256 Misc 70 conf_set: [GDOI-key-server]:Local-address->10.0.224.37 +110303.382405 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Address +110303.382552 Misc 70 conf_set: [GDOI-key-server]:Address->10.0.224.44 +110303.382689 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Port +110303.382836 Misc 70 conf_set: [GDOI-key-server]:Port->848 +110303.382970 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Configuration +110303.383116 Misc 70 conf_set: [GDOI-key-server]:Configuration->Default-main-mode +110303.383261 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Authentication +110303.383419 Misc 70 conf_set: [GDOI-key-server]:Authentication->mekmitasdigoat +110303.383552 Misc 60 conf_get_str: configuration value not found [Group-1234]:Phase +110303.383695 Misc 70 conf_set: [Group-1234]:Phase->2 +110303.383828 Misc 60 conf_get_str: configuration value not found [Group-1234]:ISAKMP-peer +110303.383972 Misc 70 conf_set: [Group-1234]:ISAKMP-peer->GDOI-key-server +110303.384105 Misc 60 conf_get_str: configuration value not found [Group-1234]:Configuration +110303.384250 Misc 70 conf_set: [Group-1234]:Configuration->Default-group-mode +110303.384396 Misc 60 conf_get_str: configuration value not found [Group-1234]:Group-ID +110303.384541 Misc 70 conf_set: [Group-1234]:Group-ID->Group-1 +110303.384672 Misc 60 conf_get_str: configuration value not found [Group-1]:ID-type +110303.384815 Misc 70 conf_set: [Group-1]:ID-type->KEY_ID +110303.384948 Misc 60 conf_get_str: configuration value not found [Group-1]:Key-value +110303.385092 Misc 
70 conf_set: [Group-1]:Key-value->1234 +110303.385478 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:DOI +110303.385630 Misc 70 conf_set: [Default-main-mode]:DOI->GROUP +110303.385765 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:EXCHANGE_TYPE +110303.385913 Misc 70 conf_set: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +110303.386034 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:Transforms +110303.386119 Misc 70 conf_set: [Default-main-mode]:Transforms->3DES-SHA +110303.386189 Misc 60 conf_get_str: configuration value not found [DES-MD5]:ENCRYPTION_ALGORITHM +110303.386265 Misc 70 conf_set: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC +110303.386343 Misc 60 conf_get_str: configuration value not found [DES-MD5]:HASH_ALGORITHM +110303.386420 Misc 70 conf_set: [DES-MD5]:HASH_ALGORITHM->MD5 +110303.386488 Misc 60 conf_get_str: configuration value not found [DES-MD5]:AUTHENTICATION_METHOD +110303.386567 Misc 70 conf_set: [DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +110303.386637 Misc 60 conf_get_str: configuration value not found [DES-MD5]:GROUP_DESCRIPTION +110303.386714 Misc 70 conf_set: [DES-MD5]:GROUP_DESCRIPTION->MODP_768 +110303.386783 Misc 60 conf_get_str: configuration value not found [DES-MD5]:Life +110303.386855 Misc 70 conf_set: [DES-MD5]:Life->LIFE_600_SECS +110303.386923 Misc 60 conf_get_str: configuration value not found [DES-SHA]:ENCRYPTION_ALGORITHM +110303.386998 Misc 70 conf_set: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC +110303.387066 Misc 60 conf_get_str: configuration value not found [DES-SHA]:HASH_ALGORITHM +110303.387141 Misc 70 conf_set: [DES-SHA]:HASH_ALGORITHM->SHA +110303.387209 Misc 60 conf_get_str: configuration value not found [DES-SHA]:AUTHENTICATION_METHOD +110303.387286 Misc 70 conf_set: [DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +110303.387369 Misc 60 conf_get_str: configuration value not found [DES-SHA]:GROUP_DESCRIPTION +110303.387445 Misc 70 conf_set: 
[DES-SHA]:GROUP_DESCRIPTION->MODP_768 +110303.387514 Misc 60 conf_get_str: configuration value not found [DES-SHA]:Life +110303.387585 Misc 70 conf_set: [DES-SHA]:Life->LIFE_600_SECS +110303.387652 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:ENCRYPTION_ALGORITHM +110303.387728 Misc 70 conf_set: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +110303.387797 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:HASH_ALGORITHM +110303.387875 Misc 70 conf_set: [3DES-SHA]:HASH_ALGORITHM->SHA +110303.387944 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:AUTHENTICATION_METHOD +110303.388022 Misc 70 conf_set: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +110303.388092 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_DESCRIPTION +110303.388168 Misc 70 conf_set: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +110303.388239 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:Life +110303.388327 Misc 70 conf_set: [3DES-SHA]:Life->LIFE_60_SECS +110303.388397 Misc 60 conf_get_str: configuration value not found [LIFE_60_SECS]:LIFE_TYPE +110303.388474 Misc 70 conf_set: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +110303.388543 Misc 60 conf_get_str: configuration value not found [LIFE_60_SECS]:LIFE_DURATION +110303.388621 Misc 70 conf_set: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +110303.388690 Misc 60 conf_get_str: configuration value not found [LIFE_600_SECS]:LIFE_TYPE +110303.388766 Misc 70 conf_set: [LIFE_600_SECS]:LIFE_TYPE->SECONDS +110303.388837 Misc 60 conf_get_str: configuration value not found [LIFE_600_SECS]:LIFE_DURATION +110303.388916 Misc 70 conf_set: [LIFE_600_SECS]:LIFE_DURATION->600,450:720 +110303.388984 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_TYPE +110303.389061 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +110303.389131 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_DURATION +110303.389209 Misc 70 conf_set: 
[LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +110303.389279 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:DOI +110303.389371 Misc 70 conf_set: [Default-group-mode]:DOI->GROUP +110303.389441 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:EXCHANGE_TYPE +110303.389521 Misc 70 conf_set: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +110303.389591 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Suites +110303.389671 Misc 70 conf_set: [Default-group-mode]:Suites->GM-ESP +110303.406387 Misc 60 conf_get_str: configuration value not found [GM-ESP]:PROTOCOL_ID +110303.406507 Misc 70 conf_set: [GM-ESP]:PROTOCOL_ID->IPSEC_ESP +110303.406583 Misc 60 conf_get_str: [Phase 2]:Connections->Group-1234 +110303.406691 Timr 10 timer_add_event: event connection_checker(0x813f378) added last, expiration in 0s +110303.406769 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +110303.406863 Misc 60 conf_get_str: [Group-1234]:Group-ID->Group-1 +110303.406935 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID +110303.407959 Misc 60 conf_get_str: [Group-1]:Key-value->1234 +110303.408075 Misc 60 connection_record_passive: passive connection "Group-1234" added +110303.408154 Misc 60 conf_get_str: configuration value not found [Phase 2]:Passive-Connections +110303.408259 Timr 10 timer_add_event: event cookie_reset_event((nil)) added last, expiration in 360s +110303.408375 Misc 60 conf_get_str: configuration value not found [X509-certificates]:CA-directory +110303.408445 Default x509_cert_init: no CA-directory +110303.410252 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.37 +110303.410451 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.37 +110303.410629 Trpt 70 transport_add: adding 0x8140170 +110303.410701 Trpt 90 transport_reference: transport 0x8140170 now has 1 references +110303.410831 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.37 +110303.410935 Trpt 70 transport_add: adding 
0x81401c0 +110303.411000 Trpt 90 transport_reference: transport 0x81401c0 now has 1 references +110303.411070 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.37 +110303.412614 Timr 10 timer_handle_expirations: event connection_checker(0x813f378) +110303.412706 Misc 60 conf_get_str: [General]:check-interval->60 +110303.412787 Timr 10 timer_add_event: event connection_checker(0x813f378) added before cookie_reset_event((nil)), expiration in 60s +110303.412881 SA 90 sa_find: no SA matched query +110303.412954 Sdep 70 pf_key_v2_connection_check: SA for Group-1234 missing +110303.413024 Misc 60 conf_get_str: [Group-1234]:Phase->2 +110303.413096 Misc 60 conf_get_str: [Group-1234]:ISAKMP-peer->GDOI-key-server +110303.413157 SA 90 sa_find: no SA matched query +110303.413229 Misc 60 conf_get_str: [GDOI-key-server]:Phase->1 +110303.413315 Misc 60 conf_get_str: [GDOI-key-server]:Phase->1 +110303.413389 Misc 60 conf_get_str: [GDOI-key-server]:Transport->udp +110303.413459 Misc 60 conf_get_str: [GDOI-key-server]:Port->848 +110303.413529 Misc 60 conf_get_str: [GDOI-key-server]:Address->10.0.224.44 +110303.413612 Misc 60 conf_get_str: [GDOI-key-server]:Local-address->10.0.224.37 +110303.413685 Trpt 70 transport_add: adding 0x8140880 +110303.413766 Misc 60 conf_get_str: [GDOI-key-server]:Configuration->Default-main-mode +110303.413858 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP +110303.413939 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +110303.414022 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +110303.414104 Timr 10 timer_add_event: event exchange_free_aux(0x81408d0) added before cookie_reset_event((nil)), expiration in 120s +110303.414182 Misc 60 conf_get_str: [GDOI-key-server]:Configuration->Default-main-mode +110303.414326 Exch 10 exchange_establish_p1: 0x81408d0 GDOI-key-server Default-main-mode policy initiator phase 1 doi 2 exchange 2 step 0 +110303.414411 Exch 10 exchange_establish_p1: icookie 957e3b86f602b129 rcookie 
0000000000000000 +110303.414483 Exch 10 exchange_establish_p1: msgid 00000000 +110303.414590 Trpt 90 transport_reference: transport 0x8140880 now has 1 references +110303.414667 Mesg 90 message_alloc: allocated 0x81409e0 +110303.414739 SA 80 sa_reference: SA 0x8141220 now has 1 references +110303.414822 SA 70 sa_enter: SA 0x8141220 added to SA list +110303.414888 SA 80 sa_reference: SA 0x8141220 now has 2 references +110303.414954 SA 60 sa_create: sa 0x8141220 phase 1 added to exchange 0x81408d0 (GDOI-key-server) +110303.415024 SA 80 sa_reference: SA 0x8141220 now has 3 references +110303.415110 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +110303.536327 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +110303.536418 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +110303.536489 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +110303.536559 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +110303.536642 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +110303.536719 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +110303.536808 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +110303.536884 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:PRF +110303.536950 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section +110303.537017 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH +110303.537090 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE +110303.537162 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER +110303.537259 Exch 90 exchange_validate: checking for required SA +110303.537360 Mesg 70 message_send: message 0x81409e0 +110303.537445 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110303.537527 Mesg 70 RCOOKIE: 0x0000000000000000 +110303.537592 Mesg 70 NEXT_PAYLOAD: SA +110303.537670 Mesg 70 VERSION: 16 +110303.537737 Mesg 70 EXCH_TYPE: ID_PROT +110303.537817 Mesg 70 FLAGS: [ ] 
+110303.537891 Mesg 70 MESSAGE_ID: 0x00000000 +110303.537957 Mesg 70 LENGTH: 80 +110303.538084 Mesg 70 message_send: 957e3b86 f602b129 00000000 00000000 01100200 00000000 00000050 00000034 +110303.538216 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +110303.538328 Mesg 70 message_send: 80030001 80040002 800b0001 800c003c +110303.538395 Exch 40 exchange_run: exchange 0x81408d0 finished step 0, advancing... +110303.538508 Trpt 90 transport_reference: transport 0x8140880 now has 2 references +110303.538578 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110303.538646 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110303.538946 Misc 60 conf_get_str: [General]:retransmits->5 +110303.539031 Trpt 30 transport_send_messages: message 0x81409e0 scheduled for retransmission 1 in 7 secs +110303.539114 Timr 10 timer_add_event: event message_send_expire(0x81409e0) added before connection_checker(0x813f378), expiration in 7s +110303.539199 Trpt 90 transport_release: transport 0x8140880 had 2 references +110303.539274 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110303.539341 Trpt 90 transport_release: transport 0x8140170 had 2 references +110303.635998 Trpt 70 transport_add: adding 0x8141378 +110303.636099 Trpt 90 transport_reference: transport 0x8141378 now has 1 references +110303.636172 Mesg 90 message_alloc: allocated 0x81413c8 +110303.636234 Mesg 70 message_recv: message 0x81413c8 +110303.636339 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110303.636418 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110303.636481 Mesg 70 NEXT_PAYLOAD: SA +110303.636546 Mesg 70 VERSION: 16 +110303.636607 Mesg 70 EXCH_TYPE: ID_PROT +110303.636669 Mesg 70 FLAGS: [ ] +110303.636739 Mesg 70 MESSAGE_ID: 0x00000000 +110303.636823 Mesg 70 LENGTH: 80 +110303.636945 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 01100200 00000000 00000050 00000034 +110303.637078 Mesg 70 message_recv: 00000002 
00000000 00000028 01010001 00000020 00010000 80010005 80020002 +110303.637178 Mesg 70 message_recv: 80030001 80040002 800b0001 800c003c +110303.637264 SA 70 sa_remove: SA 0x8141220 removed from SA list +110303.637334 SA 80 sa_release: SA 0x8141220 had 3 references +110303.637401 SA 80 sa_release: SA 0x8141220 now has 2 references (sa_release) +110303.637466 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110303.637536 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110303.637608 SA 80 sa_reference: SA 0x8141220 now has 3 references +110303.637670 SA 70 sa_enter: SA 0x8141220 added to SA list +110303.637733 Mesg 90 message_check_duplicate: last_received 0x0 +110303.637814 Mesg 20 message_free: freeing 0x81409e0 +110303.680187 Timr 10 timer_remove_event: removing event message_send_expire(0x81409e0) +110303.680290 Trpt 90 transport_release: transport 0x8140880 had 1 references +110303.680356 Trpt 70 transport_release: freeing 0x8140880 +110303.680423 SA 80 sa_release: SA 0x8141220 had 3 references +110303.680488 SA 80 sa_release: SA 0x8141220 now has 2 references (sa_release) +110303.680551 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110303.680633 Mesg 50 message_parse_payloads: offset 0x1c payload SA +110303.680707 Mesg 60 message_validate_payloads: payload SA at 0x8141c24 of message 0x81413c8 +110303.680798 Mesg 70 DOI: 2 +110303.680866 SA 80 sa_reference: SA 0x8141220 now has 3 references +110303.680934 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL +110303.681004 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM +110303.681070 Mesg 50 Transform 0's attributes +110303.681138 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x8141c30 of message 0x81413c8 +110303.681211 Mesg 70 NO: 1 +110303.681291 Mesg 70 PROTO: ISAKMP +110303.681359 Mesg 70 SPI_SZ: 0 +110303.681423 Mesg 70 NTRANSFORMS: 1 +110303.681489 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x8141c38 of message 
0x81413c8 +110303.681561 Mesg 70 NO: 0 +110303.681624 Mesg 70 ID: 1 +110303.681697 Exch 90 exchange_validate: checking for required SA +110303.681794 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok +110303.681870 SA 80 sa_add_transform: proto 0x813e8d0 no 1 proto 1 chosen 0x813e940 sa 0x8141220 id 1 +110303.681947 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +110303.682025 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +110303.682100 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +110303.682172 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +110303.682254 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +110303.682328 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +110303.682402 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +110303.682471 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +110303.682542 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +110303.682613 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +110303.682680 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +110303.682745 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +110303.682857 Misc 90 conf_match_num: LIFE_60_SECS:LIFE_DURATION 45<=60<=72? +110303.682955 Negt 20 ike_phase_1_validate_prop: success +110303.683022 Negt 30 message_negotiate_sa: proposal 1 succeeded +110303.683085 Misc 20 ipsec_decode_transform: transform 0 chosen +110303.683170 Misc 70 group_get: returning 0x81412f0 of group 2 +110303.683255 Exch 40 exchange_run: exchange 0x81408d0 finished step 1, advancing... 
+110303.683374 Trpt 90 transport_reference: transport 0x8141378 now has 3 references +110303.683451 Mesg 90 message_alloc: allocated 0x8141c60 +110303.683516 SA 80 sa_reference: SA 0x8141220 now has 4 references +110303.728970 Misc 80 ipsec_g_x: g^xi: +110303.729110 Misc 80 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +110303.729249 Misc 80 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +110303.729375 Misc 80 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +110303.729500 Misc 80 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +110303.729581 Exch 80 exchange_nonce: NONCE_i: +110303.729673 Exch 80 fb85e612 29a5c670 d1ed0e52 e63f4a37 +110303.729738 Exch 90 exchange_validate: checking for required KEY_EXCH +110303.729826 Exch 90 exchange_validate: checking for required NONCE +110303.729893 Mesg 70 message_send: message 0x8141c60 +110303.729974 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110303.730053 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110303.730117 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +110303.730183 Mesg 70 VERSION: 16 +110303.730257 Mesg 70 EXCH_TYPE: ID_PROT +110303.730322 Mesg 70 FLAGS: [ ] +110303.821014 Mesg 70 MESSAGE_ID: 0x00000000 +110303.821090 Mesg 70 LENGTH: 180 +110303.821229 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000 000000b4 0a000084 +110303.821360 Mesg 70 message_send: a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +110303.821487 Mesg 70 message_send: a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +110303.821614 Mesg 70 message_send: f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +110303.821760 Mesg 70 message_send: 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +110303.821868 Mesg 70 message_send: 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37 +110303.821940 Exch 40 exchange_run: exchange 0x81408d0 finished step 2, advancing... 
+110303.822016 Trpt 90 transport_reference: transport 0x8141378 now has 4 references +110303.822086 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110303.822153 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110303.822233 Trpt 90 transport_release: transport 0x8141378 had 4 references +110303.822299 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110303.822363 Trpt 90 transport_release: transport 0x8140170 had 2 references +110303.822474 Trpt 90 transport_reference: transport 0x8141378 now has 4 references +110303.822544 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110303.822613 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110303.822793 Misc 60 conf_get_str: [General]:retransmits->5 +110303.822878 Trpt 30 transport_send_messages: message 0x8141c60 scheduled for retransmission 1 in 7 secs +110303.822962 Timr 10 timer_add_event: event message_send_expire(0x8141c60) added before connection_checker(0x813f378), expiration in 7s +110303.823034 Trpt 90 transport_release: transport 0x8141378 had 4 references +110303.823097 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110303.823160 Trpt 90 transport_release: transport 0x8140170 had 2 references +110304.322073 Trpt 70 transport_add: adding 0x8140880 +110304.322271 Trpt 90 transport_reference: transport 0x8140880 now has 1 references +110304.322374 Mesg 90 message_alloc: allocated 0x81427e0 +110304.322445 Mesg 70 message_recv: message 0x81427e0 +110304.322536 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110304.322620 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110304.322700 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +110304.322780 Mesg 70 VERSION: 16 +110304.322848 Mesg 70 EXCH_TYPE: ID_PROT +110304.322916 Mesg 70 FLAGS: [ ] +110304.322993 Mesg 70 MESSAGE_ID: 0x00000000 +110304.323072 Mesg 70 LENGTH: 180 +110304.323217 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000 000000b4 0a000084 
+110304.323354 Mesg 70 message_recv: 0aa827d3 ad52dbf1 db546aa5 56130eb3 c33786ab 7293b263 7cd64f96 8a7cd3fc +110304.323498 Mesg 70 message_recv: 4661c7c3 a1cccd81 e0c2b4a0 09900d55 412a27f9 8e2cf80d c91730ed 1f8d9d8b +110304.323633 Mesg 70 message_recv: 1aadc3f0 bd910223 1d151761 01699eca 92e8b85f ab32b442 7f91f163 d7e88648 +110304.323765 Mesg 70 message_recv: 745214e2 cf84cc80 e0f523ae 57176b94 564bebaf 55f142a5 2228798f 26d5082f +110304.323877 Mesg 70 message_recv: 00000014 fb40c23d fa26a01b aadea179 3ac3c675 +110304.323956 SA 80 sa_reference: SA 0x8141220 now has 5 references +110304.324027 Mesg 90 message_check_duplicate: last_received 0x81413c8 +110304.324094 Mesg 95 message_check_duplicate: last_received: +110304.324236 Mesg 95 957e3b86 f602b129 232f5e1e 4f192e67 01100200 00000000 00000050 00000034 +110304.324382 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +110304.324486 Mesg 95 80030001 80040002 800b0001 800c003c +110304.324552 Mesg 20 message_free: freeing 0x8141c60 +110304.324625 Timr 10 timer_remove_event: removing event message_send_expire(0x8141c60) +110304.324707 Trpt 90 transport_release: transport 0x8141378 had 3 references +110304.324776 SA 80 sa_release: SA 0x8141220 had 5 references +110304.324846 SA 80 sa_release: SA 0x8141220 now has 4 references (sa_release) +110304.324914 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110304.325000 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH +110304.325076 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE +110304.325168 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x814259c of message 0x81427e0 +110304.325251 Mesg 60 message_validate_payloads: payload NONCE at 0x8142620 of message 0x81427e0 +110304.325334 Exch 90 exchange_validate: checking for required KEY_EXCH +110304.325401 Exch 90 exchange_validate: checking for required NONCE +110304.325482 Misc 80 ipsec_g_x: g^xr: +110304.325604 Misc 80 0aa827d3 ad52dbf1 db546aa5 
56130eb3 c33786ab 7293b263 7cd64f96 8a7cd3fc +110304.325734 Misc 80 4661c7c3 a1cccd81 e0c2b4a0 09900d55 412a27f9 8e2cf80d c91730ed 1f8d9d8b +110304.325863 Misc 80 1aadc3f0 bd910223 1d151761 01699eca 92e8b85f ab32b442 7f91f163 d7e88648 +110304.325991 Misc 80 745214e2 cf84cc80 e0f523ae 57176b94 564bebaf 55f142a5 2228798f 26d5082f +110304.326069 Exch 80 exchange_nonce: NONCE_r: +110304.326187 Exch 80 fb40c23d fa26a01b aadea179 3ac3c675 +110304.377884 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy: +110304.378130 Negt 80 3566c7dc adeac30a 7690c318 8a974fea a97f59d4 391c3e51 32dab30e 863ef192 +110304.378321 Negt 80 711d7920 2f702636 4312a76b b0ed881e eb9b2cc1 a793145a a679905f bdd84176 +110304.378511 Negt 80 2b980c74 d22b9f12 572554ac 8898036e ebdb1a3c efb056f6 ac3108e1 cc9b0262 +110304.378701 Negt 80 ab693ccb b9a0c931 8b741fb3 6d341382 8575647a af929c5a f09c5d72 759fa5e7 +110304.378844 Misc 60 conf_get_str: [GDOI-key-server]:Authentication->mekmitasdigoat +110304.379041 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID: +110304.379221 Negt 80 cca17737 fee4d58b f459804b 146ccee6 902cec7b +110304.379374 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d: +110304.379542 Negt 80 ea265791 5352b9e2 5189f8e5 8d302c7e 560bd9ed +110304.379687 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a: +110304.379853 Negt 80 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +110304.379999 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e: +110304.380177 Negt 80 33593849 a445b93b 805caf11 4b9bf022 39569375 +110304.380335 Cryp 40 crypto_init: key: +110304.380510 Cryp 40 335a62df f6f5170e 0c138fe5 34fae831 23df5616 5fe37e3c +110304.380674 Cryp 50 crypto_update_iv: initialized IV: +110304.380820 Cryp 50 ce9979b5 51876db2 +110304.380950 Mesg 20 message_free: freeing 0x81413c8 +110304.381086 Trpt 90 transport_release: transport 0x8141378 had 2 references +110304.381230 SA 80 sa_release: SA 0x8141220 had 4 references +110304.381358 SA 80 sa_release: SA 0x8141220 now has 3 references 
(sa_release) +110304.381486 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110304.381605 Exch 40 exchange_run: exchange 0x81408d0 finished step 3, advancing... +110304.381706 Trpt 90 transport_reference: transport 0x8140880 now has 2 references +110304.381780 Mesg 90 message_alloc: allocated 0x81413c8 +110304.381844 SA 80 sa_reference: SA 0x8141220 now has 4 references +110304.381923 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:ID +110304.382000 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID +110304.382084 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: +110304.382170 Negt 40 0a00e025 +110304.382278 Misc 80 pre_shared_encode_hash: HASH_I: +110304.382382 Misc 80 503d7648 920baeaf 2475ef09 89167c9d d9d7df11 +110304.382468 Exch 90 exchange_validate: checking for required ID +110304.382537 Exch 90 exchange_validate: checking for required AUTH +110304.382618 Cryp 10 crypto_encrypt: before encryption: +110304.382744 Cryp 10 0800000c 01000000 0a00e025 0b000018 503d7648 920baeaf 2475ef09 89167c9d +110304.382871 Cryp 10 d9d7df11 0000001c 00000001 01106002 957e3b86 f602b129 232f5e1e 4f192e67 +110304.383012 Cryp 30 crypto_encrypt: after encryption: +110304.383151 Cryp 30 da019838 e7e4d036 05079dd4 199522a4 41a19ebd 5508ed18 52d7b4b6 cf63f939 +110304.383278 Cryp 30 e2a686e1 1c8be76d 4e25d6a9 08a03476 86aa4dbc c140348e 0779158e 94e5e346 +110304.383346 Cryp 50 crypto_update_iv: updated IV: +110304.383421 Cryp 50 0779158e 94e5e346 +110304.383482 Mesg 70 message_send: message 0x81413c8 +110304.383562 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110304.383641 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110304.383705 Mesg 70 NEXT_PAYLOAD: ID +110304.383771 Mesg 70 VERSION: 16 +110304.383833 Mesg 70 EXCH_TYPE: ID_PROT +110304.383899 Mesg 70 FLAGS: [ ENC ] +110304.383970 Mesg 70 MESSAGE_ID: 0x00000000 +110304.384035 Mesg 70 LENGTH: 92 +110304.384172 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 05100201 00000000 0000005c 
da019838 +110304.384302 Mesg 70 message_send: e7e4d036 05079dd4 199522a4 41a19ebd 5508ed18 52d7b4b6 cf63f939 e2a686e1 +110304.384421 Mesg 70 message_send: 1c8be76d 4e25d6a9 08a03476 86aa4dbc c140348e 0779158e 94e5e346 +110304.384491 Exch 40 exchange_run: exchange 0x81408d0 finished step 4, advancing... +110304.384565 Trpt 90 transport_reference: transport 0x8140880 now has 3 references +110304.384634 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110304.384702 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110304.384770 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110304.384838 Trpt 90 transport_release: transport 0x8140880 had 3 references +110304.384901 Trpt 90 transport_release: transport 0x8141378 had 2 references +110304.384963 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110304.385026 Trpt 90 transport_release: transport 0x8140170 had 2 references +110304.385150 Trpt 90 transport_reference: transport 0x8140880 now has 3 references +110304.385223 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110304.385291 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110304.385359 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110304.385526 Misc 60 conf_get_str: [General]:retransmits->5 +110304.385611 Trpt 30 transport_send_messages: message 0x81413c8 scheduled for retransmission 1 in 7 secs +110304.385728 Timr 10 timer_add_event: event message_send_expire(0x81413c8) added before connection_checker(0x813f378), expiration in 7s +110304.385802 Trpt 90 transport_release: transport 0x8140880 had 3 references +110304.385865 Trpt 90 transport_release: transport 0x8141378 had 2 references +110304.385927 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110304.385990 Trpt 90 transport_release: transport 0x8140170 had 2 references +110305.340768 Trpt 70 transport_add: adding 0x8140e10 +110305.340887 Trpt 
90 transport_reference: transport 0x8140e10 now has 1 references +110305.340981 Mesg 90 message_alloc: allocated 0x8141c08 +110305.341050 Mesg 70 message_recv: message 0x8141c08 +110305.341136 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110305.341218 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110305.341286 Mesg 70 NEXT_PAYLOAD: ID +110305.341356 Mesg 70 VERSION: 16 +110305.341421 Mesg 70 EXCH_TYPE: ID_PROT +110305.341491 Mesg 70 FLAGS: [ ENC ] +110305.341526 Mesg 70 MESSAGE_ID: 0x00000000 +110305.341594 Mesg 70 LENGTH: 92 +110305.341719 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 05100201 00000000 0000005c 2852d718 +110305.341851 Mesg 70 message_recv: 1631ba40 cc84ae6e 19e5e061 cea4a622 c8b19683 547a39e7 e549a72b 66b4c3a4 +110305.342082 Mesg 70 message_recv: 082b5c54 2dc99eb4 5a60c66c 7d63b8b9 844c43ea 99869bed 414579f8 +110305.342171 SA 80 sa_reference: SA 0x8141220 now has 5 references +110305.342243 Mesg 90 message_check_duplicate: last_received 0x81427e0 +110305.342307 Mesg 95 message_check_duplicate: last_received: +110305.342431 Mesg 95 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000 000000b4 0a000084 +110305.342561 Mesg 95 0aa827d3 ad52dbf1 db546aa5 56130eb3 c33786ab 7293b263 7cd64f96 8a7cd3fc +110305.342691 Mesg 95 4661c7c3 a1cccd81 e0c2b4a0 09900d55 412a27f9 8e2cf80d c91730ed 1f8d9d8b +110305.342820 Mesg 95 1aadc3f0 bd910223 1d151761 01699eca 92e8b85f ab32b442 7f91f163 d7e88648 +110305.342962 Mesg 95 745214e2 cf84cc80 e0f523ae 57176b94 564bebaf 55f142a5 2228798f 26d5082f +110305.343072 Mesg 95 00000014 fb40c23d fa26a01b aadea179 3ac3c675 +110305.343139 Mesg 20 message_free: freeing 0x81413c8 +110305.343209 Timr 10 timer_remove_event: removing event message_send_expire(0x81413c8) +110305.343289 Trpt 90 transport_release: transport 0x8140880 had 2 references +110305.343358 SA 80 sa_release: SA 0x8141220 had 5 references +110305.343427 SA 80 sa_release: SA 0x8141220 now has 4 references (sa_release) +110305.343494 SA 80 sa_release: SA 0x8141220 
returning without freeing SA +110305.343576 Cryp 10 crypto_decrypt: before decryption: +110305.343700 Cryp 10 2852d718 1631ba40 cc84ae6e 19e5e061 cea4a622 c8b19683 547a39e7 e549a72b +110305.343829 Cryp 10 66b4c3a4 082b5c54 2dc99eb4 5a60c66c 7d63b8b9 844c43ea 99869bed 414579f8 +110305.343949 Cryp 30 crypto_decrypt: after decryption: +110305.344080 Cryp 30 0800000c 01000000 0a00e02c 0b000018 be1dd779 72a697e7 8466e026 9e243c7d +110305.344212 Cryp 30 ebbf29d4 0000001c 00000001 01106002 957e3b86 f602b129 232f5e1e 4f192e67 +110305.344299 Mesg 50 message_parse_payloads: offset 0x1c payload ID +110305.344371 Mesg 50 message_parse_payloads: offset 0x28 payload HASH +110305.344442 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY +110305.344515 Mesg 60 message_validate_payloads: payload ID at 0x8140f4c of message 0x8141c08 +110305.344611 Mesg 70 TYPE: 1 +110305.344687 Mesg 70 DOI_DATA: 0x000000 +110305.344758 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1 +110305.344823 Mesg 40 gdoi_validate_id_information: IPv4: +110305.344909 Mesg 40 0a00e02c +110305.344980 Mesg 60 message_validate_payloads: payload HASH at 0x8140f58 of message 0x8141c08 +110305.345059 Mesg 60 message_validate_payloads: payload NOTIFY at 0x8140f70 of message 0x8141c08 +110305.345135 Mesg 70 DOI: IPSEC +110305.345201 Mesg 70 PROTO: ISAKMP +110305.345270 Mesg 70 SPI_SZ: 16 +110305.345339 Mesg 70 MSG_TYPE: INITIAL_CONTACT +110305.345418 Exch 90 exchange_validate: checking for required ID +110305.345488 Exch 90 exchange_validate: checking for required AUTH +110305.345562 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR: +110305.345636 Negt 40 0a00e02c +110305.345704 Misc 80 pre_shared_decode_hash: HASH_R: +110305.345805 Misc 80 be1dd779 72a697e7 8466e026 9e243c7d ebbf29d4 +110305.345936 Negt 80 ike_phase_1_recv_AUTH: computed HASH_R: +110305.346043 Negt 80 be1dd779 72a697e7 8466e026 9e243c7d ebbf29d4 +110305.346109 Exch 10 exchange_run: unexpected payload NOTIFY +110305.346181 Mesg 20 
message_free: freeing 0x81427e0 +110305.346253 Trpt 90 transport_release: transport 0x8140880 had 1 references +110305.346320 Trpt 70 transport_release: freeing 0x8140880 +110305.346388 SA 80 sa_release: SA 0x8141220 had 4 references +110305.346455 SA 80 sa_release: SA 0x8141220 now has 3 references (sa_release) +110305.346530 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110305.346601 Cryp 50 crypto_update_iv: updated IV: +110305.346681 Cryp 50 99869bed 414579f8 +110305.346757 Exch 10 exchange_finalize: 0x81408d0 GDOI-key-server Default-main-mode policy initiator phase 1 doi 2 exchange 2 step 5 +110305.346838 Exch 10 exchange_finalize: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67 +110305.346924 Exch 10 exchange_finalize: msgid 00000000 +110305.347344 SA 90 sa_find: no SA matched query +110305.347434 Misc 60 conf_get_str: configuration value not found [GDOI-key-server]:Flags +110305.347645 Exch 10 exchange_finalize: phase 1 done: initiator id 0a00e025: 10.0.224.37, responder id 0a00e02c: 10.0.224.44, src: 10.0.224.37 dst: 10.0.224.44 +110305.347746 Timr 95 sa_setup_expirations: SA 0x8141220 soft timeout in 52 seconds +110305.347835 Timr 10 timer_add_event: event sa_soft_expire(0x8141220) added before connection_checker(0x813f378), expiration in 52s +110305.347919 SA 80 sa_reference: SA 0x8141220 now has 4 references +110305.347994 Timr 95 sa_setup_expirations: SA 0x8141220 hard timeout in 60 seconds +110305.348078 Timr 10 timer_add_event: event sa_hard_expire(0x8141220) added before exchange_free_aux(0x81408d0), expiration in 60s +110305.348149 SA 80 sa_reference: SA 0x8141220 now has 5 references +110305.348210 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!! + +110305.348286 Exch 20 exchange_establish_finalize: finalizing exchange 0x81408d0 with arg 0x813f168 (Group-1234) & fail = 0 +110305.348364 Misc 60 conf_get_str: [Group-1234]:Phase->2 +110305.348436 Exch 90 exchange_lookup_by_name: Group-1234 == GDOI-key-server && 2 == 1? 
+110305.348509 Misc 60 conf_get_str: [Group-1234]:ISAKMP-peer->GDOI-key-server +110305.348576 SA 90 sa_find: return SA 0x8141220 +110305.348642 Misc 60 conf_get_str: [Group-1234]:Configuration->Default-group-mode +110305.348714 Misc 60 conf_get_str: configuration value not found [Group-1234]:Acquire-ID +110305.348786 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +110305.348853 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +110305.348951 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +110305.349035 Timr 10 timer_add_event: event exchange_free_aux(0x8140fa8) added before cookie_reset_event((nil)), expiration in 120s +110305.349112 Misc 60 conf_get_str: [Group-1234]:Configuration->Default-group-mode +110305.349193 Exch 10 exchange_establish_p2: 0x8140fa8 Group-1234 Default-group-mode policy initiator phase 2 doi 2 exchange 32 step 0 +110305.349270 Exch 10 exchange_establish_p2: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67 +110305.349340 Exch 10 exchange_establish_p2: msgid 3cc1f923 sa_list +110305.349415 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110305.349488 Mesg 90 message_alloc: allocated 0x81427e0 +110305.349551 SA 80 sa_reference: SA 0x8141220 now has 6 references +110305.349633 Exch 80 exchange_nonce: NONCE_i: +110305.349728 Exch 80 7cb79b64 94c75a27 75653839 d80ff11c +110305.349795 Misc 60 conf_get_str: [Group-1234]:Group-ID->Group-1 +110305.349864 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID +110305.349951 Misc 60 conf_get_str: [Group-1]:Key-value->1234 +110305.350020 Misc 90 initiator_send_HASH_NONCE_ID: ID: +110305.350105 Misc 90 00000000 0b000000 000004d2 +110305.350173 Misc 90 group_do_hash: SKEYID_a: +110305.350271 Misc 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +110305.350349 Misc 90 group_do_hash: message_id: +110305.350421 Misc 90 3cc1f923 +110305.350484 Misc 90 group_fill_in_hash: payload 1 after HASH: +110305.350583 Misc 90 05000014 7cb79b64 94c75a27 75653839 d80ff11c 
+110305.350651 Misc 90 group_fill_in_hash: payload 2 after HASH: +110305.350735 Misc 90 0000000c 0b000000 000004d2 +110305.350806 Misc 80 group_fill_in_hash: HASH: +110305.350920 Misc 80 515d3409 a7a6c155 6b9b73b2 cab62b0f eb43e712 +110305.350986 Exch 90 exchange_validate: checking for required HASH +110305.351049 Exch 90 exchange_validate: checking for required NONCE +110305.351112 Exch 90 exchange_validate: checking for required ID +110305.351180 Cryp 80 gdoi_get_keystate: final phase 1 IV: +110305.351257 Cryp 80 99869bed 414579f8 +110305.351316 Cryp 80 gdoi_get_keystate: message ID: +110305.351382 Cryp 80 3cc1f923 +110305.351447 Cryp 50 crypto_update_iv: initialized IV: +110305.351529 Cryp 50 6e0432e0 2c1fd20f +110305.351588 Cryp 80 gdoi_get_keystate: phase 2 IV: +110305.351663 Cryp 80 6e0432e0 2c1fd20f +110305.351729 Cryp 10 crypto_encrypt: before encryption: +110305.463128 Cryp 10 0a000018 515d3409 a7a6c155 6b9b73b2 cab62b0f eb43e712 05000014 7cb79b64 +110305.463255 Cryp 10 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2 +110305.463349 Cryp 30 crypto_encrypt: after encryption: +110305.463469 Cryp 30 0b93aedc dae3d29b db990eee 33948e2e 5741d730 c39df964 60127d2c 3c534970 +110305.463580 Cryp 30 736349a2 46f94d8a 3d2d1ace b3721b78 626fbc58 d23457fb +110305.463640 Cryp 50 crypto_update_iv: updated IV: +110305.463713 Cryp 50 626fbc58 d23457fb +110305.463774 Mesg 70 message_send: message 0x81427e0 +110305.463854 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110305.463954 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110305.464018 Mesg 70 NEXT_PAYLOAD: HASH +110305.464082 Mesg 70 VERSION: 16 +110305.464144 Mesg 70 EXCH_TYPE: QUICK_MODE +110305.464209 Mesg 70 FLAGS: [ ENC ] +110305.464278 Mesg 70 MESSAGE_ID: 0x3cc1f923 +110305.464343 Mesg 70 LENGTH: 84 +110305.464464 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 00000054 0b93aedc +110305.464589 Mesg 70 message_send: dae3d29b db990eee 33948e2e 5741d730 c39df964 60127d2c 3c534970 736349a2 
+110305.464692 Mesg 70 message_send: 46f94d8a 3d2d1ace b3721b78 626fbc58 d23457fb +110305.464761 Exch 40 exchange_run: exchange 0x8140fa8 finished step 0, advancing... +110305.464838 SA 80 sa_release: SA 0x8141220 had 6 references +110305.464920 SA 80 sa_release: SA 0x8141220 now has 5 references (sa_release) +110305.464984 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110305.465051 Timr 10 timer_remove_event: removing event exchange_free_aux(0x81408d0) +110305.465120 Exch 80 exchange_free_aux: freeing exchange 0x81408d0 +110305.465182 Mesg 20 message_free: freeing 0x8141c08 +110305.465250 Trpt 90 transport_release: transport 0x8140e10 had 1 references +110305.465314 Trpt 70 transport_release: freeing 0x8140e10 +110305.465380 SA 80 sa_release: SA 0x8141220 had 5 references +110305.465444 SA 80 sa_release: SA 0x8141220 now has 4 references (sa_release) +110305.465508 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110305.465585 Trpt 90 transport_reference: transport 0x8141378 now has 3 references +110305.465657 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110305.465724 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110305.465792 Trpt 90 transport_release: transport 0x8141378 had 3 references +110305.465854 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110305.465935 Trpt 90 transport_release: transport 0x8140170 had 2 references +110305.466052 Trpt 90 transport_reference: transport 0x8141378 now has 3 references +110305.466124 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110305.466193 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110305.466365 Misc 60 conf_get_str: [General]:retransmits->5 +110305.466452 Trpt 30 transport_send_messages: message 0x81427e0 scheduled for retransmission 1 in 7 secs +110305.466570 Timr 10 timer_add_event: event message_send_expire(0x81427e0) added before sa_soft_expire(0x8141220), expiration 
in 7s +110305.466644 Trpt 90 transport_release: transport 0x8141378 had 3 references +110305.466707 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110305.466770 Trpt 90 transport_release: transport 0x8140170 had 2 references +110306.843840 Trpt 70 transport_add: adding 0x8140e10 +110306.843975 Trpt 90 transport_reference: transport 0x8140e10 now has 1 references +110306.844054 Mesg 90 message_alloc: allocated 0x8141570 +110306.844120 Mesg 70 message_recv: message 0x8141570 +110306.844207 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110306.844288 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110306.844357 Mesg 70 NEXT_PAYLOAD: HASH +110306.844426 Mesg 70 VERSION: 16 +110306.844492 Mesg 70 EXCH_TYPE: QUICK_MODE +110306.844562 Mesg 70 FLAGS: [ ENC ] +110306.844653 Mesg 70 MESSAGE_ID: 0x3cc1f923 +110306.844721 Mesg 70 LENGTH: 228 +110306.844846 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 000000e4 922da769 +110306.844979 Mesg 70 message_recv: d9014a10 21861bdb e9231aa2 415cffe6 f1dfae01 b2d03ea5 c81f6936 4375540c +110306.845111 Mesg 70 message_recv: 8aeae663 2eabfbb5 b07622ea 9440a426 6aeffb61 b5e6841c 4f7b1f27 f30640a3 +110306.845243 Mesg 70 message_recv: 5983a88d 5bf90a28 44de2c7a d858d7e0 c2b9c536 86c26748 23ec6f56 29d56f0f +110306.845378 Mesg 70 message_recv: 7e035eb2 10566be2 9bcc7605 032f2ab2 15a7b307 61ca1f88 1e061cb9 757a3144 +110306.845509 Mesg 70 message_recv: 2bdb87e6 aacbdfaa 3b6ab0ce b9979ea0 f661cc53 826b987a 957bbdc6 94f3a089 +110306.845652 Mesg 70 message_recv: 1a0b3f05 b03b04d0 8b193751 3a89c43a b8161452 7ccf4144 391a041c 5775e24a +110306.845737 Mesg 70 message_recv: e2ba0f20 +110306.845807 SA 80 sa_reference: SA 0x8141220 now has 5 references +110306.845877 Mesg 90 message_check_duplicate: last_received 0x0 +110306.845943 Mesg 20 message_free: freeing 0x81427e0 +110306.846014 Timr 10 timer_remove_event: removing event message_send_expire(0x81427e0) +110306.846093 Trpt 90 transport_release: transport 0x8141378 had 2 
references +110306.846163 SA 80 sa_release: SA 0x8141220 had 5 references +110306.846231 SA 80 sa_release: SA 0x8141220 now has 4 references (sa_release) +110306.846306 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110306.846390 Cryp 10 crypto_decrypt: before decryption: +110306.846517 Cryp 10 922da769 d9014a10 21861bdb e9231aa2 415cffe6 f1dfae01 b2d03ea5 c81f6936 +110306.846656 Cryp 10 4375540c 8aeae663 2eabfbb5 b07622ea 9440a426 6aeffb61 b5e6841c 4f7b1f27 +110306.846786 Cryp 10 f30640a3 5983a88d 5bf90a28 44de2c7a d858d7e0 c2b9c536 86c26748 23ec6f56 +110306.846915 Cryp 10 29d56f0f 7e035eb2 10566be2 9bcc7605 032f2ab2 15a7b307 61ca1f88 1e061cb9 +110306.847042 Cryp 10 757a3144 2bdb87e6 aacbdfaa 3b6ab0ce b9979ea0 f661cc53 826b987a 957bbdc6 +110306.847170 Cryp 10 94f3a089 1a0b3f05 b03b04d0 8b193751 3a89c43a b8161452 7ccf4144 391a041c +110306.847254 Cryp 10 5775e24a e2ba0f20 +110306.847402 Cryp 30 crypto_decrypt: after decryption: +110306.847528 Cryp 30 0a000018 ab8df0ff 90e2c084 0bb2bd08 e1b1a328 8ec714b1 01000014 29a5c670 +110306.847669 Cryp 30 d1ed0e52 e63f4a37 05f04e4f 0000009b 00000002 00000000 000f0000 10000035 +110306.847801 Cryp 30 11010350 040a00e0 2c010350 04ef0a01 01616263 64656667 68303132 33343536 +110306.847933 Cryp 30 37000000 00800200 02800500 02800600 01100000 2b010001 0000040a 00e02501 +110306.848064 Cryp 30 000004ef 01010103 1122aabb 80040002 80050002 80010001 8002003c 0000002b +110306.848195 Cryp 30 01000100 00040a00 e0280100 0004ef01 01020333 44ccdd80 04000280 05000280 +110306.848281 Cryp 30 01000180 02003c00 +110306.848359 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +110306.848431 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE +110306.848501 Mesg 50 message_parse_payloads: offset 0x48 payload SA +110306.848587 Mesg 60 message_validate_payloads: payload SA at 0x81408c8 of message 0x8141570 +110306.848669 Mesg 70 DOI: 2 +110306.848741 Mesg 60 message_validate_payloads: payload HASH at 0x814089c of message 
0x8141570 +110306.848821 Mesg 60 message_validate_payloads: payload NONCE at 0x81408b4 of message 0x8141570 +110306.848905 Exch 90 exchange_validate: checking for required HASH +110306.848974 Exch 90 exchange_validate: checking for required NONCE +110306.849041 Exch 90 exchange_validate: checking for required SA +110306.849139 Exch 80 exchange_nonce: NONCE_r: +110306.849666 Exch 80 29a5c670 d1ed0e52 e63f4a37 05f04e4f +110306.849812 Negt 90 group_check_hash: SKEYID_a: +110306.849973 Negt 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +110306.850125 Negt 90 group_check_hash: message_id: +110306.850260 Negt 90 3cc1f923 +110306.850383 Negt 90 group_check_hash: NONCE_I_b: +110306.850536 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +110306.850671 Negt 90 group_check_hash: payloads after HASH: +110306.850858 Negt 90 01000014 29a5c670 d1ed0e52 e63f4a37 05f04e4f 0000009b 00000002 00000000 +110306.851050 Negt 90 000f0000 10000035 11010350 040a00e0 2c010350 04ef0a01 01616263 64656667 +110306.851243 Negt 90 68303132 33343536 37000000 00800200 02800500 02800600 01100000 2b010001 +110306.851438 Negt 90 0000040a 00e02501 000004ef 01010103 1122aabb 80040002 80050002 80010001 +110306.851646 Negt 90 8002003c 0000002b 01000100 00040a00 e0280100 0004ef01 01020333 44ccdd80 +110306.851809 Negt 90 04000280 05000280 01000180 02003c +110306.851952 Negt 80 group_check_hash: computed HASH: +110306.852116 Negt 80 ab8df0ff 90e2c084 0bb2bd08 e1b1a328 8ec714b1 +110306.852245 Default Payload type: 15 + +110306.852499 Default group_handle_incoming_kek: Got SPI: abcdefgh01234567 +110306.852652 Default Payload type: 16 + +110306.852789 Trpt 90 transport_reference: transport 0x8140e10 now has 2 references +110306.852928 SA 80 sa_reference: SA 0x8141e48 now has 1 references +110306.853054 SA 70 sa_enter: SA 0x8141e48 added to SA list +110306.853180 SA 80 sa_reference: SA 0x8141e48 now has 2 references +110306.853310 SA 60 sa_create: sa 0x8141e48 phase 2 added to exchange 0x8140fa8 (Group-1234) 
+110306.853457 Default SPI found (SA) 287484603 287484603 (0x1122aabb) for sa 0x8141e48 +110306.853605 Default Payload type: 16 + +110306.853746 Trpt 90 transport_reference: transport 0x8140e10 now has 3 references +110306.853885 SA 80 sa_reference: SA 0x8142040 now has 1 references +110306.854011 SA 70 sa_enter: SA 0x8142040 added to SA list +110306.854137 SA 80 sa_reference: SA 0x8142040 now has 2 references +110306.854266 SA 60 sa_create: sa 0x8142040 phase 2 added to exchange 0x8140fa8 (Group-1234) +110306.854413 Default SPI found (SA) 860146909 860146909 (0x3344ccdd) for sa 0x8142040 +110306.854557 Cryp 50 crypto_update_iv: updated IV: +110306.854714 Cryp 50 5775e24a e2ba0f20 +110306.854840 Exch 40 exchange_run: exchange 0x8140fa8 finished step 1, advancing... +110306.854989 Trpt 90 transport_reference: transport 0x8140e10 now has 4 references +110306.855128 Mesg 90 message_alloc: allocated 0x81427e0 +110306.855257 SA 80 sa_reference: SA 0x8141220 now has 5 references +110306.855395 Misc 90 group_do_hash: SKEYID_a: +110306.855559 Misc 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +110306.855713 Misc 90 group_do_hash: message_id: +110306.855849 Misc 90 3cc1f923 +110306.855969 Negt 90 group_fill_in_hash: NONCE_I_b: +110306.856123 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +110306.856246 Negt 90 group_fill_in_hash: NONCE_R_b: +110306.856401 Negt 90 29a5c670 d1ed0e52 e63f4a37 05f04e4f +110306.856535 Misc 80 group_fill_in_hash: HASH: +110306.856712 Misc 80 8cdfdb9b 6b7d631d 08a1799b a08201e1 c34856be +110306.856837 Exch 90 exchange_validate: checking for required HASH +110306.856969 Cryp 10 crypto_encrypt: before encryption: +110306.857140 Cryp 10 00000018 8cdfdb9b 6b7d631d 08a1799b a08201e1 c34856be +110306.857281 Cryp 30 crypto_encrypt: after encryption: +110306.857453 Cryp 30 e5a63e6e ac3f1e35 6f4b7c2b 412b1b0a 129284eb 5a959d47 +110306.857591 Cryp 50 crypto_update_iv: updated IV: +110306.857733 Cryp 50 129284eb 5a959d47 +110306.857856 Mesg 70 message_send: 
message 0x81427e0 +110306.858001 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110306.858142 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110306.858267 Mesg 70 NEXT_PAYLOAD: HASH +110306.858398 Mesg 70 VERSION: 16 +110306.858523 Mesg 70 EXCH_TYPE: QUICK_MODE +110306.858664 Mesg 70 FLAGS: [ ENC ] +110306.858800 Mesg 70 MESSAGE_ID: 0x3cc1f923 +110306.858929 Mesg 70 LENGTH: 52 +110306.859115 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 00000034 e5a63e6e +110306.859273 Mesg 70 message_send: ac3f1e35 6f4b7c2b 412b1b0a 129284eb 5a959d47 +110306.859348 Exch 40 exchange_run: exchange 0x8140fa8 finished step 2, advancing... +110306.859422 Trpt 90 transport_reference: transport 0x8140e10 now has 5 references +110306.859492 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110306.859559 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110306.859644 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110306.859713 Trpt 90 transport_release: transport 0x8140e10 had 5 references +110306.859777 Trpt 90 transport_release: transport 0x8141378 had 2 references +110306.859838 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110306.859902 Trpt 90 transport_release: transport 0x8140170 had 2 references +110306.860012 Trpt 90 transport_reference: transport 0x8140e10 now has 5 references +110306.860083 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110306.860151 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110306.860219 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110306.860379 Misc 60 conf_get_str: [General]:retransmits->5 +110306.860492 Trpt 30 transport_send_messages: message 0x81427e0 scheduled for retransmission 1 in 7 secs +110306.860591 Timr 10 timer_add_event: event message_send_expire(0x81427e0) added before sa_soft_expire(0x8141220), expiration in 7s +110306.860666 Trpt 90 transport_release: transport 0x8140e10 
had 5 references +110306.860731 Trpt 90 transport_release: transport 0x8141378 had 2 references +110306.860793 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110306.860856 Trpt 90 transport_release: transport 0x8140170 had 2 references +110307.960741 Trpt 70 transport_add: adding 0x8140f30 +110307.960868 Trpt 90 transport_reference: transport 0x8140f30 now has 1 references +110307.960948 Mesg 90 message_alloc: allocated 0x8143020 +110307.961015 Mesg 70 message_recv: message 0x8143020 +110307.961101 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +110307.961199 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +110307.961268 Mesg 70 NEXT_PAYLOAD: HASH +110307.961350 Mesg 70 VERSION: 16 +110307.961420 Mesg 70 EXCH_TYPE: QUICK_MODE +110307.961490 Mesg 70 FLAGS: [ ENC ] +110307.961565 Mesg 70 MESSAGE_ID: 0x3cc1f923 +110307.961633 Mesg 70 LENGTH: 420 +110307.961758 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 000001a4 79ae952f +110307.961890 Mesg 70 message_recv: ad84e030 8270f4af e8202ede 799ef945 2f388c45 a32da016 2e55e36d a4d1bc2d +110307.962024 Mesg 70 message_recv: 9bb5c80c 0df793bb 1c2ac84b 17be4d2f bb6aae57 990128ec e715379f 1cae1319 +110307.962177 Mesg 70 message_recv: b8ded5f4 328e7299 d07a022c f5a8e948 e5d1d4f4 f6a57249 bd47df71 d90fcc72 +110307.962311 Mesg 70 message_recv: 6dedeca2 230507f5 6cf00a40 cf517ac0 316a1452 66861dbb 163160d4 668393d3 +110307.962458 Mesg 70 message_recv: a971d546 880df7b4 cc7e6167 d67a9ea1 99f47752 2f648690 9fca3c8c 470b6f43 +110307.962590 Mesg 70 message_recv: 9372997b 442069ec eb1cec3e 7e4bdea7 29bded12 c11bd36b ee4150b3 b82572d7 +110307.962723 Mesg 70 message_recv: f436ab72 148359e6 09a186e3 e3c00460 f731efcc bc495f0d 5b1840ff a43c0219 +110307.962855 Mesg 70 message_recv: efcbf588 df8e92e4 45c1dbd1 4c4d5f43 0bd645a8 25380149 7c9d0ecf ee9f62a6 +110307.962988 Mesg 70 message_recv: 50fb753f 60cf6850 d210072a 2412edf6 93133d3b 34512592 42a99668 4b717b16 +110307.963121 Mesg 70 message_recv: 6dab53a4 2fb90e79 
e445a966 0f40dd49 7bff6de0 07183e33 6b084cbc 3d27c408 +110307.963274 Mesg 70 message_recv: bdfd22f7 998d747b c9378219 06d18e5c 66a8d8b3 bdb558c0 7b4e337b 770cae85 +110307.963529 Mesg 70 message_recv: 64793743 0b34e53e 7a300725 f83ac828 a9c58cab 3a4273f0 3c49f894 0766198a +110307.963626 Mesg 70 message_recv: 5b6b449b +110307.963701 SA 80 sa_reference: SA 0x8141220 now has 6 references +110307.963771 Mesg 90 message_check_duplicate: last_received 0x8141570 +110307.963836 Mesg 95 message_check_duplicate: last_received: +110307.963959 Mesg 95 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 000000e4 922da769 +110307.964089 Mesg 95 d9014a10 21861bdb e9231aa2 415cffe6 f1dfae01 b2d03ea5 c81f6936 4375540c +110307.964234 Mesg 95 8aeae663 2eabfbb5 b07622ea 9440a426 6aeffb61 b5e6841c 4f7b1f27 f30640a3 +110307.964378 Mesg 95 5983a88d 5bf90a28 44de2c7a d858d7e0 c2b9c536 86c26748 23ec6f56 29d56f0f +110307.964511 Mesg 95 7e035eb2 10566be2 9bcc7605 032f2ab2 15a7b307 61ca1f88 1e061cb9 757a3144 +110307.964640 Mesg 95 2bdb87e6 aacbdfaa 3b6ab0ce b9979ea0 f661cc53 826b987a 957bbdc6 94f3a089 +110307.964769 Mesg 95 1a0b3f05 b03b04d0 8b193751 3a89c43a b8161452 7ccf4144 391a041c 5775e24a +110307.964847 Mesg 95 e2ba0f20 +110307.964911 Mesg 20 message_free: freeing 0x81427e0 +110307.964981 Timr 10 timer_remove_event: removing event message_send_expire(0x81427e0) +110307.965060 Trpt 90 transport_release: transport 0x8140e10 had 4 references +110307.965146 SA 80 sa_release: SA 0x8141220 had 6 references +110307.965216 SA 80 sa_release: SA 0x8141220 now has 5 references (sa_release) +110307.965284 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110307.965376 Cryp 10 crypto_decrypt: before decryption: +110307.965503 Cryp 10 79ae952f ad84e030 8270f4af e8202ede 799ef945 2f388c45 a32da016 2e55e36d +110307.965634 Cryp 10 a4d1bc2d 9bb5c80c 0df793bb 1c2ac84b 17be4d2f bb6aae57 990128ec e715379f +110307.965762 Cryp 10 1cae1319 b8ded5f4 328e7299 d07a022c f5a8e948 e5d1d4f4 f6a57249 
bd47df71 +110307.965890 Cryp 10 d90fcc72 6dedeca2 230507f5 6cf00a40 cf517ac0 316a1452 66861dbb 163160d4 +110307.966017 Cryp 10 668393d3 a971d546 880df7b4 cc7e6167 d67a9ea1 99f47752 2f648690 9fca3c8c +110307.966165 Cryp 10 470b6f43 9372997b 442069ec eb1cec3e 7e4bdea7 29bded12 c11bd36b ee4150b3 +110307.966296 Cryp 10 b82572d7 f436ab72 148359e6 09a186e3 e3c00460 f731efcc bc495f0d 5b1840ff +110307.966440 Cryp 10 a43c0219 efcbf588 df8e92e4 45c1dbd1 4c4d5f43 0bd645a8 25380149 7c9d0ecf +110307.966569 Cryp 10 ee9f62a6 50fb753f 60cf6850 d210072a 2412edf6 93133d3b 34512592 42a99668 +110307.966697 Cryp 10 4b717b16 6dab53a4 2fb90e79 e445a966 0f40dd49 7bff6de0 07183e33 6b084cbc +110307.966825 Cryp 10 3d27c408 bdfd22f7 998d747b c9378219 06d18e5c 66a8d8b3 bdb558c0 7b4e337b +110307.966952 Cryp 10 770cae85 64793743 0b34e53e 7a300725 f83ac828 a9c58cab 3a4273f0 3c49f894 +110307.967037 Cryp 10 0766198a 5b6b449b +110307.967260 Cryp 30 crypto_decrypt: after decryption: +110307.967401 Cryp 30 12000018 a97be846 efffb19c 1d48ebc1 f6341084 e6e1ec15 11000008 00000000 +110307.967535 Cryp 30 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +110307.967662 Cryp 30 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +110307.967793 Cryp 30 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +110307.967921 Cryp 30 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +110307.968050 Cryp 30 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +110307.968197 Cryp 30 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +110307.968328 Cryp 30 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +110307.968474 Cryp 30 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +110307.968602 Cryp 30 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +110307.968732 Cryp 30 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 
49484732 +110307.968860 Cryp 30 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +110307.968946 Cryp 30 39000000 00000000 +110307.969024 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +110307.969096 Mesg 50 message_parse_payloads: offset 0x34 payload SEQ +110307.969544 Mesg 50 message_parse_payloads: offset 0x3c payload KD +110307.969625 Mesg 60 message_validate_payloads: payload HASH at 0x8142144 of message 0x8143020 +110307.969699 Mesg 60 message_validate_payloads: payload KD at 0x8142164 of message 0x8143020 +110307.969771 Mesg 70 NUM_PACKETS: 3 +110307.969837 Mesg 60 message_validate_payloads: payload SEQ at 0x814215c of message 0x8143020 +110307.969908 Mesg 70 SEQ_NUM: 0 +110307.969978 Exch 90 exchange_validate: checking for required HASH +110307.970042 Exch 90 exchange_validate: checking for required KD +110307.970109 Negt 90 group_check_hash: SKEYID_a: +110307.970229 Negt 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +110307.970318 Negt 90 group_check_hash: message_id: +110307.970404 Negt 90 3cc1f923 +110307.970463 Negt 90 group_check_hash: NONCE_I_b: +110307.970552 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +110307.970612 Negt 90 group_check_hash: NONCE_R_b: +110307.970702 Negt 90 29a5c670 d1ed0e52 e63f4a37 05f04e4f +110307.970764 Negt 90 group_check_hash: payloads after HASH: +110307.970885 Negt 90 11000008 00000000 00000161 00030000 020000df 10616263 64656667 68303132 +110307.971009 Negt 90 33343536 37000100 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f +110307.971152 Negt 90 50515253 54555657 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 +110307.971279 Negt 90 818d0030 81890281 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc +110307.971415 Negt 90 d0e005a2 9a69cdfd 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 +110307.971541 Negt 90 c9f3cea0 07d98e0d 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c +110307.971666 Negt 90 9aa9b1a6 7fdb3705 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef 
e1201421 +110307.971793 Negt 90 5bb76d4c e7abea1c 020f0203 01000101 00003d04 1122aabb 00010018 41424344 +110307.971916 Negt 90 45464748 494a4b4c 4d4e4f50 51525354 55565758 00020014 31323334 35363738 +110307.972040 Negt 90 39303132 33343536 37383930 0100003d 043344cc dd000100 18464544 43424131 +110307.972181 Negt 90 314c4b4a 49484732 32525150 4f4e4d33 33000200 14303132 33343536 37383930 +110307.972265 Negt 90 31323334 35363738 39 +110307.972362 Negt 80 group_check_hash: computed HASH: +110307.972464 Negt 80 a97be846 efffb19c 1d48ebc1 f6341084 e6e1ec15 +110307.972527 Default GOT SEQ # of: 0 (PULL) +110307.972590 Default GOT # of packets: 3 +110307.972651 Default Found a KEK secrecy attribute +110307.972733 Default Found a KEK signature attribute +110307.973199 Default gdoi_rekey_listen: Setting up rekey listener! +110307.973393 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.37 +110307.974028 Trpt 70 transport_add: adding 0x8142ce0 +110307.974108 Trpt 90 transport_reference: transport 0x8142ce0 now has 1 references +110307.974205 Default SPI found (KD) 287484603 287484603 (0x1122aabb) for sa 0x8141e48 +110307.974273 Default Found a secrecy attribute +110307.974349 Default Found an integrity attribute +110307.974430 Default SPI found (KD) 860146909 860146909 (0x3344ccdd) for sa 0x8142040 +110307.974498 Default Found a secrecy attribute +110307.974558 Default Found an integrity attribute +110307.974635 Mesg 20 message_free: freeing 0x8141570 +110307.974710 Trpt 90 transport_release: transport 0x8140e10 had 3 references +110307.974776 SA 80 sa_release: SA 0x8141220 had 5 references +110307.974840 SA 80 sa_release: SA 0x8141220 now has 4 references (sa_release) +110307.974903 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110307.974966 Cryp 50 crypto_update_iv: updated IV: +110307.975042 Cryp 50 0766198a 5b6b449b +110307.975114 Exch 10 exchange_finalize: 0x8140fa8 Group-1234 Default-group-mode policy initiator phase 2 doi 2 exchange 32 step 3 
+110307.975210 Exch 10 exchange_finalize: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67 +110307.975286 Exch 10 exchange_finalize: msgid 3cc1f923 sa_list 0x8141e48 0x8142040 +110307.975495 SA 90 sa_find: no SA matched query +110307.975600 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +110307.975687 Exch 30 checking whether new SA replaces existing SA with IDs +110308.091533 SA 90 sa_find: return SA 0x8141e48 +110308.091613 SA 60 sa_mark_replaced: SA 0x8141e48 (Group-1234) marked as replaced +110308.091681 SA 90 sa_find: no SA matched query +110308.091751 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +110308.091838 Exch 50 gdoi_finalize_exchange: src a00e025 ffffffff dst ef010101 ffffffff +110308.091909 SA 90 sa_find: no SA matched query +110308.091978 Exch 50 gdoi_finalize_exchange: src a00e028 ffffffff dst ef010102 ffffffff +110308.092046 SA 90 sa_find: no SA matched query +110308.092107 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!! 
+ +110308.092201 SA 80 sa_release: SA 0x8141e48 had 2 references +110308.092268 SA 80 sa_release: SA 0x8141e48 now has 1 references (sa_release) +110308.092343 SA 80 sa_release: SA 0x8141e48 returning without freeing SA +110308.092413 SA 80 sa_release: SA 0x8142040 had 2 references +110308.092478 SA 80 sa_release: SA 0x8142040 now has 1 references (sa_release) +110308.092542 SA 80 sa_release: SA 0x8142040 returning without freeing SA +110308.092608 Timr 10 timer_remove_event: removing event exchange_free_aux(0x8140fa8) +110308.092678 Exch 80 exchange_free_aux: freeing exchange 0x8140fa8 +110308.092742 Mesg 20 message_free: freeing 0x8143020 +110308.092811 Trpt 90 transport_release: transport 0x8140f30 had 1 references +110308.092876 Trpt 70 transport_release: freeing 0x8140f30 +110308.092941 SA 80 sa_release: SA 0x8141220 had 4 references +110308.093006 SA 80 sa_release: SA 0x8141220 now has 3 references (sa_release) +110308.093068 SA 80 sa_release: SA 0x8141220 returning without freeing SA +110308.093166 Trpt 90 transport_reference: transport 0x8142ce0 now has 2 references +110308.093240 Trpt 90 transport_reference: transport 0x8140e10 now has 3 references +110308.093319 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110308.093390 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110308.093458 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110308.093527 Trpt 90 transport_release: transport 0x8142ce0 had 2 references +110308.093589 Trpt 90 transport_release: transport 0x8140e10 had 3 references +110308.093651 Trpt 90 transport_release: transport 0x8141378 had 2 references +110308.093713 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110308.093776 Trpt 90 transport_release: transport 0x8140170 had 2 references +110338.072827 Default rekey_udp_handle_message: GOT A REKEY MESSAGE!!! 
+110338.073019 Trpt 90 transport_reference: transport 0x8142ce0 now has 2 references +110338.073103 Mesg 90 message_alloc: allocated 0x81413c8 +110338.073169 Mesg 70 message_recv: message 0x81413c8 +110338.073253 Mesg 70 ICOOKIE: 0x6162636465666768 +110338.073335 Mesg 70 RCOOKIE: 0x3031323334353637 +110338.073405 Mesg 70 NEXT_PAYLOAD: SEQ +110338.073474 Mesg 70 VERSION: 16 +110338.073541 Mesg 70 EXCH_TYPE: NEW_GROUP_MODE +110338.073611 Mesg 70 FLAGS: [ ENC ] +110338.073686 Mesg 70 MESSAGE_ID: 0x00000000 +110338.073753 Mesg 70 LENGTH: 404 +110338.073879 Mesg 70 message_recv: 61626364 65666768 30313233 34353637 12102101 00000000 00000194 5175e4fc +110338.074023 Mesg 70 message_recv: 59135cf4 2973b12d 1d6abd59 e4b40f93 c2f6ff08 4688feab a0d3566e fc0b62f0 +110338.074156 Mesg 70 message_recv: 1e3e69ca 9fb4f1ea fd2347f1 e87344a1 9533f966 11c29229 e610f717 8deb7458 +110338.074286 Mesg 70 message_recv: 5e9d3117 32dc8cb5 15dbd797 4955e843 6e97e8a7 ec9559a2 17c06a9d 421fb6ca +110338.074418 Mesg 70 message_recv: 34bb6261 d5c91b6f 939a166d 08a3ec17 0007a8b2 c7192039 2e0f77bc 609e6d60 +110338.074548 Mesg 70 message_recv: 7844abdb 4142992e 874acd1e 2085252f b0a02ad5 12385f5b 47cb0885 864c1961 +110338.074680 Mesg 70 message_recv: c41fdbf5 b70501ac 48d0e2b2 9c0b2629 70d08853 91bc60a4 bd123aba dd268a88 +110338.074812 Mesg 70 message_recv: 24370f99 c5c64315 d3d6cb00 4c91cdc8 a5363dde 5a052936 b6445696 45d6273c +110338.074944 Mesg 70 message_recv: 497a9935 cdd30202 5f17d68c 83a9990c 35e7725d 041fa88f 1393e50f 99a12222 +110338.075084 Mesg 70 message_recv: 336bb521 6166b2c8 94c9413a ea238054 d632e468 79ce7bdc a9c67d29 aaac3453 +110338.075217 Mesg 70 message_recv: b82ff88c d40087cc 5e9627d0 206b750f c413126b 612f7d66 56229d51 c9a4a701 +110338.075348 Mesg 70 message_recv: ddcc12a2 25e1b721 3086ad89 4fe47db8 b7249b55 be26bddf 112705a3 2065156c +110338.075457 Mesg 70 message_recv: e84f46a5 0b86b382 4bde6bf4 7a601cc4 c70fdfab +110338.075564 Cryp 40 crypto_init: key: +110338.075677 Cryp 40 
41424344 45464748 494a4b4c 4d4e4f50 51525354 55565758 +110338.075762 Cryp 50 crypto_update_iv: initialized IV: +110338.075841 Cryp 50 49564956 49564956 +110338.075903 Cryp 10 rekey_crypto_decrypt: before decryption: +110338.076038 Cryp 10 5175e4fc 59135cf4 2973b12d 1d6abd59 e4b40f93 c2f6ff08 4688feab a0d3566e +110338.076201 Cryp 10 fc0b62f0 1e3e69ca 9fb4f1ea fd2347f1 e87344a1 9533f966 11c29229 e610f717 +110338.076325 Cryp 10 8deb7458 5e9d3117 32dc8cb5 15dbd797 4955e843 6e97e8a7 ec9559a2 17c06a9d +110338.076450 Cryp 10 421fb6ca 34bb6261 d5c91b6f 939a166d 08a3ec17 0007a8b2 c7192039 2e0f77bc +110338.076577 Cryp 10 609e6d60 7844abdb 4142992e 874acd1e 2085252f b0a02ad5 12385f5b 47cb0885 +110338.076701 Cryp 10 864c1961 c41fdbf5 b70501ac 48d0e2b2 9c0b2629 70d08853 91bc60a4 bd123aba +110338.076830 Cryp 10 dd268a88 24370f99 c5c64315 d3d6cb00 4c91cdc8 a5363dde 5a052936 b6445696 +110338.076957 Cryp 10 45d6273c 497a9935 cdd30202 5f17d68c 83a9990c 35e7725d 041fa88f 1393e50f +110338.077090 Cryp 10 99a12222 336bb521 6166b2c8 94c9413a ea238054 d632e468 79ce7bdc a9c67d29 +110338.077219 Cryp 10 aaac3453 b82ff88c d40087cc 5e9627d0 206b750f c413126b 612f7d66 56229d51 +110338.077344 Cryp 10 c9a4a701 ddcc12a2 25e1b721 3086ad89 4fe47db8 b7249b55 be26bddf 112705a3 +110338.077456 Cryp 10 2065156c e84f46a5 0b86b382 4bde6bf4 7a601cc4 c70fdfab +110338.077661 Cryp 30 rekey_crypto_decrypt: after decryption: +110338.077791 Cryp 30 01000008 00000001 11000066 00000002 00000000 00100000 1000002b 01000100 +110338.077920 Cryp 30 00040a00 e0250100 0004ef01 0101032e 22fbb780 04000280 05000280 01000180 +110338.078060 Cryp 30 02003c00 00002b01 00010000 040a00e0 28010000 04ef0101 02032123 d5f28004 +110338.078188 Cryp 30 00028005 00028001 00018002 003c0900 00820002 00000100 003d042e 22fbb700 +110338.078312 Cryp 30 01001805 4ab45cf1 80cf16ec 5d691cd9 aecf3f67 68850f33 ccb11100 02001499 +110338.078437 Cryp 30 46932950 584877a3 394974e3 d2a04f14 2c1d6b01 00003d04 2123d5f2 00010018 +110338.078560 Cryp 30 
d367b868 d95d7f3f 345ae02a f74f7932 5e945454 a0dfef4d 00020014 10815b13 +110338.078683 Cryp 30 a8274909 f6f8cd0d 05b1d752 94638a2e 00000084 5a657fbe c82c5da5 fd9e3c3c +110338.078807 Cryp 30 e9d5af82 3e6bf6cc baf45c95 cbbdb17f ba5a6f56 d12c2edf 49a3940a 41b5dbb8 +110338.078930 Cryp 30 810e0596 f461db53 9ff42a4c 30cadf8f c0edbafc a9c60cff 04ef0eb7 49c1953d +110338.079070 Cryp 30 1f12c96f 508e488f ec42e0cb 78394ed2 bc754cb4 db57ed38 c3697c22 92f47888 +110338.079182 Cryp 30 df72b4c3 9e6c4a2a 569abd9c 3a9950e5 c7119019 00000000 +110338.079256 Mesg 50 message_parse_payloads: offset 0x1c payload SEQ +110338.079323 Mesg 50 message_parse_payloads: offset 0x24 payload SA +110338.079390 Mesg 50 message_parse_payloads: offset 0x8a payload KD +110338.079458 Mesg 50 message_parse_payloads: offset 0x10c payload SIG +110338.079529 Mesg 60 message_validate_payloads: payload SA at 0x8142804 of message 0x81413c8 +110338.079602 Mesg 70 DOI: 2 +110338.079672 Trpt 90 transport_reference: transport 0x8142ce0 now has 3 references +110338.079748 SA 80 sa_reference: SA 0x81422d0 now has 1 references +110338.079811 SA 70 sa_enter: SA 0x81422d0 added to SA list +110338.079874 SA 80 sa_reference: SA 0x81422d0 now has 2 references +110338.079939 SA 60 sa_create: sa 0x81422d0 phase 1 added to exchange 0x8140fa8 () +110338.080025 Mesg 60 message_validate_payloads: payload SIG at 0x81428ec of message 0x81413c8 +110338.080101 Mesg 60 message_validate_payloads: payload KD at 0x814286a of message 0x81413c8 +110338.080172 Mesg 70 NUM_PACKETS: 2 +110338.080238 Mesg 60 message_validate_payloads: payload SEQ at 0x81427fc of message 0x81413c8 +110338.080308 Mesg 70 SEQ_NUM: 1 +110338.080375 SA 80 sa_release: SA 0x81422d0 had 2 references +110338.080438 SA 80 sa_release: SA 0x81422d0 now has 1 references (sa_release) +110338.080500 SA 80 sa_release: SA 0x81422d0 returning without freeing SA +110338.080565 Exch 90 exchange_validate: checking for required SEQ +110338.080627 Exch 90 exchange_validate: 
checking for required SA +110338.080687 Exch 90 exchange_validate: checking for required KD +110338.080747 Exch 90 exchange_validate: checking for required SIG +110338.080811 Misc 30 gdoi_responder: phase 1 exchange 33 step 0 +110338.080880 Misc 90 responder_recv_SEQ_SA_KD_SIG: 'rekey': +110338.080950 Misc 90 72656b65 79 +110338.081019 Misc 90 responder_recv_SEQ_SA_KD_SIG: packet before SIG payload: +110338.081142 Misc 90 61626364 65666768 30313233 34353637 12102101 00000000 00000190 01000008 +110338.081269 Misc 90 00000001 11000066 00000002 00000000 00100000 1000002b 01000100 00040a00 +110338.081395 Misc 90 e0250100 0004ef01 0101032e 22fbb780 04000280 05000280 01000180 02003c00 +110338.081520 Misc 90 00002b01 00010000 040a00e0 28010000 04ef0101 02032123 d5f28004 00028005 +110338.081646 Misc 90 00028001 00018002 003c0900 00820002 00000100 003d042e 22fbb700 01001805 +110338.081769 Misc 90 4ab45cf1 80cf16ec 5d691cd9 aecf3f67 68850f33 ccb11100 02001499 46932950 +110338.081894 Misc 90 584877a3 394974e3 d2a04f14 2c1d6b01 00003d04 2123d5f2 00010018 d367b868 +110338.082029 Misc 90 d95d7f3f 345ae02a f74f7932 5e945454 a0dfef4d 00020014 10815b13 a8274909 +110338.082119 Misc 90 f6f8cd0d 05b1d752 94638a2e +110338.082202 Negt 80 responder_recv_SEQ_SA_KD_SIG: computed hash: +110338.082301 Negt 80 6414d488 0adb58b2 effeb540 7c9a5873 acddf9e5 +110338.083582 Negt 80 responder_recv_SEQ_SA_KD_SIG: decrypted hash: +110338.083692 Negt 80 6414d488 0adb58b2 effeb540 7c9a5873 acddf9e5 +110338.084204 Default GOT SEQ # of: 1 (PUSH) +110338.084279 Default Payload type: 16 + +110338.084353 Trpt 90 transport_reference: transport 0x8142ce0 now has 4 references +110338.084426 SA 80 sa_reference: SA 0x8140880 now has 1 references +110338.084490 SA 70 sa_enter: SA 0x8140880 added to SA list +110338.084553 SA 80 sa_reference: SA 0x8140880 now has 2 references +110338.084618 SA 60 sa_create: sa 0x8140880 phase 1 added to exchange 0x8140fa8 (Group-1234) +110338.084701 Default SPI found (SA) 774044599 
774044599 (0x2e22fbb7) for sa 0x8140880 +110338.084774 Default Payload type: 16 + +110338.084845 Trpt 90 transport_reference: transport 0x8142ce0 now has 5 references +110338.084918 SA 80 sa_reference: SA 0x8142bf8 now has 1 references +110338.084981 SA 70 sa_enter: SA 0x8142bf8 added to SA list +110338.085061 SA 80 sa_reference: SA 0x8142bf8 now has 2 references +110338.085127 SA 60 sa_create: sa 0x8142bf8 phase 1 added to exchange 0x8140fa8 (Group-1234) +110338.085206 Default SPI found (SA) 555996658 555996658 (0x2123d5f2) for sa 0x8142bf8 +110338.085278 Default GOT # of packets: 2 +110338.085345 Default SPI found (KD) 774044599 774044599 (0x2e22fbb7) for sa 0x8140880 +110338.085413 Default Found a secrecy attribute +110338.085475 Default Found an integrity attribute +110338.085551 Default SPI found (KD) 555996658 555996658 (0x2123d5f2) for sa 0x8142bf8 +110338.085619 Default Found a secrecy attribute +110338.085680 Default Found an integrity attribute +110338.085756 Cryp 50 crypto_update_iv: updated IV: +110338.085834 Cryp 50 7a601cc4 c70fdfab +110338.085906 Exch 10 exchange_finalize: 0x8140fa8 Group-1234 policy responder phase 1 doi 2 exchange 33 step 0 +110338.085981 Exch 10 exchange_finalize: icookie 6162636465666768 rcookie 3031323334353637 +110338.086066 Exch 10 exchange_finalize: msgid 00000000 +110338.086136 SA 90 sa_find: no SA matched query +110338.086208 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +110338.086293 Exch 30 checking whether new SA replaces existing SA with IDs +110338.086369 SA 90 sa_find: return SA 0x8140880 +110338.086434 SA 60 sa_mark_replaced: SA 0x8140880 (Group-1234) marked as replaced +110338.086501 SA 90 sa_find: no SA matched query +110338.086568 Misc 60 conf_get_str: configuration value not found [Group-1234]:Flags +110338.086666 Exch 10 exchange_finalize: phase 1 done: initiator id , responder id , src: 239.10.1.1 dst: 10.0.224.44 +110338.086749 Exch 50 gdoi_finalize_exchange: src a00e025 ffffffff dst 
ef010101 ffffffff +110338.086820 SA 90 sa_find: no SA matched query +110338.086888 Exch 50 gdoi_finalize_exchange: src a00e028 ffffffff dst ef010102 ffffffff +110338.086958 SA 90 sa_find: return SA 0x8142040 +110338.087037 SA 60 sa_mark_replaced: SA 0x8142040 (Group-1234) marked as replaced +110338.087104 SA 90 sa_find: no SA matched query +110338.087164 Exch 50 gdoi_finalize_exchange: DONE WITH REKEY (RECEIVE)!!! + +110338.087233 SA 70 sa_remove: SA 0x81422d0 removed from SA list +110338.087296 SA 80 sa_release: SA 0x81422d0 had 1 references +110338.087358 SA 80 sa_release: SA 0x81422d0 now has 0 references (sa_release) +110338.087418 SA 60 sa_release: freeing SA 0x81422d0 +110338.087484 Trpt 90 transport_release: transport 0x8142ce0 had 5 references +110338.087552 Trpt 90 transport_release: transport 0x8142ce0 had 4 references +110338.087620 Trpt 90 transport_reference: transport 0x8142ce0 now has 4 references +110338.087690 Trpt 90 transport_reference: transport 0x8140e10 now has 3 references +110338.087758 Trpt 90 transport_reference: transport 0x8141378 now has 2 references +110338.087826 Trpt 90 transport_reference: transport 0x81401c0 now has 2 references +110338.087894 Trpt 90 transport_reference: transport 0x8140170 now has 2 references +110338.087962 Trpt 90 transport_release: transport 0x8142ce0 had 4 references +110338.088038 Trpt 90 transport_release: transport 0x8140e10 had 3 references +110338.088102 Trpt 90 transport_release: transport 0x8141378 had 2 references +110338.204872 Trpt 90 transport_release: transport 0x81401c0 had 2 references +110338.204952 Trpt 90 transport_release: transport 0x8140170 had 2 references +110343.908786 Default gdoid: shutting down... 
+110343.908912 SA 90 sa_find: return SA 0x8142040 +110343.908987 SA 90 sa_find: return SA 0x8142bf8 +110343.909085 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +110343.909182 Timr 10 timer_add_event: event exchange_free_aux(0x8142ed8) added before cookie_reset_event((nil)), expiration in 120s +110343.909272 Exch 10 exchange_establish_p2: 0x8142ed8 policy initiator phase 2 doi 2 exchange 5 step 0 +110343.909352 Exch 10 exchange_establish_p2: icookie 6162636465666768 rcookie 3031323334353637 +110343.909424 Exch 10 exchange_establish_p2: msgid be150118 sa_list +110343.909509 Trpt 90 transport_reference: transport 0x8142ce0 now has 4 references +110343.909584 Mesg 90 message_alloc: allocated 0x81431b8 +110343.909649 SA 80 sa_reference: SA 0x8142bf8 now has 3 references +110343.909721 Default exchange_run: doi->initiator (0x81431b8) failed +110343.909799 Mesg 20 message_free: freeing 0x81431b8 +110343.909874 Trpt 90 transport_release: transport 0x8142ce0 had 4 references +110343.909939 SA 80 sa_release: SA 0x8142bf8 had 3 references +110343.910002 SA 80 sa_release: SA 0x8142bf8 now has 2 references (sa_release) +110343.910064 SA 80 sa_release: SA 0x8142bf8 returning without freeing SA +110343.910137 SA 70 sa_remove: SA 0x8142040 removed from SA list +110343.910201 SA 80 sa_release: SA 0x8142040 had 1 references +110343.910264 SA 80 sa_release: SA 0x8142040 now has 0 references (sa_release) +110343.910326 SA 60 sa_release: freeing SA 0x8142040 +110343.910398 Exch 50 gdoi_delete_spi: Asked to delete SPI for src a00e028 ffffffff dst ef010102 ffffffff +110343.910468 Misc 90 proto_free: freeing 0x813e568 +110343.910535 Trpt 90 transport_release: transport 0x8140e10 had 2 references +110343.910601 SA 90 sa_find: return SA 0x8141e48 +110343.910662 SA 90 sa_find: return SA 0x8142bf8 +110343.910740 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +110343.910836 Timr 10 timer_add_event: event exchange_free_aux(0x8142128) added before cookie_reset_event((nil)), 
expiration in 120s +110343.910922 Exch 10 exchange_establish_p2: 0x8142128 policy initiator phase 2 doi 2 exchange 5 step 0 +110343.910999 Exch 10 exchange_establish_p2: icookie 6162636465666768 rcookie 3031323334353637 +110343.911067 Exch 10 exchange_establish_p2: msgid 61a85b23 sa_list +110343.911143 Trpt 90 transport_reference: transport 0x8142ce0 now has 4 references +110343.911216 Mesg 90 message_alloc: allocated 0x81431b8 +110343.911279 SA 80 sa_reference: SA 0x8142bf8 now has 3 references +110343.911345 Default exchange_run: doi->initiator (0x81431b8) failed +110343.911406 Mesg 20 message_free: freeing 0x81431b8 +110343.911469 Trpt 90 transport_release: transport 0x8142ce0 had 4 references +110343.911532 SA 80 sa_release: SA 0x8142bf8 had 3 references +110343.911593 SA 80 sa_release: SA 0x8142bf8 now has 2 references (sa_release) +110343.911653 SA 80 sa_release: SA 0x8142bf8 returning without freeing SA +110343.911718 SA 70 sa_remove: SA 0x8141e48 removed from SA list +110343.911790 SA 80 sa_release: SA 0x8141e48 had 1 references +110343.911856 SA 80 sa_release: SA 0x8141e48 now has 0 references (sa_release) +110343.911916 SA 60 sa_release: freeing SA 0x8141e48 +110343.911981 Exch 50 gdoi_delete_spi: Asked to delete SPI for src a00e025 ffffffff dst ef010101 ffffffff +110343.912049 Misc 90 proto_free: freeing 0x813e990 +110343.912114 Trpt 90 transport_release: transport 0x8140e10 had 1 references +110343.912174 Trpt 70 transport_release: freeing 0x8140e10 +110343.912237 SA 90 sa_find: no SA matched query
diff --git a/samples/three-clients/sample_output_ks b/samples/three-clients/sample_output_ks
new file mode 100644
index 0000000..4cd5f0c
--- /dev/null
+++ b/samples/three-clients/sample_output_ks
@@ -0,0 +1,3022 @@ +$Id: sample_output_ks,v 1.3 2005/10/11 17:57:28 bew Exp $ +$Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/samples/three-clients/sample_output_ks,v $ + +pc4-ks: sudo ./START_KS +114927.377669 Default log_debug_cmd: log level changed from 0 to 99 for class 0 +114927.378191 Default log_debug_cmd: log level changed from 0 to 99 for class 1 +114927.378241 Default log_debug_cmd: log level changed from 0 to 99 for class 2 +114927.378284 Default log_debug_cmd: log level changed from 0 to 99 for class 3 +114927.378326 Default log_debug_cmd: log level changed from 0 to 99 for class 4 +114927.378368 Default log_debug_cmd: log level changed from 0 to 99 for class 5 +114927.378409 Default log_debug_cmd: log level changed from 0 to 99 for class 6 +114927.378451 Default log_debug_cmd: log level changed from 0 to 99 for class 7 +114927.378492 Default log_debug_cmd: log level changed from 0 to 99 for class 8 +114927.378534 Default log_debug_cmd: log level changed from 0 to 99 for class 9 +114927.381569 Misc 60 conf_get_str: configuration value not found [General]:Retransmits +114927.381640 Misc 70 conf_set: [General]:Retransmits->5 +114927.381711 Misc 60 conf_get_str: configuration value not found [General]:Exchange-max-time +114927.381764 Misc 70 conf_set: [General]:Exchange-max-time->120 +114927.381851 Misc 60 conf_get_str: configuration value not found [General]:Listen-on +114927.381902 Misc 70 conf_set: [General]:Listen-on->10.0.224.44 +114927.381947 Misc 60 conf_get_str: configuration value not found [Phase 1]:10.0.224.37 +114927.381994 Misc 70 conf_set: [Phase 1]:10.0.224.37->GDOI-group-member-1 +114927.382040 Misc 60 conf_get_str: configuration value not found [Phase 1]:10.0.224.40 +114927.382088 Misc 70 conf_set: [Phase 1]:10.0.224.40->GDOI-group-member-2 +114927.382133 Misc 60 conf_get_str: configuration value not found [Phase 1]:10.0.224.41 +114927.382180 Misc 70 conf_set: [Phase 1]:10.0.224.41->GDOI-group-member-3 +114927.382226 Misc 60 conf_get_str: 
configuration value not found [Phase 2]:Passive-Connections +114927.382273 Misc 70 conf_set: [Phase 2]:Passive-Connections->IPsec-group-policy +114927.382320 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Phase +114927.382367 Misc 70 conf_set: [GDOI-group-member-1]:Phase->1 +114927.382412 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Transport +114927.382553 Misc 70 conf_set: [GDOI-group-member-1]:Transport->udp +114927.382604 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Local-address +114927.382653 Misc 70 conf_set: [GDOI-group-member-1]:Local-address->10.0.224.44 +114927.382700 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Address +114927.382748 Misc 70 conf_set: [GDOI-group-member-1]:Address->10.0.224.37 +114927.382794 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Port +114927.382842 Misc 70 conf_set: [GDOI-group-member-1]:Port->848 +114927.382889 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Configuration +114927.382938 Misc 70 conf_set: [GDOI-group-member-1]:Configuration->Default-main-mode +114927.382986 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Authentication +114927.383035 Misc 70 conf_set: [GDOI-group-member-1]:Authentication->mekmitasdigoat +114927.383131 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Phase +114927.383184 Misc 70 conf_set: [GDOI-group-member-2]:Phase->1 +114927.383229 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Transport +114927.383277 Misc 70 conf_set: [GDOI-group-member-2]:Transport->udp +114927.383323 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Local-address +114927.383372 Misc 70 conf_set: [GDOI-group-member-2]:Local-address->10.0.224.44 +114927.383420 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Address +114927.383505 Misc 
70 conf_set: [GDOI-group-member-2]:Address->10.0.224.40 +114927.383560 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Port +114927.383609 Misc 70 conf_set: [GDOI-group-member-2]:Port->848 +114927.383656 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Configuration +114927.383706 Misc 70 conf_set: [GDOI-group-member-2]:Configuration->Default-main-mode +114927.384166 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Authentication +114927.384224 Misc 70 conf_set: [GDOI-group-member-2]:Authentication->mekmitasdigoat +114927.384270 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Phase +114927.384317 Misc 70 conf_set: [GDOI-group-member-3]:Phase->1 +114927.384362 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Transport +114927.384410 Misc 70 conf_set: [GDOI-group-member-3]:Transport->udp +114927.384455 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Local-address +114927.384504 Misc 70 conf_set: [GDOI-group-member-3]:Local-address->10.0.224.44 +114927.384551 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Address +114927.384599 Misc 70 conf_set: [GDOI-group-member-3]:Address->10.0.224.41 +114927.384647 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Port +114927.384694 Misc 70 conf_set: [GDOI-group-member-3]:Port->848 +114927.449279 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Configuration +114927.449340 Misc 70 conf_set: [GDOI-group-member-3]:Configuration->Default-main-mode +114927.449390 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Authentication +114927.449440 Misc 70 conf_set: [GDOI-group-member-3]:Authentication->mekmitasdigoat +114927.449486 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Phase +114927.449533 Misc 70 conf_set: [IPsec-group-policy]:Phase->2 +114927.449579 Misc 
60 conf_get_str: configuration value not found [IPsec-group-policy]:ISAKMP-peer +114927.449627 Misc 70 conf_set: [IPsec-group-policy]:ISAKMP-peer->GDOI-group-member +114927.449673 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Configuration +114927.449722 Misc 70 conf_set: [IPsec-group-policy]:Configuration->Default-group-mode +114927.449769 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Group-ID +114927.544419 Misc 70 conf_set: [IPsec-group-policy]:Group-ID->Group-1 +114927.544474 Misc 60 conf_get_str: configuration value not found [Group-1]:ID-type +114927.544522 Misc 70 conf_set: [Group-1]:ID-type->KEY_ID +114927.544568 Misc 60 conf_get_str: configuration value not found [Group-1]:Key-value +114927.544614 Misc 70 conf_set: [Group-1]:Key-value->1234 +114927.544659 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:DOI +114927.544705 Misc 70 conf_set: [Default-main-mode]:DOI->GROUP +114927.544751 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:EXCHANGE_TYPE +114927.544798 Misc 70 conf_set: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +114927.544844 Misc 60 conf_get_str: configuration value not found [Default-main-mode]:Transforms +114927.544891 Misc 70 conf_set: [Default-main-mode]:Transforms->3DES-SHA +114927.544937 Misc 60 conf_get_str: configuration value not found [DES-MD5]:ENCRYPTION_ALGORITHM +114927.544984 Misc 70 conf_set: [DES-MD5]:ENCRYPTION_ALGORITHM->DES_CBC +114927.639229 Misc 60 conf_get_str: configuration value not found [DES-MD5]:HASH_ALGORITHM +114927.639287 Misc 70 conf_set: [DES-MD5]:HASH_ALGORITHM->MD5 +114927.639334 Misc 60 conf_get_str: configuration value not found [DES-MD5]:AUTHENTICATION_METHOD +114927.639382 Misc 70 conf_set: [DES-MD5]:AUTHENTICATION_METHOD->PRE_SHARED +114927.639428 Misc 60 conf_get_str: configuration value not found [DES-MD5]:GROUP_DESCRIPTION +114927.639476 Misc 70 conf_set: [DES-MD5]:GROUP_DESCRIPTION->MODP_768 
+114927.639522 Misc 60 conf_get_str: configuration value not found [DES-MD5]:Life +114927.639568 Misc 70 conf_set: [DES-MD5]:Life->LIFE_600_SECS +114927.639613 Misc 60 conf_get_str: configuration value not found [DES-SHA]:ENCRYPTION_ALGORITHM +114927.639661 Misc 70 conf_set: [DES-SHA]:ENCRYPTION_ALGORITHM->DES_CBC +114927.639707 Misc 60 conf_get_str: configuration value not found [DES-SHA]:HASH_ALGORITHM +114927.639754 Misc 70 conf_set: [DES-SHA]:HASH_ALGORITHM->SHA +114927.639800 Misc 60 conf_get_str: configuration value not found [DES-SHA]:AUTHENTICATION_METHOD +114927.730232 Misc 70 conf_set: [DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +114927.730288 Misc 60 conf_get_str: configuration value not found [DES-SHA]:GROUP_DESCRIPTION +114927.730336 Misc 70 conf_set: [DES-SHA]:GROUP_DESCRIPTION->MODP_768 +114927.730383 Misc 60 conf_get_str: configuration value not found [DES-SHA]:Life +114927.730430 Misc 70 conf_set: [DES-SHA]:Life->LIFE_600_SECS +114927.730475 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:ENCRYPTION_ALGORITHM +114927.730522 Misc 70 conf_set: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +114927.730569 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:HASH_ALGORITHM +114927.730615 Misc 70 conf_set: [3DES-SHA]:HASH_ALGORITHM->SHA +114927.730661 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:AUTHENTICATION_METHOD +114927.730708 Misc 70 conf_set: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +114927.730754 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:GROUP_DESCRIPTION +114927.831138 Misc 70 conf_set: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +114927.831196 Misc 60 conf_get_str: configuration value not found [3DES-SHA]:Life +114927.831243 Misc 70 conf_set: [3DES-SHA]:Life->LIFE_60_SECS +114927.831289 Misc 60 conf_get_str: configuration value not found [LIFE_60_SECS]:LIFE_TYPE +114927.831336 Misc 70 conf_set: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +114927.831381 Misc 60 conf_get_str: configuration value 
not found [LIFE_60_SECS]:LIFE_DURATION +114927.831428 Misc 70 conf_set: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +114927.831474 Misc 60 conf_get_str: configuration value not found [LIFE_600_SECS]:LIFE_TYPE +114927.831521 Misc 70 conf_set: [LIFE_600_SECS]:LIFE_TYPE->SECONDS +114927.831567 Misc 60 conf_get_str: configuration value not found [LIFE_600_SECS]:LIFE_DURATION +114927.831614 Misc 70 conf_set: [LIFE_600_SECS]:LIFE_DURATION->600,450:720 +114927.831660 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_TYPE +114927.926903 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_TYPE->SECONDS +114927.926960 Misc 60 conf_get_str: configuration value not found [LIFE_3600_SECS]:LIFE_DURATION +114927.927008 Misc 70 conf_set: [LIFE_3600_SECS]:LIFE_DURATION->3600,1800:7200 +114927.927055 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID +114927.927104 Misc 70 conf_set: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +114927.927151 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE +114927.927201 Misc 70 conf_set: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +114927.927249 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM +114927.927299 Misc 70 conf_set: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +114927.927347 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-TRANSFORM-3DES-SHA]:Life +114927.927395 Misc 70 conf_set: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +114928.031877 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:DOI +114928.031937 Misc 70 conf_set: [Default-group-mode]:DOI->GROUP +114928.031983 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:EXCHANGE_TYPE +114928.032032 Misc 70 conf_set: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +114928.032077 Misc 60 conf_get_str: configuration value not found 
[Default-group-mode]:SA-KEK +114928.032125 Misc 70 conf_set: [Default-group-mode]:SA-KEK->GROUP1-KEK +114928.032171 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:SA-TEKS +114928.032219 Misc 70 conf_set: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +114928.032264 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:Src-ID +114928.032311 Misc 70 conf_set: [GROUP1-KEK]:Src-ID->Group-kek-src +114928.032356 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:Dst-ID +114928.032402 Misc 70 conf_set: [GROUP1-KEK]:Dst-ID->Group-kek-dst +114928.123165 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:SPI +114928.123222 Misc 70 conf_set: [GROUP1-KEK]:SPI->abcdefgh01234567 +114928.123270 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:ENCRYPTION_ALGORITHM +114928.123318 Misc 70 conf_set: [GROUP1-KEK]:ENCRYPTION_ALGORITHM->3DES +114928.123365 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:SIG_HASH_ALGORITHM +114928.123413 Misc 70 conf_set: [GROUP1-KEK]:SIG_HASH_ALGORITHM->SHA +114928.123460 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:SIG_ALGORITHM +114928.123507 Misc 70 conf_set: [GROUP1-KEK]:SIG_ALGORITHM->RSA +114928.123554 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:DES_IV +114928.123602 Misc 70 conf_set: [GROUP1-KEK]:DES_IV->IVIVIVIV +114928.123648 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:DES_KEY1 +114928.123695 Misc 70 conf_set: [GROUP1-KEK]:DES_KEY1->ABCDEFGH +114928.123742 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:DES_KEY2 +114928.209857 Misc 70 conf_set: [GROUP1-KEK]:DES_KEY2->IJKLMNOP +114928.209914 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:DES_KEY3 +114928.209962 Misc 70 conf_set: [GROUP1-KEK]:DES_KEY3->QRSTUVWX +114928.210026 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:RSA-Keypair +114928.210075 Misc 70 conf_set: 
[GROUP1-KEK]:RSA-Keypair->/usr/local/gdoid/rsakeys.der +114928.210125 Misc 60 conf_get_str: configuration value not found [GROUP1-KEK]:REKEY_PERIOD +114928.210172 Misc 70 conf_set: [GROUP1-KEK]:REKEY_PERIOD->30 +114928.210217 Misc 60 conf_get_str: configuration value not found [Group-kek-src]:ID-type +114928.210264 Misc 70 conf_set: [Group-kek-src]:ID-type->IPV4_ADDR +114928.210310 Misc 60 conf_get_str: configuration value not found [Group-kek-src]:Address +114928.210356 Misc 70 conf_set: [Group-kek-src]:Address->10.0.224.44 +114928.210403 Misc 60 conf_get_str: configuration value not found [Group-kek-src]:Port +114928.210450 Misc 70 conf_set: [Group-kek-src]:Port->848 +114928.305115 Misc 60 conf_get_str: configuration value not found [Group-kek-dst]:ID-type +114928.305172 Misc 70 conf_set: [Group-kek-dst]:ID-type->IPV4_ADDR +114928.305218 Misc 60 conf_get_str: configuration value not found [Group-kek-dst]:Address +114928.305266 Misc 70 conf_set: [Group-kek-dst]:Address->239.10.1.1 +114928.305311 Misc 60 conf_get_str: configuration value not found [Group-kek-dst]:Port +114928.305358 Misc 70 conf_set: [Group-kek-dst]:Port->848 +114928.305403 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Crypto-protocol +114928.305450 Misc 70 conf_set: [GROUP1-TEK1]:Crypto-protocol->PROTO_IPSEC_ESP +114928.305496 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Src-ID +114928.305542 Misc 70 conf_set: [GROUP1-TEK1]:Src-ID->Group-tek1-src +114928.305587 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:Dst-ID +114928.305634 Misc 70 conf_set: [GROUP1-TEK1]:Dst-ID->Group-tek1-dst +114928.305680 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:SPI +114928.386896 Misc 70 conf_set: [GROUP1-TEK1]:SPI->287484603 +114928.386951 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:TEK_Suite +114928.386999 Misc 70 conf_set: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +114928.387047 Misc 60 conf_get_str: 
configuration value not found [GROUP1-TEK1]:DES_KEY1 +114928.387094 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY1->ABCDEFGH +114928.387141 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:DES_KEY2 +114928.387188 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY2->IJKLMNOP +114928.387235 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:DES_KEY3 +114928.387282 Misc 70 conf_set: [GROUP1-TEK1]:DES_KEY3->QRSTUVWX +114928.387329 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK1]:SHA_KEY +114928.387377 Misc 70 conf_set: [GROUP1-TEK1]:SHA_KEY->12345678901234567890 +114928.387422 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:ID-type +114928.387469 Misc 70 conf_set: [Group-tek1-src]:ID-type->IPV4_ADDR +114928.486576 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:Address +114928.486633 Misc 70 conf_set: [Group-tek1-src]:Address->10.0.224.37 +114928.486679 Misc 60 conf_get_str: configuration value not found [Group-tek1-src]:Port +114928.486725 Misc 70 conf_set: [Group-tek1-src]:Port->0 +114928.486771 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:ID-type +114928.486818 Misc 70 conf_set: [Group-tek1-dst]:ID-type->IPV4_ADDR +114928.486863 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:Address +114928.486910 Misc 70 conf_set: [Group-tek1-dst]:Address->239.1.1.1 +114928.486956 Misc 60 conf_get_str: configuration value not found [Group-tek1-dst]:Port +114928.487003 Misc 70 conf_set: [Group-tek1-dst]:Port->0 +114928.487048 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:Src-ID +114928.487094 Misc 70 conf_set: [GROUP1-TEK2]:Src-ID->Group-tek2-src +114928.487140 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:Dst-ID +114928.578486 Misc 70 conf_set: [GROUP1-TEK2]:Dst-ID->Group-tek2-dst +114928.578546 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:SPI +114928.578594 Misc 70 conf_set: [GROUP1-TEK2]:SPI->860146909 
+114928.578640 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:TEK_Suite
+114928.578688 Misc 70 conf_set: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE
+114928.578736 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY1
+114928.578782 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY1->FEDCBA11
+114928.578829 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY2
+114928.578877 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY2->LKJIHG22
+114928.578924 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:DES_KEY3
+114928.578972 Misc 70 conf_set: [GROUP1-TEK2]:DES_KEY3->RQPONM33
+114928.579019 Misc 60 conf_get_str: configuration value not found [GROUP1-TEK2]:SHA_KEY
+114928.579067 Misc 70 conf_set: [GROUP1-TEK2]:SHA_KEY->01234567890123456789
+114928.683349 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:ID-type
+114928.683405 Misc 70 conf_set: [Group-tek2-src]:ID-type->IPV4_ADDR
+114928.683451 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:Address
+114928.683498 Misc 70 conf_set: [Group-tek2-src]:Address->10.0.224.40
+114928.683544 Misc 60 conf_get_str: configuration value not found [Group-tek2-src]:Port
+114928.683590 Misc 70 conf_set: [Group-tek2-src]:Port->0
+114928.683634 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:ID-type
+114928.683681 Misc 70 conf_set: [Group-tek2-dst]:ID-type->IPV4_ADDR
+114928.683726 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:Address
+114928.683773 Misc 70 conf_set: [Group-tek2-dst]:Address->239.1.1.2
+114928.683818 Misc 60 conf_get_str: configuration value not found [Group-tek2-dst]:Port
+114928.683864 Misc 70 conf_set: [Group-tek2-dst]:Port->0
+114928.683909 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA-SUITE]:Protocols
+114928.779912 Misc 70 conf_set: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA
+114928.779971 Misc 60 conf_get_str: configuration value not
found [GDOI-ESP-3DES-SHA]:PROTOCOL_ID
+114928.780041 Misc 70 conf_set: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP
+114928.780089 Misc 60 conf_get_str: configuration value not found [GDOI-ESP-3DES-SHA]:Transforms
+114928.780137 Misc 70 conf_set: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA
+114928.780215 Misc 60 conf_get_str: configuration value not found [X509-certificates]:CA-directory
+114928.780268 Misc 70 conf_set: [X509-certificates]:CA-directory->/etc/gdoid/ca/
+114928.780315 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Cert-directory
+114928.780365 Misc 70 conf_set: [X509-certificates]:Cert-directory->/etc/gdoid/certs/
+114928.780412 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Private-key
+114928.780459 Misc 70 conf_set: [X509-certificates]:Private-key->/etc/gdoid/private/local.key
+114928.879808 Misc 60 conf_get_str: configuration value not found [Phase 2]:Connections
+114928.879865 Misc 60 conf_get_str: [Phase 2]:Passive-Connections->IPsec-group-policy
+114928.879954 Misc 60 conf_get_str: [IPsec-group-policy]:Group-ID->Group-1
+114928.880024 Misc 60 conf_get_str: [Group-1]:ID-type->KEY_ID
+114928.880073 Misc 60 conf_get_str: [Group-1]:Key-value->1234
+114928.880172 Misc 60 connection_record_passive: passive connection "IPsec-group-policy" added
+114928.880261 Timr 10 timer_add_event: event cookie_reset_event(0x0) added last, expiration in 360s
+114928.880329 Misc 60 conf_get_str: [X509-certificates]:CA-directory->/etc/gdoid/ca/
+114928.880422 Cryp 40 x509_read_from_dir: reading certs from /etc/gdoid/ca/
+114928.880739 Misc 60 conf_get_str: [X509-certificates]:Cert-directory->/etc/gdoid/certs/
+114928.880803 Cryp 40 x509_read_from_dir: reading certs from /etc/gdoid/certs/
+114928.881396 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.44
+114928.977405 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.44
+114928.977519 Trpt 70 transport_add: adding 0x4d500
+114928.977570 Trpt 90
transport_reference: transport 0x4d500 now has 1 references
+114928.977638 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.44
+114928.977698 Trpt 70 transport_add: adding 0x4d580
+114928.977743 Trpt 90 transport_reference: transport 0x4d580 now has 1 references
+114928.977786 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.44
+115031.367673 Trpt 70 transport_add: adding 0x4d600
+115031.368211 Trpt 90 transport_reference: transport 0x4d600 now has 1 references
+115031.368266 Mesg 90 message_alloc: allocated 0x53000
+115031.368327 Mesg 70 message_recv: message 0x53000
+115031.368385 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115031.368437 Mesg 70 RCOOKIE: 0x0000000000000000
+115031.368481 Mesg 70 NEXT_PAYLOAD: SA
+115031.368537 Mesg 70 VERSION: 16
+115031.368581 Mesg 70 EXCH_TYPE: ID_PROT
+115031.368623 Mesg 70 FLAGS: [ ]
+115031.368670 Mesg 70 MESSAGE_ID: 0x00000000
+115031.368714 Mesg 70 LENGTH: 80
+115031.368800 Mesg 70 message_recv: 957e3b86 f602b129 00000000 00000000 01100200 00000000 00000050 00000034
+115031.368888 Mesg 70 message_recv: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002
+115031.368952 Mesg 70 message_recv: 80030001 80040002 800b0001 800c003c
+115031.369010 SA 90 sa_find: no SA matched query
+115031.369069 Mesg 50 message_parse_payloads: offset 0x1c payload SA
+115031.369122 Mesg 60 message_validate_payloads: payload SA at 0x4d69c of message 0x53000
+115031.369201 Mesg 70 DOI: 2
+115031.369301 Misc 60 conf_get_str: [Phase 1]:10.0.224.37->GDOI-group-member-1
+115031.369354 Misc 60 conf_get_str: [GDOI-group-member-1]:Configuration->Default-main-mode
+115031.369399 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP
+115031.369441 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT
+115031.369494 Misc 60 conf_get_str: [General]:Exchange-max-time->120
+115031.369554 Timr 10 timer_add_event: event exchange_free_aux(0x4b500) added before cookie_reset_event(0x0), expiration in 120s
+115031.369694 Exch 10
exchange_setup_p1: 0x4b500 GDOI-group-member-1 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 0
+115031.369749 Exch 10 exchange_setup_p1: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67
+115031.369790 Exch 10 exchange_setup_p1: msgid 00000000
+115031.369837 Trpt 90 transport_reference: transport 0x4d600 now has 2 references
+115031.369884 SA 80 sa_reference: SA 0x4b600 now has 1 references
+115031.369924 SA 70 sa_enter: SA 0x4b600 added to SA list
+115031.370091 SA 80 sa_reference: SA 0x4b600 now has 2 references
+115031.370142 SA 60 sa_create: sa 0x4b600 phase 1 added to exchange 0x4b500 (GDOI-group-member-1)
+115031.370185 SA 80 sa_reference: SA 0x4b600 now has 3 references
+115031.370230 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL
+115031.370277 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM
+115031.370321 Mesg 50 Transform 0's attributes
+115031.370384 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x4d6a8 of message 0x53000
+115031.370431 Mesg 70 NO: 1
+115031.370473 Mesg 70 PROTO: ISAKMP
+115031.370515 Mesg 70 SPI_SZ: 0
+115031.370556 Mesg 70 NTRANSFORMS: 1
+115031.370603 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x4d6b0 of message 0x53000
+115031.370647 Mesg 70 NO: 0
+115031.370687 Mesg 70 ID: 1
+115031.370742 Exch 90 exchange_validate: checking for required SA
+115031.370788 Misc 30 gdoi_responder: phase 1 exchange 2 step 0
+115031.370854 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok
+115031.370991 SA 80 sa_add_transform: proto 0x4e200 no 1 proto 1 chosen 0x55e20 sa 0x4b600 id 1
+115031.371062 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA
+115031.371123 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC
+115031.371175 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA
+115031.371222 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED
+115031.371270 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024
+115031.371318 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS
+115031.371366 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS
+115031.371434 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS
+115031.371483 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS
+115031.371533 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS
+115031.371577 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72
+115031.371619 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72
+115031.371687 Misc 90 conf_match_num: LIFE_60_SECS:LIFE_DURATION 45<=60<=72?
+115031.371813 Negt 20 ike_phase_1_validate_prop: success
+115031.371864 Negt 30 message_negotiate_sa: proposal 1 succeeded
+115031.371924 Misc 20 ipsec_decode_transform: transform 0 chosen
+115031.372002 Misc 70 group_get: returning 0x4e240 of group 2
+115031.372061 Exch 40 exchange_run: exchange 0x4b500 finished step 0, advancing...
+115031.372114 Trpt 90 transport_reference: transport 0x4d600 now has 3 references
+115031.372157 Mesg 90 message_alloc: allocated 0x56000
+115031.372199 SA 80 sa_reference: SA 0x4b600 now has 4 references
+115031.372244 Misc 30 gdoi_responder: phase 1 exchange 2 step 1
+115031.372308 Exch 90 exchange_validate: checking for required SA
+115031.372355 Mesg 70 message_send: message 0x56000
+115031.372406 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115031.372456 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115031.372497 Mesg 70 NEXT_PAYLOAD: SA
+115031.372541 Mesg 70 VERSION: 16
+115031.372582 Mesg 70 EXCH_TYPE: ID_PROT
+115031.372819 Mesg 70 FLAGS: [ ]
+115031.372873 Mesg 70 MESSAGE_ID: 0x00000000
+115031.372917 Mesg 70 LENGTH: 80
+115031.373001 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 01100200 00000000 00000050 00000034
+115031.373089 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002
+115031.373153 Mesg 70 message_send: 80030001 80040002 800b0001 800c003c
+115031.373196 Exch 40 exchange_run: exchange 0x4b500 finished step 1,
advancing...
+115031.373243 Trpt 90 transport_reference: transport 0x4d600 now has 4 references
+115031.373286 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115031.373329 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115031.373373 Trpt 90 transport_release: transport 0x4d600 had 4 references
+115031.373416 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115031.373458 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115031.373520 Trpt 90 transport_reference: transport 0x4d600 now has 4 references
+115031.462192 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115031.462244 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115031.462397 Misc 60 conf_get_str: [General]:retransmits->5
+115031.462456 Trpt 30 transport_send_messages: message 0x56000 scheduled for retransmission 1 in 7 secs
+115031.462511 Timr 10 timer_add_event: event message_send_expire(0x56000) added before exchange_free_aux(0x4b500), expiration in 7s
+115031.462558 Trpt 90 transport_release: transport 0x4d600 had 4 references
+115031.462601 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115031.462644 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115031.649861 Trpt 70 transport_add: adding 0x4d780
+115031.649932 Trpt 90 transport_reference: transport 0x4d780 now has 1 references
+115031.649976 Mesg 90 message_alloc: allocated 0x57000
+115031.650106 Mesg 70 message_recv: message 0x57000
+115031.650184 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115031.650260 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115031.650322 Mesg 70 NEXT_PAYLOAD: KEY_EXCH
+115031.650370 Mesg 70 VERSION: 16
+115031.650411 Mesg 70 EXCH_TYPE: ID_PROT
+115031.650453 Mesg 70 FLAGS: [ ]
+115031.650500 Mesg 70 MESSAGE_ID: 0x00000000
+115031.650544 Mesg 70 LENGTH: 180
+115031.650627 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000 000000b4 0a000084
+115031.650708 Mesg 70
message_recv: a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca
+115031.650787 Mesg 70 message_recv: a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205
+115031.650866 Mesg 70 message_recv: f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf
+115031.650946 Mesg 70 message_recv: 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d
+115031.651011 Mesg 70 message_recv: 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37
+115031.651057 SA 80 sa_reference: SA 0x4b600 now has 5 references
+115031.651100 Mesg 90 message_check_duplicate: last_received 0x53000
+115031.651137 Mesg 95 message_check_duplicate: last_received:
+115031.728112 Mesg 95 957e3b86 f602b129 00000000 00000000 01100200 00000000 00000050 00000034
+115031.728204 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002
+115031.728264 Mesg 95 80030001 80040002 800b0001 800c003c
+115031.728304 Mesg 20 message_free: freeing 0x56000
+115031.728349 Timr 10 timer_remove_event: removing event message_send_expire(0x56000)
+115031.728396 Trpt 90 transport_release: transport 0x4d600 had 3 references
+115031.728439 SA 80 sa_release: SA 0x4b600 had 5 references
+115031.728493 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH
+115031.728542 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE
+115031.728593 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x4b81c of message 0x57000
+115031.728642 Mesg 60 message_validate_payloads: payload NONCE at 0x4b8a0 of message 0x57000
+115031.728692 Exch 90 exchange_validate: checking for required KEY_EXCH
+115031.728734 Exch 90 exchange_validate: checking for required NONCE
+115031.811079 Misc 30 gdoi_responder: phase 1 exchange 2 step 2
+115031.811175 Misc 80 ipsec_g_x: g^xi:
+115031.811258 Misc 80 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca
+115031.811334 Misc 80 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205
+115031.811410 Misc 80 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf
+115031.811486 Misc 80 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d
+115031.811530 Exch 80 exchange_nonce: NONCE_i:
+115031.811587 Exch 80 fb85e612 29a5c670 d1ed0e52 e63f4a37
+115031.811635 Mesg 20 message_free: freeing 0x53000
+115031.811682 Trpt 90 transport_release: transport 0x4d600 had 2 references
+115031.811726 SA 80 sa_release: SA 0x4b600 had 4 references
+115031.811772 Exch 40 exchange_run: exchange 0x4b500 finished step 2, advancing...
+115031.811824 Trpt 90 transport_reference: transport 0x4d780 now has 2 references
+115031.811868 Mesg 90 message_alloc: allocated 0x53000
+115031.893758 SA 80 sa_reference: SA 0x4b600 now has 4 references
+115031.893816 Misc 30 gdoi_responder: phase 1 exchange 2 step 3
+115031.969021 Misc 80 ipsec_g_x: g^xr:
+115031.969112 Misc 80 0aa827d3 ad52dbf1 db546aa5 56130eb3 c33786ab 7293b263 7cd64f96 8a7cd3fc
+115031.969189 Misc 80 4661c7c3 a1cccd81 e0c2b4a0 09900d55 412a27f9 8e2cf80d c91730ed 1f8d9d8b
+115031.969265 Misc 80 1aadc3f0 bd910223 1d151761 01699eca 92e8b85f ab32b442 7f91f163 d7e88648
+115031.969339 Misc 80 745214e2 cf84cc80 e0f523ae 57176b94 564bebaf 55f142a5 2228798f 26d5082f
+115031.969391 Exch 80 exchange_nonce: NONCE_r:
+115031.969449 Exch 80 fb40c23d fa26a01b aadea179 3ac3c675
+115031.969494 Exch 90 exchange_validate: checking for required KEY_EXCH
+115031.969537 Exch 90 exchange_validate: checking for required NONCE
+115031.969580 Mesg 70 message_send: message 0x53000
+115031.969631 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115031.969681 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115031.969723 Mesg 70 NEXT_PAYLOAD: KEY_EXCH
+115031.969768 Mesg 70 VERSION: 16
+115032.051497 Mesg 70 EXCH_TYPE: ID_PROT
+115032.051547 Mesg 70 FLAGS: [ ]
+115032.051594 Mesg 70 MESSAGE_ID: 0x00000000
+115032.051638 Mesg 70 LENGTH: 180
+115032.051722 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000
000000b4 0a000084
+115032.051802 Mesg 70 message_send: 0aa827d3 ad52dbf1 db546aa5 56130eb3 c33786ab 7293b263 7cd64f96 8a7cd3fc
+115032.051881 Mesg 70 message_send: 4661c7c3 a1cccd81 e0c2b4a0 09900d55 412a27f9 8e2cf80d c91730ed 1f8d9d8b
+115032.051959 Mesg 70 message_send: 1aadc3f0 bd910223 1d151761 01699eca 92e8b85f ab32b442 7f91f163 d7e88648
+115032.052037 Mesg 70 message_send: 745214e2 cf84cc80 e0f523ae 57176b94 564bebaf 55f142a5 2228798f 26d5082f
+115032.052101 Mesg 70 message_send: 00000014 fb40c23d fa26a01b aadea179 3ac3c675
+115032.052145 Exch 40 exchange_run: exchange 0x4b500 finished step 3, advancing...
+115032.052191 Trpt 90 transport_reference: transport 0x4d780 now has 3 references
+115032.052235 Trpt 90 transport_reference: transport 0x4d600 now has 2 references
+115032.147907 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115032.147959 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115032.148003 Trpt 90 transport_release: transport 0x4d780 had 3 references
+115032.148045 Trpt 90 transport_release: transport 0x4d600 had 2 references
+115032.148088 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115032.148130 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115032.148190 Trpt 90 transport_reference: transport 0x4d780 now has 3 references
+115032.148236 Trpt 90 transport_reference: transport 0x4d600 now has 2 references
+115032.148279 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115032.148322 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115032.148460 Misc 60 conf_get_str: [General]:retransmits->5
+115032.148518 Trpt 30 transport_send_messages: message 0x53000 scheduled for retransmission 1 in 7 secs
+115032.148574 Timr 10 timer_add_event: event message_send_expire(0x53000) added before exchange_free_aux(0x4b500), expiration in 7s
+115032.323959 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy:
+115032.324060 Negt 80 3566c7dc adeac30a
7690c318 8a974fea a97f59d4 391c3e51 32dab30e 863ef192
+115032.324135 Negt 80 711d7920 2f702636 4312a76b b0ed881e eb9b2cc1 a793145a a679905f bdd84176
+115032.324211 Negt 80 2b980c74 d22b9f12 572554ac 8898036e ebdb1a3c efb056f6 ac3108e1 cc9b0262
+115032.324286 Negt 80 ab693ccb b9a0c931 8b741fb3 6d341382 8575647a af929c5a f09c5d72 759fa5e7
+115032.324332 Misc 60 conf_get_str: [GDOI-group-member-1]:Authentication->mekmitasdigoat
+115032.324464 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID:
+115032.324556 Negt 80 cca17737 fee4d58b f459804b 146ccee6 902cec7b
+115032.324631 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d:
+115032.324697 Negt 80 ea265791 5352b9e2 5189f8e5 8d302c7e 560bd9ed
+115032.324758 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a:
+115032.324823 Negt 80 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63
+115032.416084 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e:
+115032.416158 Negt 80 33593849 a445b93b 805caf11 4b9bf022 39569375
+115032.416238 Cryp 40 crypto_init: key:
+115032.416309 Cryp 40 335a62df f6f5170e 0c138fe5 34fae831 23df5616 5fe37e3c
+115032.416430 Cryp 50 crypto_update_iv: initialized IV:
+115032.416485 Cryp 50 ce9979b5 51876db2
+115032.416531 Trpt 90 transport_release: transport 0x4d780 had 3 references
+115032.416575 Trpt 90 transport_release: transport 0x4d600 had 2 references
+115032.416618 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115032.416661 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115032.416734 Trpt 70 transport_add: adding 0x4d900
+115032.416790 Trpt 90 transport_reference: transport 0x4d900 now has 1 references
+115032.416834 Mesg 90 message_alloc: allocated 0x56000
+115032.416874 Mesg 70 message_recv: message 0x56000
+115032.416925 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115032.416975 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115032.512975 Mesg 70 NEXT_PAYLOAD: ID
+115032.513028 Mesg 70 VERSION: 16
+115032.513071 Mesg 70 EXCH_TYPE: ID_PROT
+115032.513115 Mesg 70 FLAGS: [ ENC
]
+115032.513163 Mesg 70 MESSAGE_ID: 0x00000000
+115032.513207 Mesg 70 LENGTH: 92
+115032.513290 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 05100201 00000000 0000005c da019838
+115032.513371 Mesg 70 message_recv: e7e4d036 05079dd4 199522a4 41a19ebd 5508ed18 52d7b4b6 cf63f939 e2a686e1
+115032.513445 Mesg 70 message_recv: 1c8be76d 4e25d6a9 08a03476 86aa4dbc c140348e 0779158e 94e5e346
+115032.513492 SA 80 sa_reference: SA 0x4b600 now has 5 references
+115032.513536 Mesg 90 message_check_duplicate: last_received 0x57000
+115032.513574 Mesg 95 message_check_duplicate: last_received:
+115032.513653 Mesg 95 957e3b86 f602b129 232f5e1e 4f192e67 04100200 00000000 000000b4 0a000084
+115032.513728 Mesg 95 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca
+115032.513804 Mesg 95 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205
+115032.609786 Mesg 95 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf
+115032.609872 Mesg 95 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d
+115032.609935 Mesg 95 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37
+115032.609974 Mesg 20 message_free: freeing 0x53000
+115032.610037 Timr 10 timer_remove_event: removing event message_send_expire(0x53000)
+115032.610086 Trpt 90 transport_release: transport 0x4d780 had 2 references
+115032.610129 SA 80 sa_release: SA 0x4b600 had 5 references
+115032.610179 Cryp 10 crypto_decrypt: before decryption:
+115032.610258 Cryp 10 da019838 e7e4d036 05079dd4 199522a4 41a19ebd 5508ed18 52d7b4b6 cf63f939
+115032.610333 Cryp 10 e2a686e1 1c8be76d 4e25d6a9 08a03476 86aa4dbc c140348e 0779158e 94e5e346
+115032.610508 Cryp 30 crypto_decrypt: after decryption:
+115032.610597 Cryp 30 0800000c 01000000 0a00e025 0b000018 503d7648 920baeaf 2475ef09 89167c9d
+115032.610676 Cryp 30 d9d7df11 0000001c 00000001 01106002 957e3b86 f602b129 232f5e1e 4f192e67
+115032.677877 Mesg 50 message_parse_payloads: offset 0x1c payload ID
+115032.677935 Mesg 50 message_parse_payloads: offset 0x28 payload HASH
+115032.677981 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY
+115032.678031 Mesg 60 message_validate_payloads: payload ID at 0x4d99c of message 0x56000
+115032.678075 Mesg 70 TYPE: 1
+115032.678120 Mesg 70 DOI_DATA: 0x000000
+115032.678168 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1
+115032.678207 Mesg 40 gdoi_validate_id_information: IPv4:
+115032.678249 Mesg 40 0a00e025
+115032.678292 Mesg 60 message_validate_payloads: payload HASH at 0x4d9a8 of message 0x56000
+115032.678338 Mesg 60 message_validate_payloads: payload NOTIFY at 0x4d9c0 of message 0x56000
+115032.678381 Mesg 70 DOI: IPSEC
+115032.678422 Mesg 70 PROTO: ISAKMP
+115032.678466 Mesg 70 SPI_SZ: 16
+115032.678509 Mesg 70 MSG_TYPE: INITIAL_CONTACT
+115032.678565 Exch 90 exchange_validate: checking for required ID
+115032.678608 Exch 90 exchange_validate: checking for required AUTH
+115032.774538 Misc 30 gdoi_responder: phase 1 exchange 2 step 4
+115032.774598 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
+115032.774643 Negt 40 0a00e025
+115032.774686 Misc 80 pre_shared_decode_hash: HASH_I:
+115032.774749 Misc 80 503d7648 920baeaf 2475ef09 89167c9d d9d7df11
+115032.774855 Negt 80 ike_phase_1_recv_AUTH: computed HASH_I:
+115032.774921 Negt 80 503d7648 920baeaf 2475ef09 89167c9d d9d7df11
+115032.774964 Exch 10 exchange_run: unexpected payload NOTIFY
+115032.775010 Mesg 20 message_free: freeing 0x57000
+115032.775055 Trpt 90 transport_release: transport 0x4d780 had 1 references
+115032.775095 Trpt 70 transport_release: freeing 0x4d780
+115032.775138 SA 80 sa_release: SA 0x4b600 had 4 references
+115032.775180 Cryp 50 crypto_update_iv: updated IV:
+115032.775227 Cryp 50 0779158e 94e5e346
+115032.775269 Exch 40 exchange_run: exchange 0x4b500 finished step 4, advancing...
+115032.775321 Trpt 90 transport_reference: transport 0x4d900 now has 2 references
+115032.857437 Mesg 90 message_alloc: allocated 0x53000
+115032.857489 SA 80 sa_reference: SA 0x4b600 now has 4 references
+115032.857536 Misc 30 gdoi_responder: phase 1 exchange 2 step 5
+115032.857589 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:ID
+115032.857634 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID
+115032.857688 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
+115032.857735 Negt 40 0a00e02c
+115032.857859 Misc 80 pre_shared_encode_hash: HASH_R:
+115032.857927 Misc 80 be1dd779 72a697e7 8466e026 9e243c7d ebbf29d4
+115032.857992 Exch 90 exchange_validate: checking for required ID
+115032.858038 Exch 90 exchange_validate: checking for required AUTH
+115032.858086 Cryp 10 crypto_encrypt: before encryption:
+115032.858168 Cryp 10 0800000c 01000000 0a00e02c 0b000018 be1dd779 72a697e7 8466e026 9e243c7d
+115032.858247 Cryp 10 ebbf29d4 0000001c 00000001 01106002 957e3b86 f602b129 232f5e1e 4f192e67
+115032.858359 Cryp 30 crypto_encrypt: after encryption:
+115032.959594 Cryp 30 2852d718 1631ba40 cc84ae6e 19e5e061 cea4a622 c8b19683 547a39e7 e549a72b
+115032.959677 Cryp 30 66b4c3a4 082b5c54 2dc99eb4 5a60c66c 7d63b8b9 844c43ea 99869bed 414579f8
+115032.959715 Cryp 50 crypto_update_iv: updated IV:
+115032.959760 Cryp 50 99869bed 414579f8
+115032.959798 Mesg 70 message_send: message 0x53000
+115032.959849 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115032.959899 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115032.959942 Mesg 70 NEXT_PAYLOAD: ID
+115032.959986 Mesg 70 VERSION: 16
+115032.960050 Mesg 70 EXCH_TYPE: ID_PROT
+115032.960095 Mesg 70 FLAGS: [ ENC ]
+115032.960144 Mesg 70 MESSAGE_ID: 0x00000000
+115032.960188 Mesg 70 LENGTH: 92
+115032.960271 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 05100201 00000000 0000005c 2852d718
+115032.960350 Mesg 70 message_send: 1631ba40 cc84ae6e 19e5e061 cea4a622 c8b19683 547a39e7 e549a72b
66b4c3a4
+115032.960424 Mesg 70 message_send: 082b5c54 2dc99eb4 5a60c66c 7d63b8b9 844c43ea 99869bed 414579f8
+115033.055751 Exch 40 exchange_run: exchange 0x4b500 finished step 5, advancing...
+115033.055807 Trpt 90 transport_reference: transport 0x4d900 now has 3 references
+115033.055850 Trpt 90 transport_reference: transport 0x4d600 now has 2 references
+115033.055893 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115033.055935 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115033.055979 Trpt 90 transport_release: transport 0x4d900 had 3 references
+115033.056021 Trpt 90 transport_release: transport 0x4d600 had 2 references
+115033.056063 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115033.056105 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115033.056165 Trpt 90 transport_reference: transport 0x4d900 now has 3 references
+115033.056210 Trpt 90 transport_reference: transport 0x4d600 now has 2 references
+115033.056252 Trpt 90 transport_reference: transport 0x4d580 now has 2 references
+115033.056295 Trpt 90 transport_reference: transport 0x4d500 now has 2 references
+115033.167210 Exch 10 exchange_finalize: 0x4b500 GDOI-group-member-1 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 6
+115033.167271 Exch 10 exchange_finalize: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67
+115033.167313 Exch 10 exchange_finalize: msgid 00000000
+115033.167357 SA 90 sa_find: no SA matched query
+115033.167408 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-1]:Flags
+115033.167566 Exch 10 exchange_finalize: phase 1 done: initiator id 0a00e025: 10.0.224.37, responder id 0a00e02c: 10.0.224.44, src: 10.0.224.44 dst: 10.0.224.37
+115033.167627 Timr 95 sa_setup_expirations: SA 0x4b600 soft timeout in 55 seconds
+115033.167682 Timr 10 timer_add_event: event sa_soft_expire(0x4b600) added before exchange_free_aux(0x4b500), expiration in 55s
+115033.167726 SA 80
sa_reference: SA 0x4b600 now has 5 references
+115033.167772 Timr 95 sa_setup_expirations: SA 0x4b600 hard timeout in 60 seconds
+115033.167823 Timr 10 timer_add_event: event sa_hard_expire(0x4b600) added before exchange_free_aux(0x4b500), expiration in 60s
+115033.255081 SA 80 sa_reference: SA 0x4b600 now has 6 references
+115033.255129 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!!
+
+115033.255179 SA 80 sa_release: SA 0x4b600 had 6 references
+115033.255227 Trpt 90 transport_release: transport 0x4d900 had 3 references
+115033.255271 Trpt 90 transport_release: transport 0x4d600 had 2 references
+115033.255313 Trpt 90 transport_release: transport 0x4d580 had 2 references
+115033.255355 Trpt 90 transport_release: transport 0x4d500 had 2 references
+115033.293365 Trpt 70 transport_add: adding 0x4d780
+115033.293433 Trpt 90 transport_reference: transport 0x4d780 now has 1 references
+115033.293477 Mesg 90 message_alloc: allocated 0x57000
+115033.293518 Mesg 70 message_recv: message 0x57000
+115033.293569 Mesg 70 ICOOKIE: 0x957e3b86f602b129
+115033.293619 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67
+115033.293662 Mesg 70 NEXT_PAYLOAD: HASH
+115033.293706 Mesg 70 VERSION: 16
+115033.337030 Mesg 70 EXCH_TYPE: QUICK_MODE
+115033.337081 Mesg 70 FLAGS: [ ENC ]
+115033.337128 Mesg 70 MESSAGE_ID: 0x3cc1f923
+115033.337172 Mesg 70 LENGTH: 84
+115033.337254 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 00000054 0b93aedc
+115033.337335 Mesg 70 message_recv: dae3d29b db990eee 33948e2e 5741d730 c39df964 60127d2c 3c534970 736349a2
+115033.337398 Mesg 70 message_recv: 46f94d8a 3d2d1ace b3721b78 626fbc58 d23457fb
+115033.337444 SA 80 sa_reference: SA 0x4b600 now has 6 references
+115033.337494 Cryp 80 gdoi_get_keystate: final phase 1 IV:
+115033.337542 Cryp 80 99869bed 414579f8
+115033.337579 Cryp 80 gdoi_get_keystate: message ID:
+115033.337620 Cryp 80 3cc1f923
+115033.337672 Cryp 50 crypto_update_iv: initialized IV:
+115033.337721 Cryp 50 6e0432e0
2c1fd20f
+115033.337756 Cryp 80 gdoi_get_keystate: phase 2 IV:
+115033.337802 Cryp 80 6e0432e0 2c1fd20f
+115033.337841 Cryp 10 crypto_decrypt: before decryption:
+115033.337915 Cryp 10 0b93aedc dae3d29b db990eee 33948e2e 5741d730 c39df964 60127d2c 3c534970
+115033.447771 Cryp 10 736349a2 46f94d8a 3d2d1ace b3721b78 626fbc58 d23457fb
+115033.447890 Cryp 30 crypto_decrypt: after decryption:
+115033.447971 Cryp 30 0a000018 515d3409 a7a6c155 6b9b73b2 cab62b0f eb43e712 05000014 7cb79b64
+115033.448041 Cryp 30 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2
+115033.448090 Mesg 50 message_parse_payloads: offset 0x1c payload HASH
+115033.448137 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE
+115033.448183 Mesg 50 message_parse_payloads: offset 0x48 payload ID
+115033.448232 Mesg 60 message_validate_payloads: payload ID at 0x4dac8 of message 0x57000
+115033.448276 Mesg 70 TYPE: 11
+115033.448321 Mesg 70 DOI_DATA: 0x000000
+115033.448376 Misc 60 conf_get_str: [General]:Exchange-max-time->120
+115033.448437 Timr 10 timer_add_event: event exchange_free_aux(0x4b800) added before cookie_reset_event(0x0), expiration in 120s
+115033.448495 Exch 10 exchange_setup_p2: 0x4b800 policy responder phase 2 doi 2 exchange 32 step 0
+115033.518781 Exch 10 exchange_setup_p2: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67
+115033.518833 Exch 10 exchange_setup_p2: msgid 3cc1f923 sa_list
+115033.518879 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 11
+115033.518918 Mesg 40 gdoi_validate_id_information: key id
+115033.518964 Mesg 60 message_validate_payloads: payload HASH at 0x4da9c of message 0x57000
+115033.519011 Mesg 60 message_validate_payloads: payload NONCE at 0x4dab4 of message 0x57000
+115033.519067 Exch 90 exchange_validate: checking for required HASH
+115033.519108 Exch 90 exchange_validate: checking for required NONCE
+115033.519147 Exch 90 exchange_validate: checking for required ID
+115033.519190 Misc 30 gdoi_responder: phase 2 exchange 32 step 0
+115033.519257 Negt 90 group_check_hash: SKEYID_a:
+115033.519323 Negt 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63
+115033.519386 Negt 90 group_check_hash: message_id:
+115033.519430 Negt 90 3cc1f923
+115033.519468 Negt 90 group_check_hash: payloads after HASH:
+115033.600987 Negt 90 05000014 7cb79b64 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2
+115033.601058 Negt 80 group_check_hash: computed HASH:
+115033.601123 Negt 80 515d3409 a7a6c155 6b9b73b2 cab62b0f eb43e712
+115033.601169 Exch 80 exchange_nonce: NONCE_i:
+115033.601225 Exch 80 7cb79b64 94c75a27 75653839 d80ff11c
+115033.601265 Misc 90 responder_recv_HASH_NONCE_ID: ID:
+115033.601314 Misc 90 0b000000 000004d2
+115033.601359 Cryp 50 crypto_update_iv: updated IV:
+115033.601404 Cryp 50 626fbc58 d23457fb
+115033.601447 Exch 40 exchange_run: exchange 0x4b800 finished step 0, advancing...
+115033.601501 Trpt 90 transport_reference: transport 0x4d780 now has 2 references
+115033.601543 Mesg 90 message_alloc: allocated 0x59000
+115033.601585 SA 80 sa_reference: SA 0x4b600 now has 7 references
+115033.601632 Misc 30 gdoi_responder: phase 2 exchange 32 step 1
+115033.601688 Exch 80 exchange_nonce: NONCE_r:
+115033.601747 Exch 80 29a5c670 d1ed0e52 e63f4a37 05f04e4f
+115033.688800 Misc 60 connection_passive_lookup_by_group_id: returned "IPsec-group-policy"
+115033.688860 Misc 60 conf_get_str: [IPsec-group-policy]:Configuration->Default-group-mode
+115033.688907 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP
+115033.688949 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE
+115033.688993 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2
+115033.689047 Misc 60 conf_get_str: [Default-group-mode]:SA-KEK->GROUP1-KEK
+115033.689123 Misc 60 conf_get_str: [GROUP1-KEK]:REKEY_PERIOD->30
+115033.689173 Default gdoi_get_kek_policy: Setting a rekey period of 30 seconds.
+115033.689240 Misc 60 conf_get_str: [GROUP1-KEK]:Src-ID->Group-kek-src +115033.689290 Misc 60 conf_get_str: [Group-kek-src]:ID-type->IPV4_ADDR +115033.689333 Misc 60 conf_get_str: [Group-kek-src]:Address->10.0.224.44 +115033.689377 Misc 60 conf_get_str: [Group-kek-src]:Port->848 +115033.689423 Misc 60 conf_get_str: [GROUP1-KEK]:Dst-ID->Group-kek-dst +115033.689467 Misc 60 conf_get_str: [Group-kek-dst]:ID-type->IPV4_ADDR +115033.791102 Misc 60 conf_get_str: [Group-kek-dst]:Address->239.10.1.1 +115033.791156 Misc 60 conf_get_str: [Group-kek-dst]:Port->848 +115033.791217 Misc 60 conf_get_str: [GROUP1-KEK]:SPI->abcdefgh01234567 +115033.791272 Misc 60 conf_get_str: [GROUP1-KEK]:ENCRYPTION_ALGORITHM->3DES +115033.791321 Misc 60 conf_get_str: [GROUP1-KEK]:DES_IV->IVIVIVIV +115033.791362 Default gdoi_get_kek_policy: IV read: IVIVIVIV +115033.791404 Misc 60 conf_get_str: [GROUP1-KEK]:DES_KEY1->ABCDEFGH +115033.791444 Default gdoi_get_kek_policy: Key read: ABCDEFGH +115033.791483 Misc 60 conf_get_str: [GROUP1-KEK]:DES_KEY2->IJKLMNOP +115033.791522 Default gdoi_get_kek_policy: Key read: IJKLMNOP +115033.791561 Misc 60 conf_get_str: [GROUP1-KEK]:DES_KEY3->QRSTUVWX +115033.791600 Default gdoi_get_kek_policy: Key read: QRSTUVWX +115033.791642 Misc 60 conf_get_str: [GROUP1-KEK]:SIG_HASH_ALGORITHM->SHA +115033.791687 Misc 60 conf_get_str: [GROUP1-KEK]:SIG_ALGORITHM->RSA +115033.791730 Misc 60 conf_get_str: [GROUP1-KEK]:RSA-Keypair->/usr/local/gdoid/rsakeys.der +115033.884060 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115033.884127 SA 80 sa_reference: SA 0x5a000 now has 1 references +115033.884169 SA 70 sa_enter: SA 0x5a000 added to SA list +115033.884210 SA 80 sa_reference: SA 0x5a000 now has 2 references +115033.884256 SA 60 sa_create: sa 0x5a000 phase 1 added to exchange 0x4ba00 () +115033.884305 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115033.884348 Default gdoi_add_sa_payload: Assuming ESP 
+115033.884398 Misc 60 conf_get_str: [GROUP1-TEK1]:Src-ID->Group-tek1-src +115033.884448 Misc 60 conf_get_str: [Group-tek1-src]:ID-type->IPV4_ADDR +115033.884492 Misc 60 conf_get_str: [Group-tek1-src]:Address->10.0.224.37 +115033.884537 Misc 60 conf_get_str: [Group-tek1-src]:Port->0 +115033.884589 Misc 60 conf_get_str: [GROUP1-TEK1]:Dst-ID->Group-tek1-dst +115033.884635 Misc 60 conf_get_str: [Group-tek1-dst]:ID-type->IPV4_ADDR +115033.976115 Misc 60 conf_get_str: [Group-tek1-dst]:Address->239.1.1.1 +115033.976169 Misc 60 conf_get_str: [Group-tek1-dst]:Port->0 +115033.976222 Misc 60 conf_get_str: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115033.976269 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115033.976313 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115033.976355 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115033.976401 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115033.976449 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY1->ABCDEFGH +115033.976494 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY2->IJKLMNOP +115033.976535 Misc 60 conf_get_str: [GROUP1-TEK1]:DES_KEY3->QRSTUVWX +115033.976578 Misc 60 conf_get_str: [GROUP1-TEK1]:SPI->287484603 +115033.976626 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115033.976674 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115034.068523 Misc 60 conf_get_str: [GROUP1-TEK1]:SHA_KEY->12345678901234567890 +115034.068580 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115034.068633 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115034.068678 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115034.068764 Default SPI found (SA) 287484603 287484603 (0x1122aabb) for sa 0x5a000 +115034.068824 Trpt 90 transport_reference: transport 0x4d780 now has 4 references +115034.068872 SA 80 sa_reference: 
SA 0x5a100 now has 1 references +115034.068913 SA 70 sa_enter: SA 0x5a100 added to SA list +115034.068954 SA 80 sa_reference: SA 0x5a100 now has 2 references +115034.068998 SA 60 sa_create: sa 0x5a100 phase 1 added to exchange 0x4ba00 () +115034.069046 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115034.069088 Default gdoi_add_sa_payload: Assuming ESP +115034.069134 Misc 60 conf_get_str: [GROUP1-TEK2]:Src-ID->Group-tek2-src +115034.150565 Misc 60 conf_get_str: [Group-tek2-src]:ID-type->IPV4_ADDR +115034.150618 Misc 60 conf_get_str: [Group-tek2-src]:Address->10.0.224.40 +115034.150663 Misc 60 conf_get_str: [Group-tek2-src]:Port->0 +115034.150716 Misc 60 conf_get_str: [GROUP1-TEK2]:Dst-ID->Group-tek2-dst +115034.150764 Misc 60 conf_get_str: [Group-tek2-dst]:ID-type->IPV4_ADDR +115034.150806 Misc 60 conf_get_str: [Group-tek2-dst]:Address->239.1.1.2 +115034.150849 Misc 60 conf_get_str: [Group-tek2-dst]:Port->0 +115034.150899 Misc 60 conf_get_str: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115034.150945 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115034.150988 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115034.151030 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115034.151074 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115034.151121 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY1->FEDCBA11 +115034.228406 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY2->LKJIHG22 +115034.228458 Misc 60 conf_get_str: [GROUP1-TEK2]:DES_KEY3->RQPONM33 +115034.228502 Misc 60 conf_get_str: [GROUP1-TEK2]:SPI->860146909 +115034.228553 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115034.228602 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115034.228649 Misc 60 conf_get_str: [GROUP1-TEK2]:SHA_KEY->01234567890123456789 +115034.228698 Misc 60 conf_get_str: 
[GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115034.228749 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115034.228794 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115034.228864 Default SPI found (SA) 860146909 860146909 (0x3344ccdd) for sa 0x5a100 +115034.228928 Misc 90 group_do_hash: SKEYID_a: +115034.228995 Misc 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +115034.229062 Misc 90 group_do_hash: message_id: +115034.229107 Misc 90 3cc1f923 +115034.229143 Negt 90 group_fill_in_hash: NONCE_I_b: +115034.315315 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115034.315369 Misc 90 group_fill_in_hash: payload 1 after HASH: +115034.315432 Misc 90 01000014 29a5c670 d1ed0e52 e63f4a37 05f04e4f +115034.315474 Misc 90 group_fill_in_hash: payload 2 after HASH: +115034.315556 Misc 90 0000009b 00000002 00000000 000f0000 10000035 11010350 040a00e0 2c010350 +115034.315636 Misc 90 04ef0a01 01616263 64656667 68303132 33343536 37000000 00800200 02800500 +115034.315718 Misc 90 02800600 01100000 2b010001 0000040a 00e02501 000004ef 01010103 1122aabb +115034.315800 Misc 90 80040002 80050002 80010001 8002003c 0000002b 01000100 00040a00 e0280100 +115034.315874 Misc 90 0004ef01 01020333 44ccdd80 04000280 05000280 01000180 02003c +115034.315954 Misc 80 group_fill_in_hash: HASH: +115034.316020 Misc 80 ab8df0ff 90e2c084 0bb2bd08 e1b1a328 8ec714b1 +115034.316062 Exch 90 exchange_validate: checking for required HASH +115034.316103 Exch 90 exchange_validate: checking for required NONCE +115034.402544 Exch 90 exchange_validate: checking for required SA +115034.402605 Cryp 10 crypto_encrypt: before encryption: +115034.402710 Cryp 10 0a000018 ab8df0ff 90e2c084 0bb2bd08 e1b1a328 8ec714b1 01000014 29a5c670 +115034.402792 Cryp 10 d1ed0e52 e63f4a37 05f04e4f 0000009b 00000002 00000000 000f0000 10000035 +115034.402871 Cryp 10 11010350 040a00e0 2c010350 04ef0a01 01616263 64656667 68303132 33343536 +115034.402954 Cryp 10 37000000 00800200 02800500 02800600 01100000 2b010001 
0000040a 00e02501 +115034.403035 Cryp 10 000004ef 01010103 1122aabb 80040002 80050002 80010001 8002003c 0000002b +115034.403117 Cryp 10 01000100 00040a00 e0280100 0004ef01 01020333 44ccdd80 04000280 05000280 +115034.403165 Cryp 10 01000180 02003c00 +115034.403401 Cryp 30 crypto_encrypt: after encryption: +115034.403480 Cryp 30 922da769 d9014a10 21861bdb e9231aa2 415cffe6 f1dfae01 b2d03ea5 c81f6936 +115034.403555 Cryp 30 4375540c 8aeae663 2eabfbb5 b07622ea 9440a426 6aeffb61 b5e6841c 4f7b1f27 +115034.403630 Cryp 30 f30640a3 5983a88d 5bf90a28 44de2c7a d858d7e0 c2b9c536 86c26748 23ec6f56 +115034.488187 Cryp 30 29d56f0f 7e035eb2 10566be2 9bcc7605 032f2ab2 15a7b307 61ca1f88 1e061cb9 +115034.488269 Cryp 30 757a3144 2bdb87e6 aacbdfaa 3b6ab0ce b9979ea0 f661cc53 826b987a 957bbdc6 +115034.488346 Cryp 30 94f3a089 1a0b3f05 b03b04d0 8b193751 3a89c43a b8161452 7ccf4144 391a041c +115034.488392 Cryp 30 5775e24a e2ba0f20 +115034.488428 Cryp 50 crypto_update_iv: updated IV: +115034.488474 Cryp 50 5775e24a e2ba0f20 +115034.488512 Mesg 70 message_send: message 0x59000 +115034.488585 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +115034.488637 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +115034.488679 Mesg 70 NEXT_PAYLOAD: HASH +115034.488724 Mesg 70 VERSION: 16 +115034.488765 Mesg 70 EXCH_TYPE: QUICK_MODE +115034.488809 Mesg 70 FLAGS: [ ENC ] +115034.488855 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115034.488900 Mesg 70 LENGTH: 228 +115034.488981 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 000000e4 922da769 +115034.489062 Mesg 70 message_send: d9014a10 21861bdb e9231aa2 415cffe6 f1dfae01 b2d03ea5 c81f6936 4375540c +115034.579331 Mesg 70 message_send: 8aeae663 2eabfbb5 b07622ea 9440a426 6aeffb61 b5e6841c 4f7b1f27 f30640a3 +115034.579422 Mesg 70 message_send: 5983a88d 5bf90a28 44de2c7a d858d7e0 c2b9c536 86c26748 23ec6f56 29d56f0f +115034.579502 Mesg 70 message_send: 7e035eb2 10566be2 9bcc7605 032f2ab2 15a7b307 61ca1f88 1e061cb9 757a3144 +115034.579580 Mesg 70 message_send: 2bdb87e6 
aacbdfaa 3b6ab0ce b9979ea0 f661cc53 826b987a 957bbdc6 94f3a089 +115034.579659 Mesg 70 message_send: 1a0b3f05 b03b04d0 8b193751 3a89c43a b8161452 7ccf4144 391a041c 5775e24a +115034.579704 Mesg 70 message_send: e2ba0f20 +115034.579747 Exch 40 exchange_run: exchange 0x4b800 finished step 1, advancing... +115034.579795 Trpt 90 transport_reference: transport 0x4d780 now has 5 references +115034.579839 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115034.579882 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115034.579926 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115034.669612 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115034.669666 Trpt 90 transport_release: transport 0x4d780 had 5 references +115034.669709 Trpt 90 transport_release: transport 0x4d900 had 3 references +115034.669751 Trpt 90 transport_release: transport 0x4d600 had 2 references +115034.669793 Trpt 90 transport_release: transport 0x4d580 had 2 references +115034.669836 Trpt 90 transport_release: transport 0x4d500 had 2 references +115034.669897 Trpt 90 transport_reference: transport 0x4d780 now has 5 references +115034.669943 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115034.669986 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115034.670048 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115034.670092 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115034.670234 Misc 60 conf_get_str: [General]:retransmits->5 +115034.670293 Trpt 30 transport_send_messages: message 0x59000 scheduled for retransmission 1 in 7 secs +115034.766368 Timr 10 timer_add_event: event message_send_expire(0x59000) added before sa_soft_expire(0x4b600), expiration in 7s +115034.766424 Trpt 90 transport_release: transport 0x4d780 had 5 references +115034.766467 Trpt 90 transport_release: transport 0x4d900 had 3 references +115034.766509 Trpt 90 
transport_release: transport 0x4d600 had 2 references +115034.766551 Trpt 90 transport_release: transport 0x4d580 had 2 references +115034.766594 Trpt 90 transport_release: transport 0x4d500 had 2 references +115034.766664 Trpt 70 transport_add: adding 0x4df80 +115034.766723 Trpt 90 transport_reference: transport 0x4df80 now has 1 references +115034.766767 Mesg 90 message_alloc: allocated 0x5b000 +115034.766808 Mesg 70 message_recv: message 0x5b000 +115034.766858 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +115034.766908 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +115034.766951 Mesg 70 NEXT_PAYLOAD: HASH +115034.766995 Mesg 70 VERSION: 16 +115034.767037 Mesg 70 EXCH_TYPE: QUICK_MODE +115034.858106 Mesg 70 FLAGS: [ ENC ] +115034.858164 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115034.858210 Mesg 70 LENGTH: 52 +115034.858291 Mesg 70 message_recv: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 00000034 e5a63e6e +115034.858357 Mesg 70 message_recv: ac3f1e35 6f4b7c2b 412b1b0a 129284eb 5a959d47 +115034.858403 SA 80 sa_reference: SA 0x4b600 now has 8 references +115034.858448 Mesg 90 message_check_duplicate: last_received 0x57000 +115034.858485 Mesg 95 message_check_duplicate: last_received: +115034.858562 Mesg 95 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 00000054 0b93aedc +115034.858636 Mesg 95 dae3d29b db990eee 33948e2e 5741d730 c39df964 60127d2c 3c534970 736349a2 +115034.858696 Mesg 95 46f94d8a 3d2d1ace b3721b78 626fbc58 d23457fb +115034.858736 Mesg 20 message_free: freeing 0x59000 +115034.858780 Timr 10 timer_remove_event: removing event message_send_expire(0x59000) +115034.858827 Trpt 90 transport_release: transport 0x4d780 had 4 references +115034.978515 SA 80 sa_release: SA 0x4b600 had 8 references +115034.978578 Cryp 10 crypto_decrypt: before decryption: +115034.978647 Cryp 10 e5a63e6e ac3f1e35 6f4b7c2b 412b1b0a 129284eb 5a959d47 +115034.978728 Cryp 30 crypto_decrypt: after decryption: +115034.978798 Cryp 30 00000018 8cdfdb9b 6b7d631d 08a1799b a08201e1 c34856be 
+115034.978847 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +115034.978898 Mesg 60 message_validate_payloads: payload HASH at 0x4e31c of message 0x5b000 +115034.978952 Exch 90 exchange_validate: checking for required HASH +115034.978997 Misc 30 gdoi_responder: phase 2 exchange 32 step 2 +115034.979036 Negt 90 group_check_hash: SKEYID_a: +115034.979096 Negt 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +115034.979167 Negt 90 group_check_hash: message_id: +115034.979213 Negt 90 3cc1f923 +115034.979248 Negt 90 group_check_hash: NONCE_I_b: +115034.979303 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115034.979341 Negt 90 group_check_hash: NONCE_R_b: +115034.979397 Negt 90 29a5c670 d1ed0e52 e63f4a37 05f04e4f +115035.064801 Negt 90 group_check_hash: payloads after HASH: +115035.064878 Negt 80 group_check_hash: computed HASH: +115035.064943 Negt 80 8cdfdb9b 6b7d631d 08a1799b a08201e1 c34856be +115035.064990 Mesg 20 message_free: freeing 0x57000 +115035.065038 Trpt 90 transport_release: transport 0x4d780 had 3 references +115035.065080 SA 80 sa_release: SA 0x4b600 had 7 references +115035.065120 Cryp 50 crypto_update_iv: updated IV: +115035.065166 Cryp 50 129284eb 5a959d47 +115035.065207 Exch 40 exchange_run: exchange 0x4b800 finished step 2, advancing... 
+115035.065259 Trpt 90 transport_reference: transport 0x4df80 now has 2 references +115035.065302 Mesg 90 message_alloc: allocated 0x57000 +115035.065344 SA 80 sa_reference: SA 0x4b600 now has 7 references +115035.065391 Misc 30 gdoi_responder: phase 2 exchange 32 step 3 +115035.065442 Default SENT SEQ # of: 0 (PULL) +115035.065532 Misc 90 group_do_hash: SKEYID_a: +115035.065599 Misc 90 331d58dd b1ce66b8 0e8f8514 65fedc43 25b4cc63 +115035.132703 Misc 90 group_do_hash: message_id: +115035.132757 Misc 90 3cc1f923 +115035.132792 Negt 90 group_fill_in_hash: NONCE_I_b: +115035.132847 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115035.132884 Negt 90 group_fill_in_hash: NONCE_R_b: +115035.132940 Negt 90 29a5c670 d1ed0e52 e63f4a37 05f04e4f +115035.132983 Misc 90 group_fill_in_hash: payload 1 after HASH: +115035.133032 Misc 90 11000008 00000000 +115035.133073 Misc 90 group_fill_in_hash: payload 2 after HASH: +115035.133152 Misc 90 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115035.133226 Misc 90 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115035.133306 Misc 90 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115035.133380 Misc 90 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115035.133456 Misc 90 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115035.133532 Misc 90 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115035.215406 Misc 90 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115035.215493 Misc 90 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115035.215569 Misc 90 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115035.215645 Misc 90 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115035.215720 Misc 90 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115035.215758 Misc 90 39 +115035.215837 
Misc 80 group_fill_in_hash: HASH: +115035.215901 Misc 80 a97be846 efffb19c 1d48ebc1 f6341084 e6e1ec15 +115035.215940 Default responder_send_HASH_SEQ_KD: Setup rekey message +115035.215994 Timr 10 timer_add_event: event gdoi_rekey_sender(0x4b900) added before sa_soft_expire(0x4b600), expiration in 30s +115035.216040 Exch 90 exchange_validate: checking for required HASH +115035.216081 Exch 90 exchange_validate: checking for required KD +115035.216130 Cryp 10 crypto_encrypt: before encryption: +115035.312895 Cryp 10 12000018 a97be846 efffb19c 1d48ebc1 f6341084 e6e1ec15 11000008 00000000 +115035.312982 Cryp 10 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115035.313057 Cryp 10 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115035.313136 Cryp 10 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115035.313211 Cryp 10 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115035.313287 Cryp 10 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115035.313363 Cryp 10 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115035.313438 Cryp 10 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115035.313517 Cryp 10 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115035.313592 Cryp 10 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115035.313669 Cryp 10 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115035.404060 Cryp 10 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115035.404116 Cryp 10 39000000 00000000 +115035.404508 Cryp 30 crypto_encrypt: after encryption: +115035.404587 Cryp 30 79ae952f ad84e030 8270f4af e8202ede 799ef945 2f388c45 a32da016 2e55e36d +115035.404663 Cryp 30 a4d1bc2d 9bb5c80c 0df793bb 1c2ac84b 17be4d2f bb6aae57 990128ec e715379f +115035.404737 Cryp 30 1cae1319 b8ded5f4 328e7299 d07a022c f5a8e948 
e5d1d4f4 f6a57249 bd47df71 +115035.404813 Cryp 30 d90fcc72 6dedeca2 230507f5 6cf00a40 cf517ac0 316a1452 66861dbb 163160d4 +115035.404888 Cryp 30 668393d3 a971d546 880df7b4 cc7e6167 d67a9ea1 99f47752 2f648690 9fca3c8c +115035.404962 Cryp 30 470b6f43 9372997b 442069ec eb1cec3e 7e4bdea7 29bded12 c11bd36b ee4150b3 +115035.405037 Cryp 30 b82572d7 f436ab72 148359e6 09a186e3 e3c00460 f731efcc bc495f0d 5b1840ff +115035.405113 Cryp 30 a43c0219 efcbf588 df8e92e4 45c1dbd1 4c4d5f43 0bd645a8 25380149 7c9d0ecf +115035.405187 Cryp 30 ee9f62a6 50fb753f 60cf6850 d210072a 2412edf6 93133d3b 34512592 42a99668 +115035.492402 Cryp 30 4b717b16 6dab53a4 2fb90e79 e445a966 0f40dd49 7bff6de0 07183e33 6b084cbc +115035.492485 Cryp 30 3d27c408 bdfd22f7 998d747b c9378219 06d18e5c 66a8d8b3 bdb558c0 7b4e337b +115035.492561 Cryp 30 770cae85 64793743 0b34e53e 7a300725 f83ac828 a9c58cab 3a4273f0 3c49f894 +115035.492608 Cryp 30 0766198a 5b6b449b +115035.492644 Cryp 50 crypto_update_iv: updated IV: +115035.492689 Cryp 50 0766198a 5b6b449b +115035.492727 Mesg 70 message_send: message 0x57000 +115035.492778 Mesg 70 ICOOKIE: 0x957e3b86f602b129 +115035.492828 Mesg 70 RCOOKIE: 0x232f5e1e4f192e67 +115035.492870 Mesg 70 NEXT_PAYLOAD: HASH +115035.492914 Mesg 70 VERSION: 16 +115035.492955 Mesg 70 EXCH_TYPE: QUICK_MODE +115035.492998 Mesg 70 FLAGS: [ ENC ] +115035.493044 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115035.493089 Mesg 70 LENGTH: 420 +115035.493170 Mesg 70 message_send: 957e3b86 f602b129 232f5e1e 4f192e67 08102001 3cc1f923 000001a4 79ae952f +115035.493249 Mesg 70 message_send: ad84e030 8270f4af e8202ede 799ef945 2f388c45 a32da016 2e55e36d a4d1bc2d +115035.589541 Mesg 70 message_send: 9bb5c80c 0df793bb 1c2ac84b 17be4d2f bb6aae57 990128ec e715379f 1cae1319 +115035.589631 Mesg 70 message_send: b8ded5f4 328e7299 d07a022c f5a8e948 e5d1d4f4 f6a57249 bd47df71 d90fcc72 +115035.589711 Mesg 70 message_send: 6dedeca2 230507f5 6cf00a40 cf517ac0 316a1452 66861dbb 163160d4 668393d3 +115035.589790 Mesg 70 message_send: 
a971d546 880df7b4 cc7e6167 d67a9ea1 99f47752 2f648690 9fca3c8c 470b6f43 +115035.589867 Mesg 70 message_send: 9372997b 442069ec eb1cec3e 7e4bdea7 29bded12 c11bd36b ee4150b3 b82572d7 +115035.589947 Mesg 70 message_send: f436ab72 148359e6 09a186e3 e3c00460 f731efcc bc495f0d 5b1840ff a43c0219 +115035.590042 Mesg 70 message_send: efcbf588 df8e92e4 45c1dbd1 4c4d5f43 0bd645a8 25380149 7c9d0ecf ee9f62a6 +115035.590160 Mesg 70 message_send: 50fb753f 60cf6850 d210072a 2412edf6 93133d3b 34512592 42a99668 4b717b16 +115035.590242 Mesg 70 message_send: 6dab53a4 2fb90e79 e445a966 0f40dd49 7bff6de0 07183e33 6b084cbc 3d27c408 +115035.690711 Mesg 70 message_send: bdfd22f7 998d747b c9378219 06d18e5c 66a8d8b3 bdb558c0 7b4e337b 770cae85 +115035.690801 Mesg 70 message_send: 64793743 0b34e53e 7a300725 f83ac828 a9c58cab 3a4273f0 3c49f894 0766198a +115035.690846 Mesg 70 message_send: 5b6b449b +115035.690890 Exch 40 exchange_run: exchange 0x4b800 finished step 3, advancing... +115035.690938 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115035.690982 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115035.691025 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115035.691068 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115035.691111 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115035.691154 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115035.691198 Trpt 90 transport_release: transport 0x4df80 had 3 references +115035.691241 Trpt 90 transport_release: transport 0x4d780 had 3 references +115035.786423 Trpt 90 transport_release: transport 0x4d900 had 3 references +115035.786474 Trpt 90 transport_release: transport 0x4d600 had 2 references +115035.786517 Trpt 90 transport_release: transport 0x4d580 had 2 references +115035.786559 Trpt 90 transport_release: transport 0x4d500 had 2 references +115035.786621 Trpt 90 transport_reference: transport 0x4df80 now has 3 
references +115035.786667 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115035.786710 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115035.786753 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115035.786796 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115035.786839 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115035.786983 Exch 10 exchange_finalize: 0x4b800 IPsec-group-policy Default-group-mode policy responder phase 2 doi 2 exchange 32 step 4 +115035.787040 Exch 10 exchange_finalize: icookie 957e3b86f602b129 rcookie 232f5e1e4f192e67 +115035.895934 Exch 10 exchange_finalize: msgid 3cc1f923 sa_list +115035.895995 Timr 95 sa_setup_expirations: SA 0x5a000 soft timeout in 56 seconds +115035.896050 Timr 10 timer_add_event: event sa_soft_expire(0x5a000) added before sa_hard_expire(0x4b600), expiration in 56s +115035.896096 SA 80 sa_reference: SA 0x5a000 now has 3 references +115035.896141 Timr 95 sa_setup_expirations: SA 0x5a000 hard timeout in 60 seconds +115035.896192 Timr 10 timer_add_event: event sa_hard_expire(0x5a000) added before exchange_free_aux(0x4b500), expiration in 60s +115035.896237 SA 80 sa_reference: SA 0x5a000 now has 4 references +115035.896283 Timr 95 sa_setup_expirations: SA 0x5a100 soft timeout in 54 seconds +115035.896334 Timr 10 timer_add_event: event sa_soft_expire(0x5a100) added before sa_soft_expire(0x5a000), expiration in 54s +115035.896378 SA 80 sa_reference: SA 0x5a100 now has 3 references +115035.896423 Timr 95 sa_setup_expirations: SA 0x5a100 hard timeout in 60 seconds +115036.011400 Timr 10 timer_add_event: event sa_hard_expire(0x5a100) added before exchange_free_aux(0x4b500), expiration in 59s +115036.011453 SA 80 sa_reference: SA 0x5a100 now has 4 references +115036.011492 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!! 
+ +115036.011542 Trpt 90 transport_release: transport 0x4df80 had 3 references +115036.011588 Trpt 90 transport_release: transport 0x4d780 had 3 references +115036.011630 Trpt 90 transport_release: transport 0x4d900 had 3 references +115036.011672 Trpt 90 transport_release: transport 0x4d600 had 2 references +115036.011714 Trpt 90 transport_release: transport 0x4d580 had 2 references +115036.011756 Trpt 90 transport_release: transport 0x4d500 had 2 references +115045.547466 Trpt 70 transport_add: adding 0x4da80 +115045.547980 Trpt 90 transport_reference: transport 0x4da80 now has 1 references +115045.548034 Mesg 90 message_alloc: allocated 0x59000 +115045.548075 Mesg 70 message_recv: message 0x59000 +115045.548126 Mesg 70 ICOOKIE: 0x64375adba46c560b +115045.548178 Mesg 70 RCOOKIE: 0x0000000000000000 +115045.548221 Mesg 70 NEXT_PAYLOAD: SA +115045.548267 Mesg 70 VERSION: 16 +115045.548309 Mesg 70 EXCH_TYPE: ID_PROT +115045.548351 Mesg 70 FLAGS: [ ] +115045.548397 Mesg 70 MESSAGE_ID: 0x00000000 +115045.548441 Mesg 70 LENGTH: 80 +115045.548527 Mesg 70 message_recv: 64375adb a46c560b 00000000 00000000 01100200 00000000 00000050 00000034 +115045.548615 Mesg 70 message_recv: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +115045.548678 Mesg 70 message_recv: 80030001 80040002 800b0001 800c003c +115045.548725 SA 90 sa_find: no SA matched query +115045.548780 Mesg 50 message_parse_payloads: offset 0x1c payload SA +115045.548833 Mesg 60 message_validate_payloads: payload SA at 0x4db1c of message 0x59000 +115045.548912 Mesg 70 DOI: 2 +115045.548976 Misc 60 conf_get_str: [Phase 1]:10.0.224.40->GDOI-group-member-2 +115045.549024 Exch 90 exchange_lookup_active: GDOI-group-member-2 == && 1 == 1? +115045.549069 Exch 90 exchange_lookup_active: GDOI-group-member-2 == IPsec-group-policy && 1 == 2? +115045.549113 Exch 90 exchange_lookup_active: GDOI-group-member-2 == GDOI-group-member-1 && 1 == 1? 
+115045.549158 Misc 60 conf_get_str: [GDOI-group-member-2]:Configuration->Default-main-mode +115045.549202 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP +115045.549245 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +115045.549301 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +115045.549363 Timr 10 timer_add_event: event exchange_free_aux(0x5a300) added before cookie_reset_event(0x0), expiration in 120s +115045.549454 Exch 10 exchange_setup_p1: 0x5a300 GDOI-group-member-2 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 0 +115045.549505 Exch 10 exchange_setup_p1: icookie 64375adba46c560b rcookie dca1591d945a7cad +115045.549652 Exch 10 exchange_setup_p1: msgid 00000000 +115045.549705 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115045.549753 SA 80 sa_reference: SA 0x5a400 now has 1 references +115045.549793 SA 70 sa_enter: SA 0x5a400 added to SA list +115045.549834 SA 80 sa_reference: SA 0x5a400 now has 2 references +115045.549878 SA 60 sa_create: sa 0x5a400 phase 1 added to exchange 0x5a300 (GDOI-group-member-2) +115045.549920 SA 80 sa_reference: SA 0x5a400 now has 3 references +115045.549965 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL +115045.550361 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM +115045.550413 Mesg 50 Transform 0's attributes +115045.550462 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x4db28 of message 0x59000 +115045.550505 Mesg 70 NO: 1 +115045.550547 Mesg 70 PROTO: ISAKMP +115045.550589 Mesg 70 SPI_SZ: 0 +115045.550631 Mesg 70 NTRANSFORMS: 1 +115045.550678 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x4db30 of message 0x59000 +115045.550762 Mesg 70 NO: 0 +115045.550806 Mesg 70 ID: 1 +115045.550862 Exch 90 exchange_validate: checking for required SA +115045.550908 Misc 30 gdoi_responder: phase 1 exchange 2 step 0 +115045.550983 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok +115045.551040 SA 80 
sa_add_transform: proto 0x4e5c0 no 1 proto 1 chosen 0x58580 sa 0x5a400 id 1 +115045.551088 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +115045.551144 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +115045.551194 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +115045.551241 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +115045.551289 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +115045.551336 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115045.551384 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115045.551429 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115045.551654 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115045.551710 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115045.551755 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115045.551797 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115045.551865 Misc 90 conf_match_num: LIFE_60_SECS:LIFE_DURATION 45<=60<=72? +115045.551938 Negt 20 ike_phase_1_validate_prop: success +115045.551985 Negt 30 message_negotiate_sa: proposal 1 succeeded +115045.552030 Misc 20 ipsec_decode_transform: transform 0 chosen +115045.552096 Misc 70 group_get: returning 0x4e600 of group 2 +115045.552152 Exch 40 exchange_run: exchange 0x5a300 finished step 0, advancing... 
+115045.552259 Trpt 90 transport_reference: transport 0x4da80 now has 3 references +115045.552309 Mesg 90 message_alloc: allocated 0x5d000 +115045.552352 SA 80 sa_reference: SA 0x5a400 now has 4 references +115045.552398 Misc 30 gdoi_responder: phase 1 exchange 2 step 1 +115045.552462 Exch 90 exchange_validate: checking for required SA +115045.552709 Mesg 70 message_send: message 0x5d000 +115045.552767 Mesg 70 ICOOKIE: 0x64375adba46c560b +115045.552817 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115045.552859 Mesg 70 NEXT_PAYLOAD: SA +115045.552903 Mesg 70 VERSION: 16 +115045.552944 Mesg 70 EXCH_TYPE: ID_PROT +115045.552986 Mesg 70 FLAGS: [ ] +115045.553032 Mesg 70 MESSAGE_ID: 0x00000000 +115045.553076 Mesg 70 LENGTH: 80 +115045.553159 Mesg 70 message_send: 64375adb a46c560b dca1591d 945a7cad 01100200 00000000 00000050 00000034 +115045.553248 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +115045.553311 Mesg 70 message_send: 80030001 80040002 800b0001 800c003c +115045.553353 Exch 40 exchange_run: exchange 0x5a300 finished step 1, advancing... 
+115045.553400 Trpt 90 transport_reference: transport 0x4da80 now has 4 references +115045.553444 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115045.553486 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115045.637298 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115045.637350 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115045.637393 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115045.637436 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115045.637481 Trpt 90 transport_release: transport 0x4da80 had 4 references +115045.637523 Trpt 90 transport_release: transport 0x4df80 had 3 references +115045.637566 Trpt 90 transport_release: transport 0x4d780 had 3 references +115045.637608 Trpt 90 transport_release: transport 0x4d900 had 3 references +115045.637650 Trpt 90 transport_release: transport 0x4d600 had 2 references +115045.637693 Trpt 90 transport_release: transport 0x4d580 had 2 references +115045.637735 Trpt 90 transport_release: transport 0x4d500 had 2 references +115045.637796 Trpt 90 transport_reference: transport 0x4da80 now has 4 references +115045.637841 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115045.732143 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115045.732195 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115045.732239 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115045.732282 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115045.732324 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115045.732453 Misc 60 conf_get_str: [General]:retransmits->5 +115045.732511 Trpt 30 transport_send_messages: message 0x5d000 scheduled for retransmission 1 in 7 secs +115045.732567 Timr 10 timer_add_event: event message_send_expire(0x5d000) added before gdoi_rekey_sender(0x4b900), expiration in 
7s +115045.732614 Trpt 90 transport_release: transport 0x4da80 had 4 references +115045.732657 Trpt 90 transport_release: transport 0x4df80 had 3 references +115045.732699 Trpt 90 transport_release: transport 0x4d780 had 3 references +115045.732742 Trpt 90 transport_release: transport 0x4d900 had 3 references +115045.828829 Trpt 90 transport_release: transport 0x4d600 had 2 references +115045.828880 Trpt 90 transport_release: transport 0x4d580 had 2 references +115045.828922 Trpt 90 transport_release: transport 0x4d500 had 2 references +115045.845270 Trpt 70 transport_add: adding 0x5c080 +115045.845375 Trpt 90 transport_reference: transport 0x5c080 now has 1 references +115045.845425 Mesg 90 message_alloc: allocated 0x5e000 +115045.845465 Mesg 70 message_recv: message 0x5e000 +115045.845516 Mesg 70 ICOOKIE: 0x64375adba46c560b +115045.845567 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115045.845610 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +115045.845654 Mesg 70 VERSION: 16 +115045.845696 Mesg 70 EXCH_TYPE: ID_PROT +115045.845738 Mesg 70 FLAGS: [ ] +115045.845785 Mesg 70 MESSAGE_ID: 0x00000000 +115045.845830 Mesg 70 LENGTH: 180 +115045.845914 Mesg 70 message_recv: 64375adb a46c560b dca1591d 945a7cad 04100200 00000000 000000b4 0a000084 +115045.845995 Mesg 70 message_recv: a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115045.910203 Mesg 70 message_recv: a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115045.910291 Mesg 70 message_recv: f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115045.910394 Mesg 70 message_recv: 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115045.910460 Mesg 70 message_recv: 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115045.910506 SA 80 sa_reference: SA 0x5a400 now has 5 references +115045.910550 Mesg 90 message_check_duplicate: last_received 0x59000 +115045.910588 Mesg 95 message_check_duplicate: last_received: +115045.910669 Mesg 95 64375adb a46c560b 
00000000 00000000 01100200 00000000 00000050 00000034 +115045.910752 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +115045.910811 Mesg 95 80030001 80040002 800b0001 800c003c +115045.910849 Mesg 20 message_free: freeing 0x5d000 +115045.910894 Timr 10 timer_remove_event: removing event message_send_expire(0x5d000) +115045.988080 Trpt 90 transport_release: transport 0x4da80 had 3 references +115045.988130 SA 80 sa_release: SA 0x5a400 had 5 references +115045.988187 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH +115045.988236 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE +115045.988287 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x5a61c of message 0x5e000 +115045.988336 Mesg 60 message_validate_payloads: payload NONCE at 0x5a6a0 of message 0x5e000 +115045.988385 Exch 90 exchange_validate: checking for required KEY_EXCH +115045.988427 Exch 90 exchange_validate: checking for required NONCE +115045.988492 Misc 30 gdoi_responder: phase 1 exchange 2 step 2 +115045.988540 Misc 80 ipsec_g_x: g^xi: +115045.988618 Misc 80 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115045.988694 Misc 80 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115045.988769 Misc 80 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115045.988844 Misc 80 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115046.080514 Exch 80 exchange_nonce: NONCE_i: +115046.080582 Exch 80 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115046.080628 Mesg 20 message_free: freeing 0x59000 +115046.080675 Trpt 90 transport_release: transport 0x4da80 had 2 references +115046.080718 SA 80 sa_release: SA 0x5a400 had 4 references +115046.080764 Exch 40 exchange_run: exchange 0x5a300 finished step 2, advancing... 
+115046.080817 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115046.080861 Mesg 90 message_alloc: allocated 0x59000 +115046.080902 SA 80 sa_reference: SA 0x5a400 now has 4 references +115046.080947 Misc 30 gdoi_responder: phase 1 exchange 2 step 3 +115046.155796 Misc 80 ipsec_g_x: g^xr: +115046.155886 Misc 80 b61dc7ee c2c5775a 82308e27 6c46d05c 4e8b8501 62e2ee01 b1c14758 db5980ee +115046.155963 Misc 80 2cb5df53 7b934760 fd8c43a9 e099d459 16184500 14116638 ecf20327 0334c7fa +115046.156038 Misc 80 d26aaf68 fdfcccfb 0e61bb4a c09481e0 1c9ce292 ebb126c2 2bd40abb a64c344c +115046.223135 Misc 80 a2be3367 f02638d5 b35c884e 86df0b77 5409d3a4 f37c31af 6589230b 35c57e7f +115046.223201 Exch 80 exchange_nonce: NONCE_r: +115046.223260 Exch 80 e8d33d6a 9812c971 32f6da09 38992953 +115046.223306 Exch 90 exchange_validate: checking for required KEY_EXCH +115046.223348 Exch 90 exchange_validate: checking for required NONCE +115046.223391 Mesg 70 message_send: message 0x59000 +115046.223441 Mesg 70 ICOOKIE: 0x64375adba46c560b +115046.223491 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115046.223532 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +115046.223577 Mesg 70 VERSION: 16 +115046.223619 Mesg 70 EXCH_TYPE: ID_PROT +115046.223660 Mesg 70 FLAGS: [ ] +115046.223706 Mesg 70 MESSAGE_ID: 0x00000000 +115046.223750 Mesg 70 LENGTH: 180 +115046.223834 Mesg 70 message_send: 64375adb a46c560b dca1591d 945a7cad 04100200 00000000 000000b4 0a000084 +115046.223914 Mesg 70 message_send: b61dc7ee c2c5775a 82308e27 6c46d05c 4e8b8501 62e2ee01 b1c14758 db5980ee +115046.223993 Mesg 70 message_send: 2cb5df53 7b934760 fd8c43a9 e099d459 16184500 14116638 ecf20327 0334c7fa +115046.295677 Mesg 70 message_send: d26aaf68 fdfcccfb 0e61bb4a c09481e0 1c9ce292 ebb126c2 2bd40abb a64c344c +115046.295767 Mesg 70 message_send: a2be3367 f02638d5 b35c884e 86df0b77 5409d3a4 f37c31af 6589230b 35c57e7f +115046.295833 Mesg 70 message_send: 00000014 e8d33d6a 9812c971 32f6da09 38992953 +115046.295877 Exch 40 exchange_run: 
exchange 0x5a300 finished step 3, advancing... +115046.295924 Trpt 90 transport_reference: transport 0x5c080 now has 3 references +115046.295967 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115046.296010 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115046.296053 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115046.296096 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115046.296139 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115046.296182 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115046.383508 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115046.383561 Trpt 90 transport_release: transport 0x5c080 had 3 references +115046.383604 Trpt 90 transport_release: transport 0x4da80 had 2 references +115046.383646 Trpt 90 transport_release: transport 0x4df80 had 3 references +115046.383689 Trpt 90 transport_release: transport 0x4d780 had 3 references +115046.383731 Trpt 90 transport_release: transport 0x4d900 had 3 references +115046.383774 Trpt 90 transport_release: transport 0x4d600 had 2 references +115046.383816 Trpt 90 transport_release: transport 0x4d580 had 2 references +115046.383858 Trpt 90 transport_release: transport 0x4d500 had 2 references +115046.383918 Trpt 90 transport_reference: transport 0x5c080 now has 3 references +115046.383964 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115046.384007 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115046.384050 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115046.478253 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115046.478304 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115046.478348 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115046.478390 Trpt 90 transport_reference: transport 0x4d500 now has 2 references 
+115046.478521 Misc 60 conf_get_str: [General]:retransmits->5 +115046.478579 Trpt 30 transport_send_messages: message 0x59000 scheduled for retransmission 1 in 7 secs +115046.478634 Timr 10 timer_add_event: event message_send_expire(0x59000) added before gdoi_rekey_sender(0x4b900), expiration in 7s +115046.567786 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy: +115046.567881 Negt 80 61d8d736 da8c380f c24b8d5d 4057bf02 76e18a8d dd30ddc7 2ff73198 7885a1f7 +115046.567957 Negt 80 3181b4ed e9bc4a1b 6ed37667 f4ef57fa 36d8a537 ae91cb81 5e4acd40 d166aa00 +115046.568033 Negt 80 526bf1cc 995eeded 628b7b04 4121985c a39550dd 87254650 2b946622 a479e4fa +115046.664136 Negt 80 e8b16304 b30bffa9 a41a7b30 8d3bfdfa 3b84b276 0c7d8ab4 d66befa4 facb21a5 +115046.664193 Misc 60 conf_get_str: [GDOI-group-member-2]:Authentication->mekmitasdigoat +115046.664299 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID: +115046.664367 Negt 80 320ca3c5 59d32a3f 9c63fa26 7a1b4d9e 117ec84b +115046.664440 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d: +115046.664506 Negt 80 f62231aa 6055e683 dd343583 7cc4e7a9 659003c6 +115046.664567 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a: +115046.664634 Negt 80 10000505 99f78cd5 127b129e b54f7c24 17391635 +115046.664696 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e: +115046.664761 Negt 80 c97ca685 7bc1f6f7 f7e5f7f5 855f18bc f1a4cf3e +115046.664840 Cryp 40 crypto_init: key: +115046.664910 Cryp 40 a4b93e86 c740ba96 c0ca3d39 53bd0c14 c38eb2cb cd60bbe7 +115046.664996 Cryp 50 crypto_update_iv: initialized IV: +115046.665049 Cryp 50 244b9520 26a509c7 +115046.665094 Trpt 90 transport_release: transport 0x5c080 had 3 references +115046.750118 Trpt 90 transport_release: transport 0x4da80 had 2 references +115046.750169 Trpt 90 transport_release: transport 0x4df80 had 3 references +115046.750212 Trpt 90 transport_release: transport 0x4d780 had 3 references +115046.750254 Trpt 90 transport_release: transport 0x4d900 had 3 references +115046.750297 
Trpt 90 transport_release: transport 0x4d600 had 2 references +115046.750339 Trpt 90 transport_release: transport 0x4d580 had 2 references +115046.750381 Trpt 90 transport_release: transport 0x4d500 had 2 references +115046.750454 Trpt 70 transport_add: adding 0x5c200 +115046.750510 Trpt 90 transport_reference: transport 0x5c200 now has 1 references +115046.750555 Mesg 90 message_alloc: allocated 0x5d000 +115046.750595 Mesg 70 message_recv: message 0x5d000 +115046.750646 Mesg 70 ICOOKIE: 0x64375adba46c560b +115046.750697 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115046.750739 Mesg 70 NEXT_PAYLOAD: ID +115046.750784 Mesg 70 VERSION: 16 +115046.750826 Mesg 70 EXCH_TYPE: ID_PROT +115046.750871 Mesg 70 FLAGS: [ ENC ] +115046.856168 Mesg 70 MESSAGE_ID: 0x00000000 +115046.856221 Mesg 70 LENGTH: 92 +115046.856304 Mesg 70 message_recv: 64375adb a46c560b dca1591d 945a7cad 05100201 00000000 0000005c 899fb39a +115046.856384 Mesg 70 message_recv: 5f4d5b44 906c0867 6a4f5bb1 e67803b5 e1a6893a 345a2553 35bfbca4 33f07ea7 +115046.856458 Mesg 70 message_recv: 3e05328d f5f17746 692d5bba eefaf977 a125c844 650d95dc 3b58d6cf +115046.856506 SA 80 sa_reference: SA 0x5a400 now has 5 references +115046.856549 Mesg 90 message_check_duplicate: last_received 0x5e000 +115046.856587 Mesg 95 message_check_duplicate: last_received: +115046.856665 Mesg 95 64375adb a46c560b dca1591d 945a7cad 04100200 00000000 000000b4 0a000084 +115046.856741 Mesg 95 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115046.856816 Mesg 95 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115046.856892 Mesg 95 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115046.856967 Mesg 95 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115046.931892 Mesg 95 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115046.931941 Mesg 20 message_free: freeing 0x59000 +115046.931987 Timr 10 timer_remove_event: removing event message_send_expire(0x59000) 
+115046.932034 Trpt 90 transport_release: transport 0x5c080 had 2 references +115046.932077 SA 80 sa_release: SA 0x5a400 had 5 references +115046.932127 Cryp 10 crypto_decrypt: before decryption: +115046.932205 Cryp 10 899fb39a 5f4d5b44 906c0867 6a4f5bb1 e67803b5 e1a6893a 345a2553 35bfbca4 +115046.932281 Cryp 10 33f07ea7 3e05328d f5f17746 692d5bba eefaf977 a125c844 650d95dc 3b58d6cf +115046.932406 Cryp 30 crypto_decrypt: after decryption: +115046.932488 Cryp 30 0800000c 01000000 0a00e028 0b000018 5af158b2 36c0fe6c e18c9b74 f2f5b6c8 +115046.932567 Cryp 30 3b8410bb 0000001c 00000001 01106002 64375adb a46c560b dca1591d 945a7cad +115046.932616 Mesg 50 message_parse_payloads: offset 0x1c payload ID +115046.932662 Mesg 50 message_parse_payloads: offset 0x28 payload HASH +115046.999842 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY +115046.999902 Mesg 60 message_validate_payloads: payload ID at 0x5c29c of message 0x5d000 +115046.999946 Mesg 70 TYPE: 1 +115046.999992 Mesg 70 DOI_DATA: 0x000000 +115047.000055 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1 +115047.000092 Mesg 40 gdoi_validate_id_information: IPv4: +115047.000132 Mesg 40 0a00e028 +115047.000174 Mesg 60 message_validate_payloads: payload HASH at 0x5c2a8 of message 0x5d000 +115047.000218 Mesg 60 message_validate_payloads: payload NOTIFY at 0x5c2c0 of message 0x5d000 +115047.000259 Mesg 70 DOI: IPSEC +115047.000299 Mesg 70 PROTO: ISAKMP +115047.000341 Mesg 70 SPI_SZ: 16 +115047.000384 Mesg 70 MSG_TYPE: INITIAL_CONTACT +115047.000437 Exch 90 exchange_validate: checking for required ID +115047.000478 Exch 90 exchange_validate: checking for required AUTH +115047.000519 Misc 30 gdoi_responder: phase 1 exchange 2 step 4 +115047.000562 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR: +115047.081742 Negt 40 0a00e028 +115047.081798 Misc 80 pre_shared_decode_hash: HASH_I: +115047.081860 Misc 80 5af158b2 36c0fe6c e18c9b74 f2f5b6c8 3b8410bb +115047.081971 Negt 80 ike_phase_1_recv_AUTH: computed HASH_I: 
+115047.082037 Negt 80 5af158b2 36c0fe6c e18c9b74 f2f5b6c8 3b8410bb +115047.082079 Exch 10 exchange_run: unexpected payload NOTIFY +115047.082123 Mesg 20 message_free: freeing 0x5e000 +115047.082169 Trpt 90 transport_release: transport 0x5c080 had 1 references +115047.082232 Trpt 70 transport_release: freeing 0x5c080 +115047.082275 SA 80 sa_release: SA 0x5a400 had 4 references +115047.082317 Cryp 50 crypto_update_iv: updated IV: +115047.082364 Cryp 50 650d95dc 3b58d6cf +115047.082406 Exch 40 exchange_run: exchange 0x5a300 finished step 4, advancing... +115047.082459 Trpt 90 transport_reference: transport 0x5c200 now has 2 references +115047.082502 Mesg 90 message_alloc: allocated 0x59000 +115047.082543 SA 80 sa_reference: SA 0x5a400 now has 4 references +115047.082588 Misc 30 gdoi_responder: phase 1 exchange 2 step 5 +115047.168844 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:ID +115047.168899 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID +115047.168955 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: +115047.169001 Negt 40 0a00e02c +115047.169103 Misc 80 pre_shared_encode_hash: HASH_R: +115047.169168 Misc 80 14135cd4 5738545e 9050c0f0 dd421f38 e89ec3cd +115047.169238 Exch 90 exchange_validate: checking for required ID +115047.169284 Exch 90 exchange_validate: checking for required AUTH +115047.169331 Cryp 10 crypto_encrypt: before encryption: +115047.169414 Cryp 10 0800000c 01000000 0a00e02c 0b000018 14135cd4 5738545e 9050c0f0 dd421f38 +115047.169492 Cryp 10 e89ec3cd 0000001c 00000001 01106002 64375adb a46c560b dca1591d 945a7cad +115047.169607 Cryp 30 crypto_encrypt: after encryption: +115047.169686 Cryp 30 405530d3 64ca1ca3 8f066625 e4a6a5e9 f1770882 c075614a e3e40b5d 9f7ad2b3 +115047.169762 Cryp 30 f4631c98 d070f55c 69879892 236e3094 d8af8c50 0105d806 f4e4c077 38ffc626 +115047.256844 Cryp 50 crypto_update_iv: updated IV: +115047.256899 Cryp 50 f4e4c077 38ffc626 +115047.256938 Mesg 70 message_send: message 
0x59000 +115047.256989 Mesg 70 ICOOKIE: 0x64375adba46c560b +115047.257039 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115047.257081 Mesg 70 NEXT_PAYLOAD: ID +115047.257125 Mesg 70 VERSION: 16 +115047.257167 Mesg 70 EXCH_TYPE: ID_PROT +115047.257211 Mesg 70 FLAGS: [ ENC ] +115047.257258 Mesg 70 MESSAGE_ID: 0x00000000 +115047.257302 Mesg 70 LENGTH: 92 +115047.257384 Mesg 70 message_send: 64375adb a46c560b dca1591d 945a7cad 05100201 00000000 0000005c 405530d3 +115047.257465 Mesg 70 message_send: 64ca1ca3 8f066625 e4a6a5e9 f1770882 c075614a e3e40b5d 9f7ad2b3 f4631c98 +115047.257540 Mesg 70 message_send: d070f55c 69879892 236e3094 d8af8c50 0105d806 f4e4c077 38ffc626 +115047.257584 Exch 40 exchange_run: exchange 0x5a300 finished step 5, advancing... +115047.257631 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115047.353351 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115047.353403 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115047.353446 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115047.353489 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115047.353532 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115047.353575 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115047.353617 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115047.353662 Trpt 90 transport_release: transport 0x5c200 had 3 references +115047.353704 Trpt 90 transport_release: transport 0x4da80 had 2 references +115047.353747 Trpt 90 transport_release: transport 0x4df80 had 3 references +115047.353789 Trpt 90 transport_release: transport 0x4d780 had 3 references +115047.353831 Trpt 90 transport_release: transport 0x4d900 had 3 references +115047.353874 Trpt 90 transport_release: transport 0x4d600 had 2 references +115047.453322 Trpt 90 transport_release: transport 0x4d580 had 2 references +115047.453372 Trpt 90 transport_release: 
transport 0x4d500 had 2 references +115047.453435 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115047.453480 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115047.453524 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115047.453567 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115047.453610 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115047.453653 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115047.453696 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115047.453739 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115047.453872 Exch 10 exchange_finalize: 0x5a300 GDOI-group-member-2 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 6 +115047.453929 Exch 10 exchange_finalize: icookie 64375adba46c560b rcookie dca1591d945a7cad +115047.555771 Exch 10 exchange_finalize: msgid 00000000 +115047.555826 SA 90 sa_find: no SA matched query +115047.555878 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-2]:Flags +115047.555994 Exch 10 exchange_finalize: phase 1 done: initiator id 0a00e028: 10.0.224.40, responder id 0a00e02c: 10.0.224.44, src: 10.0.224.44 dst: 10.0.224.40 +115047.556051 Timr 95 sa_setup_expirations: SA 0x5a400 soft timeout in 56 seconds +115047.556106 Timr 10 timer_add_event: event sa_soft_expire(0x5a400) added before exchange_free_aux(0x4b500), expiration in 56s +115047.556152 SA 80 sa_reference: SA 0x5a400 now has 5 references +115047.556197 Timr 95 sa_setup_expirations: SA 0x5a400 hard timeout in 60 seconds +115047.556248 Timr 10 timer_add_event: event sa_hard_expire(0x5a400) added before exchange_free_aux(0x4b500), expiration in 60s +115047.556293 SA 80 sa_reference: SA 0x5a400 now has 6 references +115047.556331 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!! 
+ +115047.643366 SA 80 sa_release: SA 0x5a400 had 6 references +115047.643425 Trpt 90 transport_release: transport 0x5c200 had 3 references +115047.643470 Trpt 90 transport_release: transport 0x4da80 had 2 references +115047.643513 Trpt 90 transport_release: transport 0x4df80 had 3 references +115047.643555 Trpt 90 transport_release: transport 0x4d780 had 3 references +115047.643597 Trpt 90 transport_release: transport 0x4d900 had 3 references +115047.643640 Trpt 90 transport_release: transport 0x4d600 had 2 references +115047.643682 Trpt 90 transport_release: transport 0x4d580 had 2 references +115047.643724 Trpt 90 transport_release: transport 0x4d500 had 2 references +115049.370307 Trpt 70 transport_add: adding 0x5c080 +115049.370741 Trpt 90 transport_reference: transport 0x5c080 now has 1 references +115049.370795 Mesg 90 message_alloc: allocated 0x5e000 +115049.370837 Mesg 70 message_recv: message 0x5e000 +115049.370889 Mesg 70 ICOOKIE: 0x64375adba46c560b +115049.370939 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115049.370983 Mesg 70 NEXT_PAYLOAD: HASH +115049.371029 Mesg 70 VERSION: 16 +115049.371070 Mesg 70 EXCH_TYPE: QUICK_MODE +115049.371115 Mesg 70 FLAGS: [ ENC ] +115049.371162 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115049.371206 Mesg 70 LENGTH: 84 +115049.371311 Mesg 70 message_recv: 64375adb a46c560b dca1591d 945a7cad 08102001 3cc1f923 00000054 6656b229 +115049.371392 Mesg 70 message_recv: b8d9feb9 03e5efcd a84a4bea f899cfa4 d6250fe4 b67fd49b b02641ee 659cd32e +115049.371457 Mesg 70 message_recv: a1956fe0 174598e0 db57d386 289e88c2 258cad02 +115049.371503 SA 80 sa_reference: SA 0x5a400 now has 6 references +115049.371556 Cryp 80 gdoi_get_keystate: final phase 1 IV: +115049.371605 Cryp 80 f4e4c077 38ffc626 +115049.371642 Cryp 80 gdoi_get_keystate: message ID: +115049.371718 Cryp 80 3cc1f923 +115049.371777 Cryp 50 crypto_update_iv: initialized IV: +115049.371826 Cryp 50 675d94c5 c4217bdc +115049.371862 Cryp 80 gdoi_get_keystate: phase 2 IV: +115049.371906 Cryp 80 
675d94c5 c4217bdc +115049.371945 Cryp 10 crypto_decrypt: before decryption: +115049.372021 Cryp 10 6656b229 b8d9feb9 03e5efcd a84a4bea f899cfa4 d6250fe4 b67fd49b b02641ee +115049.372086 Cryp 10 659cd32e a1956fe0 174598e0 db57d386 289e88c2 258cad02 +115049.372195 Cryp 30 crypto_decrypt: after decryption: +115049.372275 Cryp 30 0a000018 2b15c822 fec15dab aa591e0d 11d7734c f0c7fb88 05000014 7cb79b64 +115049.372344 Cryp 30 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2 +115049.372395 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +115049.372441 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE +115049.372486 Mesg 50 message_parse_payloads: offset 0x48 payload ID +115049.372536 Mesg 60 message_validate_payloads: payload ID at 0x5c3c8 of message 0x5e000 +115049.372685 Mesg 70 TYPE: 11 +115049.372735 Mesg 70 DOI_DATA: 0x000000 +115049.372793 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +115049.372856 Timr 10 timer_add_event: event exchange_free_aux(0x5a600) added before cookie_reset_event(0x0), expiration in 120s +115049.372914 Exch 10 exchange_setup_p2: 0x5a600 policy responder phase 2 doi 2 exchange 32 step 0 +115049.372961 Exch 10 exchange_setup_p2: icookie 64375adba46c560b rcookie dca1591d945a7cad +115049.373003 Exch 10 exchange_setup_p2: msgid 3cc1f923 sa_list +115049.373047 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 11 +115049.373087 Mesg 40 gdoi_validate_id_information: key id +115049.373132 Mesg 60 message_validate_payloads: payload HASH at 0x5c39c of message 0x5e000 +115049.373178 Mesg 60 message_validate_payloads: payload NONCE at 0x5c3b4 of message 0x5e000 +115049.373227 Exch 90 exchange_validate: checking for required HASH +115049.373268 Exch 90 exchange_validate: checking for required NONCE +115049.373308 Exch 90 exchange_validate: checking for required ID +115049.373430 Misc 30 gdoi_responder: phase 2 exchange 32 step 0 +115049.373472 Negt 90 group_check_hash: SKEYID_a: +115049.373534 Negt 90 10000505 
99f78cd5 127b129e b54f7c24 17391635 +115049.373600 Negt 90 group_check_hash: message_id: +115049.373644 Negt 90 3cc1f923 +115049.373682 Negt 90 group_check_hash: payloads after HASH: +115049.373762 Negt 90 05000014 7cb79b64 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2 +115049.373815 Negt 80 group_check_hash: computed HASH: +115049.373879 Negt 80 2b15c822 fec15dab aa591e0d 11d7734c f0c7fb88 +115049.373924 Exch 80 exchange_nonce: NONCE_i: +115049.373981 Exch 80 7cb79b64 94c75a27 75653839 d80ff11c +115049.374020 Misc 90 responder_recv_HASH_NONCE_ID: ID: +115049.374070 Misc 90 0b000000 000004d2 +115049.374112 Cryp 50 crypto_update_iv: updated IV: +115049.374159 Cryp 50 289e88c2 258cad02 +115049.374201 Exch 40 exchange_run: exchange 0x5a600 finished step 0, advancing... +115049.374253 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115049.374352 Mesg 90 message_alloc: allocated 0x60000 +115049.374398 SA 80 sa_reference: SA 0x5a400 now has 7 references +115049.374445 Misc 30 gdoi_responder: phase 2 exchange 32 step 1 +115049.374500 Exch 80 exchange_nonce: NONCE_r: +115049.374559 Exch 80 79ca9250 4d5c541d 3deaad59 341a8f28 +115049.374603 Misc 60 connection_passive_lookup_by_group_id: returned "IPsec-group-policy" +115049.374650 Misc 60 conf_get_str: [IPsec-group-policy]:Configuration->Default-group-mode +115049.374697 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +115049.374739 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +115049.374783 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +115049.374836 Misc 60 conf_get_str: [Default-group-mode]:SA-KEK->GROUP1-KEK +115049.374952 Misc 90 group_do_hash: SKEYID_a: +115049.375019 Misc 90 10000505 99f78cd5 127b129e b54f7c24 17391635 +115049.375074 Misc 90 group_do_hash: message_id: +115049.375305 Misc 90 3cc1f923 +115049.375349 Negt 90 group_fill_in_hash: NONCE_I_b: +115049.375404 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115049.375448 Misc 
90 group_fill_in_hash: payload 1 after HASH: +115049.375509 Misc 90 01000014 79ca9250 4d5c541d 3deaad59 341a8f28 +115049.375551 Misc 90 group_fill_in_hash: payload 2 after HASH: +115049.375633 Misc 90 0000009b 00000002 00000000 000f0000 10000035 11010350 040a00e0 2c010350 +115049.375713 Misc 90 04ef0a01 01616263 64656667 68303132 33343536 37000000 00800200 02800500 +115049.375795 Misc 90 02800600 01100000 2b010001 0000040a 00e02501 000004ef 01010103 1122aabb +115049.375878 Misc 90 80040002 80050002 80010001 8002002d 0000002b 01000100 00040a00 e0280100 +115049.375952 Misc 90 0004ef01 01020333 44ccdd80 04000280 05000280 01000180 02002d +115049.376017 Misc 80 group_fill_in_hash: HASH: +115049.376082 Misc 80 7343414c 2ca3007a 8f73c731 25133447 af641eda +115049.376123 Exch 90 exchange_validate: checking for required HASH +115049.376164 Exch 90 exchange_validate: checking for required NONCE +115049.464779 Exch 90 exchange_validate: checking for required SA +115049.464839 Cryp 10 crypto_encrypt: before encryption: +115049.464920 Cryp 10 0a000018 7343414c 2ca3007a 8f73c731 25133447 af641eda 01000014 79ca9250 +115049.465023 Cryp 10 4d5c541d 3deaad59 341a8f28 0000009b 00000002 00000000 000f0000 10000035 +115049.465103 Cryp 10 11010350 040a00e0 2c010350 04ef0a01 01616263 64656667 68303132 33343536 +115049.465186 Cryp 10 37000000 00800200 02800500 02800600 01100000 2b010001 0000040a 00e02501 +115049.465268 Cryp 10 000004ef 01010103 1122aabb 80040002 80050002 80010001 8002002d 0000002b +115049.465350 Cryp 10 01000100 00040a00 e0280100 0004ef01 01020333 44ccdd80 04000280 05000280 +115049.465398 Cryp 10 01000180 02002d00 +115049.465620 Cryp 30 crypto_encrypt: after encryption: +115049.465700 Cryp 30 af7b0b35 52486b1e 959cbe93 fe3683c3 fc69a6e9 0a3aacae ee485f8a 24e2b1db +115049.465775 Cryp 30 a6a9037c b9b2d668 b8f9b6e4 80b0bdd6 786a7d22 6dd8af80 445fc03c 21c77653 +115049.557422 Cryp 30 53ebb83d 19063f46 4fbe4810 c013f6d6 6ea00482 67ca62af d15b5d0c fcbe8f8b +115049.557506 Cryp 30 
0ecb1a84 4c9429e9 25fd379a e07d2fa5 b334f663 db54c4a9 513d570a 294adaac +115049.557582 Cryp 30 885b2809 e2017d6f adfb85ab 9dbbec60 51f79664 232fd40f 5abbd00a 4caa7075 +115049.557657 Cryp 30 e35b44a9 0f2ecd60 63648567 c2139afb d754bd1b 4228480f 85c4a040 1ee72f3d +115049.557703 Cryp 30 1ced4be7 edfa6776 +115049.557739 Cryp 50 crypto_update_iv: updated IV: +115049.557784 Cryp 50 1ced4be7 edfa6776 +115049.557822 Mesg 70 message_send: message 0x60000 +115049.557872 Mesg 70 ICOOKIE: 0x64375adba46c560b +115049.557922 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115049.557964 Mesg 70 NEXT_PAYLOAD: HASH +115049.558008 Mesg 70 VERSION: 16 +115049.558050 Mesg 70 EXCH_TYPE: QUICK_MODE +115049.558094 Mesg 70 FLAGS: [ ENC ] +115049.558140 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115049.558185 Mesg 70 LENGTH: 228 +115049.558267 Mesg 70 message_send: 64375adb a46c560b dca1591d 945a7cad 08102001 3cc1f923 000000e4 af7b0b35 +115049.654619 Mesg 70 message_send: 52486b1e 959cbe93 fe3683c3 fc69a6e9 0a3aacae ee485f8a 24e2b1db a6a9037c +115049.654711 Mesg 70 message_send: b9b2d668 b8f9b6e4 80b0bdd6 786a7d22 6dd8af80 445fc03c 21c77653 53ebb83d +115049.654791 Mesg 70 message_send: 19063f46 4fbe4810 c013f6d6 6ea00482 67ca62af d15b5d0c fcbe8f8b 0ecb1a84 +115049.654870 Mesg 70 message_send: 4c9429e9 25fd379a e07d2fa5 b334f663 db54c4a9 513d570a 294adaac 885b2809 +115049.654949 Mesg 70 message_send: e2017d6f adfb85ab 9dbbec60 51f79664 232fd40f 5abbd00a 4caa7075 e35b44a9 +115049.655027 Mesg 70 message_send: 0f2ecd60 63648567 c2139afb d754bd1b 4228480f 85c4a040 1ee72f3d 1ced4be7 +115049.655072 Mesg 70 message_send: edfa6776 +115049.655115 Exch 40 exchange_run: exchange 0x5a600 finished step 1, advancing... 
+115049.655163 Trpt 90 transport_reference: transport 0x5c080 now has 3 references +115049.655207 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115049.655250 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115049.747148 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115049.747201 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115049.747244 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115049.747287 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115049.747330 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115049.747373 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115049.747418 Trpt 90 transport_release: transport 0x5c080 had 3 references +115049.747461 Trpt 90 transport_release: transport 0x5c200 had 3 references +115049.747504 Trpt 90 transport_release: transport 0x4da80 had 2 references +115049.747546 Trpt 90 transport_release: transport 0x4df80 had 3 references +115049.747589 Trpt 90 transport_release: transport 0x4d780 had 3 references +115049.747631 Trpt 90 transport_release: transport 0x4d900 had 3 references +115049.747673 Trpt 90 transport_release: transport 0x4d600 had 2 references +115049.834106 Trpt 90 transport_release: transport 0x4d580 had 2 references +115049.834158 Trpt 90 transport_release: transport 0x4d500 had 2 references +115049.834221 Trpt 90 transport_reference: transport 0x5c080 now has 3 references +115049.834267 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115049.834310 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115049.834353 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115049.834396 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115049.834439 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115049.834482 Trpt 90 transport_reference: transport 0x4d600 
now has 2 references +115049.834525 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115049.834568 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115049.834709 Misc 60 conf_get_str: [General]:retransmits->5 +115049.834769 Trpt 30 transport_send_messages: message 0x60000 scheduled for retransmission 1 in 7 secs +115049.930912 Timr 10 timer_add_event: event message_send_expire(0x60000) added before gdoi_rekey_sender(0x4b900), expiration in 7s +115049.930969 Trpt 90 transport_release: transport 0x5c080 had 3 references +115049.931012 Trpt 90 transport_release: transport 0x5c200 had 3 references +115049.931054 Trpt 90 transport_release: transport 0x4da80 had 2 references +115049.931097 Trpt 90 transport_release: transport 0x4df80 had 3 references +115049.931139 Trpt 90 transport_release: transport 0x4d780 had 3 references +115049.931181 Trpt 90 transport_release: transport 0x4d900 had 3 references +115049.931223 Trpt 90 transport_release: transport 0x4d600 had 2 references +115049.931266 Trpt 90 transport_release: transport 0x4d580 had 2 references +115049.931308 Trpt 90 transport_release: transport 0x4d500 had 2 references +115049.931378 Trpt 70 transport_add: adding 0x5c500 +115049.931437 Trpt 90 transport_reference: transport 0x5c500 now has 1 references +115050.022321 Mesg 90 message_alloc: allocated 0x61000 +115050.022371 Mesg 70 message_recv: message 0x61000 +115050.022422 Mesg 70 ICOOKIE: 0x64375adba46c560b +115050.022472 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115050.022515 Mesg 70 NEXT_PAYLOAD: HASH +115050.022559 Mesg 70 VERSION: 16 +115050.022600 Mesg 70 EXCH_TYPE: QUICK_MODE +115050.022644 Mesg 70 FLAGS: [ ENC ] +115050.022690 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115050.022733 Mesg 70 LENGTH: 52 +115050.022814 Mesg 70 message_recv: 64375adb a46c560b dca1591d 945a7cad 08102001 3cc1f923 00000034 eab31c52 +115050.022880 Mesg 70 message_recv: 729ba6b9 9fd85ab5 d7eb7dfb 8dc8ebf2 018a97c8 +115050.022925 SA 80 sa_reference: SA 
0x5a400 now has 8 references +115050.022969 Mesg 90 message_check_duplicate: last_received 0x5e000 +115050.023006 Mesg 95 message_check_duplicate: last_received: +115050.023082 Mesg 95 64375adb a46c560b dca1591d 945a7cad 08102001 3cc1f923 00000054 6656b229 +115050.023157 Mesg 95 b8d9feb9 03e5efcd a84a4bea f899cfa4 d6250fe4 b67fd49b b02641ee 659cd32e +115050.142744 Mesg 95 a1956fe0 174598e0 db57d386 289e88c2 258cad02 +115050.142793 Mesg 20 message_free: freeing 0x60000 +115050.142838 Timr 10 timer_remove_event: removing event message_send_expire(0x60000) +115050.142885 Trpt 90 transport_release: transport 0x5c080 had 2 references +115050.142928 SA 80 sa_release: SA 0x5a400 had 8 references +115050.142978 Cryp 10 crypto_decrypt: before decryption: +115050.143046 Cryp 10 eab31c52 729ba6b9 9fd85ab5 d7eb7dfb 8dc8ebf2 018a97c8 +115050.143123 Cryp 30 crypto_decrypt: after decryption: +115050.143193 Cryp 30 00000018 15c674d3 665b6bc9 b4aa2f37 10ae75ed e4723741 +115050.143242 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +115050.143293 Mesg 60 message_validate_payloads: payload HASH at 0x4e6dc of message 0x61000 +115050.143346 Exch 90 exchange_validate: checking for required HASH +115050.143392 Misc 30 gdoi_responder: phase 2 exchange 32 step 2 +115050.143431 Negt 90 group_check_hash: SKEYID_a: +115050.143492 Negt 90 10000505 99f78cd5 127b129e b54f7c24 17391635 +115050.228901 Negt 90 group_check_hash: message_id: +115050.228955 Negt 90 3cc1f923 +115050.228991 Negt 90 group_check_hash: NONCE_I_b: +115050.229046 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115050.229084 Negt 90 group_check_hash: NONCE_R_b: +115050.229139 Negt 90 79ca9250 4d5c541d 3deaad59 341a8f28 +115050.229177 Negt 90 group_check_hash: payloads after HASH: +115050.229238 Negt 80 group_check_hash: computed HASH: +115050.229301 Negt 80 15c674d3 665b6bc9 b4aa2f37 10ae75ed e4723741 +115050.229348 Mesg 20 message_free: freeing 0x5e000 +115050.229395 Trpt 90 transport_release: transport 0x5c080 had 1 
references +115050.229435 Trpt 70 transport_release: freeing 0x5c080 +115050.229478 SA 80 sa_release: SA 0x5a400 had 7 references +115050.229520 Cryp 50 crypto_update_iv: updated IV: +115050.229567 Cryp 50 8dc8ebf2 018a97c8 +115050.229609 Exch 40 exchange_run: exchange 0x5a600 finished step 2, advancing... +115050.229660 Trpt 90 transport_reference: transport 0x5c500 now has 2 references +115050.296775 Mesg 90 message_alloc: allocated 0x5e000 +115050.296826 SA 80 sa_reference: SA 0x5a400 now has 7 references +115050.296873 Misc 30 gdoi_responder: phase 2 exchange 32 step 3 +115050.296926 Default SENT SEQ # of: 0 (PULL) +115050.297018 Misc 90 group_do_hash: SKEYID_a: +115050.297087 Misc 90 10000505 99f78cd5 127b129e b54f7c24 17391635 +115050.297143 Misc 90 group_do_hash: message_id: +115050.297189 Misc 90 3cc1f923 +115050.297224 Negt 90 group_fill_in_hash: NONCE_I_b: +115050.297279 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115050.297316 Negt 90 group_fill_in_hash: NONCE_R_b: +115050.297371 Negt 90 79ca9250 4d5c541d 3deaad59 341a8f28 +115050.297414 Misc 90 group_fill_in_hash: payload 1 after HASH: +115050.297463 Misc 90 11000008 00000000 +115050.297505 Misc 90 group_fill_in_hash: payload 2 after HASH: +115050.297583 Misc 90 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115050.297658 Misc 90 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115050.365046 Misc 90 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115050.365130 Misc 90 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115050.365207 Misc 90 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115050.365283 Misc 90 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115050.365358 Misc 90 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115050.365437 Misc 90 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115050.365512 
Misc 90 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115050.365588 Misc 90 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115050.365663 Misc 90 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115050.365700 Misc 90 39 +115050.365783 Misc 80 group_fill_in_hash: HASH: +115050.365848 Misc 80 630e375d fe14e0ad 256c64ba 2113dcfb de92c864 +115050.437657 Exch 90 exchange_validate: checking for required HASH +115050.437708 Exch 90 exchange_validate: checking for required KD +115050.437762 Cryp 10 crypto_encrypt: before encryption: +115050.437845 Cryp 10 12000018 630e375d fe14e0ad 256c64ba 2113dcfb de92c864 11000008 00000000 +115050.437924 Cryp 10 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115050.437998 Cryp 10 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115050.438078 Cryp 10 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115050.438153 Cryp 10 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115050.438229 Cryp 10 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115050.438305 Cryp 10 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115050.438381 Cryp 10 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115050.438460 Cryp 10 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115050.530367 Cryp 10 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115050.530454 Cryp 10 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115050.530530 Cryp 10 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115050.530579 Cryp 10 39000000 00000000 +115050.530969 Cryp 30 crypto_encrypt: after encryption: +115050.531049 Cryp 30 f576a797 d5420f4d e006695a d3aac66a 8c7d7d23 eed509f7 166d916a c1733880 +115050.531124 Cryp 30 f8512ce6 89e0c1d2 a1ff681c d68ce268 
ceb15bba 7171a0c9 854414fb d00f64b8 +115050.531199 Cryp 30 cdc9b681 0ab4ac83 89981ca0 29b1f58a ccd6b753 1c670f39 96c6bfc3 b7d1874e +115050.531274 Cryp 30 870132ed 544fe16e 046c037e e7709b76 f73abaab b4ce4bab 6ed6edfd e214d71c +115050.531349 Cryp 30 f27162a0 a22f11c1 8351043f 7f3f8a0d b8c95605 7ef75056 c3dcd256 ab703c4f +115050.531425 Cryp 30 64e5f04e f3e8574d acbc24d4 55a4ad0c 01b2fdb8 d15b241c 5fa578e8 407c0cfd +115050.531499 Cryp 30 a7fb692d 7bb3b7fa 09cba2ed 4ad14eab 13cceeea cee25d57 a1732433 f5cc9b24 +115050.626390 Cryp 30 74949731 41b635cb 87f9afd5 64235ccd bdb19ffb 29ddd3a1 cccf65f6 760345eb +115050.626474 Cryp 30 b254c0d5 0841edb7 b659e9cc 88555706 b8882814 cf7fe9a0 1d562d93 caaa38c5 +115050.626549 Cryp 30 86201b50 08da9a01 c535d5a6 d82b0fe5 cea2fee5 8593f324 b2683ff5 19b7785a +115050.626625 Cryp 30 f64f6131 4dedfc1d fb07266c cbcf7de7 90d6fda9 56dd495e c5e77c05 6618e4d6 +115050.626699 Cryp 30 0a107fa0 c3bc52db 8b4bf299 ad07898e 59b1a810 231753cb a05740af f9221226 +115050.626745 Cryp 30 48405cc7 1a879577 +115050.626781 Cryp 50 crypto_update_iv: updated IV: +115050.626826 Cryp 50 48405cc7 1a879577 +115050.626864 Mesg 70 message_send: message 0x5e000 +115050.626915 Mesg 70 ICOOKIE: 0x64375adba46c560b +115050.626964 Mesg 70 RCOOKIE: 0xdca1591d945a7cad +115050.627006 Mesg 70 NEXT_PAYLOAD: HASH +115050.627051 Mesg 70 VERSION: 16 +115050.627092 Mesg 70 EXCH_TYPE: QUICK_MODE +115050.627135 Mesg 70 FLAGS: [ ENC ] +115050.627182 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115050.714059 Mesg 70 LENGTH: 420 +115050.714148 Mesg 70 message_send: 64375adb a46c560b dca1591d 945a7cad 08102001 3cc1f923 000001a4 f576a797 +115050.714230 Mesg 70 message_send: d5420f4d e006695a d3aac66a 8c7d7d23 eed509f7 166d916a c1733880 f8512ce6 +115050.714308 Mesg 70 message_send: 89e0c1d2 a1ff681c d68ce268 ceb15bba 7171a0c9 854414fb d00f64b8 cdc9b681 +115050.714387 Mesg 70 message_send: 0ab4ac83 89981ca0 29b1f58a ccd6b753 1c670f39 96c6bfc3 b7d1874e 870132ed +115050.714465 Mesg 70 message_send: 544fe16e 
046c037e e7709b76 f73abaab b4ce4bab 6ed6edfd e214d71c f27162a0 +115050.714544 Mesg 70 message_send: a22f11c1 8351043f 7f3f8a0d b8c95605 7ef75056 c3dcd256 ab703c4f 64e5f04e +115050.714623 Mesg 70 message_send: f3e8574d acbc24d4 55a4ad0c 01b2fdb8 d15b241c 5fa578e8 407c0cfd a7fb692d +115050.714701 Mesg 70 message_send: 7bb3b7fa 09cba2ed 4ad14eab 13cceeea cee25d57 a1732433 f5cc9b24 74949731 +115050.714779 Mesg 70 message_send: 41b635cb 87f9afd5 64235ccd bdb19ffb 29ddd3a1 cccf65f6 760345eb b254c0d5 +115050.802195 Mesg 70 message_send: 0841edb7 b659e9cc 88555706 b8882814 cf7fe9a0 1d562d93 caaa38c5 86201b50 +115050.802285 Mesg 70 message_send: 08da9a01 c535d5a6 d82b0fe5 cea2fee5 8593f324 b2683ff5 19b7785a f64f6131 +115050.802364 Mesg 70 message_send: 4dedfc1d fb07266c cbcf7de7 90d6fda9 56dd495e c5e77c05 6618e4d6 0a107fa0 +115050.802443 Mesg 70 message_send: c3bc52db 8b4bf299 ad07898e 59b1a810 231753cb a05740af f9221226 48405cc7 +115050.802487 Mesg 70 message_send: 1a879577 +115050.802530 Exch 40 exchange_run: exchange 0x5a600 finished step 3, advancing... 
+115050.802578 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115050.802622 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115050.802665 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115050.802708 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115050.802750 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115050.802793 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115050.915930 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115050.915982 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115050.916025 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115050.916069 Trpt 90 transport_release: transport 0x5c500 had 3 references +115050.916112 Trpt 90 transport_release: transport 0x5c200 had 3 references +115050.916155 Trpt 90 transport_release: transport 0x4da80 had 2 references +115050.916197 Trpt 90 transport_release: transport 0x4df80 had 3 references +115050.916240 Trpt 90 transport_release: transport 0x4d780 had 3 references +115050.916282 Trpt 90 transport_release: transport 0x4d900 had 3 references +115050.916324 Trpt 90 transport_release: transport 0x4d600 had 2 references +115050.916367 Trpt 90 transport_release: transport 0x4d580 had 2 references +115050.916409 Trpt 90 transport_release: transport 0x4d500 had 2 references +115050.916470 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115051.012072 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115051.012123 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115051.012166 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115051.012209 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115051.012251 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115051.012294 Trpt 90 transport_reference: transport 0x4d600 
now has 2 references +115051.012336 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115051.012379 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115051.012520 Exch 10 exchange_finalize: 0x5a600 IPsec-group-policy Default-group-mode policy responder phase 2 doi 2 exchange 32 step 4 +115051.012576 Exch 10 exchange_finalize: icookie 64375adba46c560b rcookie dca1591d945a7cad +115051.012619 Exch 10 exchange_finalize: msgid 3cc1f923 sa_list +115051.012662 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!! + +115051.121733 Trpt 90 transport_release: transport 0x5c500 had 3 references +115051.121788 Trpt 90 transport_release: transport 0x5c200 had 3 references +115051.121831 Trpt 90 transport_release: transport 0x4da80 had 2 references +115051.121874 Trpt 90 transport_release: transport 0x4df80 had 3 references +115051.121916 Trpt 90 transport_release: transport 0x4d780 had 3 references +115051.121959 Trpt 90 transport_release: transport 0x4d900 had 3 references +115051.122001 Trpt 90 transport_release: transport 0x4d600 had 2 references +115051.122044 Trpt 90 transport_release: transport 0x4d580 had 2 references +115051.122086 Trpt 90 transport_release: transport 0x4d500 had 2 references +115057.058132 Trpt 70 transport_add: adding 0x5c080 +115057.058605 Trpt 90 transport_reference: transport 0x5c080 now has 1 references +115057.058660 Mesg 90 message_alloc: allocated 0x60000 +115057.058724 Mesg 70 message_recv: message 0x60000 +115057.058775 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115057.058828 Mesg 70 RCOOKIE: 0x0000000000000000 +115057.058870 Mesg 70 NEXT_PAYLOAD: SA +115057.058915 Mesg 70 VERSION: 16 +115057.058956 Mesg 70 EXCH_TYPE: ID_PROT +115057.058998 Mesg 70 FLAGS: [ ] +115057.059044 Mesg 70 MESSAGE_ID: 0x00000000 +115057.059087 Mesg 70 LENGTH: 80 +115057.059173 Mesg 70 message_recv: b0157219 72bc1c77 00000000 00000000 01100200 00000000 00000050 00000034 +115057.059261 Mesg 70 message_recv: 00000002 00000000 00000028 
01010001 00000020 00010000 80010005 80020002 +115057.059323 Mesg 70 message_recv: 80030001 80040002 800b0001 800c003c +115057.059372 SA 90 sa_find: no SA matched query +115057.059424 Mesg 50 message_parse_payloads: offset 0x1c payload SA +115057.059475 Mesg 60 message_validate_payloads: payload SA at 0x5c39c of message 0x60000 +115057.059554 Mesg 70 DOI: 2 +115057.059616 Misc 60 conf_get_str: [Phase 1]:10.0.224.41->GDOI-group-member-3 +115057.059663 Exch 90 exchange_lookup_active: GDOI-group-member-3 == && 1 == 1? +115057.059707 Exch 90 exchange_lookup_active: GDOI-group-member-3 == GDOI-group-member-2 && 1 == 1? +115057.059752 Exch 90 exchange_lookup_active: GDOI-group-member-3 == IPsec-group-policy && 1 == 2? +115057.059796 Exch 90 exchange_lookup_active: GDOI-group-member-3 == IPsec-group-policy && 1 == 2? +115057.059839 Exch 90 exchange_lookup_active: GDOI-group-member-3 == GDOI-group-member-1 && 1 == 1? +115057.059884 Misc 60 conf_get_str: [GDOI-group-member-3]:Configuration->Default-main-mode +115057.059928 Misc 60 conf_get_str: [Default-main-mode]:DOI->GROUP +115057.059970 Misc 60 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT +115057.060045 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +115057.060108 Timr 10 timer_add_event: event exchange_free_aux(0x5a800) added before cookie_reset_event(0x0), expiration in 120s +115057.060303 Exch 10 exchange_setup_p1: 0x5a800 GDOI-group-member-3 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 0 +115057.060358 Exch 10 exchange_setup_p1: icookie b015721972bc1c77 rcookie 03fd48425906c102 +115057.060399 Exch 10 exchange_setup_p1: msgid 00000000 +115057.060445 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115057.060491 SA 80 sa_reference: SA 0x5ab00 now has 1 references +115057.060532 SA 70 sa_enter: SA 0x5ab00 added to SA list +115057.060572 SA 80 sa_reference: SA 0x5ab00 now has 2 references +115057.060616 SA 60 sa_create: sa 0x5ab00 phase 1 added to exchange 
0x5a800 (GDOI-group-member-3) +115057.060659 SA 80 sa_reference: SA 0x5ab00 now has 3 references +115057.060703 Mesg 50 message_parse_payloads: offset 0x28 payload PROPOSAL +115057.060748 Mesg 50 message_parse_payloads: offset 0x30 payload TRANSFORM +115057.060792 Mesg 50 Transform 0's attributes +115057.060839 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x5c3a8 of message 0x60000 +115057.060960 Mesg 70 NO: 1 +115057.061005 Mesg 70 PROTO: ISAKMP +115057.061047 Mesg 70 SPI_SZ: 0 +115057.061088 Mesg 70 NTRANSFORMS: 1 +115057.061136 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x5c3b0 of message 0x60000 +115057.061179 Mesg 70 NO: 0 +115057.061219 Mesg 70 ID: 1 +115057.061272 Exch 90 exchange_validate: checking for required SA +115057.061318 Misc 30 gdoi_responder: phase 1 exchange 2 step 0 +115057.061369 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok +115057.061424 SA 80 sa_add_transform: proto 0x4e800 no 1 proto 1 chosen 0x58a80 sa 0x5ab00 id 1 +115057.061471 Misc 60 conf_get_str: [Default-main-mode]:Transforms->3DES-SHA +115057.061526 Misc 60 conf_get_str: [3DES-SHA]:ENCRYPTION_ALGORITHM->3DES_CBC +115057.061576 Misc 60 conf_get_str: [3DES-SHA]:HASH_ALGORITHM->SHA +115057.061623 Misc 60 conf_get_str: [3DES-SHA]:AUTHENTICATION_METHOD->PRE_SHARED +115057.061669 Misc 60 conf_get_str: [3DES-SHA]:GROUP_DESCRIPTION->MODP_1024 +115057.061769 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115057.061822 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115057.061866 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115057.061913 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115057.061962 Misc 60 conf_get_str: [3DES-SHA]:Life->LIFE_60_SECS +115057.062006 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115057.062047 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115057.062115 Misc 90 conf_match_num: LIFE_60_SECS:LIFE_DURATION 45<=60<=72? 
+115057.062186 Negt 20 ike_phase_1_validate_prop: success +115057.062232 Negt 30 message_negotiate_sa: proposal 1 succeeded +115057.062276 Misc 20 ipsec_decode_transform: transform 0 chosen +115057.062341 Misc 70 group_get: returning 0x4e840 of group 2 +115057.062396 Exch 40 exchange_run: exchange 0x5a800 finished step 0, advancing... +115057.062451 Trpt 90 transport_reference: transport 0x5c080 now has 3 references +115057.062494 Mesg 90 message_alloc: allocated 0x62000 +115057.062725 SA 80 sa_reference: SA 0x5ab00 now has 4 references +115057.062777 Misc 30 gdoi_responder: phase 1 exchange 2 step 1 +115057.062840 Exch 90 exchange_validate: checking for required SA +115057.062887 Mesg 70 message_send: message 0x62000 +115057.062937 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115057.062987 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115057.063028 Mesg 70 NEXT_PAYLOAD: SA +115057.063072 Mesg 70 VERSION: 16 +115057.063112 Mesg 70 EXCH_TYPE: ID_PROT +115057.063154 Mesg 70 FLAGS: [ ] +115057.063200 Mesg 70 MESSAGE_ID: 0x00000000 +115057.063242 Mesg 70 LENGTH: 80 +115057.063327 Mesg 70 message_send: b0157219 72bc1c77 03fd4842 5906c102 01100200 00000000 00000050 00000034 +115057.063414 Mesg 70 message_send: 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +115057.063477 Mesg 70 message_send: 80030001 80040002 800b0001 800c003c +115057.063520 Exch 40 exchange_run: exchange 0x5a800 finished step 1, advancing... 
+115057.063566 Trpt 90 transport_reference: transport 0x5c080 now has 4 references +115057.152903 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115057.152956 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115057.152999 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115057.153043 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115057.153086 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115057.153129 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115057.153172 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115057.153215 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115057.153258 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115057.153302 Trpt 90 transport_release: transport 0x5c080 had 4 references +115057.153345 Trpt 90 transport_release: transport 0x5c500 had 3 references +115057.153387 Trpt 90 transport_release: transport 0x5c200 had 3 references +115057.153430 Trpt 90 transport_release: transport 0x4da80 had 2 references +115057.248924 Trpt 90 transport_release: transport 0x4df80 had 3 references +115057.248977 Trpt 90 transport_release: transport 0x4d780 had 3 references +115057.249020 Trpt 90 transport_release: transport 0x4d900 had 3 references +115057.249062 Trpt 90 transport_release: transport 0x4d600 had 2 references +115057.249105 Trpt 90 transport_release: transport 0x4d580 had 2 references +115057.249147 Trpt 90 transport_release: transport 0x4d500 had 2 references +115057.249210 Trpt 90 transport_reference: transport 0x5c080 now has 4 references +115057.249256 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115057.249299 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115057.249342 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115057.249385 Trpt 90 transport_reference: transport 0x4df80 now 
has 3 references +115057.249428 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115057.330972 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115057.331024 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115057.331067 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115057.331110 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115057.331240 Misc 60 conf_get_str: [General]:retransmits->5 +115057.331298 Trpt 30 transport_send_messages: message 0x62000 scheduled for retransmission 1 in 7 secs +115057.331353 Timr 10 timer_add_event: event message_send_expire(0x62000) added before gdoi_rekey_sender(0x4b900), expiration in 7s +115057.331401 Trpt 90 transport_release: transport 0x5c080 had 4 references +115057.331444 Trpt 90 transport_release: transport 0x5c500 had 3 references +115057.331486 Trpt 90 transport_release: transport 0x5c200 had 3 references +115057.331529 Trpt 90 transport_release: transport 0x4da80 had 2 references +115057.331571 Trpt 90 transport_release: transport 0x4df80 had 3 references +115057.427649 Trpt 90 transport_release: transport 0x4d780 had 3 references +115057.427703 Trpt 90 transport_release: transport 0x4d900 had 3 references +115057.427746 Trpt 90 transport_release: transport 0x4d600 had 2 references +115057.427788 Trpt 90 transport_release: transport 0x4d580 had 2 references +115057.427831 Trpt 90 transport_release: transport 0x4d500 had 2 references +115057.446085 Trpt 70 transport_add: adding 0x5c580 +115057.446153 Trpt 90 transport_reference: transport 0x5c580 now has 1 references +115057.446198 Mesg 90 message_alloc: allocated 0x63000 +115057.446238 Mesg 70 message_recv: message 0x63000 +115057.446288 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115057.446340 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115057.446383 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +115057.446427 Mesg 70 VERSION: 16 +115057.446469 Mesg 70 EXCH_TYPE: ID_PROT +115057.446511 Mesg 70 
FLAGS: [ ] +115057.446557 Mesg 70 MESSAGE_ID: 0x00000000 +115057.446601 Mesg 70 LENGTH: 180 +115057.446686 Mesg 70 message_recv: b0157219 72bc1c77 03fd4842 5906c102 04100200 00000000 000000b4 0a000084 +115057.504897 Mesg 70 message_recv: a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115057.504985 Mesg 70 message_recv: a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115057.505065 Mesg 70 message_recv: f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115057.505144 Mesg 70 message_recv: 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115057.505210 Mesg 70 message_recv: 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115057.505257 SA 80 sa_reference: SA 0x5ab00 now has 5 references +115057.505301 Mesg 90 message_check_duplicate: last_received 0x60000 +115057.505338 Mesg 95 message_check_duplicate: last_received: +115057.505419 Mesg 95 b0157219 72bc1c77 00000000 00000000 01100200 00000000 00000050 00000034 +115057.505502 Mesg 95 00000002 00000000 00000028 01010001 00000020 00010000 80010005 80020002 +115057.505561 Mesg 95 80030001 80040002 800b0001 800c003c +115057.602215 Mesg 20 message_free: freeing 0x62000 +115057.602270 Timr 10 timer_remove_event: removing event message_send_expire(0x62000) +115057.602318 Trpt 90 transport_release: transport 0x5c080 had 3 references +115057.602361 SA 80 sa_release: SA 0x5ab00 had 5 references +115057.602418 Mesg 50 message_parse_payloads: offset 0x1c payload KEY_EXCH +115057.602467 Mesg 50 message_parse_payloads: offset 0xa0 payload NONCE +115057.602518 Mesg 60 message_validate_payloads: payload KEY_EXCH at 0x5ad1c of message 0x63000 +115057.602567 Mesg 60 message_validate_payloads: payload NONCE at 0x5ada0 of message 0x63000 +115057.602617 Exch 90 exchange_validate: checking for required KEY_EXCH +115057.602659 Exch 90 exchange_validate: checking for required NONCE +115057.602701 Misc 30 gdoi_responder: phase 1 exchange 2 step 2 
+115057.602749 Misc 80 ipsec_g_x: g^xi: +115057.602826 Misc 80 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115057.602902 Misc 80 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115057.670094 Misc 80 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115057.670177 Misc 80 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115057.670224 Exch 80 exchange_nonce: NONCE_i: +115057.670281 Exch 80 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115057.670329 Mesg 20 message_free: freeing 0x60000 +115057.670376 Trpt 90 transport_release: transport 0x5c080 had 2 references +115057.670418 SA 80 sa_release: SA 0x5ab00 had 4 references +115057.670464 Exch 40 exchange_run: exchange 0x5a800 finished step 2, advancing... +115057.670516 Trpt 90 transport_reference: transport 0x5c580 now has 2 references +115057.670560 Mesg 90 message_alloc: allocated 0x60000 +115057.670602 SA 80 sa_reference: SA 0x5ab00 now has 4 references +115057.670647 Misc 30 gdoi_responder: phase 1 exchange 2 step 3 +115057.745333 Misc 80 ipsec_g_x: g^xr: +115057.745422 Misc 80 d813737c fbb45a3a 15f3b0fd 88eaae6b b1791ce2 664f2bf9 4e8e84ec 09426dcb +115057.745500 Misc 80 843ea670 0437df75 e188aa1c 0f5cd94b da786676 3f08fadb f6aa3159 8ac38277 +115057.807498 Misc 80 b766a2dc 24b497b1 5d2a1300 91c99cb0 4b488b09 3d753e13 f1dd0e36 85d3fbea +115057.807582 Misc 80 195376ec 16fcf5ff ff1f8403 377dfcff 5c55b267 271e8775 d7097920 315f686d +115057.807637 Exch 80 exchange_nonce: NONCE_r: +115057.807697 Exch 80 f42f7c3f ec3b4125 0b0b1817 b9289357 +115057.807742 Exch 90 exchange_validate: checking for required KEY_EXCH +115057.807785 Exch 90 exchange_validate: checking for required NONCE +115057.807827 Mesg 70 message_send: message 0x60000 +115057.807877 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115057.807927 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115057.807969 Mesg 70 NEXT_PAYLOAD: KEY_EXCH +115057.808013 Mesg 70 VERSION: 16 +115057.808054 Mesg 
70 EXCH_TYPE: ID_PROT +115057.808095 Mesg 70 FLAGS: [ ] +115057.808141 Mesg 70 MESSAGE_ID: 0x00000000 +115057.808185 Mesg 70 LENGTH: 180 +115057.808269 Mesg 70 message_send: b0157219 72bc1c77 03fd4842 5906c102 04100200 00000000 000000b4 0a000084 +115057.880265 Mesg 70 message_send: d813737c fbb45a3a 15f3b0fd 88eaae6b b1791ce2 664f2bf9 4e8e84ec 09426dcb +115057.880353 Mesg 70 message_send: 843ea670 0437df75 e188aa1c 0f5cd94b da786676 3f08fadb f6aa3159 8ac38277 +115057.880433 Mesg 70 message_send: b766a2dc 24b497b1 5d2a1300 91c99cb0 4b488b09 3d753e13 f1dd0e36 85d3fbea +115057.880512 Mesg 70 message_send: 195376ec 16fcf5ff ff1f8403 377dfcff 5c55b267 271e8775 d7097920 315f686d +115057.880577 Mesg 70 message_send: 00000014 f42f7c3f ec3b4125 0b0b1817 b9289357 +115057.880621 Exch 40 exchange_run: exchange 0x5a800 finished step 3, advancing... +115057.880668 Trpt 90 transport_reference: transport 0x5c580 now has 3 references +115057.880712 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115057.880754 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115057.880797 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115057.880840 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115057.973130 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115057.973184 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115057.973228 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115057.973271 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115057.973314 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115057.973357 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115057.973402 Trpt 90 transport_release: transport 0x5c580 had 3 references +115057.973445 Trpt 90 transport_release: transport 0x5c080 had 2 references +115057.973488 Trpt 90 transport_release: transport 0x5c500 had 3 references 
+115057.973530 Trpt 90 transport_release: transport 0x5c200 had 3 references +115057.973573 Trpt 90 transport_release: transport 0x4da80 had 2 references +115057.973615 Trpt 90 transport_release: transport 0x4df80 had 3 references +115057.973658 Trpt 90 transport_release: transport 0x4d780 had 3 references +115058.059361 Trpt 90 transport_release: transport 0x4d900 had 3 references +115058.059413 Trpt 90 transport_release: transport 0x4d600 had 2 references +115058.059455 Trpt 90 transport_release: transport 0x4d580 had 2 references +115058.059497 Trpt 90 transport_release: transport 0x4d500 had 2 references +115058.059558 Trpt 90 transport_reference: transport 0x5c580 now has 3 references +115058.059603 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115058.059646 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115058.059689 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115058.059731 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115058.059774 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115058.059817 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115058.059859 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115058.059902 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115058.150507 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115058.150561 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115058.150695 Misc 60 conf_get_str: [General]:retransmits->5 +115058.150754 Trpt 30 transport_send_messages: message 0x60000 scheduled for retransmission 1 in 7 secs +115058.150810 Timr 10 timer_add_event: event message_send_expire(0x60000) added before gdoi_rekey_sender(0x4b900), expiration in 7s +115058.239475 Negt 80 ike_phase_1_post_exchange_KE_NONCE: g^xy: +115058.239568 Negt 80 374942c7 3e2ebf83 98d6d1d2 373ceb88 dafccbeb 6f635bb9 60e9981a 45476632 
+115058.239646 Negt 80 9d3d6be7 5168c470 014e0318 653c4b3e 1a41eefe bdaea204 3e95f9f0 442eddcb +115058.239722 Negt 80 e12af81b 485b0ae2 eb6a1e27 70d1d5c3 1a20cab4 83a6bc5b c5c99d45 e20b4e4d +115058.239797 Negt 80 ad155514 8e075c78 c4f3472e a03097af 066d3a3e 4739a8d4 89d5face 7a4d6c73 +115058.239842 Misc 60 conf_get_str: [GDOI-group-member-3]:Authentication->mekmitasdigoat +115058.331622 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID: +115058.331699 Negt 80 75672a06 1dd57f5a 32a36e10 738c2db2 cf72a6d4 +115058.331772 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_d: +115058.331839 Negt 80 33b7c86f 41a41834 1a644552 1c8fd9ba 5c49bdd9 +115058.331900 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_a: +115058.331966 Negt 80 e5c97812 f4abc193 63e76cc9 0da9e14b 899639f6 +115058.332028 Negt 80 ike_phase_1_post_exchange_KE_NONCE: SKEYID_e: +115058.332116 Negt 80 f8657d67 f6f17e94 a07d927a b83597cf b963f8df +115058.332197 Cryp 40 crypto_init: key: +115058.332267 Cryp 40 21cf7af8 791a965e 385bf6a2 94f2dfcc f855b91c 289e3d73 +115058.332353 Cryp 50 crypto_update_iv: initialized IV: +115058.332405 Cryp 50 e54dcd2f c170784d +115058.332450 Trpt 90 transport_release: transport 0x5c580 had 3 references +115058.332495 Trpt 90 transport_release: transport 0x5c080 had 2 references +115058.332537 Trpt 90 transport_release: transport 0x5c500 had 3 references +115058.437230 Trpt 90 transport_release: transport 0x5c200 had 3 references +115058.437283 Trpt 90 transport_release: transport 0x4da80 had 2 references +115058.437325 Trpt 90 transport_release: transport 0x4df80 had 3 references +115058.437368 Trpt 90 transport_release: transport 0x4d780 had 3 references +115058.437410 Trpt 90 transport_release: transport 0x4d900 had 3 references +115058.437452 Trpt 90 transport_release: transport 0x4d600 had 2 references +115058.437495 Trpt 90 transport_release: transport 0x4d580 had 2 references +115058.437537 Trpt 90 transport_release: transport 0x4d500 had 2 references +115058.437611 
Trpt 70 transport_add: adding 0x5c700 +115058.437668 Trpt 90 transport_reference: transport 0x5c700 now has 1 references +115058.437712 Mesg 90 message_alloc: allocated 0x64000 +115058.437752 Mesg 70 message_recv: message 0x64000 +115058.437802 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115058.437854 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115058.437896 Mesg 70 NEXT_PAYLOAD: ID +115058.437940 Mesg 70 VERSION: 16 +115058.513949 Mesg 70 EXCH_TYPE: ID_PROT +115058.514003 Mesg 70 FLAGS: [ ENC ] +115058.514051 Mesg 70 MESSAGE_ID: 0x00000000 +115058.514095 Mesg 70 LENGTH: 92 +115058.514179 Mesg 70 message_recv: b0157219 72bc1c77 03fd4842 5906c102 05100201 00000000 0000005c edc4946b +115058.514259 Mesg 70 message_recv: 582a2c39 e0d96a5a a7489699 93a3046f f99357a2 4d144154 31c630ee 828c7a60 +115058.514334 Mesg 70 message_recv: 024256dc 9cf77425 fe4fd1c0 abae3648 b08dadd5 b4d16456 01e47be3 +115058.514380 SA 80 sa_reference: SA 0x5ab00 now has 5 references +115058.514425 Mesg 90 message_check_duplicate: last_received 0x63000 +115058.514462 Mesg 95 message_check_duplicate: last_received: +115058.514542 Mesg 95 b0157219 72bc1c77 03fd4842 5906c102 04100200 00000000 000000b4 0a000084 +115058.514618 Mesg 95 a429da99 e2e74ce3 5ae42cf5 864108cf 1c86e285 800f9be5 5cb15ff3 758f08ca +115058.514693 Mesg 95 a14d49c0 7ef44607 59852333 3dd7c7b2 458f3330 5ced09da 3838b813 0ae07205 +115058.514769 Mesg 95 f1dd6a05 b80b2aee f5b442e4 3c8f5625 0cefcce6 5b1c10af 521c87b5 551effbf +115058.581789 Mesg 95 9f20c582 b0527ff2 6fb07f4d 407ce0eb 027f5f42 b04cd1f6 50ffd70a 9307d12d +115058.581859 Mesg 95 00000014 fb85e612 29a5c670 d1ed0e52 e63f4a37 +115058.581899 Mesg 20 message_free: freeing 0x60000 +115058.581944 Timr 10 timer_remove_event: removing event message_send_expire(0x60000) +115058.581991 Trpt 90 transport_release: transport 0x5c580 had 2 references +115058.582034 SA 80 sa_release: SA 0x5ab00 had 5 references +115058.582085 Cryp 10 crypto_decrypt: before decryption: +115058.582185 Cryp 10 edc4946b 
582a2c39 e0d96a5a a7489699 93a3046f f99357a2 4d144154 31c630ee +115058.582260 Cryp 10 828c7a60 024256dc 9cf77425 fe4fd1c0 abae3648 b08dadd5 b4d16456 01e47be3 +115058.582378 Cryp 30 crypto_decrypt: after decryption: +115058.582461 Cryp 30 0800000c 01000000 0a00e029 0b000018 ca32a1ac 9cf60e97 8111cf83 7924b3c8 +115058.582540 Cryp 30 c5214180 0000001c 00000001 01106002 b0157219 72bc1c77 03fd4842 5906c102 +115058.582589 Mesg 50 message_parse_payloads: offset 0x1c payload ID +115058.649638 Mesg 50 message_parse_payloads: offset 0x28 payload HASH +115058.649692 Mesg 50 message_parse_payloads: offset 0x40 payload NOTIFY +115058.649744 Mesg 60 message_validate_payloads: payload ID at 0x5c79c of message 0x64000 +115058.649787 Mesg 70 TYPE: 1 +115058.649833 Mesg 70 DOI_DATA: 0x000000 +115058.649881 Mesg 00 gdoi_validate_id_information: proto 0 port 0 type 1 +115058.649919 Mesg 40 gdoi_validate_id_information: IPv4: +115058.649961 Mesg 40 0a00e029 +115058.650044 Mesg 60 message_validate_payloads: payload HASH at 0x5c7a8 of message 0x64000 +115058.650096 Mesg 60 message_validate_payloads: payload NOTIFY at 0x5c7c0 of message 0x64000 +115058.650139 Mesg 70 DOI: IPSEC +115058.650181 Mesg 70 PROTO: ISAKMP +115058.650225 Mesg 70 SPI_SZ: 16 +115058.650270 Mesg 70 MSG_TYPE: INITIAL_CONTACT +115058.650324 Exch 90 exchange_validate: checking for required ID +115058.650367 Exch 90 exchange_validate: checking for required AUTH +115058.650409 Misc 30 gdoi_responder: phase 1 exchange 2 step 4 +115058.731686 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR: +115058.731739 Negt 40 0a00e029 +115058.731783 Misc 80 pre_shared_decode_hash: HASH_I: +115058.731845 Misc 80 ca32a1ac 9cf60e97 8111cf83 7924b3c8 c5214180 +115058.731953 Negt 80 ike_phase_1_recv_AUTH: computed HASH_I: +115058.732020 Negt 80 ca32a1ac 9cf60e97 8111cf83 7924b3c8 c5214180 +115058.732062 Exch 10 exchange_run: unexpected payload NOTIFY +115058.732107 Mesg 20 message_free: freeing 0x63000 +115058.732153 Trpt 90 transport_release: 
transport 0x5c580 had 1 references +115058.732193 Trpt 70 transport_release: freeing 0x5c580 +115058.732236 SA 80 sa_release: SA 0x5ab00 had 4 references +115058.732278 Cryp 50 crypto_update_iv: updated IV: +115058.732326 Cryp 50 b4d16456 01e47be3 +115058.732368 Exch 40 exchange_run: exchange 0x5a800 finished step 4, advancing... +115058.732421 Trpt 90 transport_reference: transport 0x5c700 now has 2 references +115058.732464 Mesg 90 message_alloc: allocated 0x60000 +115058.732506 SA 80 sa_reference: SA 0x5ab00 now has 4 references +115058.817799 Misc 30 gdoi_responder: phase 1 exchange 2 step 5 +115058.817860 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:ID +115058.817906 Misc 60 conf_get_str: configuration value not found [General]:Default-phase-1-ID +115058.817959 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: +115058.818006 Negt 40 0a00e02c +115058.818106 Misc 80 pre_shared_encode_hash: HASH_R: +115058.818174 Misc 80 f375e23e 0007aa22 a6219541 01a26096 fc7e73bd +115058.818231 Exch 90 exchange_validate: checking for required ID +115058.818276 Exch 90 exchange_validate: checking for required AUTH +115058.818323 Cryp 10 crypto_encrypt: before encryption: +115058.818406 Cryp 10 0800000c 01000000 0a00e02c 0b000018 f375e23e 0007aa22 a6219541 01a26096 +115058.818486 Cryp 10 fc7e73bd 0000001c 00000001 01106002 b0157219 72bc1c77 03fd4842 5906c102 +115058.818598 Cryp 30 crypto_encrypt: after encryption: +115058.818676 Cryp 30 bf3b4587 b3ae62b8 cc5cca28 84b2e373 a886d894 d25fa66a 9341b0e2 f63f0777 +115058.900911 Cryp 30 ca09e0db febe8fbb cbff7847 3784e127 b5ee9978 0e62c132 35ff8333 14c78470 +115058.900961 Cryp 50 crypto_update_iv: updated IV: +115058.901007 Cryp 50 35ff8333 14c78470 +115058.901046 Mesg 70 message_send: message 0x60000 +115058.901096 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115058.901146 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115058.901189 Mesg 70 NEXT_PAYLOAD: ID +115058.901234 Mesg 70 VERSION: 16 +115058.901275 Mesg 70 EXCH_TYPE: ID_PROT 
+115058.901319 Mesg 70 FLAGS: [ ENC ] +115058.901366 Mesg 70 MESSAGE_ID: 0x00000000 +115058.901410 Mesg 70 LENGTH: 92 +115058.901493 Mesg 70 message_send: b0157219 72bc1c77 03fd4842 5906c102 05100201 00000000 0000005c bf3b4587 +115058.901574 Mesg 70 message_send: b3ae62b8 cc5cca28 84b2e373 a886d894 d25fa66a 9341b0e2 f63f0777 ca09e0db +115058.901648 Mesg 70 message_send: febe8fbb cbff7847 3784e127 b5ee9978 0e62c132 35ff8333 14c78470 +115058.901692 Exch 40 exchange_run: exchange 0x5a800 finished step 5, advancing... +115058.901740 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115058.997714 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115058.997766 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115058.997809 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115058.997852 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115058.997895 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115058.997938 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115058.997981 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115058.998024 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115058.998067 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115058.998110 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115058.998154 Trpt 90 transport_release: transport 0x5c700 had 3 references +115058.998196 Trpt 90 transport_release: transport 0x5c080 had 2 references +115059.097881 Trpt 90 transport_release: transport 0x5c500 had 3 references +115059.097932 Trpt 90 transport_release: transport 0x5c200 had 3 references +115059.097974 Trpt 90 transport_release: transport 0x4da80 had 2 references +115059.098016 Trpt 90 transport_release: transport 0x4df80 had 3 references +115059.098058 Trpt 90 transport_release: transport 0x4d780 had 3 references +115059.098100 Trpt 90 
transport_release: transport 0x4d900 had 3 references +115059.098142 Trpt 90 transport_release: transport 0x4d600 had 2 references +115059.098184 Trpt 90 transport_release: transport 0x4d580 had 2 references +115059.098226 Trpt 90 transport_release: transport 0x4d500 had 2 references +115059.098287 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115059.098333 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115059.098375 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115059.098418 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115059.203677 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115059.203731 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115059.203774 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115059.203817 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115059.203860 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115059.203903 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115059.203946 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115059.204084 Exch 10 exchange_finalize: 0x5a800 GDOI-group-member-3 Default-main-mode policy responder phase 1 doi 2 exchange 2 step 6 +115059.204141 Exch 10 exchange_finalize: icookie b015721972bc1c77 rcookie 03fd48425906c102 +115059.204183 Exch 10 exchange_finalize: msgid 00000000 +115059.204230 SA 90 sa_find: no SA matched query +115059.204281 Misc 60 conf_get_str: configuration value not found [GDOI-group-member-3]:Flags +115059.291605 Exch 10 exchange_finalize: phase 1 done: initiator id 0a00e029: 10.0.224.41, responder id 0a00e02c: 10.0.224.44, src: 10.0.224.44 dst: 10.0.224.41 +115059.291669 Timr 95 sa_setup_expirations: SA 0x5ab00 soft timeout in 53 seconds +115059.291724 Timr 10 timer_add_event: event sa_soft_expire(0x5ab00) added before exchange_free_aux(0x4b500), expiration in 
53s +115059.291769 SA 80 sa_reference: SA 0x5ab00 now has 5 references +115059.291814 Timr 95 sa_setup_expirations: SA 0x5ab00 hard timeout in 60 seconds +115059.291865 Timr 10 timer_add_event: event sa_hard_expire(0x5ab00) added before exchange_free_aux(0x4b500), expiration in 60s +115059.291910 SA 80 sa_reference: SA 0x5ab00 now has 6 references +115059.291948 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 1!!! + +115059.291997 SA 80 sa_release: SA 0x5ab00 had 6 references +115059.292044 Trpt 90 transport_release: transport 0x5c700 had 3 references +115059.292088 Trpt 90 transport_release: transport 0x5c080 had 2 references +115059.383206 Trpt 90 transport_release: transport 0x5c500 had 3 references +115059.383257 Trpt 90 transport_release: transport 0x5c200 had 3 references +115059.383300 Trpt 90 transport_release: transport 0x4da80 had 2 references +115059.383342 Trpt 90 transport_release: transport 0x4df80 had 3 references +115059.383385 Trpt 90 transport_release: transport 0x4d780 had 3 references +115059.383427 Trpt 90 transport_release: transport 0x4d900 had 3 references +115059.383470 Trpt 90 transport_release: transport 0x4d600 had 2 references +115059.383512 Trpt 90 transport_release: transport 0x4d580 had 2 references +115059.383554 Trpt 90 transport_release: transport 0x4d500 had 2 references +115059.415601 Trpt 70 transport_add: adding 0x5c580 +115059.415667 Trpt 90 transport_reference: transport 0x5c580 now has 1 references +115059.415711 Mesg 90 message_alloc: allocated 0x63000 +115059.415751 Mesg 70 message_recv: message 0x63000 +115059.415800 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115059.415851 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115059.494603 Mesg 70 NEXT_PAYLOAD: HASH +115059.494656 Mesg 70 VERSION: 16 +115059.494698 Mesg 70 EXCH_TYPE: QUICK_MODE +115059.494742 Mesg 70 FLAGS: [ ENC ] +115059.494789 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115059.494833 Mesg 70 LENGTH: 84 +115059.494916 Mesg 70 message_recv: b0157219 72bc1c77 03fd4842 5906c102 08102001 
3cc1f923 00000054 6aa660bc +115059.494996 Mesg 70 message_recv: 534e9fec b117ae85 bcced965 df109821 4e7fc84f 41f16028 79c18208 f27584bd +115059.495060 Mesg 70 message_recv: b485359e 36a6d39c 6776a823 ff91a5b9 d46ad61a +115059.495104 SA 80 sa_reference: SA 0x5ab00 now has 6 references +115059.495155 Cryp 80 gdoi_get_keystate: final phase 1 IV: +115059.495204 Cryp 80 35ff8333 14c78470 +115059.495241 Cryp 80 gdoi_get_keystate: message ID: +115059.495282 Cryp 80 3cc1f923 +115059.495337 Cryp 50 crypto_update_iv: initialized IV: +115059.495386 Cryp 50 72d7be74 3b499809 +115059.495421 Cryp 80 gdoi_get_keystate: phase 2 IV: +115059.495467 Cryp 80 72d7be74 3b499809 +115059.557384 Cryp 10 crypto_decrypt: before decryption: +115059.557469 Cryp 10 6aa660bc 534e9fec b117ae85 bcced965 df109821 4e7fc84f 41f16028 79c18208 +115059.557534 Cryp 10 f27584bd b485359e 36a6d39c 6776a823 ff91a5b9 d46ad61a +115059.557640 Cryp 30 crypto_decrypt: after decryption: +115059.557721 Cryp 30 0a000018 781d0f68 d8daf556 ac748e2c acf8f63d c58c63fb 05000014 7cb79b64 +115059.557790 Cryp 30 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2 +115059.557839 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +115059.557886 Mesg 50 message_parse_payloads: offset 0x34 payload NONCE +115059.557931 Mesg 50 message_parse_payloads: offset 0x48 payload ID +115059.557981 Mesg 60 message_validate_payloads: payload ID at 0x5c8c8 of message 0x63000 +115059.558025 Mesg 70 TYPE: 11 +115059.558070 Mesg 70 DOI_DATA: 0x000000 +115059.558126 Misc 60 conf_get_str: [General]:Exchange-max-time->120 +115059.558189 Timr 10 timer_add_event: event exchange_free_aux(0x5ad00) added before cookie_reset_event(0x0), expiration in 120s +115059.625244 Exch 10 exchange_setup_p2: 0x5ad00 policy responder phase 2 doi 2 exchange 32 step 0 +115059.625303 Exch 10 exchange_setup_p2: icookie b015721972bc1c77 rcookie 03fd48425906c102 +115059.625346 Exch 10 exchange_setup_p2: msgid 3cc1f923 sa_list +115059.625392 Mesg 00 
gdoi_validate_id_information: proto 0 port 0 type 11 +115059.625431 Mesg 40 gdoi_validate_id_information: key id +115059.625477 Mesg 60 message_validate_payloads: payload HASH at 0x5c89c of message 0x63000 +115059.625523 Mesg 60 message_validate_payloads: payload NONCE at 0x5c8b4 of message 0x63000 +115059.625575 Exch 90 exchange_validate: checking for required HASH +115059.625617 Exch 90 exchange_validate: checking for required NONCE +115059.625657 Exch 90 exchange_validate: checking for required ID +115059.625700 Misc 30 gdoi_responder: phase 2 exchange 32 step 0 +115059.625739 Negt 90 group_check_hash: SKEYID_a: +115059.625799 Negt 90 e5c97812 f4abc193 63e76cc9 0da9e14b 899639f6 +115059.625865 Negt 90 group_check_hash: message_id: +115059.697725 Negt 90 3cc1f923 +115059.697774 Negt 90 group_check_hash: payloads after HASH: +115059.697854 Negt 90 05000014 7cb79b64 94c75a27 75653839 d80ff11c 0000000c 0b000000 000004d2 +115059.697915 Negt 80 group_check_hash: computed HASH: +115059.697980 Negt 80 781d0f68 d8daf556 ac748e2c acf8f63d c58c63fb +115059.698025 Exch 80 exchange_nonce: NONCE_i: +115059.698081 Exch 80 7cb79b64 94c75a27 75653839 d80ff11c +115059.698120 Misc 90 responder_recv_HASH_NONCE_ID: ID: +115059.698169 Misc 90 0b000000 000004d2 +115059.698214 Cryp 50 crypto_update_iv: updated IV: +115059.698260 Cryp 50 ff91a5b9 d46ad61a +115059.698302 Exch 40 exchange_run: exchange 0x5ad00 finished step 0, advancing... 
+115059.698354 Trpt 90 transport_reference: transport 0x5c580 now has 2 references +115059.698397 Mesg 90 message_alloc: allocated 0x65000 +115059.698439 SA 80 sa_reference: SA 0x5ab00 now has 7 references +115059.698486 Misc 30 gdoi_responder: phase 2 exchange 32 step 1 +115059.698542 Exch 80 exchange_nonce: NONCE_r: +115059.780110 Exch 80 baa8cc11 86ab324d c3ac073f 3ef6476b +115059.780165 Misc 60 connection_passive_lookup_by_group_id: returned "IPsec-group-policy" +115059.780213 Misc 60 conf_get_str: [IPsec-group-policy]:Configuration->Default-group-mode +115059.780259 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +115059.780302 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +115059.780345 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +115059.780398 Misc 60 conf_get_str: [Default-group-mode]:SA-KEK->GROUP1-KEK +115059.780518 Misc 90 group_do_hash: SKEYID_a: +115059.780585 Misc 90 e5c97812 f4abc193 63e76cc9 0da9e14b 899639f6 +115059.780643 Misc 90 group_do_hash: message_id: +115059.780689 Misc 90 3cc1f923 +115059.780724 Negt 90 group_fill_in_hash: NONCE_I_b: +115059.780779 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115059.780823 Misc 90 group_fill_in_hash: payload 1 after HASH: +115059.780885 Misc 90 01000014 baa8cc11 86ab324d c3ac073f 3ef6476b +115059.857985 Misc 90 group_fill_in_hash: payload 2 after HASH: +115059.858078 Misc 90 0000009b 00000002 00000000 000f0000 10000035 11010350 040a00e0 2c010350 +115059.858157 Misc 90 04ef0a01 01616263 64656667 68303132 33343536 37000000 00800200 02800500 +115059.858239 Misc 90 02800600 01100000 2b010001 0000040a 00e02501 000004ef 01010103 1122aabb +115059.858322 Misc 90 80040002 80050002 80010001 80020023 0000002b 01000100 00040a00 e0280100 +115059.858396 Misc 90 0004ef01 01020333 44ccdd80 04000280 05000280 01000180 020023 +115059.858469 Misc 80 group_fill_in_hash: HASH: +115059.858533 Misc 80 3dd03b22 34fd40cd 47c55083 66d598f2 fcaf92fd +115059.858574 Exch 90 
exchange_validate: checking for required HASH +115059.858615 Exch 90 exchange_validate: checking for required NONCE +115059.858654 Exch 90 exchange_validate: checking for required SA +115059.858703 Cryp 10 crypto_encrypt: before encryption: +115059.858783 Cryp 10 0a000018 3dd03b22 34fd40cd 47c55083 66d598f2 fcaf92fd 01000014 baa8cc11 +115059.960365 Cryp 10 86ab324d c3ac073f 3ef6476b 0000009b 00000002 00000000 000f0000 10000035 +115059.960452 Cryp 10 11010350 040a00e0 2c010350 04ef0a01 01616263 64656667 68303132 33343536 +115059.960536 Cryp 10 37000000 00800200 02800500 02800600 01100000 2b010001 0000040a 00e02501 +115059.960617 Cryp 10 000004ef 01010103 1122aabb 80040002 80050002 80010001 80020023 0000002b +115059.960699 Cryp 10 01000100 00040a00 e0280100 0004ef01 01020333 44ccdd80 04000280 05000280 +115059.960747 Cryp 10 01000180 02002300 +115059.960975 Cryp 30 crypto_encrypt: after encryption: +115059.961054 Cryp 30 0b7838ed 6cb3dee5 a39417fc a7e7fb75 94f5c3ee 677c44c4 4110c014 8fe8cc3f +115059.961129 Cryp 30 1047a15a 9e580d52 32d6ce96 d12d6445 a38b6f7b b36227a3 05e9aee9 1734ae5b +115059.961203 Cryp 30 67c08c7d bec5318f 6490ff86 cb7cb43a fe4f1e95 3a6b46a7 3e38145e 523e662a +115059.961278 Cryp 30 9ef814a1 a73840b9 314055e7 7570bbb1 9297faf2 09e824ee a12f2c9a bc9245e6 +115059.961353 Cryp 30 a99d169b 16afc6ec e19e0915 1f3f51a6 6f333493 e694b688 26d494a7 5f630a30 +115100.052828 Cryp 30 54cd5e2b a719681f aa48ef76 26f50235 12ca74cf fed22315 93c00f73 0ef50f23 +115100.052884 Cryp 30 67d14502 fd4a96b4 +115100.052920 Cryp 50 crypto_update_iv: updated IV: +115100.052965 Cryp 50 67d14502 fd4a96b4 +115100.053003 Mesg 70 message_send: message 0x65000 +115100.053053 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115100.053103 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115100.053145 Mesg 70 NEXT_PAYLOAD: HASH +115100.053189 Mesg 70 VERSION: 16 +115100.053229 Mesg 70 EXCH_TYPE: QUICK_MODE +115100.053272 Mesg 70 FLAGS: [ ENC ] +115100.053318 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115100.053362 Mesg 70 
LENGTH: 228 +115100.053444 Mesg 70 message_send: b0157219 72bc1c77 03fd4842 5906c102 08102001 3cc1f923 000000e4 0b7838ed +115100.053523 Mesg 70 message_send: 6cb3dee5 a39417fc a7e7fb75 94f5c3ee 677c44c4 4110c014 8fe8cc3f 1047a15a +115100.053601 Mesg 70 message_send: 9e580d52 32d6ce96 d12d6445 a38b6f7b b36227a3 05e9aee9 1734ae5b 67c08c7d +115100.053678 Mesg 70 message_send: bec5318f 6490ff86 cb7cb43a fe4f1e95 3a6b46a7 3e38145e 523e662a 9ef814a1 +115100.145159 Mesg 70 message_send: a73840b9 314055e7 7570bbb1 9297faf2 09e824ee a12f2c9a bc9245e6 a99d169b +115100.145248 Mesg 70 message_send: 16afc6ec e19e0915 1f3f51a6 6f333493 e694b688 26d494a7 5f630a30 54cd5e2b +115100.145328 Mesg 70 message_send: a719681f aa48ef76 26f50235 12ca74cf fed22315 93c00f73 0ef50f23 67d14502 +115100.145373 Mesg 70 message_send: fd4a96b4 +115100.145417 Exch 40 exchange_run: exchange 0x5ad00 finished step 1, advancing... +115100.145465 Trpt 90 transport_reference: transport 0x5c580 now has 3 references +115100.145509 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115100.145552 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115100.145594 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115100.145637 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115100.145680 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115100.237635 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115100.237688 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115100.237731 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115100.237774 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115100.237816 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115100.237859 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115100.237904 Trpt 90 transport_release: transport 0x5c580 had 3 references +115100.237947 Trpt 
90 transport_release: transport 0x5c700 had 3 references +115100.237989 Trpt 90 transport_release: transport 0x5c080 had 2 references +115100.238031 Trpt 90 transport_release: transport 0x5c500 had 3 references +115100.238074 Trpt 90 transport_release: transport 0x5c200 had 3 references +115100.238116 Trpt 90 transport_release: transport 0x4da80 had 2 references +115100.238158 Trpt 90 transport_release: transport 0x4df80 had 3 references +115100.329660 Trpt 90 transport_release: transport 0x4d780 had 3 references +115100.329714 Trpt 90 transport_release: transport 0x4d900 had 3 references +115100.329757 Trpt 90 transport_release: transport 0x4d600 had 2 references +115100.329799 Trpt 90 transport_release: transport 0x4d580 had 2 references +115100.329841 Trpt 90 transport_release: transport 0x4d500 had 2 references +115100.329904 Trpt 90 transport_reference: transport 0x5c580 now has 3 references +115100.329949 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115100.330005 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115100.330051 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115100.330094 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115100.330137 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115100.330180 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115100.330223 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115100.416209 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115100.416261 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115100.416304 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115100.416346 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115100.416486 Misc 60 conf_get_str: [General]:retransmits->5 +115100.416546 Trpt 30 transport_send_messages: message 0x65000 scheduled for retransmission 1 in 7 secs 
+115100.416601 Timr 10 timer_add_event: event message_send_expire(0x65000) added before sa_soft_expire(0x4b600), expiration in 7s +115100.416648 Trpt 90 transport_release: transport 0x5c580 had 3 references +115100.416692 Trpt 90 transport_release: transport 0x5c700 had 3 references +115100.416734 Trpt 90 transport_release: transport 0x5c080 had 2 references +115100.416776 Trpt 90 transport_release: transport 0x5c500 had 3 references +115100.416819 Trpt 90 transport_release: transport 0x5c200 had 3 references +115100.521817 Trpt 90 transport_release: transport 0x4da80 had 2 references +115100.521868 Trpt 90 transport_release: transport 0x4df80 had 3 references +115100.521910 Trpt 90 transport_release: transport 0x4d780 had 3 references +115100.521952 Trpt 90 transport_release: transport 0x4d900 had 3 references +115100.521994 Trpt 90 transport_release: transport 0x4d600 had 2 references +115100.522037 Trpt 90 transport_release: transport 0x4d580 had 2 references +115100.522079 Trpt 90 transport_release: transport 0x4d500 had 2 references +115100.546360 Trpt 70 transport_add: adding 0x5ca00 +115100.546426 Trpt 90 transport_reference: transport 0x5ca00 now has 1 references +115100.546469 Mesg 90 message_alloc: allocated 0x66000 +115100.546510 Mesg 70 message_recv: message 0x66000 +115100.546560 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115100.546611 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115100.546654 Mesg 70 NEXT_PAYLOAD: HASH +115100.546699 Mesg 70 VERSION: 16 +115100.546740 Mesg 70 EXCH_TYPE: QUICK_MODE +115100.632704 Mesg 70 FLAGS: [ ENC ] +115100.632760 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115100.632804 Mesg 70 LENGTH: 52 +115100.632887 Mesg 70 message_recv: b0157219 72bc1c77 03fd4842 5906c102 08102001 3cc1f923 00000034 d8d39042 +115100.632952 Mesg 70 message_recv: aacab0bf 8e0c8a82 accf2d3a 2a6eead4 1c154144 +115100.632998 SA 80 sa_reference: SA 0x5ab00 now has 8 references +115100.633043 Mesg 90 message_check_duplicate: last_received 0x63000 +115100.633080 Mesg 95 
message_check_duplicate: last_received: +115100.633157 Mesg 95 b0157219 72bc1c77 03fd4842 5906c102 08102001 3cc1f923 00000054 6aa660bc +115100.633231 Mesg 95 534e9fec b117ae85 bcced965 df109821 4e7fc84f 41f16028 79c18208 f27584bd +115100.633291 Mesg 95 b485359e 36a6d39c 6776a823 ff91a5b9 d46ad61a +115100.633330 Mesg 20 message_free: freeing 0x65000 +115100.633373 Timr 10 timer_remove_event: removing event message_send_expire(0x65000) +115100.633420 Trpt 90 transport_release: transport 0x5c580 had 2 references +115100.633462 SA 80 sa_release: SA 0x5ab00 had 8 references +115100.712922 Cryp 10 crypto_decrypt: before decryption: +115100.712999 Cryp 10 d8d39042 aacab0bf 8e0c8a82 accf2d3a 2a6eead4 1c154144 +115100.713077 Cryp 30 crypto_decrypt: after decryption: +115100.713148 Cryp 30 00000018 0bc8d41e ae5d6e6c 86d7f445 315025e9 1597b483 +115100.713197 Mesg 50 message_parse_payloads: offset 0x1c payload HASH +115100.713248 Mesg 60 message_validate_payloads: payload HASH at 0x4e91c of message 0x66000 +115100.713307 Exch 90 exchange_validate: checking for required HASH +115100.713352 Misc 30 gdoi_responder: phase 2 exchange 32 step 2 +115100.713391 Negt 90 group_check_hash: SKEYID_a: +115100.713451 Negt 90 e5c97812 f4abc193 63e76cc9 0da9e14b 899639f6 +115100.713521 Negt 90 group_check_hash: message_id: +115100.713566 Negt 90 3cc1f923 +115100.713601 Negt 90 group_check_hash: NONCE_I_b: +115100.713656 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115100.713693 Negt 90 group_check_hash: NONCE_R_b: +115100.713748 Negt 90 baa8cc11 86ab324d c3ac073f 3ef6476b +115100.780835 Negt 90 group_check_hash: payloads after HASH: +115100.780907 Negt 80 group_check_hash: computed HASH: +115100.780971 Negt 80 0bc8d41e ae5d6e6c 86d7f445 315025e9 1597b483 +115100.781022 Mesg 20 message_free: freeing 0x63000 +115100.781069 Trpt 90 transport_release: transport 0x5c580 had 1 references +115100.781109 Trpt 70 transport_release: freeing 0x5c580 +115100.781151 SA 80 sa_release: SA 0x5ab00 had 7 
references +115100.781193 Cryp 50 crypto_update_iv: updated IV: +115100.781239 Cryp 50 2a6eead4 1c154144 +115100.781281 Exch 40 exchange_run: exchange 0x5ad00 finished step 2, advancing... +115100.781332 Trpt 90 transport_reference: transport 0x5ca00 now has 2 references +115100.781375 Mesg 90 message_alloc: allocated 0x63000 +115100.781417 SA 80 sa_reference: SA 0x5ab00 now has 7 references +115100.781464 Misc 30 gdoi_responder: phase 2 exchange 32 step 3 +115100.781515 Default SENT SEQ # of: 0 (PULL) +115100.781607 Misc 90 group_do_hash: SKEYID_a: +115100.781675 Misc 90 e5c97812 f4abc193 63e76cc9 0da9e14b 899639f6 +115100.848919 Misc 90 group_do_hash: message_id: +115100.848976 Misc 90 3cc1f923 +115100.849011 Negt 90 group_fill_in_hash: NONCE_I_b: +115100.849066 Negt 90 7cb79b64 94c75a27 75653839 d80ff11c +115100.849102 Negt 90 group_fill_in_hash: NONCE_R_b: +115100.849158 Negt 90 baa8cc11 86ab324d c3ac073f 3ef6476b +115100.849200 Misc 90 group_fill_in_hash: payload 1 after HASH: +115100.849248 Misc 90 11000008 00000000 +115100.849289 Misc 90 group_fill_in_hash: payload 2 after HASH: +115100.849368 Misc 90 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115100.849442 Misc 90 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115100.849522 Misc 90 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115100.849596 Misc 90 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115100.849672 Misc 90 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115100.849747 Misc 90 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115100.921638 Misc 90 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115100.921725 Misc 90 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115100.921801 Misc 90 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115100.921878 Misc 90 37383930 0100003d 
043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115100.921952 Misc 90 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115100.921990 Misc 90 39 +115100.922069 Misc 80 group_fill_in_hash: HASH: +115100.922134 Misc 80 5e84f7db a36b0d46 9fc585e2 28fa068d 9b6e6c88 +115100.922176 Exch 90 exchange_validate: checking for required HASH +115100.922217 Exch 90 exchange_validate: checking for required KD +115100.922268 Cryp 10 crypto_encrypt: before encryption: +115100.922349 Cryp 10 12000018 5e84f7db a36b0d46 9fc585e2 28fa068d 9b6e6c88 11000008 00000000 +115100.922428 Cryp 10 00000161 00030000 020000df 10616263 64656667 68303132 33343536 37000100 +115101.004887 Cryp 10 20495649 56495649 56414243 44454647 48494a4b 4c4d4e4f 50515253 54555657 +115101.004976 Cryp 10 58000200 a230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 +115101.005051 Cryp 10 8100be25 5ebdc6e5 fa2d7c56 e0345ae0 32a256c1 5a47edfc d0e005a2 9a69cdfd +115101.005126 Cryp 10 627bb80c 67f6fa8f 1d54835e 944df0d7 3e0152d0 08a9c238 c9f3cea0 07d98e0d +115101.005200 Cryp 10 08eee41c b54d9a02 ba92c47b d2bf296d 924d3209 23b53a5c 9aa9b1a6 7fdb3705 +115101.005274 Cryp 10 7bb08766 500d8a32 ffade1dc e8ba4d05 c909feef e1201421 5bb76d4c e7abea1c +115101.005351 Cryp 10 020f0203 01000101 00003d04 1122aabb 00010018 41424344 45464748 494a4b4c +115101.005425 Cryp 10 4d4e4f50 51525354 55565758 00020014 31323334 35363738 39303132 33343536 +115101.005500 Cryp 10 37383930 0100003d 043344cc dd000100 18464544 43424131 314c4b4a 49484732 +115101.005574 Cryp 10 32525150 4f4e4d33 33000200 14303132 33343536 37383930 31323334 35363738 +115101.005621 Cryp 10 39000000 00000000 +115101.102258 Cryp 30 crypto_encrypt: after encryption: +115101.102345 Cryp 30 59542439 453a384c 3d9afc51 4f2a9e84 5b7a6f21 0704067c 82dc6915 1ca65cb2 +115101.102422 Cryp 30 28edc56d b2a06940 09ede273 4b3a97ad d51d0a5a 228a6600 f15b8326 ed074f9e +115101.102498 Cryp 30 1b1ad7d3 c9460a6a b691c0e4 e7460d7d 216a7fd0 1d8dc1ef ad0876b4 
0c4c2a1b +115101.102573 Cryp 30 15b93a6a 312a1a02 a82903db cb951495 fbb2146f 621bde48 3a3e905e 1f333701 +115101.102647 Cryp 30 0674f468 9292d926 b5346c92 c58af83d 2bc5620b 6b9f3e63 18175927 21205434 +115101.102721 Cryp 30 3edd6fd2 3572885c 9fbf78c3 8f3c435c 877f3788 6c2a4219 9166b95a 975cf2fc +115101.102796 Cryp 30 891d233c 0aedf714 93186dc2 87e14a4a 0ac5bc70 1fec2b50 9ee8f93f e19f1e91 +115101.102870 Cryp 30 722ea791 92ce8611 fd26fe43 c0b81834 e40f90f1 d0bf60aa 9664be84 712f8eaa +115101.102944 Cryp 30 e2f2d0a5 f8be751c 3970971c 0394edb2 6eb26330 432ae752 684dde2f 197d1ca2 +115101.103019 Cryp 30 3b0f9c53 6eaf8600 45807030 b6b38244 95a35b39 1f73c180 95d4b8d1 1585f418 +115101.189640 Cryp 30 398e9858 81c5749d 9d63b598 a181e97e b23e13ed 9935b751 b76a2760 9a42b42f +115101.189724 Cryp 30 10dea677 cffa631a 4d78287c 7f1f2f91 a6e5d98e ba489ae8 c8c9eafc 2ccfc8e1 +115101.189770 Cryp 30 025664c8 56dff7aa +115101.189806 Cryp 50 crypto_update_iv: updated IV: +115101.189851 Cryp 50 025664c8 56dff7aa +115101.189890 Mesg 70 message_send: message 0x63000 +115101.189939 Mesg 70 ICOOKIE: 0xb015721972bc1c77 +115101.189990 Mesg 70 RCOOKIE: 0x03fd48425906c102 +115101.190049 Mesg 70 NEXT_PAYLOAD: HASH +115101.190093 Mesg 70 VERSION: 16 +115101.190134 Mesg 70 EXCH_TYPE: QUICK_MODE +115101.190177 Mesg 70 FLAGS: [ ENC ] +115101.190223 Mesg 70 MESSAGE_ID: 0x3cc1f923 +115101.190267 Mesg 70 LENGTH: 420 +115101.190348 Mesg 70 message_send: b0157219 72bc1c77 03fd4842 5906c102 08102001 3cc1f923 000001a4 59542439 +115101.190429 Mesg 70 message_send: 453a384c 3d9afc51 4f2a9e84 5b7a6f21 0704067c 82dc6915 1ca65cb2 28edc56d +115101.190508 Mesg 70 message_send: b2a06940 09ede273 4b3a97ad d51d0a5a 228a6600 f15b8326 ed074f9e 1b1ad7d3 +115101.277666 Mesg 70 message_send: c9460a6a b691c0e4 e7460d7d 216a7fd0 1d8dc1ef ad0876b4 0c4c2a1b 15b93a6a +115101.277754 Mesg 70 message_send: 312a1a02 a82903db cb951495 fbb2146f 621bde48 3a3e905e 1f333701 0674f468 +115101.277833 Mesg 70 message_send: 9292d926 b5346c92 
c58af83d 2bc5620b 6b9f3e63 18175927 21205434 3edd6fd2 +115101.277910 Mesg 70 message_send: 3572885c 9fbf78c3 8f3c435c 877f3788 6c2a4219 9166b95a 975cf2fc 891d233c +115101.277988 Mesg 70 message_send: 0aedf714 93186dc2 87e14a4a 0ac5bc70 1fec2b50 9ee8f93f e19f1e91 722ea791 +115101.278067 Mesg 70 message_send: 92ce8611 fd26fe43 c0b81834 e40f90f1 d0bf60aa 9664be84 712f8eaa e2f2d0a5 +115101.278145 Mesg 70 message_send: f8be751c 3970971c 0394edb2 6eb26330 432ae752 684dde2f 197d1ca2 3b0f9c53 +115101.278223 Mesg 70 message_send: 6eaf8600 45807030 b6b38244 95a35b39 1f73c180 95d4b8d1 1585f418 398e9858 +115101.278300 Mesg 70 message_send: 81c5749d 9d63b598 a181e97e b23e13ed 9935b751 b76a2760 9a42b42f 10dea677 +115101.278379 Mesg 70 message_send: cffa631a 4d78287c 7f1f2f91 a6e5d98e ba489ae8 c8c9eafc 2ccfc8e1 025664c8 +115101.374652 Mesg 70 message_send: 56dff7aa +115101.374705 Exch 40 exchange_run: exchange 0x5ad00 finished step 3, advancing... +115101.374753 Trpt 90 transport_reference: transport 0x5ca00 now has 3 references +115101.374796 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115101.374839 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115101.374882 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115101.374925 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115101.374968 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115101.375010 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115101.375053 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115101.375096 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115101.375138 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115101.474641 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115101.474693 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115101.474738 Trpt 90 transport_release: transport 
0x5ca00 had 3 references +115101.474781 Trpt 90 transport_release: transport 0x5c700 had 3 references +115101.474823 Trpt 90 transport_release: transport 0x5c080 had 2 references +115101.474865 Trpt 90 transport_release: transport 0x5c500 had 3 references +115101.474907 Trpt 90 transport_release: transport 0x5c200 had 3 references +115101.474950 Trpt 90 transport_release: transport 0x4da80 had 2 references +115101.474992 Trpt 90 transport_release: transport 0x4df80 had 3 references +115101.475034 Trpt 90 transport_release: transport 0x4d780 had 3 references +115101.475076 Trpt 90 transport_release: transport 0x4d900 had 3 references +115101.475118 Trpt 90 transport_release: transport 0x4d600 had 2 references +115101.475160 Trpt 90 transport_release: transport 0x4d580 had 2 references +115101.584020 Trpt 90 transport_release: transport 0x4d500 had 2 references +115101.584098 Trpt 90 transport_reference: transport 0x5ca00 now has 3 references +115101.584144 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115101.584186 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115101.584229 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115101.584272 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115101.584315 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115101.584358 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115101.584400 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115101.584443 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115101.584486 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115101.584528 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115101.584571 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115101.683513 Exch 10 exchange_finalize: 0x5ad00 IPsec-group-policy Default-group-mode policy responder phase 2 doi 2 exchange 32 
step 4 +115101.683575 Exch 10 exchange_finalize: icookie b015721972bc1c77 rcookie 03fd48425906c102 +115101.683618 Exch 10 exchange_finalize: msgid 3cc1f923 sa_list +115101.683683 Exch 50 gdoi_finalize_exchange: DONE WITH PHASE 2!!! + +115101.683738 Trpt 90 transport_release: transport 0x5ca00 had 3 references +115101.683784 Trpt 90 transport_release: transport 0x5c700 had 3 references +115101.683827 Trpt 90 transport_release: transport 0x5c080 had 2 references +115101.683869 Trpt 90 transport_release: transport 0x5c500 had 3 references +115101.683912 Trpt 90 transport_release: transport 0x5c200 had 3 references +115101.683954 Trpt 90 transport_release: transport 0x4da80 had 2 references +115101.683997 Trpt 90 transport_release: transport 0x4df80 had 3 references +115101.684039 Trpt 90 transport_release: transport 0x4d780 had 3 references +115101.794135 Trpt 90 transport_release: transport 0x4d900 had 3 references +115101.794190 Trpt 90 transport_release: transport 0x4d600 had 2 references +115101.794232 Trpt 90 transport_release: transport 0x4d580 had 2 references +115101.794275 Trpt 90 transport_release: transport 0x4d500 had 2 references +115105.230028 Timr 10 timer_handle_expirations: event gdoi_rekey_sender(0x4b900) +115105.230533 Default gdoi_rekey_sender: Timer sprung!!! 
+115105.230601 Timr 10 timer_add_event: event gdoi_rekey_sender(0x4b900) added before sa_hard_expire(0x5a000), expiration in 30s +115105.230952 Default rekey_udp_make: bind (7, 0x5c59c, 16): Address already in use +115105.231095 Default rekey_udp_make: Continuing anyway: Address already in use +115105.231150 Misc 60 conf_get_str: [General]:Listen-on->10.0.224.44 +115105.231221 Trpt 70 transport_add: adding 0x5c580 +115105.231269 Trpt 90 transport_reference: transport 0x5c580 now has 1 references +115105.231340 Trpt 90 transport_reference: transport 0x5c580 now has 2 references +115105.231389 Mesg 90 message_alloc: allocated 0x65000 +115105.231439 Default SENT SEQ # of: 1 (PUSH) +115105.231491 Misc 60 connection_passive_lookup_by_group_id: returned "IPsec-group-policy" +115105.231541 Misc 60 conf_get_str: [IPsec-group-policy]:Configuration->Default-group-mode +115105.231586 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +115105.231628 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +115105.231709 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +115105.231771 Trpt 90 transport_reference: transport 0x5c580 now has 3 references +115105.231820 SA 80 sa_reference: SA 0x5af00 now has 1 references +115105.231861 SA 70 sa_enter: SA 0x5af00 added to SA list +115105.231901 SA 80 sa_reference: SA 0x5af00 now has 2 references +115105.231946 SA 60 sa_create: sa 0x5af00 phase 1 added to exchange 0x4ba00 (IPsec-group-policy) +115105.231993 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115105.232034 Default gdoi_add_sa_payload: Assuming ESP +115105.232084 Misc 60 conf_get_str: [GROUP1-TEK1]:Src-ID->Group-tek1-src +115105.232133 Misc 60 conf_get_str: [Group-tek1-src]:ID-type->IPV4_ADDR +115105.232178 Misc 60 conf_get_str: [Group-tek1-src]:Address->10.0.224.37 +115105.232223 Misc 60 conf_get_str: [Group-tek1-src]:Port->0 +115105.232276 Misc 60 conf_get_str: 
[GROUP1-TEK1]:Dst-ID->Group-tek1-dst +115105.232428 Misc 60 conf_get_str: [Group-tek1-dst]:ID-type->IPV4_ADDR +115105.232475 Misc 60 conf_get_str: [Group-tek1-dst]:Address->239.1.1.1 +115105.232518 Misc 60 conf_get_str: [Group-tek1-dst]:Port->0 +115105.232570 Misc 60 conf_get_str: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115105.232617 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115105.232660 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115105.232701 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115105.232746 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115105.232792 Misc 90 gdoi_ipsec_get_policy: Generated 3DES key: +115105.232861 Misc 90 054ab45c f180cf16 ec5d691c d9aecf3f 6768850f 33ccb111 +115105.232909 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115105.232957 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115105.233002 Misc 90 gdoi_ipsec_get_policy: Generated auth key: +115105.233140 Misc 90 99469329 50584877 a3394974 e3d2a04f 142c1d6b +115105.233193 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115105.233244 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115105.233288 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115105.233359 Default SPI found (SA) 774044599 774044599 (0x2e22fbb7) for sa 0x5af00 +115105.233416 Trpt 90 transport_reference: transport 0x5c580 now has 4 references +115105.233464 SA 80 sa_reference: SA 0x62200 now has 1 references +115105.233504 SA 70 sa_enter: SA 0x62200 added to SA list +115105.233545 SA 80 sa_reference: SA 0x62200 now has 2 references +115105.233589 SA 60 sa_create: sa 0x62200 phase 1 added to exchange 0x4ba00 (IPsec-group-policy) +115105.233636 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115105.233677 Default 
gdoi_add_sa_payload: Assuming ESP +115105.233723 Misc 60 conf_get_str: [GROUP1-TEK2]:Src-ID->Group-tek2-src +115105.233821 Misc 60 conf_get_str: [Group-tek2-src]:ID-type->IPV4_ADDR +115105.233868 Misc 60 conf_get_str: [Group-tek2-src]:Address->10.0.224.40 +115105.233911 Misc 60 conf_get_str: [Group-tek2-src]:Port->0 +115105.233962 Misc 60 conf_get_str: [GROUP1-TEK2]:Dst-ID->Group-tek2-dst +115105.234008 Misc 60 conf_get_str: [Group-tek2-dst]:ID-type->IPV4_ADDR +115105.234050 Misc 60 conf_get_str: [Group-tek2-dst]:Address->239.1.1.2 +115105.234092 Misc 60 conf_get_str: [Group-tek2-dst]:Port->0 +115105.234142 Misc 60 conf_get_str: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115105.234187 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115105.234229 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115105.234270 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115105.234313 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115105.234356 Misc 90 gdoi_ipsec_get_policy: Generated 3DES key: +115105.234612 Misc 90 d367b868 d95d7f3f 345ae02a f74f7932 5e945454 a0dfef4d +115105.234669 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115105.234717 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115105.234760 Misc 90 gdoi_ipsec_get_policy: Generated auth key: +115105.234823 Misc 90 10815b13 a8274909 f6f8cd0d 05b1d752 94638a2e +115105.234869 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115105.234919 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115105.234963 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115105.235032 Default SPI found (SA) 555996658 555996658 (0x2123d5f2) for sa 0x62200 +115105.235123 Misc 90 gdoi_add_sig_payload: 'rekey': +115105.235172 Misc 90 72656b65 79 +115105.235212 Misc 90 gdoi_add_sig_payload: 'ISAKMP header': 
+115105.235285 Misc 90 61626364 65666768 30313233 34353637 12102101 00000000 00000190 +115105.235328 Misc 90 gdoi_add_sig_payload: payload 1: +115105.316379 Misc 90 01000008 00000001 +115105.316453 Misc 90 gdoi_add_sig_payload: payload 2: +115105.316536 Misc 90 11000066 00000002 00000000 00100000 1000002b 01000100 00040a00 e0250100 +115105.316618 Misc 90 0004ef01 0101032e 22fbb780 04000280 05000280 01000180 02003c00 00002b01 +115105.316700 Misc 90 00010000 040a00e0 28010000 04ef0101 02032123 d5f28004 00028005 00028001 +115105.316745 Misc 90 00018002 003c +115105.316825 Misc 90 gdoi_add_sig_payload: payload 3: +115105.316907 Misc 90 09000082 00020000 0100003d 042e22fb b7000100 18054ab4 5cf180cf 16ec5d69 +115105.316983 Misc 90 1cd9aecf 3f676885 0f33ccb1 11000200 14994693 29505848 77a33949 74e3d2a0 +115105.317059 Misc 90 4f142c1d 6b010000 3d042123 d5f20001 0018d367 b868d95d 7f3f345a e02af74f +115105.317136 Misc 90 79325e94 5454a0df ef4d0002 00141081 5b13a827 4909f6f8 cd0d05b1 d7529463 +115105.317174 Misc 90 8a2e +115105.317227 Negt 80 gdoi_add_sig_payload: computed hash: +115105.317291 Negt 80 6414d488 0adb58b2 effeb540 7c9a5873 acddf9e5 +115105.428711 Cryp 40 crypto_init: key: +115105.428796 Cryp 40 41424344 45464748 494a4b4c 4d4e4f50 51525354 55565758 +115105.428855 Cryp 50 crypto_update_iv: initialized IV: +115105.428903 Cryp 50 49564956 49564956 +115105.428951 Cryp 10 rekey_crypto_encrypt: before encryption: +115105.429038 Cryp 10 01000008 00000001 11000066 00000002 00000000 00100000 1000002b 01000100 +115105.429120 Cryp 10 00040a00 e0250100 0004ef01 0101032e 22fbb780 04000280 05000280 01000180 +115105.429202 Cryp 10 02003c00 00002b01 00010000 040a00e0 28010000 04ef0101 02032123 d5f28004 +115105.429285 Cryp 10 00028005 00028001 00018002 003c0900 00820002 00000100 003d042e 22fbb700 +115105.429362 Cryp 10 01001805 4ab45cf1 80cf16ec 5d691cd9 aecf3f67 68850f33 ccb11100 02001499 +115105.429439 Cryp 10 46932950 584877a3 394974e3 d2a04f14 2c1d6b01 00003d04 2123d5f2 
00010018 +115105.429515 Cryp 10 d367b868 d95d7f3f 345ae02a f74f7932 5e945454 a0dfef4d 00020014 10815b13 +115105.429591 Cryp 10 a8274909 f6f8cd0d 05b1d752 94638a2e 00000084 5a657fbe c82c5da5 fd9e3c3c +115105.520957 Cryp 10 e9d5af82 3e6bf6cc baf45c95 cbbdb17f ba5a6f56 d12c2edf 49a3940a 41b5dbb8 +115105.521044 Cryp 10 810e0596 f461db53 9ff42a4c 30cadf8f c0edbafc a9c60cff 04ef0eb7 49c1953d +115105.521119 Cryp 10 1f12c96f 508e488f ec42e0cb 78394ed2 bc754cb4 db57ed38 c3697c22 92f47888 +115105.521185 Cryp 10 df72b4c3 9e6c4a2a 569abd9c 3a9950e5 c7119019 00000000 +115105.521574 Cryp 30 rekey_crypto_encrypt: after encryption: +115105.521654 Cryp 30 5175e4fc 59135cf4 2973b12d 1d6abd59 e4b40f93 c2f6ff08 4688feab a0d3566e +115105.521729 Cryp 30 fc0b62f0 1e3e69ca 9fb4f1ea fd2347f1 e87344a1 9533f966 11c29229 e610f717 +115105.521803 Cryp 30 8deb7458 5e9d3117 32dc8cb5 15dbd797 4955e843 6e97e8a7 ec9559a2 17c06a9d +115105.521878 Cryp 30 421fb6ca 34bb6261 d5c91b6f 939a166d 08a3ec17 0007a8b2 c7192039 2e0f77bc +115105.521953 Cryp 30 609e6d60 7844abdb 4142992e 874acd1e 2085252f b0a02ad5 12385f5b 47cb0885 +115105.522028 Cryp 30 864c1961 c41fdbf5 b70501ac 48d0e2b2 9c0b2629 70d08853 91bc60a4 bd123aba +115105.522103 Cryp 30 dd268a88 24370f99 c5c64315 d3d6cb00 4c91cdc8 a5363dde 5a052936 b6445696 +115105.611290 Cryp 30 45d6273c 497a9935 cdd30202 5f17d68c 83a9990c 35e7725d 041fa88f 1393e50f +115105.611374 Cryp 30 99a12222 336bb521 6166b2c8 94c9413a ea238054 d632e468 79ce7bdc a9c67d29 +115105.611449 Cryp 30 aaac3453 b82ff88c d40087cc 5e9627d0 206b750f c413126b 612f7d66 56229d51 +115105.611524 Cryp 30 c9a4a701 ddcc12a2 25e1b721 3086ad89 4fe47db8 b7249b55 be26bddf 112705a3 +115105.611589 Cryp 30 2065156c e84f46a5 0b86b382 4bde6bf4 7a601cc4 c70fdfab +115105.611633 Exch 90 exchange_validate: checking for required SEQ +115105.611673 Exch 90 exchange_validate: checking for required SA +115105.611712 Exch 90 exchange_validate: checking for required KD +115105.611751 Exch 90 exchange_validate: checking 
for required SIG +115105.611797 Mesg 70 message_send: message 0x65000 +115105.611849 Mesg 70 ICOOKIE: 0x6162636465666768 +115105.611898 Mesg 70 RCOOKIE: 0x3031323334353637 +115105.611940 Mesg 70 NEXT_PAYLOAD: SEQ +115105.611984 Mesg 70 VERSION: 16 +115105.693481 Mesg 70 EXCH_TYPE: NEW_GROUP_MODE +115105.693533 Mesg 70 FLAGS: [ ENC ] +115105.693581 Mesg 70 MESSAGE_ID: 0x00000000 +115105.693625 Mesg 70 LENGTH: 404 +115105.693707 Mesg 70 message_send: 61626364 65666768 30313233 34353637 12102101 00000000 00000194 5175e4fc +115105.693788 Mesg 70 message_send: 59135cf4 2973b12d 1d6abd59 e4b40f93 c2f6ff08 4688feab a0d3566e fc0b62f0 +115105.693865 Mesg 70 message_send: 1e3e69ca 9fb4f1ea fd2347f1 e87344a1 9533f966 11c29229 e610f717 8deb7458 +115105.693943 Mesg 70 message_send: 5e9d3117 32dc8cb5 15dbd797 4955e843 6e97e8a7 ec9559a2 17c06a9d 421fb6ca +115105.694022 Mesg 70 message_send: 34bb6261 d5c91b6f 939a166d 08a3ec17 0007a8b2 c7192039 2e0f77bc 609e6d60 +115105.694099 Mesg 70 message_send: 7844abdb 4142992e 874acd1e 2085252f b0a02ad5 12385f5b 47cb0885 864c1961 +115105.694178 Mesg 70 message_send: c41fdbf5 b70501ac 48d0e2b2 9c0b2629 70d08853 91bc60a4 bd123aba dd268a88 +115105.694257 Mesg 70 message_send: 24370f99 c5c64315 d3d6cb00 4c91cdc8 a5363dde 5a052936 b6445696 45d6273c +115105.789376 Mesg 70 message_send: 497a9935 cdd30202 5f17d68c 83a9990c 35e7725d 041fa88f 1393e50f 99a12222 +115105.789461 Mesg 70 message_send: 336bb521 6166b2c8 94c9413a ea238054 d632e468 79ce7bdc a9c67d29 aaac3453 +115105.789540 Mesg 70 message_send: b82ff88c d40087cc 5e9627d0 206b750f c413126b 612f7d66 56229d51 c9a4a701 +115105.789618 Mesg 70 message_send: ddcc12a2 25e1b721 3086ad89 4fe47db8 b7249b55 be26bddf 112705a3 2065156c +115105.789682 Mesg 70 message_send: e84f46a5 0b86b382 4bde6bf4 7a601cc4 c70fdfab +115105.789726 Exch 40 exchange_run: exchange 0x4ba00 finished step 0, advancing... 
+115105.789795 Trpt 90 transport_reference: transport 0x5c580 now has 5 references +115105.789842 Trpt 90 transport_reference: transport 0x5ca00 now has 3 references +115105.789885 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115105.789927 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115105.789970 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115105.898912 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115105.898964 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115105.899007 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115105.899050 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115105.899093 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115105.899136 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115105.899179 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115105.899221 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115105.899410 Exch 10 exchange_finalize: 0x4ba00 IPsec-group-policy Default-group-mode policy initiator phase 1 doi 2 exchange 33 step 1 +115105.899467 Exch 10 exchange_finalize: icookie 6162636465666768 rcookie 3031323334353637 +115105.899508 Exch 10 exchange_finalize: msgid 00000000 +115105.899554 SA 90 sa_find: no SA matched query +115105.995239 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115105.995315 Exch 30 checking whether new SA replaces existing SA with IDs +115105.995366 SA 90 sa_find: return SA 0x5a000 +115105.995409 SA 60 sa_mark_replaced: SA 0x5a000 (IPsec-group-policy) marked as replaced +115105.995450 SA 90 sa_find: no SA matched query +115105.995496 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115105.995549 Exch 30 checking whether new SA replaces existing SA with IDs +115105.995598 SA 90 sa_find: return SA 0x5a100 
+115105.995640 SA 60 sa_mark_replaced: SA 0x5a100 (IPsec-group-policy) marked as replaced +115105.995680 SA 90 sa_find: no SA matched query +115105.995726 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115105.995779 Exch 30 checking whether new SA replaces existing SA with IDs +115105.995828 SA 90 sa_find: return SA 0x5af00 +115105.995870 SA 60 sa_mark_replaced: SA 0x5af00 (IPsec-group-policy) marked as replaced +115106.104975 SA 90 sa_find: no SA matched query +115106.105037 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115106.105095 Timr 95 sa_setup_expirations: SA 0x5af00 soft timeout in 55 seconds +115106.105151 Timr 10 timer_add_event: event sa_soft_expire(0x5af00) added before exchange_free_aux(0x4b500), expiration in 55s +115106.105197 SA 80 sa_reference: SA 0x5af00 now has 3 references +115106.105242 Timr 95 sa_setup_expirations: SA 0x5af00 hard timeout in 60 seconds +115106.105293 Timr 10 timer_add_event: event sa_hard_expire(0x5af00) added before exchange_free_aux(0x4b500), expiration in 60s +115106.105338 SA 80 sa_reference: SA 0x5af00 now has 4 references +115106.105383 Timr 95 sa_setup_expirations: SA 0x62200 soft timeout in 52 seconds +115106.105435 Timr 10 timer_add_event: event sa_soft_expire(0x62200) added before sa_hard_expire(0x5ab00), expiration in 52s +115106.105503 SA 80 sa_reference: SA 0x62200 now has 3 references +115106.204854 Timr 95 sa_setup_expirations: SA 0x62200 hard timeout in 60 seconds +115106.204916 Timr 10 timer_add_event: event sa_hard_expire(0x62200) added before exchange_free_aux(0x4b500), expiration in 60s +115106.204961 SA 80 sa_reference: SA 0x62200 now has 4 references +115106.205010 Exch 50 gdoi_finalize_exchange: DONE WITH REKEY (SEND): Group 1234!!! 
+ +115106.205055 Mesg 20 message_free: freeing 0x65000 +115106.205105 Trpt 90 transport_release: transport 0x5c580 had 5 references +115106.205153 Trpt 90 transport_release: transport 0x5c580 had 4 references +115106.205197 Trpt 90 transport_release: transport 0x5ca00 had 3 references +115106.205239 Trpt 90 transport_release: transport 0x5c700 had 3 references +115106.205281 Trpt 90 transport_release: transport 0x5c080 had 2 references +115106.205323 Trpt 90 transport_release: transport 0x5c500 had 3 references +115106.205365 Trpt 90 transport_release: transport 0x5c200 had 3 references +115106.205407 Trpt 90 transport_release: transport 0x4da80 had 2 references +115106.295951 Trpt 90 transport_release: transport 0x4df80 had 3 references +115106.296004 Trpt 90 transport_release: transport 0x4d780 had 3 references +115106.296047 Trpt 90 transport_release: transport 0x4d900 had 3 references +115106.296089 Trpt 90 transport_release: transport 0x4d600 had 2 references +115106.296131 Trpt 90 transport_release: transport 0x4d580 had 2 references +115106.296174 Trpt 90 transport_release: transport 0x4d500 had 2 references +115128.180032 Timr 10 timer_handle_expirations: event sa_soft_expire(0x4b600) +115128.180567 SA 80 sa_release: SA 0x4b600 had 7 references +115129.910025 Timr 10 timer_handle_expirations: event sa_soft_expire(0x5a100) +115129.910475 SA 80 sa_release: SA 0x5a100 had 4 references +115131.910025 Timr 10 timer_handle_expirations: event sa_soft_expire(0x5a000) +115131.910467 SA 80 sa_release: SA 0x5a000 had 4 references +115133.180028 Timr 10 timer_handle_expirations: event sa_hard_expire(0x4b600) +115133.180487 SA 80 sa_release: SA 0x4b600 had 6 references +115133.180541 SA 70 sa_remove: SA 0x4b600 removed from SA list +115133.180582 SA 80 sa_release: SA 0x4b600 had 5 references +115133.180636 SA 80 sa_release: SA 0x4b600 had 4 references +115135.240028 Timr 10 timer_handle_expirations: event gdoi_rekey_sender(0x4b900) +115135.240480 Default 
gdoi_rekey_sender: Timer sprung!!! +115135.240547 Timr 10 timer_add_event: event gdoi_rekey_sender(0x4b900) added before sa_hard_expire(0x5af00), expiration in 30s +115135.240608 Trpt 90 transport_reference: transport 0x5c580 now has 4 references +115135.240652 Mesg 90 message_alloc: allocated 0x65000 +115135.240703 Default SENT SEQ # of: 2 (PUSH) +115135.240757 Misc 60 conf_get_str: [Default-group-mode]:DOI->GROUP +115135.240803 Misc 60 conf_get_str: [Default-group-mode]:EXCHANGE_TYPE->PULL_MODE +115135.240846 Misc 60 conf_get_str: [Default-group-mode]:SA-TEKS->GROUP1-TEK1,GROUP1-TEK2 +115135.240903 Trpt 90 transport_reference: transport 0x5c580 now has 5 references +115135.240951 SA 80 sa_reference: SA 0x62300 now has 1 references +115135.240993 SA 70 sa_enter: SA 0x62300 added to SA list +115135.241034 SA 80 sa_reference: SA 0x62300 now has 2 references +115135.241079 SA 60 sa_create: sa 0x62300 phase 1 added to exchange 0x4ba00 (IPsec-group-policy) +115135.241126 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115135.241202 Default gdoi_add_sa_payload: Assuming ESP +115135.241257 Misc 60 conf_get_str: [GROUP1-TEK1]:Src-ID->Group-tek1-src +115135.241307 Misc 60 conf_get_str: [Group-tek1-src]:ID-type->IPV4_ADDR +115135.241351 Misc 60 conf_get_str: [Group-tek1-src]:Address->10.0.224.37 +115135.241398 Misc 60 conf_get_str: [Group-tek1-src]:Port->0 +115135.241452 Misc 60 conf_get_str: [GROUP1-TEK1]:Dst-ID->Group-tek1-dst +115135.241498 Misc 60 conf_get_str: [Group-tek1-dst]:ID-type->IPV4_ADDR +115135.241540 Misc 60 conf_get_str: [Group-tek1-dst]:Address->239.1.1.1 +115135.241583 Misc 60 conf_get_str: [Group-tek1-dst]:Port->0 +115135.241633 Misc 60 conf_get_str: [GROUP1-TEK1]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115135.241679 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115135.241722 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115135.241764 Misc 60 conf_get_str: 
[GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115135.241913 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115135.241964 Misc 90 gdoi_ipsec_get_policy: Generated 3DES key: +115135.242034 Misc 90 b4c1aa0b bcacb236 44859d77 786eb24a faa2fa21 49cf5154 +115135.242083 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115135.242131 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115135.242176 Misc 90 gdoi_ipsec_get_policy: Generated auth key: +115135.242239 Misc 90 e600643e 237e2114 d0570771 1acd1550 da794442 +115135.242286 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115135.242338 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115135.242382 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115135.242455 Default SPI found (SA) 1635905385 1635905385 (0x6181ef69) for sa 0x62300 +115135.242514 Trpt 90 transport_reference: transport 0x5c580 now has 6 references +115135.242561 SA 80 sa_reference: SA 0x62400 now has 1 references +115135.242679 SA 70 sa_enter: SA 0x62400 added to SA list +115135.242725 SA 80 sa_reference: SA 0x62400 now has 2 references +115135.242770 SA 60 sa_create: sa 0x62400 phase 1 added to exchange 0x4ba00 (IPsec-group-policy) +115135.242819 Misc 60 conf_get_str: configuration value not found [Default-group-mode]:Crypto-protocol +115135.242860 Default gdoi_add_sa_payload: Assuming ESP +115135.242907 Misc 60 conf_get_str: [GROUP1-TEK2]:Src-ID->Group-tek2-src +115135.242952 Misc 60 conf_get_str: [Group-tek2-src]:ID-type->IPV4_ADDR +115135.242995 Misc 60 conf_get_str: [Group-tek2-src]:Address->10.0.224.40 +115135.243038 Misc 60 conf_get_str: [Group-tek2-src]:Port->0 +115135.243088 Misc 60 conf_get_str: [GROUP1-TEK2]:Dst-ID->Group-tek2-dst +115135.243135 Misc 60 conf_get_str: [Group-tek2-dst]:ID-type->IPV4_ADDR +115135.243176 Misc 60 conf_get_str: [Group-tek2-dst]:Address->239.1.1.2 +115135.243219 
Misc 60 conf_get_str: [Group-tek2-dst]:Port->0 +115135.243269 Misc 60 conf_get_str: [GROUP1-TEK2]:TEK_Suite->GDOI-ESP-3DES-SHA-SUITE +115135.243368 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA-SUITE]:Protocols->GDOI-ESP-3DES-SHA +115135.243414 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:PROTOCOL_ID->IPSEC_ESP +115135.243455 Misc 60 conf_get_str: [GDOI-ESP-3DES-SHA]:Transforms->GDOI-ESP-TRANSFORM-3DES-SHA +115135.243498 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:TRANSFORM_ID->3DES +115135.243543 Misc 90 gdoi_ipsec_get_policy: Generated 3DES key: +115135.243611 Misc 90 699e9a1a 6a255e47 7eb38d36 4c713b6a 7e517b32 511b461f +115135.243657 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:ENCAPSULATION_MODE->TRANSPORT +115135.243705 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:AUTHENTICATION_ALGORITHM->HMAC_SHA +115135.243748 Misc 90 gdoi_ipsec_get_policy: Generated auth key: +115135.243811 Misc 90 b3ab5b5d 486bbf51 84630f7e 538b4b2b 3a41e372 +115135.243857 Misc 60 conf_get_str: [GDOI-ESP-TRANSFORM-3DES-SHA]:Life->LIFE_60_SECS +115135.243908 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_TYPE->SECONDS +115135.244135 Misc 60 conf_get_str: [LIFE_60_SECS]:LIFE_DURATION->60,45:72 +115135.244213 Default SPI found (SA) 700108581 700108581 (0x29bacf25) for sa 0x62400 +115135.244306 Misc 90 gdoi_add_sig_payload: 'rekey': +115135.244355 Misc 90 72656b65 79 +115135.244395 Misc 90 gdoi_add_sig_payload: 'ISAKMP header': +115135.244468 Misc 90 61626364 65666768 30313233 34353637 12102101 00000000 00000190 +115135.244512 Misc 90 gdoi_add_sig_payload: payload 1: +115135.244560 Misc 90 01000008 00000002 +115135.244601 Misc 90 gdoi_add_sig_payload: payload 2: +115135.244683 Misc 90 11000066 00000002 00000000 00100000 1000002b 01000100 00040a00 e0250100 +115135.244765 Misc 90 0004ef01 01010361 81ef6980 04000280 05000280 01000180 02003c00 00002b01 +115135.244847 Misc 90 00010000 040a00e0 28010000 04ef0101 020329ba cf258004 00028005 00028001 +115135.244893 Misc 90 00018002 003c 
+115135.244972 Misc 90 gdoi_add_sig_payload: payload 3: +115135.245055 Misc 90 09000082 00020000 0100003d 046181ef 69000100 18b4c1aa 0bbcacb2 3644859d +115135.316827 Misc 90 77786eb2 4afaa2fa 2149cf51 54000200 14e60064 3e237e21 14d05707 711acd15 +115135.316913 Misc 90 50da7944 42010000 3d0429ba cf250001 0018699e 9a1a6a25 5e477eb3 8d364c71 +115135.316989 Misc 90 3b6a7e51 7b32511b 461f0002 0014b3ab 5b5d486b bf518463 0f7e538b 4b2b3a41 +115135.317028 Misc 90 e372 +115135.317086 Negt 80 gdoi_add_sig_payload: computed hash: +115135.317149 Negt 80 c21ab43a 10b3b72a 29186b65 49c29743 75a72155 +115135.347068 Cryp 40 crypto_init: key: +115135.347147 Cryp 40 40434345 45464649 494a4a4c 4c4f4f51 51525254 54575758 +115135.347205 Cryp 50 crypto_update_iv: initialized IV: +115135.347253 Cryp 50 49564956 49564956 +115135.347298 Cryp 10 rekey_crypto_encrypt: before encryption: +115135.347386 Cryp 10 01000008 00000002 11000066 00000002 00000000 00100000 1000002b 01000100 +115135.347490 Cryp 10 00040a00 e0250100 0004ef01 01010361 81ef6980 04000280 05000280 01000180 +115135.347573 Cryp 10 02003c00 00002b01 00010000 040a00e0 28010000 04ef0101 020329ba cf258004 +115135.428957 Cryp 10 00028005 00028001 00018002 003c0900 00820002 00000100 003d0461 81ef6900 +115135.429042 Cryp 10 010018b4 c1aa0bbc acb23644 859d7778 6eb24afa a2fa2149 cf515400 020014e6 +115135.429121 Cryp 10 00643e23 7e2114d0 5707711a cd1550da 79444201 00003d04 29bacf25 00010018 +115135.429196 Cryp 10 699e9a1a 6a255e47 7eb38d36 4c713b6a 7e517b32 511b461f 00020014 b3ab5b5d +115135.429272 Cryp 10 486bbf51 84630f7e 538b4b2b 3a41e372 00000084 ad8127ef 4d838674 93b75eb5 +115135.429346 Cryp 10 8df6d8c8 31749726 746ec99f b9412bc6 f489efca 59bc8d5c bba4c04c 835dc78d +115135.429420 Cryp 10 f34dd317 6aef8a93 a4fcc54d cabb351a e8c5b3dc e7848a87 842211d9 2c424e3b +115135.429495 Cryp 10 8b8fa78d c791d8a8 d53d94ca bb602bc4 07c022aa e46d553b 0cc17942 7b5c1338 +115135.429563 Cryp 10 444f25e0 19942f0a 7751370d 8440cfc8 ae822c65 00000000 
+115135.429950 Cryp 30 rekey_crypto_encrypt: after encryption: +115135.430046 Cryp 30 1b3db803 03e29d1c e39df077 2b8c72b2 4b0a87ff 498787b4 8934f3d0 14369d40 +115135.430126 Cryp 30 e9867b71 8990b0c3 fcaa7301 08451e10 2331fd7a 4c061bbd 42256819 b0521511 +115135.525742 Cryp 30 36b34158 224f3cac 05d13295 cd316b34 aed0bdd8 8007ee36 2dc4220f 0d2030af +115135.525826 Cryp 30 a3188b17 5ba16435 a9e38941 d2c54d45 0cfd6728 7d364b8f 2036b07d 797cff3f +115135.525901 Cryp 30 c7e82108 305aa634 9aec9143 4a7f611f 076a2178 409c8b75 a5689be2 50b4659f +115135.525977 Cryp 30 6109d116 6bfb0c7d a054b9b1 e048958e ea007184 a1843915 825de440 293c237c +115135.526051 Cryp 30 8c9c217f a1206bf7 97676a39 e4446eb5 b7c66e69 01e944cc 44b12dd8 d91e85b8 +115135.526125 Cryp 30 40e3cecf ae905621 796340fd 54939052 a7f3692a 5e4964af c2b66023 ca6842ea +115135.526200 Cryp 30 bee86259 4b279f6d d0c91e8f f0248390 210e8c3c 2ebb433b b9fc9968 d81f1ba1 +115135.526275 Cryp 30 bbc615cf ee2031f9 6cd49d52 95d15c8d 6de959d2 413f3c7f 98054ac4 e61315d9 +115135.526349 Cryp 30 9befd32f b542343d a0e200b3 79ff3c8a f8cff46f 64b12026 e5e4a340 f25d766f +115135.526414 Cryp 30 f1b91c3d b75e61b5 9bf2163b abc171ab cba7a1d5 3eb58a2a +115135.526457 Exch 90 exchange_validate: checking for required SEQ +115135.608272 Exch 90 exchange_validate: checking for required SA +115135.608325 Exch 90 exchange_validate: checking for required KD +115135.608366 Exch 90 exchange_validate: checking for required SIG +115135.608414 Mesg 70 message_send: message 0x65000 +115135.608467 Mesg 70 ICOOKIE: 0x6162636465666768 +115135.608517 Mesg 70 RCOOKIE: 0x3031323334353637 +115135.608560 Mesg 70 NEXT_PAYLOAD: SEQ +115135.608604 Mesg 70 VERSION: 16 +115135.608646 Mesg 70 EXCH_TYPE: NEW_GROUP_MODE +115135.608690 Mesg 70 FLAGS: [ ENC ] +115135.608738 Mesg 70 MESSAGE_ID: 0x00000000 +115135.608782 Mesg 70 LENGTH: 404 +115135.608865 Mesg 70 message_send: 61626364 65666768 30313233 34353637 12102101 00000000 00000194 1b3db803 +115135.608945 Mesg 70 message_send: 
03e29d1c e39df077 2b8c72b2 4b0a87ff 498787b4 8934f3d0 14369d40 e9867b71 +115135.609025 Mesg 70 message_send: 8990b0c3 fcaa7301 08451e10 2331fd7a 4c061bbd 42256819 b0521511 36b34158 +115135.609104 Mesg 70 message_send: 224f3cac 05d13295 cd316b34 aed0bdd8 8007ee36 2dc4220f 0d2030af a3188b17 +115135.700007 Mesg 70 message_send: 5ba16435 a9e38941 d2c54d45 0cfd6728 7d364b8f 2036b07d 797cff3f c7e82108 +115135.700097 Mesg 70 message_send: 305aa634 9aec9143 4a7f611f 076a2178 409c8b75 a5689be2 50b4659f 6109d116 +115135.700176 Mesg 70 message_send: 6bfb0c7d a054b9b1 e048958e ea007184 a1843915 825de440 293c237c 8c9c217f +115135.700254 Mesg 70 message_send: a1206bf7 97676a39 e4446eb5 b7c66e69 01e944cc 44b12dd8 d91e85b8 40e3cecf +115135.700332 Mesg 70 message_send: ae905621 796340fd 54939052 a7f3692a 5e4964af c2b66023 ca6842ea bee86259 +115135.700410 Mesg 70 message_send: 4b279f6d d0c91e8f f0248390 210e8c3c 2ebb433b b9fc9968 d81f1ba1 bbc615cf +115135.700488 Mesg 70 message_send: ee2031f9 6cd49d52 95d15c8d 6de959d2 413f3c7f 98054ac4 e61315d9 9befd32f +115135.700566 Mesg 70 message_send: b542343d a0e200b3 79ff3c8a f8cff46f 64b12026 e5e4a340 f25d766f f1b91c3d +115135.700629 Mesg 70 message_send: b75e61b5 9bf2163b abc171ab cba7a1d5 3eb58a2a +115135.805372 Exch 40 exchange_run: exchange 0x4ba00 finished step 0, advancing... 
+115135.805479 Trpt 90 transport_reference: transport 0x5c580 now has 7 references +115135.805526 Trpt 90 transport_reference: transport 0x5ca00 now has 3 references +115135.805570 Trpt 90 transport_reference: transport 0x5c700 now has 3 references +115135.805613 Trpt 90 transport_reference: transport 0x5c080 now has 2 references +115135.805655 Trpt 90 transport_reference: transport 0x5c500 now has 3 references +115135.805698 Trpt 90 transport_reference: transport 0x5c200 now has 3 references +115135.805741 Trpt 90 transport_reference: transport 0x4da80 now has 2 references +115135.805784 Trpt 90 transport_reference: transport 0x4df80 now has 3 references +115135.805827 Trpt 90 transport_reference: transport 0x4d780 now has 3 references +115135.805870 Trpt 90 transport_reference: transport 0x4d900 now has 3 references +115135.805913 Trpt 90 transport_reference: transport 0x4d600 now has 2 references +115135.805956 Trpt 90 transport_reference: transport 0x4d580 now has 2 references +115135.901944 Trpt 90 transport_reference: transport 0x4d500 now has 2 references +115135.902135 Exch 10 exchange_finalize: 0x4ba00 IPsec-group-policy Default-group-mode policy initiator phase 1 doi 2 exchange 33 step 1 +115135.902192 Exch 10 exchange_finalize: icookie 6162636465666768 rcookie 3031323334353637 +115135.902233 Exch 10 exchange_finalize: msgid 00000000 +115135.902289 Exch 30 checking whether new SA replaces existing SA with IDs +115135.902338 SA 90 sa_find: return SA 0x62200 +115135.902381 SA 60 sa_mark_replaced: SA 0x62200 (IPsec-group-policy) marked as replaced +115135.902423 SA 90 sa_find: no SA matched query +115135.902473 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115135.902519 SA 90 sa_find: no SA matched query +115135.902567 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115135.902612 SA 90 sa_find: no SA matched query +115135.902660 Misc 60 conf_get_str: configuration value not found 
[IPsec-group-policy]:Flags +115136.011391 SA 90 sa_find: no SA matched query +115136.011448 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115136.011516 SA 90 sa_find: no SA matched query +115136.011563 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115136.011618 Exch 30 checking whether new SA replaces existing SA with IDs +115136.011666 SA 90 sa_find: return SA 0x62300 +115136.011708 SA 60 sa_mark_replaced: SA 0x62300 (IPsec-group-policy) marked as replaced +115136.011749 SA 90 sa_find: no SA matched query +115136.011794 Misc 60 conf_get_str: configuration value not found [IPsec-group-policy]:Flags +115136.011848 Timr 95 sa_setup_expirations: SA 0x62300 soft timeout in 51 seconds +115136.011905 Timr 10 timer_add_event: event sa_soft_expire(0x62300) added before exchange_free_aux(0x4b500), expiration in 51s +115136.011950 SA 80 sa_reference: SA 0x62300 now has 3 references +115136.120668 Timr 95 sa_setup_expirations: SA 0x62300 hard timeout in 60 seconds +115136.120730 Timr 10 timer_add_event: event sa_hard_expire(0x62300) added before exchange_free_aux(0x5a300), expiration in 60s +115136.120776 SA 80 sa_reference: SA 0x62300 now has 4 references +115136.120822 Timr 95 sa_setup_expirations: SA 0x62400 soft timeout in 55 seconds +115136.120897 Timr 10 timer_add_event: event sa_soft_expire(0x62400) added before exchange_free_aux(0x4b500), expiration in 55s +115136.120942 SA 80 sa_reference: SA 0x62400 now has 3 references +115136.120987 Timr 95 sa_setup_expirations: SA 0x62400 hard timeout in 60 seconds +115136.121038 Timr 10 timer_add_event: event sa_hard_expire(0x62400) added before exchange_free_aux(0x5a300), expiration in 60s +115136.121083 SA 80 sa_reference: SA 0x62400 now has 4 references +115136.121133 Exch 50 gdoi_finalize_exchange: DONE WITH REKEY (SEND): Group 1234!!! 
+ +115136.121177 Mesg 20 message_free: freeing 0x65000 +115136.121227 Trpt 90 transport_release: transport 0x5c580 had 7 references +115136.213117 Trpt 90 transport_release: transport 0x5c580 had 6 references +115136.213168 Trpt 90 transport_release: transport 0x5ca00 had 3 references +115136.213211 Trpt 90 transport_release: transport 0x5c700 had 3 references +115136.213253 Trpt 90 transport_release: transport 0x5c080 had 2 references +115136.213295 Trpt 90 transport_release: transport 0x5c500 had 3 references +115136.213338 Trpt 90 transport_release: transport 0x5c200 had 3 references +115136.213380 Trpt 90 transport_release: transport 0x4da80 had 2 references +115136.213422 Trpt 90 transport_release: transport 0x4df80 had 3 references +115136.213464 Trpt 90 transport_release: transport 0x4d780 had 3 references +115136.213507 Trpt 90 transport_release: transport 0x4d900 had 3 references +115136.213549 Trpt 90 transport_release: transport 0x4d600 had 2 references +115136.213591 Trpt 90 transport_release: transport 0x4d580 had 2 references +115136.213633 Trpt 90 transport_release: transport 0x4d500 had 2 references +115136.302603 Timr 10 timer_handle_expirations: event sa_hard_expire(0x5a000) +115136.302655 SA 80 sa_release: SA 0x5a000 had 3 references +115136.302697 SA 70 sa_remove: SA 0x5a000 removed from SA list +115136.302737 SA 80 sa_release: SA 0x5a000 had 2 references +115136.302779 SA 80 sa_release: SA 0x5a000 had 1 references +115136.302817 SA 60 sa_release: freeing SA 0x5a000 +115136.302860 Misc 90 proto_free: freeing 0x4e380 +115136.302907 Trpt 90 transport_release: transport 0x4d780 had 2 references +115136.302952 Timr 10 timer_handle_expirations: event sa_hard_expire(0x5a100) +115136.302995 SA 80 sa_release: SA 0x5a100 had 3 references +115136.303035 SA 70 sa_remove: SA 0x5a100 removed from SA list +115136.303076 SA 80 sa_release: SA 0x5a100 had 2 references +115136.303118 SA 80 sa_release: SA 0x5a100 had 1 references +115136.303156 SA 60 sa_release: 
freeing SA 0x5a100 +115136.303196 Misc 90 proto_free: freeing 0x4e480 +115136.303242 Trpt 90 transport_release: transport 0x4d780 had 1 references +115136.374118 Trpt 70 transport_release: freeing 0x4d780 diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..0663241 --- /dev/null +++ b/src/Makefile.am 
@@ -0,0 +1,214 @@
+# $Id: Makefile.am,v 1.3.4.3 2011/12/12 23:15:28 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Makefile.am,v $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2001-2002 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+# This product includes software developed by Ericsson Radio Systems.
+#
+
+
+#
+# Makefile.am for gdoid.
+#
+
+bin_PROGRAMS = gdoid
+
+BUILT_C_FILES = exchange_num.c ipsec_num.c isakmp_num.c gdoi_num.c \
+ ipsec_fld.c isakmp_fld.c gdoi_fld.c
+
+BUILT_H_FILES = exchange_num.h ipsec_num.h isakmp_num.h gdoi_num.h \
+ ipsec_fld.h isakmp_fld.h gdoi_fld.h
+
+BUILT_SOURCES = ${BUILT_C_FILES} ${BUILT_H_FILES}
+
+noinst_HEADERS = app.h attribute.h cert.h conf.h connection.h \
+ constants.h cookie.h crypto.h dh.h doi.h dyn.h \
+ exchange.h field.h gdoi.h gdoi_phase2.h gmp_util.h hash.h \
+ if.h ike_aggressive.h ike_auth.h ike_main_mode.h \
+ ike_phase_1.h init.h ipsec.h ipsec_doi.h isakmp.h \
+ isakmp_doi.h libcrypto.h log.h math_2n.h math_ec2n.h \
+ math_group.h math_mp.h message.h pcap.h pf_encap.h \
+ pf_key_v2.h prf.h sa.h sysdep.h timer.h transport.h udp.h \
+ ui.h util.h x509.h
+
+gdoid_SOURCES = ${BUILT_C_FILES}\
+ udp.c app.c attribute.c cert.c connection.c \
+ constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
+ field.c gmp_util.c hash.c if.c ike_auth.c \
+ ike_aggressive.c ike_main_mode.c ike_phase_1.c \
+ init.c ipsec.c \
+ isakmpd.c isakmp_doi.c libcrypto.c \
+ log.c message.c math_2n.c math_ec2n.c math_group.c \
+ prf.c sa.c timer.c transport.c ui.c util.c \
+ gdoi_phase2.c gdoi_doi.c gdoi_rekey.c
+
+man_MANS= gdoid.8 gdoid.conf.5
+
+CLEANFILES= exchange_num.c exchange_num.h ipsec_num.c ipsec_num.h \
+ isakmp_num.c isakmp_num.h ipsec_fld.c ipsec_fld.h \
+ isakmp_fld.c isakmp_fld.h \
+ gdoi_fld.c gdoi_fld.h gdoi_num.c gdoi_num.h
+
+DISTCLEANFILES= cscope.files cscope.out
+
+EXTRA_DIST= ${man_MANS} genconstants.sh genfields.sh \
+ exchange_num.cst ipsec_num.cst isakmp_num.cst gdoi_num.cst \
+ ipsec_fld.fld isakmp_fld.fld gdoi_fld.fld gdoi_app_num.cst
+
+#
+# Compilation variables
+#
+
+CFLAGS+= -O2 ${DEBUG} -Wall -DNEED_SYSDEP_APP -D_BSD_SOURCE
+
+#
+# Generated targets
+#
+exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/exchange_num
+
+ipsec_fld.c ipsec_fld.h: genfields.sh ipsec_fld.fld
+ /bin/sh ${srcdir}/genfields.sh ${srcdir}/ipsec_fld
+
+ipsec_num.c ipsec_num.h: genconstants.sh ipsec_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/ipsec_num
+
+isakmp_fld.c isakmp_fld.h: genfields.sh isakmp_fld.fld
+ /bin/sh ${srcdir}/genfields.sh ${srcdir}/isakmp_fld
+
+isakmp_num.c isakmp_num.h: genconstants.sh isakmp_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/isakmp_num
+
+gdoi_fld.c gdoi_fld.h: genfields.sh gdoi_fld.fld
+ /bin/sh ${srcdir}/genfields.sh ${srcdir}/gdoi_fld
+gdoi_num.c gdoi_num.h: genconstants.sh gdoi_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/gdoi_num
+
+#
+# Extra sources to add based on the results of running "configure".
+#
+
+if USE_AGGRESSIVE
+gdoid_SOURCES+= ike_aggressive.c
+endif
+
+if USE_LIBCRYPTO
+gdoid_SOURCES+= x509.c
+CFLAGS+= -DUSE_LIBCRYPTO -DUSE_X509
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL
+endif
+
+if HAVE_PF_KEY_V2
+gdoid_SOURCES+= pf_key_v2.c key_api.c
+CFLAGS+= -DUSE_PF_KEY_V2
+endif
+
+if GDOI_APP_SUPPORT
+noinst_HEADERS+= gdoi_app_client.h
+gdoid_SOURCES+= gdoi_app_client.c
+BUILT_C_FILES+= gdoi_app_num.c
+BUILT_H_FILES+= gdoi_app_num.h
+CFLAGS+= -DGDOI_APP_SUPPORT
+CLEANFILES+= gdoi_app_num.c gdoi_app_num.h
+EXTRA_DIST+= gdoi_app_num.cst
+
+gdoi_app_num.c gdoi_app_num.h: genconstants.sh gdoi_app_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/gdoi_app_num
+endif
+
+if SRTP_SUPPORT
+noinst_HEADERS+= gdoi_srtp_attr.h gdoi_srtp_protos.h gdoi_srtp.h
+BUILT_C_FILES+= srtp_num.c
+BUILT_H_FILES+= srtp_num.h
+gdoid_SOURCES+= gdoi_srtp.c
+CFLAGS+= -DSRTP_SUPPORT
+CLEANFILES+= srtp_num.c srtp_num.h
+EXTRA_DIST+= srtp_num.cst
+
+srtp_num.c srtp_num.h: genconstants.sh srtp_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/srtp_num
+endif
+
+if IEC90_5_SUPPORT
+noinst_HEADERS+= gdoi_iec90_5.h gdoi_iec90_5_protos.h gdoi_app_iec90_5_attr.h
+BUILT_C_FILES+= iec90_5_num.c iec90_5_fld.c
+BUILT_H_FILES+= iec90_5_num.h iec90_5_fld.h
+gdoid_SOURCES+= gdoi_iec90_5.c
+CFLAGS+= -DIEC90_5_SUPPORT
+CLEANFILES+= iec90_5_num.c iec90_5_fld.c iec90_5_num.h iec90_5_fld.h
+EXTRA_DIST+= iec90_5_num.cst iec90_5_fld.fld
+
+iec90_5_num.c iec90_5_num.h: genconstants.sh iec90_5_num.cst
+ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/iec90_5_num
+
+iec90_5_fld.c iec90_5_fld.h: genfields.sh iec90_5_fld.fld
+ /bin/sh ${srcdir}/genfields.sh ${srcdir}/iec90_5_fld
+endif
+
+#
+# Extra rules
+#
+
+install-data-local:
+ ${mkinstalldirs} /etc/gdoid
+ ${mkinstalldirs} /etc/gdoid/ca
+
+#
+# Remove generated .h and .c files from the distribution.
+#
+dist-hook:
+ (cd ${distdir}; rm -f ${BUILT_SOURCES})
diff --git a/src/Makefile.in b/src/Makefile.in
new file mode 100644
index 0000000..1c028e0
--- /dev/null
+++ b/src/Makefile.in
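Review bot: In src/Makefile.am, `install-data-local` creates `/etc/gdoid` and `/etc/gdoid/ca` with hard-coded absolute paths and no explicit mode, so a staged install (`make DESTDIR=... install`) still writes into the live root filesystem and the permissions on the CA directory are left to the install script's default. I would write `${mkinstalldirs} -m 755 "$(DESTDIR)$(sysconfdir)/gdoid"` and `${mkinstalldirs} -m 755 "$(DESTDIR)$(sysconfdir)/gdoid/ca"`, tightening the mode if the configuration directory is meant to hold pre-shared or private keys, which this hunk does not show; this assumes the daemon's compiled-in path can follow sysconfdir. Separately, `ike_aggressive.c` is already in the unconditional `gdoid_SOURCES` list, so the `if USE_AGGRESSIVE` block appends a duplicate rather than deciding whether aggressive-mode code is built; remove it from the unconditional list if the configure switch is meant to compile that exchange out.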
@@ -0,0 +1,820 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# $Id: Makefile.am,v 1.3.4.3 2011/12/12 23:15:28 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Makefile.am,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001-2002 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. 
The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. 
For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# +# Makefile.am for gdoid. +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +bin_PROGRAMS = gdoid$(EXEEXT) + +# +# Extra sources to add based on the results of running "configure". +# +@USE_AGGRESSIVE_TRUE@am__append_1 = ike_aggressive.c +@USE_LIBCRYPTO_TRUE@am__append_2 = x509.c +@USE_LIBCRYPTO_TRUE@am__append_3 = -DUSE_LIBCRYPTO -DUSE_X509 \ +@USE_LIBCRYPTO_TRUE@ -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL +@HAVE_PF_KEY_V2_TRUE@am__append_4 = pf_key_v2.c key_api.c +@HAVE_PF_KEY_V2_TRUE@am__append_5 = -DUSE_PF_KEY_V2 +@GDOI_APP_SUPPORT_TRUE@am__append_6 = gdoi_app_client.h +@GDOI_APP_SUPPORT_TRUE@am__append_7 = gdoi_app_client.c +@GDOI_APP_SUPPORT_TRUE@am__append_8 = gdoi_app_num.c +@GDOI_APP_SUPPORT_TRUE@am__append_9 = gdoi_app_num.h +@GDOI_APP_SUPPORT_TRUE@am__append_10 = -DGDOI_APP_SUPPORT +@GDOI_APP_SUPPORT_TRUE@am__append_11 = gdoi_app_num.c gdoi_app_num.h +@GDOI_APP_SUPPORT_TRUE@am__append_12 = gdoi_app_num.cst +@SRTP_SUPPORT_TRUE@am__append_13 = gdoi_srtp_attr.h gdoi_srtp_protos.h gdoi_srtp.h +@SRTP_SUPPORT_TRUE@am__append_14 = srtp_num.c +@SRTP_SUPPORT_TRUE@am__append_15 = srtp_num.h +@SRTP_SUPPORT_TRUE@am__append_16 = gdoi_srtp.c +@SRTP_SUPPORT_TRUE@am__append_17 = -DSRTP_SUPPORT +@SRTP_SUPPORT_TRUE@am__append_18 = srtp_num.c srtp_num.h +@SRTP_SUPPORT_TRUE@am__append_19 = srtp_num.cst +@IEC90_5_SUPPORT_TRUE@am__append_20 = 
gdoi_iec90_5.h gdoi_iec90_5_protos.h gdoi_app_iec90_5_attr.h +@IEC90_5_SUPPORT_TRUE@am__append_21 = iec90_5_num.c iec90_5_fld.c +@IEC90_5_SUPPORT_TRUE@am__append_22 = iec90_5_num.h iec90_5_fld.h +@IEC90_5_SUPPORT_TRUE@am__append_23 = gdoi_iec90_5.c +@IEC90_5_SUPPORT_TRUE@am__append_24 = -DIEC90_5_SUPPORT +@IEC90_5_SUPPORT_TRUE@am__append_25 = iec90_5_num.c iec90_5_fld.c iec90_5_num.h iec90_5_fld.h +@IEC90_5_SUPPORT_TRUE@am__append_26 = iec90_5_num.cst iec90_5_fld.fld +subdir = src +DIST_COMMON = $(am__noinst_HEADERS_DIST) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" +binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(bin_PROGRAMS) +am__gdoid_SOURCES_DIST = exchange_num.c ipsec_num.c isakmp_num.c \ + gdoi_num.c ipsec_fld.c isakmp_fld.c gdoi_fld.c gdoi_app_num.c \ + srtp_num.c iec90_5_num.c iec90_5_fld.c udp.c app.c attribute.c \ + cert.c connection.c constants.c conf.c cookie.c crypto.c dh.c \ + doi.c exchange.c field.c gmp_util.c hash.c if.c ike_auth.c \ + ike_aggressive.c ike_main_mode.c ike_phase_1.c init.c ipsec.c \ + isakmpd.c isakmp_doi.c libcrypto.c log.c message.c math_2n.c \ + math_ec2n.c math_group.c prf.c sa.c timer.c transport.c ui.c \ + util.c gdoi_phase2.c gdoi_doi.c gdoi_rekey.c x509.c \ + pf_key_v2.c key_api.c gdoi_app_client.c gdoi_srtp.c \ + gdoi_iec90_5.c +@GDOI_APP_SUPPORT_TRUE@am__objects_1 = gdoi_app_num.$(OBJEXT) +@SRTP_SUPPORT_TRUE@am__objects_2 = srtp_num.$(OBJEXT) +@IEC90_5_SUPPORT_TRUE@am__objects_3 = iec90_5_num.$(OBJEXT) \ +@IEC90_5_SUPPORT_TRUE@ iec90_5_fld.$(OBJEXT) +am__objects_4 = exchange_num.$(OBJEXT) ipsec_num.$(OBJEXT) \ + isakmp_num.$(OBJEXT) gdoi_num.$(OBJEXT) 
ipsec_fld.$(OBJEXT) \ + isakmp_fld.$(OBJEXT) gdoi_fld.$(OBJEXT) $(am__objects_1) \ + $(am__objects_2) $(am__objects_3) +@USE_AGGRESSIVE_TRUE@am__objects_5 = ike_aggressive.$(OBJEXT) +@USE_LIBCRYPTO_TRUE@am__objects_6 = x509.$(OBJEXT) +@HAVE_PF_KEY_V2_TRUE@am__objects_7 = pf_key_v2.$(OBJEXT) \ +@HAVE_PF_KEY_V2_TRUE@ key_api.$(OBJEXT) +@GDOI_APP_SUPPORT_TRUE@am__objects_8 = gdoi_app_client.$(OBJEXT) +@SRTP_SUPPORT_TRUE@am__objects_9 = gdoi_srtp.$(OBJEXT) +@IEC90_5_SUPPORT_TRUE@am__objects_10 = gdoi_iec90_5.$(OBJEXT) +am_gdoid_OBJECTS = $(am__objects_4) udp.$(OBJEXT) app.$(OBJEXT) \ + attribute.$(OBJEXT) cert.$(OBJEXT) connection.$(OBJEXT) \ + constants.$(OBJEXT) conf.$(OBJEXT) cookie.$(OBJEXT) \ + crypto.$(OBJEXT) dh.$(OBJEXT) doi.$(OBJEXT) exchange.$(OBJEXT) \ + field.$(OBJEXT) gmp_util.$(OBJEXT) hash.$(OBJEXT) if.$(OBJEXT) \ + ike_auth.$(OBJEXT) ike_aggressive.$(OBJEXT) \ + ike_main_mode.$(OBJEXT) ike_phase_1.$(OBJEXT) init.$(OBJEXT) \ + ipsec.$(OBJEXT) isakmpd.$(OBJEXT) isakmp_doi.$(OBJEXT) \ + libcrypto.$(OBJEXT) log.$(OBJEXT) message.$(OBJEXT) \ + math_2n.$(OBJEXT) math_ec2n.$(OBJEXT) math_group.$(OBJEXT) \ + prf.$(OBJEXT) sa.$(OBJEXT) timer.$(OBJEXT) transport.$(OBJEXT) \ + ui.$(OBJEXT) util.$(OBJEXT) gdoi_phase2.$(OBJEXT) \ + gdoi_doi.$(OBJEXT) gdoi_rekey.$(OBJEXT) $(am__objects_5) \ + $(am__objects_6) $(am__objects_7) $(am__objects_8) \ + $(am__objects_9) $(am__objects_10) +gdoid_OBJECTS = $(am_gdoid_OBJECTS) +gdoid_LDADD = $(LDADD) +DEFAULT_INCLUDES = -I. 
-I$(top_builddir)@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/config/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +SOURCES = $(gdoid_SOURCES) +DIST_SOURCES = $(am__gdoid_SOURCES_DIST) +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__noinst_HEADERS_DIST = app.h attribute.h cert.h conf.h connection.h \ + constants.h cookie.h crypto.h dh.h doi.h dyn.h exchange.h \ + field.h gdoi.h gdoi_phase2.h gmp_util.h hash.h if.h \ + ike_aggressive.h ike_auth.h ike_main_mode.h ike_phase_1.h \ + init.h ipsec.h ipsec_doi.h isakmp.h isakmp_doi.h libcrypto.h \ + log.h math_2n.h math_ec2n.h math_group.h math_mp.h message.h \ + pcap.h pf_encap.h pf_key_v2.h prf.h sa.h sysdep.h timer.h \ + transport.h udp.h ui.h util.h x509.h gdoi_app_client.h \ + gdoi_srtp_attr.h gdoi_srtp_protos.h gdoi_srtp.h gdoi_iec90_5.h \ + gdoi_iec90_5_protos.h gdoi_app_iec90_5_attr.h +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ + +# +# Compilation variables +# +CFLAGS = @CFLAGS@ -O2 ${DEBUG} -Wall -DNEED_SYSDEP_APP -D_BSD_SOURCE \ + $(am__append_3) $(am__append_5) $(am__append_10) \ + $(am__append_17) $(am__append_24) +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ 
+LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +BUILT_C_FILES = exchange_num.c ipsec_num.c isakmp_num.c gdoi_num.c \ + ipsec_fld.c isakmp_fld.c gdoi_fld.c $(am__append_8) \ + $(am__append_14) $(am__append_21) +BUILT_H_FILES = exchange_num.h ipsec_num.h isakmp_num.h gdoi_num.h \ + ipsec_fld.h isakmp_fld.h gdoi_fld.h $(am__append_9) \ + 
$(am__append_15) $(am__append_22) +BUILT_SOURCES = ${BUILT_C_FILES} ${BUILT_H_FILES} +noinst_HEADERS = app.h attribute.h cert.h conf.h connection.h \ + constants.h cookie.h crypto.h dh.h doi.h dyn.h exchange.h \ + field.h gdoi.h gdoi_phase2.h gmp_util.h hash.h if.h \ + ike_aggressive.h ike_auth.h ike_main_mode.h ike_phase_1.h \ + init.h ipsec.h ipsec_doi.h isakmp.h isakmp_doi.h libcrypto.h \ + log.h math_2n.h math_ec2n.h math_group.h math_mp.h message.h \ + pcap.h pf_encap.h pf_key_v2.h prf.h sa.h sysdep.h timer.h \ + transport.h udp.h ui.h util.h x509.h $(am__append_6) \ + $(am__append_13) $(am__append_20) +gdoid_SOURCES = ${BUILT_C_FILES} udp.c app.c attribute.c cert.c \ + connection.c constants.c conf.c cookie.c crypto.c dh.c doi.c \ + exchange.c field.c gmp_util.c hash.c if.c ike_auth.c \ + ike_aggressive.c ike_main_mode.c ike_phase_1.c init.c ipsec.c \ + isakmpd.c isakmp_doi.c libcrypto.c log.c message.c math_2n.c \ + math_ec2n.c math_group.c prf.c sa.c timer.c transport.c ui.c \ + util.c gdoi_phase2.c gdoi_doi.c gdoi_rekey.c $(am__append_1) \ + $(am__append_2) $(am__append_4) $(am__append_7) \ + $(am__append_16) $(am__append_23) +man_MANS = gdoid.8 gdoid.conf.5 +CLEANFILES = exchange_num.c exchange_num.h ipsec_num.c ipsec_num.h \ + isakmp_num.c isakmp_num.h ipsec_fld.c ipsec_fld.h isakmp_fld.c \ + isakmp_fld.h gdoi_fld.c gdoi_fld.h gdoi_num.c gdoi_num.h \ + $(am__append_11) $(am__append_18) $(am__append_25) +DISTCLEANFILES = cscope.files cscope.out +EXTRA_DIST = ${man_MANS} genconstants.sh genfields.sh exchange_num.cst \ + ipsec_num.cst isakmp_num.cst gdoi_num.cst ipsec_fld.fld \ + isakmp_fld.fld gdoi_fld.fld gdoi_app_num.cst $(am__append_12) \ + $(am__append_19) $(am__append_26) +all: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) all-am + +.SUFFIXES: +.SUFFIXES: .c .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) 
am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-binPROGRAMS: $(bin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-binPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(bin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \ + rm -f "$(DESTDIR)$(bindir)/$$f"; \ + done + +clean-binPROGRAMS: + -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) +gdoid$(EXEEXT): $(gdoid_OBJECTS) $(gdoid_DEPENDENCIES) + @rm -f gdoid$(EXEEXT) + $(LINK) $(gdoid_OBJECTS) $(gdoid_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f 
*.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/app.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/conf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connection.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constants.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cookie.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/doi.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exchange.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exchange_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/field.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_app_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_app_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_doi.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_fld.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_iec90_5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_phase2.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_rekey.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gdoi_srtp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gmp_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iec90_5_fld.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/iec90_5_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/if.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_aggressive.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_main_mode.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_phase_1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/init.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_fld.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_doi.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_fld.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmpd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key_api.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcrypto.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/math_2n.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/math_ec2n.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/math_group.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pf_key_v2.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/srtp_num.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transport.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/udp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ui.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +install-man5: $(man5_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \ + done +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.5*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo 
$$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 5*) ;; \ + *) ext='5' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man5dir)/$$inst"; \ + done +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) 
' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != 
$(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-hook +check-am: all-am +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am +all-am: Makefile $(PROGRAMS) $(MANS) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) +clean: clean-am + +clean-am: clean-binPROGRAMS clean-generic mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-data-local install-man + +install-dvi: install-dvi-am + +install-exec-am: install-binPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man5 install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-binPROGRAMS uninstall-man + +uninstall-man: uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \ + clean-generic ctags dist-hook distclean distclean-compile \ + distclean-generic distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-binPROGRAMS \ + install-data install-data-am install-data-local install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-man8 install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-binPROGRAMS uninstall-man \ + uninstall-man5 uninstall-man8 + + +# +# Generated targets +# +exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst + /bin/sh 
${srcdir}/genconstants.sh ${srcdir}/exchange_num + +ipsec_fld.c ipsec_fld.h: genfields.sh ipsec_fld.fld + /bin/sh ${srcdir}/genfields.sh ${srcdir}/ipsec_fld + +ipsec_num.c ipsec_num.h: genconstants.sh ipsec_num.cst + /bin/sh ${srcdir}/genconstants.sh ${srcdir}/ipsec_num + +isakmp_fld.c isakmp_fld.h: genfields.sh isakmp_fld.fld + /bin/sh ${srcdir}/genfields.sh ${srcdir}/isakmp_fld + +isakmp_num.c isakmp_num.h: genconstants.sh isakmp_num.cst + /bin/sh ${srcdir}/genconstants.sh ${srcdir}/isakmp_num + +gdoi_fld.c gdoi_fld.h: genfields.sh gdoi_fld.fld + /bin/sh ${srcdir}/genfields.sh ${srcdir}/gdoi_fld +gdoi_num.c gdoi_num.h: genconstants.sh gdoi_num.cst + /bin/sh ${srcdir}/genconstants.sh ${srcdir}/gdoi_num + +@GDOI_APP_SUPPORT_TRUE@gdoi_app_num.c gdoi_app_num.h: genconstants.sh gdoi_app_num.cst +@GDOI_APP_SUPPORT_TRUE@ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/gdoi_app_num + +@SRTP_SUPPORT_TRUE@srtp_num.c srtp_num.h: genconstants.sh srtp_num.cst +@SRTP_SUPPORT_TRUE@ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/srtp_num + +@IEC90_5_SUPPORT_TRUE@iec90_5_num.c iec90_5_num.h: genconstants.sh iec90_5_num.cst +@IEC90_5_SUPPORT_TRUE@ /bin/sh ${srcdir}/genconstants.sh ${srcdir}/iec90_5_num + +@IEC90_5_SUPPORT_TRUE@iec90_5_fld.c iec90_5_fld.h: genfields.sh iec90_5_fld.fld +@IEC90_5_SUPPORT_TRUE@ /bin/sh ${srcdir}/genfields.sh ${srcdir}/iec90_5_fld + +# +# Extra rules +# + +install-data-local: + ${mkinstalldirs} /etc/gdoid + ${mkinstalldirs} /etc/gdoid/ca + +# +# Remove generated .h and .c files from the distribution. +# +dist-hook: + (cd ${distdir}; rm -f ${BUILT_SOURCES}) +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/app.c b/src/app.c new file mode 100644 index 0000000..521193c --- /dev/null +++ b/src/app.c 
@@ -0,0 +1,71 @@
+/* $Id: app.c,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/app.c,v $ */
+
+/* $OpenBSD: app.c,v 1.6 1999/05/01 20:43:42 niklas Exp $ */
+/* $EOM: app.c,v 1.6 1999/05/01 20:21:06 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/*
+ * XXX This is just a wrapper module for now. Later we might handle many
+ * applications simultaneously but right now, we assume one system-dependent
+ * one only.
+ */
+
+#include "sysdep.h"
+
+#include "app.h"
+#include "log.h"
+
+int app_socket;
+
+/* Set this to not get any applications setup. */
+int app_none = 0;
+
+/* Initialize applications. */
+void
+app_init ()
+{
+ if (app_none)
+ return;
+ app_socket = sysdep_app_open ();
+ if (app_socket == -1)
+ log_fatal ("app_init: cannot open connection to application");
+}
+
+void
+app_handler ()
+{
+ sysdep_app_handler (app_socket);
+}
diff --git a/src/app.h b/src/app.h
new file mode 100644
index 0000000..52caa12
--- /dev/null
+++ b/src/app.h
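Review bot: `app_socket` keeps its zero initial value when `app_none` is set, because `app_init` returns before assigning it, yet `app_handler` passes it to `sysdep_app_handler` without any check; 0 is a valid descriptor, so a call in that state would act on whatever is open on descriptor 0 instead of failing. Initialise the global as `int app_socket = -1;` and begin `app_handler` with `if (app_socket == -1) return;`. Whether any caller reaches `app_handler` with `app_none` set cannot be seen from this file. Separately, `app_init ()` and `app_handler ()` are defined with empty parentheses while app.h declares them `(void)`; writing `(void)` in the definitions keeps the two consistent.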
@@ -0,0 +1,50 @@
+/* $Id: app.h,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/app.h,v $ */
+
+/* $OpenBSD: app.h,v 1.5 1999/04/19 19:54:54 niklas Exp $ */
+/* $EOM: app.h,v 1.4 1999/04/02 00:58:16 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _APP_H_
+#define _APP_H_
+
+extern int app_socket;
+extern int app_none;
+
+extern void app_conf_init_hook (void);
+extern void app_handler (void);
+extern void app_init (void);
+
+#endif /* _APP_H_ */
diff --git a/src/attribute.c b/src/attribute.c
new file mode 100644
index 0000000..fd19490
--- /dev/null
+++ b/src/attribute.c
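Review bot: `app_conf_init_hook` is declared here, but app.c as added by this commit defines only `app_init` and `app_handler`. If no other file in the import defines it (not visible from this hunk), the prototype promises a symbol that any caller would fail to link against; either add the definition or drop the line `extern void app_conf_init_hook (void);`. A one-line comment above each prototype stating when it may be called, for example `/* Opens the application socket; calls log_fatal on failure. */` above `app_init`, would also record the contract that app.c currently leaves implicit.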
@@ -0,0 +1,123 @@ +/* $Id: attribute.c,v 1.2 2002/05/10 04:25:11 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/attribute.c,v $ */ + +/* $OpenBSD: attribute.c,v 1.8 2000/02/25 17:23:38 niklas Exp $ */ +/* $EOM: attribute.c,v 1.10 2000/02/20 19:58:36 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "conf.h" +#include "log.h" +#include "isakmp.h" +#include "util.h" + +u_int8_t * +attribute_set_basic (u_int8_t *buf, u_int16_t type, u_int16_t value) +{ + SET_ISAKMP_ATTR_TYPE (buf, ISAKMP_ATTR_MAKE (1, type)); + SET_ISAKMP_ATTR_LENGTH_VALUE (buf, value); + return buf + ISAKMP_ATTR_VALUE_OFF; +} + +u_int8_t * +attribute_set_var (u_int8_t *buf, u_int16_t type, u_int8_t *value, + u_int16_t len) +{ + SET_ISAKMP_ATTR_TYPE (buf, ISAKMP_ATTR_MAKE (0, type)); + SET_ISAKMP_ATTR_LENGTH_VALUE (buf, len); + memcpy (buf + ISAKMP_ATTR_VALUE_OFF, value, len); + return buf + ISAKMP_ATTR_VALUE_OFF + len; +} + +/* + * Execute a function FUNC taking an attribute type, value, length and ARG + * as arguments for each attribute in the area of ISAKMP attributes located + * at BUF, sized SZ. If any invocation fails, the processing aborts with a + * -1 return value. If all goes well return zero. + */ +int +attribute_map (u_int8_t *buf, size_t sz, + int (*func) (u_int16_t, u_int8_t *, u_int16_t, void *), + void *arg) +{ + u_int8_t *attr; + int fmt; + u_int16_t type; + u_int8_t *value; + u_int16_t len; + + for (attr = buf; attr < buf + sz; attr = value + len) + { + if (attr + ISAKMP_ATTR_VALUE_OFF > buf + sz) + return -1; + type = GET_ISAKMP_ATTR_TYPE (attr); + fmt = ISAKMP_ATTR_FORMAT (type); + type = ISAKMP_ATTR_TYPE (type); + value + = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : ISAKMP_ATTR_VALUE_OFF); + len = (fmt ? 
ISAKMP_ATTR_LENGTH_VALUE_LEN + : GET_ISAKMP_ATTR_LENGTH_VALUE (attr)); + if (value + len > buf + sz) + return -1; + if (func (type, value, len, arg)) + return -1; + } + return 0; +} + +int +attribute_set_constant (char *section, char *tag, struct constant_map *map, + int attr_class, u_int8_t **attr) +{ + char *name; + int value; + + name = conf_get_str (section, tag); + if (!name) + { + LOG_DBG ((LOG_MISC, 70, + "attribute_set_constant: no %s in the %s section", tag, + section)); + return -1; + } + value = constant_value (map, name); + *attr = attribute_set_basic (*attr, attr_class, value); + return 0; +} diff --git a/src/attribute.h b/src/attribute.h new file mode 100644 index 0000000..b65aa36 --- /dev/null +++ b/src/attribute.h 
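Review bot: In `attribute_map` both bounds checks, `attr + ISAKMP_ATTR_VALUE_OFF > buf + sz` and `value + len > buf + sz`, form a pointer that may already lie beyond the buffer before comparing it, which is undefined behaviour in C and leaves the check open to being optimised away or to wrapping near the top of the address space. This routine walks an attribute area whose lengths are read from the data itself (presumably a received ISAKMP payload; the callers are outside this hunk), so tracking the remaining byte count and comparing lengths is the safer form, as in the excerpt below. In the same file, `attribute_set_constant` passes the result of `constant_value (map, name)` straight to `attribute_set_basic` without checking it, so an unrecognised name from the configuration is encoded as whatever `constant_value` returns for a miss (its failure value is not visible here), narrowed to `u_int16_t`.

```c
  /* … unchanged: declarations of attr, fmt, type, value, len … */
  size_t left = sz;	/* bytes of the attribute area not yet consumed */
  size_t hdr;		/* offset of the value inside the current attribute */

  for (attr = buf; left > 0; attr = value + len, left -= hdr + len)
    {
      if (left < ISAKMP_ATTR_VALUE_OFF)
	return -1;
      type = GET_ISAKMP_ATTR_TYPE (attr);
      fmt = ISAKMP_ATTR_FORMAT (type);
      type = ISAKMP_ATTR_TYPE (type);
      hdr = fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF : ISAKMP_ATTR_VALUE_OFF;
      value = attr + hdr;
      len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN
	     : GET_ISAKMP_ATTR_LENGTH_VALUE (attr));
      /* Compare lengths, never pointers that may be out of range. */
      if (hdr > left || len > left - hdr)
	return -1;
      /* … unchanged: func (type, value, len, arg) call and its -1 return … */
    }
```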
@@ -0,0 +1,56 @@ +/* $Id: attribute.h,v 1.2 2002/05/10 04:25:11 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/attribute.h,v $ */ + +/* $OpenBSD: attribute.h,v 1.3 1998/11/17 11:10:07 niklas Exp $ */ +/* $EOM: attribute.h,v 1.2 1998/09/29 21:51:07 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _ATTRIBUTE_H_ +#define _ATTRIBUTE_H_ + +#include + +struct constant_map; + +extern int attribute_map (u_int8_t *, size_t, + int (*) (u_int16_t, u_int8_t *, u_int16_t, void *), + void *); +extern u_int8_t *attribute_set_basic (u_int8_t *, u_int16_t, u_int16_t); +extern int attribute_set_constant (char *, char *, struct constant_map *, + int, u_int8_t **); +extern u_int8_t *attribute_set_var (u_int8_t *, u_int16_t, u_int8_t *, + u_int16_t); + +#endif /* _ATTRIBUTE_H_ */ diff --git a/src/cert.c b/src/cert.c new file mode 100644 index 0000000..97dc3e8 --- /dev/null +++ b/src/cert.c 
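Review bot: The prototypes for `attribute_set_basic` and `attribute_set_var` give no parameter names and say nothing about how much room the destination needs, although attribute.c in this commit has `attribute_set_var` write `ISAKMP_ATTR_VALUE_OFF + len` bytes at `buf` through an unchecked `memcpy`. Because the interface has no capacity argument, the sizing duty falls entirely on the caller and should be stated where callers look. Add names to the parameters and a comment above `attribute_set_var` such as `/* BUF must have room for ISAKMP_ATTR_VALUE_OFF + LEN bytes; returns the address just past the attribute written. */`, with a matching line for `attribute_set_basic`, which returns `buf + ISAKMP_ATTR_VALUE_OFF`.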
@@ -0,0 +1,139 @@ +/* $Id: cert.c,v 1.4 2003/10/14 22:40:24 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/cert.c,v $ */ + +/* $OpenBSD: cert.c,v 1.16 2000/10/07 06:57:08 niklas Exp $ */ +/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include + +#include "sysdep.h" + +#include "isakmp_num.h" +#include "log.h" +#include "cert.h" + +#ifdef USE_X509 +#include "x509.h" +#include +#endif + +struct cert_handler cert_handler[] = { +#ifdef USE_X509 + { + ISAKMP_CERTENC_X509_SIG, + x509_cert_init, x509_cert_get, x509_cert_validate, + x509_cert_insert, x509_cert_free, + x509_certreq_validate, x509_certreq_decode, x509_free_aca, + x509_cert_obtain, x509_cert_get_key, x509_cert_get_subjects + }, +#endif +}; + +/* Initialize all certificate handlers */ + +int +cert_init (void) +{ + int i, err = 1; + + for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) + if (cert_handler[i].cert_init && !(*cert_handler[i].cert_init) ()) + err = 0; + + return err; +} + +struct cert_handler * +cert_get (u_int16_t id) +{ + int i; + + for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) + if (id == cert_handler[i].id) + return &cert_handler[i]; + return 0; +} + +/* Decode a CERTREQ and return a parsed structure. 
*/ +struct certreq_aca * +certreq_decode (u_int16_t type, u_int8_t *data, u_int32_t datalen) +{ + struct cert_handler *handler; + struct certreq_aca aca, *ret; + + handler = cert_get (type); + if (!handler) + return 0; + + aca.id = type; + aca.handler = handler; + + if (datalen > 0) + { + aca.data = handler->certreq_decode (data, datalen); + if (!aca.data) + return 0; + } + else + aca.data = 0; + + ret = malloc (sizeof aca); + if (!ret) + { + log_error ("certreq_decode: malloc (%d) failed", sizeof aca); + handler->free_aca (aca.data); + return 0; + } + + memcpy (ret, &aca, sizeof aca); + + return ret; +} + +void +cert_free_subjects (int n, u_int8_t **id, u_int32_t *len) +{ + int i; + + for (i = 0; i < n; i++) + free (id[i]); + free (id); + free (len); +} diff --git a/src/cert.h b/src/cert.h new file mode 100644 index 0000000..e0a2c3d --- /dev/null +++ b/src/cert.h 
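Review bot: The malloc-failure branch of `certreq_decode` passes `sizeof aca`, a `size_t`, to a `%d` conversion and calls `handler->free_aca (aca.data)` even when `aca.data` was set to 0 by the `datalen == 0` branch. The first is a format/argument mismatch, undefined where `size_t` is wider than `int`; use `log_error ("certreq_decode: malloc (%lu) failed", (unsigned long) sizeof aca);`. For the second, guard the call as `if (aca.data) handler->free_aca (aca.data);` unless every `free_aca` implementation is known to accept a null pointer, which this hunk does not show. Also, when `USE_X509` is not defined the `cert_handler[]` initialiser is empty, which ISO C does not allow, and the loops in `cert_init` and `cert_get` compare a signed `int i` with a `size_t` element count; declaring `size_t i` removes the sign conversion.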
@@ -0,0 +1,88 @@
+/* $Id: cert.h,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/cert.h,v $ */
+
+/* $OpenBSD: cert.h,v 1.6 2000/10/07 06:57:08 niklas Exp $ */
+/* $EOM: cert.h,v 1.8 2000/09/28 12:53:27 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niels Provos. All rights reserved.
+ * Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _CERT_H_ +#define _CERT_H_ + +#include +#include +#include + +/* + * CERT handler for each kind of certificate: + * + * cert_init - Initialize CERT handler - called only once + * cert_get - Get a certificate in internal representation from raw data + * cert_validate - validated a certificate, if it returns != 0 we can use it. + * cert_insert - inserts cert into memory storage, we can retrieve with + * cert_obtain. + */ + +struct cert_handler { + u_int16_t id; /* ISAKMP Cert Encoding ID */ + int (*cert_init) (void); + void *(*cert_get) (u_int8_t *, u_int32_t); + int (*cert_validate) (void *); + int (*cert_insert) (int, void *); + void (*cert_free) (void *); + int (*certreq_validate) (u_int8_t *, u_int32_t); + void *(*certreq_decode) (u_int8_t *, u_int32_t); + void (*free_aca) (void *); + int (*cert_obtain) (u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *); + int (*cert_get_key) (void *, void *); + int (*cert_get_subjects) (void *, int *, u_int8_t ***, u_int32_t **); +}; + +/* the acceptable authority of cert request */ + +struct certreq_aca { + TAILQ_ENTRY (certreq_aca) link; + + u_int16_t id; + struct cert_handler *handler; + void *data; /* if NULL everything is acceptable */ +}; + +struct certreq_aca *certreq_decode (u_int16_t, u_int8_t *, u_int32_t); +void cert_free_subjects (int, u_int8_t **, u_int32_t *); +struct cert_handler *cert_get (u_int16_t); +int cert_init (void); + +#endif /* _CERT_H_ */ diff --git a/src/conf.c b/src/conf.c new file mode 100644 index 0000000..7e988f0 --- /dev/null +++ b/src/conf.c 
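Review bot: The comment above `struct cert_handler` in src/cert.h describes only cert_init, cert_get, cert_validate and cert_insert, so the return convention and buffer ownership of the other seven callbacks are left for each caller to guess. For a certificate path this matters most for `certreq_validate` (state whether non-zero means acceptable, as it does for cert_validate) and for `cert_get_subjects`, whose output arrays appear to be the ones cert_free_subjects in cert.c releases with free(). I would add entries such as `cert_get_subjects - caller owns the returned id and len arrays; release with cert_free_subjects` and `free_aca - releases the value returned by certreq_decode`. The note on `certreq_aca.data` could also say that a zero-length CERTREQ payload is what produces the NULL "everything is acceptable" case, since certreq_decode in cert.c sets it that way.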
@@ -0,0 +1,1019 @@ +/* $Id: conf.c,v 1.4.4.2 2011/12/05 20:26:53 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/conf.c,v $ */ + +/* $OpenBSD: conf.c,v 1.30 2001/03/27 15:46:29 ho Exp $ */ +/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-1011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2000, 2001 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "app.h" +#include "conf.h" +#include "log.h" +#include "util.h" + +struct conf_trans { + TAILQ_ENTRY (conf_trans) link; + int trans; + enum conf_op { CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION } op; + char *section; + char *tag; + char *value; + int override; + int is_default; +}; + +TAILQ_HEAD (conf_trans_head, conf_trans) conf_trans_queue; + +/* + * Radix-64 Encoding. + */ +const u_int8_t bin2asc[] + = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + +const u_int8_t asc2bin[] = +{ + 255, 255, 255, 255, 255, 255, 255, 255, + 255, 255, 255, 255, 255, 255, 255, 255, + 255, 255, 255, 255, 255, 255, 255, 255, + 255, 255, 255, 255, 255, 255, 255, 255, + 255, 255, 255, 255, 255, 255, 255, 255, + 255, 255, 255, 62, 255, 255, 255, 63, + 52, 53, 54, 55, 56, 57, 58, 59, + 60, 61, 255, 255, 255, 255, 255, 255, + 255, 0, 1, 2, 3, 4, 5, 6, + 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, + 23, 24, 25, 255, 255, 255, 255, 255, + 255, 26, 27, 28, 29, 30, 31, 32, + 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, + 49, 50, 51, 255, 255, 255, 255, 255 +}; + +struct conf_binding { + LIST_ENTRY (conf_binding) link; + char *section; + char *tag; + char *value; + int is_default; +}; + +char *conf_path = CONFIG_FILE; +LIST_HEAD (conf_bindings, conf_binding) conf_bindings[256]; + +static char *conf_addr; + +static __inline__ u_int8_t +conf_hash (char *s) +{ + u_int8_t hash = 0; + + while (*s) + { + hash = ((hash << 1) | (hash >> 7)) ^ tolower (*s); + s++; + } + return hash; +} + +/* + * Insert a tag-value combination from LINE (the equal sign is at POS) + */ +static int +conf_remove_now (char *section, char *tag) +{ + struct conf_binding *cb, *next; + + for (cb = LIST_FIRST (&conf_bindings[conf_hash (section)]); cb; cb = next) + { + next = LIST_NEXT (cb, link); + if (strcasecmp 
(cb->section, section) == 0 + && strcasecmp (cb->tag, tag) == 0) + { + LIST_REMOVE (cb, link); + LOG_DBG ((LOG_MISC, 70, "[%s]:%s->%s removed", section, tag, + cb->value)); + free (cb->section); + free (cb->tag); + free (cb->value); + free (cb); + return 0; + } + } + return 1; +} + +static int +conf_remove_section_now (char *section) +{ + struct conf_binding *cb, *next; + int unseen = 1; + + for (cb = LIST_FIRST (&conf_bindings[conf_hash (section)]); cb; cb = next) + { + next = LIST_NEXT (cb, link); + if (strcasecmp (cb->section, section) == 0) + { + unseen = 0; + LIST_REMOVE (cb, link); + LOG_DBG ((LOG_MISC, 70, "[%s]:%s->%s removed", section, cb->tag, + cb->value)); + free (cb->section); + free (cb->tag); + free (cb->value); + free (cb); + } + } + return unseen; +} + +/* + * Insert a tag-value combination from LINE (the equal sign is at POS) + * into SECTION of our configuration database. + */ +static int +conf_set_now (char *section, char *tag, char *value, int override, + int is_default) +{ + struct conf_binding *node = 0; + + if (override) + conf_remove_now (section, tag); + else if (conf_get_str (section, tag)) + { + if (!is_default) + log_print ("conf_set: duplicate tag [%s]:%s, ignoring...\n", section, + tag); + return 1; + } + + node = calloc (1, sizeof *node); + if (!node) + { + log_error ("conf_set: calloc (1, %d) failed", sizeof *node); + return 1; + } + node->section = strdup (section); + node->tag = strdup (tag); + node->value = strdup (value); + node->is_default = is_default; + + LIST_INSERT_HEAD (&conf_bindings[conf_hash (section)], node, link); + LOG_DBG ((LOG_MISC, 70, "conf_set: [%s]:%s->%s", node->section, node->tag, + node->value)); + return 0; +} + +/* + * Parse the line LINE of SZ bytes. Skip Comments, recognize section + * headers and feed tag-value pairs into our configuration database. 
+ */ +static void +conf_parse_line (int trans, char *line, size_t sz) +{ + char *cp = line; + int i; + static char *section = 0; + static int ln = 0; + + ln++; + + /* Lines starting with '#' or ';' are comments. */ + if (*line == '#' || *line == ';') + return; + + /* '[section]' parsing... */ + if (*line == '[') + { + for (i = 1; i < sz; i++) + if (line[i] == ']') + break; + if (i == sz) + { + log_print ("conf_parse_line: %d:" + "non-matched ']', ignoring until next section", ln); + section = 0; + return; + } + if (section) + free (section); + section = malloc (i); + strncpy (section, line + 1, i - 1); + section[i - 1] = '\0'; + return; + } + + /* Deal with assignments. */ + for (i = 0; i < sz; i++) + if (cp[i] == '=') + { + /* If no section, we are ignoring the lines. */ + if (!section) + { + log_print ("conf_parse_line: %d: ignoring line due to no section", + ln); + return; + } + line[strcspn (line, " \t=")] = '\0'; + /* XXX Perhaps should we not ignore errors? */ + conf_set (trans, section, line, + line + i + 1 + strspn (line + i + 1, " \t"), 0, 0); + return; + } + + /* Other non-empty lines are wierd. */ + i = strspn (line, " \t"); + if (line[i]) + log_print ("conf_parse_line: %d: syntax error", ln); + + return; +} + +/* Parse the mapped configuration file. */ +static void +conf_parse (int trans, char *buf, size_t sz) +{ + char *cp = buf; + char *bufend = buf + sz; + char *line; + + line = cp; + while (cp < bufend) + { + if (*cp == '\n') + { + /* Check for escaped newlines. */ + if (cp > buf && *(cp - 1) == '\\') + *(cp - 1) = *cp = ' '; + else + { + *cp = '\0'; + conf_parse_line (trans, line, cp - line); + line = cp + 1; + } + } + cp++; + } + if (cp != line) + log_print ("conf_parse: last line non-terminated, ignored."); +} + +/* + * Auto-generate default configuration values for the transforms and + * suites the user wants. 
+ * + * Resulting section names can be: + * For main mode: + * {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}] + * For quick mode: + * QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE + * DH groups; currently always MODP_768 for MD5, and MODP_1024 for SHA. + * + * XXX We may want to support USE_BLOWFISH, USE_TRIPLEDES, etc... + * XXX No EC2N DH support here yet. + */ + +/* Find the value for a section+tag in the transaction list */ +char * +conf_get_trans_str (int trans, char *section, char *tag) +{ + struct conf_trans *node, *nf = 0; + + for (node = TAILQ_FIRST (&conf_trans_queue); node; + node = TAILQ_NEXT (node, link)) + if (node->trans == trans && strcmp (section, node->section) == 0 && + strcmp (tag, node->tag) == 0) + { + if (!nf) + nf = node; + else if (node->override) + nf = node; + } + return nf ? nf->value : NULL; +} + +int +conf_find_trans_xf (int phase, char *xf) +{ + struct conf_trans *node; + char *p; + + /* Find the relevant transforms and suites, if any. */ + for (node = TAILQ_FIRST (&conf_trans_queue); node; + node = TAILQ_NEXT (node, link)) + if ((phase == 1 && strcmp ("Transforms", node->tag) == 0) || + (phase == 2 && strcmp ("Suites", node->tag) == 0)) + { + p = node->value; + while ((p = strstr (p, xf)) != NULL) + if (*(p + strlen (p)) && *(p + strlen (p)) != ',') + p += strlen (p); + else + return 1; + } + return 0; +} + +void +conf_init (void) +{ + int i; + + for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) + LIST_INIT (&conf_bindings[i]); + TAILQ_INIT (&conf_trans_queue); + conf_reinit (); +} + +/* Open the config file and map it into our address space, then parse it. 
*/ +void +conf_reinit (void) +{ + struct conf_binding *cb = 0; + int fd, i, trans; + off_t sz; + char *new_conf_addr = 0; + struct stat sb; + + if ((stat (conf_path, &sb) == 0) || (errno != ENOENT)) + { + if (check_file_secrecy (conf_path, &sz)) + return; + + fd = open (conf_path, O_RDONLY); + if (fd == -1) + { + log_error ("conf_reinit: open (\"%s\", O_RDONLY) failed", conf_path); + return; + } + + new_conf_addr = malloc (sz); + if (!new_conf_addr) + { + log_error ("conf_reinit: malloc (%d) failed", sz); + goto fail; + } + + /* XXX I assume short reads won't happen here. */ + if (read (fd, new_conf_addr, sz) != sz) + { + log_error ("conf_reinit: read (%d, %p, %d) failed", + fd, new_conf_addr, sz); + goto fail; + } + close (fd); + + trans = conf_begin (); + + /* XXX Should we not care about errors and rollback? */ + conf_parse (trans, new_conf_addr, sz); + } + else + trans = conf_begin (); + + /* Free potential existing configuration. */ + if (conf_addr) + { + for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) + for (cb = LIST_FIRST (&conf_bindings[i]); cb; + cb = LIST_FIRST (&conf_bindings[i])) + conf_remove_now (cb->section, cb->tag); + free (conf_addr); + } + + conf_end (trans, 1); + conf_addr = new_conf_addr; + return; + + fail: + if (new_conf_addr) + free (new_conf_addr); + close (fd); +} + +/* + * Return the numeric value denoted by TAG in section SECTION or DEF + * if that tag does not exist. + */ +int +conf_get_num (char *section, char *tag, int def) +{ + char *value = conf_get_str (section, tag); + + if (value) + return atoi (value); + return def; +} + +/* Validate X according to the range denoted by TAG in section SECTION. 
*/ +int +conf_match_num (char *section, char *tag, int x) +{ + char *value = conf_get_str (section, tag); + int val, min, max, n; + + if (!value) + return 0; + n = sscanf (value, "%d,%d:%d", &val, &min, &max); + switch (n) + { + case 1: + LOG_DBG ((LOG_MISC, 90, "conf_match_num: %s:%s %d==%d?", section, tag, + val, x)); + return x == val; + case 3: + LOG_DBG ((LOG_MISC, 90, "conf_match_num: %s:%s %d<=%d<=%d?", section, + tag, min, x, max)); + return min <= x && max >= x; + default: + log_error ("conf_match_num: section %s tag %s: invalid number spec %s", + section, tag, value); + } + return 0; +} + +/* Return the string value denoted by TAG in section SECTION. */ +char * +conf_get_str (char *section, char *tag) +{ + struct conf_binding *cb; + + for (cb = LIST_FIRST (&conf_bindings[conf_hash (section)]); cb; + cb = LIST_NEXT (cb, link)) + if (strcasecmp (section, cb->section) == 0 + && strcasecmp (tag, cb->tag) == 0) + { + LOG_DBG ((LOG_MISC, 60, "conf_get_str: [%s]:%s->%s", section, + tag, cb->value)); + return cb->value; + } +#if BEW_DO_WE_REALLY_NEED_THIS_ANNOYING_MESSAGE + LOG_DBG ((LOG_MISC, 60, + "conf_get_str: configuration value not found [%s]:%s", section, + tag)); +#endif + return 0; +} + +/* + * Build a list of string values out of the comma separated value denoted by + * TAG in SECTION. 
+ */ +struct conf_list * +conf_get_list (char *section, char *tag) +{ + char *liststr = 0, *p, *field; + struct conf_list *list = 0; + struct conf_list_node *node; + + list = malloc (sizeof *list); + if (!list) + goto cleanup; + TAILQ_INIT (&list->fields); + list->cnt = 0; + liststr = conf_get_str (section, tag); + if (!liststr) + goto cleanup; + liststr = strdup (liststr); + if (!liststr) + goto cleanup; + p = liststr; + while ((field = strsep (&p, ", \t")) != NULL) + { + if (*field == '\0') + { + log_print ("conf_get_list: empty field, ignoring..."); + continue; + } + list->cnt++; + node = calloc (1, sizeof *node); + if (!node) + goto cleanup; + node->field = strdup (field); + if (!node->field) + goto cleanup; + TAILQ_INSERT_TAIL (&list->fields, node, link); + } + free (liststr); + return list; + + cleanup: + if (list) + conf_free_list (list); + if (liststr) + free (liststr); + return 0; +} + +struct conf_list * +conf_get_tag_list (char *section) +{ + struct conf_list *list = 0; + struct conf_list_node *node; + struct conf_binding *cb; + + list = malloc (sizeof *list); + if (!list) + goto cleanup; + TAILQ_INIT (&list->fields); + list->cnt = 0; + for (cb = LIST_FIRST (&conf_bindings[conf_hash (section)]); cb; + cb = LIST_NEXT (cb, link)) + if (strcasecmp (section, cb->section) == 0) + { + list->cnt++; + node = calloc (1, sizeof *node); + if (!node) + goto cleanup; + node->field = strdup (cb->tag); + if (!node->field) + goto cleanup; + TAILQ_INSERT_TAIL (&list->fields, node, link); + } + return list; + + cleanup: + if (list) + conf_free_list (list); + return 0; +} + +/* Decode a PEM encoded buffer. 
*/ +int +conf_decode_base64 (u_int8_t *out, u_int32_t *len, u_char *buf) +{ + u_int32_t c = 0; + u_int8_t c1, c2, c3, c4; + + while (*buf) + { + if (*buf > 127 || (c1 = asc2bin[*buf]) == 255) + return 0; + buf++; + + if (*buf > 127 || (c2 = asc2bin[*buf]) == 255) + return 0; + buf++; + + if (*buf == '=') + { + c3 = c4 = 0; + c++; + + /* Check last four bit */ + if (c2 & 0xF) + return 0; + + if (strcmp ((char *)buf, "==") == 0) + buf++; + else + return 0; + } + else if (*buf > 127 || (c3 = asc2bin[*buf]) == 255) + return 0; + else + { + if (*++buf == '=') + { + c4 = 0; + c += 2; + + /* Check last two bit */ + if (c3 & 3) + return 0; + + if (strcmp ((char *)buf, "=")) + return 0; + + } + else if (*buf > 127 || (c4 = asc2bin[*buf]) == 255) + return 0; + else + c += 3; + } + + buf++; + *out++ = (c1 << 2) | (c2 >> 4); + *out++ = (c2 << 4) | (c3 >> 2); + *out++ = (c3 << 6) | c4; + } + + *len = c; + return 1; + +} + +/* Read a line from a stream to the buffer. */ +int +conf_get_line (FILE *stream, char *buf, u_int32_t len) +{ + int c; + + while (len-- > 1) + { + c = fgetc (stream); + if (c == '\n') + { + *buf = 0; + return 1; + } + else if (c == EOF) + break; + + *buf++ = c; + } + + *buf = 0; + return 0; +} + +void +conf_free_list (struct conf_list *list) +{ + struct conf_list_node *node = TAILQ_FIRST (&list->fields); + + while (node) + { + TAILQ_REMOVE (&list->fields, node, link); + if (node->field) + free (node->field); + free (node); + node = TAILQ_FIRST (&list->fields); + } + free (list); +} + +int +conf_begin (void) +{ + static int seq = 0; + + return ++seq; +} + +static struct conf_trans * +conf_trans_node (int transaction, enum conf_op op) +{ + struct conf_trans *node; + + node = calloc (1, sizeof *node); + if (!node) + { + log_error ("conf_trans_node: calloc (1, %d) failed", sizeof *node); + return 0; + } + node->trans = transaction; + node->op = op; + TAILQ_INSERT_TAIL (&conf_trans_queue, node, link); + return node; +} + +/* Queue a set operation. 
*/ +int +conf_set (int transaction, char *section, char *tag, char *value, int override, + int is_default) +{ + struct conf_trans *node; + + node = conf_trans_node (transaction, CONF_SET); + if (!node) + return 1; + node->section = strdup (section); + if (!node->section) + { + log_error ("conf_set: strdup (\"%s\") failed", section); + goto fail; + } + node->tag = strdup (tag); + if (!node->tag) + { + log_error ("conf_set: strdup (\"%s\") failed", tag); + goto fail; + } + node->value = strdup (value); + if (!node->value) + { + log_error ("conf_set: strdup (\"%s\") failed", value); + goto fail; + } + node->override = override; + node->is_default = is_default; + return 0; + + fail: + if (node->tag) + free (node->tag); + if (node->section) + free (node->section); + if (node) + free (node); + return 1; +} + +/* Queue a remove operation. */ +int +conf_remove (int transaction, char *section, char *tag) +{ + struct conf_trans *node; + + node = conf_trans_node (transaction, CONF_REMOVE); + if (!node) + goto fail; + node->section = strdup (section); + if (!node->section) + { + log_error ("conf_remove: strdup (\"%s\") failed", section); + goto fail; + } + node->tag = strdup (tag); + if (!node->tag) + { + log_error ("conf_remove: strdup (\"%s\") failed", tag); + goto fail; + } + return 0; + + fail: + if (node->section) + free (node->section); + if (node) + free (node); + return 1; +} + +/* Queue a remove section operation. */ +int +conf_remove_section (int transaction, char *section) +{ + struct conf_trans *node; + + node = conf_trans_node (transaction, CONF_REMOVE_SECTION); + if (!node) + goto fail; + node->section = strdup (section); + if (!node->section) + { + log_error ("conf_remove_section: strdup (\"%s\") failed", section); + goto fail; + } + return 0; + + fail: + if (node) + free (node); + return 1; +} + +/* Execute all queued operations for this transaction. Cleanup. 
*/ +int +conf_end (int transaction, int commit) +{ + struct conf_trans *node, *next; + + for (node = TAILQ_FIRST (&conf_trans_queue); node; node = next) + { + next = TAILQ_NEXT (node, link); + if (node->trans == transaction) + { + if (commit) + switch (node->op) + { + case CONF_SET: + conf_set_now (node->section, node->tag, node->value, + node->override, node->is_default); + break; + case CONF_REMOVE: + conf_remove_now (node->section, node->tag); + break; + case CONF_REMOVE_SECTION: + conf_remove_section_now (node->section); + break; + default: + log_print ("conf_end: unknown operation: %d", node->op); + } + TAILQ_REMOVE (&conf_trans_queue, node, link); + if (node->section) + free (node->section); + if (node->tag) + free (node->tag); + if (node->value) + free (node->value); + free (node); + } + } + return 0; +} + +/* + * Dump running configuration upon SIGUSR1. + * XXX Configuration is "stored in reverse order", so reverse it. + */ +struct dumper { + char *s, *v; + struct dumper *next; +}; + +static void +conf_report_dump (struct dumper *node) +{ + /* Recursive, cleanup when we're done. 
*/ + + if (node->next) + conf_report_dump (node->next); + + if (node->v) + LOG_DBG ((LOG_REPORT, 0, "%s=\t%s", node->s, node->v)); + else if (node->s) + { + LOG_DBG ((LOG_REPORT, 0, "%s", node->s)); + if (strlen (node->s) > 0) + free (node->s); + } + + free (node); +} + +void +conf_report (void) +{ + struct conf_binding *cb, *last = NULL; + int i; + char *current_section = (char *)0; + struct dumper *dumper, *dnode; + + dumper = dnode = (struct dumper *)calloc (1, sizeof *dumper); + if (!dumper) + goto mem_fail; + + LOG_DBG ((LOG_REPORT, 0, "conf_report: dumping running configuration")); + + for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) + for (cb = LIST_FIRST (&conf_bindings[i]); cb; + cb = LIST_NEXT (cb, link)) + { + if (!cb->is_default) + { + /* Dump this entry */ + if (!current_section || strcmp (cb->section, current_section)) + { + if (current_section) + { + dnode->s = malloc (strlen (current_section) + 3); + if (!dnode->s) + goto mem_fail; + + sprintf (dnode->s, "[%s]", current_section); + dnode->next + = (struct dumper *)calloc (1, sizeof (struct dumper)); + dnode = dnode->next; + if (!dnode) + goto mem_fail; + + dnode->s = ""; + dnode->next + = (struct dumper *)calloc (1, sizeof (struct dumper)); + dnode = dnode->next; + if (!dnode) + goto mem_fail; + } + current_section = cb->section; + } + dnode->s = cb->tag; + dnode->v = cb->value; + dnode->next = (struct dumper *)calloc (1, sizeof (struct dumper)); + dnode = dnode->next; + if (!dnode) + goto mem_fail; + last = cb; + } + } + + if (last) + { + dnode->s = malloc (strlen (last->section) + 3); + if (!dnode->s) + goto mem_fail; + sprintf (dnode->s, "[%s]", last->section); + } + + conf_report_dump (dumper); + + return; + + mem_fail: + LOG_DBG ((LOG_REPORT, 0, "conf_report: memory allocation failure.")); + while ((dnode = dumper) != NULL) + { + dumper = dumper->next; + if (dnode->s) + free (dnode->s); + free (dnode); + } + return; +} 
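Review bot: The `fail:` paths of conf_set, conf_remove and conf_remove_section in src/conf.c free a node that conf_trans_node has already linked into conf_trans_queue with TAILQ_INSERT_TAIL, so after a failed strdup the queue keeps a pointer to freed memory that conf_end and conf_get_trans_str later walk. conf_remove additionally jumps to `fail:` on `if (!node)` and then reads `node->section`, which dereferences NULL when the calloc in conf_trans_node fails. I would return straight away on the allocation failure, `if (!node) return 1;`, and unlink before releasing in all three functions, `TAILQ_REMOVE (&conf_trans_queue, node, link);` ahead of `free (node);`. A one-line comment on conf_trans_node saying that the returned node is already queued would make the ownership rule visible to the next caller.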
diff --git a/src/conf.h b/src/conf.h
new file mode 100644
index 0000000..37fc0ff
--- /dev/null
+++ b/src/conf.h
@@ -0,0 +1,98 @@
+/* $Id: conf.h,v 1.3 2003/08/15 23:24:03 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/conf.h,v $ */
+
+/* $OpenBSD: conf.h,v 1.14 2001/01/27 12:03:31 niklas Exp $ */
+/* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2000 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _CONF_H_ +#define _CONF_H_ + +#include +#include +#include + +#define CONFIG_FILE "/etc/gdoid/gdoid.conf" + +/* Default values for autogenerated part of our configuration. */ +#define CONF_DFLT_TAG_LIFE_MAIN_MODE "LIFE_MAIN_MODE" +#define CONF_DFLT_TYPE_LIFE_MAIN_MODE "SECONDS" +#define CONF_DFLT_VAL_LIFE_MAIN_MODE "3600,60:86400" + +#define CONF_DFLT_TAG_LIFE_QUICK_MODE "LIFE_QUICK_MODE" +#define CONF_DFLT_TYPE_LIFE_QUICK_MODE "SECONDS" +#define CONF_DFLT_VAL_LIFE_QUICK_MODE "1200,60:86400" + +#define CONF_DFLT_VAL_BLF_KEYLEN "128,96:192" + +#define CONF_DFLT_RETRANSMITS "3" +#define CONF_DFLT_EXCH_MAX_TIME "120" + +#define CONF_DFLT_X509_CA_DIR "/etc/gdoid/ca/" +#define CONF_DFLT_X509_CERT_DIR "/etc/gdoid/certs/" +#define CONF_DFLT_X509_PRIVATE_KEY "/etc/gdoid/private/local.key" + +#define CONF_DFLT_KEYNOTE_CRED_DIR "/etc/gdoid/keynote/" +struct conf_list_node { + TAILQ_ENTRY (conf_list_node) link; + char *field; +}; + +struct conf_list { + int cnt; + TAILQ_HEAD (conf_list_fields_head, conf_list_node) fields; +}; + +extern char *conf_path; + +extern int conf_begin (void); +extern int conf_decode_base64 (u_int8_t *out, u_int32_t *len, u_char *buf); +extern int conf_end (int, int); +extern void conf_free_list (struct conf_list *); +extern int conf_get_line (FILE *, char *, u_int32_t); +extern struct conf_list *conf_get_list (char *, char *); +extern struct conf_list 
*conf_get_tag_list (char *); +extern int conf_get_num (char *, char *, int); +extern char *conf_get_str (char *, char *); +extern void conf_init (void); +extern int conf_match_num (char *, char *, int); +extern void conf_reinit (void); +extern int conf_remove (int, char *, char *); +extern int conf_remove_section (int, char *); +extern int conf_set (int, char *, char *, char *, int, int); +extern void conf_report (void); + +#endif /* _CONF_H_ */ diff --git a/src/connection.c b/src/connection.c new file mode 100644 index 0000000..19435f4 --- /dev/null +++ b/src/connection.c 
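Review bot: The prototype `conf_decode_base64 (u_int8_t *out, u_int32_t *len, u_char *buf)` in src/conf.h gives the caller no way to pass the capacity of `out`, and the implementation in conf.c stores three bytes for every four input characters without any bound, so the only protection is the caller sizing the buffer from the input length. That contract should be written at the declaration, for example `/* out must hold 3 * (strlen (buf) / 4) bytes; *len is set only when 1 is returned */`. The second half matters because the function returns 0 on malformed input after it may already have written earlier groups, leaving `*len` untouched. A variant that takes the capacity and checks it would be safer, but it changes the interface and belongs in a separate change.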
@@ -0,0 +1,618 @@
+/* $Id: connection.c,v 1.6.2.1 2011/10/18 03:26:54 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/connection.c,v $ */
+
+/* $OpenBSD: connection.c,v 1.17 2001/03/14 21:13:24 tholo Exp $ */
+/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
+/*
+ * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 1999 Hakan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+#include "sysdep.h"
+
+#include "conf.h"
+#include "connection.h"
+#include "doi.h"
+#include "ipsec.h"
+#include "gdoi_phase2.h"
+
+/* XXX isakmp.h only required for compare_ids(). */
+#include "isakmp.h"
+
+#include "log.h"
+#include "timer.h"
+#include "util.h"
+
+/* How often should we check that connections we require to be up, are up? */
+#define CHECK_INTERVAL 60
+
+struct connection
+{
+ TAILQ_ENTRY (connection) link;
+ char *name;
+ struct event *ev;
+};
+
+struct connection_passive
+{
+ TAILQ_ENTRY (connection_passive) link;
+ char *name;
+ u_int8_t *local_id, *remote_id, *group_id;
+ size_t local_sz, remote_sz, group_sz;
+
+#if 0
+ /* XXX Potential additions to 'connection_passive'. */
+ char *isakmp_peer;
+ struct sa *sa; /* XXX "Soft" ref to active sa? */
+ struct timeval sa_expiration; /* XXX *sa may expire. */
+#endif
+};
+
+TAILQ_HEAD (connection_head, connection) connections;
+TAILQ_HEAD (passive_head, connection_passive) connections_passive;
+
+/*
+ * This is where we setup all the connections we want there right from the
+ * start.
+ */
+void
+connection_init ()
+{
+ struct conf_list *conns, *attrs;
+ struct conf_list_node *conn, *attr = NULL;
+
+ /*
+ * Passive connections normally include: all "active" connections that
+ * are not flagged "Active-Only", plus all connections listed in
+ * the 'Passive-Connections' list.
+ */
+
+ TAILQ_INIT (&connections);
+ TAILQ_INIT (&connections_passive);
+
+ conns = conf_get_list ("Phase 2", "Connections");
+ if (conns)
+ {
+ for (conn = TAILQ_FIRST (&conns->fields); conn;
+ conn = TAILQ_NEXT (conn, link))
+ {
+ if (connection_setup (conn->field))
+ log_print ("connection_init: could not setup \"%s\"", conn->field);
+
+ /* XXX Break/abort here if connection_setup failed? */
+
+ /*
+ * XXX This code (i.e. the attribute lookup) seems like a
+ * likely candidate for factoring out into a function of its
+ * own.
+ */
+ attrs = conf_get_list (conn->field, "Flags");
+ if (attrs)
+ for (attr = TAILQ_FIRST (&attrs->fields); attr;
+ attr = TAILQ_NEXT (attr, link))
+ if (strcasecmp ("active-only", attr->field) == 0)
+ break;
+ if (!attrs || (attrs && !attr))
+ if (connection_record_passive (conn->field))
+ log_print ("connection_init: could not record "
+ "connection \"%s\"", conn->field);
+ if (attrs)
+ conf_free_list (attrs);
+
+ }
+ conf_free_list (conns);
+ }
+
+ conns = conf_get_list ("Phase 2", "Passive-Connections");
+ if (conns)
+ {
+ for (conn = TAILQ_FIRST (&conns->fields); conn;
+ conn = TAILQ_NEXT (conn, link))
+ if (connection_record_passive (conn->field))
+ log_print ("connection_init: could not record passive "
+ "connection \"%s\"", conn->field);
+ conf_free_list (conns);
+ }
+}
+
+/* Check the connection in VCONN and schedule another check later. */
+static void
+connection_checker (void *vconn)
+{
+ struct timeval now;
+ struct connection *conn = vconn;
+
+ gettimeofday (&now, 0);
+ now.tv_sec += conf_get_num ("General", "check-interval", CHECK_INTERVAL);
+ conn->ev
+ = timer_add_event ("connection_checker", connection_checker, conn, &now);
+ if (!conn->ev)
+ log_print ("connection_checker: could not add timer event");
+ sysdep_connection_check (conn->name);
+}
+
+/* Find the connection named NAME. */
+static struct connection *
+connection_lookup (char *name)
+{
+ struct connection *conn;
+
+ for (conn = TAILQ_FIRST (&connections); conn; conn = TAILQ_NEXT (conn, link))
+ if (strcasecmp (conn->name, name) == 0)
+ return conn;
+ return 0;
+}
+
+/* Does the connection named NAME exist? */
+int
+connection_exist (char *name)
+{
+ return (connection_lookup (name) != NULL);
+}
+
+/* Find the passive connection named NAME. */
+static struct connection_passive *
+connection_passive_lookup_by_name (char *name)
+{
+ struct connection_passive *conn;
+
+ for (conn = TAILQ_FIRST (&connections_passive); conn;
+ conn = TAILQ_NEXT (conn, link))
+ if (strcasecmp (conn->name, name) == 0)
+ return conn;
+ return 0;
+}
+
+/*
+ * IDs of different types cannot be the same.
+ * XXX Rename to ipsec_compare_id, and move to ipsec.c ?
+ */
+int
+compare_ids (u_int8_t *id1, u_int8_t *id2, size_t idlen)
+{
+ int id1_type, id2_type;
+
+ id1_type = GET_ISAKMP_ID_TYPE (id1);
+ id2_type = GET_ISAKMP_ID_TYPE (id2);
+
+ return id1_type == id2_type
+ ? memcmp (id1 + ISAKMP_ID_DATA_OFF, id2 + ISAKMP_ID_DATA_OFF,
+ idlen - ISAKMP_ID_DATA_OFF) : -1;
+}
+
+/* Find the connection named with matching IDs. */
+char *
+connection_passive_lookup_by_ids (u_int8_t *id1, u_int8_t *id2)
+{
+ struct connection_passive *conn;
+
+ for (conn = TAILQ_FIRST (&connections_passive); conn;
+ conn = TAILQ_NEXT (conn, link))
+ {
+ if (conn->remote_id == NULL)
+ continue;
+
+ /*
+ * If both IDs match what we have saved, return the name. Don't bother
+ * in which order they are.
+ */
+ if ((compare_ids (id1, conn->local_id, conn->local_sz) == 0
+ && compare_ids (id2, conn->remote_id, conn->remote_sz) == 0)
+ || (compare_ids (id1, conn->remote_id, conn->remote_sz) == 0
+ && compare_ids (id2, conn->local_id, conn->local_sz) == 0))
+ {
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_passive_lookup_by_ids: returned \"%s\"",
+ conn->name));
+ return conn->name;
+ }
+ }
+
+ /* In the road warrior case, we do not know the remote ID. In that
+ * case we will just match against the local ID.
+ */
+ for (conn = TAILQ_FIRST (&connections_passive); conn;
+ conn = TAILQ_NEXT (conn, link))
+ {
+ if (conn->remote_id != NULL)
+ continue;
+
+ if (compare_ids (id1, conn->local_id, conn->local_sz) == 0
+ || compare_ids (id2, conn->local_id, conn->local_sz) == 0)
+ {
+ LOG_DBG ((LOG_MISC, 60,
+ "connection passive_lookup_by_ids: returned \"%s\""
+ " only matched local id", conn->name));
+ return conn->name;
+ }
+ }
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_passive_lookup_by_ids: no match"));
+ return 0;
+}
+
+/* Find the connection named with matching group ID. */
+char *
+connection_passive_lookup_by_group_id (u_int8_t *id1)
+{
+ struct connection_passive *conn;
+
+ for (conn = TAILQ_FIRST (&connections_passive); conn;
+ conn = TAILQ_NEXT (conn, link))
+ {
+ /*
+ * If the group ID matches what we have saved, return the name.
+ */
+ if (compare_ids (id1, conn->group_id, conn->group_sz) == 0)
+ {
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_passive_lookup_by_group_id: returned \"%s\"",
+ conn->name));
+ return conn->name;
+ }
+ }
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_passive_lookup_by_group_id: no match"));
+ return 0;
+}
+
+/*
+ * Setup NAME to be a connection that should be up "always", i.e. if it dies,
+ * for whatever reason, it should be tried to be brought up, over and over
+ * again.
+ */
+int
+connection_setup (char *name)
+{
+ struct connection *conn = 0;
+ struct timeval now;
+
+ /* Check for trials to add duplicate connections. */
+ if (connection_lookup (name))
+ {
+ LOG_DBG ((LOG_MISC, 10, "connection_setup: cannot add \"%s\" twice",
+ name));
+ return 0;
+ }
+
+ conn = calloc (1, sizeof *conn);
+ if (!conn)
+ {
+ log_error ("connection_setup: calloc (1, %d) failed", sizeof *conn);
+ goto fail;
+ }
+
+ conn->name = strdup (name);
+ if (!conn->name)
+ {
+ log_error ("connection_setup: strdup (\"%s\") failed", name);
+ goto fail;
+ }
+
+ gettimeofday (&now, 0);
+ conn->ev
+ = timer_add_event ("connection_checker", connection_checker, conn, &now);
+ if (!conn->ev)
+ {
+ log_print ("connection_setup: could not add timer event");
+ goto fail;
+ }
+
+ TAILQ_INSERT_TAIL (&connections, conn, link);
+ return 0;
+
+ fail:
+ if (conn)
+ {
+ if (conn->name)
+ free (conn->name);
+ free (conn);
+ }
+ return -1;
+}
+
+int
+connection_record_passive_ipsec (char *name, char *local_id, char *remote_id)
+{
+ struct connection_passive *conn;
+
+ local_id = conf_get_str (name, "Local-ID");
+ if (!local_id)
+ {
+ log_print ("connection_record_passive: "
+ "\"Local-ID\" is missing from section [%s]",
+ name);
+ return -1;
+ }
+
+ /* If the remote id lookup fails we defer it to later */
+ remote_id = conf_get_str (name, "Remote-ID");
+
+ conn = calloc (1, sizeof *conn);
+ if (!conn)
+ {
+ log_error ("connection_record_passive: calloc (1, %d) failed",
+ sizeof *conn);
+ return -1;
+ }
+
+ conn->name = strdup (name);
+ if (!conn->name)
+ {
+ log_error ("connection_record_passive: strdup (\"%s\") failed", name);
+ goto fail;
+ }
+
+ /* XXX IPSec DOI-specific. */
+ conn->local_id = ipsec_build_id (local_id, &conn->local_sz);
+ if (!conn->local_id)
+ goto fail;
+
+ if (remote_id)
+ {
+ conn->remote_id = ipsec_build_id (remote_id, &conn->remote_sz);
+ if (!conn->remote_id)
+ goto fail;
+ }
+ else
+ conn->remote_id = NULL;
+
+ TAILQ_INSERT_TAIL (&connections_passive, conn, link);
+
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_record_passive: passive connection \"%s\" "
+ "added", conn->name));
+ return 0;
+
+ fail:
+ if (conn->local_id)
+ free (conn->local_id);
+ if (conn->name)
+ free (conn->name);
+ free (conn);
+ return -1;
+}
+
+int
+connection_record_passive_gdoi (char *name, char *group_id)
+{
+ struct connection_passive *conn;
+
+ conn = calloc (1, sizeof *conn);
+ if (!conn)
+ {
+ log_error ("connection_record_passive: calloc (1, %d) failed",
+ sizeof *conn);
+ return -1;
+ }
+
+ conn->name = strdup (name);
+ if (!conn->name)
+ {
+ log_error ("connection_record_passive: strdup (\"%s\") failed", name);
+ goto fail;
+ }
+
+ conn->group_id = group_build_id (group_id, &conn->group_sz);
+ if (!conn->group_id)
+ goto fail;
+
+ TAILQ_INSERT_TAIL (&connections_passive, conn, link);
+
+ LOG_DBG ((LOG_MISC, 60,
+ "connection_record_passive: passive connection \"%s\" "
+ "added", conn->name));
+ return 0;
+
+ fail:
+ if (conn->group_id)
+ free (conn->group_id);
+ if (conn->name)
+ free (conn->name);
+ free (conn);
+ return -1;
+}
+
+int
+connection_record_passive (char *name)
+{
+ if (connection_passive_lookup_by_name (name))
+ {
+ LOG_DBG ((LOG_MISC, 10,
+ "connection_record_passive: cannot add \"%s\" twice",
+ name));
+ return 0;
+ }
+
+ if (connection_record_passive_gdoi (name, name))
+ {
+ log_print ("connection_record_passive: "
+ "\"ID-type\" missing from section [%s]", name);
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Remove the connection named NAME. */
+void
+connection_teardown (char *name)
+{
+ struct connection *conn;
+
+ conn = connection_lookup (name);
+ if (!conn)
+ return;
+
+ TAILQ_REMOVE (&connections, conn, link);
+ timer_remove_event (conn->ev);
+ free (conn->name);
+ free (conn);
+}
+
+/* Remove the passive connection named NAME. */
+void
+connection_passive_teardown (char *name)
+{
+ struct connection_passive *conn;
+
+ conn = connection_passive_lookup_by_name (name);
+ if (!conn)
+ return;
+
+ TAILQ_REMOVE (&connections_passive, conn, link);
+ free (conn->name);
+ free (conn->local_id);
+ free (conn->remote_id);
+ free (conn);
+}
+
+void
+connection_report (void)
+{
+ struct connection *conn;
+ struct timeval now;
+#ifdef USE_DEBUG
+ struct connection_passive *pconn;
+ struct doi *doi = doi_lookup (ISAKMP_DOI_ISAKMP);
+#endif
+
+ gettimeofday (&now, 0);
+ for (conn = TAILQ_FIRST (&connections); conn; conn = TAILQ_NEXT (conn, link))
+ LOG_DBG ((LOG_REPORT, 0,
+ "connection_report: connection %s next check %ld seconds",
+ (conn->name ? conn->name : ""),
+ conn->ev->expiration.tv_sec - now.tv_sec));
+#ifdef USE_DEBUG
+ for (pconn = TAILQ_FIRST (&connections_passive); pconn;
+ pconn = TAILQ_NEXT (pconn, link))
+ LOG_DBG ((LOG_REPORT, 0,
+ "connection_report: passive connection %s %s", pconn->name,
+ doi->decode_ids ("local_id: %s, remote_id: %s",
+ pconn->local_id, pconn->local_sz,
+ pconn->remote_id, pconn->remote_sz, 1)));
+#endif
+}
+
+/* Reinitialize all connections (SIGHUP handling). */
+void
+connection_reinit (void)
+{
+ struct connection *conn, *next;
+ struct connection_passive *pconn, *pnext;
+
+ LOG_DBG ((LOG_MISC, 30,
+ "connection_reinit: reinitializing connection list"));
+
+ /* Remove all present connections. */
+ for (conn = TAILQ_FIRST (&connections); conn; conn = next)
+ {
+ next = TAILQ_NEXT (conn, link);
+ connection_teardown (conn->name);
+ }
+
+ for (pconn = TAILQ_FIRST (&connections_passive); pconn; pconn = pnext)
+ {
+ pnext = TAILQ_NEXT (pconn, link);
+ connection_passive_teardown (pconn->name);
+ }
+
+ /* Setup new connections, as the (new) config directs. */
+ connection_init ();
+}
diff --git a/src/connection.h b/src/connection.h
new file mode 100644
index 0000000..24085bc
--- /dev/null
+++ b/src/connection.h
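Review bot: `compare_ids` in src/connection.c reads through both pointers and computes `idlen - ISAKMP_ID_DATA_OFF` with no check, yet entries created through `connection_record_passive` (which only calls `connection_record_passive_gdoi`) keep the NULL `local_id` and zero `local_sz` left by `calloc`, so the second loop of `connection_passive_lookup_by_ids` passes a NULL pointer and a zero length to it. A guard at the top of `compare_ids`, `if (!id1 || !id2 || idlen < ISAKMP_ID_DATA_OFF) return -1;`, closes both the NULL read and the `size_t` underflow in the `memcmp` length. The length passed is always the stored ID's size, so the received ID is presumably assumed to be at least that long; the callers are outside this file, so that assumption should be confirmed or a received-length argument added. Separately, `connection_passive_teardown` frees `local_id` and `remote_id` but not `group_id`, so every `connection_reinit` leaks it; add `free (conn->group_id);` there.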
@@ -0,0 +1,120 @@ +/* $Id: connection.h,v 1.2.4.1 2011/10/18 03:26:54 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/connection.h,v $ */ + +/* $OpenBSD: connection.h,v 1.3 1999/07/07 22:12:20 niklas Exp $ */ +/* $EOM: connection.h,v 1.6 1999/06/07 00:10:48 ho Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Hakan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +/* + * The connection module deals with connections that should always be up. 
+ */ + +#ifndef _CONNECTION_H_ +#define _CONNECTION_H_ + +#include + +extern int connection_exist (char *); +extern void connection_init (void); +extern char *connection_passive_lookup_by_ids (u_int8_t *, u_int8_t *); +extern char *connection_passive_lookup_by_group_id (u_int8_t *); +extern void connection_reinit (void); +extern void connection_report (void); +extern int connection_setup (char *); +extern int connection_record_passive (char *); +extern void connection_teardown (char *); + +#endif /* _CONNECTION_H_ */ diff --git a/src/constants.c b/src/constants.c new file mode 100644 index 0000000..44a499f --- /dev/null +++ b/src/constants.c 
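Review bot: `connection_passive_teardown` is defined with external linkage in src/connection.c but has no prototype in this header, while its counterpart `connection_teardown` does. Either add `extern void connection_passive_teardown (char *);` here or mark the definition `static`, since the only call visible in this patch is from `connection_reinit` in the same file.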
@@ -0,0 +1,109 @@
+/* $Id: constants.c,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/constants.c,v $ */
+
+/* $OpenBSD: constants.c,v 1.6 1999/04/19 19:54:53 niklas Exp $ */
+/* $EOM: constants.c,v 1.7 1999/04/02 00:57:31 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+#include
+
+#include "sysdep.h"
+
+#include "constants.h"
+
+int
+constant_value (struct constant_map *map, char *name)
+{
+ struct constant_map *entry = map;
+
+ for (entry = map; entry->name; entry++)
+ if (strcasecmp (entry->name, name) == 0)
+ return entry->value;
+ return 0;
+}
+
+char *
+constant_lookup (struct constant_map *map, int value)
+{
+ struct constant_map *entry = map;
+
+ for (entry = map; entry->name; entry++)
+ if (entry->value == value)
+ return entry->name;
+ return 0;
+}
+
+struct constant_map *
+constant_link_lookup (struct constant_map *map, int value)
+{
+ struct constant_map *entry = map;
+
+ for (entry = map; entry->name; entry++)
+ if (entry->value == value)
+ return entry->link;
+ return 0;
+}
+
+char *
+constant_name (struct constant_map *map, int value)
+{
+ static char tmp[32]; /* XXX Ugly, I know. */
+ char *retval = constant_lookup (map, value);
+
+ if (!retval)
+ {
+ snprintf (tmp, 32, "", value);
+ return tmp;
+ }
+ return retval;
+}
+
+char *
+constant_name_maps (struct constant_map **maps, int value)
+{
+ static char tmp[32]; /* XXX Ugly, I know. */
+ char *retval;
+ struct constant_map **map;
+
+ for (map = maps; *map; map++)
+ {
+ retval = constant_lookup (*map, value);
+ if (retval)
+ return retval;
+ }
+ snprintf (tmp, 32, "", value);
+ return tmp;
+}
diff --git a/src/constants.h b/src/constants.h
new file mode 100644
index 0000000..29df1c1
--- /dev/null
+++ b/src/constants.h
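Review bot: `constant_name` and `constant_name_maps` each return a pointer to a function-local `static char tmp[32]` when the value is not found, so a second unknown-value call through the same function overwrites the first result; a caller that passes two such results to one log call would print the same text twice. None of the five functions has a header comment; I would at least add `/* Returns the name for VALUE, or a pointer to static storage that the next call overwrites. */` above those two. The buffer size is repeated as a literal in `snprintf (tmp, 32, ...)`; `sizeof tmp` keeps the two in step. `constant_value` returns 0 both for an unknown name and for a name that maps to 0, which is worth stating in its comment.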
@@ -0,0 +1,55 @@ +/* $Id: constants.h,v 1.2 2002/05/10 04:25:11 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/constants.h,v $ */ + +/* $OpenBSD: constants.h,v 1.4 1998/11/20 07:34:06 niklas Exp $ */ +/* $EOM: constants.h,v 1.5 1998/11/20 07:17:01 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _CONSTANTS_H_ +#define _CONSTANTS_H_ + +struct constant_map { + int value; + char *name; + struct constant_map *link; +}; + +struct constant_map *constant_link_lookup (struct constant_map *, int); +extern char *constant_lookup (struct constant_map *, int); +extern char *constant_name (struct constant_map *, int); +extern char *constant_name_maps (struct constant_map **, int); +extern int constant_value (struct constant_map *, char *); + +#endif /* _CONSTANTS_H_ */ diff --git a/src/cookie.c b/src/cookie.c new file mode 100644 index 0000000..336869f --- /dev/null +++ b/src/cookie.c 
@@ -0,0 +1,132 @@ +/* $Id: cookie.c,v 1.4 2007/03/21 20:02:55 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/cookie.c,v $ */ + +/* $OpenBSD: cookie.c,v 1.6 1999/08/05 22:40:37 niklas Exp $ */ +/* $EOM: cookie.c,v 1.21 1999/08/05 15:00:04 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include + +#include "sysdep.h" + +#include "cookie.h" +#include "exchange.h" +#include "hash.h" +#include "log.h" +#include "timer.h" +#include "transport.h" +#include "util.h" + +#define COOKIE_EVENT_FREQ 360 +#define COOKIE_SECRET_SIZE 16 + +void cookie_secret_reset (void); + +u_int8_t cookie_secret[COOKIE_SECRET_SIZE]; + +/* + * Generate an anti-clogging token (a protection against an attacker forcing + * us to keep state for a flood of connection requests) a.k.a. a cookie + * at BUF, LEN bytes long. The cookie will be generated by hashing of + * information found, among otherplaces, in transport T and exchange + * EXCHANGE. + */ +void +cookie_gen (struct transport *t, struct exchange *exchange, u_int8_t *buf, + size_t len) +{ + struct hash* hash = hash_get (HASH_SHA1); + struct sockaddr *name; + int name_len; + + hash->Init (hash->ctx); + (*t->vtbl->get_dst) (t, &name, &name_len); + hash->Update (hash->ctx, (u_int8_t *)name, name_len); + (*t->vtbl->get_src) (t, &name, &name_len); + hash->Update (hash->ctx, (u_int8_t *)name, name_len); + if (exchange->initiator) + { + u_int8_t tmpsecret[COOKIE_SECRET_SIZE]; + + getrandom (tmpsecret, COOKIE_SECRET_SIZE); + hash->Update (hash->ctx, tmpsecret, COOKIE_SECRET_SIZE); + } + else + { + hash->Update (hash->ctx, exchange->cookies + ISAKMP_HDR_ICOOKIE_OFF, + ISAKMP_HDR_ICOOKIE_LEN); + hash->Update (hash->ctx, cookie_secret, COOKIE_SECRET_SIZE); + } + + hash->Final ((unsigned char *)hash->digest, hash->ctx); + memcpy (buf, hash->digest, len); +} + +/* + * Reset the secret which is used for the responder cookie. + * As responder we do not want to keep state in the cookie + * exchange, which means when the cookie secret is reset, + * our cookie response has timed out. 
+ */ +void +cookie_secret_reset (void) +{ + getrandom (cookie_secret, COOKIE_SECRET_SIZE); +} + +/* + * Handle the cookie reset event, and reschedule with timer. + */ +void +cookie_reset_event (void *arg) +{ + struct timeval now; + + cookie_secret_reset (); + + gettimeofday (&now, 0); + now.tv_sec += COOKIE_EVENT_FREQ; + timer_add_event ("cookie_reset_event", cookie_reset_event, arg, &now); +} + +void +cookie_init (void) +{ + /* Start responder cookie resets. */ + cookie_reset_event (0); +} diff --git a/src/cookie.h b/src/cookie.h new file mode 100644 index 0000000..faca57f --- /dev/null +++ b/src/cookie.h 
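Review bot: In cookie_gen the final `memcpy (buf, hash->digest, len)` copies a caller-chosen `len` out of the digest without comparing it to the digest size, so any `len` larger than the SHA-1 output reads past the digest and hands adjacent memory to the caller as cookie bytes. struct hash is not shown in this hunk; if it records the digest length (upstream isakmpd has a `hashsize` member, to be confirmed in hash.h here), bound the copy first, for example `if (len > hash->hashsize) len = hash->hashsize;`, or treat an oversized request as an error. The result of `hash_get (HASH_SHA1)` is also dereferenced without a NULL check, and if the `getrandom` wrapper can fail, an unchecked failure would leave `tmpsecret` or `cookie_secret` predictable. `cookie_secret` could additionally be made `static`, since only this file uses it in the visible code.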
@@ -0,0 +1,54 @@
+/* $Id: cookie.h,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/cookie.h,v $ */
+
+/* $OpenBSD: cookie.h,v 1.3 1998/11/17 11:10:09 niklas Exp $ */
+/* $EOM: cookie.h,v 1.5 1998/08/05 09:21:43 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _COOKIE_H_
+#define _COOKIE_H_
+
+#include
+#include
+
+struct exchange;
+struct transport;
+
+extern void cookie_gen (struct transport *, struct exchange *, u_int8_t *,
+ size_t);
+extern void cookie_init (void);
+extern void cookie_reset_event (void *);
+
+#endif /* _COOKIE_H_ */
diff --git a/src/crypto.c b/src/crypto.c
new file mode 100644
index 0000000..312c527
--- /dev/null
+++ b/src/crypto.c
@@ -0,0 +1,307 @@ +/* $Id: crypto.c,v 1.4 2007/03/21 20:02:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/crypto.c,v $ */ + +/* $OpenBSD: crypto.c,v 1.11 2001/02/24 04:42:48 angelos Exp $ */ +/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "crypto.h" +#include "log.h" + +enum cryptoerr des1_init (struct keystate *, u_int8_t *, u_int16_t); +enum cryptoerr des3_init (struct keystate *, u_int8_t *, u_int16_t); +enum cryptoerr aes128_init (struct keystate *, u_int8_t *, u_int16_t); +enum cryptoerr blf_init (struct keystate *, u_int8_t *, u_int16_t); +enum cryptoerr cast_init (struct keystate *, u_int8_t *, u_int16_t); +void des1_encrypt (struct keystate *, u_int8_t *, u_int16_t); +void des1_decrypt (struct keystate *, u_int8_t *, u_int16_t); +void des3_encrypt (struct keystate *, u_int8_t *, u_int16_t); +void des3_decrypt (struct keystate *, u_int8_t *, u_int16_t); +void aes128_encrypt (struct keystate *, u_int8_t *, u_int16_t); +void aes128_decrypt (struct keystate *, u_int8_t *, u_int16_t); +void blf_encrypt (struct keystate *, u_int8_t *, u_int16_t); +void blf_decrypt (struct keystate *, u_int8_t *, u_int16_t); +void cast1_encrypt (struct keystate *, u_int8_t *, u_int16_t); +void cast1_decrypt (struct keystate *, u_int8_t *, u_int16_t); + +struct crypto_xf transforms[] = { +#ifdef USE_DES + { + DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, BLOCKSIZE, 0, + des1_init, + des1_encrypt, des1_decrypt + }, +#endif +#ifdef USE_TRIPLEDES + { + TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, BLOCKSIZE, 0, + des3_init, + des3_encrypt, des3_decrypt + 
}, +#endif + { + AES_CBC_128, "128-bit AES (CBC-Mode)", 16, 16, AES128_BLOCKSIZE, 0, + aes128_init, + aes128_encrypt, aes128_decrypt + }, +}; + +#define DC (void *) + +enum cryptoerr +des1_init (struct keystate *ks, u_int8_t *key, u_int16_t len) +{ + /* des_set_key returns -1 for parity problems, and -2 for weak keys */ + des_set_odd_parity (DC key); + switch (des_set_key (DC key, ks->ks_des[0])) + { + case -2: + return EWEAKKEY; + default: + return EOKAY; + } +} + +void +des1_encrypt (struct keystate *ks, u_int8_t *d, u_int16_t len) +{ + des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_ENCRYPT); +} + +void +des1_decrypt (struct keystate *ks, u_int8_t *d, u_int16_t len) +{ + des_cbc_encrypt (DC d, DC d, len, ks->ks_des[0], DC ks->riv, DES_DECRYPT); +} + +#ifdef USE_TRIPLEDES +enum cryptoerr +des3_init (struct keystate *ks, u_int8_t *key, u_int16_t len) +{ + des_set_odd_parity (DC key); + des_set_odd_parity (DC (key + 8)); + des_set_odd_parity (DC (key + 16)); + + /* As of the draft Tripe-DES does not check for weak keys */ + des_set_key (DC key, ks->ks_des[0]); + des_set_key (DC (key + 8), ks->ks_des[1]); + des_set_key (DC (key + 16), ks->ks_des[2]); + + return EOKAY; +} + +void +des3_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) +{ + u_int8_t iv[MAXBLK]; + + memcpy (iv, ks->riv, ks->xf->blocksize); + des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1], + ks->ks_des[2], DC iv, DES_ENCRYPT); +} + +void +des3_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) +{ + u_int8_t iv[MAXBLK]; + + memcpy (iv, ks->riv, ks->xf->blocksize); + des_ede3_cbc_encrypt (DC data, DC data, len, ks->ks_des[0], ks->ks_des[1], + ks->ks_des[2], DC iv, DES_DECRYPT); +} +#undef DC +#endif /* USE_TRIPLEDES */ + +enum cryptoerr +aes128_init (struct keystate *ks, u_int8_t *key, u_int16_t len) +{ + AES_set_encrypt_key(key, 128, &ks->ks_aes[0]); + AES_set_decrypt_key(key, 128, &ks->ks_aes[1]); + + return EOKAY; +} + +void 
+aes128_encrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) +{ + u_int8_t iv[MAXBLK]; + + memcpy (iv, ks->riv, ks->xf->blocksize); + AES_cbc_encrypt((unsigned char *) data, (unsigned char *) data, len, + &ks->ks_aes[0], iv, AES_ENCRYPT); +} + +void +aes128_decrypt (struct keystate *ks, u_int8_t *data, u_int16_t len) +{ + u_int8_t iv[MAXBLK]; + + memcpy (iv, ks->riv, ks->xf->blocksize); + AES_cbc_encrypt((unsigned char *) data, (unsigned char *) data, len, + &ks->ks_aes[1], iv, AES_DECRYPT); +} +struct crypto_xf * +crypto_get (enum transform id) +{ + int i; + + for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) + if (id == transforms[i].id) + return &transforms[i]; + + return 0; +} + +struct keystate * +crypto_init (struct crypto_xf *xf, u_int8_t *key, u_int16_t len, + enum cryptoerr *err) +{ + struct keystate *ks; + + if (len < xf->keymin || len > xf->keymax) + { + LOG_DBG ((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", len)); + *err = EKEYLEN; + return 0; + } + + ks = calloc (1, sizeof *ks); + if (!ks) + { + log_error ("crypto_init: calloc (1, %d) failed", sizeof *ks); + *err = ENOCRYPTO; + return 0; + } + + ks->xf = xf; + + /* Setup the IV. 
*/ + ks->riv = ks->iv; + ks->liv = ks->iv2; + + LOG_DBG_BUF ((LOG_CRYPTO, 40, "crypto_init: key", key, len)); + + *err = xf->init (ks, key, len); + if (*err != EOKAY) + { + LOG_DBG ((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", + xf->name)); + free (ks); + return 0; + } + + return ks; +} + +void +crypto_update_iv (struct keystate *ks) +{ + u_int8_t *tmp; + + tmp = ks->riv; + ks->riv = ks->liv; + ks->liv = tmp; + + LOG_DBG_BUF ((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, + ks->xf->blocksize)); +} + +void +crypto_init_iv (struct keystate *ks, u_int8_t *buf, size_t len) +{ + memcpy (ks->riv, buf, len); + + LOG_DBG_BUF ((LOG_CRYPTO, 50, "crypto_update_iv: initialized IV", ks->riv, + len)); +} + +void +crypto_encrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) +{ + LOG_DBG_BUF ((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf, + len)); + ks->xf->encrypt (ks, buf, len); + memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, + len)); +} + +void +crypto_decrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) +{ + LOG_DBG_BUF ((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf, + len)); + /* + * XXX There is controversy about the correctness of updating the IV + * like this. + */ + memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); + ks->xf->decrypt (ks, buf, len);; + LOG_DBG_BUF ((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, + len)); +} + +/* Make a copy of the keystate pointed to by OKS. */ +struct keystate * +crypto_clone_keystate (struct keystate *oks) +{ + struct keystate *ks; + + ks = malloc (sizeof *ks); + if (!ks) + { + log_error ("crypto_clone_keystate: malloc (%d) failed", sizeof *ks); + return 0; + } + memcpy (ks, oks, sizeof *ks); + if (oks->riv == oks->iv) + { + ks->riv = ks->iv; + ks->liv = ks->iv2; + } + else + { + ks->riv = ks->iv2; + ks->liv = ks->iv; + } + return ks; +} 
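Review bot: The length arguments are used in copies and pointer arithmetic without being checked against the block size: `crypto_init_iv` copies `len` bytes into `ks->riv`, which points at one of the `MAXBLK`-byte arrays declared in crypto.h, and `crypto_encrypt`/`crypto_decrypt` read from `buf + len - ks->xf->blocksize`, which lies before `buf` whenever `len` is shorter than one block. Decryption input presumably comes from the peer, so both need a guard, e.g. `if (len > MAXBLK) return;` in `crypto_init_iv` and `if (len < ks->xf->blocksize || len % ks->xf->blocksize) return;` at the top of the encrypt/decrypt wrappers. These functions return void, so callers would need their own check or a status return to learn of the rejection. Separately, `crypto_init` passes the raw key to `LOG_DBG_BUF` at level 40, which puts key material into the debug log; logging only `len` avoids that.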
diff --git a/src/crypto.h b/src/crypto.h new file mode 100644 index 0000000..8d4f132 --- /dev/null +++ b/src/crypto.h 
@@ -0,0 +1,148 @@ +/* $Id: crypto.h,v 1.4 2007/03/21 20:02:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/crypto.h,v $ */ + +/* $OpenBSD: crypto.h,v 1.4 2000/10/16 23:28:04 niklas Exp $ */ +/* $EOM: crypto.h,v 1.12 2000/10/15 21:56:41 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _CRYPTO_H_ +#define _CRYPTO_H_ + +#include +#include + +#define USE_32BIT +#if defined (USE_64BIT) + +#define XOR64(x,y) *(u_int64_t *)(x) ^= *(u_int64_t *)(y); +#define SET64(x,y) *(u_int64_t *)(x) = *(u_int64_t *)(y); + +#elif defined (USE_32BIT) + +#define XOR64(x,y) *(u_int32_t *)(x) ^= *(u_int32_t *)(y); \ + *(u_int32_t *)((u_int8_t *)(x) + 4) ^= *(u_int32_t *)((u_int8_t *)(y) + 4); +#define SET64(x,y) *(u_int32_t *)(x) = *(u_int32_t *)(y); \ + *(u_int32_t *)((u_int8_t *)(x) + 4) = *(u_int32_t *)((u_int8_t *)(y) + 4); + +#else + +#define XOR8(x,y,i) (x)[i] ^= (y)[i]; +#define XOR64(x,y) XOR8(x,y,0); XOR8(x,y,1); XOR8(x,y,2); XOR8(x,y,3); \ + XOR8(x,y,4); XOR8(x,y,5); XOR8(x,y,6); XOR8(x,y,7); +#define SET8(x,y,i) (x)[i] = (y)[i]; +#define SET64(x,y) SET8(x,y,0); SET8(x,y,1); SET8(x,y,2); SET8(x,y,3); \ + SET8(x,y,4); SET8(x,y,5); SET8(x,y,6); SET8(x,y,7); + +#endif /* USE_64BIT */ + +#define SET_32BIT_BIG(x,y) (x)[3]= (y); (x)[2]= (y) >> 8; \ + (x)[1] = (y) >> 16; (x)[0]= (y) >> 24; +#define GET_32BIT_BIG(x) (u_int32_t)(x)[3] | ((u_int32_t)(x)[2] << 8) | \ + ((u_int32_t)(x)[1] << 16)| ((u_int32_t)(x)[0] << 24); + +/* + * This is standard for all block ciphers we use at the moment. + * Theoretically this could increase in future, e.g. for TwoFish. 
+ * Keep MAXBLK uptodate + */ +#define BLOCKSIZE 8 +#define AES128_BLOCKSIZE 16 + +#define MAXBLK AES128_BLOCKSIZE + +struct keystate { + struct crypto_xf *xf; /* Back pointer */ + u_int16_t ebytes; /* Number of encrypted bytes */ + u_int16_t dbytes; /* Number of decrypted bytes */ + time_t life; /* Creation time */ + u_int8_t iv[MAXBLK]; /* Next IV to use */ + u_int8_t iv2[MAXBLK]; + u_int8_t *riv, *liv; + union { + des_key_schedule desks[3]; + AES_KEY aeskey[2]; /* [0] for encryption, [1] for decryption */ + } keydata; +}; + +#define ks_des keydata.desks +#define ks_aes keydata.aeskey + +/* + * Information about the cryptotransform. + * + * XXX - In regards to the IV (Initialization Vector) the drafts are + * completly fucked up and specify a MUST as how it is derived, so + * we also have to provide for that. I just don't know where. + * Furthermore is this enum needed at all? It seems to be Oakley IDs + * only anyhow, and we already have defines for that in ipsec_doi.h. + */ +enum transform { + DES_CBC=1, /* This is a MUST */ + IDEA_CBC=2, /* Licensed, DONT use */ + BLOWFISH_CBC=3, + RC5_R16_B64_CBC=4, /* Licensed, DONT use */ + TRIPLEDES_CBC=5, /* This is a SHOULD */ + CAST_CBC=6, + AES_CBC_128=7, +}; + +enum cryptoerr { + EOKAY, /* No error */ + ENOCRYPTO, /* A none crypto related error, see errno */ + EWEAKKEY, /* A weak key was found in key setup */ + EKEYLEN, /* The key length was invalid for the cipher */ +}; + +struct crypto_xf { + enum transform id; /* Oakley ID */ + char *name; /* Transform Name */ + u_int16_t keymin, keymax; /* Possible Keying Bytes */ + u_int16_t blocksize; /* Need to keep IV in the state */ + struct keystate *state; /* Key information, can also be passed sep. 
*/ + enum cryptoerr (*init) (struct keystate *, u_int8_t *, u_int16_t); + void (*encrypt) (struct keystate *, u_int8_t *, u_int16_t); + void (*decrypt) (struct keystate *, u_int8_t *, u_int16_t); +}; + +extern struct keystate *crypto_clone_keystate (struct keystate *); +extern void crypto_decrypt (struct keystate *, u_int8_t *, u_int16_t); +extern void crypto_encrypt (struct keystate *, u_int8_t *, u_int16_t); +extern struct crypto_xf *crypto_get (enum transform); +extern struct keystate *crypto_init (struct crypto_xf *, u_int8_t *, + u_int16_t, enum cryptoerr *); +extern void crypto_init_iv (struct keystate *, u_int8_t *, size_t); +extern void crypto_update_iv (struct keystate *); + +#endif /* _CRYPTO_H_ */ diff --git a/src/dh.c b/src/dh.c new file mode 100644 index 0000000..5902f32 --- /dev/null +++ b/src/dh.c 
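Review bot: `XOR64`, `SET64` and `SET_32BIT_BIG` expand to several statements, and `GET_32BIT_BIG` ends in a semicolon with no outer parentheses, so `if (c) SET64 (a, b);` guards only the first store and the getter cannot be used safely inside a larger expression. Wrap the statement macros in `do { ... } while (0)` without the trailing semicolon, and write the getter as one parenthesised expression: `#define GET_32BIT_BIG(x) ((u_int32_t)(x)[3] | ((u_int32_t)(x)[2] << 8) | ((u_int32_t)(x)[1] << 16) | ((u_int32_t)(x)[0] << 24))`. With `USE_32BIT` defined unconditionally just above, the active `XOR64`/`SET64` also cast `u_int8_t *` to `u_int32_t *`, which assumes 4-byte alignment of the buffers and violates strict aliasing. The byte-wise variant in the `#else` branch has neither problem.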
@@ -0,0 +1,90 @@
+/* $Id: dh.c,v 1.2 2002/05/10 04:25:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/dh.c,v $ */
+
+/* $OpenBSD: dh.c,v 1.6 2001/04/09 22:09:51 ho Exp $ */
+/* $EOM: dh.c,v 1.5 1999/04/17 23:20:22 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+
+#include "sysdep.h"
+
+#include "math_group.h"
+#include "dh.h"
+#include "log.h"
+
+/*
+ * Returns the length of our exchange value.
+ */
+
+int
+dh_getlen (struct group *group)
+{
+ return group->getlen (group);
+}
+
+/*
+ * Creates the exchange value we are offering to the other party.
+ * Each time this function is called a new value is created, that
+ * means the application has to save the exchange value itself,
+ * dh_create_exchange should only be called once.
+ */
+int
+dh_create_exchange (struct group *group, u_int8_t *buf)
+{
+ if (group->setrandom (group, group->c))
+ return -1;
+ if (group->operation (group, group->a, group->gen, group->c))
+ return -1;
+ group->getraw (group, group->a, buf);
+ return 0;
+}
+
+/*
+ * Creates the Diffie-Hellman shared secret in 'secret', where 'exchange'
+ * is the exchange value offered by the other party. No length verification
+ * is done for the value, the application has to do that.
+ */
+int
+dh_create_shared (struct group *group, u_int8_t *secret, u_int8_t *exchange)
+{
+ if (group->setraw (group, group->b, exchange, group->getlen (group)))
+ return -1;
+ if (group->operation (group, group->a, group->b, group->c))
+ return -1;
+ group->getraw (group, group->a, secret);
+ return 0;
+}
diff --git a/src/dh.h b/src/dh.h
new file mode 100644
index 0000000..4e50b78
--- /dev/null
+++ b/src/dh.h
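Review bot: `dh_create_shared` feeds the peer's `exchange` straight into `group->setraw` and `group->operation` with no visible check of its length or value, and its comment hands only the length check to the caller. Unless `setraw` validates the value (not visible in this hunk), the header comment should also require callers to reject degenerate peer values before the secret is used, e.g. by adding `* The caller must verify that EXCHANGE is exactly dh_getlen (GROUP) bytes and is a valid public value for GROUP (for MODP groups, 1 < value < p - 1).` Output sizing deserves the same treatment: `getraw` takes no length argument, so the comments on `dh_create_exchange` and `dh_create_shared` should state that `buf` and `secret` must hold at least `dh_getlen (group)` bytes.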
@@ -0,0 +1,51 @@
+/* $Id: dh.h,v 1.2 2002/05/10 04:25:12 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/dh.h,v $ */
+
+/* $OpenBSD: dh.h,v 1.4 1999/04/19 21:22:49 niklas Exp $ */
+/* $EOM: dh.h,v 1.4 1999/04/17 23:20:24 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _DH_H_
+#define _DH_H_
+
+#include
+
+struct group;
+
+int dh_getlen (struct group *);
+int dh_create_exchange (struct group *, u_int8_t *);
+int dh_create_shared (struct group *, u_int8_t *, u_int8_t *);
+
+#endif /* _DH_H_ */
diff --git a/src/doi.c b/src/doi.c
new file mode 100644
index 0000000..4690837
--- /dev/null
+++ b/src/doi.c
@@ -0,0 +1,70 @@
+/* $Id: doi.c,v 1.2 2002/05/10 04:25:12 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/doi.c,v $ */
+
+/* $OpenBSD: doi.c,v 1.5 1999/04/19 19:54:53 niklas Exp $ */
+/* $EOM: doi.c,v 1.4 1999/04/02 00:57:36 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+
+#include "sysdep.h"
+
+#include "doi.h"
+
+static LIST_HEAD (doi_list, doi) doi_tab;
+
+void
+doi_init ()
+{
+ LIST_INIT (&doi_tab);
+}
+
+struct doi *
+doi_lookup (u_int8_t doi_id)
+{
+ struct doi *doi;
+
+ for (doi = LIST_FIRST (&doi_tab); doi && doi->id != doi_id;
+ doi = LIST_NEXT (doi, link))
+ ;
+ return doi;
+}
+
+void
+doi_register (struct doi *doi)
+{
+ LIST_INSERT_HEAD (&doi_tab, doi, link);
+}
+
diff --git a/src/doi.h b/src/doi.h
new file mode 100644
index 0000000..6fae9db
--- /dev/null
+++ b/src/doi.h
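Review bot: `doi_register` inserts at the head of `doi_tab` without checking whether a DOI with the same `id` is already present, so a second registration silently shadows the first for every later `doi_lookup`. If duplicates are not intended, guard the insert with `if (doi_lookup (doi->id)) return;` (or log the conflict) before `LIST_INSERT_HEAD`. As a style point, the definition `doi_init ()` should read `doi_init (void)` to match the prototype declared in doi.h.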
@@ -0,0 +1,110 @@ +/* $Id: doi.h,v 1.6 2011/10/18 02:53:59 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/doi.h,v $ */ + +/* $OpenBSD: doi.h,v 1.9 2000/08/03 07:23:00 niklas Exp $ */ +/* $EOM: doi.h,v 1.29 2000/07/02 18:47:15 provos Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _DOI_H_ +#define _DOI_H_ + +#ifndef NULL +#define NULL ((void *)0) +#endif + +#include +#include + +struct exchange; +struct keystate; +struct message; +struct payload; +struct proto; +struct sa; + +/* XXX This structure needs per-field commenting. */ +struct doi { + LIST_ENTRY (doi) link; + u_int8_t id; + + /* Size of DOI-specific exchange data. */ + size_t exchange_size; + + /* Size of DOI-specific security association data. */ + size_t sa_size; + + /* Size of DOI-specific protocol data. */ + size_t proto_size; + +#ifdef USE_DEBUG + int (*debug_attribute) (u_int16_t, u_int8_t *, u_int16_t, void *); +#endif + void (*delete_spi) (struct sa *, struct proto *, int); + u_int16_t *(*exchange_script) (u_int8_t); + void (*finalize_exchange) (struct message *); + void (*free_exchange_data) (void *); + void (*free_proto_data) (void *); + void (*free_sa_data) (void *); + struct keystate *(*get_keystate) (struct message *); + u_int8_t *(*get_spi) (size_t *, u_int8_t, struct message *); + int (*handle_leftover_payload) (struct message *, u_int8_t, + struct payload *); + int (*informational_post_hook) (struct message *); + int (*informational_pre_hook) (struct message *); + int (*is_attribute_incompatible) (u_int16_t, u_int8_t *, u_int16_t, void *); + void (*proto_init) (struct proto *, char *); + void (*setup_situation) (u_int8_t *); + size_t (*situation_size) (void); + u_int8_t (*spi_size) (u_int8_t); + int (*validate_attribute) (u_int16_t, u_int8_t *, u_int16_t, void *); + int (*validate_exchange) (u_int8_t); + int (*validate_id_information) (u_int8_t, u_int8_t *, u_int8_t *, size_t, + struct exchange *); + int (*validate_key_information) (u_int8_t *, size_t); + int (*validate_notification) (u_int16_t); + int (*validate_proto) (u_int8_t); + int (*validate_situation) (u_int8_t *, size_t *); + int (*validate_transform_id) (u_int8_t, u_int8_t); + int (*initiator) (struct message 
*msg); + int (*responder) (struct message *msg); + char *(*decode_ids) (char *, u_int8_t *, size_t, u_int8_t *, size_t, int); + void (*postprocess_sa) (struct sa *); +}; + +extern void doi_init (void); +extern struct doi *doi_lookup (u_int8_t); +extern void doi_register (struct doi *); + +#endif /* _DOI_H_ */ diff --git a/src/dyn.h b/src/dyn.h new file mode 100644 index 0000000..0cb1291 --- /dev/null +++ b/src/dyn.h 
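Review bot: struct doi is the dispatch table through which peer-supplied fields are validated (`validate_attribute`, `validate_id_information`, `validate_key_information`, `validate_situation` and the rest), yet nothing here states what the `int` results mean or which hooks may be left NULL. The file itself flags the gap with `XXX This structure needs per-field commenting`. A comment above the `validate_*` group that fixes the return convention and the unit of the `size_t`/`u_int16_t` length arguments would let the author of a new DOI reject malformed input consistently with the existing ones. The `#ifndef NULL` fallback ahead of the includes would also be better replaced by including `<stddef.h>`.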
@@ -0,0 +1,57 @@ +/* $Id: dyn.h,v 1.2 2002/05/10 04:25:12 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/dyn.h,v $ */ + +/* $OpenBSD: dyn.h,v 1.1 1999/08/28 11:54:55 niklas Exp $ */ +/* $EOM: dyn.h,v 1.1 1999/08/12 22:34:27 niklas Exp $ */ + +/* + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _DYN_H_ +#define _DYN_H_ + +#ifdef SYMBOL_PREFIX +#define SYM(x) SYMBOL_PREFIX #x +#else +#define SYM(x) #x +#endif + +struct dynload_script { + enum { LOAD, SYM, EOS } op; + char *name; + void **ptr; +}; + +int dyn_load (struct dynload_script *); + +#endif /* _DYN_H_ */ diff --git a/src/exchange.c b/src/exchange.c new file mode 100644 index 0000000..e028032 --- /dev/null +++ b/src/exchange.c 
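Review bot: `struct dynload_script` in src/dyn.h is added without any comment on its fields, and its enum constant `SYM` shares a name with the function-like macro `SYM(x)` defined just above it; the declaration compiles only because the constant is not followed by a parenthesis, which a later edit could easily break. I would add a comment above the struct along the lines of `/* One step of a load script: op selects the action, name is the library or symbol name, ptr receives the result (confirm against dyn_load). */`. The implementation of `dyn_load` is not part of this hunk, so if `name` does reach the dynamic loader, the comment should also state that script names must be build-time constants and never configuration or peer-supplied strings, since a bare library name is resolved through the loader's search path.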
@@ -0,0 +1,1834 @@ +/* $Id: exchange.c,v 1.7.4.1 2011/10/18 03:26:54 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/exchange.c,v $ */ + +/* $OpenBSD: exchange.c,v 1.45 2001/04/24 07:27:36 niklas Exp $ */ +/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "cert.h" +#include "conf.h" +#include "connection.h" +#include "constants.h" +#include "cookie.h" +#include "crypto.h" +#include "doi.h" +#include "exchange.h" +#include "ipsec_num.h" +#include "isakmp.h" +#include "libcrypto.h" +#include "log.h" +#include "message.h" +#include "timer.h" +#include "transport.h" +#include "ipsec.h" +#include "sa.h" +#include "util.h" +#ifdef USE_X509 +#include "x509.h" +#endif +#include "gdoi_num.h" + +/* Initial number of bits from the cookies used as hash. */ +#define INITIAL_BUCKET_BITS 6 + +/* + * Don't try to use more bits than this as a hash. + * We only XOR 16 bits so going above that means changing the code below + * too. + */ +#define MAX_BUCKET_BITS 16 + +static void exchange_dump (char *, struct exchange *); +static void exchange_free_aux (void *); + +static LIST_HEAD (exchange_list, exchange) *exchange_tab; + +/* Works both as a maximum index and a mask. */ +static int bucket_mask; + +/* + * Validation scripts used to test messages for correct content of + * payloads depending on the exchange type. + */ +u_int16_t script_base[] = { + ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_KEY_EXCH, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_ID, + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_KEY_EXCH, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_ID, + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_END +}; + +u_int16_t script_identity_protection[] = { + ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_KEY_EXCH, /* Initiator -> responder. 
*/ + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_KEY_EXCH, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_ID, /* Initiator -> responder. */ + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_ID, /* Responder -> initiator. */ + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_END +}; + +u_int16_t script_authentication_only[] = { + ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_NONCE, + ISAKMP_PAYLOAD_ID, + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_ID, /* Initiator -> responder. */ + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_END +}; + +#ifdef USE_AGGRESSIVE +u_int16_t script_aggressive[] = { + ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_KEY_EXCH, + ISAKMP_PAYLOAD_NONCE, + ISAKMP_PAYLOAD_ID, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_KEY_EXCH, + ISAKMP_PAYLOAD_NONCE, + ISAKMP_PAYLOAD_ID, + EXCHANGE_SCRIPT_AUTH, + EXCHANGE_SCRIPT_SWITCH, + EXCHANGE_SCRIPT_AUTH, /* Initiator -> responder. */ + EXCHANGE_SCRIPT_END +}; +#endif /* USE_AGGRESSIVE */ + +u_int16_t script_informational[] = { + EXCHANGE_SCRIPT_INFO, /* Initiator -> responder. */ + EXCHANGE_SCRIPT_END +}; + +/* + * Check what exchange SA is negotiated with and return a suitable validation + * script. 
+ */ +u_int16_t * +exchange_script (struct exchange *exchange) +{ + switch (exchange->type) + { + case ISAKMP_EXCH_BASE: + return script_base; + case ISAKMP_EXCH_ID_PROT: + return script_identity_protection; + case ISAKMP_EXCH_AUTH_ONLY: + return script_authentication_only; +#ifdef USE_AGGRESSIVE + case ISAKMP_EXCH_AGGRESSIVE: + return script_aggressive; +#endif + case ISAKMP_EXCH_INFO: + return script_informational; + default: + if (exchange->type >= ISAKMP_EXCH_DOI_MIN) + return exchange->doi->exchange_script (exchange->type); + } + return 0; +} + +/* + * Validate the message MSG's contents wrt what payloads the exchange type + * requires at this point in the dialogoue. Return -1 if the validation fails, + * 0 if it succeeds and the script is not finished and 1 if it's ready. + */ +static int +exchange_validate (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + int16_t *pc = exchange->exch_pc; + + while (*pc != EXCHANGE_SCRIPT_END && *pc != EXCHANGE_SCRIPT_SWITCH) + { + LOG_DBG ((LOG_EXCHANGE, 90, + "exchange_validate: checking for required %s", + *pc >= ISAKMP_PAYLOAD_NONE + ? constant_name (isakmp_payload_cst, *pc) + : constant_name (exchange_script_cst, *pc))); + + /* Check for existence of the required payloads. */ + if ((*pc > 0 && !TAILQ_FIRST (&msg->payload[*pc])) + || (*pc == EXCHANGE_SCRIPT_AUTH + && !TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]) + && !TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SIG])) + || (*pc == EXCHANGE_SCRIPT_INFO + && !TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NOTIFY]) + && !TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_DELETE]))) + { + /* Missing payload. */ + LOG_DBG ((LOG_MESSAGE, 70, + "exchange_validate: msg %p requires missing %s", msg, + *pc >= ISAKMP_PAYLOAD_NONE + ? constant_name (isakmp_payload_cst, *pc) + : constant_name (exchange_script_cst, *pc))); + return -1; + } + pc++; + } + if (*pc == EXCHANGE_SCRIPT_END) + /* Cleanup. 
*/ + return 1; + + return 0; +} + +/* + * Run the exchange script from a point given by the "program counter" + * upto either the script's end or a transmittal of a message. If we are + * at the point of a reception of a message, that message should be handed + * in here in the MSG argument. Otherwise we are the initiator and should + * expect MSG to be a half-cooked message without payloads. + */ +void +exchange_run (struct message *msg) +{ + int i, done = 0; + struct exchange *exchange = msg->exchange; + struct doi *doi = exchange->doi; + int (*handler) (struct message *) + = exchange->initiator ? doi->initiator : doi->responder; + struct payload *payload; + + while (!done) + { + /* + * BUG! We ought to first verify that the state machine is not stepping + * off into memory after the end of the script. But all we have is + * the current exch_pc (which has incremented past the previous step) + * and the step number. We would need to know the beginning pc of the + * script as well. + */ + + /* + * It's our turn if we're either the initiator on an even step, + * or the responder on an odd step of the dialogue. + */ + if (exchange->initiator ^ (exchange->step % 2)) + { + done = 1; + if (exchange->step) + msg = message_alloc_reply (msg); + message_setup_header (msg, exchange->type, 0, exchange->message_id); + if (handler (msg)) + { + /* + * This can happen when transient starvation of memory occurs. + * XXX The peer's retransmit ought to kick-start this exchange + * again. If he's stopped retransmitting he's likely dropped + * the SA at his side so we need to do that too, i.e. + * implement automatic SA teardown after a certain amount + * of inactivity. + */ + log_print ("exchange_run: doi->%s (%p) failed", + exchange->initiator ? "initiator" : "responder", msg); + message_free (msg); + return; + } + + switch (exchange_validate (msg)) + { + case 1: + /* + * The last message of a multi-message exchange should + * not be retransmitted other than "on-demand", i.e. 
if we + * see retransmits of the last message of the peer + * later. + */ + msg->flags |= MSG_LAST; + if (exchange->step > 0) + { + if (exchange->last_sent) + message_free (exchange->last_sent); + exchange->last_sent = msg; + } + + /* + * After we physically have sent our last message we need to + * do SA-specific finalization, like telling our application + * the SA is ready to be used, or issuing a CONNECTED notify + * if we set the COMMIT bit. + */ + message_register_post_send (msg, exchange_finalize); + + /* Fallthrough. */ + + case 0: + /* XXX error handling. */ + message_send (msg); + break; + + default: + log_print ("exchange_run: exchange_validate failed, DOI error"); + exchange_free (exchange); + message_free (msg); + return; + } + } + else + { + done = exchange_validate (msg); + switch (done) + { + case 0: + case 1: + /* Feed the message to the DOI. */ + if (handler (msg)) + { + /* + * Trust the peer to retransmit. + * XXX We have to implement SA aging with automatic teardown. + */ + message_free (msg); + return; + } + + /* + * Go over the yet unhandled payloads and feed them to DOI + * for handling. + */ + for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_PRIVATE_MAX; i++) + if (i != ISAKMP_PAYLOAD_PROPOSAL + && i != ISAKMP_PAYLOAD_TRANSFORM) + for (payload = TAILQ_FIRST (&msg->payload[i]); payload; + payload = TAILQ_NEXT (payload, link)) + if ((payload->flags & PL_MARK) == 0) + if (!doi->handle_leftover_payload + || doi->handle_leftover_payload (msg, i, payload)) + LOG_DBG ((LOG_EXCHANGE, 10, + "exchange_run: unexpected payload %s", + constant_name (isakmp_payload_cst, i))); + + /* + * We have advanced the state. If we have been processing an + * incoming message, record that message as the one to do + * duplication tests against. 
+ */ + if (exchange->last_received) + message_free (exchange->last_received); + exchange->last_received = msg; + if (exchange->flags & EXCHANGE_FLAG_ENCRYPT) + crypto_update_iv (exchange->keystate); + + if (done) + { + exchange_finalize (msg); + return; + } + break; + + case -1: + log_print ("exchange_run: exchange_validate failed"); + /* XXX Is this the best error notification type? */ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); + return; + } + } + + LOG_DBG ((LOG_EXCHANGE, 40, + "exchange_run: exchange %p finished step %d, advancing...", + exchange, exchange->step)); + exchange->step++; + while (*exchange->exch_pc != EXCHANGE_SCRIPT_SWITCH + && *exchange->exch_pc != EXCHANGE_SCRIPT_END) + exchange->exch_pc++; + exchange->exch_pc++; + } +} + +void +exchange_init () +{ + int i; + + bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; + exchange_tab = malloc ((bucket_mask + 1) * sizeof (struct exchange_list)); + if (!exchange_tab) + log_fatal ("exchange_init: out of memory"); + for (i = 0; i <= bucket_mask; i++) + { + LIST_INIT (&exchange_tab[i]); + } + +} + +void +exchange_resize () +{ + int new_mask = (bucket_mask + 1) * 2 - 1; + int i; + struct exchange_list *new_tab; + + new_tab + = realloc (exchange_tab, (new_mask + 1) * sizeof (struct exchange_list)); + if (!new_tab) + return; + for (i = bucket_mask + 1; i <= new_mask; i++) + { + LIST_INIT (&new_tab[i]); + } + bucket_mask = new_mask; + /* XXX Rehash existing entries. */ +} + +/* Lookup a phase 1 exchange out of just the initiator cookie. */ +struct exchange * +exchange_lookup_from_icookie (u_int8_t *cookie) +{ + int i; + struct exchange *exchange; + + for (i = 0; i <= bucket_mask; i++) + for (exchange = LIST_FIRST (&exchange_tab[i]); exchange; + exchange = LIST_NEXT (exchange, link)) + if (memcmp (exchange->cookies, cookie, ISAKMP_HDR_ICOOKIE_LEN) == 0 + && exchange->phase == 1) + return exchange; + return 0; +} + +/* Lookup an exchange out of the name and phase. 
*/ +struct exchange * +exchange_lookup_by_name (char *name, int phase) +{ + int i; + struct exchange *exchange; + + /* If we search for nothing, we will find nothing. */ + if (!name) + return 0; + + for (i = 0; i <= bucket_mask; i++) + for (exchange = LIST_FIRST (&exchange_tab[i]); exchange; + exchange = LIST_NEXT (exchange, link)) + { + LOG_DBG ((LOG_EXCHANGE, 90, + "exchange_lookup_by_name: %s == %s && %d == %d?", name, + exchange->name ? exchange->name : "", phase, + exchange->phase)); + + /* + * Match by name, but don't select finished exchanges, i.e + * where MSG_LAST are set in last_sent msg. + */ + if (exchange->name && strcasecmp (exchange->name, name) == 0 + && exchange->phase == phase + && (!exchange->last_sent + || (exchange->last_sent->flags & MSG_LAST) == 0)) + return exchange; + } + return 0; +} + +/* Lookup an exchange out of the name, phase and step > 1. */ +struct exchange * +exchange_lookup_active (char *name, int phase) +{ + int i; + struct exchange *exchange; + + /* XXX Almost identical to exchange_lookup_by_name. */ + + if (!name) + return 0; + + for (i = 0; i <= bucket_mask; i++) + for (exchange = LIST_FIRST (&exchange_tab[i]); exchange; + exchange = LIST_NEXT (exchange, link)) + { + LOG_DBG ((LOG_EXCHANGE, 90, + "exchange_lookup_active: %s == %s && %d == %d?", + name, exchange->name ? exchange->name : "", phase, + exchange->phase)); + if (exchange->name && strcasecmp (exchange->name, name) == 0 + && exchange->phase == phase) + { + if (exchange->step > 1) + return exchange; + else + LOG_DBG ((LOG_EXCHANGE, 80, + "exchange_lookup_active: avoided early (pre-step 1) " + "exchange %p", exchange)); + } + } + return 0; +} + +void +exchange_enter (struct exchange *exchange) +{ + u_int16_t bucket = 0; + int i; + u_int8_t *cp; + + /* XXX We might resize if we are crossing a certain threshold */ + + for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) + { + cp = exchange->cookies + i; + /* Doing it this way avoids alignment problems. 
*/ + bucket ^= cp[0] | cp[1] << 8; + } + for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) + { + cp = exchange->message_id + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + bucket &= bucket_mask; + LIST_INSERT_HEAD (&exchange_tab[bucket], exchange, link); +} + +/* + * Lookup the exchange given by the header fields MSG. PHASE2 is false when + * looking for phase 1 exchanges and true otherwise. + */ +struct exchange * +exchange_lookup (u_int8_t *msg, int phase2) +{ + u_int16_t bucket = 0; + int i; + struct exchange *exchange; + u_int8_t *cp; + + /* + * We use the cookies to get bits to use as an index into exchange_tab, as at + * least one (our cookie) is a good hash, xoring all the bits, 16 at a + * time, and then masking, should do. Doing it this way means we can + * validate cookies very fast thus delimiting the effects of "Denial of + * service"-attacks using packet flooding. + */ + for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) + { + cp = msg + ISAKMP_HDR_COOKIES_OFF + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + if (phase2) + for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) + { + cp = msg + ISAKMP_HDR_MESSAGE_ID_OFF + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + bucket &= bucket_mask; + for (exchange = LIST_FIRST (&exchange_tab[bucket]); + exchange && (memcmp (msg + ISAKMP_HDR_COOKIES_OFF, exchange->cookies, + ISAKMP_HDR_COOKIES_LEN) != 0 + || (phase2 && memcmp (msg + ISAKMP_HDR_MESSAGE_ID_OFF, + exchange->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN) != 0) + || (!phase2 && !zero_test (msg + ISAKMP_HDR_MESSAGE_ID_OFF, + ISAKMP_HDR_MESSAGE_ID_LEN))); + exchange = LIST_NEXT (exchange, link)) + ; + + return exchange; +} + +/* + * Create a phase PHASE exchange where INITIATOR denotes our role. 
DOI + * is the domain of interpretation identifier and TYPE tells what exchange + * type to use per either the DOI document or the ISAKMP spec proper. + * NSA tells how many SAs we should pre-allocate, and should be zero + * when we have the responder role. + */ +struct exchange * +exchange_create (int phase, int initiator, int doi, int type) +{ + struct exchange *exchange; + struct timeval expiration; + int delta; + + /* + * We want the exchange zeroed for exchange_free to be able to find + * out what fields have been filled-in. + */ + exchange = calloc (1, sizeof *exchange); + if (!exchange) + { + log_error ("exchange_create: calloc (1, %d) failed", sizeof *exchange); + return 0; + } + exchange->phase = phase; + exchange->step = 0; + exchange->initiator = initiator; + memset (exchange->cookies, 0, ISAKMP_HDR_COOKIES_LEN); + memset (exchange->message_id, 0, ISAKMP_HDR_MESSAGE_ID_LEN); + exchange->doi = doi_lookup (doi); + exchange->type = type; + exchange->policy_id = -1; + exchange->exch_pc = (int16_t *)exchange_script (exchange); + exchange->last_sent = exchange->last_received = 0; + TAILQ_INIT (&exchange->sa_list); + TAILQ_INIT (&exchange->aca_list); + + /* Allocate the DOI-specific structure and initialize it to zeroes. */ + if (exchange->doi->exchange_size) + { + exchange->data = calloc (1, exchange->doi->exchange_size); + if (!exchange->data) + { + log_error ("exchange_create: calloc (1, %d) failed", + exchange->doi->exchange_size); + exchange_free (exchange); + return 0; + } + } + + /* + * GDOI rekey messages don't time out. + */ + if (!(exchange->doi && (exchange->doi->id == GROUP_DOI_GDOI) && + (exchange->type == GDOI_EXCH_PUSH_MODE))) + { + gettimeofday (&expiration, 0); + delta = conf_get_num ("General", "Exchange-max-time", EXCHANGE_MAX_TIME); + expiration.tv_sec += delta; + exchange->death = timer_add_event ("exchange_free_aux", exchange_free_aux, + exchange, &expiration); + if (!exchange->death) + { + /* If we don't give up we might start leaking... 
*/ + exchange_free_aux (exchange); + return 0; + } + } + + return exchange; +} + +struct exchange_finalization_node +{ + void (*first) (struct exchange *, void *, int); + void *first_arg; + void (*second) (struct exchange *, void *, int); + void *second_arg; +}; + +/* Run the finalization functions of ARG. */ +static void +exchange_run_finalizations (struct exchange *exchange, void *arg, int fail) +{ + struct exchange_finalization_node *node = arg; + + node->first (exchange, node->first_arg, fail); + node->second (exchange, node->second_arg, fail); + free (node); +} + +/* + * Add a finalization function FINALIZE with argument ARG to the tail + * of the finalization function list of EXCHANGE. + */ +static void +exchange_add_finalization (struct exchange *exchange, + void (*finalize) (struct exchange *, void *, int), + void *arg) +{ + struct exchange_finalization_node *node; + + if (!finalize) + return; + + if (!exchange->finalize) + { + exchange->finalize = finalize; + exchange->finalize_arg = arg; + return; + } + + node = malloc (sizeof *node); + if (!node) + { + log_error ("exchange_add_finalization: malloc (%d) failed", + sizeof *node); + free (arg); + return; + } + node->first = exchange->finalize; + node->first_arg = exchange->finalize_arg; + node->second = finalize; + node->second_arg = arg; + exchange->finalize = exchange_run_finalizations; + exchange->finalize_arg = node; +} + +/* Establish a phase 1 exchange. */ +void +exchange_establish_p1 (struct transport *t, u_int8_t type, u_int32_t doi, + char *name, void *args, + void (*finalize) (struct exchange *, void *, int), + void *arg) +{ + struct exchange *exchange; + struct message *msg; + char *tag = 0; + char *str; + + if (name) + { + /* If no exchange type given, fetch from the configuration. */ + if (type == 0) + { + /* XXX Similar code can be found in exchange_setup_p1. Share? */ + + /* Find out our phase 1 mode. 
*/ + tag = conf_get_str (name, "Configuration"); + if (!tag) + { + /* Use default setting */ + tag = conf_get_str ("Phase 1", "Default"); + if (!tag) + { + log_print ("exchange_establish_p1: " + "no \"Default\" tag in [Phase 1] section"); + return; + } +#if 0 + log_print ("exchange_establish_p1: " + "no configuration found for peer \"%s\"", + name); +#endif + } + + /* Figure out the DOI. XXX Factor out? */ + str = conf_get_str (tag, "DOI"); + if (!str || strcasecmp (str, "IPSEC") == 0) + doi = IPSEC_DOI_IPSEC; + else if (strcasecmp (str, "ISAKMP") == 0) + doi = ISAKMP_DOI_ISAKMP; + else if (strcasecmp (str, "GROUP") == 0) + doi = GROUP_DOI_GDOI; + else + { + log_print ("exchange_establish_p1: DOI \"%s\" unsupported", str); + return; + } + + /* What exchange type do we want? */ + str = conf_get_str (tag, "EXCHANGE_TYPE"); + if (!str) + { + log_print ("exchange_establish_p1: " + "no \"EXCHANGE_TYPE\" tag in [%s] section", tag); + return; + } + type = constant_value (isakmp_exch_cst, str); + if (!type) + { + log_print ("exchange_establish_p1: unknown exchange type %s", + str); + return; + } + } + } + + exchange = exchange_create (1, 1, doi, type); + if (!exchange) + { + /* XXX Do something here? */ + return; + } + + if (name) + { + exchange->name = strdup (name); + if (!exchange->name) + { + log_error ("exchange_establish_p1: strdup (\"%s\") failed", name); + exchange_free (exchange); + return; + } + } + + exchange->policy = name ? conf_get_str (name, "Configuration") : 0; + if ((exchange->policy == NULL) && name) + exchange->policy = conf_get_str ("Phase 1", "Default"); + + exchange->finalize = finalize; + exchange->finalize_arg = arg; + cookie_gen (t, exchange, exchange->cookies, ISAKMP_HDR_ICOOKIE_LEN); + exchange_enter (exchange); + exchange_dump ("exchange_establish_p1", exchange); + + msg = message_alloc (t, 0, ISAKMP_HDR_SZ); + msg->exchange = exchange; + + /* Do not create SA for an information exchange. 
*/ + if (exchange->type != ISAKMP_EXCH_INFO) + { + /* + * Don't install a transport into this SA as it will be an INADDR_ANY + * address in the local end, which is not good at all. Let the reply + * packet install the transport instead. + */ + sa_create (exchange, 0); + msg->isakmp_sa = TAILQ_FIRST (&exchange->sa_list); + if (!msg->isakmp_sa) + { + /* XXX Do something more here? */ + exchange_free (exchange); + return; + } + sa_reference (msg->isakmp_sa); + } + + msg->extra = args; + + exchange_run (msg); +} + +/* Establish a phase 2 exchange. XXX With just one SA for now. */ +void +exchange_establish_p2 (struct sa *isakmp_sa, u_int8_t type, char *name, + void *args, + void (*finalize) (struct exchange *, void *, int), + void *arg) +{ + struct exchange *exchange; + struct message *msg; + int i; + char *tag, *str; + u_int32_t doi = ISAKMP_DOI_ISAKMP; + u_int32_t seq = 0; + + if (isakmp_sa) + doi = isakmp_sa->doi->id; + + if (name) + { + /* Find out our phase 2 modes. */ + tag = conf_get_str (name, "Configuration"); + if (!tag) + { + log_print ("exchange_establish_p2: no configuration for peer \"%s\"", + name); + return; + } + + seq = (u_int32_t) conf_get_num (name, "Acquire-ID", 0); + + /* Figure out the DOI. */ + str = conf_get_str (tag, "DOI"); + if (!str || strcasecmp (str, "IPSEC") == 0) + doi = IPSEC_DOI_IPSEC; + else if (strcasecmp (str, "GROUP") == 0) + doi = GROUP_DOI_GDOI; + else if (strcasecmp (str, "ISAKMP") == 0) + doi = ISAKMP_DOI_ISAKMP; + else + { + log_print ("exchange_establish_p2: DOI \"%s\" unsupported", str); + return; + } + + /* What exchange type do we want? 
*/ + if (!type) + { + str = conf_get_str (tag, "EXCHANGE_TYPE"); + if (!str) + { + log_print ("exchange_establish_p2: " + "no \"EXCHANGE_TYPE\" tag in [%s] section", tag); + return; + } + switch (doi) { + case IPSEC_DOI_IPSEC: + type = constant_value (ike_exch_cst, str); + break; + case GROUP_DOI_GDOI: + type = constant_value (gdoi_exch_cst, str); + break; + } + if (!type) + { + log_print ("exchange_establish_p2: unknown exchange type %s" + " for doi %d", str, doi); + return; + } + } + } + + exchange = exchange_create (2, 1, doi, type); + if (!exchange) + { + /* XXX Do something here? */ + return; + } + + if (name) + { + exchange->name = strdup (name); + if (!exchange->name) + { + log_error ("exchange_establish_p2: strdup (\"%s\") failed", name); + exchange_free (exchange); + return; + } + } + exchange->policy = name ? conf_get_str (name, "Configuration") : 0; + exchange->finalize = finalize; + exchange->finalize_arg = arg; + exchange->seq = seq; + memcpy (exchange->cookies, isakmp_sa->cookies, ISAKMP_HDR_COOKIES_LEN); + getrandom (exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); + exchange->flags |= EXCHANGE_FLAG_ENCRYPT; + exchange_enter (exchange); + exchange_dump ("exchange_establish_p2", exchange); + + /* + * Do not create SA's for informational exchanges. + * XXX How to handle new group mode? + */ + if ((exchange->doi->id == IPSEC_DOI_IPSEC) && + (exchange->type != ISAKMP_EXCH_INFO)) + { + /* XXX Number of SAs should come from the args structure. */ + for (i = 0; i < 1; i++) + if (sa_create (exchange, isakmp_sa->transport)) + { + exchange_free (exchange); + return; + } + } + + msg = message_alloc (isakmp_sa->transport, 0, ISAKMP_HDR_SZ); + msg->isakmp_sa = isakmp_sa; + sa_reference (isakmp_sa); + + msg->extra = args; + + /* This needs to be done late or else get_keystate won't work right. */ + msg->exchange = exchange; + + exchange_run (msg); +} + +/* Out of an incoming phase 1 message, setup an exchange. 
*/ +struct exchange * +exchange_setup_p1 (struct message *msg, u_int32_t doi) +{ + struct transport *t = msg->transport; + struct exchange *exchange; + struct sockaddr *dst; + int dst_len; + char *name = 0, *policy = 0, *str; + u_int32_t want_doi; + u_int8_t type; + + /* XXX Similar code can be found in exchange_establish_p1. Share? */ + + /* + * Unless this is an informational exchange, look up our policy for this + * peer. + */ + type = GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0].iov_base); + if (type != ISAKMP_EXCH_INFO) + { + /* + * Find out our inbound phase 1 mode. + * XXX Assumes IPv4. It might make sense to search through several + * policies too. + */ + t->vtbl->get_dst (t, &dst, &dst_len); + name = conf_get_str ("Phase 1", + inet_ntoa (((struct sockaddr_in *)dst)->sin_addr)); + if (name) + { +#ifdef ORIGINAL + /* + * If another phase 1 exchange is ongoing don't bother returning the + * call. However, we will need to continue responding if our phase 1 + * exchange is still waiting for step 1 (i.e still half-open). + */ + if (exchange_lookup_active (name, 1)) + return 0; +#endif + } + else + { + name = conf_get_str ("Phase 1", "Default"); + if (!name) + { + log_print ("exchange_setup_p1: " + "no \"Default\" tag in [Phase 1] section"); + return 0; + } + } + + policy = conf_get_str (name, "Configuration"); + if (!policy) + { + log_print ("exchange_setup_p1: no configuration for peer \"%s\"", + name); + return 0; + } + + /* Figure out the DOI. */ + str = conf_get_str (policy, "DOI"); + if (!str || strcasecmp (str, "IPSEC") == 0) + want_doi = IPSEC_DOI_IPSEC; + else if (strcasecmp (str, "GROUP") == 0) + want_doi = GROUP_DOI_GDOI; + else if (strcasecmp (str, "ISAKMP") == 0) + want_doi = ISAKMP_DOI_ISAKMP; + else + { + log_print ("exchange_setup_p1: DOI \"%s\" unsupported", str); + return 0; + } + if (want_doi != doi) + { + /* XXX Should I tell what DOI I got? 
*/ + log_print ("exchange_setup_p1: expected %s DOI", str); + return 0; + } + + /* What exchange type do we want? */ + str = conf_get_str (policy, "EXCHANGE_TYPE"); + if (!str) + { + log_print ("exchange_setup_p1: " + "no \"EXCHANGE_TYPE\" tag in [%s] section", policy); + return 0; + } + type = constant_value (isakmp_exch_cst, str); + if (!type) + { + log_print ("exchange_setup_p1: unknown exchange type %s", str); + return 0; + } + if (type != GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0].iov_base)) + { + log_print ("exchange_setup_p1: expected exchange type %s got %s", + str, + constant_lookup (isakmp_exch_cst, + GET_ISAKMP_HDR_EXCH_TYPE (msg->iov[0] + .iov_base))); + return 0; + } + } + + exchange = exchange_create (1, 0, doi, type); + if (!exchange) + return 0; + + exchange->name = name ? strdup (name) : 0; + if (name && !exchange->name) + { + log_error ("exchange_setup_p1: strdup (\"%s\") failed", name); + exchange_free (exchange); + return 0; + } + exchange->policy = policy; + cookie_gen (msg->transport, exchange, + exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN, + ISAKMP_HDR_RCOOKIE_LEN); + GET_ISAKMP_HDR_ICOOKIE (msg->iov[0].iov_base, exchange->cookies); + exchange_enter (exchange); + exchange_dump ("exchange_setup_p1", exchange); + return exchange; +} + +/* Out of an incoming phase 2 message, setup an exchange. */ +struct exchange * +exchange_setup_p2 (struct message *msg, u_int8_t doi) +{ + struct exchange *exchange; + u_int8_t *buf = msg->iov[0].iov_base; + + exchange = exchange_create (2, 0, doi, GET_ISAKMP_HDR_EXCH_TYPE (buf)); + if (!exchange) + return 0; + GET_ISAKMP_HDR_ICOOKIE (buf, exchange->cookies); + GET_ISAKMP_HDR_RCOOKIE (buf, exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN); + GET_ISAKMP_HDR_MESSAGE_ID (buf, exchange->message_id); + exchange_enter (exchange); + exchange_dump ("exchange_setup_p2", exchange); + return exchange; +} + +/* Dump interesting data about an exchange. 
*/ +static void +exchange_dump_real (char *header, struct exchange *exchange, int class, + int level) +{ + char buf[LOG_SIZE]; + /* Don't risk overflowing the final log buffer. */ + int bufsize_max = LOG_SIZE - strlen (header) - 32; + struct sa *sa; + + LOG_DBG ((class, level, + "%s: %p %s %s policy %s phase %d doi %d exchange %d step %d", + header, exchange, exchange->name ? exchange->name : "", + exchange->policy ? exchange->policy : "", + exchange->initiator ? "initiator" : "responder", exchange->phase, + exchange->doi->id, exchange->type, exchange->step)); + LOG_DBG ((class, level, + "%s: icookie %08x%08x rcookie %08x%08x", header, + decode_32 (exchange->cookies), decode_32 (exchange->cookies + 4), + decode_32 (exchange->cookies + 8), + decode_32 (exchange->cookies + 12))); + + /* Include phase 2 SA list for this exchange */ + if (exchange->phase == 2) + { + sprintf (buf, "sa_list "); + for (sa = TAILQ_FIRST (&exchange->sa_list); + sa && strlen (buf) < bufsize_max; sa = TAILQ_NEXT (sa, next)) + sprintf (buf + strlen (buf), "%p ", sa); + if (sa) + strcat (buf, "..."); + } + else + buf[0] = '\0'; + + LOG_DBG ((class, level, "%s: msgid %08x %s", header, + decode_32 (exchange->message_id), buf)); +} + +static void +exchange_dump (char *header, struct exchange *exchange) +{ + exchange_dump_real (header, exchange, LOG_EXCHANGE, 10); +} + +void +exchange_report (void) +{ + int i; + struct exchange *exchange; + + for (i = 0; i <= bucket_mask; i++) + for (exchange = LIST_FIRST (&exchange_tab[i]); exchange; + exchange = LIST_NEXT (exchange, link)) + exchange_dump_real ("exchange_report", exchange, LOG_REPORT, 0); +} + +/* + * Release all resources this exchange is using *except* for the "death" + * event. When removing an exchange from the expiration handler that event + * will be dealt with therein instead. 
+ */ +static void +exchange_free_aux (void *v_exch) +{ + struct exchange *exchange = v_exch; + struct sa *sa, *next_sa; + struct cert_handler *handler; + + LOG_DBG ((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p", + exchange)); + + if (exchange->last_received) + message_free (exchange->last_received); + if (exchange->last_sent) + message_free (exchange->last_sent); + if (exchange->in_transit && exchange->in_transit != exchange->last_sent) + message_free (exchange->in_transit); + if (exchange->nonce_i) + free (exchange->nonce_i); + if (exchange->nonce_r) + free (exchange->nonce_r); + if (exchange->id_i) + free (exchange->id_i); + if (exchange->id_r) + free (exchange->id_r); + if (exchange->keystate) + free (exchange->keystate); + if (exchange->doi && exchange->doi->free_exchange_data) + exchange->doi->free_exchange_data (exchange->data); + if (exchange->data) + free (exchange->data); + if (exchange->name) + free (exchange->name); + if (exchange->recv_cert) + { + handler = cert_get (exchange->recv_certtype); + if (handler) + handler->cert_free (exchange->recv_cert); + else if (exchange->recv_certtype == ISAKMP_CERTENC_NONE) + free (exchange->recv_cert); + } + if (exchange->recv_key) + free (exchange->recv_key); + + exchange_free_aca_list (exchange); + LIST_REMOVE (exchange, link); + + /* Tell potential finalize routine we never got there. */ + if (exchange->finalize) + exchange->finalize (exchange, exchange->finalize_arg, 1); + + /* Remove any SAs that has not been disassociated from us. */ + for (sa = TAILQ_FIRST (&exchange->sa_list); sa; sa = next_sa) + { + next_sa = TAILQ_NEXT (sa, next); + sa_free (sa); + } + + free (exchange); +} + +/* Release all resources this exchange is using. 
*/ +void +exchange_free (struct exchange *exchange) +{ + if (exchange->death) + timer_remove_event (exchange->death); + exchange_free_aux (exchange); +} + +/* + * Upgrade the phase 1 exchange and its ISAKMP SA with the rcookie of our + * peer (found in his recently sent message MSG). + */ +void +exchange_upgrade_p1 (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + + LIST_REMOVE (exchange, link); + GET_ISAKMP_HDR_RCOOKIE (msg->iov[0].iov_base, + exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN); + exchange_enter (exchange); + sa_isakmp_upgrade (msg); +} + +static int +exchange_check_old_sa (struct sa *sa, void *v_arg) +{ + struct sa *new_sa = v_arg; + char res1[1024]; + + if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY) || + (sa->flags & SA_FLAG_REPLACED)) + return 0; + + if (sa->phase != new_sa->phase || new_sa->name == NULL || + strcasecmp (sa->name, new_sa->name)) + return 0; + + if (sa->initiator) + strlcpy (res1, ipsec_decode_ids ("%s %s", sa->id_i, sa->id_i_len, sa->id_r, + sa->id_r_len, 0), sizeof res1); + else + strlcpy (res1, ipsec_decode_ids ("%s %s", sa->id_r, sa->id_r_len, sa->id_i, + sa->id_i_len, 0), sizeof res1); + + LOG_DBG ((LOG_EXCHANGE, 30, + "checking whether new SA replaces existing SA with IDs %s", + res1)); + + if (new_sa->initiator) + return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_i, + new_sa->id_i_len, + new_sa->id_r, + new_sa->id_r_len, 0)) == 0; + else + return strcasecmp (res1, ipsec_decode_ids ("%s %s", new_sa->id_r, + new_sa->id_r_len, + new_sa->id_i, + new_sa->id_i_len, 0)) == 0; +} + +void +exchange_finalize (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct sa *sa, *old_sa; + struct proto *proto; + struct conf_list *attrs; + struct conf_list_node *attr; + int i; + + exchange_dump ("exchange_finalize", exchange); + + /* + * Walk over all the SAs and noting them as ready. If we set the + * COMMIT bit, tell the peer each SA is connected. 
+ * + * XXX The decision should really be based on if a SA was installed + * successfully. + */ + for (sa = TAILQ_FIRST (&exchange->sa_list); sa; sa = TAILQ_NEXT (sa, next)) + { + /* Move over the name to the SA. */ + sa->name = exchange->name ? strdup (exchange->name) : 0; + + if (exchange->flags & EXCHANGE_FLAG_I_COMMITTED) + { + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + for (i = 0; i < 2; i++) + message_send_notification (exchange->last_received, + msg->isakmp_sa, + ISAKMP_NOTIFY_STATUS_CONNECTED, proto, + i); + } + + /* Locate any old SAs and mark them replaced (SA_FLAG_REPLACED). */ + while ((old_sa = sa_find (exchange_check_old_sa, sa)) != 0) + sa_mark_replaced (old_sa); + + /* Setup the SA flags. */ + sa->flags |= SA_FLAG_READY; + if (exchange->name) + { + attrs = conf_get_list (exchange->name, "Flags"); + if (attrs) + { + for (attr = TAILQ_FIRST (&attrs->fields); attr; + attr = TAILQ_NEXT (attr, link)) + sa->flags |= sa_flag (attr->field); + conf_free_list (attrs); + } + /* 'Connections' should stay alive. */ + /* But not for GDOI */ + if (exchange->doi && (exchange->doi->id != GROUP_DOI_GDOI) && + connection_exist (exchange->name)) + { + sa->flags |= SA_FLAG_STAYALIVE; + + /* ISAKMP SA of this connection should also stay alive. */ + if (exchange->phase == 2 && msg->isakmp_sa) + msg->isakmp_sa->flags |= SA_FLAG_STAYALIVE; + } + } + + sa->exch_type = exchange->type; + } + + /* + * If this was an phase 1 SA negotiation, save the keystate in the ISAKMP SA + * structure for future initialization of phase 2 exchanges' keystates. + * Also save the Phase 1 ID and authentication information. 
+ */ + if (exchange->phase == 1 && msg->isakmp_sa) + { + msg->isakmp_sa->keystate = exchange->keystate; + exchange->keystate = 0; + + msg->isakmp_sa->recv_certtype = exchange->recv_certtype; + msg->isakmp_sa->recv_certlen = exchange->recv_certlen; + msg->isakmp_sa->recv_key = exchange->recv_key; + exchange->recv_key = NULL; /* Reset */ + msg->isakmp_sa->policy_id = exchange->policy_id; + exchange->policy_id = -1; /* Reset */ + msg->isakmp_sa->id_i_len = exchange->id_i_len; + msg->isakmp_sa->id_r_len = exchange->id_r_len; + msg->isakmp_sa->initiator = exchange->initiator; + + switch (exchange->recv_certtype) + { + case ISAKMP_CERTENC_NONE: + case ISAKMP_CERTENC_KEYNOTE: /* No need for special handling */ + msg->isakmp_sa->recv_cert = malloc (exchange->recv_certlen); + if (!msg->isakmp_sa->recv_cert) + { + log_error ("exchange_finalize: malloc (%d) failed", + exchange->recv_certlen); + /* XXX How to cleanup? */ + return; + } + memcpy (msg->isakmp_sa->recv_cert, exchange->recv_cert, + msg->isakmp_sa->recv_certlen); + break; + + case ISAKMP_CERTENC_X509_SIG: +#ifdef USE_X509 + msg->isakmp_sa->recv_cert = LC (X509_dup, + ((X509 *) exchange->recv_cert)); + if (!msg->isakmp_sa->recv_cert) + { + log_print ("exchange_finalize: " + "failed copying X509 certificate to isakmp_sa"); + /* XXX How to cleanup? */ + return; + } + break; +#endif + + /* XXX Eventually handle these */ + case ISAKMP_CERTENC_PKCS: + case ISAKMP_CERTENC_PGP: + case ISAKMP_CERTENC_DNS: + case ISAKMP_CERTENC_X509_KE: + case ISAKMP_CERTENC_KERBEROS: + case ISAKMP_CERTENC_CRL: + case ISAKMP_CERTENC_ARL: + case ISAKMP_CERTENC_SPKI: + case ISAKMP_CERTENC_X509_ATTR: + break; + } + + LOG_DBG ((LOG_EXCHANGE, 10, + "exchange_finalize: phase 1 done: %s, %s", + exchange->doi == NULL ? "" : + exchange->doi->decode_ids ("initiator id %s, responder id %s", + exchange->id_i, exchange->id_i_len, + exchange->id_r, exchange->id_r_len, + 0), + msg->isakmp_sa == NULL || msg->isakmp_sa->transport == NULL + ? 
"" + : msg->isakmp_sa->transport->vtbl->decode_ids (msg->isakmp_sa->transport))); + } + + exchange->doi->finalize_exchange (msg); + if (exchange->finalize) + exchange->finalize (exchange, exchange->finalize_arg, 0); + exchange->finalize = 0; + + /* copy the ID from phase 1 to exchange or phase 2 SA */ + if (msg->isakmp_sa) + { + if (exchange->id_i && exchange->id_r) + { + ipsec_clone_id (&msg->isakmp_sa->id_i, &msg->isakmp_sa->id_i_len, + exchange->id_i, exchange->id_i_len); + ipsec_clone_id (&msg->isakmp_sa->id_r, &msg->isakmp_sa->id_r_len, + exchange->id_r, exchange->id_r_len); + } + else if (msg->isakmp_sa->id_i && msg->isakmp_sa->id_r) + { + ipsec_clone_id (&exchange->id_i, &exchange->id_i_len, + msg->isakmp_sa->id_i, msg->isakmp_sa->id_i_len); + ipsec_clone_id (&exchange->id_r, &exchange->id_r_len, + msg->isakmp_sa->id_r, msg->isakmp_sa->id_r_len); + } + } + + /* + * The GDOI PUSH exchange is reused, so don't cleanup the exchange. + */ + if (exchange->doi && (exchange->doi->id == GROUP_DOI_GDOI) && + (exchange->type == GDOI_EXCH_PUSH_MODE)) + { + /* + * The GDOI PUSH receiver needs to clean up the ISAKMP SA, if it + * still exists. We don't wan't to delete the IPsec SAs (below), so + * exit here unconditionally. + */ + if (!exchange->initiator && msg->isakmp_sa) + { + sa_delete(msg->isakmp_sa, 0); + } + return; + } + + /* + * There is no reason to keep the SAs connected to us anymore, in fact + * it can hurt us if we have short lifetimes on the SAs and we try + * to call exchange_report, where the SA list will be walked and + * references to freed SAs can occur. 
+ */ + while (TAILQ_FIRST (&exchange->sa_list)) + { + struct sa *sa = TAILQ_FIRST (&exchange->sa_list); + + if (exchange->id_i && exchange->id_r) + { + ipsec_clone_id (&sa->id_i, &sa->id_i_len, exchange->id_i, + exchange->id_i_len); + ipsec_clone_id (&sa->id_r, &sa->id_r_len, exchange->id_r, + exchange->id_r_len); + } + + TAILQ_REMOVE (&exchange->sa_list, sa, next); + sa_release (sa); + } + + /* If we have nothing to retransmit we can safely remove ourselves. */ + if (!exchange->last_sent) + exchange_free (exchange); +} + +/* Stash a nonce into the exchange data. */ +static int +exchange_nonce (struct exchange *exchange, int peer, size_t nonce_sz, + u_int8_t *buf) +{ + int initiator = exchange->initiator ^ peer; + u_int8_t **nonce; + size_t *nonce_len; + char header[32]; + + nonce = initiator ? &exchange->nonce_i : &exchange->nonce_r; + nonce_len = initiator ? &exchange->nonce_i_len : &exchange->nonce_r_len; + *nonce_len = nonce_sz; + *nonce = malloc (nonce_sz); + if (!*nonce) + { + log_error ("exchange_nonce: malloc (%d) failed", nonce_sz); + return -1; + } + memcpy (*nonce, buf, nonce_sz); + snprintf (header, 32, "exchange_nonce: NONCE_%c", initiator ? 'i' : 'r'); + LOG_DBG_BUF ((LOG_EXCHANGE, 80, header, *nonce, nonce_sz)); + return 0; +} + +/* Generate our NONCE. */ +int +exchange_gen_nonce (struct message *msg, size_t nonce_sz) +{ + struct exchange *exchange = msg->exchange; + u_int8_t *buf; + + buf = malloc (ISAKMP_NONCE_SZ + nonce_sz); + if (!buf) + { + log_error ("exchange_gen_nonce: malloc (%d) failed", + ISAKMP_NONCE_SZ + nonce_sz); + return -1; + } + getrandom (buf + ISAKMP_NONCE_DATA_OFF, nonce_sz); + if (message_add_payload (msg, ISAKMP_PAYLOAD_NONCE, buf, + ISAKMP_NONCE_SZ + nonce_sz, 1)) + { + free (buf); + return -1; + } + return exchange_nonce (exchange, 0, nonce_sz, buf + ISAKMP_NONCE_DATA_OFF); +} + +/* Save the peer's NONCE. 
*/ +int +exchange_save_nonce (struct message *msg) +{ + struct payload *noncep; + struct exchange *exchange = msg->exchange; + + noncep = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NONCE]); + noncep->flags |= PL_MARK; + return exchange_nonce (exchange, 1, + GET_ISAKMP_GEN_LENGTH (noncep->p) + - ISAKMP_NONCE_DATA_OFF, + noncep->p + ISAKMP_NONCE_DATA_OFF); +} + +/* Save the peer's CERT REQuests. */ +int +exchange_save_certreq (struct message *msg) +{ + struct payload *cp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_CERT_REQ]); + struct exchange *exchange = msg->exchange; + struct certreq_aca *tmp; + + for ( ; cp; cp = TAILQ_NEXT (cp, link)) + { + cp->flags |= PL_MARK; + tmp = certreq_decode (GET_ISAKMP_CERTREQ_TYPE (cp->p), + cp->p + ISAKMP_CERTREQ_AUTHORITY_OFF, + GET_ISAKMP_GEN_LENGTH (cp->p) - + ISAKMP_CERTREQ_AUTHORITY_OFF); + if (!tmp) + continue; + TAILQ_INSERT_TAIL (&exchange->aca_list, tmp, link); + } + + return 0; +} + +/* Free the list of pending CERTREQ */ + +void +exchange_free_aca_list (struct exchange *exchange) +{ + struct certreq_aca *aca; + + for (aca = TAILQ_FIRST (&exchange->aca_list); aca; + aca = TAILQ_FIRST (&exchange->aca_list)) + { + if (aca->data) + { + if (aca->handler) + aca->handler->free_aca (aca->data); + free (aca->data); + } + TAILQ_REMOVE (&exchange->aca_list, aca, link); + free (aca); + } +} + +/* Obtain certificates from acceptable certification authority. */ +int +exchange_add_certs (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct certreq_aca *aca; + u_int8_t *cert; + u_int32_t certlen; + u_int8_t *id; + size_t id_len; + + id = exchange->initiator ? exchange->id_r : exchange->id_i; + id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len; + + for (aca = TAILQ_FIRST (&exchange->aca_list); aca; + aca = TAILQ_NEXT (aca, link)) + { + /* XXX? 
If we can not satisfy a CERTREQ we drop the message */ + if (!aca->handler->cert_obtain (id, id_len, aca->data, &cert, &certlen)) + { + log_print ("exchange_add_certs: could not obtain cert for a type %d " + "cert request", aca->id); + return -1; + } + cert = realloc (cert, ISAKMP_CERT_SZ + certlen); + if (!cert) + { + log_error ("exchange_add_certs: realloc (%p, %d) failed", cert, + ISAKMP_CERT_SZ + certlen); + return -1; + } + memmove (cert + ISAKMP_CERT_DATA_OFF, cert, certlen); + SET_ISAKMP_CERT_ENCODING (cert, aca->id); + if (message_add_payload (msg, ISAKMP_PAYLOAD_CERT, cert, + ISAKMP_CERT_SZ + certlen, 1)) + { + free (cert); + return -1; + } + } + + /* We dont need the CERT REQs any more, they are anwsered */ + exchange_free_aca_list (exchange); + + return 0; +} + +static void +exchange_establish_finalize (struct exchange *exchange, void *arg, int fail) +{ + char *name = arg; + + LOG_DBG ((LOG_EXCHANGE, 20, + "exchange_establish_finalize: " + "finalizing exchange %p with arg %p (%s) & fail = %d", + exchange, arg, name ? name : "", fail)); + + if (!fail) + exchange_establish (name, 0, 0); + free (name); +} + +/* + * Establish an exchange named NAME, and record the FINALIZE function + * taking ARG as an argument to be run after the exchange is ready. + */ +void +exchange_establish (char *name, + void (*finalize) (struct exchange *, void *, int), + void *arg) +{ + int phase; + char *trpt; + struct transport *transport; + char *peer; + struct sa *isakmp_sa; + struct exchange *exchange; + phase = conf_get_num (name, "Phase", 0); + + /* + * First of all, never try to establish anything if another exchange of the + * same kind is running. 
+ */ + exchange = exchange_lookup_by_name (name, phase); + if (exchange) + { + LOG_DBG ((LOG_EXCHANGE, 40, + "exchange_establish: %s exchange already exists as %p", name, + exchange)); + exchange_add_finalization (exchange, finalize, arg); + return; + } + + switch (phase) + { + case 1: + trpt = conf_get_str (name, "Transport"); + if (!trpt) + { + /* Phase 1 transport defaults to "udp". */ + trpt = ISAKMP_DEFAULT_TRANSPORT; + } + + transport = transport_create (trpt, name); + if (!transport) + { + log_print ("exchange_establish: " + "transport \"%s\" for peer \"%s\" could not be created", + trpt, name); + return; + } + + exchange_establish_p1 (transport, 0, 0, name, 0, finalize, arg); + break; + + case 2: + peer = conf_get_str (name, "ISAKMP-peer"); + if (!peer) + { + log_print ("exchange_establish: No ISAKMP-peer given for \"%s\"", + name); + return; + } + + isakmp_sa = sa_lookup_by_name (peer, 1); + if (!isakmp_sa) + { + name = strdup (name); + if (!name) + { + log_error ("exchange_establish: strdup(\"%s\") failed", name); + return; + } + + if (conf_get_num (peer, "Phase", 0) != 1) + { + log_print ("exchange_establish: " + "[%s]:ISAKMP-peer's (%s) phase is not 1", name, peer); + return; + } + + exchange_establish (peer, exchange_establish_finalize, name); + } + else + exchange_establish_p2 (isakmp_sa, 0, name, 0, finalize, arg); + break; + + default: + log_print ("exchange_establish: " + "peer \"%s\" does not have a correct phase (%d)", + name, phase); + break; + } +} diff --git a/src/exchange.h b/src/exchange.h new file mode 100644 index 0000000..f94dd5d --- /dev/null +++ b/src/exchange.h 
@@ -0,0 +1,215 @@
+/* $Id: exchange.h,v 1.2 2002/05/10 04:25:12 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/exchange.h,v $ */
+
+/* $OpenBSD: exchange.h,v 1.18 2001/02/24 03:59:55 angelos Exp $ */
+/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _EXCHANGE_H_
+#define _EXCHANGE_H_
+
+#include
+#include
+#include
+
+#include "exchange_num.h"
+#include "isakmp.h"
+
+/* Remove an exchange if it has not been fully negotiated in this time. */
+#define EXCHANGE_MAX_TIME 120
+
+struct crypto_xf;
+struct certreq_aca;
+struct doi;
+struct event;
+struct keystate;
+struct message;
+struct payload;
+struct transport;
+struct sa;
+
+struct exchange {
+ /* Link to exchanges with the same hash value. */
+ LIST_ENTRY (exchange) link;
+
+ /* A name of the SAs this exchange will result in. XXX non unique? */
+ char *name;
+
+ /* A name of the major policy deciding offers and acceptable proposals. */
+ char *policy;
+
+ /*
+ * A function with a polymorphic argument called after the exchange
+ * has been run to its end, successfully. The 2nd argument is true
+ * if the finalization hook is called due to the exchange not running
+ * to its end normally.
+ */
+ void (*finalize) (struct exchange *, void *, int);
+ void *finalize_arg;
+
+ /* When several SA's are being negotiated we keep them here. */
+ TAILQ_HEAD (sa_head, sa) sa_list;
+
+ /*
+ * The event that will occur when it has taken too long time to try to
+ * run the exchange and which will trigger auto-destruction.
+ */
+ struct event *death;
+
+ /*
+ * Both initiator and responder cookies.
+ * XXX For code clarity we might split this into two fields.
+ */
+ u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];
+
+ /* The message ID signifying phase 2 exchanges. */
+ u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
+
+ /* The exchange type we are using. */
+ u_int8_t type;
+
+ /* Phase is 1 for ISAKMP SA exchanges, and 2 for application ones. */
+ u_int8_t phase;
+
+ /* The "step counter" of the exchange, starting from zero. */
+ u_int8_t step;
+
+ /* 1 if we are the initiator, 0 if we are the responder. */
+ u_int8_t initiator;
+
+ /* Various flags, look below for descriptions.
*/
+ u_int32_t flags;
+
+ /* The DOI that is to handle DOI-specific issues for this exchange. */
+ struct doi *doi;
+
+ /*
+ * A "program counter" into the script that validate message contents for
+ * this exchange.
+ */
+ int16_t *exch_pc;
+
+ /* The last message received, used for checking for duplicates. */
+ struct message *last_received;
+
+ /* The last message sent, to be acked when something new is received. */
+ struct message *last_sent;
+
+ /*
+ * If some message is queued up for sending, we want to be able to remove
+ * it from the queue, when the exchange is deleted.
+ */
+ struct message *in_transit;
+
+ /*
+ * Initiator's & responder's nonces respectively, with lengths.
+ * XXX Should this be in the DOI-specific parts instead?
+ */
+ u_int8_t *nonce_i;
+ size_t nonce_i_len;
+ u_int8_t *nonce_r;
+ size_t nonce_r_len;
+
+ /* The ID payload contents for the initiator & responder, respectively. */
+ u_int8_t *id_i;
+ size_t id_i_len;
+ u_int8_t *id_r;
+ size_t id_r_len;
+
+ /* Policy session identifier, where applicable */
+ int policy_id;
+
+ /* Crypto info needed to encrypt/decrypt packets in this exchange. */
+ struct crypto_xf *crypto;
+ int key_length;
+ struct keystate *keystate;
+
+ /*
+ * Received certificate - used to verify signatures on packet,
+ * stored here for later policy processing.
+ * a type of ISAKMP_CERTENC_NONE implies pre-shared key.
+ */
+ int recv_certtype, recv_certlen;
+ void *recv_cert;
+ void *recv_key;
+
+ /* ACQUIRE sequence number */
+ u_int32_t seq;
+
+ /* XXX This is no longer necessary, it is covered by policy. */
+
+ /* Acceptable authorities for cert requests */
+ TAILQ_HEAD (aca_head, certreq_aca) aca_list;
+
+ /* DOI-specific opaque data. */
+ void *data;
+};
+
+/* The flag bits.
*/
+#define EXCHANGE_FLAG_I_COMMITTED 1
+#define EXCHANGE_FLAG_HE_COMMITTED 2
+#define EXCHANGE_FLAG_COMMITTED (EXCHANGE_FLAG_I_COMMITTED \
+ | EXCHANGE_FLAG_HE_COMMITTED)
+#define EXCHANGE_FLAG_ENCRYPT 4
+
+extern int exchange_add_certs (struct message *);
+extern void exchange_finalize (struct message *);
+extern void exchange_free (struct exchange *);
+extern void exchange_free_aca_list (struct exchange *);
+extern void exchange_establish (char *name,
+ void (*) (struct exchange *, void *, int),
+ void *);
+extern void exchange_establish_p1 (struct transport *, u_int8_t, u_int32_t,
+ char *, void *,
+ void (*) (struct exchange *, void *, int),
+ void *);
+extern void exchange_establish_p2 (struct sa *, u_int8_t, char *, void *,
+ void (*) (struct exchange *, void *, int),
+ void *);
+extern int exchange_gen_nonce (struct message *, size_t);
+extern void exchange_init (void);
+extern struct exchange *exchange_lookup (u_int8_t *, int);
+extern struct exchange *exchange_lookup_by_name (char *, int);
+extern struct exchange *exchange_lookup_from_icookie (u_int8_t *);
+extern void exchange_report (void);
+extern void exchange_run (struct message *);
+extern int exchange_save_nonce (struct message *);
+extern int exchange_save_certreq (struct message *);
+extern u_int16_t *exchange_script (struct exchange *);
+extern struct exchange *exchange_setup_p1 (struct message *, u_int32_t);
+extern struct exchange *exchange_setup_p2 (struct message *, u_int8_t);
+extern void exchange_upgrade_p1 (struct message *);
+
+#endif /* _EXCHANGE_H_ */
diff --git a/src/exchange_num.cst b/src/exchange_num.cst
new file mode 100644
index 0000000..c64d470
--- /dev/null
+++ b/src/exchange_num.cst
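Review bot: `recv_certlen` is declared as a signed `int` in `struct exchange` (`int recv_certtype, recv_certlen;`), unlike the other lengths in the struct (`nonce_i_len`, `id_i_len`, `id_r_len`), which are `size_t`. exchange_finalize in src/exchange.c of this commit passes it to `malloc (exchange->recv_certlen)` and then uses the copied value as the `memcpy` length, so a negative value would turn into a very large size; the place where the field is filled from a received certificate is not in this header, so that assignment is where a range check belongs. I would declare it as `size_t recv_certlen;` on its own line and adjust the `%d` in the matching `log_error` call. Also in this hunk, `exch_pc` is `int16_t *` while `exchange_script` is declared as returning `u_int16_t *`, and the comment on `finalize` calls the failure flag "the 2nd argument" although it is the third parameter.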
@@ -0,0 +1,50 @@
+# $Id: exchange_num.cst,v 1.2 2002/05/10 04:25:12 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/exchange_num.cst,v $
+
+# $OpenBSD: exchange_num.cst,v 1.3 1998/11/17 11:10:10 niklas Exp $
+# $EOM: exchange_num.cst,v 1.1 1998/08/05 09:23:32 niklas Exp $
+
+#
+# Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# Special exchange script symbols.
+EXCHANGE_SCRIPT
+# Special type signifying PAYLOAD_HASH or PALOAD_SIG must be present.
+ AUTH -1
+# Special type signifying PAYLOAD_NOTIFY or PALOAD_DELETE must be present.
+ INFO -2
+# Switch roles at this point in the exchange.
+ SWITCH -3
+# End of script
+ END -4
+.
diff --git a/src/field.c b/src/field.c
new file mode 100644
index 0000000..937dd06
--- /dev/null
+++ b/src/field.c
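Review bot: The two comments above `AUTH` and `INFO` misspell the payload names as `PALOAD_SIG` and `PALOAD_DELETE`; they should read `PAYLOAD_SIG` and `PAYLOAD_DELETE` so that a search for the real names finds these lines. A one-line comment stating that all four script symbols are deliberately negative (`AUTH -1` through `END -4`), presumably so they cannot collide with payload type numbers, would help whoever reads the script arrays that use them.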
@@ -0,0 +1,266 @@ +/* $Id: field.c,v 1.2 2002/05/10 04:25:12 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/field.c,v $ */ + +/* $OpenBSD: field.c,v 1.8 2000/02/25 17:23:39 niklas Exp $ */ +/* $EOM: field.c,v 1.11 2000/02/20 19:58:37 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "constants.h" +#include "field.h" +#include "log.h" +#include "util.h" + +static char *field_debug_raw (u_int8_t *, size_t, struct constant_map **); +static char *field_debug_num (u_int8_t *, size_t, struct constant_map **); +static char *field_debug_mask (u_int8_t *, size_t, struct constant_map **); +static char *field_debug_ign (u_int8_t *, size_t, struct constant_map **); +static char *field_debug_cst (u_int8_t *, size_t, struct constant_map **); + +/* Contents must match the enum in struct field. */ +static char *(*decode_field[]) (u_int8_t *, size_t, struct constant_map **) = { + field_debug_raw, + field_debug_num, + field_debug_mask, + field_debug_ign, + field_debug_cst +}; + +/* + * Return a string showing the hexadecimal contents of the LEN-sized buffer + * BUF. MAPS should be zero and is only here because the API requires it. + */ +static char * +field_debug_raw (u_int8_t *buf, size_t len, struct constant_map **maps) +{ + char *retval, *p; + + if (len == 0) + return 0; + retval = malloc (3 + len * 2); + if (!retval) + return 0; + strcpy (retval, "0x"); + p = retval + 2; + while (len--) + { + sprintf (p, "%02x", *buf++); + p += 2; + } + return retval; +} + +/* + * Convert the unsigned LEN-sized number at BUF of network byteorder to a + * 32-bit unsigned integer of host byteorder pointed to by VAL. + */ +static int +extract_val (u_int8_t *buf, size_t len, u_int32_t *val) +{ + switch (len) + { + case 1: + *val = *buf; + break; + case 2: + *val = decode_16 (buf); + break; + case 4: + *val = decode_32 (buf); + break; + default: + return -1; + } + return 0; +} + +/* + * Return a textual representation of the unsigned number pointed to by BUF + * which is LEN octets long. MAPS should be zero and is only here because + * the API requires it. 
+ */ +static char * +field_debug_num (u_int8_t *buf, size_t len, struct constant_map **maps) +{ + char *retval; + u_int32_t val; + + if (extract_val (buf, len, &val)) + return 0; + /* 3 decimal digits are enough to represent each byte. */ + retval = malloc (3 * len); + snprintf (retval, 3 * len, "%u", val); + return retval; +} + +/* + * Return the symbolic names of the flags pointed to by BUF which is LEN + * octets long, using the constant maps MAPS. + */ +static char * +field_debug_mask (u_int8_t *buf, size_t len, struct constant_map **maps) +{ + u_int32_t val; + u_int32_t bit; + char *retval, *new_buf, *name; + size_t buf_sz; + + if (extract_val (buf, len, &val)) + return 0; + + /* Size for brackets, two spaces and a NUL terminator. */ + buf_sz = 4; + retval = malloc (buf_sz); + if (!retval) + return 0; + + strcpy (retval, "[ "); + for (bit = 1; bit; bit <<= 1) + { + if (val & bit) + { + name = constant_name_maps (maps, bit); + buf_sz += strlen (name) + 1; + new_buf = realloc (retval, buf_sz); + if (!new_buf) + { + free (retval); + return 0; + } + retval = new_buf; + strcat (retval, name); + strcat (retval, " "); + } + } + strcat (retval, "]"); + return retval; +} + +/* + * Just a dummy needed to skip the unused LEN sized space at BUF. MAPS + * should be zero and is only here because the API requires it. + */ +static char * +field_debug_ign (u_int8_t *buf, size_t len, struct constant_map **maps) +{ + return 0; +} + +/* + * Return the symbolic name of a constant pointed to by BUF which is LEN + * octets long, using the constant maps MAPS. + */ +static char * +field_debug_cst (u_int8_t *buf, size_t len, struct constant_map **maps) +{ + u_int32_t val; + + if (extract_val (buf, len, &val)) + return 0; + + return strdup (constant_name_maps (maps, val)); +} + +/* Pretty-print a field from BUF as described by F. 
*/ +void +field_dump_field (struct field *f, u_int8_t *buf) +{ + char *value; + + value = decode_field[(int)f->type] (buf + f->offset, f->len, f->maps); + if (value) + { + LOG_DBG ((LOG_MESSAGE, 70, "%s: %s", f->name, value)); + free (value); + } +} + +/* Pretty-print all the fields of BUF as described in FIELDS. */ +void +field_dump_payload (struct field *fields, u_int8_t *buf) +{ + struct field *field; + + for (field = fields; field->name; field++) + field_dump_field (field, buf); +} + +/* Return the numeric value of the field F of BUF. */ +u_int32_t +field_get_num (struct field *f, u_int8_t *buf) +{ + u_int32_t val; + + if (extract_val (buf + f->offset, f->len, &val)) + return 0; + return val; +} + +/* Stash the number VAL into BUF's field F. */ +void +field_set_num (struct field *f, u_int8_t *buf, u_int32_t val) +{ + switch (f->len) + { + case 1: + buf[f->offset] = val; + break; + case 2: + encode_16 (buf + f->offset, val); + break; + case 4: + encode_32 (buf + f->offset, val); + break; + } +} + +/* Stash BUF's raw field F into VAL. */ +void +field_get_raw (struct field *f, u_int8_t *buf, u_int8_t *val) +{ + memcpy (val, buf + f->offset, f->len); +} + +/* Stash the buffer VAL into BUF's field F. */ +void +field_set_raw (struct field *f, u_int8_t *buf, u_int8_t *val) +{ + memcpy (buf + f->offset, val, f->len); +} diff --git a/src/field.h b/src/field.h new file mode 100644 index 0000000..3c6ae8e --- /dev/null +++ b/src/field.h 
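Review bot: `field_debug_num` passes the result of `malloc (3 * len)` straight to `snprintf` without a NULL check, unlike `field_debug_raw` and `field_debug_mask` in the same hunk, and the size leaves no room for the terminator: a one-byte field gets a 3-byte buffer, so any value of 100 or more is cut to two digits in the debug output. I would allocate one more byte and check the pointer: `retval = malloc (3 * len + 1);`, `if (!retval) return 0;`, `snprintf (retval, 3 * len + 1, "%u", val);`. Separately, `field_dump_field`, `field_get_num`, `field_get_raw` and `field_set_raw` all access `buf + f->offset` for `f->len` bytes without knowing how long `buf` is, so a comment such as `/* Caller must have checked that BUF holds at least f->offset + f->len octets. */` belongs on each; whether the callers do that check is not visible in this hunk.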
@@ -0,0 +1,60 @@ +/* $Id: field.h,v 1.2 2002/05/10 04:25:12 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/field.h,v $ */ + +/* $OpenBSD: field.h,v 1.3 1998/11/17 11:10:10 niklas Exp $ */ +/* $EOM: field.h,v 1.3 1998/08/02 20:25:01 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _FIELD_H_
+#define _FIELD_H_
+
+#include
+
+struct field {
+ char *name;
+ int offset;
+ size_t len;
+ enum { raw, num, mask, ign, cst } type;
+ struct constant_map **maps;
+};
+
+extern void field_dump_field (struct field *, u_int8_t *);
+extern void field_dump_payload (struct field *, u_int8_t *);
+extern u_int32_t field_get_num (struct field *, u_int8_t *);
+extern void field_get_raw (struct field *, u_int8_t *, u_int8_t *);
+extern void field_set_num (struct field *, u_int8_t *, u_int32_t);
+extern void field_set_raw (struct field *, u_int8_t *, u_int8_t *);
+
+#endif /* _FIELD_H_ */
diff --git a/src/gdoi.h b/src/gdoi.h
new file mode 100644
index 0000000..d3268bc
--- /dev/null
+++ b/src/gdoi.h
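Review bot: The `type` enum inside `struct field` carries no comment, yet `field.c` uses it directly as an index (`decode_field[(int)f->type]`), so the enumerator order is load-bearing and an enumerator inserted in the middle would silently select the wrong decoder. A comment above the enum such as `/* Order must match decode_field[] in field.c. */` would keep the two in step. It would also help to document `offset` and `len` as a byte offset into the payload buffer and a length in octets, and to note that the numeric accessors only handle lengths 1, 2 and 4, since `extract_val` rejects everything else and `field_set_num` silently does nothing for other lengths.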
@@ -0,0 +1,177 @@ +/* $Id: gdoi.h,v 1.10.2.2 2011/12/05 20:26:54 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + +#ifndef _GDOI_H_ +#define _GDOI_H_ +#include +#include +#include "transport.h" +#ifdef USE_X509 +#include +#include +#include +#include +#include +#include +#endif + +#define KEK_SPI_SIZE 16 +#define AES128_LENGTH 16 +#define GCM_SALT_LENGTH 4 + +#define FALSE 0 +#define TRUE 1 + +/* + * Partial KEK information to pass as the next KEK. We only support channging + * the SPI and encryption keys now, not the entire policy. + */ +struct next_gdoi_kek { + u_int8_t spi[KEK_SPI_SIZE]; + u_int8_t *encrypt_iv; + u_int8_t *encrypt_key; /* 3DES keys are stored as one value */ +}; + +struct deleted_sa { + TAILQ_ENTRY (deleted_sa) link; + u_int32_t doi; + u_int8_t protocol_type; + u_int8_t spi[KEK_SPI_SIZE]; +}; + +/* + * Group KEK in-memory structure. + */ +struct gdoi_kek { + TAILQ_ENTRY (gdoi_kek) link; +#define CREATE_NEW_KEK 0x01 +#define SEND_NEW_KEK 0x02 +#define CLEANING_UP 0x04 +#define USE_EXCH_ONLY 0x08 + u_int32_t flags; + u_int8_t *group_id; + u_int32_t group_id_len; + in_addr_t src_addr; + in_addr_t dst_addr; + u_int16_t sport; + u_int16_t dport; + u_int8_t spi[KEK_SPI_SIZE]; + u_int32_t current_seq_num; + u_int32_t replay_bitmap; + u_int16_t encrypt_alg; + u_int16_t sig_hash_alg; + u_int16_t sig_alg; + u_int8_t *encrypt_iv; + u_int8_t *encrypt_key; /* 3DES keys are stored as one value */ + u_int32_t encrypt_key_len; /* Only used for AES. 
Stored in bytes */ + u_int8_t *signature_key; + u_int16_t signature_key_modulus_size; /* The "size" of the key in bits */ + u_int32_t signature_key_len; /* Actual key size in bytes (PKCS#1 encaps) */ + struct next_gdoi_kek next_kek_policy; /* Send this info in a rekey message */ +#ifdef USE_X509 + RSA *rsa_keypair; +#endif + u_int32_t tek_timer_interval; + u_int32_t kek_timer_interval; + struct event *tek_lifetime_ev; /* Periodic TEK rekey timer (create new TEKS)*/ + struct event *kek_lifeime_ev; /* Periodic KEK rekey timer (new KEK keys) */ + int recv_sock; + int send_sock; + struct transport *send_transport; + struct exchange *send_exchange; + struct sockaddr_in recv_addr; /* Sender socket to join group */ + struct sockaddr_in send_addr; /* Sender socket to send to group */ + char *exchange_name; + struct ip_mreq mreq; + u_int16_t atd, dtd; + /* GM SID variables */ + u_int32_t sid_length; + u_int32_t number_sids; +#define MAX_GM_SIDS 5 + u_int32_t sids[MAX_GM_SIDS]; + u_int32_t number_sids_needed; + /* KS SID variables */ + u_int64_t sid_counter; + TAILQ_HEAD (deleted_sa_head, deleted_sa) deleted_sa_list; +}; + +extern int (*gdoi_rekey_initiator[]) (struct message *); +extern int (*gdoi_rekey_responder[]) (struct message *); + +void gdoi_rekey_init(void); +void gdoi_phase2_init(void); +struct gdoi_kek *gdoi_get_kek (u_int8_t *, size_t, int); +int gdoi_read_keypair (u_int8_t *, struct gdoi_kek *); +int gdoi_store_pubkey (u_int8_t *, int, struct gdoi_kek *); +int gdoi_kek_rekey_start (struct gdoi_kek *); +int gdoi_rekey_start (struct gdoi_kek *); +int gdoi_rekey_listen (struct gdoi_kek *); +int gdoi_rekey_setup_exchange (struct gdoi_kek *); +struct gdoi_kek *gdoi_get_kek_by_cookies (u_int8_t *); +struct gdoi_kek *gdoi_get_kek_by_transport (struct transport *); +struct gdoi_kek *gdoi_get_kek_by_name (char *); + +u_int8_t *gdoi_build_tek_id_internal (int, struct in_addr, struct in_addr, + uint16_t, size_t *); +enum hashes xlate_gdoi_hash (u_int16_t); + +#endif /* 
_GDOI_H_ */ diff --git a/src/gdoi_app_client.c b/src/gdoi_app_client.c new file mode 100644 index 0000000..3d77478 --- /dev/null +++ b/src/gdoi_app_client.c 
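Review bot: `struct gdoi_kek` and `struct next_gdoi_kek` keep key material behind bare `u_int8_t *` members (`encrypt_key`, `encrypt_iv`, `signature_key`), but only `encrypt_key_len` and `signature_key_len` record a length, and nothing states who allocates and frees these buffers or whether they are cleared before release. A comment on each pointer, for example `/* heap buffer owned by this struct; length implied by encrypt_alg unless encrypt_key_len is set; wipe before free */`, would make the contract explicit, though the actual ownership has to be confirmed against the code that fills them, which is not in this hunk. `sids[MAX_GM_SIDS]` likewise depends on every writer bounding `number_sids` by `MAX_GM_SIDS`, which deserves a note next to the array. The member name `kek_lifeime_ev` looks like a typo for `kek_lifetime_ev`.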
@@ -0,0 +1,693 @@ +/* $Id: gdoi_app_client.c,v 1.1.4.3 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_app_client.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * gdoi_app_client.c - Code to send/receive messages from GDOI + * applications. 
+ */ + +#include +#include +#include +#include +#include +#include +#ifdef NOT_LINUX +#include +#endif +#include +#include +#include +#include + +#include "log.h" +#include "util.h" +#include "string.h" +#include "transport.h" +#include "attribute.h" +#include "message.h" +#include "exchange.h" +#include "sa.h" +#include "gdoi_num.h" +#include "gdoi_app_num.h" +#include "gdoi_app_client.h" +#ifdef IEC90_5_SUPPORT +#include "gdoi_phase2.h" /* To get struct gdoi_kd_decode_arg */ +#include "gdoi_iec90_5_protos.h" +#endif +#ifdef SRTP_SUPPORT +#include "gdoi_phase2.h" /* To get struct gdoi_kd_decode_arg */ +#include "gdoi_srtp_protos.h" +#endif + +#define FALSE 0 +#define TRUE 1 + +#define APP_CLIENT_PIPE "/tmp/apps_to_gdoi" + +extern int sigpiped; + +#define ATTR_SIZE (50 * ISAKMP_ATTR_VALUE_OFF) + +struct gdoi_app_group_info_type { + struct cmd_header hdr; + int group_id; + char address[7]; /* Possible address for ID type, depends on app type */ + char pipe_name[80]; +}; + +struct gdoi_app_transport { + struct transport transport; + struct gdoi_app_group_info_type gdoi_app_group_info; + int s; + int return_s; + int listening_socket_only; + int master_client_transport; /* One on which to accept connections */ +}; + +void gdoi_app_remove (struct transport *); +static void gdoi_app_report(struct transport *); +static int gdoi_app_fd_set(struct transport *, fd_set *, int); +static int gdoi_app_fd_isset(struct transport *, fd_set *); +static void gdoi_app_handle_message(struct transport *); + +static struct transport_vtbl gdoi_app_transport_vtbl = { + { 0 }, "app", + NULL, + gdoi_app_remove, + gdoi_app_report, + gdoi_app_fd_set, + gdoi_app_fd_isset, + gdoi_app_handle_message, + /* gdoi_app_send_message */ NULL, + /* gdoi_app_get_dst */ NULL, + /* gdoi_app_get_src */ NULL +}; + +void +gdoi_app_client_init (void) +{ + int s, ret; + struct gdoi_app_transport *t = 0; + struct sockaddr_un pipe; + mode_t old_umask; + int on = 1; + + /* + * Add the GDOI Application method to the 
transport list + */ + transport_method_add (&gdoi_app_transport_vtbl); + + /* + * Create the IPC socket, and add it as a transport session. + */ + t = malloc (sizeof *t); + if (!t) + { + log_print ("gdoi_app_client_init: malloc (%d) failed", sizeof *t); + return; + } + + t->transport.vtbl = &gdoi_app_transport_vtbl; + + s = socket (AF_LOCAL, SOCK_STREAM, 0); + if (s < 0) + { + log_error ("gdoi_app_client_init: socket failed"); + return; + } + + ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); + if (ret < 0) + { + log_error ("gdoi_app_client_init: bind failed"); + return; + } + + /* + * Make sure it's not left over from another run. + */ + unlink(APP_CLIENT_PIPE); + + /* + * The mode of the pipe must be readable by all, so we need to adjust + * our umask accordingly. + */ + old_umask = umask(0044); + + bzero(&pipe, sizeof(struct sockaddr_un)); + pipe.sun_family = AF_LOCAL; + strncpy(pipe.sun_path, APP_CLIENT_PIPE, sizeof(pipe.sun_path)-1); + + ret = bind(s, (struct sockaddr *) &pipe, SUN_LEN(&pipe)); + if (ret < 0) + { + log_error ("gdoi_app_client_init: bind failed"); + return; + } + + /* + * Reset the process umask for security reasons. + */ + (void) umask(old_umask); + + ret = listen(s, 1024); + if (ret < 0) + { + log_error ("listen failed"); + return; + } + + /* + * Set the open socket in the transport structure. + */ + t->s = s; + t->return_s = 0; + t->listening_socket_only = TRUE; + t->master_client_transport = TRUE; + + transport_add (&t->transport); + transport_reference (&t->transport); + t->transport.flags |= TRANSPORT_LISTEN; +} + +void +gdoi_app_remove (struct transport *t) +{ + free (t); +} + +static void +gdoi_app_report (struct transport *t) +{ + log_print ("gdoi_app_report: Got Here!"); +} + +/* + * Set transport T's socket in FDS, return a value useable by select(2) + * as the number of file descriptors to check. 
+ */ +static int +gdoi_app_fd_set (struct transport *t, fd_set *fds, int bit) +{ + struct gdoi_app_transport *u = (struct gdoi_app_transport *)t; + + if (bit) + FD_SET (u->s, fds); + else { + /* + * Hack! Asssume both sockets need to be cleared. + * BEW: But this code doesn't seem to be getting called when the pipe is + * closed .... need to diagnose. + */ + log_print ("gdoi_app_fd_set: Clearing sockets."); + FD_CLR (u->s, fds); + FD_CLR (u->return_s, fds); + } + + return u->s + 1; +} + +/* Check if transport T's socket is set in FDS. */ +static int +gdoi_app_fd_isset (struct transport *t, fd_set *fds) +{ + struct gdoi_app_transport *u = (struct gdoi_app_transport *)t; + + return FD_ISSET (u->s, fds); +} + +int gdoi_app_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *arg) +{ + struct gdoi_app_group_info_type *ptr = + (struct gdoi_app_group_info_type *) arg; + + switch (type) + { + case GDOI_CLIENT_ATTR_GROUP_ID: + ptr->group_id = htonl(decode_32(value)); + break; + case GDOI_CLIENT_ATTR_GROUP_ADDRESS: + if (len < 7) { /* Largest address is MAC address (6 octets) */ + memcpy(ptr->address, value, len); + ptr->address[len] = 0; /* Terminate the string */ + } else { + log_print ("gdoi_app_decode_attribute: Bad address length %d\n", len); + return -1; + } + break; + case GDOI_CLIENT_ATTR_RETURN_PIPE: + memcpy(ptr->pipe_name, value, len); + ptr->pipe_name[len] = 0; /* Terminate the string */ + break; + default: + log_print ("gdoi_app_decode_attribute: Attribute not valid: %d", + type); + return -1; + } + +return 0; + +} +extern LIST_HEAD (transport_list, transport) transport_list; + +struct gdoi_app_transport * +gdoi_app_transport_search (int gid) +{ + struct transport *t; + struct gdoi_app_transport *u; + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) { + if (t->flags & TRANSPORT_LISTEN) { + /* + * Restrict the search to GDOI application transports. + * NOTE: This logic only allows on application client per group. 
+ */ + if (!strcmp(t->vtbl->name, gdoi_app_transport_vtbl.name)) { + u = (struct gdoi_app_transport *)t; + if (gid == u->gdoi_app_group_info.group_id) { + /* + * Got it! + */ + return u; + } + } + } + } + return NULL; +} + +/* + * For now, just stuff the info into a global struct. We can't yet + * correlate an incoming msg with a finished GDOI session anyway, so + * have to restrict ourselves to one connection at a time. + */ +int +gdoi_app_parse_msg (char *msg, int msg_len, struct gdoi_app_transport *u) +{ + struct cmd_header *hdr = (struct cmd_header *)msg; + + /* + * Sanity check the header + */ + if (hdr->version != 1) + { + log_error("App header unsupported version: %d\n", hdr->version); + return -1; + } + u->gdoi_app_group_info.hdr.version = hdr->version; + if (hdr->command != COMMAND_REQUEST) + { + log_error("App header unsupported command: %d\n", hdr->command); + return -1; + } + u->gdoi_app_group_info.hdr.command = hdr->command; + u->gdoi_app_group_info.hdr.app_proto = hdr->app_proto; + u->gdoi_app_group_info.hdr.sequence = hdr->sequence; + u->gdoi_app_group_info.hdr.pid = hdr->pid; + + attribute_map (((u_int8_t *)msg + sizeof(struct cmd_header)), + (msg_len - sizeof(struct cmd_header)), + gdoi_app_decode_attribute, + &u->gdoi_app_group_info); + return 0; +} + +int +connect_to_client (char *out_fn) +{ + int s, ret; + struct sockaddr_un pipe; + + s = socket (AF_LOCAL, SOCK_STREAM, 0); + if (s < 0) + { + log_error("socket open failed"); + return -1; + } + + + bzero(&pipe, sizeof(struct sockaddr_un)); + pipe.sun_family = AF_LOCAL; + strncpy(pipe.sun_path, out_fn, sizeof(pipe.sun_path)-1); + + ret = connect(s, (struct sockaddr *) &pipe, sizeof(pipe)); + if (ret < 0) + { + log_error("connect failed: %s\n", out_fn); + return -1; + } + + return s; +} + +/* + * Clone a listen transport U, record a destination RADDR for outbound use. 
+ */ +static struct transport * +group_app_clone (struct gdoi_app_transport *u, int new_socket) +{ + struct transport *t; + struct gdoi_app_transport *u2; + + t = malloc (sizeof *u); + if (!t) + { + log_error ("group_app_clone: malloc (%d) failed", sizeof *u); + return 0; + } + u2 = (struct gdoi_app_transport *)t; + + memcpy (u2, u, sizeof *u); + u2->s = new_socket; + u2->master_client_transport = FALSE; + + transport_add (t); + + t->flags |= TRANSPORT_LISTEN; + + return t; +} + + +/* + * A message has arrived on transport T's socket. If T is single-ended, + * clone it into a double-ended transport which we will use from now on. + * Package the message as we want it and continue processing in the message + * module. + */ +static void +gdoi_app_handle_message (struct transport *t) +{ + struct gdoi_app_transport *u = (struct gdoi_app_transport *)t; + struct transport *client_t; + struct gdoi_app_transport *client_u; + struct sockaddr_un from; + int from_len = sizeof(from); + struct message *msg; + struct msghdr sock_msg; + struct iovec iov[1]; + int c; + char data_in[80]; + char name[80]; + int ret, count; + struct cmd_header *hdr; + + if (u->master_client_transport) + { + /* + * Do accepts on this one. + * + * Accept happens after the select has woken. + * Only do this is this is a new connection on the listening socket. + */ + c = accept(u->s, (struct sockaddr *) &from, (socklen_t *)&from_len); + if (c < 0) + { + log_error ("gdoi_app_handle_message: accept failed"); + return; + } + /* + * Make a specialized GDOI Application transport structure out of the + * incoming transport. + */ + client_t = group_app_clone (u, c); + if (!client_t) + { + log_error("gdoi_app_handle_message: group_app_clone failed"); + return; + } + client_u = (struct gdoi_app_transport *)client_t; + } else { + client_t = t; + client_u = u; + c = u->s; + } + + /* + * Read and process the message. 
+ */ + sock_msg.msg_name = NULL; + sock_msg.msg_namelen = 0; + sock_msg.msg_control = 0; + sock_msg.msg_controllen = 0; + iov[0].iov_base = data_in; + iov[0].iov_len = 80; + sock_msg.msg_iov = iov; + sock_msg.msg_iovlen = 1; + + count = recvmsg (c, &sock_msg, 0); + if (count < 0) + { + log_error("gdoi_app_handle_message: recvmsg failed"); + return; + } + if (count == 0) + { + /* + * Assume the problem comes from the transmit pipe closing down. + */ + log_print("gdoi_app_handle_message: " + "app pipe assumed closed. Deleting pipes to/from client"); + ret = close(client_u->s); + if (ret < 0) + { + log_error("gdoi_app_handle_message: close of s failed"); + } + ret = close(client_u->return_s); + if (ret < 0) + { + log_error("gdoi_app_handle_message: close of return_s failed"); + } + transport_release(client_t); + return; + } + + ret = gdoi_app_parse_msg (data_in, count, client_u); + if (ret < 0) + { + return; + } + + if (u->master_client_transport) + { + /* + * If we just created this transport, connect back to the client. + */ + client_u->return_s = + connect_to_client(&client_u->gdoi_app_group_info.pipe_name[0]); + if (client_u->return_s< 0) + { + log_error("gdoi_app_handle_message: connect_to_client failed"); + return; + } + client_u->listening_socket_only = FALSE; + } + + msg = message_alloc (client_t, (u_int8_t *)data_in, count); + if (!msg) + { + log_error("message_alloc failed"); + return; + } + + /* + * Kick off IKE based on the group-id passed in the message using msg. + * + * HACK! Require a policy named "Group-XXXXX" where XXXXX is the number + * of the group. This makes it easy to find the right phase 1 to kick off. + * We need to first parse the message to find the group id. + * + * BUG: We should handle re-transmissions gracefully. E.g., don't force a + * re-registration if one is already in progress. 
+ */ + sprintf(name, "Group-%d", client_u->gdoi_app_group_info.group_id); + hdr = malloc(sizeof(struct cmd_header)); + if (!hdr) { + log_error("gdoi_app_handle_message: failed to allocated hdr bytes"); + return; + } + hdr->pid = client_u->gdoi_app_group_info.hdr.pid; + hdr->sequence = client_u->gdoi_app_group_info.hdr.sequence; + + log_print ("gdoi_app_handle_message: Starting exchange %s", name); + exchange_establish(name, 0, 0); +} + +/* + * Deliver the application data back to the correct application. + */ +int +gdoi_app_deliver_app_data (u_int32_t type, struct sa *sa) +{ + u_int8_t *attr_start, *attr; + char *buf; + struct cmd_header *hdr; + struct gdoi_app_transport *client_u; + struct proto *proto; + int buf_len; + int ret; + int gid; + + proto = TAILQ_FIRST (&sa->protos); + if (!proto) + { + log_error ("gdoi_app_deliver_app_data: Application SA proto data missing"); + return -1; + } + + /* + * Find the first transport asking for key info for this group using the + * special group name semantic. This is to deal with the HACK! in + * gdoi_app_handle_message(). + */ + if (strncmp(sa->name, "Group-", 6)) + { + log_error ("gdoi_app_deliver_app_data: Invalid group name: %s\n", + sa->name); + return -1; + } + sscanf(sa->name, "Group-%d", &gid); + client_u = gdoi_app_transport_search(gid); + if (!client_u) + { + log_error ("gdoi_app_deliver_app_data: No transport found for " + "group id %d\n", gid); + return -1; + } + + if (type != client_u->gdoi_app_group_info.hdr.app_proto) { + log_error ("gdoi_app_deliver_app_data: Protocol mismatch! " + "Expected:%d, Given by upper layer::%d\n", + client_u->gdoi_app_group_info.hdr.app_proto, type); + return -1; + } + + if (!(void *)proto->data) + { + log_error ("gdoi_app_deliver_app_data: Application SA TEK data missing"); + return -1; + } + + /* + * Allocate a block for building attributes. It's sized large enough + * so that we think it will avoid buffer overflows.... 
+ */ + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr_start) + { + log_error ("gdoi_app_deliver_app_data: malloc failed"); + return -1; + } + + /* + * Call an Application-specific function to fill in the rest of the + * attributes. + */ + switch (type) { +#ifdef SRTP_SUPPORT + case GDOI_PROTO_SRTP: + attr = gdoi_srtp_add_attributes(attr, sa); + break; +#endif +#ifdef IEC90_5_SUPPORT + case GDOI_PROTO_IEC90_5: + attr = gdoi_iec90_5_add_attributes(attr, sa); + break; +#endif + default: + log_error ("gdoi_app_deliver_app_data: No attribute support for " + "protocol %d", type); + return -1; + } + + /* + * Format the return message. Copy many of the fields from the originating + * header to ensure they are the same. + */ + buf_len = sizeof(struct cmd_header) + (attr - attr_start); + buf = malloc(buf_len); + + hdr = (struct cmd_header *) buf; + hdr->version = client_u->gdoi_app_group_info.hdr.version; + hdr->command = COMMAND_REPLY; + hdr->app_proto = type; + hdr->sequence = client_u->gdoi_app_group_info.hdr.sequence; + hdr->pid = client_u->gdoi_app_group_info.hdr.pid; + hdr->ret_errno = 0; + + memcpy(buf + sizeof(struct cmd_header), attr_start, (attr - attr_start)); + + free(attr_start); + /* + * Send the message. + */ + ret = send(client_u->return_s, buf, buf_len, 0); + if (ret < 0) + { + log_error ("gdoi_app_deliver_app_data: send failed"); + return -1; + } + + return 0; +} diff --git a/src/gdoi_app_client.h b/src/gdoi_app_client.h new file mode 100644 index 0000000..ea8b0fe --- /dev/null +++ b/src/gdoi_app_client.h 
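Review bot: The request path in this file trusts lengths that come from the connecting application: in `gdoi_app_decode_attribute` the `GDOI_CLIENT_ATTR_RETURN_PIPE` case copies `len` bytes into the 80-byte `pipe_name` and then writes `pipe_name[len]`, and the `GDOI_CLIENT_ATTR_GROUP_ID` case calls `decode_32` without checking `len`. `gdoi_app_parse_msg` reads the header and computes `msg_len - sizeof(struct cmd_header)` without checking that `recvmsg` delivered a whole header, so a short message makes that size wrap before it reaches `attribute_map`, and the result of `attribute_map` is discarded, so a rejected attribute still lets the exchange proceed. Whether `attribute_map` itself bounds each attribute against the buffer is not visible in this hunk, and the fence below assumes it returns a negative value when the callback fails. Because `gdoi_app_deliver_app_data` later sends the SA attributes to whatever return pipe the request named, and the listening socket is created at a fixed `/tmp` path under `umask(0044)`, I would also verify the peer's credentials after `accept` before acting on the request.

```c
/* gdoi_app_decode_attribute */
    case GDOI_CLIENT_ATTR_GROUP_ID:
      if (len < 4)
        {
          log_print ("gdoi_app_decode_attribute: Bad group id length %d", len);
          return -1;
        }
      ptr->group_id = htonl(decode_32(value));
      break;
    /* ... unchanged: GDOI_CLIENT_ATTR_GROUP_ADDRESS case ... */
    case GDOI_CLIENT_ATTR_RETURN_PIPE:
      if (len >= sizeof ptr->pipe_name)
        {
          log_print ("gdoi_app_decode_attribute: Bad pipe name length %d", len);
          return -1;
        }
      memcpy(ptr->pipe_name, value, len);
      /* ... unchanged: terminator, break, default case ... */

/* gdoi_app_parse_msg, before the header fields are read */
  if (msg_len < (int) sizeof(struct cmd_header))
    {
      log_print ("gdoi_app_parse_msg: short message (%d bytes)", msg_len);
      return -1;
    }
  /* ... unchanged: version and command checks, header copy ... */
  if (attribute_map (((u_int8_t *)msg + sizeof(struct cmd_header)),
                     (msg_len - sizeof(struct cmd_header)),
                     gdoi_app_decode_attribute,
                     &u->gdoi_app_group_info) < 0)
    return -1;
  return 0;
```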
@@ -0,0 +1,80 @@
+/* $Id: gdoi_app_client.h,v 1.1.4.3 2011/12/12 20:43:47 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_app_client.h,v $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+/*
+ * gdoi_app_client.h - Socket defintions for communication with GDOI
+ * applications.
+ */
+
+struct cmd_header {
+ short version;
+ short command;
+#define COMMAND_REPLY 3
+#define COMMAND_REQUEST 5
+ u_int32_t app_proto;
+ int ret_errno;
+ int sequence;
+ int pid;
+};
+
+extern void gdoi_app_client_init(void);
+extern int gdoi_app_deliver_app_data(u_int32_t, struct sa *);
diff --git a/src/gdoi_app_iec90_5_attr.h b/src/gdoi_app_iec90_5_attr.h
new file mode 100644
index 0000000..fda2429
--- /dev/null
+++ b/src/gdoi_app_iec90_5_attr.h
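Review bot: The new header gdoi_app_client.h has no include guard and uses `u_int32_t` and `struct sa` without declaring them, so it only compiles cleanly when the includer has already pulled in the right headers; without a prior declaration the `struct sa *` in the `gdoi_app_deliver_app_data` prototype gets prototype scope. `struct cmd_header` is also the byte layout written to the application socket (the reply path in gdoi_app_client.c casts a buffer to it and passes it to `send()`), yet its fields are `short` and `int`, so the format follows the compiler's ABI rather than a stated one; fixed-width fields such as `u_int16_t version; u_int16_t command;` and `int32_t` for the remaining three would pin it. I would wrap the file in a guard (suggested name) `#ifndef GDOI_APP_CLIENT_H` / `#define GDOI_APP_CLIENT_H` / `#endif`, add a forward declaration `struct sa;` before the prototypes, and correct "defintions" in the file comment.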
@@ -0,0 +1,77 @@
+/* $Id: gdoi_app_iec90_5_attr.h,v 1.1.2.1 2011/12/12 20:43:47 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_app_iec90_5_attr.h,v $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+/*
+ * SRTP COMMAND_GET Attributes
+ *
+ * Used for passing TEK attributes and in betweeen GDOI and the GDOI app
+ * Attributes based on draft-baugher-msec-gdoi-srtp-00.txt.
+ *
+ * Attributes must be in range 1-99.
+ */
+
+#define IEC90_5_OID 1
+#define IEC90_5_LIFETIME_SECS 2
+#define IEC90_5_KEYID 3
+#define IEC90_5_AUTH_ALG 4
+#define IEC90_5_AUTH_KEY_SIZE 5
+#define IEC90_5_AUTH_KEY 6
diff --git a/src/gdoi_app_num.cst b/src/gdoi_app_num.cst
new file mode 100644
index 0000000..33c36da
--- /dev/null
+++ b/src/gdoi_app_num.cst
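Review bot: The file comment above the `IEC90_5_*` defines in gdoi_app_iec90_5_attr.h still describes the SRTP header it appears to have been copied from: it is titled "SRTP COMMAND_GET Attributes" and cites draft-baugher-msec-gdoi-srtp-00.txt, which a maintainer working on IEC 90-5 key delivery would take at face value. I would retitle it, for example `* IEC90-5 TEK attributes passed between GDOI and the GDOI application`, drop or replace the SRTP draft reference, and fix "in betweeen". Because `IEC90_5_AUTH_KEY` tags the authentication key itself on its way to the application, one comment line on that define saying so, such as `/* value is raw key material; never log it */`, would help whoever writes the consumer. The header also has no include guard.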
@@ -0,0 +1,76 @@
+# $Id: gdoi_app_num.cst,v 1.1.4.3 2011/12/12 20:43:47 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_app_num.cst,v $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2001 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+# This product includes software developed by Ericsson Radio Systems.
+#
+
+# GDOI APPLICATION SA attributes
+# GENERIC ATTRIBUTES COMMON TO ALL APPS
+GDOI_CLIENT_ATTR
+ GROUP_ID 101
+ RETURN_PIPE 102
+ GROUP_ADDRESS 103
+.
+
+# Values in this list must be mutually exclusive to the IPSEC_PROTO list in
+# ipsec_num.cst.
+GDOI_PROTO
+ SRTP 100
+ IEC90_5 101
+.
diff --git a/src/gdoi_doi.c b/src/gdoi_doi.c
new file mode 100644
index 0000000..cdd530e
--- /dev/null
+++ b/src/gdoi_doi.c
@@ -0,0 +1,1213 @@
+/* $Id: gdoi_doi.c,v 1.13.2.3 2011/12/12 20:43:47 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_doi.c,v $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
+#include
+#include
+#include
+#include
+
+#include "sysdep.h"
+#include "conf.h"
+#include "doi.h"
+#include "crypto.h"
+#include "hash.h"
+#include "ike_aggressive.h"
+#include "gdoi_fld.h"
+#include "gdoi_num.h"
+#include "ipsec_num.h"
+#include "exchange.h"
+#include "ike_main_mode.h"
+#include "ike_auth.h"
+#include "gdoi_phase2.h"
+#include "gdoi.h"
+#include "log.h"
+#include "message.h"
+#include "sa.h"
+#include "util.h"
+#include "transport.h"
+#include "udp.h"
+#include "ipsec.h"
+#ifdef GDOI_APP_SUPPORT
+#include "gdoi_app_client.h"
+#include "gdoi_app_num.h"
+#endif
+#ifdef IEC90_5_SUPPORT
+#include "gdoi_iec90_5_protos.h"
+#endif
+
+static int gdoi_debug_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
+static void gdoi_delete_spi (struct sa *, struct proto *, int);
+static u_int16_t *gdoi_exchange_script (u_int8_t);
+static void gdoi_finalize_exchange (struct message *);
+static void gdoi_free_exchange_data (void *);
+static void gdoi_free_proto_data (void *);
+static void gdoi_free_sa_data (void *);
+static struct keystate *gdoi_get_keystate (struct message *);
+static u_int8_t *gdoi_get_spi (size_t *, u_int8_t, struct message *);
+int gdoi_handle_leftover_payload (struct message *, u_int8_t, struct payload *);
+static int gdoi_informational_post_hook (struct message *);
+static int gdoi_informational_pre_hook (struct message *);
+void gdoi_proto_init (struct proto *, char *);
+static int gdoi_initiator (struct message *);
+static int gdoi_responder (struct message *);
+static void gdoi_setup_situation (u_int8_t *);
+static size_t gdoi_situation_size (void);
+static u_int8_t gdoi_spi_size (u_int8_t);
+static int gdoi_validate_attribute (u_int16_t, u_int8_t *, u_int16_t,
+ void *);
+static int gdoi_validate_exchange (u_int8_t);
+static int gdoi_validate_id_information (u_int8_t, u_int8_t *, u_int8_t *,
+ size_t, struct exchange *);
+static int gdoi_validate_key_information (u_int8_t *, size_t);
+static int gdoi_validate_notification
(u_int16_t);
+static int gdoi_validate_proto (u_int8_t);
+static int gdoi_is_attribute_incompatible (u_int16_t, u_int8_t *, u_int16_t,
+ void *);
+static int gdoi_validate_situation (u_int8_t *, size_t *);
+static int gdoi_validate_transform_id (u_int8_t, u_int8_t);
+static void gdoi_postprocess_sa (struct sa *);
+
+static struct doi gdoi_doi = {
+ { 0 }, GROUP_DOI_GDOI,
+ sizeof (struct gdoi_exch),
+ sizeof (struct ipsec_sa),
+ sizeof (struct ipsec_proto),
+#ifdef USE_DEBUG
+ gdoi_debug_attribute,
+#endif
+ gdoi_delete_spi,
+ gdoi_exchange_script,
+ gdoi_finalize_exchange,
+ gdoi_free_exchange_data,
+ gdoi_free_proto_data,
+ gdoi_free_sa_data,
+ gdoi_get_keystate,
+ gdoi_get_spi,
+ gdoi_handle_leftover_payload,
+ gdoi_informational_post_hook,
+ gdoi_informational_pre_hook,
+ gdoi_is_attribute_incompatible,
+ gdoi_proto_init,
+ gdoi_setup_situation,
+ gdoi_situation_size,
+ gdoi_spi_size,
+ gdoi_validate_attribute,
+ gdoi_validate_exchange,
+ gdoi_validate_id_information,
+ gdoi_validate_key_information,
+ gdoi_validate_notification,
+ gdoi_validate_proto,
+ gdoi_validate_situation,
+ gdoi_validate_transform_id,
+ gdoi_initiator,
+ gdoi_responder,
+ ipsec_decode_ids,
+ gdoi_postprocess_sa
+};
+
+/*
+ * Only mandatory payloads are specified.
+ */
+u_int16_t script_gdoi_registration[] = {
+ ISAKMP_PAYLOAD_HASH, /* Group member -> GCKS */
+ ISAKMP_PAYLOAD_NONCE,
+ ISAKMP_PAYLOAD_ID,
+ EXCHANGE_SCRIPT_SWITCH,
+ ISAKMP_PAYLOAD_HASH, /* GCCK -> Group member */
+ ISAKMP_PAYLOAD_NONCE,
+ ISAKMP_PAYLOAD_SA,
+ EXCHANGE_SCRIPT_SWITCH,
+ ISAKMP_PAYLOAD_HASH, /* Group member -> GCKS */
+ EXCHANGE_SCRIPT_SWITCH,
+ ISAKMP_PAYLOAD_HASH, /* GCCK -> Group member */
+ ISAKMP_PAYLOAD_KD,
+ EXCHANGE_SCRIPT_END
+};
+
+u_int16_t script_gdoi_rekey[] = {
+ ISAKMP_PAYLOAD_SEQ, /* GCKS -> Group member */
+ ISAKMP_PAYLOAD_SIG,
+ EXCHANGE_SCRIPT_END
+};
+
+
+struct transport *gdoi_set_spi_transport;
+
+/* Requires doi_init to already have been called.
*/
+void
+gdoi_init ()
+{
+ doi_register (&gdoi_doi);
+
+ gdoi_rekey_init();
+
+ gdoi_phase2_init();
+
+ /*
+ * Create a transport structure to use termporily to install SPIs into the
+ * kernel. We need this because the SA src/dst don't come already associated
+ * with the SA transport, as in IKE.
+ */
+ gdoi_set_spi_transport = transport_create ("rekey_udp", "GDOI-SET-SPI");
+ if (!gdoi_set_spi_transport)
+ {
+ log_error ("gdoi_init: Error: couldn't create GDOI-SET-SPI transport");
+ return;
+ }
+
+#ifdef GDOI_APP_SUPPORT
+ /*
+ * Start the application listening pipe, if it is configured.
+ */
+
+ if (conf_get_str ("General", "GDOI-application-client-support"))
+ {
+ gdoi_app_client_init();
+ }
+#endif
+}
+
+/*
+ * Check that a received message on a GDOI exchange is valid.
+ */
+int
+gdoi_validate_gdoi_exchange_special (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct doi *doi = exchange->doi;
+ struct gdoi_kek *stored_kek;
+
+ if (doi->id != GROUP_DOI_GDOI)
+ {
+ log_print ("gdoi_validate_gdoi_exchange_special: "
+ "Not a GDOI exchange. Aborting.");
+ return -1;
+ }
+
+ if (exchange->type == GDOI_EXCH_PUSH_MODE)
+ {
+ stored_kek = gdoi_get_kek_by_cookies(exchange->cookies);
+ if (!stored_kek)
+ {
+ log_print ("gdoi_validate_gdoi_exchange_special: "
+ "No cookies found for GDOI rekey. Aborting.");
+ return -1;
+ }
+ /*
+ * Verify that the receiver isn't a key server receiving a rekey
+ * message.
+ */
+ if (stored_kek->send_exchange == exchange)
+ {
+ log_print ("gdoi_validate_gdoi_exchange_special: "
+ "Key server should not be receiving messages on "
+ "the rekey SA! Aborting.");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+#ifdef USE_DEBUG
+int
+gdoi_debug_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
+{
+ /* XXX Not implemented yet. */
+ return 0;
+}
+#endif
+
+/*
+ * Delete the IPSec SA represented by the INCOMING direction in protocol PROTO
+ * of the IKE security association SA.
+ */
+static void
+gdoi_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+ struct udp_transport *u;
+#ifdef USE_DEBUG
+ struct ipsec_sa *isa = (struct ipsec_sa *)sa->data;
+#endif
+
+ if (sa->phase == 1)
+ return;
+
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_delete_spi: Asked to delete SPI for src %x %x dst %x %x",
+ ntohl (isa->src_net), ntohl (isa->src_mask),
+ ntohl (isa->dst_net), ntohl (isa->dst_mask)));
+
+ sa->transport = gdoi_set_spi_transport;
+ u = (struct udp_transport *) sa->transport;
+ u->src.sin_family = AF_INET;
+ u->src.sin_addr.s_addr = isa->src_net;
+ u->dst.sin_family = AF_INET;
+ u->dst.sin_addr.s_addr = isa->dst_net;
+
+ sysdep_ipsec_delete_spi (sa, proto, incoming);
+
+ sa->transport = NULL;
+
+ return;
+}
+
+/* Return exchange script based on TYPE. */
+static u_int16_t *
+gdoi_exchange_script (u_int8_t type)
+{
+ switch (type)
+ {
+ case GDOI_EXCH_PULL_MODE:
+ return script_gdoi_registration;
+ case GDOI_EXCH_PUSH_MODE:
+ return script_gdoi_rekey;
+ }
+ return 0;
+}
+
+void
+gdoi_ipsec_deliver_keys (struct message *msg, struct sa *sa)
+{
+ struct proto *proto;
+ struct ipsec_sa *isa = (struct ipsec_sa *)sa->data;
+ struct udp_transport *u;
+
+ struct sa *isakmp_sa;
+
+ proto = TAILQ_FIRST (&sa->protos);
+ if (!proto)
+ {
+ log_error ("gdoi_ipsec_deliver_keys: IPsec SA proto data missing");
+ return;
+ }
+
+ /*
+ * Add a transport to the SA for the purposes of setting the SPI.
+ */
+ sa->transport = gdoi_set_spi_transport;
+ u = (struct udp_transport *) sa->transport;
+ /*
+ * Assume IPv4
+ * BEW: Should be passing the mask to the PF_KEY code so that it can
+ * put it in sadb_address_prefixlen!
+ */
+ u->src.sin_addr.s_addr = isa->src_net;
+ u->src.sin_family = AF_INET;
+ u->dst.sin_addr.s_addr = isa->dst_net;
+ u->dst.sin_family = AF_INET;
+ if (sysdep_ipsec_set_spi (sa, proto, 0))
+ {
+ sa->transport = NULL;
+ log_error ("gdoi_ipsec_deliver_keys: "
+ "sysdep_ipsec_set_spi failed (out)");
+ return;
+ }
+
+ /*
+ * sysdep_ipsec_enable_sa() uses the id's in the isakmp_sa, which isn't
+ * correct for GDOI -- those id's (key server, client) have nothing to do
+ * with the group SAs. We need to carefully craft a useful isakmp_sa.
+ */
+ isakmp_sa = malloc(sizeof(struct sa));
+ if (!isakmp_sa) {
+ sa->transport = NULL;
+ log_error ("gdoi_ipsec_deliver_keys: malloc (%d) failed",
+ sizeof(struct sa));
+ return;
+ }
+
+ /*
+ * Setup an isamp_sa with NULL id_i and id_r fields.
+ */
+ isakmp_sa->id_i = NULL;
+ isakmp_sa->id_r = NULL;
+ if (sysdep_ipsec_enable_sa (sa, isakmp_sa))
+ {
+ log_error ("gdoi_ipsec_deliver_keys: "
+ "sysdep_ipsec_enable_sa failed (out)");
+ goto clean_up;
+ }
+
+ sa->transport = NULL;
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_ipsec_deliver_keys: src %x %x dst %x %x",
+ ntohl (isa->src_net), ntohl (isa->src_mask),
+ ntohl (isa->dst_net), ntohl (isa->dst_mask)));
+
+clean_up:
+
+ sa->transport = NULL;
+ if (isakmp_sa->id_i)
+ free(isakmp_sa->id_i);
+ if (isakmp_sa->id_r)
+ free(isakmp_sa->id_r);
+ free(isakmp_sa);
+
+ return;
+}
+
+static void
+gdoi_install_sas (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ struct sa *sa = 0, *old_sa;
+
+ /*
+ * If this is the client side (initiator of the exchange), tell
+ * the application(s) about the SPIs and key material.
+ */
+ for (sa = TAILQ_FIRST (&exchange->sa_list); sa;
+ sa = TAILQ_NEXT (sa, next))
+ {
+ if (!sa->data)
+ {
+ log_print ("gdoi_install_sas: "
+ "SA DOI specific data missing");
+ return;
+ }
+ switch (ie->teks_type)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ gdoi_ipsec_deliver_keys(msg, sa);
+ break;
+#ifdef IEC90_5_SUPPORT
+ case GDOI_TEK_PROT_PROTO_IEC90_5:
+ gdoi_app_deliver_app_data(GDOI_PROTO_IEC90_5, sa);
+ break;
+#endif
+#ifdef SRTP_SUPPORT
+ case GDOI_TEK_PROT_PROTO_SRTP:
+ gdoi_app_deliver_app_data(GDOI_PROTO_SRTP, sa);
+ break;
+#endif
+ default:
+ log_print ("gdoi_install_sas: "
+ "Unsupported TEK type: %d", ie->teks_type);
+ return;
+ }
+
+ /* Mark elder SAs with the same flow info as replaced. */
+ while ((old_sa = sa_find (ipsec_sa_check_flow, sa)) != 0)
+ {
+ sa_mark_replaced (old_sa);
+ }
+ }
+}
+
+/*
+ * Convert the unsigned LEN-sized number at BUF of network byteorder to a
+ * 32-bit unsigned integer of host byteorder pointed to by VAL.
+ */
+static int
+extract_val (u_int8_t *buf, size_t len, u_int32_t *val)
+{
+ switch (len)
+ {
+ case 1:
+ *val = *buf;
+ break;
+ case 2:
+ *val = decode_16 (buf);
+ break;
+ case 4:
+ *val = decode_32 (buf);
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * return a group ID for displaying in a debug message.
+ *
+ * WARNING: The string comes from a static location, so mustn't be
+ * stored anywhere!
+ */
+u_int8_t *
+gdoi_display_group_id (char *id)
+{
+ static u_int8_t id_str[20];
+ int type = GET_ISAKMP_ID_TYPE((u_int8_t *)id);
+ u_int32_t value;
+
+ strncpy((char *)id_str, "UNKNOWN", 8);
+ switch (type)
+ {
+ case IPSEC_ID_KEY_ID:
+ /* Assume Group ID is a 32-bit number */
+ extract_val((u_int8_t *)id + ISAKMP_ID_DATA_OFF, 4, &value);
+ sprintf((char *)id_str, "%d", value);
+ break;
+ default:
+ log_print ("gdoi_display_group_id: unsupported identity type %d", type);
+ break;
+ }
+ return id_str;
+}
+
+/*
+ * Do GDOI specific finalizations task for the exchange where MSG was
+ * the final message.
+ */
+static void
+gdoi_finalize_exchange (struct message *msg)
+{
+ struct sa *isakmp_sa, *sa;
+ struct ipsec_sa *isa;
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ struct gdoi_kek *kek;
+
+ switch (exchange->phase)
+ {
+ case 1:
+ switch (exchange->type)
+ {
+ case ISAKMP_EXCH_ID_PROT:
+ case ISAKMP_EXCH_AGGRESSIVE:
+ isakmp_sa = msg->isakmp_sa;
+ isa = isakmp_sa->data;
+ isa->hash = ie->hash->type;
+ isa->prf_type = ie->prf_type;
+ isa->skeyid_len = ie->skeyid_len;
+ isa->skeyid_d = ie->skeyid_d;
+ isa->skeyid_a = ie->skeyid_a;
+ /* Prevents early free of SKEYID_*. */
+ ie->skeyid_a = ie->skeyid_d = 0;
+
+ /* If a lifetime was negotiated setup the expiration timers. */
+ if (isakmp_sa->seconds)
+ sa_setup_expirations (isakmp_sa);
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: DONE WITH PHASE 1!!!\n"));
+ break;
+ case GDOI_EXCH_PUSH_MODE:
+ if (exchange->initiator)
+ {
+ /*
+ * Setup SA expirations.
+ */
+ for (sa = TAILQ_FIRST (&exchange->sa_list); sa;
+ sa = TAILQ_NEXT (sa, next))
+ {
+ if (sa->seconds && !sa->death)
+ {
+ sa_setup_expirations (sa);
+ }
+ }
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: "
+ "DONE WITH REKEY (SEND): Group %s!!!\n",
+ gdoi_display_group_id((char *)ie->id_gdoi)));
+ }
+ else
+ {
+ /*
+ * Let the lower layer code setup the expirations (e.g., pf-key
+ * handing code for IPSec.)
+ */
+ gdoi_install_sas (msg);
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: DONE WITH REKEY (RECEIVE)!!!\n"));
+ }
+ break;
+ default:
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: Invalid exchange for phase 1 (%d)",
+ exchange->type));
+ }
+ break;
+
+ case 2:
+ switch (exchange->type)
+ {
+ case GDOI_EXCH_PULL_MODE:
+ if (exchange->initiator)
+ {
+ gdoi_install_sas (msg);
+ }
+ else
+ {
+ /*
+ * Setup SA expirations.
+ *
+ * If the SA list for the exchange is empty, then the SAs
+ * are on the rekey list.
+ */
+ sa = TAILQ_FIRST (&exchange->sa_list);
+ if (!sa)
+ {
+ kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0);
+ if (!kek)
+ {
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: "
+ "No KEK found! \n"));
+ return;
+ }
+ sa = TAILQ_FIRST (&kek->send_exchange->sa_list);
+ if (!sa)
+ {
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: "
+ "No SAs found! \n"));
+ return;
+ }
+ }
+ while (sa)
+ {
+ if (sa->seconds && !sa->death)
+ {
+ sa_setup_expirations (sa);
+ }
+ sa = TAILQ_NEXT (sa, next);
+ }
+ }
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: DONE WITH PHASE 2!!!\n"));
+ break;
+ default:
+ LOG_DBG ((LOG_EXCHANGE, 50,
+ "gdoi_finalize_exchange: Invalid exchange for phase 2 (%d)",
+ exchange->type));
+ }
+ }
+}
+
+/* Free the DOI-specific exchange data pointed to by VIE. */
+static void
+gdoi_free_exchange_data (void *vie)
+{
+ return;
+}
+
+/* Free the DOI-specific protocol data of an SA pointed to by VIPROTO.
*/ +static void +gdoi_free_proto_data (void *viproto) +{ + return; +} + +/* Free the DOI-specific SA data pointed to by VISA. */ +static void +gdoi_free_sa_data (void *visa) +{ + struct ipsec_sa *isa = visa; + + if (isa->skeyid_a) + free (isa->skeyid_a); + if (isa->skeyid_d) + free (isa->skeyid_d); +} + +static struct keystate * +gdoi_get_keystate (struct message *msg) +{ + struct keystate *ks; + struct hash *hash; + + /* If we have already have an IV, use it. */ + if (msg->exchange && msg->exchange->keystate) + { + ks = malloc (sizeof *ks); + if (!ks) + { + log_error ("gdoi_get_keystate: malloc (%d) failed", sizeof *ks); + return 0; + } + memcpy (ks, msg->exchange->keystate, sizeof *ks); + return ks; + } + + /* + * For phase 2 when no SA yet is setup we need to hash the IV used by + * the ISAKMP SA concatenated with the message ID, and use that as an + * IV for further cryptographic operations. + */ + ks = crypto_clone_keystate (msg->isakmp_sa->keystate); + if (!ks) + return 0; + + hash = hash_get (((struct ipsec_sa *)msg->isakmp_sa->data)->hash); + hash->Init (hash->ctx); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "gdoi_get_keystate: final phase 1 IV", + ks->riv, ks->xf->blocksize)); + hash->Update (hash->ctx, ks->riv, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "gdoi_get_keystate: message ID", + ((u_int8_t *)msg->iov[0].iov_base) + + ISAKMP_HDR_MESSAGE_ID_OFF, + ISAKMP_HDR_MESSAGE_ID_LEN)); + hash->Update (hash->ctx, + ((u_int8_t *)msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF, + ISAKMP_HDR_MESSAGE_ID_LEN); + hash->Final ((u_int8_t *)hash->digest, hash->ctx); + crypto_init_iv (ks, (u_int8_t *)hash->digest, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "gdoi_get_keystate: phase 2 IV", + (u_int8_t *)hash->digest, ks->xf->blocksize)); + return ks; +} + +/* + * Get a SPI for PROTO and the transport MSG passed over. Store the + * size where SZ points. NB! A zero return is OK if *SZ is zero. 
+ */
+static u_int8_t *
+gdoi_get_spi (size_t *sz, u_int8_t proto, struct message *msg)
+{
+ if (msg->exchange->phase == 1)
+ {
+ *sz = 0;
+ return 0;
+ }
+ else
+ {
+ /*
+ * Return no SPI for now -- SPIs must be manually specified in the
+ * config file for now.
+ */
+ *sz = 0;
+ return 0;
+ }
+}
+
+/*
+ * We have gotten a payload PAYLOAD of type TYPE, which did not get handled
+ * by the logic of the exchange MSG takes part in. Now is the time to deal
+ * with such a payload if we know how to, if we don't, return -1, otherwise
+ * 0.
+ */
+int
+gdoi_handle_leftover_payload (struct message *msg, u_int8_t type,
+ struct payload *payload)
+{
+ return -1;
+}
+
+/* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */
+static int
+gdoi_informational_pre_hook (struct message *msg)
+{
+#ifdef NOTYET
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ struct gdoi_sa *isa;
+ struct hash *hash;
+
+ if (!isakmp_sa)
+ return 0;
+ isa = isakmp_sa->data;
+ hash = hash_get (isa->hash);
+ return ipsec_add_hash_payload (msg, hash->hashsize) == 0;
+#else
+ return -1;
+#endif
+}
+
+/*
+ * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by.
+ */
+static int
+gdoi_informational_post_hook (struct message *msg)
+{
+#ifdef NOTYET
+ if (!msg->isakmp_sa)
+ return 0;
+ return ipsec_fill_in_hash (msg);
+#else
+ return -1;
+#endif
+}
+
+enum hashes xlate_gdoi_hash (u_int16_t hash)
+{
+ switch (hash)
+ {
+ case GDOI_KEK_HASH_ALG_MD5:
+ return HASH_MD5;
+ case GDOI_KEK_HASH_ALG_SHA:
+ return HASH_SHA1;
+ case GDOI_KEK_HASH_ALG_SHA256:
+ return HASH_SHA256;
+ }
+ return -1;
+}
+
+/* XXX Copied from ipsec.c */
+static enum transform from_ike_crypto (u_int16_t crypto)
+{
+ /* Coincidentally this is the null operation :-) */
+ return crypto;
+}
+
+
+/*
+ * Find out whether the attribute of type TYPE with a LEN length value
+ * pointed to by VALUE is incompatible with what we can handle.
+ * VMSG is a pointer to the current message.
+ */ +int +gdoi_is_attribute_incompatible (u_int16_t type, u_int8_t *value, + u_int16_t len, void *vmsg) +{ + struct message *msg = vmsg; + + if (msg->exchange->phase == 1) + { + switch (type) + { + case IKE_ATTR_ENCRYPTION_ALGORITHM: + return !crypto_get (from_ike_crypto (decode_16 (value))); + case IKE_ATTR_HASH_ALGORITHM: + return !hash_get (xlate_gdoi_hash (decode_16 (value))); + case IKE_ATTR_AUTHENTICATION_METHOD: + return !ike_auth_get (decode_16 (value)); + case IKE_ATTR_GROUP_DESCRIPTION: + return decode_16 (value) < IKE_GROUP_DESC_MODP_768 + || decode_16 (value) > IKE_GROUP_DESC_MODP_1536; + case IKE_ATTR_GROUP_TYPE: + return 1; + case IKE_ATTR_GROUP_PRIME: + return 1; + case IKE_ATTR_GROUP_GENERATOR_1: + return 1; + case IKE_ATTR_GROUP_GENERATOR_2: + return 1; + case IKE_ATTR_GROUP_CURVE_A: + return 1; + case IKE_ATTR_GROUP_CURVE_B: + return 1; + case IKE_ATTR_LIFE_TYPE: + return decode_16 (value) < IKE_DURATION_SECONDS + || decode_16 (value) > IKE_DURATION_KILOBYTES; + case IKE_ATTR_LIFE_DURATION: + return 0; + case IKE_ATTR_PRF: + return 1; + case IKE_ATTR_KEY_LENGTH: + /* + * Our crypto routines only allows key-lengths which are multiples + * of an octet. + */ + return decode_16 (value) % 8 != 0; + case IKE_ATTR_FIELD_SIZE: + return 1; + case IKE_ATTR_GROUP_ORDER: + return 1; + } + } + else + { + /* Nothing to do. */ + } + /* XXX Silence gcc. */ + return 1; +} + +/* + * IPSec-specific PROTO initializations. SECTION is only set if we are the + * initiator thus only usable there. + * XXX I want to fix this later. + */ +void +gdoi_proto_init (struct proto *proto, char *section) +{ + /* Nothing to do. */ +} + +static void +gdoi_setup_situation (u_int8_t *buf) +{ + SET_GDOI_SIT_SIT (buf + ISAKMP_SA_SIT_OFF, 0 /* As of GDOI draft 1 */); +} + +static size_t +gdoi_situation_size (void) +{ + return GDOI_SIT_SIT_LEN; +} + +static u_int8_t +gdoi_spi_size (u_int8_t proto) +{ + /* One way to specify ISAKMP SPIs is to say they're zero-sized. 
*/ + return 0; +} + +static int +gdoi_validate_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) +{ + struct message *msg = vmsg; + + if ((msg->exchange->phase == 1 + && (type < IKE_ATTR_ENCRYPTION_ALGORITHM + || type > IKE_ATTR_GROUP_ORDER)) + || (msg->exchange->phase == 2 + && (type < IPSEC_ATTR_SA_LIFE_TYPE + || type > IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM))) + return -1; + return 0; +} + +static int +gdoi_validate_exchange (u_int8_t exch) +{ + /* If we get here the exchange is invalid. */ + return exch != GDOI_EXCH_PULL_MODE && exch != GDOI_EXCH_PUSH_MODE; +} + +static int +gdoi_validate_id_information (u_int8_t type, u_int8_t *extra, u_int8_t *buf, + size_t sz, struct exchange *exchange) +{ + u_int8_t proto = GET_IPSEC_ID_PROTO (extra); + u_int16_t port = GET_IPSEC_ID_PORT (extra); + + LOG_DBG ((LOG_MESSAGE, 0, + "gdoi_validate_id_information: proto %d port %d type %d", + proto, port, type)); + if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_IEC90_5) + return -1; + + switch (type) + { + case IPSEC_ID_IPV4_ADDR: + LOG_DBG_BUF ((LOG_MESSAGE, 40, "gdoi_validate_id_information: IPv4", + buf, 4)); + break; + + case IPSEC_ID_IPV4_ADDR_SUBNET: + LOG_DBG_BUF ((LOG_MESSAGE, 40, + "gdoi_validate_id_information: IPv4 network/netmask", + buf, 8)); + break; + + case IPSEC_ID_KEY_ID: + LOG_DBG ((LOG_MESSAGE, 40, "gdoi_validate_id_information: key id %s", + buf)); + break; + +#ifdef IEC90_5_SUPPORT + case IPSEC_ID_IEC90_5: + if (iec90_5_validate_id_information(buf)) { + log_print ("gdoi_validate_id_information: IEC90-5 validation failed\n"); + return -1; + } + break; +#endif + + default: + break; + } + + if (exchange->phase == 1 + && (proto != IPPROTO_UDP || port != UDP_DEFAULT_PORT) + && (proto != 0 || port != 0)) + { +/* XXX SSH's ISAKMP tester fails this test (proto 17 - port 0). */ +#ifdef notyet + return -1; +#else + log_print ("gdoi_validate_id_information: " + "dubious ID information accepted"); +#endif + } + + /* XXX More checks? 
*/ + + return 0; +} + +static int +gdoi_validate_key_information (u_int8_t *buf, size_t sz) +{ + /* Nothing to do. */ + return 0; +} + +static int +gdoi_validate_notification (u_int16_t type) +{ + return type < IPSEC_NOTIFY_RESPONDER_LIFETIME + || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0; +} + +static int +gdoi_validate_proto (u_int8_t proto) +{ + if (!constant_lookup(gdoi_tek_prot_cst, proto)) + { + log_print ("gdoi_validate_proto: unsupported TEK protocol %d", proto); + return -1; + } + return 0; +} + +static int +gdoi_validate_situation (u_int8_t *buf, size_t *sz) +{ + int sit = GET_GDOI_SIT_SIT (buf); + + /* + * As of GDOI Draft 1, no situation bits are in use. + */ + if (sit != 0) { + *sz = 0; + return -1; + } + + *sz = 4; + return 0; +} + +static int +gdoi_validate_transform_id (u_int8_t proto, u_int8_t transform_id) +{ + switch (proto) + { + /* + * As no unexpected protocols can occur, we just tie the default case + * to the first case, in orer to silence a GCC warning. + */ + default: + case ISAKMP_PROTO_ISAKMP: + return transform_id != IPSEC_TRANSFORM_KEY_IKE; + case IPSEC_PROTO_IPSEC_AH: + return + transform_id < IPSEC_AH_MD5 + || transform_id > IPSEC_AH_SHA2_512 ? -1 : 0; + case IPSEC_PROTO_IPSEC_ESP: + return transform_id < IPSEC_ESP_DES_IV64 + || transform_id > IPSEC_ESP_AES_NULL_AUTH_AES_GMAC ? -1 : 0; + case IPSEC_PROTO_IPCOMP: + return transform_id < IPSEC_IPCOMP_OUI + || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0; + } +} + +/* + * If applicable, unlink the SA from the rekey exchange. + */ +static void +gdoi_postprocess_sa (struct sa *sa) +{ + struct gdoi_kek *stored_kek; + + /* + * The SA might have already been deleted. This is likely on + * the group member side where we have no postprocessing to do. + */ + if (sa->refcnt == 0) + { + return; + } + + /* + * This is probably an error. 
+ */ + if ((int16_t)sa->refcnt < 0) + { + LOG_DBG ((LOG_SA, 50, + "gdoi_postprocess_sa: SA %p has invalid reference count %d", + sa, sa->refcnt)); + return; + } + + stored_kek = gdoi_get_kek_by_cookies(sa->cookies); + if (!stored_kek) + { + return; + } + + if (stored_kek->send_exchange) + { + TAILQ_REMOVE(&stored_kek->send_exchange->sa_list, sa, next); + } + sa_release (sa); + + return; +} + +static int +gdoi_initiator (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + int (**script) (struct message *msg) = 0; + + /* Check that the SA is coherent with the GDOI rules. */ + if ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != GDOI_EXCH_PUSH_MODE + && exchange->type != ISAKMP_EXCH_INFO) + || (exchange->phase == 2 && exchange->type != GDOI_EXCH_PULL_MODE + && exchange->type != ISAKMP_EXCH_INFO)) + { + log_print ("gdoi_initiator: unsupported exchange type %d in phase %d", + exchange->type, exchange->phase); + return -1; + } + + switch (exchange->type) + { + case ISAKMP_EXCH_ID_PROT: + script = ike_main_mode_initiator; + break; +#ifdef USE_AGGRESSIVE + case ISAKMP_EXCH_AGGRESSIVE: + script = ike_aggressive_initiator; + break; +#endif + case ISAKMP_EXCH_INFO: + return message_send_info (msg); + case GDOI_EXCH_PULL_MODE: + script = gdoi_phase2_initiator; + break; + case GDOI_EXCH_PUSH_MODE: + script = gdoi_rekey_initiator; + break; + default: + log_print ("gdoi_initiator: unuspported exchange type %d", + exchange->type); + return -1; + } + + /* Run the script code for this step. */ + if (script) + return script[exchange->step] (msg); + + return 0; +} + +static int +gdoi_responder (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + int (**script) (struct message *msg) = 0; + + /* Check that a new exchange is coherent with the GDOI rules. 
*/ + if (exchange->step == 0 + && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != GDOI_EXCH_PUSH_MODE) + || (exchange->phase == 2 && exchange->type == ISAKMP_EXCH_ID_PROT))) + { + message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + return -1; + } + + LOG_DBG ((LOG_MISC, 30, + "gdoi_responder: phase %d exchange %d step %d", exchange->phase, + exchange->type, exchange->step)); + switch (exchange->type) + { + case ISAKMP_EXCH_ID_PROT: + script = ike_main_mode_responder; + break; + +#ifdef USE_AGGRESSIVE + case ISAKMP_EXCH_AGGRESSIVE: + script = ike_aggressive_responder; + break; +#endif + + case GDOI_EXCH_PULL_MODE: + script = gdoi_phase2_responder; + break; + + case GDOI_EXCH_PUSH_MODE: + script = gdoi_rekey_responder; + break; + + default: + message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + return -1; + } + + /* Run the script code for this step. */ + if (script) + return script[exchange->step] (msg); + + return 0; +} + +int +gdoi_validate_kd (struct message *msg, struct payload *p) +{ + return 0; +} + +int +gdoi_validate_seq (struct message *msg, struct payload *p) +{ + return 0; +} + +int +gdoi_validate_gap (struct message *msg, struct payload *p) +{ + return 0; +} diff --git a/src/gdoi_fld.fld b/src/gdoi_fld.fld new file mode 100644 index 0000000..7d65d08 --- /dev/null +++ b/src/gdoi_fld.fld 
@@ -0,0 +1,135 @@ +# $Id: gdoi_fld.fld,v 1.6.2.1 2011/10/18 03:26:55 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_fld.fld,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. 
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# Generic payload header. +GDOI_GEN + NEXT_PAYLOAD cst 1 isakmp_payload_cst + RESERVED ign 1 + LENGTH num 2 +. + +# GDOI Security association payload. +GDOI_SA : GDOI_GEN + DOI num 4 group_doi_cst + SIT raw 4 + SA_ATTR_NEXT num 2 isakmp_payload_cst + RES2 ign 2 +. + +# GDOI's situation +GDOI_SIT + SIT mask 4 gdoi_sit_cst +. 
+ +# SA_KEK payload beginning fields +GDOI_SA_KEK + PROTOCOL num 1 +. + +# SA_KEK payload ending fields +GDOI_SA_KEK_END + SPI raw 16 + RESERVED2 num 4 + POP_KEYLEN num 2 +. + +# SA_TEK payload beginning fields. +GDOI_SA_TEK : GDOI_GEN + PROT_ID num 1 gdoi_tek_prot_cst +. + +GDOI_SA_TEK_ESP + IP_PROT num 1 +. + +# Identify part for part of the ESP protocol-specific payload for SA_TEK +# Also used for the the ID part of the KEK payload +GDOI_SA_ID + TYPE num 1 ipsec_id_cst + PORT num 2 + DATA_LEN num 1 + DATA raw +. + +# GDOI SEQ payload. +GDOI_SEQ : GDOI_GEN + SEQ_NUM num 4 +. + +# GDOI GAP payload. +GDOI_GAP : GDOI_GEN gdoi_gap_fld + DATA raw +. + +# KD key packet +GDOI_KD_PAK + KD_TYPE cst 1 gdoi_kd_type_cst + RESERVED ign 1 + LENGTH num 2 + SPI_SIZE num 1 +. + +# GDOI KD payload. +GDOI_KD : GDOI_GEN + NUM_PACKETS num 2 + RES2 ign 2 +. diff --git a/src/gdoi_iec90_5.c b/src/gdoi_iec90_5.c new file mode 100644 index 0000000..f2e49b2 --- /dev/null +++ b/src/gdoi_iec90_5.c 
@@ -0,0 +1,609 @@ +/* $Id: gdoi_iec90_5.c,v 1.1.2.1 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_iec90_5.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. 
+ * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. 
OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + + +#include +#include +#include +#include + +#include "attribute.h" +#include "conf.h" +#include "connection.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "gdoi_phase2.h" +#include "log.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "transport.h" +#include "util.h" +#include "gdoi_fld.h" +#include "ipsec_num.h" +#include "gdoi_num.h" +#include "gdoi_iec90_5.h" +#include "iec90_5_num.h" +#include "iec90_5_fld.h" +#include "gdoi.h" +#include "gdoi_app_iec90_5_attr.h" + +int +iec90_5_get_id (char *section, size_t *id_sz, u_int8_t **buf) +{ + int oid_type; + char *oid, *address; + struct in_addr ip_addr; + size_t id_asn_sz, id_buf_sz; + u_int8_t *id_buf; + + oid = conf_get_str (section, "OID"); + oid_type = constant_value (iec90_5_id_cst, oid); + + switch (oid_type) + { + case IEC90_5_ID_61850_UDP_ADDR_GOOSE: + address = conf_get_str (section, "Address"); + if (!address) + { + log_print ("iec90_5_get_id: section %s has no \"Address\" tag", + section); + return -1; + } + if (!inet_aton (address, &ip_addr)) + { + log_print ("iec90_5_get_id: invalid address %s in section %s", + section, address); + return -1; + } + break; + default: + log_print ("iec90_5_get_id: Unkonwn or Unsupported IEC90_5 OID: %d\n", + oid_type); + return -1; + } + + /* + * Format ID payload. See Clause 11.4.2 ("Identification Paylod") of 90-5. + * NOTE: This doesn't actually match that clause -- needs work. 
+ */ + id_asn_sz = strlen(OID_61850_UDP_ADDR_GOOSE); + id_buf_sz = IEC90_5_ID_SZ + id_asn_sz; + id_buf = calloc(1, id_buf_sz); + if (!id_buf) { + log_print ("iec90_5_get_id: Calloc failed for %d bytes\n", id_buf_sz); + return -1; + } + SET_IEC90_5_ID_ID(id_buf, 0xa1); + SET_IEC90_5_ID_PAYLOAD_LEN(id_buf, id_buf_sz); + SET_IEC90_5_ID_TAG(id_buf, 0x80); + SET_IEC90_5_ID_OID_LEN(id_buf, id_asn_sz); + memcpy(&id_buf[IEC90_5_ID_SZ], OID_61850_UDP_ADDR_GOOSE, id_asn_sz); + + *buf = id_buf; + *id_sz = id_buf_sz; + + return 0; +} + +int +iec90_5_validate_id_information (u_int8_t *buf) +{ + LOG_DBG ((LOG_MESSAGE, 40, + "iec90_5_validate_id_information: Got an IEC90-5 ID")); + + /* + * The ID payload is so complicated that it probably warrants some good + * format validation here. + */ + + return 0; +} + +/* + * Key server side + * Find the TEK-specific policy for an IEC90-5 type TEK. + */ +int gdoi_iec90_5_set_policy (char *conf_field, struct message *msg, + struct exchange *sa_exchange, u_int8_t *id_gdoi, + u_int16_t id_gdoi_sz) +{ + struct sa *sa; + struct proto *proto; + struct iec90_5_proto *iec_proto; + u_int8_t *iec90_5_id; + + /* + * Find the sa. The last SA in the list was just created for our use. + */ + sa = TAILQ_LAST (&sa_exchange->sa_list, sa_head); + if (!sa) + { + log_error ("gdoi_iec90_5_set_policy: No sa's in list!"); + goto bail_out; + } + + /* + * Initialize the SA + */ + if (gdoi_setup_sa (sa, &proto, IPSEC_PROTO_IEC90_5, sizeof(struct iec90_5_proto))) + { + goto bail_out; + } + iec_proto = proto->data; + + /* + * TEK will need to include the ID ASN.1 included in the 1st GDOI message. + * Note: Need to adjust the starting point of the macros to the start of + * the IEC90-5 specific ID data. 
+ */ + iec90_5_id = id_gdoi + 8; + iec_proto->oid_sz = GET_IEC90_5_ID_OID_LEN(iec90_5_id); + iec_proto->oid = calloc(1, iec_proto->oid_sz); + if (!iec_proto->oid) { + log_error ("gdoi_iec90_5_set_policy: Malloc failed %d bytes."); + goto bail_out; + } + memcpy(iec_proto->oid, &iec90_5_id[IEC90_5_ID_SZ], iec_proto->oid_sz); + + /* + * BEW: Hardcode policy for now. It shoud be read in from the configuration. + */ + iec_proto->auth_alg = GDOI_KEK_HASH_ALG_SHA; + iec_proto->auth_key_size = HMAC_SHA_LENGTH; + iec_proto->next_auth_alg = 0; + iec_proto->next_auth_key_size = 0; + + /* + * BEW: Assume SPI is 1 byte. + * Also, just send key_id NOT next key_id for now. + */ + proto->spi_sz[0] = 1; + proto->spi[0] = malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_error ("gdoi_iec90_5_set_policy: malloc failure -- SPI (%d bytes)", + proto->spi_sz[0]); + goto bail_out; + } + /* + * Choose a random SPI + * + * Write the SPI length & SPI. + */ + getrandom(proto->spi[0], proto->spi_sz[0]); + + iec_proto->auth_key = malloc(iec_proto->auth_key_size); + if (!iec_proto->auth_key) + { + log_print ("gdoi_iec90_5_set_policy: malloc failed: auth key (%d)", + iec_proto->auth_key_size); + goto bail_out; + } + getrandom(iec_proto->auth_key, iec_proto->auth_key_size); + + return 0; + +bail_out: + return -1; +} + +int +gdoi_iec90_5_get_policy_from_sa (struct sa *sa, u_int8_t **ret_buf, + size_t *ret_buf_sz) +{ + u_int8_t *iec90_5_tek_buf = 0; + u_int8_t *iec90_5_tek_p2_buf = 0; + size_t iec90_5_tek_sz; + struct proto *proto; + struct iec90_5_proto *iec_proto; + char keyid; + + proto = TAILQ_FIRST (&sa->protos); + iec_proto = proto->data; + + iec90_5_tek_sz = IEC90_5_TEK_P1_SZ + iec_proto->oid_sz + IEC90_5_TEK_P2_SZ; + iec90_5_tek_buf = calloc(1, iec90_5_tek_sz); + if (!iec90_5_tek_buf) { + log_print ("gdoi_iec90_5_get_policy_from_sa: Failed to get %d bytes for " + "IEC90-5 TEK payload", iec90_5_tek_sz); + return -1; + } + + /* + * IEC90-5 paylaod (approximtely) + */ + + 
SET_IEC90_5_TEK_P1_TAG(iec90_5_tek_buf, 0x80); + SET_IEC90_5_TEK_P1_OID_SZ(iec90_5_tek_buf, iec_proto->oid_sz); + memcpy(iec90_5_tek_buf+IEC90_5_TEK_P1_SZ, iec_proto->oid, iec_proto->oid_sz); + iec90_5_tek_p2_buf = iec90_5_tek_buf + IEC90_5_TEK_P1_SZ + iec_proto->oid_sz; + if (1 == proto->spi_sz[0]) { + keyid = *proto->spi[0]; + SET_IEC90_5_TEK_P2_CUR_KEY_ID(iec90_5_tek_p2_buf, keyid); + } else { + log_print ("gdoi_iec90_5_get_policy_from_sa: Improper SPI size %d!", + proto->spi_sz[0]); + return -1; + } + /* + * NOTE: The same values below need to be sent in the KD paylaod! + */ + SET_IEC90_5_TEK_P2_LT_ID(iec90_5_tek_p2_buf, 1); + SET_IEC90_5_TEK_P2_LT_V(iec90_5_tek_p2_buf, 1); + SET_IEC90_5_TEK_P2_RES(iec90_5_tek_p2_buf, 0); + SET_IEC90_5_TEK_P2_LT(iec90_5_tek_p2_buf, 3600); + SET_IEC90_5_TEK_P2_AUTH_ALG_ID(iec90_5_tek_p2_buf, 5); + SET_IEC90_5_TEK_P2_AUTH_ALG(iec90_5_tek_p2_buf, 2); + SET_IEC90_5_TEK_P2_KEY_LEN(iec90_5_tek_p2_buf, iec_proto->auth_key_size); + + /* + * I don't get how the AES bits work when HMAC is used so am omitting them. + * Also omitting the next key stuff. + */ + + *ret_buf = iec90_5_tek_buf; + *ret_buf_sz = iec90_5_tek_sz; + + return 0; + +} + +/* + * Group member side (decode & store TEK values) Decode the SRTP type TEK + * and stuff into the SA. + */ +int +gdoi_iec90_5_decode_tek (struct message *msg, struct sa *sa, + u_int8_t *iec90_5_tek, size_t iec90_5_tek_len, + int create_proto) +{ + u_int8_t *iec90_5_p2_tek; + struct proto *proto = NULL; + struct iec90_5_proto *iec_proto = NULL; + u_int8_t tmp_1byte; + + /* + * Validate the SA. + */ + if (!sa) + { + log_error ("group_decode_esp_tek: No sa's in list!"); + goto clean_up; + } + + if (create_proto) + { + if (gdoi_setup_sa (sa, &proto, IPSEC_PROTO_IEC90_5, + sizeof(struct iec90_5_proto))) + { + goto clean_up; + } + } + else + { + proto = TAILQ_LAST(&sa->protos, proto_head); + } + + /* + * Stuff the SRTP policy in the proto structure. 
(Can't use sa->data because + * that is initialized in sa_create(). sa->data is unused for SRTP.) + */ + iec_proto = (struct iec90_5_proto *) proto->data; + + /* + * Process 1st part of TEK (OID) + */ + tmp_1byte = GET_IEC90_5_TEK_P1_TAG(iec90_5_tek); + if (0x80 != tmp_1byte) { + log_print ("gdoi_iec90_5_decode_tek: Wrong TEK ID %d\n", tmp_1byte); + goto clean_up; + } + iec_proto->oid_sz = GET_IEC90_5_TEK_P1_OID_SZ(iec90_5_tek); + iec_proto->oid = calloc(1, iec_proto->oid_sz); + if (!iec_proto->oid) { + log_print ("gdoi_iec90_5_decode_tek: calloc failed for OID size (%d)", + iec_proto->oid_sz); + goto clean_up; + } + memcpy(iec_proto->oid, iec90_5_tek+IEC90_5_TEK_P1_SZ, iec_proto->oid_sz); + + /* + * Process 2nd part of TEK + */ + /* SPI */ + iec90_5_p2_tek = iec90_5_tek + IEC90_5_TEK_P1_SZ + iec_proto->oid_sz; + proto->spi_sz[0] = 1; /* Hard code to match TEK */ + proto->spi[0] = malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_error ("gdoi_iec90_5_decode_tek: malloc failure -- SPI (%d bytes)", + proto->spi_sz[0]); + goto clean_up; + } + *proto->spi[0] = GET_IEC90_5_TEK_P2_CUR_KEY_ID(iec90_5_p2_tek); + log_print(" SPI found (SA) %u (%01#x) for sa %#x", + *proto->spi[0], *proto->spi[0], sa); + + /* Lifetime & Reserved byte */ + tmp_1byte = GET_IEC90_5_TEK_P2_LT_ID(iec90_5_p2_tek); + if (1 != tmp_1byte) { + log_print ("gdoi_iec90_5_decode_tek: Wrong LT ID %d\n", tmp_1byte); + goto clean_up; + } + tmp_1byte = GET_IEC90_5_TEK_P2_RES(iec90_5_p2_tek); + if (0 != tmp_1byte) { + log_print ("gdoi_iec90_5_decode_tek: Wrong Reserved byte value %d\n", + tmp_1byte); + goto clean_up; + } + tmp_1byte = GET_IEC90_5_TEK_P2_LT_V(iec90_5_p2_tek); + if (1 != tmp_1byte) { + log_print ("gdoi_iec90_5_decode_tek: Wrong LT V %d\n", tmp_1byte); + goto clean_up; + } + iec_proto->lifetime_secs = GET_IEC90_5_TEK_P2_LT(iec90_5_p2_tek); + + /* Authentication values */ + tmp_1byte = GET_IEC90_5_TEK_P2_AUTH_ALG_ID(iec90_5_p2_tek); + if (5 != tmp_1byte) { + log_print 
("gdoi_iec90_5_decode_tek: Wrong Auth value %d\n", tmp_1byte); + goto clean_up; + } + iec_proto->auth_alg = GET_IEC90_5_TEK_P2_AUTH_ALG(iec90_5_p2_tek); + iec_proto->auth_key_size = GET_IEC90_5_TEK_P2_KEY_LEN(iec90_5_p2_tek); + + return 0; + +clean_up: + if (proto) + { + proto_free(proto); + } + return -1; +} + +/* + * Translate keys from the IEC90-5 proto into a generic structure + */ +int +gdoi_iec90_5_get_tek_keys (struct gdoi_kd_decode_arg *keys, struct proto *proto) +{ + struct iec90_5_proto *iec_proto= (struct iec90_5_proto *) proto->data; + u_int8_t *kd_buf; + u_int32_t kd_sz; + + /* + * Build a private KD attribute for IEC90-5. + */ + if (!iec_proto->auth_key_size) { + log_print ("gdoi_iec90_5_get_tek_keys: Warning: No keys to send!"); + return 0; + } + + + kd_sz = IEC90_5_KD_SZ + iec_proto->auth_key_size; + kd_buf = calloc(1, kd_sz); + if (!kd_buf) { + log_print ("gdoi_iec90_5_get_tek_keys: Failed to get %d bytes for " + "IEC90-5 KD payload", kd_sz); + return -1; + } + + /* + * Note: Most or all of these hard coded values should have come from policy + * stored in iec_proto. + */ + SET_IEC90_5_KD_LT_ID(kd_buf,1); + SET_IEC90_5_KD_LT_V(kd_buf,1); + SET_IEC90_5_KD_RES(kd_buf,0); + SET_IEC90_5_KD_LT(kd_buf, 3600); + SET_IEC90_5_KD_AUTH_ALG_ID(kd_buf, 5); + SET_IEC90_5_KD_AUTH_ALG(kd_buf, 2); + SET_IEC90_5_KD_KEY_LEN(kd_buf, iec_proto->auth_key_size); + memcpy(kd_buf + IEC90_5_KD_SZ, iec_proto->auth_key, iec_proto->auth_key_size); + + keys->custom_kd_payload = kd_buf; + keys->custom_kd_payload_sz = kd_sz; + /* I have not idea which value to use for the payload type */ + keys->custom_kd_payload_type = IEC90_5_KD_61850_ETHERENT_GOOSE_OR_SV; + + return 0; +} + +/* + * Group member side + * Validate and install keys gotten from the KD in the iec_proto structure. 
+ */ +int +gdoi_iec90_5_install_keys (struct proto *proto, struct gdoi_kd_decode_arg *keys) +{ + struct iec90_5_proto *iec_proto; + u_int8_t *kd_buf; + + kd_buf = keys->custom_kd_payload; + + if (proto->proto != IPSEC_PROTO_IEC90_5) + { + log_error ("gdoi_iec90_5_install_keys: IEC90_5 SA expected, got %d", + proto->proto); + return -1; + } + + iec_proto = (struct iec90_5_proto *) proto->data; + if (!iec_proto) + { + log_error ("gdoi_iec90_5_install_keys: IEC90_5 SA TEK data missing"); + return -1; + } + + if (GET_IEC90_5_KD_KEY_LEN(kd_buf) != iec_proto->auth_key_size) { + log_print ("gdoi_iec90_5_install_keys: Auth key size doesn't match" + "key size sent in TEK"); + return -1; + } + + iec_proto->auth_key = malloc(iec_proto->auth_key_size); + if (!iec_proto->auth_key) + { + log_print ("gdoi_iec90_5_get_policy: malloc failed: auth key (%d)", + iec_proto->auth_key_size); + return -1; + } + memcpy(iec_proto->auth_key, kd_buf + IEC90_5_KD_SZ, iec_proto->auth_key_size); + + /* No need to save policy already sent in the TEK payload */ + + return 0; +} + +u_int8_t * +gdoi_iec90_5_add_attributes (u_int8_t *attr, struct sa *sa) +{ + struct proto *proto = NULL; + struct iec90_5_proto *iec_proto = NULL; + + proto = TAILQ_LAST(&sa->protos, proto_head); + iec_proto = (struct iec90_5_proto *) proto->data; + + attr = attribute_set_var(attr, IEC90_5_OID, iec_proto->oid, + iec_proto->oid_sz); + attr = attribute_set_var(attr, IEC90_5_LIFETIME_SECS, + (u_int8_t *)&iec_proto->lifetime_secs, + sizeof(iec_proto->lifetime_secs)); + attr = attribute_set_basic(attr, IEC90_5_KEYID, *proto->spi[0]); + attr = attribute_set_basic(attr, IEC90_5_AUTH_ALG, iec_proto->auth_alg); + attr = attribute_set_basic(attr, IEC90_5_AUTH_KEY_SIZE, + iec_proto->auth_key_size); + + if (!iec_proto->auth_key) + { + log_print ("gdoi_iec90_5_add_attributes: Auth key missing!\n"); + } + else + { + attr = attribute_set_var (attr, IEC90_5_AUTH_KEY, iec_proto->auth_key, + iec_proto->auth_key_size); + } + + return attr; 
+} diff --git a/src/gdoi_iec90_5.h b/src/gdoi_iec90_5.h new file mode 100644 index 0000000..38db41a --- /dev/null +++ b/src/gdoi_iec90_5.h 
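Review bot: gdoi_iec90_5_decode_tek never consults its iec90_5_tek_len parameter, so the OID length taken from the received TEK goes straight into calloc and memcpy, and the second part is then parsed at IEC90_5_TEK_P1_SZ + oid_sz; a short or malformed payload is therefore read past its end. The length should be checked once before the first field is read and again as soon as oid_sz is known, jumping to clean_up on failure, as in the excerpt below. That excerpt assumes IEC90_5_TEK_P2_SZ covers every field read from the second part, which the allocation in gdoi_iec90_5_get_policy_from_sa suggests but the generated header would confirm. The same missing check appears in gdoi_iec90_5_set_policy, where id_gdoi + 8 and the OID length are used without looking at id_gdoi_sz, and in gdoi_iec90_5_install_keys, where kd_buf is read and copied without looking at keys->custom_kd_payload_sz.

```c
  /* … unchanged: SA validation, gdoi_setup_sa / TAILQ_LAST proto lookup … */
  iec_proto = (struct iec90_5_proto *) proto->data;

  /* Both fixed-size parts must be present before any field is read. */
  if (iec90_5_tek_len < IEC90_5_TEK_P1_SZ + IEC90_5_TEK_P2_SZ)
    {
      log_print ("gdoi_iec90_5_decode_tek: TEK too short (%lu bytes)",
                 (unsigned long) iec90_5_tek_len);
      goto clean_up;
    }

  /* … unchanged: TEK tag check … */
  iec_proto->oid_sz = GET_IEC90_5_TEK_P1_OID_SZ(iec90_5_tek);
  /* The OID must fit between the two fixed-size parts of the payload. */
  if (iec_proto->oid_sz
      > iec90_5_tek_len - IEC90_5_TEK_P1_SZ - IEC90_5_TEK_P2_SZ)
    {
      log_print ("gdoi_iec90_5_decode_tek: OID size %lu exceeds TEK length %lu",
                 (unsigned long) iec_proto->oid_sz,
                 (unsigned long) iec90_5_tek_len);
      goto clean_up;
    }
  /* … unchanged: calloc/memcpy of the OID, decoding of the second part … */
```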
@@ -0,0 +1,154 @@ +/* $Id: gdoi_iec90_5.h,v 1.1.2.1 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_iec90_5.h,v $ */ + + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. 
+ * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. 
OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * IEC90-5 ID payload mappings. + */ +#define OID_61850_ETHERNET_GOOSE "1.2.840.10070.61850.8.1.1" +#define OID_61850_UDP_ADDR_GOOSE "1.2.840.10070.61850.8.1.2" + +struct iec90_5_proto { + /* + * OID from the ID payload in GDOI message 1 that caused this SA to be + * generated. + * NOTE: Not sure at this point how it will be carried forward to + * replacement SAs (e.g., when the lifetime for this SA expires). + */ + u_int8_t *oid; + u_int8_t oid_sz; + /* + * policy fields + * NOTE: SPIs (i.e., key_ids) should be kept in the generic proto struct. 
+ */
+ u_int16_t auth_alg;
+ u_int16_t next_auth_alg;
+ u_int32_t lifetime_secs;
+ /*
+ * keying material fields
+ * Lengths indicate how many bytes in which the keys
+ * are stored, not the number of bits!
+ */
+ u_int16_t auth_key_size;
+ u_int8_t *auth_key;
+ u_int16_t next_auth_key_size;
+ u_int8_t *next_auth_key;
+};
diff --git a/src/gdoi_iec90_5_protos.h b/src/gdoi_iec90_5_protos.h
new file mode 100644
index 0000000..4a04494
--- /dev/null
+++ b/src/gdoi_iec90_5_protos.h
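Review bot: `struct iec90_5_proto` keeps the TEK authentication key behind the raw pointers `u_int8_t *auth_key` and `u_int8_t *next_auth_key`, but the comment above the keying-material fields does not say who owns or releases those buffers. The `gdoi_iec90_5_install_keys` definition earlier in this patch assigns a fresh `malloc` result to `auth_key` without releasing a buffer that may already be there, so a second install on the same proto (whether that happens is not visible here) would leave the old key bytes allocated. I would extend the field comment, for example `/* auth_key, next_auth_key: heap buffers owned by this struct; clear and free them before replacing or when the proto is released */`. The header also has no include guard and carries the same license block twice.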
@@ -0,0 +1,76 @@ +/* $Id: gdoi_iec90_5_protos.h,v 1.1.2.1 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_iec90_5_protos.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */
+
+/*
+ * IEC 90-5 functions referenced by the generic GDOI code
+ */
+
+int iec90_5_get_id(char *, size_t *, u_int8_t **);
+int iec90_5_validate_id_information(u_int8_t *);
+int gdoi_iec90_5_set_policy(char *, struct message *, struct exchange *, u_int8_t *,
+ u_int16_t);
+int gdoi_iec90_5_get_policy_from_sa(struct sa *, u_int8_t **, size_t *);
+int gdoi_iec90_5_decode_tek(struct message *, struct sa *, u_int8_t *, size_t, int);
+int gdoi_iec90_5_get_tek_keys(struct gdoi_kd_decode_arg *, struct proto *);
+int gdoi_iec90_5_install_keys(struct proto *, struct gdoi_kd_decode_arg *);
+u_int8_t *gdoi_iec90_5_add_attributes(u_int8_t *, struct sa *);
+
diff --git a/src/gdoi_num.cst b/src/gdoi_num.cst
new file mode 100644
index 0000000..c529d88
--- /dev/null
+++ b/src/gdoi_num.cst
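Review bot: The prototype `int gdoi_iec90_5_install_keys(struct proto *, struct gdoi_kd_decode_arg *);` states no contract for the size of the custom KD payload. The definition in src/gdoi_iec90_5.c copies `auth_key_size` bytes from `kd_buf + IEC90_5_KD_SZ` after comparing only the key-length field read from that same payload. Unless the caller has already checked the received payload length (not visible here), a short KD payload would be read past its end. The length check belongs next to the `memcpy`; at minimum the declaration should state the requirement, e.g. `/* keys->custom_kd_payload must hold at least IEC90_5_KD_SZ + auth_key_size bytes */`. Parameter names on all eight prototypes would also make buffer/length pairs such as `u_int8_t *, size_t` readable.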
@@ -0,0 +1,162 @@ +# $Id: gdoi_num.cst,v 1.10.2.3 2011/12/12 20:43:47 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_num.cst,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. 
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# +# ISAKMP Group DOI numbers. +# + +# GROUP DOI Identifier. +GROUP_DOI + GDOI 2 +. + +# GDOI Situation Types +GDOI_SIT + NO_SITUATION_DEFINED 0 +. + +# GDOI exchange types. +GDOI_EXCH + PULL_MODE 32 + PUSH_MODE 33 +. 
+
+# GDOI KEK attributes
+GDOI_ATTR
+ KEK_MANAGEMENT_ALGORITHM 1
+ KEK_ALGORITHM 2
+ KEK_KEY_LENGTH 3
+ KEK_KEY_LIFETIME 4
+ SIG_HASH_ALGORITHM 5
+ SIG_ALGORITHM 6
+ SIG_KEY_LENGTH 7
+ KE_OAKLEY_GROUP 8
+.
+
+# GDOI KEK rekey encryption algorithms
+GDOI_KEK_ALG
+ DES 1
+ 3DES 2
+ AES 3
+.
+
+# GDOI KEK rekey signature algorithms
+GDOI_KEK_SIG_ALG
+ RSA 1
+ DSS 2
+ ECDSS 3
+ ECDSA256 4
+ ECDSA384 5
+ ECDSA521 6
+.
+
+# GDOI KEK rekey signature hash algorithms
+GDOI_KEK_HASH_ALG
+ MD5 1
+ SHA 2
+ SHA256 3
+ SHA384 3
+ SHA512 3
+.
+
+# GDOI TEK Protocol-id types
+GDOI_TEK_PROT
+ RESERVED 0
+ PROTO_IPSEC_ESP 1
+ PROTO_IPSEC_AH 2
+ PROTO_SRTP 128
+ PROTO_IEC90_5 161
+.
+
+# GDOI GAP Attributes
+GDOI_GAP
+ ACTIVATION_TIME_DELAY 1
+ DEACTIVATION_TIME_DELAY 2
+ SENDER_ID_REQUEST 3
+.
+
+# GDOI KD Key packet types
+GDOI_KD_TYPE
+ TEK 1
+ KEK 2
+ LKH 3
+ SID 4
+.
+
+# TEK KD TEK Key Packet Attributes
+GDOI_ATTR_KD_TEK
+ SECRECY_KEY 1
+ INTEGRITY_KEY 2
+ SOURCE_AUTH_KEY 3
+.
+
+# TEK KD KEK Key Packet Attributes
+GDOI_ATTR_KD_KEK
+ SECRECY_KEY 1
+ SIGNATURE_KEY 2
+.
+
+# TEK SID Key Packet attributes
+GDOI_ATTR_KD_SID
+ NUM_BITS 1
+ VALUE 2
+.
diff --git a/src/gdoi_phase2.c b/src/gdoi_phase2.c
new file mode 100644
index 0000000..43a5520
--- /dev/null
+++ b/src/gdoi_phase2.c
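Review bot: In `GDOI_KEK_HASH_ALG` the entries `SHA256 3`, `SHA384 3` and `SHA512 3` all carry the value 3, so constants built from this table cannot tell the three signature hashes apart. RFC 6407 numbers these hashes consecutively, which suggests `SHA384 4` and `SHA512 5` were intended; please confirm against the registry before changing them. `kek_decode_attribute` in src/gdoi_phase2.c stores the received value in `kek->sig_hash_alg` unchanged, so this mapping presumably decides which hash is applied to rekey signatures (the verification code is outside this view).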
@@ -0,0 +1,5185 @@ +/* $Id: gdoi_phase2.c,v 1.22.2.3 2011/12/12 20:43:47 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_phase2.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "conf.h" +#include "connection.h" +#include "dh.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "gdoi_phase2.h" +#include "gdoi.h" +#include "ipsec.h" +#include "log.h" +#include "math_group.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "transport.h" +#include "crypto.h" +#include "util.h" +#include "gdoi_fld.h" +#include "gdoi_num.h" +#include "x509.h" +#include "cert.h" +#include "libcrypto.h" +#include +#include +#include +#ifdef IEC90_5_SUPPORT +#include "gdoi_iec90_5_protos.h" +#include "gdoi_iec90_5.h" +#include "iec90_5_num.h" +#endif +#ifdef SRTP_SUPPORT +#include "gdoi_srtp_protos.h" +#include "gdoi_srtp.h" +#endif + +#define DES_LENGTH 8 +#define MAX_PUBKEY_SIZE 1024 + +enum i_hash_inc { NO_I_NONCE, INC_I_NONCE }; +enum r_hash_inc { NO_R_NONCE, INC_R_NONCE }; + +#define SRC 1 +#define DST 2 + +#define DEFAULT_REKEY_PERIOD 10 +#define DEFAULT_KEK_REKEY_PERIOD 25 + +#define ATTR_SIZE (50 * ISAKMP_ATTR_VALUE_OFF) + +u_int8_t empty_cookies[KEK_SPI_SIZE]; + +static int initiator_send_HASH_NONCE_ID (struct message *); +static int initiator_recv_HASH_NONCE_SA (struct message *); +static int initiator_send_HASH (struct message *); +static int initiator_recv_HASH_SEQ_KD (struct message *); +static int responder_recv_HASH_NONCE_ID (struct message *); +static int responder_send_HASH_NONCE_SA (struct message *); +static int responder_recv_HASH (struct message *); +static int responder_send_HASH_SEQ_KD (struct message *); + +int (*gdoi_phase2_initiator[]) (struct message *) = { + initiator_send_HASH_NONCE_ID, + initiator_recv_HASH_NONCE_SA, + initiator_send_HASH, + initiator_recv_HASH_SEQ_KD +}; + +int (*gdoi_phase2_responder[]) (struct message *) = { + responder_recv_HASH_NONCE_ID, + responder_send_HASH_NONCE_SA, + responder_recv_HASH, + responder_send_HASH_SEQ_KD +}; + +struct extended_attrs { 
+ TAILQ_ENTRY (extended_attrs) link; + size_t sz; + int has_generic_header; + int attr_type; + void *attr_payload; +}; + +static TAILQ_HEAD (attr_payload_list, extended_attrs) attr_payloads; + +#define MAX_PRINT_STRING_LEN 4096 +static char bit_string[MAX_PRINT_STRING_LEN]; /* Cheap way of returning a string -- should be save in a single-threaded daemon */ + +/* + * Initialization for this file. + */ +void gdoi_phase2_init(void) +{ + memset(empty_cookies, 0, KEK_SPI_SIZE); +} + +uint8_t +nibble_to_hex_char(uint8_t nibble) { + char buf[16] = {'0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + return buf[nibble & 0xF]; +} + +char * +octet_string_hex_string(const void *s, int length) { + const uint8_t *str = (const uint8_t *)s; + int i; + + /* double length, since one octet takes two hex characters */ + length *= 2; + + /* truncate string if it would be too long */ + if (length > MAX_PRINT_STRING_LEN) + length = MAX_PRINT_STRING_LEN-1; + + for (i=0; i < length; i+=2) { + bit_string[i] = nibble_to_hex_char(*str >> 4); + bit_string[i+1] = nibble_to_hex_char(*str++ & 0xF); + } + bit_string[i] = 0; /* null terminate string */ + return bit_string; +} + +/* + * Out of a named section SECTION in the configuration file find out + * the group identity information. Modelled after ipsec_get_id(). 
+ */ +static int +group_get_id (char *section, int *id, size_t *id_sz, u_int8_t **buf) +{ + char *type, *group; + u_int32_t group_id; + u_int8_t *local_buf; + + type = conf_get_str (section, "ID-type"); + if (!type) + { + log_print ("group_get_id: section %s has no \"ID-type\" tag", section); + return -1; + } + + *id = constant_value (ipsec_id_cst, type); + switch (*id) + { + case IPSEC_ID_IPV4_ADDR: + return -1; + + case IPSEC_ID_FQDN: + return -1; + + case IPSEC_ID_USER_FQDN: + return -1; + + case IPSEC_ID_IPV4_ADDR_SUBNET: + return -1; + + case IPSEC_ID_IPV6_ADDR: + return -1; + + case IPSEC_ID_IPV6_ADDR_SUBNET: + return -1; + + case IPSEC_ID_IPV4_RANGE: + return -1; + + case IPSEC_ID_IPV6_RANGE: + return -1; + + case IPSEC_ID_DER_ASN1_DN: + return -1; + + case IPSEC_ID_DER_ASN1_GN: + return -1; + + case IPSEC_ID_KEY_ID: + group = conf_get_str (section, "Key-value"); + if (!group) { + log_print ("group_get_id: section %s has no \"Key-value\" tag", + section); + return -1; + } + /* + * Assume the Group identifier is a 32-bit number. + */ + /* Assume Group ID is a 32-bit number */ + *id_sz = sizeof(unsigned int); + local_buf = calloc(1, *id_sz); + if (!local_buf) { + log_print("group_get_id: Couldn't get buf of size %d\n", *id_sz); + return -1; + } + group_id = atoi(group); + memcpy(local_buf, (char *)&group_id, 4); + break; + +#ifdef IEC90_5_SUPPORT + case IPSEC_ID_IEC90_5: + if (iec90_5_get_id(section, id_sz, &local_buf)) { + log_print ("group_get_id: IEC90-5 identity error.\n"); + return -1; + } + break; +#endif + + default: + log_print ("group_get_id: unknown ID type \"%s\" in section %s", type, + section); + return -1; + } + + *buf = local_buf; + return 0; +} + +/* + * Out of a named section SECTION in the configuration file build an + * ISAKMP ID payload. Ths payload size should be stashed in SZ. + * The caller is responsible for freeing the payload. 
+ */ +u_int8_t * +group_build_id (char *section, size_t *sz) +{ + u_int8_t *p; + int id; + size_t id_sz; + u_int8_t *buf; + + if (group_get_id (section, &id, &id_sz, &buf)) + return 0; + + *sz = ISAKMP_ID_SZ + id_sz; + + p = calloc (1, *sz); + if (!p) + { + log_print ("group_build_id: calloc(%d) failed", *sz); + return 0; + } + + SET_ISAKMP_ID_TYPE (p, id); + SET_ISAKMP_ID_DOI_DATA (p, (u_int8_t *)"\000\000\000"); + memcpy(&p[ISAKMP_ID_DATA_OFF], buf, id_sz); + free(buf); + + return p; +} + +/* + * Grow a buffer. This takes as input an old buffer location and size, and + * another buffer which is to be added to it. It has two affects: + * 1. Returns a new buffer with the original two buffers concatenated. + * 2. Returns the new buffer length in the old buffer length argument. + */ +u_int8_t * +gdoi_grow_buf (u_int8_t *old_buf, size_t *old_buf_sz, + u_int8_t *addto_buf, size_t addto_buf_sz) +{ + u_int8_t *new_buf; + size_t new_buf_sz = *old_buf_sz + addto_buf_sz; + + new_buf = realloc (old_buf, new_buf_sz); + if (!new_buf) + { + log_print ("gdoi_grow_buf: " + "realloc failed (%d) bytes", new_buf_sz); + return 0; + } + memcpy((new_buf+*old_buf_sz), addto_buf, addto_buf_sz); + *old_buf_sz = new_buf_sz; + + return new_buf; +} + +/* + * Setup a GDOI SA proto and data sections + */ +int gdoi_setup_sa (struct sa *sa, struct proto **ret_proto, + int proto_type, int proto_data_size) +{ + struct proto *proto; + + /* + * Create a proto structure and initialize some fields. + * We only use one proto structure -- proposals aren't negotiated. 
+ */ + proto = calloc (1, sizeof *proto); + if (!proto) + { + log_error ("group_setup_gdoi_sa: calloc failure -- proto"); + return 1; + } + TAILQ_INSERT_TAIL (&sa->protos, proto, link); + proto->proto = proto_type; + proto->sa = sa; + + proto->data = calloc(1, proto_data_size); + if (!proto->data) + { + log_error ("group_setup_gdoi_sa: calloc failure -- proto data"); + return 1; + } + + *ret_proto = proto; + return 0; +} + +/* + * Handle an AH/ESP TEK + * - Allocate a gdoi_esp_tek_sa structure + * - Allocate an ipsec_sa structure & attach to gdoi_esp_tek_sa + * - Allocate an ipsec_proto structure & attach to gdoi_esp_tek_sa + * - Fill 'em all up from the TEK paylaod. + */ +static int +group_decode_ipsec_tek (struct message *msg, struct sa *sa, u_int8_t *esp_tek, + size_t esp_tek_len, int create_proto, + int ipsec_proto_type) +{ + u_int8_t *cur_p; + int id_type, id_len; + struct ipsec_decode_arg ida; + struct proto *proto; + struct ipsec_sa *ipsec; + + /* + * Validate the SA. + */ + if (!sa) + { + log_error ("group_decode_ipsec_tek: No sa's in list!"); + goto clean_up; + } + + if (create_proto) + { + if (gdoi_setup_sa (sa, &proto, ipsec_proto_type, + sizeof(struct ipsec_proto))) + { + goto clean_up; + } + } + else + { + proto = TAILQ_LAST(&sa->protos, proto_head); + } + ipsec = (struct ipsec_sa *) sa->data; + + /* + * Interpret the AH/ESP TEK header + * - Protocol + */ + cur_p = esp_tek; + ipsec->tproto = GET_GDOI_SA_TEK_ESP_IP_PROT(cur_p); + + + /* + * Get src_id fields + */ + cur_p = esp_tek + GDOI_SA_TEK_ESP_IP_PROT_LEN; + id_type = GET_GDOI_SA_ID_TYPE(cur_p); + id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p); + ipsec->sport = GET_GDOI_SA_ID_PORT(cur_p); + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + if (id_len != 4) + { + log_error ("group_decode_ipsec_tek: Invalid length for src IP addr: %d", + id_len); + goto clean_up; + } + ipsec->src_net = decode_32(cur_p+GDOI_SA_ID_DATA_OFF); + ipsec->src_mask = 0xffffffff; + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + if 
(id_len != 8) + { + log_error ("group_decode_ipsec_tek: Invalid length for src IP subnet:" + "%d", id_len); + goto clean_up; + } + ipsec->src_net = decode_32(cur_p+GDOI_SA_ID_DATA_OFF); + ipsec->src_mask = decode_32(cur_p+GDOI_SA_ID_DATA_OFF+4); + break; + default: + log_error ("group_decode_ipsec_tek: Unsupported src id type: %d", id_type); + goto clean_up; + } + + /* + * Get dst_id fields. Only type ID_IPV4_ADDR is reasonable. + */ + cur_p = cur_p + GDOI_SA_ID_DATA_OFF + id_len; + ipsec->dport = GET_GDOI_SA_ID_PORT(cur_p); + id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p); + if (id_len != 4) + { + log_error ("group_decode_ipsec_tek: Invalid length for dst IP addr: %d", + id_len); + goto clean_up; + } + ipsec->dst_net = decode_32(cur_p + GDOI_SA_ID_DATA_OFF); + ipsec->dst_mask = 0xffffffff; + + /* + * Get transform + */ + cur_p = cur_p + GDOI_SA_ID_DATA_OFF + id_len; + proto->id = *cur_p; + if (msg->exchange->doi->validate_transform_id (ipsec_proto_type, + proto->id) < 0) + { + log_error ("group_decode_ipsec_tek: Invalid transform id: %d", proto->id); + goto clean_up; + } + + /* + * Get SPI + */ + cur_p = cur_p + 1; + proto->spi_sz[0] = 4; /* ESP SPI length */ + proto->spi[0] = malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_error ("group_decode_ipsec_tek: Malloc failure -- spi"); + goto clean_up; + } + memcpy(proto->spi[0], cur_p, proto->spi_sz[0]); + log_print(" SPI found (SA) %u (%d) (%#x) for sa %#x", decode_32(proto->spi[0]), + decode_32(proto->spi[0]), decode_32(proto->spi[0]), sa); + + /* + * Extract the attributes and stuff them into the SA. 
+ */ + cur_p += 4; + + ida.msg = msg; + ida.sa = proto->sa; + ida.proto = proto; + + attribute_map (cur_p, (esp_tek_len - (cur_p - esp_tek)), + ipsec_decode_attribute, &ida); + + return 0; + +clean_up: + return -1; +} + +int gap_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *arg) +{ + struct gdoi_kek *kek = (struct gdoi_kek *) arg; + + switch (type) + { + case GDOI_GAP_ACTIVATION_TIME_DELAY: + kek->atd = decode_16(value); + break; + case GDOI_GAP_DEACTIVATION_TIME_DELAY: + kek->dtd = decode_16(value); + break; + default: + log_print ("gap_decode_attribute: Attribute not valid: %d", type); + return -1; + } + + return 0; +} + + +int kek_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *arg) +{ + struct gdoi_kek *kek = (struct gdoi_kek *) arg; + + switch (type) + { + case GDOI_ATTR_KEK_ALGORITHM: + kek->encrypt_alg = decode_16(value); + break; + case GDOI_ATTR_SIG_HASH_ALGORITHM: + kek->sig_hash_alg = decode_16(value); + break; + case GDOI_ATTR_SIG_ALGORITHM: + kek->sig_alg = decode_16(value); + break; + case GDOI_ATTR_KEK_KEY_LENGTH: + /* + * Sent in bits, so convert to bytes. + */ + kek->encrypt_key_len = decode_16(value) / 8; + break; + case GDOI_ATTR_KEK_KEY_LIFETIME: + kek->kek_timer_interval = decode_32(value); + break; + case GDOI_ATTR_SIG_KEY_LENGTH: + /* + * The length of the key is sent in bits. 
+ */
+ kek->signature_key_modulus_size = decode_16(value);
+ break;
+ case GDOI_ATTR_KEK_MANAGEMENT_ALGORITHM:
+ log_print ("kek_decode_attribute: Attribute not supported: %d", type);
+ return -1;
+ default:
+ log_print ("kek_decode_attribute: Attribute not valid: %d", type);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int
+group_handle_incoming_tek (struct message *msg, u_int8_t *tek)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ u_int8_t specific_tek_type;
+ size_t specific_tek_len;
+ u_int8_t *specific_tek_p;
+ int ipsec_proto_type;
+
+ /*
+ * Find the encapsulation-specific TEK payload, validate that we
+ * support the specific TEK protocol (e.g., ESP), and then call
+ * the specific TEK protocol code.
+ */
+ specific_tek_type = GET_GDOI_SA_TEK_PROT_ID(tek);
+ specific_tek_p = tek + GDOI_SA_TEK_SZ;
+ specific_tek_len = GET_GDOI_GEN_LENGTH(tek) - GDOI_SA_TEK_SZ;
+
+ /*
+ * Create an SA per TEK in exchange->sa_list. The policy will be stored
+ * in the SA structures.
+ */
+ if (sa_create(msg->exchange, NULL))
+ {
+ log_error ("group_handle_incoming_tek: Unable to create sa");
+ return -1;
+ }
+
+ switch (specific_tek_type)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ /*
+ * Check the previous type. Valid types are RESERVED (indicates this is
+ * the first TEK), ESP, or AH.
+ */
+ switch (ie->teks_type)
+ {
+ case GDOI_TEK_PROT_RESERVED:
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ ie->teks_type = specific_tek_type;
+ break;
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ ie->teks_type = specific_tek_type;
+ break;
+ default:
+ log_error ("group_handle_incoming_tek:"
+ "TEKs must all be IPSEC. 
Previous TEK was %d",
+ ie->teks_type);
+ return -1;
+ }
+ if (specific_tek_type == GDOI_TEK_PROT_PROTO_IPSEC_ESP)
+ {
+ ipsec_proto_type = IPSEC_PROTO_IPSEC_ESP;
+ }
+ else
+ {
+ ipsec_proto_type = IPSEC_PROTO_IPSEC_AH;
+ }
+ if (group_decode_ipsec_tek(msg, TAILQ_LAST (&exchange->sa_list, sa_head),
+ specific_tek_p, specific_tek_len, TRUE,
+ ipsec_proto_type))
+ {
+ return -1;
+ }
+ break;
+#ifdef IEC90_5_SUPPORT
+ case GDOI_TEK_PROT_PROTO_IEC90_5:
+ ie->teks_type = specific_tek_type;
+ switch (ie->teks_type)
+ {
+ case GDOI_TEK_PROT_PROTO_IEC90_5:
+ break;
+ default:
+ /*
+ * This error is for simplicity now. If both IEC90-5 and IPsec
+ * TEKs are retreived we might need to do a bit more processsing
+ * to ensure we have all the right fields for both of them.
+ */
+ log_error ("group_handle_incoming_tek:"
+ "Error! TEKs must all be the same! "
+ "Installing IEC90-5 TEK after TEK of type %d",
+ ie->teks_type);
+ return -1;
+ }
+ if (gdoi_iec90_5_decode_tek(msg,
+ TAILQ_LAST (&exchange->sa_list,sa_head),
+ specific_tek_p, specific_tek_len, TRUE))
+ {
+ return -1;
+ }
+ break;
+#endif
+#ifdef SRTP_SUPPORT
+ case GDOI_TEK_PROT_PROTO_SRTP:
+ ie->teks_type = specific_tek_type;
+ switch (ie->teks_type)
+ {
+ case GDOI_TEK_PROT_PROTO_SRTP:
+ break;
+ default:
+ log_error ("group_handle_incoming_tek:"
+ "Error! TEKs must all be the same! "
+ "Installing SRTP TEK after TEK of type %d",
+ ie->teks_type);
+ return -1;
+ }
+ if (gdoi_srtp_decode_tek(msg, TAILQ_LAST (&exchange->sa_list,sa_head),
+ specific_tek_p, specific_tek_len, TRUE))
+ {
+ return -1;
+ }
+ break;
+#endif
+ default:
+ log_error ("group_handle_incoming_tek:"
+ "Unsupported TEK type: %d", specific_tek_type);
+ return -1;
+ }
+ return 0;
+}
+
+static int
+group_handle_incoming_kek (struct message *msg, u_int8_t *kek)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ u_int8_t *cur_p = 0;
+ struct gdoi_kek *stored_kek;
+ int id_type, id_len;
+
+ /*
+ * Populate the KEK fields. The received policy is kept seperate from the
+ * GDOI registration exchange because it will still be valid once the GDOI
+ * registration exchange is deleted.
+ *
+ * A GDOI registration message will have the ie->id_gdoi initialized, but
+ * not a GDOI rekey message.
+ */
+ if (ie->id_gdoi)
+ {
+ stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 1);
+ /*
+ * Initialize the exchange name for later use.
+ */
+ if (exchange->name && !stored_kek->exchange_name)
+ {
+ stored_kek->exchange_name = strdup(exchange->name);
+ }
+ }
+ else
+ {
+ stored_kek = gdoi_get_kek_by_cookies(exchange->cookies);
+ }
+ if (!stored_kek)
+ {
+ log_error ("group_handle_incoming_kek: "
+ "Can't allocate KEK data structure");
+ return 1;
+ }
+
+ /*
+ * Validate the protocol field.
+ */
+ cur_p = kek + GDOI_GEN_SZ;
+ if (GET_GDOI_SA_KEK_PROTOCOL(cur_p) != IPPROTO_UDP)
+ {
+ log_error ("group_handle_incoming_kek: "
+ "Invalid protocol type %d", GET_GDOI_SA_KEK_PROTOCOL(cur_p));
+ return 1;
+ }
+
+ /*
+ * Get src/dst fields
+ */
+ cur_p += GDOI_SA_KEK_PROTOCOL_LEN;
+ id_type = GET_GDOI_SA_ID_TYPE(cur_p);
+ id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p);
+ stored_kek->sport = ntohs(GET_GDOI_SA_ID_PORT(cur_p));
+ switch (id_type)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ if (id_len != 4)
+ {
+ log_error ("group_handle_incoming_kek: "
+ "Invalid length for src IP addr: %d", id_len);
+ return 1;
+ }
+ stored_kek->src_addr = ntohl(decode_32(cur_p+GDOI_SA_ID_DATA_OFF));
+ break;
+ default:
+ log_error ("group_handle_incoming_kek: "
+ "Unsupported src id type: %d", id_type);
+ return 1;
+ }
+ cur_p += GDOI_SA_ID_DATA_OFF + id_len;
+ id_type = GET_GDOI_SA_ID_TYPE(cur_p);
+ id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p);
+ stored_kek->dport = ntohs(GET_GDOI_SA_ID_PORT(cur_p));
+ switch (id_type)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ if (id_len != 4)
+ {
+ log_error ("group_handle_incoming_kek: "
+ "Invalid length for src IP addr: %d", id_len);
+ return 1;
+ }
+ stored_kek->dst_addr = ntohl(decode_32(cur_p+GDOI_SA_ID_DATA_OFF));
+ break;
+ default:
+ log_error ("group_handle_incoming_kek: "
+ "Unsupported src id type: %d", id_type);
+ return 1;
+ }
+
+ /*
+ * Get SPI
+ * If there is already a SPI value present, put the SPI in the "next SPI",
+ * and install it later after we have the entire new policy including keys.
+ * This is necessary when a KEK is being replaced because we still need to
+ * lookup the KEK by the old cookies until we get & install the new KEK keys.
+ */
+ cur_p += GDOI_SA_ID_DATA_OFF + id_len;
+ if (memcmp(stored_kek->spi, empty_cookies, KEK_SPI_SIZE))
+ {
+ GET_GDOI_SA_KEK_END_SPI(cur_p, stored_kek->next_kek_policy.spi);
+ }
+ else
+ {
+ GET_GDOI_SA_KEK_END_SPI(cur_p, stored_kek->spi);
+ }
+ /* BEW: BUG: Need to store it in a "new" variable now.
+ * When get the keys in the KD payload, then
+ * a) install the new SPI and its keys
+ * b) fix the exchange->cookies to match.
+ */
+
+ log_print("group_handle_incoming_kek: Got New KEK SPI: "
+ "%02x%02x%02x%02x%02x%02x%02x%02x "
+ "%02x%02x%02x%02x%02x%02x%02x%02x",
+ stored_kek->next_kek_policy.spi[0], stored_kek->next_kek_policy.spi[1],
+ stored_kek->next_kek_policy.spi[2], stored_kek->next_kek_policy.spi[3],
+ stored_kek->next_kek_policy.spi[4], stored_kek->next_kek_policy.spi[5],
+ stored_kek->next_kek_policy.spi[6], stored_kek->next_kek_policy.spi[7],
+ stored_kek->next_kek_policy.spi[8], stored_kek->next_kek_policy.spi[9],
+ stored_kek->next_kek_policy.spi[10],stored_kek->next_kek_policy.spi[11],
+ stored_kek->next_kek_policy.spi[12],stored_kek->next_kek_policy.spi[13],
+ stored_kek->next_kek_policy.spi[14],stored_kek->next_kek_policy.spi[15]
+ );
+
+ cur_p += GDOI_SA_KEK_END_SZ;
+
+ /*
+ * Get KEK attributes.
+ */
+ attribute_map (cur_p, (GET_GDOI_GEN_LENGTH(kek) - (cur_p - kek)),
+ kek_decode_attribute, stored_kek);
+ /*
+ * Validate cipher attributes.
+ */
+ if (stored_kek->encrypt_alg == GDOI_KEK_ALG_AES)
+ {
+ /*
+ * We only support 128-bit keys. Ensure that's what we've been givne.
+ */
+ if (stored_kek->encrypt_key_len != AES128_LENGTH)
+ {
+ log_error ("group_handle_incoming_kek: "
+ "Unsupported AES key length: %d",
+ stored_kek->encrypt_key_len);
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+static int
+group_handle_incoming_gap (struct message *msg, u_int8_t *gap)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ u_int8_t *cur_p = 0;
+ struct gdoi_kek *stored_kek;
+
+ log_print ("group_handle_incoming_gap: Got one!\n");
+
+ /*
+ * Store the GAP policy in the stored_kek.
+ */
+ if (ie->id_gdoi)
+ {
+ stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 1);
+ }
+ else
+ {
+ stored_kek = gdoi_get_kek_by_cookies(exchange->cookies);
+ }
+ if (!stored_kek)
+ {
+ log_error ("group_handle_incoming_gap: "
+ "Can't allocate KEK data structure for GAP use");
+ return 1;
+ }
+
+ /*
+ * Get GAP attributes sent by the KS.
+ */
+
+ cur_p = gap + GDOI_GEN_SZ;
+ attribute_map (cur_p, (GET_GDOI_GEN_LENGTH(gap) - GDOI_GEN_SZ),
+ gap_decode_attribute, stored_kek);
+
+ return 0;
+}
+
+static int
+group_fill_in_hash (struct message *msg, enum i_hash_inc i_nonce,
+ enum r_hash_inc r_nonce)
+{
+ struct exchange *exchange = msg->exchange;
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ struct ipsec_sa *isa = isakmp_sa->data;
+ struct hash *hash = hash_get (isa->hash);
+ struct prf *prf;
+ struct payload *payload;
+ u_int8_t *buf;
+ int i;
+ char header[80];
+
+ /* If no SKEYID_a, we need not do anything. */
+ if (!isa->skeyid_a) {
+ log_print ("group_do_hash: aborting -- no skeyid_a");
+ return 0;
+ }
+
+ payload = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ if (!payload)
+ {
+ log_print ("group_do_hash: no HASH payload found");
+ return -1;
+ }
+ buf = payload->p;
+
+ /* Allocate the prf and start calculating our hash */
+ LOG_DBG_BUF ((LOG_MISC, 90, "group_do_hash: SKEYID_a", isa->skeyid_a,
+ isa->skeyid_len));
+ prf = prf_alloc (isa->prf_type, hash->type, (char *)isa->skeyid_a,
+ isa->skeyid_len);
+ if (!prf)
+ return -1;
+
+ prf->Init (prf->prfctx);
+ LOG_DBG_BUF ((LOG_MISC, 90, "group_do_hash: message_id",
+ exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+
+ if (i_nonce == INC_I_NONCE)
+ {
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "group_fill_in_hash: NONCE_I_b",
+ exchange->nonce_i, exchange->nonce_i_len));
+ prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
+ }
+ if (r_nonce == INC_R_NONCE)
+ {
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "group_fill_in_hash: NONCE_R_b",
+ exchange->nonce_r, exchange->nonce_r_len));
+ prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
+ }
+
+
+ /* Loop over all payloads after HASH. */
+ for (i = 2; i < msg->iovlen; i++)
+ {
+ snprintf (header, 80, "group_fill_in_hash: payload %d after HASH",
+ i - 1);
+ LOG_DBG_BUF ((LOG_MISC, 90, header, msg->iov[i].iov_base,
+ msg->iov[i].iov_len));
+ prf->Update (prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len);
+ }
+ prf->Final (buf + ISAKMP_HASH_DATA_OFF, prf->prfctx);
+ prf_free (prf);
+ LOG_DBG_BUF ((LOG_MISC, 80, "group_fill_in_hash: HASH",
+ buf + ISAKMP_HASH_DATA_OFF, hash->hashsize));
+
+ return 0;
+}
+
+static int
+group_check_hash (struct message *msg, enum i_hash_inc i_nonce,
+ enum r_hash_inc r_nonce)
+{
+ struct exchange *exchange = msg->exchange;
+ struct sa *isakmp_sa = msg->isakmp_sa;
+ struct ipsec_sa *isa = isakmp_sa->data;
+ struct hash *hash = hash_get (isa->hash);
+ struct payload *hashp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ size_t hashsize = hash->hashsize;
+ struct prf *prf;
+ u_int8_t *rest;
+ size_t rest_len;
+
+ if (!hashp)
+ {
+ log_print ("group_check_hash: no HASH payload found");
+ return -1;
+ }
+
+ /* Allocate the prf and start calculating our HASH.
*/
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "group_check_hash: SKEYID_a",
+ isa->skeyid_a, isa->skeyid_len));
+ prf = prf_alloc (isa->prf_type, hash->type, (char *)isa->skeyid_a,
+ isa->skeyid_len);
+ if (!prf)
+ return -1;
+
+ prf->Init (prf->prfctx);
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "group_check_hash: message_id",
+ exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN));
+ prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN);
+
+ if (i_nonce == INC_I_NONCE)
+ {
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "group_check_hash: NONCE_I_b",
+ exchange->nonce_i, exchange->nonce_i_len));
+ prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len);
+ }
+ if (r_nonce == INC_R_NONCE)
+ {
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90, "group_check_hash: NONCE_R_b",
+ exchange->nonce_r, exchange->nonce_r_len));
+ prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len);
+ }
+
+ rest = hashp->p + GET_ISAKMP_GEN_LENGTH (hashp->p);
+ rest_len = (GET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base)
+ - (rest - (u_int8_t*)msg->iov[0].iov_base));
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 90,
+ "group_check_hash: payloads after HASH", rest,
+ rest_len));
+ prf->Update (prf->prfctx, rest, rest_len);
+ prf->Final ((unsigned char *)hash->digest, prf->prfctx);
+ prf_free (prf);
+
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80, "group_check_hash: computed HASH",
+ (u_int8_t *)hash->digest, hashsize));
+ if (memcmp (hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize) != 0)
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, 0);
+ return -1;
+ }
+ /* Mark the HASH as handled. */
+ hashp->flags |= PL_MARK;
+
+ return 0;
+}
+
+/*
+ * Copy the Phase 1 cookies to the Phase 2 exchange.
+ */
+static int
+copy_p1_cookies (struct exchange *exchange)
+{
+ struct exchange *p1_exchange;
+
+ /*
+ * Copy the Phase 1 identities from the phase 1 exchange in case they are
+ * needed later for KE payload processing.
+ */
+ p1_exchange = exchange_lookup_from_icookie(exchange->cookies);
+ if (p1_exchange)
+ {
+ exchange->id_i_len = p1_exchange->id_i_len;
+ exchange->id_i = malloc(exchange->id_i_len);
+ if (!exchange->id_i)
+ {
+ log_print("copy_p1_cookies: "
+ "id_i malloc failed (%d bytes)", exchange->id_i_len);
+ }
+ memcpy(exchange->id_i, p1_exchange->id_i, exchange->id_i_len);
+
+ exchange->id_r_len = p1_exchange->id_r_len;
+ exchange->id_r = malloc(exchange->id_r_len);
+ if (!exchange->id_r)
+ {
+ log_print("copy_p1_cookies: "
+ "id_r malloc failed (%d bytes)", exchange->id_r_len);
+ }
+ memcpy(exchange->id_r, p1_exchange->id_r, exchange->id_r_len);
+ }
+ else
+ {
+ log_print ("copy_p1_cookies: Couldn't find Phase 1 for this exchange.");
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Make initial membership request to the GCKS.
+ */
+static int
+initiator_send_HASH_NONCE_ID (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ u_int8_t *id;
+ size_t sz;
+ struct ipsec_sa *isa = msg->isakmp_sa->data;
+ struct hash *hash = hash_get (isa->hash);
+
+ /*
+ * Copy the Phase 1 cookies for possible use with the KE payload.
+ */
+ if (copy_p1_cookies(exchange))
+ {
+ return -1;
+ }
+
+ /*
+ * Add HASH payload
+ */
+ if (!ipsec_add_hash_payload (msg, hash->hashsize)) {
+ return -1;
+ }
+
+ /*
+ * Add NONCE payload
+ */
+ if (exchange_gen_nonce (msg, 16)) {
+ return -1;
+ }
+
+ /*
+ * Add ID payload, and update the exchange structure with the group id.
+ */ + id = group_build_id (exchange->name, &sz); + if (!id) + { + log_error ("initiator_send_HASH_ID_NONCE: Group ID missing!"); + return -1; + } + LOG_DBG_BUF ((LOG_MISC, 90, "initiator_send_HASH_NONCE_ID: ID", id, sz)); + if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) + { + free (id); + return -1; + } + ie->id_gdoi_sz = sz; + ie->id_gdoi = calloc (1, ie->id_gdoi_sz); + memcpy(ie->id_gdoi, id, ie->id_gdoi_sz); + + if (group_fill_in_hash (msg, NO_I_NONCE, NO_R_NONCE)) { + return -1; + } + + return 0; +} + +int +gdoi_process_SA_payload (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct payload *sa_p; + u_int32_t situation; + size_t total_p_len, cummulative_p_len; + u_int8_t *current_p; + struct sa *sa; + struct proto *proto; + u_int8_t next_p_type; + + + /* + * Evaluate the SA header. + # Verify DOI value is GDOI. + # Verify situation is 0 + # Verify that SA Attribute Next Payload is valid + */ + + sa_p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]); + if (!sa_p) + { + log_print("gdoi_process_SA_payload: Missing SA payload!"); + goto cleanup; + } + sa_p->flags |= PL_MARK; + + if (GET_GDOI_SA_DOI(sa_p->p) != GROUP_DOI_GDOI) + { + log_error ("gdoi_process_SA_payload: Wrong DOI: %d", + GET_GDOI_SA_DOI(sa_p->p)); + goto cleanup; + } + + GET_GDOI_SA_SIT(sa_p->p, (u_int8_t *) &situation); + if (situation != 0) + { + log_error ("gdoi_process_SA_payload: Unsupported Situation: %d", + GET_GDOI_SA_DOI(sa_p->p)); + goto cleanup; + } + + next_p_type = GET_GDOI_SA_SA_ATTR_NEXT(sa_p->p); + if ((next_p_type != ISAKMP_PAYLOAD_SA_TEK) && + (next_p_type != ISAKMP_PAYLOAD_GAP) && + (next_p_type != ISAKMP_PAYLOAD_SA_KEK)) + { + log_error ("gdoi_process_SA_payload: Unsupported Next Attr: %d", + next_p_type); + goto cleanup; + } + + total_p_len = GET_GDOI_GEN_LENGTH(sa_p->p); + cummulative_p_len = ISAKMP_SA_SIT_OFF + GDOI_SIT_SIT_LEN + + GDOI_SA_SA_ATTR_NEXT_LEN + GDOI_SA_RES2_LEN; + current_p = sa_p->p + cummulative_p_len; + + /* + * Loop 
through the KEK and TEK payloads. Get policy from the SA TEK
+ * payloads and stuff them away in the SA.
+ */
+ while (next_p_type && (cummulative_p_len < total_p_len))
+ {
+ log_print ("Payload type: %d\n", next_p_type);
+ /*
+ * Validate payload length is within normal boundaries.
+ */
+ if (GET_GDOI_GEN_LENGTH(current_p) > (total_p_len - cummulative_p_len))
+ {
+ log_print ("gdoi_process_SA_payload: "
+ "Payload length (%d) exceeds remaining total length (%d)",
+ GET_GDOI_GEN_LENGTH(current_p),
+ (total_p_len - cummulative_p_len));
+ goto cleanup;
+ }
+
+ switch (next_p_type)
+ {
+ case ISAKMP_PAYLOAD_SA_TEK:
+ if (group_handle_incoming_tek(msg, current_p) < 0)
+ {
+ goto cleanup;
+ }
+ break;
+
+ case ISAKMP_PAYLOAD_SA_KEK:
+ if (group_handle_incoming_kek(msg, current_p) < 0)
+ {
+ goto cleanup;
+ }
+ break;
+
+ case ISAKMP_PAYLOAD_GAP:
+ if (group_handle_incoming_gap(msg, current_p) < 0)
+ {
+ goto cleanup;
+ }
+ break;
+
+ default:
+ log_error ("gdoi_process_SA_payload: "
+ "Unsupported SA payload type: %d", next_p_type);
+ goto cleanup;
+ }
+
+ /*
+ * Advance past this payload. Save the "next payload" type from the
+ * current payload first.
+ */
+ next_p_type = GET_GDOI_GEN_NEXT_PAYLOAD(current_p);
+ cummulative_p_len += GET_GDOI_GEN_LENGTH(current_p);
+ current_p += GET_GDOI_GEN_LENGTH(current_p);
+ }
+
+ return 0;
+
+cleanup:
+ /* Remove all potential protocols that have been added to the SAs. */
+ for (sa = TAILQ_FIRST (&exchange->sa_list); sa; sa = TAILQ_NEXT (sa, next))
+ while ((proto = TAILQ_FIRST (&sa->protos)) != 0)
+ proto_free (proto);
+ return -1;
+}
+
+static int
+initiator_recv_HASH_NONCE_SA (struct message *msg)
+{
+ struct payload *hashp;
+ u_int8_t *hash, *my_hash = 0;
+ size_t hash_len;
+ u_int8_t *pkt = msg->iov[0].iov_base;
+
+ hashp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]);
+ hash = hashp->p;
+ hashp->flags |= PL_MARK;
+
+ /* The HASH payload should be the first one.
*/
+ if (hash != pkt + ISAKMP_HDR_SZ)
+ {
+ /* XXX Is there a better notification type? */
+ message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0);
+ goto cleanup;
+ }
+ hash_len = GET_ISAKMP_GEN_LENGTH (hash);
+ my_hash = calloc (1, hash_len - ISAKMP_GEN_SZ);
+ if (!my_hash)
+ {
+ log_error ("responder_recv_HASH_NONCE_ID: calloc (%d) failed",
+ hash_len - ISAKMP_GEN_SZ);
+ goto cleanup;
+ }
+
+ /* Copy out the responder's nonce. */
+ if (exchange_save_nonce (msg))
+ goto cleanup;
+
+ if (group_check_hash(msg, INC_I_NONCE, NO_R_NONCE))
+ {
+ goto cleanup;
+ }
+
+ if (gdoi_process_SA_payload (msg))
+ {
+ goto cleanup;
+ }
+
+ return 0;
+
+cleanup:
+ if (my_hash)
+ free (my_hash);
+ return -1;
+}
+
+int gdoi_ipsec_is_counter_mode_tek (int protocol_id, int transform_id)
+{
+ switch (protocol_id)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ switch (transform_id)
+ {
+ case IPSEC_ESP_AES_CTR:
+ case IPSEC_ESP_AES_CCM_8:
+ case IPSEC_ESP_AES_CCM_12:
+ case IPSEC_ESP_AES_CCM_16:
+ case IPSEC_ESP_AES_GCM_8: case IPSEC_ESP_AES_GCM_12:
+ case IPSEC_ESP_AES_GCM_16:
+ return 1;
+ default:
+ break;
+ }
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ switch (transform_id)
+ {
+ case IPSEC_AH_AES_128_GMAC:
+ case IPSEC_AH_AES_192_GMAC:
+ case IPSEC_AH_AES_256_GMAC:
+ return 1;
+ default:
+ break;
+ }
+ break;
+ default:
+ /* Not an error */
+ return -1;
+ }
+
+ return 0; /* Not a counter mode */
+
+}
+
+
+int gdoi_add_request_payload (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct sa *sa;
+ struct proto *proto;
+ int found_counter_modes = 0;
+ int sids_needed = 0;
+ int ret;
+ char *sids_needed_str;
+ size_t gap_sz;
+ u_int8_t *gap_buf, *attr;
+
+ /*
+ * First check whether the policy given to us by the KS includes a counter
+ * mode, which means we need at least one SID.
+ */
+ for (sa = TAILQ_FIRST (&exchange->sa_list); sa; sa = TAILQ_NEXT (sa, next))
+ {
+ proto = TAILQ_FIRST (&sa->protos);
+ if (proto)
+ {
+ ret = gdoi_ipsec_is_counter_mode_tek(proto->proto, proto->id);
+ switch (ret)
+ {
+ case 1:
+ found_counter_modes += 1;
+ break;
+ case -1:
+ /*
+ * Probably a non-IPsec SA.
+ */
+ return 0;
+ default:
+ break;
+ }
+ }
+ }
+
+ if (!found_counter_modes)
+ {
+ /*
+ * No counter modes found -- don't need to ask for SIDs.
+ */
+ return 0;
+ }
+
+ /*
+ * Check to see if the configuration said we need more than one.
+ */
+ sids_needed_str = conf_get_str (exchange->name, "SIDs-needed");
+ if (sids_needed_str)
+ {
+ sids_needed = atoi(sids_needed_str);
+ if (sids_needed > MAX_GM_SIDS)
+ {
+ log_print("gdoi_add_request_payload: Too many SIDs configured. "
+ "Configured #: %d, Max supported: %d", sids_needed,
+ MAX_GM_SIDS);
+ return -1;
+ }
+ }
+
+ if (1 == sids_needed)
+ {
+ /*
+ * No need to includes a request payload. We either don't need any,
+ * or if we need just one the KS will give it to us without asking.
+ */
+ return 0;
+ }
+
+ /*
+ * Add a GAP paylaod.
+ */
+ gap_sz = GDOI_GEN_LENGTH_OFF + GDOI_GEN_LENGTH_LEN + 4;
+ gap_buf = calloc(1, gap_sz);
+ if (!gap_buf)
+ {
+ log_print ("gdoi_get_kek_policy: calloc failed (gap_buf)");
+ return -1;
+ }
+ SET_GDOI_GEN_RESERVED(gap_buf, 0);
+ SET_GDOI_GEN_LENGTH(gap_buf, gap_sz);
+ attr = gap_buf + GDOI_GEN_LENGTH_OFF + GDOI_GEN_LENGTH_LEN;
+ attr = attribute_set_basic (attr, GDOI_GAP_SENDER_ID_REQUEST, sids_needed);
+
+ if (message_add_payload (msg, ISAKMP_PAYLOAD_GAP, gap_buf, gap_sz, 1))
+ {
+ return -1;
+ }
+ log_print("gdoi_get_kek_policy: Sending GAP payload");
+
+ return 0;
+}
+
+static int
+initiator_send_HASH (struct message *msg)
+{
+ struct ipsec_sa *isa = msg->isakmp_sa->data;
+ struct hash *hash = hash_get (isa->hash);
+
+ /*
+ * Add HASH payload
+ */
+ if (!ipsec_add_hash_payload (msg, hash->hashsize)) {
+ return -1;
+ }
+
+ /*
+ * Optionally add a payload to request SIDs.
+ */
+ if (gdoi_add_request_payload (msg)) {
+ return -1;
+ }
+
+ if (group_fill_in_hash (msg, INC_I_NONCE, INC_R_NONCE)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * This function take a set of keys and puts them in the passed in argument.
+ * If there multiple secrecy keys they are put into the key in the same order
+ * as they were sent as attributes.
+ */
+int
+gdoi_decode_kd_kek_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *arg)
+{
+ struct gdoi_kek *stored_kek = (struct gdoi_kek *) arg;
+ u_int16_t exp_len;
+
+ switch (type)
+ {
+ case GDOI_ATTR_KD_KEK_SECRECY_KEY:
+ log_print("Found a KEK secrecy attribute");
+ /*
+ * If there was already allocated memory then we must have already
+ * gotten KEK keys and IV. We don't really know if the new iv &
+ * keys are the same length as the old ones, so need to free and
+ * re-malloc rather than re-use.
+ */
+ if (stored_kek->encrypt_iv)
+ {
+ log_print("decode_kd_kek_attribute: Replacing KEK IV and keys.");
+ free(stored_kek->encrypt_iv);
+ free(stored_kek->encrypt_key);
+ }
+ /*
+ * Validate that we got adequate keys for the algorithm.
+ */
+ switch (stored_kek->encrypt_alg)
+ {
+ case GDOI_KEK_ALG_3DES:
+ /*
+ * IV is pre-prepended before the DES keys.
+ */
+ exp_len = 4 * DES_LENGTH;
+
+ if (len != exp_len)
+ {
+ log_error ("decode_kd_kek_attribute: "
+ "Wrong key length! Expected:%d, Actual:%d",
+ exp_len, len);
+ return -1;
+ }
+ /*
+ * Store the IV
+ */
+ stored_kek->encrypt_iv = malloc(DES_LENGTH);
+ if (!stored_kek->encrypt_iv)
+ {
+ log_error ("decode_kd_kek_attribute: malloc failed (%d)",
+ DES_LENGTH);
+ return -1;
+ }
+ memcpy(stored_kek->encrypt_iv, value, DES_LENGTH);
+ /*
+ * Store the keys
+ */
+ stored_kek->encrypt_key = malloc(3 * DES_LENGTH);
+ if (!stored_kek->encrypt_key)
+ {
+ log_error ("decode_kd_kek_attribute: malloc failed (%d)",
+ 3 * DES_LENGTH);
+ return -1;
+ }
+ memcpy((stored_kek->encrypt_key), (value+DES_LENGTH), 3 * DES_LENGTH);
+ break;
+ case GDOI_KEK_ALG_AES:
+ /*
+ * IV is pre-prepended before the AES key.
+ */
+ exp_len = 2 * stored_kek->encrypt_key_len;
+
+ if (len != exp_len)
+ {
+ log_error ("decode_kd_kek_attribute: "
+ "Wrong key length! 
Expected:%d, Actual:%d",
+ exp_len, len);
+ return -1;
+ }
+ /*
+ * Store the IV
+ */
+ stored_kek->encrypt_iv = malloc(stored_kek->encrypt_key_len);
+ if (!stored_kek->encrypt_iv)
+ {
+ log_error ("decode_kd_kek_attribute: malloc failed (%d)",
+ stored_kek->encrypt_key_len);
+ return -1;
+ }
+ memcpy(stored_kek->encrypt_iv, value, stored_kek->encrypt_key_len);
+ /*
+ * Store the key
+ */
+ stored_kek->encrypt_key = malloc(stored_kek->encrypt_key_len);
+ if (!stored_kek->encrypt_key)
+ {
+ log_error ("decode_kd_kek_attribute: malloc failed (%d)",
+ stored_kek->encrypt_key_len);
+ return -1;
+ }
+ memcpy((stored_kek->encrypt_key), (value+stored_kek->encrypt_key_len),
+ stored_kek->encrypt_key_len);
+ break;
+ default:
+ log_error ("decode_kd_kek_attribute: "
+ "Unknown KEK secrecy algorithm: %d", type);
+ return -1;
+ }
+ break;
+
+ case GDOI_ATTR_KD_KEK_SIGNATURE_KEY:
+ log_print("Found a KEK signature attribute");
+
+ /*
+ * Key length may vary, so can't validate it for certain. But we
+ * can estimate an upper bound.
+ */
+ if (len > MAX_PUBKEY_SIZE)
+ {
+ log_error ("decode_kd_kek_attribute: sig public key too large (%d)",
+ len);
+ return -1;
+ }
+ if (gdoi_store_pubkey (value, len, stored_kek) < 0)
+ {
+ log_error ("decode_kd_kek_attribute: Storing public key failed (%d)");
+ return -1;
+ }
+ break;
+
+ default:
+ log_error ("decode_kd_kek_attribute: "
+ "Unknown attribute: %d", type);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * This function take a set of keys and puts them in the passed in argument.
+ * If there multiple secrecy keys they are put into the key in the same order
+ * as they were sent as attributes.
+ */
+int
+gdoi_decode_kd_tek_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *arg)
+{
+ struct gdoi_kd_decode_arg *keys = (struct gdoi_kd_decode_arg *) arg;
+
+ switch (type)
+ {
+ case GDOI_ATTR_KD_TEK_SECRECY_KEY:
+ log_print("Found a secrecy attribute");
+ keys->sec_key = malloc(len);
+ keys->sec_key_sz = len;
+ memcpy(keys->sec_key, value, len);
+ break;
+
+ case GDOI_ATTR_KD_TEK_INTEGRITY_KEY:
+ log_print("Found an integrity attribute");
+ keys->int_key = malloc(len);
+ keys->int_key_sz = len;
+ memcpy(keys->int_key, value, len);
+ break;
+
+ case GDOI_ATTR_KD_TEK_SOURCE_AUTH_KEY:
+ log_error ("decode_kd_tek_attribute: "
+ "Source authentication not yet supported");
+ return -1;
+ break;
+
+#ifdef IEC90_5_SUPPORT
+ case IEC90_5_KD_61850_ETHERENT_GOOSE_OR_SV:
+ case IEC90_5_KD_61850_90_5_SESSION:
+ case IEC90_5_KD_61850_8_1_ISO9506:
+ case IEC90_5_KD_61850_UDP_IP_AGGR:
+ case IEC90_5_KD_61850_UDP_MNGT:
+ log_print("Found an IEC 90-5 attribute");
+ keys->custom_kd_payload_type = type;
+ keys->custom_kd_payload = malloc(len);
+ keys->custom_kd_payload_sz = len;
+ memcpy(keys->custom_kd_payload, value, len);
+ break;
+#endif
+
+ default:
+ log_error ("decode_kd_tek_attribute: "
+ "Unknown attribute: %d", type);
+ return -1;
+ }
+ return 0;
+}
+
+static int
+install_kek_keys (struct message *msg, u_int8_t **buf)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ size_t kd_spi_sz;
+ u_int8_t *kd_spi;
+ u_int8_t *key_packet = *buf;
+ u_int8_t *attr_p;
+ size_t attr_len;
+ struct gdoi_kek *stored_kek;
+
+ /*
+ * Find the KEK policy, and validate that the SPI is the same.
+ *
+ * A GDOI registration message will have the ie->id_gdoi initialized, but
+ * not a GDOI rekey message.
+ */ + if (ie->id_gdoi) + { + stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0); + } + else + { + stored_kek = gdoi_get_kek_by_cookies(exchange->cookies); + } + if (!stored_kek) + { + log_print ("install_kek_keys: " + "KEK policy missing from exchange"); + return -1; + } + kd_spi_sz = GET_GDOI_KD_PAK_SPI_SIZE(key_packet); + kd_spi = key_packet + GDOI_KD_PAK_SPI_SIZE_OFF + GDOI_KD_PAK_SPI_SIZE_LEN; + if ((kd_spi_sz != KEK_SPI_SIZE) || + memcmp(stored_kek->spi, kd_spi, KEK_SPI_SIZE)) + { + log_print ("install_kek_keys: SPI mismatch!"); + return -1; + } + + /* + * Find the key attributes and stick them into the kek structure. + */ + attr_p = key_packet + GDOI_KD_PAK_SPI_SIZE_OFF + + GDOI_KD_PAK_SPI_SIZE_LEN + kd_spi_sz; + attr_len = GET_GDOI_KD_PAK_LENGTH(key_packet) - + GDOI_KD_PAK_SPI_SIZE_LEN - kd_spi_sz; + attribute_map (attr_p, attr_len, gdoi_decode_kd_kek_attribute, + (void *)stored_kek); + + *buf += GET_GDOI_KD_PAK_LENGTH(key_packet); + + /* + * We now have everything we need in order to listen for rekey messages. + * So, stuff the SPI into current SPI, adjust the cookies in the exchange + * to match the SPI, and start listening. + */ + memset(empty_cookies, 0, KEK_SPI_SIZE); + if (memcmp(stored_kek->next_kek_policy.spi, empty_cookies, KEK_SPI_SIZE)) + { + memcpy(stored_kek->spi, &stored_kek->next_kek_policy.spi, KEK_SPI_SIZE); + } + gdoi_rekey_listen (stored_kek); + + return 0; +} + +/* + * Concatonate the encryption and auth keys as keymat[0] in an IPSEC + * proto structure. + */ +static int +stuff_tek_keys (struct gdoi_kd_decode_arg *keys, struct ipsec_proto *iproto) +{ + if (keys->int_key) + { + if (keys->sec_key) + { + /* + * Combine the keys into one blob. + */ + keys->sec_key = gdoi_grow_buf(keys->sec_key, + &keys->sec_key_sz, + keys->int_key, + keys->int_key_sz); + free(keys->int_key); + } + else + { + /* + * There is no sec_key in this case, so overload the field. 
+ */
+ keys->sec_key = keys->int_key;
+ }
+ }
+ iproto->keymat[0] = keys->sec_key;
+
+ return 0;
+}
+
+/*
+ * Seperate the encryption and auth keys from keymat[0] in an IPSEC
+ * proto structure.
+ */
+int
+gdoi_ipsec_get_tek_keys (struct gdoi_kd_decode_arg *keys, struct proto *proto)
+{
+ struct ipsec_proto *iproto = (struct ipsec_proto *) proto->data;
+
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ keys->sec_key_sz = ipsec_esp_enckeylength(proto);
+ keys->int_key_sz = ipsec_esp_authkeylength(proto);
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ keys->sec_key_sz = 0;
+ keys->int_key_sz = ipsec_ah_keylength(proto);
+ break;
+ default:
+ log_error ("gdoi_ipsec_get_tek_keys: "
+ "Unknown IPsedc protocol: %d", proto->proto);
+ return -1;
+ }
+
+ if (keys->sec_key_sz)
+ {
+ keys->sec_key = malloc(keys->sec_key_sz);
+ if (!keys->sec_key)
+ {
+ return -1;
+ }
+ memcpy(keys->sec_key, iproto->keymat[0], keys->sec_key_sz);
+ }
+
+ if (keys->int_key_sz)
+ {
+ keys->int_key = malloc(keys->int_key_sz);
+ if (!keys->int_key)
+ {
+ return -1;
+ }
+ memcpy(keys->int_key, (iproto->keymat[0]+keys->sec_key_sz),
+ keys->int_key_sz);
+ }
+
+ return 0;
+}
+
+static int
+install_tek_keys (struct message *msg, u_int8_t **buf)
+{
+ struct sa *sa;
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ struct proto *proto;
+ struct ipsec_proto *iproto = 0;
+ u_int32_t kd_spi_sz;
+ u_int8_t *kd_spi = 0;
+ u_int32_t exp_keymat_len;
+ u_int8_t *key_packet = *buf;
+ u_int8_t *attr_p;
+ size_t attr_len;
+ struct gdoi_kd_decode_arg keys;
+ int found_spi = 0;
+#ifdef SRTP_SUPPORT
+ struct srtp_proto *sproto;
+#endif
+
+ /*
+ * Match SPI in the key packet to a proto in the sa_list.
+ * For the SA structures + * For all Group SA structures + * Do the protocol-specific search (See below) + */ + for (sa = TAILQ_FIRST (&msg->exchange->sa_list); sa; + sa = TAILQ_NEXT (sa, next)) + { + if (!sa->data) + { + log_print ("install_tek_keys: " + "SA DOI specific data missing"); + return -1; + } + + /* + * Common KD paylaod handling. + */ + proto = TAILQ_FIRST (&sa->protos); + if (!proto) + { + log_print ("install_tek_keys: " + "TEK proto data missing"); + return -1; + } + if (!proto->spi[0]) + { + log_print ("install_tek_keys: " + "TEK proto SPI missing"); + return -1; + } + kd_spi_sz = GET_GDOI_KD_PAK_SPI_SIZE(key_packet); + kd_spi = key_packet + GDOI_KD_PAK_SPI_SIZE_OFF + + GDOI_KD_PAK_SPI_SIZE_LEN; + if (proto->spi_sz[0] != (u_int8_t) kd_spi_sz) + { + /* Might indicate an error, so log it */ + log_print ("install_tek_keys: Mismatching spi size!"); + continue; + } + if (memcmp(proto->spi[0], kd_spi, proto->spi_sz[0])) + { + /* No match. Try the next one */ + continue; + } + /* + * SPIs match! + */ + switch(kd_spi_sz) { + case 1: + log_print(" SPI found (SA) %u (%#x) for sa %#x", + *kd_spi, *kd_spi, sa); + found_spi = 1; + break; + case 2: + log_print(" SPI found (KD) %u (%#x) for sa %#x", + decode_16(kd_spi), decode_16(kd_spi), sa); + found_spi = 1; + break; + case 4: + log_print(" SPI found (KD) %u (%#x) for sa %#x", + decode_32(kd_spi), decode_32(kd_spi), sa); + found_spi = 1; + break; + default: + log_print ("install_tek_keys: " + "Unsupported spi size: %d", kd_spi_sz); + break; + } + + /* + * Find the length of the keying material based on the TEK type. + */ + switch (ie->teks_type) + { + case GDOI_TEK_PROT_PROTO_IPSEC_ESP: + case GDOI_TEK_PROT_PROTO_IPSEC_AH: + /* + * Install the keys. The SAs will be installed in the kernel + * in gdoi_finalize_exchange(). 
+ */ + iproto = (struct ipsec_proto *) proto->data; + if (!iproto) + { + log_print ("install_tek_keys:" "Missing iproto ptr"); + return -1; + } + /* + * Get the expected length of the keys for malloc. Verify + * that the byte count matches when we get the keys. + */ + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + exp_keymat_len = ipsec_esp_enckeylength (proto) + + ipsec_esp_authkeylength (proto); + break; + case IPSEC_PROTO_IPSEC_AH: + exp_keymat_len = ipsec_ah_keylength(proto); + break; + default: + log_error ("install_tek_keys: " + "Unknown IPsec protocol: %d", proto->proto); + return -1; + } + break; +#ifdef IEC90_5_SUPPORT + case GDOI_TEK_PROT_PROTO_IEC90_5: + /* + * Keys are returned in a private attribute structure. + * Trying to check the key length here isn't valuables. + */ + exp_keymat_len = 0; + break; +#endif +#ifdef SRTP_SUPPORT + case GDOI_TEK_PROT_PROTO_SRTP: + /* + * Install the keys. The SAs will be installed in the kernel + * in gdoi_finalize_exchange(). + */ + sproto = (struct srtp_proto *) proto->data; + if (!sproto) + { + log_print ("install_tek_keys:" "Missing sproto ptr"); + return -1; + } + /* + * Get the expected length of the keys for malloc. Verify + * that the byte count matches when we get the keys. + */ + exp_keymat_len = sproto->master_key_len + + sproto->master_salt_key_len; + break; +#endif + default: + log_error ("install_tek_keys: " + "Unknown TEK type: %d", proto->proto); + return -1; + } + /* + * Find the key attributes and stick them into keymat. + */ + attr_p = key_packet + GDOI_KD_PAK_SPI_SIZE_OFF + + GDOI_KD_PAK_SPI_SIZE_LEN + kd_spi_sz; + attr_len = GET_GDOI_KD_PAK_LENGTH(key_packet) - + GDOI_KD_PAK_SPI_SIZE_OFF - + GDOI_KD_PAK_SPI_SIZE_LEN - kd_spi_sz; + memset((void *)&keys, 0, sizeof(struct gdoi_kd_decode_arg)); + attribute_map (attr_p, attr_len, gdoi_decode_kd_tek_attribute, + (void *)&keys); + /* + * Verify that the key server sent the right amount of key + * material. 
+ */ + if ((keys.sec_key_sz + keys.int_key_sz) != exp_keymat_len) + { + log_print ("install_tek_keys:" + "Wrong key length! Expected: %d, Actual: %d", + exp_keymat_len, + keys.sec_key_sz + keys.int_key_sz); + free(keys.sec_key); + free(keys.int_key); + return -1; + } + switch (ie->teks_type) + { + case GDOI_TEK_PROT_PROTO_IPSEC_ESP: + case GDOI_TEK_PROT_PROTO_IPSEC_AH: + if (stuff_tek_keys(&keys, iproto)) + { + return -1; + } + break; +#ifdef IEC90_5_SUPPORT + case GDOI_TEK_PROT_PROTO_IEC90_5: + if (gdoi_iec90_5_install_keys(proto, &keys)) + { + return -1; + } + break; +#endif +#ifdef SRTP_SUPPORT + case GDOI_TEK_PROT_PROTO_SRTP: + if (gdoi_srtp_install_keys(proto, &keys)) + { + return -1; + } + break; +#endif + default: + log_print ("install_tek_keys:" + "Unsupported TEK type: %d", ie->teks_type); + return -1; + } + } + + *buf += GET_GDOI_KD_PAK_LENGTH(key_packet); + return 0; +} + + +/* + * This function take a set of keys and puts them in the passed in argument. + * If there multiple secrecy keys they are put into the key in the same order + * as they were sent as attributes. + */ +int +gdoi_decode_kd_sid_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *arg) +{ + struct gdoi_kek *stored_kek = (struct gdoi_kek *) arg; + int found_length = 0; + + /* + * New SID values override an pre-existing one. This is important: the old + * ones may be re-assigned by the KS for new SAs. + */ + stored_kek->number_sids = 0; + + switch (type) + { + case GDOI_ATTR_KD_SID_NUM_BITS: + log_print("Found a SID length (in # of bits) attribute"); + if (found_length) + { + log_print("gdoi_decode_kd_sid_attribute: " + "Multiple SID length attributes received"); + return -1; + } + stored_kek->sid_length = decode_16(value); + found_length = 1; + break; + + case GDOI_ATTR_KD_SID_VALUE: + log_print("Found a SID value attribute"); + /* + * We only support certain lengths to decode the value. 
+ */ + if (stored_kek->number_sids < MAX_GM_SIDS) + { + switch (len) + { + case 2: + stored_kek->sids[stored_kek->number_sids] = decode_16 (value); + break; + case 4: + stored_kek->sids[stored_kek->number_sids] = decode_32 (value); + break; + default: + log_error ("decode_kd_sid_attribute: Unsupported SID value " + "length: %d", len); + return -1; + } + stored_kek->number_sids += 1; + } + else + { + log_print("Warning: Too many SID value attributes - can only store %d", + MAX_GM_SIDS); + } + break; + + default: + log_error ("decode_kd_sid_attribute: " + "Unknown attribute: %d", type); + return -1; + } + return 0; +} + +static int +install_sid_values (struct message *msg, u_int8_t **buf) +{ + struct exchange *exchange = msg->exchange; + struct gdoi_exch *ie = exchange->data; + size_t kd_spi_sz; + u_int8_t *key_packet = *buf; + u_int8_t *attr_p; + size_t attr_len; + struct gdoi_kek *stored_kek; + + /* + * Find the place to store group policy first. + */ + stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0); + if (!stored_kek) + { + log_print("install_sid_values: No place to store group policy!"); + return -1; + } + + /* + * SPI size shold be zero. + */ + kd_spi_sz = GET_GDOI_KD_PAK_SPI_SIZE(key_packet); + if (0 != kd_spi_sz) + { + log_print("install_sid_values: Expected SPI size 0, got %d", kd_spi_sz); + return -1; + } + + /* + * Find the key attributes and stick them into keymat. + */ + attr_p = key_packet + GDOI_KD_PAK_SPI_SIZE_OFF + GDOI_KD_PAK_SPI_SIZE_LEN + + kd_spi_sz; + attr_len = GET_GDOI_KD_PAK_LENGTH(key_packet) - GDOI_KD_PAK_SPI_SIZE_OFF - + GDOI_KD_PAK_SPI_SIZE_LEN - kd_spi_sz; + attribute_map (attr_p, attr_len, gdoi_decode_kd_sid_attribute, + (void *)stored_kek); + + *buf += GET_GDOI_KD_PAK_LENGTH(key_packet); + + /* + * Verify if we got as many SIDs as we needed (based on configuration). 
+ */ + if (stored_kek->number_sids < stored_kek->number_sids_needed) + { + log_print("install_sid_values: WARNING: Needed %s SIDs, got %s.", + stored_kek->number_sids_needed, stored_kek->number_sids); + } + + return 0; +} + +int +gdoi_process_KD_payload (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct payload *kdp; + u_int8_t *buf; + size_t num_key_packets; + u_int32_t type; + int i; + + kdp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_KD]); + if (kdp) + { + kdp->flags |= PL_MARK; + num_key_packets = GET_GDOI_KD_NUM_PACKETS(kdp->p); + log_print ("GOT # of packets: %d", num_key_packets); + + buf = kdp->p + GDOI_KD_RES2_OFF + GDOI_KD_RES2_LEN; + for (i=0; itype == GDOI_EXCH_PULL_MODE) + { + if (install_sid_values(msg, &buf) < 0) + { + return -1; + } + } + else + { + log_print("gdoi_process_KD_payload: Received SIDs in " + "a GDOI_PUSH exchange, which is invalid!"); + return -1; + } + break; + default: + log_print ("gdoi_process_KD_payload: " + "Unsupported KD Payload type (%d)", type); + return -1; + } + } + } + else + { + log_print("gdoi_process_KD_payload: Missing KD payload!"); + return -1; + } + + return 0; +} + +static int initiator_recv_HASH_SEQ_KD (struct message *msg) +{ + struct gdoi_exch *ie = msg->exchange->data; + struct payload *hashp, *seqp; + u_int8_t *hash; + u_int8_t *pkt = msg->iov[0].iov_base; + u_int32_t seq; + struct gdoi_kek *stored_kek = 0; + + hashp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]); + hash = hashp->p; + hashp->flags |= PL_MARK; + + /* The HASH payload should be the first one. */ + if (hash != pkt + ISAKMP_HDR_SZ) + { + /* XXX Is there a better notification type? 
*/ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + goto cleanup; + } + if (group_check_hash(msg, INC_I_NONCE, INC_R_NONCE)) + goto cleanup; + + /* + * Handle SEQ + */ + seqp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SEQ]); + if (seqp) + { + stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0); + if (!stored_kek) + { + log_print ("initiator_recv_HASH_SEQ_KD: " + "group policy structure missing from exchange"); + return -1; + } + seqp->flags |= PL_MARK; + seq = GET_GDOI_SEQ_SEQ_NUM(seqp->p); + log_print ("GOT SEQ # of: %d (PULL)", seq); + if (stored_kek->encrypt_alg) + { + stored_kek->current_seq_num = seq; + } + else + { + log_print ("initiator_recv_HASH_SEQ_KD: " + "SEQ sent without KEK. Ignoring sequence number"); + } + } + else + { + /* + * Complain about a missing SEQ if we received a KEK (including the + * KEK encryption algorithm). + */ + if (stored_kek && stored_kek->encrypt_alg) + { + log_print("initiator_recv_HASH_SEQ_KD: Missing SEQ payload!"); + goto cleanup; + } + } + + + /* + * Handle KD + */ + if (gdoi_process_KD_payload (msg)) + { + goto cleanup; + } + + return 0; + +cleanup: + return -1; +} + +static int responder_recv_HASH_NONCE_ID (struct message *msg) +{ + struct payload *idp; + struct sa *sa; + struct exchange *exchange = msg->exchange; + struct gdoi_exch *ie = exchange->data; + struct proto *proto; + + /* + * Copy the Phase 1 cookies for possible use with the KE payload. + */ + if (copy_p1_cookies(exchange)) + { + return -1; + } + + if (group_check_hash(msg, NO_I_NONCE, NO_R_NONCE)) + goto cleanup; + + /* Copy out the initiator's nonce. */ + if (exchange_save_nonce (msg)) + goto cleanup; + + /* Handle ID payload. 
*/ + idp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_ID]); + if (idp) + { + ie->id_gdoi_sz = GET_ISAKMP_GEN_LENGTH (idp->p); + ie->id_gdoi = calloc (1, ie->id_gdoi_sz); + if (!ie->id_gdoi) + { + log_print ("responder_recv_HASH_NONCE_ID: malloc (%d) failed", + ie->id_gdoi_sz); + return -1; + } + memcpy (ie->id_gdoi, idp->p, ie->id_gdoi_sz); + idp->flags |= PL_MARK; + LOG_DBG_BUF ((LOG_MISC, 90, + "responder_recv_HASH_NONCE_ID: ID", + ie->id_gdoi + ISAKMP_GEN_SZ, ie->id_gdoi_sz - + ISAKMP_GEN_SZ)); + + } + else + { + log_print("responder_recv_HASH_NONCE_ID: Missing ID payload!"); + goto cleanup; + } + + return 0; + +cleanup: + /* Remove all potential protocols that have been added to the SAs. */ + for (sa = TAILQ_FIRST (&exchange->sa_list); sa; sa = TAILQ_NEXT (sa, next)) + while ((proto = TAILQ_FIRST (&sa->protos)) != 0) + proto_free (proto); + return -1; +} + +/* + * Out of a named section SECTION in the configuration file find out + * the network address and mask as well as the ID type. Put the info + * in the areas pointed to by ADDR, MASK and ID respectively. Return + * 0 on success and -1 on failure. + * + * Taken from ipsec_get_id(). Added support for getting a port and returning + * it as the "port" argument. 
+ */ +int +gdoi_get_id (char *section, int *id, struct in_addr *addr, + struct in_addr *mask, uint16_t *port) +{ + char *type, *address, *netmask, *port_string; + + type = conf_get_str (section, "ID-type"); + if (!type) + { + log_print ("gdoi_get_id: section %s has no \"ID-type\" tag", section); + return -1; + } + + *id = constant_value (ipsec_id_cst, type); + switch (*id) + { + case IPSEC_ID_IPV4_ADDR: + address = conf_get_str (section, "Address"); + if (!address) + { + log_print ("gdoi_get_id: section %s has no \"Address\" tag", + section); + return -1; + } + + if (!inet_aton (address, addr)) + { + log_print ("gdoi_get_id: invalid address %s in section %s", section, + address); + return -1; + } + + mask->s_addr = 0xffffffff; + break; + +#ifdef notyet + case IPSEC_ID_FQDN: + return -1; + + case IPSEC_ID_USER_FQDN: + return -1; +#endif + + case IPSEC_ID_IPV4_ADDR_SUBNET: + address = conf_get_str (section, "Network"); + if (!address) + { + log_print ("gdoi_get_id: section %s has no \"Network\" tag", + section); + return -1; + } + + if (!inet_aton (address, addr)) + { + log_print ("gdoi_get_id: invalid section %s network %s", section, + address); + return -1; + } + + netmask = conf_get_str (section, "Netmask"); + if (!netmask) + { + log_print ("gdoi_get_id: section %s has no \"Netmask\" tag", + section); + return -1; + } + + if (!inet_aton (netmask, mask)) + { + log_print ("gdoi_id_build: invalid section %s network %s", section, + netmask); + return -1; + } + break; + +#ifdef notyet + case IPSEC_ID_IPV6_ADDR: + return -1; + + case IPSEC_ID_IPV6_ADDR_SUBNET: + return -1; + + case IPSEC_ID_IPV4_RANGE: + return -1; + + case IPSEC_ID_IPV6_RANGE: + return -1; + + case IPSEC_ID_DER_ASN1_DN: + return -1; + + case IPSEC_ID_DER_ASN1_GN: + return -1; + + case IPSEC_ID_KEY_ID: + return -1; +#endif + } + + port_string = conf_get_str (section, "Port"); + if (!port_string) + { + log_print ("gdoi_get_id: section %s has no \"Port\" tag", + section); + *port = 0; + } + else + { + 
*port = atoi(port_string); + } + + return 0; +} + +/* + * Create the ID fields of a TEK payload. This payload size should be + * stashed in sz. The caller is responsible for freeing the payload. + */ +u_int8_t * +gdoi_build_tek_id_internal (int id_type, struct in_addr addr, + struct in_addr mask, uint16_t port, size_t *sz) +{ + u_int8_t *p; + size_t id_payload_len; + + /* + * Initialize size to the size of the structure except for the + * identity data. + */ + *sz = GDOI_SA_ID_DATA_LEN_OFF + GDOI_SA_ID_DATA_LEN_LEN; + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + id_payload_len = sizeof addr; + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + id_payload_len = sizeof addr * 2; + break; + default: + log_print ("gdoi_build_id: " + "Unsupported ID type (%d) for ESP", id_type); + return 0; + } + *sz += id_payload_len; + p = calloc(1, *sz); + if (!p) + { + log_error ("gdoi_build_id: " + "calloc(%d) failed", *sz); + return 0; + } + + /* + * Fill in the id structure + */ + SET_GDOI_SA_ID_TYPE(p, id_type); + SET_GDOI_SA_ID_PORT(p, htons(port)); + SET_GDOI_SA_ID_DATA_LEN(p, id_payload_len); + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + encode_32 (p + GDOI_SA_ID_DATA_OFF, htonl (addr.s_addr)); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + encode_32 (p + GDOI_SA_ID_DATA_OFF, htonl (addr.s_addr)); + encode_32 (p + GDOI_SA_ID_DATA_OFF + sizeof addr, + ntohl (mask.s_addr)); + break; + default: + log_print ("gdoi_build_id: " + "Unsupported ID type (%d) for ESP", id_type); + free (p); + return 0; + } + + return p; +} + +/* + * Out of a named section SECTION in the configuration file the ID fields + * of a TEK payload. The caller is responsible for freeing the payload. 
+ */
+u_int8_t *
+gdoi_build_tek_id (char *section, size_t *sz)
+{
+ struct in_addr addr, mask;
+ uint16_t port;
+ int id_type;
+
+ if (gdoi_get_id (section, &id_type, &addr, &mask, &port))
+ {
+ return 0;
+ }
+ return gdoi_build_tek_id_internal (id_type, addr, mask, port, sz);
+}
+
+/*
+ * Out of an SA build the ID fields of a TEK payload. The caller is
+ * responsible for freeing the payload.
+ */
+u_int8_t *
+gdoi_build_tek_id_from_sa (struct sa *sa, int srcdst, size_t *sz)
+{
+ struct ipsec_sa *ipsec = (struct ipsec_sa *) sa->data;
+ struct in_addr addr, mask;
+ u_int16_t port;
+ int id_type = 0;
+
+ switch (srcdst)
+ {
+ case SRC:
+ port = ipsec->sport;
+ addr.s_addr = ipsec->src_net;
+ mask.s_addr = ipsec->src_mask;
+ break;
+ case DST:
+ port = ipsec->dport;
+ addr.s_addr = ipsec->dst_net;
+ mask.s_addr = ipsec->dst_mask;
+ break;
+ default:
+ log_print ("gdoi_build_tek_id_from_sa: "
+ "Unsupported SRC/DST type (%d)", srcdst);
+ return 0;
+ }
+ id_type = (mask.s_addr == 0xffffffff) ? IPSEC_ID_IPV4_ADDR :
+ IPSEC_ID_IPV4_ADDR_SUBNET;
+
+ return gdoi_build_tek_id_internal (id_type, addr, mask, port, sz);
+}
+
+/*
+ * Out of a named section SECTION in the configuration file store
+ * src/dst identification info in a stored kek for later use.
+ */
+int
+gdoi_store_kek_ids (char *section, struct gdoi_kek *stored_kek)
+{
+ struct in_addr addr, mask;
+ uint16_t port;
+ int id_type;
+ char *id;
+
+ id = conf_get_str (section, "Src-ID");
+ if (!id)
+ {
+ log_print ("gdoi_store_kek_ids: Src-ID missing");
+ return -1;
+ }
+ if (gdoi_get_id (id, &id_type, &addr, &mask, &port))
+ {
+ return -1;
+ }
+ switch (id_type)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ stored_kek->src_addr = addr.s_addr;
+ stored_kek->sport = port;
+ break;
+ default:
+ log_print ("gdoi_store_kek_ids: "
+ "Unsupported ID type (%d) for KEK src", id_type);
+ return -1;
+ }
+
+ id = conf_get_str (section, "Dst-ID");
+ if (!id)
+ {
+ log_print ("gdoi_store_kek_ids: Dst-ID missing");
+ return -1;
+ }
+ if (gdoi_get_id (id, &id_type, &addr, &mask, &port))
+ {
+ return -1;
+ }
+ switch (id_type)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ stored_kek->dst_addr = addr.s_addr;
+ stored_kek->dport = port;
+ break;
+ default:
+ log_print ("gdoi_store_kek_ids: "
+ "Unsupported ID type (%d) for KEK dst", id_type);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Out of a KEK structure build the identity fields for a KEK payload.
+ * The payload size should be stashed in SZ. The caller is responsible for
+ * freeing the payload.
+ */
+u_int8_t *
+gdoi_build_kek_id (int srcdst, size_t *sz, struct gdoi_kek *stored_kek)
+{
+ struct in_addr addr, mask;
+ uint16_t port;
+ u_int8_t *p;
+ int id_type;
+ size_t id_payload_len;
+
+ switch (srcdst)
+ {
+ case SRC:
+ addr.s_addr = stored_kek->src_addr;
+ port = stored_kek->sport;
+ break;
+ case DST:
+ addr.s_addr = stored_kek->dst_addr;
+ port = stored_kek->dport;
+ break;
+ default:
+ log_print ("gdoi_build_kek_id: "
+ "Unsupported SRC/DST type (%d)", srcdst);
+ return 0;
+ }
+ id_type = IPSEC_ID_IPV4_ADDR; /* Only IPv4 for now */
+
+ /*
+ * Initialize size to the size of the structure except for the
+ * identity data.
+ */ + *sz = GDOI_SA_ID_DATA_LEN_OFF + GDOI_SA_ID_DATA_LEN_LEN; + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + id_payload_len = sizeof addr; + break; + default: + log_print ("gdoi_build_kek_id: " + "Unsupported ID type (%d) for ESP", id_type); + return 0; + } + *sz += id_payload_len; + p = calloc(1, *sz); + if (!p) + { + log_error ("gdoi_build_kek_id: " + "calloc(%d) failed", *sz); + return 0; + } + + /* + * Fill in the src id structure + */ + SET_GDOI_SA_ID_TYPE(p, id_type); + SET_GDOI_SA_ID_PORT(p, port); + SET_GDOI_SA_ID_DATA_LEN(p, id_payload_len); + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + encode_32 (p + GDOI_SA_ID_DATA_OFF, ntohl (addr.s_addr)); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + encode_32 (p + GDOI_SA_ID_DATA_OFF, ntohl (addr.s_addr)); + encode_32 (p + GDOI_SA_ID_DATA_OFF + sizeof addr, + ntohl (mask.s_addr)); + break; + default: + log_print ("gdoi_build_id: " + "Unsupported ID type (%d) for ESP", id_type); + free (p); + return 0; + } + + return p; +} + +void +gdoi_free_attr_payloads (void) +{ + struct extended_attrs *thisp; + thisp = TAILQ_FIRST (&attr_payloads); + while (thisp) + { + TAILQ_REMOVE(&attr_payloads, thisp, link); + free(thisp->attr_payload); + free(thisp); + thisp = TAILQ_FIRST (&attr_payloads); + } +} + +/* + * Add a SPI to the exchange verification SPI list. 
+ */
+int
+gdoi_add_spi_to_list (struct exchange *exchange, struct sa *sa)
+{
+ struct gdoi_exch *ie = exchange->data;
+ struct tekspi *tekspi = calloc(1, sizeof (struct tekspi));
+ struct proto *proto = TAILQ_FIRST (&sa->protos);
+
+ if (!tekspi)
+ {
+ log_print ("gdoi_add_ipsec_spi_to_list: calloc failed (tekspi)");
+ return -1;
+ }
+ tekspi->spi_sz = proto->spi_sz[0];
+ tekspi->spi = calloc(1, tekspi->spi_sz);
+ if (!tekspi->spi)
+ {
+ log_print ("gdoi_add_ipsec_spi_to_list: calloc failed (spi)");
+ return -1;
+ }
+ memcpy(tekspi->spi, proto->spi[0], tekspi->spi_sz);
+
+ if (tekspi->spi_sz == 4)
+ {
+ log_print ("gdoi_add_ipsec_spi_to_list: Adding TEK SPI %u (%d) (%#x) to SA",
+ *(u_int32_t *)tekspi->spi, *(u_int32_t *)tekspi->spi,
+ *(u_int32_t *)tekspi->spi);
+ }
+ else
+ {
+ log_print ("gdoi_add_ipsec_spi_to_list: Adding TEK to SA (SPI unknown)");
+ }
+
+ TAILQ_INSERT_TAIL(&ie->spis, tekspi, link);
+
+ return 0;
+}
+
+static void
+gdoi_remove_spi_from_list (struct gdoi_exch *ie, struct tekspi *tekspi)
+{
+ TAILQ_REMOVE(&ie->spis, tekspi, link);
+ free(tekspi->spi);
+ free(tekspi);
+ return;
+}
+
+static void
+gdoi_clear_spi_list (struct exchange *exchange)
+{
+ struct gdoi_exch *ie = exchange->data;
+ struct tekspi *tekspi;
+
+ tekspi = TAILQ_FIRST (&ie->spis);
+ while (tekspi)
+ {
+ gdoi_remove_spi_from_list(ie, tekspi);
+ tekspi = TAILQ_FIRST (&ie->spis);
+ }
+}
+
+/*
+ * Find the TEK-specific policy for an IPSEC ESP or AH type TEK.
+ * Accoding to the GDOI Update draft, they have the same packet format, and
+ * this is assumed in this function.
+ *
+ * This function doesn't really know whether the policy is ESP or AH until it
+ * is read from the configuration file.
+ */
+static int
+gdoi_ipsec_set_policy (char *conf_field, struct message *msg,
+ struct exchange *sa_exchange)
+{
+ struct sa *sa;
+ char *tek_suite_conf, *life_conf;
+ char *protocol_id, *transform_id;
+ char *src_id, *dst_id;
+ u_int8_t transform_value;
+ struct proto *proto;
+ struct ipsec_proto *iproto;
+ struct ipsec_sa *ipsec;
+ struct gdoi_kd_decode_arg keys;
+ char *name;
+ int value;
+ int i;
+ int id;
+ struct in_addr addr;
+ struct in_addr mask;
+ uint16_t port;
+
+ /*
+ * Find the sa. The last SA in the list was just created for our use.
+ */
+ sa = TAILQ_LAST (&sa_exchange->sa_list, sa_head);
+ if (!sa)
+ {
+ log_error ("gdoi_ipsec_set_policy: No sa's in list!");
+ goto bail_out;
+ }
+
+ /*
+ * Assume ESP for now, and correct it if necessary after reading the
+ * configuration.
+ */
+ if (gdoi_setup_sa (sa, &proto, IPSEC_PROTO_IPSEC_ESP,
+ sizeof(struct ipsec_proto)))
+ {
+ goto bail_out;
+ }
+ iproto = (struct ipsec_proto *) proto->data;
+ ipsec = (struct ipsec_sa *) sa->data;
+
+ ipsec->tproto = 0; /* Any IP protocol is allowed between Src and Dst */
+ /*
+ * Get the src/dst IDs.
+ */
+ src_id = conf_get_str (conf_field, "Src-ID");
+ if (!src_id)
+ {
+ log_print ("gdoi_ipsec_set_policy: Src-ID missing");
+ goto bail_out;
+ }
+ if (gdoi_get_id (src_id, &id, &addr, &mask, &port))
+ {
+ goto bail_out;
+ }
+ ipsec->src_net = htonl(addr.s_addr);
+ ipsec->src_mask = htonl(mask.s_addr);
+ ipsec->sport = ntohs(port);
+
+ dst_id = conf_get_str (conf_field, "Dst-ID");
+ if (!dst_id)
+ {
+ log_print ("gdoi_ipsec_set_policy: Dst-ID missing");
+ goto bail_out;
+ }
+ if (gdoi_get_id (dst_id, &id, &addr, &mask, &port))
+ {
+ goto bail_out;
+ }
+ ipsec->dst_net = htonl(addr.s_addr);
+ ipsec->dst_mask = htonl(mask.s_addr);
+ ipsec->dport = ntohs(port);
+
+ /*
+ * Get a suite defined for this group.
+ */
+ tek_suite_conf = conf_get_str (conf_field, "TEK_Suite");
+ if (!tek_suite_conf)
+ {
+ goto bail_out;
+ }
+ /*
+ * Get the individual protocol configuration
+ *
+ * Only IPSec ESP and AH is supported for now (not compression).
+ */
+ protocol_id = conf_get_str (tek_suite_conf, "PROTOCOL_ID");
+ if (!protocol_id)
+ {
+ goto bail_out;
+ }
+ proto->proto = constant_value(ipsec_proto_cst, protocol_id);
+
+ /*
+ * Need to put the Transform ID in the ESP TEK header since it's not
+ * treated as an attribute.
+ */
+ transform_id = conf_get_str (tek_suite_conf, "TRANSFORM_ID");
+ if (!transform_id)
+ {
+ goto bail_out;
+ }
+ /*
+ * Transform values depend on whether this is ESP or AH.
+ */
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ transform_value = constant_value(ipsec_esp_cst, transform_id);
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ transform_value = constant_value(ipsec_ah_cst, transform_id);
+ break;
+ default:
+ transform_value = 0;
+ break;
+ }
+ if (!transform_value)
+ {
+ goto bail_out;
+ }
+ proto->id = transform_value;
+
+ /*
+ * Generate the secrecy keys and stuff in a structure. We'll save them in
+ * the sa proto field later so that we can push them in a KD payload
+ * later.
+ */ + + memset((void *)&keys, 0, sizeof(struct gdoi_kd_decode_arg)); + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + switch (transform_value) + { + case IPSEC_ESP_AES_GCM_16: + keys.sec_key_sz = AES128_LENGTH + GCM_SALT_LENGTH; + keys.sec_key = calloc(1, keys.sec_key_sz); + if (!keys.sec_key) + { + log_print ("gdoi_ipsec_set_policy: " + "calloc failed (%d)", keys.sec_key_sz); + goto bail_out; + } + getrandom(keys.sec_key, keys.sec_key_sz); + LOG_DBG_BUF ((LOG_MISC, 90, "gdoi_ipsec_set_policy: " + "Generated AES key", keys.sec_key, keys.sec_key_sz)); + break; + case IPSEC_ESP_AES_CBC: + keys.sec_key_sz = AES128_LENGTH; + keys.sec_key = calloc(1, keys.sec_key_sz); + if (!keys.sec_key) + { + log_print ("gdoi_ipsec_set_policy: " + "calloc failed (%d)", keys.sec_key_sz); + goto bail_out; + } + getrandom(keys.sec_key, keys.sec_key_sz); + LOG_DBG_BUF ((LOG_MISC, 90, "gdoi_ipsec_set_policy: " + "Generated AES key", keys.sec_key, keys.sec_key_sz)); + break; + case IPSEC_ESP_3DES: + keys.sec_key_sz = 3 * DES_LENGTH; + keys.sec_key = calloc(1, keys.sec_key_sz); + if (!keys.sec_key) + { + log_print ("gdoi_ipsec_set_policy: " + "calloc failed (%d)", keys.sec_key_sz); + goto bail_out; + } + for (i=0; i<3; i++) + { + getrandom((keys.sec_key + (i*DES_LENGTH)), DES_LENGTH); + } + LOG_DBG_BUF ((LOG_MISC, 90, "gdoi_ipsec_set_policy: " + "Generated 3DES key", keys.sec_key, keys.sec_key_sz)); + break; + default: + log_print ("gdoi_ipsec_set_policy: invalid ESP transform_value (%d)", + transform_value); + goto bail_out; + } + /* + * If there is an authentication algorithm, store it as an + * attribute and go back to find the key in the configuration + * following the TEK_Suite. + */ + name = conf_get_str (tek_suite_conf, "AUTHENTICATION_ALGORITHM"); + if (name) + { + /* + * First check to make sure it's legit to have an + * authentication algorithm. For a combined mode such as GCM + * it is NOT legit. 
+ */ + if (gdoi_ipsec_is_counter_mode_tek(proto->proto, transform_value)) + { + log_print ("gdoi_ipsec_set_policy: Authentication " + "algorithm not valid with protocol %d " + "transform %d", proto->proto, transform_value); + goto bail_out; + } + value = constant_value (ipsec_auth_cst, name); + switch(value) + { + case IPSEC_AUTH_HMAC_SHA: + iproto->auth = IPSEC_AUTH_HMAC_SHA; + break; + case IPSEC_AUTH_HMAC_SHA2_256: + iproto->auth = IPSEC_AUTH_HMAC_SHA2_256; + break; + case IPSEC_AUTH_HMAC_MD5: + iproto->auth = IPSEC_AUTH_HMAC_MD5; + break; + default: + log_print ("gdoi_ipsec_set_policy: " + "Unknown auth key type found (%d).", value); + goto bail_out; + } + keys.int_key_sz = ipsec_esp_authkeylength(proto); + keys.int_key = malloc(keys.int_key_sz); + if (!keys.int_key) + { + log_print ("gdoi_ipsec_set_policy: malloc failed (%d)", + keys.int_key); + goto bail_out; + } + getrandom(keys.int_key, keys.int_key_sz); + LOG_DBG_BUF ((LOG_MISC, 90, + "gdoi_ipsec_set_policy: Generated auth key", + keys.int_key, keys.int_key_sz)); + } + break; + + case IPSEC_PROTO_IPSEC_AH: + switch (transform_value) + { + case IPSEC_AH_SHA: + keys.int_key_sz = HMAC_SHA_LENGTH; + keys.int_key = calloc(1, keys.int_key_sz); + if (!keys.int_key) + { + log_print ("gdoi_ipsec_set_policy: " + "calloc failed (%d)", keys.int_key_sz); + goto bail_out; + } + getrandom(keys.int_key, HMAC_SHA_LENGTH); + LOG_DBG_BUF ((LOG_MISC, 90, + "gdoi_ipsec_set_policy: " + "Generated SHA-HMAC key", + keys.sec_key, keys.sec_key_sz)); + break; + case IPSEC_AH_SHA2_256: + keys.int_key_sz = HMAC_SHA256_LENGTH; + keys.int_key = calloc(1, keys.int_key_sz); + if (!keys.int_key) + { + log_print ("gdoi_ipsec_set_policy: " + "calloc failed (%d)", keys.int_key_sz); + goto bail_out; + } + getrandom(keys.int_key, HMAC_SHA256_LENGTH); + LOG_DBG_BUF ((LOG_MISC, 90, + "gdoi_ipsec_set_policy: " + "Generated SHA-HMAC key", + keys.sec_key, keys.sec_key_sz)); + break; default: + /* + * HMAC-MD5 not supported + */ + log_print 
("gdoi_ipsec_set_policy: " + "invalid transform_value (%d)", transform_value); + goto bail_out; + } + } + /* + * Stuff the secrecy and integrity keys into the ipsec proto + * structure. + */ + if (stuff_tek_keys(&keys, iproto)) + { + return -1; + } + + /* + * Set the SPI for this TEK. Reject SPIs < 255 for simplicity, although + * only SPIs between 101 and 255 are actually acceptable. + */ + proto->spi_sz[0] = 4; /* IPsec SPI length */ + proto->spi[0] = malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_print ("gdoi_ipsec_set_policy: malloc failed (%d)", + proto->spi_sz[0]); + goto bail_out; + } + do { + getrandom (proto->spi[0], proto->spi_sz[0]); + } while ((proto->spi[0] != 0x0) && (proto->spi[1] != 0x0) && + (proto->spi[2] != 0x0)); + + name = conf_get_str (tek_suite_conf, "ENCAPSULATION_MODE"); + if (name) + { + value = constant_value (ipsec_encap_cst, name); + iproto->encap_mode = value; + } + + life_conf = conf_get_str (tek_suite_conf, "Life"); + if (!life_conf) + { + log_print ("gdoi_ipsec_set_policy: TEK has no Life policy"); + goto bail_out; + } + name = conf_get_str (life_conf, "LIFE_TYPE"); + if (!name) + { + log_print ("gdoi_ipsec_set_policy: TEK must have LIFE_TYPE:"); + goto bail_out; + } + value = conf_get_num (life_conf, "LIFE_DURATION", 0); + if (value) + { + sa->seconds = value; + sa->start_time = time((time_t)0); + } + + /* + * Check for an Address Preservation directive. 
+ */
+ name = conf_get_str (tek_suite_conf, "ADDRESS_PRESERVATION");
+ if (name)
+ {
+ value = constant_value (ipsec_addr_pres_cst, name);
+ iproto->addr_pres = value;
+ }
+
+ /*
+ * Check for an SA direction directive
+ */
+ name = conf_get_str (tek_suite_conf, "SA_DIRECTION");
+ if (name)
+ {
+ value = constant_value (ipsec_sa_direction_cst, name);
+ iproto->sa_direction = value;
+ }
+
+ return 0;
+
+bail_out:
+ return -1;
+}
+
+static int gdoi_set_kek_policy (char *conf_field, struct gdoi_kek *stored_kek,
+ struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ char *period_str;
+ u_int8_t *conf_string;
+ int ret;
+ u_int8_t *keyfile;
+
+ /*
+ * Setup the basics of the exchange.
+ */
+ getrandom(stored_kek->spi, KEK_SPI_SIZE);
+ log_print ("gdoi_set_kek_policy: KEK SPI: %s",
+ octet_string_hex_string(stored_kek->spi, KEK_SPI_SIZE));
+ stored_kek->exchange_name = malloc(strlen(exchange->name));
+ if (!stored_kek->exchange_name)
+ {
+ log_print ("gdoi_set_kek_policy: malloc of exchange name failed (%d)\n",
+ strlen(exchange->name));
+ return -1;
+ }
+ strcpy(stored_kek->exchange_name, exchange->name);
+ if (gdoi_rekey_setup_exchange(stored_kek))
+ {
+ return -1;
+ }
+
+ /*
+ * If the string is NULL, mark that only the exchange is being used, which
+ * means there is no KEK policy in the stored_kek structure.
+ */
+ if (!conf_field)
+ {
+ stored_kek->flags = USE_EXCH_ONLY;
+ return 0;
+ }
+
+ /*
+ * Newly formed rekey policy. Initialize the rekey exchange sequence
+ * number. Also set the period for sending out KEKs.
+ */
+ stored_kek->current_seq_num = 0;
+
+ /*
+ * Deterimine the interval to change the TEK.
+ */
+ period_str = conf_get_str (conf_field, "REKEY_PERIOD");
+ if (period_str)
+ {
+ stored_kek->tek_timer_interval = atoi(period_str);
+ }
+ else
+ {
+ stored_kek->tek_timer_interval = DEFAULT_REKEY_PERIOD;
+ log_print ("gdoi_set_kek_policy: Using default REKEY_PERIOD.");
+ }
+ log_print ("gdoi_set_kek_policy: "
+ "Setting a rekey period of %d seconds.",
+ stored_kek->tek_timer_interval);
+
+ /*
+ * Deterimine the interval to change the KEK.
+ */
+ period_str = conf_get_str (conf_field, "KEK_REKEY_PERIOD");
+ if (period_str)
+ {
+ stored_kek->kek_timer_interval = atoi(period_str);
+ }
+ else
+ {
+ stored_kek->kek_timer_interval = DEFAULT_KEK_REKEY_PERIOD;
+ log_print ("gdoi_set_kek_policy: Using default REKEY_PERIOD.");
+ }
+ log_print ("gdoi_set_kek_policy: Setting a KEK rekey period of %d seconds.",
+ stored_kek->kek_timer_interval);
+
+ /*
+ * Get the src/dst IDs.
+ */
+ ret = gdoi_store_kek_ids (conf_field, stored_kek);
+ if (ret)
+ {
+ return -1;
+ }
+
+ /*
+ * Set the encryption algorithm and initial keys.
+ */
+ conf_string = (u_int8_t *)conf_get_str (conf_field, "ENCRYPTION_ALGORITHM");
+ if (!conf_string)
+ {
+ log_print ("gdoi_set_kek_policy: ENCRYPTION_ALGORITHM missing");
+ return -1;
+ }
+ stored_kek->encrypt_alg = constant_value (gdoi_kek_alg_cst,
+ (char *)conf_string);
+
+ /*
+ * Generate the encryption keys
+ */
+ switch(stored_kek->encrypt_alg)
+ {
+ case GDOI_KEK_ALG_3DES:
+ /*
+ * This is 3DES-CBC. CBC requires both an IV and algorithm sent.
+ * Read the IV first
+ */
+ stored_kek->encrypt_iv = calloc(1, DES_LENGTH);
+ if (!stored_kek->encrypt_iv)
+ {
+ log_error ("gdoi_set_kek_policy: calloc failed (%d)", DES_LENGTH);
+ return -1;
+ }
+ getrandom(stored_kek->encrypt_iv, DES_LENGTH);
+ /*
+ * Now get the keys.
+ */
+ stored_kek->encrypt_key = calloc(1, 3 * DES_LENGTH);
+ if (!stored_kek->encrypt_key)
+ {
+ log_error ("gdoi_set_kek_policy: calloc failed (%d)", 3 * DES_LENGTH);
+ return -1;
+ }
+ /*
+ * Generate the keys together.
+ */
+ getrandom(stored_kek->encrypt_key, 3 * DES_LENGTH);
+ break;
+
+ case GDOI_KEK_ALG_AES:
+ /*
+ * Only support 128-bit AES keys for now.
+ *
+ * This is AES-CBC mode. CBC requires both an IV and key sent.
+ * Derive the IV first.
+ */
+ stored_kek->encrypt_iv = calloc(1, AES128_LENGTH);
+ if (!stored_kek->encrypt_iv)
+ {
+ log_error ("gdoi_set_kek_policy: calloc failed (%d)", AES128_LENGTH);
+ return -1;
+ }
+ getrandom(stored_kek->encrypt_iv, AES128_LENGTH);
+ log_print ("gdoi_set_kek_policy: KEK IV: %s",
+ octet_string_hex_string(stored_kek->encrypt_iv, AES128_LENGTH));
+ /*
+ * Now set the key.
+ */
+ stored_kek->encrypt_key = calloc(1, AES128_LENGTH);
+ if (!stored_kek->encrypt_key)
+ {
+ log_error ("gdoi_set_kek_policy: calloc failed (%d)", AES128_LENGTH);
+ return -1;
+ }
+ getrandom(stored_kek->encrypt_key, AES128_LENGTH);
+ log_print ("gdoi_set_kek_policy: KEK Key: %s",
+ octet_string_hex_string(stored_kek->encrypt_key, AES128_LENGTH));
+ /*
+ * Store the length of the AES key in bits.
+ */
+ stored_kek->encrypt_key_len = AES128_LENGTH;
+ break;
+
+ case GDOI_KEK_ALG_DES:
+ default:
+ log_error ("gdoi_set_kek_policy: Unsupported KEK Algorithm type %s",
+ stored_kek->encrypt_alg);
+ return -1;
+ break;
+
+ }
+
+ /*
+ * Generate the authentication keys.
+ */
+ conf_string = (u_int8_t *)conf_get_str (conf_field, "SIG_HASH_ALGORITHM");
+ if (!conf_string)
+ {
+ log_print ("gdoi_set_kek_policy: SIG_HASH_ALGORITHM missing");
+ return -1;
+ }
+ stored_kek->sig_hash_alg =
+ constant_value (gdoi_kek_hash_alg_cst, (char *)conf_string);
+ if (stored_kek->sig_hash_alg == 0)
+ {
+ log_print ("gdoi_set_kek_policy: SIG_HASH_ALGORITHM type unknown");
+ return -1;
+ }
+
+ /*
+ * Get the KEK signature keys.
+ */ + conf_string = (u_int8_t *)conf_get_str (conf_field, "SIG_ALGORITHM"); + if (!conf_string) + { + log_print ("gdoi_set_kek_policy: SIG_ALGORITHM missing"); + return -1; + } + stored_kek->sig_alg = constant_value (gdoi_kek_sig_alg_cst, + (char *)conf_string); + /* + * Read the signature keypair and stuff away for later use. + * We also need to package up the public key to put in the KEK + * policy attribute. + */ + switch(stored_kek->sig_alg) + { + case GDOI_KEK_SIG_ALG_RSA: + /* + * BEW: Should generate the RSA keypair rather than get it out of the + * config. + */ + keyfile = (u_int8_t *)conf_get_str (conf_field, "RSA-Keypair"); + if (!keyfile) + { + log_error ("gdoi_set_kek_policy: RSA-Keypair not found."); + return -1; + } + if (gdoi_read_keypair (keyfile, stored_kek)) + { + log_error ("gdoi_set_kek_policy: Reading RSA-Kepair failed"); + return -1; + } + break; + + default: + log_error ("gdoi_set_kek_policy: Unsupported KEK Signature type %s", + stored_kek->sig_alg); + return -1; + } + + return 0; +} + +static int gdoi_get_gap_policy (char *conf_field, u_int8_t **ret_buf, + size_t *ret_buf_sz) +{ + char *str; + u_int8_t *attr, *attr_start; + int atd = 0; + int dtd = 0; + size_t gap_sz; + u_int8_t *gap_buf; + + /* + * Find the ATD and DTD + */ + str = conf_get_str (conf_field, "ATD"); + if (str) + { + atd = atoi(str); + log_print ("gdoi_get_gap_policy: Setting an ATD value of %d seconds.", + atd); + } + + str = conf_get_str (conf_field, "DTD"); + if (str) + { + dtd = atoi(str); + log_print ("gdoi_get_gap_policy: Setting a DTD value of %d seconds.", + dtd); + } + + if (!atd && !dtd) { + log_print ("gdoi_get_gap_policy: GAP policy decleard but none found!\n"); + return -1; + } + + /* + * Create the GAP header payload + */ + gap_sz = GDOI_GEN_LENGTH_OFF + GDOI_GEN_LENGTH_LEN; + gap_buf = calloc(1, gap_sz); + if (!gap_buf) + { + log_print ("gdoi_get_kek_policy: calloc failed (gap_buf)"); + return -1; + } + + /* + * Setup the generic header except for the length 
& next payload. + */ + SET_GDOI_GEN_RESERVED(gap_buf, 0); + + + /* + * Allocate a block for building attributes. It's sized large enough + * so that we think it will avoid buffer overflows.... + */ + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr) + { + log_print ("gdoi_get_kek_policy: calloc(%d) failed", ATTR_SIZE); + free(gap_buf); + return -1; + } + + /* + * Send the ACTIVATION_TIME_DELAY (optional) + */ + if (atd) + { + attr = attribute_set_basic (attr, GDOI_GAP_ACTIVATION_TIME_DELAY, atd); + } + + /* + * Send the DEACTIVATION_TIME_DELAY (optional) + */ + if (dtd) + { + attr = attribute_set_basic (attr, GDOI_GAP_DEACTIVATION_TIME_DELAY, dtd); + } + + /* + * Done adding attributes! + */ + gap_buf = gdoi_grow_buf(gap_buf, &gap_sz, attr_start, + (attr - attr_start)); + free(attr_start); + if (!gap_buf) + { + return -1; + } + +SET_GDOI_GEN_LENGTH(gap_buf, gap_sz); + +*ret_buf = gap_buf; +*ret_buf_sz = gap_sz; + +return 0; + +} +static int gdoi_get_kek_policy (char *conf_field, u_int8_t **ret_buf, + size_t *ret_buf_sz, struct gdoi_kek *stored_kek) +{ + size_t sz; + u_int8_t *attr, *attr_start; + u_int8_t *buf, *kek_buf = 0; + size_t kek_buf_sz; + int key_size_in_bits; + + /* + * Create the KEK header payload + */ + sz = GDOI_GEN_LENGTH_OFF + GDOI_GEN_LENGTH_LEN; + buf = calloc(1, sz); + if (!buf) + { + log_print ("gdoi_get_kek_policy: calloc failed (buf)"); + goto bail_out; + } + + /* + * Setup the generic header except for the length & next payload. 
+ */ + SET_GDOI_GEN_RESERVED(buf, 0); + + kek_buf = buf; + kek_buf_sz = sz; + + /* + * Set the protocol + */ + sz = GDOI_SA_KEK_PROTOCOL_OFF + GDOI_SA_KEK_PROTOCOL_LEN; + buf = calloc(1, sz); + if (!buf) + { + log_print ("gdoi_get_kek_policy: calloc failed (kek_p)"); + goto bail_out; + } + SET_GDOI_SA_KEK_PROTOCOL(buf, IPPROTO_UDP); /* UDP */ + kek_buf = gdoi_grow_buf(kek_buf, &kek_buf_sz, buf, sz); + + /* + * Set the IDs + */ + buf = gdoi_build_kek_id (SRC, &sz, stored_kek); + kek_buf = gdoi_grow_buf(kek_buf, &kek_buf_sz, buf, sz); + free(buf); + buf = NULL; + buf = gdoi_build_kek_id (DST, &sz, stored_kek); + kek_buf = gdoi_grow_buf(kek_buf, &kek_buf_sz, buf, sz); + free(buf); + buf = NULL; + + /* + * Get the "SPI" (ISAKMP HDR cookie pair) + */ + sz = GDOI_SA_KEK_END_POP_KEYLEN_OFF + GDOI_SA_KEK_END_POP_KEYLEN_LEN; + buf = calloc(1, sz); + if (!buf) + { + log_print ("gdoi_get_kek_policy: calloc failed (buf)"); + goto bail_out; + } + if (stored_kek->flags & SEND_NEW_KEK) + { + if (stored_kek->flags & CREATE_NEW_KEK) + { + /* + * Create a new SPI + */ + getrandom(stored_kek->next_kek_policy.spi, KEK_SPI_SIZE); + } + /* + * Send the new SPI rather than the old one. + */ + SET_GDOI_SA_KEK_END_SPI(buf, stored_kek->next_kek_policy.spi); + } + else + { + SET_GDOI_SA_KEK_END_SPI(buf, stored_kek->spi); + } + kek_buf = gdoi_grow_buf(kek_buf, &kek_buf_sz, buf, sz); + + /* + * Allocate a block for building attributes. It's sized large enough + * so that we think it will avoid buffer overflows.... + */ + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr) + { + log_print ("gdoi_get_kek_policy: calloc(%d) failed", ATTR_SIZE); + goto bail_out; + } + + /* + * Send the KEK_ALGORITHM (required) + */ + attr = attribute_set_basic (attr, GDOI_ATTR_KEK_ALGORITHM, + stored_kek->encrypt_alg); + + /* + * Send the KEK_KEY_LENGTH if KEK_ALGORITHM has a variable length key (e.g., + * AES). 
+ */
+ key_size_in_bits = 0;
+ switch(stored_kek->encrypt_alg)
+ {
+ case GDOI_KEK_ALG_3DES:
+ case GDOI_KEK_ALG_DES:
+ /*
+ * Don't need to send a length -- it is clear from the length of the
+ * cipher.
+ */
+ break;
+ case GDOI_KEK_ALG_AES:
+ /*
+ * Need to send the size in bits, so convert from bytes.
+ */
+ attr = attribute_set_basic (attr, GDOI_ATTR_KEK_KEY_LENGTH,
+ stored_kek->encrypt_key_len * 8);
+ break;
+ default:
+ log_error ("gdoi_get_kek_policy: "
+ "Unsupported KEK Algorithm type (KEK_KEY_LENGTH) %s",
+ stored_kek->encrypt_alg);
+ goto bail_out;
+ }
+
+ /*
+ * Send the KEK_KEY_LIFETIME (required)
+ */
+ attr = attribute_set_basic (attr, GDOI_ATTR_KEK_KEY_LIFETIME,
+ stored_kek->kek_timer_interval);
+
+ /*
+ * Send the SIG_HASH_ALGORITHM (required)
+ */
+ attr = attribute_set_basic (attr, GDOI_ATTR_SIG_HASH_ALGORITHM,
+ stored_kek->sig_hash_alg);
+
+ /*
+ * Send the SIG_ALGORITHM (required)
+ */
+ attr = attribute_set_basic (attr, GDOI_ATTR_SIG_ALGORITHM,
+ stored_kek->sig_alg);
+
+ /*
+ * Send the SIG_KEY_LENGTH (required)
+ */
+ if (!stored_kek->signature_key_modulus_size)
+ {
+ log_print ("gdoi_get_kek_policy: No signature key modulus size!");
+ goto bail_out;
+ }
+ attr = attribute_set_basic (attr, GDOI_ATTR_SIG_KEY_LENGTH,
+ stored_kek->signature_key_modulus_size);
+
+ /*
+ * Done adding attributes!
+ */
+
+ kek_buf = gdoi_grow_buf(kek_buf, &kek_buf_sz, attr_start,
+ (attr - attr_start));
+ if (!kek_buf) {
+ goto bail_out;
+ }
+ free(attr_start);
+
+ SET_GDOI_GEN_LENGTH(kek_buf, kek_buf_sz);
+
+ *ret_buf = kek_buf;
+ *ret_buf_sz = kek_buf_sz;
+ return 0;
+
+bail_out:
+ free (buf);
+ gdoi_free_attr_payloads();
+ return -1;
+}
+
+int
+gdoi_ipsec_get_policy_from_sa (struct sa *sa, u_int8_t **ret_buf,
+ size_t *ret_buf_sz)
+{
+ struct proto *proto;
+ struct ipsec_proto *iproto;
+ u_int8_t *esp_tek_buf = 0;
+ u_int8_t *buf = 0;
+ size_t sz, esp_tek_sz;
+ u_int8_t *attr, *attr_start = 0;
+ int time_left;
+ struct gdoi_kd_decode_arg keys;
+
+ proto = TAILQ_FIRST (&sa->protos);
+ iproto = (struct ipsec_proto *) proto->data;
+
+ /*
+ * Set the protocol
+ */
+ sz = GDOI_SA_TEK_ESP_SZ;
+ buf = calloc(1, sz);
+ if (!buf)
+ {
+ log_print ("gdoi_ipsec_get_policy_from_sa: calloc failed");
+ goto bail_out;
+ }
+ /*
+ * Hard code the network protocol type to be ignored for now
+ */
+ SET_GDOI_SA_TEK_PROT_ID(buf, 0);
+ esp_tek_buf = buf;
+ esp_tek_sz = sz;
+
+ /*
+ * Get the src/dst IDs.
+ */
+ buf = gdoi_build_tek_id_from_sa (sa, SRC, &sz);
+ if (!buf)
+ {
+ goto bail_out;
+ }
+ esp_tek_buf = gdoi_grow_buf(esp_tek_buf, &esp_tek_sz, buf, sz);
+ free(buf);
+ buf = NULL;
+
+ buf = gdoi_build_tek_id_from_sa (sa, DST, &sz);
+ if (!buf)
+ {
+ goto bail_out;
+ }
+ esp_tek_buf = gdoi_grow_buf(esp_tek_buf, &esp_tek_sz, buf, sz);
+ if (!esp_tek_buf)
+ {
+ goto bail_out;
+ }
+ free(buf);
+ buf = NULL;
+
+ /*
+ * Need to put the Transform ID in the ESP TEK header since it's not
+ * treated as an attribute.
+ */
+ esp_tek_buf = gdoi_grow_buf(esp_tek_buf, &esp_tek_sz, &proto->id,
+ sizeof(u_int8_t));
+ if (!esp_tek_buf)
+ {
+ goto bail_out;
+ }
+
+ /*
+ * Get the SPI for this TEK.
+ */
+ esp_tek_buf = gdoi_grow_buf(esp_tek_buf, &esp_tek_sz,
+ proto->spi[0], proto->spi_sz[0]);
+ if (!esp_tek_buf)
+ {
+ goto bail_out;
+ }
+
+ /*
+ * Allocate a block for building attributes.
It's sized large enough
+ * so that we think it will avoid buffer overflows....
+ */
+ attr_start = attr = calloc(1, ATTR_SIZE);
+ if (!attr)
+ {
+ log_print ("gdoi_ipsec_get_policy: "
+ "calloc(%d) failed", ATTR_SIZE);
+ goto bail_out;
+ }
+
+ attr = attribute_set_basic (attr, IPSEC_ATTR_ENCAPSULATION_MODE,
+ iproto->encap_mode);
+
+ /*
+ * If there is an ESP authentication algorithm, store it as an attribute and
+ * go back to find the key in the configuration following the TEK_Suite.
+ */
+ if ((proto->proto == IPSEC_PROTO_IPSEC_ESP) && iproto->auth)
+ {
+ attr = attribute_set_basic (attr,
+ IPSEC_ATTR_AUTHENTICATION_ALGORITHM,
+ iproto->auth);
+ }
+
+ /*
+ * Send whatever lifetime info we have, after adjusting from the
+ * start time.
+ */
+ if (sa->seconds)
+ {
+ time_left = sa->seconds - (time((time_t)0) - sa->start_time);
+ if (time_left > 0)
+ {
+
+ attr = attribute_set_basic (attr,
+ IPSEC_ATTR_SA_LIFE_TYPE,
+ IPSEC_DURATION_SECONDS);
+ attr = attribute_set_basic (attr,
+ IPSEC_ATTR_SA_LIFE_DURATION,
+ time_left);
+ }
+ else
+ {
+ log_print ("gdoi_ipsec_get_policy_from_sa: "
+ "SA time has expired, but still on SA list!");
+ time_left = 0;
+ }
+ }
+
+ /*
+ * If the ESP transform is AES, we need to send the key size.
+ */
+ if ((proto->id == IPSEC_ESP_AES_CBC) || (proto->id == IPSEC_ESP_AES_GCM_16))
+ {
+ memset((void *)&keys, 0, sizeof(struct gdoi_kd_decode_arg));
+ if (gdoi_ipsec_get_tek_keys(&keys, proto))
+ {
+ log_print ("gdoi_ipsec_get_policy_from_sa: "
+ "Error in getting AES TEK key length!");
+ }
+ /*
+ * Sent in bits, so convert from bytes.
+ */
+ attr = attribute_set_basic (attr, IPSEC_ATTR_KEY_LENGTH,
+ keys.sec_key_sz * 8);
+ }
+
+ /*
+ * Pass the Address Preservation attribute, if it's not the default.
+ */
+ if (iproto->addr_pres != IPSEC_ADDR_PRES_SOURCE_AND_DEST)
+ {
+ attr = attribute_set_basic (attr, IPSEC_ATTR_ADDRESS_PRESERVATION,
+ iproto->addr_pres);
+ }
+
+ /*
+ * Pass the SA Direction attribute, if it's not the default.
+ */
+ if (iproto->sa_direction != IPSEC_SA_DIRECTION_SYMMETRIC)
+ {
+ attr = attribute_set_basic (attr, IPSEC_ATTR_SA_DIRECTION,
+ iproto->sa_direction);
+ }
+
+ /*
+ * Add the attributes to the tek payload
+ */
+ esp_tek_buf = gdoi_grow_buf(esp_tek_buf, &esp_tek_sz, attr_start,
+ (attr - attr_start));
+ free (attr_start);
+ if (!esp_tek_buf)
+ {
+ goto bail_out;
+ }
+
+ *ret_buf = esp_tek_buf;
+ *ret_buf_sz = esp_tek_sz;
+ return 0;
+
+bail_out:
+ free (buf);
+ free (attr_start);
+ return -1;
+}
+
+/*
+ * Return whether an SA should be sent to a group member.
+ *
+ * This depends on the exchange type, and the state of the SA.
+ */
+int
+gdoi_current_sa (u_int8_t type, struct sa *sa)
+{
+ struct proto *proto;
+
+ /*
+ * PUSH SA check
+ *
+ * For simplicity, for a rekey message only send the SAs
+ * which were just created. Those can be identified as not yet marked
+ * with the SA_FLAG_READY flag.
+ */
+ if ((type == GDOI_EXCH_PUSH_MODE) && (sa->flags & SA_FLAG_READY))
+ {
+ return FALSE;
+ }
+
+ /*
+ * PUSH and PULL: Only send live SAs.
+ */
+ if (sa->flags & SA_FLAG_FADING)
+ {
+ return FALSE;
+ }
+ proto = TAILQ_FIRST (&sa->protos);
+ if (!proto)
+ {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+/*
+ * Create a TEK SA payload from an sa structure
+ */
+u_int8_t *
+gdoi_get_current_tek (struct sa *sa, size_t *sz, int last_tek)
+{
+ struct proto *proto;
+ u_int8_t *buf = 0, *tek_p = 0;
+ size_t tek_sz;
+
+ /*
+ * 1. Create the generic TEK structure
+ * 2. Add the protocol-specific TEK structure (e.g., ESP)
+ */
+ tek_p = calloc(1, GDOI_SA_TEK_SZ);
+ if (!tek_p)
+ {
+ log_print ("gdoi_get_current_tek: calloc failed (tek_p)");
+ goto bail_out;
+ }
+
+ /*
+ * Fill in the TEK structure, except for the length -- it will be
+ * filled in after the protocol-specific structure has been created.
+ */ + if (last_tek) + { + SET_GDOI_GEN_NEXT_PAYLOAD(tek_p, 0); + } + else + { + SET_GDOI_GEN_NEXT_PAYLOAD(tek_p, ISAKMP_PAYLOAD_SA_TEK); + } + SET_GDOI_GEN_RESERVED(tek_p, 0); + + /* + * Determine what kind of TEK this is & format it. + */ + proto = TAILQ_FIRST (&sa->protos); + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + case IPSEC_PROTO_IPSEC_AH: + if (proto->proto == IPSEC_PROTO_IPSEC_ESP) + { + SET_GDOI_SA_TEK_PROT_ID(tek_p, GDOI_TEK_PROT_PROTO_IPSEC_ESP); + } + else + { + SET_GDOI_SA_TEK_PROT_ID(tek_p, GDOI_TEK_PROT_PROTO_IPSEC_AH); + } + if (gdoi_ipsec_get_policy_from_sa(sa, &buf, &tek_sz)) + { + log_error ("gdoi_get_current_tek: " + "Getting IPSEC TEK policy failed"); + goto bail_out; + } + break; +#ifdef SRTP_SUPPORT + case IPSEC_PROTO_SRTP: + SET_GDOI_SA_TEK_PROT_ID(tek_p, GDOI_TEK_PROT_PROTO_SRTP); + if (gdoi_srtp_get_policy_from_sa(sa, &buf, &tek_sz)) + { + log_error ("gdoi_get_current_tek: " + "Getting IPSEC TEK policy failed"); + goto bail_out; + } + break; +#endif +#ifdef IEC90_5_SUPPORT + case IPSEC_PROTO_IEC90_5: + SET_GDOI_SA_TEK_PROT_ID(tek_p, GDOI_TEK_PROT_PROTO_IEC90_5); + if (gdoi_iec90_5_get_policy_from_sa(sa, &buf, &tek_sz)) + { + log_error ("gdoi_get_current_tek: " + "Getting IPSEC TEK policy failed"); + goto bail_out; + } + break; +#endif + default: + log_print ("gdoi_get_current_tek: Unsupported protocol %d", + proto->proto); + goto bail_out; + } + + *sz = GDOI_SA_TEK_SZ + tek_sz; + SET_GDOI_GEN_LENGTH(tek_p, *sz); + tek_p = realloc(tek_p, *sz); + if (!tek_p) + { + log_error ("gdoi_get_current_tek: " + "realloc failed"); + goto bail_out; + } + memcpy((tek_p + GDOI_SA_TEK_SZ), buf, tek_sz); + free(buf); + + return tek_p; + +bail_out: + free (tek_p); + free (buf); + return 0; +} + +int gdoi_add_sa_payload (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct exchange *sa_exchange; + struct sa *sa; + u_int8_t *sa_buf = 0; + u_int8_t *tek_p = 0; + u_int8_t *buf = 0; + size_t sa_len; + size_t sz; + struct 
gdoi_exch *ie = exchange->data;
+ struct conf_list *suite_conf;
+ struct conf_list_node *suite;
+ struct gdoi_kek *stored_kek = NULL;
+ char *name, *str;
+ char *tek_type_conf;
+ int suite_no, tek_no;
+ struct extended_attrs *attrp;
+ size_t offset;
+ int proto;
+ int next_payload = ISAKMP_PAYLOAD_NONE;
+
+ /*
+ * Before completing the SA payload, need to get the KEK, GAP, TEK and SA
+ * attributes. We create a list of structures which will be added to the
+ * SA payload, one per TEK or KEK.
+ */
+
+ /*
+ * Initialize the list.
+ */
+ TAILQ_INIT (&attr_payloads);
+
+ /*
+ * Find the group id in the configuration, which identifies the policy for
+ * the group. If we are a rekey message, we might be re-using the exchange
+ * and the name is already set.
+ */
+ if (exchange->name)
+ {
+ name = exchange->name;
+ }
+ else
+ {
+ name = connection_passive_lookup_by_group_id (ie->id_gdoi);
+ if (name)
+ {
+ exchange->name = strdup (name);
+ if (!exchange->name)
+ {
+ log_error ("gdoi_add_sa_payload: strdup (\"%s\") failed",
+ name);
+ goto bail_out;
+ }
+ }
+ else
+ {
+ log_error ("gdoi_add_sa_payload: "
+ "Passive connection not found for group in ID payload.");
+ goto bail_out;
+ }
+ }
+
+ /*
+ * Find the Configuration keyword
+ */
+ if (!exchange->policy)
+ {
+ exchange->policy = conf_get_str (name, "Configuration");
+ if (!exchange->policy)
+ {
+ log_print ("gdoi_add_sa_payload: no configuration for "
+ "peer \"%s\"", name);
+ return -1;
+ }
+ }
+
+ /* Validate the DOI.
*/
+ str = conf_get_str (exchange->policy, "DOI");
+ if (str)
+ {
+ if (!(strcasecmp (str, "GROUP") == 0))
+ {
+ log_print ("gdoi_add_sa_payload: DOI \"%s\" unsupported "
+ "for group policy", str);
+ return -1;
+ }
+ }
+ else
+ {
+ log_print ("gdoi_add_sa_payload: DOI missing");
+ return -1;
+ }
+
+ /* Validate the exchange */
+ str = conf_get_str (exchange->policy, "EXCHANGE_TYPE");
+ if (str)
+ {
+ if (!(strcasecmp (str, "PULL_MODE") == 0))
+ {
+ log_print ("gdoi_add_sa_payload: EXCHANGE_TYPE \"%s\" "
+ "unsupported for group policy", str);
+ return -1;
+ }
+ }
+ else
+ {
+ log_print ("gdoi_add_sa_payload: EXCHANGE_TYPE missing");
+ return -1;
+ }
+
+ /*
+ * GDOI constraint:
+ * Either a KEK or a TEK must be found in the configuration. The only
+ * obvious error is if neither is found.
+ *
+ * Local policy:
+ * Registration messages get all of the current TEKs, but no new ones.
+ * For each rekey message generate new TEKs to replace those in the
+ * configuration.
+ *
+ * BEW: This is really broken local policy.
+ */
+
+ /*
+ * Find or create the KEK policy structure. Note: Even if there isn't a KEK
+ * (and thus we're not sending rekeys), we're stroring the TEKs in its
+ * exchange to take advantage of the normal SA expiration, etc. semantics.
+ */
+ str = conf_get_str (exchange->policy, "SA-KEK");
+ stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0);
+ if (!stored_kek)
+ {
+ stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 1);
+ if (!stored_kek)
+ {
+ goto bail_out;
+ }
+
+ /*
+ * Initialize the KEK policy, either with the KEK policy if found,
+ * or for use of the echange only.
+ */
+ gdoi_set_kek_policy(str, stored_kek, msg);
+ }
+
+ /*
+ * If an SA-KEK was found, create the SA_KEK payload.
+ */
+ if (str)
+ {
+ if (gdoi_get_kek_policy(str, &buf, &sz, stored_kek))
+ {
+ log_print ("gdoi_add_sa_payload: Error in getting KEK policy");
+ goto bail_out;
+ }
+ attrp = calloc(1, sizeof (struct extended_attrs));
+ attrp->attr_payload = buf;
+ attrp->has_generic_header = TRUE;
+ attrp->attr_type = ISAKMP_PAYLOAD_SA_KEK;
+ attrp->sz = sz;
+ TAILQ_INSERT_TAIL (&attr_payloads, attrp, link);
+ }
+ else
+ {
+ log_print ("gdoi_add_sa_payload: "
+ "No SA-KEK found -- no rekey will happen");
+ }
+
+ /*
+ * Generate GAP, if there is any GAP configuration.
+ */
+ str = conf_get_str (exchange->policy, "GROUP-POLICY");
+ if (str)
+ {
+ if (gdoi_get_gap_policy(str, &buf, &sz))
+ {
+ log_print ("gdoi_add_sa_payload: Error in getting GAP policy");
+ goto bail_out;
+ }
+ attrp = calloc(1, sizeof (struct extended_attrs));
+ attrp->attr_payload = buf;
+ attrp->has_generic_header = TRUE;
+ attrp->attr_type = ISAKMP_PAYLOAD_GAP;
+ attrp->sz = sz;
+ TAILQ_INSERT_TAIL (&attr_payloads, attrp, link);
+ }
+ else
+ {
+ log_print ("gdoi_add_sa_payload: No SA-GAP found for this group");
+ }
+
+ /*
+ * Decide whether or not to create more TEKs:
+ * 1. If it's a rekey, and if this isn't a special rekey sending a new KEK.
+ * 2. If it's a registration, and there aren't any TEKs in the list (because
+ * they either all expired, or this is the first registeration).
+ *
+ * In the rekey message case (GDOI_EXCH_PUSH_MODE), a new SA will be
+ * generated for each one in the configuration. New key values and SPIs
+ * will be chosen for the new SAs, of course.
+ *
+ * This path, is also chosen in the case of a registration message
+ * (GDOI_EXCH_PULL_MODE) when there are no current SPIs on the SPI list.
+ * A lack of SPIs on that list means that either there is no KEK for the
+ * group, or that there is a KEK but this is the first registration attempt
+ * for the group.
+ */
+ sa_exchange = stored_kek->send_exchange;
+ if (!sa_exchange) {
+ log_print ("gdoi_add_sa_payload: sa_exchange missing!
Aborting.");
+ goto bail_out;
+ }
+
+ if (((exchange->type == GDOI_EXCH_PUSH_MODE) &&
+ !(stored_kek->flags & SEND_NEW_KEK)) ||
+ ((exchange->type == GDOI_EXCH_PULL_MODE) &&
+ (!TAILQ_FIRST(&sa_exchange->sa_list))))
+ {
+ /*
+ * TEKs are processed as a list.
+ *
+ * This processing follows the style of Quick Mode protocol suite
+ * processing at the beginning of
+ * ike_quick_mode.c:initiator_send_HASH_SA_NONCE().
+ *
+ * Create TEK strcutures as we go, and store them in the list for adding
+ * to the SA payload later.
+ */
+
+ /*
+ * Evalute the TEK SA policy in the configuration file.
+ */
+ suite_conf = conf_get_list (exchange->policy, "SA-TEKS");
+ if (!suite_conf)
+ {
+ log_print ("gdoi_add_sa_payload: No SA-TEKS found");
+ goto bail_out;
+ }
+
+ for (suite = TAILQ_FIRST (&suite_conf->fields), suite_no = tek_no = 0;
+ suite_no < suite_conf->cnt;
+ suite_no++, suite = TAILQ_NEXT (suite, link))
+ {
+ /*
+ * Before creating the TEK, create an SA to stuff the policy and keys
+ * read in from the config file. The keys are picked up later by the
+ * KD payload processing. The SAs will also be sent out again later
+ * in the rekey message if they are still active.
+ *
+ * sa_create calls sa_reference twice. GDOI only needs it
+ * referenced once, so release it once here.
+ */
+ sa_create(sa_exchange, NULL);
+
+ /*
+ * Determine what kind of TEK this is. Default is IPsec
+ */
+ tek_type_conf = conf_get_str (exchange->policy, "Crypto-protocol");
+ if (!tek_type_conf)
+ {
+ log_print ("gdoi_add_sa_payload: "
+ "Assuming TEK in configuration is IPsec (ESP or AH)");
+ /*
+ * We don't know if its ESP or AH, so mark as ESP for now.
+ * It will be corrected when we read in the configuration.
+ */
+ proto = GDOI_TEK_PROT_PROTO_IPSEC_ESP;
+ }
+ else
+ {
+ proto = constant_value (gdoi_tek_prot_cst, tek_type_conf);
+ switch (proto)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+#if SRTP_SUPPORT
+ case GDOI_TEK_PROT_PROTO_SRTP:
+#endif
+#ifdef IEC90_5_SUPPORT
+ case GDOI_TEK_PROT_PROTO_IEC90_5:
+#endif
+ break;
+ default:
+ log_print ("gdoi_add_sa_payload: "
+ "Unsupported Protocol type %s", tek_type_conf);
+ goto bail_out;
+ }
+ }
+
+ /*
+ * Get this TEK's particular policy.
+ */
+ switch (proto)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ if (gdoi_ipsec_set_policy(suite->field, msg, sa_exchange))
+ {
+ log_error ("gdoi_add_sa_payload: "
+ "Getting IPsec TEK policy failed");
+ goto bail_out;
+ }
+ break;
+#if SRTP_SUPPORT
+ case GDOI_TEK_PROT_PROTO_SRTP:
+ if (gdoi_srtp_set_policy(suite->field, msg, sa_exchange))
+ {
+ log_error ("gdoi_add_sa_payload: "
+ "Getting SRTP TEK policy failed");
+ goto bail_out;
+ }
+ break;
+#endif
+#if IEC90_5_SUPPORT
+ case GDOI_TEK_PROT_PROTO_IEC90_5:
+ if (gdoi_iec90_5_set_policy(suite->field, msg, sa_exchange,
+ ie->id_gdoi, ie->id_gdoi_sz))
+ {
+ log_error ("gdoi_add_sa_payload: "
+ "Getting IEC90-5 TEK policy failed");
+ goto bail_out;
+ }
+ break;
+#endif
+ default:
+ log_print ("gdoi_add_sa_payload: "
+ "Unsupported Protocol type %s", tek_type_conf);
+ goto bail_out;
+ }
+ }
+ }
+
+ /*
+ * Now add all the old & new TEKs to the message.
+ */ + if (TAILQ_FIRST(&sa_exchange->sa_list)) + { + for (sa = TAILQ_FIRST (&sa_exchange->sa_list); sa; + sa = TAILQ_NEXT (sa, next)) + { + if (gdoi_current_sa(exchange->type, sa)) + { + tek_p = gdoi_get_current_tek(sa, &sz, + (sa == TAILQ_LAST (&sa_exchange->sa_list, sa_head))); + attrp = calloc(1, sizeof (struct extended_attrs)); + attrp->attr_payload = tek_p; + attrp->has_generic_header = TRUE; + attrp->attr_type = ISAKMP_PAYLOAD_SA_TEK; + attrp->sz = sz; + TAILQ_INSERT_TAIL (&attr_payloads, attrp, link); + /* + * Add the SPI to the exchange list for use of the KD + * payload processing. + */ + gdoi_add_spi_to_list(exchange, sa); + } + } + } + + /* + * Setup the SA payload. Calculate the length by including all of the + * extended attributes along with the static part. We're going to create a + * contiguous SA paylaod buffer using this length. + * + * While we're at it, fix the "next payload" of each attribute. + */ + offset = sa_len = GDOI_SA_SZ; + + TAILQ_FOREACH_REVERSE(attrp, &attr_payloads, attr_payload_list, link) + { + sa_len += attrp->sz; + if (attrp->has_generic_header == TRUE) + { + SET_GDOI_GEN_NEXT_PAYLOAD(attrp->attr_payload, next_payload); + next_payload = attrp->attr_type; + } + } + + sa_buf = calloc (1, sa_len); + if (!sa_buf) + { + log_error ("gdoi_add_sa_payload: calloc (%d) failed", sa_len); + goto bail_out; + } + SET_GDOI_GEN_NEXT_PAYLOAD(sa_buf, 0); + SET_GDOI_GEN_RESERVED(sa_buf, 0); + SET_GDOI_SA_DOI (sa_buf, GROUP_DOI_GDOI); + exchange->doi->setup_situation (sa_buf); + SET_GDOI_SA_SA_ATTR_NEXT (sa_buf, next_payload); + SET_GDOI_SA_RES2 (sa_buf, 0); + + /* + * Copy in the extended attributes. + */ + for (attrp = TAILQ_FIRST (&attr_payloads); attrp; + attrp = TAILQ_NEXT(attrp, link)) + { + memcpy ((sa_buf + offset), attrp->attr_payload, attrp->sz); + offset += attrp->sz; + } + + /* + * Fill in the SA payload length now that its known. 
+ */
+ SET_GDOI_GEN_LENGTH(sa_buf, sa_len);
+
+ /*
+ * Add the SA payload, including it's extended attributes.
+ */
+ if (message_add_payload (msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
+ {
+ goto bail_out;
+ }
+ sa_buf = 0;
+ gdoi_free_attr_payloads();
+ return 0;
+
+bail_out:
+ free (buf);
+ free (sa_buf);
+ gdoi_free_attr_payloads();
+ return -1;
+}
+
+static int responder_send_HASH_NONCE_SA (struct message *msg)
+{
+ struct ipsec_sa *isa = msg->isakmp_sa->data;
+ struct hash *hash = hash_get (isa->hash);
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+
+ /*
+ * Add HASH payload
+ */
+ if (!ipsec_add_hash_payload (msg, hash->hashsize)) {
+ return -1;
+ }
+
+ /*
+ * Add NONCE payload
+ */
+ if (exchange_gen_nonce (msg, 16)) {
+ return -1;
+ }
+
+ /*
+ * Add SA payload
+ */
+ TAILQ_INIT(&ie->spis);
+ if (gdoi_add_sa_payload (msg)) {
+ return -1;
+ }
+
+ /*
+ * All payloads present and accounted for. Fill in the hash and we're done.
+ */
+ if (group_fill_in_hash (msg, INC_I_NONCE, NO_R_NONCE))
+ {
+ return -1;
+ }
+
+ return 0;
+}
+
+int gm_gap_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *arg)
+{
+ struct gdoi_exch *ie = (struct gdoi_exch *) arg;
+
+ switch (type)
+ {
+ case GDOI_GAP_SENDER_ID_REQUEST:
+ ie->num_sids = decode_16(value);
+ break;
+ default:
+ log_print ("gm_gap_decode_attribute: Attribute not valid: %d", type);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int gdoi_process_GM_GAP_payload (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct gdoi_exch *ie = exchange->data;
+ struct payload *gap_p;
+ u_int8_t *cur_p = 0;
+
+ gap_p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_GAP]);
+ if (!gap_p)
+ {
+ /*
+ * GM GAP payload is optional.
+ */ + return 0; + } + + gap_p->flags |= PL_MARK; + log_print("gdoi_process_GM_GAP_payload: Found a payload!"); + + cur_p = gap_p->p + GDOI_GEN_SZ; + attribute_map (cur_p, (GET_GDOI_GEN_LENGTH(gap_p->p) - GDOI_GEN_SZ), + gm_gap_decode_attribute, ie); + return 0; +} + +static int responder_recv_HASH (struct message *msg) +{ + struct payload *hashp; + u_int8_t *hash; + u_int8_t *pkt = msg->iov[0].iov_base; + + hashp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]); + hash = hashp->p; + hashp->flags |= PL_MARK; + + /* The HASH payload should be the first one. */ + if (hash != pkt + ISAKMP_HDR_SZ) + { + /* XXX Is there a better notification type? */ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + if (group_check_hash(msg, INC_I_NONCE, INC_R_NONCE)) + return -1; + + /* + * If a GAP payload is present, process it. + */ + if (gdoi_process_GM_GAP_payload (msg)) + { + return -1; + } + + return 0; +} + +int gdoi_add_kd_payload (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct exchange *sa_exchange = 0; + struct gdoi_exch *ie = exchange->data; + u_int8_t *seq_buf = 0; + u_int8_t *kd_buf = 0; + size_t sz, kd_pak_sz; + struct sa *sa; + struct proto *proto; + size_t total_kd_pak = 0; + u_int8_t *kd_pak_buf = 0; + u_int8_t *attr, *attr_start = 0; + u_int8_t *tmp_buf = 0; + int tmp_buf_len = 0; + struct gdoi_kd_decode_arg keys; + int foundspi; + struct tekspi *tekspi; + u_int8_t *iv_to_send, *key_to_send; + int have_counter_modes = 0; + struct gdoi_kek *stored_kek = NULL; + char *conf_field, *str; + + /* + * Start with the KD header + */ + sz = GDOI_KD_RES2_OFF+ GDOI_KD_RES2_LEN; + kd_buf = calloc (1, sz); + if (!kd_buf) + { + log_error ("gdoi_add_kd_payload: calloc (%d) failed", sz); + goto bail_out; + } + + /* + * Add the KEK policy, if one exists for the group. 
+ */ + stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0); + if (stored_kek && !(stored_kek->flags & USE_EXCH_ONLY)) + { + kd_pak_sz = GDOI_KD_PAK_SPI_SIZE_OFF + GDOI_KD_PAK_SPI_SIZE_LEN; + kd_pak_buf = calloc(1, kd_pak_sz); + if (!kd_pak_buf) + { + log_error ("gdoi_add_kd_payload: calloc (%d) failed", + kd_pak_sz); + goto bail_out; + } + SET_GDOI_KD_PAK_KD_TYPE(kd_pak_buf, GDOI_KD_TYPE_KEK); + SET_GDOI_KD_PAK_SPI_SIZE(kd_pak_buf, KEK_SPI_SIZE); + kd_pak_buf = gdoi_grow_buf(kd_pak_buf, &kd_pak_sz, + stored_kek->spi, KEK_SPI_SIZE); + + /* + * Stuff the encryption keys into an attribute block. This is an + * especially large one due to the size of the signature key. + */ + attr_start = attr = calloc(1, ATTR_SIZE * 10); + if (!attr) + { + log_error ("gdoi_add_kd_payload: " + "calloc(%d) failed", ATTR_SIZE); + goto bail_out; + } + switch(stored_kek->encrypt_alg) + { + case GDOI_KEK_ALG_3DES: + /* + * Send the current keys UNLESS flags includes the SEND_NEW_KEK + * flag. + */ + if (stored_kek->flags & SEND_NEW_KEK) + { + if (stored_kek->flags & CREATE_NEW_KEK) + { + stored_kek->next_kek_policy.encrypt_iv = malloc(DES_LENGTH); + stored_kek->next_kek_policy.encrypt_key =malloc(3*DES_LENGTH); + if (!stored_kek->next_kek_policy.encrypt_iv || + !stored_kek->next_kek_policy.encrypt_key) + { + log_error ("gdoi_add_kd_payload: " + "Can't malloc space for key or IV\n"); + goto bail_out; + } + getrandom(stored_kek->next_kek_policy.encrypt_iv, DES_LENGTH); + getrandom(stored_kek->next_kek_policy.encrypt_key, + 3*DES_LENGTH); + } + iv_to_send = stored_kek->next_kek_policy.encrypt_iv; + key_to_send = stored_kek->next_kek_policy.encrypt_key; + } + else + { + if (!stored_kek->encrypt_iv || !stored_kek->encrypt_key) + { + log_error ("gdoi_add_kd_payload: " + "Missing KEK encryption key or IV\n"); + goto bail_out; + } + iv_to_send = stored_kek->encrypt_iv; + key_to_send = stored_kek->encrypt_key; + } + + /* + * Prepend the IV + */ + tmp_buf_len = 4 * DES_LENGTH; + tmp_buf = 
malloc(tmp_buf_len); + if (!tmp_buf) + { + log_error ("gdoi_add_kd_payload: " + "malloc failed: %d bytes\n", tmp_buf_len); + goto bail_out; + } + memcpy(tmp_buf, iv_to_send, DES_LENGTH); + memcpy((tmp_buf+DES_LENGTH), key_to_send, 3*DES_LENGTH); + attr = attribute_set_var (attr, + GDOI_ATTR_KD_KEK_SECRECY_KEY, + tmp_buf, + tmp_buf_len); + free(tmp_buf); + tmp_buf = 0; + tmp_buf_len = 0; + break; + + case GDOI_KEK_ALG_AES: + if (stored_kek->flags & SEND_NEW_KEK) + { + if (stored_kek->flags & CREATE_NEW_KEK) + { + stored_kek->next_kek_policy.encrypt_iv = + malloc(stored_kek->encrypt_key_len); + stored_kek->next_kek_policy.encrypt_key = + malloc(stored_kek->encrypt_key_len); + if (!stored_kek->next_kek_policy.encrypt_iv || + !stored_kek->next_kek_policy.encrypt_key) + { + log_error ("gdoi_add_kd_payload: " + "Can't malloc space for key or IV\n"); + goto bail_out; + } + getrandom(stored_kek->next_kek_policy.encrypt_iv, + stored_kek->encrypt_key_len); + getrandom(stored_kek->next_kek_policy.encrypt_key, + stored_kek->encrypt_key_len); + } + iv_to_send = stored_kek->next_kek_policy.encrypt_iv; + key_to_send = stored_kek->next_kek_policy.encrypt_key; + } + else + { + if (!stored_kek->encrypt_iv || !stored_kek->encrypt_key) + { + log_error ("gdoi_add_kd_payload: " + "Missing KEK encryption key or IV\n"); + goto bail_out; + } + iv_to_send = stored_kek->encrypt_iv; + key_to_send = stored_kek->encrypt_key; + } + /* + * Prepend the IV + */ + tmp_buf_len = 2 * stored_kek->encrypt_key_len; + tmp_buf = malloc(tmp_buf_len); + if (!tmp_buf) + { + log_error ("gdoi_add_kd_payload: " + "malloc failed: %d bytes\n", tmp_buf_len); + goto bail_out; + } + memcpy(tmp_buf, iv_to_send, stored_kek->encrypt_key_len); + memcpy((tmp_buf+stored_kek->encrypt_key_len), + key_to_send, stored_kek->encrypt_key_len); + attr = attribute_set_var (attr, + GDOI_ATTR_KD_KEK_SECRECY_KEY, + tmp_buf, + tmp_buf_len); + free(tmp_buf); + tmp_buf = 0; + tmp_buf_len = 0; + break; + + default: + log_error 
("gdoi_add_kd_payload: " + "Unsupported KEK Algorithm type %s", + stored_kek->encrypt_alg); + goto bail_out; + break; + } + + /* + * Stuff the signature public key into the same attribute block. + */ + switch(stored_kek->sig_alg) + { + case GDOI_KEK_SIG_ALG_RSA: + attr = attribute_set_var (attr, + GDOI_ATTR_KD_KEK_SIGNATURE_KEY, + stored_kek->signature_key, + stored_kek->signature_key_len); + break; + default: + log_error ("gdoi_add_kd_payload: " + "Unsupported KEK Signature type %s", + stored_kek->sig_alg); + goto bail_out; + } + kd_pak_buf = gdoi_grow_buf(kd_pak_buf, &kd_pak_sz, + attr_start, (attr - attr_start)); + if (!kd_pak_buf) + { + goto bail_out; + } + free (attr_start); + attr_start = 0; + + /* + * Fill in KD key packet length. + */ + SET_GDOI_KD_PAK_LENGTH(kd_pak_buf, kd_pak_sz); + + /* + * Add the fully formed key packet to the KD payload + */ + kd_buf = gdoi_grow_buf((u_int8_t *)kd_buf, &sz, kd_pak_buf, kd_pak_sz); + /* + * Update the running total of KD key packets. + */ + total_kd_pak++; + } + + /* + * Add the TEK policies. + * + * The TEKs are stored in the "stored_kek" structure even if there is no KEK. + * (Perhaps it should be renamed to "stored_group_policy".) + */ + if (!stored_kek->send_exchange) + { + log_print ("gdoi_add_kd_payload: Exchange includeing SPIs not found"); + goto bail_out; + } + sa_exchange = stored_kek->send_exchange; + + /* + * Only send KD key packets for SPIs found in the SPI list attached to + * the exchange. This guarentees consistency between the payloads. + */ + tekspi = TAILQ_FIRST (&ie->spis); + while (tekspi) + { + /* + * Find the sa structure for this SPI. + * + * Note that the SPI list is attached to "exchange", but the + * SA list is attached to "sa_exchange". 
+ */ + proto = NULL; + foundspi = FALSE; + for (sa = TAILQ_FIRST (&sa_exchange->sa_list); sa; + sa = TAILQ_NEXT (sa, next)) + { + proto = TAILQ_FIRST (&sa->protos); + if (proto && (proto->spi_sz[0] == tekspi->spi_sz) && + !memcmp(proto->spi[0], tekspi->spi, tekspi->spi_sz)) + { + foundspi = TRUE; + break; + } + } + if (!foundspi) + { + log_print ("gdoi_add_kd_payload: SPI not found in SPI list"); + goto bail_out; + } + + /* + * The TEK keys are in the sa_exchange->sa_list->proto structure. + * + * Initialize the sa pointer. This appears to be the first + * convenient time to do so. + */ + proto->sa = sa; + kd_pak_sz = GDOI_KD_PAK_SPI_SIZE_OFF + GDOI_KD_PAK_SPI_SIZE_LEN; + kd_pak_buf = calloc(1, kd_pak_sz); + if (!kd_pak_buf) + { + log_error ("gdoi_add_kd_payload: calloc (%d) failed", + kd_pak_sz); + goto bail_out; + } + SET_GDOI_KD_PAK_KD_TYPE((u_int8_t *)kd_pak_buf, GDOI_KD_TYPE_TEK); + SET_GDOI_KD_PAK_SPI_SIZE((u_int8_t *)kd_pak_buf, proto->spi_sz[0]); + + kd_pak_buf = gdoi_grow_buf(kd_pak_buf, &kd_pak_sz, + proto->spi[0], proto->spi_sz[0]); + + /* + * Find the keys in the proto and stuff them in an attribute block. + */ + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr) + { + log_print ("gdoi_add_kd_payload: " + "calloc(%d) failed", ATTR_SIZE); + goto bail_out; + } + + /* + * Get this TEK's keys. + */ + memset((void *)&keys, 0, sizeof(struct gdoi_kd_decode_arg)); + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + case IPSEC_PROTO_IPSEC_AH: + if (gdoi_ipsec_get_tek_keys(&keys, proto)) + { + log_print ("gdoi_add_kd_payload: " + "Error in getting IPSEC TEK keys!"); + } + + /* + * In the case of a GDOI registration ("PULL_MODE") we may need + * to send SIDs. Since SIDs are allocated to a single GM, they are + * NEVER distributed in a rekey message. + * + * We only need to send SIDs if there is at least one ESP + * transform that is a counter mode transform. 
+ */ + if (exchange->type == GDOI_EXCH_PULL_MODE) + { + have_counter_modes = + gdoi_ipsec_is_counter_mode_tek(proto->proto, proto->id); + if (have_counter_modes < 0) + { + goto bail_out; + } + } + + break; +#ifdef IEC90_5_SUPPORT + case IPSEC_PROTO_IEC90_5: + if (gdoi_iec90_5_get_tek_keys(&keys, proto)) + { + log_print ("gdoi_add_kd_payload: " + "Error in getting IEC90-5 TEK keys!"); + } + break; +#endif +#ifdef SRTP_SUPPORT + case IPSEC_PROTO_SRTP: + if (gdoi_srtp_get_tek_keys(&keys, proto)) + { + log_print ("gdoi_add_kd_payload: " + "Error in getting SRTP TEK keys!"); + } + break; +#endif + default: + log_print ("gdoi_add_kd_payload: " + "Unsupported Protocol type %d", proto->proto); + goto bail_out; + } + + if (keys.sec_key_sz) + { + attr = attribute_set_var (attr, + GDOI_ATTR_KD_TEK_SECRECY_KEY, + keys.sec_key, keys.sec_key_sz); + } + if (keys.int_key_sz) + { + attr = attribute_set_var (attr, + GDOI_ATTR_KD_TEK_INTEGRITY_KEY, + keys.int_key, keys.int_key_sz); + } +#ifdef IEC90_5_SUPPORT + if (keys.custom_kd_payload_sz) + { + attr = attribute_set_var (attr, + keys.custom_kd_payload_type, + keys.custom_kd_payload, keys.custom_kd_payload_sz); + free(keys.custom_kd_payload); + keys.custom_kd_payload = 0; + } +#endif + kd_pak_buf = gdoi_grow_buf(kd_pak_buf, + &kd_pak_sz, attr_start, (attr - attr_start)); + if (!kd_pak_buf) + { + goto bail_out; + } + free (attr_start); + attr_start = 0; + + /* + * Fill in KD key packet length. + */ + SET_GDOI_KD_PAK_LENGTH(kd_pak_buf, kd_pak_sz); + + /* + * Add the fully formed key packet to the KD payload + */ + kd_buf = gdoi_grow_buf(kd_buf, &sz, kd_pak_buf, kd_pak_sz); + + /* + * Update the running total of KD key packets. + */ + total_kd_pak++; + + /* + * Loop maintenance + */ + gdoi_remove_spi_from_list(ie, tekspi); + tekspi = TAILQ_FIRST (&ie->spis); + } + + /* + * Add the SIDs, if needed. 
+ */ + if ((exchange->type == GDOI_EXCH_PULL_MODE) && have_counter_modes) + { + u_int32_t sid_size = 16; /* Default SID size, if not configured */ + u_int32_t num_gm_sids, max_sid_size; + int i; + + /* + * Prepare the payload. + */ + kd_pak_sz = GDOI_KD_PAK_SPI_SIZE_OFF + GDOI_KD_PAK_SPI_SIZE_LEN; + kd_pak_buf = calloc(1, kd_pak_sz); + if (!kd_pak_buf) + { + log_error ("gdoi_add_kd_payload: calloc (%d) failed", kd_pak_sz); + goto bail_out; + } + SET_GDOI_KD_PAK_KD_TYPE(kd_pak_buf, GDOI_KD_TYPE_SID); + SET_GDOI_KD_PAK_SPI_SIZE(kd_pak_buf, 0); + + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr) + { + log_print ("gdoi_add_kd_payload: calloc(%d) failed", ATTR_SIZE); + goto bail_out; + } + + /* + * Check for the SID size (in bits) and send it. + */ + conf_field = conf_get_str (exchange->policy, "GROUP-POLICY"); + if (conf_field) + { + str = conf_get_str (conf_field, "SID-SIZE"); + if (str) + { + sid_size = atoi(str); + } + } + attr = attribute_set_basic (attr, GDOI_ATTR_KD_SID_NUM_BITS, sid_size); + + /* + * Send as many unique SIDs are are needed -- either as many as the GM + * asked for, or send them one if they did not ask for any. + * + * This KS has a simple policy for dispensing unique SIDs: Start a + * counter at zero, and distribute SIDs until they run out. When the + * counter reaches its max, a less naive KS implementation would reset + * the counter, and force the GMs to re-register and get new SIDs. + */ + max_sid_size = ((u_int64_t)1 << sid_size) - 1; + num_gm_sids = (ie->num_sids > 1)? 
ie->num_sids : 1; + if ((stored_kek->sid_counter + num_gm_sids) < max_sid_size) + { + for (i=0; isid_counter, 4); + stored_kek->sid_counter++; + } + } + else + { + log_print("gdoi_add_kd_payload: Not enough SID values to send!"); + goto bail_out; + } + + kd_pak_buf = gdoi_grow_buf(kd_pak_buf, &kd_pak_sz, + attr_start, (attr - attr_start)); + if (!kd_pak_buf) + { + goto bail_out; + } + free (attr_start); + attr_start = 0; + + SET_GDOI_KD_PAK_LENGTH(kd_pak_buf, kd_pak_sz); + kd_buf = gdoi_grow_buf(kd_buf, &sz, kd_pak_buf, kd_pak_sz); + total_kd_pak++; + } + + SET_GDOI_KD_NUM_PACKETS (kd_buf, total_kd_pak); + + if (message_add_payload (msg, ISAKMP_PAYLOAD_KD, kd_buf, sz, 1)) + goto bail_out; + kd_buf = 0; + + return 0; + + bail_out: + free(kd_buf); + free(seq_buf); + free(attr_start); + gdoi_clear_spi_list(exchange); + return -1; +} + +static int responder_send_HASH_SEQ_KD (struct message *msg) +{ + struct ipsec_sa *isa = msg->isakmp_sa->data; + struct exchange *exchange = msg->exchange; + struct gdoi_exch *ie = exchange->data; + struct hash *hash = hash_get (isa->hash); + struct gdoi_kek *stored_kek; + u_int8_t *seq_buf = 0; + size_t sz; + + /* + * Add HASH payload + */ + if (!ipsec_add_hash_payload (msg, hash->hashsize)) { + return -1; + } + + /* + * Add SEQ payload if there's a rekey policy for this message + */ + stored_kek = gdoi_get_kek(ie->id_gdoi, ie->id_gdoi_sz, 0); + if (!stored_kek) + { + return -1; + } + + if (!(stored_kek->flags & USE_EXCH_ONLY)) { + sz = GDOI_SEQ_SEQ_NUM_OFF + GDOI_SEQ_SEQ_NUM_LEN; + seq_buf = calloc (1, sz); + if (!seq_buf) + { + log_error ("responder_send_HASH_SEQ_KD: calloc (%d) failed", sz); + goto bail_out; + } + SET_GDOI_SEQ_SEQ_NUM(seq_buf, stored_kek->current_seq_num); + log_print ("SENT SEQ # of: %d (PULL)", stored_kek->current_seq_num); + if (message_add_payload (msg, ISAKMP_PAYLOAD_SEQ, seq_buf, sz, 1)) + { + return -1; + } + } + + /* + * Add KD payload + */ + if (gdoi_add_kd_payload(msg)) + { + return -1; + } + + /* + * Fill 
in the hash for the HASH payload. + */ + if (group_fill_in_hash (msg, INC_I_NONCE, INC_R_NONCE)) + { + return -1; + } + + if (exchange->type == GDOI_EXCH_PULL_MODE) + { + if (stored_kek && !(stored_kek->flags & USE_EXCH_ONLY) && + !stored_kek->tek_lifetime_ev) + { + log_print("responder_send_HASH_SEQ_KD: Setup rekey message"); + /* + * Start the KEK rekey timer here. + */ + gdoi_kek_rekey_start(stored_kek); + gdoi_rekey_start(stored_kek); + } + } + + return 0; + + bail_out: + if (seq_buf) { + free(seq_buf); + } + return -1; +} diff --git a/src/gdoi_phase2.h b/src/gdoi_phase2.h new file mode 100644 index 0000000..eeae3f4 --- /dev/null +++ b/src/gdoi_phase2.h 
@@ -0,0 +1,178 @@ +/* $Id: gdoi_phase2.h,v 1.7.2.2 2011/12/12 20:43:48 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_phase2.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + + +#ifndef _GDOI_PHASE2_H_ +#define _GDOI_PHASE2_H_ +#include /* For struct in_addr */ +#include "exchange.h" /* For struct exchange */ + +#define HMAC_SHA_LENGTH 20 +#define HMAC_SHA256_LENGTH 32 +#define HMAC_MD5_LENGTH 16 + +struct message; + +extern int (*gdoi_phase2_initiator[]) (struct message *msg); +extern int (*gdoi_phase2_responder[]) (struct message *msg); + +struct tekspi { + /* Link to the next SPI in the list */ + TAILQ_ENTRY (tekspi) link; + + /* SPI info */ + u_int8_t spi_sz; + u_int8_t *spi; +}; + +/* + * Group-specific data to be linked into the exchange struct. + * XXX Should probably be two different structs, one for phase 1 and one + * for phase 2 parameters. + * + * NOTE: This must remain the same as the ipsec_exch structure except for the + * id payloads, or anything following the id payloads! A pointer of this + * type is given to ipsec_decode_attribute() which currently thinks it's + * a ipsec_exch structure. + */ +struct gdoi_exch { + u_int flags; + struct hash *hash; + struct ike_auth *ike_auth; + struct group *group; + u_int16_t prf_type; + u_int8_t pfs; /* 0 if no KEY_EXCH was proposed, 1 otherwise */ + + /* + * A copy of the initiator SA payload body for later computation of hashes. + * Phase 1 only. + */ + size_t sa_i_b_len; + u_int8_t *sa_i_b; + + /* Diffie-Hellman values. */ + size_t g_x_len; + u_int8_t *g_xi; + u_int8_t *g_xr; + u_int8_t* g_xy; + + /* SKEYIDs. XXX Phase 1 only? */ + size_t skeyid_len; + u_int8_t *skeyid; + u_int8_t *skeyid_d; + u_int8_t *skeyid_a; + u_int8_t *skeyid_e; + + /* HASH_I & HASH_R. XXX Do these need to be saved here? */ + u_int8_t *hash_i; + u_int8_t *hash_r; + + /* KEYMAT */ + size_t keymat_len; + + /* Phase 2. 
*/ + u_int8_t *id_gdoi; + size_t id_gdoi_sz; + + /* TEK Types */ + u_int8_t teks_type; /* All TEKs must be of the same type */ + + /* Number of SIDs requested by a GM */ + u_int8_t num_sids; + + /* List of SPIs sent in the SA payload for sanity checking */ + TAILQ_HEAD (spi_head, tekspi) spis; +}; + +struct gdoi_kd_decode_arg { + u_int8_t *sec_key; + u_int8_t *int_key; + size_t sec_key_sz; + size_t int_key_sz; +#ifdef IEC90_5_SUPPORT + u_int8_t *custom_kd_payload; + size_t custom_kd_payload_sz; + u_int8_t custom_kd_payload_type; +#endif +}; + +enum msg_type { REKEY, REGISTRATION }; + +void gdoi_init(void); +extern u_int8_t *group_build_id (char *, size_t *); + +/* + * Generic GDOI functions referenced by the SRTP and IPSEC code. + */ +int gdoi_decode_kd_tek_attribute (u_int16_t, u_int8_t *, u_int16_t, void *); +u_int8_t *gdoi_grow_buf(u_int8_t *, size_t *, u_int8_t *, size_t); +int gdoi_get_id(char *, int *, struct in_addr *, struct in_addr *, + u_int16_t *); +int gdoi_current_sa (u_int8_t, struct sa *); +void gdoi_free_attr_payloads(void); +int gdoi_process_SA_payload (struct message *); +int gdoi_process_KD_payload (struct message *); +int gdoi_add_spi_to_list (struct exchange *, struct sa *); + +int gdoi_setup_sa (struct sa *, struct proto **, int, int); + +#endif /* _GDOI_PHASE2_H_ */ diff --git a/src/gdoi_rekey.c b/src/gdoi_rekey.c new file mode 100644 index 0000000..e300d9c --- /dev/null +++ b/src/gdoi_rekey.c 
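Review bot: The layout contract in the comment above `struct gdoi_exch` is enforced by nothing but that comment: the struct must match `ipsec_exch` up to the id payloads because `ipsec_decode_attribute()` is handed a pointer of this type and treats it as an `ipsec_exch`. If either struct gains or reorders a leading member, the decoder would presumably read and write the wrong fields while handling attributes from a received message, and the build would not catch it. Where the toolchain allows C11, I would pin the shared prefix at compile time next to the definition, e.g. `_Static_assert(offsetof(struct gdoi_exch, keymat_len) == offsetof(struct ipsec_exch, keymat_len), "gdoi_exch/ipsec_exch prefix drift");`. This assumes `ipsec_exch` also names its last shared member `keymat_len`, which is not visible here. The alternative is to move the common leading members into one struct embedded first in both, so the aliasing no longer depends on two definitions staying in step.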
@@ -0,0 +1,2162 @@ +/* $Id: gdoi_rekey.c,v 1.12.2.1 2011/10/18 03:26:55 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoi_rekey.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + +#include "config.h" +#include +#include +#include +#include +#include "sysdep.h" +#include "conf.h" +#include "log.h" +#include "timer.h" +#include "transport.h" +#include "crypto.h" +#include "exchange.h" +#include "message.h" +#include "udp.h" +#include "log.h" +#include "isakmp_fld.h" +#include "gdoi_fld.h" +#include "gdoi_num.h" +#include "gdoi_phase2.h" +#include "gdoi.h" +#include "doi.h" +#include "sa.h" +#include "libcrypto.h" +#include "util.h" +#include "ipsec_num.h" +#include +#include +#include +#include +#include +#include + +#define UDP_SIZE 65536 + +#define REKEY_HEADER_STRING "rekey" + +/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */ +#ifndef SO_REUSEPORT +#define SO_REUSEPORT SO_REUSEADDR +#endif + +static struct transport *rekey_udp_create (char *); +extern void udp_remove (struct transport *); +extern void udp_report (struct transport *); +extern int udp_fd_set (struct transport *, fd_set *, int); +extern int udp_fd_isset (struct transport *, fd_set *); +static void rekey_udp_handle_message (struct transport *); +static int rekey_udp_send_message (struct message *); +extern void udp_get_dst (struct transport *, struct sockaddr **, int *); +extern void udp_get_src (struct transport *, struct sockaddr **, int *); +extern char *udp_decode_ids (struct transport *); +extern void exchange_enter (struct exchange *); + +static int initiator_send_SEQ_SA_KD_SIG (struct message *); +static int responder_recv_SEQ_SA_KD_SIG (struct message *); + +struct spi_proto_arg { + u_int32_t spi; + u_int8_t proto; +}; + +int (*gdoi_rekey_initiator[]) (struct message *) = { + initiator_send_SEQ_SA_KD_SIG, +}; + +int (*gdoi_rekey_responder[]) (struct message *) = { + responder_recv_SEQ_SA_KD_SIG, +}; + +static struct transport_vtbl rekey_udp_transport_vtbl = { + { 0 }, "rekey_udp", + rekey_udp_create, + udp_remove, + udp_report, + udp_fd_set, + udp_fd_isset, + rekey_udp_handle_message, + rekey_udp_send_message, + udp_get_dst, + 
udp_get_src, + udp_decode_ids +}; + +enum roles { + SENDER, + RECEIVER, +}; + +extern int compare_ids(u_int8_t *, u_int8_t *, size_t); +static struct transport *rekey_udp_make (struct gdoi_kek *, enum roles); +struct exchange *exchange_create (int, int, int, int); + + +TAILQ_HEAD (gdoi_kek_head, gdoi_kek) gdoi_kek_queue; + +void +gdoi_rekey_init (void) +{ + transport_method_add (&rekey_udp_transport_vtbl); + TAILQ_INIT (&gdoi_kek_queue); +} + +struct gdoi_kek * +gdoi_get_kek (u_int8_t *id, size_t id_len, int create) +{ + struct gdoi_kek *node; + + /* + * Sanity check + */ + if (!id) + { + log_print("gdoi_get_kek: No identity payload!"); + return 0; + } + + for (node = TAILQ_FIRST (&gdoi_kek_queue); node; + node = TAILQ_NEXT (node, link)) + { + if (compare_ids(id, node->group_id, node->group_id_len) == 0) + { + break; + } + } + + if (!node && create) + { + node = calloc(1, sizeof(struct gdoi_kek)); + if (!node) + { + return 0; + } + node->group_id_len = id_len; + node->group_id = malloc(id_len); + if (!node->group_id) + { + free(node); + return 0; + } + TAILQ_INIT(&node->deleted_sa_list); + memcpy(node->group_id, id, id_len); + TAILQ_INSERT_TAIL (&gdoi_kek_queue, node, link); + } + + return node; +} + +struct gdoi_kek * +gdoi_get_kek_by_cookies (u_int8_t *cookies) +{ + struct gdoi_kek *node; + + for (node = TAILQ_FIRST (&gdoi_kek_queue); node; + node = TAILQ_NEXT (node, link)) + { + if (strncmp((char *)cookies, (char *)node->spi, KEK_SPI_SIZE) == 0) + { + return node; + } + } + + return NULL; +} + +struct gdoi_kek * +gdoi_get_kek_by_transport (struct transport *transport) +{ + struct gdoi_kek *node; + + for (node = TAILQ_FIRST (&gdoi_kek_queue); node; + node = TAILQ_NEXT (node, link)) + { + if (transport == node->send_transport) + { + return node; + } + } + + return NULL; +} + +struct gdoi_kek * +gdoi_get_kek_by_name (char *name) +{ + struct gdoi_kek *node; + + if (!name) + { + return NULL; + } + + for (node = TAILQ_FIRST (&gdoi_kek_queue); node; + node = TAILQ_NEXT 
(node, link)) + { + if (node->exchange_name && !strcmp(name, node->exchange_name)) + { + return node; + } + } + + return NULL; +} + +/* + * Sender side only + * Open a socket to the multicast group for the purposes of joining the + * group. Then open the socket with which to send rekey messages to the + * multicast group. They must be unique. + */ +static int +gdoi_rekey_open_socket (struct gdoi_kek *kek, enum roles role) +{ + int *s; + + /* + * Sanity check the rekey fields we're going to use + */ + if ((kek->dst_addr == INADDR_NONE) || (kek->src_addr == INADDR_NONE)) + { + log_error("gdoi_rekey_open_socket: No rekey address"); + return -1; + } + if ((kek->dport == 0) || (kek->sport == 0)) + { + log_error("gdoi_rekey_open_socket: No rekey port"); + return -1; + } + + if (role == SENDER) + { + s = &kek->send_sock; + kek->send_addr.sin_family = PF_INET; + kek->send_addr.sin_port = htons(kek->sport); + kek->send_addr.sin_addr.s_addr = kek->src_addr; +#ifndef USE_OLD_SOCKADDR + kek->send_addr.sin_len = sizeof(struct sockaddr_in); +#endif + } + else + { + s = &kek->recv_sock; + kek->recv_addr.sin_family = PF_INET; + kek->recv_addr.sin_port = kek->dport; /* Leave in host order */ + kek->recv_addr.sin_addr.s_addr = kek->dst_addr; +#ifndef USE_OLD_SOCKADDR + kek->recv_addr.sin_len = sizeof(struct sockaddr_in); +#endif + } + + /* + * Setup sending side socket + */ + *s = socket (AF_INET, SOCK_DGRAM, 0); + if (*s < 0) + { + log_error("gdoi_rekey_open_socket: Socket open failed"); + return -1; + } + + return 0; +} + +static void +rekey_crypto_encrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) +{ + LOG_DBG_BUF ((LOG_CRYPTO, 10, "rekey_crypto_encrypt: before encryption", buf, + len)); + ks->xf->encrypt (ks, buf, len); + memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 30, "rekey_crypto_encrypt: after encryption", buf, + len)); +} + +void +rekey_crypto_decrypt (struct keystate *ks, u_int8_t *buf, u_int16_t len) +{ + 
LOG_DBG_BUF ((LOG_CRYPTO, 10, "rekey_crypto_decrypt: before decryption", buf, + len)); + memcpy (ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); + ks->xf->decrypt (ks, buf, len);; + LOG_DBG_BUF ((LOG_CRYPTO, 30, "rekey_crypto_decrypt: after decryption", buf, + len)); +} + +/* + * Encrypt an outgoing message MSG. As outgoing messages are represented + * with an iovec with one segment per payload, we need to coalesce them + * into just une buffer containing all payloads and some padding before + * we encrypt. + */ +static int +gdoi_rekey_message_encrypt (struct message *msg, struct gdoi_kek *stored_kek) +{ + struct exchange *exchange = msg->exchange; + size_t sz = 0; + u_int8_t *buf; + int i; + enum cryptoerr err; + + /* If no payloads, nothing to do. */ + if (msg->iovlen == 1) { + log_print ("gdoi_rekey_message_encrypt: No payloads to encrypt!"); + return -1; + } + + /* + * Setup the crypto vectors based on the algorithm. We have to translate + * The GDOI algorithm number to the IKE one in order to use the crypto + * routines.... + */ + switch (stored_kek->encrypt_alg) + { + case GDOI_KEK_ALG_3DES: + exchange->crypto = crypto_get(TRIPLEDES_CBC); + break; + case GDOI_KEK_ALG_AES: + if (stored_kek->encrypt_key_len == AES128_LENGTH) + { + exchange->crypto = crypto_get(AES_CBC_128); + } + else + { + log_error ("decode_kd_kek_attribute: Unsupported AES key length %d", + stored_kek->encrypt_key_len); + return -1; + } + break; + default: + log_error ("decode_kd_kek_attribute: " + "Unknown KEK secrecy algorithm: %d", stored_kek->encrypt_alg); + return -1; + } + exchange->keystate = crypto_init (exchange->crypto, stored_kek->encrypt_key, + exchange->crypto->keymax, &err); + /* + * RFC 3547 specifies a static IV for the rekey. It is unfortuanate, but + * there isn't an easy placae to insert a dynamic IV into the ISAKMP header. + * Re-install the static IV into the crypto state each time we do an + * encryption. 
+ */ + crypto_init_iv (exchange->keystate, stored_kek->encrypt_iv, + exchange->keystate->xf->blocksize); + + /* + * For encryption we need to put all payloads together in a single buffer. + * This buffer should be padded to the current crypto transform's blocksize. + */ + for (i = 1; i < msg->iovlen; i++) + sz += msg->iov[i].iov_len; + sz = ((sz + exchange->crypto->blocksize - 1) / exchange->crypto->blocksize) + * exchange->crypto->blocksize; + buf = realloc (msg->iov[1].iov_base, sz); + if (!buf) + { + log_error ("message_encrypt: realloc (%p, %d) failed", + msg->iov[1].iov_base, sz); + return -1; + } + msg->iov[1].iov_base = buf; + for (i = 2; i < msg->iovlen; i++) + { + memcpy (buf + msg->iov[1].iov_len, msg->iov[i].iov_base, + msg->iov[i].iov_len); + msg->iov[1].iov_len += msg->iov[i].iov_len; + free (msg->iov[i].iov_base); + } + + /* Pad with zeroes. */ + memset (buf + msg->iov[1].iov_len, '\0', sz - msg->iov[1].iov_len); + msg->iov[1].iov_len = sz; + msg->iovlen = 2; + + SET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base, + GET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base) + | ISAKMP_FLAGS_ENC); + SET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz); + rekey_crypto_encrypt (exchange->keystate, buf, msg->iov[1].iov_len); + msg->flags |= MSG_ENCRYPTED; + + return 0; +} + +/* + * Read the keypair file and stuff it into the stored KEK suitable for + * use with openssl. + * + * Also create a DER version of the public key (according to PKCS 2.0) + * for sending to the group members. + */ +int gdoi_read_keypair (u_int8_t *infile, struct gdoi_kek *stored_kek) +{ + BIO *in=NULL, *out=NULL; + BUF_MEM *buf_mem=NULL; + + /* + * Open the DER based key file and get the keypair. 
+ */ + in = BIO_new (BIO_s_file()); + if (!in) + { + log_print ("gdoi_read_keypair: " + "BIO_new(BIO_s_file()) failed"); + return -1; + } + + if (BIO_read_filename (in, infile) <= 0) + { + log_print ("gdoi_read_keypair: " + "BIO_read_filename (in, \"%s\") failed", + infile); + BIO_free (in); + return -1; + } + + stored_kek->rsa_keypair = d2i_RSAPrivateKey_bio(in,NULL); + if (!stored_kek->rsa_keypair) + { + log_print ("gdoi_read_keypair: " + "d2i_RSAPrivateKey_bio failed"); + BIO_free (in); + return -1; + } + + BIO_free (in); + + /* + * Now create a PKCS 2.0 version of the public key + */ + + out = BIO_new (BIO_s_mem()); + + if (!i2d_RSA_PUBKEY_bio(out,stored_kek->rsa_keypair)) + { + log_print ("gdoi_read_keypair: " + "i2d_RSA_PUBKEY_bio failed"); + return -1; + } + + BIO_get_mem_ptr(out, &buf_mem); + + stored_kek->signature_key_len = buf_mem->length; + stored_kek->signature_key = calloc(1, stored_kek->signature_key_len); + if (!stored_kek->signature_key) + { + log_error ("gdoi_get_kek_policy: " + "calloc failed (%d)", stored_kek->signature_key_len); + BIO_free (out); + return -1; + } + + memcpy(stored_kek->signature_key, buf_mem->data, + stored_kek->signature_key_len); + stored_kek->signature_key_modulus_size = + BN_num_bits(stored_kek->rsa_keypair->n); + BIO_free (out); + return 0; +} + +int gdoi_store_pubkey (u_int8_t *der, int der_len, struct gdoi_kek *stored_kek) +{ + BIO *in=NULL; + BUF_MEM *buf_mem; + u_int8_t *der_copy; + + /* + * Only support RSA for now. 
+ */
+ if (stored_kek->sig_alg != GDOI_KEK_SIG_ALG_RSA)
+ {
+ log_print ("gdoi_store_keypair: Unsupported signature algorithm!");
+ return -1;
+ }
+
+ in = BIO_new (BIO_s_mem());
+
+ buf_mem = malloc(sizeof(BUF_MEM));
+ if (!buf_mem)
+ {
+ log_error ("gdoi_store_pubkey: "
+ "malloc failed (%d)", sizeof(BUF_MEM));
+ return -1;
+ }
+ der_copy = malloc(der_len);
+ if (!der_copy)
+ {
+ log_error ("gdoi_store_pubkey: "
+ "malloc failed (%d)", der_len);
+ BIO_free (in);
+ return -1;
+ }
+ memcpy(der_copy, der, der_len);
+ buf_mem->data = (char *)der_copy;
+ buf_mem->length = der_len;
+ buf_mem->max = der_len;
+ BIO_set_mem_buf(in, buf_mem, der_len);
+
+ /*
+ * Store the public key in the stored_kek. This is not really a
+ * "keypair", but we're re-using the key server structure so it's
+ * named oddly.
+ */
+ stored_kek->rsa_keypair = d2i_RSA_PUBKEY_bio(in,NULL);
+ if (!stored_kek->rsa_keypair)
+ {
+ log_print ("gdoi_store_keypair: "
+ "d2i_RSA_PUBKEY_bio failed");
+ BIO_free (in);
+ free(der_copy);
+ return -1;
+ }
+
+ /*
+ * Validate that the size of the keypair matches what we were told in
+ * the SA payload.
+ */
+ if (BN_num_bits(stored_kek->rsa_keypair->n) !=
+ stored_kek->signature_key_modulus_size)
+ {
+ log_print ("gdoi_store_pubkey: Modulus size of signature key "
+ "doesn't match the SA payload policy. Expected %d "
+ "got %d", stored_kek->signature_key_modulus_size,
+ BN_num_bits(stored_kek->rsa_keypair->n));
+ return -1;
+ }
+
+ /*
+ * The mem_buf pointer (der_copy) seems to be freed as part of BIO_free.
+ */
+ BIO_free (in);
+ return 0;
+}
+
+extern int gdoi_add_sa_payload (struct message *);
+extern int gdoi_add_kd_payload (struct message *);
+
+static int gdoi_add_sig_payload (struct message *msg,
+ struct gdoi_kek *stored_kek)
+{
+ struct hash *hash;
+ u_int8_t *buf;
+ u_int32_t datalen = 0, sig_bytes;
+ u_int8_t hdr[ISAKMP_HDR_SZ];
+ int i;
+ char header[80];
+ u_int8_t *data;
+
+ /*
+ * Calculate the hash over the "rekey" prefix, IKE header, and payloads.
+ */
+ hash = hash_get(xlate_gdoi_hash(stored_kek->sig_hash_alg));
+ buf = malloc (hash->hashsize);
+ if (!buf)
+ {
+ log_error ("gdoi_add_sig_payload: "
+ "malloc (%d) failed", hash->hashsize);
+ }
+
+ /* Start with the characters in 'rekey' */
+ hash->Init (hash->ctx);
+ LOG_DBG_BUF ((LOG_MISC, 90, "gdoi_add_sig_payload: 'rekey'",
+ (u_int8_t *)REKEY_HEADER_STRING, strlen(REKEY_HEADER_STRING)));
+ hash->Update (hash->ctx, (u_int8_t *)REKEY_HEADER_STRING,
+ strlen(REKEY_HEADER_STRING));
+
+ /*
+ * The header must be adjusted in the following ways in order to match
+ * what the receiver will be hashing:
+ * 1) The length must include the size of the SIG payload. The size of the
+ * SIG payload will be the size of the modulus + 4 bytes for the SIG
+ * payload header.
+ * 2) The encrypted bit will be enabled.
+ */
+ if (msg->iov[0].iov_len != ISAKMP_HDR_SZ)
+ {
+ log_print("gdoi_add_sig_payload: GDOI header length incorrect");
+ return -1;
+ }
+ memcpy(hdr, msg->iov[0].iov_base, ISAKMP_HDR_SZ);
+
+ /*
+ * Adjust the length
+ */
+ sig_bytes = (BN_num_bits(stored_kek->rsa_keypair->n) / 8) + ISAKMP_GEN_SZ;
+ SET_ISAKMP_HDR_LENGTH(hdr, GET_ISAKMP_HDR_LENGTH(hdr) + sig_bytes);
+ /*
+ * Fix the encrypted bit
+ */
+ SET_ISAKMP_HDR_FLAGS (hdr, GET_ISAKMP_HDR_FLAGS (hdr) | ISAKMP_FLAGS_ENC);
+
+ LOG_DBG_BUF ((LOG_MISC, 90, "gdoi_add_sig_payload: 'ISAKMP header'",
+ hdr, ISAKMP_HDR_SZ));
+ hash->Update (hash->ctx, hdr, ISAKMP_HDR_SZ);
+
+ /* Loop over all payloads including the HDR.
*/
+ for (i = 1; i < msg->iovlen; i++)
+ {
+ snprintf (header, 80, "gdoi_add_sig_payload: payload %d",
+ i);
+ LOG_DBG_BUF ((LOG_MISC, 90, header,
+ msg->iov[i].iov_base, msg->iov[i].iov_len));
+ hash->Update (hash->ctx, msg->iov[i].iov_base, msg->iov[i].iov_len);
+ }
+
+ hash->Final (buf, hash->ctx);
+ LOG_DBG_BUF ((LOG_NEGOTIATION, 80,
+ "gdoi_add_sig_payload: computed hash", buf, hash->hashsize));
+
+ /*
+ * Sign the packet following the model in rsa_sig_encode_hash()
+ */
+ if (!stored_kek->rsa_keypair)
+ {
+ log_print("gdoi_add_sig_payload: No private key found!");
+ return -1;
+ }
+
+ data = malloc (sig_bytes);
+ if (!data)
+ {
+ log_error ("gdoi_add_sig_payload: malloc (%d) failed",
+ RSA_size (stored_kek->rsa_keypair));
+ return -1;
+ }
+
+ /*
+ * The signing parameters aren't well specified in the GDOI draft. There
+ * are several PKCS#1 v2.0 parameters for padding. Here we've chosen
+ * the one named "EMSA-PKCS1-v1_5" in PKCS#1 v2.
+ */
+ datalen = RSA_private_encrypt (hash->hashsize, buf, (data+ISAKMP_SIG_SZ),
+ stored_kek->rsa_keypair, RSA_PKCS1_PADDING);
+
+ if (datalen != (BN_num_bits(stored_kek->rsa_keypair->n) / 8))
+ {
+ log_error ("gdoi_add_sig_payload: signing failed");
+ }
+
+ if (message_add_payload (msg, ISAKMP_PAYLOAD_SIG, data, sig_bytes, 1))
+ {
+ free(data);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Check if SA matches what we are asking for through V_ARG. It has to
+ * be a finished phase 2 SA.
+ * Modelled after ipsec_sa_check.
+ *
+ * Note that for GDOI we don't have a "destination" to compare against, simply
+ * a SPI and protocol. This is accordance with RFC 4301 where the SA lookup is
+ * simply {SPI, protocol}.
+ */
+static int
+gdoi_sa_check (struct sa *sa, void *v_arg)
+{
+ struct spi_proto_arg *arg = v_arg;
+ struct proto *proto;
+
+ if (sa->phase != 2 || !(sa->flags & SA_FLAG_READY))
+ return 0;
+
+ for (proto = TAILQ_FIRST (&sa->protos); proto;
+ proto = TAILQ_NEXT (proto, link))
+ if ((arg->proto == 0 || proto->proto == arg->proto)
+ && memcmp (proto->spi[0], &arg->spi, sizeof arg->spi) == 0)
+ return 1;
+ return 0;
+}
+
+/*
+ * Find an SA with a "name" of SPI & PROTO.
+ * Modelled after ipsec_sa_lookup
+ * */
+struct sa *
+gdoi_sa_lookup (u_int32_t spi, u_int8_t proto)
+{
+ struct spi_proto_arg arg = { spi, proto };
+
+ return sa_find (gdoi_sa_check, &arg);
+}
+
+/*
+ * delete all SA's from addr with the associated proto and SPI's
+ * Modeled after ispec_delete_spi_list.
+ *
+ * spis[] is an array of SPIs of size 16-octet for proto ISAKMP
+ * or 4-octet otherwise.
+ */
+static void
+gdoi_delete_spi_list (struct sockaddr *addr, u_int8_t proto,
+ u_int8_t *spis, int nspis, char *type)
+{
+ struct sa *sa;
+ int i;
+
+ for (i = 0; i < nspis; i++)
+ {
+ if (proto == ISAKMP_PROTO_ISAKMP)
+ {
+ u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN;
+
+ sa = sa_lookup_isakmp_sa (addr, spi);
+ if (sa == NULL)
+ {
+ LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: "
+ "could not locate IKE SA (SPI %08x, proto %u)",
+ spi, proto));
+ continue;
+ }
+ }
+ else
+ {
+ u_int32_t spi = ((u_int32_t *)spis)[i];
+
+ sa = gdoi_sa_lookup (spi, proto);
+ if (sa == NULL)
+ {
+ LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: "
+ "could not locate IPsec SA (SPI %04x, proto %u)",
+ ntohl(spi), proto));
+ continue;
+ }
+ }
+
+ /* Delete the SA and search for the next */
+ LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: "
+ "%s made us delete SA %p (%d references) for proto %d",
+ type, sa, sa->refcnt, proto));
+
+ sa_free (sa);
+ }
+}
+/*
+ * Look for an deleted SA in the given group that matches a particular
+ * DOI and protocol type. (Protocol_type can be 0 for "no protocol".)
+ */
+static struct deleted_sa *find_deleted_sa (struct gdoi_kek *stored_kek,
+ u_int32_t doi,
+ u_int8_t protocol_type)
+{
+ struct deleted_sa *del_sa;
+
+ for(del_sa = TAILQ_FIRST (&stored_kek->deleted_sa_list); del_sa;
+ del_sa = TAILQ_NEXT (del_sa, link))
+ {
+ if ((del_sa->doi == doi) && (del_sa->protocol_type == protocol_type))
+ {
+ return del_sa;
+ }
+ }
+
+ /*
+ * No matching SAs found.
+ */
+ return NULL;
+}
+
+/*
+ * Add a delete payload, if there are deleted SAs matching the DOI & protocol
+ * id.
+ * Return values:
+ * -1 = error
+ * 0 = no delete payloads added
+ * 1 = delete payloads added
+ */
+static int
+gdoi_create_delete_payload(struct message *msg, struct gdoi_kek *stored_kek,
+ u_int32_t doi, u_int8_t protocol_type,
+ size_t spi_sz)
+{
+ int spi_count = 0;
+ u_int8_t *buf;
+ struct deleted_sa *del_sa;
+ size_t sz;
+
+ if (!find_deleted_sa(stored_kek, doi, protocol_type))
+ {
+ return 0;
+ }
+
+ /*
+ * Allocate the DELETE header
+ */
+ sz = ISAKMP_DELETE_SZ; /* Allocate the DELETE header */
+ buf = malloc(sz);
+ if (!buf)
+ {
+ log_error ("gdoi_add_delete_payload: Malloc of DELETE hdr failed");
+ return -1;
+ }
+
+ /*
+ * Setup as much header as possible
+ */
+ SET_ISAKMP_DELETE_DOI (buf, GROUP_DOI_GDOI);
+ SET_ISAKMP_DELETE_PROTO (buf, protocol_type);
+ SET_ISAKMP_DELETE_SPI_SZ (buf, spi_sz);
+
+ while ((del_sa = find_deleted_sa(stored_kek, doi, protocol_type)))
+ {
+ sz += spi_sz;
+ buf = realloc(buf, sz);
+ if (!buf)
+ {
+ log_error ("gdoi_add_delete_payload: Realloc of %d failed", sz);
+ return -1;
+ }
+ memcpy(buf+sz-spi_sz, del_sa->spi, spi_sz);
+ TAILQ_REMOVE (&stored_kek->deleted_sa_list, del_sa, link);
+ free(del_sa);
+ spi_count++;
+ }
+
+ SET_ISAKMP_DELETE_NSPIS(buf, spi_count);
+
+ if (message_add_payload (msg, ISAKMP_PAYLOAD_DELETE, buf, sz, 1)) {
+ free(buf);
+ return -1;
+ }
+
+ return 1;
+}
+
+/*
+ * This function may actually create several different DELETE paylaods:
+ * a) One payload per DOI is required (i.e., GDOI TEKs, GDOI
Rekey SA)
+ * b) If within the GDOI TEKs there are multiple Protocols (e.g., AH/ESP),
+ * there must be a unique payload per Protocol ID.
+ * Therefore, if a KEK SPI, ESP SPI, and AH SPI are all deleted this will
+ * result in 3 DELETE paylaods.
+ */
+static int
+gdoi_add_delete_payloads(struct message *msg, struct gdoi_kek *stored_kek,
+ int *added)
+{
+ int ret;
+
+ /*
+ * Deleted ESP SAs
+ */
+ ret = gdoi_create_delete_payload(msg, stored_kek, GROUP_DOI_GDOI,
+ GDOI_TEK_PROT_PROTO_IPSEC_ESP, 4);
+ if (ret < 0) return -1;
+ if (ret == 1) *added += 1;
+
+ /*
+ * Deleted AH SAs
+ */
+ ret = gdoi_create_delete_payload(msg, stored_kek, GROUP_DOI_GDOI,
+ GDOI_TEK_PROT_PROTO_IPSEC_AH, 4);
+ if (ret < 0) return -1;
+ if (ret == 1) *added +=1;
+
+ /*
+ * Deleted KEK SAs
+ */
+ ret = gdoi_create_delete_payload(msg, stored_kek, ISAKMP_DOI_ISAKMP, 0,
+ KEK_SPI_SIZE);
+ if (ret < 0) return -1;
+ if (ret == 1) *added +=1;
+
+ return 0;
+}
+
+/*
+ * Handle a delete payload.
+ * Extracted from ipsec_handle_leftover_payload().
+ */
+int
+gdoi_process_delete_payload (struct message *msg, struct payload *payload)
+{
+ u_int32_t spisz, nspis;
+ struct sockaddr *dst;
+ socklen_t dstlen;
+ u_int8_t *spis, proto, ipsec_proto;
+
+ proto = GET_ISAKMP_DELETE_PROTO (payload->p);
+ nspis = GET_ISAKMP_DELETE_NSPIS (payload->p);
+ spisz = GET_ISAKMP_DELETE_SPI_SZ (payload->p);
+
+ payload->flags |= PL_MARK;
+
+ if (nspis == 0)
+ {
+ LOG_DBG ((LOG_SA, 60, "gdoi_process_delete_payload: message "
+ "specified zero SPIs, ignoring"));
+ return -1;
+ }
+
+ /* verify proper SPI size */
+ switch (proto)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ if (spisz != sizeof (u_int32_t))
+ {
+ log_print ("gdoi_process_delete_payload: invalid IPsec SPI size %d"
+ " for proto %d in DELETE payload", spisz, proto);
+ return -1;
+ }
+ break;
+ case ISAKMP_DOI_ISAKMP:
+ if (spisz != ISAKMP_HDR_COOKIES_LEN)
+ {
+ log_print ("gdoi_process_delete_payload: "
+ "invalid IKE SPI size %d for proto %d in DELETE payload",
+ spisz, proto);
+ return -1;
+ }
+ break;
+ default:
+ log_print ("gdoi_process_delete_payload: "
+ "Unknown proto %d in DELETE payload", proto);
+ return -1;
+ }
+
+ spis = (u_int8_t *)malloc (nspis * spisz);
+ if (!spis)
+ {
+ log_error ("gdoi_process_delete_payload: malloc (%d) failed",
+ nspis * spisz);
+ return -1;
+ }
+
+ /* extract SPI and get dst address */
+ memcpy (spis, payload->p + ISAKMP_DELETE_SPI_OFF, nspis * spisz);
+ msg->transport->vtbl->get_dst (msg->transport, &dst, (int *)&dstlen);
+
+ /* need to convert GDOI proto to IPsec proto ID */
+ switch (proto)
+ {
+ case GDOI_TEK_PROT_PROTO_IPSEC_ESP:
+ ipsec_proto = IPSEC_PROTO_IPSEC_ESP;
+ break;
+ case GDOI_TEK_PROT_PROTO_IPSEC_AH:
+ ipsec_proto = IPSEC_PROTO_IPSEC_AH;
+ break;
+ case ISAKMP_DOI_ISAKMP:
+ default: /* did error checking above */
+ ipsec_proto = proto;
+ break;
+ }
+ gdoi_delete_spi_list (dst, ipsec_proto, spis, nspis, "DELETE");
+
+ free (spis);
+
+ return 0;
+}
+
+/*
+ * The current hardcoded
policy for rekey is to send new SPIs and keys for
+ * orginal policy in the configuration file. To do that, we use the same code
+ * as the registration message to get the SAs, expect the behavior for the
+ * SPIs and keys is different.
+ */
+static int
+initiator_send_SEQ_SA_KD_SIG (struct message *msg)
+{
+ struct payload *p;
+ struct gdoi_kek *stored_kek;
+ u_int8_t *seq_buf = 0;
+ size_t sz;
+ int have_delete_payloads = 0;
+
+ /*
+ * Find the KEK. The only search value we have is the transport address,
+ * which is fixed in the KEK, and installed in the msg by the GDOI message
+ * initiating logic.
+ */
+ stored_kek = gdoi_get_kek_by_transport(msg->transport);
+ if (!stored_kek)
+ {
+ log_print ("initiator_send_SEQ_SA_KD_SIG: SA not found in rekey SA list");
+ return -1;
+ }
+
+ /*
+ * Add SEQ payload with the current sequence number & then increment it for
+ * the next time.
+ */
+ sz = GDOI_SEQ_SEQ_NUM_OFF + GDOI_SEQ_SEQ_NUM_LEN;
+ seq_buf = calloc (1, sz);
+ if (!seq_buf)
+ {
+ log_error ("initiator_send_SEQ_SA_KD_SIG: calloc (%d) failed", sz);
+ goto bail_out;
+ }
+ /*
+ * The reciever will check that the next one is greater than the value sent
+ * in the registration message. Therefore we must increment the seq value
+ * BEFORE sending it in this message.
+ */
+ stored_kek->current_seq_num++;
+ SET_GDOI_SEQ_SEQ_NUM(seq_buf, stored_kek->current_seq_num);
+ log_print ("SENT SEQ # of: %d (PUSH)", stored_kek->current_seq_num);
+ if (message_add_payload (msg, ISAKMP_PAYLOAD_SEQ, seq_buf, sz, 1)) {
+ return -1;
+ }
+
+ if (gdoi_add_delete_payloads(msg, stored_kek, &have_delete_payloads)) {
+ return -1;
+ }
+
+ /*
+ * Don't send SA/KD payloads if we're just cleaning up the group.
+ */
+ if ((stored_kek->flags & CLEANING_UP))
+ {
+ if (!have_delete_payloads)
+ {
+ log_print ("initiator_send_SEQ_SA_KD_SIG: Cleaning up, but no"
+ " delete payloads found.
Aborting - Nothing to do.");
+ return -1;
+ }
+
+ /*
+ * Fixup the last DELETE payload "next payload" so that the hash of the
+ * DELETE payload is correct. This needs to be set before going to
+ * the signature code.
+ */
+ p = TAILQ_LAST (&msg->payload[ISAKMP_PAYLOAD_DELETE], payload_head);
+ if (!p)
+ {
+ log_print("initiator_send_SEQ_SA_KD_SIG: DELETE payload missing");
+ return -1;
+ }
+ SET_ISAKMP_GEN_NEXT_PAYLOAD(p->p, ISAKMP_PAYLOAD_SIG);
+ }
+ else
+ {
+ /*
+ * Add the SA payload from the config file.
+ */
+ if (gdoi_add_sa_payload(msg)) {
+ return -1;
+ }
+
+ /*
+ * Add the KD payload from the config file.
+ */
+ if (gdoi_add_kd_payload(msg)) {
+ return -1;
+ }
+
+ /*
+ * Fixup the KD payload "next payload" so that the hash of the KD
+ * payload is correct. This needs to be set before going to the
+ * signature code.
+ */
+ p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_KD]);
+ if (!p)
+ {
+ log_print("initiator_send_SEQ_SA_KD_SIG: KD payload missing");
+ return -1;
+ }
+ SET_ISAKMP_GEN_NEXT_PAYLOAD(p->p, ISAKMP_PAYLOAD_SIG);
+ }
+
+ /*
+ * Add the SIG payload and sign it.
+ */
+ if (gdoi_add_sig_payload(msg, stored_kek)) {
+ return -1;
+ }
+
+ if (gdoi_rekey_message_encrypt(msg, stored_kek)) {
+ return -1;
+ }
+
+ return 0;
+
+bail_out:
+ if (seq_buf) {
+ free(seq_buf);
+ }
+ return -1;
+}
+
+int
+gdoi_rekey_setup_exchange (struct gdoi_kek *kek)
+{
+ struct gdoi_exch *ie;
+
+ kek->send_exchange =
+ exchange_create (1, 0, GROUP_DOI_GDOI, GDOI_EXCH_PUSH_MODE);
+ if (!kek->send_exchange)
+ {
+ log_print("gdoi_rekey_setup_exchange: exchange creation failed");
+ return -1;
+ }
+ memcpy (kek->send_exchange->cookies, kek->spi, ISAKMP_HDR_COOKIES_LEN);
+ ie = kek->send_exchange->data;
+ ie->id_gdoi_sz = kek->group_id_len;
+ ie->id_gdoi = calloc (1, ie->id_gdoi_sz);
+ memcpy(ie->id_gdoi, kek->group_id, ie->id_gdoi_sz);
+ kek->send_exchange->initiator = 1;
+ exchange_enter (kek->send_exchange);
+ TAILQ_INIT(&ie->spis);
+ return 0;
+}
+
+/*
+ * Delete an SA from the list, and insert it on the KEK deleted SA list.
+ */
+int
+gdoi_add_deleted_sa (struct gdoi_kek *kek, struct sa *sa)
+{
+ struct proto *proto;
+ struct deleted_sa *del_sa;
+
+ proto = TAILQ_FIRST (&sa->protos);
+ if (!proto)
+ {
+ log_print("gdoi_add_deleted_sa: No proto found for SA %#x", sa);
+ return -1;
+ }
+
+ log_print("gdoi_add_deleted_sa: Deleting SPI (SA) %u (%d) (%#x) for sa %#x",
+ decode_32(proto->spi[0]), decode_32(proto->spi[0]),
+ decode_32(proto->spi[0]), sa);
+
+ del_sa = malloc(sizeof(struct deleted_sa));
+ if (!del_sa)
+ {
+ log_print("gdoi_add_deleted_sa: deleted SA malloc failure");
+ return -1;
+ }
+ /*
+ * RFC 3547 says the DOI must be GDOI except for a KEK SPI, which
+ * must be zero. Protocol IDs within the GDOI DOI come from Section 5.4 of
+ * RFC 3547.
+ */
+ del_sa->doi = GROUP_DOI_GDOI;
+ /*
+ * Insert the SPIs in network byte order. This is the last convenient
+ * place to know what size the SPI should be by protocol type.
+ */
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ del_sa->protocol_type = GDOI_TEK_PROT_PROTO_IPSEC_ESP;
+ if (proto->spi_sz[0] != 4)
+ {
+ log_error("gdoi_add_deleted_sa: Wrong ESP SPI size %d",
+ proto->spi_sz[0]);
+ return -1;
+ }
+ memcpy(del_sa->spi, proto->spi[0], proto->spi_sz[0]);
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ del_sa->protocol_type = GDOI_TEK_PROT_PROTO_IPSEC_AH;
+ if (proto->spi_sz[0] != 4)
+ {
+ log_error("gdoi_add_deleted_sa: Wrong AH SPI size %d",
+ proto->spi_sz[0]);
+ return -1;
+ }
+ memcpy(del_sa->spi, proto->spi[0], proto->spi_sz[0]);
+ break;
+ default:
+ log_error("gdoi_add_deleted_sa: Unsupported protocol %d",
+ proto->proto);
+ free(del_sa);
+ return -1;
+ }
+ TAILQ_INSERT_TAIL (&kek->deleted_sa_list, del_sa, link);
+ sa_free(sa);
+
+ return 0;
+}
+
+static int
+gdoi_rekey_send_msg (struct gdoi_kek *kek)
+{
+ struct message *msg;
+
+ if (!kek->send_sock)
+ {
+ /*
+ * Open a socket for sending
+ */
+ if (gdoi_rekey_open_socket(kek, SENDER) <0)
+ {
+ log_print("gdoi_rekey_send_msg: Socket open failed");
+ return -1;
+ }
+ }
+ if (!kek->send_transport)
+ {
+ kek->send_transport = rekey_udp_make (kek, SENDER);
+ if (!kek->send_transport)
+ {
+ log_print("gdoi_rekey_send_msg: transport creation failed");
+ return -1;
+ }
+ }
+ if (!kek->send_exchange)
+ {
+ if (gdoi_rekey_setup_exchange(kek))
+ {
+ return -1;
+ }
+ }
+ else
+ {
+ /*
+ * Reset the exchange "PC" to the beginning. This is necssary because
+ * we're re-using the exchange structure for each rekey so that we can
+ * accumulate SAs in one exchange.
+ *
+ * This assumes that we are never working on more than 1 rekey message
+ * for a particular group at any one time ....
+ */
+ kek->send_exchange->exch_pc = (int16_t *)exchange_script (kek->send_exchange);
+ kek->send_exchange->step = 0;
+ }
+ msg = message_alloc (kek->send_transport, 0, ISAKMP_HDR_SZ);
+ msg->exchange = kek->send_exchange;
+ message_setup_header (msg, GDOI_EXCH_PUSH_MODE, ISAKMP_FLAGS_ENC,
+ kek->send_exchange->message_id);
+ exchange_run (msg);
+ return 0;
+}
+
+/*
+ * Delete GDOI SAs and send a rekey with delete payloads & new SAs matching
+ * the policy.
+ *
+ * Called from receiving a TERM signal.
+ *
+ * NOTE: If the group has no KEK (i.e., no rekey) then there is no point in
+ * "deleting" the SAs because we can't send a rekey anyway. Therefore, this
+ * code does not deal with group which have no rekey.
+ */
+void gdoi_rekey_delete_sas (fd_set *wfds)
+{
+ struct gdoi_kek *kek;
+ struct sa *sa;
+
+ for (kek = TAILQ_FIRST(&gdoi_kek_queue); kek;
+ kek = TAILQ_NEXT (kek, link))
+ {
+ if (!kek->send_exchange)
+ {
+ /*
+ * Not a key server for this group.
+ */
+ continue;
+ }
+ log_print("gdoi_rekey_delete_sas: Deleting SAs and Sending a rekey "
+ "with DELETE paylaods for exchange %s",
+ (kek->exchange_name ? kek->exchange_name : "unknown"));
+ /*
+ * Find the TEKs associated with the rekey exchange.
+ */
+ sa = TAILQ_FIRST (&kek->send_exchange->sa_list);
+ while (sa)
+ {
+ gdoi_add_deleted_sa(kek, sa);
+ LOG_DBG ((LOG_SA, 60, "gdoi_rekey_delete_sas: "
+ "freeing SA %p from exchange %p",
+ sa, kek->send_exchange));
+ sa_release(sa);
+ sa = TAILQ_NEXT (sa, next);
+ }
+ kek->flags |= CLEANING_UP;
+ gdoi_rekey_send_msg(kek);
+ udp_fd_set(kek->send_transport, wfds, 1);
+ }
+
+ return;
+}
+
+static void
+gdoi_kek_rekey_sender (void *vkek)
+{
+ struct gdoi_kek *kek = vkek;
+
+ log_print("gdoi_kek_rekey_sender: Timer sprung!!!");
+ /*
+ * Careful! Need to generate a rekey message using the OLD KEK keys, but
+ * delivering the NEW key keys.
+ *
+ * TODO: We should re-transmit this a couple of times in case of packet loss.
+ * If we send it once and a device misses it, it won't be able to decrypt
+ * future KEKs and will be forced to re-register.
+ *
+ * Using seperate flags for creating and sending a new KEK allows us to
+ * later do re-transmits of the new KEK info.
+ */
+ kek->flags |= CREATE_NEW_KEK|SEND_NEW_KEK;
+ if (gdoi_rekey_send_msg (kek) < 0)
+ {
+ log_print("gdoi_rekey_sender: Error in sending msg - Aborting");
+ return;
+ }
+ gdoi_kek_rekey_start (kek);
+ /*
+ * Clean up flags
+ */
+ kek->flags &= ~(CREATE_NEW_KEK|SEND_NEW_KEK);
+ /*
+ * Install the new SPI and clean up.
+ */
+ memcpy(kek->spi, &kek->next_kek_policy.spi, KEK_SPI_SIZE);
+ memset(&kek->next_kek_policy.spi, 0, KEK_SPI_SIZE);
+ /*
+ * Install the new SPI in the rekey exchange cookies too! However, the
+ * exchange needs to be re-linked in the echange data structures.
+ */
+ memcpy(kek->send_exchange->cookies, &kek->spi, ISAKMP_HDR_COOKIES_LEN);
+ LIST_REMOVE (kek->send_exchange, link);
+ exchange_enter (kek->send_exchange);
+ /*
+ * Install the new keys and free old ones.
+ */
+ kek->encrypt_iv = kek->next_kek_policy.encrypt_iv;
+ kek->encrypt_key = kek->next_kek_policy.encrypt_key;
+ kek->next_kek_policy.encrypt_iv = NULL;
+ kek->next_kek_policy.encrypt_key = NULL;
+}
+
+int
+gdoi_kek_rekey_start (struct gdoi_kek *kek)
+{
+ struct timeval expire_time;
+
+ gettimeofday (&expire_time, 0);
+ expire_time.tv_sec += kek->kek_timer_interval;
+ kek->tek_lifetime_ev = timer_add_event ("gdoi_kek_rekey_sender",
+ gdoi_kek_rekey_sender, kek, &expire_time);
+ return 0;
+}
+
+static void
+gdoi_rekey_sender (void *vkek)
+{
+ struct gdoi_kek *kek = vkek;
+
+ log_print("gdoi_rekey_sender: Timer sprung!!!");
+ gdoi_rekey_start (kek);
+ if (gdoi_rekey_send_msg (kek) < 0)
+ {
+ log_print("gdoi_rekey_sender: Error in sending msg - Aborting");
+ return;
+ }
+}
+
+int
+gdoi_rekey_start (struct gdoi_kek *kek)
+{
+ struct timeval expire_time;
+
+ gettimeofday (&expire_time, 0);
+ expire_time.tv_sec += kek->tek_timer_interval;
+ kek->tek_lifetime_ev = timer_add_event ("gdoi_rekey_sender",
+ gdoi_rekey_sender, kek, &expire_time);
+ return 0;
+}
+
+int
+gdoi_rekey_listen (struct gdoi_kek *kek)
+{
+ if (kek->recv_sock)
+ {
+ log_print("gdoi_rekey_listen: Already a listener for this group.");
+ return 0;
+ }
+
+ log_print("gdoi_rekey_listen: Setting up rekey listener!");
+
+ /*
+ * Open a socket for receiving
+ */
+ if (gdoi_rekey_open_socket(kek, RECEIVER) <0)
+ {
+ log_print("gdoi_rekey_send_msg: Socket open failed");
+ return -1;
+ }
+ rekey_udp_make(kek, RECEIVER);
+ return 0;
+}
+
+static struct transport *
+rekey_udp_make (struct gdoi_kek *kek, enum roles role)
+{
+ int s;
+ struct sockaddr_in *laddr;
+ struct in_addr iaddr;
+ u_int8_t ttl = IPDEFTTL;
+ u_int8_t loop = 0; /* Disable loopback of our own multicast packets*/
+ struct udp_transport *t = 0;
+ int on;
+ struct ip_mreq maddr;
+ struct conf_list *listen_on;
+ struct conf_list_node *address;
+
+ t = calloc (1, sizeof *t);
+ if (!t)
+ {
+ log_print ("rekey_udp_make: malloc (%d) failed", sizeof *t);
+ return 0;
+ }
+
+ if (role == SENDER)
+ {
+ s = kek->send_sock;
+ laddr = &kek->send_addr;
+ t->dst.sin_family = PF_INET;
+ t->dst.sin_port = htons(kek->dport);
+ t->dst.sin_addr.s_addr = kek->dst_addr;
+#ifndef USE_OLD_SOCKADDR
+ t->dst.sin_len = sizeof(struct sockaddr_in);
+#endif
+ }
+ else
+ {
+ s = kek->recv_sock;
+ laddr = &kek->recv_addr;
+ t->dst.sin_family = PF_INET;
+ t->dst.sin_port = kek->sport;
+ t->dst.sin_addr.s_addr = kek->src_addr;
+#ifndef USE_OLD_SOCKADDR
+ t->dst.sin_len = sizeof(struct sockaddr_in);
+#endif
+ }
+
+ /*
+ * In order to have several bound specific address-port combinations
+ * with the same port SO_REUSEADDR is needed.
+ * If this is a wildcard socket and we are not listening there, but only
+ * sending from it make sure it is entirely reuseable with SO_REUSEPORT.
+ */
+ on = 1;
+ if (setsockopt (s, SOL_SOCKET,
+ (laddr->sin_addr.s_addr == INADDR_ANY
+ && conf_get_str ("General", "Listen-on"))
+ ? SO_REUSEPORT : SO_REUSEADDR,
+ (void *)&on, sizeof on) == -1)
+ {
+ log_error ("rekey_udp_make: setsockopt (%d, %d, %d, %p, %d)", s, SOL_SOCKET,
+ (laddr->sin_addr.s_addr == INADDR_ANY
+ && conf_get_str ("General", "Listen-on"))
+ ? SO_REUSEPORT : SO_REUSEADDR,
+ &on, sizeof on);
+ goto err;
+ }
+
+ t->transport.vtbl = &rekey_udp_transport_vtbl;
+ memcpy (&t->src, laddr, sizeof t->src);
+
+ if (bind (s, (struct sockaddr *)&t->src, sizeof t->src))
+ {
+ log_error ("rekey_udp_make: bind (%d, %p, %d)", s, &t->src,
+ sizeof t->src);
+ log_error("rekey_udp_make: Continuing anyway");
+ }
+
+ if (role == RECEIVER)
+ {
+ if (IN_MULTICAST(htonl(laddr->sin_addr.s_addr)))
+ {
+ bzero(&maddr, sizeof(maddr));
+ maddr.imr_multiaddr.s_addr = laddr->sin_addr.s_addr;
+ /*
+ * Pick the first interface off the "Listen-on" list.
+ */
+ listen_on = conf_get_list ("General", "Listen-on");
+ if (listen_on)
+ {
+ address = TAILQ_FIRST (&listen_on->fields);
+ if (!inet_aton (address->field, &iaddr))
+ {
+ log_print ("rekey_udp_make: "
+ "invalid address %s in \"Listen-on\"",
+ address->field);
+ goto err;
+ }
+ maddr.imr_interface.s_addr = iaddr.s_addr;
+ }
+ conf_free_list (listen_on);
+ if (setsockopt(s, IPPROTO_IP, IP_ADD_MEMBERSHIP,
+ &maddr,sizeof(maddr)))
+ {
+ log_error("rekey_udp_make: setsockopt(IP_ADD_MEMBERSHIP)");
+ goto err;
+ }
+ }
+ }
+
+ if (role == SENDER)
+ {
+ listen_on = conf_get_list ("General", "Listen-on");
+ if (listen_on)
+ {
+ for (address = TAILQ_FIRST (&listen_on->fields); address;
+ address = TAILQ_NEXT (address, link))
+ {
+ if (!inet_aton (address->field, &iaddr))
+ {
+ log_print ("rekey_udp_make: "
+ "invalid address %s in \"Listen-on\"",
+ address->field);
+ goto err;
+ }
+ if (setsockopt (s, IPPROTO_IP, IP_MULTICAST_IF, (void *)&iaddr,
+ sizeof iaddr) == -1)
+ {
+ log_error ("rekey_udp_make: Setting IP_MULTICAST_IF failed");
+ goto err;
+ }
+ if (setsockopt (s, IPPROTO_IP, IP_MULTICAST_TTL, (void *)&ttl,
+ sizeof ttl) == -1)
+ {
+ log_error ("rekey_udp_make: Setting IP_MULTICAST_TTL failed");
+ goto err;
+ }
+ if (setsockopt (s, IPPROTO_IP, IP_MULTICAST_LOOP, (void *)&loop,
+ sizeof loop) == -1)
+ {
+ log_error ("rekey_udp_make: Setting IP_MULTICAST_LOOP failed");
+ goto err;
+ }
+ }
+ conf_free_list (listen_on);
+ }
+ }
+
+ t->s = s;
+ transport_add (&t->transport);
+ transport_reference (&t->transport);
+ t->transport.flags |= TRANSPORT_LISTEN;
+ return &t->transport;
+
+err:
+ if (s != -1)
+ close (s);
+ if (t)
+ free (t);
+ return 0;
+}
+
+/*
+ * Receive a rekey message. Based on message_recv().
+ */
+static int
+rekey_message_recv (struct message *msg)
+{
+ u_int8_t *buf = msg->iov[0].iov_base;
+ size_t sz = msg->iov[0].iov_len;
+ int exch_type;
+ u_int8_t flags;
+ struct gdoi_kek *stored_kek;
+ enum cryptoerr err;
+ u_int8_t *cookies;
+ struct sa *sa;
+
+ /* Possibly dump a raw hex image of the message to the log channel. */
+ message_dump_raw ("message_recv", msg, LOG_MESSAGE);
+
+ /* Messages shorter than an ISAKMP header are bad. */
+ if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH (buf))
+ {
+ log_print ("message_recv: bad message length");
+ message_drop (msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
+ return -1;
+ }
+
+ cookies = buf + ISAKMP_HDR_COOKIES_OFF;
+ stored_kek = gdoi_get_kek_by_cookies (cookies);
+ if (!stored_kek)
+ {
+ log_print ("rekey_message_recv: SA not found in rekey SA list");
+ log_print ("rekey_message_recv: cookie pair:): "
+ "%02x%02x%02x%02x%02x%02x%02x%02x "
+ "%02x%02x%02x%02x%02x%02x%02x%02x",
+ cookies[0], cookies[1], cookies[2], cookies[3], cookies[4],
+ cookies[5], cookies[6], cookies[7], cookies[8], cookies[9],
+ cookies[10], cookies[11], cookies[12], cookies[13], cookies[14],
+ cookies[15]);
+ return -1;
+ }
+
+ if (GET_ISAKMP_HDR_NEXT_PAYLOAD (buf) >= ISAKMP_PAYLOAD_PRIVATE_MAX)
+ {
+ log_print ("message_recv: "
+ "invalid payload type %d in ISAKMP header "
+ "(check passphrases, if applicable and in Phase 1)",
+ GET_ISAKMP_HDR_NEXT_PAYLOAD (buf));
+ return -1;
+ }
+
+ /* Validate that the message is of version 1.0. */
+ if (ISAKMP_VERSION_MAJOR (GET_ISAKMP_HDR_VERSION (buf)) != 1)
+ {
+ log_print ("message_recv: invalid version major %d",
+ ISAKMP_VERSION_MAJOR (GET_ISAKMP_HDR_VERSION (buf)));
+ return -1;
+ }
+
+ if (ISAKMP_VERSION_MINOR (GET_ISAKMP_HDR_VERSION (buf)) != 0)
+ {
+ log_print ("message_recv: invalid version minor %d",
+ ISAKMP_VERSION_MINOR (GET_ISAKMP_HDR_VERSION (buf)));
+ return -1;
+ }
+
+ /*
+ * Validate the exchange type. It must be a rekey message type. If not,
+ * ignore it.
+ */
+ exch_type = GET_ISAKMP_HDR_EXCH_TYPE (buf);
+ if (exch_type != GDOI_EXCH_PUSH_MODE)
+ {
+ log_print ("message_recv: invalid exchange type %s",
+ constant_name (isakmp_exch_cst, exch_type));
+ return -1;
+ }
+ msg->exchange = exchange_create (1, 0, GROUP_DOI_GDOI, exch_type);
+ if (!msg->exchange)
+ {
+ log_print ("rekey_message_recv: failed to allocate exchange");
+ return -1;
+ }
+
+ /*
+ * Save the cookies for later use in finding the stored KEK
+ */
+ memcpy(msg->exchange->cookies, cookies, ISAKMP_HDR_COOKIES_LEN);
+
+ /*
+ * Check for unrecognized flags. Only the encryption flag is valid for now.
+ */
+ flags = GET_ISAKMP_HDR_FLAGS (buf);
+ if (flags != ISAKMP_FLAGS_ENC)
+ {
+ log_print ("rekey_message_recv: invalid flags 0x%x",
+ GET_ISAKMP_HDR_FLAGS (buf));
+ return -1;
+ }
+
+ if (flags & ISAKMP_FLAGS_ENC)
+ {
+ msg->orig = malloc (sz);
+ if (!msg->orig)
+ {
+ message_free (msg);
+ return -1;
+ }
+ memcpy (msg->orig, buf, sz);
+
+ /*
+ * Setup the crypto vectors based on the algorithm. We have to translate
+ * The GDOI algorithm number to the IKE one in order to use the crypto
+ * routines....
+ */
+ switch (stored_kek->encrypt_alg)
+ {
+ case GDOI_KEK_ALG_3DES:
+ msg->exchange->crypto = crypto_get(TRIPLEDES_CBC);
+ break;
+ case GDOI_KEK_ALG_AES:
+ msg->exchange->crypto = crypto_get(AES_CBC_128);
+ break;
+ default:
+ log_error ("decode_kd_kek_attribute: "
+ "Unknown KEK secrecy algorithm: %d",
+ stored_kek->encrypt_alg);
+ return -1;
+ }
+ msg->exchange->keystate = crypto_init (msg->exchange->crypto,
+ stored_kek->encrypt_key,
+ msg->exchange->crypto->keymax, &err);
+ /*
+ * Re-install the static IV into the crypto state
+ * each time we do an encryption.
+ */
+ crypto_init_iv (msg->exchange->keystate, stored_kek->encrypt_iv,
+ msg->exchange->keystate->xf->blocksize);
+
+ rekey_crypto_decrypt (msg->exchange->keystate, buf + ISAKMP_HDR_SZ,
+ sz - ISAKMP_HDR_SZ);
+ }
+ else
+ msg->orig = buf;
+ msg->orig_sz = sz;
+
+ /*
+ * Check the overall payload structure at the same time as indexing them by
+ * type.
+ */
+ if (GET_ISAKMP_HDR_NEXT_PAYLOAD (buf) != ISAKMP_PAYLOAD_NONE
+ && message_sort_payloads (msg, GET_ISAKMP_HDR_NEXT_PAYLOAD (buf)))
+ {
+ return -1;
+ }
+
+ /*
+ * Run generic payload tests now. If anything fails these checks, the
+ * message needs either to be retained for later duplicate checks or
+ * freed entirely.
+ * XXX Should SAs and even transports be cleaned up then too?
+ */
+ if (message_validate_payloads (msg))
+ {
+ return -1;
+ }
+
+ /*
+ * HACK! message_validate_sa() Adds gratuitously create an SA payload for
+ * us, but we don't need it. That SA payload is intended to be used as the
+ sa->isakmp_sa but we don't need it for the rekey message. So remove it here.
+ */
+ sa = TAILQ_FIRST(&msg->exchange->sa_list);
+ if (sa)
+ {
+ TAILQ_REMOVE(&msg->exchange->sa_list, sa, next);
+ sa_release(sa);
+ sa = NULL;
+ }
+
+ /*
+ * Now we can validate DOI-specific exchange types. If we have no SA
+ * DOI-specific exchange types are definitely wrong.
+ */
+ if (exch_type >= ISAKMP_EXCH_DOI_MIN && exch_type <= ISAKMP_EXCH_DOI_MAX
+ && msg->exchange->doi->validate_exchange (exch_type))
+ {
+ log_print ("message_recv: invalid DOI exchange type %d", exch_type);
+ return -1;
+ }
+
+ /* Handle the flags. */
+ if (flags & ISAKMP_FLAGS_ENC)
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+ if ((msg->exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0
+ && (flags & ISAKMP_FLAGS_COMMIT))
+ msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED;
+
+ /* OK let the exchange logic do the rest.
*/ + exchange_enter (msg->exchange); + exchange_run (msg); + + return 0; +} + +static struct transport * +rekey_udp_create (char *name) +{ + struct transport *t; + struct udp_transport *u; + + t = malloc (sizeof *u); + if (!t) + { + log_error ("rekey_udp_create: malloc (%d) failed", sizeof *u); + return 0; + } + + u = (struct udp_transport *)t; + u->transport.vtbl = &rekey_udp_transport_vtbl; + + return t; +} + +/* + * A message has arrived on transport T's socket. If T is single-ended, + * clone it into a double-ended transport which we will use from now on. + * Package the message as we want it and continue processing in the message + * module. + */ +static void +rekey_udp_handle_message (struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + u_int8_t buf[UDP_SIZE]; + struct sockaddr_in from; + int len = sizeof from; + ssize_t n; + struct message *msg; + + log_print("rekey_udp_handle_message: GOT A REKEY MESSAGE!!!"); + + n = recvfrom (u->s, buf, UDP_SIZE, 0, (struct sockaddr *)&from,(socklen_t *)&len); + if (n == -1) + { + log_error ("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, UDP_SIZE, 0, + &from, &len); + return; + } + + msg = message_alloc (t, buf, n); + if (!msg) + { + log_print("rekey_udp_handle_message: No msg allocated"); + return; + } + rekey_message_recv (msg); + transport_release (t); +} + +/* Physically send the message MSG over its associated transport. */ +static int +rekey_udp_send_message (struct message *msg) +{ + struct udp_transport *u = (struct udp_transport *)msg->transport; + ssize_t n; + struct msghdr m; + + /* + * Sending on connected sockets requires that no destination address is + * given, or else EISCONN will occur. 
+ */ + m.msg_name = (caddr_t)&u->dst; + m.msg_namelen = sizeof u->dst; + m.msg_iov = msg->iov; + m.msg_iovlen = msg->iovlen; + m.msg_control = 0; + m.msg_controllen = 0; + m.msg_flags = 0; + n = sendmsg (u->s, &m, 0); + if (n == -1) + { + log_error ("sendmsg (%d, %p, %d)", u->s, &m, 0); + return -1; + } + return 0; +} + +enum { + ReplayWindowSize = 32 +}; + +int ChkReplayWindow(u_int32_t seq); + +/* + * Validate the sequence number. + * HACK! THe following does not yet match the draft + * + * Cribbed from RFC 2401 Appendix C + * + * Returns 0 if packet disallowed, 1 if packet permitted + */ +static int gdoi_seq_valid (struct gdoi_kek *stored_kek, + u_int32_t received_seq) +{ + u_int32_t diff; + + if (received_seq == 0) return 0; /* first == 0 or wrapped */ + if (received_seq > stored_kek->current_seq_num) { + /* new larger sequence number */ + diff = received_seq - stored_kek->current_seq_num; + if (diff < ReplayWindowSize) { /* In window */ + stored_kek->replay_bitmap <<= diff; + stored_kek->replay_bitmap |= 1; /* set bit for this packet */ + } else stored_kek->replay_bitmap = 1; /* This packet has a "way larger" */ + stored_kek->current_seq_num = received_seq; + return 1; /* larger is good */ + } + diff = stored_kek->current_seq_num - received_seq; + if (diff >= ReplayWindowSize) return 0; /* too old or wrapped */ + if (stored_kek->replay_bitmap & ((u_int32_t)1 << diff)) return 0; + /* already seen */ + stored_kek->replay_bitmap |= ((u_int32_t)1 << diff); /* mark as seen */ + return 1; /* out of order but good */ +} + +/* + * Handle a rekey message. Note that it has already been decrypted. + */ +static int responder_recv_SEQ_SA_KD_SIG (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct payload *sigp, *p; + struct gdoi_kek *stored_kek; + u_int32_t seq; + u_int8_t *begin, *end; + struct hash *hash; + u_int8_t *computed_hash, *decrypted_hash; + int siglen, found_delete = 0; + + /* + * Find the current KEK policy first. 
+ */ + stored_kek = gdoi_get_kek_by_cookies (exchange->cookies); + if (!stored_kek) + { + log_print ("responder_recv_SEQ_SA_KD_SIG: " + "KEK policy missing from exchange"); + goto cleanup; + } + /* + * Set the exchange name for reporting convienience and to match the + * SAs up with other policy by name. + */ + if (!exchange->name) + { + exchange->name = strdup(stored_kek->exchange_name); + } + + /* Handle SIG payload */ + sigp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SIG]); + if (sigp) + { + sigp->flags |= PL_MARK; + /* + * Compute the hash + */ + hash = hash_get(xlate_gdoi_hash(stored_kek->sig_hash_alg)); + computed_hash = malloc (hash->hashsize); + if (!computed_hash) + { + log_error ("responder_recv_SEQ_SA_KD_SIG: " + "malloc (%d) failed", hash->hashsize); + } + + /* Start with the characters in 'rekey' */ + hash->Init (hash->ctx); + LOG_DBG_BUF ((LOG_MISC, 90, "responder_recv_SEQ_SA_KD_SIG: 'rekey'", + (u_int8_t *)REKEY_HEADER_STRING, strlen(REKEY_HEADER_STRING))); + hash->Update (hash->ctx, (u_int8_t *)REKEY_HEADER_STRING, + strlen(REKEY_HEADER_STRING)); + begin = msg->iov[0].iov_base; + end = sigp->p; + LOG_DBG_BUF ((LOG_MISC, 90, + "responder_recv_SEQ_SA_KD_SIG: packet before SIG payload", + begin, (end-begin))); + hash->Update (hash->ctx, begin, (end-begin)); + hash->Final (computed_hash, hash->ctx); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "responder_recv_SEQ_SA_KD_SIG: computed hash", + computed_hash, hash->hashsize)); + /* + * Validate the signature + * First check that the sig is of the correct size. 
+ */ + siglen = GET_ISAKMP_GEN_LENGTH (sigp->p) - ISAKMP_SIG_SZ; + if (siglen != RSA_size (stored_kek->rsa_keypair)) + { + log_print ("responder_recv_SEQ_SA_KD_SIG: " + "SIG payload length does not match public key"); + return -1; + } + decrypted_hash = malloc (siglen); + if (!decrypted_hash) + { + log_error ("responder_recv_SEQ_SA_KD_SIG: " + "malloc (%d) failed", siglen); + return -1; + } + + siglen = RSA_public_decrypt (siglen, sigp->p + ISAKMP_SIG_DATA_OFF, + decrypted_hash, stored_kek->rsa_keypair, RSA_PKCS1_PADDING); + if (siglen == -1) + { + ERR_load_crypto_strings(); + log_print ("responder_recv_SEQ_SA_KD_SIG: " + "RSA_public_decrypt () failed: %s", + ERR_error_string(ERR_get_error(),NULL)); + free(decrypted_hash); + return -1; + } + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "responder_recv_SEQ_SA_KD_SIG: decrypted hash", + decrypted_hash, hash->hashsize)); + + if (memcmp(computed_hash, decrypted_hash, hash->hashsize)) + { + log_print("responder_recv_SEQ_SA_KD_SIG: " + "Computed hash does not match decrypted hash!"); + free(decrypted_hash); + return -1; + } + free(decrypted_hash); + } + else + { + log_print("responder_recv_SEQ_SA_KD_SIG: Missing SIG payload!"); + goto cleanup; + } + + /* Handle SEQ paylaod */ + p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SEQ]); + if (p) + { + p->flags |= PL_MARK; + seq = GET_GDOI_SEQ_SEQ_NUM(p->p); + log_print ("GOT SEQ # of: %d (PUSH)", seq); + if (gdoi_seq_valid(stored_kek, seq)) + { + stored_kek->current_seq_num = seq; + } + else + { + log_print("responder_recv_SEQ_SA_KD_SIG: " + "Sequence number out of range: previous %d, received %d", + stored_kek->current_seq_num, seq); + goto cleanup; + } + } + else + { + log_print("responder_recv_SEQ_SA_KD_SIG: Missing SEQ payload!"); + goto cleanup; + } + + /* + * There must be either an SA/KD pair, or DELETEs in the message, or both + * (in which case the DELETEs are handled first). 
+ */ + p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_DELETE]); + if (p) + { + found_delete=1; + /* + * Loop through the DELETE payloads and handle them. + */ + for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_DELETE]); p; + p = TAILQ_NEXT (p, link)) + { + gdoi_process_delete_payload (msg, p); + } + } + + p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]); + if (p) + { + /* Handle SA payload */ + if (gdoi_process_SA_payload (msg)) + { + goto cleanup; + } + + /* Handle KD payload */ + if (gdoi_process_KD_payload (msg)) + { + goto cleanup; + } + } + else + { + if (!found_delete) + { + log_print("responder_recv_SEQ_SA_KD_SIG: Rekey message contains " + "neither SA payload or DELETE paylaod. Aborting"); + goto cleanup; + } + } + + return 0; + +cleanup: + /* + * Return a non-error return, otherwise the message will get torn down, + * which tears down the transport, and then we don't receive any more rekey + * messages. One bad message doesn't mean the rest will be bad (and could + * even have been sent or replayed by an attacker. + */ + log_print("responder_recv_SEQ_SA_KD_SIG: " + "Aborting processing of Rekey message"); + return 0; +} + +/* + * Find the given SA on any rekey exchange SA lists and remove it. + */ +void +gdoi_rekey_free_sa (struct sa *sa_to_remove) +{ + + struct gdoi_kek *node; + struct sa *sa; + + for (node = TAILQ_FIRST (&gdoi_kek_queue); node; + node = TAILQ_NEXT (node, link)) + { + if (!node->send_exchange) + { + continue; + } + for (sa = TAILQ_FIRST (&node->send_exchange->sa_list); + sa; sa = TAILQ_NEXT (sa, next)) + { + if (sa == sa_to_remove) + { + LOG_DBG ((LOG_SA, 60, "gdoi_rekey_free_sa: " + "freeing SA %p from exchange %p", + sa, node->send_exchange)); + TAILQ_REMOVE (&node->send_exchange->sa_list, sa, next); + /* + * We're not deleting sa here, so it's pointer to the + * next SA should be correct. + */ + } + } + } +} diff --git a/src/gdoi_srtp.c b/src/gdoi_srtp.c new file mode 100644 index 0000000..d34f9bc --- /dev/null +++ b/src/gdoi_srtp.c 
@@ -0,0 +1,761 @@
+/* $Id: gdoi_srtp.c,v 1.6.4.2 2011/12/05 20:31:07 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_srtp.c,v $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. 
OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */ + + +#include +#include +#include +#include + +#include "attribute.h" +#include "conf.h" +#include "connection.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "gdoi_phase2.h" +#include "log.h" +#include "math_group.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "transport.h" +#include "util.h" +#include "gdoi_fld.h" +#include "gdoi_num.h" +#include "gdoi_srtp.h" +#include "gdoi_srtp_attr.h" +#include "srtp_num.h" +#include "ipsec_num.h" +#include "gdoi.h" + +#define AES_128_LENGTH 16 +#define SALT_112_LENGTH 14 + +#define SRC 1 +#define DST 2 + +#define ATTR_SIZE (50 * ISAKMP_ATTR_VALUE_OFF) + +/* + * BEW: Temp extern. ID handling should be moved to a new file. + */ +extern u_int8_t *gdoi_build_tek_id (char *section, size_t *sz); + +int srtp_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *arg) +{ + struct srtp_proto *sa = (struct srtp_proto *) arg; + + switch (type) + { + case SRTP_ATTR_CIPHER: + sa->cipher_type = decode_16(value); + break; + case SRTP_ATTR_CIPHER_MODE: + sa->cipher_mode = decode_16(value); + break; + case SRTP_ATTR_CIPHER_KEY_LENGTH: + sa->cipher_key_length = decode_16(value); + break; + default: + log_print ("srtp_decode_attribute: Attribute not valid: %d", type); + return -1; + } + + return 0; +} + +/* + * Group member side (decode & store TEK values) + * Key server side (save a copy of the SA in his own sa list for later use by + * the rekey message) + * + * Decode the SRTP type TEK and stuff into the SA. + */ +int +gdoi_srtp_decode_tek (struct message *msg, struct sa *sa, u_int8_t *srtp_tek, + size_t srtp_tek_len, int create_proto) +{ + u_int8_t *cur_p; + struct proto *proto = NULL; + struct srtp_proto *sproto = NULL; + int id_type, id_len, temp_len; + + /* + * Validate the SA. 
+ */ + if (!sa) + { + log_error ("group_decode_esp_tek: No sa's in list!"); + goto clean_up; + } + + if (create_proto) + { + if (gdoi_setup_sa (sa, &proto, IPSEC_PROTO_SRTP, + sizeof(struct srtp_proto))) + { + goto clean_up; + } + } + else + { + proto = TAILQ_LAST(&sa->protos, proto_head); + } + + /* + * Stuff the SRTP policy in the proto structure. (Can't use sa->data because + * that is initialized in sa_create(). sa->data is unused for SRTP.) + */ + sproto = (struct srtp_proto *) proto->data; + + /* + * Get src_id fields + * We can use the ESP fields & types since they are defined identically. + */ + cur_p = srtp_tek; + id_type = GET_GDOI_SA_ID_TYPE(cur_p); + id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p); + sproto->sport = ntohs(GET_GDOI_SA_ID_PORT(cur_p)); + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + if (id_len != 4) + { + log_error ("gdoi_srtp_decode_tek: Invalid length for src IP addr: %d", + id_len); + goto clean_up; + } + sproto->src_net = htonl(decode_32(cur_p+GDOI_SA_ID_DATA_OFF)); + sproto->src_mask = htonl(0xffffffff); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + if (id_len != 8) + { + log_error ("gdoi_srtp_decode_tek: Invalid length for src IP subnet:" + "%d", id_len); + goto clean_up; + } + sproto->src_net = htonl(decode_32(cur_p+GDOI_SA_ID_DATA_OFF)); + sproto->src_mask = htonl(decode_32(cur_p+GDOI_SA_ID_DATA_OFF+4)); + break; + default: + log_error ("gdoi_srtp_decode_tek: Unsupported src id type: %d", id_type); + goto clean_up; + } + cur_p = cur_p + GDOI_SA_ID_DATA_OFF + id_len; + + /* + * Get dst_id fields. Only type ID_IPV4_ADDR is reasonable. 
+ */ + sproto->dport = ntohs(GET_GDOI_SA_ID_PORT(cur_p)); + id_len = GET_GDOI_SA_ID_DATA_LEN(cur_p); + if (id_len != 4) + { + log_error ("gdoi_srtp_decode_tek: Invalid length for dst IP addr: %d", + id_len); + goto clean_up; + } + sproto->dst_net = htonl(decode_32(cur_p + GDOI_SA_ID_DATA_OFF)); + sproto->dst_mask = htonl(0xffffffff); + cur_p = cur_p + GDOI_SA_ID_DATA_OFF + id_len; + + /* + * Get Replay Window, KD Rate, SRTP Lifeime, SRTCP Lifetime + */ + sproto->replay_window = *cur_p++; + sproto->kd_rate = *cur_p++; + sproto->srtp_lifetime = *cur_p++; + sproto->srtcp_lifetime = *cur_p++; + + /* + * Get SPI + */ + proto->spi_sz[0]=*cur_p++; + proto->spi[0]= malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_print ("gdoi_srtp_decode_tek: malloc failed (%d)", proto->spi_sz[0]); + goto clean_up; + } + memcpy(proto->spi[0], cur_p, proto->spi_sz[0]); + + switch(proto->spi_sz[0]) { + case 2: + log_print(" SPI found (SA) %u (%d) (%#x) for sa %#x", + decode_16(proto->spi[0]), decode_16(proto->spi[0]), + decode_16(proto->spi[0]), sa); + break; + case 4: + log_print(" SPI found (SA) %u (%d) (%#x) for sa %#x", + decode_32(proto->spi[0]), decode_32(proto->spi[0]), + decode_32(proto->spi[0]), sa); + break; + default: + log_print ("install_tek_keys: Unsupported spi size: %d", proto->spi[0]); + break; + } + cur_p += proto->spi_sz[0]; + + /* + * BEW: HACK! HACK! HACK! + * Assuming 128 bit AES & 112 bit master salt. Need to stuff it into the + * srtp_proto now. Normally it would come from the Cipher Suite. + * + * This is used in KD payload processing to verify that the length of the keys + * received in the KD payload are correct. 
+ */ + sproto->master_key_len = AES_128_LENGTH; + sproto->master_salt_key_len = SALT_112_LENGTH; + + temp_len = srtp_tek_len - (cur_p - srtp_tek); + + attribute_map (cur_p, temp_len, srtp_decode_attribute, sproto); + + return 0; + +clean_up: + if (proto) + { + proto_free(proto); + } + return -1; +} + +/* + * Key server side + * Find the TEK-specific policy for an SRTP type TEK. + */ +int gdoi_srtp_set_policy (char *conf_field, struct message *msg, + struct exchange *sa_exchange) +{ + struct sa *sa; + struct proto *proto; + struct srtp_proto *sproto; + char *src_id, *dst_id; + int id; + struct in_addr addr; + struct in_addr mask; + uint16_t port; + + /* + * Find the sa. The last SA in the list was just created for our use. + */ + sa = TAILQ_LAST (&sa_exchange->sa_list, sa_head); + if (!sa) + { + log_error ("gdoi_ipsec_get_policy: No sa's in list!"); + goto bail_out; + } + + /* + * Initialize the SA + */ + if (gdoi_setup_sa (sa, &proto, IPSEC_PROTO_SRTP, sizeof(struct srtp_proto))) + { + goto bail_out; + } + sproto = proto->data; + + /* + * Start with the src/dst fields. 
+ */ + src_id = conf_get_str (conf_field, "Src-ID"); + if (!src_id) + { + log_print ("gdoi_ipsec_get_policy: " + "Src-ID missing"); + goto bail_out; + } + if (gdoi_get_id (src_id, &id, &addr, &mask, &port)) + { + goto bail_out; + } + sproto->src_net = htonl(addr.s_addr); + sproto->src_mask = htonl(mask.s_addr); + sproto->sport = ntohs(port); + + dst_id = conf_get_str (conf_field, "Dst-ID"); + if (!dst_id) + { + log_print ("gdoi_ipsec_get_policy: " + "Dst-ID missing"); + goto bail_out; + } + if (gdoi_get_id (dst_id, &id, &addr, &mask, &port)) + { + goto bail_out; + } + sproto->dst_net = htonl(addr.s_addr); + sproto->dst_mask = htonl(mask.s_addr); + sproto->dport = ntohs(port); + + /* + * Replay Window + */ + sproto->replay_window=16; /* BEW: Temp hardcoded value */ + + /* + * KD Rate + */ + sproto->kd_rate=1; /* BEW: Temp hardcoded value */ + + /* + * SRTP Lifetime + */ + sproto->srtp_lifetime=16; /* BEW: Temp hardcoded value */ + + /* + * SRTCP Lifetime + */ + sproto->srtcp_lifetime=16; /* BEW: Temp hardcoded value */ + + /* + * BEW: Assume SPI is 2 bytes. + */ + proto->spi_sz[0] = 2; + proto->spi[0] = malloc(proto->spi_sz[0]); + if (!proto->spi[0]) + { + log_error ("gdoi_srtp_get_policy: malloc failure -- SPI (%d bytes)", + proto->spi_sz[0]); + goto bail_out; + } + + /* + * BEW: Choose a random SPI for now. + * + * Write the SPI length & SPI. + */ + getrandom(proto->spi[0], proto->spi_sz[0]); + + /* + * BEW: Generate AES keys irrespective of Options and Crypto Suite for + * now. 
+ */ + sproto->master_key_len = AES_128_LENGTH; + sproto->master_key = malloc(sproto->master_key_len); + if (!sproto->master_key) + { + log_print ("gdoi_srtp_get_policy: malloc failed: master key (%d)", + sproto->master_key_len); + goto bail_out; + } + getrandom(sproto->master_key, sproto->master_key_len); + + sproto->master_salt_key_len = SALT_112_LENGTH; + sproto->master_salt_key = malloc(sproto->master_salt_key_len); + if (!sproto->master_salt_key) + { + log_print ("gdoi_srtp_get_policy: malloc failed: master key (%d)", + sproto->master_salt_key_len); + goto bail_out; + } + getrandom(sproto->master_salt_key, sproto->master_salt_key_len); + + return 0; + +bail_out: + return -1; +} + +/* + * Group member side + * Validate and install keys gotten from the KD in the sproto structure. + */ +int +gdoi_srtp_install_keys (struct proto *proto, struct gdoi_kd_decode_arg *keys) +{ + struct srtp_proto *sproto; + + if (proto->proto != IPSEC_PROTO_SRTP) + { + log_error ("gdoi_srtp_install_keys: SRTP SA expected, got %d", + proto->proto); + return -1; + } + + sproto = (struct srtp_proto *) proto->data; + if (!sproto) + { + log_error ("gdoi_srtp_install_keys: SRTP SA TEK data missing"); + return -1; + } + + /* + * Validate that the key length is correct & copy them. + */ + if (keys->sec_key_sz != + (size_t)(sproto->master_key_len + sproto->master_salt_key_len)) + { + log_error ("gdoi_srtp_install_tek_keys:" + "Wrong key length! Expected: %d, Actual: %d", + sproto->master_key_len+sproto->master_salt_key_len, + keys->sec_key_sz); + return -1; + } + + /* + * Split the keying material into their repsective parts. 
+ */ + sproto->master_key = malloc(sproto->master_key_len); + if (!sproto->master_key) + { + log_print ("gdoi_srtp_get_policy: malloc failed: master key (%d)", + sproto->master_key_len); + return -1; + } + memcpy(sproto->master_key, keys->sec_key, sproto->master_key_len); + + sproto->master_salt_key = malloc(sproto->master_salt_key_len); + if (!sproto->master_salt_key) + { + log_print ("gdoi_srtp_get_policy: malloc failed: master key (%d)", + sproto->master_salt_key_len); + free(sproto->master_key); + return -1; + } + memcpy(sproto->master_salt_key, (keys->sec_key+sproto->master_key_len), + sproto->master_key_len); + + return 0; +} + +#ifdef NOTYET +/* + * Group member side + * Finalize the exchange -- send the key & policy info to the SRTP app. + */ +int +gdoi_srtp_deliver_keys (struct message *msg, struct sa *sa) +{ + /* + * Give the keys to the client s/w. + */ + srtp_deliver_keys (sa); + return 0; +} +#endif +/* + * Translate keys from the SRTP proto into a generic structure + */ +int +gdoi_srtp_get_tek_keys (struct gdoi_kd_decode_arg *keys, struct proto *proto) +{ + struct srtp_proto *sproto= (struct srtp_proto *) proto->data; + + /* + * Concatenate the master key and master salt key. + */ + keys->sec_key_sz = sproto->master_key_len + sproto->master_salt_key_len; + keys->int_key_sz = 0; + + if (keys->sec_key_sz) + { + keys->sec_key = malloc(keys->sec_key_sz); + if (!keys->sec_key) + { + return -1; + } + memcpy(keys->sec_key, sproto->master_key, sproto->master_key_len); + memcpy(keys->sec_key+sproto->master_key_len, + sproto->master_salt_key, sproto->master_salt_key_len); + } + + return 0; +} + +/* + * Out of an SA build the ID fields of a TEK payload. The caller is + * responsible for freeing the payload. 
+ */ +static u_int8_t * +gdoi_srtp_build_tek_id_from_sa (struct sa *sa, int srcdst, size_t *sz) +{ + struct proto *proto = TAILQ_FIRST (&sa->protos); + struct srtp_proto *sproto= (struct srtp_proto *) proto->data; + struct in_addr addr, mask; + u_int16_t port; + int id_type = 0; + + switch (srcdst) + { + case SRC: + port = sproto->sport; + addr.s_addr = sproto->src_net; + mask.s_addr = sproto->src_mask; + break; + case DST: + port = sproto->dport; + addr.s_addr = sproto->dst_net; + mask.s_addr = sproto->dst_mask; + break; + default: + log_print ("gdoi_build_tek_id_from_sa: " + "Unsupported SRC/DST type (%d)", srcdst); + return 0; + } + id_type = (mask.s_addr == 0xffffffff) ? IPSEC_ID_IPV4_ADDR : + IPSEC_ID_IPV4_ADDR_SUBNET; + + return gdoi_build_tek_id_internal (id_type, addr, mask, port, sz); +} +int +gdoi_srtp_get_policy_from_sa (struct sa *sa, u_int8_t **ret_buf, + size_t *ret_buf_sz) +{ + u_int8_t *srtp_tek_buf = 0; + u_int8_t *buf = 0; + size_t sz, srtp_tek_sz; + u_int8_t *attr, *attr_start; + struct proto *proto; + struct srtp_proto *sproto; + + proto = TAILQ_FIRST (&sa->protos); + sproto = proto->data; + + /* + * Set the SRC/DST ID info + */ + srtp_tek_sz = 0; + srtp_tek_buf = NULL; + buf = gdoi_srtp_build_tek_id_from_sa (sa, SRC, &sz); + if (!buf) + { + goto bail_out; + } + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, buf, sz); + free(buf); + buf = NULL; + buf = gdoi_srtp_build_tek_id_from_sa (sa, DST, &sz); + if (!buf) + { + goto bail_out; + } + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, buf, sz); + free(buf); + buf = NULL; + + /* + * Replay window, KD rate, SRTP lifetime, SRTCP lifetime + * 1 byte each + */ + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + &sproto->replay_window, 1); + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + &sproto->kd_rate, 1); + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + &sproto->srtp_lifetime, 1); + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + 
&sproto->srtcp_lifetime, 1); + + /* + * Write out the SPI size and SPI for this TEK. + */ + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + &proto->spi_sz[0], 1); + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, + (u_int8_t *)proto->spi[0], proto->spi_sz[0]); + + /* + * BEGIN ATTRIBUTE PROCESSING + * Allocate a block for building attributes. It's sized large enough + * so that we think it will avoid buffer overflows.... + */ + attr_start = attr = calloc(1, ATTR_SIZE); + if (!attr) + { + log_print ("gdoi_srtp_get_policy: " + "calloc(%d) failed", ATTR_SIZE); + goto bail_out; + } + + /* + * Put the cipher into the payload as attributes + */ + attr = attribute_set_basic (attr, SRTP_ATTR_CIPHER, sproto->cipher_type); + attr = attribute_set_basic (attr, SRTP_ATTR_CIPHER_MODE, + sproto->cipher_mode); + attr = attribute_set_basic (attr, SRTP_ATTR_CIPHER_KEY_LENGTH, + sproto->cipher_key_length); + /* + * Add the attributes to the tek payload + */ + srtp_tek_buf = gdoi_grow_buf(srtp_tek_buf, &srtp_tek_sz, attr_start, + (attr - attr_start)); + free (attr_start); + if (!srtp_tek_buf) + { + goto bail_out; + } + + *ret_buf = srtp_tek_buf; + *ret_buf_sz = srtp_tek_sz; + + return 0; + +bail_out: + if (buf) + { + free (buf); + } + gdoi_free_attr_payloads(); + return -1; +} + +u_int8_t * +gdoi_srtp_add_attributes (u_int8_t *attr, struct sa *sa) +{ + struct proto *proto = NULL; + struct srtp_proto *sproto = NULL; + + proto = TAILQ_LAST(&sa->protos, proto_head); + sproto = (struct srtp_proto *) proto->data; + + attr = attribute_set_basic (attr, SRTP_REPLAY_WINDOW, sproto->replay_window); + attr = attribute_set_basic (attr, SRTP_KD_RATE, sproto->kd_rate); + attr = attribute_set_basic (attr, SRTP_LIFETIME, sproto->srtp_lifetime); + attr = attribute_set_basic (attr, SRTP_SRTCP_LIFETIME, sproto->srtp_lifetime); + + if (!sproto->master_key) + { + log_print ("gdoi_srtp_add_attributes: Master key missing!\n"); + } + else + { + attr = attribute_set_var (attr, 
SRTP_MASTER_KEY, + sproto->master_key, + sproto->master_key_len); + } + if (!sproto->master_salt_key) + { + log_print ("gdoi_srtp_add_attributes: Master Salt key missing!\n"); + } + else + { + attr = attribute_set_var (attr, SRTP_MASTER_SALT_KEY, + sproto->master_salt_key, + sproto->master_salt_key_len); + } + + return attr; +} diff --git a/src/gdoi_srtp.h b/src/gdoi_srtp.h new file mode 100644 index 0000000..24bc25f --- /dev/null +++ b/src/gdoi_srtp.h 
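Review bot: In gdoi_srtp_install_keys the second memcpy copies `sproto->master_key_len` bytes into `master_salt_key`, which was allocated with `master_salt_key_len` bytes; with the lengths gdoi_srtp_decode_tek assigns (16 and 14) that writes 2 bytes past the salt buffer and reads 2 bytes past the `sec_key_sz` bytes the preceding size check validated. The length argument should be the salt length: `memcpy(sproto->master_salt_key, keys->sec_key + sproto->master_key_len, sproto->master_salt_key_len);`. Separately, gdoi_srtp_decode_tek advances `cur_p` through the received TEK and copies `proto->spi_sz[0]` bytes, a count read from the payload itself, without ever comparing against `srtp_tek_len`, so a short or malformed payload is read out of bounds and `temp_len` can go negative before `attribute_map` is called; each field read should be preceded by a remaining-length check. gdoi_srtp_add_attributes also passes `sproto->srtp_lifetime` for `SRTP_SRTCP_LIFETIME`, where `sproto->srtcp_lifetime` looks intended.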
@@ -0,0 +1,154 @@ +/* $Id: gdoi_srtp.h,v 1.4.4.2 2011/12/05 20:31:07 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_srtp.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. 
+ * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. + * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. 
OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
+#define SRTP_SSRC_SIZE 2
+
+struct srtp_proto {
+ /*
+ * traffic selector fields, modelled after IPsec's traffic selectors
+ */
+ in_addr_t src_net;
+ in_addr_t src_mask;
+ in_addr_t dst_net;
+ in_addr_t dst_mask;
+ u_int8_t tproto;
+ u_int16_t sport;
+ u_int16_t dport;
+ /*
+ * policy fields
+ * NOTE: SPI is kept in the generic proto struct.
+ */
+ u_int8_t replay_window;
+ u_int8_t kd_rate;
+ u_int8_t srtp_lifetime;
+ u_int8_t srtcp_lifetime;
+ u_int16_t cipher_type;
+ u_int16_t cipher_mode;
+ u_int16_t cipher_key_length;
+ /*
+ * keying material fields
+ */
+ u_int16_t master_key_len;
+ u_int8_t *master_key;
+ u_int16_t master_salt_key_len;
+ u_int8_t *master_salt_key;
+};
diff --git a/src/gdoi_srtp_attr.h b/src/gdoi_srtp_attr.h
new file mode 100644
index 0000000..3bc7490
--- /dev/null
+++ b/src/gdoi_srtp_attr.h
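Review bot: The keying-material fields of `struct srtp_proto` hold the SRTP master key and master salt as bare `u_int8_t *` pointers with 16-bit lengths, and the header does not say who allocates them, who frees them, or that they must be wiped before release. Once ownership is confirmed against the code that fills them (outside this hunk), I would add a comment above those fields such as `/* heap buffers owned by this struct; wipe before free() so key bytes do not linger in freed memory */`. The struct also declares `srtcp_lifetime`, yet `gdoi_srtp_add_attributes` in src/gdoi_srtp.c of this commit fills `SRTP_SRTCP_LIFETIME` from `sproto->srtp_lifetime`, which looks like a copy-paste slip for `sproto->srtcp_lifetime`. The header has no include guard and uses `in_addr_t` and `u_int8_t` without including anything; the missing guard applies to gdoi_srtp_attr.h and gdoi_srtp_protos.h as well.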
@@ -0,0 +1,87 @@ +/* $Id: gdoi_srtp_attr.h,v 1.1.4.2 2011/12/05 20:31:08 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_srtp_attr.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* + * SRTP COMMAND_GET Attributes + * + * Used for passing TEK attributes and in betweeen GDOI and the GDOI app + * Attributes based on draft-baugher-msec-gdoi-srtp-00.txt. + * + * Attributes must be in range 1-99. 
+ */
+
+#define SRTP_SOURCE_ID 1
+#define SRTP_DEST_ID 2
+#define SRTP_OPTIONS 3
+#define SRTP_SSRC 4
+#define SRTP_CRYPTO_SUITE 5
+#define SRTP_REPLAY_WINDOW 6
+#define SRTP_KD_RATE 7
+#define SRTP_LIFETIME 8
+#define SRTP_ROC 9
+#define SRTP_SEQ 10
+#define SRTP_MKI 11
+#define SRTP_EKT_CIPHER 12
+#define SRTP_EKT_SPI 13
+#define SRTP_MASTER_KEY 14
+#define SRTP_MASTER_SALT_KEY 15
+#define SRTP_SRTCP_LIFETIME 16
diff --git a/src/gdoi_srtp_protos.h b/src/gdoi_srtp_protos.h
new file mode 100644
index 0000000..19a02aa
--- /dev/null
+++ b/src/gdoi_srtp_protos.h
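Review bot: The rule "Attributes must be in range 1-99" lives only in the comment above the `#define` list, so a later addition can leave the range without any diagnostic. Declaring the values in an anonymous `enum` with a final sentinel and checking that sentinel at compile time would enforce it, if the project's compiler baseline allows. `SRTP_MASTER_KEY` and `SRTP_MASTER_SALT_KEY` tag raw key material handed from GDOI to the application, so I would mark them with `/* value is secret key material: never log or dump */` to warn consumers of this header. The comment text "and in betweeen" is also garbled and should read "between".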
@@ -0,0 +1,76 @@ +/* $Id: gdoi_srtp_protos.h,v 1.1.4.2 2011/12/05 20:31:08 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/gdoi_srtp_protos.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2007 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. 
+ */
+
+/*
+ * SRTP functions referenced by the generic GDOI code
+ */
+int gdoi_srtp_set_policy(char *, struct message *, struct exchange *);
+int gdoi_srtp_decode_tek(struct message *, struct sa *, u_int8_t *, size_t,
+ int);
+int gdoi_srtp_install_keys (struct proto *proto,
+ struct gdoi_kd_decode_arg *keys);
+int gdoi_srtp_deliver_keys(struct message *, struct sa *);
+int gdoi_srtp_get_tek_keys(struct gdoi_kd_decode_arg *, struct proto *);
+int gdoi_srtp_get_policy_from_sa(struct sa *, u_int8_t **, size_t *);
+void srtp_client_init(void);
+u_int8_t *gdoi_srtp_add_attributes(u_int8_t *attr, struct sa *sa);
+
diff --git a/src/gdoid.8 b/src/gdoid.8
new file mode 100644
index 0000000..7db4814
--- /dev/null
+++ b/src/gdoid.8
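Review bot: `gdoi_srtp_add_attributes(u_int8_t *attr, struct sa *sa)` takes a raw write cursor with no indication of how much room is left in the destination buffer. Its implementation in src/gdoi_srtp.c of this commit appends four basic attributes and then the master key and master salt, whose sizes come from 16-bit `master_key_len` and `master_salt_key_len`, so it depends entirely on the caller having sized the buffer generously. I would pass the remaining space and fail cleanly when it is exceeded, e.g. `u_int8_t *gdoi_srtp_add_attributes(u_int8_t *attr, size_t attr_left, struct sa *sa);` returning NULL on overflow. The callers and `attribute_set_var` are outside this hunk, so the change has to be checked against them. The prototypes also name `struct message`, `struct sa`, `struct exchange`, `struct proto` and `struct gdoi_kd_decode_arg` without forward declarations, which makes the header depend on include order.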
@@ -0,0 +1,250 @@ +.\" $OpenBSD: gdoid.8,v 1.24 2001/04/09 21:21:57 ho Exp $ +.\" $EOM: gdoid.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ +.\" +.\" Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. +.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Ericsson Radio Systems. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Ericsson Radio Systems. 
+.\" +.\" Manual page, using -mandoc macros +.\" +.Dd July 31, 1998 +.Dt GDOID 8 +.Os +.Sh NAME +.Nm gdoid +.Nd GDOI group key management daemon +.Sh SYNOPSIS +.Nm gdoid +.Op Fl c Ar config-file +.Op Fl d +.Op Fl D Ar class=level +.Op Fl f Ar fifo +.Op Fl i Ar pid-file +.Op Fl n +.Op Fl p Ar listen-port +.Op Fl P Ar local-port +.Op Fl L +.Op Fl l Ar packetlog-file +.Op Fl r Ar seed +.Op Fl R Ar report-file +.Sh DESCRIPTION +The +.Nm +daemon establishes security associations for encrypted +and/or authenticated group and multicast network traffic. At this moment, +this means +.Xr ipsec 4 +traffic. +.Pp +The gdoid deamon acts in two roles: either as group controller/key server for +a group that distributes keys and policy, or as a group member. +.Pp +A group controller/key server (GCKS) has specific group policy and +cryptographic keys defined for group traffic. The GCKS listens for group +members to register with it. Once contacted by the group member, +it authenticates the group member +and then distributes the policy. Policy includes IPsec SA's, and also GDOI +rekey SAs. The policy is kept in a local configuration file. +.Pp +A group member is configured to register with a GCKS, to get the policy and +keys for a specific group. It too has a configuration file, but one with just +enough configuration to identity and authenticate itself to the GCKS. +If the group member is given IPsec SAs as part of the registreation, it will +try to load them into the kernel with a +.Dv PF_KEY +socket. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl c Ar config-file +If given, the +.Fl c +option specifies an alternate configuration file instead of +.Pa /etc/gdoid/gdoid.conf . +As this file may contain sensitive information, it must be readable +only by the user running the daemon. +.It Fl d +The +.Fl d +option is used to make the daemon run in the foreground, logging to stderr. +.It Xo Fl D +.Ar class Ns No = Ns Ar level +.Xc +Debugging class. 
+This argument is possible to specify many times. +It takes a parameter of the form +.Ar class Ns No = Ns Ar level +where both +.Ar class +and +.Ar level +are numbers. +.Ar class +denotes a debugging class, and +.Ar level +the level you want that debugging class to +limit debug printouts at (i.e., all debug printouts above the level specified +will not output anything). +If +.Ar class +is set to 'A', +then all debugging classes are set to the specified level. +.Pp +Valid values for +.Ar class +are as follows: +.Pp +.Bl -tag -width 1n -compact -offset indent +.It 0 +Misc +.It 1 +Transport +.It 2 +Message +.It 3 +Crypto +.It 4 +Timer +.It 5 +Sysdep +.It 6 +SA +.It 7 +Exchange +.It 8 +Negotiation +.It 9 +Policy +.It A +All +.El +.It Fl f Ar fifo +The +.Fl f +option specifies the +.Tn FIFO +(a.k.a. named pipe) where the daemon listens for +user requests. +If the path given is a dash +.Pq Sq \&- , +.Nm +will listen to stdin instead. +.It Fl i Ar pid-file +By default the PID of the daemon process will be written to +.Pa /var/run/gdoid.pid . +This path can be overridden by specifying another one as the argument to the +.Fl i +option. +.It Fl n +When the +.Fl n +option is given, the kernel will not take part in the negotiations. +This is a non-destructive mode so to say, in that it won't alter any +SAs in the IPsec stack. +.It Fl p Ar listen-port +The +.Fl p +option specifies the listen port the daemon will bind to. +.It Fl P Ar local-port +On the other hand, the port specified to capital +.Fl P +will be what the daemon binds its local end to when acting as +initiator. +.It Fl L +Enable GDOI packet capture. When this option is given, +.Nm +will capture to file an unencrypted copy of the negotiation packets it +is sending and receiveing. This file can later be read by +.Xr tcpdump 8 +and other utilities using +.Xr pcap 3 . +.It Fl l Ar packetlog-file +As option +.Fl L +above, but capture to a specified file. 
+.It Fl r Ar seed +If given a deterministic random number sequence will be used internally. +.It Fl R Ar report-file +When you signal +.Nm +a +.Dv SIGUSR1 +it will report its internal state to a report file, normally +.Pa /var/run/gdoid.report , +but this can be changed by feeding +the file name as an argument to the +.Fl R +flag. +.El +.Sh BUGS +The +.Fl P +flag does not do what we document, rather it does nothing. +.Sh FILES +.Bl -tag -width /var/run/gdoid.report +.It Pa /etc/gdoid/ca/ +The directory where CA certificates can be found. +.It Pa /etc/gdoid/certs/ +The directory where GDOI certificates can be found, both the local +certificate(s) and those of the peers, if a choice to have them kept +permanently has been made. +.It Pa /etc/gdoid/gdoid.conf +The configuration file. As this file can contain sensitive information +it must not be readable by anyone but the user running gdoid. +.It Pa /etc/gdoid/private/local.key +A local private key for certificate based authentication. There has +to be a certificate for this key in the certificate directory mentioned +above. Same mode requirements as gdoid.conf. +.It Pa /var/run/gdoid.fifo +The FIFO used to manually control +.Nm gdoid . +.It Pa /var/run/gdoid.pcap +The default GDOI packet capture file. +.It Pa /var/run/gdoid.report +The report file written when +.Dv SIGUSR1 +is received. +.El +.Sh SEE ALSO +.Xr ipsec 4 , +.Xr gdoid.conf 5 , +.Xr openssl 8 , +.Xr pcap 3 , +.Xr photurisd 8 , +.Xr ssl 8 , +.Xr tcpdump 8 , +.Sh HISTORY +The GDOI key management protocol is described in RFC 3547. It is based on +the ISAKMP/Oakley key management protocol is described in the RFCs +.%T RFC 2407 , +.%T RFC 2408 +and +.%T RFC 2409 . +This gdoid implementation was based on isakmpd, by Niklas Hallqvist and Niels Provos, +sponsored by Ericsson Radio Systems. diff --git a/src/gdoid.conf.5 b/src/gdoid.conf.5 new file mode 100644 index 0000000..1bcd68d --- /dev/null +++ b/src/gdoid.conf.5 
@@ -0,0 +1,792 @@ +.\" $Id: gdoid.conf.5,v 1.3 2005/10/11 17:57:36 bew Exp $ +.\" $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gdoid.conf.5,v $ +.\" +.\" $OpenBSD: gdoid.conf.5,v 1.50 2001/04/05 23:04:53 ho Exp $ +.\" $EOM: gdoid.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ +.\" +.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. +.\" Copyright (c) 2000, 2001 Håkan Olsson. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Ericsson Radio Systems. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" This code was written under funding by Ericsson Radio Systems. +.\" +.\" Manual page, using -mandoc macros +.\" +.Dd August 15, 2003 +.Dt GDOID.CONF 5 +.Os +.Sh NAME +.Nm gdoid.conf +.Nd configuration file for gdoid +.Sh DESCRIPTION +.Nm +is the configuration file for the +.Nm gdoid +daemon managing security association and key management for the +IPSEC layer of the kernel's networking stack. +.Pp +The file is of a well known type of format called .INI style, named after +the suffix used by an overrated windowing environment for its configuration +files. +This format consists of sections, each beginning with a line looking like: +.Bd -literal +[Section name] +.Ed +Between the brackets is the name of the section following this section header. +Inside a section many tag/value pairs can be stored, each one looking like: +.Bd -literal +Tag=Value +.Ed +If the value needs more space than fits on a single line it's possible to +continue it on the next by ending the first with a backslash character +immediately before the newline character. +This method can extend a value for an arbitrary amount of lines. +.Pp +Comments can be put anywhere in the file by using a hash mark +.Pq Sq \&# . +Then the comment goes on to the end of the line. +.Pp +Often the right-hand side values consist of other section names. +This results in a tree structure. +Some values are treated as a list of several scalar values, such lists always +use comma as the separator. 
+Some values are formatted like this: X,Y:Z, which +is an offer/accept syntax, where X is a value we offer and Y:Z is a range of +accepted values, inclusive. +.Pp +.\"XXX Following empty .Ss works around a nroff bug, we want the new line." +.Ss +.Pp +.Ss Roots +.Bl -hang -width 12n +.It Em General +Generic global configuration parameters +.Bl -tag -width 12n +.It Em Retransmits +How many times should a message be retransmitted before giving up. +.It Em Check-interval +The interval between watchdog checks of connections we want up at all times. +.It Em Exchange-max-time +How many seconds should an exchange maximally take to setup +before we give up. +.It Em Listen-on +A list of IP-addresses OK to listen on. +This list is used as +a filter for the set of addresses the interfaces configured +provides. +This means that we won't see if an address given +here does not exist on this host, and thus no error is given for +that case. +.It Em Shared-SADB +If this tag is defined, whatever the value is, some semantics of +.Nm +are changed so that multiple instances can run on top of one SADB +and setup SAs with eachother. +Specifically this means replay +protection will not be asked for, and errors that can occur when +updating an SA with its parameters a 2nd time will be ignored. +.El +.It Em Phase 1 +ISAKMP SA negotiation parameter root +.Bl -tag -width 12n +.It Em +A name of the ISAKMP peer at the given IP-address. +.It Em Default +A name of the default ISAKMP peer. Incoming +Phase 1 connections from other IP-addresses will use this peer name. +.It "" +This name is used as the section name for further information to be found. +Look at below. +.El +.It Em Phase 2 +IPsec SA negotiation parameter root +.Bl -tag -width 12n +.It Em Connections +A list of directed IPSec "connection" names that should be brought up +automatically, either on first use if the system supports it, or at +startup of the daemon. +These names are section names where further information can be found. 
+Look at below. +Normally any connection mentioned here are treated as part of the +"Passive-connection" list we present below, however there is a +flag: "Active-only" that disables this behaviour. +This too is mentioned in the section, in the "Flags" tag. +.It Em Passive-connections +A list of IPSec "connection" names we recognize and accept initiations for. +These names are section names where further information can be found. +Look at below. +Currently only the Local-ID and Remote-ID tags +are looked at in those sections, as they are matched against the IDs given +by the initiator. +.El +.It Em X509-Certificates +.Bl -tag -width 12n +.It Em CA-directory +A directory containing PEM certificates of certification authorities +that we trust to sign other certificates. +The certificates in this directory are used for the actual X.509 +authentication and for cross-referencing policies that refer to +Distinguished Names (DNs). Keeping a separate directory (as opposed +to integrating policies and X.509 CA certificates) allows for maintenance +of a list of "well known" CAs without actually having to trust all (or any) +of them. +.It Em Cert-directory +A directory containing PEM certificates that we trust to be valid. +These certificates are used in preference to those passed in messages and +are required to have a SubjectAltName extension. +.It Em Accept-self-signed +If this tag is defined, whatever the value is, certificates that +do not originate from a trusted CA but are self-signed will be +accepted. +.It Em Private-key +The private key matching the public key of our certificate (which should be +in the "Cert-directory", and have a subjectAltName matching our ID, so far +that is our IP-address). +.El +.El +.Ss Referred-to sections +.Bl -hang -width 12n +.It Em +Parameters for negotiation with an ISAKMP peer +.Bl -tag -width 12n +.It Em Phase +The constant +.Li 1 , +as ISAKMP-peers and Group-specification +really are handled by the same code inside gdoid. 
+.It Em Transport +The name of the transport protocol, defaults to +.Li UDP . +.It Em Port +In case of +.Li UDP , +the +.Li UDP +port number to send to. +This is optional, the +default value is 500 which is the IANA-registered number for ISAKMP. +.It Em Local-address +The Local IP-address to use, if we are multi-homed, or have aliases. +.It Em Address +If existent, the IP-address of the peer. +.It Em Configuration +The name of the ISAKMP-configuration section to use. +Look at below. +.It Em Authentication +If existent, authentication data for this specific peer. +In the case of preshared key, this is the key value itself. +.It Em ID +If existent, the name of the section that describes the +local client ID that we should present to our peer. +If not present, it +defaults to the address of the local interface we are sending packets +over to the remote daemon. +Look at below. +.It Em Remote-ID +If existent, the name of the section that describes the remote client +ID we expect the remote daemon to send us. +If not present, it defaults to the address of the remote daemon. +Look at below. +.It Em Flags +A comma-separated list of flags controlling the further +handling of the ISAKMP SA. +Currently there are no specific ISAKMP SA flags defined. +.El +.It Em +.Bl -tag -width 12n +.It Em ID-type +The ID type as given by the RFCs. +For Phase 1 this is currently +.Li IPV4_ADDR , +.Li IPV4_ADDR_SUBNET , +.Li FQDN , +.Li USER_FQDN , +or +.Li KEY_ID . +.It Em Address +If the ID-type is +.Li IPV4_ADDR , +this tag should exist and be an IP-address. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +this tag should exist and +be a network address. +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +this tag should exist and +be a network subnet mask. +.It Em Name +If the ID-type is +.Li FQDN , +.Li USER_FQDN , +or +.Li KEY_ID , +this tag should exist and contain a domain name, user@domain, or +other identifying string respectively. 
+.El +.It Em +.Bl -tag -width 12n +.It Em DOI +The domain of interpretation as given by the RFCs. +Normally +.Li GDOI . +If unspecified, results in an error. +.It Em EXCHANGE_TYPE +The exchange type as given by the RFCs. +For main mode this is +.Li ID_PROT +and for aggressive mode it is +.Li AGGRESSIVE . +.It Em Transforms +A list of proposed transforms to use for protecting the +ISAKMP traffic. +These are actually names for sections +further describing the transforms. +Look at below. +.El +.It Em +.Bl -tag -width 12n +.It Em ENCRYPTION_ALGORITHM +The encryption algorithm as the RFCs name it, or ANY to denote that any +encryption algorithm proposed will be accepted. +.It Em KEY_LENGTH +For encryption algorithms with variable key length, this is +where the offered/accepted keylengths are described. +The value is of the offer-accept kind described above. +.It Em HASH_ALGORITHM +The hash algorithm as the RFCs name it, or ANY. +.It Em AUTHENTICATION_METHOD +The authentication method as the RFCs name it, or ANY. +.It Em GROUP_DESCRIPTION +The group used for Diffie-Hellman exponentiations, or ANY. +The name are symbolic, like +.Li MODP_768 , MODP_1024 , EC_155 +and +.Li EC_185 . +.It Em PRF +The algorithm to use for the keyed pseudo-random function (used for key +derivation and authentication in Phase 1), or ANY. +.It Em Life +A list of lifetime descriptions, or ANY. +In the former case, each +element is in itself a name of the section that defines the lifetime. +Look at below. +If it is set to ANY, then any type of +proposed lifetime type and value will be accepted. +.El +.It Em +.Bl -tag -width 12n +.It Em LIFE_TYPE +.Li SECONDS +or +.Li KILOBYTES +depending on the type of the duration. +Notice that this field may NOT be set to ANY. +.It Em LIFE_DURATION +An offer/accept kind of value, see above. +Can also be set to ANY. 
+.El +.It Em +.Bl -tag -width 12n +.It Em Phase +The constant +.Li 2 , +as ISAKMP-peers and Group-specification +really are handled by the same code inside gdoid. +.It Em Configuration +The name of the Group-configuration section to use. +Look at below. +.It Em Group-ID +The name of the section that describes the +local group ID for which the is identified. +.El +.It Em +.Bl -tag -width 12n +.It Em DOI +The domain of interpretation as given by the RFCs. Should be +.Li GDOI . +.It Em EXCHANGE_TYPE +The exchange type as given by RFC 3549. +For GDOI Registration this is +.Li PULL_MODE . +.It Em SA-TEKS +On the key server only, a list of statements that describe +particular IPsec SAs. +.It Em SA-KEK +On the key server only, a single statement that describes +the GDOI PUSH_MODE Rekey message. +.El +.It Em +The policy definition and keys associated with a Data SA. The keys (and in the +case of IPsec, the SPI) are used for the first use of the SA. If a GDOI rekey +message sends another SA based on this policy, it will replace the keys and +SPI with random values. +.Bl -tag -width 12n +.It Em Crypto-protocol +The protocol type used to protect the data. The only supported value is +PROTO_IPSEC_ESP. +.It Em Source-ID +The name of the section that describes the +source address or addresses that represent the sender of data packets. +Look at below. +.It Em Dest-ID +The name of the section that describes the +destination address or addresses that represent the destination of data packets. +Look at below. +.It Em SPI +The Security Parameter Index (SPI) value representing this SA. +.It Em TEK_Suite +The which represents the IPsec policy to use for the packets +matching this SA. +.It Em DES_KEY1 +When 3DES is specified in the TEK_Suite, this is the first of the three +3DES keys used when creating the SA. +.It Em DES_KEY2 +When 3DES is specified in the TEK_Suite, this is the second of the three +3DES keys used when creating the SA. 
+.It Em DES_KEY3 +When 3DES is specified in the TEK_Suite, this is the third of the three +3DES keys used when creating the SA. +.It Em AES_KEY +When AES is specified in the TEK_Suite, this is the +key used when creating the SA. +.It Em SHA_KEY +When SHA is specified in the TEK_Suite, this is the SHA key used for +packet authentication. +.El +.It Em +.Bl -tag -width 12n +.It Em Source-ID +The name of the section that describes the +source address that represents the sender of rekey packets. +Look at below. +.It Em Dest-ID +The name of the section that describes the +destination address that represents the destination of the rekey packets. +Look at below. +.It Em SPI +The Security Parameter Index (SPI) value representing this SA. The SPI is the +same as the ISAKMP "cookie pair". +.It Em ENCRYPTION_ALGORITHM +The encryption algorithm used to protect the rekey message. Must be 3DES. +.It Em SIG_HASH_ALGORITHM +The cryptographic algorithm used to digest the rekey message. Must be SHA. +.It Em SIG_ALGORITHM +The cryptographic algorithm used to create a signature for the rekey message. +Must be RSA. +.It Em DES_IV +The value of an Initialization Vector used when the ENCRYPTION_ALGORITHM +requires one. +.It Em DES_KEY1 +When 3DES is specified as the ENCRYPTION_ALGORITHM, +this is the first of the three +3DES keys used to encrypt the rekey message. +.It Em DES_KEY2 +When 3DES is specified as the ENCRYPTION_ALGORITHM, +this is the second of the three +3DES keys used to encrypt the rekey message. +.It Em DES_KEY3 +When 3DES is specified as the ENCRYPTION_ALGORITHM, +this is the third of the three +3DES keys used to encrypt the rekey message. +.It Em +The location in the file system of a DER-encoded keypair. The private key of +this keypair is used by the key server to sign messages. The public key of +this keypair is passed to group members for the purpose of verifying the +authenticity of rekey messages. +.It Em +The period between which rekey messages are sent. 
The rekey messages conatin +replacement SAs for those listed in the part of the +. The rekey period value works best when it is identical +to the lifetime of the IPSec SAs. +.El +.It Em +.Bl -tag -width 12n +.It Em Protocols +A list of the protocols included in this protection suite. +Each of the list elements is a name of an +section. +See below. +.El +.It Em +.Bl -tag -width 12n +.It Em PROTOCOL_ID +The protocol as given by the RFCs. +Acceptable values today are +.Li IPSEC_AH +and +.Li IPSEC_ESP . +.It Em Transforms +A list of transforms usable for implementing the protocol. +Each of the list elements is a name of an +section. +See below. +.It Em ReplayWindow +The size of the window used for replay protection. +This is normally left alone. +Look at the +.Nm ESP +and +.Nm AH +RFCs for a better description. +.El +.It Em +.Bl -tag -width 12n +.It Em TRANSFORM_ID +The transform ID as given by the RFCs. +.It Em ENCAPSULATION_MODE +The encapsulation mode as given by the RFCs. +This means TRANSPORT or TUNNEL. +.It Em AUTHENTICATION_ALGORITHM +The optional authentication algorithm in the case of this +being an ESP transform. +.It Em GROUP_DESCRIPTION +An optional (provides PFS if present) Diffie-Hellman group +description. +The values are the same as GROUP_DESCRIPTION's +in sections shown above. +.It Em Life +List of lifetimes, each element is a section name. +.El +.It Em +.Bl -tag -width 12n +.It Em ID-type +The ID type as given by the RFCs. +For IPSec this is currently +.Li IPV4_ADDR +or +.Li IPV4_ADDR_SUBNET . +.It Em Address +If the ID-type is +.Li IPV4_ADDR , +this tag should exist and be an IP-address. +.It Em Network +If the ID-type is +.Li IPV4_ADDR_SUBNET +this tag should exist and +be a network address. +.It Em Netmask +If the ID-type is +.Li IPV4_ADDR_SUBNET +this tag should exist and +be a network subnet mask. 
+.It Em Protocol +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV4_ADDR_SUBNET , +this tag indicates what transport protocol should be transmitted over +the SA. +If left unspecified, all transport protocols between the two address +(ranges) will be sent (or permitted) over that SA. +.It Em Port +If the ID-type is +.Li IPV4_ADDR +or +.Li IPV4_ADDR_SUBNET , +this tag indicates what source or destination port is allowed to be +transported over the SA (depending on whether this is a local or +remote ID). +If left unspecified, all ports of the given transport protocol +will be transmitted (or permitted) over the SA. +The Protocol tag must be specified in conjunction with this tag. +.El +.Sh EXAMPLES +.Pp + +EXAMPLE 1: An example of a key server configuration file: +.Pp +.Bd -literal + +# +# A configuration sample for testing GDOI. +# This is the key server side. +# + +[General] +Retransmits= 5 +Exchange-max-time= 120 +Listen-on= 127.0.0.2 + +# Incoming phase 1 negotiations are multiplexed on the source IP address +[Phase 1] +127.0.0.1= GDOI-loopback-1 +127.0.0.3= GDOI-loopback-3 + +# These connections are walked over after config file parsing and told +# to the application layer so that it will inform us when traffic wants to +# pass over them. This means we can do on-demand keying. 
+[Phase 2] +Passive-Connections= Group-1234 + +[GDOI-loopback-1] +Phase= 1 +Transport= udp +Local-address= 127.0.0.2 +Address= 127.0.0.1 +Configuration= Default-main-mode +Authentication= mekmitasdigoat + +[GDOI-loopback-3] +Phase= 1 +Transport= udp +Local-address= 127.0.0.2 +Address= 127.0.0.3 +Configuration= Default-main-mode +Authentication= mekmitasdigoat + +[Group-1234] +Phase= 2 +#ISAKMP-peer= GDOI-loopback-1 +Configuration= Default-group-mode +Group-ID= Group-1 + +[Group-1] +ID-type= KEY_ID +Key-value= 1234 + +# Main mode descriptions + +[Default-main-mode] +DOI= GROUP +EXCHANGE_TYPE= ID_PROT +Transforms= 3DES-SHA + +# Main mode transforms +###################### + +# 3DES + +[3DES-SHA] +ENCRYPTION_ALGORITHM= 3DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_3600_SECS + +# Lifetimes + +[LIFE_60_SECS] +LIFE_TYPE= SECONDS +LIFE_DURATION= 60,45:72 + +[LIFE_3600_SECS] +LIFE_TYPE= SECONDS +LIFE_DURATION= 3600,1800:7200 + +# GDOI description +######################## + +# 3DES + +[GDOI-ESP-3DES-SHA-XF] +TRANSFORM_ID= 3DES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_3600_SECS + +# AES + +[GDOI-ESP-AES-SHA-XF] +TRANSFORM_ID= AES +ENCAPSULATION_MODE= TUNNEL +AUTHENTICATION_ALGORITHM= HMAC_SHA +Life= LIFE_3600_SECS + +# Group mode description +######################## + +[Default-group-mode] +DOI= GROUP +EXCHANGE_TYPE= PULL_MODE +# +SA-KEK= GROUP2-KEK +SA-TEKS= GROUP1-TEK1,GROUP1-TEK2 + +[GROUP2-KEK] +Src-ID= Group-kek-src +Dst-ID= Group-kek-dst +SPI= abcdefgh01234567 +ENCRYPTION_ALGORITHM= 3DES +SIG_HASH_ALGORITHM= SHA +SIG_ALGORITHM= RSA +DES_IV= IVIVIVIV +DES_KEY1= ABCDEFGH +DES_KEY2= IJKLMNOP +DES_KEY3= QRSTUVWX +RSA-Keypair= /usr/local/gdoi/tests/rsakeys.der +REKEY_PERIOD= 30 + +[Group-kek-src] +ID-type= IPV4_ADDR +Address= 127.0.0.2 +Port= 2400 + +[Group-kek-dst] +ID-type= IPV4_ADDR +#Address= 172.23.56.253 +Address= 239.11.1.1 +Port= 848 + +# Src-ID and Dst-ID are the 
addresses for the IP ESP packet. +[GROUP1-TEK1] +Crypto-protocol= PROTO_IPSEC_ESP +Src-ID= Group-tek1-src +Dst-ID= Group-tek1-dst +# SPI is 0x1122aabb +SPI= 287484603 +TEK_Suite= GDOI-ESP-3DES-SHA-SUITE +DES_KEY1= ABCDEFGH +DES_KEY2= IJKLMNOP +DES_KEY3= QRSTUVWX +SHA_KEY= 12345678901234567890 + +[Group-tek1-src] +ID-type= IPV4_ADDR +Address= 172.19.137.42 +Port= 1024 + +[Group-tek1-dst] +ID-type= IPV4_ADDR +Address= 239.192.1.1 +Port= 1024 + +# Src-ID and Dst-ID are the addresses for the IP ESP packet. +[GROUP1-TEK2] +Src-ID= Group-tek2-src +Dst-ID= Group-tek2-dst +# SPI is 0x3344ccdd +SPI= 860146909 +TEK_Suite= GDOI-ESP-AES-SHA-SUITE +AES_KEY= ABCDEFGHIJKLMNOP +SHA_KEY= 01234567890123456789 + +[Group-tek2-src] +ID-type= IPV4_ADDR +Address= 172.19.137.42 +Port= 512 + +[Group-tek2-dst] +ID-type= IPV4_ADDR +Address= 239.192.1.2 +Port= 512 + +[GDOI-ESP-3DES-SHA-SUITE] +Protocols= GDOI-ESP-3DES-SHA + +[GDOI-ESP-3DES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= GDOI-ESP-3DES-SHA-XF + +[GDOI-ESP-AES-SHA-SUITE] +Protocols= GDOI-ESP-AES-SHA + +[GDOI-ESP-AES-SHA] +PROTOCOL_ID= IPSEC_ESP +Transforms= GDOI-ESP-AES-SHA-XF + +EXAMPLE 2: An example of a group member configuration file: + + +# +# A configuration sample for testing GDOI. +# This is the client (group member) side. +# + +[General] +Retransmits= 5 +Exchange-max-time= 120 +Listen-on= 127.0.0.1 +check-interval= 86400 + +# Incoming phase 1 negotiations are multiplexed on the source IP address +[Phase 1] +127.0.0.2= ISAKMP-peer-gcks + +# These connections are walked over after config file parsing and told +# to the application layer so that it will inform us when traffic wants to +# pass over them. This means we can do on-demand keying. 
+[Phase 2] +Connections= Group-1234 + +[ISAKMP-peer-gcks] +Phase= 1 +Transport= udp +Local-address= 127.0.0.1 +Address= 127.0.0.2 +Configuration= Default-main-mode +Authentication= mekmitasdigoat + +[Group-1234] +Phase= 2 +ISAKMP-peer= ISAKMP-peer-gcks +Configuration= Default-group-mode +Group-ID= Group-1 + +[Group-1] +ID-type= KEY_ID +Key-value= 1234 + +# Main mode descriptions + +[Default-main-mode] +DOI= GROUP +EXCHANGE_TYPE= ID_PROT +Transforms= 3DES-SHA + +# Main mode transforms +###################### + + +# 3DES + +[3DES-SHA] +ENCRYPTION_ALGORITHM= 3DES_CBC +HASH_ALGORITHM= SHA +AUTHENTICATION_METHOD= PRE_SHARED +GROUP_DESCRIPTION= MODP_1024 +Life= LIFE_3600_SECS + +# Lifetimes + +[LIFE_3600_SECS] +LIFE_TYPE= SECONDS +LIFE_DURATION= 3600,1800:7200 + +# Group mode description +######################## + +[Default-group-mode] +DOI= GROUP +EXCHANGE_TYPE= PULL_MODE + +.Ed +.Sh SEE ALSO +.Xr ipsec 4 , +.Xr gdoid 8 diff --git a/src/genconstants.sh b/src/genconstants.sh new file mode 100644 index 0000000..9d25a77 --- /dev/null +++ b/src/genconstants.sh 
@@ -0,0 +1,121 @@ +# $Id: genconstants.sh,v 1.2 2002/05/10 04:25:13 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/genconstants.sh,v $ + +# $OpenBSD: genconstants.sh,v 1.8 2001/01/27 12:03:32 niklas Exp $ +# $EOM: genconstants.sh,v 1.6 1999/04/02 01:15:53 niklas Exp $ + +# +# Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Ericsson Radio Systems. +# 4. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# + +# +# This code was written under funding by Ericsson Radio Systems. +# + +base=`basename $1` +upcased_name=`echo $base |tr a-z A-Z` + +awk=${AWK:-awk} + +locase_function='function locase (str) { + cmd = "echo " str " |tr A-Z a-z" + cmd | getline retval; + close (cmd); + return retval; +}' + +$awk " +$locase_function +"' +BEGIN { + print "/* DO NOT EDIT-- this file is automatically generated. */\n" + print "#ifndef _'$upcased_name'_H_" + print "#define _'$upcased_name'_H_\n" + print "#include \"sysdep.h\"\n" + print "#include \"constants.h\"\n" +} + +/^[#.]/ { + next +} + +/^[^ ]/ { + prefix = $1 + printf ("extern struct constant_map %s_cst[];\n\n", locase(prefix)); + next +} + +/^[ ]/ && $1 { + printf ("#define %s_%s %s\n", prefix, $1, $2) + next +} + +{ + print +} + +END { + printf ("\n") + print "#endif /* _'$upcased_name'_H_ */" +} +' <$1.cst >$base.h + +$awk " +$locase_function +"' +BEGIN { + print "/* DO NOT EDIT-- this file is automatically generated. */\n" + print "#include \"sysdep.h\"\n" + print "#include \"constants.h\"" + print "#include \"'$base'.h\"\n" +} + +/^#/ { + next +} + +/^\./ { + print " { 0, 0 }\n};\n" + next +} + +/^[^ ]/ { + prefix = $1 + printf ("struct constant_map %s_cst[] = {\n", locase(prefix)) + next +} + +/^[ ]/ && $1 { + printf (" { %s_%s, \"%s\", %s }, \n", prefix, $1, $1, $3 ? $3 : 0) + next +} + +{ + print +} +' <$1.cst >$base.c diff --git a/src/genfields.sh b/src/genfields.sh new file mode 100644 index 0000000..9085579 --- /dev/null +++ b/src/genfields.sh 
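Review bot: The `locase` awk helper lower-cases a name by building a shell command from it (`cmd = "echo " str " |tr A-Z a-z"`), so the first field of every section line in the `.cst` input is interpreted by `sh` at build time, and `retval` keeps its previous value if `getline` fails. The `tolower()` built-in of POSIX awk gives the same result without spawning a shell, so the two call sites can become `tolower(prefix)` and the `locase_function` string can be dropped. The same helper is repeated in the genfields.sh hunk that follows.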
@@ -0,0 +1,253 @@ +# $Id: genfields.sh,v 1.4 2005/10/11 17:57:36 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/genfields.sh,v $ + +# $OpenBSD: genfields.sh,v 1.6 2001/01/27 12:03:32 niklas Exp $ +# $EOM: genfields.sh,v 1.5 1999/04/02 01:15:55 niklas Exp $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2001 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. 
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# +# Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. 
Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Ericsson Radio Systems. +# 4. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +# +# This code was written under funding by Ericsson Radio Systems. +# + +base=`basename $1` +upcased_name=`echo $base |tr a-z A-Z` + +awk=${AWK:-awk} + +locase_function='function locase (str) { + cmd = "echo " str " |tr A-Z a-z" + cmd | getline retval; + close (cmd); + return retval; +}' + +$awk " +$locase_function +"' +BEGIN { + print "/* DO NOT EDIT-- this file is automatically generated. 
*/\n" + print "#ifndef _'$upcased_name'_H_" + print "#define _'$upcased_name'_H_\n" + + print "#include \"sysdep.h\"\n" + print "#include \"field.h\"\n" + + print "struct constant_map;\n" +} + +/^#/ { + next +} + +/^\./ { + printf ("#define %s_SZ %d\n", prefix, off) + size[prefix] = off + next +} + +/^[^ ]/ { + prefix = $1 + printf ("extern struct field %s_fld[];\n\n", locase(prefix)); + if ($3) + { + off = size[$3] + } + else + { + off = 0 + } + i = 0 + next +} + +/^[ ]/ && $1 { + printf ("#define %s_%s_OFF %d\n", prefix, $1, off) + if ($3) + { + printf ("#define %s_%s_LEN %d\n", prefix, $1, $3) + } + if ($4) + { + printf ("extern struct constant_map *%s_%s_maps[];\n", locase(prefix), + locase($1)) + } + if ($2 == "raw") + { + printf ("#define GET_%s_%s(buf, val) ", prefix, $1) + printf ("field_get_raw (%s_fld + %d, buf, val)\n", locase(prefix), i) + printf ("#define SET_%s_%s(buf, val) ", prefix, $1) + printf ("field_set_raw (%s_fld + %d, buf, val)\n", locase(prefix), i) + } + else + { + printf ("#define GET_%s_%s(buf) field_get_num (%s_fld + %d, buf)\n", + prefix, $1, locase(prefix), i) + printf ("#define SET_%s_%s(buf, val) ", prefix, $1) + printf ("field_set_num (%s_fld + %d, buf, val)\n", locase(prefix), i) + } + off += $3 + i++ + next +} + +{ + print +} + +END { + printf ("\n") + print "#endif /* _'$upcased_name'_H_ */" +} +' <$1.fld >$base.h + +$awk " +$locase_function +"' +BEGIN { + print "/* DO NOT EDIT-- this file is automatically generated. 
*/\n" + print "#include \"sysdep.h\"\n" + print "#include \"constants.h\"" + print "#include \"field.h\"" + print "#include \"'$base'.h\"" + print "#include \"isakmp_num.h\"" + print "#include \"ipsec_num.h\"\n" + print "#include \"gdoi_num.h\"\n" +} + +/^#/ { + next +} + +/^\./ { + print " { 0, 0, 0, 0, 0 }\n};\n" + size[prefix] = off + for (map in maps) + { + printf ("struct constant_map *%s_%s_maps[] = { ", locase(prefix), + locase(map)) + printf ("%s,0 };\n", maps[map]) + } + next +} + +/^[^ ]/ { + prefix = $1 + printf ("struct field %s_fld[] = {\n", locase(prefix)) + if ($3) + { + off = size[$3] + } + else + { + off = 0 + } + delete maps + next +} + +/^[ ]/ && $1 { + if ($4) + { + maps_name = locase(prefix)"_"locase($1)"_maps" + maps[$1] = $4 + } + else + { + maps_name = "0" + } + printf (" { \"%s\", %d, %d, %s, %s }, \n", $1, off, $3, $2, maps_name) + off += $3 + next +} + +{ + print +} +' <$1.fld >$base.c diff --git a/src/gmp_util.c b/src/gmp_util.c new file mode 100644 index 0000000..b491f0c --- /dev/null +++ b/src/gmp_util.c 
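Review bot: Both redirections (`<$1.fld >$base.h` and `<$1.fld >$base.c`) truncate the output before awk runs, and the script never checks awk's exit status, so a failed or interrupted run leaves a partial generated file in place under its final name. Writing to a temporary name and renaming on success avoids that, e.g. `$awk ... <"$1.fld" >"$base.h.tmp" && mv "$base.h.tmp" "$base.h"`. `$1` and `$base` are also unquoted throughout, including the basename assignment, so a path containing whitespace is split into several words. genconstants.sh has the same pattern with `.cst`.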
@@ -0,0 +1,115 @@
+/* $Id: gmp_util.c,v 1.2 2002/05/10 04:25:13 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gmp_util.c,v $ */
+
+/* $OpenBSD: gmp_util.c,v 1.9 2000/10/07 07:00:08 niklas Exp $ */
+/* $EOM: gmp_util.c,v 1.7 2000/09/18 00:01:47 ho Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2000 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+
+#include "sysdep.h"
+
+#include "gmp_util.h"
+#include "math_mp.h"
+
+/* Various utility functions for gmp, used in more than one module */
+
+u_int32_t
+mpz_sizeinoctets (math_mp_t a)
+{
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ return (7 + mpz_sizeinbase (a, 2)) >> 3;
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ return BN_num_bytes (a);
+#endif
+}
+
+void
+mpz_getraw (u_int8_t *raw, math_mp_t v, u_int32_t len)
+{
+ math_mp_t a;
+
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ math_mp_t tmp;
+
+ /* XXX mpz_get_str (raw, BASE, v); ? */
+ mpz_init_set (a, v);
+ mpz_init (tmp);
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ /* XXX bn2bin? */
+ a = BN_dup (v);
+#endif
+
+ while (len-- > 0)
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ raw[len] = mpz_fdiv_qr_ui (a, tmp, a, 256);
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ raw[len] = BN_div_word (a, 256);
+#endif
+
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ mpz_clear (a);
+ mpz_clear (tmp);
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ BN_clear_free (a);
+#endif
+}
+
+void
+mpz_setraw (math_mp_t d, u_int8_t *s, u_int32_t l)
+{
+ u_int32_t i;
+
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ /* XXX mpz_set_str (d, s, 0); */
+ mpz_set_si (d, 0);
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ /* XXX bin2bn? */
+ BN_set_word (d, 0);
+#endif
+ for (i = 0; i < l; i++)
+ {
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+ mpz_mul_ui (d, d, 256);
+ mpz_add_ui (d, d, s[i]);
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+ BN_mul_word (d, 256);
+ BN_add_word (d, s[i]);
+#endif
+ }
+}
+
diff --git a/src/gmp_util.h b/src/gmp_util.h
new file mode 100644
index 0000000..3a5413e
--- /dev/null
+++ b/src/gmp_util.h
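Review bot: In `mpz_getraw` the OpenSSL branch passes the result of `BN_dup (v)` to `BN_div_word` without a NULL check, and both branches write only the low `len` octets, silently dropping the rest when `v` is wider than the buffer. Because the function returns `void` the caller cannot detect either case; consider returning `int` and starting with `if (mpz_sizeinoctets (v) > len) return -1;`, plus `if (a == NULL) return -1;` after the `BN_dup`, with the prototype in gmp_util.h changed to match. The working copy is released with `BN_clear_free` under OpenSSL but with plain `mpz_clear` under GMP, so if these values are key material (the callers are outside this hunk) the GMP build leaves the copy unwiped in freed memory.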
@@ -0,0 +1,50 @@
+/* $Id: gmp_util.h,v 1.2 2002/05/10 04:25:13 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/gmp_util.h,v $ */
+
+/* $OpenBSD: gmp_util.h,v 1.6 2000/06/08 20:49:08 niklas Exp $ */
+/* $EOM: gmp_util.h,v 1.4 2000/05/08 13:42:11 ho Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 2000 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _GMP_UTIL_H_
+#define _GMP_UTIL_H_
+
+#include "math_mp.h"
+
+u_int32_t mpz_sizeinoctets (math_mp_t);
+void mpz_getraw (u_int8_t *, math_mp_t, u_int32_t);
+void mpz_setraw (math_mp_t, u_int8_t *, u_int32_t);
+
+#endif /* _GMP_UTIL_H_ */
diff --git a/src/hash.c b/src/hash.c
new file mode 100644
index 0000000..cef82bc
--- /dev/null
+++ b/src/hash.c
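Review bot: The three prototypes omit parameter names and carry no comment, so the header does not show that `mpz_getraw` takes (buffer, value, length) while `mpz_setraw` takes (value, buffer, length), or that the length is a byte count. Naming the parameters as the definitions in gmp_util.c do, and marking the input of `mpz_setraw` const (with the definition changed to match), makes the contract readable: `void mpz_getraw (u_int8_t *raw, math_mp_t v, u_int32_t len);` and `void mpz_setraw (math_mp_t d, const u_int8_t *s, u_int32_t l);`. A one-line comment stating that `mpz_getraw` fills exactly `len` octets, most significant first, would cover the rest.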
@@ -0,0 +1,149 @@ +/* $Id: hash.c,v 1.4 2007/03/21 20:02:58 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/hash.c,v $ */ + +/* $OpenBSD: hash.c,v 1.6 2001/04/15 16:09:16 ho Exp $ */ +/* $EOM: hash.c,v 1.10 1999/04/17 23:20:34 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include + +#include "sysdep.h" + +#include "hash.h" + +void hmac_init (struct hash *, unsigned char *, int); +void hmac_final (unsigned char *, struct hash *); + +/* Temporary hash contexts. */ +static union { + MD5_CTX md5ctx; + SHA_CTX sha1ctx; + SHA256_CTX sha256ctx; +} Ctx, Ctx2; + +/* Temporary hash digest. */ +static unsigned char digest[HASH_MAX]; + +/* Encapsulation of hash functions. */ + +static struct hash hashes[] = { + { HASH_MD5, 5, MD5_SIZE, (void *)&Ctx.md5ctx, (char *)digest, + sizeof (MD5_CTX), (void *)&Ctx2.md5ctx, + (void (*) (void *))MD5_Init, + (void (*) (void *, unsigned char *, unsigned int))MD5_Update, + (void (*) (unsigned char *, void *))MD5_Final, + hmac_init, hmac_final }, + { HASH_SHA1, 6, SHA1_SIZE, (void *)&Ctx.sha1ctx, (char *)digest, + sizeof (SHA_CTX), (void *)&Ctx2.sha1ctx, + (void (*) (void *))SHA1_Init, + (void (*) (void *, unsigned char *, unsigned int))SHA1_Update, + (void (*) (unsigned char *, void *))SHA1_Final, + hmac_init, hmac_final }, + { HASH_SHA256, 7, SHA256_SIZE, (void *)&Ctx.sha256ctx, (char *)digest, + sizeof (SHA256_CTX), (void *)&Ctx2.sha256ctx, + (void (*) (void *))SHA256_Init, + (void (*) (void *, unsigned char *, unsigned int))SHA256_Update, + (void (*) (unsigned char *, void *))SHA256_Final, + hmac_init, hmac_final }, +}; + +struct hash * +hash_get (enum hashes hashtype) +{ + int i; + + for (i = 0; i < sizeof hashes / sizeof hashes[0]; i++) + if (hashtype == hashes[i].type) + return &hashes[i]; + + return 0; +} + +/* + * Initial a hash for HMAC usage this requires a special init function. + * ctx, ctx2 hold the contexts, if you want to use the hash object for + * something else in the meantime, be sure to store the contexts somewhere. 
+ */
+
+void
+hmac_init (struct hash *hash, unsigned char *okey, int len)
+{
+ int i, blocklen = HMAC_BLOCKLEN;
+ unsigned char key[HMAC_BLOCKLEN];
+
+ if (len > blocklen)
+ {
+ /* Truncate key down to blocklen */
+ hash->Init (hash->ctx);
+ hash->Update (hash->ctx, okey, len);
+ hash->Final (key, hash->ctx);
+ }
+ else
+ {
+ memset (key, 0, blocklen);
+ memcpy (key, okey, len);
+ }
+
+ /* HMAC I and O pad computation */
+ for (i = 0; i < blocklen; i++)
+ key[i] ^= HMAC_IPAD_VAL;
+
+ hash->Init (hash->ctx);
+ hash->Update (hash->ctx, key, blocklen);
+
+ for (i = 0; i < blocklen; i++)
+ key[i] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
+
+ hash->Init (hash->ctx2);
+ hash->Update (hash->ctx2, key, blocklen);
+
+ memset (key, 0, blocklen);
+}
+
+/*
+ * HMAC Final function
+ */
+
+void
+hmac_final (unsigned char *digest, struct hash *hash)
+{
+ hash->Final (digest, hash->ctx);
+ hash->Update (hash->ctx2, digest, hash->hashsize);
+ hash->Final (digest, hash->ctx2);
+}
diff --git a/src/hash.h b/src/hash.h
new file mode 100644
index 0000000..024e335
--- /dev/null
+++ b/src/hash.h
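Review bot: In `hmac_init`, the `len > blocklen` branch lets `hash->Final` write at most `HASH_MAX` (32) bytes of digest into the 64-byte `key` array and never zeroes the rest, because `memset (key, 0, blocklen);` sits in the `else` branch only; for long keys the ipad and opad blocks are therefore built from uninitialised stack bytes and the HMAC is neither standard nor reproducible. Moving that `memset (key, 0, blocklen);` above the `if` covers both branches. `len` is a signed `int` handed straight to `memcpy`, so a negative value takes the `else` branch and converts to a huge size; an unsigned length (changed together with the prototype and the `HMACInit` member in hash.h) or an explicit range check would close that. The closing `memset` of `key` is a dead store a compiler may drop, so the key scrub is better done with `explicit_bzero` where the platform provides it.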
@@ -0,0 +1,80 @@ +/* $Id: hash.h,v 1.3 2007/03/21 20:02:59 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/hash.h,v $ */ + +/* $OpenBSD: hash.h,v 1.3 1998/11/17 11:10:11 niklas Exp $ */ +/* $EOM: hash.h,v 1.6 1998/07/25 22:04:36 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _HASH_H_ +#define _HASH_H_ + +/* Normal mode hash encapsulation */ + +#define MD5_SIZE 16 +#define SHA1_SIZE 20 +#define SHA256_SIZE 32 +#define HASH_MAX SHA256_SIZE + +enum hashes { + HASH_MD5 = 0, + HASH_SHA1, + HASH_SHA256 +}; + +struct hash { + enum hashes type; + int id; /* ISAKMP/Oakley ID */ + u_int8_t hashsize; /* Size of the hash */ + void *ctx; /* Pointer to a context, for HMAC ictx */ + char *digest; /* Pointer to a digest */ + int ctxsize; + void *ctx2; /* Pointer to a 2nd context, for HMAC octx */ + void (*Init) (void *); + void (*Update) (void *, unsigned char *, unsigned int); + void (*Final) (unsigned char *, void *); + void (*HMACInit) (struct hash *, unsigned char *, int); + void (*HMACFinal) (unsigned char *, struct hash *); +}; + +/* HMAC Hash Encapsulation */ + +#define HMAC_IPAD_VAL 0x36 +#define HMAC_OPAD_VAL 0x5C +#define HMAC_BLOCKLEN 64 + +extern struct hash *hash_get (enum hashes); +extern void hmac_init (struct hash *, unsigned char *, int); + +#endif /* _HASH_H_ */ diff --git a/src/iec90_5_fld.fld b/src/iec90_5_fld.fld new file mode 100644 index 0000000..3115110 --- /dev/null +++ b/src/iec90_5_fld.fld 
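Review bot: `hmac_final` is defined with external linkage in hash.c, but this header declares only `hmac_init`, and hash.c compensates with its own local prototypes. Adding `extern void hmac_final (unsigned char *, struct hash *);` next to the `hmac_init` declaration lets the compiler check the definition and every caller against a single prototype. A comment on `struct hash` should also say that `ctx`, `ctx2` and `digest` point at file-scope buffers in hash.c (the table there initialises them from one static union and one static digest array), so the object returned by `hash_get` is shared state and two HMAC computations cannot be interleaved.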
@@ -0,0 +1,95 @@ +# $Id: iec90_5_fld.fld,v 1.1.2.1 2011/12/12 20:43:48 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/iec90_5_fld.fld,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2011 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. 
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# GDOI Security association payload. +IEC90_5_ID + ID num 1 + PAYLOAD_LEN num 2 + TAG num 1 + OID_LEN num 1 +. + +IEC90_5_TEK_P1 + TAG num 1 + OID_SZ num 2 +. + +IEC90_5_TEK_P2 + CUR_KEY_ID num 1 + LT_ID num 1 + LT_V num 1 + RES num 1 + LT num 4 + AUTH_ALG_ID num 1 + AUTH_ALG num 2 + KEY_LEN num 2 +. 
+ +IEC90_5_KD + LT_ID num 1 + LT_V num 1 + RES num 2 + LT num 4 + AUTH_ALG_ID num 1 + AUTH_ALG num 2 + KEY_LEN num 2 +. diff --git a/src/iec90_5_num.cst b/src/iec90_5_num.cst new file mode 100644 index 0000000..ce1dd5f --- /dev/null +++ b/src/iec90_5_num.cst 
@@ -0,0 +1,90 @@ +# $Id: iec90_5_num.cst,v 1.1.2.1 2011/12/12 20:43:48 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/iec90_5_num.cst,v $ + +# +# The license applies to all software incorporated in the "Cisco GDOI reference +# implementation" except for those portions incorporating third party software +# specifically identified as being licensed under separate license. +# +# +# The Cisco Systems Public Software License, Version 1.0 +# Copyright (c) 2011 Cisco Systems, Inc. All rights reserved. +# Subject to the following terms and conditions, Cisco Systems, Inc., +# hereby grants you a worldwide, royalty-free, nonexclusive, license, +# subject to third party intellectual property claims, to create +# derivative works of the Licensed Code and to reproduce, display, +# perform, sublicense, distribute such Licensed Code and derivative works. +# All rights not expressly granted herein are reserved. +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# 3. The names Cisco and "Cisco GDOI reference implementation" must not +# be used to endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# opensource@cisco.com. +# 4. Products derived from this software may not be called +# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or +# "Cisco GDOI reference implementation" appear in +# their name, without prior written permission of Cisco Systems, Inc. 
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR +# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT +# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF +# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO +# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH +# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH +# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR +# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT +# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU +# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO +# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) +# (US$5,000). +# +# ==================================================================== +# This software consists of voluntary contributions made by Cisco Systems, +# Inc. and many individuals on behalf of Cisco Systems, Inc. For more +# information on Cisco Systems, Inc., please see . +# +# This product includes software developed by Ericsson Radio Systems. +# + +# +# ISAKMP IEC90-5 TEK numbers. +# + +# The ordinal IEC90_5_ID values are for easier manipulation whne parsing the configuration +# file. The actual OID values are documented in gdoi_iec90_5.h. +# +# The purpose of IEC90_5_DUMMY below is also for easier parsing. Lower case 'iec90_5_id' +# must match the upper caes IEC90_5_ID following. 
The *_cst value actually should be placed
+# following IEC90_5 in ipsec_num.cst, but then it would create a modularity problem when
+# GDOID is configured without IEC90-5 support.
+
+IEC90_5_DUMMY
+ DUMMY 1 iec90_5_id_cst
+.
+
+IEC90_5_ID
+ 61850_ETHERNET_GOOSE 1
+ 61850_UDP_ADDR_GOOSE 2
+.
+
+IEC90_5_KD
+ 61850_ETHERENT_GOOSE_OR_SV 192
+ 61850_90_5_SESSION 193
+ 61850_8_1_ISO9506 194
+ 61850_UDP_IP_AGGR 195
+ 61850_UDP_MNGT 196
+.
diff --git a/src/if.c b/src/if.c
new file mode 100644
index 0000000..d55358b
--- /dev/null
+++ b/src/if.c
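Review bot: The `IEC90_5_KD` entry `61850_ETHERENT_GOOSE_OR_SV` misspells ETHERNET, while the `IEC90_5_ID` block just above spells it `61850_ETHERNET_GOOSE`. If constant names are generated from this file, as the header comment about `iec90_5_id_cst` suggests, the typo becomes part of every identifier that refers to the value, so renaming it to `61850_ETHERNET_GOOSE_OR_SV` is cheapest now, before code depends on it. The header comment also has "whne" and "caes" where "when" and "case" are meant.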
@@ -0,0 +1,143 @@ +/* $Id: if.c,v 1.3 2003/09/05 21:14:25 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/if.c,v $ */ + +/* $OpenBSD: if.c,v 1.7 1999/10/01 14:08:26 niklas Exp $ */ +/* $EOM: if.c,v 1.12 1999/10/01 13:45:20 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include "config.h" +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "log.h" +#include "if.h" + +/* XXX Unsafe if either x or y has side-effects. */ +#define MAX(x, y) ((x) > (y) ? (x) : (y)) + +/* Most boxes has less than 16 interfaces, so this might be a good guess. */ +#define INITIAL_IFREQ_COUNT 16 + +/* + * Get all network interface configurations. + * Return 0 if successful, -1 otherwise. + */ +int +siocgifconf (struct ifconf *ifcp) +{ + int s; + int len; + caddr_t buf, new_buf; + + /* Get a socket to ask for the network interface configurations. */ + s = socket (AF_INET, SOCK_DGRAM, 0); + if (s == -1) + { + log_error ("siocgifconf: socket (AF_INET, SOCK_DGRAM, 0) failed"); + return -1; + } + + len = sizeof (struct ifreq) * INITIAL_IFREQ_COUNT; + buf = 0; + while (1) + { + /* + * Allocate a larger buffer each time around the loop and get the + * network interfaces configurations into it. + */ + ifcp->ifc_len = len; + new_buf = realloc (buf, len); + if (!new_buf) + { + log_error ("siocgifconf: realloc (%p, %d) failed", buf, len); + goto err; + } + ifcp->ifc_buf = buf = new_buf; + if (ioctl (s, SIOCGIFCONF, ifcp) == -1) + { + log_error ("siocgifconf: ioctl (%s, SIOCGIFCONF, ...) failed", s); + goto err; + } + + /* + * If there is place for another ifreq we can be sure that the buffer + * was big enough, otherwise double the size and try again. 
+ */ + if (len - ifcp->ifc_len >= sizeof (struct ifreq)) + break; + len *= 2; + } + close (s); + return 0; + +err: + if (buf) + free (buf); + close (s); + return -1; +} + +int +if_map (void (*func) (struct ifreq *, void *), void *arg) +{ + struct ifconf ifc; + struct ifreq *ifrp; + caddr_t limit, p; + size_t len; + + if (siocgifconf (&ifc)) + return -1; + + limit = ifc.ifc_buf + ifc.ifc_len; + for (p = ifc.ifc_buf; p < limit; p += len) + { + ifrp = (struct ifreq *)p; + (*func) (ifrp, arg); +#ifdef USE_OLD_SOCKADDR + len = sizeof ifrp->ifr_name + sizeof ifrp->ifr_addr; +#else + len = sizeof ifrp->ifr_name + + MAX (ifrp->ifr_addr.sa_len, sizeof ifrp->ifr_addr); +#endif + } + free (ifc.ifc_buf); + return 0; +} diff --git a/src/if.h b/src/if.h new file mode 100644 index 0000000..c20134d --- /dev/null +++ b/src/if.h 
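Review bot: The ioctl failure path in `siocgifconf` formats the socket descriptor `s`, an `int`, with `%s` in `log_error ("siocgifconf: ioctl (%s, SIOCGIFCONF, ...) failed", s);`; assuming `log_error` is printf-style, as the `%p, %d` call a few lines earlier suggests, that is undefined behaviour and will typically fault by treating the descriptor value as a string pointer just when the error needs to be reported. The line should read `log_error ("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) failed", s);`. In the same loop `len *= 2` has no upper bound and `len - ifcp->ifc_len >= sizeof (struct ifreq)` compares an `int` expression with a `size_t`, so a cap on `len` before doubling would keep the retry from overflowing the signed length.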
@@ -0,0 +1,51 @@ +/* $Id: if.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/if.h,v $ */ + +/* $OpenBSD: if.h,v 1.3 1998/11/17 11:10:12 niklas Exp $ */ +/* $EOM: if.h,v 1.2 1998/07/07 23:35:58 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _IF_H_ +#define _IF_H_ + +#include + +struct ifreq; +struct ifconf; + +extern int if_map (void (*) (struct ifreq *, void *), void *); +extern int siocgifconf (struct ifconf *); + +#endif /* _IF_H_ */ diff --git a/src/ike_aggressive.c b/src/ike_aggressive.c new file mode 100644 index 0000000..3673160 --- /dev/null +++ b/src/ike_aggressive.c 
@@ -0,0 +1,171 @@ +/* $Id: ike_aggressive.c,v 1.2 2002/05/10 04:25:14 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_aggressive.c,v $ */ + +/* $OpenBSD: ike_aggressive.c,v 1.4 2000/02/01 02:46:18 niklas Exp $ */ +/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */ + +/* + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "conf.h" +#include "constants.h" +#include "crypto.h" +#include "dh.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "ike_auth.h" +#include "ike_aggressive.h" +#include "ike_phase_1.h" +#include "ipsec.h" +#include "ipsec_doi.h" +#include "isakmp.h" +#include "log.h" +#include "math_group.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "transport.h" +#include "util.h" + +static int initiator_recv_SA_KE_NONCE_ID_AUTH (struct message *); +static int initiator_send_SA_KE_NONCE_ID (struct message *); +static int initiator_send_AUTH (struct message *); +static int responder_recv_SA_KE_NONCE_ID (struct message *); +static int responder_send_SA_KE_NONCE_ID_AUTH (struct message *); + +int (*ike_aggressive_initiator[]) (struct message *) = { + initiator_send_SA_KE_NONCE_ID, + initiator_recv_SA_KE_NONCE_ID_AUTH, + initiator_send_AUTH +}; + +int (*ike_aggressive_responder[]) (struct message *) = { + responder_recv_SA_KE_NONCE_ID, + responder_send_SA_KE_NONCE_ID_AUTH, + ike_phase_1_recv_AUTH +}; + +/* Offer a set of transforms to the responder in the MSG message. 
*/
+static int
+initiator_send_SA_KE_NONCE_ID (struct message *msg)
+{
+ if (ike_phase_1_initiator_send_SA (msg))
+ return -1;
+
+ if (ike_phase_1_initiator_send_KE_NONCE (msg))
+ return -1;
+
+ return ike_phase_1_send_ID (msg);
+}
+
+/* Figure out what transform the responder chose. */
+static int
+initiator_recv_SA_KE_NONCE_ID_AUTH (struct message *msg)
+{
+ if (ike_phase_1_initiator_recv_SA (msg))
+ return -1;
+
+ if (ike_phase_1_initiator_recv_KE_NONCE (msg))
+ return -1;
+
+ return ike_phase_1_recv_ID_AUTH (msg);
+}
+
+static int
+initiator_send_AUTH (struct message *msg)
+{
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+
+ if (ike_phase_1_send_AUTH (msg))
+ return -1;
+
+ /*
+ * RFC 2407 4.6.3 says that, among others, INITIAL-CONTACT MUST NOT
+ * be sent in Aggressive Mode. This leaves us with the choice of
+ * doing it in an informational exchange of its own with no delivery
+ * guarantee or in the first Quick Mode, or not at all.
+ * draft-jenkins-ipsec-rekeying-01.txt has some text that requires
+ * INITIAL-CONTACT in phase 1, thus contradicting what we learned
+ * above. I will bring this up in the IPsec list. For now we don't
+ * do INITIAL-CONTACT at all when using aggressive mode.
+ */
+ return 0;
+}
+
+/*
+ * Accept a set of transforms offered by the initiator and chose one we can
+ * handle. Also accept initiator's public DH value, nonce and ID.
+ */
+static int
+responder_recv_SA_KE_NONCE_ID (struct message *msg)
+{
+ if (ike_phase_1_responder_recv_SA (msg))
+ return -1;
+
+ if (ike_phase_1_recv_ID (msg))
+ return -1;
+
+ return ike_phase_1_recv_KE_NONCE (msg);
+}
+
+/*
+ * Reply with the transform we chose. Send our public DH value and a nonce
+ * to the initiator.
+ */
+static int
+responder_send_SA_KE_NONCE_ID_AUTH (struct message *msg)
+{
+ /* Add the SA payload with the transform that was chosen. */
+ if (ike_phase_1_responder_send_SA (msg))
+ return -1;
+
+ /* XXX Should we really just use the initiator's nonce size?
*/
+ if (ike_phase_1_send_KE_NONCE (msg, msg->exchange->nonce_i_len))
+ return -1;
+
+ if (ike_phase_1_post_exchange_KE_NONCE (msg))
+ return -1;
+
+ return ike_phase_1_responder_send_ID_AUTH (msg);
+ return -1;
+}
diff --git a/src/ike_aggressive.h b/src/ike_aggressive.h
new file mode 100644
index 0000000..eb5844e
--- /dev/null
+++ b/src/ike_aggressive.h
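Review bot: `responder_send_SA_KE_NONCE_ID_AUTH` sizes the responder's own nonce from `msg->exchange->nonce_i_len`, a value that comes from the initiator's message, so the peer decides how much randomness the responder contributes; the `XXX` comment already questions this. Unless `ike_phase_1_recv_KE_NONCE` (outside this hunk) enforces bounds on that length, passing a locally configured nonce size with a minimum would be the safer call. The trailing `return -1;` after `return ike_phase_1_responder_send_ID_AUTH (msg);` is unreachable and can be deleted. Only `initiator_send_AUTH` sets `EXCHANGE_FLAG_ENCRYPT`, so the first two messages, including the responder's AUTH payload, appear to go out in clear; a comment on the handler tables saying so, and that pre-shared keys used with this mode need high entropy, would help operators.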
@@ -0,0 +1,48 @@ +/* $Id: ike_aggressive.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_aggressive.h,v $ */ + +/* $OpenBSD: ike_aggressive.h,v 1.2 1999/05/02 05:54:49 niklas Exp $ */ +/* $EOM: ike_aggressive.h,v 1.1 1999/04/16 21:24:43 niklas Exp $ */ + +/* + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _IKE_AGGRESSIVE_H_ +#define _IKE_AGGRESSIVE_H_ + +struct message; + +extern int (*ike_aggressive_initiator[]) (struct message *msg); +extern int (*ike_aggressive_responder[]) (struct message *msg); + +#endif /* _IKE_AGGRESSIVE_H_ */ diff --git a/src/ike_auth.c b/src/ike_auth.c new file mode 100644 index 0000000..275305b --- /dev/null +++ b/src/ike_auth.c 
@@ -0,0 +1,916 @@ +/* $Id: ike_auth.c,v 1.5 2007/03/21 20:02:59 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_auth.c,v $ */ + +/* $OpenBSD: ike_auth.c,v 1.39 2001/04/09 12:34:37 ho Exp $ */ +/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Niels Provos. All rights reserved. + * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 2000, 2001 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "cert.h" +#include "conf.h" +#include "constants.h" +#include "exchange.h" +#include "gmp_util.h" +#include "hash.h" +#include "ike_auth.h" +#include "ipsec.h" +#include "ipsec_doi.h" +#include "libcrypto.h" +#include "log.h" +#include "message.h" +#include "prf.h" +#include "transport.h" +#include "util.h" + +#ifdef notyet +static u_int8_t *enc_gen_skeyid (struct exchange *, size_t *); +#endif +static u_int8_t *pre_shared_gen_skeyid (struct exchange *, size_t *); + +static int pre_shared_decode_hash (struct message *); +static int pre_shared_encode_hash (struct message *); + +#if defined(USE_X509) +static u_int8_t *sig_gen_skeyid (struct exchange *, size_t *); +static int rsa_sig_decode_hash (struct message *); +static int rsa_sig_encode_hash (struct message *); +#endif + +static int ike_auth_hash (struct exchange *, u_int8_t *); + +static struct ike_auth ike_auth[] = { + { + IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid, pre_shared_decode_hash, + pre_shared_encode_hash + }, +#ifdef notdef + { + IKE_AUTH_DSS, sig_gen_skeyid, pre_shared_decode_hash, + pre_shared_encode_hash + }, +#endif +#if defined(USE_X509) + { + IKE_AUTH_RSA_SIG, sig_gen_skeyid, rsa_sig_decode_hash, + rsa_sig_encode_hash + }, +#endif +#ifdef notdef + { + IKE_AUTH_RSA_ENC, 
enc_gen_skeyid, pre_shared_decode_hash, + pre_shared_encode_hash + }, + { + IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid, pre_shared_decode_hash, + pre_shared_encode_hash + }, +#endif +}; + +struct ike_auth * +ike_auth_get (u_int16_t id) +{ + int i; + + for (i = 0; i < sizeof ike_auth / sizeof ike_auth[0]; i++) + if (id == ike_auth[i].id) + return &ike_auth[i]; + return 0; +} + +/* + * Find and decode the configured key (pre-shared or public) for the + * peer denoted by ID. Stash the len in KEYLEN. + */ +static void * +ike_auth_get_key (int type, char *id, char *local_id, size_t *keylen) +{ + char *key, *buf; +#if defined(USE_X509) + char *keyfile; + BIO *keyh; + RSA *rsakey; +#endif + + switch (type) + { + case IKE_AUTH_PRE_SHARED: + /* Get the pre-shared key for our peer. */ + key = conf_get_str (id, "Authentication"); + if (!key && local_id) + key = conf_get_str (local_id, "Authentication"); + + if (!key) + { + log_print ("ike_auth_get_key: " + "no key found for peer \"%s\"or local ID \"%s\"", + id, local_id); + return 0; + } + + /* If the key starts with 0x it is in hex format. 
*/ + if (strncasecmp (key, "0x", 2) == 0) + { + *keylen = (strlen (key) - 1) / 2; + buf = malloc (*keylen); + if (!buf) + { + log_print ("ike_auth_get_key: malloc (%d) failed", *keylen); + return 0; + } + if (hex2raw (key + 2, (u_char *)buf, *keylen)) + { + free (buf); + log_print ("ike_auth_get_key: invalid hex key %s", key); + return 0; + } + key = buf; + } + else + *keylen = strlen (key); + break; + + case IKE_AUTH_RSA_SIG: +#if defined(USE_X509) + /* Otherwise, try X.509 */ + keyfile = conf_get_str ("X509-certificates", "Private-key"); + + if (check_file_secrecy (keyfile, NULL)) + return 0; + + if ((keyh = LC (BIO_new, (LC (BIO_s_file, ())))) == NULL) + { + log_print ("ike_auth_get_key: " + "BIO_new (BIO_s_file ()) failed"); + return 0; + } + if (LC (BIO_read_filename, (keyh, keyfile)) == -1) + { + log_print ("ike_auth_get_key: " + "BIO_read_filename (keyh, \"%s\") failed", + keyfile); + LC (BIO_free, (keyh)); + return 0; + } + +#if SSLEAY_VERSION_NUMBER >= 0x00904100L + rsakey = LC (PEM_read_bio_RSAPrivateKey, (keyh, NULL, NULL, NULL)); +#else + rsakey = LC (PEM_read_bio_RSAPrivateKey, (keyh, NULL, NULL)); +#endif + if (!rsakey) + { + log_print ("ike_auth_get_key: PEM_read_bio_RSAPrivateKey failed"); + LC (BIO_free, (keyh)); + return 0; + } + + LC (BIO_free, (keyh)); + return rsakey; +#endif + + default: + log_print ("ike_auth_get_key: unknown key type %d", type); + return 0; + } + + return key; +} + +static u_int8_t * +pre_shared_gen_skeyid (struct exchange *exchange, size_t *sz) +{ + struct prf *prf; + struct ipsec_exch *ie = exchange->data; + u_int8_t *skeyid; + u_int8_t *key; + u_int8_t *buf = 0; + size_t keylen; + in_addr_t addr; + + /* + * If we're the responder and have the initiator's ID (which is the + * case in Aggressive mode), try to find the preshared key in the + * section of the initiator's Phase 1 ID. This allows us to do + * mobile user support with preshared keys. 
+ */ + if (!exchange->initiator && exchange->id_i) + { + switch (exchange->id_i[0]) + { + case IPSEC_ID_IPV4_ADDR: + buf = malloc (16); + if (!buf) + { + log_error ("pre_shared_gen_skeyid: malloc (16) failed"); + return 0; + } + addr = htonl (decode_32 (exchange->id_i + ISAKMP_ID_DATA_OFF - + ISAKMP_GEN_SZ)); + inet_ntop (AF_INET, &addr, (char *)buf, 16); + break; + + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + buf = calloc (exchange->id_i_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ + 1, sizeof (char)); + if (!buf) + { + log_print ("pre_shared_gen_skeyid: malloc (%d) failed", + exchange->id_i_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ + 1); + return 0; + } + memcpy (buf, exchange->id_i + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, + exchange->id_i_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); + break; + + /* XXX Support more ID types ? */ + default: + break; + } + } + + /* Get the pre-shared key for our peer. */ + key = ike_auth_get_key (IKE_AUTH_PRE_SHARED, exchange->name, (char *)buf, + &keylen); + if (buf) + free (buf); + + /* Fail if no key could be found */ + if (key == NULL) + return 0; + + /* Store the secret key for later policy processing. 
*/ + exchange->recv_cert = malloc (keylen); + if (!exchange->recv_cert) + { + log_error ("pre_shared_gen_skeyid: malloc (%d) failed", keylen); + return 0; + } + memcpy (exchange->recv_cert, key, keylen); + exchange->recv_certlen = keylen; + exchange->recv_certtype = ISAKMP_CERTENC_NONE; + + prf = prf_alloc (ie->prf_type, ie->hash->type, (char *)key, keylen); + if (!prf) + return 0; + + *sz = prf->blocksize; + skeyid = malloc (*sz); + if (!skeyid) + { + log_error ("pre_shared_gen_skeyid: malloc (%d) failed", *sz); + prf_free (prf); + return 0; + } + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); + prf->Update (prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); + prf->Final (skeyid, prf->prfctx); + prf_free (prf); + + return skeyid; +} + +#if defined(USE_X509) +/* Both DSS & RSA signature authentication use this algorithm. */ +static u_int8_t * +sig_gen_skeyid (struct exchange *exchange, size_t *sz) +{ + struct prf *prf; + struct ipsec_exch *ie = exchange->data; + u_int8_t *skeyid, *key; + + key = malloc (exchange->nonce_i_len + exchange->nonce_r_len); + if (!key) + return 0; + memcpy (key, exchange->nonce_i, exchange->nonce_i_len); + memcpy (key + exchange->nonce_i_len, exchange->nonce_r, + exchange->nonce_r_len); + prf = prf_alloc (ie->prf_type, ie->hash->type, (char *)key, + exchange->nonce_i_len + exchange->nonce_r_len); + free (key); + if (!prf) + return 0; + + *sz = prf->blocksize; + skeyid = malloc (*sz); + if (!skeyid) + { + log_error ("sig_gen_skeyid: malloc (%d) failed", *sz); + prf_free (prf); + return 0; + } + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len); + prf->Final (skeyid, prf->prfctx); + prf_free (prf); + + return skeyid; +} +#endif /* USE_X509 */ + +#ifdef notdef +/* + * Both standard and revised RSA encryption authentication use this SKEYID + * computation. 
+ */ +static u_int8_t * +enc_gen_skeyid (struct exchange *exchange, size_t *sz) +{ + struct prf *prf; + struct ipsec_exch *ie = exchange->data; + struct hash *hash = ie->hash; + u_int8_t *skeyid; + + hash->Init (hash->ctx); + hash->Update (hash->ctx, exchange->nonce_i, exchange->nonce_i_len); + hash->Update (hash->ctx, exchange->nonce_r, exchange->nonce_r_len); + hash->Final (hash->digest, hash->ctx); + prf = prf_alloc (ie->prf_type, hash->type, hash->digest, *sz); + if (!prf) + return 0; + + *sz = prf->blocksize; + skeyid = malloc (*sz); + if (!skeyid) + { + log_error ("enc_gen_skeyid: malloc (%d) failed", *sz); + prf_free (prf); + return 0; + } + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); + prf->Final (skeyid, prf->prfctx); + prf_free (prf); + + return skeyid; +} +#endif /* notdef */ + +static int +pre_shared_decode_hash (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct payload *payload; + size_t hashsize = ie->hash->hashsize; + char header[80]; + int initiator = exchange->initiator; + u_int8_t **hash_p; + + /* Choose the right fields to fill-in. */ + hash_p = initiator ? &ie->hash_r : &ie->hash_i; + + payload = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]); + if (!payload) + { + log_print ("pre_shared_decode_hash: no HASH payload found"); + return -1; + } + + /* Check that the hash is of the correct size. */ + if (GET_ISAKMP_GEN_LENGTH (payload->p) - ISAKMP_GEN_SZ != hashsize) + return -1; + + /* XXX Need this hash be in the SA? */ + *hash_p = malloc (hashsize); + if (!*hash_p) + { + log_error ("pre_shared_decode_hash: malloc (%d) failed", hashsize); + return -1; + } + + memcpy (*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize); + snprintf (header, 80, "pre_shared_decode_hash: HASH_%c", + initiator ? 
'R' : 'I'); + LOG_DBG_BUF ((LOG_MISC, 80, header, *hash_p, hashsize)); + + payload->flags |= PL_MARK; + + return 0; +} + +#if defined(USE_X509) +/* Decrypt the HASH in SIG, we already need a parsed ID payload. */ +static int +rsa_sig_decode_hash (struct message *msg) +{ + struct cert_handler *handler; + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct payload *p; + void *cert; + u_int8_t *rawcert = NULL; + u_int32_t rawcertlen; + RSA *key; + size_t hashsize = ie->hash->hashsize; + char header[80]; + int len; + int initiator = exchange->initiator; + u_int8_t **hash_p, **id_cert, *id; + u_int32_t *id_cert_len; + size_t id_len; + int found = 0, n, i, id_found; + + /* Choose the right fields to fill-in. */ + hash_p = initiator ? &ie->hash_r : &ie->hash_i; + id = initiator ? exchange->id_r : exchange->id_i; + id_len = initiator ? exchange->id_r_len : exchange->id_i_len; + + if (!id || id_len == 0) + { + log_print ("rsa_sig_decode_hash: ID is missing"); + return -1; + } + + /* + * XXX Assume we should use the same kind of certification as the remote... + * moreover, just use the first CERT payload to decide what to use. + */ + p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_CERT]); + if (!p) + handler = cert_get (ISAKMP_CERTENC_KEYNOTE); + else + handler = cert_get (GET_ISAKMP_CERT_ENCODING (p->p)); + if (!handler) + { + log_print ("rsa_sig_decode_hash: " + "cert_get (%d) failed", p != NULL + ? 
GET_ISAKMP_CERT_ENCODING (p->p) : -1); + return -1; + } + + /* Obtain a certificate from our certificate storage */ + if (handler->cert_obtain (id, id_len, 0, &rawcert, &rawcertlen)) + { + if (handler->id == ISAKMP_CERTENC_X509_SIG) + { + cert = handler->cert_get (rawcert, rawcertlen); + if (!cert) + LOG_DBG ((LOG_CRYPTO, 50, + "rsa_sig_decode_hash: certificate malformed")); + else + { + if (!handler->cert_get_key (cert, &key)) + { + log_print ("rsa_sig_decode_hash: " + "decoding certificate failed"); + handler->cert_free (cert); + } + else + { + found++; + LOG_DBG ((LOG_CRYPTO, 40, + "rsa_sig_decode_hash: using cert of type %d", + handler->id)); + exchange->recv_cert = cert; + exchange->recv_certtype = handler->id; + } + } + } + else if (handler->id == ISAKMP_CERTENC_KEYNOTE) + handler->cert_insert (exchange->policy_id, rawcert); + free (rawcert); + } + + /* + * Walk over potential CERT payloads in this message. + * XXX I believe this is the wrong spot for this. CERTs can appear + * anytime. + */ + for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_CERT]); p; + p = TAILQ_NEXT (p, link)) + { + p->flags |= PL_MARK; + + /* When we have found a key, just walk over the rest, marking them. 
*/ + if (found) + continue; + + handler = cert_get (GET_ISAKMP_CERT_ENCODING (p->p)); + if (!handler) + { + LOG_DBG ((LOG_MISC, 30, + "rsa_sig_decode_hash: no handler for %s CERT encoding", + constant_lookup (isakmp_certenc_cst, + GET_ISAKMP_CERT_ENCODING (p->p)))); + continue; + } + + cert = handler->cert_get (p->p + ISAKMP_CERT_DATA_OFF, + GET_ISAKMP_GEN_LENGTH (p->p) + - ISAKMP_CERT_DATA_OFF); + if (!cert) + { + log_print ("rsa_sig_decode_hash: can not get data from CERT"); + continue; + } + + if (!handler->cert_validate (cert)) + { + handler->cert_free (cert); + log_print ("rsa_sig_decode_hash: received CERT can't be validated"); + continue; + } + + if (GET_ISAKMP_CERT_ENCODING (p->p) == ISAKMP_CERTENC_X509_SIG) + { + if (!handler->cert_get_subjects (cert, &n, &id_cert, &id_cert_len)) + { + handler->cert_free (cert); + log_print ("rsa_sig_decode_hash: can not get subject from CERT"); + continue; + } + + id_found = 0; + for (i = 0; i < n; i++) + if (id_cert_len[i] == id_len + && memcmp (id, id_cert[i], id_len) == 0) + { + id_found++; + break; + } + if (!id_found) + { + handler->cert_free (cert); + log_print ("rsa_sig_decode_hash: no CERT subject match the ID"); + free (id_cert); + continue; + } + + cert_free_subjects (n, id_cert, id_cert_len); + } + + if (!handler->cert_get_key (cert, &key)) + { + handler->cert_free (cert); + log_print ("rsa_sig_decode_hash: decoding payload CERT failed"); + continue; + } + + /* We validated the cert, cache it for later use. */ + handler->cert_insert (exchange->policy_id, cert); + + exchange->recv_cert = cert; + exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING (p->p); + + found++; + } + + /* If we still have not found a key, try the config file. 
*/ + if (!found) + { +#ifdef notyet + rawkey = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name, &keylen); + if (!rawkey) + { + log_print ("rsa_sig_decode_hash: no public key found"); + return -1; + } +#else + log_print ("rsa_sig_decode_hash: no public key found"); + return -1; +#endif + } + + p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SIG]); + if (!p) + { + log_print ("rsa_sig_decode_hash: missing signature payload"); + LC (RSA_free, (key)); + return -1; + } + + /* Check that the sig is of the correct size. */ + len = GET_ISAKMP_GEN_LENGTH (p->p) - ISAKMP_SIG_SZ; + if (len != LC (RSA_size, (key))) + { + LC (RSA_free, (key)); + log_print ("rsa_sig_decode_hash: " + "SIG payload length does not match public key"); + return -1; + } + + *hash_p = malloc (len); + if (!*hash_p) + { + LC (RSA_free, (key)); + log_error ("rsa_sig_decode_hash: malloc (%d) failed", len); + return -1; + } + + len = LC (RSA_public_decrypt, (len, p->p + ISAKMP_SIG_DATA_OFF, *hash_p, key, + RSA_PKCS1_PADDING)); + if (len == -1) + { + LC (RSA_free, (key)); + log_print ("rsa_sig_decode_hash: RSA_public_decrypt () failed"); + return -1; + } + + LC (RSA_free, (key)); + + if (len != hashsize) + { + free (*hash_p); + *hash_p = 0; + log_print ("rsa_sig_decode_hash: len %d != hashsize %d", len, hashsize); + return -1; + } + + snprintf (header, 80, "rsa_sig_decode_hash: HASH_%c", initiator ? 
'R' : 'I'); + LOG_DBG_BUF ((LOG_MISC, 80, header, *hash_p, hashsize)); + + p->flags |= PL_MARK; + + return 0; +} +#endif /* USE_X509 */ + +static int +pre_shared_encode_hash (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + size_t hashsize = ie->hash->hashsize; + char header[80]; + int initiator = exchange->initiator; + u_int8_t *buf; + + buf = ipsec_add_hash_payload (msg, hashsize); + if (!buf) + return -1; + + if (ike_auth_hash (exchange, buf + ISAKMP_HASH_DATA_OFF) == -1) + return -1; + + snprintf (header, 80, "pre_shared_encode_hash: HASH_%c", + initiator ? 'I' : 'R'); + LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, hashsize)); + return 0; +} + +#if defined(USE_X509) +/* Encrypt the HASH into a SIG type. */ +static int +rsa_sig_encode_hash (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + size_t hashsize = ie->hash->hashsize; + struct cert_handler *handler; + RSA *key; + char header[80]; + int initiator = exchange->initiator; + u_int8_t *buf, *data, *buf2; + u_int32_t datalen; + u_int8_t *id; + size_t id_len; + int idtype; + in_addr_t addr; + + id = initiator ? exchange->id_i : exchange->id_r; + id_len = initiator ? exchange->id_i_len : exchange->id_r_len; + + /* XXX This needs to be configureable. */ + idtype = ISAKMP_CERTENC_KEYNOTE; + + doitagain: + handler = cert_get (idtype); + if (!handler) + { + if (idtype == ISAKMP_CERTENC_KEYNOTE) + { + idtype = ISAKMP_CERTENC_X509_SIG; + goto doitagain; + } + + log_print ("rsa_sig_encode_hash: " + "cert_get(%d) failed", idtype); + return -1; + } + + /* Find a certificate with subjectAltName = id. 
*/ + if (handler->cert_obtain (id, id_len, 0, &data, &datalen)) + { + buf = realloc (data, ISAKMP_CERT_SZ + datalen); + if (!buf) + { + log_error ("rsa_sig_encode_hash: realloc (%p, %d) failed", data, + ISAKMP_CERT_SZ + datalen); + free (data); + return -1; + } + memmove (buf + ISAKMP_CERT_SZ, buf, datalen); + SET_ISAKMP_CERT_ENCODING (buf, idtype); + if (message_add_payload (msg, ISAKMP_PAYLOAD_CERT, buf, + ISAKMP_CERT_SZ + datalen, 1)) + { + free (buf); + return -1; + } + } + else + { + if (handler->id == ISAKMP_CERTENC_KEYNOTE) + { + idtype = ISAKMP_CERTENC_X509_SIG; + goto doitagain; + } + else + LOG_DBG ((LOG_MISC, 10, + "rsa_sig_encode_hash: no certificate to send")); + } + + switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) + { + case IPSEC_ID_IPV4_ADDR: + buf2 = malloc (16); + if (!buf2) + { + log_error ("rsa_sig_encode_hash: malloc (16) failed"); + return 0; + } + addr = htonl (decode_32 (id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ)); + inet_ntop (AF_INET, &addr, (char *)buf2, 16); + break; + + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + buf2 = calloc (id_len - ISAKMP_ID_DATA_OFF + + ISAKMP_GEN_SZ + 1, sizeof (char)); + if (!buf2) + { + log_print ("rsa_sig_encode_hash: malloc (%d) failed", + id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); + return 0; + } + memcpy (buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, + id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); + break; + + /* XXX Support more ID types ? */ + default: + buf2 = NULL; + break; + } + + key = ike_auth_get_key (IKE_AUTH_RSA_SIG, exchange->name, (char *)buf2, NULL); + free (buf2); + if (key == NULL) + { + log_print ("rsa_sig_encode_hash: could not get private key"); + return -1; + } + + /* XXX hashsize is not necessarily prf->blocksize. 
*/ + buf = malloc (hashsize); + if (!buf) + { + log_error ("rsa_sig_encode_hash: malloc (%d) failed", hashsize); + LC (RSA_free, (key)); + return -1; + } + + if (ike_auth_hash (exchange, buf) == -1) + { + free (buf); + LC (RSA_free, (key)); + return -1; + } + + snprintf (header, 80, "rsa_sig_encode_hash: HASH_%c", initiator ? 'I' : 'R'); + LOG_DBG_BUF ((LOG_MISC, 80, header, buf, hashsize)); + + data = malloc (LC (RSA_size, (key))); + if (!data) + { + log_error ("rsa_sig_encode_hash: malloc (%d) failed", + LC (RSA_size, (key))); + LC (RSA_free, (key)); + return -1; + } + + datalen + = LC (RSA_private_encrypt, (hashsize, buf, data, key, RSA_PKCS1_PADDING)); + if (datalen == -1) + { + log_error ("rsa_sig_encode_hash: RSA_private_encrypt () failed"); + free (buf); + LC (RSA_free, (key)); + return -1; + } + + LC (RSA_free, (key)); + free (buf); + + buf = realloc (data, ISAKMP_SIG_SZ + datalen); + if (!buf) + { + log_error ("rsa_sig_encode_hash: realloc (%p, %d) failed", data, + ISAKMP_SIG_SZ + datalen); + free (data); + return -1; + } + memmove (buf + ISAKMP_SIG_SZ, buf, datalen); + + snprintf (header, 80, "rsa_sig_encode_hash: SIG_%c", initiator ? 'I' : 'R'); + LOG_DBG_BUF ((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF, datalen)); + if (message_add_payload (msg, ISAKMP_PAYLOAD_SIG, buf, + ISAKMP_SIG_SZ + datalen, 1)) + { + free (buf); + return -1; + } + return 0; +} +#endif /* USE_X509 */ + +int +ike_auth_hash (struct exchange *exchange, u_int8_t *buf) +{ + struct ipsec_exch *ie = exchange->data; + struct prf *prf; + struct hash *hash = ie->hash; + int initiator = exchange->initiator; + u_int8_t *id; + size_t id_len; + + /* Choose the right fields to fill-in. */ + id = initiator ? exchange->id_i : exchange->id_r; + id_len = initiator ? exchange->id_i_len : exchange->id_r_len; + + /* Allocate the prf and start calculating our HASH. 
*/ + prf = prf_alloc (ie->prf_type, hash->type, (char *)ie->skeyid, ie->skeyid_len); + if (!prf) + return -1; + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len); + prf->Update (prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len); + prf->Update (prf->prfctx, + exchange->cookies + + (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF), + ISAKMP_HDR_ICOOKIE_LEN); + prf->Update (prf->prfctx, + exchange->cookies + + (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF), + ISAKMP_HDR_ICOOKIE_LEN); + prf->Update (prf->prfctx, ie->sa_i_b, ie->sa_i_b_len); + prf->Update (prf->prfctx, id, id_len); + prf->Final (buf, prf->prfctx); + prf_free (prf); + + return 0; +} diff --git a/src/ike_auth.h b/src/ike_auth.h new file mode 100644 index 0000000..389f86e --- /dev/null +++ b/src/ike_auth.h 
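Review bot: The hex-decoding error path in `ike_auth_get_key` prints the configured pre-shared key itself, `log_print ("ike_auth_get_key: invalid hex key %s", key);`, so a malformed key in the configuration ends up in the log. Naming the section instead keeps the diagnostic useful without the secret: `log_print ("ike_auth_get_key: invalid hex key for peer \"%s\"", id);`. On the success side of the same branch, the decoded buffer handed back to `pre_shared_gen_skeyid` is copied into `exchange->recv_cert` and then neither freed nor cleared, so each call with a hex key leaves a copy of the key on the heap; the caller cannot tell that buffer from the `conf_get_str` pointer, so this needs an ownership flag or an always-copy convention. Separately, `rsa_sig_encode_hash` returns 0 rather than -1 when either `buf2` allocation fails, which reports success although no SIG payload was added.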
@@ -0,0 +1,56 @@
+/* $Id: ike_auth.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_auth.h,v $ */
+
+/* $OpenBSD: ike_auth.h,v 1.3 1998/11/17 11:10:12 niklas Exp $ */
+/* $EOM: ike_auth.h,v 1.5 1998/08/16 19:55:24 provos Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _IKE_AUTH_H_
+#define _IKE_AUTH_H_
+
+#include
+
+struct exchange;
+
+struct ike_auth {
+ u_int16_t id;
+ u_int8_t *(*gen_skeyid) (struct exchange *, size_t *);
+ int (*decode_hash) (struct message *);
+ int (*encode_hash) (struct message *);
+};
+
+extern struct ike_auth *ike_auth_get (u_int16_t);
+
+#endif /* _IKE_AUTH_H_ */
diff --git a/src/ike_main_mode.c b/src/ike_main_mode.c
new file mode 100644
index 0000000..c350426
--- /dev/null
+++ b/src/ike_main_mode.c
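Review bot: `struct ike_auth` names `struct message *` in its `decode_hash` and `encode_hash` members, but this header forward-declares only `struct exchange`. If no earlier include has declared `struct message`, the type is scoped to each prototype and is incompatible with the real one; ike_auth.c includes this header before message.h, though another header ahead of it may already supply the declaration. Adding `struct message;` next to `struct exchange;` makes the header self-contained.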
@@ -0,0 +1,133 @@
+/* $Id: ike_main_mode.c,v 1.2 2002/05/10 04:25:14 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_main_mode.c,v $ */
+
+/* $OpenBSD: ike_main_mode.c,v 1.11 1999/04/27 21:11:53 niklas Exp $ */
+/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+#include
+#include
+#include
+
+#include "sysdep.h"
+
+#include "attribute.h"
+#include "conf.h"
+#include "constants.h"
+#include "crypto.h"
+#include "dh.h"
+#include "doi.h"
+#include "exchange.h"
+#include "hash.h"
+#include "ike_auth.h"
+#include "ike_main_mode.h"
+#include "ike_phase_1.h"
+#include "ipsec.h"
+#include "ipsec_doi.h"
+#include "isakmp.h"
+#include "log.h"
+#include "math_group.h"
+#include "message.h"
+#include "prf.h"
+#include "sa.h"
+#include "transport.h"
+#include "util.h"
+
+static int initiator_send_ID_AUTH (struct message *);
+static int responder_send_ID_AUTH (struct message *);
+static int responder_send_KE_NONCE (struct message *);
+
+int (*ike_main_mode_initiator[]) (struct message *) = {
+ ike_phase_1_initiator_send_SA,
+ ike_phase_1_initiator_recv_SA,
+ ike_phase_1_initiator_send_KE_NONCE,
+ ike_phase_1_initiator_recv_KE_NONCE,
+ initiator_send_ID_AUTH,
+ ike_phase_1_recv_ID_AUTH
+};
+
+int (*ike_main_mode_responder[]) (struct message *) = {
+ ike_phase_1_responder_recv_SA,
+ ike_phase_1_responder_send_SA,
+ ike_phase_1_recv_KE_NONCE,
+ responder_send_KE_NONCE,
+ ike_phase_1_recv_ID_AUTH,
+ responder_send_ID_AUTH
+};
+
+static int
+initiator_send_ID_AUTH (struct message *msg)
+{
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+
+ if (ike_phase_1_send_ID (msg))
+ return -1;
+
+ if (ike_phase_1_send_AUTH (msg))
+ return -1;
+
+ return ipsec_initial_contact (msg);
+}
+
+/* Send our public DH value and a nonce to the initiator. */
+int
+responder_send_KE_NONCE (struct message *msg)
+{
+ /* XXX Should we really just use the initiator's nonce size? */
+ if (ike_phase_1_send_KE_NONCE (msg, msg->exchange->nonce_i_len))
+ return -1;
+
+ /*
+ * Calculate DH values & key material in parallel with the message going
+ * on a roundtrip over the wire.
+ */
+ message_register_post_send (msg,
+ (void (*) (struct message *))
+ ike_phase_1_post_exchange_KE_NONCE);
+
+ return 0;
+}
+
+static int
+responder_send_ID_AUTH (struct message *msg)
+{
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+
+ if (ike_phase_1_responder_send_ID_AUTH (msg))
+ return -1;
+
+ return ipsec_initial_contact (msg);
+}
diff --git a/src/ike_main_mode.h b/src/ike_main_mode.h
new file mode 100644
index 0000000..510d56a
--- /dev/null
+++ b/src/ike_main_mode.h
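Review bot: In `responder_send_KE_NONCE` the post-send hook is registered through a cast, `(void (*) (struct message *)) ike_phase_1_post_exchange_KE_NONCE`, which suggests the callee's real signature differs from what the registry expects (presumably it returns `int`; its declaration is outside this hunk). Calling a function through an incompatible pointer type is undefined behaviour in C, and any failure the callee reports while computing the DH values and key material is silently dropped. A small `static void` adapter that calls it and logs a non-zero result removes the cast and makes the failure visible. The definition of `responder_send_KE_NONCE` also omits the `static` that its prototype carries; repeating it keeps the two in step.

```c
/* Adapter so the post-send hook has exactly the type the registry expects. */
static void
post_exchange_KE_NONCE (struct message *msg)
{
  if (ike_phase_1_post_exchange_KE_NONCE (msg))
    log_print ("responder_send_KE_NONCE: post-exchange key computation failed");
}

/* ... unchanged: ike_phase_1_send_KE_NONCE call in responder_send_KE_NONCE ... */
  message_register_post_send (msg, post_exchange_KE_NONCE);
```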
@@ -0,0 +1,48 @@
+/* $Id: ike_main_mode.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_main_mode.h,v $ */
+
+/* $OpenBSD: ike_main_mode.h,v 1.3 1998/11/17 11:10:12 niklas Exp $ */
+/* $EOM: ike_main_mode.h,v 1.1 1998/07/25 11:22:07 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _IKE_MAIN_MODE_H_
+#define _IKE_MAIN_MODE_H_
+
+struct message;
+
+extern int (*ike_main_mode_initiator[]) (struct message *msg);
+extern int (*ike_main_mode_responder[]) (struct message *msg);
+
+#endif /* _IKE_MAIN_MODE_H_ */
diff --git a/src/ike_phase_1.c b/src/ike_phase_1.c
new file mode 100644
index 0000000..b4804e5
--- /dev/null
+++ b/src/ike_phase_1.c
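Review bot: The two dispatch tables declared at the end of this header, `ike_main_mode_initiator` and `ike_main_mode_responder`, are exported as writable arrays of function pointers, so they stay in writable data for the life of the daemon although nothing in this hunk suggests they are changed after initialisation. Declaring them `extern int (*const ike_main_mode_initiator[]) (struct message *msg);` (and likewise for the responder table) would let the linker place them in read-only memory; the definitions in src/ike_main_mode.c need the same `const`, and any pointer the exchange code uses to walk these scripts (not visible here) would presumably need a matching qualifier. Separately, the guard macro `_IKE_MAIN_MODE_H_` begins with an underscore followed by a capital letter, which C reserves for the implementation; `IKE_MAIN_MODE_H` avoids that.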
@@ -0,0 +1,1344 @@ +/* $Id: ike_phase_1.c,v 1.3.4.1 2011/10/18 03:26:55 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_phase_1.c,v $ */ + +/* $OpenBSD: ike_phase_1.c,v 1.23 2001/03/13 14:05:18 ho Exp $ */ +/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "conf.h" +#include "constants.h" +#include "crypto.h" +#include "dh.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "ike_auth.h" +#include "ike_phase_1.h" +#include "ipsec.h" +#include "ipsec_doi.h" +#include "isakmp.h" +#include "log.h" +#include "math_group.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "transport.h" +#include "util.h" + +static int attribute_unacceptable (u_int16_t, u_int8_t *, u_int16_t, void *); +static int ike_phase_1_validate_prop (struct exchange *, struct sa *, + struct sa *); + +/* Offer a set of transforms to the responder in the MSG message. */ +int +ike_phase_1_initiator_send_SA (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + u_int8_t *proposal = 0, *sa_buf = 0, *saved_nextp, *attr; + u_int8_t **transform = 0; + size_t transforms_len = 0, proposal_len, sa_len; + size_t *transform_len = 0; + struct conf_list *conf, *life_conf; + struct conf_list_node *xf, *life; + int i, value, update_nextp; + struct payload *p; + struct proto *proto; + int group_desc = -1, new_group_desc; + + /* Get the list of transforms. */ + conf = conf_get_list (exchange->policy, "Transforms"); + if (!conf) + return -1; + + transform = calloc (conf->cnt, sizeof *transform); + if (!transform) + { + log_error ("ike_phase_1_initiator_send_SA: calloc (%d, %d) failed", + conf->cnt, sizeof *transform); + goto bail_out; + } + + transform_len = calloc (conf->cnt, sizeof *transform_len); + if (!transform_len) + { + log_error ("ike_phase_1_initiator_send_SA: calloc (%d, %d) failed", + conf->cnt, sizeof *transform_len); + goto bail_out; + } + + for (xf = TAILQ_FIRST (&conf->fields), i = 0; i < conf->cnt; + i++, xf = TAILQ_NEXT (xf, link)) + { + /* XXX The sizing needs to be dynamic. 
*/ + transform[i] + = malloc (ISAKMP_TRANSFORM_SA_ATTRS_OFF + 16 * ISAKMP_ATTR_VALUE_OFF); + if (!transform[i]) + { + log_error ("ike_phase_1_initiator_send_SA: malloc (%d) failed", + ISAKMP_TRANSFORM_SA_ATTRS_OFF + + 16 * ISAKMP_ATTR_VALUE_OFF); + goto bail_out; + } + + SET_ISAKMP_TRANSFORM_NO (transform[i], i); + SET_ISAKMP_TRANSFORM_ID (transform[i], IPSEC_TRANSFORM_KEY_IKE); + SET_ISAKMP_TRANSFORM_RESERVED (transform[i], 0); + + attr = transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF; + + if (attribute_set_constant (xf->field, "ENCRYPTION_ALGORITHM", + ike_encrypt_cst, + IKE_ATTR_ENCRYPTION_ALGORITHM, &attr)) + goto bail_out; + + if (attribute_set_constant (xf->field, "HASH_ALGORITHM", ike_hash_cst, + IKE_ATTR_HASH_ALGORITHM, &attr)) + goto bail_out; + + if (attribute_set_constant (xf->field, "AUTHENTICATION_METHOD", + ike_auth_cst, IKE_ATTR_AUTHENTICATION_METHOD, + &attr)) + goto bail_out; + + if (attribute_set_constant (xf->field, "GROUP_DESCRIPTION", + ike_group_desc_cst, + IKE_ATTR_GROUP_DESCRIPTION, &attr)) + { + /* + * If no group description exists, try looking for a user-defined + * one. + */ + if (attribute_set_constant (xf->field, "GROUP_TYPE", ike_group_cst, + IKE_ATTR_GROUP_TYPE, &attr)) + goto bail_out; + +#if 0 + if (attribute_set_bignum (xf->field, "GROUP_PRIME", + IKE_ATTR_GROUP_PRIME, &attr)) + goto bail_out; + + if (attribute_set_bignum (xf->field, "GROUP_GENERATOR_2", + IKE_ATTR_GROUP_GENERATOR_2, &attr)) + goto bail_out; + + if (attribute_set_bignum (xf->field, "GROUP_GENERATOR_2", + IKE_ATTR_GROUP_GENERATOR_2, &attr)) + goto bail_out; + + if (attribute_set_bignum (xf->field, "GROUP_CURVE_A", + IKE_ATTR_GROUP_CURVE_A, &attr)) + goto bail_out; + + if (attribute_set_bignum (xf->field, "GROUP_CURVE_B", + IKE_ATTR_GROUP_CURVE_B, &attr)) + goto bail_out; +#endif + } + + /* + * Life durations are special, we should be able to specify + * several, one per type. 
+ */ + life_conf = conf_get_list (xf->field, "Life"); + if (life_conf) + { + for (life = TAILQ_FIRST (&life_conf->fields); life; + life = TAILQ_NEXT (life, link)) + { + attribute_set_constant (life->field, "LIFE_TYPE", + ike_duration_cst, IKE_ATTR_LIFE_TYPE, + &attr); + + /* XXX Deals with 16 and 32 bit lifetimes only */ + value = conf_get_num (life->field, "LIFE_DURATION", 0); + if (value) + { + if (value <= 0xffff) + attr = attribute_set_basic (attr, IKE_ATTR_LIFE_DURATION, + value); + else + { + value = htonl (value); + attr = attribute_set_var (attr, IKE_ATTR_LIFE_DURATION, + (u_int8_t *)&value, sizeof value); + } + } + } + conf_free_list (life_conf); + } + + attribute_set_constant (xf->field, "PRF", ike_prf_cst, IKE_ATTR_PRF, + &attr); + + value = conf_get_num (xf->field, "KEY_LENGTH", 0); + if (value) + attr = attribute_set_basic (attr, IKE_ATTR_KEY_LENGTH, value); + + value = conf_get_num (xf->field, "FIELD_SIZE", 0); + if (value) + attr = attribute_set_basic (attr, IKE_ATTR_FIELD_SIZE, value); + + value = conf_get_num (xf->field, "GROUP_ORDER", 0); + if (value) + attr = attribute_set_basic (attr, IKE_ATTR_GROUP_ORDER, value); + + /* Record the real transform size. */ + transforms_len += transform_len[i] = attr - transform[i]; + + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) + { + /* + * Make sure that if a group description is specified, it is + * specified for all transforms equally. + */ + attr = (u_int8_t *)conf_get_str (xf->field, "GROUP_DESCRIPTION"); + new_group_desc + = attr ? constant_value (ike_group_desc_cst, (char *)attr) : 0; + if (group_desc == -1) + group_desc = new_group_desc; + else if (group_desc != new_group_desc) + { + log_print ("ike_phase_1_inititor_send_SA: " + "differing group descriptions in a proposal"); + goto bail_out; + } + } + + /* We need to check that we actually support our configuration. 
*/ + if (attribute_map (transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + transform_len[i] - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + exchange->doi->is_attribute_incompatible, msg)) + { + log_print ("ike_phase_1_initiator_send_SA: " + "section [%s] has unsupported attribute(s)", + xf->field); + goto bail_out; + } + } + + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) + ie->group = group_get (group_desc); + + proposal_len = ISAKMP_PROP_SPI_OFF; + proposal = malloc (proposal_len); + if (!proposal) + { + log_error ("ike_phase_1_initiator_send_SA: malloc (%d) failed", + proposal_len); + goto bail_out; + } + + SET_ISAKMP_PROP_NO (proposal, 1); + SET_ISAKMP_PROP_PROTO (proposal, ISAKMP_PROTO_ISAKMP); + SET_ISAKMP_PROP_SPI_SZ (proposal, 0); + SET_ISAKMP_PROP_NTRANSFORMS (proposal, conf->cnt); + + /* XXX I would like to see this factored out. */ + proto = calloc (1, sizeof *proto); + if (!proto) + { + log_error ("ike_phase_1_initiator_send_SA: calloc (1, %d) failed", + sizeof *proto); + goto bail_out; + } + + proto->no = 1; + proto->proto = ISAKMP_PROTO_ISAKMP; + proto->sa = TAILQ_FIRST (&exchange->sa_list); + TAILQ_INSERT_TAIL (&TAILQ_FIRST (&exchange->sa_list)->protos, proto, + link); + + sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN; + sa_buf = malloc (sa_len); + if (!sa_buf) + { + log_error ("ike_phase_1_initiator_send_SA: malloc (%d) failed", sa_len); + goto bail_out; + } + + /* Set the appropriate DOI and it's situation */ + SET_ISAKMP_SA_DOI (sa_buf, msg->isakmp_sa->doi->id); + if (msg->isakmp_sa->doi->setup_situation) + { + msg->isakmp_sa->doi->setup_situation (sa_buf); + } + + /* + * Add the payloads. As this is a SA, we need to recompute the + * lengths of the payloads containing others. 
+ */ + if (message_add_payload (msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) + goto bail_out; + SET_ISAKMP_GEN_LENGTH (sa_buf, + sa_len + proposal_len + transforms_len); + sa_buf = 0; + + saved_nextp = msg->nextp; + if (message_add_payload (msg, ISAKMP_PAYLOAD_PROPOSAL, proposal, + proposal_len, 0)) + goto bail_out; + SET_ISAKMP_GEN_LENGTH (proposal, proposal_len + transforms_len); + proposal = 0; + + update_nextp = 0; + for (i = 0; i < conf->cnt; i++) + { + if (message_add_payload (msg, ISAKMP_PAYLOAD_TRANSFORM, transform[i], + transform_len[i], update_nextp)) + goto bail_out; + update_nextp = 1; + transform[i] = 0; + } + msg->nextp = saved_nextp; + + /* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. */ + ie->sa_i_b_len = sa_len + proposal_len + transforms_len - ISAKMP_GEN_SZ; + ie->sa_i_b = malloc (ie->sa_i_b_len); + if (!ie->sa_i_b) + { + log_error ("ike_phase_1_initiator_send_SA: malloc (%d) failed", + ie->sa_i_b_len); + goto bail_out; + } + memcpy (ie->sa_i_b, + TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA])->p + ISAKMP_GEN_SZ, + sa_len - ISAKMP_GEN_SZ); + memcpy (ie->sa_i_b + sa_len - ISAKMP_GEN_SZ, + TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_PROPOSAL])->p, + proposal_len); + transforms_len = 0; + for (i = 0, p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); + i < conf->cnt; i++, p = TAILQ_NEXT (p, link)) + { + memcpy (ie->sa_i_b + sa_len + proposal_len + transforms_len + - ISAKMP_GEN_SZ, + p->p, transform_len[i]); + transforms_len += transform_len[i]; + } + + conf_free_list (conf); + free (transform); + free (transform_len); + return 0; + + bail_out: + if (sa_buf) + free (sa_buf); + if (proposal) + free (proposal); + if (transform) + { + for (i = 0; i < conf->cnt; i++) + if (transform[i]) + free (transform[i]); + free (transform); + } + if (transform_len) + free (transform_len); + conf_free_list (conf); + return -1; +} + +/* Figure out what transform the responder chose. 
*/ +int +ike_phase_1_initiator_recv_SA (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct sa *sa = TAILQ_FIRST (&exchange->sa_list); + struct ipsec_exch *ie = exchange->data; + struct ipsec_sa *isa = sa->data; + struct payload *sa_p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]); + struct payload *prop = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_PROPOSAL]); + struct payload *xf = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); + + /* + * IKE requires that only one SA with only one proposal exists and since + * we are getting an answer on our transform offer, only one transform. + */ + if (TAILQ_NEXT (sa_p, link) || TAILQ_NEXT (prop, link) + || TAILQ_NEXT (xf, link)) + { + log_print ("ike_phase_1_initiator_recv_SA: " + "multiple SA, proposal or transform payloads in phase 1"); + /* XXX Is there a better notification type? */ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Check that the chosen transform matches an offer. */ + if (message_negotiate_sa (msg, ike_phase_1_validate_prop) + || !TAILQ_FIRST (&sa->protos)) + return -1; + + ipsec_decode_transform (msg, sa, TAILQ_FIRST (&sa->protos), xf->p); + + /* XXX I don't like exchange-specific stuff in here. */ + if (exchange->type != ISAKMP_EXCH_AGGRESSIVE) + ie->group = group_get (isa->group_desc); + + /* Mark the SA as handled. */ + sa_p->flags |= PL_MARK; + + return 0; +} + +/* Send our public DH value and a nonce to the responder. */ +int +ike_phase_1_initiator_send_KE_NONCE (struct message *msg) +{ + struct ipsec_exch *ie = msg->exchange->data; + + ie->g_x_len = dh_getlen (ie->group); + + /* XXX I want a better way to specify the nonce's size. */ + return ike_phase_1_send_KE_NONCE (msg, 16); +} + +/* Accept responder's public DH value and nonce. 
*/ +int +ike_phase_1_initiator_recv_KE_NONCE (struct message *msg) +{ + if (ike_phase_1_recv_KE_NONCE (msg)) + return -1; + + return ike_phase_1_post_exchange_KE_NONCE (msg); +} + +/* + * Accept a set of transforms offered by the initiator and chose one we can + * handle. + */ +int +ike_phase_1_responder_recv_SA (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct sa *sa = TAILQ_FIRST (&exchange->sa_list); + struct ipsec_sa *isa = sa->data; + struct payload *sa_p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]); + struct payload *prop = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_PROPOSAL]); + struct ipsec_exch *ie = exchange->data; + + /* Mark the SA as handled. */ + sa_p->flags |= PL_MARK; + + /* IKE requires that only one SA with only one proposal exists. */ + if (TAILQ_NEXT (sa_p, link) || TAILQ_NEXT (prop, link)) + { + log_print ("ike_phase_1_responder_recv_SA: " + "multiple SA or proposal payloads in phase 1"); + /* XXX Is there a better notification type? */ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Chose a transform from the SA. */ + if (message_negotiate_sa (msg, ike_phase_1_validate_prop) + || !TAILQ_FIRST (&sa->protos)) + return -1; + + /* XXX Move into message_negotiate_sa? */ + ipsec_decode_transform (msg, sa, TAILQ_FIRST (&sa->protos), + TAILQ_FIRST (&sa->protos)->chosen->p); + + ie->group = group_get (isa->group_desc); + + /* + * Check that the mandatory attributes: encryption, hash, authentication + * method and Diffie-Hellman group description, has been supplied. + */ + if (!exchange->crypto || !ie->hash || !ie->ike_auth || !ie->group) + { + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Save the body for later hash computation. */ + ie->sa_i_b_len = GET_ISAKMP_GEN_LENGTH (sa_p->p) - ISAKMP_GEN_SZ; + ie->sa_i_b = malloc (ie->sa_i_b_len); + if (!ie->sa_i_b) + { + /* XXX How to notify peer? 
*/ + log_error ("ike_phase_1_responder_recv_SA: malloc (%d) failed", + ie->sa_i_b_len); + return -1; + } + memcpy (ie->sa_i_b, sa_p->p + ISAKMP_GEN_SZ, ie->sa_i_b_len); + + return 0; +} + +/* Reply with the transform we chose. */ +int +ike_phase_1_responder_send_SA (struct message *msg) +{ + /* Add the SA payload with the transform that was chosen. */ + return message_add_sa_payload (msg); +} + +/* Send our public DH value and a nonce to the peer. */ +int +ike_phase_1_send_KE_NONCE (struct message *msg, size_t nonce_sz) +{ + /* Public DH key. */ + if (ipsec_gen_g_x (msg)) + { + /* XXX How to log and notify peer? */ + return -1; + } + + /* Generate a nonce, and add it to the message. */ + if (exchange_gen_nonce (msg, nonce_sz)) + { + /* XXX Log? */ + return -1; + } + + /* Try to add certificates which are acceptable for the CERTREQs */ + if (exchange_add_certs (msg)) + { + /* XXX Log? */ + return -1; + } + + return 0; +} + +/* Receive our peer's public DH value and nonce. */ +int +ike_phase_1_recv_KE_NONCE (struct message *msg) +{ + /* Copy out the initiator's DH public value. */ + if (ipsec_save_g_x (msg)) + { + /* XXX How to log and notify peer? */ + return -1; + } + + /* Copy out the initiator's nonce. */ + if (exchange_save_nonce (msg)) + { + /* XXX How to log and notify peer? */ + return -1; + } + + /* Copy out the initiator's cert requests. */ + if (exchange_save_certreq (msg)) + { + /* XXX How to log and notify peer? */ + return -1; + } + + return 0; +} + +/* + * Compute DH values and key material. This is done in a post-send function + * as that means we can do parallel work in both the initiator and responder + * thus speeding up exchanges. + */ +int +ike_phase_1_post_exchange_KE_NONCE (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct prf *prf; + struct hash *hash = ie->hash; + enum cryptoerr err; + + /* Compute Diffie-Hellman shared value. 
*/ + ie->g_xy = malloc (ie->g_x_len); + if (!ie->g_xy) + { + /* XXX How to notify peer? */ + log_error ("ike_phase_1_post_exchange_KE_NONCE: malloc (%d) failed", + ie->g_x_len); + return -1; + } + if (dh_create_shared (ie->group, ie->g_xy, + exchange->initiator ? ie->g_xr : ie->g_xi)) + { + log_print ("ike_phase_1_post_exchange_KE_NONCE: " + "dh_create_shared failed"); + return -1; + } + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: g^xy", ie->g_xy, + ie->g_x_len)); + + /* Compute the SKEYID depending on the authentication method. */ + ie->skeyid = ie->ike_auth->gen_skeyid (exchange, &ie->skeyid_len); + if (!ie->skeyid) + { + /* XXX Log and teardown? */ + return -1; + } + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID", ie->skeyid, + ie->skeyid_len)); + + /* SKEYID_d. */ + ie->skeyid_d = malloc (ie->skeyid_len); + if (!ie->skeyid_d) + { + /* XXX How to notify peer? */ + log_error ("ike_phase_1_post_exchange_KE_NONCE: malloc (%d) failed", + ie->skeyid_len); + return -1; + } + prf = prf_alloc (ie->prf_type, hash->type, (char *)ie->skeyid, ie->skeyid_len); + if (!prf) + { + /* XXX Log and teardown? */ + return -1; + } + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len); + prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); + prf->Update (prf->prfctx, (unsigned char *)"\0", 1); + prf->Final (ie->skeyid_d, prf->prfctx); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", ie->skeyid_d, + ie->skeyid_len)); + + /* SKEYID_a. 
*/ + ie->skeyid_a = malloc (ie->skeyid_len); + if (!ie->skeyid_a) + { + log_error ("ike_phase_1_post_exchange_KE_NONCE: malloc (%d) failed", + ie->skeyid_len); + prf_free (prf); + return -1; + } + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, ie->skeyid_d, ie->skeyid_len); + prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len); + prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); + prf->Update (prf->prfctx, (unsigned char *)"\1", 1); + prf->Final (ie->skeyid_a, prf->prfctx); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", ie->skeyid_a, + ie->skeyid_len)); + + /* SKEYID_e. */ + ie->skeyid_e = malloc (ie->skeyid_len); + if (!ie->skeyid_e) + { + /* XXX How to notify peer? */ + log_error ("ike_phase_1_post_exchange_KE_NONCE: malloc (%d) failed", + ie->skeyid_len); + prf_free (prf); + return -1; + } + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, ie->skeyid_a, ie->skeyid_len); + prf->Update (prf->prfctx, ie->g_xy, ie->g_x_len); + prf->Update (prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); + prf->Update (prf->prfctx, (unsigned char *)"\2", 1); + prf->Final (ie->skeyid_e, prf->prfctx); + prf_free (prf); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, + "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", ie->skeyid_e, + ie->skeyid_len)); + + /* Key length determination. */ + if (!exchange->key_length) + exchange->key_length = exchange->crypto->keymax; + + /* Derive a longer key from skeyid_e */ + if (ie->skeyid_len < exchange->key_length) + { + u_int16_t len, keylen; + u_int8_t *key, *p; + + prf = prf_alloc (ie->prf_type, hash->type, (char *)ie->skeyid_e, + ie->skeyid_len); + if (!prf) + { + /* XXX - notify peer */ + return -1; + } + + /* Make keylen a multiple of prf->blocksize */ + keylen = exchange->key_length; + if (keylen % prf->blocksize) + keylen += prf->blocksize - (keylen % prf->blocksize); + + key = malloc (keylen); + if (!key) + { + /* XXX - Notify peer. 
*/ + log_error ("ike_phase_1_post_exchange_KE_NONCE: malloc (%d) failed", + keylen); + return -1; + } + + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, (unsigned char *)"\0", 1); + prf->Final (key, prf->prfctx); + + for (len = prf->blocksize, p = key; len < exchange->key_length; + len += prf->blocksize, p += prf->blocksize) + { + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, p, prf->blocksize); + prf->Final (p + prf->blocksize, prf->prfctx); + } + prf_free (prf); + + /* Setup our keystate using the derived encryption key. */ + exchange->keystate + = crypto_init (exchange->crypto, key, exchange->key_length, &err); + + free (key); + } + else + /* Setup our keystate using the raw skeyid_e. */ + exchange->keystate = crypto_init (exchange->crypto, ie->skeyid_e, + exchange->key_length, &err); + + /* Special handling for DES weak keys. */ + if (!exchange->keystate && err == EWEAKKEY + && (exchange->key_length << 1) <= ie->skeyid_len) + { + log_print ("ike_phase_1_post_exchange_KE_NONCE: " + "weak key, trying subseq. skeyid_e"); + exchange->keystate + = crypto_init (exchange->crypto, ie->skeyid_e + exchange->key_length, + exchange->key_length, &err); + } + + if (!exchange->keystate) + { + log_print ("ike_phase_1_post_exchange_KE_NONCE: " + "exchange->crypto->init () failed: %d", err); + + /* + * XXX We really need to know if problems are of transient nature + * or fatal (like failed assertions etc.) + */ + return -1; + } + + /* Setup IV. XXX Only for CBC transforms, no? 
*/ + hash->Init (hash->ctx); + hash->Update (hash->ctx, ie->g_xi, ie->g_x_len); + hash->Update (hash->ctx, ie->g_xr, ie->g_x_len); + hash->Final ((unsigned char *)hash->digest, hash->ctx); + crypto_init_iv (exchange->keystate, (u_int8_t *)hash->digest, + exchange->crypto->blocksize); + + return 0; +} + +int +ike_phase_1_responder_send_ID_AUTH (struct message *msg) +{ + if (ike_phase_1_send_ID (msg)) + return -1; + + return ike_phase_1_send_AUTH (msg); +} + +int +ike_phase_1_send_ID (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + u_int8_t *buf; + char header[80]; + ssize_t sz; + struct sockaddr *src; + int src_len; + int initiator = exchange->initiator; + u_int8_t **id; + size_t *id_len; + char *my_id = 0; + u_int8_t id_type; + + /* Choose the right fields to fill-in. */ + id = initiator ? &exchange->id_i : &exchange->id_r; + id_len = initiator ? &exchange->id_i_len : &exchange->id_r_len; + + if (exchange->name) + my_id = conf_get_str (exchange->name, "ID"); + + if (!my_id) + my_id = conf_get_str ("General", "Default-phase-1-ID"); + + sz = my_id ? ipsec_id_size (my_id, &id_type) : sizeof (in_addr_t); + if (sz == -1) + return -1; + + sz += ISAKMP_ID_DATA_OFF; + buf = malloc (sz); + if (!buf) + { + log_error ("ike_phase_1_send_ID: malloc (%d) failed", sz); + return -1; + } + + SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0); + SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0); + if (my_id) + { + SET_ISAKMP_ID_TYPE (buf, id_type); + switch (id_type) + { + case IPSEC_ID_IPV4_ADDR: + msg->transport->vtbl->get_src (msg->transport, &src, &src_len); + + /* Already in network byteorder. 
*/ + memcpy (buf + ISAKMP_ID_DATA_OFF, + &((struct sockaddr_in *)src)->sin_addr.s_addr, + sizeof (in_addr_t)); + break; + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + case IPSEC_ID_KEY_ID: + memcpy (buf + ISAKMP_ID_DATA_OFF, conf_get_str (my_id, "Name"), + sz - ISAKMP_ID_DATA_OFF); + break; + default: + log_print ("ike_phase_1_send_ID: unsupported ID type %d", id_type); + free (buf); + return -1; + } + } + else + { + msg->transport->vtbl->get_src (msg->transport, &src, &src_len); + /* XXX Assumes IPv4. */ + SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR); + /* Already in network byteorder. */ + memcpy (buf + ISAKMP_ID_DATA_OFF, + &((struct sockaddr_in *)src)->sin_addr.s_addr, + sizeof (in_addr_t)); + } + + if (message_add_payload (msg, ISAKMP_PAYLOAD_ID, buf, sz, 1)) + { + free (buf); + return -1; + } + *id_len = sz - ISAKMP_GEN_SZ; + *id = malloc (*id_len); + if (!*id) + { + log_error ("ike_phase_1_send_ID: malloc (%d) failed", *id_len); + return -1; + } + memcpy (*id, buf + ISAKMP_GEN_SZ, *id_len); + snprintf (header, 80, "ike_phase_1_send_ID: %s", + constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (buf))); + LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF, + sz - ISAKMP_ID_DATA_OFF)); + + return 0; +} + +int +ike_phase_1_send_AUTH (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + + if (ie->ike_auth->encode_hash (msg)) + { + /* XXX Log? */ + return -1; + } + + /* + * XXX Many people say the COMMIT flag is just junk, especially in Phase 1. + */ +#ifdef notyet + if ((exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0) + exchange->flags |= EXCHANGE_FLAG_I_COMMITTED; +#endif + + return 0; +} + +/* Receive ID and HASH and check that the exchange has been consistent. */ +int +ike_phase_1_recv_ID_AUTH (struct message *msg) +{ + if (ike_phase_1_recv_ID (msg)) + return -1; + + return ike_phase_1_recv_AUTH (msg); +} + +/* Receive ID. 
*/ +int +ike_phase_1_recv_ID (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct payload *payload; + char header[80]; + int initiator = exchange->initiator; + u_int8_t **id; + size_t *id_len; + + /* + * XXX Here, we could be checking that the received ID matches what + * we expect it to be (if anything). That information is contained + * in the [[exchange->name]:Remote-ID] section. + */ + + /* Choose the right fields to fill in */ + id = initiator ? &exchange->id_r : &exchange->id_i; + id_len = initiator ? &exchange->id_r_len : &exchange->id_i_len; + + /* XXX Do I really have to save the ID in the SA? */ + payload = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_ID]); + *id_len = GET_ISAKMP_GEN_LENGTH (payload->p) - ISAKMP_GEN_SZ; + *id = malloc (*id_len); + if (!*id) + { + log_error ("ike_phase_1_recv_ID: malloc (%d) failed", *id_len); + return -1; + } + memcpy (*id, payload->p + ISAKMP_GEN_SZ, *id_len); + snprintf (header, 80, "ike_phase_1_recv_ID: %s", + constant_name (ipsec_id_cst, GET_ISAKMP_ID_TYPE (payload->p))); + LOG_DBG_BUF ((LOG_NEGOTIATION, 40, header, payload->p + ISAKMP_ID_DATA_OFF, + *id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF)); + payload->flags |= PL_MARK; + + return 0; +} + +/* Receive HASH and check that the exchange has been consistent. */ +int +ike_phase_1_recv_AUTH (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct prf *prf; + struct hash *hash = ie->hash; + char header[80]; + size_t hashsize = hash->hashsize; + int initiator = exchange->initiator; + u_int8_t **hash_p, *id; + size_t id_len; + + /* Choose the right fields to fill in */ + hash_p = initiator ? &ie->hash_r : &ie->hash_i; + id = initiator ? exchange->id_r : exchange->id_i; + id_len = initiator ? 
exchange->id_r_len : exchange->id_i_len; + + /* The decoded hash will be in ie->hash_r or ie->hash_i */ + if (ie->ike_auth->decode_hash (msg)) + { + message_drop (msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 0); + return -1; + } + + /* Allocate the prf and start calculating his HASH. */ + prf = prf_alloc (ie->prf_type, hash->type, (char *)ie->skeyid, ie->skeyid_len); + if (!prf) + { + /* XXX Log? */ + return -1; + } + prf->Init (prf->prfctx); + prf->Update (prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len); + prf->Update (prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len); + prf->Update (prf->prfctx, + exchange->cookies + + (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF), + ISAKMP_HDR_ICOOKIE_LEN); + prf->Update (prf->prfctx, + exchange->cookies + + (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF), + ISAKMP_HDR_ICOOKIE_LEN); + prf->Update (prf->prfctx, ie->sa_i_b, ie->sa_i_b_len); + prf->Update (prf->prfctx, id, id_len); + prf->Final ((unsigned char *)hash->digest, prf->prfctx); + prf_free (prf); + snprintf (header, 80, "ike_phase_1_recv_AUTH: computed HASH_%c", + initiator ? 'R' : 'I'); + LOG_DBG_BUF ((LOG_NEGOTIATION, 80, header, (u_int8_t *)hash->digest, hashsize)); + + /* Check that the hash we got matches the one we computed. */ + if (memcmp (*hash_p, hash->digest, hashsize) != 0) + { + /* XXX Log? */ + return -1; + } + + return 0; +} + +struct attr_node { + LIST_ENTRY (attr_node) link; + u_int16_t type; +}; + +struct validation_state { + struct conf_list_node *xf; + LIST_HEAD (attr_head, attr_node) attrs; + char *life; +}; + +/* Validate a proposal inside SA according to EXCHANGE's policy. */ +static int +ike_phase_1_validate_prop (struct exchange *exchange, struct sa *sa, + struct sa *isakmp_sa) +{ + struct conf_list *conf, *tags; + struct conf_list_node *xf, *tag; + struct proto *proto; + struct validation_state vs; + struct attr_node *node, *next_node; + + /* Get the list of transforms. 
*/ + conf = conf_get_list (exchange->policy, "Transforms"); + if (!conf) + return 0; + + for (xf = TAILQ_FIRST (&conf->fields); xf; xf = TAILQ_NEXT (xf, link)) + { + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + { + /* Mark all attributes in our policy as unseen. */ + LIST_INIT (&vs.attrs); + vs.xf = xf; + vs.life = 0; + if (attribute_map (proto->chosen->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + GET_ISAKMP_GEN_LENGTH (proto->chosen->p) + - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + attribute_unacceptable, &vs)) + goto try_next; + + /* Sweep over unseen tags in this section. */ + tags = conf_get_tag_list (xf->field); + if (tags) + { + for (tag = TAILQ_FIRST (&tags->fields); tag; + tag = TAILQ_NEXT (tag, link)) + /* + * XXX Should we care about attributes we have, they do not + * provide? + */ + for (node = LIST_FIRST (&vs.attrs); node; + node = next_node) + { + next_node = LIST_NEXT (node, link); + if (node->type + == constant_value (ike_attr_cst, tag->field)) + { + LIST_REMOVE (node, link); + free (node); + } + } + conf_free_list (tags); + } + + /* Are there leftover tags in this section? */ + node = LIST_FIRST (&vs.attrs); + if (node) + goto try_next; + } + + /* All protocols were OK, we succeeded. */ + LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: success")); + conf_free_list (conf); + if (vs.life) + free (vs.life); + return 1; + + try_next: + /* Are there leftover tags in this section? */ + node = LIST_FIRST (&vs.attrs); + while (node) + { + LIST_REMOVE (node, link); + free (node); + node = LIST_FIRST (&vs.attrs); + } + if (vs.life) + free (vs.life); + } + + LOG_DBG ((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure")); + conf_free_list (conf); + return 0; +} + +/* + * Look at the attribute of type TYPE, located at VALUE for LEN bytes forward. + * The VVS argument holds a validation state kept across invocations. + * If the attribute is unacceptable to use, return non-zero, otherwise zero. 
+ */ +static int +attribute_unacceptable (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vvs) +{ + struct validation_state *vs = vvs; + struct conf_list *life_conf; + struct conf_list_node *xf = vs->xf, *life; + char *tag = constant_lookup (ike_attr_cst, type); + char *str; + struct constant_map *map; + struct attr_node *node; + int rv; + + if (!tag) + { + LOG_DBG ((LOG_NEGOTIATION, 60, + "attribute_unacceptable: attribute type %d not known", type)); + return 1; + } + + switch (type) + { + case IKE_ATTR_ENCRYPTION_ALGORITHM: + case IKE_ATTR_HASH_ALGORITHM: + case IKE_ATTR_AUTHENTICATION_METHOD: + case IKE_ATTR_GROUP_DESCRIPTION: + case IKE_ATTR_GROUP_TYPE: + case IKE_ATTR_PRF: + str = conf_get_str (xf->field, tag); + if (!str) + { + /* This attribute does not exist in this policy. */ + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: attr %s does not exist in %s", + tag, xf->field)); + return 1; + } + + map = constant_link_lookup (ike_attr_cst, type); + if (!map) + return 1; + + if ((constant_value (map, str) == decode_16 (value)) || + (!strcmp (str, "ANY"))) + { + /* Mark this attribute as seen. */ + node = malloc (sizeof *node); + if (!node) + { + log_error ("attribute_unacceptable: malloc (%d) failed", + sizeof *node); + return 1; + } + node->type = type; + LIST_INSERT_HEAD (&vs->attrs, node, link); + return 0; + } + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: %s: got %s, expected %s", tag, + constant_lookup (map, decode_16 (value)), str)); + return 1; + + case IKE_ATTR_GROUP_PRIME: + case IKE_ATTR_GROUP_GENERATOR_1: + case IKE_ATTR_GROUP_GENERATOR_2: + case IKE_ATTR_GROUP_CURVE_A: + case IKE_ATTR_GROUP_CURVE_B: + /* XXX Bignums not handled yet. */ + return 1; + + case IKE_ATTR_LIFE_TYPE: + case IKE_ATTR_LIFE_DURATION: + life_conf = conf_get_list (xf->field, "Life"); + if (life_conf && !strcmp (conf_get_str (xf->field, "Life"), "ANY")) + return 0; + + rv = 1; + if (!life_conf) + { + /* Life attributes given, but not in our policy. 
*/ + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "received unexpected life attribute")); + return 1; + } + + /* + * Each lifetime type must match, otherwise we turn the proposal down. + * In order to do this we need to find the specific section of our + * policy's "Life" list and match its duration + */ + switch (type) + { + case IKE_ATTR_LIFE_TYPE: + for (life = TAILQ_FIRST (&life_conf->fields); life; + life = TAILQ_NEXT (life, link)) + { + str = conf_get_str (life->field, "LIFE_TYPE"); + if (!str) + { + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "section [%s] has no LIFE_TYPE", life->field)); + continue; + } + + /* + * If this is the type we are looking at, save a pointer + * to this section in vs->life. + */ + if (constant_value (ike_duration_cst, str) == decode_16 (value)) + { + vs->life = strdup (life->field); + rv = 0; + goto bail_out; + } + } + LOG_DBG ((LOG_NEGOTIATION, 70, + "attribute_unacceptable: unrecognized LIFE_TYPE %d", + decode_16 (value))); + vs->life = 0; + break; + + case IKE_ATTR_LIFE_DURATION: + if (!vs->life) + { + LOG_DBG ((LOG_NEGOTIATION, 70, "attribute_unacceptable: " + "LIFE_DURATION without LIFE_TYPE")); + rv = 1; + goto bail_out; + } + + if (!strcmp (conf_get_str (vs->life, "LIFE_DURATION"), "ANY")) + rv = 0; + else + rv = !conf_match_num (vs->life, "LIFE_DURATION", + len == 4 ? decode_32 (value) : + decode_16 (value)); + free (vs->life); + vs->life = 0; + break; + } + + bail_out: + conf_free_list (life_conf); + return rv; + + case IKE_ATTR_KEY_LENGTH: + case IKE_ATTR_FIELD_SIZE: + case IKE_ATTR_GROUP_ORDER: + if (conf_match_num (xf->field, tag, decode_16 (value))) + { + /* Mark this attribute as seen. */ + node = malloc (sizeof *node); + if (!node) + { + log_error ("attribute_unacceptable: malloc (%d) failed", + sizeof *node); + return 1; + } + node->type = type; + LIST_INSERT_HEAD (&vs->attrs, node, link); + return 0; + } + return 1; + } + return 1; +} 
diff --git a/src/ike_phase_1.h b/src/ike_phase_1.h
new file mode 100644
index 0000000..5659261
--- /dev/null
+++ b/src/ike_phase_1.h
@@ -0,0 +1,61 @@
+/* $Id: ike_phase_1.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ike_phase_1.h,v $ */
+
+/* $OpenBSD: ike_phase_1.h,v 1.2 2001/01/28 22:38:47 niklas Exp $ */
+
+/*
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _IKE_PHASE_1_H_
+#define _IKE_PHASE_1_H_
+
+struct message;
+
+extern int ike_phase_1_initiator_recv_KE_NONCE (struct message *);
+extern int ike_phase_1_initiator_recv_SA (struct message *);
+extern int ike_phase_1_initiator_send_KE_NONCE (struct message *);
+extern int ike_phase_1_initiator_send_SA (struct message *);
+extern int ike_phase_1_post_exchange_KE_NONCE (struct message *);
+extern int ike_phase_1_recv_AUTH (struct message *);
+extern int ike_phase_1_recv_ID (struct message *);
+extern int ike_phase_1_recv_ID_AUTH (struct message *);
+extern int ike_phase_1_recv_KE_NONCE (struct message *);
+extern int ike_phase_1_responder_recv_SA (struct message *);
+extern int ike_phase_1_responder_send_SA (struct message *);
+extern int ike_phase_1_responder_send_ID_AUTH (struct message *);
+extern int ike_phase_1_send_AUTH (struct message *);
+extern int ike_phase_1_send_ID (struct message *);
+extern int ike_phase_1_send_ID_AUTH (struct message *);
+extern int ike_phase_1_send_KE_NONCE (struct message *, size_t);
+
+#endif /* _IKE_PHASE_1_H_ */
diff --git a/src/init.c b/src/init.c
new file mode 100644
index 0000000..91e12df
--- /dev/null
+++ b/src/init.c
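Review bot: The last prototype in src/ike_phase_1.h, `ike_phase_1_send_KE_NONCE (struct message *, size_t)`, uses `size_t`, but the header only forward-declares `struct message` and includes nothing. It therefore compiles only when every includer has already pulled in a definition of `size_t`. Adding `#include <sys/types.h>` ahead of the prototypes would make the header self-contained. The guard `_IKE_PHASE_1_H_` starts with an underscore and a capital letter, a form C reserves for the implementation; it comes from the upstream file, so renaming it is optional.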
@@ -0,0 +1,171 @@
+/* $Id: init.c,v 1.5.4.1 2011/10/18 03:26:56 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/init.c,v $ */
+
+/* $OpenBSD: init.c,v 1.15 2000/04/07 22:05:08 niklas Exp $ */
+/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
+/*
+ * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/* XXX This file could easily be built dynamically instead. */
+
+#include "sysdep.h"
+
+#include
+#include "app.h"
+#include "cert.h"
+#include "conf.h"
+#include "connection.h"
+#include "cookie.h"
+#include "doi.h"
+#include "exchange.h"
+#include "init.h"
+#include "ipsec.h"
+#include "isakmp_doi.h"
+#include "libcrypto.h"
+#include "log.h"
+#include "math_group.h"
+#include "sa.h"
+#include "timer.h"
+#include "transport.h"
+#include "udp.h"
+#include "ui.h"
+#include "gdoi_phase2.h"
+
+#ifdef HAVE_GETTIMEOFDAY
+void
+random_init()
+{
+ struct timeval tp;
+ gettimeofday(&tp, NULL);
+ srandom(tp.tv_sec);
+}
+#endif
+
+void
+init ()
+{
+#ifdef HAVE_GETTIMEOFDAY
+ random_init ();
+#endif
+ log_init ();
+ app_init ();
+ doi_init ();
+ exchange_init ();
+ group_init ();
+ ipsec_init ();
+ isakmp_doi_init ();
+ libcrypto_init ();
+
+ tzset ();
+
+ timer_init ();
+
+ /* The following group are depending on timer_init having run. */
+ conf_init ();
+ connection_init ();
+ cookie_init ();
+
+ /* Depends on conf_init and policy_init having run */
+ cert_init ();
+
+ sa_init ();
+ transport_init ();
+ udp_init ();
+ ui_init ();
+
+ /* Depends on doi_init and conf_init having run */
+ gdoi_init ();
+
+}
diff --git a/src/init.h b/src/init.h
new file mode 100644
index 0000000..8397fd4
--- /dev/null
+++ b/src/init.h
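Review bot: `random_init` in src/init.c seeds the libc generator with `srandom(tp.tv_sec)`, a whole-second wall-clock value that anyone who knows roughly when the daemon started can reproduce. When `HAVE_GETTIMEOFDAY` is undefined, no seeding happens at all. Whether ISAKMP cookies, nonces or SPIs are drawn from `random()` is not visible in this hunk; if any are, they should come from the crypto library's generator or the OS entropy source instead. I would record the constraint above the call with `/* Seed is wall-clock seconds, so random() output is guessable: never use it for cookies, nonces or keys. */`. Separately, the comment before `cert_init ()` says it depends on `policy_init`, which `init` never calls, so either the call or the comment is stale.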
@@ -0,0 +1,45 @@
+/* $Id: init.h,v 1.2 2002/05/10 04:25:14 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/init.h,v $ */
+
+/* $OpenBSD: init.h,v 1.3 1998/11/17 11:10:13 niklas Exp $ */
+/* $EOM: init.h,v 1.2 1998/07/07 23:36:00 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _INIT_H_
+#define _INIT_H_
+
+extern void init (void);
+
+#endif /* _INIT_H_ */
diff --git a/src/ipsec.c b/src/ipsec.c
new file mode 100644
index 0000000..55423c8
--- /dev/null
+++ b/src/ipsec.c
@@ -0,0 +1,2189 @@ +/* $Id: ipsec.c,v 1.9.2.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ipsec.c,v $ */ + +/* $OpenBSD: ipsec.c,v 1.44 2001/04/24 07:27:37 niklas Exp $ */ +/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2001 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "conf.h" +#include "constants.h" +#include "crypto.h" +#include "dh.h" +#include "doi.h" +#include "exchange.h" +#include "hash.h" +#include "ike_aggressive.h" +#include "ike_auth.h" +#include "ike_main_mode.h" +#include "ipsec.h" +#include "ipsec_doi.h" +#include "isakmp.h" +#include "log.h" +#include "math_group.h" +#include "message.h" +#include "prf.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "util.h" +#include "gdoi_num.h" + +/* Backwards compatibility. */ +#ifndef NI_MAXHOST +#define NI_MAXHOST 1025 +#endif + +/* The replay window size used for all IPSec protocols if not overridden. */ +#define DEFAULT_REPLAY_WINDOW 16 + +/* These variables hold the contacted peers ADT state. */ +struct contact { + struct sockaddr *addr; + socklen_t len; +} *contacts = 0; +int contact_cnt = 0, contact_limit = 0; + +static int addr_cmp (const void *, const void *); +static int ipsec_add_contact (struct message *msg); +static int ipsec_contacted (struct message *msg); +#ifdef USE_DEBUG +static int ipsec_debug_attribute (u_int16_t, u_int8_t *, u_int16_t, void *); +#endif +static void ipsec_delete_spi (struct sa *, struct proto *, int); +static u_int16_t *ipsec_exchange_script (u_int8_t); +static void ipsec_finalize_exchange (struct message *); +static void ipsec_free_exchange_data (void *); +static void ipsec_free_proto_data (void *); +static void ipsec_free_sa_data (void *); +static struct keystate *ipsec_get_keystate (struct message *); +static u_int8_t *ipsec_get_spi (size_t *, u_int8_t, struct message *); +static int ipsec_handle_leftover_payload (struct message *, u_int8_t, + struct payload *); +static int ipsec_informational_post_hook (struct message *); +static int ipsec_informational_pre_hook (struct message *); +static int ipsec_initiator (struct message *); +static void ipsec_proto_init (struct proto *, 
char *); +static int ipsec_responder (struct message *); +static void ipsec_setup_situation (u_int8_t *); +static size_t ipsec_situation_size (void); +static u_int8_t ipsec_spi_size (u_int8_t); +static int ipsec_validate_attribute (u_int16_t, u_int8_t *, u_int16_t, void *); +static int ipsec_validate_exchange (u_int8_t); +static int ipsec_validate_id_information (u_int8_t, u_int8_t *, u_int8_t *, + size_t, struct exchange *); +static int ipsec_validate_key_information (u_int8_t *, size_t); +static int ipsec_validate_notification (u_int16_t); +static int ipsec_validate_proto (u_int8_t); +static int ipsec_validate_situation (u_int8_t *, size_t *); +static int ipsec_validate_transform_id (u_int8_t, u_int8_t); + +static struct doi ipsec_doi = { + { 0 }, IPSEC_DOI_IPSEC, + sizeof (struct ipsec_exch), sizeof (struct ipsec_sa), + sizeof (struct ipsec_proto), +#ifdef USE_DEBUG + ipsec_debug_attribute, +#endif + ipsec_delete_spi, + ipsec_exchange_script, + ipsec_finalize_exchange, + ipsec_free_exchange_data, + ipsec_free_proto_data, + ipsec_free_sa_data, + ipsec_get_keystate, + ipsec_get_spi, + ipsec_handle_leftover_payload, + ipsec_informational_post_hook, + ipsec_informational_pre_hook, + ipsec_is_attribute_incompatible, + ipsec_proto_init, + ipsec_setup_situation, + ipsec_situation_size, + ipsec_spi_size, + ipsec_validate_attribute, + ipsec_validate_exchange, + ipsec_validate_id_information, + ipsec_validate_key_information, + ipsec_validate_notification, + ipsec_validate_proto, + ipsec_validate_situation, + ipsec_validate_transform_id, + ipsec_initiator, + ipsec_responder, + ipsec_decode_ids, + 0 +}; + +u_int16_t script_quick_mode[] = { + ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_SA, + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_SA, + ISAKMP_PAYLOAD_NONCE, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. 
*/ + EXCHANGE_SCRIPT_END +}; + +u_int16_t script_new_group_mode[] = { + ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_SA, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_SA, + EXCHANGE_SCRIPT_END +}; + +struct dst_spi_proto_arg { + in_addr_t dst; + u_int32_t spi; + u_int8_t proto; +}; + +/* + * Check if SA matches what we are asking for through V_ARG. It has to + * be a finished phase 2 SA. + * if "proto" arg is 0, match any proto + */ +static int +ipsec_sa_check (struct sa *sa, void *v_arg) +{ + struct dst_spi_proto_arg *arg = v_arg; + struct proto *proto; + struct sockaddr *dst, *src; + int dstlen, srclen; + int incoming; + + if (sa->phase != 2 || !(sa->flags & SA_FLAG_READY) || !sa->transport) + return 0; + + sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen); + if (((struct sockaddr_in *)dst)->sin_addr.s_addr == arg->dst) + incoming = 0; + else + { + sa->transport->vtbl->get_src (sa->transport, &src, &srclen); + if (((struct sockaddr_in *)src)->sin_addr.s_addr == arg->dst) + incoming = 1; + else + return 0; + } + + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + if ((arg->proto == 0 || proto->proto == arg->proto) + && memcmp (proto->spi[incoming], &arg->spi, sizeof arg->spi) == 0) + return 1; + return 0; +} + +/* Find an SA with a "name" of DST, SPI & PROTO. */ +struct sa * +ipsec_sa_lookup (in_addr_t dst, u_int32_t spi, u_int8_t proto) +{ + struct dst_spi_proto_arg arg = { dst, spi, proto }; + + return sa_find (ipsec_sa_check, &arg); +} + +/* + * Check if SA matches the flow of another SA in V_ARG. It has to + * be a finished non-replaced phase 2 SA. + * XXX At some point other selectors will matter here too. 
+ */ +int +ipsec_sa_check_flow (struct sa *sa, void *v_arg) +{ + struct sa *sa2 = v_arg; + struct ipsec_sa *isa = sa->data, *isa2 = sa2->data; + + if (sa == sa2 || sa->phase != 2 + || (sa->flags & (SA_FLAG_READY | SA_FLAG_REPLACED)) != SA_FLAG_READY) + return 0; + + return isa->src_net == isa2->src_net && isa->src_mask == isa2->src_mask + && isa->dst_net == isa2->dst_net && isa->dst_mask == isa2->dst_mask + && isa->tproto == isa2->tproto && isa->sport == isa2->sport + && isa->dport == isa2->dport; +} + +/* + * Do IPSec DOI specific finalizations task for the exchange where MSG was + * the final message. + */ +static void +ipsec_finalize_exchange (struct message *msg) +{ + struct sa *isakmp_sa = msg->isakmp_sa; + struct ipsec_sa *isa; + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct sa *sa = 0, *old_sa; + struct proto *proto, *last_proto = 0; + + switch (exchange->phase) + { + case 1: + switch (exchange->type) + { + case ISAKMP_EXCH_ID_PROT: + case ISAKMP_EXCH_AGGRESSIVE: + isa = isakmp_sa->data; + isa->hash = ie->hash->type; + isa->prf_type = ie->prf_type; + isa->skeyid_len = ie->skeyid_len; + isa->skeyid_d = ie->skeyid_d; + isa->skeyid_a = ie->skeyid_a; + /* Prevents early free of SKEYID_*. */ + ie->skeyid_a = ie->skeyid_d = 0; + + /* If a lifetime was negotiated setup the expiration timers. */ + if (isakmp_sa->seconds) + sa_setup_expirations (isakmp_sa); + break; + } + break; + + case 2: + switch (exchange->type) + { + case IKE_EXCH_QUICK_MODE_OR_GDOI_REGISTRATION: + /* + * Tell the application(s) about the SPIs and key material. 
+ */ + for (sa = TAILQ_FIRST (&exchange->sa_list); sa; + sa = TAILQ_NEXT (sa, next)) + { + for (proto = TAILQ_FIRST (&sa->protos), last_proto = 0; proto; + proto = TAILQ_NEXT (proto, link)) + { + if (sysdep_ipsec_set_spi (sa, proto, 0) + || (last_proto + && sysdep_ipsec_group_spis (sa, last_proto, proto, + 0)) + || sysdep_ipsec_set_spi (sa, proto, 1) + || (last_proto + && sysdep_ipsec_group_spis (sa, last_proto, proto, + 1))) + /* XXX Tear down this exchange. */ + return; + last_proto = proto; + } + + isa = sa->data; + + if (exchange->initiator) + /* Initiator is source, responder is destination. */ + ipsec_set_network (ie->id_ci, ie->id_cr, isa); + else + /* Responder is source, initiator is destination. */ + ipsec_set_network (ie->id_cr, ie->id_ci, isa); + + LOG_DBG ((LOG_EXCHANGE, 50, + "ipsec_finalize_exchange: " + "src %x %x dst %x %x tproto %u sport %u dport %u", + ntohl (isa->src_net), ntohl (isa->src_mask), + ntohl (isa->dst_net), ntohl (isa->dst_mask), + ntohs (isa->tproto), isa->sport, ntohs (isa->dport))); + + /* + * If this is not an SA acquired by the kernel, it needs + * to have a SPD entry (a.k.a. flow) set up. + */ + if (!(sa->flags & SA_FLAG_ONDEMAND) + && sysdep_ipsec_enable_sa (sa, isakmp_sa)) + /* XXX Tear down this exchange. */ + return; + + /* Mark elder SAs with the same flow information as replaced. */ + while ((old_sa = sa_find (ipsec_sa_check_flow, sa)) != 0) + sa_mark_replaced (old_sa); + } + break; + } + } +} + +/* Set the client addresses in ISA from SRC_ID and DST_ID. */ +void +ipsec_set_network (u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) +{ + int id; + + /* Set source address. 
*/ + id = GET_ISAKMP_ID_TYPE (src_id); + switch (id) + { + case IPSEC_ID_IPV4_ADDR: + memcpy (&isa->src_net, src_id + ISAKMP_ID_DATA_OFF, sizeof isa->src_net); + isa->src_mask = htonl (0xffffffff); + memcpy (&isa->tproto, + src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF, + IPSEC_ID_PROTO_LEN); + memcpy (&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, + IPSEC_ID_PORT_LEN); + break; + + case IPSEC_ID_IPV4_ADDR_SUBNET: + memcpy (&isa->src_net, src_id + ISAKMP_ID_DATA_OFF, sizeof isa->src_net); + memcpy (&isa->src_mask, + src_id + ISAKMP_ID_DATA_OFF + sizeof isa->src_net, + sizeof isa->src_mask); + memcpy (&isa->tproto, + src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF, + IPSEC_ID_PROTO_LEN); + memcpy (&isa->sport, src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, + IPSEC_ID_PORT_LEN); + break; + } + + /* Set destination address. */ + id = GET_ISAKMP_ID_TYPE (dst_id); + switch (id) + { + case IPSEC_ID_IPV4_ADDR: + memcpy (&isa->dst_net, dst_id + ISAKMP_ID_DATA_OFF, sizeof isa->dst_net); + isa->dst_mask = htonl (0xffffffff); + memcpy (&isa->tproto, + dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF, + IPSEC_ID_PROTO_LEN); + memcpy (&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, + IPSEC_ID_PORT_LEN); + break; + + case IPSEC_ID_IPV4_ADDR_SUBNET: + memcpy (&isa->dst_net, dst_id + ISAKMP_ID_DATA_OFF, sizeof isa->dst_net); + memcpy (&isa->dst_mask, + dst_id + ISAKMP_ID_DATA_OFF + sizeof isa->dst_net, + sizeof isa->dst_mask); + memcpy (&isa->tproto, + dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PROTO_OFF, + IPSEC_ID_PROTO_LEN); + memcpy (&isa->dport, dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, + IPSEC_ID_PORT_LEN); + break; + } +} + +/* Free the DOI-specific exchange data pointed to by VIE. 
*/ +static void +ipsec_free_exchange_data (void *vie) +{ + struct ipsec_exch *ie = vie; + + if (ie->sa_i_b) + free (ie->sa_i_b); + if (ie->id_ci) + free (ie->id_ci); + if (ie->id_cr) + free (ie->id_cr); + if (ie->g_xi) + free (ie->g_xi); + if (ie->g_xr) + free (ie->g_xr); + if (ie->g_xy) + free (ie->g_xy); + if (ie->skeyid) + free (ie->skeyid); + if (ie->skeyid_d) + free (ie->skeyid_d); + if (ie->skeyid_a) + free (ie->skeyid_a); + if (ie->skeyid_e) + free (ie->skeyid_e); + if (ie->hash_i) + free (ie->hash_i); + if (ie->hash_r) + free (ie->hash_r); + if (ie->group) + group_free (ie->group); +} + +/* Free the DOI-specific SA data pointed to by VISA. */ +static void +ipsec_free_sa_data (void *visa) +{ + struct ipsec_sa *isa = visa; + + if (isa->skeyid_a) + free (isa->skeyid_a); + if (isa->skeyid_d) + free (isa->skeyid_d); +} + +/* Free the DOI-specific protocol data of an SA pointed to by VIPROTO. */ +static void +ipsec_free_proto_data (void *viproto) +{ + struct ipsec_proto *iproto = viproto; + int i; + + for (i = 0; i < 2; i++) + if (iproto->keymat[i]) + free (iproto->keymat[i]); +} + +/* Return exchange script based on TYPE. */ +static u_int16_t * +ipsec_exchange_script (u_int8_t type) +{ + switch (type) + { + case IKE_EXCH_QUICK_MODE_OR_GDOI_REGISTRATION: + return script_quick_mode; + case IKE_EXCH_NEW_GROUP_MODE_OR_GDOI_REKEY: + return script_new_group_mode; + } + return 0; +} + +/* Initialize this DOI, requires doi_init to already have been called. */ +void +ipsec_init () +{ + doi_register (&ipsec_doi); +} + +/* Given a message MSG, return a suitable IV (or rather keystate). */ +static struct keystate * +ipsec_get_keystate (struct message *msg) +{ + struct keystate *ks; + struct hash *hash; + + /* If we have already have an IV, use it. 
*/ + if (msg->exchange && msg->exchange->keystate) + { + ks = malloc (sizeof *ks); + if (!ks) + { + log_error ("ipsec_get_keystate: malloc (%d) failed", sizeof *ks); + return 0; + } + memcpy (ks, msg->exchange->keystate, sizeof *ks); + return ks; + } + + /* + * For phase 2 when no SA yet is setup we need to hash the IV used by + * the ISAKMP SA concatenated with the message ID, and use that as an + * IV for further cryptographic operations. + */ + if (!msg->isakmp_sa->keystate) + { + log_print ("ipsec_get_keystate: no keystate in ISAKMP SA %p", + msg->isakmp_sa); + return 0; + } + ks = crypto_clone_keystate (msg->isakmp_sa->keystate); + if (!ks) + return 0; + + hash = hash_get (((struct ipsec_sa *)msg->isakmp_sa->data)->hash); + hash->Init (hash->ctx); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV", + ks->riv, ks->xf->blocksize)); + hash->Update (hash->ctx, ks->riv, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID", + ((u_int8_t *)msg->iov[0].iov_base) + + ISAKMP_HDR_MESSAGE_ID_OFF, + ISAKMP_HDR_MESSAGE_ID_LEN)); + hash->Update (hash->ctx, + ((u_int8_t *)msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF, + ISAKMP_HDR_MESSAGE_ID_LEN); + hash->Final ((u_int8_t *)hash->digest, hash->ctx); + crypto_init_iv (ks, (u_int8_t *)hash->digest, ks->xf->blocksize); + LOG_DBG_BUF ((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV", + (u_int8_t *)hash->digest, ks->xf->blocksize)); + return ks; +} + +static void +ipsec_setup_situation (u_int8_t *buf) +{ + SET_IPSEC_SIT_SIT (buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); +} + +static size_t +ipsec_situation_size (void) +{ + return IPSEC_SIT_SIT_LEN; +} + +static u_int8_t +ipsec_spi_size (u_int8_t proto) +{ + return IPSEC_SPI_SIZE; +} + +static int +ipsec_validate_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) +{ + struct message *msg = vmsg; + + if ((msg->exchange->phase == 1 + && (type < IKE_ATTR_ENCRYPTION_ALGORITHM + || type > 
IKE_ATTR_GROUP_ORDER)) + || (msg->exchange->phase == 2 + && (type < IPSEC_ATTR_SA_LIFE_TYPE + || type > IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM))) + return -1; + return 0; +} + +static int +ipsec_validate_exchange (u_int8_t exch) +{ + return exch != IKE_EXCH_QUICK_MODE_OR_GDOI_REGISTRATION && + exch != IKE_EXCH_NEW_GROUP_MODE_OR_GDOI_REKEY; +} + +static int +ipsec_validate_id_information (u_int8_t type, u_int8_t *extra, u_int8_t *buf, + size_t sz, struct exchange *exchange) +{ + u_int8_t proto = GET_IPSEC_ID_PROTO (extra); + u_int16_t port = GET_IPSEC_ID_PORT (extra); + + LOG_DBG ((LOG_MESSAGE, 0, + "ipsec_validate_id_information: proto %d port %d type %d", + proto, port, type)); + if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_KEY_ID) + return -1; + + switch (type) + { + case IPSEC_ID_IPV4_ADDR: + LOG_DBG_BUF ((LOG_MESSAGE, 40, "ipsec_validate_id_information: IPv4", + buf, 4)); + break; + + case IPSEC_ID_IPV4_ADDR_SUBNET: + LOG_DBG_BUF ((LOG_MESSAGE, 40, + "ipsec_validate_id_information: IPv4 network/netmask", + buf, 8)); + break; + + default: + break; + } + + if (exchange->phase == 1 + && (proto != IPPROTO_UDP || port != UDP_DEFAULT_PORT) + && (proto != 0 || port != 0)) + { +/* XXX SSH's ISAKMP tester fails this test (proto 17 - port 0). */ +#ifdef notyet + return -1; +#else + log_print ("ipsec_validate_id_information: " + "dubious ID information accepted"); +#endif + } + + /* XXX More checks? */ + + return 0; +} + +static int +ipsec_validate_key_information (u_int8_t *buf, size_t sz) +{ + /* XXX Not implemented yet. */ + return 0; +} + +static int +ipsec_validate_notification (u_int16_t type) +{ + return type < IPSEC_NOTIFY_RESPONDER_LIFETIME + || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0; +} + +static int +ipsec_validate_proto (u_int8_t proto) +{ + return proto < IPSEC_PROTO_IPSEC_AH || proto > IPSEC_PROTO_IPCOMP ? 
-1 : 0; +} + +static int +ipsec_validate_situation (u_int8_t *buf, size_t *sz) +{ + int sit = GET_IPSEC_SIT_SIT (buf); + int off; + + if (sit & (IPSEC_SIT_SECRECY | IPSEC_SIT_INTEGRITY)) + { + /* + * XXX All the roundups below, round up to 32 bit boundaries given + * that the situation field is aligned. This is not necessarily so, + * but I interpret the drafts as this is like this they want it. + */ + off = ROUNDUP_32 (GET_IPSEC_SIT_SECRECY_LENGTH (buf)); + off += ROUNDUP_32 (GET_IPSEC_SIT_SECRECY_CAT_LENGTH (buf + off)); + off += ROUNDUP_32 (GET_IPSEC_SIT_INTEGRITY_LENGTH (buf + off)); + off += ROUNDUP_32 (GET_IPSEC_SIT_INTEGRITY_CAT_LENGTH (buf + off)); + *sz = off + IPSEC_SIT_SZ; + } + else + *sz = IPSEC_SIT_SIT_LEN; + + /* Currently only "identity only" situations are supported. */ +#ifdef notdef + return + sit & ~(IPSEC_SIT_IDENTITY_ONLY | IPSEC_SIT_SECRECY | IPSEC_SIT_INTEGRITY); +#else + return sit & ~IPSEC_SIT_IDENTITY_ONLY; +#endif + return 1; + return 0; +} + +static int +ipsec_validate_transform_id (u_int8_t proto, u_int8_t transform_id) +{ + switch (proto) + { + /* + * As no unexpected protocols can occur, we just tie the default case + * to the first case, in orer to silence a GCC warning. + */ + default: + case ISAKMP_PROTO_ISAKMP: + return transform_id != IPSEC_TRANSFORM_KEY_IKE; + case IPSEC_PROTO_IPSEC_AH: + return + transform_id < IPSEC_AH_MD5 || transform_id > IPSEC_AH_DES ? -1 : 0; + case IPSEC_PROTO_IPSEC_ESP: + return transform_id < IPSEC_ESP_DES_IV64 + || transform_id > IPSEC_ESP_AES_CBC ? -1 : 0; + case IPSEC_PROTO_IPCOMP: + return transform_id < IPSEC_IPCOMP_OUI + || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0; + } +} + +static int +ipsec_initiator (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + int (**script) (struct message *msg) = 0; + + /* Check that the SA is coherent with the IKE rules. 
*/ + if ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != ISAKMP_EXCH_INFO) + || (exchange->phase == 2 && + exchange->type != IKE_EXCH_QUICK_MODE_OR_GDOI_REGISTRATION + && exchange->type != ISAKMP_EXCH_INFO)) + { + log_print ("ipsec_initiator: unsupported exchange type %d in phase %d", + exchange->type, exchange->phase); + return -1; + } + + switch (exchange->type) + { + case ISAKMP_EXCH_ID_PROT: + script = ike_main_mode_initiator; + break; +#ifdef USE_AGGRESSIVE + case ISAKMP_EXCH_AGGRESSIVE: + script = ike_aggressive_initiator; + break; +#endif + case ISAKMP_EXCH_INFO: + return message_send_info (msg); + default: + log_print ("ipsec_initiator: unsupported exchange type %d", + exchange->type); + return -1; + } + + /* Run the script code for this step. */ + if (script) + return script[exchange->step] (msg); + + return 0; +} + +/* + * delete all SA's from addr with the associated proto and SPI's + * + * spis[] is an array of SPIs of size 16-octet for proto ISAKMP + * or 4-octet otherwise. + */ +static void +ipsec_delete_spi_list (struct sockaddr *addr, u_int8_t proto, + u_int8_t *spis, int nspis, char *type) +{ + u_int32_t iaddr = ((struct sockaddr_in *)addr)->sin_addr.s_addr; + struct sa *sa; + int i; + + for (i = 0; i < nspis; i++) + { + if (proto == ISAKMP_PROTO_ISAKMP) + { + u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN; + + /* + * This really shouldn't happen in IPSEC DOI + * code, but Cisco VPN 3000 sends ISAKMP DELETE's + * this way. 
+ */ + sa = sa_lookup_isakmp_sa (addr, spi); + if (sa == NULL) + { + LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: " + "could not locate IKE SA (SPI %08x, proto %u)", + spi, proto)); + continue; + } + } + else + { + u_int32_t spi = ((u_int32_t *)spis)[i]; + + sa = ipsec_sa_lookup (iaddr, spi, proto); + if (sa == NULL) + { + LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: " + "could not locate IPsec SA (SPI %04x, proto %u)", + ntohl(spi), proto)); + continue; + } + } + + /* Delete the SA and search for the next */ + LOG_DBG ((LOG_SA, 30, "ipsec_delete_spi_list: " + "%s made us delete SA %p (%d references) for proto %d", + type, sa, sa->refcnt, proto)); + + sa_free (sa); + } +} + +/* + * deal with a NOTIFY of INVALID_SPI + */ +static void +ipsec_invalid_spi (struct message *msg, struct payload *p) +{ + struct sockaddr *dst; + int invspisz, off, dstlen; + u_int32_t spi; + u_int16_t totsiz; + u_int8_t spisz; + + /* + * get the invalid spi out of the variable sized notification data + * field, which is after the variable sized SPI field [which specifies + * the receiving entity's phase-1 SPI, not the invalid spi] + */ + totsiz = GET_ISAKMP_GEN_LENGTH (p->p); + spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p); + off = ISAKMP_NOTIFY_SPI_OFF + spisz; + invspisz = totsiz - off; + + if (invspisz != sizeof spi) + { + LOG_DBG ((LOG_SA, 40, + "ipsec_invalid_spi: SPI size %d in INVALID_SPI " + "payload unsupported", spisz)); + return; + } + memcpy (&spi, p->p + off, sizeof spi); + + msg->transport->vtbl->get_dst (msg->transport, &dst, &dstlen); + + /* delete matching SPI's from this peer */ + ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI"); +} + +static int +ipsec_responder (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + int (**script) (struct message *msg) = 0; + struct payload *p; + u_int16_t type; + + /* Check that a new exchange is coherent with the IKE rules. 
*/ + if (exchange->step == 0 + && ((exchange->phase == 1 && exchange->type != ISAKMP_EXCH_ID_PROT + && exchange->type != ISAKMP_EXCH_AGGRESSIVE + && exchange->type != ISAKMP_EXCH_INFO) + || (exchange->phase == 2 && exchange->type == ISAKMP_EXCH_ID_PROT))) + { + message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + return -1; + } + + LOG_DBG ((LOG_MISC, 30, + "ipsec_responder: phase %d exchange %d step %d", exchange->phase, + exchange->type, exchange->step)); + switch (exchange->type) + { + case ISAKMP_EXCH_ID_PROT: + script = ike_main_mode_responder; + break; + +#ifdef USE_AGGRESSIVE + case ISAKMP_EXCH_AGGRESSIVE: + script = ike_aggressive_responder; + break; +#endif + + case ISAKMP_EXCH_INFO: + for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p; + p = TAILQ_NEXT (p, link)) + { + type = GET_ISAKMP_NOTIFY_MSG_TYPE (p->p); + LOG_DBG ((LOG_EXCHANGE, 10, + "ipsec_responder: got NOTIFY of type %s", + constant_lookup (isakmp_notify_cst, type))); + + if (type == ISAKMP_NOTIFY_INVALID_SPI) + ipsec_invalid_spi (msg, p); + + p->flags |= PL_MARK; + } + + /* + * If any DELETEs are in here, let the logic of leftover payloads deal + * with them. + */ + + return 0; + + default: + message_drop (msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, 0, 1, 0); + return -1; + } + + /* Run the script code for this step. */ + if (script) + return script[exchange->step] (msg); + + /* + * XXX So far we don't accept any proposals for exchanges we don't support. 
+ */ + if (TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA])) + { + message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); + return -1; + } + return 0; +} + +static enum hashes from_ike_hash (u_int16_t hash) +{ + switch (hash) + { + case IKE_HASH_MD5: + return HASH_MD5; + case IKE_HASH_SHA: + return HASH_SHA1; + } + return -1; +} + +static enum transform from_ike_crypto (u_int16_t crypto) +{ + /* Coincidentally this is the null operation :-) */ + return crypto; +} + +/* + * Find out whether the attribute of type TYPE with a LEN length value + * pointed to by VALUE is incompatible with what we can handle. + * VMSG is a pointer to the current message. + */ +int +ipsec_is_attribute_incompatible (u_int16_t type, u_int8_t *value, + u_int16_t len, void *vmsg) +{ + struct message *msg = vmsg; + + if (msg->exchange->phase == 1) + { + switch (type) + { + case IKE_ATTR_ENCRYPTION_ALGORITHM: + return !crypto_get (from_ike_crypto (decode_16 (value))); + case IKE_ATTR_HASH_ALGORITHM: + return !hash_get (from_ike_hash (decode_16 (value))); + case IKE_ATTR_AUTHENTICATION_METHOD: + return !ike_auth_get (decode_16 (value)); + case IKE_ATTR_GROUP_DESCRIPTION: + return decode_16 (value) < IKE_GROUP_DESC_MODP_768 + || decode_16 (value) > IKE_GROUP_DESC_MODP_1536; + case IKE_ATTR_GROUP_TYPE: + return 1; + case IKE_ATTR_GROUP_PRIME: + return 1; + case IKE_ATTR_GROUP_GENERATOR_1: + return 1; + case IKE_ATTR_GROUP_GENERATOR_2: + return 1; + case IKE_ATTR_GROUP_CURVE_A: + return 1; + case IKE_ATTR_GROUP_CURVE_B: + return 1; + case IKE_ATTR_LIFE_TYPE: + return decode_16 (value) < IKE_DURATION_SECONDS + || decode_16 (value) > IKE_DURATION_KILOBYTES; + case IKE_ATTR_LIFE_DURATION: + return len != 2 && len != 4; + case IKE_ATTR_PRF: + return 1; + case IKE_ATTR_KEY_LENGTH: + /* + * Our crypto routines only allows key-lengths which are multiples + * of an octet. 
+ */ + return decode_16 (value) % 8 != 0; + case IKE_ATTR_FIELD_SIZE: + return 1; + case IKE_ATTR_GROUP_ORDER: + return 1; + } + } + else + { + switch (type) + { + case IPSEC_ATTR_SA_LIFE_TYPE: + return decode_16 (value) < IPSEC_DURATION_SECONDS + || decode_16 (value) > IPSEC_DURATION_KILOBYTES; + case IPSEC_ATTR_SA_LIFE_DURATION: + return len != 2 && len != 4; + case IPSEC_ATTR_GROUP_DESCRIPTION: + return decode_16 (value) < IKE_GROUP_DESC_MODP_768 + || decode_16 (value) > IKE_GROUP_DESC_MODP_1536; + case IPSEC_ATTR_ENCAPSULATION_MODE: + return decode_16 (value) < IPSEC_ENCAP_TUNNEL + || decode_16 (value) > IPSEC_ENCAP_TRANSPORT; + case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: + return decode_16 (value) < IPSEC_AUTH_HMAC_MD5 + || decode_16 (value) > IPSEC_AUTH_KPDK; + case IPSEC_ATTR_KEY_LENGTH: + /* XXX Blowfish needs '0'. Others appear to disregard this attr? */ + return 0; + case IPSEC_ATTR_KEY_ROUNDS: + return 1; + case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: + return 1; + case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: + return 1; + } + } + /* XXX Silence gcc. */ + return 1; +} + +#ifdef USE_DEBUG +/* + * Log the attribute of TYPE with a LEN length value pointed to by VALUE + * in human-readable form. VMSG is a pointer to the current message. + */ +int +ipsec_debug_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vmsg) +{ + struct message *msg = vmsg; + char val[20]; + + /* XXX Transient solution. */ + if (len == 2) + sprintf (val, "%d", decode_16 (value)); + else if (len == 4) + sprintf (val, "%d", decode_32 (value)); + else + sprintf (val, "unrepresentable"); + + LOG_DBG ((LOG_MESSAGE, 50, "Attribute %s value %s", + constant_name (msg->exchange->phase == 1 + ? ike_attr_cst : ipsec_attr_cst, type), + val)); + return 0; +} +#endif + +/* + * Decode the attribute of type TYPE with a LEN length value pointed to by + * VALUE. VIDA is a pointer to a context structure where we can find the + * current message, SA and protocol. 
+ */ +int +ipsec_decode_attribute (u_int16_t type, u_int8_t *value, u_int16_t len, + void *vida) +{ + struct ipsec_decode_arg *ida = vida; + struct message *msg = ida->msg; + struct sa *sa = ida->sa; + struct ipsec_sa *isa = sa->data; + struct proto *proto = ida->proto; + struct ipsec_proto *iproto = proto->data; + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + static int lifetype = 0; + u_int32_t doi_id = msg->exchange->doi->id; + + if (((doi_id == IPSEC_DOI_IPSEC) && (exchange->phase == 1)) || + ((doi_id == GROUP_DOI_GDOI) && (exchange->phase == 1) && + (exchange->type != GDOI_EXCH_PUSH_MODE))) + { + switch (type) + { + case IKE_ATTR_ENCRYPTION_ALGORITHM: + /* XXX Errors possible? */ + exchange->crypto = crypto_get (from_ike_crypto (decode_16 (value))); + break; + case IKE_ATTR_HASH_ALGORITHM: + /* XXX Errors possible? */ + ie->hash = hash_get (from_ike_hash (decode_16 (value))); + break; + case IKE_ATTR_AUTHENTICATION_METHOD: + /* XXX Errors possible? */ + ie->ike_auth = ike_auth_get (decode_16 (value)); + break; + case IKE_ATTR_GROUP_DESCRIPTION: + isa->group_desc = decode_16 (value); + break; + case IKE_ATTR_GROUP_TYPE: + break; + case IKE_ATTR_GROUP_PRIME: + break; + case IKE_ATTR_GROUP_GENERATOR_1: + break; + case IKE_ATTR_GROUP_GENERATOR_2: + break; + case IKE_ATTR_GROUP_CURVE_A: + break; + case IKE_ATTR_GROUP_CURVE_B: + break; + case IKE_ATTR_LIFE_TYPE: + lifetype = decode_16 (value); + return 0; + case IKE_ATTR_LIFE_DURATION: + switch (lifetype) + { + case IKE_DURATION_SECONDS: + switch (len) + { + case 2: + sa->seconds = decode_16 (value); + break; + case 4: + sa->seconds = decode_32 (value); + break; + default: + /* XXX Log. */ + break; + } + break; + case IKE_DURATION_KILOBYTES: + switch (len) + { + case 2: + sa->kilobytes = decode_16 (value); + break; + case 4: + sa->kilobytes = decode_32 (value); + break; + default: + /* XXX Log. */ + break; + } + break; + default: + /* XXX Log! 
*/ + break; + } + break; + case IKE_ATTR_PRF: + break; + case IKE_ATTR_KEY_LENGTH: + exchange->key_length = decode_16 (value) / 8; + break; + case IKE_ATTR_FIELD_SIZE: + break; + case IKE_ATTR_GROUP_ORDER: + break; + } + } + else + { + switch (type) + { + case IPSEC_ATTR_SA_LIFE_TYPE: + lifetype = decode_16 (value); + return 0; + case IPSEC_ATTR_SA_LIFE_DURATION: + switch (lifetype) + { + case IPSEC_DURATION_SECONDS: + switch (len) + { + case 2: + sa->seconds = decode_16 (value); + break; + case 4: + sa->seconds = decode_32 (value); + break; + default: + /* XXX Log. */ + break; + } + break; + case IPSEC_DURATION_KILOBYTES: + switch (len) + { + case 2: + sa->kilobytes = decode_16 (value); + break; + case 4: + sa->kilobytes = decode_32 (value); + break; + default: + /* XXX Log. */ + break; + } + break; + default: + /* XXX Log! */ + break; + } + break; + case IPSEC_ATTR_GROUP_DESCRIPTION: + isa->group_desc = decode_16 (value); + break; + case IPSEC_ATTR_ENCAPSULATION_MODE: + /* XXX Multiple protocols must have same encapsulation mode, no? */ + iproto->encap_mode = decode_16 (value); + break; + case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: + iproto->auth = decode_16 (value); + break; + case IPSEC_ATTR_KEY_LENGTH: + iproto->keylen = decode_16 (value); + break; + case IPSEC_ATTR_KEY_ROUNDS: + iproto->keyrounds = decode_16 (value); + break; + case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: + break; + case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: + break; + case IPSEC_ATTR_ADDRESS_PRESERVATION: + iproto->addr_pres = decode_16 (value); + break; + case IPSEC_ATTR_SA_DIRECTION: + iproto->sa_direction = decode_16 (value); + break; + } + } + lifetype = 0; + return 0; +} + +/* + * Walk over the attributes of the transform payload found in BUF, and + * fill out the fields of the SA attached to MSG. Also mark the SA as + * processed. 
+ */ +void +ipsec_decode_transform (struct message *msg, struct sa *sa, + struct proto *proto, u_int8_t *buf) +{ + struct ipsec_exch *ie = msg->exchange->data; + struct ipsec_decode_arg ida; + + LOG_DBG ((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen", + GET_ISAKMP_TRANSFORM_NO (buf))); + + ida.msg = msg; + ida.sa = sa; + ida.proto = proto; + + /* The default IKE lifetime is 8 hours. */ + if (sa->phase == 1) + sa->seconds = 28800; + + /* Extract the attributes and stuff them into the SA. */ + attribute_map (buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + GET_ISAKMP_GEN_LENGTH (buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + ipsec_decode_attribute, &ida); + + /* + * If no pseudo-random function was negotiated, it's HMAC. + * XXX As PRF_HMAC currently is zero, this is a no-op. + */ + if (!ie->prf_type) + ie->prf_type = PRF_HMAC; +} + +/* + * Delete the IPSec SA represented by the INCOMING direction in protocol PROTO + * of the IKE security association SA. + */ +static void +ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) +{ + if (sa->phase == 1) + return; + /* XXX Error handling? Is it interesting? */ + sysdep_ipsec_delete_spi (sa, proto, incoming); +} + +/* + * Store BUF into the g^x entry of the exchange that message MSG belongs to. + * PEER is non-zero when the value is our peer's, and zero when it is ours. + */ +static int +ipsec_g_x (struct message *msg, int peer, u_int8_t *buf) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + u_int8_t **g_x; + int initiator = exchange->initiator ^ peer; + char header[32]; + + g_x = initiator ? &ie->g_xi : &ie->g_xr; + *g_x = malloc (ie->g_x_len); + if (!*g_x) + { + log_error ("ipsec_g_x: malloc (%d) failed", ie->g_x_len); + return -1; + } + memcpy (*g_x, buf, ie->g_x_len); + snprintf (header, 32, "ipsec_g_x: g^x%c", initiator ? 'i' : 'r'); + LOG_DBG_BUF ((LOG_MISC, 80, header, *g_x, ie->g_x_len)); + return 0; +} + +/* Generate our DH value. 
*/ +int +ipsec_gen_g_x (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + u_int8_t *buf; + + buf = malloc (ISAKMP_KE_SZ + ie->g_x_len); + if (!buf) + { + log_error ("ipsec_gen_g_x: malloc (%d) failed", + ISAKMP_KE_SZ + ie->g_x_len); + return -1; + } + + if (message_add_payload (msg, ISAKMP_PAYLOAD_KEY_EXCH, buf, + ISAKMP_KE_SZ + ie->g_x_len, 1)) + { + free (buf); + return -1; + } + + if (dh_create_exchange (ie->group, buf + ISAKMP_KE_DATA_OFF)) + { + log_print ("ipsec_gen_g_x: dh_create_exchange failed"); + free (buf); + return -1; + } + return ipsec_g_x (msg, 0, buf + ISAKMP_KE_DATA_OFF); +} + +/* Save the peer's DH value. */ +int +ipsec_save_g_x (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct ipsec_exch *ie = exchange->data; + struct payload *kep; + + kep = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_KEY_EXCH]); + kep->flags |= PL_MARK; + ie->g_x_len = GET_ISAKMP_GEN_LENGTH (kep->p) - ISAKMP_KE_DATA_OFF; + + /* Check that the given length matches the group's expectancy. */ + if (ie->g_x_len != dh_getlen (ie->group)) + { + /* XXX Is this a good notify type? */ + message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + return ipsec_g_x (msg, 1, kep->p + ISAKMP_KE_DATA_OFF); +} + +/* + * Get a SPI for PROTO and the transport MSG passed over. Store the + * size where SZ points. NB! A zero return is OK if *SZ is zero. + */ +static u_int8_t * +ipsec_get_spi (size_t *sz, u_int8_t proto, struct message *msg) +{ + struct sockaddr *dst, *src; + int dstlen, srclen; + struct transport *transport = msg->transport; + + if (msg->exchange->phase == 1) + { + *sz = 0; + return 0; + } + else + { + /* We are the destination in the SA we want a SPI for. */ + transport->vtbl->get_src (transport, &dst, &dstlen); + /* The peer is the source. 
*/ + transport->vtbl->get_dst (transport, &src, &srclen); + return sysdep_ipsec_get_spi (sz, proto, src, srclen, dst, dstlen, + msg->exchange->seq); + } +} + +/* + * We have gotten a payload PAYLOAD of type TYPE, which did not get handled + * by the logic of the exchange MSG takes part in. Now is the time to deal + * with such a payload if we know how to, if we don't, return -1, otherwise + * 0. + */ +int +ipsec_handle_leftover_payload (struct message *msg, u_int8_t type, + struct payload *payload) +{ + u_int32_t spisz, nspis; + struct sockaddr *dst; + socklen_t dstlen; + int reenter = 0; + u_int8_t *spis, proto; + struct sa *sa; + + switch (type) + { + case ISAKMP_PAYLOAD_DELETE: + proto = GET_ISAKMP_DELETE_PROTO (payload->p); + nspis = GET_ISAKMP_DELETE_NSPIS (payload->p); + spisz = GET_ISAKMP_DELETE_SPI_SZ (payload->p); + + if (nspis == 0) + { + LOG_DBG ((LOG_SA, 60, "ipsec_handle_leftover_payload: message " + "specified zero SPIs, ignoring")); + return -1; + } + + /* verify proper SPI size */ + if ((proto == ISAKMP_PROTO_ISAKMP && spisz != ISAKMP_HDR_COOKIES_LEN) + || (proto != ISAKMP_PROTO_ISAKMP && spisz != sizeof (u_int32_t))) + { + log_print ("ipsec_handle_leftover_payload: " + "invalid SPI size %d for proto %d in DELETE payload", + spisz, proto); + return -1; + } + + spis = (u_int8_t *)malloc (nspis * spisz); + if (!spis) + { + log_error ("ipsec_handle_leftover_payload: malloc (%d) failed", + nspis * spisz); + return -1; + } + + /* extract SPI and get dst address */ + memcpy (spis, payload->p + ISAKMP_DELETE_SPI_OFF, nspis * spisz); + msg->transport->vtbl->get_dst (msg->transport, &dst, (int *)&dstlen); + + ipsec_delete_spi_list (dst, proto, spis, nspis, "DELETE"); + + free (spis); + payload->flags |= PL_MARK; + return 0; + + case ISAKMP_PAYLOAD_NOTIFY: + switch (GET_ISAKMP_NOTIFY_MSG_TYPE (payload->p)) + { + case IPSEC_NOTIFY_INITIAL_CONTACT: + /* + * Find out who is sending this and then delete every SA that is + * ready. 
Exchanges will timeout themselves and then the + * non-ready SAs will disappear too. + */ + msg->transport->vtbl->get_dst (msg->transport, &dst, (int *)&dstlen); + while ((sa = sa_lookup_by_peer (dst, dstlen)) != 0) + { + /* + * Don't delete the current SA -- we received the notification + * over it, so it's obviously still active. We temporarily need + * to remove the SA from the list to avoid an endless loop, + * but keep a reference so it won't disappear meanwhile. + */ + if (sa == msg->isakmp_sa) + { + sa_reference (sa); + sa_remove (sa); + reenter = 1; + continue; + } + + LOG_DBG ((LOG_SA, 30, + "ipsec_handle_leftover_payload: " + "INITIAL-CONTACT made us delete SA %p", + sa)); + sa_delete (sa, 0); + } + + if (reenter) + { + sa_enter (msg->isakmp_sa); + sa_release (msg->isakmp_sa); + } + payload->flags |= PL_MARK; + return 0; + } + } + return -1; +} + +/* Return the encryption keylength in octets of the ESP protocol PROTO. */ +int +ipsec_esp_enckeylength (struct proto *proto) +{ + struct ipsec_proto *iproto = proto->data; + + /* Compute the keylength to use. */ + switch (proto->id) + { + case IPSEC_ESP_DES: + case IPSEC_ESP_DES_IV32: + case IPSEC_ESP_DES_IV64: + return 8; + case IPSEC_ESP_3DES: + return 24; + case IPSEC_ESP_CAST: + case IPSEC_ESP_AES_CBC: + default: + return iproto->keylen / 8; + } +} + +/* Return the authentication keylength in octets of the ESP protocol PROTO. */ +int +ipsec_esp_authkeylength (struct proto *proto) +{ + struct ipsec_proto *iproto = proto->data; + + switch (iproto->auth) + { + case IPSEC_AUTH_HMAC_MD5: + return 16; + case IPSEC_AUTH_HMAC_SHA: + case IPSEC_AUTH_HMAC_RIPEMD: + return 20; + case IPSEC_AUTH_HMAC_SHA2_256: + return 32; + default: + return 0; + } +} + +/* Return the authentication keylength in octets of the AH protocol PROTO. 
*/ +int +ipsec_ah_keylength (struct proto *proto) +{ + switch (proto->id) + { + case IPSEC_AH_MD5: + return 16; + case IPSEC_AH_SHA: + case IPSEC_AH_RIPEMD: + return 20; + case IPSEC_AH_SHA2_256: + return 32; + default: + return -1; + } +} + +/* Return the total keymaterial length of the protocol PROTO. */ +int +ipsec_keymat_length (struct proto *proto) +{ + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + return ipsec_esp_enckeylength (proto) + ipsec_esp_authkeylength (proto); + case IPSEC_PROTO_IPSEC_AH: + return ipsec_ah_keylength (proto); + default: + return -1; + } +} + +/* + * Out of a named section SECTION in the configuration file find out + * the network address and mask as well as the ID type. Put the info + * in the areas pointed to by ADDR, MASK, TPROTO, PORT, and ID respectively. + * Return 0 on success and -1 on failure. + */ +int +ipsec_get_id (char *section, int *id, struct in_addr *addr, + struct in_addr *mask, u_int8_t *tproto, u_int16_t *port) +{ + char *type, *address, *netmask; + + type = conf_get_str (section, "ID-type"); + if (!type) + { + log_print ("ipsec_get_id: section %s has no \"ID-type\" tag", section); + return -1; + } + + *id = constant_value (ipsec_id_cst, type); + switch (*id) + { + case IPSEC_ID_IPV4_ADDR: + address = conf_get_str (section, "Address"); + if (!address) + { + log_print ("ipsec_get_id: section %s has no \"Address\" tag", + section); + return -1; + } + + if (!inet_aton (address, addr)) + { + log_print ("ipsec_get_id: invalid address %s in section %s", section, + address); + return -1; + } + + *tproto = conf_get_num (section, "Protocol", 0); + if (*tproto) + *port = conf_get_num (section, "Port", 0); + break; + +#ifdef notyet + case IPSEC_ID_FQDN: + return -1; + + case IPSEC_ID_USER_FQDN: + return -1; +#endif + + case IPSEC_ID_IPV4_ADDR_SUBNET: + address = conf_get_str (section, "Network"); + if (!address) + { + log_print ("ipsec_get_id: section %s has no \"Network\" tag", + section); + return -1; + } + + if 
(!inet_aton (address, addr)) + { + log_print ("ipsec_get_id: invalid section %s network %s", section, + address); + return -1; + } + + netmask = conf_get_str (section, "Netmask"); + if (!netmask) + { + log_print ("ipsec_get_id: section %s has no \"Netmask\" tag", + section); + return -1; + } + + if (!inet_aton (netmask, mask)) + { + log_print ("ipsec_id_build: invalid section %s network %s", section, + netmask); + return -1; + } + + *tproto = conf_get_num (section, "Protocol", 0); + if (*tproto) + *port = conf_get_num (section, "Port", 0); + break; + +#ifdef notyet + case IPSEC_ID_IPV6_ADDR: + return -1; + + case IPSEC_ID_IPV6_ADDR_SUBNET: + return -1; + + case IPSEC_ID_IPV4_RANGE: + return -1; + + case IPSEC_ID_IPV6_RANGE: + return -1; + + case IPSEC_ID_DER_ASN1_DN: + return -1; + + case IPSEC_ID_DER_ASN1_GN: + return -1; + + case IPSEC_ID_KEY_ID: + return -1; +#endif + } + + return 0; +} + +static void +ipsec_ipv4toa (char *buf, size_t size, u_int8_t *addr) +{ +#ifdef HAVE_GETNAMEINFO + struct sockaddr_storage from; + struct sockaddr_in *sfrom = (struct sockaddr_in *)&from; + socklen_t fromlen = sizeof from; + + memset (&from, 0, fromlen); + sfrom->sin_len = sizeof *sfrom; + sfrom->sin_family = AF_INET; + memcpy (&sfrom->sin_addr.s_addr, addr, sizeof sfrom->sin_addr.s_addr); + + if (getnameinfo ((struct sockaddr *)sfrom, sfrom->sin_len, buf, size, NULL, + 0, NI_NUMERICHOST) != 0) + { + log_print ("ipsec_ipv4toa: getnameinfo () failed"); + strcpy (buf, ""); + } +#else + strncpy (buf, inet_ntoa (*(struct in_addr *)addr), size - 1); + buf[size - 1] = '\0'; +#endif /* HAVE_GETNAMEINFO */ +} + +static void +ipsec_decode_id (u_int8_t *buf, int size, u_int8_t *id, size_t id_len, + int isakmpform) +{ + int id_type; + char ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; + + if (id) + { + if (!isakmpform) + { + /* exchanges and SA's dont carry the IDs in ISAKMP form */ + id -= ISAKMP_ID_TYPE_OFF; + id_len += ISAKMP_ID_TYPE_OFF; + } + + id_type = GET_ISAKMP_ID_TYPE (id); + switch 
(id_type) + { + case IPSEC_ID_IPV4_ADDR: + ipsec_ipv4toa (ntop, sizeof ntop, id + ISAKMP_ID_DATA_OFF); + snprintf ((char *)buf, size, "%08x: %s", + decode_32 (id + ISAKMP_ID_DATA_OFF), ntop); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + ipsec_ipv4toa (ntop, sizeof ntop, id + ISAKMP_ID_DATA_OFF); + ipsec_ipv4toa (ntop2, sizeof ntop2, id + ISAKMP_ID_DATA_OFF + 4); + snprintf ((char *)buf, size, "%08x/%08x: %s/%s", + decode_32 (id + ISAKMP_ID_DATA_OFF), + decode_32 (id + ISAKMP_ID_DATA_OFF + 4), + ntop, ntop2); + break; + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + /* String is not NUL terminated, be careful */ + id_len -= ISAKMP_ID_DATA_OFF; + id_len = MIN(id_len, size - 1); + memcpy (buf, id + ISAKMP_ID_DATA_OFF, id_len); + buf[id_len] = '\0'; + break; + /* XXX - IPV6 et al */ + default: + snprintf ((char *)buf, size, "", id_type); + break; + } + } + else + snprintf ((char *)buf, size, ""); +} + +char * +ipsec_decode_ids (char *fmt, u_int8_t *id1, size_t id1_len, + u_int8_t *id2, size_t id2_len, int isakmpform) +{ + static char result[1024]; + char s_id1[256], s_id2[256]; + + ipsec_decode_id ((u_int8_t *)s_id1, sizeof s_id1, id1, id1_len, isakmpform); + ipsec_decode_id ((u_int8_t *)s_id2, sizeof s_id2, id2, id2_len, isakmpform); + + snprintf (result, sizeof result, fmt, s_id1, s_id2); + return result; +} + +/* + * Out of a named section SECTION in the configuration file build an + * ISAKMP ID payload. Ths payload size should be stashed in SZ. + * The caller is responsible for freeing the payload. 
+ */ +u_int8_t * +ipsec_build_id (char *section, size_t *sz) +{ + struct in_addr addr, mask; + u_int8_t *p; + int id; + u_int8_t tproto = 0; + u_int16_t port = 0; + + if (ipsec_get_id (section, &id, &addr, &mask, &tproto, &port)) + return 0; + + *sz = ISAKMP_ID_SZ; + switch (id) + { + case IPSEC_ID_IPV4_ADDR: + *sz += sizeof addr; + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + *sz += sizeof addr + sizeof mask; + break; + } + + p = malloc (*sz); + if (!p) + { + log_print ("ipsec_build_id: malloc(%d) failed", *sz); + return 0; + } + + SET_ISAKMP_ID_TYPE (p, id); + SET_ISAKMP_ID_DOI_DATA (p, (u_int8_t *)"\000\000\000"); + + switch (id) + { + case IPSEC_ID_IPV4_ADDR: + encode_32 (p + ISAKMP_ID_DATA_OFF, ntohl (addr.s_addr)); + SET_IPSEC_ID_PROTO (p + ISAKMP_ID_DOI_DATA_OFF, tproto); + SET_IPSEC_ID_PORT (p + ISAKMP_ID_DOI_DATA_OFF, port); + break; + case IPSEC_ID_IPV4_ADDR_SUBNET: + encode_32 (p + ISAKMP_ID_DATA_OFF, ntohl (addr.s_addr)); + encode_32 (p + ISAKMP_ID_DATA_OFF + 4, ntohl (mask.s_addr)); + SET_IPSEC_ID_PROTO (p + ISAKMP_ID_DOI_DATA_OFF, tproto); + SET_IPSEC_ID_PORT (p + ISAKMP_ID_DOI_DATA_OFF, port); + break; + } + + return p; +} + +/* + * copy an ISAKMPD id + */ + +int +ipsec_clone_id (u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len) +{ + if (*did) + free (*did); + + if (!id_len || id == NULL) + { + *did = NULL; + *did_len = 0; + return 0; + } + + *did = malloc (id_len); + if (*did == NULL) + { + *did_len = 0; + log_error ("ipsec_clone_id: malloc(%d) failed", id_len); + return -1; + } + + *did_len = id_len; + memcpy (*did, id, id_len); + + return 0; +} + +/* + * IPSec-specific PROTO initializations. SECTION is only set if we are the + * initiator thus only usable there. + * XXX I want to fix this later. 
+ */ +void +ipsec_proto_init (struct proto *proto, char *section) +{ + struct ipsec_proto *iproto = proto->data; + + if (proto->sa->phase == 2 && section) + iproto->replay_window + = conf_get_num (section, "ReplayWindow", DEFAULT_REPLAY_WINDOW); +} + +/* + * Add a notification payload of type INITIAL CONTACT to MSG if this is + * the first contact we have made to our peer. + */ +int +ipsec_initial_contact (struct message *msg) +{ + u_int8_t *buf; + + if (ipsec_contacted (msg)) + return 0; + + buf = malloc (ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); + if (!buf) + { + log_error ("ike_phase_1_initial_contact: malloc (%d) failed", + ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); + return -1; + } + SET_ISAKMP_NOTIFY_DOI (buf, IPSEC_DOI_IPSEC); + SET_ISAKMP_NOTIFY_PROTO (buf, ISAKMP_PROTO_ISAKMP); + SET_ISAKMP_NOTIFY_SPI_SZ (buf, ISAKMP_HDR_COOKIES_LEN); + SET_ISAKMP_NOTIFY_MSG_TYPE (buf, IPSEC_NOTIFY_INITIAL_CONTACT); + memcpy (buf + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies, + ISAKMP_HDR_COOKIES_LEN); + if (message_add_payload (msg, ISAKMP_PAYLOAD_NOTIFY, buf, + ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) + { + free (buf); + return -1; + } + + return ipsec_add_contact (msg); +} + +/* + * Compare the two contacts pointed to by A and B. Return negative if + * *A < *B, 0 if they are equal, and positive if *A is the largest of them. + */ +static int +addr_cmp (const void *a, const void *b) +{ + const struct contact *x = a, *y = b; + int minlen = MIN (x->len, y->len); + int rv = memcmp (x->addr, y->addr, minlen); + + return rv ? rv : (x->len - y->len); +} + +/* + * Add the peer that MSG is bound to as an address we don't want to send + * INITIAL CONTACT too from now on. Do not call this function with a + * specific address duplicate times. We want fast lookup, speed of insertion + * is unimportant, if this is to scale. 
+ */ +static int +ipsec_add_contact (struct message *msg) +{ + struct contact *new_contacts; + struct sockaddr *dst, *addr; + socklen_t dstlen; + int cnt; + + if (contact_cnt == contact_limit) + { + cnt = contact_limit ? 2 * contact_limit : 64; + new_contacts = realloc (contacts, cnt * sizeof contacts[0]); + if (!new_contacts) + { + log_error ("ipsec_add_contact: realloc (%p, %d) failed", contacts, + cnt * sizeof contacts[0]); + return -1; + } + contact_limit = cnt; + contacts = new_contacts; + } + msg->transport->vtbl->get_dst (msg->transport, &dst, (int *)&dstlen); + addr = malloc (dstlen); + if (!addr) + { + log_error ("ipsec_add_contact: malloc (%d) failed", dstlen); + return -1; + } + memcpy (addr, dst, dstlen); + contacts[contact_cnt].addr = addr; + contacts[contact_cnt++].len = dstlen; + + /* + * XXX There are better algorithms for already mostly-sorted data like + * this, but only qsort is standard. I will someday do this inline. + */ + qsort (contacts, contact_cnt, sizeof *contacts, addr_cmp); + return 0; +} + +/* Return true if the recipient of MSG has already been contacted. */ +static int +ipsec_contacted (struct message *msg) +{ + struct contact contact; + + msg->transport->vtbl->get_dst (msg->transport, &contact.addr,(int *)&contact.len); + return contacts + ? (bsearch (&contact, contacts, contact_cnt, sizeof *contacts, addr_cmp) + != 0) + : 0; +} + +/* Add a HASH for to MSG. */ +u_int8_t * +ipsec_add_hash_payload (struct message *msg, size_t hashsize) +{ + u_int8_t *buf; + + buf = malloc (ISAKMP_HASH_SZ + hashsize); + if (!buf) + { + log_error ("ipsec_add_hash_payload: malloc (%d) failed", + ISAKMP_HASH_SZ + hashsize); + return 0; + } + + if (message_add_payload (msg, ISAKMP_PAYLOAD_HASH, buf, + ISAKMP_HASH_SZ + hashsize, 1)) + { + free (buf); + return 0; + } + + return buf; +} + +/* Fill in the HASH payload of MSG. 
*/ +int +ipsec_fill_in_hash (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + struct sa *isakmp_sa = msg->isakmp_sa; + struct ipsec_sa *isa = isakmp_sa->data; + struct hash *hash = hash_get (isa->hash); + struct prf *prf; + struct payload *payload; + u_int8_t *buf; + int i; + char header[80]; + + /* If no SKEYID_a, we need not do anything. */ + if (!isa->skeyid_a) { + log_print ("ipsec_fill_in_hash: aborting -- no skeyid_a"); + return 0; + } + + payload = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]); + if (!payload) + { + log_print ("ipsec_fill_in_hash: no HASH payload found"); + return -1; + } + buf = payload->p; + + /* Allocate the prf and start calculating our HASH(1). */ + LOG_DBG_BUF ((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", isa->skeyid_a, + isa->skeyid_len)); + prf = prf_alloc (isa->prf_type, hash->type, (char *)isa->skeyid_a, + isa->skeyid_len); + if (!prf) + return -1; + + prf->Init (prf->prfctx); + LOG_DBG_BUF ((LOG_MISC, 90, "ipsec_fill_in_hash: message_id", + exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); + prf->Update (prf->prfctx, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); + + /* Loop over all payloads after HASH(1). */ + for (i = 2; i < msg->iovlen; i++) + { + /* XXX Misleading payload type printouts. */ + snprintf (header, 80, "ipsec_fill_in_hash: payload %d after HASH(1)", + i - 1); + LOG_DBG_BUF ((LOG_MISC, 90, header, msg->iov[i].iov_base, + msg->iov[i].iov_len)); + prf->Update (prf->prfctx, msg->iov[i].iov_base, msg->iov[i].iov_len); + } + prf->Final (buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); + prf_free (prf); + LOG_DBG_BUF ((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", + buf + ISAKMP_HASH_DATA_OFF, hash->hashsize)); + + return 0; +} + +/* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. 
*/ +static int +ipsec_informational_pre_hook (struct message *msg) +{ + struct sa *isakmp_sa = msg->isakmp_sa; + struct ipsec_sa *isa; + struct hash *hash; + + if (!isakmp_sa) + return 0; + isa = isakmp_sa->data; + hash = hash_get (isa->hash); + return ipsec_add_hash_payload (msg, hash->hashsize) == 0; +} + +/* + * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by. + */ +static int +ipsec_informational_post_hook (struct message *msg) +{ + if (!msg->isakmp_sa) + return 0; + return ipsec_fill_in_hash (msg); +} + +ssize_t +ipsec_id_size (char *section, u_int8_t *id) +{ + char *type, *data; + + type = conf_get_str (section, "ID-type"); + if (!type) + { + log_print ("ipsec_id_size: section %s has no \"ID-type\" tag", section); + return -1; + } + + *id = constant_value (ipsec_id_cst, type); + switch (*id) + { + case IPSEC_ID_IPV4_ADDR: + return sizeof (in_addr_t); + case IPSEC_ID_IPV4_ADDR_SUBNET: + return 2 * sizeof (in_addr_t); + case IPSEC_ID_FQDN: + case IPSEC_ID_USER_FQDN: + case IPSEC_ID_KEY_ID: + data = conf_get_str (section, "Name"); + if (!data) + { + log_print ("ipsec_id_size: section %s has no \"Name\" tag", section); + return -1; + } + return strlen (data); + } + log_print ("ipsec_id_size: unrecognized ID-type %d (%s)", *id, type); + return -1; +} diff --git a/src/ipsec.h b/src/ipsec.h new file mode 100644 index 0000000..5a2b48a --- /dev/null +++ b/src/ipsec.h 
@@ -0,0 +1,280 @@
+/* $Id: ipsec.h,v 1.4.2.1 2011/10/18 03:26:56 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ipsec.h,v $ */
+
+/* $OpenBSD: ipsec.h,v 1.15 2000/12/12 01:44:59 niklas Exp $ */
+/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _IPSEC_H_
+#define _IPSEC_H_
+
+#include
+
+#include "ipsec_doi.h"
+
+/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
+#define IPSEC_PORT_ANY 0
+#define IPSEC_ULPROTO_ANY 255
+#define IPSEC_PROTO_ANY 255
+
+/* mode of security protocol */
+ /* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
+#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
+#define IPSEC_MODE_TRANSPORT 1
+#define IPSEC_MODE_TUNNEL 2
+#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
+
+/*
+ * Direction of security policy.
+ * NOTE: Since INVALID is used just as flag.
+ * The other are used for loop counter too.
+ */
+#define IPSEC_DIR_ANY 0
+#define IPSEC_DIR_INBOUND 1
+#define IPSEC_DIR_OUTBOUND 2
+#define IPSEC_DIR_MAX 3
+#define IPSEC_DIR_INVALID 4
+
+/* Policy level */
+ /*
+ * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
+ * DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
+ * DISCARD and NONE are allowed for system default.
+ */
+#define IPSEC_POLICY_DISCARD 0 /* discard the packet */
+#define IPSEC_POLICY_NONE 1 /* bypass IPsec engine */
+#define IPSEC_POLICY_IPSEC 2 /* pass to IPsec */
+#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
+#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
+#define IPSEC_POLICY_TCP 5 /* TCP MD5 policy */
+
+#ifdef LINUX_PFKEY
+/* Security protocol level */
+#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
+#define IPSEC_LEVEL_USE 1 /* use SA if present. */
+#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
+#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
+#endif
+
+
+struct group;
+struct hash;
+struct ike_auth;
+struct message;
+struct proto;
+struct sa;
+
+/*
+ * IPSEC-specific data to be linked into the exchange struct.
+ * XXX Should probably be two different structs, one for phase 1 and one
+ * for phase 2 parameters.
+ */
+struct ipsec_exch {
+ u_int flags;
+ struct hash *hash;
+ struct ike_auth *ike_auth;
+ struct group *group;
+ u_int16_t prf_type;
+ u_int8_t pfs; /* 0 if no KEY_EXCH was proposed, 1 otherwise */
+
+ /*
+ * A copy of the initiator SA payload body for later computation of hashes.
+ * Phase 1 only.
+ */
+ size_t sa_i_b_len;
+ u_int8_t *sa_i_b;
+
+ /* Diffie-Hellman values. */
+ size_t g_x_len;
+ u_int8_t *g_xi;
+ u_int8_t *g_xr;
+ u_int8_t* g_xy;
+
+ /* SKEYIDs. XXX Phase 1 only? */
+ size_t skeyid_len;
+ u_int8_t *skeyid;
+ u_int8_t *skeyid_d;
+ u_int8_t *skeyid_a;
+ u_int8_t *skeyid_e;
+
+ /* HASH_I & HASH_R. XXX Do these need to be saved here? */
+ u_int8_t *hash_i;
+ u_int8_t *hash_r;
+
+ /* KEYMAT */
+ size_t keymat_len;
+
+ /* Phase 2. */
+ u_int8_t *id_ci;
+ size_t id_ci_sz;
+ u_int8_t *id_cr;
+ size_t id_cr_sz;
+};
+
+#define IPSEC_EXCH_FLAG_NO_ID 1
+
+struct ipsec_sa {
+ /* Phase 1. */
+ u_int8_t hash;
+ size_t skeyid_len;
+ u_int8_t *skeyid_d;
+ u_int8_t *skeyid_a;
+ u_int16_t prf_type;
+
+ /* Phase 2. */
+ u_int16_t group_desc;
+
+ /* Tunnel parameters. These are in network byte order. */
+ in_addr_t src_net;
+ in_addr_t src_mask;
+ in_addr_t dst_net;
+ in_addr_t dst_mask;
+ u_int8_t tproto;
+ u_int16_t sport;
+ u_int16_t dport;
+};
+
+struct ipsec_proto {
+ /* Phase 2. */
+ u_int16_t encap_mode;
+ u_int16_t auth;
+ u_int16_t keylen;
+ u_int16_t keyrounds;
+ u_int16_t addr_pres;
+ u_int16_t sa_direction;
+
+ /* This is not negotiated, but rather configured. */
+ int32_t replay_window;
+
+ /* KEYMAT */
+ u_int8_t *keymat[2];
+};
+
+struct ipsec_decode_arg {
+ struct message *msg;
+ struct sa *sa;
+ struct proto *proto;
+};
+
+extern u_int8_t *ipsec_add_hash_payload (struct message *msg, size_t);
+extern int ipsec_ah_keylength (struct proto *);
+extern u_int8_t *ipsec_build_id (char *, size_t *);
+extern int ipsec_decode_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
+extern void ipsec_decode_transform (struct message *, struct sa *,
+ struct proto *, u_int8_t *);
+extern int ipsec_esp_authkeylength (struct proto *);
+extern int ipsec_esp_enckeylength (struct proto *);
+extern int ipsec_fill_in_hash (struct message *msg);
+extern int ipsec_gen_g_x (struct message *);
+extern int ipsec_get_id (char *, int *, struct in_addr *, struct in_addr *,
+ u_int8_t *, u_int16_t *);
+extern ssize_t ipsec_id_size (char *, u_int8_t *);
+extern void ipsec_init (void);
+extern int ipsec_initial_contact (struct message *msg);
+extern int ipsec_is_attribute_incompatible (u_int16_t, u_int8_t *, u_int16_t,
+ void *);
+extern int ipsec_keymat_length (struct proto *);
+extern int ipsec_save_g_x (struct message *);
+extern struct sa *ipsec_sa_lookup (in_addr_t, u_int32_t, u_int8_t);
+extern void ipsec_set_network (u_int8_t *, u_int8_t *, struct ipsec_sa *);
+extern int ipsec_sa_check_flow (struct sa *sa, void *v_arg);
+
+
+extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, size_t,
+ int);
+extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t);
+
+#endif /* _IPSEC_H_ */
diff --git a/src/ipsec_doi.h b/src/ipsec_doi.h
new file mode 100644
index 0000000..9b44ee1
--- /dev/null
+++ b/src/ipsec_doi.h
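Review bot: The prototype `extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, size_t, int);` near the end of src/ipsec.h gives callers no hint that its first argument is consumed as a printf format or that the result is a shared static buffer. The definition in src/ipsec.c, earlier in this patch, does `snprintf (result, sizeof result, fmt, s_id1, s_id2)` into `static char result[1024]`, so the format has to be a fixed string with exactly two `%s` conversions, never text derived from a peer, and a second call overwrites the first result. I would name the parameter `const char *fmt` (the definition would need the same change) and add above the prototype `/* FMT must be a trusted literal with two %s; returns a static buffer overwritten by the next call. */`.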
@@ -0,0 +1,52 @@
+/* $Id: ipsec_doi.h,v 1.3 2011/02/04 03:50:38 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ipsec_doi.h,v $ */
+
+/* $OpenBSD: ipsec_doi.h,v 1.5 1999/04/19 19:54:54 niklas Exp $ */
+/* $EOM: ipsec_doi.h,v 1.10 1999/04/02 00:57:51 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _IPSEC_DOI_H_
+#define _IPSEC_DOI_H_
+
+#include "ipsec_fld.h"
+#include "ipsec_num.h"
+
+/* The SPI size of all IPSEC protocols. XXX Correct? */
+#define IPSEC_SPI_SIZE 4
+
+/* The low limit of valid SPI values. */
+#define IPSEC_SPI_LOW 0x100
+
+#endif /* _IPSEC_DOI_H_ */
diff --git a/src/ipsec_fld.fld b/src/ipsec_fld.fld
new file mode 100644
index 0000000..0575e3b
--- /dev/null
+++ b/src/ipsec_fld.fld
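Review bot: `IPSEC_SPI_SIZE` in src/ipsec_doi.h is imported with an unresolved `XXX Correct?` and a comment claiming it holds for all IPSEC protocols, so a reader cannot tell whether length validation may rely on it. AH and ESP carry a 32-bit SPI, while the IPCOMP CPI is 16 bits, so the comment would be more accurate as `/* SPI size in octets for AH and ESP; an IPCOMP CPI is shorter. */`. The DELETE handling in src/ipsec.c, earlier in this patch, checks the received SPI size against `sizeof (u_int32_t)` rather than this constant. Using the single name in both places would keep that check and the definition from drifting apart.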
@@ -0,0 +1,68 @@ +# $Id: ipsec_fld.fld,v 1.2 2002/05/10 04:25:15 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ipsec_fld.fld,v $ + +# $OpenBSD: ipsec_fld.fld,v 1.3 1998/11/17 11:10:14 niklas Exp $ +# $EOM: ipsec_fld.fld,v 1.1 1998/08/02 20:12:02 niklas Exp $ + +# +# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Ericsson Radio Systems. +# 4. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +# +# This code was written under funding by Ericsson Radio Systems. 
+# + +# XXX There are num-declared fields below that really are csts. + +# IPSEC's situation field's subdivision. +IPSEC_SIT + SIT mask 4 ipsec_sit_cst + LABELED_DOMAIN_ID num 4 + SECRECY_LENGTH num 2 + RESERVED_1 ign 2 +# The following fields' offsets need the secrecy length added + 32bit +# alignment. + SECRECY_CAT_LENGTH num 2 + RESERVED_2 ign 2 +# The following fields' offsets need the secrecy cat length added + 32bit +# alignment on top of the aforementioned offset. + INTEGRITY_LENGTH num 2 + RESERVED_3 ign 2 +# The following fields' offsets need the integrity length added + 32bit +# alignment on top of the aforementioned offset. + INTEGRITY_CAT_LENGTH num 2 + RESERVED_4 ign 2 +# The IPSEC_SIT record's length need the integrity cat length added + 32bit +# alignment on top of the aforementioned offset. +. + +# IPSEC's layout of the identification payload's DOI data field. +IPSEC_ID + PROTO num 1 + PORT num 2 +. diff --git a/src/ipsec_num.cst b/src/ipsec_num.cst new file mode 100644 index 0000000..a3d7392 --- /dev/null +++ b/src/ipsec_num.cst 
@@ -0,0 +1,342 @@
+# $Id: ipsec_num.cst,v 1.7.2.3 2011/12/12 20:43:48 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ipsec_num.cst,v $
+
+# $OpenBSD: ipsec_num.cst,v 1.7 2000/10/16 23:27:55 niklas Exp $
+# $EOM: ipsec_num.cst,v 1.5 2000/10/13 17:56:52 angelos Exp $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+
+#
+# Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# IPSEC DOI Identifier.
+IPSEC_DOI
+ IPSEC 1
+.
+
+# IPSEC SA attributes
+IPSEC_ATTR
+ SA_LIFE_TYPE 1
+ SA_LIFE_DURATION 2
+ GROUP_DESCRIPTION 3
+ ENCAPSULATION_MODE 4
+ AUTHENTICATION_ALGORITHM 5
+ KEY_LENGTH 6
+ KEY_ROUNDS 7
+ COMPRESS_DICTIONARY_SIZE 8
+ COMPRESS_PRIVATE_ALGORITHM 9
+ ECN_TUNNEL 10
+ EXTENDED_SEQ_NUMBER 11
+ AUTHENTICATION_KEY_LENGTH 12
+ SIGNATURE_ENCODING 13
+ ADDRESS_PRESERVATION 14
+ SA_DIRECTION 15
+.
+
+# IPSEC SA duration.
+IPSEC_DURATION
+ SECONDS 1
+ KILOBYTES 2
+.
+
+# IPSEC encapsulation mode.
+IPSEC_ENCAP
+ TUNNEL 1
+ TRANSPORT 2
+.
+
+# IPSEC authentication algorithm.
+IPSEC_AUTH
+ NONE 0
+ HMAC_MD5 1
+ HMAC_SHA 2
+ DES_MAC 3
+ KPDK 4
+ HMAC_SHA2_256 5
+ HMAC_SHA2_384 6
+ HMAC_SHA2_512 7
+ HMAC_RIPEMD 8
+.
+
+# IPSEC address preservation
+
+IPSEC_ADDR_PRES
+ NONE 1
+ SOURCE_ONLY 2
+ DESTINATION_ONLY 3
+ SOURCE_AND_DEST 4
+.
+
+IPSEC_SA_DIRECTION
+ SENDER_ONLY 1
+ RECEIVER_ONLY 2
+ SYMMETRIC 3
+.
+
+# IPSEC ID types.
+IPSEC_ID
+ IPV4_ADDR 1
+ FQDN 2
+ USER_FQDN 3
+ IPV4_ADDR_SUBNET 4
+ IPV6_ADDR 5
+ IPV6_ADDR_SUBNET 6
+ IPV4_RANGE 7
+ IPV6_RANGE 8
+ DER_ASN1_DN 9
+ DER_ASN1_GN 10
+ KEY_ID 11
+ IEC90_5 161
+.
+
+# IKE SA attributes
+IKE_ATTR
+ ENCRYPTION_ALGORITHM 1 ike_encrypt_cst
+ HASH_ALGORITHM 2 ike_hash_cst
+ AUTHENTICATION_METHOD 3 ike_auth_cst
+ GROUP_DESCRIPTION 4 ike_group_desc_cst
+ GROUP_TYPE 5 ike_group_cst
+ GROUP_PRIME 6
+ GROUP_GENERATOR_1 7
+ GROUP_GENERATOR_2 8
+ GROUP_CURVE_A 9
+ GROUP_CURVE_B 10
+ LIFE_TYPE 11 ike_duration_cst
+ LIFE_DURATION 12
+ PRF 13 ike_prf_cst
+ KEY_LENGTH 14
+ FIELD_SIZE 15
+ GROUP_ORDER 16
+.
+
+# XXX Fill in reserved ranges for the attributes below.
+
+# IKE encryption algorithm.
+IKE_ENCRYPT
+ DES_CBC 1
+ IDEA_CBC 2
+ BLOWFISH_CBC 3
+ RC5_R16_B64_CBC 4
+ 3DES_CBC 5
+ CAST_CBC 6
+ AES_CBC 7
+.
+
+# IKE hash algorithm.
+IKE_HASH
+ MD5 1
+ SHA 2
+ TIGER 3
+ SHA2_256 4
+ SHA2_384 5
+ SHA2_512 6
+.
+
+# IKE authentication method.
+IKE_AUTH
+ PRE_SHARED 1
+ DSS 2
+ RSA_SIG 3
+ RSA_ENC 4
+ RSA_ENC_REV 5
+.
+
+# IKE group description.
+IKE_GROUP_DESC
+ MODP_768 1
+ MODP_1024 2
+ EC2N_155 3
+ EC2N_185 4
+ MODP_1536 5
+.
+
+# IKE Group type.
+IKE_GROUP
+ MODP 1
+ ECP 2
+ EC2N 3
+.
+
+# IKE SA duration.
+IKE_DURATION
+ SECONDS 1
+ KILOBYTES 2
+.
+
+# IKE Pseudo random function. No defined so far.
+IKE_PRF
+.
+
+# IPSEC Situation bits.
+IPSEC_SIT
+ IDENTITY_ONLY 1
+ SECRECY 2
+ INTEGRITY 4
+.
+
+# IPSEC security protocol IDs.
+# NOTE: Protocol ids of >= 100 are not registered
+# values, but are assigned here only for the
+# purpose of carrying state about non-IPSec
+# protocols within gdoid code modules.
+IPSEC_PROTO
+ IPSEC_AH 2
+ IPSEC_ESP 3
+ IPCOMP 4
+ SRTP 100
+ IEC90_5 101
+.
+
+# IPSEC ISAKMP transform IDs.
+IPSEC_TRANSFORM
+ KEY_IKE 1
+.
+
+# IPSEC AH transform IDs.
+IPSEC_AH
+ MD5 2
+ SHA 3
+ DES 4
+ SHA2_256 5
+ SHA2_384 6
+ SHA2_512 7
+ RIPEMD 8
+ AES_XCBC_MAC 9
+ RSA 10
+ AES_128_GMAC 11
+ AES_192_GMAC 12
+ AES_256_GMAC 13
+.
+
+# IPSEC ESP transform IDs.
+IPSEC_ESP
+ DES_IV64 1
+ DES 2
+ 3DES 3
+ RC5 4
+ IDEA 5
+ CAST 6
+ BLOWFISH 7
+ 3IDEA 8
+ DES_IV32 9
+ RC4 10
+ NULL 11
+ AES_CBC 12
+ AES_CTR 13
+ AES_CCM_8 14
+ AES_CCM_12 15
+ AES_CCM_16 16
+ Unassigned 17
+ AES_GCM_8 18
+ AES_GCM_12 19
+ AES_GCM_16 20
+ AES_SEED_CBC 21
+ AES_CAMELLIA 22
+ AES_NULL_AUTH_AES_GMAC 23
+.
+
+# IPSEC IPCOMP transform IDs
+IPSEC_IPCOMP
+ OUI 1
+ DEFLATE 2
+ LZS 3
+ V42BIS 4
+.
+
+# IPSEC notify message types.
+IPSEC_NOTIFY
+ RESPONDER_LIFETIME 24576
+ REPLAY_STATUS 24577
+ INITIAL_CONTACT 24578
+.
+
+# IKE exchange types.
+IKE_EXCH
+ QUICK_MODE_OR_GDOI_REGISTRATION 32
+ NEW_GROUP_MODE_OR_GDOI_REKEY 33
+.
diff --git a/src/isakmp.h b/src/isakmp.h
new file mode 100644
index 0000000..f3245b7
--- /dev/null
+++ b/src/isakmp.h
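Review bot: In IPSEC_ESP the entries `AES_SEED_CBC 21` and `AES_CAMELLIA 22` name ciphers that are not AES; the IANA ESP transform registry lists these values as ESP_SEED_CBC and ESP_CAMELLIA, and 23 as ESP_NULL_AUTH_AES_GMAC. Names from this table presumably end up in generated constants and log output, where an `AES_` prefix would mislead someone auditing which cipher a group actually negotiated. I would rename the three entries to `SEED_CBC 21`, `CAMELLIA 22` and `NULL_AUTH_AES_GMAC 23`, after checking for users of the generated names elsewhere in the tree.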
@@ -0,0 +1,67 @@
+/* $Id: isakmp.h,v 1.3 2003/07/25 04:06:08 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmp.h,v $ */
+
+/* $OpenBSD: isakmp.h,v 1.4 2000/08/03 07:24:05 niklas Exp $ */
+/* $EOM: isakmp.h,v 1.11 2000/07/05 10:48:43 ho Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _ISAKMP_H_
+#define _ISAKMP_H_
+
+#include "isakmp_fld.h"
+#include "isakmp_num.h"
+
+/* ISAKMP default transport */
+#define ISAKMP_DEFAULT_TRANSPORT "udp"
+
+/* IANA assigned port for GDOI */
+#define UDP_DEFAULT_PORT 848
+
+/* ISAKMP header extras defines */
+#define ISAKMP_HDR_COOKIES_OFF ISAKMP_HDR_ICOOKIE_OFF
+#define ISAKMP_HDR_COOKIES_LEN (ISAKMP_HDR_ICOOKIE_LEN \
+ + ISAKMP_HDR_ICOOKIE_LEN)
+
+/* ISAKMP attribute utilitiy macros. */
+#define ISAKMP_ATTR_FORMAT(x) ((x) >> 15)
+#define ISAKMP_ATTR_TYPE(x) ((x) & 0x7fff)
+#define ISAKMP_ATTR_MAKE(fmt, type) (((fmt) << 15) | (type))
+
+/* Version number handling. */
+#define ISAKMP_VERSION_MAJOR(x) ((x) >> 4)
+#define ISAKMP_VERSION_MINOR(x) ((x) & 0xf)
+#define ISAKMP_VERSION_MAKE(maj, min) ((maj) << 4 | (min))
+
+#endif /* _ISAKMP_H_ */
diff --git a/src/isakmp_doi.c b/src/isakmp_doi.c
new file mode 100644
index 0000000..a2cc551
--- /dev/null
+++ b/src/isakmp_doi.c
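Review bot: `ISAKMP_HDR_COOKIES_LEN` adds `ISAKMP_HDR_ICOOKIE_LEN` to itself instead of adding the responder cookie length. The value comes out right only because isakmp_fld.fld in this same patch declares ICOOKIE and RCOOKIE as 8 bytes each, so the macro stops describing the header layout as soon as either field changes. Assuming the field generator emits an RCOOKIE length the same way it emits the ICOOKIE one, the second operand should be `ISAKMP_HDR_RCOOKIE_LEN`.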
@@ -0,0 +1,273 @@
+/* $Id: isakmp_doi.c,v 1.3 2002/07/26 22:58:10 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmp_doi.c,v $ */
+
+/* $OpenBSD: isakmp_doi.c,v 1.11 2000/10/07 06:59:24 niklas Exp $ */
+/* $EOM: isakmp_doi.c,v 1.42 2000/09/12 16:29:41 ho Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/*
+ * XXX This DOI is very fuzzily defined, and should perhaps be short-circuited
+ * to the IPSEC DOI instead. At the moment I will have it as its own DOI,
+ * as the ISAKMP architecture seems to imply it should be done like this.
+ */
+
+#include
+
+#include "sysdep.h"
+
+#include "doi.h"
+#include "exchange.h"
+#include "isakmp.h"
+#include "ipsec.h"
+#include "log.h"
+#include "message.h"
+#include "sa.h"
+#include "util.h"
+
+#ifdef USE_DEBUG
+static int isakmp_debug_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
+#endif
+static void isakmp_finalize_exchange (struct message *);
+static struct keystate *isakmp_get_keystate (struct message *);
+static int isakmp_initiator (struct message *);
+static int isakmp_responder (struct message *);
+static void isakmp_setup_situation (u_int8_t *);
+static size_t isakmp_situation_size (void);
+static u_int8_t isakmp_spi_size (u_int8_t);
+static int isakmp_validate_attribute (u_int16_t, u_int8_t *, u_int16_t,
+ void *);
+static int isakmp_validate_exchange (u_int8_t);
+static int isakmp_validate_id_information (u_int8_t, u_int8_t *, u_int8_t *,
+ size_t, struct exchange *);
+static int isakmp_validate_key_information (u_int8_t *, size_t);
+static int isakmp_validate_notification (u_int16_t);
+static int isakmp_validate_proto (u_int8_t);
+static int isakmp_validate_situation (u_int8_t *, size_t *);
+static int isakmp_validate_transform_id (u_int8_t, u_int8_t);
+
+static struct doi isakmp_doi = {
+ { 0 }, ISAKMP_DOI_ISAKMP, 0, 0, 0,
+#ifdef USE_DEBUG
+ isakmp_debug_attribute,
+#endif
+ 0, /* delete_spi not needed. */
+ 0, /* exchange_script not needed. */
+ isakmp_finalize_exchange,
+ 0, /* free_exchange_data not needed. */
+ 0, /* free_proto_data not needed. */
+ 0, /* free_sa_data not needed. */
+ isakmp_get_keystate,
+ 0, /* get_spi not needed. */
+ 0, /* handle_leftover_payload not needed. */
+ 0, /* informational_post_hook not needed. */
+ 0, /* informational_pre_hook not needed. */
+ 0, /* XXX need maybe be filled-in. */
+ 0, /* proto_init not needed. */
+ isakmp_setup_situation,
+ isakmp_situation_size,
+ isakmp_spi_size,
+ isakmp_validate_attribute,
+ isakmp_validate_exchange,
+ isakmp_validate_id_information,
+ isakmp_validate_key_information,
+ isakmp_validate_notification,
+ isakmp_validate_proto,
+ isakmp_validate_situation,
+ isakmp_validate_transform_id,
+ isakmp_initiator,
+ isakmp_responder,
+#ifdef USE_DEBUG
+ ipsec_decode_ids,
+#else
+ 0,
+#endif
+ 0
+};
+
+/* Requires doi_init to already have been called. */
+void
+isakmp_doi_init ()
+{
+ doi_register (&isakmp_doi);
+}
+
+#ifdef USE_DEBUG
+int
+isakmp_debug_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
+{
+ /* XXX Not implemented yet. */
+ return 0;
+}
+#endif /* USE_DEBUG */
+
+static void
+isakmp_finalize_exchange (struct message *msg)
+{
+}
+
+static struct keystate *
+isakmp_get_keystate (struct message *msg)
+{
+ return 0;
+}
+
+static void
+isakmp_setup_situation (u_int8_t *buf)
+{
+ /* Nothing to do. */
+}
+
+static size_t
+isakmp_situation_size (void)
+{
+ return 0;
+}
+
+static u_int8_t
+isakmp_spi_size (u_int8_t proto)
+{
+ /* One way to specify ISAKMP SPIs is to say they're zero-sized. */
+ return 0;
+}
+
+static int
+isakmp_validate_attribute (u_int16_t type, u_int8_t *value, u_int16_t len,
+ void *vmsg)
+{
+ /* XXX Not implemented yet. */
+ return -1;
+}
+
+static int
+isakmp_validate_exchange (u_int8_t exch)
+{
+ /* If we get here the exchange is invalid. */
+ return -1;
+}
+
+static int
+isakmp_validate_id_information (u_int8_t type, u_int8_t *extra, u_int8_t *buf,
+ size_t sz, struct exchange *exchange)
+{
+ return zero_test (extra, ISAKMP_ID_DOI_DATA_LEN);
+}
+
+static int
+isakmp_validate_key_information (u_int8_t *buf, size_t sz)
+{
+ /* Nothing to do. */
+ return 0;
+}
+
+static int
+isakmp_validate_notification (u_int16_t type)
+{
+ /* If we get here the message type is invalid. */
+ return -1;
+}
+
+static int
+isakmp_validate_proto (u_int8_t proto)
+{
+ /* If we get here the protocol is invalid. */
+ return -1;
+}
+
+static int
+isakmp_validate_situation (u_int8_t *buf, size_t *sz)
+{
+ /* There are no situations in the ISAKMP DOI. */
+ *sz = 0;
+ return 0;
+}
+
+static int
+isakmp_validate_transform_id (u_int8_t proto, u_int8_t transform_id)
+{
+ /* XXX Not yet implemented. */
+ return -1;
+}
+
+static int
+isakmp_initiator (struct message *msg)
+{
+ if (msg->exchange->type != ISAKMP_EXCH_INFO)
+ {
+ log_print ("isakmp_initiator: unsupported exchange type %d in phase %d",
+ msg->exchange->type, msg->exchange->phase);
+ return -1;
+ }
+
+ return message_send_info (msg);
+}
+
+static int
+isakmp_responder (struct message *msg)
+{
+ struct payload *p;
+
+ switch (msg->exchange->type)
+ {
+ case ISAKMP_EXCH_INFO:
+ for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); p;
+ p = TAILQ_NEXT (p, link))
+ {
+ LOG_DBG ((LOG_EXCHANGE, 10,
+ "isakmp_responder: got NOTIFY of type %s, ignoring",
+ constant_lookup (isakmp_notify_cst,
+ GET_ISAKMP_NOTIFY_MSG_TYPE (p->p))));
+ p->flags |= PL_MARK;
+ }
+
+ for (p = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_DELETE]); p;
+ p = TAILQ_NEXT (p, link))
+ {
+ LOG_DBG ((LOG_EXCHANGE, 10,
+ "isakmp_responder: got DELETE, ignoring"));
+ p->flags |= PL_MARK;
+ }
+ return 0;
+
+ default:
+ /* XXX So far we don't accept any proposals. */
+ if (TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_SA]))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
+ return -1;
+ }
+ }
+ return 0;
+}
diff --git a/src/isakmp_doi.h b/src/isakmp_doi.h
new file mode 100644
index 0000000..6acd3cd
--- /dev/null
+++ b/src/isakmp_doi.h
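Review bot: In isakmp_responder, the NOTIFY loop hands the result of `constant_lookup (isakmp_notify_cst, GET_ISAKMP_NOTIFY_MSG_TYPE (p->p))` straight to a `%s` conversion, and that message type is read from the received payload. constant_lookup is defined outside this hunk; if it returns a null pointer for a value missing from the table, an unassigned type in a received NOTIFY reaches undefined behaviour inside the debug log call. I would bind the result to a local first, `const char *name = constant_lookup (isakmp_notify_cst, GET_ISAKMP_NOTIFY_MSG_TYPE (p->p));`, and pass `name ? name : "<unknown>"` as the `%s` argument.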
@@ -0,0 +1,45 @@
+/* $Id: isakmp_doi.h,v 1.2 2002/05/10 04:25:15 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmp_doi.h,v $ */
+
+/* $OpenBSD: isakmp_doi.h,v 1.3 1998/11/17 11:10:14 niklas Exp $ */
+/* $EOM: isakmp_doi.h,v 1.1 1998/07/07 23:20:29 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _ISAKMP_DOI_H_
+#define _ISAKMP_DOI_H_
+
+extern void isakmp_doi_init (void);
+
+#endif /* _ISAKMP_DOI_H_ */
diff --git a/src/isakmp_fld.fld b/src/isakmp_fld.fld
new file mode 100644
index 0000000..1a8ec88
--- /dev/null
+++ b/src/isakmp_fld.fld
@@ -0,0 +1,152 @@ +# $Id: isakmp_fld.fld,v 1.4 2005/10/11 17:57:38 bew Exp $ +# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmp_fld.fld,v $ + +# $OpenBSD: isakmp_fld.fld,v 1.5 1999/04/27 21:14:30 niklas Exp $ +# $EOM: isakmp_fld.fld,v 1.5 1999/04/25 13:38:22 niklas Exp $ + +# +# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Ericsson Radio Systems. +# 4. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +# +# This code was written under funding by Ericsson Radio Systems. 
+# + +# XXX There are num-declared fields below that really are csts. + +# The ISAKMP message header. +ISAKMP_HDR +# XXX I want a way to specify COOKIES as an overlay of ICOOKIE + RCOOKIE + ICOOKIE raw 8 + RCOOKIE raw 8 + NEXT_PAYLOAD cst 1 isakmp_payload_cst + VERSION num 1 + EXCH_TYPE cst 1 ike_exch_cst,isakmp_exch_cst + FLAGS mask 1 isakmp_flags_cst + MESSAGE_ID raw 4 + LENGTH num 4 +. + +# Generic payload header. +ISAKMP_GEN + NEXT_PAYLOAD cst 1 isakmp_payload_cst + RESERVED ign 1 + LENGTH num 2 +. + +# ISAKMP data attributes +ISAKMP_ATTR + TYPE num 2 ike_attr_cst,ipsec_attr_cst + LENGTH_VALUE num 2 + VALUE raw +. + +# Security association payload. +ISAKMP_SA : ISAKMP_GEN + DOI num 4 isakmp_doi_cst,ipsec_doi_cst + SIT raw +. + +# Proposal payload. +ISAKMP_PROP : ISAKMP_GEN + NO num 1 + PROTO cst 1 isakmp_proto_cst,ipsec_proto_cst + SPI_SZ num 1 + NTRANSFORMS num 1 + SPI raw +. + +# Transform payload. +ISAKMP_TRANSFORM : ISAKMP_GEN + NO num 1 + ID num 1 + RESERVED ign 2 + SA_ATTRS raw +. + +# Key exchange payload. +ISAKMP_KE : ISAKMP_GEN + DATA raw +. + +# Identification payload. +ISAKMP_ID : ISAKMP_GEN + TYPE num 1 + DOI_DATA raw 3 + DATA raw +. + +# Certificate payload. +ISAKMP_CERT : ISAKMP_GEN + ENCODING cst 1 isakmp_certenc_cst + DATA raw +. + +# Certificate request payload. +ISAKMP_CERTREQ : ISAKMP_GEN + TYPE cst 1 isakmp_certenc_cst + AUTHORITY raw +. + +# Hash payload. +ISAKMP_HASH : ISAKMP_GEN + DATA raw +. + +# Signature payload. +ISAKMP_SIG : ISAKMP_GEN + DATA raw +. + +# Nonce payload. +ISAKMP_NONCE : ISAKMP_GEN + DATA raw +. + +# Notify payload. +ISAKMP_NOTIFY : ISAKMP_GEN + DOI cst 4 isakmp_doi_cst,ipsec_doi_cst + PROTO cst 1 isakmp_proto_cst + SPI_SZ num 1 + MSG_TYPE cst 2 isakmp_notify_cst,ipsec_notify_cst + SPI raw +. + +# Delete payload. +ISAKMP_DELETE : ISAKMP_GEN + DOI cst 4 isakmp_doi_cst,ipsec_doi_cst + PROTO cst 1 isakmp_proto_cst + SPI_SZ num 1 + NSPIS num 2 + SPI raw +. + +# Vendor ID payload. +ISAKMP_VENDOR : ISAKMP_GEN + ID raw +. 
diff --git a/src/isakmp_num.cst b/src/isakmp_num.cst
new file mode 100644
index 0000000..7b8980f
--- /dev/null
+++ b/src/isakmp_num.cst
@@ -0,0 +1,170 @@
+# $Id: isakmp_num.cst,v 1.5 2011/02/02 00:19:27 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmp_num.cst,v $
+
+# $OpenBSD: isakmp_num.cst,v 1.4 2000/06/08 20:49:37 niklas Exp $
+# $EOM: isakmp_num.cst,v 1.3 2000/05/17 03:09:50 angelos Exp $
+
+#
+# Copyright (c) 1998 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by Ericsson Radio Systems.
+# 4. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# XXX Please fill in references to the drafts, chapter & verse for each
+# constant group below.
+# Also think about ranges, can they be specified diferently? Can we use
+# these constants for vlidity checks?
+
+# ISAKMP payload type.
+ISAKMP_PAYLOAD
+ NONE 0
+ SA 1
+ PROPOSAL 2
+ TRANSFORM 3
+ KEY_EXCH 4
+ ID 5
+ CERT 6
+ CERT_REQ 7
+ HASH 8
+ SIG 9
+ NONCE 10
+ NOTIFY 11
+ DELETE 12
+ VENDOR 13
+ CONFIG 14
+ SA_KEK 15
+ SA_TEK 16
+ KD 17
+ SEQ 18
+ POP 19
+ NAT_D 20
+ NAT_OA 21
+ GAP 22
+ RESERVED_MIN 23
+ RESERVED_MAX 127
+ PRIVATE_MIN 128
+ PRIVATE_MAX 255
+.
+
+# ISAKMP exchange types.
+ISAKMP_EXCH
+ NONE 0
+ BASE 1
+ ID_PROT 2
+ AUTH_ONLY 3
+ AGGRESSIVE 4
+ INFO 5
+ FUTURE_MIN 6
+ FUTURE_MAX 31
+ DOI_MIN 32
+ DOI_MAX 255
+.
+
+# ISAKMP flags.
+ISAKMP_FLAGS
+ ENC 1
+ COMMIT 2
+ AUTH_ONLY 4
+.
+
+# ISAKMP certificate encoding.
+ISAKMP_CERTENC
+ NONE 0
+ PKCS 1
+ PGP 2
+ DNS 3
+ X509_SIG 4
+ X509_KE 5
+ KERBEROS 6
+ CRL 7
+ ARL 8
+ SPKI 9
+ X509_ATTR 10
+ KEYNOTE 11
+ RESERVED_MIN 12
+ RESERVED_MAX 255
+.
+
+# ISAKMP Notify message types.
+ISAKMP_NOTIFY
+ INVALID_PAYLOAD_TYPE 1
+ DOI_NOT_SUPPORTED 2
+ SITUATION_NOT_SUPPORTED 3
+ INVALID_COOKIE 4
+ INVALID_MAJOR_VERSION 5
+ INVALID_MINOR_VERSION 6
+ INVALID_EXCHANGE_TYPE 7
+ INVALID_FLAGS 8
+ INVALID_MESSAGE_ID 9
+ INVALID_PROTOCOL_ID 10
+ INVALID_SPI 11
+ INVALID_TRANSFORM_ID 12
+ ATTRIBUTES_NOT_SUPPORTED 13
+ NO_PROPOSAL_CHOSEN 14
+ BAD_PROPOSAL_SYNTAX 15
+ PAYLOAD_MALFORMED 16
+ INVALID_KEY_INFORMATION 17
+ INVALID_ID_INFORMATION 18
+ INVALID_CERT_ENCODING 19
+ INVALID_CERTIFICATE 20
+ CERT_TYPE_UNSUPPORTED 21
+ INVALID_CERT_AUTHORITY 22
+ INVALID_HASH_INFORMATION 23
+ AUTHENTICATION_FAILED 24
+ INVALID_SIGNATURE 25
+ ADDRESS_NOTIFICATION 26
+ NOTIFY_SA_LIFETIME 27
+ CERTIFICATE_UNAVAILABLE 28
+ UNSUPPORTED_EXCHANGE_TYPE 29
+ UNEQUAL_PAYLOAD_LENGTHS 30
+ RESERVED_MIN 31
+ RESERVED_MAX 8191
+ PRIVATE_MIN 8192
+ PRIVATE_MAX 16383
+ STATUS_CONNECTED 16384
+ STATUS_RESERVED1_MIN 16385
+ STATUS_RESERVED1_MAX 24575
+ STATUS_DOI_MIN 12576
+ STATUS_DOI_MAX 32767
+ STATUS_PRIVATE_MIN 32768
+ STATUS_PRIVATE_MAX 40959
+ STATUS_RESERVED2_MIN 40960
+ STATUS_RESERVED2_MAX 65535
+.
+
+# ISAKMP DOI Identifier.
+ISAKMP_DOI
+ ISAKMP 0
+.
+
+# ISAKMP Protocol ID.
+ISAKMP_PROTO
+ ISAKMP 1
+.
diff --git a/src/isakmpd.c b/src/isakmpd.c
new file mode 100644
index 0000000..b461d6a
--- /dev/null
+++ b/src/isakmpd.c
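Review bot: `STATUS_DOI_MIN 12576` in ISAKMP_NOTIFY looks like a mistyped digit: the entry before it is `STATUS_RESERVED1_MAX 24575`, so the DOI-specific status range should begin at 24576, which is also the value ipsec_num.cst in this patch assigns to `RESPONDER_LIFETIME`. As written, the DOI range overlaps the private error range, `STATUS_CONNECTED` and the first reserved status range, so any range check built on these constants would misclassify notify types between 12576 and 24575. The line should read `STATUS_DOI_MIN 24576`. The comment at the top of this file already asks whether the constants can be used for validity checks, so the boundary should be corrected before any code relies on it.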
@@ -0,0 +1,562 @@ +/* $Id: isakmpd.c,v 1.8.2.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/isakmpd.c,v $ */ + +/* $OpenBSD: isakmpd.c,v 1.30 2001/04/09 22:09:52 ho Exp $ */ +/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "app.h" +#include "conf.h" +#include "sa.h" +#include "connection.h" +#include "init.h" +#include "libcrypto.h" +#include "log.h" +#include "timer.h" +#include "transport.h" +#include "udp.h" +#include "ui.h" +#include "util.h" +#include "cert.h" +#include + +/* + * Set if -d is given, currently just for running in the foreground and log + * to stderr instead of syslog. + */ +int debug = 0; + +/* + * If we receive a SIGHUP signal, this flag gets set to show we need to + * reconfigure ASAP. + */ +static int sighupped = 0; + +/* + * If we receive a USR1 signal, this flag gets set to show we need to dump + * a report over our internal state ASAP. The file to report to is settable + * via the -R parameter. + */ +static int sigusr1ed = 0; +static char *report_file = "/var/run/gdoid.report"; + +/* The default path of the PID file. */ +static char *pid_file = "/var/run/gdoid.pid"; + +#ifdef USE_DEBUG +/* The path of the IKE packet capture log file. */ +static char *pcap_file = 0; +#endif + +/* + * If we receive a TERM signal, perform a "clean shutdown" of the daemon. + * This includes to send DELETE notifications for all our active SAs. + * Also on recv of an INT signal (Ctrl-C out of an '-d' session, typically). + */ +volatile sig_atomic_t sigtermed = 0; +void daemon_shutdown_now(int); + +/* + * If we receive a USR2 signal, this flag gets set to show we need to + * rehash our SA soft expiration timers to a uniform distribution. + * XXX Perhaps this is a really bad idea? 
+ */ +static int sigusr2ed = 0; + +static void +usage () +{ + fprintf (stderr, + "usage: %s [-c config-file] [-d] [-D class=level] [-f fifo]\n" + " [-i pid-file] [-n] [-p listen-port] [-P local-port]\n" + " [-L] [-l packetlog-file] [-R report-file]\n", + sysdep_progname ()); + exit (1); +} + +static void +parse_args (int argc, char *argv[]) +{ + int ch; +#ifdef USE_DEBUG + int cls, level; + int do_packetlog = 0; +#endif + + while ((ch = getopt (argc, argv, "c:dD:f:i:np:P:Ll:R:")) != -1) { + switch (ch) { + case 'c': + conf_path = optarg; + break; + + case 'd': + debug++; + break; + +#ifdef USE_DEBUG + case 'D': + if (sscanf (optarg, "%d=%d", &cls, &level) != 2) + { + if (sscanf (optarg, "A=%d", &level) == 1) + { + for (cls = 0; cls < LOG_ENDCLASS; cls++) + log_debug_cmd (cls, level); + } + else + log_print ("parse_args: -D argument unparseable: %s", optarg); + } + else + log_debug_cmd (cls, level); + break; +#endif /* USE_DEBUG */ + + case 'f': + ui_fifo = optarg; + break; + + case 'i': + pid_file = optarg; + break; + + case 'n': + app_none++; + break; + + case 'p': + udp_default_port = udp_decode_port (optarg); + if (!udp_default_port) + exit (1); + break; + + case 'P': + udp_bind_port = udp_decode_port (optarg); + if (!udp_bind_port) + exit (1); + break; + +#ifdef USE_DEBUG + case 'l': + pcap_file = optarg; + /* Fallthrough intended. */ + + case 'L': + do_packetlog++; + break; +#endif /* USE_DEBUG */ + + case 'R': + report_file = optarg; + break; + + case '?': + default: + usage (); + } + } + argc -= optind; + argv += optind; + +#ifdef USE_DEBUG + if (do_packetlog && !pcap_file) + pcap_file = PCAP_FILE_DEFAULT; +#endif +} + +/* Reinitialize after a SIGHUP reception. */ +static void +reinit (void) +{ + log_print ("SIGHUP recieved, reinitializing daemon."); + + /* + * XXX Remove all(/some?) pending exchange timers? - they may not be + * possible to complete after we've re-read the config file. 
+ * User-initiated SIGHUP's maybe "authorizes" a wait until + * next connection-check. + * XXX This means we discard exchange->last_msg, is this really ok? + */ + + /* Reread config file. */ + conf_reinit (); + + /* Try again to link in libcrypto (good if we started without /usr). */ + libcrypto_init (); + + /* Set timezone */ + tzset (); + + /* Reinitialize certificates */ + cert_init (); + + /* Reinitialize our connection list. */ + connection_reinit (); + + /* + * XXX Rescan interfaces. + * transport_reinit (); + * udp_reinit (); + */ + + /* + * XXX "These" (non-existant) reinitializations should not be done. + * cookie_reinit (); + * ui_reinit (); + * sa_reinit (); + */ + + sighupped = 0; +} + +static void +sighup (int sig) +{ + sighupped = 1; +} + +/* Report internal state on SIGUSR1. */ +static void +report (void) +{ + FILE *report, *old; + mode_t old_umask; + + old_umask = umask (S_IRWXG | S_IRWXO); + report = fopen (report_file, "w"); + umask (old_umask); + + if (!report) + { + log_error ("fopen (\"%s\", \"w\") failed", report_file); + return; + } + + /* Divert the log channel to the report file during the report. */ + old = log_current (); + log_to (report); + ui_report ("r"); + log_to (old); + fclose (report); + + sigusr1ed = 0; +} + +static void +sigusr1 (int sig) +{ + sigusr1ed = 1; +} + +/* Rehash soft expiration timers on SIGUSR2. */ +static void +rehash_timers (void) +{ +#if 0 + /* XXX - not yet */ + log_print ("SIGUSR2 received, rehasing soft expiration timers."); + + timer_rehash_timers (); +#endif + + sigusr2ed = 0; +} + +static void +sigusr2 (int sig) +{ + sigusr2ed = 1; +} + +static int +phase2_sa_check(struct sa *sa, void *arg) +{ + return sa->phase == 2; +} + +extern void gdoi_rekey_delete_sas (fd_set *wfds); + +static void +daemon_shutdown(fd_set *wfds) +{ + /* Perform a (protocol-wise) clean shutdown of the daemon. */ + struct sa *sa; + + if (sigtermed == 1) { + log_print("gdoid: shutting down..."); + + /* Delete all active phase 2 SAs. 
*/ + while ((sa = sa_find(phase2_sa_check, NULL))) { + /* Each DELETE is another (outgoing) message. */ + sa_delete(sa, 1); + } + /* Delete GDOI SAs */ + gdoi_rekey_delete_sas(wfds); + sigtermed++; + } +} + +/* Called on SIGTERM, SIGINT or by ui_shutdown_daemon(). */ +void +daemon_shutdown_now(int sig) +{ + sigtermed = 1; +} + +/* Write pid file. */ +static void +write_pid_file (void) +{ + FILE *fp; + + /* Ignore errors. */ + unlink (pid_file); + + fp = fopen (pid_file, "w"); + if (fp != NULL) + { + /* XXX Error checking! */ + fprintf (fp, "%d\n", getpid ()); + fclose (fp); + } + else + log_fatal ("main: fopen (\"%s\", \"w\") failed", pid_file); +} + +int +main (int argc, char *argv[]) +{ + fd_set *rfds, *wfds; + int n, m; + size_t mask_size; + struct timeval tv, *timeout; + static const char rnd_seed[] = "this is a seed"; + + log_to (stderr); + + RAND_seed(rnd_seed, sizeof rnd_seed); + + parse_args (argc, argv); + init (); + if (!debug) + { + if (daemon (0, 0)) + log_fatal ("main: daemon (0, 0) failed"); + /* Switch to syslog. */ + log_to (0); + } + + write_pid_file (); + + /* Do a clean daemon shutdown */ + signal(SIGTERM, daemon_shutdown_now); + if (debug == 1) /* i.e '-dd' will skip this. */ + signal(SIGINT, daemon_shutdown_now); + + /* Reinitialize on HUP reception. */ + signal (SIGHUP, sighup); + + /* Report state on USR1 reception. */ + signal (SIGUSR1, sigusr1); + + /* Rehash soft expiration timers on USR2 reception. */ + signal (SIGUSR2, sigusr2); + +#ifdef USE_DEBUG + /* If we wanted IKE packet capture to file, initialize it now. */ + if (pcap_file != 0) + log_packet_init (pcap_file); +#endif + + /* Allocate the file descriptor sets just big enough. 
*/ + n = getdtablesize (); + mask_size = howmany (n, NFDBITS) * sizeof (fd_mask); + rfds = (fd_set *)malloc (mask_size); + if (!rfds) + log_fatal ("main: malloc (%d) failed", mask_size); + wfds = (fd_set *)malloc (mask_size); + if (!wfds) + log_fatal ("main: malloc (%d) failed", mask_size); + + while (1) + { + /* If someone has sent SIGHUP to us, reconfigure. */ + if (sighupped) + reinit (); + + /* and if someone sent SIGUSR1, do a state report. */ + if (sigusr1ed) + report (); + + /* and if someone sent SIGUSR2, do a timer rehash. */ + if (sigusr2ed) + rehash_timers (); + + /* Do a clean shutdown on SIGINT or SIGTERM */ + if (sigtermed) + { + daemon_shutdown(wfds); + transport_send_messages (wfds); + exit(0); + } + + /* Setup the descriptors to look for incoming messages at. */ + memset (rfds, 0, mask_size); + n = transport_fd_set (rfds); + FD_SET (ui_socket, rfds); + if (ui_socket + 1 > n) + n = ui_socket + 1; + + /* + * XXX Some day we might want to deal with an abstract application + * class instead, with many instantiations possible. + */ + if (!app_none && app_socket >= 0) + { + FD_SET (app_socket, rfds); + if (app_socket + 1 > n) + n = app_socket + 1; + } + + /* Setup the descriptors that have pending messages to send. */ + memset (wfds, 0, mask_size); + m = transport_pending_wfd_set (wfds); + if (m > n) + n = m; + + /* Find out when the next timed event is. */ + timeout = &tv; + timer_next_event (&timeout); + + n = select (n, rfds, wfds, 0, timeout); + if (n == -1) + { + if (errno != EINTR) + { + log_error ("select"); + + /* + * In order to give the unexpected error condition time to + * resolve without letting this process eat up all available CPU + * we sleep for a short while. 
+ */ + sleep (1); + } + } + else if (n) + { + transport_handle_messages (rfds); + transport_send_messages (wfds); + if (FD_ISSET (ui_socket, rfds)) + ui_handler (); + if (!app_none && app_socket >= 0 && FD_ISSET (app_socket, rfds)) + app_handler (); + } + timer_handle_expirations (); + } +} diff --git a/src/key_api.c b/src/key_api.c new file mode 100644 index 0000000..b0b2411 --- /dev/null +++ b/src/key_api.c 
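Review bot: In `main`, `RAND_seed (rnd_seed, sizeof rnd_seed)` feeds the constant string "this is a seed" to the library PRNG and credits it as entropy, so on a host where the library cannot seed itself the generator may look seeded while holding only a public, fixed input; every random value the daemon later draws would inherit that. I would drop the `rnd_seed` array and the call, let the library seed itself, and fail closed after `init ()` with `if (!RAND_status ()) log_fatal ("main: PRNG is not seeded");`. Separately, `sighupped`, `sigusr1ed` and `sigusr2ed` are written from signal handlers but declared `static int`, unlike `sigtermed`; declaring them `static volatile sig_atomic_t` would make the four flags consistent.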
@@ -0,0 +1,289 @@ +/* $Id: key_api.c,v 1.4.4.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/key_api.c,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* $OpenBSD: sysdep.c,v 1.8 2001/02/24 03:59:58 angelos Exp $ */ +/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "util.h" + +#ifdef NEED_SYSDEP_APP +#include "app.h" +#include "conf.h" +#include "ipsec.h" + +#ifdef USE_PF_KEY_V2 +#include "pf_key_v2.h" +#define KEY_API(x) pf_key_v2_##x +#else +#include +#include "pf_encap.h" +#define KEY_API(x) pf_encap_##x +#endif + +#endif /* NEED_SYSDEP_APP */ +#include "log.h" + +#if defined(LINUX_PFKEY) || defined(OSX) +#define IPSEC_LEVEL_BYPASS 0 +#define IP_AUTH_LEVEL 1 +#define IP_ESP_TRANS_LEVEL 1 +#define IP_ESP_NETWORK_LEVEL 1 +#endif + +extern char *__progname; + +/* Return the basename of the command used to invoke us. */ +char * +sysdep_progname () +{ + return __progname; +} + +/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ +#ifdef NEED_SYSDEP_APP +/* + * Prepare the application we negotiate SAs for (i.e. the IPsec stack) + * for communication. We return a file descriptor useable to select(2) on. + */ +int +sysdep_app_open () +{ + return KEY_API(open) (); +} + +/* + * When select(2) has noticed our application needs attendance, this is what + * gets called. FD is the file descriptor causing the alarm. + */ +void +sysdep_app_handler (int fd) +{ + KEY_API (handler) (fd); +} + +/* Check that the connection named NAME is active, or else make it active. */ +void +sysdep_connection_check (char *name) +{ + KEY_API (connection_check) (name); +} + +/* + * Generate a SPI for protocol PROTO and the source/destination pair given by + * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. + */ +u_int8_t * +sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, + int srclen, struct sockaddr *dst, int dstlen, + u_int32_t seq) +{ + if (app_none) + { + *sz = IPSEC_SPI_SIZE; + /* XXX should be random instead I think. 
*/ + return (u_int8_t *)strdup ("\x12\x34\x56\x78"); + } + return KEY_API (get_spi) (sz, proto, src, srclen, dst, dstlen, seq); +} + +/* Force communication on socket FD to go in the clear. */ +int +sysdep_cleartext (int fd) +{ + int level; + + if (app_none) + return 0; + + /* + * Need to bypass system security policy, so I can send and + * receive key management datagrams in the clear. + */ +#ifdef FREEBSD_PFKEY_EXT + level = IPSEC_POLICY_BYPASS; + if (setsockopt (fd, IPPROTO_IP, IP_IPSEC_POLICY, (char *)&level, sizeof level) + == -1) + { + log_error ("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed", fd); + return -1; + } + if (setsockopt (fd, IPPROTO_IP, IPSECCTL_DEF_ESP_TRANSLEV, (char *)&level, + sizeof level) == -1) + { + log_error ("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IPSECCTL_DEF_ESP_TRANSLEV, ...) " + "failed", fd); + return -1; + } + if (setsockopt (fd, IPPROTO_IP, IPSECCTL_DEF_ESP_NETLEV, (char *)&level, + sizeof level) == -1) + { + log_error("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IPSECCTL_DEF_ESP_NETLEV, ...) " + "failed", fd); + return -1; + } +#else + level = IPSEC_LEVEL_BYPASS; + if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level) + == -1) + { + log_error ("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd); + return -1; + } + if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level, + sizeof level) == -1) + { + log_error ("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) " + "failed", fd); + return -1; + } + if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level, + sizeof level) == -1) + { + log_error("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) 
" + "failed", fd); + return -1; + } +#endif + return 0; +} + +int +sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) +{ + if (app_none) + return 0; + return KEY_API (delete_spi) (sa, proto, incoming); +} + +int +sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) +{ + if (app_none) + return 0; + return KEY_API (enable_sa) (sa, isakmp_sa); +} + +int +sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, + struct proto *proto2, int incoming) +{ + if (app_none) + return 0; + return KEY_API (group_spis) (sa, proto1, proto2, incoming); +} + +int +sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming) +{ + if (app_none) + return 0; + return KEY_API (set_spi) (sa, proto, incoming); +} +#endif diff --git a/src/libcrypto.c b/src/libcrypto.c new file mode 100644 index 0000000..50d15a2 --- /dev/null +++ b/src/libcrypto.c 
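Review bot: The `#if defined(LINUX_PFKEY) || defined(OSX)` block defines `IP_AUTH_LEVEL`, `IP_ESP_TRANS_LEVEL` and `IP_ESP_NETWORK_LEVEL` all as 1 and `IPSEC_LEVEL_BYPASS` as 0, so on those builds the three `setsockopt` calls in the `#else` branch of `sysdep_cleartext` set whatever IP-level option is numbered 1 on the platform (on Linux that is `IP_TOS`) and the function still returns 0 as if a bypass were in place. A caller cannot tell that no IPsec policy was changed on the key-management socket. The placeholders should at least be documented where they are defined, for example `/* Placeholders only: option 1 is not an IPsec bypass on these platforms, so sysdep_cleartext () changes no IPsec policy here. */`, and the function would be clearer if it skipped the calls on those builds instead of issuing them. In the same hunk the `app_none` branch of `sysdep_ipsec_get_spi` hands out the fixed SPI bytes `\x12\x34\x56\x78`, which its own XXX comment already questions; that path should stay confined to test runs.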
@@ -0,0 +1,287 @@ +/* $Id: libcrypto.c,v 1.2.4.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/libcrypto.c,v $ */ + +/* $OpenBSD: libcrypto.c,v 1.11 2001/01/27 15:39:55 ho Exp $ */ +/* $EOM: libcrypto.c,v 1.14 2000/09/28 12:53:27 niklas Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include "sysdep.h" + +#include "dyn.h" +#include "libcrypto.h" + +void *libcrypto = 0; + +#ifdef USE_X509 + +#ifdef HAVE_DLOPEN + +/* + * These prototypes matches SSLeay version 0.9.0b or OpenSSL 0.9.4, if + * you try to load a different version than that, you are on your own. 
+ */ +char *(*lc_ASN1_d2i_bio) (char *(*) (), char *(*) (), BIO *bp, + unsigned char **); +char *(*lc_ASN1_dup) (int (*) (), char *(*) (), char *); +long (*lc_BIO_ctrl) (BIO *bp, int, long, char *); +int (*lc_BIO_free) (BIO *a); +BIO *(*lc_BIO_new) (BIO_METHOD *type); +int (*lc_BIO_write) (BIO *, char *, int); +BIO_METHOD *(*lc_BIO_s_file) (void); +BIO_METHOD *(*lc_BIO_s_mem) (void); +BIGNUM *(*lc_BN_bin2bn) (const unsigned char *, int, BIGNUM *); +int (*lc_BN_num_bits) (const BIGNUM *); +int (*lc_BN_print_fp) (FILE *, BIGNUM *); +char *(*lc_PEM_ASN1_read_bio) (char *(*) (), char *, BIO *, char **, + int (*) ()); +void (*lc_RSA_free) (RSA *); +RSA *(*lc_RSA_new) (void); +RSA *(*lc_RSA_generate_key) (int, unsigned long, void (*) (int, int, char *), + char *); +int (*lc_RSA_private_encrypt) (int, unsigned char *, unsigned char *, RSA *, + int); +int (*lc_RSA_public_decrypt) (int, unsigned char *, unsigned char *, RSA *, + int); +int (*lc_RSA_size) (RSA *); +#if OPENSSL_VERSION_NUMBER >= 0x00905100L +void (*lc_OpenSSL_add_all_algorithms) (void); +#else +void (*lc_SSLeay_add_all_algorithms) (void); +#endif +int (*lc_X509_NAME_cmp) (X509_NAME *, X509_NAME *); +void (*lc_X509_STORE_CTX_cleanup) (X509_STORE_CTX *); +void (*lc_X509_OBJECT_free_contents) (X509_OBJECT *); + +#if SSLEAY_VERSION_NUMBER >= 0x00904100L +void (*lc_X509_STORE_CTX_init) (X509_STORE_CTX *, X509_STORE *, X509 *, + STACK_OF (X509) *); +#else +void (*lc_X509_STORE_CTX_init) (X509_STORE_CTX *, X509_STORE *, X509 *, + STACK *); +#endif + +int (*lc_X509_STORE_add_cert) (X509_STORE *, X509 *); +X509_STORE *(*lc_X509_STORE_new) (void); +void (*lc_X509_STORE_free) (X509_STORE *); +X509 *(*lc_X509_dup) (X509 *); +void (*lc_X509_free) (X509 *); +X509_EXTENSION *(*lc_X509_get_ext) (X509 *, int); +int (*lc_X509_get_ext_by_NID) (X509 *, int, int); +X509_NAME *(*lc_X509_get_issuer_name) (X509 *); +EVP_PKEY *(*lc_X509_get_pubkey) (X509 *); +X509_NAME *(*lc_X509_get_subject_name) (X509 *); +X509 *(*lc_X509_new) 
(void); +int (*lc_X509_verify) (X509 *, EVP_PKEY *); +int (*lc_X509_verify_cert) (X509_STORE_CTX *); +RSA *(*lc_d2i_RSAPrivateKey) (RSA **, unsigned char **, long); +RSA *(*lc_d2i_RSAPublicKey) (RSA **, unsigned char **, long); +X509 *(*lc_d2i_X509) (X509 **, unsigned char **, long); +char *(*lc_X509_NAME_oneline) (X509_NAME *, char *, int); +int (*lc_i2d_RSAPublicKey) (RSA *, unsigned char **); +int (*lc_i2d_RSAPrivateKey) (RSA *, unsigned char **); +int (*lc_i2d_X509) (X509 *, unsigned char **); +int (*lc_i2d_X509_NAME) (X509_NAME *, unsigned char **); +#if (SSLEAY_VERSION_NUMBER >= 0x00904100L \ + && SSLEAY_VERSION_NUMBER < 0x0090600fL) +void (*lc_sk_X509_free) (STACK_OF (X509) *); +STACK_OF (X509) *(*lc_sk_X509_new_null) (); +#else +void (*lc_sk_free) (STACK *); +STACK *(*lc_sk_new) (int (*) ()); +#endif + +#if SSLEAY_VERSION_NUMBER >= 0x00904100L +X509 *(*lc_X509_find_by_subject) (STACK_OF (X509) *, X509_NAME *); +#else +X509 *(*lc_X509_find_by_subject) (STACK *, X509_NAME *); +#endif + +int (*lc_X509_STORE_get_by_subject) (X509_STORE_CTX *, int, X509_NAME *, + X509_OBJECT *); + +#define SYMENTRY(x) { SYM, SYM (x), (void **)&lc_ ## x } + +static struct dynload_script libcrypto_script[] = { + { LOAD, "libc.so.6", &libcrypto }, + { LOAD, "libcrypto.so", &libcrypto }, + SYMENTRY (ASN1_d2i_bio), + SYMENTRY (ASN1_dup), + SYMENTRY (BIO_ctrl), + SYMENTRY (BIO_free), + SYMENTRY (BIO_new), + SYMENTRY (BIO_write), + SYMENTRY (BIO_s_file), + SYMENTRY (BIO_s_mem), + SYMENTRY (BN_print_fp), + SYMENTRY (PEM_ASN1_read_bio), + SYMENTRY (RSA_generate_key), + SYMENTRY (RSA_free), + SYMENTRY (RSA_private_encrypt), + SYMENTRY (RSA_public_decrypt), + SYMENTRY (RSA_size), +#if OPENSSL_VERSION_NUMBER >= 0x00905100L + SYMENTRY (OpenSSL_add_all_algorithms), +#else + SYMENTRY (SSLeay_add_all_algorithms), +#endif + SYMENTRY (X509_NAME_cmp), + SYMENTRY (X509_STORE_CTX_cleanup), + SYMENTRY (X509_STORE_CTX_init), + SYMENTRY (X509_STORE_add_cert), + SYMENTRY (X509_STORE_new), + SYMENTRY 
(X509_STORE_free), + SYMENTRY (X509_dup), + SYMENTRY (X509_find_by_subject), + SYMENTRY (X509_free), + SYMENTRY (X509_get_ext), + SYMENTRY (X509_get_ext_by_NID), + SYMENTRY (X509_get_issuer_name), + SYMENTRY (X509_get_pubkey), + SYMENTRY (X509_get_subject_name), + SYMENTRY (X509_new), + SYMENTRY (X509_verify), + SYMENTRY (X509_verify_cert), + SYMENTRY (X509_STORE_get_by_subject), + SYMENTRY (X509_OBJECT_free_contents), + SYMENTRY (X509_NAME_oneline), + SYMENTRY (d2i_RSAPrivateKey), + SYMENTRY (d2i_RSAPublicKey), + SYMENTRY (d2i_X509), + SYMENTRY (i2d_RSAPublicKey), + SYMENTRY (i2d_RSAPrivateKey), + SYMENTRY (i2d_X509), + SYMENTRY (i2d_X509_NAME), +#if (SSLEAY_VERSION_NUMBER >= 0x00904100L \ + && SSLEAY_VERSION_NUMBER < 0x0090600fL) + SYMENTRY (sk_X509_free), + SYMENTRY (sk_X509_new_null), +#else + SYMENTRY (sk_free), + SYMENTRY (sk_new), +#endif + { EOS } +}; +#endif + +#endif /* USE_X509 */ + +void +libcrypto_init (void) +{ +#ifdef USE_X509 +#ifdef HAVE_DLOPEN + dyn_load (libcrypto_script); +#elif !defined (USE_LIBCRYPTO) + return; +#endif + + /* + * XXX Do something imaginative with libcrypto here. The problem is if + * the dynload fails libcrypto will be 0 which is good for the macros but + * not the tests for support. + */ + +#if defined (USE_LIBCRYPTO) + /* Add all algorithms known by SSL */ +#if OPENSSL_VERSION_NUMBER >= 0x00905100L + LC (OpenSSL_add_all_algorithms, ()); +#else + LC (SSLeay_add_all_algorithms, ()); +#endif +#endif +#endif /* USE_X509 */ +} + diff --git a/src/libcrypto.h b/src/libcrypto.h new file mode 100644 index 0000000..9ce7608 --- /dev/null +++ b/src/libcrypto.h 
@@ -0,0 +1,63 @@
+/* $Id: libcrypto.h,v 1.4 2007/03/21 20:03:03 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/libcrypto.h,v $ */
+
+/* $OpenBSD: libcrypto.h,v 1.9 2001/01/27 15:39:55 ho Exp $ */
+/* $EOM: libcrypto.h,v 1.16 2000/09/28 12:53:27 niklas Exp $ */
+
+/*
+ * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _LIBCRYPTO_H_
+#define _LIBCRYPTO_H_
+
+
+#include
+
+/* XXX I want #include but we appear to not install meth.h */
+#include
+#include
+#include
+#include
+#include
+
+extern void *libcrypto;
+
+#if defined (USE_LIBCRYPTO)
+#define LC(sym, args) sym args
+#else
+#define LC(sym, args) !!libcrypto called but no USE_LIBCRYPTO!!
+#endif
+
+extern void libcrypto_init (void);
+#endif /* _LIBCRYPTO_H_ */
diff --git a/src/log.c b/src/log.c
new file mode 100644
index 0000000..699f3f4
--- /dev/null
+++ b/src/log.c
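Review bot: Neither form of `LC` in this header uses the `libcrypto` handle declared just above it, so the macro needs a comment saying what it actually does. With USE_LIBCRYPTO it is a plain direct call (`sym args`); otherwise it expands to `!!libcrypto called but no USE_LIBCRYPTO!!`, which looks intended to break the build at any call site. I would add above the `#if`: `/* LC (sym, args) calls sym directly; without USE_LIBCRYPTO it expands to invalid tokens so a stray use fails to compile. */`. Nothing visible here routes calls through the `lc_*` pointers that the dynload table in libcrypto.c fills in, so it is worth confirming whether that dlopen path is still meant to be used; if it is dead, the code that verifies certificates is whatever libcrypto the binary links against, not the one named in the load script.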
@@ -0,0 +1,619 @@
+/* $Id: log.c,v 1.6 2007/03/21 20:03:04 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/log.c,v $ */
+
+/* $OpenBSD: log.c,v 1.18 2001/04/15 16:09:16 ho Exp $ */
+/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include "config.h" +#include +#include +#include + +#ifdef USE_DEBUG +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_PCAP +#include +#else +#include "pcap.h" +#endif + +#endif /* USE_DEBUG */ + +#include +#include +#include +#include +#include + +#ifdef __STDC__ +#include +#else +#include +#endif + +#include "isakmp_num.h" +#include "log.h" + +static void _log_print (int, int, const char *, va_list, int, int); + +static FILE *log_output; + +#ifdef USE_DEBUG +static int log_level[LOG_ENDCLASS]; + +#define TCPDUMP_MAGIC 0xa1b2c3d4 +#define SNAPLEN (64 * 1024) + +struct packhdr { + struct pcap_pkthdr pcap; /* pcap file packet header */ + struct { + u_int32_t null_family; /* NULL encapsulation */ + } null; + struct ip ip; /* IP header (w/o options) */ + struct udphdr udp; /* UDP header */ +}; + +struct isakmp_hdr { + u_int8_t icookie[8], rcookie[8]; + u_int8_t next, ver, type, flags; + u_int32_t msgid, len; +}; + +static char *pcaplog_file = NULL; +static FILE *packet_log; +static u_int8_t pack[SNAPLEN + sizeof (struct packhdr)]; +static struct packhdr *hdr; + +static int udp_cksum (const struct ip *, const struct udphdr *, int); +static u_int16_t in_cksum (const struct ip *, int); +#endif /* USE_DEBUG */ + +void +log_init (void) +{ + log_output = stderr; +} + +void +log_to (FILE *f) +{ + if (!log_output && f) + closelog (); + 
log_output = f; + if (!f) + openlog ("gdoid", LOG_PID | LOG_CONS, LOG_DAEMON); +} + +FILE * +log_current (void) +{ + return log_output; +} + +static char * +_log_get_class (int error_class) +{ + /* XXX For test purposes. To be removed later on? */ + static char *class_text[] = LOG_CLASSES_TEXT; + + if (error_class < 0) + return "Dflt"; + else if (error_class >= LOG_ENDCLASS) + return "Unkn"; + else + return class_text[error_class]; +} + +static void +_log_print (int error, int syslog_level, const char *fmt, va_list ap, + int class, int level) +{ + char buffer[LOG_SIZE], nbuf[LOG_SIZE + 32]; + static const char fallback_msg[] = + "write to log file failed (errno %d), redirecting output to syslog"; + int len; + struct tm *tm; + struct timeval now; + time_t t; + + len = vsnprintf (buffer, LOG_SIZE, fmt, ap); + if (len < LOG_SIZE - 1 && error) + snprintf (buffer + len, LOG_SIZE - len, ": %s", strerror (errno)); + if (log_output) + { + gettimeofday (&now, 0); + t = now.tv_sec; + tm = localtime (&t); + if (class >= 0) +#ifdef OSX + sprintf (nbuf, "%02d%02d%02d.%06ld %s %02d ", tm->tm_hour, + tm->tm_min, tm->tm_sec, (long)now.tv_usec, _log_get_class (class), + level); +#else + sprintf (nbuf, "%02d%02d%02d.%06ld %s %02d ", tm->tm_hour, + tm->tm_min, tm->tm_sec, now.tv_usec, _log_get_class (class), + level); +#endif + else /* LOG_PRINT (-1) or LOG_REPORT (-2) */ +#ifdef OSX + sprintf (nbuf, "%02d%02d%02d.%06ld %s ", tm->tm_hour, + tm->tm_min, tm->tm_sec, (long)now.tv_usec, + class == LOG_PRINT ? "Default" : "Report>"); +#else + sprintf (nbuf, "%02d%02d%02d.%06ld %s ", tm->tm_hour, + tm->tm_min, tm->tm_sec, now.tv_usec, + class == LOG_PRINT ? "Default" : "Report>"); +#endif + strcat (nbuf, buffer); + strcat (nbuf, "\n"); + + if (fwrite (nbuf, strlen (nbuf), 1, log_output) == 0) + { + /* Report fallback. */ + syslog (LOG_ALERT, fallback_msg, errno); + fprintf (log_output, fallback_msg, errno); + + /* + * Close log_output to prevent gdoid from locking the file. 
+ * We may need to explicitly close stdout to do this properly. + * XXX - Figure out how to match two FILE *'s and rewrite. + */ + if (fileno (log_output) != -1 + && fileno (stdout) == fileno (log_output)) + fclose (stdout); + fclose (log_output); + + /* Fallback to syslog. */ + log_to (0); + + /* (Re)send current message to syslog(). */ + syslog (class == LOG_REPORT ? LOG_ALERT + : syslog_level, "%s", buffer); + } + } + else + syslog (class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s", buffer); +} + +#ifdef USE_DEBUG +void +#ifdef __STDC__ +log_debug (int cls, int level, const char *fmt, ...) +#else +log_debug (cls, level, fmt, va_alist) + int cls; + int level; + const char *fmt; + va_dcl +#endif +{ + va_list ap; + + /* + * If we are not debugging this class, or the level is too low, just return. + */ + if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) + return; +#ifdef __STDC__ + va_start (ap, fmt); +#else + va_start (ap); + fmt = va_arg (ap, const char *); +#endif + _log_print (0, LOG_DEBUG, fmt, ap, cls, level); + va_end (ap); +} + +void +log_debug_buf (int cls, int level, const char *header, const u_int8_t *buf, + size_t sz) +{ + char s[73]; + int i, j; + + /* + * If we are not debugging this class, or the level is too low, just return. 
+ */ + if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) + return; + + log_debug (cls, level, "%s:", header); + for (i = j = 0; i < sz;) + { + sprintf (s + j, "%02x", buf[i++]); + j += 2; + if (i % 4 == 0) + { + if (i % 32 == 0) + { + s[j] = '\0'; + log_debug (cls, level, "%s", s); + j = 0; + } + else + s[j++] = ' '; + } + } + if (j) + { + s[j] = '\0'; + log_debug (cls, level, "%s", s); + } +} + +void +log_debug_cmd (int cls, int level) +{ + if (cls < 0 || cls >= LOG_ENDCLASS) + { + log_print ("log_debug_cmd: invalid debugging class %d", cls); + return; + } + + if (level < 0) + { + log_print ("log_debug_cmd: invalid debugging level %d for class %d", + level, cls); + return; + } + + if (level == log_level[cls]) + log_print ("log_debug_cmd: log level unchanged for class %d", cls); + else + { + log_print ("log_debug_cmd: log level changed from %d to %d for class %d", + log_level[cls], level, cls); + log_level[cls] = level; + } +} +#endif /* USE_DEBUG */ + +void +#ifdef __STDC__ +log_print (const char *fmt, ...) +#else +log_print (fmt, va_alist) + const char *fmt; + va_dcl +#endif +{ + va_list ap; + +#ifdef __STDC__ + va_start (ap, fmt); +#else + va_start (ap); + fmt = va_arg (ap, const char *); +#endif + _log_print (0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0); + va_end (ap); +} + +void +#ifdef __STDC__ +log_error (const char *fmt, ...) +#else +log_error (fmt, va_alist) + const char *fmt; + va_dcl +#endif +{ + va_list ap; + +#ifdef __STDC__ + va_start (ap, fmt); +#else + va_start (ap); + fmt = va_arg (ap, const char *); +#endif + _log_print (1, LOG_ERR, fmt, ap, LOG_PRINT, 0); + va_end (ap); +} + +void +#ifdef __STDC__ +log_fatal (const char *fmt, ...) 
+#else +log_fatal (fmt, va_alist) + const char *fmt; + va_dcl +#endif +{ + va_list ap; + +#ifdef __STDC__ + va_start (ap, fmt); +#else + va_start (ap); + fmt = va_arg (ap, const char *); +#endif + _log_print (1, LOG_CRIT, fmt, ap, LOG_PRINT, 0); + va_end (ap); + exit (1); +} + +#ifdef USE_DEBUG +void +log_packet_init (char *newname) +{ + struct pcap_file_header sf_hdr; + mode_t old_umask; + + if (pcaplog_file && strcmp (pcaplog_file, PCAP_FILE_DEFAULT) != 0) + free (pcaplog_file); + + pcaplog_file = strdup (newname); + if (!pcaplog_file) + { + log_error ("log_packet_init: strdup (\"%s\") failed", newname); + return; + } + + old_umask = umask (S_IRWXG | S_IRWXO); + packet_log = fopen (pcaplog_file, "w"); + umask (old_umask); + + if (!packet_log) + { + log_error ("log_packet_init: fopen (\"%s\", \"w\") failed", + pcaplog_file); + return; + } + + log_print ("log_packet_init: starting IKE packet capture to file \"%s\"", + pcaplog_file); + + sf_hdr.magic = TCPDUMP_MAGIC; + sf_hdr.version_major = PCAP_VERSION_MAJOR; + sf_hdr.version_minor = PCAP_VERSION_MINOR; + sf_hdr.thiszone = 0; + sf_hdr.snaplen = SNAPLEN; + sf_hdr.sigfigs = 0; + sf_hdr.linktype = DLT_NULL; + + fwrite ((char *)&sf_hdr, sizeof sf_hdr, 1, packet_log); + fflush (packet_log); + + /* prep dummy header prepended to each packet */ + hdr = (struct packhdr *)pack; + hdr->null.null_family = AF_INET; + hdr->ip.ip_v = 0x4; + hdr->ip.ip_hl = 0x5; + hdr->ip.ip_p = IPPROTO_UDP; + hdr->udp.uh_sport = htons (500); + hdr->udp.uh_dport = htons (500); +} + +void +log_packet_restart (char *newname) +{ + struct stat st; + + if (packet_log) + { + log_print ("log_packet_restart: capture already active on file \"%s\"", + pcaplog_file); + return; + } + + if (newname) + { + if (stat (newname, &st) == 0) + log_print ("log_packet_restart: won't overwrite existing \"%s\"", + newname); + else + log_packet_init (newname); + } + else if (!pcaplog_file) + log_packet_init (PCAP_FILE_DEFAULT); + else if (stat (pcaplog_file, &st) != 0) 
+ log_packet_init (pcaplog_file); + else + { + /* Re-activate capture on current file. */ + packet_log = fopen (pcaplog_file, "a"); + if (!packet_log) + log_error ("log_packet_restart: fopen (\"%s\", \"a\") failed", + pcaplog_file); + else + log_print ("log_packet_restart: capture restarted on file \"%s\"", + pcaplog_file); + } +} + +void +log_packet_stop (void) +{ + /* Stop capture. */ + if (packet_log) + { + fclose (packet_log); + log_print ("log_packet_stop: stopped capture"); + } + packet_log = 0; +} + +void +log_packet_iov (struct sockaddr *src, struct sockaddr *dst, struct iovec *iov, + int iovcnt) +{ + struct isakmp_hdr *isakmphdr; + int off, len, i; + + len = 0; + for (i = 0; i < iovcnt; i++) + len += iov[i].iov_len; + + if (!packet_log || len > SNAPLEN) + return; + + /* copy packet into buffer */ + off = sizeof *hdr; + for (i = 0; i < iovcnt; i++) + { + memcpy (pack + off, iov[i].iov_base, iov[i].iov_len); + off += iov[i].iov_len; + } + + /* isakmp - turn off the encryption bit in the isakmp hdr */ + isakmphdr = (struct isakmp_hdr *)(pack + sizeof *hdr); + isakmphdr->flags &= ~(ISAKMP_FLAGS_ENC); + + /* udp */ + len += sizeof hdr->udp; + hdr->udp.uh_ulen = htons (len); + + /* ip */ + len += sizeof hdr->ip; + hdr->ip.ip_len = htons (len); + + switch (src->sa_family) + { + case AF_INET: + hdr->ip.ip_src.s_addr = ((struct sockaddr_in *)src)->sin_addr.s_addr; + hdr->ip.ip_dst.s_addr = ((struct sockaddr_in *)dst)->sin_addr.s_addr; + break; + case AF_INET6: + /* XXX TBD */ + default: + hdr->ip.ip_src.s_addr = 0x02020202; + hdr->ip.ip_dst.s_addr = 0x01010101; + } + + /* Let's use the IP ID as a "packet counter". */ + i = ntohs (hdr->ip.ip_id) + 1; + hdr->ip.ip_id = htons (i); + + /* Calculate UDP checksum. */ + hdr->udp.uh_sum = 0; + hdr->udp.uh_sum = udp_cksum (&hdr->ip, &hdr->udp, len); + + /* Calculate IP header checksum. 
*/ + hdr->ip.ip_sum = 0; + hdr->ip.ip_sum = in_cksum (&hdr->ip, hdr->ip.ip_hl << 2); + + /* null header */ + len += sizeof hdr->null; + + /* pcap file packet header */ + gettimeofday (&hdr->pcap.ts, 0); + hdr->pcap.caplen = len; + hdr->pcap.len = len; + len += sizeof hdr->pcap; + + fwrite (pack, len, 1, packet_log); + fflush (packet_log); + return; +} + +/* Copied from tcpdump/print-udp.c */ +static int +udp_cksum (const struct ip *ip, const struct udphdr *up, int len) +{ + int i, tlen; + union phu { + struct phdr { + u_int32_t src; + u_int32_t dst; + u_char mbz; + u_char proto; + u_int16_t len; + } ph; + u_int16_t pa[6]; + } phu; + const u_int16_t *sp; + u_int32_t sum; + tlen = ntohs (ip->ip_len) - ((const char *)up-(const char*)ip); + + /* pseudo-header.. */ + phu.ph.len = htons (tlen); + phu.ph.mbz = 0; + phu.ph.proto = ip->ip_p; + memcpy (&phu.ph.src, &ip->ip_src.s_addr, sizeof (u_int32_t)); + memcpy (&phu.ph.dst, &ip->ip_dst.s_addr, sizeof (u_int32_t)); + + sp = &phu.pa[0]; + sum = sp[0] + sp[1] + sp[2] + sp[3] + sp[4] + sp[5]; + + sp = (const u_int16_t *)up; + + for (i = 0; i < (tlen&~1); i += 2) + sum += *sp++; + + if (tlen & 1) { + sum += htons ((*(const char *)sp) << 8); + } + + while (sum > 0xffff) + sum = (sum & 0xffff) + (sum >> 16); + sum = ~sum & 0xffff; + + return sum; +} + +/* Copied from tcpdump/print-ip.c, modified. */ +static u_int16_t +in_cksum (const struct ip *ip, int len) +{ + int nleft = len; + const u_short *w = (const u_short *)ip; + u_short answer; + int sum = 0; + + while (nleft > 1) { + sum += *w++; + nleft -= 2; + } + if (nleft == 1) + sum += htons (*(u_char *)w << 8); + + sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ + sum += (sum >> 16); /* add carry */ + answer = ~sum; /* truncate to 16 bits */ + return answer; +} + + +#endif /* USE_DEBUG */ diff --git a/src/log.h b/src/log.h new file mode 100644 index 0000000..22d99cd --- /dev/null +++ b/src/log.h 
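Review bot: `log_packet_restart` calls `log_packet_init (pcaplog_file)` when the current capture file no longer exists, and `log_packet_init` frees `pcaplog_file` (whenever it differs from PCAP_FILE_DEFAULT) before it runs `strdup (newname)`, so on that path `strdup` reads memory that was just freed. Duplicating the new name first and releasing the old one afterwards removes the aliasing problem; the rewritten opening of `log_packet_init` is below. Separately, `log_debug` and `log_debug_buf` index `log_level[cls]` after checking only `cls >= 0`, whereas `log_debug_cmd` also rejects `cls >= LOG_ENDCLASS`; the same upper bound belongs in both guards.

```c
log_packet_init (char *newname)
{
  struct pcap_file_header sf_hdr;
  mode_t old_umask;
  char *copy;

  /* Duplicate first: log_packet_restart may pass pcaplog_file itself.  */
  copy = strdup (newname);
  if (!copy)
    {
      log_error ("log_packet_init: strdup (\"%s\") failed", newname);
      return;
    }
  if (pcaplog_file && strcmp (pcaplog_file, PCAP_FILE_DEFAULT) != 0)
    free (pcaplog_file);
  pcaplog_file = copy;

  /* ... unchanged: umask/fopen, pcap file header, dummy packet header ... */
```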
@@ -0,0 +1,99 @@
+/* $Id: log.h,v 1.3 2003/08/15 23:24:08 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/log.h,v $ */
+
+/* $OpenBSD: log.h,v 1.10 2001/04/09 21:21:57 ho Exp $ */
+/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _LOG_H_
+#define _LOG_H_
+
+#include
+#include
+#include
+#include
+
+/*
+ * We cannot do the log strings dynamically sizeable as out of memory is one
+ * of the situations we need to report about.
+ */
+#define LOG_SIZE 200
+
+enum log_classes {
+ LOG_MISC, LOG_TRANSPORT, LOG_MESSAGE, LOG_CRYPTO, LOG_TIMER, LOG_SYSDEP,
+ LOG_SA, LOG_EXCHANGE, LOG_NEGOTIATION, LOG_POLICY, LOG_ENDCLASS
+};
+#define LOG_CLASSES_TEXT \
+ { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch", "Negt", \
+ "Plcy" }
+
+/*
+ * "Class" LOG_REPORT will always be logged to the current log channel,
+ * regardless of level.
+ */
+#define LOG_PRINT -1
+#define LOG_REPORT -2
+
+#ifdef USE_DEBUG
+
+#define LOG_DBG(x) log_debug x
+#define LOG_DBG_BUF(x) log_debug_buf x
+
+extern void log_debug (int, int, const char *, ...);
+extern void log_debug_buf (int, int, const char *, const u_int8_t *, size_t);
+extern void log_debug_cmd (int, int);
+
+#define PCAP_FILE_DEFAULT "/var/run/gdoid.pcap"
+extern void log_packet_init (char *);
+extern void log_packet_iov (struct sockaddr *, struct sockaddr *,
+ struct iovec *, int);
+extern void log_packet_restart (char *);
+extern void log_packet_stop (void);
+
+#else /* !USE_DEBUG */
+
+#define LOG_DBG(x)
+#define LOG_DBG_BUF(x)
+
+#endif /* USE_DEBUG */
+
+extern FILE *log_current (void);
+extern void log_error (const char *, ...);
+extern void log_fatal (const char *, ...);
+extern void log_print (const char *, ...);
+extern void log_to (FILE *);
+extern void log_init (void);
+
+#endif /* _LOG_H_ */
diff --git a/src/math_2n.c b/src/math_2n.c
new file mode 100644
index 0000000..fbddb25
--- /dev/null
+++ b/src/math_2n.c
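Review bot: The variadic logging prototypes (`log_debug`, `log_error`, `log_fatal`, `log_print`) carry no printf-format annotation, so a mismatch between a format string and its arguments at any call site compiles silently. log.c in this same commit already needs an `#ifdef OSX` cast to make `%06ld` match `tv_usec`, which is exactly the kind of mismatch the compiler can catch for callers. Where the build uses GCC or Clang I would declare, for example, `extern void log_print (const char *, ...) __attribute__ ((format (printf, 1, 2)));` and use `format (printf, 3, 4)` for `log_debug`, wrapped in a macro that expands to nothing on other compilers.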
@@ -0,0 +1,1152 @@
+/* $Id: math_2n.c,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_2n.c,v $ */
+
+/* $OpenBSD: math_2n.c,v 1.8 2001/04/09 22:09:52 ho Exp $ */
+/* $EOM: math_2n.c,v 1.15 1999/04/20 09:23:30 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +/* + * B2N is a module for doing arithmetic on the Field GF(2**n) which is + * isomorph to ring of polynomials GF(2)[x]/p(x) where p(x) is an + * irreduciable polynomial over GF(2)[x] with grade n. + * + * First we need functions which operate on GF(2)[x], operation + * on GF(2)[x]/p(x) can be done as for Z_p then. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "math_2n.h" +#include "util.h" + +static u_int8_t hex2int (char); + +static char int2hex[] = "0123456789abcdef"; +CHUNK_TYPE b2n_mask[CHUNK_BITS] = { + 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80, +#if CHUNK_BITS > 8 + 0x0100,0x0200,0x0400,0x0800,0x1000,0x2000,0x4000,0x8000, +#if CHUNK_BITS > 16 + 0x00010000,0x00020000,0x00040000,0x00080000, + 0x00100000,0x00200000,0x00400000,0x00800000, + 0x01000000,0x02000000,0x04000000,0x08000000, + 0x10000000,0x20000000,0x40000000,0x80000000, +#endif +#endif +}; + +/* Convert a hex character to its integer value. 
*/ +static u_int8_t +hex2int (char c) +{ + if (c <= '9') + return c - '0'; + if (c <= 'f') + return 10 + c - 'a'; + + return 0; +} + +int +b2n_random (b2n_ptr n, u_int32_t bits) +{ + if (b2n_resize (n, (CHUNK_MASK + bits) >> CHUNK_SHIFTS)) + return -1; + + getrandom ((u_int8_t *)n->limp, CHUNK_BYTES * n->chunks); + + /* Get the number of significant bits right */ + if (bits & CHUNK_MASK) + { + CHUNK_TYPE m = (((1 << ((bits & CHUNK_MASK)-1)) - 1) << 1) | 1; + n->limp[n->chunks-1] &= m; + } + + n->dirty = 1; + return 0; +} + +/* b2n management functions */ + +void +b2n_init (b2n_ptr n) +{ + n->chunks = 0; + n->limp = 0; +} + +void +b2n_clear (b2n_ptr n) +{ + if (n->limp) + free (n->limp); +} + +int +b2n_resize (b2n_ptr n, unsigned int chunks) +{ + int old = n->chunks; + int size; + CHUNK_TYPE *new; + + if (chunks == 0) + chunks = 1; + + if (chunks == old) + return 0; + + size = CHUNK_BYTES * chunks; + + new = realloc (n->limp, size); + if (!new) + return -1; + + n->limp = new; + n->chunks = chunks; + n->bits = chunks << CHUNK_SHIFTS; + n->dirty = 1; + + if (chunks > old) + memset (n->limp + old, 0, size - CHUNK_BYTES * old); + + return 0; +} + +/* Simple assignment functions. 
*/ + +int +b2n_set (b2n_ptr d, b2n_ptr s) +{ + if (d == s) + return 0; + + b2n_sigbit (s); + if (b2n_resize (d, (CHUNK_MASK + s->bits) >> CHUNK_SHIFTS)) + return -1; + memcpy (d->limp, s->limp, CHUNK_BYTES * d->chunks); + d->bits = s->bits; + d->dirty = s->dirty; + return 0; +} + +int +b2n_set_null (b2n_ptr n) +{ + if (b2n_resize (n, 1)) + return -1; + n->limp[0] = n->bits = n->dirty = 0; + return 0; +} + +int +b2n_set_ui (b2n_ptr n, unsigned int val) +{ +#if CHUNK_BITS < 32 + int i, chunks; + + chunks = (CHUNK_BYTES - 1 + sizeof (val)) / CHUNK_BYTES; + + if (b2n_resize (n, chunks)) + return -1; + + for (i = 0; i < chunks; i++) + { + n->limp[i] = val & CHUNK_BMASK; + val >>= CHUNK_BITS; + } +#else + if (b2n_resize (n, 1)) + return -1; + n->limp[0] = val; +#endif + n->dirty = 1; + return 0; +} + +/* XXX This one only takes hex at the moment. */ +int +b2n_set_str (b2n_ptr n, char *str) +{ + int i, j, w, len, chunks; + CHUNK_TYPE tmp; + + if (strncasecmp (str, "0x", 2)) + return -1; + + /* Make the hex string even lengthed */ + len = strlen (str) - 2; + if (len & 1) + { + len ++; + str ++; + } + else + str += 2; + + len /= 2; + + chunks = (CHUNK_BYTES - 1 + len) / CHUNK_BYTES; + if (b2n_resize (n, chunks)) + return -1; + memset (n->limp, 0, CHUNK_BYTES * n->chunks); + + for (w = 0, i = 0; i < chunks; i++) + { + tmp = 0; + for (j = (i == 0 ? ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES); j > 0; + j--) + { + tmp <<= 8; + tmp |= (hex2int (str[w]) << 4) | hex2int (str[w + 1]); + w += 2; + } + n->limp[chunks - 1 - i] = tmp; + } + + n->dirty = 1; + return 0; +} + +/* Output function, mainly for debugging purposes. */ +void +b2n_print (b2n_ptr n) +{ + int i, j, w, flag = 0; + int left; + char buffer[2 * CHUNK_BYTES]; + CHUNK_TYPE tmp; + + left = ((((7 + b2n_sigbit (n)) >> 3) - 1) % CHUNK_BYTES) + 1; + printf ("0x"); + for (i = 0; i < n->chunks; i++) + { + tmp = n->limp[n->chunks - 1 - i]; + memset (buffer, '0', sizeof (buffer)); + for (w = 0, j = (i == 0 ? 
left : CHUNK_BYTES); j > 0; j--) + { + buffer[w++] = int2hex[(tmp >> 4) & 0xf]; + buffer[w++] = int2hex[tmp & 0xf]; + tmp >>= 8; + } + + for (j = (i == 0 ? left - 1: CHUNK_BYTES - 1); j >= 0; j--) + if (flag || (i == n->chunks - 1 && j == 0) || + buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') + { + putchar (buffer[2 * j]); + putchar (buffer[2 * j + 1]); + flag = 1; + } + } + printf ("\n"); +} + +int +b2n_sprint (char *buf, b2n_ptr n) +{ + int i, k, j, w, flag = 0; + int left; + char buffer[2 * CHUNK_BYTES]; + CHUNK_TYPE tmp; + + left = ((((7 + b2n_sigbit (n)) >> 3) - 1) % CHUNK_BYTES) + 1; + + strcpy (buf, "0x"); k = 2; + for (i = 0; i < n->chunks; i++) + { + tmp = n->limp[n->chunks - 1 - i]; + memset (buffer, '0', sizeof (buffer)); + for (w = 0, j = (i == 0 ? left : CHUNK_BYTES); j > 0; j--) + { + buffer[w++] = int2hex[(tmp >> 4) & 0xf]; + buffer[w++] = int2hex[tmp & 0xf]; + tmp >>= 8; + } + + for (j = (i == 0 ? left - 1: CHUNK_BYTES - 1); j >= 0; j--) + if (flag || (i == n->chunks - 1 && j == 0) || + buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') + { + buf[k++] = buffer[2 * j]; + buf[k++] = buffer[2 * j + 1]; + flag = 1; + } + } + + buf[k++] = 0; + return k; +} + +/* Arithmetic functions. */ + +u_int32_t +b2n_sigbit (b2n_ptr n) +{ + int i, j; + + if (!n->dirty) + return n->bits; + + for (i = n->chunks - 1; i > 0; i--) + if (n->limp[i]) + break; + + if (!n->limp[i]) + return 0; + + for (j = CHUNK_MASK; j > 0; j--) + if (n->limp[i] & b2n_mask[j]) + break; + + n->bits = (i << CHUNK_SHIFTS) + j + 1; + n->dirty = 0; + return n->bits; +} + +/* Addition on GF(2)[x] is nice, its just an XOR. 
*/ +int +b2n_add (b2n_ptr d, b2n_ptr a, b2n_ptr b) +{ + int i; + b2n_ptr bmin, bmax; + + if (!b2n_cmp_null (a)) + return b2n_set (d, b); + + if (!b2n_cmp_null (b)) + return b2n_set (d, a); + + bmin = B2N_MIN (a,b); + bmax = B2N_MAX (a,b); + + if (b2n_resize (d, bmax->chunks)) + return -1; + + for (i = 0; i < bmin->chunks; i++) + d->limp[i] = bmax->limp[i] ^ bmin->limp[i]; + + /* + * If d is not bmax, we have to copy the rest of the bytes, and also + * need to adjust to number of relevant bits. + */ + if (d != bmax) + { + for ( ; i < bmax->chunks; i++) + d->limp[i] = bmax->limp[i]; + + d->bits = bmax->bits; + } + + /* + * Help to converse memory. When the result of the addition is zero + * truncate the used amount of memory. + */ + if (d != bmax && !b2n_cmp_null (d)) + return b2n_set_null (d); + else + d->dirty = 1; + return 0; +} + +/* Compare two polynomials. */ +int +b2n_cmp (b2n_ptr n, b2n_ptr m) +{ + int sn, sm; + int i; + + sn = b2n_sigbit (n); + sm = b2n_sigbit (m); + + if (sn > sm) + return 1; + if (sn < sm) + return -1; + + for (i = n->chunks-1; i >= 0; i--) + if (n->limp[i] > m->limp[i]) + return 1; + else if (n->limp[i] < m->limp[i]) + return -1; + + return 0; +} + +int +b2n_cmp_null (b2n_ptr a) +{ + int i = 0; + + do + { + if (a->limp[i]) + return 1; + } + while (++i < a->chunks); + + return 0; +} + +/* Left shift, needed for polynomial multiplication. */ +int +b2n_lshift (b2n_ptr d, b2n_ptr n, unsigned int s) +{ + int i, maj, min, chunks; + u_int16_t bits = b2n_sigbit (n), add; + CHUNK_TYPE *p, *op; + + if (!s) + return b2n_set (d, n); + + maj = s >> CHUNK_SHIFTS; + min = s & CHUNK_MASK; + + add = (!(bits & CHUNK_MASK) || ((bits & CHUNK_MASK) + min) > CHUNK_MASK) + ? 
1 : 0; + chunks = n->chunks; + if (b2n_resize (d, chunks + maj + add)) + return -1; + memmove (d->limp + maj, n->limp, CHUNK_BYTES * chunks); + + if (maj) + memset (d->limp, 0, CHUNK_BYTES * maj); + if (add) + d->limp[d->chunks - 1] = 0; + + /* If !min there are no bit shifts, we are done */ + if (!min) + return 0; + + op = p = &d->limp[d->chunks - 1]; + for (i = d->chunks - 2; i >= maj; i--) + { + op--; + *p-- = (*p << min) | (*op >> (CHUNK_BITS - min)); + } + *p <<= min; + + d->dirty = 0; + d->bits = bits + (maj << CHUNK_SHIFTS) + min; + return 0; +} + +/* Right shift, needed for polynomial division. */ +int +b2n_rshift (b2n_ptr d, b2n_ptr n, unsigned int s) +{ + int maj, min, size = n->chunks, newsize; + b2n_ptr tmp; + + if (!s) + return b2n_set (d, n); + + maj = s >> CHUNK_SHIFTS; + + newsize = size - maj; + + if (size < maj) + return b2n_set_null (d); + + min = (CHUNK_BITS - (s & CHUNK_MASK)) & CHUNK_MASK; + if (min) + { + if ((b2n_sigbit (n) & CHUNK_MASK) > min) + newsize++; + + if (b2n_lshift (d, n, min)) + return -1; + tmp = d; + } + else + tmp = n; + + memmove (d->limp, tmp->limp + maj + (min ? 1 : 0), CHUNK_BYTES * newsize); + if (b2n_resize (d, newsize)) + return -1; + + d->bits = tmp->bits - ((maj + (min ? 1 : 0)) << CHUNK_SHIFTS); + return 0; +} + +/* Normal polynomial multiplication. 
*/ +int +b2n_mul (b2n_ptr d, b2n_ptr n, b2n_ptr m) +{ + int i, j; + b2n_t tmp, tmp2; + + if (!b2n_cmp_null (m) || !b2n_cmp_null (n)) + return b2n_set_null (d); + + if (b2n_sigbit (m) == 1) + return b2n_set (d, n); + + if (b2n_sigbit (n) == 1) + return b2n_set (d, m); + + b2n_init (tmp); + b2n_init (tmp2); + + if (b2n_set (tmp, B2N_MAX (n, m))) + goto fail; + if (b2n_set (tmp2, B2N_MIN (n, m))) + goto fail; + + if (b2n_set_null (d)) + goto fail; + + for (i = 0; i < tmp2->chunks; i++) + if (tmp2->limp[i]) + for (j = 0; j < CHUNK_BITS; j++) + { + if (tmp2->limp[i] & b2n_mask[j]) + if (b2n_add (d, d, tmp)) + goto fail; + + if (b2n_lshift (tmp, tmp, 1)) + goto fail; + } + else + if (b2n_lshift (tmp, tmp, CHUNK_BITS)) + goto fail; + + b2n_clear (tmp); + b2n_clear (tmp2); + return 0; + + fail: + b2n_clear (tmp); + b2n_clear (tmp2); + return -1; +} + +/* + * Squaring in this polynomial ring is more efficient than normal + * multiplication. + */ +int +b2n_square (b2n_ptr d, b2n_ptr n) +{ + int i, j, maj, min, bits, chunk; + b2n_t t; + + maj = b2n_sigbit (n); + min = maj & CHUNK_MASK; + maj = (maj + CHUNK_MASK) >> CHUNK_SHIFTS; + + b2n_init (t); + if (b2n_resize (t, 2 * maj + ((CHUNK_MASK + 2 * min) >> CHUNK_SHIFTS))) + { + b2n_clear (t); + return -1; + } + + chunk = 0; + bits = 0; + + for (i = 0; i < maj; i++) + if (n->limp[i]) + for (j = 0; j < CHUNK_BITS; j++) + { + if (n->limp[i] & b2n_mask[j]) + t->limp[chunk] ^= b2n_mask[bits]; + + bits += 2; + if (bits >= CHUNK_BITS) + { + chunk++; + bits &= CHUNK_MASK; + } + } + else + chunk += 2; + + t->dirty = 1; + B2N_SWAP (d, t); + b2n_clear (t); + return 0; +} + +/* + * Normal polynomial division. + * These functions are far from optimal in speed. 
+ */ +int +b2n_div_q (b2n_ptr d, b2n_ptr n, b2n_ptr m) +{ + b2n_t r; + int rv; + + b2n_init (r); + rv = b2n_div (d, r, n, m); + b2n_clear (r); + return rv; +} + +int +b2n_div_r (b2n_ptr r, b2n_ptr n, b2n_ptr m) +{ + b2n_t q; + int rv; + + b2n_init (q); + rv = b2n_div (q, r, n, m); + b2n_clear (q); + return rv; +} + +int +b2n_div (b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m) +{ + int sn, sm, i, j, len, bits; + b2n_t nenn, div, shift, mask; + + /* If Teiler > Zaehler, the result is 0 */ + if ((sm = b2n_sigbit (m)) > (sn = b2n_sigbit (n))) + { + if (b2n_set_null (q)) + return -1; + return b2n_set (r, n); + } + + if (sm == 0) + /* Division by Zero */ + return -1; + else if (sm == 1) + { + /* Division by the One-Element */ + if (b2n_set (q, n)) + return -1; + return b2n_set_null (r); + } + + b2n_init (nenn); + b2n_init (div); + b2n_init (shift); + b2n_init (mask); + + if (b2n_set (nenn, n)) + goto fail; + if (b2n_set (div, m)) + goto fail; + if (b2n_set (shift, m)) + goto fail; + if (b2n_set_ui (mask, 1)) + goto fail; + + if (b2n_resize (q, (sn - sm + CHUNK_MASK) >> CHUNK_SHIFTS)) + goto fail; + memset (q->limp, 0, CHUNK_BYTES * q->chunks); + + if (b2n_lshift (shift, shift, sn - sm)) + goto fail; + if (b2n_lshift (mask, mask, sn - sm)) + goto fail; + + /* Number of significant octets */ + len = (sn - 1) >> CHUNK_SHIFTS; + /* The first iteration is done over the relevant bits */ + bits = (CHUNK_MASK + sn) & CHUNK_MASK; + for (i = len; i >= 0 && b2n_sigbit (nenn) >= sm; i--) + for (j = (i == len ? 
bits : CHUNK_MASK); j >= 0 && b2n_sigbit (nenn) >= sm; + j--) + { + if (nenn->limp[i] & b2n_mask[j]) + { + if (b2n_sub (nenn, nenn, shift)) + goto fail; + if (b2n_add (q, q, mask)) + goto fail; + } + if (b2n_rshift (shift, shift, 1)) + goto fail; + if (b2n_rshift (mask, mask, 1)) + goto fail; + } + + B2N_SWAP (r, nenn); + + b2n_clear (nenn); + b2n_clear (div); + b2n_clear (shift); + b2n_clear (mask); + return 0; + +fail: + b2n_clear (nenn); + b2n_clear (div); + b2n_clear (shift); + b2n_clear (mask); + return -1; +} + +/* Functions for Operation on GF(2**n) ~= GF(2)[x]/p(x). */ +int +b2n_mod (b2n_ptr m, b2n_ptr n, b2n_ptr p) +{ + int bits, size; + + if (b2n_div_r (m, n, p)) + return -1; + + bits = b2n_sigbit (m); + size = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS); + if (size == 0) + size = 1; + if (m->chunks > size) + if (b2n_resize (m, size)) + return -1; + + m->bits = bits; + m->dirty = 0; + return 0; +} + +int +b2n_gcd (b2n_ptr e, b2n_ptr go, b2n_ptr ho) +{ + b2n_t g, h; + + b2n_init (g); + b2n_init (h); + if (b2n_set (g, go)) + goto fail; + if (b2n_set (h, ho)) + goto fail; + + while (b2n_cmp_null (h)) + { + if (b2n_mod (g, g, h)) + goto fail; + B2N_SWAP (g, h); + } + + B2N_SWAP (e, g); + + b2n_clear (g); + b2n_clear (h); + return 0; + +fail: + b2n_clear (g); + b2n_clear (h); + return -1; +} + +int +b2n_mul_inv (b2n_ptr ga, b2n_ptr be, b2n_ptr p) +{ + b2n_t a; + + b2n_init (a); + if (b2n_set_ui (a, 1)) + goto fail; + + if (b2n_div_mod (ga, a, be, p)) + goto fail; + + b2n_clear (a); + return 0; + + fail: + b2n_clear (a); + return -1; +} + +int +b2n_div_mod (b2n_ptr ga, b2n_ptr a, b2n_ptr be, b2n_ptr p) +{ + b2n_t s0, s1, s2, q, r0, r1; + + /* There is no multiplicative inverse to Null. 
*/ + if (!b2n_cmp_null (be)) + return b2n_set_null (ga); + + b2n_init (s0); + b2n_init (s1); + b2n_init (s2); + b2n_init (r0); + b2n_init (r1); + b2n_init (q); + + if (b2n_set (r0, p)) + goto fail; + if (b2n_set (r1, be)) + goto fail; + + if (b2n_set_null (s0)) + goto fail; + if (b2n_set (s1, a)) + goto fail; + + while (b2n_cmp_null (r1)) + { + if (b2n_div (q, r0, r0, r1)) + goto fail; + B2N_SWAP (r0, r1); + + if (b2n_mul (s2, q, s1)) + goto fail; + if (b2n_mod (s2, s2, p)) + goto fail; + if (b2n_sub (s2, s0, s2)) + goto fail; + + B2N_SWAP (s0, s1); + B2N_SWAP (s1, s2); + } + B2N_SWAP (ga, s0); + + b2n_clear (s0); + b2n_clear (s1); + b2n_clear (s2); + b2n_clear (r0); + b2n_clear (r1); + b2n_clear (q); + return 0; + +fail: + b2n_clear (s0); + b2n_clear (s1); + b2n_clear (s2); + b2n_clear (r0); + b2n_clear (r1); + b2n_clear (q); + return -1; +} + +/* + * The trace tells us if there do exist any square roots + * for 'a' in GF(2)[x]/p(x). The number of square roots is + * 2 - 2*Trace. + * If z is a square root, z + 1 is the other. + */ +int +b2n_trace (b2n_ptr ho, b2n_ptr a, b2n_ptr p) +{ + int i, m = b2n_sigbit (p) - 1; + b2n_t h; + + b2n_init (h); + if (b2n_set (h, a)) + goto fail; + + for (i = 0; i < m - 1; i++) + { + if (b2n_square (h, h)) + goto fail; + if (b2n_mod (h, h, p)) + goto fail; + + if (b2n_add (h, h, a)) + goto fail; + } + B2N_SWAP (ho, h); + + b2n_clear (h); + return 0; + + fail: + b2n_clear (h); + return -1; +} + +/* + * The halftrace yields the square root if the degree of the + * irreduceable polynomial is odd. 
+ */ +int +b2n_halftrace (b2n_ptr ho, b2n_ptr a, b2n_ptr p) +{ + int i, m = b2n_sigbit (p) - 1; + b2n_t h; + + b2n_init (h); + if (b2n_set (h, a)) + goto fail; + + for (i = 0; i < (m - 1) / 2; i++) + { + if (b2n_square (h, h)) + goto fail; + if (b2n_mod (h, h, p)) + goto fail; + if (b2n_square (h, h)) + goto fail; + if (b2n_mod (h, h, p)) + goto fail; + + if (b2n_add (h, h, a)) + goto fail; + } + + B2N_SWAP (ho, h); + + b2n_clear (h); + return 0; + + fail: + b2n_clear (h); + return -1; +} + +/* + * Solving the equation: y**2 + y = b in GF(2**m) where ip is the + * irreduceable polynomial. If m is odd, use the half trace. + */ +int +b2n_sqrt (b2n_ptr zo, b2n_ptr b, b2n_ptr ip) +{ + int i, m = b2n_sigbit (ip) - 1; + b2n_t w, p, temp, z; + + if (!b2n_cmp_null (b)) + return b2n_set_null (z); + + if (m & 1) + return b2n_halftrace (zo, b, ip); + + b2n_init (z); + b2n_init (w); + b2n_init (p); + b2n_init (temp); + + do + { + if (b2n_random (p, m)) + goto fail; + if (b2n_set_null (z)) + goto fail; + if (b2n_set (w, p)) + goto fail; + + for (i = 1; i < m; i++) + { + if (b2n_square (z, z)) /* z**2 */ + goto fail; + if (b2n_mod (z, z, ip)) + goto fail; + + if (b2n_square (w, w)) /* w**2 */ + goto fail; + if (b2n_mod (w, w, ip)) + goto fail; + + if (b2n_mul (temp, w, b)) /* w**2 * b */ + goto fail; + if (b2n_mod (temp, temp, ip)) + goto fail; + if (b2n_add (z, z, temp)) /* z**2 + w**2 + b */ + goto fail; + + if (b2n_add (w, w, p)) /* w**2 + p */ + goto fail; + } + } + while (!b2n_cmp_null (w)); + + B2N_SWAP (zo, z); + + b2n_clear (w); + b2n_clear (p); + b2n_clear (temp); + b2n_clear (z); + return 0; + + fail: + b2n_clear (w); + b2n_clear (p); + b2n_clear (temp); + b2n_clear (z); + return -1; +} + +/* Exponentiation modulo a polynomial. 
*/ +int +b2n_exp_mod (b2n_ptr d, b2n_ptr b0, u_int32_t e, b2n_ptr p) +{ + b2n_t u, b; + + b2n_init (u); + b2n_init (b); + if (b2n_set_ui (u, 1)) + goto fail; + if (b2n_mod (b, b0, p)) + goto fail; + + while (e) + { + if (e & 1) + { + if (b2n_mul (u, u, b)) + goto fail; + if (b2n_mod (u, u, p)) + goto fail; + } + if (b2n_square (b, b)) + goto fail; + if (b2n_mod (b, b, p)) + goto fail; + e >>= 1; + } + + B2N_SWAP (d, u); + + b2n_clear (u); + b2n_clear (b); + return 0; + + fail: + b2n_clear (u); + b2n_clear (b); + return -1; +} + +/* + * Low-level function to speed up scalar multiplication with + * elliptic curves. + * Multiplies a normal number by 3. + */ + +/* Normal addition behaves as Z_{2**n} and not F_{2**n}. */ +int +b2n_nadd (b2n_ptr d0, b2n_ptr a0, b2n_ptr b0) +{ + int i, carry; + b2n_ptr a, b; + b2n_t d; + + if (!b2n_cmp_null (a0)) + return b2n_set (d0, b0); + + if (!b2n_cmp_null (b0)) + return b2n_set (d0, a0); + + b2n_init (d); + a = B2N_MAX (a0, b0); + b = B2N_MIN (a0, b0); + + if (b2n_resize (d, a->chunks + 1)) + { + b2n_clear (d); + return -1; + } + + for (carry = i = 0; i < b->chunks; i++) + { + d->limp[i] = a->limp[i] + b->limp[i] + carry; + carry = (d->limp[i] < a->limp[i] ? 1 : 0); + } + + for (; i < a->chunks && carry; i++) + { + d->limp[i] = a->limp[i] + carry; + carry = (d->limp[i] < a->limp[i] ? 1 : 0); + } + + if (i < a->chunks) + memcpy (d->limp + i, a->limp + i, CHUNK_BYTES * (a->chunks - i)); + + d->dirty = 1; + B2N_SWAP (d0, d); + + b2n_clear (d); + return 0; +} + +/* Very special sub, a > b. */ +int +b2n_nsub (b2n_ptr d0, b2n_ptr a, b2n_ptr b) +{ + int i, carry; + b2n_t d; + + if (b2n_cmp (a, b) <= 0) + return b2n_set_null (d0); + + b2n_init (d); + if (b2n_resize (d, a->chunks)) + { + b2n_clear (d); + return -1; + } + + for (carry = i = 0; i < b->chunks; i++) + { + d->limp[i] = a->limp[i] - b->limp[i] - carry; + carry = (d->limp[i] > a->limp[i] ? 
1 : 0); + } + + for (; i < a->chunks && carry; i++) + { + d->limp[i] = a->limp[i] - carry; + carry = (d->limp[i] > a->limp[i] ? 1 : 0); + } + + if (i < a->chunks) + memcpy (d->limp + i, a->limp + i, CHUNK_BYTES*(a->chunks - i)); + + d->dirty = 1; + + B2N_SWAP (d0, d); + + b2n_clear (d); + return 0; +} + +int +b2n_3mul (b2n_ptr d0, b2n_ptr e) +{ + b2n_t d; + + b2n_init (d); + if (b2n_lshift (d, e, 1)) + goto fail; + + if (b2n_nadd (d0, d, e)) + goto fail; + + b2n_clear (d); + return 0; + + fail: + b2n_clear (d); + return -1; +} diff --git a/src/math_2n.h b/src/math_2n.h new file mode 100644 index 0000000..b2e2fd2 --- /dev/null +++ b/src/math_2n.h 
@@ -0,0 +1,140 @@
+/* $Id: math_2n.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_2n.h,v $ */
+
+/* $OpenBSD: math_2n.h,v 1.4 1999/04/19 19:56:23 niklas Exp $ */
+/* $EOM: math_2n.h,v 1.9 1999/04/17 23:20:32 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _MATH_2N_H
+#define _MATH_2N_H_
+
+/*
+ * The chunk size we use is variable, this allows speed ups
+ * for processors like the Alpha with 64bit words.
+ * XXX - b2n_mask is only up to 32 bit at the moment.
+ */
+
+#define USE_32BIT /* XXX - This obviously needs fixing */
+
+#ifdef USE_32BIT
+#define CHUNK_TYPE u_int32_t
+#define CHUNK_BITS 32
+#define CHUNK_SHIFTS 5
+#define CHUNK_BMASK 0xffffffff
+#define CHUNK_MASK (CHUNK_BITS - 1)
+#define CHUNK_BYTES (CHUNK_BITS >> 3)
+#define CHUNK_NIBBLES (CHUNK_BITS >> 2)
+#else
+#define CHUNK_TYPE u_int8_t
+#define CHUNK_BITS 8
+#define CHUNK_SHIFTS 3
+#define CHUNK_BMASK 0xff
+#define CHUNK_MASK (CHUNK_BITS - 1)
+#define CHUNK_BYTES (CHUNK_BITS >> 3)
+#define CHUNK_NIBBLES (CHUNK_BITS >> 2)
+#endif
+
+extern CHUNK_TYPE b2n_mask[CHUNK_BITS];
+
+/* An element of GF(2**n), n = bits */
+
+typedef struct {
+ u_int16_t chunks;
+ u_int16_t bits;
+ u_int8_t dirty; /* Sig bits are dirty */
+ CHUNK_TYPE *limp;
+} _b2n;
+
+typedef _b2n *b2n_ptr;
+typedef _b2n b2n_t[1];
+
+#define B2N_SET(x,y) do \
+ { \
+ (x)->chunks = (y)->chunks; \
+ (x)->bits = (y)->bits; \
+ (x)->limp = (y)->limp; \
+ (x)->dirty = (y)->dirty; \
+ } \
+while (0)
+
+#define B2N_SWAP(x,y) do \
+ { \
+ b2n_t _t_; \
+\
+ B2N_SET (_t_, (x)); \
+ B2N_SET ((x), (y)); \
+ B2N_SET ((y), _t_); \
+ } \
+while (0)
+
+#define B2N_MIN(x,y) ((x)->chunks > (y)->chunks ? (y) : (x))
+#define B2N_MAX(x,y) ((x)->chunks > (y)->chunks ? (x) : (y))
+
+int b2n_3mul (b2n_ptr, b2n_ptr);
+int b2n_add (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_cmp (b2n_ptr, b2n_ptr);
+int b2n_cmp_null (b2n_ptr);
+int b2n_div (b2n_ptr, b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_div_mod (b2n_ptr, b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_div_q (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_div_r (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_exp_mod (b2n_ptr, b2n_ptr, u_int32_t, b2n_ptr);
+void b2n_init (b2n_ptr);
+void b2n_clear (b2n_ptr);
+int b2n_gcd (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_halftrace (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_lshift (b2n_ptr, b2n_ptr, unsigned int);
+int b2n_mod (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_mul (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_mul_inv (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_nadd (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_nsub (b2n_ptr, b2n_ptr, b2n_ptr);
+void b2n_print (b2n_ptr);
+int b2n_random (b2n_ptr, u_int32_t);
+int b2n_resize (b2n_ptr, unsigned int);
+int b2n_rshift (b2n_ptr, b2n_ptr, unsigned int);
+int b2n_set (b2n_ptr, b2n_ptr);
+int b2n_set_null (b2n_ptr);
+int b2n_set_str (b2n_ptr, char *);
+int b2n_set_ui (b2n_ptr, unsigned int);
+u_int32_t b2n_sigbit (b2n_ptr);
+int b2n_sprint (char *, b2n_ptr);
+int b2n_sqrt (b2n_ptr, b2n_ptr, b2n_ptr);
+int b2n_square (b2n_ptr, b2n_ptr);
+#define b2n_sub b2n_add
+int b2n_trace (b2n_ptr, b2n_ptr, b2n_ptr);
+
+#endif /* _MATH_2N_H_ */
diff --git a/src/math_ec2n.c b/src/math_ec2n.c
new file mode 100644
index 0000000..af79d06
--- /dev/null
+++ b/src/math_ec2n.c
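Review bot: The include guard in math_2n.h tests one macro and defines another: `#ifndef _MATH_2N_H` is followed by `#define _MATH_2N_H_`, so the tested name is never defined and the guard does nothing. A second inclusion in the same translation unit would repeat the `_b2n`, `b2n_ptr` and `b2n_t` typedefs, which the anonymous struct makes conflicting. Use one name for both lines, e.g. `#ifndef MATH_2N_H` / `#define MATH_2N_H`, which also avoids the underscore-uppercase identifiers reserved for the implementation. math_ec2n.h in this patch has the same mismatch (`_MATH_EC2N_H` tested, `_MATH_EC2N_H_` defined), and its closing `#endif` comment names `_MATH_2N_H_`.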
@@ -0,0 +1,402 @@
+/* $Id: math_ec2n.c,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_ec2n.c,v $ */
+
+/* $OpenBSD: math_ec2n.c,v 1.7 1999/04/20 11:32:57 niklas Exp $ */
+/* $EOM: math_ec2n.c,v 1.9 1999/04/20 09:23:31 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#include
+#include
+
+#include "sysdep.h"
+
+#include "math_2n.h"
+#include "math_ec2n.h"
+
+void
+ec2np_init (ec2np_ptr n)
+{
+ b2n_init (n->x);
+ b2n_init (n->y);
+ n->inf = 0;
+}
+
+void
+ec2np_clear (ec2np_ptr n)
+{
+ b2n_clear (n->x);
+ b2n_clear (n->y);
+}
+
+int
+ec2np_set (ec2np_ptr d, ec2np_ptr n)
+{
+ if (d == n)
+ return 0;
+
+ d->inf = n->inf;
+ if (b2n_set (d->x, n->x))
+ return -1;
+ return b2n_set (d->y, n->y);
+}
+
+/* Group */
+
+void
+ec2ng_init (ec2ng_ptr n)
+{
+ b2n_init (n->a);
+ b2n_init (n->b);
+ b2n_init (n->p);
+}
+
+void
+ec2ng_clear (ec2ng_ptr n)
+{
+ b2n_clear (n->a);
+ b2n_clear (n->b);
+ b2n_clear (n->p);
+}
+
+int
+ec2ng_set (ec2ng_ptr d, ec2ng_ptr n)
+{
+ if (b2n_set (d->a, n->a))
+ return -1;
+ if (b2n_set (d->b, n->b))
+ return -1;
+ return b2n_set (d->p, n->p);
+}
+
+/* Arithmetic functions */
+
+int
+ec2np_right (b2n_ptr n, ec2np_ptr p, ec2ng_ptr g)
+{
+ b2n_t temp;
+
+ b2n_init (temp);
+
+ /* First calc x**3 + ax**2 + b */
+ if (b2n_square (n, p->x))
+ goto fail;
+ if (b2n_mod (n, n, g->p))
+ goto fail;
+
+ if (b2n_mul (temp, g->a, n)) /* a*x**2 */
+ goto fail;
+ if (b2n_mod (temp, temp, g->p))
+ goto fail;
+
+ if (b2n_mul (n, n, p->x)) /* x**3 */
+ goto fail;
+ if (b2n_mod (n, n, g->p))
+ goto fail;
+
+ if (b2n_add (n, n, temp))
+ goto fail;
+ if (b2n_add (n, n, g->b))
+ goto fail;
+
+ b2n_clear (temp);
+ return 0;
+
+ fail:
+ b2n_clear (temp);
+ return -1;
+}
+
+int
+ec2np_ison (ec2np_ptr p, ec2ng_ptr g)
+{
+ int res;
+
+ b2n_t x, y, temp;
+
+ if (p->inf)
+ return 1;
+
+ b2n_init (x);
+ b2n_init (y);
+ b2n_init (temp);
+
+ /* First calc x**3 + ax**2 + b */
+ if (ec2np_right (x, p, g))
+ goto fail;
+
+ /* Now calc y**2 + xy */
+ if (b2n_square (y, p->y))
+ goto fail;
+ if (b2n_mod (y, y, g->p))
+ goto fail;
+
+ if (b2n_mul (temp, p->y, p->x))
+ goto fail;
+ if (b2n_mod (temp, temp, g->p))
+ goto fail;
+
+ if (b2n_add (y, y, temp))
+ goto fail;
+
+ res = !b2n_cmp (x, y);
+
+ b2n_clear (x);
+ b2n_clear (y);
+ b2n_clear (temp);
+ return res;
+
+ fail:
+ b2n_clear (x);
+ b2n_clear (y);
+ b2n_clear (temp);
+ return -1;
+}
+
+int
+ec2np_find_y (ec2np_ptr p, ec2ng_ptr g)
+{
+ b2n_t right;
+
+ b2n_init (right);
+
+ if (ec2np_right (right, p, g)) /* Right sight of equation */
+ goto fail;
+ if (b2n_mul_inv (p->y, p->x, g->p))
+ goto fail;
+
+ if (b2n_square (p->y, p->y))
+ goto fail;
+ if (b2n_mod (p->y, p->y, g->p))
+ goto fail;
+
+ if (b2n_mul (right, right, p->y)) /* x^-2 * right */
+ goto fail;
+ if (b2n_mod (right, right, g->p))
+ goto fail;
+
+ if (b2n_sqrt (p->y, right, g->p)) /* Find root */
+ goto fail;
+ if (b2n_mul (p->y, p->y, p->x))
+ goto fail;
+ if (b2n_mod (p->y, p->y, g->p))
+ goto fail;
+
+ b2n_clear (right);
+ return 0;
+
+ fail:
+ b2n_clear (right);
+ return -1;
+}
+
+int
+ec2np_add (ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g)
+{
+ b2n_t lambda, temp;
+ ec2np_t pn;
+
+ /* Check for Neutral Element */
+ if (b->inf)
+ return ec2np_set (d, a);
+ if (a->inf)
+ return ec2np_set (d, b);
+
+ if (!b2n_cmp (a->x, b->x) && (b2n_cmp (a->y, b->y) || !b2n_cmp_null (a->x)))
+ {
+ d->inf = 1;
+ if (b2n_set_null (d->x))
+ return -1;
+ return b2n_set_null (d->y);
+ }
+
+ b2n_init (lambda);
+ b2n_init (temp);
+ ec2np_init (pn);
+
+ if (b2n_cmp (a->x, b->x))
+ {
+ if (b2n_add (temp, a->x, b->x))
+ goto fail;
+ if (b2n_add (lambda, a->y, b->y))
+ goto fail;
+ if (b2n_div_mod (lambda, lambda, temp, g->p))
+ goto fail;
+
+ if (b2n_square (pn->x, lambda))
+ goto fail;
+ if (b2n_mod (pn->x, pn->x, g->p))
+ goto fail;
+
+ if (b2n_add (pn->x, pn->x, lambda))
+ goto fail;
+ if (b2n_add (pn->x, pn->x, g->a))
+ goto fail;
+ if (b2n_add (pn->x, pn->x, a->x))
+ goto fail;
+ if (b2n_add (pn->x, pn->x, b->x))
+ goto fail;
+ }
+ else
+ {
+ if (b2n_div_mod (lambda, b->y, b->x, g->p))
+ goto fail;
+ if (b2n_add (lambda, lambda, b->x))
+ goto fail;
+
+ if (b2n_square (pn->x, lambda))
+ goto fail;
+ if (b2n_mod (pn->x, pn->x, g->p))
+ goto fail;
+ if (b2n_add (pn->x, pn->x, lambda))
+ goto fail;
+ if (b2n_add (pn->x, pn->x, g->a))
+ goto fail;
+ }
+
+ if (b2n_add (pn->y, b->x, pn->x))
+ goto fail;
+
+ if (b2n_mul (pn->y, pn->y, lambda))
+ goto fail;
+ if (b2n_mod (pn->y, pn->y, g->p))
+ goto fail;
+
+ if (b2n_add (pn->y, pn->y, pn->x))
+ goto fail;
+ if (b2n_add (pn->y, pn->y, b->y))
+ goto fail;
+
+ EC2NP_SWAP (d, pn);
+
+ ec2np_clear (pn);
+ b2n_clear (lambda);
+ b2n_clear (temp);
+ return 0;
+
+ fail:
+ ec2np_clear (pn);
+ b2n_clear (lambda);
+ b2n_clear (temp);
+ return -1;
+}
+
+int
+ec2np_mul (ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g)
+{
+ int i, j, bits, start;
+ b2n_t h, k;
+ ec2np_t q, mina;
+
+ if (!b2n_cmp_null (e))
+ {
+ d->inf = 1;
+ if (b2n_set_null (d->x))
+ return -1;
+ return b2n_set_null (d->y);
+ }
+
+ b2n_init (h);
+ b2n_init (k);
+ ec2np_init (q);
+ ec2np_init (mina);
+
+ if (ec2np_set (q, a))
+ goto fail;
+
+ /* Create the point -a. */
+ if (ec2np_set (mina, a))
+ goto fail;
+ if (b2n_add (mina->y, mina->y, mina->x))
+ goto fail;
+
+ if (b2n_set (k, e))
+ goto fail;
+ if (b2n_3mul (h, k))
+ goto fail;
+ if (b2n_resize (k, h->chunks))
+ goto fail;
+
+ /*
+ * This is low level but can not be avoided, since we have to do single
+ * bit checks on h and k.
+ */
+ bits = b2n_sigbit (h);
+ if ((bits & CHUNK_MASK) == 1)
+ {
+ start = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS) - 2;
+ bits = CHUNK_BITS;
+ }
+ else
+ {
+ start = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS) - 1;
+ bits = ((bits - 1) & CHUNK_MASK);
+ }
+
+ /*
+ * This is the addition, subtraction method which is faster because
+ * we avoid one out of three additions (mean).
+ */
+ for (i = start; i >= 0; i--)
+ for (j = (i == start ? bits : CHUNK_BITS) - 1; j >= 0; j--)
+ if (i > 0 || j > 0)
+ {
+ if (ec2np_add (q, q, q, g))
+ goto fail;
+ if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i] & b2n_mask[j]))
+ {
+ if (ec2np_add (q, q, a, g))
+ goto fail;
+ }
+ else if (!(h->limp[i] & b2n_mask[j]) && (k->limp[i] & b2n_mask[j]))
+ if (ec2np_add (q, q, mina, g))
+ goto fail;
+ }
+
+ EC2NP_SWAP (d, q);
+
+ b2n_clear (k);
+ b2n_clear (h);
+ ec2np_clear (q);
+ ec2np_clear (mina);
+ return 0;
+
+ fail:
+ b2n_clear (k);
+ b2n_clear (h);
+ ec2np_clear (q);
+ ec2np_clear (mina);
+ return -1;
+}
diff --git a/src/math_ec2n.h b/src/math_ec2n.h
new file mode 100644
index 0000000..0e8017d
--- /dev/null
+++ b/src/math_ec2n.h
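Review bot: ec2np_ison reads like a boolean predicate but has three outcomes: it returns 1 for a point on the curve (and for the point at infinity), 0 for a point off it, and -1 from the `fail:` path when one of the b2n calls returns non-zero. A caller that writes `if (ec2np_ison (p, g))` would therefore treat an internal failure as "on the curve"; the callers are not in this hunk, so this should be confirmed wherever received points are validated. I would state the contract above the function, `/* Returns 1 if p is on the curve, 0 if not, -1 on error; callers must test for == 1. */`, and have call sites compare against 1 explicitly.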
@@ -0,0 +1,102 @@
+/* $Id: math_ec2n.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_ec2n.h,v $ */
+
+/* $OpenBSD: math_ec2n.h,v 1.4 1999/04/19 21:22:49 niklas Exp $ */
+/* $EOM: math_ec2n.h,v 1.4 1999/04/17 23:20:37 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998 Niels Provos. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _MATH_EC2N_H
+#define _MATH_EC2N_H_
+
+/* Definitions for points on an elliptic curve */
+
+typedef struct {
+ int inf; /* Are we the point at infinity ? */
+ b2n_t x, y;
+} _ec2n_point;
+
+typedef _ec2n_point *ec2np_ptr;
+typedef _ec2n_point ec2np_t[1];
+
+#define EC2NP_SWAP(k,n) do \
+ { \
+ int _i_; \
+\
+ _i_ = (k)->inf; \
+ (k)->inf = (n)->inf; \
+ (n)->inf = _i_; \
+ B2N_SWAP ((k)->x, (n)->x); \
+ B2N_SWAP ((k)->y, (n)->y); \
+ } \
+while (0)
+
+void ec2np_init (ec2np_ptr);
+void ec2np_clear (ec2np_ptr);
+int ec2np_set (ec2np_ptr, ec2np_ptr);
+
+#define ec2np_set_x_ui(n, y) b2n_set_ui ((n)->x, y)
+#define ec2np_set_y_ui(n, x) b2n_set_ui ((n)->y, x)
+#define ec2np_set_x_str(n, y) b2n_set_str ((n)->x, y)
+#define ec2np_set_y_str(n, x) b2n_set_str ((n)->y, x)
+
+/* Definitions for the group to which the points to belong to. */
+
+typedef struct {
+ b2n_t a, b, p;
+} _ec2n_group;
+
+typedef _ec2n_group *ec2ng_ptr;
+typedef _ec2n_group ec2ng_t[1];
+
+void ec2ng_init (ec2ng_ptr);
+void ec2ng_clear (ec2ng_ptr);
+int ec2ng_set (ec2ng_ptr, ec2ng_ptr);
+
+#define ec2ng_set_a_ui(n, x) b2n_set_ui ((n)->a, x)
+#define ec2ng_set_b_ui(n, x) b2n_set_ui ((n)->b, x)
+#define ec2ng_set_p_ui(n, x) b2n_set_ui ((n)->p, x)
+#define ec2ng_set_a_str(n, x) b2n_set_str ((n)->a, x)
+#define ec2ng_set_b_str(n, x) b2n_set_str ((n)->b, x)
+#define ec2ng_set_p_str(n, x) b2n_set_str ((n)->p, x)
+
+/* Functions for computing on the elliptic group. */
+
+int ec2np_add (ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr);
+int ec2np_find_y (ec2np_ptr, ec2ng_ptr);
+int ec2np_ison (ec2np_ptr, ec2ng_ptr);
+int ec2np_mul (ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr);
+int ec2np_right (b2n_ptr n, ec2np_ptr, ec2ng_ptr);
+
+#endif /* _MATH_2N_H_ */
diff --git a/src/math_group.c b/src/math_group.c
new file mode 100644
index 0000000..1cc0b7b
--- /dev/null
+++ b/src/math_group.c
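Review bot: math_ec2n.h is not self-contained: `_ec2n_point`, `_ec2n_group` and the prototypes use `b2n_t` and `b2n_ptr`, and `EC2NP_SWAP` expands `B2N_SWAP`, but the header never includes math_2n.h. It compiles only when the includer pulls in math_2n.h first, as math_ec2n.c in this patch does. Adding `#include "math_2n.h"` after the guard would remove that ordering dependency, but only once the guard in math_2n.h works, because that guard also tests a different name than it defines. As a point of style, `ec2np_set_x_ui(n, y)` and `ec2np_set_y_ui(n, x)` name the value parameter after the opposite coordinate; a neutral name such as `v` would read better.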
@@ -0,0 +1,650 @@ +/* $Id: math_group.c,v 1.3 2005/10/11 17:57:39 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_group.c,v $ */ + +/* $OpenBSD: math_group.c,v 1.13 2001/04/09 22:09:52 ho Exp $ */ +/* $EOM: math_group.c,v 1.25 2000/04/07 19:53:26 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "gmp_util.h" +#include "log.h" +#include "math_2n.h" +#include "math_ec2n.h" +#include "math_group.h" +#include "math_mp.h" + +/* We do not want to export these definitions. */ +int modp_getlen (struct group *); +void modp_getraw (struct group *, math_mp_t, u_int8_t *); +int modp_setraw (struct group *, math_mp_t, u_int8_t *, int); +int modp_setrandom (struct group *, math_mp_t); +int modp_operation (struct group *, math_mp_t, math_mp_t, math_mp_t); + +int ec2n_getlen (struct group *); +void ec2n_getraw (struct group *, ec2np_ptr, u_int8_t *); +int ec2n_setraw (struct group *, ec2np_ptr, u_int8_t *, int); +int ec2n_setrandom (struct group *, ec2np_ptr); +int ec2n_operation (struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr); + +struct ec2n_group { + ec2np_t gen; /* Generator */ + ec2ng_t grp; + ec2np_t a, b, c, d; +}; + +struct modp_group { + math_mp_t gen; /* Generator */ + math_mp_t p; /* Prime */ + math_mp_t a, b, c, d; +}; + +/* + * This module provides access to the operations on the specified group + * and is absolutly free of any cryptographic devices. This is math :-). 
+ */ + +#define OAKLEY_GRP_1 1 +#define OAKLEY_GRP_2 2 +#define OAKLEY_GRP_3 3 +#define OAKLEY_GRP_4 4 +#define OAKLEY_GRP_5 5 + +/* Describe preconfigured MODP groups */ + +/* + * The Generalized Number Field Sieve has an asymptotic running time + * of: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))), where q is the + * group order, e.g. q = 2**768. + */ + +struct modp_dscr oakley_modp[] = +{ + { OAKLEY_GRP_1, 72, /* This group is insecure, only sufficient for DES */ + "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", + "0x02" + }, + { OAKLEY_GRP_2, 82, /* This group is a bit better */ + "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" + "FFFFFFFFFFFFFFFF", + "0x02" + }, + { OAKLEY_GRP_5, 102, /* This group is yet a bit better, but non-standard */ + "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", + "0x02" + } +}; + +#ifdef USE_EC +/* Describe preconfigured EC2N groups */ + +/* + * Related collision-search methods can compute discrete logarithmns + * in O(sqrt(r)), r being the subgroup order. 
+ */ + +struct ec2n_dscr oakley_ec2n[] = { + { OAKLEY_GRP_3, 76, /* This group is also considered insecure (P1363) */ + "0x0800000000000000000000004000000000000001", + "0x7b", + "0x00", + "0x7338f" }, + { OAKLEY_GRP_4, 91, + "0x020000000000000000000000000000200000000000000001", + "0x18", + "0x00", + "0x1ee9" }, +}; +#endif /* USE_EC */ + +/* XXX I want to get rid of the casting here. */ +struct group groups[] = { + { + MODP, OAKLEY_GRP_1, 0, &oakley_modp[0], 0, 0, 0, 0, 0, + (int (*) (struct group *))modp_getlen, + (void (*) (struct group *, void *, u_int8_t *))modp_getraw, + (int (*) (struct group *, void *, u_int8_t *, int))modp_setraw, + (int (*) (struct group *, void *))modp_setrandom, + (int (*) (struct group *, void *, void *, void *))modp_operation + }, + { + MODP, OAKLEY_GRP_2, 0, &oakley_modp[1], 0, 0, 0, 0, 0, + (int (*) (struct group *))modp_getlen, + (void (*) (struct group *, void *, u_int8_t *))modp_getraw, + (int (*) (struct group *, void *, u_int8_t *, int))modp_setraw, + (int (*) (struct group *, void *))modp_setrandom, + (int (*) (struct group *, void *, void *, void *))modp_operation + }, +#ifdef USE_EC + { + EC2N, OAKLEY_GRP_3, 0, &oakley_ec2n[0], 0, 0, 0, 0, 0, + (int (*) (struct group *))ec2n_getlen, + (void (*) (struct group *, void *, u_int8_t *))ec2n_getraw, + (int (*) (struct group *, void *, u_int8_t *, int))ec2n_setraw, + (int (*) (struct group *, void *))ec2n_setrandom, + (int (*) (struct group *, void *, void *, void *))ec2n_operation + }, + { + EC2N, OAKLEY_GRP_4, 0, &oakley_ec2n[1], 0, 0, 0, 0, 0, + (int (*) (struct group *))ec2n_getlen, + (void (*) (struct group *, void *, u_int8_t *))ec2n_getraw, + (int (*) (struct group *, void *, u_int8_t *, int))ec2n_setraw, + (int (*) (struct group *, void *))ec2n_setrandom, + (int (*) (struct group *, void *, void *, void *))ec2n_operation + }, +#endif /* USE_EC */ + { + MODP, OAKLEY_GRP_5, 0, &oakley_modp[2], 0, 0, 0, 0, 0, + (int (*) (struct group *))modp_getlen, + (void (*) (struct group *, 
void *, u_int8_t *))modp_getraw, + (int (*) (struct group *, void *, u_int8_t *, int))modp_setraw, + (int (*) (struct group *, void *))modp_setrandom, + (int (*) (struct group *, void *, void *, void *))modp_operation + } +}; + +/* + * Initalize the group structure for later use, + * this is done by converting the values given in the describtion + * and converting them to their native representation. + */ +void +group_init (void) +{ + int i; + + for (i = sizeof (groups) / sizeof (groups[0]) - 1; i >= 0; i--) + switch (groups[i].type) + { +#ifdef USE_EC + case EC2N: /* Initalize an Elliptic Curve over GF(2**n) */ + ec2n_init (&groups[i]); + break; +#endif + + case MODP: /* Initalize an over GF(p) */ + modp_init (&groups[i]); + break; + + default: + log_print ("Unknown group type %d at index %d in group_init().", + groups[i].type, i); + break; + } +} + +struct group * +group_get (int id) +{ + struct group *new, *clone; + + if (id < 1 || id > (sizeof (groups) / sizeof (groups[0]))) + { + log_print ("group_get: group ID (%d) out of range", id); + return 0; + } + + clone = &groups[id - 1]; + + new = malloc (sizeof *new); + if (!new) + { + log_error ("group_get: malloc (%d) failed", sizeof *new); + return 0; + } + + switch (clone->type) + { +#ifdef USE_EC + case EC2N: + new = ec2n_clone (new, clone); + break; +#endif + case MODP: + new = modp_clone (new, clone); + break; + default: + log_print ("group_get: unknown group type %d", clone->type); + free (new); + return 0; + } + LOG_DBG ((LOG_MISC, 70, "group_get: returning %p of group %d", new, + new->id)); + return new; +} + +void +group_free (struct group *grp) +{ + switch (grp->type) + { +#ifdef USE_EC + case EC2N: + ec2n_free (grp); + break; +#endif + case MODP: + modp_free (grp); + break; + default: + log_print ("group_free: unknown group type %d", grp->type); + break; + } + free (grp); +} + +struct group * +modp_clone (struct group *new, struct group *clone) +{ + struct modp_group *new_grp, *clone_grp = clone->group; 
+ + new_grp = malloc (sizeof *new_grp); + if (!new_grp) + { + log_print ("modp_clone: malloc (%d) failed", sizeof *new_grp); + free (new); + return 0; + } + + memcpy (new, clone, sizeof (struct group)); + + new->group = new_grp; +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_init_set (new_grp->p, clone_grp->p); + mpz_init_set (new_grp->gen, clone_grp->gen); + + mpz_init (new_grp->a); + mpz_init (new_grp->b); + mpz_init (new_grp->c); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + new_grp->p = BN_dup (clone_grp->p); + new_grp->gen = BN_dup (clone_grp->gen); + + new_grp->a = BN_new (); + new_grp->b = BN_new (); + new_grp->c = BN_new (); +#endif + + new->gen = new_grp->gen; + new->a = new_grp->a; + new->b = new_grp->b; + new->c = new_grp->c; + + return new; +} + +void +modp_free (struct group *old) +{ + struct modp_group *grp = old->group; + +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_clear (grp->p); + mpz_clear (grp->gen); + mpz_clear (grp->a); + mpz_clear (grp->b); + mpz_clear (grp->c); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + BN_clear_free (grp->p); + BN_clear_free (grp->gen); + BN_clear_free (grp->a); + BN_clear_free (grp->b); + BN_clear_free (grp->c); +#endif + + free (grp); +} + +void +modp_init (struct group *group) +{ + struct modp_dscr *dscr = (struct modp_dscr *)group->group; + struct modp_group *grp; + + grp = malloc (sizeof *grp); + if (!grp) + log_fatal ("modp_init: malloc (%d) failed", sizeof *grp); + + group->bits = dscr->bits; + +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_init_set_str (grp->p, dscr->prime, 0); + mpz_init_set_str (grp->gen, dscr->gen, 0); + + mpz_init (grp->a); + mpz_init (grp->b); + mpz_init (grp->c); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + grp->p = BN_new (); + BN_hex2bn (&grp->p, dscr->prime + 2); + grp->gen = BN_new (); + BN_hex2bn (&grp->gen, dscr->gen + 2); + + grp->a = BN_new (); + grp->b = BN_new (); + grp->c = BN_new (); +#endif + + group->gen = grp->gen; + group->a = grp->a; + group->b = grp->b; + group->c = grp->c; + + group->group = grp; +} + 
+#ifdef USE_EC +struct group * +ec2n_clone (struct group *new, struct group *clone) +{ + struct ec2n_group *new_grp, *clone_grp = clone->group; + + new_grp = malloc (sizeof *new_grp); + if (!new_grp) + { + log_error ("ec2n_clone: malloc (%d) failed", sizeof *new_grp); + free (new); + return 0; + } + + memcpy (new, clone, sizeof (struct group)); + + new->group = new_grp; + ec2ng_init (new_grp->grp); + ec2np_init (new_grp->gen); + ec2np_init (new_grp->a); + ec2np_init (new_grp->b); + ec2np_init (new_grp->c); + + if (ec2ng_set (new_grp->grp, clone_grp->grp)) + goto fail; + if (ec2np_set (new_grp->gen, clone_grp->gen)) + goto fail; + + new->gen = new_grp->gen; + new->a = new_grp->a; + new->b = new_grp->b; + new->c = new_grp->c; + new->d = ((ec2np_ptr)new->a)->x; + + return new; + + fail: + ec2ng_clear (new_grp->grp); + ec2np_clear (new_grp->gen); + ec2np_clear (new_grp->a); + ec2np_clear (new_grp->b); + ec2np_clear (new_grp->c); + free (new_grp); + free (new); + return 0; +} + +void +ec2n_free (struct group *old) +{ + struct ec2n_group *grp = old->group; + + ec2ng_clear (grp->grp); + ec2np_clear (grp->gen); + ec2np_clear (grp->a); + ec2np_clear (grp->b); + ec2np_clear (grp->c); + + free (grp); +} + +void +ec2n_init (struct group *group) +{ + struct ec2n_dscr *dscr = (struct ec2n_dscr *)group->group; + struct ec2n_group *grp; + + grp = malloc (sizeof *grp); + if (!grp) + log_fatal ("ec2n_init: malloc (%d) failed", sizeof *grp); + + group->bits = dscr->bits; + + ec2ng_init (grp->grp); + ec2np_init (grp->gen); + ec2np_init (grp->a); + ec2np_init (grp->b); + ec2np_init (grp->c); + + if (ec2ng_set_p_str (grp->grp, dscr->polynomial)) + goto fail; + grp->grp->p->bits = b2n_sigbit (grp->grp->p); + if (ec2ng_set_a_str (grp->grp, dscr->a)) + goto fail; + if (ec2ng_set_b_str (grp->grp, dscr->b)) + goto fail; + + if (ec2np_set_x_str (grp->gen, dscr->gen_x)) + goto fail; + if (ec2np_find_y (grp->gen, grp->grp)) + goto fail; + + /* Sanity check */ + if (!ec2np_ison (grp->gen, 
grp->grp)) + log_fatal ("ec2n_init: generator is not on curve"); + + group->gen = grp->gen; + group->a = grp->a; + group->b = grp->b; + group->c = grp->c; + group->d = ((ec2np_ptr)group->a)->x; + + group->group = grp; + return; + + fail: + log_fatal ("ec2n_init: general failure"); +} +#endif /* USE_EC */ + +int +modp_getlen (struct group *group) +{ + struct modp_group *grp = (struct modp_group *)group->group; + + return mpz_sizeinoctets (grp->p); +} + +void +modp_getraw (struct group *grp, math_mp_t v, u_int8_t *d) +{ + mpz_getraw (d, v, grp->getlen (grp)); +} + +int +modp_setraw (struct group *grp, math_mp_t d, u_int8_t *s, int l) +{ + mpz_setraw (d, s, l); + return 0; +} + +int +modp_setrandom (struct group *grp, math_mp_t d) +{ + int i, l = grp->getlen (grp); + u_int32_t tmp = 0; + +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_set_ui (d, 0); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + BN_set_word (d, 0); +#endif + + for (i = 0; i < l; i++) + { + if (i % 4) + tmp = random (); + +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_mul_2exp (d, d, 8); + mpz_add_ui (d, d, tmp & 0xFF); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + BN_lshift (d, d, 8); + BN_add_word (d, tmp & 0xFF); +#endif + tmp >>= 8; + } + return 0; +} + +int +modp_operation (struct group *group, math_mp_t d, math_mp_t a, math_mp_t e) +{ + struct modp_group *grp = (struct modp_group *)group->group; + +#if MP_FLAVOUR == MP_FLAVOUR_GMP + mpz_powm (d, a, e, grp->p); +#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL + BN_CTX *ctx = BN_CTX_new (); + BN_mod_exp (d, a, e, grp->p, ctx); + BN_CTX_free (ctx); +#endif + return 0; +} + +#ifdef USE_EC +int +ec2n_getlen (struct group *group) +{ + struct ec2n_group *grp = (struct ec2n_group *)group->group; + int bits = b2n_sigbit (grp->grp->p) - 1; + + return (7 + bits) >> 3; +} + +void +ec2n_getraw (struct group *group, ec2np_ptr xo, u_int8_t *e) +{ + struct ec2n_group *grp = (struct ec2n_group *)group->group; + int chunks, bytes, i, j; + b2n_ptr x = xo->x; + CHUNK_TYPE tmp; + + bytes = 
b2n_sigbit (grp->grp->p) - 1; + chunks = (CHUNK_MASK + bytes) >> CHUNK_SHIFTS; + bytes = ((7 + (bytes & CHUNK_MASK)) >> 3); + + for (i = chunks - 1; i >= 0; i--) + { + tmp = (i >= x->chunks ? 0 : x->limp[i]); + for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0; j--) + { + e[j] = tmp & 0xff; + tmp >>= 8; + } + e += (i == chunks - 1 ? bytes : CHUNK_BYTES); + } +} + +int +ec2n_setraw (struct group *grp, ec2np_ptr out, u_int8_t *s, int l) +{ + int len, bytes, i, j; + b2n_ptr outx = out->x; + CHUNK_TYPE tmp; + + len = (CHUNK_BYTES - 1 + l) / CHUNK_BYTES; + if (b2n_resize (outx, len)) + return -1; + + bytes = ((l - 1) % CHUNK_BYTES) + 1; + + for (i = len - 1; i >= 0; i--) + { + tmp = 0; + for (j = (i == len - 1 ? bytes : CHUNK_BYTES); j > 0; j--) + { + tmp <<= 8; + tmp |= *s++; + } + outx->limp[i] = tmp; + } + return 0; +} + +int +ec2n_setrandom (struct group *group, ec2np_ptr x) +{ + b2n_ptr d = x->x; + struct ec2n_group *grp = (struct ec2n_group *)group->group; + + return b2n_random (d, b2n_sigbit (grp->grp->p) - 1); +} + +/* + * This is an attempt at operation abstraction. It can happen + * that we need to initalize the y variable for the operation + * to proceed correctly. When this is the case operation has + * to supply the variable 'a' with the chunks of the Y cooridnate + * set to zero. + */ +int +ec2n_operation (struct group *grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e) +{ + b2n_ptr ex = e->x; + struct ec2n_group *group = (struct ec2n_group *)grp->group; + + if (a->y->chunks == 0) + if (ec2np_find_y (a, group->grp)) + return -1; + + return ec2np_mul (d, a, ex, group->grp); +} +#endif /* USE_EC */ diff --git a/src/math_group.h b/src/math_group.h new file mode 100644 index 0000000..68aecee --- /dev/null +++ b/src/math_group.h 
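Review bot: `modp_setrandom()` fills the group element, presumably the Diffie-Hellman secret, from `random()`, which in libc is a seeded non-cryptographic generator; unless `sysdep.h` remaps that name, the value is only as unpredictable as the generator state. The refill test in the same loop looks inverted: `if (i % 4)` skips the refill at i = 0, 4, 8, …, so the first byte appended is always zero and `random()` is called on three of every four iterations, whereas `if (i % 4 == 0)` matches the byte-at-a-time consumption through `tmp >>= 8`. Filling the value from a CSPRNG such as `arc4random_buf()` or `getrandom()` and rejecting a zero result would address both. Separately, `group_get()` indexes `groups[id - 1]`, which lines up with the Oakley ids only when `USE_EC` is defined; without it, id 3 selects the `OAKLEY_GRP_5` entry and id 5 is rejected as out of range.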
@@ -0,0 +1,101 @@ +/* $Id: math_group.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_group.h,v $ */ + +/* $OpenBSD: math_group.h,v 1.5 1999/04/19 20:00:24 niklas Exp $ */ +/* $EOM: math_group.h,v 1.7 1999/04/17 23:20:40 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _MATH_GROUP_H_ +#define _MATH_GROUP_H_ + +enum groups { + MODP, /* F_p, Z modulo a prime */ + EC2N, /* Elliptic Curve over the Field GF(2**N) */ + ECP, /* Elliptic Curve over the Field Z_p */ +}; + +/* + * The group on which diffie hellmann calculations are done. + */ + +struct group { + enum groups type; + int id; /* Group ID */ + int bits; /* Number of key bits provided by this group */ + void *group; + void *a, *b, *c, *d; + void *gen; /* Group Generator */ + int (*getlen) (struct group *); + void (*getraw) (struct group *, void *, u_int8_t *); + int (*setraw) (struct group *, void *, u_int8_t *, int); + int (*setrandom) (struct group *, void *); + int (*operation) (struct group *, void *, void *, void *); +}; + +/* Description of an Elliptic Group over GF(2**n) for Boot-Strapping */ + +struct ec2n_dscr { + int id; + int bits; /* Key Bits provided by this group */ + char *polynomial; /* Irreduceable polynomial */ + char *gen_x; /* X - Coord. 
of Generator */ + char *a, *b; /* Curve Parameters */ +}; + +/* Description of F_p for Boot-Strapping */ + +struct modp_dscr { + int id; + int bits; /* Key Bits provided by this group */ + char *prime; /* Prime */ + char *gen; /* Generator */ +}; + +/* Prototypes */ + +void group_init (void); +void group_free (struct group *); +struct group *group_get (int); + +void ec2n_free (struct group *); +struct group *ec2n_clone (struct group *, struct group *); +void ec2n_init (struct group *); + +void modp_free (struct group *); +struct group *modp_clone (struct group *, struct group *); +void modp_init (struct group *); + +#endif /* _MATH_GROUP_H_ */ diff --git a/src/math_mp.h b/src/math_mp.h new file mode 100644 index 0000000..e686209 --- /dev/null +++ b/src/math_mp.h 
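Review bot: The `getraw` callback in `struct group` takes a destination pointer but no length, and the header does not say how many bytes it writes. In math_group.c, `modp_getraw()` passes `grp->getlen (grp)` as the size and `ec2n_getraw()` derives its byte count from the field polynomial, so the caller's buffer apparently has to hold at least `getlen()` octets. Stating that next to the member, e.g. `/* getraw writes getlen() octets; the caller provides a buffer of at least that size */`, keeps the bound from living only in the callers. A matching line for `setraw` should say who validates the `int` length and the decoded value, since `modp_setraw()` forwards both unchecked and returns 0.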
@@ -0,0 +1,64 @@
+/* $Id: math_mp.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/math_mp.h,v $ */
+
+/* $OpenBSD: math_mp.h,v 1.4 2000/10/07 07:00:44 niklas Exp $ */
+/* $EOM: math_mp.h,v 1.4 2000/09/16 09:41:43 ho Exp $ */
+
+/*
+ * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _MATH_MP_H_
+#define _MATH_MP_H_
+
+#define MP_FLAVOUR_GMP 1
+#define MP_FLAVOUR_OPENSSL 2
+
+#if MP_FLAVOUR == MP_FLAVOUR_GMP
+
+#include
+
+#define math_mp_t mpz_t
+
+#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL
+
+#include
+
+typedef BIGNUM *math_mp_t;
+
+#else
+
+#error "No multiprecision math library chosen."
+
+#endif
+
+#endif /* _MATH_MP_H_ */
diff --git a/src/message.c b/src/message.c
new file mode 100644
index 0000000..160ea60
--- /dev/null
+++ b/src/message.c
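Review bot: `math_mp_t` is a preprocessor macro in the GMP branch (`#define math_mp_t mpz_t`) but a typedef in the OpenSSL branch, so under GMP the name ignores scope and is replaced textually wherever it appears. `typedef mpz_t math_mp_t;` would make the two branches parallel. A short comment should also record that the type is an embedded value under GMP and a pointer under OpenSSL, which is NULL after a failed `BN_new()` or `BN_dup()`; the callers in math_group.c use those results without checking them.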
@@ -0,0 +1,2222 @@ +/* $Id: message.c,v 1.8.2.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/message.c,v $ */ + +/* $OpenBSD: message.c,v 1.42 2001/04/24 07:27:37 niklas Exp $ */ +/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. 
+ */ + +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "attribute.h" +#include "cert.h" +#include "constants.h" +#include "crypto.h" +#include "doi.h" +#include "exchange.h" +#include "field.h" +#include "isakmp.h" +#include "log.h" +#include "message.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "util.h" +#include "gdoi_fld.h" +#include "gdoi_num.h" +#include "ipsec_num.h" + +#ifdef __GNUC__ +#define INLINE __inline +#else +#define INLINE +#endif + +/* A local set datatype, coincidentally fd_set suits our purpose fine. */ +typedef fd_set set; +#define ISSET FD_ISSET +#define SET FD_SET +#define ZERO FD_ZERO + +static int message_check_duplicate (struct message *); +static int message_encrypt (struct message *); +static int message_index_payload (struct message *, struct payload *, u_int8_t, + u_int8_t *); +static int message_parse_transform (struct message *, struct payload *, + u_int8_t, u_int8_t *); +static int message_validate_cert (struct message *, struct payload *); +static int message_validate_cert_req (struct message *, struct payload *); +static int message_validate_delete (struct message *, struct payload *); +static int message_validate_hash (struct message *, struct payload *); +static int message_validate_id (struct message *, struct payload *); +static int message_validate_key_exch (struct message *, struct payload *); +static int message_validate_nonce (struct message *, struct payload *); +static int message_validate_notify (struct message *, struct payload *); +static int message_validate_proposal (struct message *, struct payload *); +static int message_validate_sa (struct message *, struct payload *); +static int message_validate_sig (struct message *, struct payload *); +static int message_validate_transform (struct message *, struct payload *); +static int message_validate_vendor (struct message *, struct payload *); +extern int gdoi_validate_kd (struct 
message *, struct payload *); +extern int gdoi_validate_seq (struct message *, struct payload *); +extern int gdoi_validate_gap (struct message *, struct payload *); +extern int gdoi_validate_gdoi_exchange_special (struct message *msg); + +static void message_packet_log (struct message *); + +static int (*message_validate_payload[]) (struct message *, struct payload *) = +{ + message_validate_sa, message_validate_proposal, message_validate_transform, + message_validate_key_exch, message_validate_id, message_validate_cert, + message_validate_cert_req, message_validate_hash, message_validate_sig, + message_validate_nonce, message_validate_notify, message_validate_delete, + message_validate_vendor, + 0, /* CONFIG */ + 0, /* SA_KEK */ + 0, /* SA_TEK */ + gdoi_validate_kd, /* KD */ + gdoi_validate_seq, /* SEQ */ + 0, /* POP */ + 0, /* NAT_D */ + 0, /* NAT_OA */ + gdoi_validate_gap, /* GAP */ +}; + +static struct field *fields[] = { + isakmp_sa_fld, isakmp_prop_fld, isakmp_transform_fld, isakmp_ke_fld, + isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld, + isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld, + isakmp_vendor_fld, + 0, /* CONFIG */ + 0, /* SA_KEK */ + 0, /* SA_TEK */ + gdoi_kd_fld, /* KD */ + gdoi_seq_fld, /* SEQ */ + 0, /* POP - deprecated */ + 0, /* NAT_D */ + 0, /* NAT_OA */ + gdoi_gap_fld, /* GAP */ +}; + +/* + * Fields used for checking monotonic increasing of proposal and transform + * numbers. + */ +static u_int8_t *last_sa = 0; +static int last_prop_no; +static u_int8_t *last_prop = 0; +static int last_xf_no; + +/* + * Allocate a message structure bound to transport T, and with a first + * segment buffer sized SZ, copied from BUF if given. + */ +struct message * +message_alloc (struct transport *t, u_int8_t *buf, size_t sz) +{ + struct message *msg; + int i; + + /* + * We use calloc(3) because it zeroes the structure which we rely on in + * message_free when determining what sub-allocations to free. 
+ */
+ msg = (struct message *)calloc (1, sizeof *msg);
+ if (!msg)
+ return 0;
+ msg->iov = calloc (1, sizeof *msg->iov);
+ if (!msg->iov)
+ {
+ message_free (msg);
+ return 0;
+ }
+ msg->iov[0].iov_len = sz;
+ msg->iov[0].iov_base = malloc (sz);
+ if (!msg->iov[0].iov_base)
+ {
+ message_free (msg);
+ return 0;
+ }
+ msg->iovlen = 1;
+ if (buf)
+ memcpy (msg->iov[0].iov_base, buf, sz);
+ msg->nextp = msg->iov[0].iov_base + ISAKMP_HDR_NEXT_PAYLOAD_OFF;
+ msg->transport = t;
+ transport_reference (t);
+ for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_PRIVATE_MAX; i++)
+ TAILQ_INIT (&msg->payload[i]);
+ TAILQ_INIT (&msg->post_send);
+ LOG_DBG ((LOG_MESSAGE, 90, "message_alloc: allocated %p", msg));
+ return msg;
+}
+
+/*
+ * Allocate a message suitable for a reply to MSG. Just allocate an empty
+ * ISAKMP header as the first segment.
+ */
+struct message *
+message_alloc_reply (struct message *msg)
+{
+ struct message *reply;
+
+ reply = message_alloc (msg->transport, 0, ISAKMP_HDR_SZ);
+ reply->exchange = msg->exchange;
+ reply->isakmp_sa = msg->isakmp_sa;
+ if (msg->isakmp_sa)
+ sa_reference (msg->isakmp_sa);
+ return reply;
+}
+
+/* Free up all resources used by the MSG message.
*/
+void
+message_free (struct message *msg)
+{
+ int i;
+ struct payload *payload, *next;
+
+ LOG_DBG ((LOG_MESSAGE, 20, "message_free: freeing %p", msg));
+ if (!msg)
+ return;
+ if (msg->orig && msg->orig != (u_int8_t *)msg->iov[0].iov_base)
+ free (msg->orig);
+ if (msg->iov)
+ {
+ for (i = 0; i < msg->iovlen; i++)
+ if (msg->iov[i].iov_base)
+ free (msg->iov[i].iov_base);
+ free (msg->iov);
+ }
+ if (msg->retrans)
+ timer_remove_event (msg->retrans);
+ for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_RESERVED_MIN; i++)
+ for (payload = TAILQ_FIRST (&msg->payload[i]); payload; payload = next)
+ {
+ next = TAILQ_NEXT (payload, link);
+ free (payload);
+ }
+ while (TAILQ_FIRST (&msg->post_send) != 0)
+ TAILQ_REMOVE (&msg->post_send, TAILQ_FIRST (&msg->post_send), link);
+
+ /* If we are on the send queue, remove us from there. */
+ if (msg->flags & MSG_IN_TRANSIT)
+ TAILQ_REMOVE (&msg->transport->sendq, msg, link);
+ transport_release (msg->transport);
+
+ if (msg->isakmp_sa)
+ sa_release (msg->isakmp_sa);
+
+ free (msg);
+}
+
+/*
+ * Generic ISAKMP parser.
+ * MSG is the ISAKMP message to be parsed. NEXT is the type of the first
+ * payload to be parsed, and it's pointed to by BUF. ACCEPTED_PAYLOADS
+ * tells what payloads are accepted and FUNC is a pointer to a function
+ * to be called for each payload found. Returns the total length of the
+ * parsed payloads.
+ */
+static int
+message_parse_payloads (struct message *msg, struct payload *p, u_int8_t next,
+ u_int8_t *buf, set *accepted_payloads,
+ int (*func) (struct message *, struct payload *,
+ u_int8_t, u_int8_t *))
+{
+ u_int8_t payload;
+ u_int16_t len;
+ int sz = 0;
+
+ do
+ {
+ LOG_DBG ((LOG_MESSAGE, 50,
+ "message_parse_payloads: offset 0x%x payload %s",
+ buf - (u_int8_t *)msg->iov[0].iov_base,
+ constant_name (isakmp_payload_cst, next)));
+
+ /* Does this payload's header fit?
*/
+ if (buf + ISAKMP_GEN_SZ
+ > (u_int8_t *)msg->iov[0].iov_base + msg->iov[0].iov_len)
+ {
+ log_print ("message_parse_payloads: short message");
+ message_drop (msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
+ return -1;
+ }
+
+ /* Ponder on the payload that is at BUF... */
+ payload = next;
+
+ /* Look at the next payload's type. */
+ next = GET_ISAKMP_GEN_NEXT_PAYLOAD (buf);
+ if (next >= ISAKMP_PAYLOAD_RESERVED_MIN &&
+ next <= ISAKMP_PAYLOAD_RESERVED_MAX)
+ {
+ log_print ("message_parse_payloads: invalid next payload type %d "
+ "in payload of type %d", next, payload);
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ return -1;
+ }
+
+ /* Reserved fields in ISAKMP messages should be zero. */
+ if (GET_ISAKMP_GEN_RESERVED (buf) != 0)
+ {
+ log_print ("message_parse_payloads: reserved field non-zero: %x",
+ GET_ISAKMP_GEN_RESERVED (buf));
+ message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * Decode the payload length field.
+ */
+ len = GET_ISAKMP_GEN_LENGTH (buf);
+#if BUG_DOES_NOT_SET_THIS_PAYLOAD_ALTHOUGH_ITS_OK
+ /* Ignore private payloads. */
+ if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN)
+ {
+ LOG_DBG ((LOG_MESSAGE, 30,
+ "message_parse_payloads: private next payload type %d "
+ "in payload of type %d ignored", next, payload));
+ goto next_payload;
+ }
+#endif
+ /*
+ * Check if the current payload is one of the accepted ones at this
+ * stage.
+ */
+ if (!ISSET (payload, accepted_payloads))
+ {
+ log_print ("message_parse_payloads: payload type %d unexpected",
+ payload);
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ return -1;
+ }
+
+ /* Call the payload handler specified by the caller. */
+ if (func (msg, p, payload, buf))
+ return -1;
+
+#if BUG_DOES_NOT_SET_THIS_PAYLOAD_ALTHOUGH_ITS_OK
+ next_payload:
+#endif
+ /* Advance to next payload.
*/ + buf += len; + sz += len; + } + while (next != ISAKMP_PAYLOAD_NONE); + return sz; +} + +/* + * Parse a proposal payload found in message MSG. PAYLOAD is always + * ISAKMP_PAYLOAD_PROPOSAL and ignored in here. It's needed as the API for + * message_parse_payloads requires it. BUF points to the proposal's + * generic payload header. + */ +static int +message_parse_proposal (struct message *msg, struct payload *p, + u_int8_t payload, u_int8_t *buf) +{ + set payload_set; + + /* Put the proposal into the proposal bucket. */ + message_index_payload (msg, p, payload, buf); + + ZERO (&payload_set); + SET (ISAKMP_PAYLOAD_TRANSFORM, &payload_set); + if (message_parse_payloads (msg, + TAILQ_LAST (&msg->payload + [ISAKMP_PAYLOAD_PROPOSAL], + payload_head), + ISAKMP_PAYLOAD_TRANSFORM, + buf + ISAKMP_PROP_SPI_OFF + + GET_ISAKMP_PROP_SPI_SZ (buf), + &payload_set, message_parse_transform) == -1) + return -1; + + return 0; +} + +static int +message_parse_transform (struct message *msg, struct payload *p, + u_int8_t payload, u_int8_t *buf) +{ + /* Put the transform into the transform bucket. */ + message_index_payload (msg, p, payload, buf); + + LOG_DBG ((LOG_MESSAGE, 50, "Transform %d's attributes", + GET_ISAKMP_TRANSFORM_NO (buf))); +#ifdef USE_DEBUG + attribute_map (buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + GET_ISAKMP_GEN_LENGTH (buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + msg->exchange->doi->debug_attribute, msg); +#endif + + return 0; +} + +/* Validate the certificate payload P in message MSG. */ +static int +message_validate_cert (struct message *msg, struct payload *p) +{ + if (GET_ISAKMP_CERT_ENCODING (p->p) >= ISAKMP_CERTENC_RESERVED_MIN) + { + message_drop (msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1); + return -1; + } + return 0; +} + +/* Validate the certificate request payload P in message MSG. 
*/
+static int
+message_validate_cert_req (struct message *msg, struct payload *p)
+{
+ struct cert_handler *cert;
+ size_t len = GET_ISAKMP_GEN_LENGTH (p->p)- ISAKMP_CERTREQ_AUTHORITY_OFF;
+
+ if (GET_ISAKMP_CERTREQ_TYPE (p->p) >= ISAKMP_CERTENC_RESERVED_MIN)
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * Check the certificate types we support and if an acceptable authority
+ * is included in the payload check if it can be decoded
+ */
+ cert = cert_get (GET_ISAKMP_CERTREQ_TYPE (p->p));
+ if (!cert
+ || (len && !cert->certreq_validate (p->p + ISAKMP_CERTREQ_AUTHORITY_OFF,
+ len)))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1, 1);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Validate the delete payload P in message MSG. As a side-effect, create
+ * an exchange if we do not have one already.
+ */
+static int
+message_validate_delete (struct message *msg, struct payload *p)
+{
+ u_int8_t proto = GET_ISAKMP_DELETE_PROTO (p->p);
+ struct doi *doi;
+
+ doi = doi_lookup (GET_ISAKMP_DELETE_DOI (p->p));
+ if (!doi)
+ {
+ log_print ("message_validate_delete: DOI not supported");
+ message_free (msg);
+ return -1;
+ }
+
+ /* If we don't have an exchange yet, create one. */
+ if (!msg->exchange)
+ {
+ if (zero_test (msg->iov[0].iov_base + ISAKMP_HDR_MESSAGE_ID_OFF,
+ ISAKMP_HDR_MESSAGE_ID_LEN))
+ msg->exchange = exchange_setup_p1 (msg, doi->id);
+ else
+ msg->exchange = exchange_setup_p2 (msg, doi->id);
+ if (!msg->exchange)
+ {
+ log_print ("message_validate_delete: can not create exchange");
+ message_free (msg);
+ return -1;
+ }
+ }
+
+ if (proto != ISAKMP_PROTO_ISAKMP && doi->validate_proto (proto))
+ {
+ log_print ("message_validate_delete: protocol not supported");
+ message_free (msg);
+ return -1;
+ }
+
+ /* Validate the SPIs. */
+
+ return 0;
+}
+
+/*
+ * Validate the hash payload P in message MSG.
*/
+static int
+message_validate_hash (struct message *msg, struct payload *p)
+{
+ /* XXX Not implemented yet. */
+ return 0;
+}
+
+/* Validate the identification payload P in message MSG. */
+static int
+message_validate_id (struct message *msg, struct payload *p)
+{
+ struct exchange *exchange = msg->exchange;
+ size_t len = GET_ISAKMP_GEN_LENGTH (p->p);
+
+ /*
+ * If this is a GDOI Phase 2 exchange, it's the first payload, so
+ * exchange will be NULL. Need to do some setup, similar to what is done
+ * in message_validate_sa for IKE Quick Mode
+ */
+ if (!exchange)
+ {
+ if (msg->isakmp_sa && msg->isakmp_sa->doi)
+ {
+ msg->exchange = exchange =
+ exchange_setup_p2 (msg, msg->isakmp_sa->doi->id);
+ }
+ if (!exchange)
+ {
+ log_print ("message_validate_id: exchange not found");
+ message_free (msg);
+ return -1;
+ }
+ }
+
+
+ if (exchange->doi
+ && exchange->doi->validate_id_information (GET_ISAKMP_ID_TYPE (p->p),
+ p->p + ISAKMP_ID_DOI_DATA_OFF,
+ p->p + ISAKMP_ID_DATA_OFF,
+ len - ISAKMP_ID_DATA_OFF,
+ exchange))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, 1);
+ return -1;
+ }
+ return 0;
+}
+
+/* Validate the key exchange payload P in message MSG. */
+static int
+message_validate_key_exch (struct message *msg, struct payload *p)
+{
+ struct exchange *exchange = msg->exchange;
+ size_t len = GET_ISAKMP_GEN_LENGTH (p->p);
+
+ if (exchange->doi
+ && exchange->doi->validate_key_information (p->p + ISAKMP_KE_DATA_OFF,
+ len - ISAKMP_KE_DATA_OFF))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION, 0, 1, 1);
+ return -1;
+ }
+ return 0;
+}
+
+/* Validate the nonce payload P in message MSG. */
+static int
+message_validate_nonce (struct message *msg, struct payload *p)
+{
+ /* Nonces require no specific validation. */
+ return 0;
+}
+
+/*
+ * Validate the notify payload P in message MSG. As a side-effect, create
+ * an exchange if we do not have one already.
+ */
+static int
+message_validate_notify (struct message *msg, struct payload *p)
+{
+ u_int8_t proto = GET_ISAKMP_NOTIFY_PROTO (p->p);
+ u_int16_t type = GET_ISAKMP_NOTIFY_MSG_TYPE (p->p);
+ struct doi *doi;
+
+ doi = doi_lookup (GET_ISAKMP_NOTIFY_DOI (p->p));
+ if (!doi)
+ {
+ log_print ("message_validate_notify: DOI not supported");
+ message_free (msg);
+ return -1;
+ }
+
+ /* If we don't have an exchange yet, create one. */
+ if (!msg->exchange)
+ {
+ if (zero_test (msg->iov[0].iov_base + ISAKMP_HDR_MESSAGE_ID_OFF,
+ ISAKMP_HDR_MESSAGE_ID_LEN))
+ msg->exchange = exchange_setup_p1 (msg, doi->id);
+ else
+ msg->exchange = exchange_setup_p2 (msg, doi->id);
+ if (!msg->exchange)
+ {
+ log_print ("message_validate_notify: can not create exchange");
+ message_free (msg);
+ return -1;
+ }
+ }
+
+ if (proto != ISAKMP_PROTO_ISAKMP && doi->validate_proto (proto))
+ {
+ log_print ("message_validate_notify: protocol not supported");
+ message_free (msg);
+ return -1;
+ }
+
+ /* XXX Validate the SPI. */
+
+ if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE
+ || (type >= ISAKMP_NOTIFY_RESERVED_MIN
+ && type < ISAKMP_NOTIFY_PRIVATE_MIN)
+ || (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN
+ && type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX)
+ || (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN
+ && type <= ISAKMP_NOTIFY_STATUS_DOI_MAX
+ && doi->validate_notification (type))
+ || type >= ISAKMP_NOTIFY_STATUS_RESERVED2_MIN)
+ {
+ log_print ("message_validate_notify: message type not supported");
+ message_free (msg);
+ return -1;
+ }
+ return 0;
+}
+
+/* Validate the proposal payload P in message MSG.
*/
+static int
+message_validate_proposal (struct message *msg, struct payload *p)
+{
+ u_int8_t proto = GET_ISAKMP_PROP_PROTO (p->p);
+ u_int8_t *sa = p->context->p;
+
+ if (proto != ISAKMP_PROTO_ISAKMP
+ && msg->exchange->doi->validate_proto (proto))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_PROTOCOL_ID, 0, 1, 1);
+ return -1;
+ }
+
+ /* Check that we get monotonically increasing proposal IDs per SA. */
+ if (sa != last_sa)
+ last_sa = sa;
+ else if (GET_ISAKMP_PROP_NO (p->p) < last_prop_no)
+ {
+ message_drop (msg, ISAKMP_NOTIFY_BAD_PROPOSAL_SYNTAX, 0, 1, 1);
+ return -1;
+ }
+ last_prop_no = GET_ISAKMP_PROP_NO (p->p);
+
+ /* XXX Validate the SPI, and other syntactic things. */
+
+ return 0;
+}
+
+/*
+ * Validate the SA payload P in message MSG.
+ * Aside from normal validation, note what DOI is in use for other
+ * validation routines to look at. Also index the proposal payloads
+ * on the fly.
+ * XXX This assumes PAYLOAD_SA is always the first payload
+ * to be validated, which is true for IKE, except for quick mode where
+ * a PAYLOAD_HASH comes first, but in that specific case it does not matter.
+ * XXX Make sure the above comment is relevant, isn't SA always checked
+ * first due to the IANA assigned payload number?
+ */
+static int
+message_validate_sa (struct message *msg, struct payload *p)
+{
+ set payload_set;
+ size_t len;
+ u_int32_t doi_id;
+ struct exchange *exchange = msg->exchange;
+ u_int8_t *pkt = msg->iov[0].iov_base;
+
+ doi_id = GET_ISAKMP_SA_DOI (p->p);
+ if (!doi_lookup (doi_id))
+ {
+ log_print ("message_validate_sa: DOI not supported");
+ message_drop (msg, ISAKMP_NOTIFY_DOI_NOT_SUPPORTED, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * It's time to figure out what SA this message is about. If it is
+ * already set, then we are creating a new phase 1 SA. Otherwise, lookup
+ * the SA using the cookies and the message ID. If we cannot find
+ * it, and the phase 1 SA is ready, setup a phase 2 SA.
+ */
+ if (!exchange)
+ {
+ if (zero_test (pkt + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN))
+ exchange = exchange_setup_p1 (msg, doi_id);
+ else if (msg->isakmp_sa->flags & SA_FLAG_READY)
+ exchange = exchange_setup_p2 (msg, doi_id);
+ else
+ {
+ /* XXX What to do here? */
+ message_free (msg);
+ return -1;
+ }
+ if (!exchange)
+ {
+ /* XXX Log? */
+ message_free (msg);
+ return -1;
+ }
+ }
+ msg->exchange = exchange;
+
+ /*
+ * Create a struct sa for each SA payload handed to us unless we are the
+ * initiator where we only will count them.
+ */
+ if (exchange->initiator)
+ {
+ /* XXX Count SA payloads. */
+ }
+ else if (sa_create (exchange, msg->transport))
+ {
+ /* XXX Remove exchange if we just created it? */
+ message_free (msg);
+ return -1;
+ }
+
+ if (exchange->phase == 1)
+ {
+ msg->isakmp_sa = TAILQ_FIRST (&exchange->sa_list);
+ if (msg->isakmp_sa &&
+ !((doi_id == GROUP_DOI_GDOI) &&
+ (exchange->type == GDOI_EXCH_PUSH_MODE)))
+ sa_reference (msg->isakmp_sa);
+ }
+
+ /*
+ * Let the DOI validate the situation, at the same time it tells us what
+ * the length of the situation field is.
+ */
+ if (exchange->doi->validate_situation (p->p + ISAKMP_SA_SIT_OFF, &len))
+ {
+ log_print ("message_validate_sa: situation not supported");
+ message_drop (msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, 0, 1, 1);
+ return -1;
+ }
+
+ /* Reset the fields we base our proposal & transform number checks on. */
+ last_sa = last_prop = 0;
+ last_prop_no = last_xf_no = 0;
+
+ /* If IKE Phase 1 or Quick Mode, go through the PROPOSAL payloads.
*/
+ /*
+ * NOTE: The following logic should really be located as a new vector for
+ * the DOI
+ */
+ if ((doi_id == IPSEC_DOI_IPSEC) ||
+ ((doi_id == GROUP_DOI_GDOI) && (exchange->phase == 1) &&
+ (exchange->type != GDOI_EXCH_PUSH_MODE)))
+ {
+ ZERO (&payload_set);
+ SET (ISAKMP_PAYLOAD_PROPOSAL, &payload_set);
+ if (message_parse_payloads (msg, p, ISAKMP_PAYLOAD_PROPOSAL,
+ p->p + ISAKMP_SA_SIT_OFF + len, &payload_set,
+ message_parse_proposal) == -1)
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Validate the signature payload P in message MSG. */
+static int
+message_validate_sig (struct message *msg, struct payload *p)
+{
+ /* XXX Not implemented yet. */
+ return 0;
+}
+
+/* Validate the transform payload P in message MSG. */
+static int
+message_validate_transform (struct message *msg, struct payload *p)
+{
+ u_int8_t proto = GET_ISAKMP_PROP_PROTO (p->context->p);
+ u_int8_t *prop = p->context->p;
+
+ if (msg->exchange->doi
+ ->validate_transform_id (proto, GET_ISAKMP_TRANSFORM_ID (p->p)))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_TRANSFORM_ID, 0, 1, 1);
+ return -1;
+ }
+
+ /* Check that the reserved field is zero. */
+ if (!zero_test (p->p + ISAKMP_TRANSFORM_RESERVED_OFF,
+ ISAKMP_TRANSFORM_RESERVED_LEN))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * Check that we get monotonically increasing transform numbers per proposal.
+ */
+ if (prop != last_prop)
+ last_prop = prop;
+ else if (GET_ISAKMP_TRANSFORM_NO (p->p) <= last_xf_no)
+ {
+ message_drop (msg, ISAKMP_NOTIFY_BAD_PROPOSAL_SYNTAX, 0, 1, 1);
+ return -1;
+ }
+ last_xf_no = GET_ISAKMP_TRANSFORM_NO (p->p);
+
+ /* Validate the attributes.
*/
+ if (attribute_map (p->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ GET_ISAKMP_GEN_LENGTH (p->p)
+ - ISAKMP_TRANSFORM_SA_ATTRS_OFF,
+ msg->exchange->doi->validate_attribute, msg))
+ {
+ message_drop (msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED, 0, 1, 1);
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Validate the vendor payload P in message MSG. */
+static int
+message_validate_vendor (struct message *msg, struct payload *p)
+{
+ /* Vendor IDs are only allowed in phase 1. */
+ if (msg->exchange->phase != 1)
+ {
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ return -1;
+ }
+
+ LOG_DBG ((LOG_MESSAGE, 40, "message_validate_vendor: vendor ID seen"));
+ return 0;
+}
+
+/*
+ * Add an index-record pointing to the payload at BUF in message MSG
+ * to the PAYLOAD bucket of payloads. This allows us to quickly reference
+ * payloads by type. Also stash the parent payload P link into the new
+ * node so we can go from transforms -> payloads -> SAs.
+ */
+static int
+message_index_payload (struct message *msg, struct payload *p,
+ u_int8_t payload, u_int8_t *buf)
+{
+ struct payload *payload_node;
+
+ /* Put the payload pointer into the right bucket. */
+ payload_node = malloc (sizeof *payload_node);
+ if (!payload_node)
+ return -1;
+ payload_node->p = buf;
+ payload_node->context = p;
+ payload_node->flags = 0;
+ TAILQ_INSERT_TAIL (&msg->payload[payload], payload_node, link);
+ return 0;
+}
+
+/*
+ * Group each payload found in MSG by type for easy reference later.
+ * While doing this, validate the generic parts of the message structure too.
+ * NEXT is the 1st payload's type. This routine will also register the
+ * computed message length (i.e. without padding) in msg->iov[0].iov_len.
+ */
+int
+message_sort_payloads (struct message *msg, u_int8_t next)
+{
+ set payload_set;
+ int i, sz;
+
+ ZERO (&payload_set);
+ for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_PRIVATE_MAX; i++)
+ if (i != ISAKMP_PAYLOAD_PROPOSAL && i != ISAKMP_PAYLOAD_TRANSFORM)
+ SET (i, &payload_set);
+ sz = message_parse_payloads (msg, 0, next,
+ msg->iov[0].iov_base + ISAKMP_HDR_SZ,
+ &payload_set, message_index_payload);
+ if (sz == -1)
+ return -1;
+ msg->iov[0].iov_len = ISAKMP_HDR_SZ + sz;
+ SET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz);
+ return 0;
+}
+
+/* Run all the generic payload tests that the drafts specify. */
+int
+message_validate_payloads (struct message *msg)
+{
+ int i;
+ struct payload *p;
+ for (i = ISAKMP_PAYLOAD_SA; i < ISAKMP_PAYLOAD_PRIVATE_MAX; i++)
+ for (p = TAILQ_FIRST (&msg->payload[i]); p; p = TAILQ_NEXT (p, link))
+ {
+ LOG_DBG ((LOG_MESSAGE, 60,
+ "message_validate_payloads: "
+ "payload %s at %p of message %p",
+ constant_name (isakmp_payload_cst, i), p->p, msg));
+ field_dump_payload (fields[i - ISAKMP_PAYLOAD_SA], p->p);
+ if (message_validate_payload[i - ISAKMP_PAYLOAD_SA] (msg, p))
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * All incoming messages go through here. We do generic validity checks
+ * and try to find or establish SAs. Last but not least we try to find
+ * the exchange this message, MSG, is part of, and feed it there.
+ */
+int
+message_recv (struct message *msg)
+{
+ u_int8_t *buf = msg->iov[0].iov_base;
+ size_t sz = msg->iov[0].iov_len;
+ u_int8_t exch_type;
+ int setup_isakmp_sa, msgid_is_zero;
+ u_int8_t flags;
+ struct keystate *ks = 0;
+ struct proto tmp_proto;
+ struct sa tmp_sa;
+
+ /* Possibly dump a raw hex image of the message to the log channel. */
+ message_dump_raw ("message_recv", msg, LOG_MESSAGE);
+
+ /* Messages shorter than an ISAKMP header are bad.
*/
+ if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH (buf))
+ {
+ log_print ("message_recv: bad message length");
+ message_drop (msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * If the responder cookie is zero, this is a request to setup an ISAKMP SA.
+ * Otherwise the cookies should refer to an existing ISAKMP SA.
+ *
+ * XXX This is getting ugly, please reread later to see if it can be made
+ * nicer.
+ */
+ setup_isakmp_sa = zero_test (buf + ISAKMP_HDR_RCOOKIE_OFF,
+ ISAKMP_HDR_RCOOKIE_LEN);
+ if (setup_isakmp_sa)
+ {
+ /*
+ * This might be a retransmission of a former ISAKMP SA setup message.
+ * If so, just drop it.
+ * XXX Must we really look in both the SA and exchange pools?
+ */
+ if (exchange_lookup_from_icookie (buf + ISAKMP_HDR_ICOOKIE_OFF)
+ || sa_lookup_from_icookie (buf + ISAKMP_HDR_ICOOKIE_OFF))
+ {
+ /*
+ * XXX Later we should differentiate between retransmissions and
+ * potential replay attacks.
+ */
+ LOG_DBG ((LOG_MESSAGE, 90,
+ "message_recv: dropping setup for existing SA"));
+ message_free (msg);
+ return -1;
+ }
+ }
+ else
+ {
+ msg->isakmp_sa = sa_lookup_by_header (buf, 0);
+ if (msg->isakmp_sa)
+ sa_reference (msg->isakmp_sa);
+
+ /*
+ * If we cannot find an ISAKMP SA out of the cookies, this is either
+ * a responder's first reply, and we need to upgrade our exchange,
+ * or it's just plain invalid cookies.
+ */
+ if (!msg->isakmp_sa)
+ {
+ msg->exchange
+ = exchange_lookup_from_icookie (buf + ISAKMP_HDR_ICOOKIE_OFF);
+ if (msg->exchange && msg->exchange->phase == 1
+ && zero_test (msg->exchange->cookies + ISAKMP_HDR_RCOOKIE_OFF,
+ ISAKMP_HDR_RCOOKIE_LEN))
+ exchange_upgrade_p1 (msg);
+ else
+ {
+ log_print ("message_recv: invalid cookie(s) %08x%08x %08x%08x",
+ decode_32 (buf + ISAKMP_HDR_ICOOKIE_OFF),
+ decode_32 (buf + ISAKMP_HDR_ICOOKIE_OFF + 4),
+ decode_32 (buf + ISAKMP_HDR_RCOOKIE_OFF),
+ decode_32 (buf + ISAKMP_HDR_RCOOKIE_OFF + 4));
+ tmp_proto.sa = &tmp_sa;
+ tmp_sa.doi = doi_lookup (ISAKMP_DOI_ISAKMP);
+ tmp_proto.proto = ISAKMP_PROTO_ISAKMP;
+ tmp_proto.spi_sz[1] = ISAKMP_HDR_COOKIES_LEN;
+ tmp_proto.spi[1] = buf + ISAKMP_HDR_COOKIES_OFF;
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_COOKIE, &tmp_proto, 1,
+ 1);
+ return -1;
+ }
+#if 0
+ msg->isakmp_sa
+ = sa_lookup_from_icookie (buf + ISAKMP_HDR_ICOOKIE_OFF);
+ if (msg->isakmp_sa)
+ sa_isakmp_upgrade (msg);
+#endif
+ }
+ msg->exchange = exchange_lookup (buf, 1);
+ }
+
+ if (message_check_duplicate (msg))
+ return -1;
+
+ if (GET_ISAKMP_HDR_NEXT_PAYLOAD (buf) >= ISAKMP_PAYLOAD_PRIVATE_MAX)
+ {
+ log_print ("message_recv: "
+ "invalid payload type %d in ISAKMP header "
+ "(check passphrases, if applicable and in Phase 1)",
+ GET_ISAKMP_HDR_NEXT_PAYLOAD (buf));
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1);
+ return -1;
+ }
+
+ /* Validate that the message is of version 1.0.
*/
+ if (ISAKMP_VERSION_MAJOR (GET_ISAKMP_HDR_VERSION (buf)) != 1)
+ {
+ log_print ("message_recv: invalid version major %d",
+ ISAKMP_VERSION_MAJOR (GET_ISAKMP_HDR_VERSION (buf)));
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1, 1);
+ return -1;
+ }
+
+ if (ISAKMP_VERSION_MINOR (GET_ISAKMP_HDR_VERSION (buf)) != 0)
+ {
+ log_print ("message_recv: invalid version minor %d",
+ ISAKMP_VERSION_MINOR (GET_ISAKMP_HDR_VERSION (buf)));
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * Validate the exchange type. If it's a DOI-specified exchange wait until
+ * after all payloads have been seen for the validation as the SA payload
+ * might not yet have been parsed, thus the DOI might be unknown.
+ */
+ exch_type = GET_ISAKMP_HDR_EXCH_TYPE (buf);
+ if (exch_type == ISAKMP_EXCH_NONE
+ || (exch_type >= ISAKMP_EXCH_FUTURE_MIN &&
+ exch_type <= ISAKMP_EXCH_FUTURE_MAX)
+ || (setup_isakmp_sa && exch_type >= ISAKMP_EXCH_DOI_MIN))
+ {
+ log_print ("message_recv: invalid exchange type %s",
+ constant_name (isakmp_exch_cst, exch_type));
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
+ return -1;
+ }
+
+ /*
+ * Check for unrecognized flags, or the encryption flag when we don't
+ * have an ISAKMP SA to decrypt with.
+ */
+ flags = GET_ISAKMP_HDR_FLAGS (buf);
+ if (flags
+ & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT | ISAKMP_FLAGS_AUTH_ONLY))
+ {
+ log_print ("message_recv: invalid flags 0x%x",
+ GET_ISAKMP_HDR_FLAGS (buf));
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
+ return -1;
+ }
+
+ /* If we are about to setup an ISAKMP SA, the message ID must be zero.
*/
+ msgid_is_zero = zero_test (buf + ISAKMP_HDR_MESSAGE_ID_OFF,
+ ISAKMP_HDR_MESSAGE_ID_LEN);
+ if (setup_isakmp_sa && !msgid_is_zero)
+ {
+ log_print ("message_recv: invalid message id");
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_MESSAGE_ID, 0, 1, 1);
+ return -1;
+ }
+
+ if (!setup_isakmp_sa && msgid_is_zero)
+ {
+ /*
+ * XXX Very likely redundant, look at the else clause of the
+ * if (setup_isakmp_sa) statement above.
+ */
+ msg->exchange = exchange_lookup (buf, 0);
+ if (!msg->exchange)
+ {
+ log_print ("message_recv: phase 1 message after ISAKMP SA is ready");
+ message_free (msg);
+ return -1;
+ }
+ else if (msg->exchange->last_sent)
+ {
+ LOG_DBG ((LOG_MESSAGE, 80,
+ "message_recv: resending last message from phase 1"));
+ message_send (msg->exchange->last_sent);
+ }
+ }
+
+ if (flags & ISAKMP_FLAGS_ENC)
+ {
+ if (msg->isakmp_sa == NULL)
+ {
+ LOG_DBG ((LOG_MISC, 10,
+ "message_recv: no isakmp_sa for encrypted message"));
+ return -1;
+ }
+
+ /* Decrypt rest of message using a DOI-specified IV. */
+ ks = msg->isakmp_sa->doi->get_keystate (msg);
+ if (!ks)
+ {
+ message_free (msg);
+ return -1;
+ }
+ msg->orig = malloc (sz);
+ if (!msg->orig)
+ {
+ message_free (msg);
+ free (ks);
+ return -1;
+ }
+ memcpy (msg->orig, buf, sz);
+ crypto_decrypt (ks, buf + ISAKMP_HDR_SZ, sz - ISAKMP_HDR_SZ);
+ }
+ else
+ msg->orig = buf;
+ msg->orig_sz = sz;
+
+ /* IKE packet capture */
+ message_packet_log (msg);
+
+ /*
+ * Check the overall payload structure at the same time as indexing them by
+ * type.
+ */
+ if (GET_ISAKMP_HDR_NEXT_PAYLOAD (buf) != ISAKMP_PAYLOAD_NONE
+ && message_sort_payloads (msg, GET_ISAKMP_HDR_NEXT_PAYLOAD (buf)))
+ {
+ if (ks)
+ free (ks);
+ return -1;
+ }
+
+ /*
+ * Run generic payload tests now. If anything fails these checks, the
+ * message needs either to be retained for later duplicate checks or
+ * freed entirely.
+ * XXX Should SAs and even transports be cleaned up then too?
+ */
+ if (message_validate_payloads (msg))
+ {
+ if (ks)
+ free (ks);
+ return -1;
+ }
+
+ /* If we have not found an exchange by now something is definitely wrong. */
+ if (!msg->exchange)
+ {
+ log_print ("message_recv: no exchange");
+ message_drop (msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1);
+ if (ks)
+ free (ks);
+ return -1;
+ }
+
+ /*
+ * Now we can validate DOI-specific exchange types. If we have no SA
+ * DOI-specific exchange types are definitely wrong.
+ */
+ if (exch_type >= ISAKMP_EXCH_DOI_MIN
+ && msg->exchange->doi->validate_exchange (exch_type))
+ {
+ log_print ("message_recv: invalid DOI exchange type %d", exch_type);
+ message_drop (msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, 1);
+ if (ks)
+ free (ks);
+ return -1;
+ }
+
+ /*
+ * In the case of GDOI, further validate that the message is appropriate
+ * for the role (e.g., a GDOI key server should not be receiving rekeys).
+ */
+ if (msg->exchange->doi->id == GROUP_DOI_GDOI)
+ {
+ if (gdoi_validate_gdoi_exchange_special(msg))
+ {
+ return -1;
+ }
+ }
+
+ /* Make sure the IV we used gets saved in the proper SA. */
+ if (ks)
+ {
+ if (!msg->exchange->keystate)
+ {
+ msg->exchange->keystate = ks;
+ msg->exchange->crypto = ks->xf;
+ }
+ else
+ free (ks);
+ }
+
+ /* Handle the flags. */
+ if (flags & ISAKMP_FLAGS_ENC)
+ msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+ if ((msg->exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0
+ && (flags & ISAKMP_FLAGS_COMMIT))
+ msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED;
+
+ /* OK let the exchange logic do the rest. */
+ exchange_run (msg);
+
+ return 0;
+}
+
+void
+message_send_expire (struct message *msg)
+{
+ msg->retrans = 0;
+
+ message_send (msg);
+}
+
+/* Queue up message MSG for transmittal.
*/
+void
+message_send (struct message *msg)
+{
+ struct exchange *exchange = msg->exchange;
+ struct message *m;
+
+ /* Remove retransmissions on this message */
+ if (msg->retrans)
+ {
+ timer_remove_event (msg->retrans);
+ msg->retrans = 0;
+ }
+
+ /* IKE packet capture */
+ message_packet_log (msg);
+
+ /*
+ * If the ISAKMP SA has set up encryption, encrypt the message.
+ * However, in a retransmit, it is already encrypted.
+ */
+ if ((msg->flags & MSG_ENCRYPTED) == 0
+ && exchange->flags & EXCHANGE_FLAG_ENCRYPT)
+ {
+ if (!exchange->keystate)
+ {
+ exchange->keystate = exchange->doi->get_keystate (msg);
+ exchange->crypto = exchange->keystate->xf;
+ exchange->flags |= EXCHANGE_FLAG_ENCRYPT;
+ }
+
+ if (message_encrypt (msg))
+ {
+ /* XXX Log. */
+ return;
+ }
+ }
+
+ /* Keep the COMMIT bit on. */
+ if (exchange->flags & EXCHANGE_FLAG_COMMITTED)
+ SET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base,
+ GET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base)
+ | ISAKMP_FLAGS_COMMIT);
+
+ message_dump_raw ("message_send", msg, LOG_MESSAGE);
+ msg->flags |= MSG_IN_TRANSIT;
+ exchange->in_transit = msg;
+
+ /*
+ * If we get a retransmission of a message before our response
+ * has left the queue, don't queue it again, as it will result
+ * in a circular list.
+ */
+ for (m = TAILQ_FIRST (&msg->transport->sendq); m; m = TAILQ_NEXT (m, link))
+ if (m == msg)
+ {
+ LOG_DBG ((LOG_MESSAGE, 60, "message_send: msg %p already on sendq",
+ m));
+ return;
+ }
+
+ TAILQ_INSERT_TAIL (&msg->transport->sendq, msg, link);
+}
+
+/*
+ * Setup the ISAKMP message header for message MSG. EXCHANGE is the exchange
+ * type, FLAGS are the ISAKMP header flags and MSG_ID is message ID
+ * identifying the exchange.
+ */
+void
+message_setup_header (struct message *msg, u_int8_t exchange, u_int8_t flags,
+ u_int8_t *msg_id)
+{
+ u_int8_t *buf = msg->iov[0].iov_base;
+
+ SET_ISAKMP_HDR_ICOOKIE (buf, msg->exchange->cookies);
+ SET_ISAKMP_HDR_RCOOKIE (buf,
+ msg->exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN);
+ SET_ISAKMP_HDR_NEXT_PAYLOAD (buf, ISAKMP_PAYLOAD_NONE);
+ SET_ISAKMP_HDR_VERSION (buf, ISAKMP_VERSION_MAKE (1, 0));
+ SET_ISAKMP_HDR_EXCH_TYPE (buf, exchange);
+ SET_ISAKMP_HDR_FLAGS (buf, flags);
+ SET_ISAKMP_HDR_MESSAGE_ID (buf, msg_id);
+ SET_ISAKMP_HDR_LENGTH (buf, msg->iov[0].iov_len);
+}
+
+/*
+ * Add the payload of type PAYLOAD in BUF sized SZ to the MSG message.
+ * The caller thereby is released from the responsibility of freeing BUF,
+ * unless we return a failure of course. If LINK is set the former
+ * payload's "next payload" field to PAYLOAD.
+ *
+ * XXX We might want to resize the iov array several slots at a time.
+ */
+int
+message_add_payload (struct message *msg, u_int8_t payload, u_int8_t *buf,
+ size_t sz, int link)
+{
+ struct iovec *new_iov;
+ struct payload *payload_node;
+
+ payload_node = malloc (sizeof *payload_node);
+ if (!payload_node)
+ {
+ log_error ("message_add_payload: malloc (%d) failed",
+ sizeof *payload_node);
+ return -1;
+ }
+ new_iov
+ = (struct iovec *)realloc (msg->iov, (msg->iovlen + 1) * sizeof *msg->iov);
+ if (!new_iov)
+ {
+ log_error ("message_add_payload: realloc (%p, %d) failed", msg->iov,
+ (msg->iovlen + 1) * sizeof *msg->iov);
+ free (payload_node);
+ return -1;
+ }
+ msg->iov = new_iov;
+ new_iov[msg->iovlen].iov_base = buf;
+ new_iov[msg->iovlen].iov_len = sz;
+ msg->iovlen++;
+ if (link)
+ *msg->nextp = payload;
+ msg->nextp = buf + ISAKMP_GEN_NEXT_PAYLOAD_OFF;
+ *msg->nextp = ISAKMP_PAYLOAD_NONE;
+ SET_ISAKMP_GEN_RESERVED (buf, 0);
+ SET_ISAKMP_GEN_LENGTH (buf, sz);
+ SET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base,
+ GET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base) + sz);
+
+ /*
+ * For the sake of exchange_validate we
index the payloads even in outgoing + * messages, however context and flags are uninteresting in this situation. + */ + payload_node->p = buf; + TAILQ_INSERT_TAIL (&msg->payload[payload], payload_node, link); + return 0; +} + +/* XXX Move up when ready. */ +struct info_args { + char discr; + u_int32_t doi; + u_int8_t proto; + u_int16_t spi_sz; + union { + struct { + u_int16_t msg_type; + u_int8_t *spi; + } n; + struct { + u_int16_t nspis; + u_int8_t *spis; + } d; + } u; +}; + +/* + * As a reaction to the incoming message MSG create an informational exchange + * protected by ISAKMP_SA and send a notify payload of type NOTIFY, with + * fields initialized from SA. INCOMING is true if the SPI field should be + * filled with the incoming SPI and false if it is to be filled with the + * outgoing one. + * + * XXX Should we handle sending multiple notify payloads? The draft allows + * it, but do we need it? Furthermore, should we not return a success + * status value? + */ +void +message_send_notification (struct message *msg, struct sa *isakmp_sa, + u_int16_t notify, struct proto *proto, + int incoming) +{ + struct info_args args; + struct sa *doi_sa = proto ? proto->sa : isakmp_sa; + + args.discr = 'N'; + args.doi = doi_sa ? doi_sa->doi->id : ISAKMP_DOI_ISAKMP; + args.proto = proto ? proto->proto : ISAKMP_PROTO_ISAKMP; + args.spi_sz = proto ? proto->spi_sz[incoming] : 0; + args.u.n.msg_type = notify; + args.u.n.spi = proto ? proto->spi[incoming] : 0; + if (isakmp_sa && (isakmp_sa->flags & SA_FLAG_READY)) + exchange_establish_p2 (isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0 ,0); + else + exchange_establish_p1 (msg->transport, ISAKMP_EXCH_INFO, + msg->exchange + ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP, + 0, &args, 0, 0); +} + +/* Send a DELETE inside an informational exchange for each protocol in SA. 
*/ +void +message_send_delete (struct sa *sa) +{ + struct info_args args; + struct proto *proto; + struct sa *isakmp_sa; + struct sockaddr *dst; + socklen_t dstlen; + + if (!sa->transport) + { + return; + } + + sa->transport->vtbl->get_dst (sa->transport, &dst, (int *)&dstlen); + isakmp_sa = sa_isakmp_lookup_by_peer (dst, dstlen); + if (!isakmp_sa) + { + /* + * XXX We ought to setup an ISAKMP SA with our peer here and send + * the DELETE over that one. + */ + return; + } + + args.discr = 'D'; + args.doi = sa->doi->id; + args.u.d.nspis = 1; + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + { + args.proto = proto->proto; + args.spi_sz = proto->spi_sz[1]; + args.u.d.spis = proto->spi[1]; + exchange_establish_p2 (isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0 ,0); + } +} + +/* Build the informational message into MSG. */ +int +message_send_info (struct message *msg) +{ + u_int8_t *buf; + size_t sz; + struct info_args *args = msg->extra; + u_int8_t payload; + + /* Let the DOI get the first hand on the message. */ + if (msg->exchange->doi->informational_pre_hook) + if (msg->exchange->doi->informational_pre_hook (msg)) + return -1; + + sz = (args->discr == 'N' ? ISAKMP_NOTIFY_SPI_OFF + args->spi_sz + : ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz); + buf = calloc (1, sz); + if (!buf) + { + log_error ("message_send_info: calloc (1, %d) failed", sz); + message_free (msg); + return -1; + } + + switch (args->discr) + { + case 'N': + /* Build the NOTIFY payload. */ + payload = ISAKMP_PAYLOAD_NOTIFY; + SET_ISAKMP_NOTIFY_DOI (buf, args->doi); + SET_ISAKMP_NOTIFY_PROTO (buf, args->proto); + SET_ISAKMP_NOTIFY_SPI_SZ (buf, args->spi_sz); + SET_ISAKMP_NOTIFY_MSG_TYPE (buf, args->u.n.msg_type); + memcpy (buf + ISAKMP_NOTIFY_SPI_OFF, args->u.n.spi, args->spi_sz); + break; + + case 'D': + default: /* Silence GCC. */ + /* Build the DELETE payload. 
*/ + payload = ISAKMP_PAYLOAD_DELETE; + SET_ISAKMP_DELETE_DOI (buf, args->doi); + SET_ISAKMP_DELETE_PROTO (buf, args->proto); + SET_ISAKMP_DELETE_SPI_SZ (buf, args->spi_sz); + SET_ISAKMP_DELETE_NSPIS (buf, args->u.d.nspis); + memcpy (buf + ISAKMP_DELETE_SPI_OFF, args->u.d.spis, + args->u.d.nspis * args->spi_sz); + break; + } + + if (message_add_payload (msg, payload, buf, sz, 1)) + { + free (buf); + message_free (msg); + return -1; + } + + /* Let the DOI get the last hand on the message. */ + if (msg->exchange->doi->informational_post_hook) + if (msg->exchange->doi->informational_post_hook (msg)) + { + message_free (msg); + return -1; + } + + return 0; +} + +/* + * Drop the MSG message due to reason given in NOTIFY. If NOTIFY is set + * send out a notification to the originator. Fill this notification with + * values from PROTO. INCOMING decides which SPI to include. If CLEAN is + * set, free the message when ready with it. + */ +void +message_drop (struct message *msg, int notify, struct proto *proto, + int incoming, int clean) +{ + struct transport *t = msg->transport; + struct sockaddr *dst; + int dst_len; + + t->vtbl->get_dst (t, &dst, &dst_len); + + /* XXX Assumes IPv4. */ + log_print ("dropped message from %s port %d due to notification type %s", + inet_ntoa (((struct sockaddr_in *)dst)->sin_addr), + ntohs (((struct sockaddr_in *)dst)->sin_port), + constant_name (isakmp_notify_cst, notify)); + + /* If specified, return a notification. */ + if (notify) + message_send_notification (msg, msg->isakmp_sa, notify, proto, incoming); + if (clean) + message_free (msg); +} + +/* + * If the user demands debug printouts, printout MSG with as much detail + * as we can without resorting to per-payload handling. 
+ */ +void +message_dump_raw (char *header, struct message *msg, int class) +{ + int i, j, k = 0; + char buf[80], *p = buf; + + LOG_DBG ((class, 70, "%s: message %p", header, msg)); + field_dump_payload (isakmp_hdr_fld, msg->iov[0].iov_base); + for (i = 0; i < msg->iovlen; i++) + for (j = 0; j < msg->iov[i].iov_len; j++) + { + sprintf (p, "%02x", ((u_int8_t *)msg->iov[i].iov_base)[j]); + p += 2; + if (++k % 32 == 0) + { + *p = '\0'; + LOG_DBG ((class, 70, "%s: %s", header, buf)); + p = buf; + } + else if (k % 4 == 0) + *p++ = ' '; + } + *p = '\0'; + if (p != buf) + LOG_DBG ((class, 70, "%s: %s", header, buf)); +} + +static void +message_packet_log (struct message *msg) +{ +#ifdef USE_DEBUG + struct sockaddr *src, *dst; + int srclen, dstlen; + + /* Don't log retransmissions. Redundant for incoming packets... */ + if (msg->xmits > 0) + return; + + /* Figure out direction. */ + if (msg->exchange && msg->exchange->initiator ^ (msg->exchange->step % 2)) + { + msg->transport->vtbl->get_src (msg->transport, &src, &srclen); + msg->transport->vtbl->get_dst (msg->transport, &dst, &dstlen); + } + else + { + msg->transport->vtbl->get_src (msg->transport, &dst, &dstlen); + msg->transport->vtbl->get_dst (msg->transport, &src, &srclen); + } + + log_packet_iov (src, dst, msg->iov, msg->iovlen); +#endif /* USE_DEBUG */ +} + +/* + * Encrypt an outgoing message MSG. As outgoing messages are represented + * with an iovec with one segment per payload, we need to coalesce them + * into just une buffer containing all payloads and some padding before + * we encrypt. + */ +static int +message_encrypt (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + size_t sz = 0; + u_int8_t *buf; + int i; + + /* If no payloads, nothing to do. */ + if (msg->iovlen == 1) + return 0; + + /* + * For encryption we need to put all payloads together in a single buffer. + * This buffer should be padded to the current crypto transform's blocksize. 
+ */ + for (i = 1; i < msg->iovlen; i++) + sz += msg->iov[i].iov_len; + sz = ((sz + exchange->crypto->blocksize - 1) / exchange->crypto->blocksize) + * exchange->crypto->blocksize; + buf = realloc (msg->iov[1].iov_base, sz); + if (!buf) + { + log_error ("message_encrypt: realloc (%p, %d) failed", + msg->iov[1].iov_base, sz); + return -1; + } + msg->iov[1].iov_base = buf; + for (i = 2; i < msg->iovlen; i++) + { + memcpy (buf + msg->iov[1].iov_len, msg->iov[i].iov_base, + msg->iov[i].iov_len); + msg->iov[1].iov_len += msg->iov[i].iov_len; + free (msg->iov[i].iov_base); + } + + /* Pad with zeroes. */ + memset (buf + msg->iov[1].iov_len, '\0', sz - msg->iov[1].iov_len); + msg->iov[1].iov_len = sz; + msg->iovlen = 2; + + SET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base, + GET_ISAKMP_HDR_FLAGS (msg->iov[0].iov_base) + | ISAKMP_FLAGS_ENC); + SET_ISAKMP_HDR_LENGTH (msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz); + crypto_encrypt (exchange->keystate, buf, msg->iov[1].iov_len); + msg->flags |= MSG_ENCRYPTED; + + /* Update the IV so we can decrypt the next incoming message. */ + crypto_update_iv (exchange->keystate); + + return 0; +} + +/* + * Check whether the message MSG is a duplicate of the last one negotiating + * this specific SA. + */ +static int +message_check_duplicate (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + size_t sz = msg->iov[0].iov_len; + u_int8_t *pkt = msg->iov[0].iov_base; + + /* If no SA has been found, we cannot test, thus it's good. */ + if (!exchange) + return 0; + + LOG_DBG ((LOG_MESSAGE, 90, "message_check_duplicate: last_received 0x%x", + exchange->last_received)); + if (exchange->last_received) + { + LOG_DBG_BUF ((LOG_MESSAGE, 95, + "message_check_duplicate: last_received", + exchange->last_received->orig, + exchange->last_received->orig_sz)); + /* Is it a duplicate, lose the new one. 
*/ + if (sz == exchange->last_received->orig_sz + && memcmp (pkt, exchange->last_received->orig, sz) == 0) + { + LOG_DBG ((LOG_MESSAGE, 80, + "message_check_duplicate: dropping dup")); + + /* + * Retransmit if the previos sent message was the last of an + * exchange, otherwise just wait for the ordinary retransmission. + */ + if (exchange->last_sent && (exchange->last_sent->flags & MSG_LAST)) + message_send (exchange->last_sent); + message_free (msg); + return -1; + } + } + + /* + * As this new message is an indication that state is moving forward + * at the peer, remove the retransmit timer on our last message. + */ + if (exchange->last_sent) + { + if (exchange->last_sent == exchange->in_transit) + { + TAILQ_REMOVE (&exchange->in_transit->transport->sendq, + exchange->in_transit, link); + exchange->in_transit = 0; + } + message_free (exchange->last_sent); + exchange->last_sent = 0; + } + + return 0; +} + +/* Helper to message_negotiate_sa. */ +static INLINE struct payload * +step_transform (struct payload *tp, struct payload **propp, + struct payload **sap) +{ + tp = TAILQ_NEXT (tp, link); + if (tp) + { + *propp = tp->context; + *sap = (*propp)->context; + } + return tp; +} + +/* + * Pick out the first transforms out of MSG (which should contain at least one + * SA payload) we accept as a full protection suite. + */ +int +message_negotiate_sa (struct message *msg, + int (*validate) (struct exchange *, struct sa *, + struct sa *)) +{ + struct payload *tp, *propp, *sap, *next_tp = 0; + struct payload *next_propp = NULL, *next_sap = NULL; + struct payload *saved_tp = 0, *saved_propp = 0, *saved_sap = 0; + struct sa *sa; + struct proto *proto; + int suite_ok_so_far = 0; + struct exchange *exchange = msg->exchange; + + /* + * This algorithm is a weird bottom-up thing... mostly due to the + * payload links pointing upwards. 
+ * + * The algorithm goes something like this: + * Foreach transform + * If transform is compatible + * Remember that this protocol can work + * Skip to last transform of this protocol + * If next transform belongs to a new protocol inside the same suite + * If no transform was found for the current protocol + * Forget all earlier transforms for protocols in this suite + * Skip to last transform of this suite + * If next transform belongs to a new suite + * If the current protocol had an OK transform + * Skip to the last transform of this SA + * If the next transform belongs to a new SA + * If no transforms have been chosen + * Issue a NO_PROPOSAL_CHOSEN notification + */ + + sa = TAILQ_FIRST (&exchange->sa_list); + for (tp = TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_TRANSFORM]); tp; + tp = next_tp) + { + propp = tp->context; + sap = propp->context; + sap->flags |= PL_MARK; + next_tp = step_transform (tp, &next_propp, &next_sap); + + /* For each transform, see if it is compatible. */ + if (!attribute_map (tp->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, + GET_ISAKMP_GEN_LENGTH (tp->p) + - ISAKMP_TRANSFORM_SA_ATTRS_OFF, + exchange->doi->is_attribute_incompatible, msg)) + { + LOG_DBG ((LOG_NEGOTIATION, 30, + "message_negotiate_sa: " + "transform %d proto %d proposal %d ok", + GET_ISAKMP_TRANSFORM_NO (tp->p), + GET_ISAKMP_PROP_PROTO (propp->p), + GET_ISAKMP_PROP_NO (propp->p))); + if (sa_add_transform (sa, tp, exchange->initiator, &proto)) + goto cleanup; + suite_ok_so_far = 1; + + saved_tp = next_tp; + saved_propp = next_propp; + saved_sap = next_sap; + /* Skip to last transform of this protocol proposal. */ + while ((next_tp = step_transform (tp, &next_propp, &next_sap)) + && next_propp == propp) + tp = next_tp; + } + + retry_transform: + /* + * Figure out if we will be looking at a new protocol proposal + * inside the current protection suite. 
+ */ + if (next_tp && propp != next_propp && sap == next_sap + && (GET_ISAKMP_PROP_NO (propp->p) + == GET_ISAKMP_PROP_NO (next_propp->p))) + { + if (!suite_ok_so_far) + { + LOG_DBG ((LOG_NEGOTIATION, 30, + "message_negotiate_sa: proto %d proposal %d failed", + GET_ISAKMP_PROP_PROTO (propp->p), + GET_ISAKMP_PROP_NO (propp->p))); + /* Remove potentially succeeded choices from the SA. */ + while (TAILQ_FIRST (&sa->protos)) + TAILQ_REMOVE (&sa->protos, TAILQ_FIRST (&sa->protos), link); + + /* Skip to the last transform of this protection suite. */ + while ((next_tp = step_transform (tp, &next_propp, &next_sap)) + && (GET_ISAKMP_PROP_NO (next_propp->p) + == GET_ISAKMP_PROP_NO (propp->p)) + && next_sap == sap) + tp = next_tp; + } + suite_ok_so_far = 0; + } + + /* Figure out if we will be looking at a new protection suite. */ + if (!next_tp + || (propp != next_propp + && (GET_ISAKMP_PROP_NO (propp->p) + != GET_ISAKMP_PROP_NO (next_propp->p))) + || sap != next_sap) + { + /* + * Check if the suite we just considered was OK, if so we check + * it against the accepted ones. + */ + if (suite_ok_so_far) + { + if (!validate || validate (exchange, sa, msg->isakmp_sa)) + { + LOG_DBG ((LOG_NEGOTIATION, 30, + "message_negotiate_sa: proposal %d succeeded", + GET_ISAKMP_PROP_NO (propp->p))); + + /* Skip to the last transform of this SA. */ + while ((next_tp + = step_transform (tp, &next_propp, &next_sap)) + && next_sap == sap) + tp = next_tp; + } + else + { + /* Backtrack. */ + LOG_DBG ((LOG_NEGOTIATION, 30, + "message_negotiate_sa: proposal %d failed", + GET_ISAKMP_PROP_NO (propp->p))); + next_tp = saved_tp; + next_propp = saved_propp; + next_sap = saved_sap; + suite_ok_so_far = 0; + + /* Remove potentially succeeded choices from the SA. */ + while (TAILQ_FIRST (&sa->protos)) + TAILQ_REMOVE (&sa->protos, TAILQ_FIRST (&sa->protos), + link); + goto retry_transform; + } + } + } + + /* Have we walked all the proposals of an SA? 
*/ + if (!next_tp || sap != next_sap) + { + if (!suite_ok_so_far) + { + /* + * XXX We cannot possibly call this a drop... seeing we just turn + * down one of the offers, can we? I suggest renaming + * message_drop to something else. + */ + log_print ("message_negotiate_sa: no compatible proposal found"); + message_drop (msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); + } + sa = TAILQ_NEXT (sa, next); + } + } + return 0; + + cleanup: + /* + * Remove potentially succeeded choices from the SA. + * XXX Do we leak struct protos and related data here? + */ + while (TAILQ_FIRST (&sa->protos)) + TAILQ_REMOVE (&sa->protos, TAILQ_FIRST (&sa->protos), link); + return -1; +} + +/* + * Add SA, proposal and transform payload(s) to MSG out of information + * found in the exchange MSG is part of.. + */ +int +message_add_sa_payload (struct message *msg) +{ + struct exchange *exchange = msg->exchange; + u_int8_t *sa_buf, *saved_nextp_sa, *saved_nextp_prop; + size_t sa_len, extra_sa_len; + int i, nprotos = 0; + struct proto *proto; + u_int8_t **transforms = 0, **proposals = 0; + size_t *transform_lens = 0, *proposal_lens = 0; + struct sa *sa; + struct doi *doi = exchange->doi; + u_int8_t *spi = 0; + size_t spi_sz; + + /* + * Generate SA payloads. + */ + for (sa = TAILQ_FIRST (&exchange->sa_list); sa; + sa = TAILQ_NEXT (sa, next)) + { + /* Setup a SA payload. */ + sa_len = ISAKMP_SA_SIT_OFF + doi->situation_size (); + extra_sa_len = 0; + sa_buf = malloc (sa_len); + if (!sa_buf) + { + log_error ("message_add_sa_payload: malloc (%d) failed", sa_len); + goto cleanup; + } + + SET_ISAKMP_SA_DOI (sa_buf, doi->id); + doi->setup_situation (sa_buf); + + /* Count transforms. */ + nprotos = 0; + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + nprotos++; + + /* Allocate transient transform and proposal payload/size vectors. 
*/ + transforms = calloc (nprotos, sizeof *transforms); + if (!transforms) + { + log_error ("message_add_sa_payload: calloc (%d, %d) failed", nprotos, + sizeof *transforms); + goto cleanup; + } + + transform_lens = calloc (nprotos, sizeof *transform_lens); + if (!transform_lens) + { + log_error ("message_add_sa_payload: calloc (%d, %d) failed", nprotos, + sizeof *transform_lens); + goto cleanup; + } + + proposals = calloc (nprotos, sizeof *proposals); + if (!proposals) + { + log_error ("message_add_sa_payload: calloc (%d, %d) failed", nprotos, + sizeof *proposals); + goto cleanup; + } + + proposal_lens = calloc (nprotos, sizeof *proposal_lens); + if (!proposal_lens) + { + log_error ("message_add_sa_payload: calloc (%d, %d) failed", nprotos, + sizeof *proposal_lens); + goto cleanup; + } + + /* Pick out the chosen transforms. */ + for (proto = TAILQ_FIRST (&sa->protos), i = 0; proto; + proto = TAILQ_NEXT (proto, link), i++) + { + transform_lens[i] = GET_ISAKMP_GEN_LENGTH (proto->chosen->p); + transforms[i] = malloc (transform_lens[i]); + if (!transforms[i]) + { + log_error ("message_add_sa_payload: malloc (%d) failed", + transform_lens[i]); + goto cleanup; + } + + /* Get incoming SPI from application. 
*/ + if (doi->get_spi) + { + spi = doi->get_spi (&spi_sz, + GET_ISAKMP_PROP_PROTO (proto->chosen + ->context->p), + msg); + if (spi_sz && !spi) + goto cleanup; + proto->spi[1] = spi; + proto->spi_sz[1] = spi_sz; + } + else + spi_sz = 0; + + proposal_lens[i] = ISAKMP_PROP_SPI_OFF + spi_sz; + proposals[i] = malloc (proposal_lens[i]); + if (!proposals[i]) + { + log_error ("message_add_sa_payload: malloc (%d) failed", + proposal_lens[i]); + goto cleanup; + } + + memcpy (transforms[i], proto->chosen->p, transform_lens[i]); + memcpy (proposals[i], proto->chosen->context->p, + ISAKMP_PROP_SPI_OFF); + SET_ISAKMP_PROP_NTRANSFORMS (proposals[i], 1); + SET_ISAKMP_PROP_SPI_SZ (proposals[i], spi_sz); + if (spi_sz) + memcpy (proposals[i] + ISAKMP_PROP_SPI_OFF, spi, spi_sz); + extra_sa_len += proposal_lens[i] + transform_lens[i]; + } + + /* + * Add the payloads. As this is a SA, we need to recompute the + * lengths of the payloads containing others. We also need to + * reset these payload's "next payload type" field. + */ + if (message_add_payload (msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) + goto cleanup; + SET_ISAKMP_GEN_LENGTH (sa_buf, sa_len + extra_sa_len); + sa_buf = 0; + + saved_nextp_sa = msg->nextp; + for (proto = TAILQ_FIRST (&sa->protos), i = 0; proto; + proto = TAILQ_NEXT (proto, link), i++) + { + if (message_add_payload (msg, ISAKMP_PAYLOAD_PROPOSAL, proposals[i], + proposal_lens[i], i > 1)) + goto cleanup; + SET_ISAKMP_GEN_LENGTH (proposals[i], + proposal_lens[i] + transform_lens[i]); + proposals[i] = 0; + + saved_nextp_prop = msg->nextp; + if (message_add_payload (msg, ISAKMP_PAYLOAD_TRANSFORM, + transforms[i], transform_lens[i], 0)) + goto cleanup; + msg->nextp = saved_nextp_prop; + transforms[i] = 0; + } + msg->nextp = saved_nextp_sa; + + /* Free the temporary allocations made above. 
*/ + free (transforms); + free (transform_lens); + free (proposals); + free (proposal_lens); + } + return 0; + + cleanup: + if (sa_buf) + free (sa_buf); + for (i = 0; i < nprotos; i++) + { + if (transforms[i]) + free (transforms[i]); + if (proposals[i]) + free (proposals[i]); + } + if (transforms) + free (transforms); + if (transform_lens) + free (transform_lens); + if (proposals) + free (proposals); + if (proposal_lens) + free (proposal_lens); + return -1; +} + +/* + * Return a copy of MSG's constants starting from OFFSET and stash the size + * in SZP. It is the callers responsibility to free this up. + */ +u_int8_t * +message_copy (struct message *msg, size_t offset, size_t *szp) +{ + int i, skip = 0; + size_t sz = 0; + ssize_t start = -1; + u_int8_t *buf, *p; + + /* Calculate size of message and where we want to start to copy. */ + for (i = 1; i < msg->iovlen; i++) + { + sz += msg->iov[i].iov_len; + if (sz <= offset) + skip = i; + else if (start < 0) + start = offset - (sz - msg->iov[i].iov_len); + } + + /* Allocate and copy. */ + *szp = sz - offset; + buf = malloc (*szp); + if (!buf) + return 0; + p = buf; + for (i = skip + 1; i < msg->iovlen; i++) + { + memcpy (p, msg->iov[i].iov_base + start, msg->iov[i].iov_len - start); + p += msg->iov[i].iov_len - start; + start = 0; + } + return buf; +} + +/* Register a post-send function POST_SEND with message MSG. */ +int +message_register_post_send (struct message *msg, + void (*post_send) (struct message *)) +{ + struct post_send *node; + + node = malloc (sizeof *node); + if (!node) + return -1; + node->func = post_send; + TAILQ_INSERT_TAIL (&msg->post_send, node, link); + return 0; +} + +/* Run the post-send functions of message MSG. */ +void +message_post_send (struct message *msg) +{ + struct post_send *node; + + while ((node = TAILQ_FIRST (&msg->post_send)) != 0) + { + TAILQ_REMOVE (&msg->post_send, node, link); + node->func (msg); + free (node); + } +} 
diff --git a/src/message.h b/src/message.h
new file mode 100644
index 0000000..734b851
--- /dev/null
+++ b/src/message.h
@@ -0,0 +1,259 @@ +/* $Id: message.h,v 1.2.4.1 2011/10/18 03:26:56 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/message.h,v $ */ + +/* $OpenBSD: message.h,v 1.14 2000/10/10 13:35:12 niklas Exp $ */ +/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _MESSAGE_H_ +#define _MESSAGE_H_ + +#include +#include +#include +#include + +#include "isakmp.h" + +struct event; +struct message; +struct proto; +struct sa; +struct transport; + +struct payload { + /* Link all payloads of the same type through here. */ + TAILQ_ENTRY (payload) link; + + /* The pointer to the actual payload data. */ + u_int8_t *p; + + /* + * A pointer to the parent payload, used for proposal and transform payloads. 
+ */ + struct payload *context; + + /* Payload flags described below. */ + int flags; +}; + +/* Payload flags. */ + +/* + * Set this when a payload has been handled, so we later can sweep over + * unhandled ones. + */ +#define PL_MARK 1 + +/* A post-send chain of functions to be called. */ +struct post_send { + /* Link to the next function in the chain. */ + TAILQ_ENTRY (post_send) link; + + /* The actual function. */ + void (*func) (struct message *); +}; + +struct message { + /* Link message in send queues via this link. */ + TAILQ_ENTRY (message) link; + + /* Message flags described below. */ + u_int flags; + + /* + * This is the transport the message either arrived on or will be sent to. + */ + struct transport *transport; + + /* + * This is the ISAKMP SA protecting this message. + * XXX Needs to be redone to some keystate pointer or something. + */ + struct sa *isakmp_sa; + + /* This is the exchange where this message appears. */ + struct exchange *exchange; + + /* + * A segmented buffer structure holding the messages raw contents. On input + * only segment 0 will be filled, holding all of the message. On output, as + * long as the message body is unencrypted each segment will be one payload, + * after encryption segment 0 will be the unencrypted header, and segment 1 + * will be the encrypted payloads, all of them. + */ + struct iovec *iov; + + /* The segment count. */ + u_int iovlen; + + /* Pointer to the last "next payload" field. */ + u_int8_t *nextp; + + /* "Smart" pointers to each payload, sorted by type. */ +#ifdef ORIGINAL + TAILQ_HEAD (payload_head, payload) payload[ISAKMP_PAYLOAD_RESERVED_MIN]; +#else + /* GDOI has private payloads. */ + TAILQ_HEAD (payload_head, payload) payload[ISAKMP_PAYLOAD_PRIVATE_MAX]; +#endif + + /* Number of times this message has been sent. */ + int xmits; + + /* The timeout event causing retransmission of this message. */ + struct event *retrans; + + /* The (possibly encrypted) message text, used for duplicate testing. 
*/ + u_int8_t *orig; + size_t orig_sz; + + /* + * Extra baggage needed to travel with the message. Used transiently + * in context sensitive ways. + */ + void *extra; + + /* + * Hooks for stuff needed to be done after the message has gone out to + * the wire. + */ + TAILQ_HEAD (post_send_head, post_send) post_send; +}; + +/* Message flags. */ + +/* + * This is the last message of an exchange, meaning it should not be + * retransmitted other than if we see duplicates from our peer's last + * message. + */ +#define MSG_LAST 1 + +/* The message has already been encrypted. */ +#define MSG_ENCRYPTED 2 + +/* The message is on the send queue. */ +#define MSG_IN_TRANSIT 4 + +extern int message_add_payload (struct message *, u_int8_t, u_int8_t *, + size_t, int); +extern int message_add_sa_payload (struct message *); +extern struct message *message_alloc (struct transport *, u_int8_t *, size_t); +extern struct message *message_alloc_reply (struct message *); +extern u_int8_t *message_copy (struct message *, size_t, size_t *); +extern void message_drop (struct message *, int, struct proto *, int, int); +extern void message_dump_raw (char *, struct message *, int); +extern void message_free (struct message *); +extern int message_negotiate_sa (struct message *, + int (*) (struct exchange *, struct sa *, + struct sa *)); +extern int message_recv (struct message *); +extern int message_register_post_send (struct message *, + void (*) (struct message *)); +extern void message_post_send (struct message *); +extern void message_send (struct message *); +extern void message_send_expire (struct message *); +extern void message_send_delete (struct sa *); +extern int message_send_info (struct message *); +extern void message_send_notification (struct message *, struct sa *, + u_int16_t, struct proto *, int); +extern void message_setup_header (struct message *, u_int8_t, u_int8_t, + u_int8_t *); +extern int message_sort_payloads (struct message *, u_int8_t); +extern int 
message_validate_payloads (struct message *); + +#endif /* _MESSAGE_H_ */ diff --git a/src/pcap.h b/src/pcap.h new file mode 100644 index 0000000..859ccb8 --- /dev/null +++ b/src/pcap.h 
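Review bot: In `struct message`, the non-ORIGINAL branch declares the per-type list array as `payload[ISAKMP_PAYLOAD_PRIVATE_MAX]`, which is one slot short if that constant is the highest private payload type rather than a count; its value is defined outside this hunk, so this needs confirming. `message_add_payload` in message.c indexes the array with a `u_int8_t` payload type (`&msg->payload[payload]`), so a type equal to the maximum would address one element past the end. The receive path (`message_sort_payloads`, declared here but not shown) presumably indexes it with a type read from the wire, which would put that bound under the peer's control. I would declare the field as `TAILQ_HEAD (payload_head, payload) payload[ISAKMP_PAYLOAD_PRIVATE_MAX + 1];` and have the parser reject any type outside the array before indexing. A comment on the field saying that the index is the ISAKMP payload type would make the bound easier to audit.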
@@ -0,0 +1,126 @@
+/* $Id: pcap.h,v 1.1.4.1 2011/10/18 03:26:57 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/pcap.h,v $ */
+
+/*
+ * The license applies to all software incorporated in the "Cisco GDOI reference
+ * implementation" except for those portions incorporating third party software
+ * specifically identified as being licensed under separate license.
+ *
+ *
+ * The Cisco Systems Public Software License, Version 1.0
+ * Copyright (c) 2001-2011 Cisco Systems, Inc. All rights reserved.
+ * Subject to the following terms and conditions, Cisco Systems, Inc.,
+ * hereby grants you a worldwide, royalty-free, nonexclusive, license,
+ * subject to third party intellectual property claims, to create
+ * derivative works of the Licensed Code and to reproduce, display,
+ * perform, sublicense, distribute such Licensed Code and derivative works.
+ * All rights not expressly granted herein are reserved.
+ * 1. Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ * 3. The names Cisco and "Cisco GDOI reference implementation" must not
+ * be used to endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * opensource@cisco.com.
+ * 4. Products derived from this software may not be called
+ * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+ * "Cisco GDOI reference implementation" appear in
+ * their name, without prior written permission of Cisco Systems, Inc.
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+ * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+ * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+ * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+ * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+ * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+ * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+ * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+ * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+ * (US$5,000).
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by Cisco Systems,
+ * Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+ * information on Cisco Systems, Inc., please see .
+ *
+ * This product includes software developed by Ericsson Radio Systems.
+ */
+
+/* $OpenBSD: pcap.h,v 1.1 2001/04/09 21:21:58 ho Exp $ */
+
+/*
+ * Copyright (c) 1993, 1994, 1995, 1996, 1997
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Computer Systems
+ * Engineering Group at Lawrence Berkeley Laboratory.
+ * 4. Neither the name of the University nor of the Laboratory may be used
+ * to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#) $Header: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/pcap.h,v 1.1.4.1 2011/10/18 03:26:57 bew Exp $ (LBL)
+ */
+
+#ifndef lib_pcap_h
+#define lib_pcap_h
+
+#include
+#include
+
+#define PCAP_VERSION_MAJOR 2
+#define PCAP_VERSION_MINOR 4
+#define DLT_NULL 0
+
+struct pcap_file_header {
+ u_int32_t magic;
+ u_int16_t version_major;
+ u_int16_t version_minor;
+ int32_t thiszone; /* gmt to local correction */
+ u_int32_t sigfigs; /* accuracy of timestamps */
+ u_int32_t snaplen; /* max length saved portion of each pkt */
+ u_int32_t linktype; /* data link type (DLT_*) */
+};
+
+struct pcap_pkthdr {
+ struct timeval ts; /* time stamp */
+ u_int32_t caplen; /* length of portion present */
+ u_int32_t len; /* length this packet (off wire) */
+};
+
+#endif /* lib_pcap_h */
diff --git a/src/pf_encap.h b/src/pf_encap.h
new file mode 100644
index 0000000..ac2f52e
--- /dev/null
+++ b/src/pf_encap.h
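Review bot: `struct pcap_pkthdr` in src/pcap.h stores its timestamp as `struct timeval ts`, whose size follows the platform's `time_t`, so the per-packet header is not a fixed width across builds (typically 16 bytes on a 32-bit target and 24 on LP64). The classic pcap file layout expects two 32-bit timestamp fields ahead of `caplen` and `len`; if this struct is written to a capture file as-is (the writer is not part of this hunk, so this is inferred), files produced by 64-bit builds will not parse in standard tools. I would keep `pcap_pkthdr` for in-memory use and add a fixed-width on-disk record, e.g. `u_int32_t ts_sec; u_int32_t ts_usec;` followed by the two existing length fields, with a comment stating that it is the file layout.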
@@ -0,0 +1,75 @@
+/* $Id: pf_encap.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/pf_encap.h,v $ */
+
+/* $OpenBSD: pf_encap.h,v 1.8 2000/12/12 01:46:17 niklas Exp $ */
+/* $EOM: pf_encap.h,v 1.13 2000/12/04 04:46:35 angelos Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _PF_ENCAP_H_
+#define _PF_ENCAP_H_
+
+#include
+#include
+
+struct proto;
+struct sa;
+struct sockaddr;
+
+struct pf_encap_node {
+ /* Link to next node. */
+ TAILQ_ENTRY (pf_encap_node) link;
+
+ /* The message itself. */
+ struct encap_msghdr *emsg;
+
+ /* The callback function and its argument. */
+ void (*callback) (void *);
+ void *arg;
+};
+
+extern void pf_encap_connection_check (char *);
+extern int pf_encap_delete_spi (struct sa *, struct proto *, int);
+extern int pf_encap_enable_sa (struct sa *, struct sa *);
+extern int pf_encap_enable_spi (in_addr_t, in_addr_t, in_addr_t, in_addr_t,
+ u_int8_t *, u_int8_t, in_addr_t);
+extern u_int8_t *pf_encap_get_spi (size_t *, u_int8_t, struct sockaddr *, int,
+ struct sockaddr *, int);
+extern int pf_encap_group_spis (struct sa *, struct proto *, struct proto *,
+ int);
+extern void pf_encap_handler (int);
+extern int pf_encap_open (void);
+extern int pf_encap_set_spi (struct sa *, struct proto *, int);
+
+#endif /* _PF_ENCAP_H_ */
diff --git a/src/pf_key_v2.c b/src/pf_key_v2.c
new file mode 100644
index 0000000..4ffa9c9
--- /dev/null
+++ b/src/pf_key_v2.c
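Review bot: The prototypes at the end of src/pf_encap.h state no ownership or parameter contract, and that matters most for `pf_encap_get_spi`, which returns a `u_int8_t *` alongside a `size_t *` out-parameter without saying who frees the buffer. The PF_KEY counterpart added later in this patch, `pf_key_v2_get_spi`, hands back a malloc'd SPI; if this function follows the same rule (pf_encap.c is not in this hunk, so that needs confirming), I would add `/* Returns a malloc'd SPI and stores its size through the size_t pointer; 0 on failure. Caller frees. */` above the declaration. `pf_encap_enable_spi` takes five `in_addr_t` arguments with no names, so a caller that transposes two of them gets no diagnostic; naming the parameters in the prototype would document the order.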
@@ -0,0 +1,3318 @@ +/* $Id: pf_key_v2.c,v 1.9.2.1 2011/12/12 20:43:48 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/pf_key_v2.c,v $ */ + +/* $OpenBSD: pf_key_v2.c,v 1.50 2001/04/24 07:27:37 niklas Exp $ */ +/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ + +/* + * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include +#include +#include +#ifdef OSX +#include +#endif +#ifdef LINUX_PFKEY +/* typedef unsigned char __u8; +typedef __u8 uint8_t; +#include */ +typedef u_int8_t uint8_t; +typedef u_int16_t uint16_t; +typedef u_int32_t uint32_t; +typedef u_int64_t uint64_t; +/* + * BEW: We should use the system one NOT one we carry around with us. The + * one below should be nuked. + */ +#include "sysdep/linux/pfkeyv2.h" +struct sadb_msgg { + uint8_t sadb_msg_version; +}; +#else +#include +#endif +#include +#ifdef SADB_X_EXT_FLOW_TYPE +#include +#include +#endif +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "conf.h" +#include "exchange.h" +#include "ipsec.h" +#include "ipsec_num.h" +#include "log.h" +#include "pf_key_v2.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "util.h" + +#define IN6_IS_ADDR_FULL(a) \ + ((*(u_int32_t *)(void *)(&(a)->s6_addr[0]) == 0xffff) \ + && (*(u_int32_t *)(void *)(&(a)->s6_addr[4]) == 0xffff) \ + && (*(u_int32_t *)(void *)(&(a)->s6_addr[8]) == 0xffff) \ + && (*(u_int32_t *)(void *)(&(a)->s6_addr[12]) == 0xffff)) + +#define ADDRESS_MAX sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" + +/* + * PF_KEY v2 always work with 64-bit entities and aligns on 64-bit boundaries. 
+ */ +#define PF_KEY_V2_CHUNK 8 +#define PF_KEY_V2_ROUND(x) \ + (((x) + PF_KEY_V2_CHUNK - 1) & ~(PF_KEY_V2_CHUNK - 1)) + +/* How many microseconds we will wait for a reply from the PF_KEY socket. */ +#define PF_KEY_REPLY_TIMEOUT 1000 + +struct pf_key_v2_node { + TAILQ_ENTRY (pf_key_v2_node) link; + void *seg; + size_t sz; + int cnt; + u_int16_t type; + u_int8_t flags; +}; + +TAILQ_HEAD (pf_key_v2_msg, pf_key_v2_node); + +#define PF_KEY_V2_NODE_MALLOCED 1 +#define PF_KEY_V2_NODE_MARK 2 + +/* Used to derive "unique" connection identifiers */ +int connection_seq = 0; + +#ifdef KAME +/* + * KAME requires the sadb_msg_seq of an UPDATE be the same of that of the + * GETSPI creating the larval SA. + */ +struct pf_key_v2_sa_seq { + TAILQ_ENTRY (pf_key_v2_sa_seq) link; + u_int8_t *spi; + size_t sz; + u_int8_t proto; + struct sockaddr *dst; + int dstlen; + u_int32_t seq; +}; + +TAILQ_HEAD (, pf_key_v2_sa_seq) pf_key_v2_sa_seq_map; +#endif + +static struct pf_key_v2_msg *pf_key_v2_call (struct pf_key_v2_msg *); +static struct pf_key_v2_node *pf_key_v2_find_ext (struct pf_key_v2_msg *, + u_int16_t); +static void pf_key_v2_notify (struct pf_key_v2_msg *); +static struct pf_key_v2_msg *pf_key_v2_read (u_int32_t); +static u_int32_t pf_key_v2_seq (void); +static u_int32_t pf_key_v2_write (struct pf_key_v2_msg *); + +/* The socket to use for PF_KEY interactions. */ +static int pf_key_v2_socket; + +/* + * Debugging PF_Key messages. + */ +void pf_key_extention_dump (u_int8_t *msg) +{ + struct sadb_sa *sa; + struct sadb_lifetime *life; + struct sadb_key *key; + struct sadb_supported *sup; + struct sadb_alg *alg; + struct sadb_x_sa2 *sa2; + struct sadb_address *addr; + struct sockaddr_in *ipv4_addr; + u_int16_t len, cur; + + /* + * Display the extension header. All of the extensions have the same length + * and type fields, so rather than defining a new structure we just map to + * an arbitrary existing one for now. 
+ */ + sa = (struct sadb_sa *)msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key ext: length=%d (%d bytes), type=%d", + sa->sadb_sa_len, (sa->sadb_sa_len * PF_KEY_V2_CHUNK), + sa->sadb_sa_exttype)); + + switch (sa->sadb_sa_exttype) + { + case SADB_EXT_SA: + sa = (struct sadb_sa *)msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key sa: spi=%#04x, replay=%d " + "state=%d, auth=%d, encrypt=%d, flags=%#04x", + sa->sadb_sa_spi, sa->sadb_sa_replay, sa->sadb_sa_state, + sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags)); + break; + + case SADB_EXT_KEY_AUTH: + case SADB_EXT_KEY_ENCRYPT: + key = (struct sadb_key *) msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key %s key: keybits=%d, res=%d", + (SADB_EXT_KEY_AUTH == sa->sadb_sa_exttype) ? "auth" : "enc", + key->sadb_key_bits, key->sadb_key_reserved)); + LOG_DBG_BUF ((LOG_SYSDEP, 80, "pf_key key: key=", + &msg[8], (key->sadb_key_bits/8))); + break; + + case SADB_EXT_SUPPORTED_AUTH: + case SADB_EXT_SUPPORTED_ENCRYPT: + /* + * BEW: Should store the algs, and verify them against SAs that before + * attempting to install them into the kernel. + */ + sup = (struct sadb_supported *) msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key %s supported: res=%d", + (SADB_EXT_SUPPORTED_AUTH == sa->sadb_sa_exttype) ? "auth" : "enc", + sup->sadb_supported_reserved)); + /* + * Now print the supported algorithms. 
+ */ + len = (sup->sadb_supported_len * PF_KEY_V2_CHUNK) - + sizeof(struct sadb_supported); + cur = sizeof(struct sadb_supported); + while (cur < len) + { + alg = (struct sadb_alg *) &msg[cur]; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key supported alg: id=%d ivlen=%d " + "minbits=%d, maxbits=%d, res=%d", + alg->sadb_alg_id, alg->sadb_alg_ivlen, alg->sadb_alg_minbits, + alg->sadb_alg_maxbits, alg->sadb_alg_reserved)); + cur += sizeof(struct sadb_alg); + } + + case SADB_X_EXT_SA2: + sa2 = (struct sadb_x_sa2 *) msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key x_sa2: mode=%d, res1=%d, res2=%d " + "seq=%d, reqid=%d", + sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reserved1, + sa2->sadb_x_sa2_reserved2, sa2->sadb_x_sa2_sequence, + sa2->sadb_x_sa2_reqid)); + break; + + case SADB_EXT_LIFETIME_HARD: + case SADB_EXT_LIFETIME_SOFT: + life = (struct sadb_lifetime *) msg; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key %s lifetime: alloc=%d, bytes=%d, " + "addtime=%lld, usetime=%lld", + (SADB_EXT_LIFETIME_HARD == sa->sadb_sa_exttype) ? "hard" : "soft", + life->sadb_lifetime_allocations, life->sadb_lifetime_bytes, + (uint64_t)life->sadb_lifetime_addtime, (uint64_t)life->sadb_lifetime_usetime)); + + case SADB_EXT_ADDRESS_SRC: + case SADB_EXT_ADDRESS_DST: + addr = (struct sadb_address *) msg; + ipv4_addr = (struct sockaddr_in *)(msg + sizeof(struct sadb_address)); + LOG_DBG ((LOG_SYSDEP, 80, "pf_key %s addr: proto=%d, prefixlen=%d, " + "res=%d, ipv4_family=%d, ipv4_port=%d, ipv4_addr=%s", + (SADB_EXT_ADDRESS_SRC == sa->sadb_sa_exttype) ? 
"src" : "dst", + addr->sadb_address_proto, addr->sadb_address_prefixlen, + addr->sadb_address_reserved, ipv4_addr->sin_family, + ipv4_addr->sin_port, inet_ntoa(ipv4_addr->sin_addr))); + + + default: + break; + } + + return; +} + +void pf_key_message_debug (u_int8_t *buf, ssize_t n) +{ + uint16_t total_msg_length, cur; + struct sadb_msg *msg = (struct sadb_msg *)buf; + struct sadb_sa *generic_ext; + + total_msg_length = msg->sadb_msg_len * PF_KEY_V2_CHUNK; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key msg hdr: version=%d, type=%d, errno=%d, " + "satype=%d, len=%d (%d bytes), res=%d, seq=%d, " + "pid=%d", + msg->sadb_msg_version, msg->sadb_msg_type, + msg->sadb_msg_errno, msg->sadb_msg_satype, + msg->sadb_msg_len, total_msg_length, + msg->sadb_msg_reserved, + msg->sadb_msg_seq, msg->sadb_msg_pid)); + + cur = sizeof(struct sadb_msg); + while (cur < total_msg_length) + { + pf_key_extention_dump(&buf[cur]); + generic_ext = (struct sadb_sa *) &buf[cur]; + cur += generic_ext->sadb_sa_len * PF_KEY_V2_CHUNK; + } +} + +void pf_key_message_debug_iov (struct iovec *iov, int cnt) +{ + int i; + struct sadb_msg *msg; + uint16_t total_msg_length; + + msg = (struct sadb_msg *)iov[0].iov_base; + total_msg_length = msg->sadb_msg_len * PF_KEY_V2_CHUNK; + LOG_DBG ((LOG_SYSDEP, 80, "pf_key msg hdr: version=%d, type=%d, errno=%d, " + "satype=%d, len=%d (%d bytes), res=%d, seq=%d, " + "pid=%d", + msg->sadb_msg_version, msg->sadb_msg_type, + msg->sadb_msg_errno, msg->sadb_msg_satype, + msg->sadb_msg_len, total_msg_length, + msg->sadb_msg_reserved, + msg->sadb_msg_seq, msg->sadb_msg_pid)); + for (i=1; ispi = malloc (sz); + if (!node->spi) + goto cleanup; + node->dst = malloc (dstlen); + if (!node->spi) + goto cleanup; + memcpy (node->dst, dst, dstlen); + node->dstlen = dstlen; + memcpy (node->spi, spi, sz); + node->sz = sz; + node->proto = proto; + node->seq = seq; + TAILQ_INSERT_TAIL (&pf_key_v2_sa_seq_map, node, link); + return 1; + + cleanup: + if (node->dst) + free (node->dst); + if (node) + free 
(node); + return 0; +} + +static u_int32_t +pf_key_v2_seq_by_sa (u_int8_t *spi, size_t sz, u_int8_t proto, + struct sockaddr *dst, int dstlen) +{ + struct pf_key_v2_sa_seq *node; + + for (node = TAILQ_FIRST (&pf_key_v2_sa_seq_map); node; + node = TAILQ_NEXT (node, link)) + if (node->proto == proto + && node->sz == sz && memcmp (node->spi, spi, sz) == 0 + && node->dstlen == dstlen && memcmp (node->dst, dst, dstlen) == 0) + return node->seq; + return 0; +} +#endif + +static struct pf_key_v2_msg * +pf_key_v2_msg_new (struct sadb_msg *msg, int flags) +{ + struct pf_key_v2_node *node = 0; + struct pf_key_v2_msg *ret; + + node = malloc (sizeof *node); + if (!node) + goto cleanup; + ret = malloc (sizeof *ret); + if (!ret) + goto cleanup; + TAILQ_INIT (ret); + node->seg = msg; + node->sz = sizeof *msg; + node->type = 0; + node->cnt = 1; + node->flags = flags; + TAILQ_INSERT_HEAD (ret, node, link); + return ret; + + cleanup: + if (node) + free (node); + return 0; +} + +/* Add a SZ sized segment SEG to the PF_KEY message MSG. */ +static int +pf_key_v2_msg_add (struct pf_key_v2_msg *msg, struct sadb_ext *ext, int flags) +{ + struct pf_key_v2_node *node; + + node = malloc (sizeof *node); + if (!node) + return -1; + node->seg = ext; + node->sz = ext->sadb_ext_len * PF_KEY_V2_CHUNK; + node->type = ext->sadb_ext_type; + node->flags = flags; + TAILQ_FIRST (msg)->cnt++; + TAILQ_INSERT_TAIL (msg, node, link); + return 0; +} + +/* Deallocate the PF_KEY message MSG. */ +static void +pf_key_v2_msg_free (struct pf_key_v2_msg *msg) +{ + struct pf_key_v2_node *np; + + np = TAILQ_FIRST (msg); + while (np) + { + TAILQ_REMOVE (msg, np, link); + if (np->flags & PF_KEY_V2_NODE_MALLOCED) + free (np->seg); + free (np); + np = TAILQ_FIRST (msg); + } + free (msg); +} + +/* Just return a new sequence number. */ +static u_int32_t +pf_key_v2_seq () +{ + static u_int32_t seq = 0; + + return ++seq; +} + +/* + * Read a PF_KEY packet with SEQ as the sequence number, looping if necessary. 
+ * If SEQ is zero just read the first message we see, otherwise we queue + * messages up untile both the PID and the sequence number match. + */ +static struct pf_key_v2_msg * +pf_key_v2_read (u_int32_t seq) +{ + ssize_t n; + u_int8_t *buf = 0; + struct pf_key_v2_msg *ret = 0; + struct sadb_msg *msg; + struct sadb_msg hdr; + struct sadb_ext *ext; + struct timeval tv; + fd_set *fds; + + while (1) + { + /* + * If this is a read of a reply we should actually expect the reply to + * get lost as PF_KEY is an unreliable service per the specs. + * Currently we do this by setting a short timeout, and if it is not + * readable in that time, we fail the read. + */ + if (seq) + { + fds = calloc (howmany (pf_key_v2_socket + 1, NFDBITS), + sizeof (fd_mask)); + if (!fds) + { + log_error ("pf_key_v2_read: calloc (%d, %d) failed", + howmany (pf_key_v2_socket + 1, NFDBITS), + sizeof (fd_mask)); + goto cleanup; + } + FD_SET (pf_key_v2_socket, fds); + tv.tv_sec = 0; + tv.tv_usec = PF_KEY_REPLY_TIMEOUT; + n = select (pf_key_v2_socket + 1, fds, 0, 0, &tv); + free (fds); + if (n == -1) + { + log_error ("pf_key_v2_read: select (%d, fds, 0, 0, &tv) failed", + pf_key_v2_socket + 1); + goto cleanup; + } + if (!n) + { + log_print ("pf_key_v2_read: no reply from PF_KEY"); + goto cleanup; + } + } + n = recv (pf_key_v2_socket, &hdr, sizeof hdr, MSG_PEEK); + if (n == -1) + { + log_error ("pf_key_v2_read: recv (%d, ...) failed", + pf_key_v2_socket); + goto cleanup; + } + if (n != sizeof hdr) + { + log_error ("pf_key_v2_read: recv (%d, ...) returned short packet " + "(%d bytes)", + pf_key_v2_socket, n); + goto cleanup; + } + + n = hdr.sadb_msg_len * PF_KEY_V2_CHUNK; + buf = malloc (n); + if (!buf) + { + log_error ("pf_key_v2_read: malloc (%d) failed", n); + goto cleanup; + } + + n = read (pf_key_v2_socket, buf, n); + if (n == -1) + { + log_error ("pf_key_v2_read: read (%d, ...) 
failed", + pf_key_v2_socket); + goto cleanup; + } + + if ((size_t)n != hdr.sadb_msg_len * PF_KEY_V2_CHUNK) + { + log_print ("pf_key_v2_read: read (%d, ...) returned short packet " + "(%d bytes)", + pf_key_v2_socket, n); + goto cleanup; + } + + LOG_DBG_BUF ((LOG_SYSDEP, 80, "pf_key_v2_read: msg", buf, n)); + pf_key_message_debug(buf, n); + + /* We drop all messages that is not what we expect. */ + msg = (struct sadb_msg *)buf; + if (msg->sadb_msg_version != PF_KEY_V2 + || (msg->sadb_msg_pid != 0 && msg->sadb_msg_pid != getpid ())) + { + if (seq) + { + free (buf); + buf = 0; + continue; + } + else + { + LOG_DBG ((LOG_SYSDEP, 90, + "pf_key_v2_read:" + "bad version (%d) or PID (%d, mine is %d), ignored", + msg->sadb_msg_version, msg->sadb_msg_pid, + getpid ())); + goto cleanup; + } + } + + /* Parse the message. */ + ret = pf_key_v2_msg_new (msg, PF_KEY_V2_NODE_MALLOCED); + if (!ret) + goto cleanup; + buf = 0; + for (ext = (struct sadb_ext *)(msg + 1); + (u_int8_t *)ext - (u_int8_t *)msg + < msg->sadb_msg_len * PF_KEY_V2_CHUNK; + ext = (struct sadb_ext *)((u_int8_t *)ext + + ext->sadb_ext_len * PF_KEY_V2_CHUNK)) + pf_key_v2_msg_add (ret, ext, 0); + + /* If the message is not the one we are waiting for, queue it up. */ + if (seq && (msg->sadb_msg_pid != getpid () || msg->sadb_msg_seq != seq)) + { + gettimeofday (&tv, 0); + timer_add_event ("pf_key_v2_notify", + (void (*) (void *))pf_key_v2_notify, ret, &tv); + ret = 0; + continue; + } + + return ret; + } + + cleanup: + if (buf) + free (buf); + if (ret) + pf_key_v2_msg_free (ret); + return 0; +} + +/* Write the message in PMSG to the PF_KEY socket. 
*/ +u_int32_t +pf_key_v2_write (struct pf_key_v2_msg *pmsg) +{ + struct iovec *iov = 0; + ssize_t n; + size_t len; + int i, cnt = TAILQ_FIRST (pmsg)->cnt; + char header[80]; + struct sadb_msg *msg = TAILQ_FIRST (pmsg)->seg; + struct pf_key_v2_node *np = TAILQ_FIRST (pmsg); + + iov = (struct iovec *)malloc (cnt * sizeof *iov); + if (!iov) + { + log_error ("pf_key_v2_write: malloc (%d) failed", cnt * sizeof *iov); + return 0; + } + + msg->sadb_msg_version = PF_KEY_V2; + msg->sadb_msg_errno = 0; + msg->sadb_msg_reserved = 0; + msg->sadb_msg_pid = getpid (); + if (!msg->sadb_msg_seq) + msg->sadb_msg_seq = pf_key_v2_seq (); + + /* Compute the iovec segments as well as the message length. */ + len = 0; + for (i = 0; i < cnt; i++) + { + iov[i].iov_base = np->seg; + len += iov[i].iov_len = np->sz; + + /* + * XXX One can envision setting specific extension fields, like + * *_reserved ones here. For now we require them to be set by the + * caller. + */ + + np = TAILQ_NEXT (np, link); + } + msg->sadb_msg_len = len / PF_KEY_V2_CHUNK; + + /* + * Print a debug trace of the message + */ + for (i = 0; i < cnt; i++) + { + sprintf (header, "pf_key_v2_write: iov[%d]", i); + LOG_DBG_BUF ((LOG_SYSDEP, 80, header, (u_int8_t *)iov[i].iov_base, + iov[i].iov_len)); + } + /* + * More precise info. + */ + pf_key_message_debug_iov(iov, cnt); + + + n = writev (pf_key_v2_socket, iov, cnt); + if (n == -1) + { + log_error ("pf_key_v2_write: writev (%d, %p, %d) failed", + pf_key_v2_socket, iov, cnt); + goto cleanup; + } + if ((size_t)n != len) + { + log_error ("pf_key_v2_write: writev (%d, ...) returned prematurely (%d)", + pf_key_v2_socket, n); + goto cleanup; + } + free (iov); + return msg->sadb_msg_seq; + + cleanup: + if (iov) + free (iov); + return 0; +} + +/* + * Do a PF_KEY "call", i.e. write a message MSG, read the reply and return + * it to the caller. 
+ */ +static struct pf_key_v2_msg * +pf_key_v2_call (struct pf_key_v2_msg *msg) +{ + u_int32_t seq; + + seq = pf_key_v2_write (msg); + if (!seq) + { + log_print ("pf_key_v2_call: Error in write:"); + return 0; + } + return pf_key_v2_read (seq); +} + +/* Find the TYPE extension in MSG. Return zero if none found. */ +static struct pf_key_v2_node * +pf_key_v2_find_ext (struct pf_key_v2_msg *msg, u_int16_t type) +{ + struct pf_key_v2_node *ext; + + for (ext = TAILQ_NEXT (TAILQ_FIRST (msg), link); ext; + ext = TAILQ_NEXT (ext, link)) + if (ext->type == type) + return ext; + return 0; +} + +/* + * Open the PF_KEYv2 sockets and return the descriptor used for notifies. + * Return -1 for failure and -2 if no notifies will show up. + */ +int +pf_key_v2_open () +{ + int fd = -1, err; + struct sadb_msg msg; + struct pf_key_v2_msg *regmsg = 0, *ret = 0; + + /* Open the socket we use to speak to IPSec. */ + pf_key_v2_socket = -1; + fd = socket (PF_KEY, SOCK_RAW, PF_KEY_V2); + if (fd == -1) + { + log_error ("pf_key_v2_open: " + "socket (PF_KEY, SOCK_RAW, PF_KEY_V2) failed"); + goto cleanup; + } + pf_key_v2_socket = fd; + + /* Register it to get ESP and AH acquires from the kernel. */ + msg.sadb_msg_seq = 0; + msg.sadb_msg_type = SADB_REGISTER; + msg.sadb_msg_satype = SADB_SATYPE_ESP; + regmsg = pf_key_v2_msg_new (&msg, 0); + if (!regmsg) + goto cleanup; + ret = pf_key_v2_call (regmsg); + pf_key_v2_msg_free (regmsg); + if (!ret) + goto cleanup; + err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno; + if (err) + { + log_print ("pf_key_v2_open: REGISTER: %s", strerror (err)); + goto cleanup; + } + + /* XXX Register the accepted transforms. 
*/
+
+ pf_key_v2_msg_free (ret);
+ ret = 0;
+
+ msg.sadb_msg_seq = 0;
+ msg.sadb_msg_type = SADB_REGISTER;
+ msg.sadb_msg_satype = SADB_SATYPE_AH;
+ regmsg = pf_key_v2_msg_new (&msg, 0);
+ if (!regmsg)
+ goto cleanup;
+ ret = pf_key_v2_call (regmsg);
+ pf_key_v2_msg_free (regmsg);
+ if (!ret)
+ goto cleanup;
+ err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno;
+ if (err)
+ {
+ log_print ("pf_key_v2_open: REGISTER: %s", strerror (err));
+ goto cleanup;
+ }
+
+ /* XXX Register the accepted transforms. */
+
+#ifdef KAME
+ TAILQ_INIT (&pf_key_v2_sa_seq_map);
+#endif
+
+ pf_key_v2_msg_free (ret);
+ return fd;
+
+ cleanup:
+ if (pf_key_v2_socket != -1)
+ {
+ close (pf_key_v2_socket);
+ pf_key_v2_socket = -1;
+ }
+ if (ret)
+ pf_key_v2_msg_free (ret);
+ return -1;
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ.
+ */
+u_int8_t *
+pf_key_v2_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+ int srclen, struct sockaddr *dst, int dstlen,
+ u_int32_t seq)
+{
+ struct sadb_msg msg;
+ struct sadb_sa *sa;
+ struct sadb_address *addr = 0;
+ struct sadb_spirange spirange;
+ struct pf_key_v2_msg *getspi = 0, *ret = 0;
+ struct pf_key_v2_node *ext;
+ u_int8_t *spi = 0;
+ int len, err;
+#ifdef KAME
+ struct sadb_x_sa2 ssa2;
+#endif
+
+ msg.sadb_msg_type = SADB_GETSPI;
+ switch (proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ msg.sadb_msg_satype = SADB_SATYPE_ESP;
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ msg.sadb_msg_satype = SADB_SATYPE_AH;
+ break;
+ default:
+ log_print ("pf_key_v2_get_spi: invalid proto %d", proto);
+ goto cleanup;
+ }
+
+ /* Set the sequence number from the ACQUIRE message */
+ msg.sadb_msg_seq = seq;
+ getspi = pf_key_v2_msg_new (&msg, 0);
+ if (!getspi)
+ goto cleanup;
+
+#ifdef KAME
+ memset (&ssa2, 0, sizeof ssa2);
+ ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK;
+ ssa2.sadb_x_sa2_mode = 0;
+ if (pf_key_v2_msg_add (getspi, (struct sadb_ext *)&ssa2, 0) == -1)
+ goto cleanup;
+#endif
+
+ /* Setup the ADDRESS extensions. */
+ len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (srclen);
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifndef __OpenBSD__
+#ifdef KAME
+ addr->sadb_address_proto = IPSEC_PROTO_ANY;
+#else
+ addr->sadb_address_proto = 0;
+#endif
+ addr->sadb_address_prefixlen = 0;
+#endif
+ addr->sadb_address_reserved = 0;
+ memcpy (addr + 1, src, srclen);
+ /* XXX IPv4-specific. */
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (getspi, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ len = sizeof (struct sadb_address) + PF_KEY_V2_ROUND (dstlen);
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifndef __OpenBSD__
+#ifdef KAME
+ addr->sadb_address_proto = IPSEC_PROTO_ANY;
+#else
+ addr->sadb_address_proto = 0;
+#endif
+ addr->sadb_address_prefixlen = 0;
+#endif
+ addr->sadb_address_reserved = 0;
+ memcpy (addr + 1, dst, dstlen);
+ /* XXX IPv4-specific. */
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (getspi, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ /* Setup the SPIRANGE extension. */
+ spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE;
+ spirange.sadb_spirange_len = sizeof spirange / PF_KEY_V2_CHUNK;
+ spirange.sadb_spirange_min = IPSEC_SPI_LOW;
+ spirange.sadb_spirange_max = 0xffffffff;
+ spirange.sadb_spirange_reserved = 0;
+ if (pf_key_v2_msg_add (getspi, (struct sadb_ext *)&spirange, 0) == -1)
+ goto cleanup;
+
+ ret = pf_key_v2_call (getspi);
+ pf_key_v2_msg_free (getspi);
+ getspi = 0;
+ if (!ret)
+ goto cleanup;
+ err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno;
+ if (err)
+ {
+ log_print ("pf_key_v2_get_spi: GETSPI: %s", strerror (err));
+ goto cleanup;
+ }
+
+ ext = pf_key_v2_find_ext (ret, SADB_EXT_SA);
+ if (!ext)
+ {
+ log_print ("pf_key_v2_get_spi: no SA extension found");
+ goto cleanup;
+ }
+ sa = ext->seg;
+
+ *sz = sizeof sa->sadb_sa_spi;
+ spi = malloc (*sz);
+ if (!spi)
+ goto cleanup;
+ memcpy (spi, &sa->sadb_sa_spi, *sz);
+#ifdef KAME
+ if (!pf_key_v2_register_sa_seq (spi, *sz, proto, dst, dstlen,
+ ((struct sadb_msg *)(TAILQ_FIRST (ret)->seg))
+ ->sadb_msg_seq))
+ goto cleanup;
+#endif
+ pf_key_v2_msg_free (ret);
+
+ LOG_DBG_BUF ((LOG_SYSDEP, 50, "pf_key_v2_get_spi: spi", spi, *sz));
+
+ return spi;
+
+ cleanup:
+ if (spi)
+ free (spi);
+ if (addr)
+ free (addr);
+ if (getspi)
+ pf_key_v2_msg_free (getspi);
+ if (ret)
+ pf_key_v2_msg_free (ret);
+ return 0;
+}
+
+/*
+ * Store/update a PF_KEY_V2 security association with full information from the
+ * IKE SA and PROTO into the kernel. INCOMING is set if we are setting the
+ * parameters for the incoming SA, and cleared otherwise.
+ */
+int
+pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+ struct sadb_msg msg;
+ struct sadb_sa ssa;
+ struct sadb_lifetime *life = 0;
+ struct sadb_address *addr = 0;
+ struct sadb_key *key = 0;
+ struct sockaddr *src, *dst;
+ int dstlen, srclen, keylen, hashlen, err;
+ struct pf_key_v2_msg *update = 0, *ret = 0;
+ struct ipsec_proto *iproto = proto->data;
+ size_t len;
+#ifdef KAME
+ struct sadb_x_sa2 ssa2;
+#endif
+
+ msg.sadb_msg_type = incoming ? SADB_UPDATE : SADB_ADD;
+ switch (proto->proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ msg.sadb_msg_satype = SADB_SATYPE_ESP;
+ keylen = ipsec_esp_enckeylength (proto);
+ hashlen = ipsec_esp_authkeylength (proto);
+
+ switch (proto->id)
+ {
+ case IPSEC_ESP_DES:
+ case IPSEC_ESP_DES_IV32:
+ case IPSEC_ESP_DES_IV64:
+ ssa.sadb_sa_encrypt = SADB_EALG_DESCBC;
+ break;
+
+ case IPSEC_ESP_3DES:
+ ssa.sadb_sa_encrypt = SADB_EALG_3DESCBC;
+ break;
+
+#ifdef SADB_X_EALG_AES
+ case IPSEC_ESP_AES_CBC:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_AES;
+ break;
+#endif
+
+#ifdef SADB_X_EALG_CAST
+ case IPSEC_ESP_CAST:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_CAST;
+ break;
+#endif
+
+#ifdef SADB_X_EALG_BLF
+ case IPSEC_ESP_BLOWFISH:
+ ssa.sadb_sa_encrypt = SADB_X_EALG_BLF;
+ break;
+#endif
+
+ default:
+ LOG_DBG ((LOG_SYSDEP, 50,
+ "pf_key_v2_set_spi: unknown encryption algorithm %d",
+ proto->id));
+ return -1;
+ }
+
+ switch (iproto->auth)
+ {
+ case IPSEC_AUTH_HMAC_MD5:
+#ifdef SADB_AALG_MD5HMAC96
+ ssa.sadb_sa_auth = SADB_AALG_MD5HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_MD5HMAC;
+#endif
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA:
+#ifdef SADB_AALG_SHA1HMAC96
+ ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC;
+#endif
+ break;
+
+ case IPSEC_AUTH_HMAC_SHA2_256:
+#if defined(LINUX_PFKEY)
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256HMAC;
+#elif defined(OSX) || defined(FREEBSD_PFKEY_EXT)
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_SHA2_256;
+#endif
+ break;
+
+#if !defined(KAME) && !defined(OSX)
+ case IPSEC_AUTH_HMAC_RIPEMD:
+#ifdef SADB_X_AALG_RIPEMD160HMAC96
+ ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_RIPEMD160HMAC;
+#endif
+ break;
+#endif
+
+ case IPSEC_AUTH_DES_MAC:
+ case IPSEC_AUTH_KPDK:
+ /* XXX We should be supporting KPDK */
+ LOG_DBG ((LOG_SYSDEP, 50,
+ "pf_key_v2_set_spi: unknown authentication algorithm %d",
+ iproto->auth));
+ return -1;
+
+ default:
+ ssa.sadb_sa_auth = SADB_AALG_NONE;
+ }
+ break;
+
+ case IPSEC_PROTO_IPSEC_AH:
+ msg.sadb_msg_satype = SADB_SATYPE_AH;
+ hashlen = ipsec_ah_keylength (proto);
+ keylen = 0;
+
+ ssa.sadb_sa_encrypt = SADB_EALG_NONE;
+ switch (proto->id)
+ {
+ case IPSEC_AH_MD5:
+#ifdef SADB_AALG_MD5HMAC96
+ ssa.sadb_sa_auth = SADB_AALG_MD5HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_MD5HMAC;
+#endif
+ break;
+
+ case IPSEC_AH_SHA:
+#ifdef SADB_AALG_SHA1HMAC96
+ ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC;
+#endif
+ break;
+
+ case IPSEC_AH_SHA2_256:
+#if defined(LINUX_PFKEY)
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256HMAC;
+#elif defined(OSX) || defined(FREEBSD_PFKEY_EXT)
+ ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_SHA2_256;
+#endif
+ break;
+
+#if !defined(KAME) && !defined(OSX)
+ case IPSEC_AH_RIPEMD:
+#ifdef SADB_X_AALG_RIPEMD160HMAC96
+ ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC96;
+#else
+ ssa.sadb_sa_auth = SADB_AALG_RIPEMD160HMAC;
+#endif
+ break;
+#endif
+
+ default:
+ LOG_DBG ((LOG_SYSDEP, 50,
+ "pf_key_v2_set_spi: unknown authentication algorithm %d",
+ proto->id));
+ goto cleanup;
+ }
+ break;
+
+ default:
+ log_print ("pf_key_v2_set_spi: invalid proto %d", proto->proto);
+ goto cleanup;
+ }
+ if (incoming)
+ sa->transport->vtbl->get_src (sa->transport, &dst, &dstlen);
+ else
+ sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+#ifdef KAME
+ msg.sadb_msg_seq
+ = (incoming ? pf_key_v2_seq_by_sa (proto->spi[incoming],
+ sizeof ssa.sadb_sa_spi, proto->proto,
+ dst, dstlen)
+ : 0);
+#else
+ msg.sadb_msg_seq = 0;
+#endif
+ update = pf_key_v2_msg_new (&msg, 0);
+ if (!update)
+ goto cleanup;
+
+ /* Setup the rest of the SA extension. */
+ ssa.sadb_sa_exttype = SADB_EXT_SA;
+ ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK;
+ memcpy (&ssa.sadb_sa_spi, proto->spi[incoming], sizeof ssa.sadb_sa_spi);
+ ssa.sadb_sa_replay
+ = conf_get_str ("General", "Shared-SADB") ? 0 : iproto->replay_window;
+ ssa.sadb_sa_state = SADB_SASTATE_MATURE;
+#ifdef SADB_X_SAFLAGS_TUNNEL
+ ssa.sadb_sa_flags
+ = iproto->encap_mode == IPSEC_ENCAP_TUNNEL ? SADB_X_SAFLAGS_TUNNEL : 0;
+#else
+ ssa.sadb_sa_flags = 0;
+#endif
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)&ssa, 0) == -1)
+ goto cleanup;
+
+#ifdef KAME
+ memset (&ssa2, 0, sizeof ssa2);
+ ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK;
+ ssa2.sadb_x_sa2_mode = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)&ssa2, 0) == -1)
+ goto cleanup;
+#endif
+
+#ifdef BEW_NOT_FOR_NOW
+ if (sa->seconds || sa->kilobytes)
+ {
+ /* setup the hard limits. */
+ life = malloc (sizeof *life);
+ if (!life)
+ goto cleanup;
+ life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK;
+ life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+ life->sadb_lifetime_allocations = 0;
+ life->sadb_lifetime_bytes = sa->kilobytes * 1024;
+ life->sadb_lifetime_addtime = sa->seconds;
+ life->sadb_lifetime_usetime = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)life,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ life = 0;
+
+ /*
+ * Setup the soft limits, we use 90 % of the hard ones.
+ * XXX A configurable ratio would be better.
+ */
+ life = malloc (sizeof *life);
+ if (!life)
+ goto cleanup;
+ life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK;
+ life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
+ life->sadb_lifetime_allocations = 0;
+ life->sadb_lifetime_bytes = sa->kilobytes * 1024 * 9 / 10;
+ life->sadb_lifetime_addtime = sa->seconds * 9 / 10;
+ life->sadb_lifetime_usetime = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)life,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ life = 0;
+ }
+#endif /* BEW_NOT_FOR_NOW */
+
+ /*
+ * Setup the ADDRESS extensions.
+ *
+ * XXX Addresses have to be thought through. Assumes IPv4.
+ */
+ if (incoming)
+ sa->transport->vtbl->get_dst (sa->transport, &src, &srclen);
+ else
+ sa->transport->vtbl->get_src (sa->transport, &src, &srclen);
+ len = sizeof *addr + PF_KEY_V2_ROUND (srclen);
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifndef __OpenBSD__
+#ifdef KAME
+ addr->sadb_address_proto = IPSEC_PROTO_ANY;
+ /*
+ * BEW: prefixlen seems to assume host to host communications! That's wrong.
+ */
+ addr->sadb_address_prefixlen = 32;
+#else
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_prefixlen = 0;
+#endif
+#endif
+ addr->sadb_address_reserved = 0;
+ memcpy (addr + 1, src, srclen);
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ len = sizeof *addr + PF_KEY_V2_ROUND (dstlen);
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifndef __OpenBSD__
+#ifdef KAME
+ addr->sadb_address_proto = IPSEC_PROTO_ANY;
+ /*
+ * BEW: prefixlen seems to assume host to host communications! That's wrong.
+ */
+ addr->sadb_address_prefixlen = 32;
+#else
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_prefixlen = 0;
+#endif
+#endif
+ addr->sadb_address_reserved = 0;
+ memcpy (addr + 1, dst, dstlen);
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+#if 0
+ /* XXX I am not sure about what to do here just yet. */
+ if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL)
+ {
+ len = sizeof *addr + PF_KEY_V2_ROUND (dstlen);
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+#ifndef __OpenBSD__
+ addr->sadb_address_proto = 0;
+ addr->sadb_address_prefixlen = 0;
+#endif
+ addr->sadb_address_reserved = 0;
+ memcpy (addr + 1, dst, dstlen);
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+#if 0
+ msg->em_odst = msg->em_dst;
+ msg->em_osrc = msg->em_src;
+#endif
+ }
+#endif
+
+ /* Setup the KEY extensions. */
+ len = sizeof *key + PF_KEY_V2_ROUND (hashlen);
+ key = malloc (len);
+ if (!key)
+ goto cleanup;
+ key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
+ key->sadb_key_len = len / PF_KEY_V2_CHUNK;
+ key->sadb_key_bits = hashlen * 8;
+ key->sadb_key_reserved = 0;
+ memcpy (key + 1,
+ iproto->keymat[incoming]
+ + (proto->proto == IPSEC_PROTO_IPSEC_ESP ? keylen : 0),
+ hashlen);
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)key,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ key = 0;
+
+ if (keylen)
+ {
+ len = sizeof *key + PF_KEY_V2_ROUND (keylen);
+ key = malloc (len);
+ if (!key)
+ goto cleanup;
+ key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
+ key->sadb_key_len = len / PF_KEY_V2_CHUNK;
+ key->sadb_key_bits = keylen * 8;
+ key->sadb_key_reserved = 0;
+ memcpy (key + 1, iproto->keymat[incoming], keylen);
+ if (pf_key_v2_msg_add (update, (struct sadb_ext *)key,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ key = 0;
+ }
+ /* XXX Here can identity and sensitivity extensions be setup. */
+
+ /* XXX IPv4 specific. */
+ LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_set_spi: satype %d dst %s SPI 0x%x",
+ msg.sadb_msg_satype,
+ inet_ntoa (((struct sockaddr_in *)dst)->sin_addr),
+ ntohl (ssa.sadb_sa_spi)));
+
+ /*
+ * Although PF_KEY knows about expirations, it is unreliable per the specs
+ * thus we need to do them inside gdoid as well.
+ */
+ if (sa->seconds)
+ if (sa_setup_expirations (sa))
+ goto cleanup;
+
+ ret = pf_key_v2_call (update);
+ pf_key_v2_msg_free (update);
+ update = 0;
+ if (ret) {
+ err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno;
+ } else {
+ /*
+ * Catastrophic error.
+ */
+ log_print("pf_key_v2_set_spi: Null pointer returned by pf_key_v2_call(), "
+ "aborting, probably causing a memory leak.");
+ goto cleanup;
+ }
+
+
+ /*
+ * If we are doing an addition into an SADB shared with our peer, errors
+ * here are to be expected as the peer will already have created the SA,
+ * and can thus be ignored.
+ */
+ if (err && !(msg.sadb_msg_type == SADB_ADD
+ && conf_get_str ("General", "Shared-SADB")))
+ {
+ log_print ("pf_key_v2_set_spi: %s: %s",
+ msg.sadb_msg_type == SADB_ADD ? "ADD" : "UPDATE",
+ strerror (err));
+ pf_key_v2_msg_free (ret);
+ ret = 0;
+ goto cleanup;
+ }
+
+ pf_key_v2_msg_free (ret);
+ ret = 0;
+ LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_set_spi: done"));
+
+ return 0;
+
+ cleanup:
+ if (addr)
+ free (addr);
+ if (life)
+ free (life);
+ if (key)
+ free (key);
+ if (update)
+ pf_key_v2_msg_free (update);
+ if (ret)
+ pf_key_v2_msg_free (ret);
+ return -1;
+}
+
+static __inline__ int
+pf_key_v2_mask_to_bits (u_int32_t mask)
+{
+ return (33 - ffs (~mask + 1)) % 33;
+}
+
+/*
+ * Enable/disable a flow.
+ * XXX Assumes OpenBSD {ADD,DEL}FLOW extensions.
+ * Should probably be moved to sysdep.c
+ */
+static int
+pf_key_v2_flow (in_addr_t laddr, in_addr_t lmask, in_addr_t raddr,
+ in_addr_t rmask, u_int8_t tproto, u_int16_t sport,
+ u_int16_t dport, u_int8_t *spi, u_int8_t proto,
+ in_addr_t dst, in_addr_t src, int delete, int ingress,
+ u_int8_t srcid_type, u_int8_t *srcid, int srcid_len,
+ u_int8_t dstid_type, u_int8_t *dstid, int dstid_len,
+ u_int16_t encap_mode)
+{
+#if defined (SADB_X_ADDFLOW) && defined (SADB_X_DELFLOW)
+ struct sadb_msg msg;
+#ifdef SADB_X_EXT_FLOW_TYPE
+ struct sadb_protocol flowtype;
+ struct sadb_ident *sid = 0;
+#else
+ struct sadb_sa ssa;
+#endif
+ struct sadb_address *addr = 0;
+ struct sadb_protocol tprotocol;
+ struct pf_key_v2_msg *flow = 0, *ret = 0;
+ size_t len;
+ int err;
+
+#if !defined (SADB_X_SAFLAGS_INGRESS_FLOW) && !defined(SADB_X_EXT_FLOW_TYPE)
+ if (ingress)
+ return 0;
+#endif
+
+ msg.sadb_msg_type = delete ? SADB_X_DELFLOW : SADB_X_ADDFLOW;
+ switch (proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ msg.sadb_msg_satype = SADB_SATYPE_ESP;
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ msg.sadb_msg_satype = SADB_SATYPE_AH;
+ break;
+ default:
+ log_print ("pf_key_v2_flow: invalid proto %d", proto);
+ goto cleanup;
+ }
+ msg.sadb_msg_seq = 0;
+ flow = pf_key_v2_msg_new (&msg, 0);
+ if (!flow)
+ goto cleanup;
+
+#ifdef SADB_X_EXT_FLOW_TYPE
+ if (!delete)
+ {
+ /* Setup the source ID, if provided */
+ if (srcid)
+ {
+ sid = calloc (PF_KEY_V2_ROUND (srcid_len + 1) + sizeof *sid,
+ sizeof (u_int8_t));
+ if (!sid)
+ goto cleanup;
+
+ sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK)
+ + PF_KEY_V2_ROUND (srcid_len) / PF_KEY_V2_CHUNK;
+ sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
+ sid->sadb_ident_type = srcid_type;
+
+ memcpy (sid + 1, srcid, srcid_len);
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)sid,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+
+ sid = 0;
+ }
+
+ /* Setup the destination ID, if provided */
+ if (dstid)
+ {
+ sid = calloc (PF_KEY_V2_ROUND (dstid_len + 1) + sizeof *sid,
+ sizeof (u_int8_t));
+ if (!sid)
+ goto cleanup;
+
+ sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK)
+ + PF_KEY_V2_ROUND (dstid_len) / PF_KEY_V2_CHUNK;
+ sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
+ sid->sadb_ident_type = dstid_type;
+
+ memcpy (sid + 1, dstid, dstid_len);
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)sid,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+
+ sid = 0;
+ }
+ }
+
+ /* Setup the flow type extension. */
+ bzero (&flowtype, sizeof flowtype);
+ flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
+ flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK;
+ flowtype.sadb_protocol_direction
+ = ingress ? IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT;
+#ifdef OLD_OPENBSD_PFKEY_EXT
+ flowtype.sadb_protocol_proto = FLOW_X_TYPE_REQUIRE;
+#else
+ flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
+#endif
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&flowtype, 0) == -1)
+ goto cleanup;
+#else /* SADB_X_EXT_FLOW_TYPE */
+ /* Setup the SA extension. */
+ ssa.sadb_sa_exttype = SADB_EXT_SA;
+ ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK;
+ memcpy (&ssa.sadb_sa_spi, spi, sizeof ssa.sadb_sa_spi);
+ ssa.sadb_sa_replay = 0;
+ ssa.sadb_sa_state = 0;
+ ssa.sadb_sa_auth = 0;
+ ssa.sadb_sa_encrypt = 0;
+ ssa.sadb_sa_flags = 0;
+#ifdef SADB_X_SAFLAGS_INGRESS_FLOW
+ if (ingress)
+ ssa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW;
+#endif
+#ifdef SADB_X_SAFLAGS_REPLACEFLOW
+ if (!delete && !ingress)
+ ssa.sadb_sa_flags |= SADB_X_SAFLAGS_REPLACEFLOW;
+#endif
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&ssa, 0) == -1)
+ goto cleanup;
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+ /*
+ * Setup the ADDRESS extensions.
+ *
+ * XXX Addresses have to be thought through. Assumes IPv4.
+ */
+ len = sizeof *addr + PF_KEY_V2_ROUND (sizeof (struct sockaddr_in));
+#ifndef SADB_X_EXT_FLOW_TYPE
+ if (!delete || ingress)
+#else
+ if (!delete)
+#endif /* SADB_X_EXT_FLOW_TYPE */
+ {
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len
+ = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+#ifdef SADB_X_EXT_FLOW_TYPE
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr
+ = ingress ? src : dst;
+#else
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = dst;
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_port = 0;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+ }
+
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_X_EXT_SRC_FLOW;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = laddr;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = sport;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_X_EXT_SRC_MASK;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = lmask;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = sport ? 0xffff : 0;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_X_EXT_DST_FLOW;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = raddr;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = dport;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_X_EXT_DST_MASK;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = rmask;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = dport ? 0xffff : 0;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ /* Setup the protocol extension. */
+ bzero (&tprotocol, sizeof tprotocol);
+ tprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
+ tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK;
+ tprotocol.sadb_protocol_proto = tproto;
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&tprotocol, 0) == -1)
+ goto cleanup;
+
+ LOG_DBG ((LOG_SYSDEP, 50,
+ "pf_key_v2_flow: src %x %x dst %x %x proto %u sport %u dport %u",
+ ntohl (laddr), ntohl (lmask), ntohl (raddr), ntohl (rmask),
+ tproto, ntohs (sport), ntohs (dport)));
+
+ ret = pf_key_v2_call (flow);
+ pf_key_v2_msg_free (flow);
+ flow = 0;
+ if (!ret)
+ goto cleanup;
+ err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno;
+ if (err)
+ {
+ if (err == ESRCH) /* These are common and usually harmless. */
+ LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s",
+ delete ? "DEL" : "ADD", strerror (err)));
+ else
+ log_print ("pf_key_v2_flow: %sFLOW: %s", delete ? "DEL" : "ADD",
+ strerror (err));
+ goto cleanup;
+ }
+ pf_key_v2_msg_free (ret);
+
+ LOG_DBG ((LOG_MISC, 50, "pf_key_v2_flow: done"));
+
+ return 0;
+
+ cleanup:
+#ifdef SADB_X_EXT_FLOW_TYPE
+ if (sid)
+ free (sid);
+#endif /* SADB_X_EXT_FLOW_TYPE */
+ if (addr)
+ free (addr);
+ if (flow)
+ pf_key_v2_msg_free (flow);
+ if (ret)
+ pf_key_v2_msg_free (ret);
+ return -1;
+
+#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
+ struct sadb_msg msg;
+ struct sadb_x_policy *policy = 0;
+ struct sadb_x_ipsecrequest *ipsecrequest;
+ struct sadb_x_sa2 ssa2;
+ struct sadb_address *addr = 0;
+ struct sockaddr_in *saddr;
+ u_int8_t
+ policy_buf[sizeof *policy + sizeof *ipsecrequest + 2 * sizeof *saddr];
+ struct pf_key_v2_msg *flow = 0, *ret = 0;
+ size_t len;
+ int err;
+
+ msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
+ msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
+ msg.sadb_msg_seq = 0;
+ flow = pf_key_v2_msg_new (&msg, 0);
+ if (!flow)
+ goto cleanup;
+
+ memset (&ssa2, 0, sizeof ssa2);
+ ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
+ ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK;
+ ssa2.sadb_x_sa2_mode = 0;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)&ssa2, 0) == -1)
+ goto cleanup;
+
+ /*
+ * Setup the ADDRESS extensions.
+ *
+ * XXX Addresses have to be thought through. Assumes IPv4.
+ */
+ len = sizeof *addr + PF_KEY_V2_ROUND (sizeof (struct sockaddr_in));
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+ addr->sadb_address_prefixlen = pf_key_v2_mask_to_bits (ntohl (lmask));
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = laddr;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = IPSEC_PORT_ANY;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ addr = malloc (len);
+ if (!addr)
+ goto cleanup;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ addr->sadb_address_len = len / PF_KEY_V2_CHUNK;
+ addr->sadb_address_proto = IPSEC_ULPROTO_ANY;
+ addr->sadb_address_prefixlen = pf_key_v2_mask_to_bits (ntohl (rmask));
+ addr->sadb_address_reserved = 0;
+ memset (addr + 1, '\0', sizeof (struct sockaddr_in));
+#ifndef LINUX_PFKEY
+ ((struct sockaddr_in *)(addr + 1))->sin_len = sizeof (struct sockaddr_in);
+#endif
+ ((struct sockaddr_in *)(addr + 1))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(addr + 1))->sin_addr.s_addr = raddr;
+ ((struct sockaddr_in *)(addr + 1))->sin_port = IPSEC_PORT_ANY;
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)addr,
+ PF_KEY_V2_NODE_MALLOCED) == -1)
+ goto cleanup;
+ addr = 0;
+
+ /* Setup the POLICY extension. */
+ policy = (struct sadb_x_policy *)policy_buf;
+ policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy->sadb_x_policy_len = sizeof policy_buf / PF_KEY_V2_CHUNK;
+ policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+ if (ingress)
+ policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ else
+ policy->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+ policy->sadb_x_policy_reserved = 0;
+
+ /* Setup the IPSECREQUEST extension part. */
+ ipsecrequest = (struct sadb_x_ipsecrequest *)(policy + 1);
+ ipsecrequest->sadb_x_ipsecrequest_len
+ = sizeof *ipsecrequest + 2 * sizeof *saddr;
+ switch (proto)
+ {
+ case IPSEC_PROTO_IPSEC_ESP:
+ ipsecrequest->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
+ break;
+ case IPSEC_PROTO_IPSEC_AH:
+ ipsecrequest->sadb_x_ipsecrequest_proto = IPPROTO_AH;
+ break;
+ default:
+ log_print ("pf_key_v2_flow: invalid proto %d", proto);
+ goto cleanup;
+ }
+ /* Setup the encapsulation mode */
+ switch (encap_mode) {
+ case IPSEC_ENCAP_TUNNEL:
+ ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
+ break;
+ case IPSEC_ENCAP_TRANSPORT:
+ ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
+ break;
+ default:
+ log_print ("pf_key_v2_flow: invalid encap_mode %d", encap_mode);
+ goto cleanup;
+ }
+ ipsecrequest->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
+ ipsecrequest->sadb_x_ipsecrequest_reqid = 0; /* XXX */
+
+ /* Add source and destination addresses. XXX IPv4 dependent */
+ saddr = (struct sockaddr_in *)(ipsecrequest + 1);
+ memset (saddr, '\0', sizeof *saddr);
+#ifndef LINUX_PFKEY
+ saddr->sin_len = sizeof (struct sockaddr_in);
+#endif
+ saddr->sin_family = AF_INET;
+ saddr->sin_addr.s_addr = src;
+ saddr->sin_port = 0;
+
+ saddr++;
+ memset (saddr, '\0', sizeof *saddr);
+#ifndef LINUX_PFKEY
+ saddr->sin_len = sizeof (struct sockaddr_in);
+#endif
+ saddr->sin_family = AF_INET;
+ saddr->sin_addr.s_addr = dst;
+ saddr->sin_port = 0;
+
+ if (pf_key_v2_msg_add (flow, (struct sadb_ext *)policy, 0) == -1)
+ goto cleanup;
+
+ LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_flow: src %x %x dst %x %x",
+ ntohl (laddr), ntohl (lmask), ntohl (raddr), ntohl (rmask)));
+
+ ret = pf_key_v2_call (flow);
+ pf_key_v2_msg_free (flow);
+ flow = 0;
+ if (!ret)
+ goto cleanup;
+ err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno;
+ if (err)
+ {
+ /*
+ * Re-adding an SPD entry shouldn't be a catastrophic failure. Continue.
+ */
+ log_print ("pf_key_v2_flow: SPD%s: %s", delete ? "DELETE" : "ADD",
+ strerror (err));
+ }
+ pf_key_v2_msg_free (ret);
+
+ LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_flow: done"));
+
+ return 0;
+
+ cleanup:
+ if (addr)
+ free (addr);
+ if (policy)
+ free (policy);
+ if (flow)
+ pf_key_v2_msg_free (flow);
+ if (ret)
+ pf_key_v2_msg_free (ret);
+ return -1;
+
+#else
+ log_error ("pf_key_v2_flow: not supported in pure PF_KEYv2");
+ return -1;
+#endif
+}
+
+#ifdef SADB_X_EXT_FLOW_TYPE
+static u_int8_t *
+pf_key_v2_convert_id (u_int8_t *id, int idlen, int *reslen, int *idtype)
+{
+ u_int8_t *res = 0;
+
+ switch (id[0])
+ {
+ case IPSEC_ID_FQDN:
+ res = calloc (idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ,
+ sizeof (u_int8_t));
+ if (!res)
+ return 0;
+
+ *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
+ memcpy (res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen);
+ *idtype = SADB_IDENTTYPE_FQDN;
+ return res;
+
+ case IPSEC_ID_USER_FQDN:
+ res = calloc (idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ,
+ sizeof (u_int8_t));
+ if (!res)
+ return 0;
+
+ *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ;
+ memcpy (res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen);
+#ifdef OLD_OPENBSD_PFKEY_EXT
+ *idtype = SADB_IDENTTYPE_MBOX;
+#else
+ *idtype = SADB_IDENTTYPE_USERFQDN;
+#endif
+ return res;
+
+ case IPSEC_ID_IPV4_ADDR:
+ case IPSEC_ID_IPV4_RANGE:
+ case IPSEC_ID_IPV4_ADDR_SUBNET:
+ case IPSEC_ID_IPV6_ADDR:
+ case IPSEC_ID_IPV6_RANGE:
+ case IPSEC_ID_IPV6_ADDR_SUBNET:
+ case IPSEC_ID_DER_ASN1_DN:
+ case IPSEC_ID_DER_ASN1_GN:
+ case IPSEC_ID_KEY_ID:
+ /* XXX Not implemented yet. */
+ return 0;
+ }
+
+ return 0;
+}
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+/* Enable a flow given a SA. */
+int
+pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+ struct ipsec_sa *isa = sa->data;
+ struct sockaddr *dst, *src;
+ int dstlen, srclen, error;
+ struct proto *proto = TAILQ_FIRST (&sa->protos);
+ int sidtype = 0, didtype = 0, sidlen = 0, didlen = 0;
+ u_int8_t *sid = 0, *did = 0;
+#ifndef SADB_X_EXT_FLOW_TYPE
+ in_addr_t hostmask = 0xffffffff; /* XXX IPv4 specific */
+#endif /* SADB_X_EXT_FLOW_TYPE */
+ struct ipsec_proto *iproto;
+
+ sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+ sa->transport->vtbl->get_src (sa->transport, &src, &srclen);
+
+#ifdef SADB_X_EXT_FLOW_TYPE
+ if (isakmp_sa->id_i)
+ {
+ if (isakmp_sa->initiator)
+ sid = pf_key_v2_convert_id (isakmp_sa->id_i, isakmp_sa->id_i_len,
+ &sidlen, &sidtype);
+ else
+ did = pf_key_v2_convert_id (isakmp_sa->id_i, isakmp_sa->id_i_len,
+ &didlen, &didtype);
+ }
+
+ if (isakmp_sa->id_r)
+ {
+ if (isakmp_sa->initiator)
+ did = pf_key_v2_convert_id (isakmp_sa->id_r, isakmp_sa->id_r_len,
+ &didlen, &didtype);
+ else
+ sid = pf_key_v2_convert_id (isakmp_sa->id_r, isakmp_sa->id_r_len,
+ &sidlen, &sidtype);
+ }
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+ iproto = proto->data;
+ /* XXX IPv4 specific */
+ error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, isa->tproto, isa->sport, isa->dport,
+ proto->spi[0], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr, 0, 0,
+ sidtype, sid, sidlen, didtype, did, didlen,
+ iproto->encap_mode);
+ if (error)
+ goto cleanup;
+
+#ifndef SADB_X_EXT_FLOW_TYPE
+ /* Ingress flows, handling SA bundles */
+ while (TAILQ_NEXT (proto, link))
+ {
+ iproto = proto->data;
+ error = pf_key_v2_flow (((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ hostmask,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ hostmask, 0, 0, 0, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ 0, 1, 0, 0, 0, 0, 0, 0, iproto->encap_mode);
+ if (error)
+ goto cleanup;
+ proto = TAILQ_NEXT (proto, link);
+ }
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+ iproto = proto->data;
+#if 0
+ error = pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
+ isa->src_mask, isa->tproto, isa->dport, isa->sport,
+ proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr, 0, 1,
+ sidtype, sid, sidlen, didtype, did, didlen, iproto->encap_mode);
+#else
+ error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, isa->tproto, isa->sport, isa->dport,
+ proto->spi[0], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr, 0, 1,
+ sidtype, sid, sidlen, didtype, did, didlen,
+ iproto->encap_mode);
+ if (error)
+ goto cleanup;
+#endif
+
+ cleanup:
+#ifdef SADB_X_EXT_FLOW_TYPE
+ if (sid)
+ free (sid);
+ if (did)
+ free (did);
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+ return error;
+}
+
+/* Disable a flow given a SA. */
+static int
+pf_key_v2_disable_sa (struct sa *sa, int incoming)
+{
+ struct ipsec_sa *isa = sa->data;
+ struct sockaddr *dst, *src;
+ int dstlen, srclen;
+ struct proto *proto = TAILQ_FIRST (&sa->protos);
+#ifndef SADB_X_EXT_FLOW_TYPE
+ in_addr_t hostmask = 0xffffffff; /* XXX IPv4 specific */
+ int error;
+#endif /* SADB_X_EXT_FLOW_TYPE */
+ struct ipsec_proto *iproto;
+
+ sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen);
+ sa->transport->vtbl->get_src (sa->transport, &src, &srclen);
+
+ if (!incoming) {
+ iproto = proto->data;
+ return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
+ isa->dst_mask, isa->tproto, isa->sport, isa->dport,
+ proto->spi[0], proto->proto,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr, 1, 0,
+ 0, 0, 0, 0, 0, 0, iproto->encap_mode);
+ } else
+ {
+#ifndef SADB_X_EXT_FLOW_TYPE
+ /* Ingress flow --- SA bundles */
+ while (TAILQ_NEXT (proto, link))
+ {
+ iproto = proto->data;
+ error = pf_key_v2_flow (((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ hostmask,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ hostmask, 0, 0, 0,
+ proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ 1, 1, 0, 0, 0, 0, 0, 0, iproto->encap_mode);
+ if (error)
+ return error;
+ proto = TAILQ_NEXT (proto, link);
+ }
+#endif /* SADB_X_EXT_FLOW_TYPE */
+
+ iproto = proto->data;
+ return pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
+ isa->src_mask, isa->tproto, isa->dport,
+ isa->sport, proto->spi[1], proto->proto,
+ ((struct sockaddr_in *)src)->sin_addr.s_addr,
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr,
+ 1, 1, 0, 0, 0, 0, 0, 0, iproto->encap_mode);
+ }
+}
+
+/*
+ * Delete the IPSec SA represented by the INCOMING direction in protocol PROTO
+ * of the IKE security association SA. Also delete potential flows tied to it.
+ */ +int +pf_key_v2_delete_spi (struct sa *sa, struct proto *proto, int incoming) +{ + struct sadb_msg msg; + struct sadb_sa ssa; + struct sadb_address *addr = 0; + struct sockaddr *saddr; + struct sockaddr_in saddr_in; + int saddrlen, len, err; + struct pf_key_v2_msg *delete = 0, *ret = 0; + struct ipsec_sa *isa; +#ifdef KAME + struct sadb_x_sa2 ssa2; +#endif + + /* + * If the SA was not replaced and was not one acquired through the + * kernel (ACQUIRE message), remove the flow associated with it. + * We ignore any errors from the disabling of the flow. + */ + if (!(sa->flags & SA_FLAG_REPLACED) + && !(sa->flags & SA_FLAG_ONDEMAND)) + pf_key_v2_disable_sa (sa, incoming); + + msg.sadb_msg_type = SADB_DELETE; + switch (proto->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + msg.sadb_msg_satype = SADB_SATYPE_ESP; + break; + case IPSEC_PROTO_IPSEC_AH: + msg.sadb_msg_satype = SADB_SATYPE_AH; + break; + default: + log_print ("pf_key_v2_delete_spi: invalid proto %d", proto->proto); + goto cleanup; + } + msg.sadb_msg_seq = 0; + delete = pf_key_v2_msg_new (&msg, 0); + if (!delete) + goto cleanup; + + /* Setup the SA extension. */ + ssa.sadb_sa_exttype = SADB_EXT_SA; + ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; + memcpy (&ssa.sadb_sa_spi, proto->spi[incoming], sizeof ssa.sadb_sa_spi); + ssa.sadb_sa_replay = 0; + ssa.sadb_sa_state = 0; + ssa.sadb_sa_auth = 0; + ssa.sadb_sa_encrypt = 0; + ssa.sadb_sa_flags = 0; + if (pf_key_v2_msg_add (delete, (struct sadb_ext *)&ssa, 0) == -1) + goto cleanup; + +#ifdef KAME + memset (&ssa2, 0, sizeof ssa2); + ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; + ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK; + ssa2.sadb_x_sa2_mode = 0; + if (pf_key_v2_msg_add (delete, (struct sadb_ext *)&ssa2, 0) == -1) + goto cleanup; +#endif + + /* + * Setup the ADDRESS extensions. + * + * XXX Assumes IPv4. + * NOTE: For GDOI we cannot use the addresses on the transport, as IKE would + * do. Rather, the addresses in the proto shouldbe used. 
+ */ +#ifdef IKE_CODE + if (incoming) + sa->transport->vtbl->get_dst (sa->transport, &saddr, &saddrlen); + else + sa->transport->vtbl->get_src (sa->transport, &saddr, &saddrlen); +#else /* GDOI */ + /* + * I think we should always use the incoming SPI. + * Assume IPv4 and sockaddr_in type. + */ + isa = (struct ipsec_sa *)sa->data; + memset(&saddr_in, 0, sizeof(struct sockaddr_in)); + saddr_in.sin_family = PF_INET; + saddr_in.sin_port = isa->sport; + saddr_in.sin_addr.s_addr = isa->src_net; + saddr = (struct sockaddr *)&saddr_in; + saddrlen = sizeof(struct sockaddr_in); +#endif + + len = sizeof *addr + PF_KEY_V2_ROUND (saddrlen); + addr = malloc (len); + if (!addr) + goto cleanup; + addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; + addr->sadb_address_len = len / PF_KEY_V2_CHUNK; +#ifndef __OpenBSD__ + addr->sadb_address_proto = 0; + addr->sadb_address_prefixlen = 0; +#endif + addr->sadb_address_reserved = 0; + memcpy (addr + 1, saddr, saddrlen); + ((struct sockaddr_in *)(addr + 1))->sin_port = 0; + if (pf_key_v2_msg_add (delete, (struct sadb_ext *)addr, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + addr = 0; + +#ifdef IKE_CODE + if (incoming) + sa->transport->vtbl->get_src (sa->transport, &saddr, &saddrlen); + else + sa->transport->vtbl->get_dst (sa->transport, &saddr, &saddrlen); +#else /* GDOI */ + saddr_in.sin_port = isa->dport; + saddr_in.sin_addr.s_addr = isa->dst_net; +#endif + len = sizeof *addr + PF_KEY_V2_ROUND (saddrlen); + addr = malloc (len); + if (!addr) + goto cleanup; + addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; + addr->sadb_address_len = len / PF_KEY_V2_CHUNK; +#ifndef __OpenBSD__ + addr->sadb_address_proto = 0; + addr->sadb_address_prefixlen = 0; +#endif + addr->sadb_address_reserved = 0; + memcpy (addr + 1, saddr, saddrlen); + ((struct sockaddr_in *)(addr + 1))->sin_port = 0; + if (pf_key_v2_msg_add (delete, (struct sadb_ext *)addr, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + addr = 0; + LOG_DBG ((LOG_SYSDEP, 20, 
"pf_key_v2_delete_spi: dst %s SPI %x sproto %d", + inet_ntoa (((struct sockaddr_in *)saddr)->sin_addr), + ntohl (ssa.sadb_sa_spi), msg.sadb_msg_satype)); + + ret = pf_key_v2_call (delete); + pf_key_v2_msg_free (delete); + delete = 0; + if (!ret) + goto cleanup; + err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno; + if (err) + { + LOG_DBG ((LOG_SYSDEP, 10, "pf_key_v2_delete_spi: DELETE: %s", + strerror (err))); + goto cleanup; + } + pf_key_v2_msg_free (ret); + + LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_delete_spi: done")); + + return 0; + + cleanup: + if (addr) + free (addr); + if (delete) + pf_key_v2_msg_free (delete); + if (ret) + pf_key_v2_msg_free (ret); + return -1; +} + +static void +pf_key_v2_stayalive (struct exchange *exchange, void *vconn, int fail) +{ + char *conn = vconn; + struct sa *sa; + + /* XXX What if it is phase 1? */ + sa = sa_lookup_by_name (conn, 2); + if (sa) + sa->flags |= SA_FLAG_STAYALIVE; +} + +/* Check if a connection CONN exists, otherwise establish it. */ +void +pf_key_v2_connection_check (char *conn) +{ + if (!sa_lookup_by_name (conn, 2)) + { + LOG_DBG ((LOG_SYSDEP, 70, + "pf_key_v2_connection_check: SA for %s missing", conn)); + exchange_establish (conn, pf_key_v2_stayalive, conn); + } + else + LOG_DBG ((LOG_SYSDEP, 70, "pf_key_v2_connection_check: SA for %s exists", + conn)); +} + +/* Handle a PF_KEY lifetime expiration message PMSG. 
*/ +static void +pf_key_v2_expire (struct pf_key_v2_msg *pmsg) +{ + struct sadb_msg *msg; + struct sadb_sa *ssa; + struct sadb_address *dst; + struct sockaddr *dstaddr; + struct sadb_lifetime *life, *lifecurrent; + struct sa *sa; + struct pf_key_v2_node *lifenode, *ext; + + msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg; + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_SA); + if (!ext) + { + log_print ("pf_key_v2_expire: no SA extension found"); + return; + } + ssa = ext->seg; + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_ADDRESS_DST); + if (!ext) + { + log_print ("pf_key_v2_expire: no destination address extension found"); + return; + } + dst = ext->seg; + dstaddr = (struct sockaddr *)(dst + 1); + lifenode = pf_key_v2_find_ext (pmsg, SADB_EXT_LIFETIME_HARD); + if (!lifenode) + lifenode = pf_key_v2_find_ext (pmsg, SADB_EXT_LIFETIME_SOFT); + if (!lifenode) + { + log_print ("pf_key_v2_expire: no lifetime extension found"); + return; + } + life = lifenode->seg; + + lifenode = pf_key_v2_find_ext (pmsg, SADB_EXT_LIFETIME_CURRENT); + if (!lifenode) + { + log_print ("pf_key_v2_expire: no current lifetime extension found"); + return; + } + lifecurrent = lifenode->seg; + + /* XXX IPv4 specific. */ + LOG_DBG ((LOG_SYSDEP, 20, "pf_key_v2_expire: %s dst %s SPI %x sproto %d", + life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? "SOFT" + : "HARD", + inet_ntoa (((struct sockaddr_in *)dstaddr)->sin_addr), + ntohl (ssa->sadb_sa_spi), msg->sadb_msg_satype)); + + /* + * Find the IPsec SA. The IPsec stack has two SAs for every IKE SA, + * one outgoing and one incoming, we regard expirations for any of + * them as an expiration of the full IKE SA. Likewise, in + * protection suites consisting of more than one protocol, any + * expired individual IPsec stack SA will be seen as an expiration + * of the full suite. + * + * XXX When anything else than AH and ESP is supported this needs to change. + * XXX IPv4 specific. 
+ */ + sa = ipsec_sa_lookup (((struct sockaddr_in *)dstaddr)->sin_addr.s_addr, + ssa->sadb_sa_spi, + msg->sadb_msg_satype == SADB_SATYPE_ESP + ? IPSEC_PROTO_IPSEC_ESP : IPSEC_PROTO_IPSEC_AH); + + /* If the SA is already gone, don't do anything. */ + if (!sa) + return; + + /* + * If we got a notification, try to renegotiate the SA -- unless of + * course it has already been replaced by another. + * Also, ignore SAs that were not dynamically established, or that + * did not see any use. + */ + if (!(sa->flags & SA_FLAG_REPLACED) && (sa->flags & SA_FLAG_ONDEMAND) && + lifecurrent->sadb_lifetime_bytes) + exchange_establish (sa->name, 0, 0); + + if (life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_HARD) + { + /* Remove the old SA, it isn't useful anymore. */ + sa_free (sa); + } +} + +/* Handle a PF_KEY SA ACQUIRE message PMSG. */ +static void +pf_key_v2_acquire (struct pf_key_v2_msg *pmsg) +{ +#if !defined (SADB_X_ASKPOLICY) + return; +#else + struct sadb_msg *msg, askpolicy_msg; + struct pf_key_v2_msg *askpolicy = 0, *ret = 0; +#ifdef OLD_OPENBSD_PFKEY_EXT + struct sadb_policy policy; +#else + struct sadb_x_policy *policy = 0; +#endif + struct sadb_address *dst = 0, *src = 0; + struct sockaddr *dstaddr, *srcaddr = 0; + struct sadb_comb *scmb = 0; + struct sadb_prop *sprp = 0; + struct sadb_ident *srcident = 0, *dstident = 0; + char dstbuf[ADDRESS_MAX], srcbuf[ADDRESS_MAX], *peer = 0, conn[22]; + char confname[120]; + char *srcid = 0, *dstid = 0, *prefstring = 0; + int slen, af; + struct sockaddr *smask, *sflow, *dmask, *dflow; + struct sadb_protocol *sproto; + char ssflow[ADDRESS_MAX], sdflow[ADDRESS_MAX]; + char sdmask[ADDRESS_MAX], ssmask[ADDRESS_MAX]; + char lname[100], dname[100], configname[30]; + int shostflag = 0, dhostflag = 0; + struct pf_key_v2_node *ext; + struct passwd *pwd = NULL; + u_int16_t sport = 0, dport = 0; + u_int8_t tproto = 0; + char tmbuf[sizeof sport * 3 + 1]; + + msg = (struct sadb_msg *)TAILQ_FIRST (pmsg)->seg; + + ext = pf_key_v2_find_ext 
(pmsg, SADB_EXT_ADDRESS_DST); + if (!ext) + { + log_print ("pf_key_v2_acquire: no destination address specified"); + return; + } + dst = ext->seg; + + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_ADDRESS_SRC); + if (ext) + src = ext->seg; + + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_PROPOSAL); + if (ext) + { + sprp = ext->seg; + scmb = (struct sadb_comb *)(sprp + 1); + } + + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_IDENTITY_SRC); + if (ext) + srcident = ext->seg; + + ext = pf_key_v2_find_ext (pmsg, SADB_EXT_IDENTITY_DST); + if (ext) + dstident = ext->seg; + + /* Ask the kernel for the matching policy */ + bzero (&askpolicy_msg, sizeof askpolicy_msg); + askpolicy_msg.sadb_msg_type = SADB_X_ASKPOLICY; + askpolicy = pf_key_v2_msg_new (&askpolicy_msg, 0); + if (!askpolicy) + goto fail; + +#ifdef OLD_OPENBSD_PFKEY_EXT + policy.sadb_policy_exttype = SADB_X_EXT_POLICY; + policy.sadb_policy_len = sizeof policy / PF_KEY_V2_CHUNK; + policy.sadb_policy_seq = msg->sadb_msg_seq; +#else + policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY; + policy->sadb_x_policy_len = sizeof policy / PF_KEY_V2_CHUNK; + policy->sadb_x_policy_seq = msg->sadb_msg_seq; +#endif + + if (pf_key_v2_msg_add (askpolicy, (struct sadb_ext *)&policy, 0) == -1) + goto fail; + + ret = pf_key_v2_call (askpolicy); + if (!ret) + goto fail; + + /* Now we have all the information needed */ + + ext = pf_key_v2_find_ext (ret, SADB_X_EXT_SRC_FLOW); + if (!ext) + { + log_print ("pf_key_v2_acquire: no source flow extension found"); + goto fail; + } + sflow = (struct sockaddr *) (((struct sadb_address *)ext->seg) + 1); + + ext = pf_key_v2_find_ext (ret, SADB_X_EXT_DST_FLOW); + if (!ext) + { + log_print ("pf_key_v2_acquire: no destination flow extension found"); + goto fail; + } + dflow = (struct sockaddr *)(((struct sadb_address *)ext->seg) + 1); + ext = pf_key_v2_find_ext (ret, SADB_X_EXT_SRC_MASK); + if (!ext) + { + log_print ("pf_key_v2_acquire: no source mask extension found"); + goto fail; + } + smask = (struct sockaddr 
*)(((struct sadb_address *)ext->seg) + 1); + + ext = pf_key_v2_find_ext (ret, SADB_X_EXT_DST_MASK); + if (!ext) + { + log_print ("pf_key_v2_acquire: no destination mask extension found"); + goto fail; + } + dmask = (struct sockaddr *)(((struct sadb_address *)ext->seg) + 1); + + ext = pf_key_v2_find_ext (ret, SADB_X_EXT_FLOW_TYPE); + if (!ext) + { + log_print ("pf_key_v2_acquire: no flow type extension found"); + goto fail; + } + sproto = ext->seg; + tproto = sproto->sadb_protocol_proto; + + bzero (ssflow, sizeof ssflow); + bzero (sdflow, sizeof sdflow); + bzero (ssmask, sizeof ssmask); + bzero (sdmask, sizeof sdmask); + + switch (sflow->sa_family) + { + case AF_INET: + if (inet_ntop (AF_INET, &((struct sockaddr_in *)sflow)->sin_addr, ssflow, + ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + sport = ((struct sockaddr_in *)sflow)->sin_port; + if (inet_ntop (AF_INET, &((struct sockaddr_in *)dflow)->sin_addr, sdflow, + ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + dport = ((struct sockaddr_in *)dflow)->sin_port; + if (inet_ntop (AF_INET, &((struct sockaddr_in *)smask)->sin_addr, ssmask, + ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + if (inet_ntop (AF_INET, &((struct sockaddr_in *)dmask)->sin_addr, sdmask, + ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + if (((struct sockaddr_in *)smask)->sin_addr.s_addr == INADDR_BROADCAST) + shostflag = 1; + if (((struct sockaddr_in *)dmask)->sin_addr.s_addr == INADDR_BROADCAST) + dhostflag = 1; + break; + + case AF_INET6: + if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)sflow)->sin6_addr, + ssflow, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + sport = ((struct sockaddr_in6 *)sflow)->sin6_port; + if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)dflow)->sin6_addr, + sdflow, 
ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + dport = ((struct sockaddr_in6 *)dflow)->sin6_port; + if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)smask)->sin6_addr, + ssmask, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)dmask)->sin6_addr, + sdmask, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + if (IN6_IS_ADDR_FULL (&((struct sockaddr_in6 *)smask)->sin6_addr)) + shostflag = 1; + if (IN6_IS_ADDR_FULL (&((struct sockaddr_in6 *)dmask)->sin6_addr)) + dhostflag = 1; + break; + } + + dstaddr = (struct sockaddr *)(dst + 1); + bzero (dstbuf, sizeof dstbuf); + bzero (srcbuf, sizeof srcbuf); + + switch (dstaddr->sa_family) + { + case AF_INET: + if (inet_ntop (AF_INET, &((struct sockaddr_in *)dstaddr)->sin_addr, + dstbuf, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + LOG_DBG ((LOG_SYSDEP, 20, "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, + msg->sadb_msg_satype)); + break; + + case AF_INET6: + if (inet_ntop (AF_INET6, &((struct sockaddr_in6 *)dstaddr)->sin6_addr, + dstbuf, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + LOG_DBG ((LOG_SYSDEP, 20, "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, + msg->sadb_msg_satype)); + break; + } + + if (src) + { + srcaddr = (struct sockaddr *)(src + 1); + + switch (srcaddr->sa_family) + { + case AF_INET: + if (inet_ntop (AF_INET, &((struct sockaddr_in *)srcaddr)->sin_addr, + srcbuf, ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + break; + + case AF_INET6: + if (inet_ntop (AF_INET6, + &((struct sockaddr_in6 *)srcaddr)->sin6_addr, srcbuf, + ADDRESS_MAX) == NULL) + { + log_error ("pf_key_v2_acquire: inet_ntop failed"); + goto fail; + } + break; + } + } + + /* Insert source ID */ + if 
(srcident) + { + /* Check for valid type */ + switch (srcident->sadb_ident_type) + { + case SADB_IDENTTYPE_PREFIX: + /* XXX Process the address */ + break; + + case SADB_IDENTTYPE_FQDN: + prefstring = "FQDN"; + /* Fall through */ + +#ifdef OLD_OPENBSD_PFKEY_EXT + case SADB_IDENTTYPE_MBOX: +#else + case SADB_IDENTTYPE_USERFQDN: +#endif + slen = (srcident->sadb_ident_len * sizeof (u_int64_t)) + - sizeof (struct sadb_ident); + if (!prefstring) + { + prefstring = "USER_FQDN"; + + /* + * Check whether there is a string following the header; + * if no, that there is a user ID (and acquire the login + * name). If there is both a string and a user ID, check + * that they match. + */ + if ((slen == 0) && (srcident->sadb_ident_id == 0)) + { + log_error ("pf_key_v2_acquire: no user FQDN or ID provided"); + goto fail; + } + + if (srcident->sadb_ident_id) + { + pwd = getpwuid (srcident->sadb_ident_id); + if (pwd == NULL) + { + log_error ("pf_key_v2_acquire: could not acquire " + "username from provided ID %d", + srcident->sadb_ident_id); + goto fail; + } + + if (slen != 0) + if (strcmp (pwd->pw_name, (char *)(srcident + 1)) != 0) + { + log_error ("pf_key_v2_acquire: provided user name and " + "ID do not match (%s != %s)", + (char *)(srcident + 1), pwd->pw_name); + goto fail; + } + } + } + + srcid = malloc ((slen ? 
slen : strlen (pwd->pw_name)) + + strlen (prefstring) + 1 + strlen ("ID:/")); + if (!srcid) + { + log_error ("pf_key_v2_acquire: malloc (%d) failed", + slen + strlen (prefstring) + 1 + strlen ("ID:/")); + goto fail; + } + + sprintf (srcid, "ID:%s/", prefstring); + if (slen != 0) + strlcat (srcid + strlen ("ID:/") + strlen (prefstring), + (char *)(srcident + 1), + slen + strlen (prefstring) + 1 + strlen ("ID:/")); + else + strlcat (srcid + strlen ("ID:/") + strlen (prefstring), + pwd->pw_name, + strlen (prefstring) + 1 + strlen ("ID:/")); + pwd = NULL; + + /* Set the section if it doesn't already exist */ + if (!conf_get_str (srcid, "ID-type")) + { + af = conf_begin (); + if (conf_set (af, srcid, "ID-type", prefstring, 0, 0) + || conf_set (af, srcid, "Name", + srcid + strlen ("ID:/") + strlen (prefstring), + 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + conf_end (af, 1); + } + + break; + + default: + LOG_DBG ((LOG_SYSDEP, 20, + "pf_key_v2_acquire: invalid source ID type %d", + srcident->sadb_ident_type)); + goto fail; + } + + LOG_DBG ((LOG_SYSDEP, 50, + "pf_key_v2_acquire: constructed source ID \"%s\"", srcid)); + prefstring = 0; + } + + /* Insert destination ID */ + if (dstident) + { + /* Check for valid type */ + switch (dstident->sadb_ident_type) + { + case SADB_IDENTTYPE_PREFIX: + /* XXX Process the address */ + break; + + case SADB_IDENTTYPE_FQDN: + prefstring = "FQDN"; + /* Fall through */ + +#ifdef OLD_OPENBSD_PFKEY_EXT + case SADB_IDENTTYPE_MBOX: +#else + case SADB_IDENTTYPE_USERFQDN: +#endif + slen = (dstident->sadb_ident_len * sizeof (u_int64_t)) + - sizeof (struct sadb_ident); + if (!prefstring) + { + prefstring = "USER_FQDN"; + + /* + * Check whether there is a string following the header; + * if no, that there is a user ID (and acquire the login + * name). If there is both a string and a user ID, check + * that they match. 
+ */ + if ((slen == 0) && (dstident->sadb_ident_id == 0)) + { + log_error ("pf_key_v2_acquire: no user FQDN or ID provided"); + goto fail; + } + + if (dstident->sadb_ident_id) + { + pwd = getpwuid (dstident->sadb_ident_id); + if (pwd == NULL) + { + log_error ("pf_key_v2_acquire: could not acquire " + "username from provided ID %d", + dstident->sadb_ident_id); + goto fail; + } + + if (slen != 0) + if (strcmp (pwd->pw_name, (char *)(dstident + 1)) != 0) + { + log_error ("pf_key_v2_acquire: provided user name and " + "ID do not match (%s != %s)", + (char *)(dstident + 1), pwd->pw_name); + goto fail; + } + } + } + + dstid = malloc ((slen ? slen : strlen (pwd->pw_name)) + + strlen (prefstring) + 1 + strlen ("ID:/")); + if (!dstid) + { + log_error ("pf_key_v2_acquire: malloc (%d) failed", + slen + strlen (prefstring) + 1 + strlen ("ID:/")); + goto fail; + } + + sprintf (dstid, "ID:%s/", prefstring); + if (slen != 0) + strlcat (dstid + strlen ("ID:/") + strlen (prefstring), + (char *)(dstident + 1), + slen + strlen (prefstring) + 1 + strlen ("ID:/")); + else + strlcat (dstid + strlen ("ID:/") + strlen (prefstring), + pwd->pw_name, + strlen (prefstring) + 1 + strlen ("ID:/")); + pwd = NULL; + + /* Set the section if it doesn't already exist */ + if (!conf_get_str (dstid, "ID-type")) + { + af = conf_begin (); + if (conf_set (af, dstid, "ID-type", prefstring, 0, 0) + || conf_set (af, dstid, "Name", + dstid + strlen ("ID:/") + strlen (prefstring), + 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + conf_end (af, 1); + } + + break; + + default: + LOG_DBG ((LOG_SYSDEP, 20, + "pf_key_v2_acquire: invalid destination ID type %d", + dstident->sadb_ident_type)); + goto fail; + } + + LOG_DBG ((LOG_SYSDEP, 50, + "pf_key_v2_acquire: constructed destination ID \"%s\"", + dstid)); + } + + /* Now we've placed the necessary IDs in the configuration space */ + + /* Get a new connection sequence number */ + for (;; connection_seq++) + { + sprintf (conn, "Connection-%d", connection_seq); + 
sprintf (configname, "Config-Phase2-%d", connection_seq); + + /* Does it exist ? */ + if (!conf_get_str (conn, "Phase") + && !conf_get_str (configname, "Suites")) + break; + } + + /* + * Set the IPsec connection entry. In particular, the following fields: + * - Phase + * - ISAKMP-peer + * - Local-ID/Remote-ID (if provided) + * - Acquire-ID (sequence number of kernel message, e.g., PF_KEYv2) + * + * Also set the following section: + * [Peer-dstaddr(/srcaddr)(-srcid)(/dstid)] + * with these fields: + * - Phase + * - ID (if provided) + * - Remote-ID (if provided) + * - Local-address (if provided) + * - Address + * - Configuration (if an entry "ISAKMP-configuration-dstaddr(/srcaddr)" + * exists -- otherwise use the defaults) + */ + + peer = malloc (strlen (dstbuf) + strlen (srcbuf) + + (srcid ? strlen (srcid) : 0) + + (dstid ? strlen (dstid) : 0) + strlen ("Peer-/-/") + 1); + if (!peer) + goto fail; + + /* + * The various cases: + * - Peer-dstaddr + * - Peer-dstaddr/srcaddr + * - Peer-dstaddr/srcaddr-srcid + * - Peer-dstaddr/srcaddr-srcid/dstid + * - Peer-dstaddr/srcaddr-/dstid + * - Peer-dstaddr-srcid/dstid + * - Peer-dstaddr-/dstid + * - Peer-dstaddr-srcid + */ + sprintf (peer, "Peer-%s%s%s%s%s%s%s", dstbuf, srcaddr ? "/" : "", + srcaddr ? srcbuf : "", srcid ? "-" : "", srcid ? srcid : "", + dstid ? (srcid ? "/" : "-/") : "", dstid ? 
dstid : ""); + + /* Set the IPsec connection section */ + af = conf_begin (); + if (conf_set (af, conn, "Phase", "2", 0, 0) + || conf_set (af, conn, "Flags", "__ondemand", 0 ,0) + || conf_set (af, conn, "ISAKMP-peer", peer, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + /* Set the sequence number */ + sprintf (lname, "%u", msg->sadb_msg_seq); + if (conf_set (af, conn, "Acquire-ID", lname, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + /* Set Phase 2 IDs -- this is the Local-ID section */ + sprintf (lname, "Phase2-ID:%s/%s/%d/%d", ssflow, ssmask, tproto, sport); + if (conf_set (af, conn, "Local-ID", lname, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (!conf_get_str (lname, "ID-type")) + { + if (shostflag) + { + if (conf_set (af, lname, "ID-type", "IPV4_ADDR", 0, 0) + || conf_set (af, lname, "Address", ssflow, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + else + { + if (conf_set (af, lname, "ID-type", "IPV4_ADDR_SUBNET", 0, 0) + || conf_set (af, lname, "Network", ssflow, 0, 0) + || conf_set (af, lname, "Netmask", ssmask, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + if (tproto) + { + sprintf (tmbuf, "%d", tproto); + if (conf_set (af, lname, "Protocol", tmbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (sport) + { + sprintf (tmbuf, "%d", ntohs (sport)); + if (conf_set (af, lname, "Port", tmbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + } + } + + /* Set Remote-ID section */ + sprintf (dname, "Phase2-ID:%s/%s/%d/%d", sdflow, sdmask, tproto, dport); + if (conf_set (af, conn, "Remote-ID", dname, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (!conf_get_str (dname, "ID-type")) + { + if (dhostflag) + { + if (conf_set (af, dname, "ID-type", "IPV4_ADDR", 0, 0) + || conf_set (af, dname, "Address", sdflow, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + else + { + if (conf_set (af, dname, "ID-type", "IPV4_ADDR_SUBNET", 0, 0) + || conf_set (af, dname, "Network", sdflow, 0, 0) + || conf_set (af, dname, 
"Netmask", sdmask, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + + if (tproto) + { + sprintf (tmbuf, "%d", tproto); + if (conf_set (af, dname, "Protocol", tmbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (dport) + { + sprintf (tmbuf, "%d", ntohs (dport)); + if (conf_set (af, dname, "Port", tmbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + } + } + } + + /* + * XXX + * We should be using information from the proposal to set this up. + * At least, we should make this selectable. + */ + + /* Phase 2 configuration */ + if (conf_set (af, conn, "Configuration", configname, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (conf_set (af, configname, "Exchange_type", "Quick_mode", 0, 0) + || conf_set (af, configname, "DOI", "IPSEC", 0, 0) + || conf_set (af, configname, "Suites", + "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + /* Set the ISAKMP-peer section */ + if (!conf_get_str (peer, "Phase")) + { + if (conf_set (af, peer, "Phase", "1", 0, 0) + || conf_set (af, peer, "Address", dstbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + if (srcaddr && conf_set (af, peer, "Local-address", srcbuf, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + sprintf (confname, "ISAKMP-Configuration-%s", peer); + if (conf_set (af, peer, "Configuration", confname, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + /* XXX Default transform set should be settable */ + /* Phase 1 configuration */ + if (!conf_get_str (confname, "exchange_type")) + { + if (conf_set (af, confname, "Exchange_Type", "ID_PROT", 0, 0) + || conf_set (af, confname, "DOI", "IPSEC", 0, 0) + || conf_set (af, confname, "Transforms", "3DES-SHA-RSA_SIG", 0, + 0)) + { + conf_end (af, 0); + goto fail; + } + } + + /* The ID we should use in Phase 1 */ + if (srcid && conf_set (af, peer, "ID", srcid, 0, 0)) + { + conf_end (af, 0); + goto fail; + } + + /* The ID the other side should use in Phase 1 */ + if (dstid && conf_set (af, peer, "Remote-ID", dstid, 0, 
0)) + { + conf_end (af, 0); + goto fail; + } + } + else + { + /* Phase 1 tag exists, there's nothing more we need to do */ + } + + /* All done */ + conf_end (af, 1); + + /* Let's rock */ + pf_key_v2_connection_check (conn); + + /* + * XXX Need to implement cleanup of sections after SAs expire. In + * particular, we need to expire the IPsec connection section; we + * could keep the ISAKMP-peer, Local-ID/Remote-ID sections. + */ + + /* Fall-through to cleanup */ + fail: + if (ret) + pf_key_v2_msg_free (ret); + if (askpolicy) + pf_key_v2_msg_free (askpolicy); + if (srcid) + free (srcid); + if (dstid) + free (dstid); + if (peer) + free (peer); + return; +#endif +} + +static void +pf_key_v2_notify (struct pf_key_v2_msg *msg) +{ + switch (((struct sadb_msg *)TAILQ_FIRST (msg)->seg)->sadb_msg_type) + { + case SADB_EXPIRE: + pf_key_v2_expire (msg); + break; + + case SADB_ACQUIRE: + pf_key_v2_acquire (msg); + break; + + default: + log_print ("pf_key_v2_notify: unexpected message type (%d)", + ((struct sadb_msg *)TAILQ_FIRST (msg)->seg)->sadb_msg_type); + } + pf_key_v2_msg_free (msg); +} + +void +pf_key_v2_handler (int fd) +{ + struct pf_key_v2_msg *msg; +#ifndef LINUX_PFKEY + int n; + + /* + * As synchronous read/writes to the socket can have taken place between + * the select(2) call of the main loop and this handler, we need to recheck + * the readability. + */ + if (ioctl (pf_key_v2_socket, FIONREAD, &n) == -1) + { + log_error ("pf_key_v2_handler: ioctl (%d, FIONREAD, &n) failed", + pf_key_v2_socket); + return; + } + if (!n) + return; +#endif + msg = pf_key_v2_read (0); + if (msg) + pf_key_v2_notify (msg); +} + +/* + * Group 2 IPSec SAs given by the PROTO1 and PROTO2 protocols of the SA IKE + * security association in a chain. + * XXX Assumes OpenBSD GRPSPIS extension. 
Should probably be moved to sysdep.c + */ +int +pf_key_v2_group_spis (struct sa *sa, struct proto *proto1, + struct proto *proto2, int incoming) +{ +#ifdef SADB_X_GRPSPIS + struct sadb_msg msg; + struct sadb_sa sa1, sa2; + struct sadb_address *addr = 0; + struct sadb_protocol protocol; + struct pf_key_v2_msg *grpspis = 0, *ret = 0; + struct sockaddr *saddr; + int saddrlen, err; + size_t len; +#ifdef KAME + struct sadb_x_sa2 kamesa2; +#endif + + msg.sadb_msg_type = SADB_X_GRPSPIS; + switch (proto1->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + msg.sadb_msg_satype = SADB_SATYPE_ESP; + break; + case IPSEC_PROTO_IPSEC_AH: + msg.sadb_msg_satype = SADB_SATYPE_AH; + break; + default: + log_print ("pf_key_v2_group_spis: invalid proto %d", proto1->proto); + goto cleanup; + } + msg.sadb_msg_seq = 0; + grpspis = pf_key_v2_msg_new (&msg, 0); + if (!grpspis) + goto cleanup; + + /* Setup the SA extensions. */ + sa1.sadb_sa_exttype = SADB_EXT_SA; + sa1.sadb_sa_len = sizeof sa1 / PF_KEY_V2_CHUNK; + memcpy (&sa1.sadb_sa_spi, proto1->spi[incoming], sizeof sa1.sadb_sa_spi); + sa1.sadb_sa_replay = 0; + sa1.sadb_sa_state = 0; + sa1.sadb_sa_auth = 0; + sa1.sadb_sa_encrypt = 0; + sa1.sadb_sa_flags = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)&sa1, 0) == -1) + goto cleanup; + +#ifndef KAME + sa2.sadb_sa_exttype = SADB_X_EXT_SA2; + sa2.sadb_sa_len = sizeof sa2 / PF_KEY_V2_CHUNK; + memcpy (&sa2.sadb_sa_spi, proto2->spi[incoming], sizeof sa2.sadb_sa_spi); + sa2.sadb_sa_replay = 0; + sa2.sadb_sa_state = 0; + sa2.sadb_sa_auth = 0; + sa2.sadb_sa_encrypt = 0; + sa2.sadb_sa_flags = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)&sa2, 0) == -1) + goto cleanup; +#else + memset (&kamesa2, 0, sizeof kamesa2); + kamesa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; + kamesa2.sadb_x_sa2_len = sizeof kamesa2 / PF_KEY_V2_CHUNK; + kamesa2.sadb_x_sa2_mode = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)&kamesa2, 0) == -1) + goto cleanup; +#endif + + /* + * Setup the ADDRESS extensions. 
+ * + * XXX Addresses have to be thought through. Assumes IPv4. + */ + if (incoming) + sa->transport->vtbl->get_src (sa->transport, &saddr, &saddrlen); + else + sa->transport->vtbl->get_dst (sa->transport, &saddr, &saddrlen); + len = sizeof *addr + PF_KEY_V2_ROUND (saddrlen); + addr = malloc (len); + if (!addr) + goto cleanup; + addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; + addr->sadb_address_len = len / PF_KEY_V2_CHUNK; +#ifndef __OpenBSD__ + addr->sadb_address_proto = 0; + addr->sadb_address_prefixlen = 0; +#endif + addr->sadb_address_reserved = 0; + memcpy (addr + 1, saddr, saddrlen); + ((struct sockaddr_in *)(addr + 1))->sin_port = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)addr, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + addr = 0; + + addr = malloc (len); + if (!addr) + goto cleanup; + addr->sadb_address_exttype = SADB_X_EXT_DST2; + addr->sadb_address_len = len / PF_KEY_V2_CHUNK; +#ifndef __OpenBSD__ + addr->sadb_address_proto = 0; + addr->sadb_address_prefixlen = 0; +#endif + addr->sadb_address_reserved = 0; + memcpy (addr + 1, saddr, saddrlen); + ((struct sockaddr_in *)(addr + 1))->sin_port = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)addr, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + addr = 0; + + /* Setup the PROTOCOL extension. 
*/ + protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; + protocol.sadb_protocol_len = sizeof protocol / PF_KEY_V2_CHUNK; + switch (proto2->proto) + { + case IPSEC_PROTO_IPSEC_ESP: + protocol.sadb_protocol_proto = SADB_SATYPE_ESP; + break; + case IPSEC_PROTO_IPSEC_AH: + protocol.sadb_protocol_proto = SADB_SATYPE_AH; + break; + default: + log_print ("pf_key_v2_group_spis: invalid proto %d", proto2->proto); + goto cleanup; + } + protocol.sadb_protocol_reserved2 = 0; + if (pf_key_v2_msg_add (grpspis, (struct sadb_ext *)&protocol, 0) == -1) + goto cleanup; + + ret = pf_key_v2_call (grpspis); + pf_key_v2_msg_free (grpspis); + grpspis = 0; + if (!ret) + goto cleanup; + err = ((struct sadb_msg *)TAILQ_FIRST (ret)->seg)->sadb_msg_errno; + if (err) + { + log_print ("pf_key_v2_group_spis: GRPSPIS: %s", strerror (err)); + goto cleanup; + } + pf_key_v2_msg_free (ret); + + LOG_DBG ((LOG_SYSDEP, 50, "pf_key_v2_group_spis: done")); + + return 0; + + cleanup: + if (addr) + free (addr); + if (grpspis) + pf_key_v2_msg_free (grpspis); + if (ret) + pf_key_v2_msg_free (ret); + return -1; + +#else + log_error ("pf_key_v2_group_spis: not supported in pure PF_KEYv2"); + return -1; +#endif +} diff --git a/src/pf_key_v2.h b/src/pf_key_v2.h new file mode 100644 index 0000000..e99d0b5 --- /dev/null +++ b/src/pf_key_v2.h 
@@ -0,0 +1,63 @@ +/* $Id: pf_key_v2.h,v 1.2 2002/05/10 04:25:16 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/pf_key_v2.h,v $ */ + +/* $OpenBSD: pf_key_v2.h,v 1.5 2001/02/24 03:59:56 angelos Exp $ */ +/* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */ + +/* + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _PF_KEY_V2_H_ +#define _PF_KEY_V2_H_ + +#include +#include + +struct proto; +struct sa; +struct sockaddr; + +extern void pf_key_v2_connection_check (char *); +extern int pf_key_v2_delete_spi (struct sa *, struct proto *, int); +extern int pf_key_v2_enable_sa (struct sa *, struct sa *); +extern int pf_key_v2_enable_spi (in_addr_t, in_addr_t, in_addr_t, in_addr_t, + u_int8_t *, u_int8_t, in_addr_t); +extern u_int8_t *pf_key_v2_get_spi (size_t *, u_int8_t, struct sockaddr *, int, + struct sockaddr *, int, u_int32_t); +extern int pf_key_v2_group_spis (struct sa *, struct proto *, struct proto *, + int); +extern void pf_key_v2_handler (int); +extern int pf_key_v2_open (void); +extern int pf_key_v2_set_spi (struct sa *, struct proto *, int); + +#endif /* _PF_KEY_V2_H_ */ diff --git a/src/prf.c b/src/prf.c new file mode 100644 index 0000000..1e414d5 --- /dev/null +++ b/src/prf.c 
@@ -0,0 +1,182 @@ +/* $Id: prf.c,v 1.3 2007/03/21 20:03:05 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/prf.c,v $ */ + +/* $OpenBSD: prf.c,v 1.7 1999/05/02 19:16:41 niklas Exp $ */ +/* $EOM: prf.c,v 1.7 1999/05/02 12:50:29 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "hash.h" +#include "log.h" +#include "prf.h" + +void prf_hash_init (struct prf_hash_ctx *); +void prf_hash_update (struct prf_hash_ctx *, unsigned char *, unsigned int); +void prf_hash_final (unsigned char *, struct prf_hash_ctx *); + +/* PRF behaves likes a hash */ + +void +prf_hash_init (struct prf_hash_ctx *ctx) +{ + memcpy (ctx->hash->ctx, ctx->ctx, ctx->hash->ctxsize); + memcpy (ctx->hash->ctx2, ctx->ctx2, ctx->hash->ctxsize); +} + +void +prf_hash_update (struct prf_hash_ctx *ctx, unsigned char *data, + unsigned int len) +{ + ctx->hash->Update (ctx->hash->ctx, data, len); +} + +void +prf_hash_final (unsigned char *digest, struct prf_hash_ctx *ctx) +{ + ctx->hash->HMACFinal (digest, ctx->hash); +} + +/* + * Obtain a Pseudo-Random Function for us. At the moment this is + * the HMAC version of a hash. See RFC-2104 for reference. + */ +struct prf * +prf_alloc (enum prfs type, int subtype, char *shared, int sharedsize) +{ + struct hash *hash; + struct prf *prf; + struct prf_hash_ctx *prfctx; + + switch (type) + { + case PRF_HMAC: + case PRF_HASH: + hash = hash_get (subtype); + if (!hash) + { + log_print ("prf_alloc: unknown hash type %d", subtype); + return 0; + } + break; + default: + log_print ("prf_alloc: unknown PRF type %d", type); + return 0; + } + + prf = malloc (sizeof *prf); + if (!prf) + { + log_error ("prf_alloc: malloc (%d) failed", sizeof *prf); + return 0; + } + + switch (type) + { + case PRF_HMAC: + case PRF_HASH: + /* Obtain needed memory. 
*/ + prfctx = malloc (sizeof *prfctx); + if (!prfctx) + { + log_error ("prf_alloc: malloc (%d) failed", sizeof *prfctx); + goto cleanprf; + } + prf->prfctx = prfctx; + + prfctx->ctx = malloc (hash->ctxsize); + if (!prfctx->ctx) + { + log_error ("prf_alloc: malloc (%d) failed", hash->ctxsize); + goto cleanprfctx; + } + + prfctx->ctx2 = malloc (hash->ctxsize); + if (!prfctx->ctx2) + { + log_error ("prf_alloc: malloc (%d) failed", hash->ctxsize); + free (prfctx->ctx); + goto cleanprfctx; + } + prf->type = PRF_HMAC; + prf->blocksize = hash->hashsize; + prfctx->hash = hash; + + /* Use the correct function pointers. */ + prf->Init = (void (*) (void *))prf_hash_init; + prf->Update + = (void (*) (void *, unsigned char *, unsigned int))prf_hash_update; + prf->Final = (void (*) (unsigned char *, void *))prf_hash_final; + + if (type == PRF_HMAC) + { + /* Init HMAC contexts. */ + hash->HMACInit (hash, (unsigned char *)shared, sharedsize); + } + + /* Save contexts. */ + memcpy (prfctx->ctx, hash->ctx, hash->ctxsize); + memcpy (prfctx->ctx2, hash->ctx2, hash->ctxsize); + break; + } + + return prf; + + cleanprfctx: + free (prf->prfctx); + cleanprf: + free (prf); + return 0; +} + +/* Deallocate the PRF pointed to by PRF. */ +void +prf_free (struct prf *prf) +{ + struct prf_hash_ctx *prfctx = prf->prfctx; + + if (prf->type == PRF_HMAC) + { + free (prfctx->ctx2); + free (prfctx->ctx); + } + free (prf->prfctx); + free (prf); +} diff --git a/src/prf.h b/src/prf.h new file mode 100644 index 0000000..4f351af --- /dev/null +++ b/src/prf.h 
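Review bot: `prf_free` returns `prfctx->ctx` and `prfctx->ctx2` to the allocator without clearing them, although `prf_alloc` fills both by copying `hash->ctx` and `hash->ctx2` right after `hash->HMACInit (hash, (unsigned char *)shared, sharedsize)`, so in the HMAC case they hold state derived from the shared secret. I would wipe each buffer before its `free`, for example `explicit_bzero (prfctx->ctx, prfctx->hash->ctxsize);` and the same for `ctx2`, or whatever non-elidable wipe the sysdep layer provides, since a plain `memset` before `free` may be optimised away. Separately, the two `log_error ("prf_alloc: malloc (%d) failed", sizeof ...)` calls pass a `size_t` to `%d`; casting the argument, as in `(int)sizeof *prf`, keeps the format and argument in step.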
@@ -0,0 +1,67 @@ +/* $Id: prf.h,v 1.2 2002/05/10 04:25:17 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/prf.h,v $ */ + +/* $OpenBSD: prf.h,v 1.5 2001/01/27 12:03:36 niklas Exp $ */ +/* $EOM: prf.h,v 1.1 1998/07/11 20:06:22 provos Exp $ */ + +/* + * Copyright (c) 1998 Niels Provos. All rights reserved. + * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _PRF_H_ +#define _PRF_H_ + +/* Enumeration of possible PRF - Pseudo-Random Functions. */ +enum prfs { + PRF_HMAC = 0, /* No PRFs in drafts, this is the default */ + PRF_HASH +}; + +struct prf { + enum prfs type; /* Type of PRF */ + void *prfctx; /* Context for PRF */ + u_int8_t blocksize; /* The blocksize of PRF */ + void (*Init) (void *); + void (*Update) (void *, unsigned char *, unsigned int); + void (*Final) (unsigned char *, void *); +}; + +struct prf_hash_ctx { + struct hash *hash; /* Hash type to use */ + void *ctx, *ctx2; /* Contexts we need for later */ +}; + +struct prf *prf_alloc (enum prfs, int, char *, int); +void prf_free (struct prf *); + +#endif /* _PRF_H_ */ diff --git a/src/sa.c b/src/sa.c new file mode 100644 index 0000000..72fd2cd --- /dev/null +++ b/src/sa.c 
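Review bot: The comment on `u_int8_t blocksize; /* The blocksize of PRF */` does not match how the field is filled: `prf_alloc` in src/prf.c of this same patch assigns `hash->hashsize`, which by its name is the digest length rather than the hash's input block size (`struct hash` is not defined in this hunk, so that reading is inferred). A comment such as `/* Output length of the PRF in bytes (hash->hashsize) */` would keep callers from sizing buffers by the wrong quantity. The header also uses `u_int8_t` with no include of its own, so it only compiles when the including file has already pulled in `<sys/types.h>`.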
@@ -0,0 +1,867 @@ +/* $Id: sa.c,v 1.6 2007/03/21 20:03:05 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/sa.c,v $ */ + +/* $OpenBSD: sa.c,v 1.41 2001/04/24 07:27:37 niklas Exp $ */ +/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "cookie.h" +#include "doi.h" +#include "exchange.h" +#include "isakmp.h" +#include "log.h" +#include "message.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "util.h" +#include "cert.h" +#include "gdoi_num.h" + +#ifndef SA_LEN +#define SA_LEN(x) (x)->sa_len +#endif + +/* Initial number of bits from the cookies used as hash. */ +#define INITIAL_BUCKET_BITS 6 + +/* + * Don't try to use more bits than this as a hash. + * We only XOR 16 bits so going above that means changing the code below + * too. + */ +#define MAX_BUCKET_BITS 16 + +static void sa_dump (char *, struct sa *); +static void sa_soft_expire (void *); +static void sa_hard_expire (void *); + +static LIST_HEAD (sa_list, sa) *sa_tab; + +/* Works both as a maximum index and a mask. */ +static int bucket_mask; + +void +sa_init () +{ + int i; + + bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; + sa_tab = malloc ((bucket_mask + 1) * sizeof (struct sa_list)); + if (!sa_tab) + log_fatal ("sa_init: malloc (%s) failed", + (bucket_mask + 1) * sizeof (struct sa_list)); + for (i = 0; i <= bucket_mask; i++) + { + LIST_INIT (&sa_tab[i]); + } + +} + +/* XXX We don't yet resize. 
*/ +void +sa_resize () +{ + int new_mask = (bucket_mask + 1) * 2 - 1; + int i; + struct sa_list *new_tab; + + new_tab = realloc (sa_tab, (new_mask + 1) * sizeof (struct sa_list)); + if (!new_tab) + return; + sa_tab = new_tab; + for (i = bucket_mask + 1; i <= new_mask; i++) + { + LIST_INIT (&sa_tab[i]); + } + bucket_mask = new_mask; + + /* XXX Rehash existing entries. */ +} + +/* Lookup an SA with the help from a user-supplied checking function. */ +struct sa * +sa_find (int (*check) (struct sa *, void *), void *arg) +{ + int i; + struct sa *sa; + + for (i = 0; i <= bucket_mask; i++) + for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link)) + if (check (sa, arg)) + { + LOG_DBG ((LOG_SA, 90, "sa_find: return SA %p", sa)); + return sa; + } + LOG_DBG ((LOG_SA, 90, "sa_find: no SA matched query")); + return 0; +} + +/* Check if SA is an ISAKMP SA with an initiar cookie equal to ICOOKIE. */ +static int +sa_check_icookie (struct sa *sa, void *icookie) +{ + return sa->phase == 1 + && memcmp (sa->cookies, icookie, ISAKMP_HDR_ICOOKIE_LEN) == 0; +} + +/* Lookup an ISAKMP SA out of just the initiator cookie. */ +struct sa * +sa_lookup_from_icookie (u_int8_t *cookie) +{ + return sa_find (sa_check_icookie, cookie); +} + +struct name_phase_arg { + char *name; + u_int8_t phase; +}; + +/* + * Argument for sa_check_name_phase(). It was declared locally + * to the function, but it then always gets passed as NULL on + * Linux. Compiler err? + */ +struct name_phase_arg *sa_check_name_phase_arg; + +/* Check if SA has the name and phase given by V_ARG. */ +static int +sa_check_name_phase (struct sa *sa, void *v_arg) +{ + sa_check_name_phase_arg = v_arg; + + return sa->name && + strcasecmp (sa->name, sa_check_name_phase_arg->name) == 0 && + sa->phase == sa_check_name_phase_arg->phase && + !(sa->flags & SA_FLAG_REPLACED); +} + +/* Lookup an SA by name, case-independent, and phase. 
*/ +struct sa * +sa_lookup_by_name (char *name, int phase) +{ + struct name_phase_arg arg = { name, phase }; + void *v_arg = (void *)&arg; + + return sa_find (sa_check_name_phase, v_arg); +} + +struct addr_arg +{ + struct sockaddr *addr; + socklen_t len; + int phase; + int flags; +}; + +/* + * Check if SA is ready and has a peer with an address equal the one given + * by V_ADDR. Furthermore if we are searching for a specific phase, check + * that too. + */ +static int +sa_check_peer (struct sa *sa, void *v_addr) +{ + struct addr_arg *addr = v_addr; + struct sockaddr *dst; + socklen_t dstlen; + + if (!sa->transport || (sa->flags & SA_FLAG_READY) == 0 + || (addr->phase && addr->phase != sa->phase)) + return 0; + + sa->transport->vtbl->get_dst (sa->transport, &dst, (int *)&dstlen); + return dstlen == addr->len && memcmp (dst, addr->addr, dstlen) == 0; +} + +struct dst_isakmpspi_arg { + struct sockaddr *dst; + u_int8_t *spi; /* must be ISAKMP_SPI_SIZE octets */ +}; + +/* + * Check if SA matches what we are asking for through V_ARG. It has to + * be a finished phaes 1 (ISAKMP) SA. + */ +static int +isakmp_sa_check (struct sa *sa, void *v_arg) +{ + struct dst_isakmpspi_arg *arg = v_arg; + struct sockaddr *dst, *src; + int dstlen, srclen; + + if (sa->phase != 1 || !(sa->flags & SA_FLAG_READY) || !sa->transport) + return 0; + + /* verify address is either src or dst for this sa */ + sa->transport->vtbl->get_dst (sa->transport, &dst, &dstlen); + sa->transport->vtbl->get_src (sa->transport, &src, &srclen); + if (memcmp (src, arg->dst, SA_LEN(src)) && + memcmp (dst, arg->dst, SA_LEN(dst))) + return 0; + + /* match icookie+rcookie against spi */ + if (memcmp (sa->cookies, arg->spi, ISAKMP_HDR_COOKIES_LEN) == 0) + return 1; + + return 0; +} + +/* + * Find an ISAKMP SA with a "name" of DST & SPI. 
+ */ +struct sa * +sa_lookup_isakmp_sa (struct sockaddr *dst, u_int8_t *spi) +{ + struct dst_isakmpspi_arg arg = { dst, spi }; + + return sa_find (isakmp_sa_check, &arg); +} + +/* Lookup a ready SA by the peer's address. */ +struct sa * +sa_lookup_by_peer (struct sockaddr *dst, socklen_t dstlen) +{ + struct addr_arg arg = { dst, dstlen, 0 }; + + return sa_find (sa_check_peer, &arg); +} + +/* Lookup a ready ISAKMP SA given its peer address. */ +struct sa * +sa_isakmp_lookup_by_peer (struct sockaddr *dst, socklen_t dstlen) +{ + struct addr_arg arg = { dst, dstlen, 1 }; + + return sa_find (sa_check_peer, &arg); +} + +int +sa_enter (struct sa *sa) +{ + u_int16_t bucket = 0; + int i; + u_int8_t *cp; + + /* XXX We might resize if we are crossing a certain threshold */ + + for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) + { + cp = sa->cookies + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) + { + cp = sa->message_id + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + bucket &= bucket_mask; + LIST_INSERT_HEAD (&sa_tab[bucket], sa, link); + sa_reference (sa); + LOG_DBG ((LOG_SA, 70, "sa_enter: SA %p added to SA list", sa)); + return 1; +} + +/* + * Lookup the SA given by the header fields MSG. PHASE2 is false when + * looking for phase 1 SAa and true otherwise. + */ +struct sa * +sa_lookup_by_header (u_int8_t *msg, int phase2) +{ + return sa_lookup (msg + ISAKMP_HDR_COOKIES_OFF, + phase2 ? msg + ISAKMP_HDR_MESSAGE_ID_OFF : 0); +} + +/* + * Lookup the SA given by the COOKIES and possibly the MESSAGE_ID unless + * NULL, meaning we are looking for phase 1 SAs. 
+ */ +struct sa * +sa_lookup (u_int8_t *cookies, u_int8_t *message_id) +{ + u_int16_t bucket = 0; + int i; + struct sa *sa; + u_int8_t *cp; + + /* + * We use the cookies to get bits to use as an index into sa_tab, as at + * least one (our cookie) is a good hash, xoring all the bits, 16 at a + * time, and then masking, should do. Doing it this way means we can + * validate cookies very fast thus delimiting the effects of "Denial of + * service"-attacks using packet flooding. + */ + for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) + { + cp = cookies + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + if (message_id) + for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) + { + cp = message_id + i; + /* Doing it this way avoids alignment problems. */ + bucket ^= cp[0] | cp[1] << 8; + } + bucket &= bucket_mask; + for (sa = LIST_FIRST (&sa_tab[bucket]); + sa && (memcmp (cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 + || (message_id && memcmp (message_id, sa->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN) + != 0) + || (!message_id && !zero_test (sa->message_id, + ISAKMP_HDR_MESSAGE_ID_LEN))); + sa = LIST_NEXT (sa, link)) + ; + + return sa; +} + +/* Create an SA. */ +int +sa_create (struct exchange *exchange, struct transport *t) +{ + struct sa *sa; + + /* + * We want the SA zeroed for sa_free to be able to find out what fields + * have been filled-in. + */ + sa = calloc (1, sizeof *sa); + if (!sa) + { + log_error ("sa_create: calloc (1, %d) failed", sizeof *sa); + return -1; + } + sa->transport = t; + if (t) + transport_reference (t); + sa->phase = exchange->phase; + memcpy (sa->cookies, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); + memcpy (sa->message_id, exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); + sa->doi = exchange->doi; + + if (sa->doi->sa_size) + { + /* Allocate the DOI-specific structure and initialize it to zeroes. 
*/ + sa->data = calloc (1, sa->doi->sa_size); + if (!sa->data) + { + log_error ("sa_create: calloc (1, %d) failed", sa->doi->sa_size); + free (sa); + return -1; + } + } + + TAILQ_INIT (&sa->protos); + + sa_enter (sa); + TAILQ_INSERT_TAIL (&exchange->sa_list, sa, next); + sa_reference (sa); + + LOG_DBG ((LOG_SA, 60, + "sa_create: sa %p phase %d added to exchange %p (%s)", sa, + sa->phase, exchange, + exchange->name ? exchange->name : "")); + return 0; +} + +/* + * Dump the internal state of SA to the report channel, with HEADER + * prepended to each line. + */ +static void +sa_dump (char *header, struct sa *sa) +{ + struct proto *proto; + char spi_header[80]; + int i; + + LOG_DBG ((LOG_REPORT, 0, "%s: %p %s phase %d doi %d flags 0x%x", + header, sa, sa->name ? sa->name : "", sa->phase, + sa->doi->id, sa->flags)); + LOG_DBG ((LOG_REPORT, 0, + "%s: icookie %08x%08x rcookie %08x%08x", header, + decode_32 (sa->cookies), decode_32 (sa->cookies + 4), + decode_32 (sa->cookies + 8), decode_32 (sa->cookies + 12))); + LOG_DBG ((LOG_REPORT, 0, "%s: msgid %08x refcnt %d", header, + decode_32 (sa->message_id), sa->refcnt)); + for (proto = TAILQ_FIRST (&sa->protos); proto; + proto = TAILQ_NEXT (proto, link)) + { + LOG_DBG ((LOG_REPORT, 0, + "%s: suite %d proto %d", header, proto->no, proto->proto)); + LOG_DBG ((LOG_REPORT, 0, + "%s: spi_sz[0] %d spi[0] %p spi_sz[1] %d spi[1] %p", header, + proto->spi_sz[0], proto->spi[0], proto->spi_sz[1], + proto->spi[1])); + LOG_DBG ((LOG_REPORT, 0, "%s: %s, %s", header, + sa->doi == NULL ? "" + : sa->doi->decode_ids ("initiator id: %s, responder id: %s", + sa->id_i, sa->id_i_len, + sa->id_r, sa->id_r_len, 0), + sa->transport == NULL ? "" : + sa->transport->vtbl->decode_ids (sa->transport))); + for (i = 0; i < 2; i++) + if (proto->spi[i]) + { + snprintf (spi_header, 80, "%s: spi[%d]", header, i); + LOG_DBG_BUF ((LOG_REPORT, 0, spi_header, proto->spi[i], + proto->spi_sz[i])); + } + } +} + +/* Report all the SAs to the report channel. 
*/ +void +sa_report (void) +{ + int i; + struct sa *sa; + + for (i = 0; i <= bucket_mask; i++) + for (sa = LIST_FIRST (&sa_tab[i]); sa; sa = LIST_NEXT (sa, link)) + sa_dump ("sa_report", sa); +} + +/* Free the protocol structure pointed to by PROTO. */ +void +proto_free (struct proto *proto) +{ + int i; + struct sa *sa = proto->sa; + + for (i = 0; i < 2; i++) + if (proto->spi[i]) + { + if (sa->doi->delete_spi) + sa->doi->delete_spi (sa, proto, i); + free (proto->spi[i]); + } + TAILQ_REMOVE (&sa->protos, proto, link); + if (proto->data) + { + if (sa->doi && sa->doi->free_proto_data) + sa->doi->free_proto_data (proto->data); + free (proto->data); + } + + /* XXX Use class LOG_SA instead? */ + LOG_DBG ((LOG_MISC, 90, "proto_free: freeing %p", proto)); + + free (proto); +} + +/* Release all resources this SA is using. */ +void +sa_free (struct sa *sa) +{ + if (sa->death) + { + timer_remove_event (sa->death); + sa->death = 0; + sa->refcnt--; + LOG_DBG ((LOG_SA, 80, "sa_reference: SA %p now has %d references" + " (remove death timer event)", sa, sa->refcnt)); + } + if (sa->soft_death) + { + timer_remove_event (sa->soft_death); + sa->soft_death = 0; + sa->refcnt--; + LOG_DBG ((LOG_SA, 80, "sa_reference: SA %p now has %d references" + " (remove soft death timer event)", sa, sa->refcnt)); + } + sa_remove (sa); +} + +/* Remove the SA from the hash table of live SAs. */ +void +sa_remove (struct sa *sa) +{ + LIST_REMOVE (sa, link); + LOG_DBG ((LOG_SA, 70, "sa_remove: SA %p removed from SA list", sa)); + sa_release (sa); + if (sa->doi && sa->doi->postprocess_sa) + { + sa->doi->postprocess_sa (sa); + } +} + +/* Raise the reference count of SA. */ +void +sa_reference (struct sa *sa) +{ + sa->refcnt++; + LOG_DBG ((LOG_SA, 80, "sa_reference: SA %p now has %d references", + sa, sa->refcnt)); +} + +extern void gdoi_rekey_free_sa (struct sa *); + +/* Release a reference to SA. 
*/ +void +sa_release (struct sa *sa) +{ + struct proto *proto; + struct cert_handler *handler; + + LOG_DBG ((LOG_SA, 80, "sa_release: SA %p had %d references", + sa, sa->refcnt)); + + if (sa->refcnt == 0) + { + LOG_DBG ((LOG_SA, 60, "sa_release: No references to this SA!")); + return; + } + else + { + sa->refcnt--; + LOG_DBG ((LOG_SA, 80, "sa_release: SA %p now has %d references" + " (sa_release)", sa, sa->refcnt)); + if (sa->refcnt > 0) + { + LOG_DBG ((LOG_SA, 80, "sa_release: SA %p returning without" + " freeing SA", sa)); + return; + } + } + + LOG_DBG ((LOG_SA, 60, "sa_release: freeing SA %p", sa)); + + /* + * Remove the SA from any GDOI Rekey exchange lists. + * This should not be necessary, but sometimes a stray SA isn't + * properly removed, which results in a crash. The real fix is + * TBD .... + */ + gdoi_rekey_free_sa(sa); + + while ((proto = TAILQ_FIRST (&sa->protos)) != 0) + proto_free (proto); + if (sa->data) + { + if (sa->doi && sa->doi->free_sa_data) + sa->doi->free_sa_data (sa->data); + free (sa->data); + } + if (sa->id_i) + free (sa->id_i); + if (sa->id_r) + free (sa->id_r); + if (sa->recv_cert) + { + handler = cert_get (sa->recv_certtype); + if (handler) + handler->cert_free (sa->recv_cert); + else if (sa->recv_certtype == ISAKMP_CERTENC_NONE) + free (sa->recv_cert); + } + if (sa->recv_key) + free (sa->recv_key); + if (sa->name) + free (sa->name); + if (sa->keystate) + free (sa->keystate); + if (sa->transport) + transport_release (sa->transport); + free (sa); +} + +/* + * Rehash the ISAKMP SA this MSG is negotiating with the responder cookie + * filled in. + */ +void +sa_isakmp_upgrade (struct message *msg) +{ + struct sa *sa = TAILQ_FIRST (&msg->exchange->sa_list); + + sa_remove (sa); + GET_ISAKMP_HDR_RCOOKIE (msg->iov[0].iov_base, + sa->cookies + ISAKMP_HDR_ICOOKIE_LEN); + + /* + * We don't install a transport in the initiator case as we don't know + * what local address will be chosen. Do it now instead. 
+ */ + sa->transport = msg->transport; + transport_reference (sa->transport); + sa_enter (sa); +} + +/* + * Register the chosen transform XF into SA. As a side effect set PROTOP + * to point at the corresponding proto structure. INITIATOR is true if we + * are the initiator. + */ +int +sa_add_transform (struct sa *sa, struct payload *xf, int initiator, + struct proto **protop) +{ + struct proto *proto; + struct payload *prop = xf->context; + + *protop = 0; + if (!initiator) + { + proto = calloc (1, sizeof *proto); + if (!proto) + log_error ("sa_add_transform: calloc (1, %d) failed", sizeof *proto); + } + else + /* Find the protection suite that were chosen. */ + for (proto = TAILQ_FIRST (&sa->protos); + proto && proto->no != GET_ISAKMP_PROP_NO (prop->p); + proto = TAILQ_NEXT (proto, link)) + ; + if (!proto) + return -1; + *protop = proto; + + /* Allocate DOI-specific part. */ + if (!initiator) + { + proto->data = calloc (1, sa->doi->proto_size); + if (!proto->data) + { + log_error ("sa_add_transform: calloc (1, %d) failed", + sa->doi->proto_size); + goto cleanup; + } + } + + proto->no = GET_ISAKMP_PROP_NO (prop->p); + proto->proto = GET_ISAKMP_PROP_PROTO (prop->p); + proto->spi_sz[0] = GET_ISAKMP_PROP_SPI_SZ (prop->p); + if (proto->spi_sz[0]) + { + proto->spi[0] = malloc (proto->spi_sz[0]); + if (!proto->spi[0]) + goto cleanup; + memcpy (proto->spi[0], prop->p + ISAKMP_PROP_SPI_OFF, proto->spi_sz[0]); + } + proto->chosen = xf; + proto->sa = sa; + proto->id = GET_ISAKMP_TRANSFORM_ID (xf->p); + if (!initiator) + TAILQ_INSERT_TAIL (&sa->protos, proto, link); + + /* Let the DOI get at proto for initializing its own data. 
*/ + if (sa->doi->proto_init) + sa->doi->proto_init (proto, 0); + + LOG_DBG ((LOG_SA, 80, + "sa_add_transform: " + "proto %p no %d proto %d chosen %p sa %p id %d", + proto, proto->no, proto->proto, proto->chosen, proto->sa, + proto->id)); + + return 0; + + cleanup: + if (!initiator) + { + if (proto->data) + free (proto->data); + free (proto); + } + *protop = 0; + return -1; +} + +/* Delete an SA. Tell the peer if NOTIFY is set. */ +void +sa_delete (struct sa *sa, int notify) +{ + /* + * Don't bother notifying of Phase 1 SA deletes. + * Don't bother with GDOI SA deletes either, as they will be taken care + * of in GDOI, if appropriate. + */ + if ((sa->phase != 1 && notify) && (sa->doi->id != GROUP_DOI_GDOI)) + message_send_delete (sa); + sa_free (sa); +} + +/* + * This function will get called when we are closing in on the death time of SA + */ +static void +sa_soft_expire (void *v_sa) +{ + struct sa *sa = v_sa; + + sa->soft_death = 0; + sa_release (sa); + + if ((sa->flags & (SA_FLAG_STAYALIVE | SA_FLAG_REPLACED)) + == SA_FLAG_STAYALIVE) + exchange_establish (sa->name, 0, 0); + else + /* + * Start to watch the use of this SA, so a renegotiation can + * happen as soon as it is shown to be alive. + */ + sa->flags |= SA_FLAG_FADING; +} + +/* SA has passed its best before date. */ +static void +sa_hard_expire (void *v_sa) +{ + struct sa *sa = v_sa; + + sa->death = 0; + sa_release (sa); + + if ((sa->flags & (SA_FLAG_STAYALIVE | SA_FLAG_REPLACED)) + == SA_FLAG_STAYALIVE) + exchange_establish (sa->name, 0, 0); + + if (sa->doi && (sa->doi->id == GROUP_DOI_GDOI)) + { + sa_delete (sa, 0); + } + else + { + sa_delete (sa, 1); + } +} + +/* + * Get an SA attribute's flag value out of textual description. + */ +int +sa_flag (char *attr) +{ + static struct sa_flag_map { + char *name; + int flag; + } sa_flag_map[] = { + { "active-only", SA_FLAG_ACTIVE_ONLY }, + /* Below this point are flags that are internal to the implementation. 
*/ + { "__ondemand", SA_FLAG_ONDEMAND } + }; + int i; + + for (i = 0; i < sizeof sa_flag_map / sizeof sa_flag_map[0]; i++) + if (strcasecmp (attr, sa_flag_map[i].name) == 0) + return sa_flag_map[i].flag; + log_print ("sa_flag: attribute \"%s\" unknown", attr); + return 0; +} + +/* Mark SA as replaced. */ +void +sa_mark_replaced (struct sa *sa) +{ + LOG_DBG ((LOG_SA, 60, "sa_mark_replaced: SA %p (%s) marked as replaced", + sa, sa->name ? sa->name : "unnamed")); + sa->flags |= SA_FLAG_REPLACED; +} + +/* + * Setup expiration timers for SA. This is used for ISAKMP SAs, but also + * possible to use for application SAs if the application does not deal + * with expirations itself. An example is the Linux FreeS/WAN KLIPS IPsec + * stack. + */ +int +sa_setup_expirations (struct sa *sa) +{ + u_int64_t seconds = sa->seconds; + struct timeval expiration; + + /* + * Set the soft timeout to a random percentage between 85 & 95 of + * the negotiated lifetime to break strictly synchronized + * renegotiations. This works better when the randomization is on the + * order of processing plus network-roundtrip times, or larger. + * I.e. it depends on configuration and negotiated lifetimes. + * It is not good to do the decrease on the hard timeout, because then + * we may drop our SA before our peer. + * XXX Better scheme to come? + */ + if (!sa->soft_death) + { + gettimeofday (&expiration, 0); + /* XXX This should probably be configuration controlled somehow. */ + seconds = sa->seconds * (850 + random () % 100) / 1000; + LOG_DBG ((LOG_TIMER, 95, + "sa_setup_expirations: SA %p soft timeout in %qd seconds", + sa, seconds)); + expiration.tv_sec += seconds; + sa->soft_death + = timer_add_event ("sa_soft_expire", sa_soft_expire, sa, &expiration); + if (!sa->soft_death) + { + /* If we don't give up we might start leaking... 
*/ + sa_delete (sa, 1); + return -1; + } + sa_reference (sa); + } + + if (!sa->death) + { + gettimeofday (&expiration, 0); + LOG_DBG ((LOG_TIMER, 95, + "sa_setup_expirations: SA %p hard timeout in %qd seconds", + sa, sa->seconds)); + expiration.tv_sec += sa->seconds; + sa->death + = timer_add_event ("sa_hard_expire", sa_hard_expire, sa, &expiration); + if (!sa->death) + { + /* If we don't give up we might start leaking... */ + sa_delete (sa, 1); + return -1; + } + sa_reference (sa); + } + return 0; +} diff --git a/src/sa.h b/src/sa.h new file mode 100644 index 0000000..db6288b --- /dev/null +++ b/src/sa.h 
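Review bot: `sa_remove` reads `sa->doi` after `sa_release (sa)`, and `sa_release` in this same file ends in `free (sa)` once the count reaches zero, so when the hash-table reference is the last one the `postprocess_sa` check and call operate on freed memory. Running the hook before dropping the reference avoids that: `if (sa->doi && sa->doi->postprocess_sa) sa->doi->postprocess_sa (sa);` followed by `sa_release (sa);`. Whether `postprocess_sa` depends on running after the release is not visible here; if it does, the alternative is a temporary `sa_reference (sa)` before the existing `sa_release (sa)`, with a second `sa_release (sa)` after the hook. `sa_soft_expire` has the same shape, testing `sa->flags` after `sa_release (sa)`, and is worth checking the same way.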
@@ -0,0 +1,212 @@
+/* $Id: sa.h,v 1.3 2002/07/26 22:58:11 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/sa.h,v $ */
+
+/* $OpenBSD: sa.h,v 1.21 2001/04/24 07:27:37 niklas Exp $ */
+/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SA_H_
+#define _SA_H_
+
+#include
+#include
+#include
+#include
+
+#include "isakmp.h"
+
+/* Remove a SA if it has not been fully negotiated in this time. */
+#define SA_NEGOTIATION_MAX_TIME 120
+
+struct crypto_xf;
+struct doi;
+struct event;
+struct exchange;
+struct keystate;
+struct message;
+struct payload;
+struct sa;
+struct transport;
+
+/* A protection suite consists of a set of protocol descriptions like this. */
+struct proto {
+ /* Link to the next protocol in the suite. */
+ TAILQ_ENTRY (proto) link;
+
+ /* The SA we belong to. */
+ struct sa *sa;
+
+ /* The protocol number as found in the proposal payload. */
+ u_int8_t no;
+
+ /* The protocol this SA is for. */
+ u_int8_t proto;
+
+ /* Security parameter index info. Element 0 - outgoing, 1 - incoming. */
+ u_int8_t spi_sz[2];
+ u_int8_t *spi[2];
+
+ /*
+ * The chosen transform, only valid while the incoming SA payload that held
+ * it is available for duplicate testing.
+ */
+ struct payload *chosen;
+
+ /* The chosen transform's ID. */
+ u_int8_t id;
+
+ /* DOI-specific data. */
+ void *data;
+};
+
+struct sa {
+ /* Link to SAs with the same hash value. */
+ LIST_ENTRY (sa) link;
+
+ /*
+ * When several SA's are being negotiated in one message we connect them
+ * through this link.
+ */
+ TAILQ_ENTRY (sa) next;
+
+ /* A name of the major policy deciding offers and acceptable proposals.
*/
+ char *name;
+
+ /* The transport this SA got negotiated over. */
+ struct transport *transport;
+
+ /* Both initiator and responder cookies. */
+ u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];
+
+ /* The message ID signifying non-ISAKMP SAs. */
+ u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
+
+ /* The protection suite chosen. */
+ TAILQ_HEAD (proto_head, proto) protos;
+
+ /* The exchange type we should use when rekeying. */
+ u_int8_t exch_type;
+
+ /* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
+ u_int8_t phase;
+
+ /* A reference counter for this structure. */
+ u_int16_t refcnt;
+
+ /* Various flags, look below for descriptions. */
+ u_int32_t flags;
+
+ /* The DOI that is to handle DOI-specific issues for this SA. */
+ struct doi *doi;
+
+ /* Crypto info needed to encrypt/decrypt packets protected by this SA. */
+ struct crypto_xf *crypto;
+ int key_length;
+ struct keystate *keystate;
+
+ /* IDs from Phase 1 */
+ u_int8_t *id_i;
+ size_t id_i_len;
+ u_int8_t *id_r;
+ size_t id_r_len;
+
+ /* Set if we were the initiator of the SA/exchange in Phase 1 */
+ int initiator;
+
+ /* Policy session ID, where applicable, copied over from the exchange */
+ int policy_id;
+
+ /* Certs or other information from Phase 1 */
+ int recv_certtype, recv_certlen, recv_certid;
+ void *recv_cert;
+ void *recv_key; /* Key used to authenticate, in KeyNote */
+
+ /* DOI-specific opaque data. */
+ void *data;
+
+ /* Lifetime data. */
+ u_int64_t seconds;
+ time_t start_time;
+ u_int64_t kilobytes;
+
+ /* The events that will occur when an SA has timed out. */
+ struct event *soft_death;
+ struct event *death;
+};
+
+/* This SA is alive. */
+#define SA_FLAG_READY 0x01
+
+/* Renegotiate the SA at each expiry. */
+#define SA_FLAG_STAYALIVE 0x02
+
+/* Establish the SA when it is needed. */
+#define SA_FLAG_ONDEMAND 0x04
+
+/* This SA has been replaced by another newer one.
*/
+#define SA_FLAG_REPLACED 0x08
+
+/* This SA has seen a soft timeout and wants to be renegotiated on use. */
+#define SA_FLAG_FADING 0x10
+
+/* This SA should always be actively renegotiated (with us as initiator). */
+#define SA_FLAG_ACTIVE_ONLY 0x20
+
+extern void proto_free (struct proto *proto);
+extern int sa_add_transform (struct sa *, struct payload *, int,
+ struct proto **);
+extern int sa_create (struct exchange *, struct transport *);
+extern int sa_enter (struct sa *);
+extern void sa_delete (struct sa *, int);
+extern struct sa *sa_find (int (*) (struct sa *, void *), void *);
+extern int sa_flag (char *);
+extern void sa_free (struct sa *);
+extern void sa_init (void);
+extern struct sa *sa_isakmp_lookup_by_peer (struct sockaddr *, socklen_t);
+extern void sa_isakmp_upgrade (struct message *);
+extern struct sa *sa_lookup (u_int8_t *, u_int8_t *);
+extern struct sa *sa_lookup_by_peer (struct sockaddr *, socklen_t);
+extern struct sa *sa_lookup_by_header (u_int8_t *, int);
+extern struct sa *sa_lookup_by_name (char *, int);
+extern struct sa *sa_lookup_from_icookie (u_int8_t *);
+extern struct sa *sa_lookup_isakmp_sa (struct sockaddr *, u_int8_t *);
+extern void sa_mark_replaced (struct sa *);
+extern void sa_reference (struct sa *);
+extern void sa_release (struct sa *);
+extern void sa_remove (struct sa *);
+extern void sa_report (void);
+extern int sa_setup_expirations (struct sa *);
+#endif /* _SA_H_ */
diff --git a/src/srtp_num.cst b/src/srtp_num.cst
new file mode 100644
index 0000000..5191f44
--- /dev/null
+++ b/src/srtp_num.cst
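Review bot: In `struct sa`, `recv_certlen` is declared `int` on the same line as `recv_certtype` and `recv_certid`, while the other buffer lengths in the struct (`id_i_len`, `id_r_len`) are `size_t`; a signed length for `recv_cert` invites sign-conversion mistakes wherever it sizes a copy or an allocation, so I would split it out as `size_t recv_certlen;`. The header also does not say who owns and frees `id_i`, `id_r`, `recv_cert`, `recv_key` and `keystate`; since these carry Phase 1 identities, certificates and key state, a comment on each group stating the owner and the release function (presumably `sa_free`, whose body is not visible here) would help the next reader. `u_int16_t refcnt` is narrow for a reference counter, and nothing in this header shows a guard against wrap in `sa_reference`; worth confirming in sa.c.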
@@ -0,0 +1,73 @@
+# $Id: srtp_num.cst,v 1.1.2.1 2011/12/05 20:31:08 bew Exp $
+# $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/Attic/srtp_num.cst,v $
+
+#
+# The license applies to all software incorporated in the "Cisco GDOI reference
+# implementation" except for those portions incorporating third party software
+# specifically identified as being licensed under separate license.
+#
+#
+# The Cisco Systems Public Software License, Version 1.0
+# Copyright (c) 2011 Cisco Systems, Inc. All rights reserved.
+# Subject to the following terms and conditions, Cisco Systems, Inc.,
+# hereby grants you a worldwide, royalty-free, nonexclusive, license,
+# subject to third party intellectual property claims, to create
+# derivative works of the Licensed Code and to reproduce, display,
+# perform, sublicense, distribute such Licensed Code and derivative works.
+# All rights not expressly granted herein are reserved.
+# 1. Redistributions of source code must retain the above
+# copyright notice, this list of conditions and the following
+# disclaimer.
+# 2. Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# 3. The names Cisco and "Cisco GDOI reference implementation" must not
+# be used to endorse or promote products derived from this software without
+# prior written permission. For written permission, please contact
+# opensource@cisco.com.
+# 4. Products derived from this software may not be called
+# "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or
+# "Cisco GDOI reference implementation" appear in
+# their name, without prior written permission of Cisco Systems, Inc.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+# PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT
+# SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO
+# LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+# PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+# LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+# LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT
+# EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU
+# AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO
+# THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US)
+# (US$5,000).
+#
+# ====================================================================
+# This software consists of voluntary contributions made by Cisco Systems,
+# Inc. and many individuals on behalf of Cisco Systems, Inc. For more
+# information on Cisco Systems, Inc., please see .
+#
+# This product includes software developed by Ericsson Radio Systems.
+#
+
+#
+# ISAKMP Group DOI numbers.
+#
+
+# GDOI KEK attributes
+SRTP_ATTR
+ CIPHER 1
+ CIPHER_MODE 2
+ CIPHER_KEY_LENGTH 3
+.
+
diff --git a/src/sysdep.h b/src/sysdep.h
new file mode 100644
index 0000000..2267df7
--- /dev/null
+++ b/src/sysdep.h
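Review bot: The two section comments above the `SRTP_ATTR` table do not describe it: `# ISAKMP Group DOI numbers.` and `# GDOI KEK attributes` read as if carried over from another constants file, while the entries are `CIPHER`, `CIPHER_MODE` and `CIPHER_KEY_LENGTH`. I would reword the second to `# SRTP attributes` and name the specification that assigns the values 1 to 3, so a reader checking negotiated attribute numbers against the standard knows which table to compare with.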
@@ -0,0 +1,102 @@
+/* $Id: sysdep.h,v 1.5 2005/10/11 17:57:40 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/sysdep.h,v $ */
+
+/* $OpenBSD: sysdep.h,v 1.9 2001/02/24 03:59:56 angelos Exp $ */
+/* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SYSDEP_H_
+#define _SYSDEP_H_
+
+#include
+#include "config.h"
+
+#ifdef OSX
+#include
+#endif
+
+#ifndef HAVE_STRLCPY
+extern size_t strlcpy(char *, const char *, size_t);
+#endif
+
+#ifdef DEFINE_EXTRA_QUEUE_FUNCTIONS
+#define LIST_FIRST(head) ((head)->lh_first)
+#define LIST_NEXT(elm, field) ((elm)->field.le_next)
+#define TAILQ_FIRST(head) ((head)->tqh_first)
+#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
+#define TAILQ_LAST(head, headname) \
+ (*(((struct headname *)((head)->tqh_last))->tqh_last))
+#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \
+ (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \
+ (elm)->field.tqe_next = (listelm); \
+ *(listelm)->field.tqe_prev = (elm); \
+ (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \
+} while (0)
+#endif
+
+#ifdef DEFINE_SA_LEN
+#define SA_LEN(x) sizeof(struct sockaddr)
+#endif
+
+#ifdef OPENBSD_PFKEY_EXT
+#include "sysdep/openbsd/pf_key_ext.h"
+#endif
+
+#ifdef FREEBSD_PFKEY_EXT
+#include
+#endif
+
+#ifdef NETBSD_PFKEY_EXT
+#include
+#endif
+
+struct proto;
+struct sa;
+struct sockaddr;
+
+extern void sysdep_app_handler (int);
+extern int sysdep_app_open (void);
+extern int sysdep_cleartext (int);
+extern void sysdep_connection_check (char *);
+extern int sysdep_ipsec_delete_spi (struct sa *, struct proto *, int);
+extern int sysdep_ipsec_enable_sa (struct sa *, struct sa *);
+extern u_int8_t *sysdep_ipsec_get_spi (size_t *, u_int8_t, struct sockaddr *,
+ int, struct sockaddr *, int, u_int32_t);
+extern int sysdep_ipsec_group_spis (struct sa *, struct proto *,
+ struct proto *, int);
+extern int sysdep_ipsec_set_spi (struct sa *, struct proto *, int);
+extern char *sysdep_progname (void);
+
+#endif /* _SYSDEP_H_ */
diff --git a/src/sysdep/linux/pfkeyv2.h b/src/sysdep/linux/pfkeyv2.h
new file mode 100644
index 0000000..ba3664d
--- /dev/null
+++ b/src/sysdep/linux/pfkeyv2.h
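Review bot: The `DEFINE_SA_LEN` fallback `#define SA_LEN(x) sizeof(struct sockaddr)` ignores its argument, so every address is reported with the size of a generic `struct sockaddr`, which is too small for `struct sockaddr_in6` on common platforms. Callers are not visible in this hunk, but any that use `SA_LEN` to size a copy or a comparison of a peer address would truncate an IPv6 address and could store or match the wrong peer. I would select the size by address family and parenthesise the expansion, e.g. `#define SA_LEN(x) ((x)->sa_family == AF_INET6 ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))`, which needs `<netinet/in.h>` in scope. If builds that take this fallback are meant to be IPv4-only, a comment saying so next to the macro would be the minimum.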
@@ -0,0 +1,398 @@ +/* $Id: pfkeyv2.h,v 1.1 2005/10/11 18:08:26 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/sysdep/linux/pfkeyv2.h,v $ */ + +/* + * The license applies to all software incorporated in the "Cisco GDOI reference + * implementation" except for those portions incorporating third party software + * specifically identified as being licensed under separate license. + * + * + * The Cisco Systems Public Software License, Version 1.0 + * Copyright (c) 2001-2005 Cisco Systems, Inc. All rights reserved. + * Subject to the following terms and conditions, Cisco Systems, Inc., + * hereby grants you a worldwide, royalty-free, nonexclusive, license, + * subject to third party intellectual property claims, to create + * derivative works of the Licensed Code and to reproduce, display, + * perform, sublicense, distribute such Licensed Code and derivative works. + * All rights not expressly granted herein are reserved. + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials + * provided with the distribution. + * 3. The names Cisco and "Cisco GDOI reference implementation" must not + * be used to endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * opensource@cisco.com. + * 4. Products derived from this software may not be called + * "Cisco" or "Cisco GDOI reference implementation", nor may "Cisco" or + * "Cisco GDOI reference implementation" appear in + * their name, without prior written permission of Cisco Systems, Inc. 
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, TITLE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT + * SHALL CISCO SYSTEMS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO + * LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH + * PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH + * LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR + * LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THAT + * EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. FURTHER, YOU + * AGREE THAT IN NO EVENT WILL CISCO'S LIABILITY UNDER OR RELATED TO + * THIS AGREEMENT EXCEED AMOUNT FIVE THOUSAND DOLLARS (US) + * (US$5,000). + * + * ==================================================================== + * This software consists of voluntary contributions made by Cisco Systems, + * Inc. and many individuals on behalf of Cisco Systems, Inc. For more + * information on Cisco Systems, Inc., please see . + * + * This product includes software developed by Ericsson Radio Systems. + */ + +/* PF_KEY user interface, this is defined by rfc2367 so + * do not make arbitrary modifications or else this header + * file will not be compliant. 
+ */ + +#ifndef _LINUX_PFKEY2_H +#define _LINUX_PFKEY2_H + +#include + +#define PF_KEY_V2 2 +#define PFKEYV2_REVISION 199806L + +struct sadb_msg { + uint8_t sadb_msg_version; + uint8_t sadb_msg_type; + uint8_t sadb_msg_errno; + uint8_t sadb_msg_satype; + uint16_t sadb_msg_len; + uint16_t sadb_msg_reserved; + uint32_t sadb_msg_seq; + uint32_t sadb_msg_pid; +} __attribute__((packed)); +/* sizeof(struct sadb_msg) == 16 */ + +struct sadb_ext { + uint16_t sadb_ext_len; + uint16_t sadb_ext_type; +} __attribute__((packed)); +/* sizeof(struct sadb_ext) == 4 */ + +struct sadb_sa { + uint16_t sadb_sa_len; + uint16_t sadb_sa_exttype; + uint32_t sadb_sa_spi; + uint8_t sadb_sa_replay; + uint8_t sadb_sa_state; + uint8_t sadb_sa_auth; + uint8_t sadb_sa_encrypt; + uint32_t sadb_sa_flags; +} __attribute__((packed)); +/* sizeof(struct sadb_sa) == 16 */ + +struct sadb_lifetime { + uint16_t sadb_lifetime_len; + uint16_t sadb_lifetime_exttype; + uint32_t sadb_lifetime_allocations; + uint64_t sadb_lifetime_bytes; + uint64_t sadb_lifetime_addtime; + uint64_t sadb_lifetime_usetime; +} __attribute__((packed)); +/* sizeof(struct sadb_lifetime) == 32 */ + +struct sadb_address { + uint16_t sadb_address_len; + uint16_t sadb_address_exttype; + uint8_t sadb_address_proto; + uint8_t sadb_address_prefixlen; + uint16_t sadb_address_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_address) == 8 */ + +struct sadb_key { + uint16_t sadb_key_len; + uint16_t sadb_key_exttype; + uint16_t sadb_key_bits; + uint16_t sadb_key_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_key) == 8 */ + +struct sadb_ident { + uint16_t sadb_ident_len; + uint16_t sadb_ident_exttype; + uint16_t sadb_ident_type; + uint16_t sadb_ident_reserved; + uint64_t sadb_ident_id; +} __attribute__((packed)); +/* sizeof(struct sadb_ident) == 16 */ + +struct sadb_sens { + uint16_t sadb_sens_len; + uint16_t sadb_sens_exttype; + uint32_t sadb_sens_dpd; + uint8_t sadb_sens_sens_level; + uint8_t sadb_sens_sens_len; + 
uint8_t sadb_sens_integ_level; + uint8_t sadb_sens_integ_len; + uint32_t sadb_sens_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_sens) == 16 */ + +/* followed by: + uint64_t sadb_sens_bitmap[sens_len]; + uint64_t sadb_integ_bitmap[integ_len]; */ + +struct sadb_prop { + uint16_t sadb_prop_len; + uint16_t sadb_prop_exttype; + uint8_t sadb_prop_replay; + uint8_t sadb_prop_reserved[3]; +} __attribute__((packed)); +/* sizeof(struct sadb_prop) == 8 */ + +/* followed by: + struct sadb_comb sadb_combs[(sadb_prop_len + + sizeof(uint64_t) - sizeof(struct sadb_prop)) / + sizeof(strut sadb_comb)]; */ + +struct sadb_comb { + uint8_t sadb_comb_auth; + uint8_t sadb_comb_encrypt; + uint16_t sadb_comb_flags; + uint16_t sadb_comb_auth_minbits; + uint16_t sadb_comb_auth_maxbits; + uint16_t sadb_comb_encrypt_minbits; + uint16_t sadb_comb_encrypt_maxbits; + uint32_t sadb_comb_reserved; + uint32_t sadb_comb_soft_allocations; + uint32_t sadb_comb_hard_allocations; + uint64_t sadb_comb_soft_bytes; + uint64_t sadb_comb_hard_bytes; + uint64_t sadb_comb_soft_addtime; + uint64_t sadb_comb_hard_addtime; + uint64_t sadb_comb_soft_usetime; + uint64_t sadb_comb_hard_usetime; +} __attribute__((packed)); +/* sizeof(struct sadb_comb) == 72 */ + +struct sadb_supported { + uint16_t sadb_supported_len; + uint16_t sadb_supported_exttype; + uint32_t sadb_supported_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_supported) == 8 */ + +/* followed by: + struct sadb_alg sadb_algs[(sadb_supported_len + + sizeof(uint64_t) - sizeof(struct sadb_supported)) / + sizeof(struct sadb_alg)]; */ + +struct sadb_alg { + uint8_t sadb_alg_id; + uint8_t sadb_alg_ivlen; + uint16_t sadb_alg_minbits; + uint16_t sadb_alg_maxbits; + uint16_t sadb_alg_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_alg) == 8 */ + +struct sadb_spirange { + uint16_t sadb_spirange_len; + uint16_t sadb_spirange_exttype; + uint32_t sadb_spirange_min; + uint32_t sadb_spirange_max; + uint32_t 
sadb_spirange_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_spirange) == 16 */ + +struct sadb_x_kmprivate { + uint16_t sadb_x_kmprivate_len; + uint16_t sadb_x_kmprivate_exttype; + u_int32_t sadb_x_kmprivate_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_x_kmprivate) == 8 */ + +struct sadb_x_sa2 { + uint16_t sadb_x_sa2_len; + uint16_t sadb_x_sa2_exttype; + uint8_t sadb_x_sa2_mode; + uint8_t sadb_x_sa2_reserved1; + uint16_t sadb_x_sa2_reserved2; + uint32_t sadb_x_sa2_sequence; + uint32_t sadb_x_sa2_reqid; +} __attribute__((packed)); +/* sizeof(struct sadb_x_sa2) == 16 */ + +struct sadb_x_policy { + uint16_t sadb_x_policy_len; + uint16_t sadb_x_policy_exttype; + uint16_t sadb_x_policy_type; + uint8_t sadb_x_policy_dir; + uint8_t sadb_x_policy_reserved; + uint32_t sadb_x_policy_id; + uint32_t sadb_x_policy_priority; +} __attribute__((packed)); +/* sizeof(struct sadb_x_policy) == 16 */ + +struct sadb_x_ipsecrequest { + uint16_t sadb_x_ipsecrequest_len; + uint16_t sadb_x_ipsecrequest_proto; + uint8_t sadb_x_ipsecrequest_mode; + uint8_t sadb_x_ipsecrequest_level; + uint16_t sadb_x_ipsecrequest_reserved1; + uint32_t sadb_x_ipsecrequest_reqid; + uint32_t sadb_x_ipsecrequest_reserved2; +} __attribute__((packed)); +/* sizeof(struct sadb_x_ipsecrequest) == 16 */ + +/* This defines the TYPE of Nat Traversal in use. 
Currently only one + * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06 + */ +struct sadb_x_nat_t_type { + uint16_t sadb_x_nat_t_type_len; + uint16_t sadb_x_nat_t_type_exttype; + uint8_t sadb_x_nat_t_type_type; + uint8_t sadb_x_nat_t_type_reserved[3]; +} __attribute__((packed)); +/* sizeof(struct sadb_x_nat_t_type) == 8 */ + +/* Pass a NAT Traversal port (Source or Dest port) */ +struct sadb_x_nat_t_port { + uint16_t sadb_x_nat_t_port_len; + uint16_t sadb_x_nat_t_port_exttype; + uint16_t sadb_x_nat_t_port_port; + uint16_t sadb_x_nat_t_port_reserved; +} __attribute__((packed)); +/* sizeof(struct sadb_x_nat_t_port) == 8 */ + +/* Message types */ +#define SADB_RESERVED 0 +#define SADB_GETSPI 1 +#define SADB_UPDATE 2 +#define SADB_ADD 3 +#define SADB_DELETE 4 +#define SADB_GET 5 +#define SADB_ACQUIRE 6 +#define SADB_REGISTER 7 +#define SADB_EXPIRE 8 +#define SADB_FLUSH 9 +#define SADB_DUMP 10 +#define SADB_X_PROMISC 11 +#define SADB_X_PCHANGE 12 +#define SADB_X_SPDUPDATE 13 +#define SADB_X_SPDADD 14 +#define SADB_X_SPDDELETE 15 +#define SADB_X_SPDGET 16 +#define SADB_X_SPDACQUIRE 17 +#define SADB_X_SPDDUMP 18 +#define SADB_X_SPDFLUSH 19 +#define SADB_X_SPDSETIDX 20 +#define SADB_X_SPDEXPIRE 21 +#define SADB_X_SPDDELETE2 22 +#define SADB_X_NAT_T_NEW_MAPPING 23 +#define SADB_MAX 23 + +/* Security Association flags */ +#define SADB_SAFLAGS_PFS 1 +#define SADB_SAFLAGS_DECAP_DSCP 0x40000000 +#define SADB_SAFLAGS_NOECN 0x80000000 + +/* Security Association states */ +#define SADB_SASTATE_LARVAL 0 +#define SADB_SASTATE_MATURE 1 +#define SADB_SASTATE_DYING 2 +#define SADB_SASTATE_DEAD 3 +#define SADB_SASTATE_MAX 3 + +/* Security Association types */ +#define SADB_SATYPE_UNSPEC 0 +#define SADB_SATYPE_AH 2 +#define SADB_SATYPE_ESP 3 +#define SADB_SATYPE_RSVP 5 +#define SADB_SATYPE_OSPFV2 6 +#define SADB_SATYPE_RIPV2 7 +#define SADB_SATYPE_MIP 8 +#define SADB_X_SATYPE_IPCOMP 9 +#define SADB_SATYPE_MAX 9 + +/* Authentication algorithms */ +#define SADB_AALG_NONE 0 
+#define SADB_AALG_MD5HMAC 2 +#define SADB_AALG_SHA1HMAC 3 +#define SADB_X_AALG_SHA2_256HMAC 5 +#define SADB_X_AALG_SHA2_384HMAC 6 +#define SADB_X_AALG_SHA2_512HMAC 7 +#define SADB_X_AALG_RIPEMD160HMAC 8 +#define SADB_X_AALG_NULL 251 /* kame */ +#define SADB_AALG_MAX 251 + +/* Encryption algorithms */ +#define SADB_EALG_NONE 0 +#define SADB_EALG_DESCBC 2 +#define SADB_EALG_3DESCBC 3 +#define SADB_X_EALG_CASTCBC 6 +#define SADB_X_EALG_BLOWFISHCBC 7 +#define SADB_EALG_NULL 11 +#define SADB_X_EALG_AESCBC 12 +#define SADB_EALG_MAX 253 /* last EALG */ +/* private allocations should use 249-255 (RFC2407) */ +#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ +#define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ + +/* Compression algorithms */ +#define SADB_X_CALG_NONE 0 +#define SADB_X_CALG_OUI 1 +#define SADB_X_CALG_DEFLATE 2 +#define SADB_X_CALG_LZS 3 +#define SADB_X_CALG_LZJH 4 +#define SADB_X_CALG_MAX 4 + +/* Extension Header values */ +#define SADB_EXT_RESERVED 0 +#define SADB_EXT_SA 1 +#define SADB_EXT_LIFETIME_CURRENT 2 +#define SADB_EXT_LIFETIME_HARD 3 +#define SADB_EXT_LIFETIME_SOFT 4 +#define SADB_EXT_ADDRESS_SRC 5 +#define SADB_EXT_ADDRESS_DST 6 +#define SADB_EXT_ADDRESS_PROXY 7 +#define SADB_EXT_KEY_AUTH 8 +#define SADB_EXT_KEY_ENCRYPT 9 +#define SADB_EXT_IDENTITY_SRC 10 +#define SADB_EXT_IDENTITY_DST 11 +#define SADB_EXT_SENSITIVITY 12 +#define SADB_EXT_PROPOSAL 13 +#define SADB_EXT_SUPPORTED_AUTH 14 +#define SADB_EXT_SUPPORTED_ENCRYPT 15 +#define SADB_EXT_SPIRANGE 16 +#define SADB_X_EXT_KMPRIVATE 17 +#define SADB_X_EXT_POLICY 18 +#define SADB_X_EXT_SA2 19 +/* The next four entries are for setting up NAT Traversal */ +#define SADB_X_EXT_NAT_T_TYPE 20 +#define SADB_X_EXT_NAT_T_SPORT 21 +#define SADB_X_EXT_NAT_T_DPORT 22 +#define SADB_X_EXT_NAT_T_OA 23 +#define SADB_EXT_MAX 23 + +/* Identity Extension values */ +#define SADB_IDENTTYPE_RESERVED 0 +#define SADB_IDENTTYPE_PREFIX 1 +#define SADB_IDENTTYPE_FQDN 2 +#define 
SADB_IDENTTYPE_USERFQDN 3
+#define SADB_IDENTTYPE_MAX 3
+
+#endif /* !(_LINUX_PFKEY2_H) */
diff --git a/src/sysdep/openbsd/pf_key_ext.h b/src/sysdep/openbsd/pf_key_ext.h
new file mode 100644
index 0000000..40fe2a0
--- /dev/null
+++ b/src/sysdep/openbsd/pf_key_ext.h
@@ -0,0 +1,72 @@
+/* $Id: pf_key_ext.h,v 1.1 2003/09/05 21:44:42 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/sysdep/openbsd/pf_key_ext.h,v $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _PF_KEY_EXT_H_
+#define _PF_KEY_EXT_H_
+
+#ifdef SADB_EXT_X_SRC_MASK
+
+/* Non-conformant PF_KEYv2 extensions, transform them into being conformant. */
+
+#define SADB_X_EXT_SRC_MASK SADB_EXT_X_SRC_MASK
+#define SADB_X_EXT_DST_MASK SADB_EXT_X_DST_MASK
+#define SADB_X_EXT_PROTOCOL SADB_EXT_X_PROTOCOL
+#define SADB_X_EXT_SA2 SADB_EXT_X_SA2
+#define SADB_X_EXT_SRC_FLOW SADB_EXT_X_SRC_FLOW
+#define SADB_X_EXT_DST_FLOW SADB_EXT_X_DST_FLOW
+#define SADB_X_EXT_DST2 SADB_EXT_X_DST2
+
+#define SADB_X_SATYPE_AH_OLD SADB_SATYPE_X_AH_OLD
+#define SADB_X_SATYPE_ESP_OLD SADB_SATYPE_X_ESP_OLD
+#define SADB_X_SATYPE_IPIP SADB_SATYPE_X_IPIP
+
+#define SADB_X_AALG_RIPEMD160HMAC96 SADB_AALG_X_RIPEMD160HMAC96
+#define SADB_X_AALG_MD5 SADB_AALG_X_MD5
+#define SADB_X_AALG_SHA1 SADB_AALG_X_SHA1
+
+#define SADB_X_EALG_BLF SADB_EALG_X_BLF
+#define SADB_X_EALG_CAST SADB_EALG_X_CAST
+#define SADB_X_EALG_SKIPJACK SADB_EALG_X_SKIPJACK
+
+#define SADB_X_SAFLAGS_HALFIV SADB_SAFLAGS_X_HALFIV
+#define SADB_X_SAFLAGS_TUNNEL SADB_SAFLAGS_X_TUNNEL
+#define SADB_X_SAFLAGS_CHAINDEL SADB_SAFLAGS_X_CHAINDEL
+#define SADB_X_SAFLAGS_LOCALFLOW SADB_SAFLAGS_X_LOCALFLOW
+#define SADB_X_SAFLAGS_REPLACEFLOW SADB_SAFLAGS_X_REPLACEFLOW
+
+#endif /* SADB_EXT_X_SRC_MASK */
+
+#endif /* _PF_KEY_EXT_H_ */
diff --git a/src/timer.c b/src/timer.c
new file mode 100644
index 0000000..60c0f91
--- /dev/null
+++ b/src/timer.c
@@ -0,0 +1,151 @@ +/* $Id: timer.c,v 1.2 2002/05/10 04:25:17 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/timer.c,v $ */ + +/* $OpenBSD: timer.c,v 1.7 2000/02/25 17:23:41 niklas Exp $ */ +/* $EOM: timer.c,v 1.13 2000/02/20 19:58:42 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include + +#include "sysdep.h" + +#include "log.h" +#include "timer.h" + +static TAILQ_HEAD (event_list, event) events; + +void +timer_init () +{ + TAILQ_INIT (&events); +} + +void +timer_next_event (struct timeval **timeout) +{ + struct timeval now; + + if (TAILQ_FIRST (&events)) + { + gettimeofday (&now, 0); + if (timercmp (&now, &TAILQ_FIRST (&events)->expiration, >=)) + timerclear (*timeout); + else + timersub (&TAILQ_FIRST (&events)->expiration, &now, *timeout); + } + else + *timeout = 0; +} + +void +timer_handle_expirations () +{ + struct timeval now; + struct event *n; + + gettimeofday (&now, 0); + for (n = TAILQ_FIRST (&events); n && timercmp (&now, &n->expiration, >=); + n = TAILQ_FIRST (&events)) + { + LOG_DBG ((LOG_TIMER, 10, + "timer_handle_expirations: event %s(%p)", n->name, n->arg)); + TAILQ_REMOVE (&events, n, link); + (*n->func) (n->arg); + free (n); + } +} + +struct event * +timer_add_event (char *name, void (*func) (void *), void *arg, + struct timeval *expiration) +{ + struct event *ev = (struct event *)malloc (sizeof *ev); + struct event *n; + struct timeval now; + + if (!ev) + return 0; + ev->name = name; + ev->func = func; + ev->arg = arg; + gettimeofday (&now, 0); + memcpy (&ev->expiration, expiration, sizeof *expiration); + for (n = TAILQ_FIRST (&events); + n && timercmp (expiration, &n->expiration, >=); + n = TAILQ_NEXT (n, link)) + ; + if (n) + { + LOG_DBG ((LOG_TIMER, 10, + "timer_add_event: event %s(%p) added before %s(%p), " + "expiration in %ds", name, + arg, n->name, n->arg, expiration->tv_sec - now.tv_sec)); + TAILQ_INSERT_BEFORE (n, ev, link); + } + else + { + LOG_DBG ((LOG_TIMER, 10, "timer_add_event: event %s(%p) added last, " + "expiration in %ds", name, arg, + expiration->tv_sec - now.tv_sec)); + TAILQ_INSERT_TAIL (&events, ev, link); + } + return ev; +} + +void +timer_remove_event (struct event *ev) +{ + LOG_DBG 
((LOG_TIMER, 10, "timer_remove_event: removing event %s(%p)", + ev->name, ev->arg)); + TAILQ_REMOVE (&events, ev, link); + free (ev); +} + +void +timer_report (void) +{ + struct event *ev; + struct timeval now; + + gettimeofday (&now, 0); + + for (ev = TAILQ_FIRST (&events); ev; ev = TAILQ_NEXT (ev, link)) + LOG_DBG ((LOG_REPORT, 0, + "timer_report: event %s(%p) scheduled in %d seconds", + (ev->name ? ev->name : ""), ev, + (int)(ev->expiration.tv_sec - now.tv_sec))); +} diff --git a/src/timer.h b/src/timer.h new file mode 100644 index 0000000..379c129 --- /dev/null +++ b/src/timer.h 
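Review bot: timer_remove_event frees whatever pointer it is handed, while timer_handle_expirations already frees an event after running its callback, so a caller that keeps a `struct event *` past expiry and later removes it would touch freed memory. transport_send_messages in this patch calls `timer_remove_event (msg->retrans)` on a stored pointer, which is only safe if message_send_expire (not visible here) clears `msg->retrans` when it runs. I would state that contract above timer_remove_event, e.g. `/* EV must still be queued; an event that has fired is freed by timer_handle_expirations. */`. Separately, both LOG_DBG calls in timer_add_event pass `expiration->tv_sec - now.tv_sec` to `%d` without the `(int)` cast that timer_report uses.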
@@ -0,0 +1,63 @@ +/* $Id: timer.h,v 1.2 2002/05/10 04:25:17 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/timer.h,v $ */ + +/* $OpenBSD: timer.h,v 1.4 1999/04/19 21:02:30 niklas Exp $ */ +/* $EOM: timer.h,v 1.6 1999/04/11 22:35:55 ho Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _TIMER_H_ +#define _TIMER_H_ + +#include +#include +#include + +struct event { + TAILQ_ENTRY (event) link; + char *name; + void (*func) (void *); + void *arg; + struct timeval expiration; +}; + +extern void timer_init (void); +extern void timer_next_event (struct timeval **); +extern void timer_handle_expirations (void); +extern struct event *timer_add_event (char *, void (*) (void *), void *, + struct timeval *); +extern void timer_remove_event (struct event *); +extern void timer_report (void); + +#endif /* _TIMER_H_ */ diff --git a/src/transport.c b/src/transport.c new file mode 100644 index 0000000..51d2e02 --- /dev/null +++ b/src/transport.c 
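Review bot: The prototypes carry no statement of ownership, and timer_add_event in particular has two things a caller must know that only timer.c shows: the `name` pointer is stored rather than copied, and the function returns 0 when malloc fails. A comment above the declaration would cover it, e.g. `/* NAME is stored, not copied; returns 0 on allocation failure; the event is freed when it fires or is removed. */`. The one caller visible in this patch passes a string literal for the name, so declaring the parameter and the struct field as `const char *` looks feasible, though other callers are outside this view.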
@@ -0,0 +1,348 @@ +/* $Id: transport.c,v 1.4 2007/03/21 20:03:06 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/transport.c,v $ */ + +/* $OpenBSD: transport.c,v 1.13 2001/04/09 22:09:53 ho Exp $ */ +/* $EOM: transport.c,v 1.43 2000/10/10 12:36:39 provos Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include + +#include "sysdep.h" + +#include "conf.h" +#include "exchange.h" +#include "log.h" +#include "message.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "string.h" + +/* If no retransmit limit is given, use this as a default. */ +#define RETRANSMIT_DEFAULT 10 + +LIST_HEAD (transport_list, transport) transport_list; +LIST_HEAD (transport_method_list, transport_vtbl) transport_method_list; + +/* Initialize the transport maintenance module. */ +void +transport_init (void) +{ + LIST_INIT (&transport_list); + LIST_INIT (&transport_method_list); +} + +/* Register another transport T. */ +void +transport_add (struct transport *t) +{ + LOG_DBG ((LOG_TRANSPORT, 70, "transport_add: adding %p", t)); + TAILQ_INIT (&t->sendq); + LIST_INSERT_HEAD (&transport_list, t, link); + t->flags = 0; + t->refcnt = 0; +} + +/* Add a referer to transport T. */ +void +transport_reference (struct transport *t) +{ + t->refcnt++; + LOG_DBG ((LOG_TRANSPORT, 90, + "transport_reference: transport %p now has %d references", t, + t->refcnt)); +} + +/* + * Remove a referer from transport T, removing all of T when no referers left. + */ +void +transport_release (struct transport *t) +{ + LOG_DBG ((LOG_TRANSPORT, 90, + "transport_release: transport %p had %d references", t, + t->refcnt)); + if (--t->refcnt) + return; + + LOG_DBG ((LOG_TRANSPORT, 70, "transport_release: freeing %p", t)); + LIST_REMOVE (t, link); + t->vtbl->remove (t); +} + +void +transport_report (void) +{ + struct transport *t; + struct message *msg; + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + { + LOG_DBG ((LOG_REPORT, 0, + "transport_report: transport %p flags %x refcnt %d", t, + t->flags, t->refcnt)); + + t->vtbl->report (t); + + /* This is the reason message_dump_raw lives outside message.c. 
*/ + for (msg = TAILQ_FIRST (&t->sendq); msg; msg = TAILQ_NEXT (msg, link)) + message_dump_raw ("udp_report", msg, LOG_REPORT); + } +} + +/* Register another transport method T. */ +void +transport_method_add (struct transport_vtbl *t) +{ + LIST_INSERT_HEAD (&transport_method_list, t, link); +} + +/* Apply a function FUNC on all registered transports. */ +void +transport_map (void (*func) (struct transport *)) +{ + struct transport *t; + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + (*func) (t); +} + +/* + * Build up a file desciptor set FDS with all transport descriptors we want + * to read from. Return the number of file descriptors select(2) needs to + * check in order to cover the ones we setup in here. + */ +int +transport_fd_set (fd_set *fds) +{ + int n; + int max = -1; + struct transport *t; + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + if (t->flags & TRANSPORT_LISTEN) + { + n = t->vtbl->fd_set (t, fds, 1); + if (n > max) + max = n; + } + return max + 1; +} + +/* + * Build up a file desciptor set FDS with all the descriptors belonging to + * transport where messages are queued for transmittal. Return the number + * of file descriptors select(2) needs to check in order to cover the ones + * we setup in here. + */ +int +transport_pending_wfd_set (fd_set *fds) +{ + int n; + int max = -1; + struct transport *t; + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + { + if (TAILQ_FIRST (&t->sendq)) + { + n = t->vtbl->fd_set (t, fds, 1); + if (n > max) + max = n; + } + } + return max + 1; +} + +/* + * For each transport with a file descriptor in FDS, try to get an + * incoming message and start processing it. + */ +void +transport_handle_messages (fd_set *fds) +{ + struct transport *t, *next_t; + + for (t = LIST_FIRST (&transport_list); t; t = next_t) + { + /* + * Grab the next pointer now. Transport t could be deleted before the + * handle_message() function returns. 
+ */ + next_t = LIST_NEXT (t, link); + if ((t->flags & TRANSPORT_LISTEN) && (*t->vtbl->fd_isset) (t, fds)) + (*t->vtbl->handle_message) (t); + } +} + +/* + * Send the first queued message on the transports found whose file + * descriptor is in FDS and has messages queued. Remove the fd bit from + * FDS as soon as one message has been sent on it so other transports + * sharing the socket won't get service without an intervening select + * call. Perhaps a fairness strategy should be implemented between + * such transports. Now early transports in the list will potentially + * be favoured to later ones sharing the file descriptor. + */ +void +transport_send_messages (fd_set *fds) +{ + struct transport *t, *next; + struct message *msg; + struct exchange *exchange; + struct timeval expiration; + int expiry, ok_to_drop_message; + + /* Reference all transports first so noone will disappear while in use. */ + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + transport_reference (t); + + for (t = LIST_FIRST (&transport_list); t; t = LIST_NEXT (t, link)) + { + if (TAILQ_FIRST (&t->sendq) && t->vtbl->fd_isset (t, fds)) + { + t->vtbl->fd_set (t, fds, 0); + msg = TAILQ_FIRST (&t->sendq); + msg->flags &= ~MSG_IN_TRANSIT; + exchange = msg->exchange; + exchange->in_transit = 0; + TAILQ_REMOVE (&t->sendq, msg, link); + + /* + * We disregard the potential error message here, hoping that the + * retransmit will go better. + * XXX Consider a retry/fatal error discriminator. + */ + t->vtbl->send_message (msg); + msg->xmits++; + + /* + * This piece of code has been proven to be quite delicate. + * Think twice for before altering. Here's an outline: + * + * If this message is not the one which finishes an exchange, + * check if we have reached the number of retransmit before + * queuing it up for another. + * + * If it is a finishing message we still may have to keep it + * around for an on-demand retransmit when seeing a duplicate + * of our peer's previous message. 
+ * + * If we have no previous message from our peer, we need not + * to keep the message around. + */ + if ((msg->flags & MSG_LAST) == 0) + { + if (msg->xmits > conf_get_num ("General", "retransmits", + RETRANSMIT_DEFAULT)) + { + log_print ("transport_send_messages: " + "giving up on message %p", + msg); + exchange->last_sent = 0; + } + else + { + gettimeofday (&expiration, 0); + + /* + * XXX Calculate from round trip timings and a backoff func. + */ + expiry = msg->xmits * 2 + 5; + expiration.tv_sec += expiry; + LOG_DBG ((LOG_TRANSPORT, 30, + "transport_send_messages: message %p " + "scheduled for retransmission %d in %d secs", + msg, msg->xmits, expiry)); + if (msg->retrans) + timer_remove_event (msg->retrans); + msg->retrans + = timer_add_event ("message_send_expire", + (void (*) (void *))message_send_expire, + msg, &expiration); + /* If we cannot retransmit, we cannot... */ + exchange->last_sent = msg->retrans ? msg : 0; + } + } + else + exchange->last_sent = exchange->last_received ? msg : 0; + + /* + * If this message is not referred to for later retransmission + * it will be ok for us to drop it after the post-send function. + * But as the post-send function may remove the exchange, we need + * to remember this fact here. + */ + ok_to_drop_message = exchange->last_sent == 0; + + /* + * If this is not a retransmit call post-send functions that allows + * parallel work to be done while the network and peer does their + * share of the job. Note that a post-send function may take + * away the exchange we belong to, but only if no retransmits + * are possible. 
+ */ + if (msg->xmits == 1) + message_post_send (msg); + + if (ok_to_drop_message) + message_free (msg); + } + } + + for (t = LIST_FIRST (&transport_list); t; t = next) + { + next = LIST_NEXT (t, link); + transport_release (t); + } +} + +/* + * Textual search after the transport method denoted by NAME, then create + * a transport connected to the peer with address ADDR, given in a transport- + * specific string format. + */ +struct transport * +transport_create (char *name, char *addr) +{ + struct transport_vtbl *method; + + for (method = LIST_FIRST (&transport_method_list); method; + method = LIST_NEXT (method, link)) + if (strcmp (method->name, name) == 0) + return (*method->create) (addr); + return 0; +} diff --git a/src/transport.h b/src/transport.h new file mode 100644 index 0000000..000d623 --- /dev/null +++ b/src/transport.h 
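Review bot: transport_release tests `if (--t->refcnt)`, so a release on a transport whose count is already 0 drives it to -1 and is treated as "still referenced"; the count is then off by one for the rest of the transport's life. That can happen in transport_send_messages, whose closing loop releases every transport on the list, including any that was inserted after the opening reference loop ran (transport_add starts a new transport at refcnt 0); whether the send or post-send path can add transports is not visible here. If it can, a transport holding exactly one real reference would be freed by that closing loop while still in use. At minimum I would make the imbalance visible by guarding before the decrement, `if (t->refcnt <= 0) { log_print ("transport_release: %p has no references", t); return; }`, and longer term release only the transports the first loop referenced.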
@@ -0,0 +1,139 @@ +/* $Id: transport.h,v 1.2 2002/05/10 04:25:17 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/transport.h,v $ */ + +/* $OpenBSD: transport.h,v 1.7 2000/08/03 07:23:55 niklas Exp $ */ +/* $EOM: transport.h,v 1.16 2000/07/17 18:57:59 provos Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +/* + * The transport module tries to separate out details concerning the + * actual transferral of ISAKMP messages to other parties. + */ + +#ifndef _TRANSPORT_H_ +#define _TRANSPORT_H_ + +#include +#include +#include +#include + +struct message; +struct transport; + +/* This describes a tranport "method" like UDP or similar. */ +struct transport_vtbl { + /* All transport methods are linked together. */ + LIST_ENTRY (transport_vtbl) link; + + /* A textual name of the transport method. */ + char *name; + + /* Create a transport instance of this method. */ + struct transport *(*create) (char *); + + /* Remove a transport instance of this method. */ + void (*remove) (struct transport *); + + /* Report status of given transport */ + void (*report) (struct transport *); + + /* Let the given transport set it's bit in the fd_set passed in. */ + int (*fd_set) (struct transport *, fd_set *, int); + + /* Is the given transport ready for I/O? */ + int (*fd_isset) (struct transport *, fd_set *); + + /* + * Read a message from the transport's incoming pipe and start + * handling it. + */ + void (*handle_message) (struct transport *); + + /* Send a message through the outgoing pipe. */ + int (*send_message) (struct message *); + + /* + * Fill out a sockaddr structure with the transport's destination end's + * address info. XXX Why not size_t * instead of int *? + */ + void (*get_dst) (struct transport *, struct sockaddr **, int *); + + /* + * Fill out a sockaddr structure with the transport's source end's + * address info. XXX Why not size_t * instead of int *? + */ + void (*get_src) (struct transport *, struct sockaddr **, int *); + + /* + * Return a string with decoded src and dst information + */ + char *(*decode_ids) (struct transport *); +}; + +struct transport { + /* All transports used are linked together. 
*/ + LIST_ENTRY (transport) link; + + /* What transport method is this an instance of? */ + struct transport_vtbl *vtbl; + + /* The queue holding messages to send on this transport. */ + TAILQ_HEAD (msg_head, message) sendq; + + /* Flags describing the transport. */ + int flags; + + /* References counter. */ + int refcnt; +}; + +/* Set if this is a transport we want to listen on. */ +#define TRANSPORT_LISTEN 1 + +extern void transport_add (struct transport *); +extern struct transport *transport_create (char *, char *); +extern int transport_fd_set (fd_set *); +extern void transport_handle_messages (fd_set *); +extern void transport_init (void); +extern void transport_map (void (*) (struct transport *)); +extern void transport_method_add (struct transport_vtbl *); +extern int transport_pending_wfd_set (fd_set *); +extern void transport_reference (struct transport *); +extern void transport_release (struct transport *); +extern void transport_report (void); +extern void transport_send_messages (fd_set *); + +#endif /* _TRANSPORT_H_ */ diff --git a/src/udp.c b/src/udp.c new file mode 100644 index 0000000..c090e9d --- /dev/null +++ b/src/udp.c 
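Review bot: The comment on the `fd_set` member of transport_vtbl says only that the transport sets its bit, but transport_fd_set and transport_pending_wfd_set use its return value to compute the count passed to select(2), and nothing tells an implementation to reject descriptors that do not fit in an fd_set. udp_fd_set later in this patch calls `FD_SET (u->s, fds)` with no comparison against FD_SETSIZE, which writes outside the set if the socket number is ever that large. I would extend the member comment to something like `/* Set (or clear, if the int is 0) this transport's descriptor in the fd_set; return descriptor + 1. The descriptor must be below FD_SETSIZE. */` and enforce the bound where the socket is created.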
@@ -0,0 +1,649 @@ +/* $Id: udp.c,v 1.5 2007/03/21 20:03:06 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/udp.c,v $ */ + +/* $OpenBSD: udp.c,v 1.29 2001/04/09 22:09:53 ho Exp $ */ +/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include "config.h" +#include +#include +#include +#ifndef linux +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "conf.h" +#include "if.h" +#include "isakmp.h" +#include "log.h" +#include "message.h" +#include "sysdep.h" +#include "transport.h" +#include "udp.h" +#include "util.h" + +#define UDP_SIZE 65536 + +/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. 
*/ +#ifndef SO_REUSEPORT +#define SO_REUSEPORT SO_REUSEADDR +#endif + +static struct transport *udp_clone (struct udp_transport *, + struct sockaddr_in *); +static struct transport *udp_create (char *); +void udp_remove (struct transport *); +void udp_report (struct transport *); +int udp_fd_set (struct transport *, fd_set *, int); +int udp_fd_isset (struct transport *, fd_set *); +static void udp_handle_message (struct transport *); +static struct transport *udp_make (struct sockaddr_in *); +static int udp_send_message (struct message *); +void udp_get_dst (struct transport *, struct sockaddr **, int *); +void udp_get_src (struct transport *, struct sockaddr **, int *); +char *udp_decode_ids (struct transport *); + +static struct transport_vtbl udp_transport_vtbl = { + { 0 }, "udp", + udp_create, + udp_remove, + udp_report, + udp_fd_set, + udp_fd_isset, + udp_handle_message, + udp_send_message, + udp_get_dst, + udp_get_src, + udp_decode_ids +}; + +/* A list of UDP transports we listen for messages on. */ +static LIST_HEAD (udp_listen_list, udp_transport) udp_listen_list; + +in_port_t udp_default_port = 0; +in_port_t udp_bind_port = 0; +static int udp_proto; +static struct transport *default_transport; + +/* Find an UDP transport listening on ADDR:PORT. */ +static struct udp_transport * +udp_listen_lookup (in_addr_t addr, in_port_t port) +{ + struct udp_transport *u; + + for (u = LIST_FIRST (&udp_listen_list); u; u = LIST_NEXT (u, link)) + if (u->src.sin_addr.s_addr == addr && u->src.sin_port == port) + return u; + return 0; +} + +/* Create a UDP transport structure bound to LADDR just for listening. 
*/ +static struct transport * +udp_make (struct sockaddr_in *laddr) +{ + struct udp_transport *t = 0; + int s, on; + + t = malloc (sizeof *t); + if (!t) + { + log_print ("udp_make: malloc (%d) failed", sizeof *t); + return 0; + } + + s = socket (AF_INET, SOCK_DGRAM, udp_proto); + if (s == -1) + { + log_error ("udp_make: socket (%d, %d, %d)", AF_INET, SOCK_DGRAM, + udp_proto); + goto err; + } + + /* Make sure we don't get our traffic encrypted. */ + sysdep_cleartext (s); + + /* + * In order to have several bound specific address-port combinations + * with the same port SO_REUSEADDR is needed. + * If this is a wildcard socket and we are not listening there, but only + * sending from it make sure it is entirely reuseable with SO_REUSEPORT. + */ + on = 1; + if (setsockopt (s, SOL_SOCKET, + (laddr->sin_addr.s_addr == INADDR_ANY + && conf_get_str ("General", "Listen-on")) + ? SO_REUSEPORT : SO_REUSEADDR, + (void *)&on, sizeof on) == -1) + { + log_error ("udp_make: setsockopt (%d, %d, %d, %p, %d)", s, SOL_SOCKET, + (laddr->sin_addr.s_addr == INADDR_ANY + && conf_get_str ("General", "Listen-on")) + ? SO_REUSEPORT : SO_REUSEADDR, + &on, sizeof on); + goto err; + } + + t->transport.vtbl = &udp_transport_vtbl; + memcpy (&t->src, laddr, sizeof t->src); + if (bind (s, (struct sockaddr *)&t->src, sizeof t->src)) + { + log_error ("udp_make: bind (%d, %p, %d)", s, &t->src, sizeof t->src); + goto err; + } + + memset (&t->dst, 0, sizeof t->dst); + t->s = s; + transport_add (&t->transport); + transport_reference (&t->transport); + t->transport.flags |= TRANSPORT_LISTEN; + return &t->transport; + +err: + if (s != -1) + close (s); + if (t) + free (t); + return 0; +} + +/* Clone a listen transport U, record a destination RADDR for outbound use. 
*/ +static struct transport * +udp_clone (struct udp_transport *u, struct sockaddr_in *raddr) +{ + struct transport *t; + struct udp_transport *u2; + + t = malloc (sizeof *u); + if (!t) + { + log_error ("udp_clone: malloc (%d) failed", sizeof *u); + return 0; + } + u2 = (struct udp_transport *)t; + + memcpy (u2, u, sizeof *u); + memcpy (&u2->dst, raddr, sizeof u2->dst); + t->flags &= ~TRANSPORT_LISTEN; + + transport_add (t); + + return t; +} + +/* + * Initialize an object of the UDP transport class. Fill in the local + * IP address and port information and create a server socket bound to + * that specific port. Add the polymorphic transport structure to the + * system-wide pools of known ISAKMP transports. + */ +static struct transport * +udp_bind (in_addr_t addr, in_port_t port) +{ + struct sockaddr_in src; + + memset (&src, 0, sizeof src); +#ifndef USE_OLD_SOCKADDR + src.sin_len = sizeof src; +#endif + src.sin_family = AF_INET; + src.sin_addr.s_addr = addr; + src.sin_port = port; + return udp_make (&src); +} + +/* + * When looking at a specific network interface address, if it's an INET one, + * create an UDP server socket bound to it. + */ +static void +udp_bind_if (struct ifreq *ifrp, void *arg) +{ + in_port_t port = *(in_port_t *)arg; + in_addr_t if_addr = ((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr; + struct conf_list *listen_on; + struct conf_list_node *address; + struct in_addr addr; + struct transport *t; + struct ifreq flags_ifr; + int s; + + /* + * Well, UDP is an internet protocol after all so drop other ifreqs. + * XXX IPv6 support is missing. + */ +#ifdef USE_OLD_SOCKADDR + if (ifrp->ifr_addr.sa_family != AF_INET) +#else + if (ifrp->ifr_addr.sa_family != AF_INET + || ifrp->ifr_addr.sa_len != sizeof (struct sockaddr_in)) +#endif + return; + + /* + * These special addresses are not useable as they have special meaning + * in the IP stack. 
+ */ + if (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr == INADDR_ANY + || (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr + == INADDR_NONE)) + return; + + /* Don't bother with interfaces that are down. */ + s = socket (AF_INET, SOCK_DGRAM, 0); + if (s == -1) + { + log_error ("udp_bind_if: socket (AF_INET, SOCK_DGRAM, 0) failed"); + return; + } + strncpy (flags_ifr.ifr_name, ifrp->ifr_name, sizeof flags_ifr.ifr_name - 1); + if (ioctl (s, SIOCGIFFLAGS, (caddr_t)&flags_ifr) == -1) + { + log_error ("udp_bind_if: ioctl (%d, SIOCGIFFLAGS, ...) failed", s); + return; + } + close (s); + if (!(flags_ifr.ifr_flags & IFF_UP)) + return; + + /* + * If we are explicit about what addresses we can listen to, be sure + * to respect that option. + * This is quite wasteful redoing the list-run for every interface, + * but who cares? This is not an operation that needs to be fast. + */ + listen_on = conf_get_list ("General", "Listen-on"); + if (listen_on) + { + for (address = TAILQ_FIRST (&listen_on->fields); address; + address = TAILQ_NEXT (address, link)) + { + if (!inet_aton (address->field, &addr)) + { + log_print ("udp_bind_if: invalid address %s in \"Listen-on\"", + address->field); + continue; + } + + /* If found, take the easy way out. */ + if (addr.s_addr == if_addr) + break; + } + conf_free_list (listen_on); + + /* + * If address is zero then we did not find the address among the ones + * we should listen to. + * XXX We do not discover if we do not find our listen addresses... + * Maybe this should be the other way round. + */ + if (!address) + return; + } + + t = udp_bind (if_addr, port); + if (!t) + { + log_print ("udp_bind_if: failed to create a socket on %s:%d", + inet_ntoa (*((struct in_addr *)&if_addr)), port); + return; + } + LIST_INSERT_HEAD (&udp_listen_list, (struct udp_transport *)t, link); +} + +/* + * NAME is a section name found in the config database. Setup and return + * a transport useable to talk to the peer specified by that name. 
+ */ +static struct transport * +udp_create (char *name) +{ + struct udp_transport *u; + struct sockaddr_in dst; + char *addr_str, *port_str; + in_addr_t addr; + in_port_t port; + + port_str = conf_get_str (name, "Port"); + if (port_str) + { + port = udp_decode_port (port_str); + if (!port) + return 0; + } + else + port = UDP_DEFAULT_PORT; + port = htons (port); + + addr_str = conf_get_str (name, "Address"); + if (!addr_str) + { + log_print ("udp_create: no address configured for \"%s\"", name); + return 0; + } + addr = inet_addr (addr_str); + if (addr == INADDR_NONE) + { + log_print ("udp_create: inet_addr (\"%s\") failed", addr_str); + return 0; + } + + memset (&dst, 0, sizeof dst); +#ifndef USE_OLD_SOCKADDR + dst.sin_len = sizeof dst; +#endif + dst.sin_family = AF_INET; + dst.sin_addr.s_addr = addr; + dst.sin_port = port; + + addr_str = conf_get_str (name, "Local-address"); + if (!addr_str) + addr_str = conf_get_str ("General", "Listen-on"); + if (!addr_str) + { + if (!default_transport) + { + log_print ("udp_create: no default transport"); + return 0; + } + else + return udp_clone ((struct udp_transport *)default_transport, &dst); + } + + addr = inet_addr (addr_str); + if (addr == INADDR_NONE) + { + log_print ("udp_create: inet_addr (\"%s\") failed", addr_str); + return 0; + } + u = udp_listen_lookup (addr, (udp_default_port ? htons (udp_default_port) : + htons (UDP_DEFAULT_PORT))); + if (!u) + { + log_print ("udp_create: %s:%d must exist as a listener too", addr_str, + udp_default_port); + return 0; + } + return udp_clone (u, &dst); +} + +void +udp_remove (struct transport *t) +{ + free (t); +} + +/* Report transport-method specifics of the T transport. 
*/ +void +udp_report (struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + char src[16], dst[16]; + + snprintf (src, 16, "%s", inet_ntoa (u->src.sin_addr)); + snprintf (dst, 16, "%s", inet_ntoa (u->dst.sin_addr)); + LOG_DBG ((LOG_REPORT, 0, "udp_report: fd %d src %s dst %s", u->s, src, + dst)); +} + +/* + * Find out the magic numbers for the UDP protocol as well as the UDP port + * to use. Setup an UDP server for each address of this machine, and one + * for the generic case when we are the initiator. + */ +void +udp_init () +{ + struct protoent *p; + in_port_t port; + + /* Initialize the protocol and port numbers. */ + p = getprotobyname ("udp"); + udp_proto = p ? p->p_proto : IPPROTO_UDP; + if (udp_default_port) + port = htons (udp_default_port); + else + port = htons (UDP_DEFAULT_PORT); + + LIST_INIT (&udp_listen_list); + + /* Bind the GDOI UDP port on all network interfaces we have. */ + /* XXX need to check errors */ + if_map (udp_bind_if, &port); + + /* + * If we don't bind to specific addresses via the Listen-on configuration + * option, bind to INADDR_ANY in case of new addresses popping up. + * XXX We should use packets coming in on this socket as a signal + * to reprobe for new interfaces. + */ + default_transport = udp_bind (INADDR_ANY, port); + if (!default_transport) + log_error ("udp_init: could not allocate default GDOI UDP port"); + else if (conf_get_str ("General", "Listen-on")) + default_transport->flags &= ~TRANSPORT_LISTEN; + + transport_method_add (&udp_transport_vtbl); +} + +/* + * Set transport T's socket in FDS, return a value useable by select(2) + * as the number of file descriptors to check. + */ +int +udp_fd_set (struct transport *t, fd_set *fds, int bit) +{ + struct udp_transport *u = (struct udp_transport *)t; + + if (bit) + FD_SET (u->s, fds); + else + FD_CLR (u->s, fds); + + return u->s + 1; +} + +/* Check if transport T's socket is set in FDS. 
*/ +int +udp_fd_isset (struct transport *t, fd_set *fds) +{ + struct udp_transport *u = (struct udp_transport *)t; + + return FD_ISSET (u->s, fds); +} + +/* + * A message has arrived on transport T's socket. If T is single-ended, + * clone it into a double-ended transport which we will use from now on. + * Package the message as we want it and continue processing in the message + * module. + */ +static void +udp_handle_message (struct transport *t) +{ + struct udp_transport *u = (struct udp_transport *)t; + u_int8_t buf[UDP_SIZE]; + struct sockaddr_in from; + socklen_t len = sizeof from; + ssize_t n; + struct message *msg; + + n = recvfrom (u->s, buf, UDP_SIZE, 0, (struct sockaddr *)&from, &len); + if (n == -1) + { + log_error ("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, UDP_SIZE, 0, + &from, &len); + return; + } + + /* + * Make a specialized UDP transport structure out of the incoming + * transport and the address information we got from recvfrom(2). + */ + t = udp_clone (u, &from); + if (!t) + /* XXX Should we do more here? */ + return; + + msg = message_alloc (t, buf, n); + if (!msg) + /* XXX Log? */ + return; + message_recv (msg); +} + +/* Physically send the message MSG over its associated transport. */ +static int +udp_send_message (struct message *msg) +{ + struct udp_transport *u = (struct udp_transport *)msg->transport; + ssize_t n; + struct msghdr m; + + /* + * Sending on connected sockets requires that no destination address is + * given, or else EISCONN will occur. + */ + m.msg_name = (caddr_t)&u->dst; + m.msg_namelen = sizeof u->dst; + m.msg_iov = msg->iov; + m.msg_iovlen = msg->iovlen; + m.msg_control = 0; + m.msg_controllen = 0; + m.msg_flags = 0; + n = sendmsg (u->s, &m, 0); + if (n == -1) + { + log_error ("sendmsg (%d, %p, %d)", u->s, &m, 0); + return -1; + } + return 0; +} + +/* + * Get transport T's peer address and stuff it into the sockaddr pointed + * to by DST. Put its length into DST_LEN. 
+ */ +void +udp_get_dst (struct transport *t, struct sockaddr **dst, int *dst_len) +{ + *dst = (struct sockaddr *)&((struct udp_transport *)t)->dst; + *dst_len = sizeof ((struct udp_transport *)t)->dst; +} + +/* + * Get transport T's local address and stuff it into the sockaddr pointed + * to by SRC. Put its length into SRC_LEN. + */ +void +udp_get_src (struct transport *t, struct sockaddr **src, int *src_len) +{ + *src = (struct sockaddr *)&((struct udp_transport *)t)->src; + *src_len = sizeof ((struct udp_transport *)t)->src; +} + +char * +udp_decode_ids (struct transport *t) +{ + static char result[1024]; + char idsrc[256], iddst[256]; + +#ifdef HAVE_GETNAMEINFO + if (getnameinfo ((struct sockaddr *)&((struct udp_transport *)t)->src, + sizeof ((struct udp_transport *)t)->src, + idsrc, sizeof idsrc, NULL, 0, NI_NUMERICHOST) != 0) + { + log_print ("udp_decode_ids: getnameinfo () failed"); + strcpy (idsrc, ""); + } + + if (getnameinfo ((struct sockaddr *)&((struct udp_transport *)t)->dst, + sizeof ((struct udp_transport *)t)->dst, + iddst, sizeof iddst, NULL, 0, NI_NUMERICHOST) != 0) + { + log_error ("udp_decode_ids: getnameinfo () failed"); + strcpy (iddst, ""); + } +#else + strcpy (idsrc, inet_ntoa (((struct udp_transport *)t)->src.sin_addr)); + strcpy (iddst, inet_ntoa (((struct udp_transport *)t)->dst.sin_addr)); +#endif /* HAVE_GETNAMEINFO */ + + sprintf (result, "src: %s dst: %s", idsrc, iddst); + + return result; +} +/* + * Take a string containing an ext representation of port and return a + * binary port number. Return zero if anything goes wrong. 
+ */ +in_port_t +udp_decode_port (char *port_str) +{ + char *port_str_end; + long port_long; + struct servent *service; + + port_long = strtol (port_str, &port_str_end, 0); + if (port_str == port_str_end) + { + service = getservbyname (port_str, "udp"); + if (!service) + { + log_print ("udp_decode_port: service \"%s\" unknown", port_str); + return 0; + } + return ntohs (service->s_port); + } + else if (port_long < 1 || port_long > 65535) + { + log_print ("udp_decode_port: port %ld out of range", port_long); + return 0; + } + + return port_long; +} diff --git a/src/udp.h b/src/udp.h new file mode 100644 index 0000000..661682d --- /dev/null +++ b/src/udp.h 
@@ -0,0 +1,58 @@ +/* $Id: udp.h,v 1.2 2002/05/10 04:25:17 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/udp.h,v $ */ + +/* $OpenBSD: udp.h,v 1.4 1998/12/22 02:25:15 niklas Exp $ */ +/* $EOM: udp.h,v 1.4 1998/12/22 02:23:43 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _UDP_H_ +#define _UDP_H_ +#include +/* XXX IPv4 specific. */ +struct udp_transport { + struct transport transport; + struct sockaddr_in src; + struct sockaddr_in dst; + int s; + LIST_ENTRY (udp_transport) link; +}; + +extern in_port_t udp_default_port; +extern in_port_t udp_bind_port; + +extern in_port_t udp_decode_port (char *); +extern void udp_init (void); + +#endif /* _UDP_H_ */ diff --git a/src/ui.c b/src/ui.c new file mode 100644 index 0000000..33593da --- /dev/null +++ b/src/ui.c 
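Review bot: `struct udp_transport` has no comment saying that `transport` must remain its first member, although udp.c converts between the two types by plain pointer cast, for example `(struct udp_transport *)t` in udp_report and udp_fd_set. I would add `/* Must stay first: udp.c casts struct transport * to struct udp_transport * and back. */` above the `struct transport transport;` member. The `s` field could also get a short comment such as `/* UDP socket descriptor used for recvfrom/sendmsg. */`, which is how udp.c uses it.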
@@ -0,0 +1,394 @@ +/* $Id: ui.c,v 1.4 2003/10/14 22:40:27 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ui.c,v $ */ + +/* $OpenBSD: ui.c,v 1.18 2001/04/09 21:21:57 ho Exp $ */ +/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "conf.h" +#include "connection.h" +#include "doi.h" +#include "exchange.h" +#include "isakmp.h" +#include "log.h" +#include "sa.h" +#include "timer.h" +#include "transport.h" +#include "ui.h" +#include "util.h" + +#define BUF_SZ 256 + +char *ui_fifo = FIFO; +int ui_socket; + +/* Create and open the FIFO used for user control. */ +void +ui_init () +{ + struct stat st; + + /* -f- means control messages comes in via stdin. */ + if (strcmp (ui_fifo, "-") == 0) + ui_socket = 0; + else + { + /* Don't overwrite a file, i.e '-f /etc/gdoid/gdoid.conf'. */ + if (lstat (ui_fifo, &st) == 0) + if ((st.st_mode & S_IFMT) == S_IFREG) + { + errno = EEXIST; + log_fatal ("ui_init: could not create FIFO \"%s\"", ui_fifo); + } + + /* No need to know about errors. */ + unlink (ui_fifo); + if (mkfifo (ui_fifo, 0600) == -1) + log_fatal ("ui_init: mkfifo (\"%s\", 0600) failed", ui_fifo); + +#ifdef OPEN_FIFO_RDRW + ui_socket = open (ui_fifo, O_RDWR | O_NONBLOCK, 0); +#else + ui_socket = open (ui_fifo, O_RDONLY | O_NONBLOCK, 0); +#endif + if (ui_socket == -1) + log_fatal ("ui_init: open (\"%s\", O_RDONLY | O_NONBLOCK, 0) failed", + ui_fifo); + } +} + +/* + * Setup a phase 2 connection. + * XXX Maybe phase 1 works too, but teardown won't work then, fix? + */ +static void +ui_connect (char *cmd) +{ + char name[81]; + + if (sscanf (cmd, "c %80s", name) != 1) + { + log_print ("ui_connect: command \"%s\" malformed", cmd); + return; + } + connection_setup (name); +} + +/* Tear down a phase 2 connection. 
*/ +static void +ui_teardown (char *cmd) +{ + char name[81]; + struct sa *sa; + + if (sscanf (cmd, "t %80s", name) != 1) + { + log_print ("ui_teardown: command \"%s\" malformed", cmd); + return; + } + connection_teardown (name); + while ((sa = sa_lookup_by_name (name, 2)) != 0) + sa_delete (sa, 1); +} + +/* + * Call the configuration API. + * XXX Error handling! How to do multi-line transactions? Too short arbitrary + * limit on the parameters? + */ +static void +ui_config (char *cmd) +{ + char subcmd[81], section[81], tag[81], value[81]; + int override, trans = 0; + + if (sscanf (cmd, "C %80s", subcmd) != 1) + goto fail; + + trans = conf_begin (); + if (strcasecmp (subcmd, "set") == 0) + { + if (sscanf (cmd, "C %*s [%80[^]]]:%80[^=]=%80s %d", section, tag, value, + &override) != 4) + goto fail; + conf_set (trans, section, tag, value, override, 0); + } + else if (strcasecmp (subcmd, "rm") == 0) + { + if (sscanf (cmd, "C %*s [%80[^]]]:%80s", section, tag) != 2) + goto fail; + conf_remove (trans, section, tag); + } + else if (strcasecmp (subcmd, "rms") == 0) + { + if (sscanf (cmd, "C %*s [%80[^]]]", section) != 1) + goto fail; + conf_remove_section (trans, section); + } + else + goto fail; + + conf_end (trans, 1); + return; + + fail: + if (trans) + conf_end (trans, 0); + log_print ("ui_config: command \"%s\" malformed", cmd); +} + +static void +ui_delete (char *cmd) +{ + char cookies_str[ISAKMP_HDR_COOKIES_LEN * 2 + 1]; + char message_id_str[ISAKMP_HDR_MESSAGE_ID_LEN * 2 + 1]; + u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; + u_int8_t message_id_buf[ISAKMP_HDR_MESSAGE_ID_LEN]; + u_int8_t *message_id = message_id_buf; + struct sa *sa; + + if (sscanf (cmd, "d %32s %8s", cookies_str, message_id_str) != 2) + { + log_print ("ui_delete: command \"%s\" malformed", cmd); + return; + } + + if (strcmp (message_id_str, "-") == 0) + message_id = 0; + + if (hex2raw (cookies_str, cookies, ISAKMP_HDR_COOKIES_LEN) == -1 + || (message_id && hex2raw (message_id_str, message_id_buf, + 
ISAKMP_HDR_MESSAGE_ID_LEN) == -1)) + { + log_print ("ui_delete: command \"%s\" has bad arguments", cmd); + return; + } + + sa = sa_lookup (cookies, message_id); + if (!sa) + { + log_print ("ui_delete: command \"%s\" found no SA", cmd); + return; + } + sa_delete (sa, 1); +} + +#ifdef USE_DEBUG +/* Parse the debug command found in CMD. */ +static void +ui_debug (char *cmd) +{ + int cls, level; + + if (sscanf (cmd, "D %d %d", &cls, &level) != 2) + { + log_print ("ui_debug: command \"%s\" malformed", cmd); + return; + } + log_debug_cmd (cls, level); +} + +static void +ui_packetlog (char *cmd) +{ + char subcmd[81]; + + if (sscanf (cmd, "p %80s", subcmd) != 1) + goto fail; + + if (strncasecmp (subcmd, "on=", 3) == 0) + { + /* Start capture to a new file. */ + if (subcmd[strlen (subcmd) - 1] == '\n') + subcmd[strlen (subcmd) - 1] = 0; + log_packet_restart (subcmd + 3); + } + else if (strcasecmp (subcmd, "on") == 0) + log_packet_restart (NULL); + else if (strcasecmp (subcmd, "off") == 0) + log_packet_stop (); + + return; + + fail: + log_print ("ui_packetlog: command \"%s\" malformed", cmd); +} +#endif /* USE_DEBUG */ + +/* Report SAs and ongoing exchanges. */ +void +ui_report (char *cmd) +{ + /* XXX Skip 'cmd' as arg? */ + sa_report (); + exchange_report (); + transport_report (); + connection_report (); + timer_report (); + conf_report (); +} + +/* + * Call the relevant command handler based on the first character of the + * line (the command). + */ +static void +ui_handle_command (char *line) +{ + /* Find out what one-letter command was sent. 
*/ + switch (line[0]) + { + case 'c': + ui_connect (line); + break; + + case 'C': + ui_config (line); + break; + + case 'd': + ui_delete (line); + break; + +#ifdef USE_DEBUG + case 'D': + ui_debug (line); + break; +#endif + + case 'r': + ui_report (line); + break; + + case 't': + ui_teardown (line); + break; + +#ifdef USE_DEBUG + case 'p': + ui_packetlog (line); + break; +#endif + + default: + log_print ("ui_handle_messages: unrecognized command: '%c'", line[0]); + } +} + +/* + * A half-complex implementation of reading from a file descriptor + * line by line without resorting to stdio which apparently have + * troubles with non-blocking fifos. + */ +void +ui_handler () +{ + static char *buf = 0; + static char *p; + static size_t sz; + static size_t resid; + size_t n; + char *new_buf; + + /* If no buffer, set it up. */ + if (!buf) + { + sz = BUF_SZ; + buf = malloc (sz); + if (!buf) + { + log_print ("ui_handler: malloc (%d) failed", sz); + return; + } + p = buf; + resid = sz; + } + + /* If no place left in the buffer reallocate twice as large. */ + if (!resid) + { + new_buf = realloc (buf, sz * 2); + if (!new_buf) + { + log_print ("ui_handler: realloc (%p, %d) failed", buf, sz * 2); + free (buf); + buf = 0; + return; + } + buf = new_buf; + p = buf + sz; + resid = sz; + sz *= 2; + } + + n = read (ui_socket, p, resid); + if (n == -1) + { + log_error ("ui_handler: read (%d, %p, %d)", ui_socket, p, resid); + return; + } + + if (!n) + return; + resid -= n; + while (n--) + { + /* + * When we find a newline, cut off the line and feed it to the + * command processor. Then move the rest up-front. + */ + if (*p == '\n') + { + *p = '\0'; + ui_handle_command (buf); + memcpy (buf, p + 1, n); + p = buf; + resid = sz - n; + continue; + } + p++; + } +} diff --git a/src/ui.h b/src/ui.h new file mode 100644 index 0000000..6d174d8 --- /dev/null +++ b/src/ui.h 
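Review bot: In ui_handler the bytes left over after a newline are moved to the front of the buffer with `memcpy (buf, p + 1, n);`, but source and destination lie in the same allocation and overlap whenever the remaining data is longer than the line just consumed, which is undefined behaviour for memcpy. Use `memmove (buf, p + 1, n);` there. The same function stores the result of read() in a `size_t n` and tests `n == -1`, which only works through the implicit conversion; declaring it `ssize_t n` would make the error check explicit. This FIFO is the daemon's control channel (connect, teardown, config and SA-deletion commands are dispatched from it), so the line buffering is worth getting exactly right.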
@@ -0,0 +1,52 @@ +/* $Id: ui.h,v 1.3 2003/08/15 23:24:10 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/ui.h,v $ */ + +/* $OpenBSD: ui.h,v 1.4 1998/12/21 01:02:28 niklas Exp $ */ +/* $EOM: ui.h,v 1.5 1998/12/01 10:20:12 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _UI_H_ +#define _UI_H_ + +#define FIFO "/var/run/gdoid.fifo" + +extern char *ui_fifo; +extern int ui_socket; + +extern void ui_handler (void); +extern void ui_init (void); +extern void ui_report (char *); + +#endif /* _UI_H_ */ diff --git a/src/util.c b/src/util.c new file mode 100644 index 0000000..8f30de3 --- /dev/null +++ b/src/util.c 
@@ -0,0 +1,297 @@ +/* $Id: util.c,v 1.5 2011/02/04 03:50:38 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/util.c,v $ */ + +/* $OpenBSD: util.c,v 1.12 2001/04/05 23:02:02 ho Exp $ */ +/* $EOM: util.c,v 1.23 2000/11/23 12:22:08 niklas Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * Copyright (c) 2000 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include +#include +#include +#include +#include +#include + +#include "config.h" +#include "sysdep.h" + +#include "log.h" +#include "message.h" +#include "sysdep.h" +#include "transport.h" +#include "util.h" +#include + +/* + * XXX These might be turned into inlines or macros, maybe even + * machine-dependent ones, for performance reasons. + */ +u_int16_t +decode_16 (u_int8_t *cp) +{ + return cp[0] << 8 | cp[1]; +} + +u_int32_t +decode_32 (u_int8_t *cp) +{ + return cp[0] << 24 | cp[1] << 16 | cp[2] << 8 | cp[3]; +} + +u_int64_t +decode_64 (u_int8_t *cp) +{ + return (u_int64_t)cp[0] << 56 | (u_int64_t)cp[1] << 48 + | (u_int64_t)cp[2] << 40 | (u_int64_t)cp[3] << 32 + | cp[4] << 24 | cp[5] << 16 | cp[6] << 8 | cp[7]; +} + +#if 0 +/* + * XXX I severly doubt that we will need this. IPv6 does not have the legacy + * of representation in host byte order, AFAIK. + */ + +void +decode_128 (u_int8_t *cp, u_int8_t *cpp) +{ +#if BYTE_ORDER == LITTLE_ENDIAN + int i; + + for (i = 0; i < 16; i++) + cpp[i] = cp[15 - i]; +#elif BYTE_ORDER == BIG_ENDIAN + bcopy (cp, cpp, 16); +#else +#error "Byte order unknown!" +#endif +} +#endif + +void +encode_16 (u_int8_t *cp, u_int16_t x) +{ + *cp++ = x >> 8; + *cp = x & 0xff; +} + +void +encode_32 (u_int8_t *cp, u_int32_t x) +{ + *cp++ = x >> 24; + *cp++ = (x >> 16) & 0xff; + *cp++ = (x >> 8) & 0xff; + *cp = x & 0xff; +} + +void +encode_64 (u_int8_t *cp, u_int64_t x) +{ + *cp++ = x >> 56; + *cp++ = (x >> 48) & 0xff; + *cp++ = (x >> 40) & 0xff; + *cp++ = (x >> 32) & 0xff; + *cp++ = (x >> 24) & 0xff; + *cp++ = (x >> 16) & 0xff; + *cp++ = (x >> 8) & 0xff; + *cp = x & 0xff; +} + +#if 0 +/* + * XXX I severly doubt that we will need this. IPv6 does not have the legacy + * of representation in host byte order, AFAIK. + */ + +void +encode_128 (u_int8_t *cp, u_int8_t *cpp) +{ + decode_128 (cpp, cp); +} +#endif + +/* Check a buffer for all zeroes. 
*/ +int +zero_test (const u_int8_t *p, size_t sz) +{ + while (sz-- > 0) + if (*p++ != 0) + return 0; + return 1; +} + +/* Check a buffer for all ones. */ +int +ones_test (const u_int8_t *p, size_t sz) +{ + while (sz-- > 0) + if (*p++ != 0xff) + return 0; + return 1; +} + +/* + * Generate a random data, len bytes long. + */ +u_int8_t * +getrandom (u_int8_t *buf, size_t len) +{ + if (1 != RAND_bytes(buf, len)) + { + log_error ("getrandom: FAILED!!"); + return NULL; + } + + return buf; +} + +static __inline int +hex2nibble (char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + return -1; +} + +/* + * Convert hexadecimal string in S to raw binary buffer at BUF sized SZ + * bytes. Return 0 if everything is OK, -1 otherwise. + */ +int +hex2raw (char *s, u_int8_t *buf, size_t sz) +{ + char *p; + u_int8_t *bp; + int tmp; + + if (strlen (s) > sz * 2) + return -1; + for (p = s + strlen (s) - 1, bp = &buf[sz - 1]; bp >= buf; bp--) + { + *bp = 0; + if (p >= s) + { + tmp = hex2nibble (*p--); + if (tmp == -1) + return -1; + *bp = tmp; + } + if (p >= s) + { + tmp = hex2nibble (*p--); + if (tmp == -1) + return -1; + *bp |= tmp << 4; + } + } + return 0; +} + +/* + * Perform sanity check on files containing secret information. + * Returns -1 on failure, 0 otherwise. + * Also, if *file_size != NULL, store file size here. 
+ */ +int +check_file_secrecy (char *name, off_t *file_size) +{ + struct stat st; + + if (stat (name, &st) == -1) + { + log_error ("check_file_secrecy: stat (\"%s\") failed", name); + return -1; + } + if (st.st_uid != geteuid () && st.st_uid != getuid ()) + { + log_print ("check_file_secrecy: " + "not loading %s - file owner is not process user", name); + errno = EPERM; + return -1; + } + if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) + { + log_print ("conf_file_secrecy: not loading %s - too open permissions", + name); + errno = EPERM; + return -1; + } + + if (file_size) + *file_size = st.st_size; + + return 0; +} + +#ifndef HAVE_STRLCPY +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t +strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} +#endif /* HAVE_STRLCPY */ diff --git a/src/util.h b/src/util.h new file mode 100644 index 0000000..72886f6 --- /dev/null +++ b/src/util.h 
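Review bot: In decode_64 only the upper four bytes are widened before shifting; `cp[4] << 24` is evaluated as int, so a byte of 0x80 or above gives a negative value that is sign-extended when OR-ed into the u_int64_t result and sets the upper 32 bits. Cast the lower terms too: `| (u_int64_t)cp[4] << 24 | (u_int64_t)cp[5] << 16 | (u_int64_t)cp[6] << 8 | cp[7];`. decode_32 has the same int-typed `cp[0] << 24`, which is formally a signed overflow; `(u_int32_t)cp[0] << 24` avoids it. Separately, check_file_secrecy logs one of its refusals under the name `conf_file_secrecy`. It also checks a path with stat(), so the result only holds if the file cannot be swapped before the caller opens it; the callers are outside this hunk.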
@@ -0,0 +1,66 @@ +/* $Id: util.h,v 1.3 2003/09/05 21:14:28 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/util.h,v $ */ + +/* $OpenBSD: util.h,v 1.7 2000/11/23 12:56:15 niklas Exp $ */ +/* $EOM: util.h,v 1.10 2000/10/24 13:33:39 niklas Exp $ */ + +/* + * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _UTIL_H_ +#define _UTIL_H_ + +#include + +#define ROUNDUP_32(x) (((x) + 3) & ~4) + +struct message; + +extern u_int16_t decode_16 (u_int8_t *); +extern u_int32_t decode_32 (u_int8_t *); +extern u_int64_t decode_64 (u_int8_t *); +#if 0 +extern void decode_128 (u_int8_t *, u_int8_t *); +#endif +extern void encode_16 (u_int8_t *, u_int16_t); +extern void encode_32 (u_int8_t *, u_int32_t); +extern void encode_64 (u_int8_t *, u_int64_t); +#if 0 +extern void encode_128 (u_int8_t *, u_int8_t *); +#endif +extern u_int8_t *getrandom (u_int8_t *, size_t); +extern int hex2raw (char *, u_int8_t *, size_t); +extern int zero_test (const u_int8_t *, size_t); +extern int check_file_secrecy (char *, off_t *); + +#endif /* _UTIL_H_ */ diff --git a/src/x509.c b/src/x509.c new file mode 100644 index 0000000..42efd11 --- /dev/null +++ b/src/x509.c 
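Review bot: `ROUNDUP_32` masks with `~4`, which clears only bit 2, so the macro does not round up to a multiple of four: `ROUNDUP_32(5)` gives 8, but `ROUNDUP_32(4)` gives 3 and `ROUNDUP_32(8)` gives 11. If the intent is 4-byte alignment the mask should be `~3`, i.e. `#define ROUNDUP_32(x) (((x) + 3) & ~3)`. Whether anything in the tree uses the macro for buffer or payload lengths is not visible from this hunk, but a length that comes out smaller than its input can lead to an undersized allocation. Also, util.c defines `ones_test`, which has no prototype here next to `zero_test`.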
@@ -0,0 +1,889 @@ +/* $Id: x509.c,v 1.4 2007/03/21 20:03:06 bew Exp $ */ +/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/x509.c,v $ */ + +/* $OpenBSD: x509.c,v 1.49 2001/04/12 15:50:02 ho Exp $ */ +/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. + * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Ericsson Radio Systems. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifdef USE_X509 + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "sysdep.h" + +#include "cert.h" +#include "conf.h" +#include "dyn.h" +#include "exchange.h" +#include "hash.h" +#include "ike_auth.h" +#include "ipsec.h" +#include "log.h" +#include "math_mp.h" +#include "sa.h" +#include "x509.h" +#include + +/* + * X509_STOREs do not support subjectAltNames, so we have to build + * our own hash table. + */ + +/* + * XXX Actually this store is not really useful, we never use it as we have + * our own hash table. It also gets collisons if we have several certificates + * only differing in subjectAltName. + */ +static X509_STORE *x509_certs = 0; +static X509_STORE *x509_cas = 0; + +/* Initial number of bits used as hash. */ +#define INITIAL_BUCKET_BITS 6 + +struct x509_hash { + LIST_ENTRY (x509_hash) link; + + X509 *cert; +}; + +static LIST_HEAD (x509_list, x509_hash) *x509_tab = 0; + +/* Works both as a maximum index and a mask. */ +static int bucket_mask; + +u_int16_t +x509_hash (u_int8_t *id, size_t len) +{ + int i; + u_int16_t bucket = 0; + + /* XXX We might resize if we are crossing a certain threshold. */ + for (i = 4; i < (len & ~1); i += 2) + { + /* Doing it this way avoids alignment problems. */ + bucket ^= (id[i] + 1) * (id[i + 1] + 257); + } + /* Hash in the last character of odd length IDs too. 
*/ + if (i < len) + bucket ^= (id[i] + 1) * (id[i] + 257); + + bucket &= bucket_mask; + + return bucket; +} + +void +x509_hash_init () +{ + struct x509_hash *certh; + int i; + + bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; + + /* If reinitializing, free existing entries. */ + if (x509_tab) + { + for (i = 0; i <= bucket_mask; i++) + for (certh = LIST_FIRST (&x509_tab[i]); certh; + certh = LIST_FIRST (&x509_tab[i])) + { + LIST_REMOVE (certh, link); + free (certh); + } + + free (x509_tab); + } + + x509_tab = malloc ((bucket_mask + 1) * sizeof (struct x509_list)); + if (!x509_tab) + log_fatal ("x509_hash_init: malloc (%d) failed", + (bucket_mask + 1) * sizeof (struct x509_list)); + for (i = 0; i <= bucket_mask; i++) + { + LIST_INIT (&x509_tab[i]); + } +} + +/* Lookup a certificate by an ID blob. */ +X509 * +x509_hash_find (u_int8_t *id, size_t len) +{ + struct x509_hash *cert; + u_int8_t **cid; + size_t *clen; + int n, i, id_found; + + for (cert = LIST_FIRST (&x509_tab[x509_hash (id, len)]); cert; + cert = LIST_NEXT (cert, link)) + { + if (!x509_cert_get_subjects (cert->cert, &n, &cid, (u_int32_t **)&clen)) + continue; + + id_found = 0; + for (i = 0; i < n; i++) + { + LOG_DBG_BUF ((LOG_CRYPTO, 70, "cert_cmp", id, len)); + LOG_DBG_BUF ((LOG_CRYPTO, 70, "cert_cmp", cid[i], clen[i])); + /* XXX This identity predicate needs to be understood. 
*/ + if (clen[i] == len && id[0] == cid[i][0] + && memcmp (id + 4, cid[i] + 4, len - 4) == 0) + { + id_found++; + break; + } + } + cert_free_subjects (n, cid, (u_int32_t *)clen); + if (!id_found) + continue; + + LOG_DBG ((LOG_CRYPTO, 70, "x509_hash_find: return X509 %p", + cert->cert)); + return cert->cert; + } + + LOG_DBG ((LOG_CRYPTO, 70, "x509_hash_find: no certificate matched query")); + return 0; +} + +int +x509_hash_enter (X509 *cert) +{ + u_int16_t bucket = 0; + u_int8_t **id; + u_int32_t *len; + struct x509_hash *certh; + int n, i; + + if (!x509_cert_get_subjects (cert, &n, &id, &len)) + { + log_print ("x509_hash_enter: cannot retrieve subjects"); + return 0; + } + + for (i = 0; i < n; i++) + { + certh = calloc (1, sizeof *certh); + if (!certh) + { + cert_free_subjects (n, id, len); + log_error ("x509_hash_enter: calloc (1, %d) failed", sizeof *certh); + return 0; + } + + certh->cert = cert; + + bucket = x509_hash (id[i], len[i]); + + LIST_INSERT_HEAD (&x509_tab[bucket], certh, link); + LOG_DBG ((LOG_CRYPTO, 70, "x509_hash_enter: cert %p added to bucket %d", + cert, bucket)); + } + cert_free_subjects (n, id, len); + + return 1; +} + +/* X509 Certificate Handling functions. 
*/ + +/* + * Read n a certificate by name and return it as DER + */ +int +x509_read_one_cert (char *name, u_int8_t **cert_out, u_int32_t *certlen) +{ + BIO *certh, *err; + X509 *cert; + u_char *p; + + certh = LC (BIO_new, (LC (BIO_s_file, ()))); + if (!certh) + { + log_error ("x509_read_one_cert: BIO_new (BIO_s_file ()) failed"); + return -1; + } + + if (LC (BIO_read_filename, (certh, name)) == -1) + { + LC (BIO_free, (certh)); + log_error ("x509_read_one_cert: " + "BIO_read_filename (certh, \"%s\") failed", + name); + return -1; + } + + err = BIO_new_fp(stderr,BIO_NOCLOSE); + cert = PEM_read_bio_X509 (certh, NULL, NULL, NULL); + LC (BIO_free, (certh)); + if (cert == NULL) + { + BIO_printf(err, "unable to load certificate\n"); + ERR_print_errors(err); + log_error ("x509_read_one_cert: PEM_read_bio_X509 failed for %s", + name); + LC (BIO_free, (err)); + return -1; + } + + *certlen = LC (i2d_X509, (cert, NULL)); + p = *cert_out = malloc (*certlen); + if (!p) + { + log_error ("x509_read_one_cert: malloc (%d) failed", *certlen); + return 0; + } + *certlen = LC (i2d_X509, (cert, &p)); + + return 0; +} + +int +x509_read_from_dir (X509_STORE *ctx, char *name, int hash) +{ + DIR *dir; + struct dirent *file; + BIO *certh, *err; + X509 *cert; + char fullname[PATH_MAX]; + int off, size; + + if (strlen (name) >= sizeof fullname - 1) + { + log_print ("x509_read_from_dir: directory name too long"); + return 0; + } + + LOG_DBG ((LOG_CRYPTO, 40, "x509_read_from_dir: reading certs from %s", + name)); + + dir = opendir (name); + if (!dir) + { + log_error ("x509_read_from_dir: opendir (\"%s\") failed", name); + return 0; + } + + strncpy (fullname, name, sizeof fullname - 1); + fullname[sizeof fullname - 1] = 0; + off = strlen (fullname); + size = sizeof fullname - off - 1; + + while ((file = readdir (dir)) != NULL) + { + if (file->d_type != DT_REG && file->d_type != DT_LNK) + continue; + + LOG_DBG ((LOG_CRYPTO, 60, "x509_read_from_dir: reading certificate %s", + file->d_name)); + + 
certh = LC (BIO_new, (LC (BIO_s_file, ()))); + if (!certh) + { + log_error ("x509_read_from_dir: BIO_new (BIO_s_file ()) failed"); + continue; + } + + strncpy (fullname + off, file->d_name, size); + fullname[off + size] = 0; + + if (LC (BIO_read_filename, (certh, fullname)) == -1) + { + LC (BIO_free, (certh)); + log_error ("x509_read_from_dir: " + "BIO_read_filename (certh, \"%s\") failed", + fullname); + continue; + } + err = BIO_new_fp(stderr,BIO_NOCLOSE); + cert = PEM_read_bio_X509 (certh, NULL, NULL, NULL); + LC (BIO_free, (certh)); + if (cert == NULL) + { + BIO_printf(err, "unable to load certificate\n"); + ERR_print_errors(err); + log_error ("x509_read_from_dir: PEM_read_bio_X509 failed for %s", + file->d_name); + LC (BIO_free, (err)); + continue; + } + LC (BIO_free, (err)); + + if (!LC (X509_STORE_add_cert, (ctx, cert))) + { + /* + * This is actually expected if we have several certificates only + * differing in subjectAltName, which is not an something that is + * strange. Consider multi-homed machines. + */ + LOG_DBG ((LOG_CRYPTO, 50, + "x509_read_from_dir: X509_STORE_add_cert failed for %s", + file->d_name)); + } + + if (hash) + { + + if (!x509_hash_enter (cert)) + log_print ("x509_read_from_dir: x509_hash_enter (%s) failed", + file->d_name); + } + } + + closedir (dir); + + return 1; +} + +/* Initialize our databases and load our own certificates. */ +int +x509_cert_init (void) +{ + char *dirname; + + x509_hash_init (); + + /* Process CA certificates we will trust. */ + dirname = conf_get_str ("X509-certificates", "CA-directory"); + if (!dirname) + { + log_print ("x509_cert_init: no CA-directory"); + return 0; + } + + /* Free if already initialized. 
*/ + if (x509_cas) + LC (X509_STORE_free, (x509_cas)); + + x509_cas = LC (X509_STORE_new, ()); + if (!x509_cas) + { + log_print ("x509_cert_init: creating new X509_STORE failed"); + return 0; + } + + if (!x509_read_from_dir (x509_cas, dirname, 0)) + { + log_print ("x509_cert_init: x509_read_from_dir failed"); + return 0; + } + + /* Process client certificates we will accept. */ + dirname = conf_get_str ("X509-certificates", "Cert-directory"); + if (!dirname) + { + log_print ("x509_cert_init: no Cert-directory"); + return 0; + } + + /* Free if already initialized. */ + if (x509_certs) + LC (X509_STORE_free, (x509_certs)); + + x509_certs = LC (X509_STORE_new, ()); + if (!x509_certs) + { + log_print ("x509_cert_init: creating new X509_STORE failed"); + return 0; + } + + if (!x509_read_from_dir (x509_certs, dirname, 1)) + { + log_print ("x509_cert_init: x509_read_from_dir failed"); + return 0; + } + + return 1; +} + +void * +x509_cert_get (u_int8_t *asn, u_int32_t len) +{ +#ifndef USE_LIBCRYPTO + /* + * If we don't have a statically linked libcrypto, the dlopen must have + * succeeded for X.509 to be usable. + */ + if (!libcrypto) + return 0; +#endif + + return x509_from_asn (asn, len); +} + +int +x509_cert_validate (void *scert) +{ + X509_STORE_CTX csc; + X509_NAME *issuer, *subject; + X509 *cert = (X509 *)scert; + EVP_PKEY *key; + int res; + + /* + * Validate the peer certificate by checking with the CA certificates we + * trust. + */ + LC (X509_STORE_CTX_init, (&csc, x509_cas, cert, NULL)); + res = LC (X509_verify_cert, (&csc)); + LC (X509_STORE_CTX_cleanup, (&csc)); + + /* Return if validation succeeded or self-signed certs are not accepted. 
*/ + if (res || !conf_get_str ("X509-certificates", "Accept-self-signed")) + return res; + + issuer = LC (X509_get_issuer_name, (cert)); + subject = LC (X509_get_subject_name, (cert)); + + if (!issuer || !subject || LC (X509_name_cmp, (issuer, subject))) + return 0; + + key = LC (X509_get_pubkey, (cert)); + if (!key) + return 0; + + if (LC (X509_verify, (cert, key)) == -1) + return 0; + + return 1; +} + +int +x509_cert_insert (int id, void *scert) +{ + X509 *cert; + int res; + + cert = LC (X509_dup, ((X509 *)scert)); + if (!cert) + { + log_print ("x509_cert_insert: X509_dup failed"); + return 0; + } + + res = x509_hash_enter (cert); + if (!res) + LC (X509_free, (cert)); + + return res; +} + +static struct x509_hash * +x509_hash_lookup (X509 *cert) +{ + int i; + struct x509_hash *certh; + + for (i = 0; i <= bucket_mask; i++) + for (certh = LIST_FIRST (&x509_tab[i]); certh; + certh = LIST_NEXT (certh, link)) + if (certh->cert == cert) + return certh; + return 0; +} + +void +x509_cert_free (void *cert) +{ + struct x509_hash *certh = x509_hash_lookup ((X509 *)cert); + + if (certh) + LIST_REMOVE (certh, link); + LC (X509_free, ((X509 *)cert)); +} + +/* Validate the BER Encoding of a RDNSequence in the CERT_REQ payload. */ +int +x509_certreq_validate (u_int8_t *asn, u_int32_t len) +{ + int res = 1; +#if 0 + struct norm_type name = SEQOF ("issuer", RDNSequence); + + if (!asn_template_clone (&name, 1) + || (asn = asn_decode_sequence (asn, len, &name)) == 0) + { + log_print ("x509_certreq_validate: can not decode 'acceptable CA' info"); + res = 0; + } + asn_free (&name); +#endif + + /* XXX - not supported directly in SSL - later. */ + + return res; +} + +/* Decode the BER Encoding of a RDNSequence in the CERT_REQ payload. */ +void * +x509_certreq_decode (u_int8_t *asn, u_int32_t len) +{ +#if 0 + /* XXX This needs to be done later. 
*/ + struct norm_type aca = SEQOF ("aca", RDNSequence); + struct norm_type *tmp; + struct x509_aca naca, *ret; + + if (!asn_template_clone (&aca, 1) + || (asn = asn_decode_sequence (asn, len, &aca)) == 0) + { + log_print ("x509_certreq_validate: can not decode 'acceptable CA' info"); + goto fail; + } + memset (&naca, 0, sizeof (naca)); + + tmp = asn_decompose ("aca.RelativeDistinguishedName.AttributeValueAssertion", + &aca); + if (!tmp) + goto fail; + x509_get_attribval (tmp, &naca.name1); + + tmp = asn_decompose ("aca.RelativeDistinguishedName[1]" + ".AttributeValueAssertion", &aca); + if (tmp) + x509_get_attribval (tmp, &naca.name2); + + asn_free (&aca); + + ret = malloc (sizeof (struct x509_aca)); + if (ret) + memcpy (ret, &naca, sizeof (struct x509_aca)); + else + { + log_error ("x509_certreq_decode: malloc (%d) failed", + sizeof (struct x509_aca)); + x509_free_aca (&aca); + } + + return ret; + + fail: + asn_free (&aca); +#endif + return 0; +} + +void +x509_free_aca (void *blob) +{ + struct x509_aca *aca = blob; + + if (aca->name1.type) + free (aca->name1.type); + if (aca->name1.val) + free (aca->name1.val); + + if (aca->name2.type) + free (aca->name2.type); + if (aca->name2.val) + free (aca->name2.val); +} + +X509 * +x509_from_asn (u_char *asn, u_int len) +{ + BIO *certh; + X509 *scert = 0; + + certh = LC (BIO_new, (LC (BIO_s_mem, ()))); + if (!certh) + { + log_error ("x509_from_asn: BIO_new (BIO_s_mem ()) failed"); + return 0; + } + + if (LC (BIO_write, (certh, asn, len)) == -1) + { + log_error ("x509_from_asn: BIO_write failed\n"); + goto end; + } + + scert = LC (d2i_X509_bio, (certh, NULL)); + if (!scert) + { + log_print ("x509_from_asn: d2i_X509_bio failed\n"); + goto end; + } + + end: + LC (BIO_free, (certh)); + return scert; +} + +/* + * Obtain a certificate from an acceptable CA. + * XXX We don't check if the certificate we find is from an accepted CA. 
+ */ +int +x509_cert_obtain (u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, + u_int32_t *certlen) +{ + struct x509_aca *aca = data; + X509 *scert; + u_char *p; + + if (aca) + LOG_DBG ((LOG_CRYPTO, 60, + "x509_cert_obtain: acceptable certificate authorities here")); + + /* We need our ID to find a certificate. */ + if (!id) + { + log_print ("x509_cert_obtain: ID is missing"); + return 0; + } + + scert = x509_hash_find (id, id_len); + if (!scert) + return 0; + + *certlen = LC (i2d_X509, (scert, NULL)); + p = *cert = malloc (*certlen); + if (!p) + { + log_error ("x509_cert_obtain: malloc (%d) failed", *certlen); + return 0; + } + *certlen = LC (i2d_X509, (scert, &p)); + + return 1; +} + +/* Returns a pointer to the subjectAltName information of X509 certificate. */ +int +x509_cert_subjectaltname (X509 *scert, u_int8_t **altname, u_int32_t *len) +{ + X509_EXTENSION *subjectaltname; + u_int8_t *sandata; + int extpos; + int santype, sanlen; + + extpos = LC (X509_get_ext_by_NID, (scert, NID_subject_alt_name, -1)); + if (extpos == -1) + { + log_print ("x509_cert_subjectaltname: " + "certificate does not contain subjectAltName"); + return 0; + } + + subjectaltname = LC (X509_get_ext, (scert, extpos)); + + if (!subjectaltname || !subjectaltname->value + || !subjectaltname->value->data || subjectaltname->value->length < 4) + { + log_print ("x509_cert_subjectaltname: invalid subjectaltname extension"); + return 0; + } + + /* SSL does not handle unknown ASN stuff well, do it by hand. 
*/ + sandata = subjectaltname->value->data; + santype = sandata[2] & 0x3f; + sanlen = sandata[3]; + sandata += 4; + + if (sanlen + 4 != subjectaltname->value->length) + { + log_print ("x509_cert_subjectaltname: subjectaltname invalid length"); + return 0; + } + + *len = sanlen; + *altname = sandata; + + return santype; +} + +int +x509_cert_get_subjects (void *scert, int *cnt, u_int8_t ***id, + u_int32_t **id_len) +{ + X509 *cert = scert; + X509_NAME *subject; + int type; + u_int8_t *altname; + u_int32_t altlen; + u_int8_t *buf = 0; + unsigned char *ubuf; + int i; + + *id = 0; + *id_len = 0; + + /* + * XXX There can be a collection of subjectAltNames, but for now + * I only return the subjectName and a single subjectAltName. + */ + *cnt = 2; + + *id = calloc (*cnt, sizeof **id); + if (!*id) + { + log_print ("x509_cert_get_subject: malloc (%d) failed", + *cnt * sizeof **id); + goto fail; + } + + *id_len = malloc (*cnt * sizeof **id_len); + if (!*id_len) + { + log_print ("x509_cert_get_subject: malloc (%d) failed", + *cnt * sizeof **id_len); + goto fail; + } + + /* Stash the subjectName into the first slot. */ + subject = LC (X509_get_subject_name, (cert)); + if (!subject) + goto fail; + + + (*id_len)[0] = + ISAKMP_ID_DATA_OFF + LC (i2d_X509_NAME, (subject, NULL)) - ISAKMP_GEN_SZ; + (*id)[0] = malloc ((*id_len)[0]); + if (!(*id)[0]) + { + log_print ("x509_cert_get_subject: malloc (%d) failed", (*id_len)[0]); + goto fail; + } + SET_ISAKMP_ID_TYPE ((*id)[0] - ISAKMP_GEN_SZ, IPSEC_ID_DER_ASN1_DN); + ubuf = (*id)[0] + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; + LC (i2d_X509_NAME, (subject, &ubuf)); + + /* Stash the subjectAltName into the second slot. 
*/ + type = x509_cert_subjectaltname (cert, &altname, &altlen); + if (!type) + goto fail; + + buf = malloc (altlen + ISAKMP_ID_DATA_OFF); + if (!buf) + { + log_print ("x509_cert_get_subject: malloc (%d) failed", + altlen + ISAKMP_ID_DATA_OFF); + goto fail; + } + + switch (type) + { + case X509v3_DNS_NAME: + SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_FQDN); + break; + + case X509v3_RFC_NAME: + SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_USER_FQDN); + break; + + case X509v3_IP_ADDR: + /* + * XXX I dislike the numeric constants, but I don't know what we + * should use otherwise. + */ + switch (altlen) + { + case 4: + SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV4_ADDR); + break; + + case 16: + SET_ISAKMP_ID_TYPE (buf, IPSEC_ID_IPV6_ADDR); + break; + + default: + log_print ("x509_cert_get_subject: " + "invalid subjectAltName iPAdress length %d ", altlen); + goto fail; + } + break; + } + + SET_IPSEC_ID_PROTO (buf + ISAKMP_ID_DOI_DATA_OFF, 0); + SET_IPSEC_ID_PORT (buf + ISAKMP_ID_DOI_DATA_OFF, 0); + memcpy (buf + ISAKMP_ID_DATA_OFF, altname, altlen); + + (*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ; + (*id)[1] = malloc ((*id_len)[1]); + if (!(*id)[1]) + { + log_print ("x509_cert_get_subject: malloc (%d) failed", (*id_len)[1]); + goto fail; + } + memcpy ((*id)[1], buf + ISAKMP_GEN_SZ, (*id_len)[1]); + + free (buf); + buf = 0; + return 1; + + fail: + for (i = 0; i < *cnt; i++) + if ((*id)[i]) + free ((*id)[i]); + if (*id) + free (*id); + if (*id_len) + free (*id_len); + if (buf) + free (buf); + return 0; +} + +int +x509_cert_get_key (void *scert, void *keyp) +{ + X509 *cert = scert; + EVP_PKEY *key; + + key = LC (X509_get_pubkey, (cert)); + + /* Check if we got the right key type. */ + if (key->type != EVP_PKEY_RSA) + { + log_print ("x509_cert_get_key: public key is not a RSA key"); + LC (X509_free, (cert)); + return 0; + } + + *(RSA **)keyp = LC (RSAPublicKey_dup, (key->pkey.rsa)); + + return *(RSA **)keyp == NULL ? 0 : 1; +} + +#endif /* USE_X509 */ 
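Review bot: In `x509_cert_validate`, the self-signed fallback tests `LC (X509_verify, (cert, key)) == -1`, but X509_verify returns 1 only for a good signature and 0 for a bad one, so with `Accept-self-signed` set a certificate whose issuer equals its subject is accepted even when its signature does not verify. Compare against success instead, `if (LC (X509_verify, (cert, key)) != 1) return 0;`, and apply the same rule to the chain check, `res = LC (X509_verify_cert, (&csc)) == 1;`, because a negative error return is currently handed back to the caller as a non-zero result. The `EVP_PKEY` obtained from `X509_get_pubkey` is also never released on this path.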
diff --git a/src/x509.h b/src/x509.h
new file mode 100644
index 0000000..79dffdd
--- /dev/null
+++ b/src/x509.h
@@ -0,0 +1,90 @@
+/* $Id: x509.h,v 1.3 2007/03/21 20:03:07 bew Exp $ */
+/* $Source: /nfs/cscbz/gdoi/gdoicvs/gdoi/src/x509.h,v $ */
+
+/* $OpenBSD: x509.h,v 1.10 2001/01/27 12:03:36 niklas Exp $ */
+/* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niels Provos. All rights reserved.
+ * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
+ * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Ericsson Radio Systems.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _X509_H_
+#define _X509_H_
+
+#include "libcrypto.h"
+
+#define X509v3_RFC_NAME 1
+#define X509v3_DNS_NAME 2
+#define X509v3_IP_ADDR 7
+
+struct x509_attribval {
+ char *type;
+ char *val;
+};
+
+/*
+ * The acceptable certification authority.
+ * XXX We only support two names at the moment, as of ASN this can
+ * be dynamic but we don't care for now.
+ */
+struct x509_aca {
+ struct x509_attribval name1;
+ struct x509_attribval name2;
+};
+
+struct X509;
+
+/* Functions provided by cert handler. */
+
+int x509_certreq_validate (u_int8_t *, u_int32_t);
+void *x509_certreq_decode (u_int8_t *, u_int32_t);
+void x509_cert_free (void *);
+void *x509_cert_get (u_int8_t *, u_int32_t);
+int x509_cert_get_key (void *, void *);
+int x509_cert_get_subjects (void *, int *, u_int8_t ***, u_int32_t **);
+int x509_cert_init (void);
+int x509_cert_obtain (u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *);
+int x509_cert_validate (void *);
+void x509_free_aca (void *);
+
+/* Misc. X509 certificate functions. */
+
+int x509_cert_insert (int, void *);
+int x509_cert_subjectaltname (X509 *cert, u_char **, u_int *);
+X509 *x509_from_asn (u_char *, u_int);
+int x509_generate_kn(X509 *);
+int x509_read_from_dir (X509_STORE *, char *, int);
+int x509_read_one_cert (char *name, u_int8_t **cert_out, u_int32_t *certlen);
+
+#endif /* _X509_H_ */
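Review bot: The prototypes in x509.h state no return-value contract, and the definitions in x509.c do not share one: most of the int-returning functions return non-zero on success and 0 on failure, while `x509_read_one_cert` returns -1 on failure and 0 on success, and also returns 0 when its malloc fails. I would document this at the declaration, for example `/* Returns 0 on success, -1 on failure; *cert_out is malloc'd and must be freed by the caller. */` above `x509_read_one_cert`, so a caller does not test it with the `!f()` convention used for its neighbours. `x509_generate_kn` is declared here but has no definition in the x509.c shown on this page, so the prototype may be stale.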