├── .clusterfuzzlite ├── Dockerfile ├── build.sh └── project.yaml ├── .github └── workflows │ ├── cflite_batch.yml │ ├── cflite_cron.yml │ ├── cflite_pr.yml │ ├── cmake.yml │ └── codechecker.yaml ├── CMakeLists.txt ├── LICENSE ├── README.md ├── compat ├── CMakeLists.txt ├── arc4random.c ├── arc4random.h ├── arc4random_linux.h ├── arc4random_uniform.c ├── bsd-setres_id.c ├── bsd-socket.c ├── chacha_private.h ├── endian.h ├── explicit_bzero.c ├── explicit_bzero_win32.c ├── ffs.c ├── freezero.c ├── getdtablecount.c ├── getopt.h ├── getopt_long.c ├── getrtable.c ├── imsg-buffer.c ├── imsg.c ├── imsg.h ├── net │ ├── ethertypes.h │ ├── if_arp.h │ └── pfkeyv2.h ├── netinet │ ├── if_ether.h │ ├── in.h │ ├── ip.h │ ├── ip6.h │ ├── ip_ipsp.h │ ├── ip_var.h │ ├── udp.h │ └── udp_var.h ├── openbsd-compat.h ├── reallocarray.c ├── recallocarray.c ├── setproctitle.c ├── stdlib.h ├── string.h ├── strlcat.c ├── strlcpy.c ├── strtonum.c ├── sys │ ├── _null.h │ ├── queue.h │ ├── sysctl.h │ ├── tree.h │ ├── types.h │ ├── uio.h │ ├── un.h │ └── wait.h ├── timingsafe_bcmp.c ├── tree.h ├── unistd.h ├── vis.c └── vis.h ├── ikectl ├── CMakeLists.txt ├── Makefile ├── ikeca.c ├── ikeca.cnf ├── ikectl.8 ├── ikectl.c ├── ikex509v3.cnf ├── parser.c └── parser.h ├── iked.conf ├── iked ├── CMakeLists.txt ├── Makefile ├── apparmor.c ├── apparmor.h ├── ca.c ├── chap_ms.c ├── chap_ms.h ├── config.c ├── control.c ├── crypto.c ├── crypto_api.h ├── crypto_hash.c ├── dh.c ├── dh.h ├── eap.c ├── eap.h ├── genmap.sh ├── iked.8 ├── iked.c ├── iked.conf.5 ├── iked.h ├── ikev2.c ├── ikev2.h ├── ikev2_msg.c ├── ikev2_pld.c ├── imsg_util.c ├── ipsec.c ├── log.c ├── ocsp.c ├── parse.y ├── pfkey.c ├── policy.c ├── print.c ├── proc.c ├── smult_curve25519_ref.c ├── sntrup761.c ├── sntrup761.sh ├── timer.c ├── types.h ├── util.c ├── version.h ├── vroute-netlink.c └── vroute.c ├── linux ├── iked.apparmor └── openiked.service ├── regress ├── Makefile ├── Makefile.inc ├── dh │ ├── CMakeLists.txt │ ├── Makefile │ └── 
dhtest.c ├── live │ ├── Makefile │ ├── crt.in │ ├── iked.in │ ├── pf.in │ └── test_live.pl ├── parser-libfuzzer │ ├── CMakeLists.txt │ ├── common.c │ ├── run_test.sh │ ├── test_libfuzzer.dict │ ├── test_libfuzzer.options │ └── test_parser_fuzz.c ├── parser │ ├── CMakeLists.txt │ ├── Makefile │ ├── common.c │ ├── test_parser_fuzz.c │ └── tests.c └── test_helper │ ├── CMakeLists.txt │ ├── Makefile │ ├── fuzz.c │ ├── test_helper.c │ └── test_helper.h └── useradd.sh /.clusterfuzzlite/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM gcr.io/oss-fuzz-base/base-builder:v1 2 | 3 | ENV CLUSTERFUZZLITE=TRUE 4 | RUN apt-get update && apt-get install -y bison libssl-dev libevent-dev 5 | COPY . $SRC/openiked-portable 6 | WORKDIR openiked-portable 7 | COPY .clusterfuzzlite/build.sh $SRC/ 8 | -------------------------------------------------------------------------------- /.clusterfuzzlite/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | # build project 4 | cmake -S . -B build -DCMAKE_BUILD_TYPE=DEBUG -DCLUSTERFUZZ=ON 5 | cmake --build build 6 | 7 | # copy binary and dict to $OUT 8 | cp build/regress/parser-libfuzzer/test_libfuzzer $OUT/ 9 | cp regress/parser-libfuzzer/test_libfuzzer.dict regress/parser-libfuzzer/test_libfuzzer.options $OUT/ 10 | -------------------------------------------------------------------------------- /.clusterfuzzlite/project.yaml: -------------------------------------------------------------------------------- 1 | language: c 2 | -------------------------------------------------------------------------------- /.github/workflows/cflite_batch.yml: -------------------------------------------------------------------------------- 1 | name: ClusterFuzzLite batch fuzzing 2 | on: 3 | schedule: 4 | - cron: '0 0/6 * * *' # Every 6th hour. Change this to whatever is suitable. 
5 | permissions: read-all 6 | jobs: 7 | BatchFuzzing: 8 | runs-on: ubuntu-latest 9 | strategy: 10 | fail-fast: false 11 | matrix: 12 | sanitizer: 13 | - address 14 | - undefined 15 | - memory 16 | steps: 17 | - name: Build Fuzzers (${{ matrix.sanitizer }}) 18 | id: build 19 | uses: google/clusterfuzzlite/actions/build_fuzzers@v1 20 | with: 21 | sanitizer: ${{ matrix.sanitizer }} 22 | - name: Run Fuzzers (${{ matrix.sanitizer }}) 23 | id: run 24 | uses: google/clusterfuzzlite/actions/run_fuzzers@v1 25 | with: 26 | github-token: ${{ secrets.GITHUB_TOKEN }} 27 | fuzz-seconds: 10800 # run 3h 28 | mode: 'batch' 29 | sanitizer: ${{ matrix.sanitizer }} 30 | # For storing certain artifacts from fuzzing. 31 | storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/openiked/openiked-fuzzing.git 32 | storage-repo-branch: main 33 | storage-repo-branch-coverage: gh-pages 34 | 35 | -------------------------------------------------------------------------------- /.github/workflows/cflite_cron.yml: -------------------------------------------------------------------------------- 1 | name: ClusterFuzzLite cron tasks 2 | on: 3 | schedule: 4 | - cron: '0 0 * * *' # Once a day at midnight. 5 | permissions: read-all 6 | jobs: 7 | Pruning: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: Build Fuzzers 11 | id: build 12 | uses: google/clusterfuzzlite/actions/build_fuzzers@v1 13 | - name: Run Fuzzers 14 | id: run 15 | uses: google/clusterfuzzlite/actions/run_fuzzers@v1 16 | with: 17 | github-token: ${{ secrets.GITHUB_TOKEN }} 18 | fuzz-seconds: 600 19 | mode: 'prune' 20 | # For storing certain artifacts from fuzzing. 
21 | storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/openiked/openiked-fuzzing.git 22 | storage-repo-branch: main 23 | storage-repo-branch-coverage: gh-pages 24 | Coverage: 25 | runs-on: ubuntu-latest 26 | steps: 27 | - name: Build Fuzzers 28 | id: build 29 | uses: google/clusterfuzzlite/actions/build_fuzzers@v1 30 | with: 31 | sanitizer: coverage 32 | - name: Run Fuzzers 33 | id: run 34 | uses: google/clusterfuzzlite/actions/run_fuzzers@v1 35 | with: 36 | github-token: ${{ secrets.GITHUB_TOKEN }} 37 | fuzz-seconds: 600 38 | mode: 'coverage' 39 | sanitizer: 'coverage' 40 | # For storing certain artifacts from fuzzing. 41 | # coverage-report will be created at 42 | # https://openiked.github.io/openiked-fuzzing/coverage/latest/report/linux/report.html 43 | storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/openiked/openiked-fuzzing.git 44 | storage-repo-branch: main 45 | storage-repo-branch-coverage: gh-pages 46 | 47 | -------------------------------------------------------------------------------- /.github/workflows/cflite_pr.yml: -------------------------------------------------------------------------------- 1 | name: ClusterFuzzLite PR fuzzing 2 | on: 3 | pull_request: 4 | paths: 5 | - iked/ikev2_pld.c 6 | - regress/parser-libfuzzer/** 7 | permissions: read-all 8 | jobs: 9 | PR: 10 | runs-on: ubuntu-latest 11 | strategy: 12 | fail-fast: false 13 | matrix: 14 | sanitizer: 15 | - address 16 | - undefined 17 | steps: 18 | - name: Build Fuzzers (${{ matrix.sanitizer }}) 19 | id: build 20 | uses: google/clusterfuzzlite/actions/build_fuzzers@v1 21 | with: 22 | sanitizer: ${{ matrix.sanitizer }} 23 | # used to only run fuzzers that are affected by the PR. 
24 | storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/openiked/openiked-fuzzing.git 25 | storage-repo-branch: main 26 | storage-repo-branch-coverage: gh-pages 27 | - name: Run Fuzzers (${{ matrix.sanitizer }}) 28 | id: run 29 | uses: google/clusterfuzzlite/actions/run_fuzzers@v1 30 | with: 31 | github-token: ${{ secrets.GITHUB_TOKEN }} 32 | fuzz-seconds: 600 33 | mode: 'code-change' 34 | sanitizer: ${{ matrix.sanitizer }} 35 | # used to download the corpus produced by batch fuzzing. 36 | storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/openiked/openiked-fuzzing.git 37 | storage-repo-branch: main 38 | storage-repo-branch-coverage: gh-pages 39 | -------------------------------------------------------------------------------- /.github/workflows/cmake.yml: -------------------------------------------------------------------------------- 1 | name: CMake 2 | 3 | on: 4 | push: 5 | branches: [ master, ci ] 6 | pull_request: 7 | branches: [ master ] 8 | 9 | env: 10 | # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) 11 | BUILD_TYPE: Release 12 | CC: clang 13 | 14 | jobs: 15 | ubuntu: 16 | # The CMake configure and build commands are platform agnostic and should work equally 17 | # well on Windows or Mac. You can convert this to a matrix build if you need 18 | # cross-platform coverage. 
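# See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
    # Least privilege: this job only checks out, builds and runs the regress
    # binaries, so a read-only token is enough.  The other jobs in this file
    # should get the same (or set it once at workflow level).
    permissions:
      contents: read
    strategy:
      matrix:
        os: [ ubuntu-latest, ubuntu-22.04 ]
    runs-on: ${{ matrix.os }}
    # env:
    #   CFLAGS: -Werror

    steps:
    # checkout@v2 runs on a deprecated Node.js runtime; track the current major.
    - uses: actions/checkout@v4

    - name: Install libevent
      run: |
        sudo apt-get update
        # -y: never block on apt's confirmation prompt on a non-interactive runner.
        sudo apt-get install -y libevent-dev libsystemd-dev

    - name: Create Build Environment
      # Out-of-source build: keeps generated files out of the checkout.
      run: cmake -E make_directory ${{github.workspace}}/build

    - name: Configure CMake
      # bash so that $GITHUB_WORKSPACE / $BUILD_TYPE expand the same way on every host OS.
      shell: bash
      working-directory: ${{github.workspace}}/build
      # Configure from inside the build directory, pointing at the source tree.
      # (Same effect as the "cmake -S . -B build" used by .clusterfuzzlite/build.sh.)
      run: cmake $GITHUB_WORKSPACE -DCMAKE_BUILD_TYPE=$BUILD_TYPE

    - name: Build
      working-directory: ${{github.workspace}}/build
      shell: bash
      # Execute the build.  A single target can be selected with "--target <name>".
      run: cmake --build .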
--config $BUILD_TYPE 55 | 56 | - name: Test DH 57 | working-directory: ${{github.workspace}}/build/regress/dh 58 | shell: bash 59 | run: ./dhtest 60 | 61 | - name: Test Parser 62 | working-directory: ${{github.workspace}}/build/regress/parser 63 | shell: bash 64 | run: ./test_parser 65 | 66 | macos: 67 | strategy: 68 | matrix: 69 | os: [ macos-latest ] 70 | runs-on: ${{ matrix.os }} 71 | 72 | steps: 73 | - uses: actions/checkout@v2 74 | 75 | - name: Create Build Environment 76 | run: cmake -E make_directory ${{github.workspace}}/build 77 | 78 | - name: Install dependencies 79 | run: | 80 | brew install bison libevent openssl 81 | echo "/opt/homebrew/opt/bison/bin" >> $GITHUB_PATH 82 | 83 | - name: Configure CMake 84 | shell: bash 85 | working-directory: ${{github.workspace}}/build 86 | run: cmake $GITHUB_WORKSPACE -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DHOMEBREW=yes 87 | 88 | - name: Build 89 | working-directory: ${{github.workspace}}/build 90 | shell: bash 91 | run: cmake --build . --config $BUILD_TYPE 92 | 93 | - name: Test DH 94 | working-directory: ${{github.workspace}}/build/regress/dh 95 | shell: bash 96 | run: ./dhtest 97 | 98 | - name: Test Parser 99 | working-directory: ${{github.workspace}}/build/regress/parser 100 | shell: bash 101 | run: ./test_parser 102 | 103 | openbsd: 104 | runs-on: ubuntu-latest 105 | steps: 106 | - name: Bootstrap OpenBSD-latest 107 | uses: mario-campos/emulate@v1 108 | with: 109 | operating-system: openbsd-latest 110 | 111 | - name: Install Dependencies 112 | run: pkg_add cmake git 113 | 114 | - name: Build 115 | run: | 116 | git clone --depth=1 https://github.com/openiked/openiked-portable.git 117 | cd openiked-portable 118 | [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}") 119 | mkdir build; cd build 
120 | cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE 121 | make 122 | cd regress/dh; ./dhtest 123 | cd ../parser; ./test_parser 124 | 125 | freebsd: 126 | runs-on: ubuntu-latest 127 | steps: 128 | - name: Bootstrap FreeBSD-latest 129 | uses: mario-campos/emulate@v1 130 | with: 131 | operating-system: freebsd-latest 132 | 133 | - name: Install Dependencies 134 | run: pkg install -y cmake libevent git 135 | 136 | - name: Build 137 | run: | 138 | git clone --depth=1 https://github.com/openiked/openiked-portable.git 139 | cd openiked-portable 140 | [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}") 141 | mkdir build; cd build 142 | cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE 143 | make 144 | cd regress/dh; ./dhtest 145 | cd ../parser; ./test_parser 146 | 147 | netbsd: 148 | runs-on: ubuntu-latest 149 | steps: 150 | - name: Bootstrap NetBSD-latest 151 | uses: mario-campos/emulate@v1 152 | with: 153 | operating-system: netbsd-latest 154 | 155 | - name: Build 156 | run: | 157 | git clone --depth=1 https://github.com/openiked/openiked-portable.git 158 | cd openiked-portable 159 | [ "${{ github.event.pull_request.number }}" = "" ] || (echo "fetching PR ${{ github.event.pull_request.number }}"; git fetch origin pull/${{ github.event.pull_request.number }}/head:pr-${{ github.event.pull_request.number }} && git checkout "pr-${{ github.event.pull_request.number }}") 160 | mkdir build; cd build 161 | cmake .. 
-DCMAKE_BUILD_TYPE=$BUILD_TYPE 162 | make 163 | cd regress/dh; ./dhtest 164 | cd ../parser; ./test_parser 165 | -------------------------------------------------------------------------------- /.github/workflows/codechecker.yaml: -------------------------------------------------------------------------------- 1 | name: CodeChecker 2 | 3 | on: 4 | schedule: 5 | - cron: '0 0 * * *' 6 | workflow_dispatch: 7 | 8 | jobs: 9 | check: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v4 13 | 14 | - name: Install libevent 15 | run: sudo apt install libevent-dev libsystemd-dev 16 | 17 | - name: Create Build Environment 18 | run: cmake -E make_directory ${{github.workspace}}/build 19 | 20 | - name: Configure CMake 21 | shell: bash 22 | working-directory: ${{github.workspace}}/build 23 | run: cmake $GITHUB_WORKSPACE -DCMAKE_BUILD_TYPE=Debug -DCMAKE_EXPORT_COMPILE_COMMANDS=ON 24 | 25 | - name: Build 26 | working-directory: ${{github.workspace}}/build 27 | shell: bash 28 | run: cmake --build . --config Debug 29 | 30 | # Run the analysis 31 | - uses: whisperity/codechecker-analysis-action@v1 32 | id: codechecker 33 | with: 34 | logfile: ${{ github.workspace }}/build/compile_commands.json 35 | 36 | # Upload the results to the CI. 
37 | - uses: actions/upload-pages-artifact@v3 38 | with: 39 | path: ${{ steps.codechecker.outputs.result-html-dir }} 40 | 41 | deploy: 42 | needs: check 43 | permissions: 44 | pages: write 45 | id-token: write 46 | 47 | environment: 48 | name: github-pages 49 | url: ${{ steps.deployment.outputs.page_url }} 50 | 51 | runs-on: ubuntu-latest 52 | steps: 53 | - name: Deploy to GitHub Pages 54 | id: deployment 55 | uses: actions/deploy-pages@v4 56 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Permission to use, copy, modify, and distribute this software for any 2 | purpose with or without fee is hereby granted, provided that the above 3 | copyright notice and this permission notice appear in all copies. 4 | 5 | THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 6 | WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 7 | MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 8 | ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 9 | WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER 10 | IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 11 | OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OpenIKED 2 | 3 | [![License](https://img.shields.io/github/license/openiked/openiked-portable)](https://github.com/openiked/openiked-portable/blob/master/LICENSE) 4 | [![CMake](https://github.com/openiked/openiked-portable/workflows/CMake/badge.svg)](https://github.com/openiked/openiked-portable/actions?query=workflow%3ACMake) 5 | [![#openiked on matrix.org](https://img.shields.io/badge/matrix-%23openiked-blue)](https://app.element.io/#/room/#openiked:matrix.org) 6 | [![#openiked on libera.chat](https://img.shields.io/badge/IRC-%23openiked-blue)](https://kiwiirc.com/nextclient/irc.libera.chat/#openiked) 7 | 8 | This is a port of OpenBSD's [OpenIKED](https://openiked.org) to other 9 | Unix-like operating systems including Linux, macOS, FreeBSD and NetBSD. 10 | 11 | ## Documentation 12 | 13 | The official documentation for OpenIKED are the man pages for each tool: 14 | 15 | * [iked(8)](https://man.openbsd.org/iked.8) 16 | * [ikectl(8)](https://man.openbsd.org/ikectl.8) 17 | * [iked.conf(5)](https://man.openbsd.org/iked.conf.5) 18 | 19 | and the [OpenBSD VPN FAQ](https://www.openbsd.org/faq/faq17.html). 
20 | 21 | ## Installing OpenIKED 22 | 23 | ### Binary Packages 24 | 25 | Binary packages for OpenIKED are available for the package managers of various operating systems and Linux distributions: 26 | * [FreeBSD](https://www.freshports.org/security/openiked/) 27 | * [Debian](https://tracker.debian.org/pkg/openiked) 28 | * [Fedora](https://packages.fedoraproject.org/pkgs/openiked/openiked/index.html) 29 | * [Ubuntu](https://launchpad.net/ubuntu/+source/openiked) 30 | * [Arch Linux User Repository (AUR)](https://aur.archlinux.org/packages/openiked) 31 | * [openSUSE and SUSE Linux Enterprise](https://build.opensuse.org/package/show/network:vpn/openiked) 32 | * [MacPorts](https://ports.macports.org/port/openiked/) 33 | * [Homebrew](https://formulae.brew.sh/formula/openiked) 34 | 35 | ### Building from source 36 | 37 | Portable OpenIKED is built using ``cmake``. 38 | It requires a working C compiler, standard library and headers, a 39 | ``yacc`` compatible parser generator, ``libevent``, and ``libcrypto`` from either 40 | [LibreSSL](https://www.libressl.org/) or [OpenSSL](https://www.openssl.org). 41 | 42 | ``` 43 | git clone https://github.com/openiked/openiked-portable.git 44 | cd openiked-portable 45 | mkdir build && cd build 46 | cmake -DCMAKE_BUILD_TYPE=Release .. 47 | make 48 | # install 49 | make install 50 | ``` 51 | A few additional setup steps are needed to create the required system group 52 | and user. 53 | The easiest way to do this is running the `useradd.sh` script included in the 54 | source repository. 
55 | -------------------------------------------------------------------------------- /compat/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2020-2021 Tobias Heider 2 | # 3 | # Permission to use, copy, modify, and distribute this software for any 4 | # purpose with or without fee is hereby granted, provided that the above 5 | # copyright notice and this permission notice appear in all copies. 6 | # 7 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 10 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 12 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 13 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
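set(IKED_COMPAT "${CMAKE_CURRENT_SOURCE_DIR}")
set(SRCS)

# Each replacement is only compiled when the configure checks did not find
# the native function (or, for imsg, the header / the newer msgbuf API).
if(NOT HAVE_RECALLOCARRAY)
	list(APPEND SRCS ${IKED_COMPAT}/recallocarray.c)
endif()
if(NOT HAVE_SOCK_NONBLOCK)
	list(APPEND SRCS ${IKED_COMPAT}/bsd-socket.c)
endif()
if(NOT HAVE_SETRESUID)
	list(APPEND SRCS ${IKED_COMPAT}/bsd-setres_id.c)
endif()
if(NOT HAVE_GETRTABLE)
	list(APPEND SRCS ${IKED_COMPAT}/getrtable.c)
endif()
if(NOT HAVE_GETDTABLECOUNT)
	list(APPEND SRCS ${IKED_COMPAT}/getdtablecount.c)
endif()
if(NOT HAVE_SETPROCTITLE)
	list(APPEND SRCS ${IKED_COMPAT}/setproctitle.c)
endif()
if(NOT HAVE_STRTONUM)
	list(APPEND SRCS ${IKED_COMPAT}/strtonum.c)
endif()
if(NOT HAVE_FFS)
	list(APPEND SRCS ${IKED_COMPAT}/ffs.c)
endif()
if(NOT HAVE_GETOPT)
	list(APPEND SRCS ${IKED_COMPAT}/getopt_long.c)
endif()
if(NOT HAVE_IMSG_H OR NOT HAVE_MSGBUF_NEW_READER)
	list(APPEND SRCS
		# imsg
		${IKED_COMPAT}/imsg.c
		${IKED_COMPAT}/imsg-buffer.c
	)
endif()
if(NOT HAVE_STRLCPY)
	list(APPEND SRCS ${IKED_COMPAT}/strlcpy.c)
endif()
if(NOT HAVE_STRLCAT)
	list(APPEND SRCS ${IKED_COMPAT}/strlcat.c)
endif()
if(NOT HAVE_FREEZERO)
	list(APPEND SRCS ${IKED_COMPAT}/freezero.c)
endif()
if(NOT HAVE_ARC4RANDOM_BUF)
	list(APPEND SRCS ${IKED_COMPAT}/arc4random.c)
endif()
if(NOT HAVE_ARC4RANDOM_UNIFORM)
	list(APPEND SRCS ${IKED_COMPAT}/arc4random_uniform.c)
endif()
if(NOT HAVE_EXPLICIT_BZERO)
	list(APPEND SRCS ${IKED_COMPAT}/explicit_bzero.c)
endif()
if(NOT HAVE_REALLOCARRAY)
	list(APPEND SRCS ${IKED_COMPAT}/reallocarray.c)
endif()
if(NOT HAVE_VIS)
	list(APPEND SRCS ${IKED_COMPAT}/vis.c)
endif()

# Hardening and warning flags for the compat objects.  -fPIE only makes the
# objects PIE-compatible; the executables that link them still have to be
# linked with -pie by their own targets.
set(CFLAGS)
list(APPEND CFLAGS
	-O2
	-fstack-protector-strong
	-fPIE
	# _FORTIFY_SOURCE is inert without optimisation and glibc emits a
	# warning for it (fatal under -Werror).  The Debug configuration
	# appends -O0 further down, so only request fortification elsewhere.
	"$<$<NOT:$<CONFIG:DEBUG>>:-D_FORTIFY_SOURCE=2>"
	-Wall
	-Wno-pointer-sign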
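-Wno-deprecated-declarations
	-Wstrict-prototypes
	-Wmissing-prototypes
	-Wmissing-declarations
	-Wshadow
	-Wpointer-arith
	-Wcast-qual
	-Wsign-compare
	# Debug: no optimisation, with debug info.  The generator expression is
	# evaluated per configuration (so multi-config generators work too) and
	# overrides the -O2 above for that configuration only.
	"$<$<CONFIG:DEBUG>:-O0;-g>"
)

if(SRCS)
	add_library(compat OBJECT ${SRCS})
	target_compile_options(compat PRIVATE ${CFLAGS})
	target_include_directories(compat PUBLIC .)
else()
	# Nothing is missing on this platform: keep the target so consumers
	# can still link "compat" for its include directory.
	add_library(compat INTERFACE)
	target_include_directories(compat INTERFACE .)
endif()
-------------------------------------------------------------------------------- /compat/arc4random.c: --------------------------------------------------------------------------------
/* $OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $ */

/*
 * Copyright (c) 1996, David Mazieres
 * Copyright (c) 2008, Damien Miller
 * Copyright (c) 2013, Markus Friedl
 * Copyright (c) 2014, Theo de Raadt
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * ChaCha based random number generator for OpenBSD.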
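*/

/* Header list as in upstream OpenBSD arc4random.c 1.58. */
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>

/* Only the keystream generator of chacha is needed, not the full cipher API. */
#define KEYSTREAM_ONLY
#include "chacha_private.h"

#define minimum(a, b) ((a) < (b) ? (a) : (b))

#if defined(__GNUC__) || defined(_MSC_VER)
#define inline __inline
#else				/* __GNUC__ || _MSC_VER */
#define inline
#endif				/* !__GNUC__ && !_MSC_VER */

#define KEYSZ	32		/* chacha key size (bytes) */
#define IVSZ	8		/* chacha nonce size (bytes) */
#define BLOCKSZ	64		/* chacha block size (bytes) */
#define RSBUFSZ	(16*BLOCKSZ)	/* cached keystream, refilled by _rs_rekey() */

#define REKEY_BASE	(1024*1024) /* NB. should be a power of 2 */

/* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
static struct _rs {
	size_t		rs_have;	/* valid bytes at end of rs_buf */
	size_t		rs_count;	/* bytes till reseed */
} *rs;

/* Maybe be preserved in fork children, if _rs_allocate() decides. */
static struct _rsx {
	chacha_ctx	rs_chacha;	/* chacha context for random keystream */
	u_char		rs_buf[RSBUFSZ];/* keystream blocks */
} *rsx;

/*
 * Platform hooks: arc4random.h pulls in a per-OS header that provides
 * _rs_allocate(), _rs_forkdetect(), _getentropy_fail() and the
 * _ARC4_LOCK()/_ARC4_UNLOCK() pair used by the public entry points.
 */
static inline int _rs_allocate(struct _rs **, struct _rsx **);
static inline void _rs_forkdetect(void);
#include "arc4random.h"

static inline void _rs_rekey(u_char *dat, size_t datlen);

/*
 * (Re)key the generator from buf, which must hold at least KEYSZ + IVSZ
 * bytes: the first KEYSZ become the chacha key, the next IVSZ the nonce.
 * Shorter inputs are ignored (both callers pass exactly KEYSZ + IVSZ).
 * On first use the state is allocated through the platform hook; if that
 * fails the process exits instead of continuing without a generator.
 */
static inline void
_rs_init(u_char *buf, size_t n)
{
	if (n < KEYSZ + IVSZ)
		return;

	if (rs == NULL) {
		if (_rs_allocate(&rs, &rsx) == -1)
			_exit(1);
	}

	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8);
	chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
}

/*
 * Reseed from the kernel entropy source.  A getentropy() failure is handed
 * to the platform's _getentropy_fail() (on Linux, see arc4random_linux.h,
 * that kills the process); nothing here falls back to a weaker source.
 * The fresh seed is mixed in via _rs_rekey() when a state already exists,
 * the cached keystream is discarded, and the next reseed point is derived
 * from the generator itself so that it is not predictable.
 */
static void
_rs_stir(void)
{
	u_char rnd[KEYSZ + IVSZ];
	uint32_t rekey_fuzz = 0;

	if (getentropy(rnd, sizeof rnd) == -1)
		_getentropy_fail();

	if (!rs)
		_rs_init(rnd, sizeof(rnd));
	else
		_rs_rekey(rnd, sizeof(rnd));
	explicit_bzero(rnd, sizeof(rnd));	/* discard source seed */

	/* invalidate rs_buf */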
rs->rs_have = 0;
	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));

	/* rekey interval should not be predictable */
	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
}

/*
 * Called before every request for len bytes: run the platform fork check,
 * reseed if there is no state yet or the reseed budget (rs_count) would be
 * used up by this request, then charge len against the budget.
 */
static inline void
_rs_stir_if_needed(size_t len)
{
	_rs_forkdetect();
	if (!rs || rs->rs_count <= len)
		_rs_stir();
	if (rs->rs_count <= len)
		rs->rs_count = 0;
	else
		rs->rs_count -= len;
}

/*
 * Refill rs_buf with keystream, optionally XOR in up to KEYSZ + IVSZ bytes
 * of caller data (the fresh seed from _rs_stir()), and immediately derive
 * the next key/nonce from the first KEYSZ + IVSZ bytes of the buffer.
 * Those bytes are wiped afterwards, so a later compromise of the state
 * does not reveal earlier output; the remaining RSBUFSZ - KEYSZ - IVSZ
 * bytes are what callers may consume.
 */
static inline void
_rs_rekey(u_char *dat, size_t datlen)
{
#ifndef KEYSTREAM_ONLY
	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
#endif
	/* fill rs_buf with the keystream */
	chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
	    rsx->rs_buf, sizeof(rsx->rs_buf));
	/* mix in optional user provided data */
	if (dat) {
		size_t i, m;

		m = minimum(datlen, KEYSZ + IVSZ);
		for (i = 0; i < m; i++)
			rsx->rs_buf[i] ^= dat[i];
	}
	/* immediately reinit for backtracking resistance */
	_rs_init(rsx->rs_buf, KEYSZ + IVSZ);
	memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
	rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
}

/*
 * Fill buf with n random bytes.  Bytes are taken from the tail of rs_buf
 * (rs_have counts the unused bytes at its end); every consumed byte is
 * zeroed in place so it cannot be read back, and when the cache runs dry
 * the generator is rekeyed for a fresh buffer.  Caller holds _ARC4_LOCK().
 */
static inline void
_rs_random_buf(void *_buf, size_t n)
{
	u_char *buf = (u_char *)_buf;
	u_char *keystream;
	size_t m;

	_rs_stir_if_needed(n);
	while (n > 0) {
		if (rs->rs_have > 0) {
			m = minimum(n, rs->rs_have);
			keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
			    - rs->rs_have;
			memcpy(buf, keystream, m);
			memset(keystream, 0, m);
			buf += m;
			n -= m;
			rs->rs_have -= m;
		}
		if (rs->rs_have == 0)
			_rs_rekey(NULL, 0);
	}
}

/*
 * Produce one 32-bit value with the same keystream accounting as
 * _rs_random_buf(), but rekeying first if fewer than sizeof(*val) bytes
 * remain so a value is never split across a rekey.  Caller holds _ARC4_LOCK().
 */
static inline void
_rs_random_u32(uint32_t *val)
{
	u_char *keystream;

	_rs_stir_if_needed(sizeof(*val));
if (rs->rs_have < sizeof(*val)) 178 | _rs_rekey(NULL, 0); 179 | keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have; 180 | memcpy(val, keystream, sizeof(*val)); 181 | memset(keystream, 0, sizeof(*val)); 182 | rs->rs_have -= sizeof(*val); 183 | } 184 | 185 | uint32_t 186 | arc4random(void) 187 | { 188 | uint32_t val; 189 | 190 | _ARC4_LOCK(); 191 | _rs_random_u32(&val); 192 | _ARC4_UNLOCK(); 193 | return val; 194 | } 195 | 196 | void 197 | arc4random_buf(void *buf, size_t n) 198 | { 199 | _ARC4_LOCK(); 200 | _rs_random_buf(buf, n); 201 | _ARC4_UNLOCK(); 202 | } 203 | -------------------------------------------------------------------------------- /compat/arc4random.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Public domain 3 | * arc4random.h compatibility shim 4 | */ 5 | 6 | #ifndef IKED_COMPAT_ARC4RANDOM_H 7 | #define IKED_COMPAT_ARC4RANDOM_H 8 | 9 | #if defined(_AIX) 10 | #include "arc4random_aix.h" 11 | 12 | #elif defined(__FreeBSD__) 13 | #include "arc4random_freebsd.h" 14 | 15 | #elif defined(__hpux) 16 | #include "arc4random_hpux.h" 17 | 18 | #elif defined(__linux__) 19 | #include "arc4random_linux.h" 20 | 21 | #elif defined(__midipix__) 22 | #include "arc4random_linux.h" 23 | 24 | #elif defined(__NetBSD__) 25 | #include "arc4random_netbsd.h" 26 | 27 | #elif defined(__APPLE__) 28 | #include "arc4random_osx.h" 29 | 30 | #elif defined(__sun) 31 | #include "arc4random_solaris.h" 32 | 33 | #elif defined(_WIN32) 34 | #include "arc4random_win.h" 35 | 36 | #else 37 | #error "No arc4random hooks defined for this platform." 
38 | 39 | #endif 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /compat/arc4random_linux.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: arc4random_linux.h,v 1.12 2019/07/11 10:37:28 inoguchi Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 1996, David Mazieres 5 | * Copyright (c) 2008, Damien Miller 6 | * Copyright (c) 2013, Markus Friedl 7 | * Copyright (c) 2014, Theo de Raadt 8 | * 9 | * Permission to use, copy, modify, and distribute this software for any 10 | * purpose with or without fee is hereby granted, provided that the above 11 | * copyright notice and this permission notice appear in all copies. 12 | * 13 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 | */ 21 | 22 | /* 23 | * Stub functions for portability. 
*/

/*
 * NOTE(review): the three header names below were lost in this rendering
 * of the file (only "#include" survived); confirm against the upstream
 * arc4random_linux.h before relying on this copy.
 */
#include

#include
#include

/* Serialises all access to the shared generator state (rs/rsx). */
static pthread_mutex_t arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
#define _ARC4_LOCK()   pthread_mutex_lock(&arc4random_mtx)
#define _ARC4_UNLOCK() pthread_mutex_unlock(&arc4random_mtx)

/*
 * Register a child-side fork handler.  On glibc (except uClibc without an
 * MMU) the internal __register_atfork is called directly with this
 * object's __dso_handle; everywhere else the portable pthread_atfork is used.
 */
#if defined(__GLIBC__) && !(defined(__UCLIBC__) && !defined(__ARCH_USE_MMU__))
extern void *__dso_handle;
extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
#define _ARC4_ATFORK(f) __register_atfork(NULL, NULL, (f), __dso_handle)
#else
#define _ARC4_ATFORK(f) pthread_atfork(NULL, NULL, (f))
#endif

/*
 * Fail closed: if the kernel cannot supply seed material the process is
 * killed with SIGKILL (which cannot be caught or ignored) rather than
 * continuing with an unseeded generator.
 */
static inline void
_getentropy_fail(void)
{
	raise(SIGKILL);
}

/* Set from the atfork child handler; consumed by _rs_forkdetect(). */
static volatile sig_atomic_t _rs_forked;

static inline void
_rs_forkhandler(void)
{
	_rs_forked = 1;
}

/*
 * Fork detection.  The state here is a plain MAP_PRIVATE mapping (no
 * MAP_INHERIT_ZERO as on OpenBSD), so a child would otherwise keep the
 * parent's keystream.  A pid change or the atfork flag wipes the
 * bookkeeping struct, which makes the next request reseed via _rs_stir().
 * NOTE(review): the _rs_pid == 1 case is presumably for environments
 * where getpid() can report 1 in both parent and child - confirm.
 */
static inline void
_rs_forkdetect(void)
{
	static pid_t _rs_pid = 0;
	pid_t pid = getpid();

	/* XXX unusual calls to clone() can bypass checks */
	if (_rs_pid == 0 || _rs_pid == 1 || _rs_pid != pid || _rs_forked) {
		_rs_pid = pid;
		_rs_forked = 0;
		if (rs)
			memset(rs, 0, sizeof(*rs));
	}
}

/*
 * Allocate the two state structs as separate anonymous private mappings
 * (so the small bookkeeping struct can be wiped independently of the
 * keystream buffer) and register the fork handler.  Returns 0 on success;
 * on failure returns -1 with nothing left mapped.  Called once per
 * process from _rs_init().
 */
static inline int
_rs_allocate(struct _rs **rsp, struct _rsx **rsxp)
{
	if ((*rsp = mmap(NULL, sizeof(**rsp), PROT_READ|PROT_WRITE,
	    MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
		return (-1);

	if ((*rsxp = mmap(NULL, sizeof(**rsxp), PROT_READ|PROT_WRITE,
	    MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED) {
		munmap(*rsp, sizeof(**rsp));
		*rsp = NULL;
		return (-1);
	}

	_ARC4_ATFORK(_rs_forkhandler);
	return (0);
}
-------------------------------------------------------------------------------- /compat/arc4random_uniform.c: --------------------------------------------------------------------------------
/* $OpenBSD: arc4random_uniform.c,v 1.3 2019/01/20 02:59:07 bcook Exp $ */

/*
 * Copyright (c) 2008, Damien Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include
#include

/*
 * Return a uniformly distributed value in [0, upper_bound) drawn from
 * arc4random(), without the modulo bias that a plain arc4random() %
 * upper_bound would introduce.
 *
 * Rejection sampling: any raw 32-bit sample below 2**32 % upper_bound is
 * discarded, so the accepted samples cover a whole number of copies of
 * [0, upper_bound) and the final reduction is exact.
 *
 * upper_bound values 0 and 1 both yield 0 (there is nothing to choose).
 */
uint32_t
arc4random_uniform(uint32_t upper_bound)
{
	uint32_t reject_below, sample;

	if (upper_bound < 2)
		return 0;

	/*
	 * 2**32 % upper_bound, computed in 32-bit unsigned arithmetic as
	 * (2**32 - upper_bound) % upper_bound; unary minus wraps modulo 2**32.
	 */
	reject_below = -upper_bound % upper_bound;

	/*
	 * Worst case (upper_bound just over 2**31) rejects a little under
	 * half of the samples, so in practice this terminates quickly.
	 */
	do {
		sample = arc4random();
	} while (sample < reject_below);

	return sample % upper_bound;
}

/* ==== /compat/bsd-setres_id.c: ==== */

/*
 * Copyright (c) 2012 Darren Tucker (dtucker at zip com au).
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

#include "openbsd-compat.h"

#include

#include
#include
#include
#include

/*
 * setresgid(2) emulation for systems that lack it (or ship a broken one).
 *
 * Only the rgid == sgid case is supported: a request that would leave a
 * different saved gid behind is refused with ENOSYS instead of being
 * approximated, so a privilege drop never silently keeps a saved id the
 * caller did not ask for.
 *
 * On the setegid()/setgid() fallback path the two calls are not atomic.  If
 * setegid() succeeds and setgid() fails the process keeps the new effective
 * gid with the old real gid, and only -1 is reported; no rollback is
 * attempted, so callers must treat -1 as fatal.
 *
 * Returns 0 on success, -1 (with errno set by the failing call) otherwise.
 */
#if !defined(HAVE_SETRESGID) || defined(BROKEN_SETRESGID)
int
setresgid(gid_t rgid, gid_t egid, gid_t sgid)
{
	int ret = 0;

	if (rgid != sgid) {
		errno = ENOSYS;
		return -1;
	}
#if defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
	if (setregid(rgid, egid) < 0)
		ret = -1;
#else
	/* Effective first, then real; a failure here is not undone. */
	if (setegid(egid) < 0)
		ret = -1;
	if (setgid(rgid) < 0)
		ret = -1;
#endif
	return ret;
}
#endif

/*
 * setresuid(2) emulation, same contract and same caveats as setresgid()
 * above: ruid must equal suid, and the seteuid()/setuid() fallback is not
 * atomic.
 *
 * With SETEUID_BREAKS_SETUID defined the seteuid() step is skipped and only
 * setuid(ruid) runs -- presumably for platforms where an earlier seteuid()
 * stops setuid() from changing all three ids; confirm against the configure
 * check that defines it.
 */
#if !defined(HAVE_SETRESUID) || defined(BROKEN_SETRESUID)
int
setresuid(uid_t ruid, uid_t euid, uid_t suid)
{
	int ret = 0;

	if (ruid != suid) {
		errno = ENOSYS;
		return -1;
	}
#if defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
	if (setreuid(ruid, euid) < 0)
		ret = -1;
#else

# ifndef SETEUID_BREAKS_SETUID
	if (seteuid(euid) < 0)
		ret = -1;
# endif
	if (setuid(ruid) < 0)
		ret = -1;
#endif
	return ret;
}
#endif

/* ==== /compat/bsd-socket.c: ==== */

/*
 * Copyright (c) 2016 Reyk Floeter
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.
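IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include
#include

#include "openbsd-compat.h"

/* openbsd-compat.h presumably maps socket()/accept4() onto the bsd_* wrappers; undo that here. */
#undef socket
#undef accept4

#if defined(SOCK_SETFLAGS)
#include

/*
 * Apply the emulated SOCK_NONBLOCK / SOCK_CLOEXEC bits to an already
 * created descriptor.
 *
 * The POSIX branch previously called fcntl(s, F_GETFL, &f) and then
 * fcntl(s, F_SETFL, &f): F_GETFL returns the flag word as its result and
 * ignores the extra argument, so `f` was never initialised and F_SETFL /
 * F_SETFD received a pointer where an int flag word is expected.  Neither
 * O_NONBLOCK nor FD_CLOEXEC was reliably applied, and a missing FD_CLOEXEC
 * means the socket leaks into any exec()ed child.  Use the return value and
 * pass the flag word by value.
 *
 * Returns 0 on success, -1 (errno from fcntl()) on failure.
 */
static int
bsd_socket_setflags(int s, int flags)
{
#ifdef _WIN32
	/* see libressl/tests/compat/pipe2.c */
	/*
	 * NOTE(review): this branch tests FD_CLOEXEC / O_NONBLOCK while the
	 * POSIX branch tests SOCK_CLOEXEC / SOCK_NONBLOCK; whether the two
	 * sets of values coincide depends on openbsd-compat.h -- confirm.
	 * _get_osfhandle() reports failure as INVALID_HANDLE_VALUE rather
	 * than NULL, so the NULL test below does not catch it; the following
	 * SetHandleInformation() call would then fail and return -1 anyway.
	 */
	if (flags & FD_CLOEXEC) {
		HANDLE h = (HANDLE)_get_osfhandle(s);
		if (h != NULL)
			if (SetHandleInformation(h, HANDLE_FLAG_INHERIT, 0) == 0)
				return (-1);
	}
	if (flags & O_NONBLOCK) {
		unsigned long mode = 1;
		if (ioctlsocket(s, FIONBIO, &mode) != 0)
			return (-1);
	}
	return (0);
#else
	int f;

	if (flags & SOCK_NONBLOCK) {
		/* F_GETFL returns the flag word; it takes no out-pointer. */
		if ((f = fcntl(s, F_GETFL)) == -1)
			return (-1);
		f |= O_NONBLOCK;
		if (fcntl(s, F_SETFL, f) == -1)
			return (-1);
	}

	if (flags & SOCK_CLOEXEC) {
		if ((f = fcntl(s, F_GETFD)) == -1)
			return (-1);
		f |= FD_CLOEXEC;
		if (fcntl(s, F_SETFD, f) == -1)
			return (-1);
	}

	return (0);
#endif
}
#endif

/*
 * socket(2) wrapper that accepts SOCK_NONBLOCK / SOCK_CLOEXEC in `type` on
 * platforms that do not support them natively: the emulated bits are masked
 * out before the real socket() call and applied afterwards.
 *
 * Returns the new descriptor, or -1.  If applying the flags fails the
 * descriptor is closed first so it cannot leak; note that close() may
 * overwrite errno from the failing fcntl().
 */
int
bsd_socket(int domain, int type, int protocol)
{
	int s;
#if defined(SOCK_SETFLAGS)
	int setfl;

	setfl = type & SOCK_SETFLAGS;
	type &= ~SOCK_SETFLAGS;
#endif

	if ((s = socket(domain, type, protocol)) == -1)
		return (-1);

#if defined(SOCK_SETFLAGS)
	if (bsd_socket_setflags(s, setfl) == -1) {
		close(s);
		return (-1);
	}
#endif

	return (s);
}

#if 0
/* conflicts w/ libressl/compat/pipe2.c */
int
bsd_socketpair(int d, int type, int protocol, int sv[2])
{
#if defined(SOCK_SETFLAGS)
	int setfl;
	int i;

	setfl = type & SOCK_SETFLAGS;
	type &= ~SOCK_SETFLAGS;
#endif

	if (socketpair(d, type, protocol, sv) == -1)
		return (-1);

#if defined(SOCK_SETFLAGS)
	for (i = 0; i < 2; i++) {
		if (bsd_socket_setflags(sv[i], setfl) == -1) {
			close(sv[0]);
			close(sv[1]);
			return (-1);
		}
	}
#endif

	return (0);
}
#endif

/*
 * accept4(2) wrapper.  Uses the native accept4() where available, otherwise
 * accept() followed by the same flag emulation as bsd_socket(), or NetBSD's
 * paccept().
 *
 * NOTE(review): if none of the three conditions holds the function has no
 * return statement at all; presumably the configure step guarantees one of
 * them -- confirm, or add an #else that fails the build.
 */
int
bsd_accept4(int s, struct sockaddr *addr, socklen_t *addrlen, int flags)
{
#if !defined(SOCK_SETFLAGS) && defined(HAVE_ACCEPT4)
	return (accept4(s, addr, addrlen, flags));
#elif defined(SOCK_SETFLAGS)
	int c, setfl;

	setfl = flags & SOCK_SETFLAGS;
	flags &= ~SOCK_SETFLAGS;
	if ((c = accept(s, addr, addrlen)) == -1)
		return (-1);
	/* Close the accepted socket on failure so it cannot leak. */
	if (bsd_socket_setflags(c, setfl) == -1) {
		close(c);
		return (-1);
	}
	return (c);
#elif defined(__NetBSD__)
	return (paccept(s, addr, addrlen, NULL, flags));
#endif
}

/* ==== /compat/chacha_private.h: ==== */

/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.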
*/

/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */

typedef unsigned char u8;
typedef unsigned int u32;

/*
 * ChaCha state: 16 little-endian words laid out as
 *   [0..3]   constants (sigma or tau, chosen by key size)
 *   [4..11]  key
 *   [12..13] 64-bit block counter
 *   [14..15] 64-bit nonce
 */
typedef struct
{
  u32 input[16]; /* could be compressed */
} chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

/* 32-bit rotate left; the U32V mask keeps the result portable if u32 were wider. */
#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

/* Little-endian load/store done bytewise, so alignment and host order do not matter. */
#define U8TO32_LITTLE(p) \
  (((u32)((p)[0]) ) | \
   ((u32)((p)[1]) << 8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v) ); \
    (p)[1] = U8V((v) >> 8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

/* One ChaCha quarter round on four state words (add-rotate-xor only: no data-dependent branches or table lookups). */
#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);

/* Domain-separation constants for 256-bit and 128-bit keys respectively. */
static const char sigma[16] = "expand 32-byte k";
static const char tau[16] = "expand 16-byte k";

/*
 * Load the key into the state.  kbits == 256 consumes 32 bytes of k and
 * selects sigma; any other value is treated as 128 and the same 16 key bytes
 * fill both key halves (k is not advanced), with tau as the constant.
 * The counter and nonce words are left untouched; see chacha_ivsetup().
 */
static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
{
  const char *constants;

  x->input[4] = U8TO32_LITTLE(k + 0);
  x->input[5] = U8TO32_LITTLE(k + 4);
  x->input[6] = U8TO32_LITTLE(k + 8);
  x->input[7] = U8TO32_LITTLE(k + 12);
  if (kbits == 256) { /* recommended */
    k += 16;
    constants = sigma;
  } else { /* kbits == 128 */
    constants = tau;
  }
  x->input[8] = U8TO32_LITTLE(k + 0);
  x->input[9] = U8TO32_LITTLE(k + 4);
  x->input[10] = U8TO32_LITTLE(k + 8);
  x->input[11] = U8TO32_LITTLE(k + 12);
  x->input[0] = U8TO32_LITTLE(constants + 0);
  x->input[1] = U8TO32_LITTLE(constants + 4);
  x->input[2] = U8TO32_LITTLE(constants + 8);
  x->input[3] = U8TO32_LITTLE(constants + 12);
}

/*
 * Set the 8-byte nonce and reset the block counter to zero.  Because the
 * counter restarts, calling this twice with the same key and iv replays the
 * identical keystream -- the caller must never reuse a (key, nonce) pair.
 */
static void
chacha_ivsetup(chacha_ctx *x,const u8 *iv)
{
  x->input[12] = 0;
  x->input[13] = 0;
  x->input[14] = U8TO32_LITTLE(iv + 0);
  x->input[15] = U8TO32_LITTLE(iv + 4);
}

/*
 * Produce `bytes` bytes of output into c.  Without KEYSTREAM_ONLY the output
 * is m XOR keystream (encrypt and decrypt are the same operation); with it,
 * m is ignored and c receives the raw keystream.  Each 64-byte block runs 20
 * rounds (ten column/diagonal double rounds) and bumps the 64-bit block
 * counter in input[12..13], which is written back on return so a later call
 * continues the stream.
 *
 * A final partial block is processed through the 64-byte stack buffer tmp:
 * the `bytes` input bytes are copied in, a whole block is generated, and only
 * the first `bytes` output bytes are copied out.  The unused tail of tmp is
 * whatever was on the stack, and tmp itself is not wiped before returning,
 * so keystream/plaintext residue can remain on the stack -- presumably the
 * arc4random caller only ever requests whole blocks; confirm.
 */
static void
chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
  u8 *ctarget = NULL;
  u8 tmp[64];
  u_int i;

  if (!bytes) return;

  j0 = x->input[0];
  j1 = x->input[1];
  j2 = x->input[2];
  j3 = x->input[3];
  j4 = x->input[4];
  j5 = x->input[5];
  j6 = x->input[6];
  j7 = x->input[7];
  j8 = x->input[8];
  j9 = x->input[9];
  j10 = x->input[10];
  j11 = x->input[11];
  j12 = x->input[12];
  j13 = x->input[13];
  j14 = x->input[14];
  j15 = x->input[15];

  for (;;) {
    if (bytes < 64) {
      /* Partial block: stage input in tmp and redirect output there. */
      for (i = 0;i < bytes;++i) tmp[i] = m[i];
      m = tmp;
      ctarget = c;
      c = tmp;
    }
    x0 = j0;
    x1 = j1;
    x2 = j2;
    x3 = j3;
    x4 = j4;
    x5 = j5;
    x6 = j6;
    x7 = j7;
    x8 = j8;
    x9 = j9;
    x10 = j10;
    x11 = j11;
    x12 = j12;
    x13 = j13;
    x14 = j14;
    x15 = j15;
    for (i = 20;i > 0;i -= 2) {
      QUARTERROUND( x0, x4, x8,x12)
      QUARTERROUND( x1, x5, x9,x13)
      QUARTERROUND( x2, x6,x10,x14)
      QUARTERROUND( x3, x7,x11,x15)
      QUARTERROUND( x0, x5,x10,x15)
      QUARTERROUND( x1, x6,x11,x12)
      QUARTERROUND( x2, x7, x8,x13)
      QUARTERROUND( x3, x4, x9,x14)
    }
    /* Feed-forward: add the input state back so the round function is not invertible from the output. */
    x0 = PLUS(x0,j0);
    x1 = PLUS(x1,j1);
    x2 = PLUS(x2,j2);
    x3 = PLUS(x3,j3);
    x4 = PLUS(x4,j4);
    x5 = PLUS(x5,j5);
    x6 = PLUS(x6,j6);
    x7 = PLUS(x7,j7);
    x8 = PLUS(x8,j8);
    x9 = PLUS(x9,j9);
    x10 = PLUS(x10,j10);
    x11 = PLUS(x11,j11);
    x12 = PLUS(x12,j12);
    x13 = PLUS(x13,j13);
    x14 = PLUS(x14,j14);
    x15 = PLUS(x15,j15);

#ifndef KEYSTREAM_ONLY
    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
#endif

    /* 64-bit block counter: low word in j12, carry into j13. */
    j12 = PLUSONE(j12);
    if (!j12) {
      j13 = PLUSONE(j13);
      /* stopping at 2^70 bytes per nonce is user's responsibility */
    }

    U32TO8_LITTLE(c + 0,x0);
    U32TO8_LITTLE(c + 4,x1);
    U32TO8_LITTLE(c + 8,x2);
    U32TO8_LITTLE(c + 12,x3);
    U32TO8_LITTLE(c + 16,x4);
    U32TO8_LITTLE(c + 20,x5);
    U32TO8_LITTLE(c + 24,x6);
    U32TO8_LITTLE(c + 28,x7);
    U32TO8_LITTLE(c + 32,x8);
    U32TO8_LITTLE(c + 36,x9);
    U32TO8_LITTLE(c + 40,x10);
    U32TO8_LITTLE(c + 44,x11);
    U32TO8_LITTLE(c + 48,x12);
    U32TO8_LITTLE(c + 52,x13);
    U32TO8_LITTLE(c + 56,x14);
    U32TO8_LITTLE(c + 60,x15);

    if (bytes <= 64) {
      if (bytes < 64) {
        /* Copy only the requested bytes out of the staging block. */
        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
      }
      /* Persist the advanced counter; key, constants and nonce are unchanged. */
      x->input[12] = j12;
      x->input[13] = j13;
      return;
    }
    bytes -= 64;
    c += 64;
#ifndef KEYSTREAM_ONLY
    m += 64;
#endif
  }
}

/* ==== /compat/endian.h: ==== */

/*
 * Public domain
 * endian.h compatibility shim
 */

/*
 * Provides the OpenBSD spellings betoh16/32/64 (and, where the host lacks
 * them, htobe*) on top of whatever the platform offers.  Each platform
 * section only defines names that are still missing.
 */
#ifndef IKED_COMPAT_ENDIAN_H
#define IKED_COMPAT_ENDIAN_H

#ifdef HAVE_ENDIAN_H
#include_next
#endif /* HAVE_ENDIAN_H */

/* macOS: map onto the OSSwap* byte-order helpers. */
#if defined(__APPLE__) && !defined(HAVE_ENDIAN_H)
#include
#define betoh16(x) OSSwapBigToHostInt16((x))
#define htobe16(x) OSSwapHostToBigInt16((x))
#define betoh32(x) OSSwapBigToHostInt32((x))
#define htobe32(x) OSSwapHostToBigInt32(x)
#define htole64(x) OSSwapHostToLittleInt64(x)
#define htobe64(x) OSSwapHostToBigInt64(x)
#define letoh64(x) OSSwapLittleToHostInt64(x)
#define betoh64(x) OSSwapBigToHostInt64(x)
#define be16toh betoh16
#define be32toh betoh32
#define be64toh betoh64
#endif /* __APPLE__ && !HAVE_ENDIAN_H */

/*
 * Windows: map onto the Winsock network-order helpers.  Both directions of
 * the 32- and 64-bit conversions use ntohl()/ntohll(); a byte swap is its
 * own inverse, so this is correct even though it reads asymmetrically next
 * to the 16-bit pair.
 */
#if defined(_WIN32) && !defined(HAVE_ENDIAN_H)
#include
#define betoh16(x) ntohs((x))
#define htobe16(x) htons((x))
#define betoh32(x) ntohl((x))
#define htobe32(x) ntohl((x))
#define betoh64(x) ntohll((x))
#define htobe64(x) ntohll((x))
#define be16toh betoh16
#define be32toh betoh32
#define be64toh betoh64
#endif /* _WIN32 && !HAVE_ENDIAN_H */

/* glibc/Linux spells these be16toh() etc.; alias the OpenBSD names onto them. */
#ifdef __linux__
#if !defined(betoh16)
#define betoh16 be16toh
#endif
#if !defined(betoh32)
#define betoh32 be32toh
#endif
#if !defined(betoh64)
#define betoh64 be64toh
#endif
#endif /* __linux__ */

#if defined(__FreeBSD__)
#if !defined(HAVE_ENDIAN_H)
#include
#endif
#if !defined(betoh16)
#define betoh16 be16toh
#endif
#if !defined(betoh32)
#define betoh32 be32toh
#endif
#if !defined(betoh64)
#define betoh64 be64toh
#endif
#endif

#if defined(__NetBSD__)
#if !defined(betoh16)
#define betoh16 be16toh
#endif
#if !defined(betoh32)
#define betoh32 be32toh
#endif
#if !defined(betoh64)
#define betoh64 be64toh
#endif
#endif

#endif /* IKED_COMPAT_ENDIAN_H */

/* ==== /compat/explicit_bzero.c: ==== */

/* OPENBSD ORIGINAL: lib/libc/string/explicit_bzero.c */
/* $OpenBSD: explicit_bzero.c,v 1.1 2014/01/22 21:06:45 tedu Exp $ */
/*
 * Public domain.
 * Written by Ted Unangst
 */

#include "openbsd-compat.h"

#if !defined(HAVE_EXPLICIT_BZERO) && !defined(_WIN32)

#include

/*
 * explicit_bzero - don't let the compiler optimize away bzero
 */

#ifdef HAVE_MEMSET_S

/*
 * Zero n bytes at p in a way the optimiser must not elide.  memset_s() is
 * specified to perform the write regardless of later use; its return value
 * is deliberately ignored.  n == 0 is a no-op.
 */
void
explicit_bzero(void *p, size_t n)
{
	if (n == 0)
		return;
	(void)memset_s(p, n, 0, n);
}

#else /* HAVE_MEMSET_S */

/*
 * Indirect bzero through a volatile pointer to hopefully avoid
 * dead-store optimisation eliminating the call.
 */
static void (* volatile ssh_bzero)(void *, size_t) = bzero;

/*
 * Same contract as above, for hosts without memset_s(): the call goes
 * through a volatile function pointer the compiler cannot see through, so
 * the store is not treated as dead.  Under MemorySanitizer a direct memset()
 * is issued as well, purely so the sanitizer sees the initialisation.
 */
void
explicit_bzero(void *p, size_t n)
{
	if (n == 0)
		return;
	/*
	 * clang -fsanitize=memory needs to intercept memset-like functions
	 * to correctly detect memory initialisation. Make sure one is called
	 * directly since our indirection trick above successfully confuses it.
	 */
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
	memset(p, 0, n);
# endif
#endif

	ssh_bzero(p, n);
}

#endif /* HAVE_MEMSET_S */

#endif /* !defined(HAVE_EXPLICIT_BZERO) && !defined(_WIN32) */

/* ==== /compat/explicit_bzero_win32.c: ==== */

/*
 * Public domain.
 * Win32 explicit_bzero compatibility shim.
 */

#include "openbsd-compat.h"

#if !defined(HAVE_EXPLICIT_BZERO) && defined(_WIN32)

#include
#include

/* Windows variant: SecureZeroMemory() is the platform's non-elidable zeroing primitive. */
void
explicit_bzero(void *buf, size_t len)
{
	SecureZeroMemory(buf, len);
}

#endif /* !defined(HAVE_EXPLICIT_BZERO) && defined(_WIN32) */

/* ==== /compat/ffs.c: ==== */

/* $OpenBSD: ffs.c,v 1.10 2018/01/18 08:23:44 guenther Exp $ */

/*
 * Public domain.
 * Written by Dale Rahn.
*/

#include "openbsd-compat.h"

/*
 * ffs -- vax ffs instruction
 *
 * Return the 1-based position of the least significant set bit of mask,
 * or 0 when mask is 0.  The argument is examined as an unsigned 32-bit
 * quantity, so a negative mask (sign bit set) yields 32 when no lower bit
 * is set.
 *
 * NOTE(review): no HAVE_FFS guard is visible here, unlike the other shims;
 * presumably the build system only compiles this file when needed -- confirm.
 */
int
ffs(int mask)
{
	unsigned int word = mask;
	int position = 1;

	if (word == 0)
		return (0);

	/* Shift right until the lowest set bit reaches bit 0. */
	while ((word & 1u) == 0) {
		word >>= 1;
		position++;
	}

	return (position);
}

/* ==== /compat/freezero.c: ==== */

/*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek
 * Copyright (c) 2012 Matthew Dempsky
 * Copyright (c) 2008 Damien Miller
 * Copyright (c) 2000 Poul-Henning Kamp
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include
#include

/*
 * Wipe sz bytes at ptr with explicit_bzero() and then free() it, so that
 * secrets (keys, nonces) do not survive in the heap after release.  sz must
 * be the size of the allocation being freed.  A NULL ptr is accepted and
 * does nothing, mirroring free(3).
 */
void
freezero(void *ptr, size_t sz)
{
	/* This is legal. */
	if (ptr != NULL) {
		explicit_bzero(ptr, sz);
		free(ptr);
	}
}

/* ==== /compat/getdtablecount.c: ==== */

/* Placed in the public domain */

#include "openbsd-compat.h"

/*
 * Stub for hosts without getdtablecount(2): always reports zero open
 * descriptors.  Any caller that uses the count as a guard (for example to
 * refuse work when close to the descriptor limit) will never see that guard
 * trigger on these platforms -- presumably acceptable; verify the callers.
 */
#if !defined(HAVE_GETDTABLECOUNT)
int
getdtablecount(void)
{
	return (0);
}
#endif

/* ==== /compat/getopt.h: ==== */

/* $OpenBSD: getopt.h,v 1.3 2013/11/22 21:32:49 millert Exp $ */
/* $NetBSD: getopt.h,v 1.4 2000/07/07 10:43:54 ad Exp $ */

/*-
 * Copyright (c) 2000 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Dieter Baron and Thomas Klausner.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.
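IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _GETOPT_H_
#define _GETOPT_H_

/*
 * GNU-like getopt_long()
 */
#define no_argument 0
#define required_argument 1
#define optional_argument 2

/* One long option as understood by getopt_long()/getopt_long_only(). */
struct option {
	/* name of long option */
	const char *name;
	/*
	 * one of no_argument, required_argument, and optional_argument:
	 * whether option takes an argument
	 */
	int has_arg;
	/* if not NULL, set *flag to val when option found */
	int *flag;
	/* if flag not NULL, value to set *flag to; else return value */
	int val;
};

int getopt_long(int, char * const *, const char *,
    const struct option *, int *);
int getopt_long_only(int, char * const *, const char *,
    const struct option *, int *);
#ifndef _GETOPT_DEFINED_
#define _GETOPT_DEFINED_
int getopt(int, char * const *, const char *);

extern char *optarg; /* getopt(3) external variables */
extern int opterr;
extern int optind;
extern int optopt;
extern int optreset;
#endif

#endif /* !_GETOPT_H_ */

/* ==== /compat/getrtable.c: ==== */

/* Placed in the public domain */

#include "openbsd-compat.h"

#include <errno.h>

/*
 * Routing-table (rdomain) shims for hosts without getrtable(2)/setrtable(2).
 * Only the default table 0 exists on such hosts.
 */
#if !defined(HAVE_GETRTABLE)
int
getrtable(void)
{
	return (0);
}
#endif

/*
 * Switching to the default table is a no-op that succeeds; any other table
 * is refused.  errno is now set on the failure path: previously -1 was
 * returned with errno untouched, so a caller logging strerror(errno) would
 * report whatever earlier error happened to be pending.  ENOSYS matches the
 * convention the other shims here (bsd-setres_id.c) use for "not supported
 * by the emulation".
 */
#if !defined(HAVE_SETRTABLE)
int
setrtable(int rtableid)
{
	if (rtableid == 0)
		return (0);
	errno = ENOSYS;
	return (-1);
}
#endif

/* ==== /compat/imsg.h: ==== */

/* $OpenBSD: imsg.h,v 1.19 2024/11/26 13:57:31 claudio Exp $ */

/*
 * Copyright (c) 2023 Claudio Jeker
 * Copyright (c) 2006, 2007 Pierre-Yves Ritschard
 * Copyright (c) 2006, 2007, 2008 Reyk Floeter
 * Copyright (c) 2003, 2004 Henning Brauer
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.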
*/

#ifndef _IMSG_H_
#define _IMSG_H_

#include

/*
 * Sizing constants.  IBUF_READ_SIZE is presumably the per-read scratch size
 * and MAX_IMSGSIZE the default cap on a single message (see also
 * imsgbuf_set_maxsize() / struct imsgbuf.maxsize); the enforcement of both
 * lives in imsg-buffer.c / imsg.c, not here -- confirm there.
 */
#define IBUF_READ_SIZE 65535
#define IMSG_HEADER_SIZE sizeof(struct imsg_hdr)
#define MAX_IMSGSIZE 16384

/*
 * A growable byte buffer.  wpos/rpos are the write and read cursors; size is
 * the current allocation and max the growth limit (ibuf_dynamic()).  fd is a
 * descriptor travelling with the buffer (ibuf_fd_set()/ibuf_fd_get()),
 * presumably passed over the socket alongside the message.
 */
struct ibuf {
	TAILQ_ENTRY(ibuf) entry;
	unsigned char *buf;
	size_t size;
	size_t max;
	size_t wpos;
	size_t rpos;
	int fd;
};

struct msgbuf;

/*
 * One imsg channel over descriptor fd.  w is the outgoing queue; maxsize
 * bounds message length; flags is presumably where
 * imsgbuf_allow_fdpass() records that descriptor passing is permitted.
 */
struct imsgbuf {
	struct msgbuf *w;
	pid_t pid;
	uint32_t maxsize;
	int fd;
	int flags;
};

/*
 * On-the-wire message header.  Everything here arrives from the peer
 * process and must be validated by the reader (len against maxsize in
 * particular) before use -- the checks are in imsg.c, not visible here.
 */
struct imsg_hdr {
	uint32_t type;
	uint32_t len;
	uint32_t peerid;
	uint32_t pid;
};

/* A received message: its header plus the payload buffer. */
struct imsg {
	struct imsg_hdr hdr;
	void *data;
	struct ibuf *buf;
};

struct iovec;

/* imsg-buffer.c */
struct ibuf *ibuf_open(size_t);
struct ibuf *ibuf_dynamic(size_t, size_t);
int ibuf_add(struct ibuf *, const void *, size_t);
int ibuf_add_ibuf(struct ibuf *, const struct ibuf *);
int ibuf_add_zero(struct ibuf *, size_t);
/* _nNN: network (big-endian) byte order; _hNN: host byte order. */
int ibuf_add_n8(struct ibuf *, uint64_t);
int ibuf_add_n16(struct ibuf *, uint64_t);
int ibuf_add_n32(struct ibuf *, uint64_t);
int ibuf_add_n64(struct ibuf *, uint64_t);
int ibuf_add_h16(struct ibuf *, uint64_t);
int ibuf_add_h32(struct ibuf *, uint64_t);
int ibuf_add_h64(struct ibuf *, uint64_t);
void *ibuf_reserve(struct ibuf *, size_t);
void *ibuf_seek(struct ibuf *, size_t, size_t);
int ibuf_set(struct ibuf *, size_t, const void *, size_t);
int ibuf_set_n8(struct ibuf *, size_t, uint64_t);
int ibuf_set_n16(struct ibuf *, size_t, uint64_t);
int ibuf_set_n32(struct ibuf *, size_t, uint64_t);
int ibuf_set_n64(struct ibuf *, size_t, uint64_t);
int ibuf_set_h16(struct ibuf *, size_t, uint64_t);
int ibuf_set_h32(struct ibuf *, size_t, uint64_t);
int ibuf_set_h64(struct ibuf *, size_t, uint64_t);
void *ibuf_data(const struct ibuf *);
size_t ibuf_size(const struct ibuf *);
size_t ibuf_left(const struct ibuf *);
int ibuf_truncate(struct ibuf *, size_t);
void ibuf_rewind(struct ibuf *);
void ibuf_close(struct msgbuf *, struct ibuf *);
void ibuf_from_buffer(struct ibuf *, void *, size_t);
void ibuf_from_ibuf(struct ibuf *, const struct ibuf *);
/* Bounded readers: each returns -1 rather than reading past the buffer. */
int ibuf_get(struct ibuf *, void *, size_t);
int ibuf_get_ibuf(struct ibuf *, size_t, struct ibuf *);
int ibuf_get_n8(struct ibuf *, uint8_t *);
int ibuf_get_n16(struct ibuf *, uint16_t *);
int ibuf_get_n32(struct ibuf *, uint32_t *);
int ibuf_get_n64(struct ibuf *, uint64_t *);
int ibuf_get_h16(struct ibuf *, uint16_t *);
int ibuf_get_h32(struct ibuf *, uint32_t *);
int ibuf_get_h64(struct ibuf *, uint64_t *);
char *ibuf_get_string(struct ibuf *, size_t);
int ibuf_skip(struct ibuf *, size_t);
void ibuf_free(struct ibuf *);
int ibuf_fd_avail(struct ibuf *);
int ibuf_fd_get(struct ibuf *);
void ibuf_fd_set(struct ibuf *, int);
struct msgbuf *msgbuf_new(void);
struct msgbuf *msgbuf_new_reader(size_t,
    struct ibuf *(*)(struct ibuf *, void *, int *), void *);
void msgbuf_free(struct msgbuf *);
void msgbuf_clear(struct msgbuf *);
uint32_t msgbuf_queuelen(struct msgbuf *);
int ibuf_write(int, struct msgbuf *);
int msgbuf_write(int, struct msgbuf *);
int ibuf_read(int, struct msgbuf *);
int msgbuf_read(int, struct msgbuf *);
struct ibuf *msgbuf_get(struct msgbuf *);

/* imsg.c */
int imsgbuf_init(struct imsgbuf *, int);
/* Must be called explicitly before descriptors can be received on a channel. */
void imsgbuf_allow_fdpass(struct imsgbuf *imsgbuf);
int imsgbuf_set_maxsize(struct imsgbuf *, uint32_t);
int imsgbuf_read(struct imsgbuf *);
int imsgbuf_write(struct imsgbuf *);
int imsgbuf_flush(struct imsgbuf *);
void imsgbuf_clear(struct imsgbuf *);
uint32_t imsgbuf_queuelen(struct imsgbuf *);
ssize_t imsg_get(struct imsgbuf *, struct imsg *);
int imsg_get_ibuf(struct imsg *, struct ibuf *);
int imsg_get_data(struct imsg *, void *, size_t);
int imsg_get_fd(struct imsg *);
uint32_t imsg_get_id(struct imsg *);
size_t imsg_get_len(struct imsg *);
pid_t imsg_get_pid(struct imsg *);
uint32_t imsg_get_type(struct imsg *);
int imsg_forward(struct imsgbuf *, struct imsg *);
int imsg_compose(struct imsgbuf *, uint32_t, uint32_t, pid_t, int,
    const void *, size_t);
int imsg_composev(struct imsgbuf *, uint32_t, uint32_t, pid_t, int,
    const struct iovec *, int);
int imsg_compose_ibuf(struct imsgbuf *, uint32_t, uint32_t, pid_t,
    struct ibuf *);
struct ibuf *imsg_create(struct imsgbuf *, uint32_t, uint32_t, pid_t, size_t);
int imsg_add(struct ibuf *, const void *, size_t);
void imsg_close(struct imsgbuf *, struct ibuf *);
void imsg_free(struct imsg *);

#endif

/* ==== /compat/net/if_arp.h: ==== */

/*
 * Copyright (c) 1986, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3.
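Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)if_arp.h	8.1 (Berkeley) 6/10/93
 */

#ifndef _MSC_VER
#include_next
#else

/*
 * Include guard for this shim.  The guard previously reused
 * IKED_COMPAT_SYS_WAIT_H, the macro belonging to the sys/wait.h shim, so a
 * translation unit that included the sys/wait.h shim first would silently
 * get none of the definitions below (no struct arphdr, no ARPHRD_ and
 * ARPOP_ constants).  Give the header its own macro, named after its path
 * like IKED_COMPAT_ENDIAN_H.
 */
#ifndef IKED_COMPAT_NET_IF_ARP_H
#define IKED_COMPAT_NET_IF_ARP_H

/*
 * Address Resolution Protocol.
 *
 * See RFC 826 for protocol description.  ARP packets are variable
 * in size; the arphdr structure defines the fixed-length portion.
 * Protocol type values are the same as those for 10 Mb/s Ethernet.
 * It is followed by the variable-sized fields ar_sha, arp_spa,
 * arp_tha and arp_tpa in that order, according to the lengths
 * specified.  Field names used correspond to RFC 826.
 *
 * The fixed-size types used here (uint16_t/uint8_t) are presumably
 * provided by an earlier include on the MSVC path -- confirm.
 */
struct arphdr {
	uint16_t ar_hrd;	/* format of hardware address */
#define ARPHRD_ETHER	1	/* ethernet hardware format */
#define ARPHRD_IEEE802	6	/* IEEE 802 hardware format */
#define ARPHRD_FRELAY	15	/* frame relay hardware format */
#define ARPHRD_IEEE1394	24	/* IEEE 1394 (FireWire) hardware format */
	uint16_t ar_pro;	/* format of protocol address */
	uint8_t ar_hln;		/* length of hardware address */
	uint8_t ar_pln;		/* length of protocol address */
	uint16_t ar_op;		/* one of: */
#define ARPOP_REQUEST	1	/* request to resolve address */
#define ARPOP_REPLY	2	/* response to previous request */
#define ARPOP_REVREQUEST 3	/* request protocol address given hardware */
#define ARPOP_REVREPLY	4	/* response giving protocol address */
#define ARPOP_INVREQUEST 8	/* request to identify peer */
#define ARPOP_INVREPLY	9	/* response identifying peer */
/*
 * The remaining fields are variable in size,
 * according to the sizes above.
 */
#ifdef COMMENT_ONLY
	uint8_t ar_sha[];	/* sender hardware address */
	uint8_t ar_spa[];	/* sender protocol address */
	uint8_t ar_tha[];	/* target hardware address */
	uint8_t ar_tpa[];	/* target protocol address */
#endif
};

#endif /* !IKED_COMPAT_NET_IF_ARP_H */

#endif

/* ==== /compat/net/pfkeyv2.h: ==== */

/*
 * Copyright (c) 2021 Tobias Heider
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.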
7 | * 8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 | */ 16 | 17 | #if defined(HAVE_NET_PFKEY_H) 18 | #include_next 19 | #elif defined(HAVE_LINUX_PFKEY_H) 20 | #include 21 | #endif 22 | -------------------------------------------------------------------------------- /compat/netinet/if_ether.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1982, 1986, 1993 3 | * The Regents of the University of California. All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. Neither the name of the University nor the names of its contributors 14 | * may be used to endorse or promote products derived from this software 15 | * without specific prior written permission. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. 
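IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)if_ether.h	8.1 (Berkeley) 6/10/93
 */

#ifndef _MSC_VER
#include_next <netinet/if_ether.h>
#else

#ifndef IKED_COMPAT_NETINET_IF_ETHER_H
#define IKED_COMPAT_NETINET_IF_ETHER_H


/*
 * Some basic Ethernet constants.
 */
#define ETHER_ADDR_LEN	6	/* Ethernet address length */
#define ETHER_TYPE_LEN	2	/* Ethernet type field length */
#define ETHER_CRC_LEN	4	/* Ethernet CRC length */
#define ETHER_HDR_LEN	((ETHER_ADDR_LEN * 2) + ETHER_TYPE_LEN)
#define ETHER_MIN_LEN	64	/* Minimum frame length, CRC included */
#define ETHER_MAX_LEN	1518	/* Maximum frame length, CRC included */
#define ETHER_MAX_DIX_LEN	1536	/* Maximum DIX frame length */

/*
 * Some Ethernet extensions.
 */
#define ETHER_VLAN_ENCAP_LEN 4	/* len of 802.1Q VLAN encapsulation */

/*
 * Mbuf adjust factor to force 32-bit alignment of IP header.
 * Drivers should do m_adj(m, ETHER_ALIGN) when setting up a
 * receive so the upper layers get the IP header properly aligned
 * past the 14-byte Ethernet header.
 */
#define ETHER_ALIGN	2	/* driver adjust for IP hdr alignment */

/*
 * The maximum supported Ethernet length and some space for encapsulation.
 */
#define ETHER_MAX_HARDMTU_LEN	65435

/*
 * Ethernet address - 6 octets
 */
struct ether_addr {
	uint8_t ether_addr_octet[ETHER_ADDR_LEN];
};

/*
 * The length of the combined header.
 */
struct ether_header {
	uint8_t  ether_dhost[ETHER_ADDR_LEN];
	uint8_t  ether_shost[ETHER_ADDR_LEN];
	uint16_t ether_type;
};

/*
 * VLAN headers.
 *
 * The address fields use uint8_t like struct ether_header above; the
 * earlier `uchar` spelling is not a standard type and is declared by none
 * of the compat headers, so this struct could not compile on the only
 * platform (_MSC_VER) that reaches this branch.
 */

struct ether_vlan_header {
	uint8_t  evl_dhost[ETHER_ADDR_LEN];
	uint8_t  evl_shost[ETHER_ADDR_LEN];
	uint16_t evl_encap_proto;
	uint16_t evl_tag;
	uint16_t evl_proto;
};

/*
 * Ethernet Address Resolution Protocol.
 *
 * See RFC 826 for protocol description.  Structure below is adapted
 * to resolving internet addresses.  Field names used correspond to
 * RFC 826.
 */
struct ether_arp {
	struct arphdr ea_hdr;			/* fixed-size header */
	uint8_t arp_sha[ETHER_ADDR_LEN];	/* sender hardware address */
	uint8_t arp_spa[4];			/* sender protocol address */
	uint8_t arp_tha[ETHER_ADDR_LEN];	/* target hardware address */
	uint8_t arp_tpa[4];			/* target protocol address */
};
#define	arp_hrd	ea_hdr.ar_hrd
#define	arp_pro	ea_hdr.ar_pro
#define	arp_hln	ea_hdr.ar_hln
#define	arp_pln	ea_hdr.ar_pln
#define	arp_op	ea_hdr.ar_op

#endif /* !IKED_COMPAT_NETINET_IF_ETHER_H */

#endif
--------------------------------------------------------------------------------
/compat/netinet/in.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * in.h compatibility shim
 */

#ifdef _MSC_VER
#elif defined(__linux__)
#ifndef IKED_COMPAT_NETINET_IN_H
#define IKED_COMPAT_NETINET_IN_H
#include_next <netinet/in.h>
#define IPPROTO_IPV4 IPPROTO_IPIP
#endif
#else /* OpenBSD */
#include_next <netinet/in.h>
#endif
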
-------------------------------------------------------------------------------- /compat/netinet/ip.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1982, 1986, 1993 3 | * The Regents of the University of California. All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. Neither the name of the University nor the names of its contributors 14 | * may be used to endorse or promote products derived from this software 15 | * without specific prior written permission. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 
28 | * 29 | * @(#)ip.h 8.1 (Berkeley) 6/10/93 30 | */ 31 | 32 | #ifndef _MSC_VER 33 | #include_next 34 | #else 35 | 36 | #ifndef IKED_COMPAT_NETINET_IP_H 37 | #define IKED_COMPAT_NETINET_IP_H 38 | 39 | /* 40 | * Definitions for internet protocol version 4. 41 | * Per RFC 791, September 1981. 42 | */ 43 | #define IPVERSION 4 44 | 45 | /* 46 | * Structure of an internet header, naked of options. 47 | */ 48 | #pragma pack(push,1) 49 | struct ip { 50 | #if _BYTE_ORDER == _LITTLE_ENDIAN 51 | uint8_t ip_hl:4, /* header length */ 52 | ip_v:4; /* version */ 53 | #elif _BYTE_ORDER == _BIG_ENDIAN 54 | uint8_t ip_v:4, /* version */ 55 | ip_hl:4; /* header length */ 56 | #endif 57 | uint8_t ip_tos; /* type of service */ 58 | uint16_t ip_len; /* total length */ 59 | uint16_t ip_id; /* identification */ 60 | uint16_t ip_off; /* fragment offset field */ 61 | #define IP_RF 0x8000 /* reserved fragment flag */ 62 | #define IP_DF 0x4000 /* dont fragment flag */ 63 | #define IP_MF 0x2000 /* more fragments flag */ 64 | #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ 65 | uint8_t ip_ttl; /* time to live */ 66 | uint8_t ip_p; /* protocol */ 67 | uint16_t ip_sum; /* checksum */ 68 | struct in_addr ip_src, ip_dst; /* source and dest address */ 69 | }; 70 | #pragma pack(pop) 71 | 72 | #define IP_MAXPACKET 65535 /* maximum packet size */ 73 | 74 | /* 75 | * Definitions for IP type of service (ip_tos) 76 | */ 77 | #define IPTOS_LOWDELAY 0x10 78 | #define IPTOS_THROUGHPUT 0x08 79 | #define IPTOS_RELIABILITY 0x04 80 | /* IPTOS_LOWCOST 0x02 XXX */ 81 | #if 1 82 | /* ECN RFC3168 obsoletes RFC2481, and these will be deprecated soon. 
*/ 83 | #define IPTOS_CE 0x01 /* congestion experienced */ 84 | #define IPTOS_ECT 0x02 /* ECN-capable transport */ 85 | #endif 86 | 87 | #endif /* !IKED_COMPAT_NETINET_IP_H */ 88 | 89 | #endif 90 | -------------------------------------------------------------------------------- /compat/netinet/ip6.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: ip6.h,v 1.20 2011/04/05 15:14:59 blambert Exp $ */ 2 | /* $KAME: ip6.h,v 1.45 2003/06/05 04:46:38 keiichi Exp $ */ 3 | 4 | /* 5 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. Neither the name of the project nor the names of its contributors 17 | * may be used to endorse or promote products derived from this software 18 | * without specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | /* 34 | * Copyright (c) 1982, 1986, 1993 35 | * The Regents of the University of California. All rights reserved. 36 | * 37 | * Redistribution and use in source and binary forms, with or without 38 | * modification, are permitted provided that the following conditions 39 | * are met: 40 | * 1. Redistributions of source code must retain the above copyright 41 | * notice, this list of conditions and the following disclaimer. 42 | * 2. Redistributions in binary form must reproduce the above copyright 43 | * notice, this list of conditions and the following disclaimer in the 44 | * documentation and/or other materials provided with the distribution. 45 | * 3. Neither the name of the University nor the names of its contributors 46 | * may be used to endorse or promote products derived from this software 47 | * without specific prior written permission. 48 | * 49 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 50 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 51 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 52 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 53 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 54 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 55 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 56 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 57 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 58 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 59 | * SUCH DAMAGE. 60 | * 61 | * @(#)ip.h 8.1 (Berkeley) 6/10/93 62 | */ 63 | 64 | #ifndef _MSC_VER 65 | #include_next 66 | #else 67 | 68 | #ifndef IKED_COMPAT_NETINET_IP6_H 69 | #define IKED_COMPAT_NETINET_IP6_H 70 | 71 | #ifndef __packed 72 | #define __packed __attribute__((__packed__)) 73 | #endif 74 | 75 | /* 76 | * Definition for internet protocol version 6. 77 | * RFC 2460 78 | */ 79 | 80 | struct ip6_hdr { 81 | union { 82 | struct ip6_hdrctl { 83 | uint32_t ip6_un1_flow; /* 20 bits of flow-ID */ 84 | uint16_t ip6_un1_plen; /* payload length */ 85 | uint8_t ip6_un1_nxt; /* next header */ 86 | uint8_t ip6_un1_hlim; /* hop limit */ 87 | } ip6_un1; 88 | uint8_t ip6_un2_vfc; /* 4 bits version, top 4 bits class */ 89 | } ip6_ctlun; 90 | struct in6_addr ip6_src; /* source address */ 91 | struct in6_addr ip6_dst; /* destination address */ 92 | } __packed; 93 | 94 | #define ip6_vfc ip6_ctlun.ip6_un2_vfc 95 | #define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow 96 | #define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen 97 | #define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt 98 | #define ip6_hlim ip6_ctlun.ip6_un1.ip6_un1_hlim 99 | #define ip6_hops ip6_ctlun.ip6_un1.ip6_un1_hlim 100 | 101 | #define IPV6_VERSION 0x60 102 | #define IPV6_VERSION_MASK 0xf0 103 | 104 | #endif /* !IKED_COMPAT_NETINET_IP6_H */ 105 | 106 | #endif 107 | 108 | -------------------------------------------------------------------------------- /compat/netinet/ip_ipsp.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2021 Tobias Heider 3 | * 4 | * Permission to use, copy, modify, and distribute this software for any 5 | * purpose with or without fee is hereby granted, provided that the above 6 | * copyright notice and this permission notice appear in all copies. 7 | * 8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 | */ 16 | 17 | #ifdef HAVE_IPSP_H 18 | #include_next "netinet/ip_ipsp.h" 19 | #else 20 | 21 | #ifdef HAVE_NET_IPSEC_H 22 | #include 23 | #include 24 | #include 25 | #endif 26 | #ifdef HAVE_LINUX_IPSEC_H 27 | #include 28 | #endif 29 | #ifdef HAVE_NETINET6_IPSEC_H 30 | #include 31 | #endif 32 | 33 | #if !defined HAVE_IPSP_H && (defined HAVE_NET_IPSEC_H || \ 34 | defined HAVE_LINUX_IPSEC_H || defined HAVE_NETINET6_IPSEC_H) 35 | #if !defined(IPSP_DIRECTION_IN) 36 | #define IPSP_DIRECTION_IN IPSEC_DIR_INBOUND 37 | #endif 38 | #if !defined(IPSP_DIRECTION_OUT) 39 | #define IPSP_DIRECTION_OUT IPSEC_DIR_OUTBOUND 40 | #endif 41 | #endif 42 | 43 | #endif /* HAVE_IPSP_H */ 44 | -------------------------------------------------------------------------------- /compat/netinet/ip_var.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1982, 1986, 1993 3 | * The Regents of the University of California. All rights reserved. 
4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. Neither the name of the University nor the names of its contributors 14 | * may be used to endorse or promote products derived from this software 15 | * without specific prior written permission. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | * @(#)ip.h 8.1 (Berkeley) 6/10/93 30 | */ 31 | 32 | #if !defined _MSC_VER && !defined __linux__ 33 | #include_next 34 | #else 35 | 36 | #ifndef IKED_COMPAT_NETINET_IP_VAR_H 37 | #define IKED_COMPAT_NETINET_IP_VAR_H 38 | 39 | /* 40 | * Overlay for ip header used by other protocols (tcp, udp). 
41 | */ 42 | struct ipovly { 43 | uint8_t ih_x1[9]; /* (unused) */ 44 | uint8_t ih_pr; /* protocol */ 45 | uint16_t ih_len; /* protocol length */ 46 | struct in_addr ih_src; /* source internet address */ 47 | struct in_addr ih_dst; /* destination internet address */ 48 | }; 49 | 50 | #endif /* !IKED_COMPAT_NETINET_IP_VAR_H */ 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /compat/netinet/udp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1982, 1986, 1993 3 | * The Regents of the University of California. All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. Neither the name of the University nor the names of its contributors 14 | * may be used to endorse or promote products derived from this software 15 | * without specific prior written permission. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | * @(#)udp.h 8.1 (Berkeley) 6/10/93 30 | */ 31 | 32 | #ifndef _MSC_VER 33 | #include_next 34 | #else 35 | 36 | #ifndef IKED_COMPAT_NETINET_UDP_H 37 | #define IKED_COMPAT_NETINET_UDP_H 38 | 39 | /* 40 | * Udp protocol header. 41 | * Per RFC 768, September, 1981. 42 | */ 43 | struct udphdr { 44 | uint16_t uh_sport; /* source port */ 45 | uint16_t uh_dport; /* destination port */ 46 | uint16_t uh_ulen; /* udp length */ 47 | uint16_t uh_sum; /* udp checksum */ 48 | }; 49 | 50 | #endif /* !IKED_COMPAT_NETINET_UDP_H */ 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /compat/netinet/udp_var.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1982, 1986, 1989, 1993 3 | * The Regents of the University of California. All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. 
Neither the name of the University nor the names of its contributors 14 | * may be used to endorse or promote products derived from this software 15 | * without specific prior written permission. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | * SUCH DAMAGE. 28 | * 29 | * @(#)udp_var.h 8.1 (Berkeley) 6/10/93 30 | */ 31 | 32 | #if !defined _MSC_VER && !defined __linux__ 33 | #include_next 34 | #else 35 | 36 | #ifndef IKED_COMPAT_NETINET_UDP_VAR_H 37 | #define IKED_COMPAT_NETINET_UDP_VAR_H 38 | 39 | /* 40 | * UDP kernel structures and variables. 
41 | */ 42 | struct udpiphdr { 43 | struct ipovly ui_i; /* overlaid ip structure */ 44 | struct udphdr ui_u; /* udp header */ 45 | }; 46 | #define ui_x1 ui_i.ih_x1 47 | #define ui_pr ui_i.ih_pr 48 | #define ui_len ui_i.ih_len 49 | #define ui_src ui_i.ih_src 50 | #define ui_dst ui_i.ih_dst 51 | #define ui_sport ui_u.uh_sport 52 | #define ui_dport ui_u.uh_dport 53 | #define ui_ulen ui_u.uh_ulen 54 | #define ui_sum ui_u.uh_sum 55 | 56 | #endif /* !IKED_COMPAT_NETINET_UDP_VAR_H */ 57 | 58 | #endif 59 | -------------------------------------------------------------------------------- /compat/openbsd-compat.h: -------------------------------------------------------------------------------- 1 | /* Placed in the public domain */ 2 | 3 | #ifndef _OPENBSD_COMPAT_H 4 | #define _OPENBSD_COMPAT_H 5 | 6 | #define YYSTYPE_IS_DECLARED 1 /* for bison */ 7 | 8 | #ifndef LOGIN_NAME_MAX 9 | # define LOGIN_NAME_MAX 9 10 | #endif 11 | 12 | #include 13 | 14 | #if !defined(HAVE_STRLCAT) 15 | size_t strlcat(char *, const char *, size_t); 16 | #endif 17 | 18 | #if !defined(HAVE_STRLCPY) 19 | size_t strlcpy(char *, const char *, size_t); 20 | #endif 21 | 22 | #if !defined(HAVE_REALLOCARRAY) 23 | void *reallocarray(void *, size_t, size_t); 24 | #endif 25 | 26 | #if !defined(HAVE_RECALLOCARRAY) 27 | void *recallocarray(void *, size_t, size_t, size_t); 28 | #endif 29 | 30 | #if !defined(HAVE_EXPLICIT_BZERO) 31 | void explicit_bzero(void *, size_t); 32 | #endif 33 | 34 | #if !defined(HAVE_GETPAGESIZE) 35 | int getpagesize(void); 36 | #endif 37 | 38 | #if !defined(HAVE_TIMINGSAFE_BCMP) 39 | int timingsafe_bcmp(const void *, const void *, size_t); 40 | #endif 41 | 42 | #if !defined(HAVE_ACCEPT4) 43 | #include 44 | #define accept4 bsd_accept4 45 | int bsd_accept4(int, struct sockaddr *, socklen_t *, int flags); 46 | #endif 47 | 48 | #if !defined(HAVE_SOCK_NONBLOCK) 49 | #define SOCK_NONBLOCK 0x4000 /* Set O_NONBLOCK */ 50 | #define SOCK_CLOEXEC 0x8000 /* Set FD_CLOEXEC */ 51 | #define SOCK_SETFLAGS 
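0xf000	/* Set flags as checked above */
#define socket bsd_socket
int bsd_socket(int domain, int type, int protocol);
#endif

#if !defined(HAVE_SETPROCTITLE)
void compat_init_setproctitle(int argc, char *argv[]);
void setproctitle(const char *fmt, ...);
#endif

#if !defined(HAVE_SETRESGID)
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
#endif

#if !defined(HAVE_SETRESUID)
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
#endif

#ifdef _WIN32
#include /* header name missing from the page extraction */
uid_t geteuid(void);
#endif

#if !defined(HAVE_GETRTABLE)
int getrtable(void);
#endif

#if !defined(HAVE_SETRTABLE)
int setrtable(int rtableid);
#endif

#if !defined(HAVE_STRTONUM)
long long
strtonum(const char *nptr, long long minval, long long maxval,
    const char **errstr);
#endif

#if !defined(HAVE_FREEZERO)
void freezero(void *ptr, size_t size);
#endif

#if !defined(HAVE_GETDTABLECOUNT)
int getdtablecount(void);
#endif

#if !defined(HAVE_GETOPT)
#include "getopt.h"
#endif

#if !defined(HAVE_USLEEP)
int usleep(unsigned int x);
#endif

/*
 * SA_LEN(sa) / SS_LEN(ss): byte length of a struct sockaddr pointer /
 * struct sockaddr_storage value.  Where the platform provides sa_len the
 * field is used directly; otherwise the length is derived from the address
 * family, with unknown families falling back to the generic struct size.
 * The macro parameters are parenthesised so that an argument such as
 * `(struct sockaddr *)&sin` or `*sap` binds as a single operand instead of
 * having `->`/`.` applied to its last token.
 */
#ifdef HAVE_SOCKADDR_SA_LEN
#ifndef SA_LEN
#define SA_LEN(sa)	((sa)->sa_len)
#endif
#ifndef SS_LEN
#define SS_LEN(ss)	((ss).ss_len)
#endif
#else
#define SA_LEN(sa)							\
	(((sa)->sa_family == AF_INET) ? sizeof(struct sockaddr_in) :	\
	((sa)->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) :	\
	sizeof(struct sockaddr))
#define SS_LEN(ss)							\
	(((ss).ss_family == AF_INET) ? sizeof(struct sockaddr_in) :	\
	((ss).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) :	\
	sizeof(struct sockaddr_storage))
#endif

#ifndef HAVE_FFS
int ffs(int);
#endif

#ifdef __OpenBSD__
typedef int evutil_socket_t;
#endif

#ifndef _PASSWORD_LEN
#define _PASSWORD_LEN 120
#endif

#ifdef HAVE_DIRENT_H
# include <dirent.h>
# define NAMLEN(dirent) strlen((dirent)->d_name)
#else
# define dirent direct
# define NAMLEN(dirent) (dirent)->d_namlen
# ifdef HAVE_SYS_NDIR_H
#  include <sys/ndir.h>
# endif
# ifdef HAVE_SYS_DIR_H
#  include <sys/dir.h>
# endif
# ifdef HAVE_NDIR_H
#  include <ndir.h>
# endif
#endif

#if !defined(AF_LINK) && defined(AF_PACKET)
#define AF_LINK AF_PACKET	/* XXX workaround on Linux */
#endif

#ifndef HOST_NAME_MAX
# include "netdb.h"	/* for MAXHOSTNAMELEN */
# if defined(_POSIX_HOST_NAME_MAX)
#  define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
# elif defined(MAXHOSTNAMELEN)
#  define HOST_NAME_MAX MAXHOSTNAMELEN
# else
#  define HOST_NAME_MAX 255
# endif
#endif /* HOST_NAME_MAX */

/* FreeBSD */
#ifndef CPI_PRIVATE_MIN
#define CPI_PRIVATE_MIN 61440
#endif
#ifndef CPI_PRIVATE_MAX
#define CPI_PRIVATE_MAX 65535
#endif

#if !defined(SADB_X_ADDFLOW) && defined(SADB_X_SPDUPDATE)
#define SADB_X_ADDFLOW SADB_X_SPDUPDATE
#endif
#if !defined(SADB_X_DELFLOW) && defined(SADB_X_SPDDELETE)
#define SADB_X_DELFLOW SADB_X_SPDDELETE
#endif
#if !defined(SADB_X_FLOW_TYPE_DENY)
#define SADB_X_FLOW_TYPE_DENY 1
#endif

#if defined(HAVE_LINUX_PFKEY_H)
/* Encryption Algorithms */
#define SADB_X_EALG_AES SADB_X_EALG_AESCBC
#define SADB_X_EALG_AESGCM16 SADB_X_EALG_AES_GCM_ICV16
#define SADB_X_EALG_AESGMAC SADB_X_EALG_NULL_AES_GMAC

/* Authentication Algorithms */
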
#define SADB_X_AALG_SHA2_256 SADB_X_AALG_SHA2_256HMAC 192 | #define SADB_X_AALG_SHA2_384 SADB_X_AALG_SHA2_384HMAC 193 | #define SADB_X_AALG_SHA2_512 SADB_X_AALG_SHA2_512HMAC 194 | #endif 195 | 196 | #if !defined(__packed) 197 | #define __packed __attribute__((__packed__)) 198 | #endif 199 | 200 | #if defined(HAVE_APPLE_NATT) && !defined(SADB_X_EXT_NATT) 201 | /* 202 | * These are hidden in Apple XNU's private pfkeyv2.h header 203 | */ 204 | #define SADB_X_EXT_NATT 0x0002 /* Enable UDP encapsulation */ 205 | #define SADB_X_EXT_NATT_KEEPALIVE 0x0004 /* Send NAT-T keepalives */ 206 | #define SADB_X_EXT_NATT_MULTIPLEUSERS 0x0008 /* Use for VPN gateways */ 207 | #define SADB_X_EXT_NATT_DETECTED_PEER 0x1000 /* Opposite of KEEPALIVE */ 208 | 209 | struct sadb_sa_natt { 210 | uint16_t sadb_sa_natt_port; 211 | union { 212 | uint16_t sadb_reserved0; 213 | uint16_t sadb_sa_natt_interval; 214 | }; 215 | uint16_t sadb_sa_natt_offload_interval; 216 | uint16_t sadb_sa_natt_src_port; 217 | }; 218 | #endif 219 | 220 | #endif /* !_OPENBSD_COMPAT_H */ 221 | -------------------------------------------------------------------------------- /compat/reallocarray.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: reallocarray.c,v 1.3 2015/09/13 08:31:47 guenther Exp $ */ 2 | /* 3 | * Copyright (c) 2008 Otto Moerbeek 4 | * 5 | * Permission to use, copy, modify, and distribute this software for any 6 | * purpose with or without fee is hereby granted, provided that the above 7 | * copyright notice and this permission notice appear in all copies. 8 | * 9 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include
#include
#include
#include

/*
 * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX
 * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/*
 * realloc() optr to hold nmemb elements of `size` bytes each, refusing
 * (errno = ENOMEM, NULL) any request whose byte count would overflow
 * size_t.  The division is only paid when at least one factor is large
 * enough for the product to be able to overflow.
 */
void *
reallocarray(void *optr, size_t nmemb, size_t size)
{
	int big_factor = (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW);

	if (big_factor && nmemb != 0 && size > SIZE_MAX / nmemb) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(optr, nmemb * size);
}
--------------------------------------------------------------------------------
/compat/recallocarray.c:
--------------------------------------------------------------------------------
/* $OpenBSD: recallocarray.c,v 1.2 2021/03/18 11:16:58 claudio Exp $ */
/*
 * Copyright (c) 2008, 2017 Otto Moerbeek
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

#include
#include
#include
#include
#include

/*
 * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX
 * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/*
 * Non-zero when a * b does not fit in size_t.  The division is skipped
 * entirely when both factors are below MUL_NO_OVERFLOW.
 */
static int
size_mul_overflows(size_t a, size_t b)
{
	if (a < MUL_NO_OVERFLOW && b < MUL_NO_OVERFLOW)
		return 0;
	return a != 0 && SIZE_MAX / a < b;
}

/*
 * Resize an array of oldnmemb elements to newnmemb elements of `size`
 * bytes, zero-filling any growth and scrubbing the old block with
 * explicit_bzero() before it is freed.  A NULL ptr degrades to calloc().
 * Overflow of the new size fails with ENOMEM, of the old size with EINVAL.
 * A small shrink (less than half the block and less than a page) is done
 * in place by clearing the tail, so the returned pointer may equal ptr.
 */
void *
recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
	size_t oldsize, newsize, tail;
	char *fresh;

	if (ptr == NULL)
		return calloc(newnmemb, size);

	if (size_mul_overflows(newnmemb, size)) {
		errno = ENOMEM;
		return NULL;
	}
	newsize = newnmemb * size;

	if (size_mul_overflows(oldnmemb, size)) {
		errno = EINVAL;
		return NULL;
	}
	oldsize = oldnmemb * size;

	/*
	 * Don't bother too much if we're shrinking just a bit,
	 * we do not shrink for series of small steps, oh well.
	 */
	if (newsize <= oldsize) {
		tail = oldsize - newsize;
		if (tail < oldsize / 2 && tail < (size_t)getpagesize()) {
			memset((char *)ptr + newsize, 0, tail);
			return ptr;
		}
	}

	if ((fresh = malloc(newsize)) == NULL)
		return NULL;

	if (newsize > oldsize) {
		memcpy(fresh, ptr, oldsize);
		memset(fresh + oldsize, 0, newsize - oldsize);
	} else
		memcpy(fresh, ptr, newsize);

	/* The old block may have held secrets: wipe before release. */
	explicit_bzero(ptr, oldsize);
	free(ptr);

	return fresh;
}
--------------------------------------------------------------------------------
/compat/setproctitle.c:
--------------------------------------------------------------------------------
/* Based on conf.c from UCB sendmail 8.8.8 */

/*
 * Copyright 2003 Damien Miller
 * Copyright (c) 1983, 1995-1997 Eric P.
Allman 6 | * Copyright (c) 1988, 1993 7 | * The Regents of the University of California. All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions 11 | * are met: 12 | * 1. Redistributions of source code must retain the above copyright 13 | * notice, this list of conditions and the following disclaimer. 14 | * 2. Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 17 | * 3. Neither the name of the University nor the names of its contributors 18 | * may be used to endorse or promote products derived from this software 19 | * without specific prior written permission. 20 | * 21 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 | * SUCH DAMAGE. 
*/

#include "openbsd-compat.h"

#ifndef HAVE_SETPROCTITLE

#include
#include
#include
#include
#ifdef HAVE_SYS_PSTAT_H
#include
#endif
#include

#include

/* How the title is published; selected by SPT_TYPE from the build. */
#define SPT_NONE 0 /* don't use it at all */
#define SPT_PSTAT 1 /* use pstat(PSTAT_SETCMD, ...) */
#define SPT_REUSEARGV 2 /* cover argv with title information */

/* Default is to do nothing at all. */
#ifndef SPT_TYPE
# define SPT_TYPE SPT_NONE
#endif

/* Byte used to fill the unused remainder of the argv area. */
#ifndef SPT_PADCHAR
# define SPT_PADCHAR '\0'
#endif

#if SPT_TYPE == SPT_REUSEARGV
/* Start and usable length of the argv/environ area, set by the init call. */
static char *argv_start = NULL;
static size_t argv_env_len = 0;
#endif

#endif /* HAVE_SETPROCTITLE */

/*
 * Prepare the argv/environ area for SPT_REUSEARGV titles.  Records where
 * the contiguous argv[] and environment strings begin and how long they
 * are (argv_start / argv_env_len) so setproctitle() can overwrite them,
 * and replaces `environ` with strdup()'d copies so the originals may be
 * clobbered.  Compiles to an empty function unless SPT_TYPE is
 * SPT_REUSEARGV.
 *
 * NOTE(review): the remark below about sshd predates this project; whether
 * iked's main() copies argv out of the way before calling this is not
 * visible here — confirm at the call site.
 */
void
compat_init_setproctitle(int argc, char *argv[])
{
#if !defined(HAVE_SETPROCTITLE) && \
    defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV
	extern char **environ;
	char *lastargv = NULL;
	char **envp = environ;
	int i;

	/*
	 * NB: This assumes that argv has already been copied out of the
	 * way. This is true for sshd, but may not be true for other
	 * programs. Beware.
	 */

	if (argc == 0 || argv[0] == NULL)
		return;

	/* Fail if we can't allocate room for the new environment */
	for (i = 0; envp[i] != NULL; i++)
		;
	if ((environ = calloc(i + 1, sizeof(*environ))) == NULL) {
		environ = envp; /* put it back */
		return;
	}

	/*
	 * Find the last argv string or environment variable within
	 * our process memory area.  Only strings that directly follow
	 * the previous one (lastargv + 1) extend the area, so a gap in
	 * the layout stops the scan.
	 */
	for (i = 0; i < argc; i++) {
		if (lastargv == NULL || lastargv + 1 == argv[i])
			lastargv = argv[i] + strlen(argv[i]);
	}
	for (i = 0; envp[i] != NULL; i++) {
		if (lastargv + 1 == envp[i])
			lastargv = envp[i] + strlen(envp[i]);
	}

	/* From now on the process appears to have a single argument. */
	argv[1] = NULL;
	argv_start = argv[0];
	argv_env_len = lastargv - argv[0] - 1;

	/*
	 * Copy environment
	 * XXX - will truncate env on strdup fail
	 */
	for (i = 0; envp[i] != NULL; i++)
		environ[i] = strdup(envp[i]);
	environ[i] = NULL;
#endif /* SPT_REUSEARGV */
}

#ifndef HAVE_SETPROCTITLE
/*
 * Set the process title to "<__progname>: <formatted fmt>" (or just the
 * program name when fmt is NULL).  The formatted text is run through
 * strnvis() with VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL before it is
 * published, so control characters and non-ASCII bytes in whatever the
 * caller formats in are escaped instead of being written raw into the
 * area that ps(1) displays.  If the formatted title does not fit in buf
 * the title is left unchanged.  With SPT_PSTAT the title goes to
 * pstat(); with SPT_REUSEARGV it is copied over the area recorded by
 * compat_init_setproctitle() and padded with SPT_PADCHAR.  A no-op when
 * SPT_TYPE == SPT_NONE.
 */
void
setproctitle(const char *fmt, ...)
{
#if SPT_TYPE != SPT_NONE
	va_list ap;
	char buf[1024], ptitle[1024];
	size_t len = 0;
	int r;
	extern char *__progname;
#if SPT_TYPE == SPT_PSTAT
	union pstun pst;
#endif

#if SPT_TYPE == SPT_REUSEARGV
	/* argv_env_len is unsigned, so this is really an == 0 test. */
	if (argv_env_len <= 0)
		return;
#endif

	strlcpy(buf, __progname, sizeof(buf));

	r = -1;
	va_start(ap, fmt);
	if (fmt != NULL) {
		len = strlcat(buf, ": ", sizeof(buf));
		if (len < sizeof(buf))
			r = vsnprintf(buf + len, sizeof(buf) - len , fmt, ap);
	}
	va_end(ap);
	/* A truncated or failed format leaves the old title in place. */
	if (r == -1 || (size_t)r >= sizeof(buf) - len)
		return;
	strnvis(ptitle, buf, sizeof(ptitle),
	    VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL);

#if SPT_TYPE == SPT_PSTAT
	pst.pst_command = ptitle;
	pstat(PSTAT_SETCMD, pst, strlen(ptitle), 0, 0);
#elif SPT_TYPE == SPT_REUSEARGV
/*	debug("setproctitle: copy \"%s\" into len %d",
	    buf, argv_env_len); */
	/* strlcpy truncates to the recorded area; pad the rest. */
	len = strlcpy(argv_start, ptitle, argv_env_len);
	for(; len < argv_env_len; len++)
		argv_start[len] = SPT_PADCHAR;
#endif

#endif /* SPT_NONE */
}

#endif /* HAVE_SETPROCTITLE */
--------------------------------------------------------------------------------
/compat/stdlib.h:
--------------------------------------------------------------------------------
/*
 * stdlib.h compatibility shim
 * Public domain
 */

#ifdef _MSC_VER
#if _MSC_VER >= 1900
#include <../ucrt/stdlib.h>
#else
#include <../include/stdlib.h>
#endif
#else
#include_next
#endif

#ifndef IKED_COMPAT_STDLIB_H
#define IKED_COMPAT_STDLIB_H

#include
#include

/* Provided by compat/arc4random*.c when the platform has no arc4random_buf. */
#ifndef HAVE_ARC4RANDOM_BUF
uint32_t arc4random(void);
void arc4random_buf(void *_buf, size_t n);
uint32_t arc4random_uniform(uint32_t upper_bound);
#endif

#ifndef HAVE_FREEZERO
void freezero(void *ptr, size_t sz);
#endif

#ifndef HAVE_GETPROGNAME
const char * getprogname(void);
#endif

/*
 * Declared unconditionally, unlike its neighbours: compat/reallocarray.c
 * carries no HAVE_REALLOCARRAY guard either.
 */
void *reallocarray(void *, size_t, size_t);

#ifndef HAVE_RECALLOCARRAY
void *recallocarray(void *, size_t, size_t, size_t);
#endif

#ifndef HAVE_STRTONUM
long long strtonum(const char *nptr, long long minval,
    long long maxval, const char **errstr);
#endif

#endif
--------------------------------------------------------------------------------
/compat/string.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * string.h compatibility shim
 */

#ifndef IKED_COMPAT_STRING_H
#define IKED_COMPAT_STRING_H

#ifdef _MSC_VER
#if _MSC_VER >= 1900
#include <../ucrt/string.h>
#else
#include <../include/string.h>
#endif
#else
#include_next
#endif

#include

#if defined(__sun) || defined(_AIX) || defined(__hpux)
/* Some functions historically defined in string.h were placed in strings.h by
 * SUS. Use the same hack as OS X and FreeBSD use to work around on AIX,
 * Solaris, and HPUX.
 */
#include
#endif

#ifndef HAVE_STRCASECMP
int strcasecmp(const char *s1, const char *s2);
int strncasecmp(const char *s1, const char *s2, size_t len);
#endif

#ifndef HAVE_STRLCPY
size_t strlcpy(char *dst, const char *src, size_t siz);
#endif

#ifndef HAVE_STRLCAT
size_t strlcat(char *dst, const char *src, size_t siz);
#endif

#ifndef HAVE_STRNDUP
char * strndup(const char *str, size_t maxlen);
/* the only user of strnlen is strndup, so only build it if needed */
#ifndef HAVE_STRNLEN
size_t strnlen(const char *str, size_t maxlen);
#endif
#endif

#ifndef HAVE_STRSEP
char *strsep(char **stringp, const char *delim);
#endif

/* Secret-handling helpers: wipe that the optimiser may not remove, and
 * comparisons whose timing does not depend on where the inputs differ. */
#ifndef HAVE_EXPLICIT_BZERO
void explicit_bzero(void *, size_t);
#endif

#ifndef HAVE_TIMINGSAFE_BCMP
int timingsafe_bcmp(const void *b1, const void *b2, size_t n);
#endif

#ifndef HAVE_TIMINGSAFE_MEMCMP
int timingsafe_memcmp(const void *b1, const void *b2, size_t len);
#endif

#ifndef HAVE_MEMMEM
void * memmem(const void *big, size_t big_len, const void *little,
    size_t little_len);
#endif

#ifdef _WIN32
#include

/*
 * Windows strerror() has no text for the POSIX ECONNREFUSED value used by
 * the compat socket layer; supply one and fall back to the C runtime for
 * everything else.  The real strerror() is bound here, before the macro
 * below rebinds the name for the rest of the translation unit.
 */
static inline char *
posix_strerror(int errnum)
{
	return (errnum == ECONNREFUSED) ? "Connection refused"
	    : strerror(errnum);
}

#define strerror(errnum) posix_strerror(errnum)

#endif

#endif
--------------------------------------------------------------------------------
/compat/strlcat.c:
--------------------------------------------------------------------------------
/* $OpenBSD: strlcat.c,v 1.19 2019/01/25 00:19:25 millert Exp $ */

/*
 * Copyright (c) 1998, 2015 Todd C.
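Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */

#include "openbsd-compat.h"

#if !defined(HAVE_STRLCAT)

#include
#include

/*
 * Appends src to string dst of size dsize (unlike strncat, dsize is the
 * full size of dst, not space left). At most dsize-1 characters
 * will be copied. Always NUL terminates (unless dsize <= strlen(dst)).
 * Returns strlen(src) + MIN(dsize, strlen(initial dst)).
 * If retval >= dsize, truncation occurred.
 */
size_t
strlcat(char *dst, const char *src, size_t dsize)
{
	const char *odst = dst;
	const char *osrc = src;
	size_t n = dsize;
	size_t dlen;

	/* Find the end of dst and adjust bytes left but don't go past end. */
	while (n-- != 0 && *dst != '\0')
		dst++;
	dlen = dst - odst;
	n = dsize - dlen;

	/* No NUL within dsize bytes: nothing is written, only the
	 * would-be length is reported. */
	if (n-- == 0)
		return(dlen + strlen(src));
	while (*src != '\0') {
		if (n != 0) {
			*dst++ = *src;
			n--;
		}
		src++;
	}
	*dst = '\0';

	return(dlen + (src - osrc)); /* count does not include NUL */
}

#endif /* !defined(HAVE_STRLCAT) */
--------------------------------------------------------------------------------
/compat/strlcpy.c:
--------------------------------------------------------------------------------
/* $OpenBSD: strlcpy.c,v 1.16 2019/01/25 00:19:25 millert Exp $ */

/*
 * Copyright (c) 1998, 2015 Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */

/*
 * Same HAVE_ guard as strlcat.c, so that this definition is dropped on a
 * libc that already ships strlcpy() and matches the declaration in
 * compat/string.h.
 */
#include "openbsd-compat.h"

#if !defined(HAVE_STRLCPY)

#include
#include

/*
 * Copy string src to buffer dst of size dsize. At most dsize-1
 * chars will be copied. Always NUL terminates (unless dsize == 0).
 * Returns strlen(src); if retval >= dsize, truncation occurred.
 */
size_t
strlcpy(char *dst, const char *src, size_t dsize)
{
	const char *osrc = src;
	size_t nleft = dsize;

	/* Copy as many bytes as will fit. */
	if (nleft != 0) {
		while (--nleft != 0) {
			if ((*dst++ = *src++) == '\0')
				break;
		}
	}

	/* Not enough room in dst, add NUL and traverse rest of src. */
	if (nleft == 0) {
		if (dsize != 0)
			*dst = '\0'; /* NUL-terminate dst */
		while (*src++)
			;
	}

	return(src - osrc - 1); /* count does not include NUL */
}

#endif /* !defined(HAVE_STRLCPY) */
--------------------------------------------------------------------------------
/compat/strtonum.c:
--------------------------------------------------------------------------------
/* $OpenBSD: strtonum.c,v 1.8 2015/09/13 08:31:48 guenther Exp $ */

/*
 * Copyright (c) 2004 Ted Unangst and Todd Miller
 * All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.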
*/

#include
#include
#include

#define INVALID 1
#define TOOSMALL 2
#define TOOLARGE 3

/*
 * Parse numstr as a base-10 integer that must lie in [minval, maxval].
 * The whole string has to be consumed.  On success the value is returned,
 * *errstrp (if given) is set to NULL and errno is restored to its value on
 * entry.  On failure 0 is returned, *errstrp points at "invalid",
 * "too small" or "too large", and errno is EINVAL or ERANGE respectively.
 * A minval greater than maxval is itself reported as "invalid".
 */
long long
strtonum(const char *numstr, long long minval, long long maxval,
    const char **errstrp)
{
	long long value = 0;
	int saved_errno = errno;
	int status = 0;
	char *end;

	errno = 0;
	if (minval > maxval) {
		status = INVALID;
	} else {
		value = strtoll(numstr, &end, 10);
		if (end == numstr || *end != '\0')
			status = INVALID;
		else if (value < minval ||
		    (value == LLONG_MIN && errno == ERANGE))
			status = TOOSMALL;
		else if (value > maxval ||
		    (value == LLONG_MAX && errno == ERANGE))
			status = TOOLARGE;
	}

	switch (status) {
	case INVALID:
		if (errstrp != NULL)
			*errstrp = "invalid";
		errno = EINVAL;
		return (0);
	case TOOSMALL:
		if (errstrp != NULL)
			*errstrp = "too small";
		errno = ERANGE;
		return (0);
	case TOOLARGE:
		if (errstrp != NULL)
			*errstrp = "too large";
		errno = ERANGE;
		return (0);
	default:
		if (errstrp != NULL)
			*errstrp = NULL;
		errno = saved_errno;
		return (value);
	}
}
--------------------------------------------------------------------------------
/compat/sys/_null.h:
--------------------------------------------------------------------------------
/* $OpenBSD: _null.h,v 1.2 2016/09/09 22:07:58 millert Exp $ */

/*
 * Written by Todd C. Miller, September 9, 2016
 * Public domain.
*/

/* Define NULL only if the platform headers did not; C++11 gets nullptr. */
#ifndef NULL
#if !defined(__cplusplus)
#define NULL ((void *)0)
#elif __cplusplus >= 201103L
#define NULL nullptr
#elif defined(__GNUG__)
#define NULL __null
#else
#define NULL 0L
#endif
#endif
--------------------------------------------------------------------------------
/compat/sys/sysctl.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * sys/sysctl.h compatibility shim
 */

#if defined _MSC_VER

#ifndef IKED_COMPAT_SYS_SYSCTL_H
#define IKED_COMPAT_SYS_SYSCTL_H

/* XXX - deliberately empty: no sysctl interface is provided on MSVC. */

#endif /* !IKED_COMPAT_SYS_SYSCTL_H */

#elif defined __linux__
#include
#else
#include_next
#endif
--------------------------------------------------------------------------------
/compat/sys/types.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * sys/types.h compatibility shim
 */

/* On MSVC the C runtime header is reached by relative path, presumably
 * because this directory shadows the real <sys/types.h> on the include
 * path; elsewhere include_next forwards to the system header. */
#ifdef _MSC_VER
#if _MSC_VER >= 1900
#include <../ucrt/sys/types.h>
#else
#include <../include/sys/types.h>
#endif
#else
#include_next
#endif

#ifndef IKED_COMPAT_SYS_TYPES_H
#define IKED_COMPAT_SYS_TYPES_H

#include

#ifdef __MINGW32__
#include <_bsd_types.h>
typedef uint32_t in_addr_t;
typedef uint32_t uid_t;
#endif

/* BSD integer aliases and ssize_t that the MSVC runtime does not define. */
#ifdef _MSC_VER
typedef unsigned char u_char;
typedef unsigned short u_short;
typedef unsigned int u_int;
typedef uint32_t in_addr_t;
typedef uint32_t mode_t;
typedef uint32_t uid_t;

#include
typedef SSIZE_T ssize_t;

#ifndef SSIZE_MAX
#ifdef _WIN64
#define SSIZE_MAX _I64_MAX
#else
#define SSIZE_MAX INT_MAX
#endif
#endif

#endif

/* Compiled out where the compiler lacks the __bounded__ attribute. */
#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
# define __bounded__(x, y, z)
#endif

/* noreturn marker; MSVC and GCC-compatible spellings. */
#if !defined(HAVE_ATTRIBUTE__DEAD) && !defined(__dead)
#ifdef _MSC_VER
#define __dead __declspec(noreturn)
#else
#define __dead __attribute__((__noreturn__))
#endif
#endif

/*
 * __warn_references(sym, msg) emits a link-time warning for references to
 * sym through a .gnu.warning section.  It is only active on GNU toolchains
 * that set HAS_GNU_WARNING_LONG; everywhere else it expands to nothing.
 */
#ifdef _WIN32
#define __warn_references(sym,msg)
#else

#ifndef __warn_references

#ifndef __STRING
#define __STRING(x) #x
#endif

#if defined(__GNUC__) && defined (HAS_GNU_WARNING_LONG)
#define __warn_references(sym,msg) \
	__asm__(".section .gnu.warning." __STRING(sym) \
	"\n\t.ascii \"" msg "\"\n\t.text");
#else
#define __warn_references(sym,msg)
#endif

#endif /* __warn_references */
#endif /* _WIN32 */

#endif
--------------------------------------------------------------------------------
/compat/sys/uio.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * sys/uio.h compatibility shim
 */

#ifndef _MSC_VER
#include_next
#else

#ifndef IKED_COMPAT_SYS_UIO_H
#define IKED_COMPAT_SYS_UIO_H

/* XXX - arbitrary vector limit for the MSVC build; nothing here enforces it. */
#define IOV_MAX 16 /* XXX */

/* Scatter/gather element, laid out like the POSIX struct. */
struct iovec {
	void *iov_base; /* Base address. */
	size_t iov_len; /* Length. */
};

/* needs to be converted to WSABUF with buf/len attributes */

#endif /* !IKED_COMPAT_SYS_UIO_H */

#endif
--------------------------------------------------------------------------------
/compat/sys/un.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * sys/un.h compatibility shim
 */

#ifndef _MSC_VER
#include_next
#else

#ifndef IKED_COMPAT_SYS_UN_H
#define IKED_COMPAT_SYS_UN_H

#include

#endif /* !IKED_COMPAT_SYS_UN_H */
#endif
--------------------------------------------------------------------------------
/compat/sys/wait.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * sys/wait.h compatibility shim
 */

#ifndef _MSC_VER
#include_next
#else

#ifndef IKED_COMPAT_SYS_WAIT_H
#define IKED_COMPAT_SYS_WAIT_H

/* FIXME - no wait(2) family is provided on MSVC yet. */

#endif /* !IKED_COMPAT_SYS_WAIT_H */

#endif
--------------------------------------------------------------------------------
/compat/timingsafe_bcmp.c:
--------------------------------------------------------------------------------
/* $OpenBSD: timingsafe_bcmp.c,v 1.3 2015/08/31 02:53:57 guenther Exp $ */
/*
 * Copyright (c) 2010 Damien Miller. All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS.
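IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/* OPENBSD ORIGINAL: lib/libc/string/timingsafe_bcmp.c */

/*
 * Pull in the HAVE_* configuration the same way every other compat
 * source does (see strlcat.c, setproctitle.c); a header named
 * "includes.h" is referenced by nothing else in this tree.
 */
#include "openbsd-compat.h"
#ifndef HAVE_TIMINGSAFE_BCMP

/*
 * Compare n bytes of b1 and b2 without a data-dependent early exit:
 * every byte pair is XORed and OR-folded into `ret`, so the running
 * time does not reveal where the first difference lies.  Returns 0 when
 * the buffers are equal and 1 otherwise (bcmp semantics, no ordering).
 */
int
timingsafe_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	int ret = 0;

	for (; n > 0; n--)
		ret |= *p1++ ^ *p2++;
	return (ret != 0);
}

#endif /* HAVE_TIMINGSAFE_BCMP */
--------------------------------------------------------------------------------
/compat/unistd.h:
--------------------------------------------------------------------------------
/*
 * Public domain
 * unistd.h compatibility shim
 */

#ifndef IKED_COMPAT_UNISTD_H
#define IKED_COMPAT_UNISTD_H

#ifndef _MSC_VER

#include_next

#ifdef __MINGW32__
int ftruncate(int fd, off_t length);
uid_t getuid(void);
ssize_t pread(int d, void *buf, size_t nbytes, off_t offset);
ssize_t pwrite(int d, const void *buf, size_t nbytes, off_t offset);
#endif

#else

#include
#include
#include

#define STDOUT_FILENO 1
#define STDERR_FILENO 2

#define R_OK 4
#define W_OK 2
#define X_OK 0
#define F_OK 0

#define SEEK_SET 0
#define SEEK_CUR 1
#define SEEK_END 2

#define access _access

#ifdef _MSC_VER
#include
/* Sleep() takes milliseconds; the multiplication wraps for very large
 * inputs (above roughly 4.29 million seconds), which no caller needs. */
static inline unsigned int sleep(unsigned int seconds)
{
	Sleep(seconds * 1000);
	return seconds;
}
#endif

int ftruncate(int fd, off_t length);
uid_t getuid(void);
ssize_t pread(int d, void *buf, size_t nbytes, off_t offset);
ssize_t pwrite(int d, const void *buf, size_t nbytes, off_t offset);

#endif

#ifndef HAVE_GETENTROPY
int getentropy(void *buf, size_t buflen);
#else
/*
 * Solaris 11.3 adds getentropy(2), but defines the function in sys/random.h
 */
#if defined(__sun)
#include
#endif
#endif

#ifndef HAVE_GETPAGESIZE
int getpagesize(void);
#endif

/*
 * pledge(2) and unveil(2) do not exist off OpenBSD.  Both collapse to the
 * constant 0 ("success") and their arguments are discarded, so a caller's
 * error check passes while no kernel-enforced restriction is applied.
 * Whatever sandboxing the callers request is therefore silently absent in
 * the portable build; keep that in mind when assessing its attack surface.
 */
#define pledge(request, paths) 0
#define unveil(path, permissions) 0

#ifndef HAVE_PIPE2
int pipe2(int fildes[2], int flags);
#endif

#endif
--------------------------------------------------------------------------------
/compat/vis.c:
--------------------------------------------------------------------------------
/* $OpenBSD: vis.c,v 1.26 2022/05/04 18:57:50 deraadt Exp $ */
/*-
 * Copyright (c) 1989, 1993
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.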
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */

#if !defined(HAVE_STRNVIS)

#include
#include
#include
#include
#include
#include
#include

/* True when c is an ASCII octal digit ('0'..'7'). */
static int
isoctal(int c)
{
	u_char uc = c;

	return uc >= '0' && uc <= '7';
}

/*
 * Decide whether c may be emitted unencoded under `flag`.  Printable
 * ASCII passes (minus '*', '?', '[' and '#' when VIS_GLOB is set); space,
 * tab and newline pass unless VIS_SP, VIS_TAB or VIS_NL ask for them to
 * be encoded; VIS_SAFE additionally lets \b, \a and \r through.  With
 * VIS_ALL only the backslash itself can ever count as visible.
 */
static int
isvisible(int c, int flag)
{
	int vis_sp = flag & VIS_SP;
	int vis_tab = flag & VIS_TAB;
	int vis_nl = flag & VIS_NL;
	int vis_safe = flag & VIS_SAFE;
	int vis_glob = flag & VIS_GLOB;
	int vis_all = flag & VIS_ALL;
	u_char uc = c;

	if (c == '\\' || !vis_all) {
		/* A negative c (sign-extended high byte) fails the range test. */
		if ((u_int)c <= UCHAR_MAX && isascii(uc) &&
		    ((c != '*' && c != '?' && c != '[' && c != '#') || !vis_glob) &&
		    isgraph(uc))
			return 1;
		if (!vis_sp && c == ' ')
			return 1;
		if (!vis_tab && c == '\t')
			return 1;
		if (!vis_nl && c == '\n')
			return 1;
		if (vis_safe && (c == '\b' || c == '\007' || c == '\r' || isgraph(uc)))
			return 1;
	}
	return 0;
}

/*
 * vis - visually encode characters
 *
 * Encode the single byte c into dst and return a pointer to the NUL that
 * terminates the output.  The longest forms are four bytes plus NUL
 * (octal "\ooo", "\M^X", "\M-c", or "\000"), which is why strnvis()
 * keeps a 5-byte scratch buffer.  nextc is consulted only for the
 * VIS_CSTYLE encoding of '\0': a following octal digit forces the
 * unambiguous "\000" spelling.
 */
char *
vis(char *dst, int c, int flag, int nextc)
{
	int vis_dq = flag & VIS_DQ;
	int vis_noslash = flag & VIS_NOSLASH;
	int vis_cstyle = flag & VIS_CSTYLE;
	int vis_octal = flag & VIS_OCTAL;
	int vis_glob = flag & VIS_GLOB;

	/* Visible characters pass through, optionally backslash-escaped. */
	if (isvisible(c, flag)) {
		if ((c == '"' && vis_dq) ||
		    (c == '\\' && !vis_noslash))
			*dst++ = '\\';
		*dst++ = c;
		*dst = '\0';
		return (dst);
	}

	/* C-style escapes for the common control characters. */
	if (vis_cstyle) {
		switch (c) {
		case '\n':
			*dst++ = '\\';
			*dst++ = 'n';
			goto done;
		case '\r':
			*dst++ = '\\';
			*dst++ = 'r';
			goto done;
		case '\b':
			*dst++ = '\\';
			*dst++ = 'b';
			goto done;
		case '\a':
			*dst++ = '\\';
			*dst++ = 'a';
			goto done;
		case '\v':
			*dst++ = '\\';
			*dst++ = 'v';
			goto done;
		case '\t':
			*dst++ = '\\';
			*dst++ = 't';
			goto done;
		case '\f':
			*dst++ = '\\';
			*dst++ = 'f';
			goto done;
		case ' ':
			*dst++ = '\\';
			*dst++ = 's';
			goto done;
		case '\0':
			*dst++ = '\\';
			*dst++ = '0';
			if (isoctal(nextc)) {
				*dst++ = '0';
				*dst++ = '0';
			}
			goto done;
		}
	}
	/* Three-digit octal form: forced by VIS_OCTAL, used for (meta-)space
	 * and for glob metacharacters under VIS_GLOB. */
	if (((c & 0177) == ' ') || vis_octal ||
	    (vis_glob && (c == '*' || c == '?' || c == '[' || c == '#'))) {
		*dst++ = '\\';
		*dst++ = ((u_char)c >> 6 & 07) + '0';
		*dst++ = ((u_char)c >> 3 & 07) + '0';
		*dst++ = ((u_char)c & 07) + '0';
		goto done;
	}
	/* Otherwise the "\M-c" / "\M^X" / "\^X" / "\-c" forms. */
	if (!vis_noslash)
		*dst++ = '\\';
	if (c & 0200) {
		c &= 0177;
		*dst++ = 'M';
	}
	if (iscntrl((u_char)c)) {
		*dst++ = '^';
		if (c == 0177)
			*dst++ = '?';
		else
			*dst++ = c + '@';
	} else {
		*dst++ = '-';
		*dst++ = c;
	}
done:
	*dst = '\0';
	return (dst);
}

/*
 * strvis, strnvis, strvisx - visually encode characters from src into dst
 *
 * Dst must be 4 times the size of src to account for possible
 * expansion. The length of dst, not including the trailing NULL,
 * is returned.
 *
 * Strnvis will write no more than siz-1 bytes (and will NULL terminate).
 * The number of bytes needed to fully encode the string is returned.
 *
 * Strvisx encodes exactly len bytes from src into dst.
 * This is useful for encoding a block of data.
 */
int
strvis(char *dst, const char *src, int flag)
{
	char c;
	char *start;

	/* c is a plain char, so a byte with the high bit set may reach vis()
	 * as a negative int; vis() works on (u_char)c and (c & 0200). */
	for (start = dst; (c = *src);)
		dst = vis(dst, c, flag, *++src);
	*dst = '\0';
	return (dst - start);
}

int
strnvis(char *dst, const char *src, size_t siz, int flag)
{
	int vis_dq = flag & VIS_DQ;
	int vis_noslash = flag & VIS_NOSLASH;
	char *start, *end;
	char tbuf[5];
	int c, i;

	/* i holds the width of the last unit produced; it decides below
	 * whether the output was cut short. */
	i = 0;
	for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
		if (isvisible(c, flag)) {
			if ((c == '"' && vis_dq) ||
			    (c == '\\' && !vis_noslash)) {
				/* need space for the extra '\\' */
				if (dst + 1 >= end) {
					i = 2;
					break;
				}
				*dst++ = '\\';
			}
			i = 1;
			*dst++ = c;
			src++;
		} else {
			/* Encode into scratch first; only copy if it fits whole. */
			i = vis(tbuf, c, flag, *++src) - tbuf;
			if (dst + i <= end) {
				memcpy(dst, tbuf, i);
				dst += i;
			} else {
				src--;
				break;
			}
		}
	}
	/* With siz == 0 nothing is written, but `end` was still computed. */
	if (siz > 0)
		*dst = '\0';
	if (dst + i > end) {
		/* adjust return value for truncation */
		while ((c = *src))
			dst += vis(tbuf, c, flag, *++src) - tbuf;
	}
	return (dst - start);
}

/*
 * Encode src into a freshly allocated buffer stored in *outp.  The
 * buffer starts at 4 * (strlen(src) + 1) bytes and is shrunk with
 * realloc() afterwards; if that shrink fails the larger buffer is kept
 * and errno restored.  Returns the encoded length, or -1 (with *outp
 * untouched) when the initial allocation fails.
 */
int
stravis(char **outp, const char *src, int flag)
{
	char *buf;
	int len, serrno;

	buf = reallocarray(NULL, 4, strlen(src) + 1);
	if (buf == NULL)
		return -1;
	len = strvis(buf, src, flag);
	serrno = errno;
	*outp = realloc(buf, len + 1);
	if (*outp == NULL) {
		*outp = buf;
		errno = serrno;
	}
	return (len);
}

int
strvisx(char *dst, const char *src, size_t len, int flag)
{
	char c;
	char *start;

	/* All but the last byte see their successor as nextc. */
	for (start = dst; len > 1; len--) {
		c = *src;
		dst = vis(dst, c, flag, *++src);
	}
	if (len)
		dst = vis(dst, *src, flag, '\0');
	*dst = '\0';
275 | return (dst - start); 276 | } 277 | 278 | #endif 279 | -------------------------------------------------------------------------------- /compat/vis.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: vis.h,v 1.15 2015/07/20 01:52:27 millert Exp $ */ 2 | /* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ 3 | 4 | /*- 5 | * Copyright (c) 1990 The Regents of the University of California. 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. Neither the name of the University nor the names of its contributors 17 | * may be used to endorse or promote products derived from this software 18 | * without specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | * 32 | * @(#)vis.h 5.9 (Berkeley) 4/3/91 33 | */ 34 | 35 | /* OPENBSD ORIGINAL: include/vis.h */ 36 | 37 | #ifdef HAVE_CONFIG_H 38 | #include "includes.h" 39 | #endif 40 | 41 | #ifndef _VIS_H_ 42 | #define _VIS_H_ 43 | 44 | #include 45 | #include 46 | 47 | /* 48 | * to select alternate encoding format 49 | */ 50 | #define VIS_OCTAL 0x01 /* use octal \ddd format */ 51 | #define VIS_CSTYLE 0x02 /* use \[nrft0..] where appropriate */ 52 | 53 | /* 54 | * to alter set of characters encoded (default is to encode all 55 | * non-graphic except space, tab, and newline). 
56 | */ 57 | #define VIS_SP 0x04 /* also encode space */ 58 | #define VIS_TAB 0x08 /* also encode tab */ 59 | #define VIS_NL 0x10 /* also encode newline */ 60 | #define VIS_WHITE (VIS_SP | VIS_TAB | VIS_NL) 61 | #define VIS_SAFE 0x20 /* only encode "unsafe" characters */ 62 | #define VIS_DQ 0x200 /* backslash-escape double quotes */ 63 | #define VIS_ALL 0x400 /* encode all characters */ 64 | 65 | /* 66 | * other 67 | */ 68 | #define VIS_NOSLASH 0x40 /* inhibit printing '\' */ 69 | #define VIS_GLOB 0x100 /* encode glob(3) magics and '#' */ 70 | 71 | /* 72 | * unvis return codes 73 | */ 74 | #define UNVIS_VALID 1 /* character valid */ 75 | #define UNVIS_VALIDPUSH 2 /* character valid, push back passed char */ 76 | #define UNVIS_NOCHAR 3 /* valid sequence, no character produced */ 77 | #define UNVIS_SYNBAD -1 /* unrecognized escape sequence */ 78 | #define UNVIS_ERROR -2 /* decoder in unknown state (unrecoverable) */ 79 | 80 | /* 81 | * unvis flags 82 | */ 83 | #define UNVIS_END 1 /* no more characters */ 84 | 85 | char *vis(char *, int, int, int); 86 | int strvis(char *, const char *, int); 87 | int stravis(char **, const char *, int); 88 | int strnvis(char *, const char *, size_t, int) 89 | __attribute__ ((__bounded__(__string__,1,3))); 90 | int strvisx(char *, const char *, size_t, int) 91 | __attribute__ ((__bounded__(__string__,1,3))); 92 | int strunvis(char *, const char *); 93 | int unvis(char *, char, int *, int); 94 | ssize_t strnunvis(char *, const char *, size_t) 95 | __attribute__ ((__bounded__(__string__,1,3))); 96 | 97 | #endif /* !_VIS_H_ */ 98 | -------------------------------------------------------------------------------- /ikectl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2020-2021 Tobias Heider 2 | # 3 | # Permission to use, copy, modify, and distribute this software for any 4 | # purpose with or without fee is hereby granted, provided that the above 5 | # copyright notice 
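and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# ikectl(8), the control utility for iked.  Sources are listed directly;
# log.c and util.c are shared with the daemon instead of being copied.
add_executable(ikectl
  ikeca.c
  ikectl.c
  parser.c
  # iked
  ${CMAKE_CURRENT_SOURCE_DIR}/../iked/log.c
  ${CMAKE_CURRENT_SOURCE_DIR}/../iked/util.c
)

# Hardening and warning flags.
# _FORTIFY_SOURCE only does anything when the compiler optimises (glibc warns
# and ignores it at -O0), so it is withheld from the Debug configuration, in
# which the trailing -O0 overrides the earlier -O2.
# NOTE(review): -fPIE is a compile-time flag only; whether ikectl is actually
# linked as a PIE depends on the parent configuration (POSITION_INDEPENDENT_CODE
# or a -pie link option), which is not visible in this file.
# NOTE(review): the condition of the last generator expression is illegible
# in this listing; $<CONFIG:Debug> is the reconstruction — confirm against
# the repository.
target_compile_options(ikectl PRIVATE
  -O2
  -fstack-protector-strong
  -fPIE
  "$<$<NOT:$<CONFIG:Debug>>:-D_FORTIFY_SOURCE=2>"
  -Wall
  -Wno-pointer-sign
  -Wno-deprecated-declarations
  -Wstrict-prototypes
  -Wmissing-prototypes
  -Wmissing-declarations
  -Wshadow
  -Wpointer-arith
  -Wcast-qual
  -Wsign-compare
  "$<$<CONFIG:Debug>:-O0;-g>"
)

# Full RELRO and immediate binding where the linker accepts -z
# (HAVE_LD_Z is expected to come from the parent configuration).
if(HAVE_LD_Z)
  target_link_options(ikectl PRIVATE "LINKER:-z,relro,-z,now")
endif()

target_include_directories(ikectl PRIVATE
  ${CMAKE_CURRENT_SOURCE_DIR}
  ${CMAKE_CURRENT_SOURCE_DIR}/../iked
)

# Plain library names are kept: no imported targets (OpenSSL::Crypto etc.)
# are in view from this file; compat is presumably the library built from
# ../compat.
target_link_libraries(ikectl PRIVATE util event crypto ssl compat)

install(TARGETS ikectl RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikectl.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
# OpenSSL request/CA configuration templates; they carry policy only, no key
# material, so the default install permissions are fine.
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikeca.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/ikex509v3.cnf DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/ssl)
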
-------------------------------------------------------------------------------- /ikectl/Makefile: -------------------------------------------------------------------------------- 1 | # $OpenBSD: Makefile,v 1.7 2016/09/11 14:31:02 natano Exp $ 2 | 3 | .PATH: ${.CURDIR}/../../sbin/iked 4 | 5 | PROG= ikectl 6 | SRCS= log.c ikeca.c ikectl.c parser.c util.c 7 | 8 | MAN= ikectl.8 9 | 10 | LDADD= -lutil -lcrypto 11 | DPADD= ${LIBUTIL} ${LIBCRYPTO} 12 | CFLAGS+= -Wall -I${.CURDIR} -I${.CURDIR}/../../sbin/iked 13 | CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes 14 | CFLAGS+= -Wmissing-declarations 15 | CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual 16 | CFLAGS+= -Wsign-compare 17 | 18 | distribution: 19 | ${INSTALL} -C -o root -g wheel -m 0644 ${.CURDIR}/ikeca.cnf \ 20 | ${DESTDIR}/etc/ssl/ikeca.cnf 21 | 22 | .include 23 | -------------------------------------------------------------------------------- /ikectl/ikeca.cnf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: ikeca.cnf,v 1.10 2023/11/17 14:43:36 tobhe Exp $ 2 | 3 | CERT_C = DE 4 | CERT_ST = Lower Saxony 5 | CERT_L = Hanover 6 | CERT_O = OpenBSD 7 | CERT_OU = iked 8 | CERT_CN = 9 | CERT_EMAIL = reyk@openbsd.org 10 | 11 | # default settings 12 | CERTPATHLEN = 1 13 | CERTUSAGE = digitalSignature,keyCertSign,cRLSign 14 | EXTCERTUSAGE = serverAuth,clientAuth 15 | CERTIP = 0.0.0.0 16 | CERTFQDN = nohost.nodomain 17 | CADB = index.txt 18 | CASERIAL = serial.txt 19 | NSCERTTYPE = server,client 20 | 21 | [ req ] 22 | #default_bits = 2048 23 | #default_md = sha256 24 | #default_keyfile = privkey.pem 25 | distinguished_name = req_distinguished_name 26 | #attributes = req_attributes 27 | req_extensions = $ENV::REQ_EXT 28 | 29 | [ req_distinguished_name ] 30 | countryName = Country Name (2 letter code) 31 | countryName_default = $ENV::CERT_C 32 | countryName_min = 2 33 | countryName_max = 2 34 | 35 | stateOrProvinceName = State or Province Name (full name) 36 | 
stateOrProvinceName_default = $ENV::CERT_ST 37 | 38 | localityName = Locality Name (eg, city) 39 | localityName_default = $ENV::CERT_L 40 | 41 | 0.organizationName = Organization Name (eg, company) 42 | 0.organizationName_default = $ENV::CERT_O 43 | 44 | # we can do this but it is not needed normally :-) 45 | #1.organizationName = Second Organization Name (eg, company) 46 | #1.organizationName_default = OpenBSD 47 | 48 | organizationalUnitName = Organizational Unit Name (eg, section) 49 | organizationalUnitName_default = $ENV::CERT_OU 50 | 51 | commonName = Common Name (eg, fully qualified host name) 52 | commonName_max = 64 53 | commonName_default = $ENV::CERT_CN 54 | 55 | emailAddress = Email Address 56 | emailAddress_max = 64 57 | emailAddress_default = $ENV::CERT_EMAIL 58 | 59 | [ req_attributes ] 60 | challengePassword = A challenge password 61 | challengePassword_min = 4 62 | challengePassword_max = 20 63 | 64 | unstructuredName = An optional company name 65 | 66 | [ x509v3_extensions ] 67 | nsCaRevocationUrl = http://127.0.0.1/ca-crl.pem 68 | nsComment = "This is a comment" 69 | 70 | # under ASN.1, the 0 bit would be encoded as 80 71 | nsCertType = 0x40 72 | 73 | [x509v3_CA] 74 | basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN 75 | keyUsage=$ENV::CERTUSAGE 76 | 77 | [x509v3_IPAddr] 78 | keyUsage=$ENV::CERTUSAGE 79 | nsCertType=$ENV::NSCERTTYPE 80 | subjectAltName=IP:$ENV::CERTIP 81 | extendedKeyUsage=$ENV::EXTCERTUSAGE 82 | 83 | [x509v3_FQDN] 84 | keyUsage=$ENV::CERTUSAGE 85 | nsCertType=$ENV::NSCERTTYPE 86 | subjectAltName=DNS:$ENV::CERTFQDN 87 | extendedKeyUsage=$ENV::EXTCERTUSAGE 88 | 89 | [ca] 90 | default_ca = CA_default 91 | 92 | [CA_sign_policy] 93 | countryName = optional 94 | stateOrProvinceName = optional 95 | localityName = optional 96 | organizationName = optional 97 | organizationalUnitName = optional 98 | commonName = supplied 99 | emailAddress = optional 100 | 101 | [CA_default] 102 | database = $ENV::CADB 103 | serial = 
$ENV::CASERIAL 104 | default_md = sha256 105 | default_days = 365 106 | default_crl_days = 365 107 | unique_subject = no 108 | email_in_dn = yes 109 | policy = CA_sign_policy 110 | -------------------------------------------------------------------------------- /ikectl/ikex509v3.cnf: -------------------------------------------------------------------------------- 1 | # default settings 2 | CERTPATHLEN = 1 3 | CERTUSAGE = digitalSignature,keyCertSign,cRLSign 4 | EXTCERTUSAGE = serverAuth,clientAuth 5 | CERTIP = 0.0.0.0 6 | CERTFQDN = nohost.nodomain 7 | 8 | # This section should be referenced when building an x509v3 CA 9 | # Certificate. 10 | # The default path length and the key usage can be overridden 11 | # by setting the CERTPATHLEN and CERTUSAGE environment 12 | # variables. 13 | [x509v3_CA] 14 | basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN 15 | keyUsage=$ENV::CERTUSAGE 16 | 17 | # This section should be referenced to add an IP Address 18 | # as an alternate subject name, needed by isakmpd 19 | # The address must be provided in the CERTIP environment variable 20 | [x509v3_IPAddr] 21 | subjectAltName=IP:$ENV::CERTIP 22 | extendedKeyUsage=$ENV::EXTCERTUSAGE 23 | 24 | # This section should be referenced to add a FQDN hostname 25 | # as an alternate subject name, needed by isakmpd 26 | # The hostname must be provided in the CERTFQDN environment variable 27 | [x509v3_FQDN] 28 | subjectAltName=DNS:$ENV::CERTFQDN 29 | extendedKeyUsage=$ENV::EXTCERTUSAGE 30 | -------------------------------------------------------------------------------- /ikectl/parser.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: parser.h,v 1.18 2022/09/19 20:54:02 tobhe Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2007-2013 Reyk Floeter 5 | * 6 | * Permission to use, copy, modify, and distribute this software for any 7 | * purpose with or without fee is hereby granted, provided that the above 8 | * copyright notice and this
permission notice appear in all copies. 9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 | */ 18 | 19 | #ifndef IKECTL_PARSER_H 20 | #define IKECTL_PARSER_H 21 | 22 | enum actions { 23 | NONE, 24 | LOAD, 25 | RELOAD, 26 | MONITOR, 27 | LOG_VERBOSE, 28 | LOG_BRIEF, 29 | COUPLE, 30 | DECOUPLE, 31 | ACTIVE, 32 | PASSIVE, 33 | RESETALL, 34 | RESETCA, 35 | RESETPOLICY, 36 | RESETSA, 37 | RESETUSER, 38 | CA, 39 | CA_CREATE, 40 | CA_DELETE, 41 | CA_INSTALL, 42 | CA_EXPORT, 43 | CA_CERTIFICATE, 44 | CA_CERT_CREATE, 45 | CA_SERVER, 46 | CA_CLIENT, 47 | CA_OCSP, 48 | CA_CERT_DELETE, 49 | CA_CERT_INSTALL, 50 | CA_CERT_EXPORT, 51 | CA_CERT_REVOKE, 52 | CA_KEY_CREATE, 53 | CA_KEY_DELETE, 54 | CA_KEY_INSTALL, 55 | CA_KEY_IMPORT, 56 | SHOW_CA, 57 | SHOW_CA_CERTIFICATES, 58 | SHOW_SA, 59 | RESET_ID, 60 | SHOW_CERTSTORE, 61 | SHOW_STATS 62 | }; 63 | 64 | struct parse_result { 65 | enum actions action; 66 | struct imsgbuf *ibuf; 67 | char *path; 68 | char *caname; 69 | char *pass; 70 | char *host; 71 | char *peer; 72 | char *id; 73 | int htype; 74 | int quiet; 75 | }; 76 | 77 | #define HOST_IPADDR 1 78 | #define HOST_FQDN 2 79 | 80 | struct parse_result *parse(int, char *[]); 81 | 82 | struct ca *ca_setup(char *, int, int, char *); 83 | int ca_create(struct ca *); 84 | int ca_certificate(struct ca *, char *, int, int); 85 | int ca_export(struct ca *, char *, char *, char *); 86 | int ca_revoke(struct ca *, char *); 87 | int ca_delete(struct ca *); 88 | int ca_delkey(struct ca *, char *); 89 | int 
ca_install(struct ca *, char *); 90 | int ca_cert_install(struct ca *, char *, char *); 91 | int ca_show_certs(struct ca *, char *); 92 | int ca_key_create(struct ca *, char *); 93 | int ca_key_delete(struct ca *, char *); 94 | int ca_key_install(struct ca *, char *, char *); 95 | int ca_key_import(struct ca *, char *, char *); 96 | 97 | #endif /* IKECTL_PARSER_H */ 98 | -------------------------------------------------------------------------------- /iked.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $ 2 | # 3 | # See iked.conf(5) for syntax and examples. 4 | 5 | # Configure users for the Extensible Authentication Protocol (EAP) 6 | #user "user1" "password123" 7 | #user "user2" "password456" 8 | 9 | # Configuration for clients connecting with EAP authentication. 10 | # Remember to set up a PKI, see ikectl(8) for more information. 11 | #ikev2 "win7" passive esp \ 12 | # from 10.1.0.0/24 to 10.2.0.0/24 \ 13 | # local any peer any \ 14 | # eap "mschap-v2" \ 15 | # config address 10.2.0.1 \ 16 | # config name-server 10.1.0.2 \ 17 | # tag "$name-$id" 18 | 19 | # Configuration for a client authenticating with a pre-shared key. 20 | #ikev2 esp \ 21 | # from 10.3.0.0/24 to 10.1.0.0/24 \ 22 | # from 10.5.0.0/24 to 10.1.0.0/24 \ 23 | # from 10.5.0.0/24 to 172.16.1.0/24 \ 24 | # local 192.168.1.1 peer 192.168.2.1 \ 25 | # psk "you-should-not-use-psk-authentication!" 26 | -------------------------------------------------------------------------------- /iked/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2020-2021 Tobias Heider 2 | # 3 | # Permission to use, copy, modify, and distribute this software for any 4 | # purpose with or without fee is hereby granted, provided that the above 5 | # copyright notice and this permission notice appear in all copies. 
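#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

include(CheckFunctionExists)
include(CheckLibraryExists)
include(CheckSymbolExists)
include(CheckIncludeFiles)

# NOTE(review): VERSIONED_FILES is not read anywhere in this file and, being
# a directory-scope variable, is invisible to the parent without PARENT_SCOPE
# — confirm whether it is still needed.
set(VERSIONED_FILES)
list(APPEND VERSIONED_FILES iked.c)

set(SRCS)
set(LIBS)

# Hardening and warning flags shared by iked and iked-shared.
# _FORTIFY_SOURCE only does anything when the compiler optimises (glibc warns
# and ignores it at -O0), so it is withheld from the Debug configuration, in
# which the trailing -O0 overrides the earlier -O2.
# NOTE(review): the condition of the last generator expression is illegible
# in this listing; $<CONFIG:Debug> is the reconstruction — confirm against
# the repository.
set(CFLAGS
  -O2
  -fstack-protector-strong
  -fPIE
  "$<$<NOT:$<CONFIG:Debug>>:-D_FORTIFY_SOURCE=2>"
  -Wall
  -Wno-pointer-sign
  -Wno-deprecated-declarations
  -Wstrict-prototypes
  -Wmissing-prototypes
  -Wmissing-declarations
  -Wshadow
  -Wpointer-arith
  -Wcast-qual
  -Wsign-compare
  "$<$<CONFIG:Debug>:-O0;-g>"
)

set(INC_DIRS
  ${CMAKE_CURRENT_SOURCE_DIR}
  ${CMAKE_CURRENT_SOURCE_DIR}/../iked
)

# Objects reused by other targets (presumably the regress/ harnesses); the
# two *_map.c tables are generated into the binary directory below.
add_library(iked-shared OBJECT
  ikev2_pld.c
  imsg_util.c
  log.c
  util.c
  ${CMAKE_CURRENT_BINARY_DIR}/ikev2_map.c
  ${CMAKE_CURRENT_BINARY_DIR}/eap_map.c
)

# The PF_KEY backend is used on every supported platform (the former
# five-way branch had identical bodies).  MATCHES is kept so the test is the
# same unanchored regex match as before.
if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD|Linux|Darwin|FreeBSD|NetBSD")
  list(APPEND SRCS ipsec.c pfkey.c)
endif()
if(HAVE_VROUTE)
  list(APPEND SRCS vroute.c)
endif()
if(HAVE_VROUTE_NETLINK)
  list(APPEND SRCS vroute-netlink.c)
endif()
if(WITH_APPARMOR)
  list(APPEND SRCS apparmor.c)
endif()

list(APPEND SRCS
  ca.c
  chap_ms.c
  config.c
  control.c
  crypto.c
  dh.c
  eap.c
  iked.c
  ikev2.c
  ikev2.h
  ikev2_msg.c
  ocsp.c
  policy.c
  print.c
  proc.c
  smult_curve25519_ref.c
  timer.c
  crypto_hash.c
  sntrup761.c
  # Generated files
  ${CMAKE_CURRENT_BINARY_DIR}/parse.c
)

add_executable(iked ${SRCS})

target_compile_options(iked PRIVATE ${CFLAGS})
target_compile_options(iked-shared PRIVATE ${CFLAGS})
# Full RELRO and immediate binding where the linker accepts -z.
if(HAVE_LD_Z)
  target_link_options(iked PRIVATE "LINKER:-z,relro,-z,now")
endif()

target_include_directories(iked PRIVATE ${INC_DIRS})
target_include_directories(iked-shared PRIVATE ${INC_DIRS})

# Under ClusterFuzzLite (environment variable, read at configure time only)
# libssl, libcrypto and libevent are linked statically.  The keyword-less
# signature is left unchanged so link propagation to consumers of
# iked-shared is not altered.
if(DEFINED ENV{CLUSTERFUZZLITE})
  target_link_libraries(iked-shared
    "-lm -Wl,-Bstatic -lssl -lcrypto -levent -Wl,-Bdynamic" compat
  )
else()
  target_link_libraries(iked-shared
    PRIVATE util event crypto ssl compat
  )
endif()

list(APPEND LIBS
  util
  event
  crypto
  ssl
  compat
  iked-shared
)

if(WITH_SYSTEMD)
  list(APPEND LIBS systemd)
endif()

target_link_libraries(iked
  PRIVATE ${LIBS}
)

# parse.y -> parse.c.  The relative OUTPUT resolves to the binary directory,
# matching the ${CMAKE_CURRENT_BINARY_DIR}/parse.c entry in SRCS; VERBATIM so
# the arguments reach yacc exactly as written.
add_custom_command(
  OUTPUT parse.c
  COMMAND yacc -o parse.c ${CMAKE_CURRENT_SOURCE_DIR}/parse.y
  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/parse.y
  VERBATIM
)

# genmap.sh prints the table on stdout (the BSD Makefile redirects it the
# same way), so these two commands rely on the shell's '>' and must stay
# non-VERBATIM: VERBATIM would quote the '>' into a script argument.
add_custom_command(
  OUTPUT ikev2_map.c
  COMMAND sh ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
    ${CMAKE_CURRENT_SOURCE_DIR}/ikev2.h ikev2 > ikev2_map.c
  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/ikev2.h
    ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
)

add_custom_command(
  OUTPUT eap_map.c
  COMMAND sh ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
    ${CMAKE_CURRENT_SOURCE_DIR}/eap.h eap > eap_map.c
  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/eap.h
    ${CMAKE_CURRENT_SOURCE_DIR}/genmap.sh
)

install(TARGETS iked RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
# iked.conf can hold pre-shared keys and EAP user passwords (see the
# commented examples in the file), hence owner-only read/write.
# PROJECT_SOURCE_DIR rather than CMAKE_SOURCE_DIR so the path still points
# at this project's root when it is built as a subproject.
install(FILES ${PROJECT_SOURCE_DIR}/iked.conf
  PERMISSIONS OWNER_READ OWNER_WRITE
  DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}
)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.conf.5 DESTINATION ${CMAKE_INSTALL_MANDIR}/man5/)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/iked.8 DESTINATION ${CMAKE_INSTALL_MANDIR}/man8/)
if(WITH_APPARMOR)
  install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/../linux/iked.apparmor
    DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/apparmor.d/
    RENAME usr.sbin.iked)
endif()
# Certificate store layout.  Only private/ is created owner-only (0700);
# the remaining directories get CMake's default 0755.
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/ca)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/certs)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/crls)
install(DIRECTORY
  DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE
  DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/private
)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/pubkeys/ipv4)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/pubkeys/ipv6)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/pubkeys/fqdn)
install(DIRECTORY DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/iked/pubkeys/ufqdn)
--------------------------------------------------------------------------------
/iked/Makefile:
--------------------------------------------------------------------------------
# $OpenBSD: Makefile,v 1.22 2021/05/28 18:01:39 tobhe Exp $

PROG=	iked
SRCS=	ca.c chap_ms.c config.c control.c crypto.c dh.c \
	eap.c iked.c ikev2.c ikev2_msg.c ikev2_pld.c \
	log.c ocsp.c pfkey.c policy.c print.c proc.c timer.c util.c \
	imsg_util.c smult_curve25519_ref.c vroute.c
SRCS+=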
eap_map.c ikev2_map.c 9 | SRCS+= crypto_hash.c sntrup761.c 10 | SRCS+= parse.y 11 | SRCS+= ipsec.c 12 | MAN= iked.conf.5 iked.8 13 | #NOMAN= yes 14 | 15 | LDADD= -lutil -levent -lcrypto 16 | DPADD= ${LIBUTIL} ${LIBEVENT} ${LIBCRYPTO} 17 | CFLAGS+= -Wall -I${.CURDIR} 18 | CFLAGS+= -Wstrict-prototypes -Wmissing-prototypes 19 | CFLAGS+= -Wmissing-declarations 20 | CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual 21 | CFLAGS+= -Wsign-compare 22 | CLEANFILES+= ikev2_map.c eap_map.c 23 | GENERATED= ikev2_map.c eap_map.c 24 | 25 | YFLAGS= 26 | 27 | ikev2_map.c: genmap.sh ikev2.h 28 | /bin/sh ${.CURDIR}/genmap.sh ${.CURDIR}/ikev2.h ikev2 > $@ 29 | @touch $@ 30 | 31 | eap_map.c: genmap.sh eap.h 32 | /bin/sh ${.CURDIR}/genmap.sh ${.CURDIR}/eap.h eap > $@ 33 | @touch $@ 34 | 35 | .include 36 | 37 | # Don't compile iked as static binary by default 38 | LDSTATIC= 39 | -------------------------------------------------------------------------------- /iked/apparmor.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2023 Tobias Heider 3 | * 4 | * Permission to use, copy, modify, and distribute this software for any 5 | * purpose with or without fee is hereby granted, provided that the above 6 | * copyright notice and this permission notice appear in all copies. 7 | * 8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
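 */

#include
#include
#include
#include

#include "apparmor.h"

/* Per-thread AppArmor attribute path: /proc/<tid>/attr/apparmor/<attr>. */
static const char *armor_proc_path_tmpl = "/proc/%d/attr/apparmor/%s";

/*
 * Open the calling thread's AppArmor "current" attribute for writing.
 *
 * The path is built from the thread id so the request applies to the
 * calling thread.  Returns the descriptor, or -1 if the path could not be
 * formatted or open(2) failed (errno as left by open).  The descriptor is
 * opened O_CLOEXEC so it cannot leak into a child process.
 */
int
armor_proc_open(void)
{
	char *path;
	pid_t tid = gettid();
	int fd;

	/* asprintf(3) returns the formatted length, -1 on failure. */
	if (asprintf(&path, armor_proc_path_tmpl, tid, "current") <= 0)
		return (-1);

	fd = open(path, O_WRONLY | O_CLOEXEC);
	free(path);

	return (fd);
}

/*
 * Ask AppArmor to switch the calling thread to `profile' by writing a
 * "changeprofile <name>" request to fd (as returned by armor_proc_open()).
 *
 * Consumes fd: it is closed on every path.  Returns 0 only when the whole
 * request was written, -1 if the request could not be formatted, if
 * write(2) failed, or if it was short.  A partial request is treated as a
 * failure: reporting success for it would let the daemon carry on believing
 * it is confined when the profile change was never applied.
 */
int
armor_change_profile(int fd, const char *profile)
{
	char *cmd = NULL;
	int len;
	ssize_t n;
	int ret = -1;

	len = asprintf(&cmd, "changeprofile %s", profile);
	if (len < 0) {
		/* asprintf(3) does not guarantee *cmd on failure (BSD nulls it,
		 * glibc leaves it undefined); make free() below a no-op. */
		cmd = NULL;
		goto done;
	}

	n = write(fd, cmd, len);
	if (n != (ssize_t)len)
		goto done;

	ret = 0;
done:
	free(cmd);
	close(fd);
	return (ret);
}
--------------------------------------------------------------------------------
/iked/apparmor.h:
--------------------------------------------------------------------------------
/*
 * Copyright (c) 2019-2023 Tobias Heider
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.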
15 | */ 16 | 17 | #ifndef IKED_APPARMOR_H 18 | #define IKED_APPARMOR_H 19 | 20 | /* apparmor.c */ 21 | int armor_proc_open(void); 22 | int armor_change_profile(int, const char *); 23 | 24 | #endif /* IKED_APPARMOR_H */ 25 | -------------------------------------------------------------------------------- /iked/chap_ms.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: chap_ms.h,v 1.6 2015/08/21 11:59:27 reyk Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2010-2013 Reyk Floeter 5 | * 6 | * Permission to use, copy, modify, and distribute this software for any 7 | * purpose with or without fee is hereby granted, provided that the above 8 | * copyright notice and this permission notice appear in all copies. 9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
17 | */ 18 | 19 | #ifndef CHAP_MS_H 20 | #define CHAP_MS_H 21 | 22 | #define MSCHAP_CHALLENGE_SZ 8 23 | #define MSCHAPV2_CHALLENGE_SZ 16 24 | #define MSCHAP_HASH_SZ 16 25 | #define MSCHAP_MASTERKEY_SZ 16 26 | #define MSCHAP_MSK_KEY_SZ 32 27 | #define MSCHAP_MSK_PADDING_SZ 32 28 | #define MSCHAP_MSK_SZ 64 29 | 30 | #define MSCHAP_MAXNTPASSWORD_SZ 255 /* unicode chars */ 31 | 32 | void mschap_nt_response(uint8_t *, uint8_t *, uint8_t *, int, 33 | uint8_t *, int , uint8_t *); 34 | void mschap_auth_response(uint8_t *, int, uint8_t *, uint8_t *, 35 | uint8_t *, uint8_t *, int, uint8_t *); 36 | 37 | void mschap_ntpassword_hash(uint8_t *, int, uint8_t *); 38 | void mschap_challenge_hash(uint8_t *, uint8_t *, uint8_t *, 39 | int, uint8_t *); 40 | 41 | void mschap_asymetric_startkey(uint8_t *, uint8_t *, int, int, int); 42 | void mschap_masterkey(uint8_t *, uint8_t *, uint8_t *); 43 | void mschap_radiuskey(uint8_t *, const uint8_t *, const uint8_t *, 44 | const uint8_t *); 45 | void mschap_msk(uint8_t *, int, uint8_t *, uint8_t *); 46 | 47 | #endif /* CHAP_MS_H */ 48 | -------------------------------------------------------------------------------- /iked/crypto_api.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: crypto_api.h,v 1.1 2021/05/28 18:01:39 tobhe Exp $ */ 2 | 3 | /* 4 | * Assembled from generated headers and source files by Markus Friedl. 5 | * Placed in the public domain. 
6 | */ 7 | 8 | #ifndef crypto_api_h 9 | #define crypto_api_h 10 | 11 | #include 12 | #include 13 | /* Fixed-width aliases for the supercop/NaCl-style KEM code produced by sntrup761.sh.  NOTE(review): there is no crypto_int64 alias here although sntrup761.sh emits "#define int64 crypto_int64"; that is harmless only while the generated code never uses int64 -- confirm. */ 14 | typedef int8_t crypto_int8; 15 | typedef uint8_t crypto_uint8; 16 | typedef int16_t crypto_int16; 17 | typedef uint16_t crypto_uint16; 18 | typedef int32_t crypto_int32; 19 | typedef uint32_t crypto_uint32; 20 | typedef uint64_t crypto_uint64; 21 | /* NaCl-style randomness entry points, routed to arc4random(3). */ 22 | #define randombytes(buf, buf_len) arc4random_buf((buf), (buf_len)) 23 | #define small_random32() arc4random() 24 | /* SHA-512 with the NaCl calling convention: out must hold crypto_hash_sha512_BYTES bytes; returns 0 on success and -1 on failure.  Implemented over EVP_Digest() in crypto_hash.c. */ 25 | #define crypto_hash_sha512_BYTES 64U 26 | 27 | int crypto_hash_sha512(unsigned char *, const unsigned char *, 28 | unsigned long long); 29 | /* Compare 32 bytes.  NOTE(review): expected to be constant-time like its NaCl namesake, but the implementation is not on this page -- confirm before relying on it for MAC or ciphertext comparisons. */ 30 | int crypto_verify_32(const unsigned char *, const unsigned char *); 31 | /* sntrup761 KEM sizes (in bytes) and entry points.  The implementation is generated by sntrup761.sh, which renames the supercop crypto_kem_ symbols to crypto_kem_sntrup761_. */ 32 | #define crypto_kem_sntrup761_PUBLICKEYBYTES 1158 33 | #define crypto_kem_sntrup761_SECRETKEYBYTES 1763 34 | #define crypto_kem_sntrup761_CIPHERTEXTBYTES 1039 35 | #define crypto_kem_sntrup761_BYTES 32 36 | 37 | int crypto_kem_sntrup761_enc(unsigned char *cstr, unsigned char *k, 38 | const unsigned char *pk); 39 | int crypto_kem_sntrup761_dec(unsigned char *k, 40 | const unsigned char *cstr, const unsigned char *sk); 41 | int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk); 42 | 43 | #endif /* crypto_api_h */ 44 | -------------------------------------------------------------------------------- /iked/crypto_hash.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: crypto_hash.c,v 1.1 2021/05/28 18:01:39 tobhe Exp $ */ 2 | /* 3 | * Public domain. 
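Author: Christian Weisgerber
 * API compatible reimplementation of function from nacl
 */

#include "crypto_api.h"
#include <openssl/evp.h>	/* EVP_Digest(), EVP_sha512(); name restored, lost in page extraction */
#include <limits.h>		/* ULLONG_MAX */
#include <stdint.h>		/* SIZE_MAX */

/*
 * NaCl-compatible SHA-512: hash the inlen bytes at in into out, which must
 * hold crypto_hash_sha512_BYTES (64) bytes.  Returns 0 on success and -1 if
 * OpenSSL's EVP_Digest() reports failure.
 *
 * The NaCl API sizes the input as unsigned long long while EVP_Digest() takes
 * a size_t.  On LP64 hosts the two have the same width; on a 32-bit host the
 * implicit conversion would silently truncate a length above SIZE_MAX and
 * hash fewer bytes than requested, yielding a wrong digest with a success
 * return.  Such lengths are refused up front instead.  The range check is
 * compiled only where the two widths differ, so it cannot become a
 * tautological comparison on LP64.
 */
int
crypto_hash_sha512(unsigned char *out, const unsigned char *in,
    unsigned long long inlen)
{
	unsigned int	 mdlen;

#if ULLONG_MAX > SIZE_MAX
	if (inlen > SIZE_MAX)
		return -1;
#endif
	if (!EVP_Digest(in, (size_t)inlen, out, &mdlen, EVP_sha512(), NULL))
		return -1;
	return 0;
}

/* -------------------------------------------------------------------------------- /iked/dh.h: -------------------------------------------------------------------------------- */
/* $OpenBSD: dh.h,v 1.15 2021/05/28 18:01:39 tobhe Exp $ */

/*
 * Copyright (c) 2010-2013 Reyk Floeter
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.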
17 | */ 18 | 19 | #ifndef DH_GROUP_H 20 | #define DH_GROUP_H 21 | 22 | enum group_type { 23 | GROUP_MODP = 0, 24 | GROUP_ECP = 1, 25 | GROUP_CURVE25519 = 2, 26 | GROUP_SNTRUP761X25519 = 3 27 | }; 28 | 29 | struct group_id { 30 | enum group_type type; 31 | unsigned int id; 32 | int bits; 33 | char *prime; 34 | char *generator; 35 | int nid; 36 | }; 37 | 38 | struct dh_group { 39 | int id; 40 | const struct group_id 41 | *spec; 42 | 43 | void *dh; 44 | void *ec; 45 | void *curve25519; 46 | void *kemsx; 47 | 48 | int (*init)(struct dh_group *); 49 | int (*getlen)(struct dh_group *); 50 | int (*secretlen)(struct dh_group *); 51 | int (*exchange)(struct dh_group *, uint8_t *); 52 | int (*exchange2)(struct dh_group *, struct ibuf **, struct ibuf *); 53 | int (*shared)(struct dh_group *, uint8_t *, uint8_t *); 54 | int (*shared2)(struct dh_group *, struct ibuf **, struct ibuf *); 55 | }; 56 | 57 | #define DH_MAXSZ 1024 /* 8192 bits */ 58 | 59 | void group_init(void); 60 | void group_free(struct dh_group *); 61 | struct dh_group *group_get(uint32_t); 62 | const struct group_id 63 | *group_getid(uint32_t); 64 | 65 | int dh_create_exchange(struct dh_group *, struct ibuf **, struct ibuf *); 66 | int dh_create_shared(struct dh_group *, struct ibuf **, struct ibuf *); 67 | 68 | #endif /* DH_GROUP_H */ 69 | -------------------------------------------------------------------------------- /iked/eap.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: eap.h,v 1.6 2020/09/16 21:37:35 tobhe Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2010-2013 Reyk Floeter 5 | * 6 | * Permission to use, copy, modify, and distribute this software for any 7 | * purpose with or without fee is hereby granted, provided that the above 8 | * copyright notice and this permission notice appear in all copies. 
9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 | */ 18 | 19 | #ifndef IKED_EAP_H 20 | #define IKED_EAP_H 21 | 22 | #include "openbsd-compat.h" 23 | 24 | struct eap_header { 25 | uint8_t eap_code; 26 | uint8_t eap_id; 27 | uint16_t eap_length; 28 | } __packed; 29 | 30 | struct eap_message { 31 | uint8_t eap_code; 32 | uint8_t eap_id; 33 | uint16_t eap_length; 34 | uint8_t eap_type; 35 | /* Followed by type-specific data */ 36 | } __packed; 37 | 38 | #define EAP_CODE_REQUEST 1 /* Request */ 39 | #define EAP_CODE_RESPONSE 2 /* Response */ 40 | #define EAP_CODE_SUCCESS 3 /* Success */ 41 | #define EAP_CODE_FAILURE 4 /* Failure */ 42 | 43 | extern struct iked_constmap eap_code_map[]; 44 | 45 | /* http://www.iana.org/assignments/eap-numbers */ 46 | #define EAP_TYPE_NONE 0 /* NONE */ 47 | #define EAP_TYPE_IDENTITY 1 /* RFC3748 */ 48 | #define EAP_TYPE_NOTIFICATION 2 /* RFC3748 */ 49 | #define EAP_TYPE_NAK 3 /* RFC3748 */ 50 | #define EAP_TYPE_MD5 4 /* RFC3748 */ 51 | #define EAP_TYPE_OTP 5 /* RFC3748 */ 52 | #define EAP_TYPE_GTC 6 /* RFC3748 */ 53 | #define EAP_TYPE_RSA 9 /* Whelan */ 54 | #define EAP_TYPE_DSS 10 /* Nace */ 55 | #define EAP_TYPE_KEA 11 /* Nace */ 56 | #define EAP_TYPE_KEA_VALIDATE 12 /* Nace */ 57 | #define EAP_TYPE_TLS 13 /* RFC5216 */ 58 | #define EAP_TYPE_AXENT 14 /* Rosselli */ 59 | #define EAP_TYPE_SECURID 15 /* Nystrm */ 60 | #define EAP_TYPE_ARCOT 16 /* Jerdonek */ 61 | #define EAP_TYPE_CISCO 17 /* Norman */ 62 | #define EAP_TYPE_SIM 18 /* RFC4186 */ 63 | 
#define EAP_TYPE_SRP_SHA1 19 /* Carlson */ 64 | #define EAP_TYPE_TTLS 21 /* Funk */ 65 | #define EAP_TYPE_RAS 22 /* Fields */ 66 | #define EAP_TYPE_OAAKA 23 /* RFC4187 */ 67 | #define EAP_TYPE_3COM 24 /* Young */ 68 | #define EAP_TYPE_PEAP 25 /* Palekar */ 69 | #define EAP_TYPE_MSCHAP_V2 26 /* Palekar */ 70 | #define EAP_TYPE_MAKE 27 /* Berrendonner */ 71 | #define EAP_TYPE_CRYPTOCARD 28 /* Webb */ 72 | #define EAP_TYPE_MSCHAP_V2_2 29 /* Potter */ 73 | #define EAP_TYPE_DYNAMID 30 /* Merlin */ 74 | #define EAP_TYPE_ROB 31 /* Ullah */ 75 | #define EAP_TYPE_POTP 32 /* RFC4794 */ 76 | #define EAP_TYPE_MS_TLV 33 /* Palekar */ 77 | #define EAP_TYPE_SENTRINET 34 /* Kelleher */ 78 | #define EAP_TYPE_ACTIONTEC 35 /* Chang */ 79 | #define EAP_TYPE_BIOMETRICS 36 /* Xiong */ 80 | #define EAP_TYPE_AIRFORTRESS 37 /* Hibbard */ 81 | #define EAP_TYPE_HTTP_DIGEST 38 /* Tavakoli */ 82 | #define EAP_TYPE_SECURESUITE 39 /* Clements */ 83 | #define EAP_TYPE_DEVICECONNECT 40 /* Pitard */ 84 | #define EAP_TYPE_SPEKE 41 /* Zick */ 85 | #define EAP_TYPE_MOBAC 42 /* Rixom */ 86 | #define EAP_TYPE_FAST 43 /* Cam-Winget */ 87 | #define EAP_TYPE_ZLX 44 /* Bogue */ 88 | #define EAP_TYPE_LINK 45 /* Zick */ 89 | #define EAP_TYPE_PAX 46 /* Clancy */ 90 | #define EAP_TYPE_PSK 47 /* RFC-bersani-eap-psk-11.txt */ 91 | #define EAP_TYPE_SAKE 48 /* RFC-vanderveen-eap-sake-02.txt */ 92 | #define EAP_TYPE_IKEV2 49 /* RFC5106 */ 93 | #define EAP_TYPE_AKA2 50 /* RFC5448 */ 94 | #define EAP_TYPE_GPSK 51 /* RFC5106 */ 95 | #define EAP_TYPE_PWD 52 /* RFC-harkins-emu-eap-pwd-12.txt */ 96 | #define EAP_TYPE_EXPANDED_TYPE 254 /* RFC3748 */ 97 | #define EAP_TYPE_EXPERIMENTAL 255 /* RFC3748 */ 98 | 99 | extern struct iked_constmap eap_type_map[]; 100 | 101 | /* 102 | * EAP MSCHAP-V2 103 | */ 104 | 105 | #define EAP_MSCHAP_CHALLENGE_SZ 16 106 | #define EAP_MSCHAP_RESPONSE_SZ 49 107 | #define EAP_MSCHAP_NTRESPONSE_SZ 24 108 | #define EAP_MSCHAP_SUCCESS_SZ 42 109 | 110 | #define EAP_MSOPCODE_CHALLENGE 1 /* Challenge 
*/ 111 | #define EAP_MSOPCODE_RESPONSE 2 /* Response */ 112 | #define EAP_MSOPCODE_SUCCESS 3 /* Success */ 113 | #define EAP_MSOPCODE_FAILURE 4 /* Failure */ 114 | #define EAP_MSOPCODE_CHANGE_PASSWORD 7 /* Change Password */ 115 | 116 | extern struct iked_constmap eap_msopcode_map[]; 117 | 118 | struct eap_mschap { 119 | uint8_t ms_opcode; 120 | } __packed; 121 | 122 | struct eap_mschap_challenge { 123 | uint8_t msc_opcode; 124 | uint8_t msc_id; 125 | uint16_t msc_length; 126 | uint8_t msc_valuesize; 127 | uint8_t msc_challenge[EAP_MSCHAP_CHALLENGE_SZ]; 128 | /* Followed by variable-size name field */ 129 | } __packed; 130 | 131 | struct eap_mschap_peer { 132 | uint8_t msp_challenge[EAP_MSCHAP_CHALLENGE_SZ]; 133 | uint8_t msp_reserved[8]; 134 | uint8_t msp_ntresponse[EAP_MSCHAP_NTRESPONSE_SZ]; 135 | uint8_t msp_flags; 136 | }; 137 | 138 | struct eap_mschap_response { 139 | uint8_t msr_opcode; 140 | uint8_t msr_id; 141 | uint16_t msr_length; 142 | uint8_t msr_valuesize; 143 | union { 144 | uint8_t resp_data[EAP_MSCHAP_RESPONSE_SZ]; 145 | struct eap_mschap_peer resp_peer; 146 | } msr_response; 147 | /* Followed by variable-size name field */ 148 | } __packed; 149 | 150 | struct eap_mschap_success { 151 | uint8_t mss_opcode; 152 | uint8_t mss_id; 153 | uint16_t mss_length; 154 | /* Followed by variable-size success message */ 155 | } __packed; 156 | 157 | struct eap_mschap_failure { 158 | uint8_t msf_opcode; 159 | uint8_t msf_id; 160 | uint16_t msf_length; 161 | /* Followed by variable-size message field */ 162 | } __packed; 163 | 164 | #define EAP_MSERROR_RESTRICTED_LOGON_HOURS 646 /* eap-mschapv2 */ 165 | #define EAP_MSERROR_ACCT_DISABLED 647 /* eap-mschapv2 */ 166 | #define EAP_MSERROR_PASSWD_EXPIRED 648 /* eap-mschapv2 */ 167 | #define EAP_MSERROR_NO_DIALIN_PERMISSION 649 /* eap-mschapv2 */ 168 | #define EAP_MSERROR_AUTHENTICATION_FAILURE 691 /* eap-mschapv2 */ 169 | #define EAP_MSERROR_CHANGING_PASSWORD 709 /* eap-mschapv2 */ 170 | 171 | extern struct 
iked_constmap eap_mserror_map[]; 172 | 173 | #endif /* IKED_EAP_H */ 174 | -------------------------------------------------------------------------------- /iked/genmap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # $OpenBSD: genmap.sh,v 1.7 2015/01/16 06:39:58 deraadt Exp $ 3 | 4 | # Copyright (c) 2010-2013 Reyk Floeter 5 | # 6 | # Permission to use, copy, modify, and distribute this software for any 7 | # purpose with or without fee is hereby granted, provided that the above 8 | # copyright notice and this permission notice appear in all copies. 9 | # 10 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
17 | 18 | TOK=$(echo ${2} | tr "[:lower:]" "[:upper:]") 19 | tok=$(echo ${2} | tr "[:upper:]" "[:lower:]") 20 | 21 | MAP=$(grep "struct iked_constmap" $1 | 22 | sed -Ee "s/.*${tok}_([^_]+)_map.*/\1/g") 23 | 24 | # Print license/copyright notice and headers 25 | cat < 32 | 33 | #include "types.h" 34 | #include "${tok}.h" 35 | 36 | EOF 37 | 38 | for i in $MAP; do 39 | lower=$(echo $i | tr "[:upper:]" "[:lower:]") 40 | upper=$(echo $i | tr "[:lower:]" "[:upper:]") 41 | 42 | echo "struct iked_constmap ${tok}_${lower}_map[] = {" 43 | 44 | X="${TOK}_${upper}" 45 | grep "$X" $1 | grep -v '\\' | sed -Ee \ 46 | "s/#define.*${X}_([^[:blank:]]+).*\/\* (.+) \*\/$\ 47 | / { ${X}_\1, \"\1\", \"\2\" },/" 48 | 49 | echo " { 0 }" 50 | echo "};" 51 | done 52 | -------------------------------------------------------------------------------- /iked/iked.8: -------------------------------------------------------------------------------- 1 | .\" $OpenBSD: iked.8,v 1.30 2021/11/29 13:20:24 jmc Exp $ 2 | .\" 3 | .\" Copyright (c) 2010 - 2014 Reyk Floeter 4 | .\" 5 | .\" Permission to use, copy, modify, and distribute this software for any 6 | .\" purpose with or without fee is hereby granted, provided that the above 7 | .\" copyright notice and this permission notice appear in all copies. 8 | .\" 9 | .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 | .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 | .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 | .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 | .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
16 | .\" 17 | .Dd $Mdocdate: November 29 2021 $ 18 | .Dt IKED 8 19 | .Os 20 | .Sh NAME 21 | .Nm iked 22 | .Nd Internet Key Exchange version 2 (IKEv2) daemon 23 | .Sh SYNOPSIS 24 | .Nm iked 25 | .Op Fl dnSTtVv 26 | .Op Fl D Ar macro Ns = Ns Ar value 27 | .Op Fl f Ar file 28 | .Op Fl p Ar udpencap_port 29 | .Op Fl s Ar socket 30 | .Sh DESCRIPTION 31 | .Nm 32 | is an Internet Key Exchange (IKEv2) daemon which performs mutual 33 | authentication and which establishes and maintains IPsec flows and 34 | security associations (SAs) between the two peers. 35 | .Pp 36 | The IKEv2 protocol is defined in RFC 7296, 37 | which combines and updates the previous standards: 38 | ISAKMP/Oakley (RFC 2408), 39 | IKE (RFC 2409), 40 | and the Internet DOI (RFC 2407). 41 | .Nm 42 | only supports the IKEv2 protocol; 43 | support for 44 | ISAKMP/Oakley and IKEv1 45 | is provided by 46 | .Xr isakmpd 8 . 47 | .Pp 48 | .Nm 49 | supports mutual authentication using RSA or ECDSA public keys and X.509 50 | certificates. 51 | See the 52 | .Sx PUBLIC KEY AUTHENTICATION 53 | section below and PKI AND CERTIFICATE AUTHORITY COMMANDS in 54 | .Xr ikectl 8 55 | for more information about creating and maintaining the public key 56 | infrastructure. 57 | .Pp 58 | The options are as follows: 59 | .Bl -tag -width Ds 60 | .It Fl D Ar macro Ns = Ns Ar value 61 | Define 62 | .Ar macro 63 | to be set to 64 | .Ar value 65 | on the command line. 66 | Overrides the definition of 67 | .Ar macro 68 | in the configuration file. 69 | .It Fl d 70 | Do not daemonize and log to 71 | .Em stderr . 72 | .It Fl f Ar file 73 | Use 74 | .Ar file 75 | as the configuration file, instead of the default 76 | .Pa /etc/iked.conf . 77 | .It Fl n 78 | Configtest mode. 79 | Only check the configuration file for validity. 80 | .It Fl p Ar udpencap_port 81 | Specify the listen port for encapsulated UDP that 82 | the daemon will bind to as well as the UDP encapsulation port set 83 | in resulting IPsec SAs. 
84 | In order to receive UDP encapsulated IPsec packets on ports other 85 | than 4500, the 86 | .Em net.inet.esp.udpencap_port 87 | .Xr sysctl 2 88 | variable has to be set accordingly. 89 | Implies -t. 90 | .It Fl S 91 | Start 92 | .Nm 93 | in passive mode. 94 | See the 95 | .Ic set passive 96 | option in 97 | .Xr iked.conf 5 98 | for more information. 99 | .It Fl s Ar socket 100 | Use 101 | .Ar socket 102 | as the control socket, instead of the default 103 | .Pa /var/run/iked.sock . 104 | .It Fl T 105 | Disable NAT-Traversal and do not propose NAT-Traversal support to the peers. 106 | .It Fl t 107 | Enforce NAT-Traversal and only listen to NAT-Traversal messages. 108 | This option is only recommended for testing; the default is to 109 | negotiate NAT-Traversal with the peers. 110 | .It Fl V 111 | Show the version and exit. 112 | .It Fl v 113 | Produce more verbose output. 114 | .El 115 | .Sh PUBLIC KEY AUTHENTICATION 116 | It is possible to store trusted public keys to make them directly 117 | usable by 118 | .Nm , 119 | bypassing the need to use certificates. 120 | The keys should be saved in PEM format (see 121 | .Xr openssl 1 ) 122 | and named and stored as follows: 123 | .Pp 124 | .Bl -tag -width "for_ufqdn_identitiesXX" -offset 3n -compact 125 | .It For IPv4 identities: 126 | /etc/iked/pubkeys/ipv4/A.B.C.D 127 | .It For IPv6 identities: 128 | /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc 129 | .It For FQDN identities: 130 | /etc/iked/pubkeys/fqdn/foo.bar.org 131 | .It For UFQDN identities: 132 | /etc/iked/pubkeys/ufqdn/user@foo.bar.org 133 | .El 134 | .Pp 135 | Depending on the 136 | .Ic srcid 137 | and 138 | .Ic dstid 139 | specifications in 140 | .Xr iked.conf 5 , 141 | keys may be named after their IPv4 address, IPv6 address, 142 | fully qualified domain name (FQDN) or user fully qualified domain name (UFQDN). 
143 | .Pp 144 | For example, 145 | .Nm 146 | can authenticate using the pre-generated keys if the local public key, 147 | by default 148 | .Pa /etc/iked/local.pub , 149 | is copied to the remote gateway as 150 | .Pa /etc/iked/pubkeys/ipv4/local.gateway.ip.address 151 | and the remote gateway's public key 152 | is copied to the local gateway as 153 | .Pa /etc/iked/pubkeys/ipv4/remote.gateway.ip.address . 154 | Of course, new keys may also be generated 155 | (the user is not required to use the pre-generated keys). 156 | In this example, 157 | .Ic srcid 158 | and 159 | .Ic dstid 160 | would also have to be set to the specified addresses 161 | in 162 | .Xr iked.conf 5 . 163 | .Sh FILES 164 | .Bl -tag -width "/etc/iked/private/XXX" -compact 165 | .It Pa /etc/iked.conf 166 | The default 167 | .Nm 168 | configuration file. 169 | .It Pa /etc/iked/ca/ 170 | The directory where CA certificates are kept. 171 | .It Pa /etc/iked/certs/ 172 | The directory where IKE certificates are kept, both the local 173 | certificate(s) and those of the peers, if a choice to have them kept 174 | permanently has been made. 175 | .It Pa /etc/iked/crls/ 176 | The directory where CRLs are kept. 177 | .It Pa /etc/iked/private/ 178 | The directory where local private keys used for public key authentication 179 | are kept. 180 | The file 181 | .Pa local.key 182 | is used to store the local private key. 183 | .It Pa /etc/iked/pubkeys/ 184 | The directory in which trusted public keys are kept. 185 | The keys must be named in the fashion described above. 186 | .It Pa /var/run/iked.sock 187 | The default 188 | .Nm 189 | control socket. 190 | .El 191 | .Sh SEE ALSO 192 | .Xr iked.conf 5 , 193 | .Xr ikectl 8 , 194 | .Xr isakmpd 8 195 | .Sh STANDARDS 196 | .Rs 197 | .%A C. Kaufman 198 | .%A P. Hoffman 199 | .%A Y. Nir 200 | .%A P. Eronen 201 | .%A T. 
Kivinen 202 | .%D October 2014 203 | .%R RFC 7296 204 | .%T Internet Key Exchange Protocol Version 2 (IKEv2) 205 | .Re 206 | .Sh HISTORY 207 | The 208 | .Nm 209 | program first appeared in 210 | .Ox 4.8 . 211 | .Sh AUTHORS 212 | The 213 | .Nm 214 | program was written by 215 | .An Reyk Floeter Aq Mt reyk@openbsd.org . 216 | -------------------------------------------------------------------------------- /iked/imsg_util.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: imsg_util.c,v 1.22 2023/12/12 15:52:58 claudio Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2010-2013 Reyk Floeter 5 | * 6 | * Permission to use, copy, modify, and distribute this software for any 7 | * purpose with or without fee is hereby granted, provided that the above 8 | * copyright notice and this permission notice appear in all copies. 9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
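*/

/*
 * NOTE(review): the twelve system #include lines that precede "iked.h" in
 * this file lost their <header> names in page extraction and are not
 * reproduced here; only the project include survived.
 */
#include "iked.h"

/*
 * Extending the imsg buffer API for internal use
 */

/*
 * Allocate a growable ibuf (capped at IKED_MSGBUF_MAX) holding a copy of the
 * len bytes at data; a NULL data pointer yields len zero bytes instead.  A
 * len of 0 returns an empty buffer.  Returns NULL if the allocation or the
 * copy fails; the buffer is released before returning in that case.
 */
struct ibuf *
ibuf_new(const void *data, size_t len)
{
	struct ibuf	*buf;
	int		 ret;

	if ((buf = ibuf_dynamic(len, IKED_MSGBUF_MAX)) == NULL)
		return (NULL);
	if (len == 0)
		return (buf);

	ret = (data == NULL) ?
	    ibuf_add_zero(buf, len) : ibuf_add(buf, data, len);
	if (ret != 0) {
		ibuf_free(buf);
		return (NULL);
	}
	return (buf);
}

/* A fixed-size buffer of the maximum message size, or NULL on failure. */
struct ibuf *
ibuf_static(void)
{
	return (ibuf_open(IKED_MSGBUF_MAX));
}

/* Bytes written to buf so far; a NULL buf counts as empty. */
size_t
ibuf_length(struct ibuf *buf)
{
	return (buf == NULL ? 0 : ibuf_size(buf));
}

/*
 * Copy the next len bytes of buf (as fetched by ibuf_get_ibuf()) into a
 * fresh ibuf.  Returns NULL if ibuf_get_ibuf() fails or the copy cannot be
 * allocated.
 */
struct ibuf *
ibuf_getdata(struct ibuf *buf, size_t len)
{
	struct ibuf	 tmp;

	if (ibuf_get_ibuf(buf, len, &tmp) == -1)
		return (NULL);
	return (ibuf_new(ibuf_data(&tmp), ibuf_size(&tmp)));
}

/* Deep copy of buf's written contents; NULL in, NULL out. */
struct ibuf *
ibuf_dup(struct ibuf *buf)
{
	if (buf == NULL)
		return (NULL);
	return (ibuf_new(ibuf_data(buf), ibuf_size(buf)));
}

/*
 * A new ibuf of exactly len bytes filled from arc4random_buf(), or NULL if
 * the buffer or its reservation cannot be allocated.
 */
struct ibuf *
ibuf_random(size_t len)
{
	struct ibuf	*buf;
	void		*ptr;

	if ((buf = ibuf_open(len)) == NULL)
		return (NULL);
	if ((ptr = ibuf_reserve(buf, len)) == NULL) {
		ibuf_free(buf);
		return (NULL);
	}
	arc4random_buf(ptr, len);
	return (buf);
}

/*
 * Set the written length (wpos) of buf to len without touching its
 * contents.  Returns -1 if buf is NULL or len exceeds the allocated size,
 * 0 otherwise.  The NULL check mirrors ibuf_length(), which already treats
 * a NULL buffer as valid input.
 *
 * NOTE(review): raising wpos past what was actually written exposes the
 * bytes in between as message content.  That is only safe if the allocator
 * behind ibuf zero-fills, which is not visible here -- confirm in
 * compat/imsg-buffer.c before relying on it.
 */
int
ibuf_setsize(struct ibuf *buf, size_t len)
{
	if (buf == NULL || len > buf->size)
		return (-1);
	buf->wpos = len;
	return (0);
}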
-------------------------------------------------------------------------------- /iked/ipsec.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: $ */ 2 | 3 | /* 4 | * Copyright (c) 2020-2021 Tobias Heider 5 | * Copyright (c) 2020 Markus Friedl 6 | * 7 | * Permission to use, copy, modify, and distribute this software for any 8 | * purpose with or without fee is hereby granted, provided that the above 9 | * copyright notice and this permission notice appear in all copies. 10 | * 11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/

/*
 * NOTE(review): the three system #include lines that precede "iked.h" in
 * this file lost their <header> names in page extraction and are not
 * reproduced here.
 */
#include "iked.h"

/*
 * IPsec backend front end.  Every function below forwards to the PF_KEY
 * implementation in pfkey.c with identical arguments and hands back its
 * return value unchanged; the rest of the daemon uses only the ipsec_*
 * names.
 */

/* Forward to pfkey_couple(). */
int
ipsec_couple(struct iked *env, struct iked_sas *sas, int couple)
{
	return (pfkey_couple(env, sas, couple));
}

/* Forward to pfkey_sa_last_used(); the result lands in *last_used. */
int
ipsec_sa_last_used(struct iked *env, struct iked_childsa *sa,
    uint64_t *last_used)
{
	return (pfkey_sa_last_used(env, sa, last_used));
}

/* Forward to pfkey_flow_add(). */
int
ipsec_flow_add(struct iked *env, struct iked_flow *flow)
{
	return (pfkey_flow_add(env, flow));
}

/* Forward to pfkey_flow_delete(). */
int
ipsec_flow_delete(struct iked *env, struct iked_flow *flow)
{
	return (pfkey_flow_delete(env, flow));
}

/* Forward to pfkey_sa_init(); the SPI is returned through *spi. */
int
ipsec_sa_init(struct iked *env, struct iked_childsa *sa, uint32_t *spi)
{
	return (pfkey_sa_init(env, sa, spi));
}

/* Forward to pfkey_sa_add(). */
int
ipsec_sa_add(struct iked *env, struct iked_childsa *sa,
    struct iked_childsa *last)
{
	return (pfkey_sa_add(env, sa, last));
}

/* Forward to pfkey_sa_update_addresses(). */
int
ipsec_sa_update_addresses(struct iked *env, struct iked_childsa *sa)
{
	return (pfkey_sa_update_addresses(env, sa));
}

/* Forward to pfkey_sa_delete(). */
int
ipsec_sa_delete(struct iked *env, struct iked_childsa *sa)
{
	return (pfkey_sa_delete(env, sa));
}

/* Forward to pfkey_socket(). */
int
ipsec_socket(struct iked *env)
{
	return (pfkey_socket(env));
}

/* Forward to pfkey_init() with the already-open backend descriptor fd. */
void
ipsec_init(struct iked *env, int fd)
{
	pfkey_init(env, fd);
}

/* -------------------------------------------------------------------------------- /iked/log.c: -------------------------------------------------------------------------------- */
/* $OpenBSD: log.c,v 1.12 2017/03/21 12:06:55 bluhm Exp $ */

/*
 * Copyright (c) 2003, 2004 Henning Brauer
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | static int debug; 28 | static int verbose; 29 | const char *log_procname; 30 | 31 | void log_init(int, int); 32 | void log_procinit(const char *); 33 | void log_setverbose(int); 34 | int log_getverbose(void); 35 | void log_warn(const char *, ...) 36 | __attribute__((__format__ (printf, 1, 2))); 37 | void log_warnx(const char *, ...) 38 | __attribute__((__format__ (printf, 1, 2))); 39 | void log_info(const char *, ...) 40 | __attribute__((__format__ (printf, 1, 2))); 41 | void log_debug(const char *, ...) 42 | __attribute__((__format__ (printf, 1, 2))); 43 | void logit(int, const char *, ...) 44 | __attribute__((__format__ (printf, 2, 3))); 45 | void vlog(int, const char *, va_list) 46 | __attribute__((__format__ (printf, 2, 0))); 47 | __dead void fatal(const char *, ...) 48 | __attribute__((__format__ (printf, 1, 2))); 49 | __dead void fatalx(const char *, ...) 
50 | __attribute__((__format__ (printf, 1, 2))); 51 | /* Set up logging.  A non-zero n_debug routes all output to stderr and doubles as the initial verbosity (see log_setverbose()); otherwise syslog(3) is opened with the given facility.  The process name used by the fatal routines defaults to __progname. */ 52 | void 53 | log_init(int n_debug, int facility) 54 | { 55 | extern char *__progname; 56 | 57 | debug = n_debug; 58 | verbose = n_debug; 59 | log_procinit(__progname); 60 | 61 | if (!debug) 62 | openlog(__progname, LOG_PID | LOG_NDELAY, facility); 63 | 64 | tzset(); 65 | } 66 | /* Record the name that prefixes fatal messages; NULL keeps the current one. */ 67 | void 68 | log_procinit(const char *procname) 69 | { 70 | if (procname != NULL) 71 | log_procname = procname; 72 | } 73 | /* Set / read the verbosity threshold consulted by log_debug(). */ 74 | void 75 | log_setverbose(int v) 76 | { 77 | verbose = v; 78 | } 79 | 80 | int 81 | log_getverbose(void) 82 | { 83 | return (verbose); 84 | } 85 | /* Variadic front end for vlog(). */ 86 | void 87 | logit(int pri, const char *fmt, ...) 88 | { 89 | va_list ap; 90 | 91 | va_start(ap, fmt); 92 | vlog(pri, fmt, ap); 93 | va_end(ap); 94 | } 95 | /* Emit one message: to stderr with a trailing newline when debugging, otherwise to syslog at priority pri.  errno is saved on entry and restored on exit so that logging never disturbs an error the caller is about to report. */ 96 | void 97 | vlog(int pri, const char *fmt, va_list ap) 98 | { 99 | char *nfmt; 100 | int saved_errno = errno; 101 | 102 | if (debug) { 103 | /* best effort in out of mem situations */ 104 | if (asprintf(&nfmt, "%s\n", fmt) == -1) { 105 | vfprintf(stderr, fmt, ap); 106 | fprintf(stderr, "\n"); 107 | } else { 108 | vfprintf(stderr, nfmt, ap); 109 | free(nfmt); 110 | } 111 | fflush(stderr); 112 | } else 113 | vsyslog(pri, fmt, ap); 114 | 115 | errno = saved_errno; 116 | } 117 | /* Like warn(3): log emsg, ": " and the strerror() text of the errno seen on entry at LOG_ERR; a NULL emsg logs only the strerror() text.  NOTE(review): the strerror() text is spliced into the format string handed to vlog(), so this relies on strerror() output never containing a '%'. */ 118 | void 119 | log_warn(const char *emsg, ...) 120 | { 121 | char *nfmt; 122 | va_list ap; 123 | int saved_errno = errno; 124 | 125 | /* best effort to even work in out of memory situations */ 126 | if (emsg == NULL) 127 | logit(LOG_ERR, "%s", strerror(saved_errno)); 128 | else { 129 | va_start(ap, emsg); 130 | 131 | if (asprintf(&nfmt, "%s: %s", emsg, 132 | strerror(saved_errno)) == -1) { 133 | /* we tried it... */ 134 | vlog(LOG_ERR, emsg, ap); 135 | logit(LOG_ERR, "%s", strerror(saved_errno)); 136 | } else { 137 | vlog(LOG_ERR, nfmt, ap); 138 | free(nfmt); 139 | } 140 | va_end(ap); 141 | } 142 | 143 | errno = saved_errno; 144 | } 145 | /* Like warnx(3): log emsg at LOG_ERR with no errno text appended. */ 146 | void 147 | log_warnx(const char *emsg, ...) 
148 | { 149 | va_list ap; 150 | 151 | va_start(ap, emsg); 152 | vlog(LOG_ERR, emsg, ap); 153 | va_end(ap); 154 | } 155 | /* Log emsg at LOG_INFO, unconditionally. */ 156 | void 157 | log_info(const char *emsg, ...) 158 | { 159 | va_list ap; 160 | 161 | va_start(ap, emsg); 162 | vlog(LOG_INFO, emsg, ap); 163 | va_end(ap); 164 | } 165 | /* Log emsg at LOG_DEBUG, but only when the verbosity set through log_init()/log_setverbose() is above 1. */ 166 | void 167 | log_debug(const char *emsg, ...) 168 | { 169 | va_list ap; 170 | 171 | if (verbose > 1) { 172 | va_start(ap, emsg); 173 | vlog(LOG_DEBUG, emsg, ap); 174 | va_end(ap); 175 | } 176 | } 177 | /* Shared body of fatal()/fatalx(): format emsg into a static buffer (silently truncated at BUFSIZ) and log it at LOG_CRIT prefixed with log_procname; a non-zero code appends ": " and its strerror() text, and a NULL emsg drops the message part.  The static buffer makes this non-reentrant, which is tolerable only because both callers exit immediately afterwards. */ 178 | static void 179 | vfatalc(int code, const char *emsg, va_list ap) 180 | { 181 | static char s[BUFSIZ]; 182 | const char *sep; 183 | 184 | if (emsg != NULL) { 185 | (void)vsnprintf(s, sizeof(s), emsg, ap); 186 | sep = ": "; 187 | } else { 188 | s[0] = '\0'; 189 | sep = ""; 190 | } 191 | if (code) 192 | logit(LOG_CRIT, "%s: %s%s%s", 193 | log_procname, s, sep, strerror(code)); 194 | else 195 | logit(LOG_CRIT, "%s%s%s", log_procname, sep, s); 196 | } 197 | /* Log emsg plus the strerror() text of the current errno at LOG_CRIT, then exit(1). */ 198 | void 199 | fatal(const char *emsg, ...) 200 | { 201 | va_list ap; 202 | 203 | va_start(ap, emsg); 204 | vfatalc(errno, emsg, ap); 205 | va_end(ap); 206 | exit(1); 207 | } 208 | /* Like fatal() but without the errno text. */ 209 | void 210 | fatalx(const char *emsg, ...) 211 | { 212 | va_list ap; 213 | 214 | va_start(ap, emsg); 215 | vfatalc(0, emsg, ap); 216 | va_end(ap); 217 | exit(1); 218 | } 219 | -------------------------------------------------------------------------------- /iked/sntrup761.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # $OpenBSD: sntrup761.sh,v 1.1 2021/05/28 18:01:39 tobhe Exp $ 3 | # Placed in the Public Domain. 
4 | # 5 | AUTHOR="supercop-20201130/crypto_kem/sntrup761/ref/implementors" 6 | FILES=" 7 | supercop-20201130/crypto_sort/int32/portable4/int32_minmax.inc 8 | supercop-20201130/crypto_sort/int32/portable4/sort.c 9 | supercop-20201130/crypto_sort/uint32/useint32/sort.c 10 | supercop-20201130/crypto_kem/sntrup761/ref/uint32.c 11 | supercop-20201130/crypto_kem/sntrup761/ref/int32.c 12 | supercop-20201130/crypto_kem/sntrup761/ref/paramsmenu.h 13 | supercop-20201130/crypto_kem/sntrup761/ref/params.h 14 | supercop-20201130/crypto_kem/sntrup761/ref/Decode.h 15 | supercop-20201130/crypto_kem/sntrup761/ref/Decode.c 16 | supercop-20201130/crypto_kem/sntrup761/ref/Encode.h 17 | supercop-20201130/crypto_kem/sntrup761/ref/Encode.c 18 | supercop-20201130/crypto_kem/sntrup761/ref/kem.c 19 | " 20 | ### 21 |
# NOTE(review): the supercop snapshot is pinned only by the directory name
# supercop-20201130 in AUTHOR and FILES above; nothing here checks the archive
# it was unpacked from, so record its expected digest (placeholder:
# <SUPERCOP_TARBALL_SHA256>) next to the snapshot name and verify it before
# regenerating the KEM source from it.
# $1 is the directory that holds the unpacked tree; with set -e a failed cd
# aborts the script instead of running the rewrites below on the wrong files.
 22 | set -e 23 | cd $1 24 | echo -n '/* $' 25 | echo 'OpenBSD: $ */' 26 | echo 27 | echo '/*' 28 | echo ' * Public Domain, Authors:' 29 | sed -e '/Alphabetical order:/d' -e 's/^/ * - /' < $AUTHOR 30 | echo ' */' 31 | echo 32 | echo '#include ' 33 | echo '#include "crypto_api.h"' 34 | echo 35 | # Map the types used in this code to the ones in crypto_api.h. We use #define 36 | # instead of typedef since some systems have existing intXX types and do not 37 | # permit multiple typedefs even if they do not conflict. 38 | for t in int8 uint8 int16 uint16 int32 uint32 int64 uint64; do 39 | echo "#define $t crypto_${t}" 40 | done 41 | echo 42 | for i in $FILES; do 43 | echo "/* from $i */" 44 | # Changes to all files: 45 | # - remove all includes, we inline everything required. 46 | # - make functions not required elsewhere static. 47 | # - rename the functions we do use. 48 | # - remove unneccesary defines and externs. 
49 | sed -e "/#include/d" \ 50 | -e "s/crypto_kem_/crypto_kem_sntrup761_/g" \ 51 | -e "s/^void /static void /g" \ 52 | -e "s/^int16 /static int16 /g" \ 53 | -e "s/^uint16 /static uint16 /g" \ 54 | -e "/^extern /d" \ 55 | -e '/CRYPTO_NAMESPACE/d' \ 56 | -e "/^#define int32 crypto_int32/d" \ 57 | $i | \ 58 | case "$i" in 59 | # Use int64_t for intermediate values in int32_MINMAX to prevent signed 60 | # 32-bit integer overflow when called by crypto_sort_uint32. 61 | */int32_minmax.inc) 62 | sed -e "s/int32 ab = b ^ a/int64_t ab = (int64_t)b ^ (int64_t)a/" \ 63 | -e "s/int32 c = b - a/int64_t c = (int64_t)b - (int64_t)a/" 64 | ;; 65 | */int32/portable4/sort.c) 66 | sed -e "s/void crypto_sort/void crypto_sort_int32/g" 67 | ;; 68 | */uint32/useint32/sort.c) 69 | sed -e "s/void crypto_sort/void crypto_sort_uint32/g" 70 | ;; 71 | # Remove unused function to prevent warning. 72 | */crypto_kem/sntrup761/ref/int32.c) 73 | sed -e '/ int32_div_uint14/,/^}$/d' 74 | ;; 75 | # Remove unused function to prevent warning. 76 | */crypto_kem/sntrup761/ref/uint32.c) 77 | sed -e '/ uint32_div_uint14/,/^}$/d' 78 | ;; 79 | # Default: pass through. 80 | *) 81 | cat 82 | ;; 83 | esac 84 | echo 85 | done 86 | -------------------------------------------------------------------------------- /iked/timer.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: timer.c,v 1.13 2016/09/13 10:49:52 mikeb Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2010-2013 Reyk Floeter 5 | * 6 | * Permission to use, copy, modify, and distribute this software for any 7 | * purpose with or without fee is hereby granted, provided that the above 8 | * copyright notice and this permission notice appear in all copies. 9 | * 10 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 | * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | #include "iked.h" 33 | 34 | void timer_callback(int, short, void *); 35 | 36 | void 37 | timer_set(struct iked *env, struct iked_timer *tmr, 38 | void (*cb)(struct iked *, void *), void *arg) 39 | { 40 | if (evtimer_initialized(&tmr->tmr_ev) && 41 | evtimer_pending(&tmr->tmr_ev, NULL)) 42 | evtimer_del(&tmr->tmr_ev); 43 | 44 | tmr->tmr_env = env; 45 | tmr->tmr_cb = cb; 46 | tmr->tmr_cbarg = arg; 47 | evtimer_set(&tmr->tmr_ev, timer_callback, tmr); 48 | } 49 | 50 | void 51 | timer_add(struct iked *env, struct iked_timer *tmr, int timeout) 52 | { 53 | struct timeval tv = { timeout }; 54 | 55 | evtimer_add(&tmr->tmr_ev, &tv); 56 | } 57 | 58 | void 59 | timer_del(struct iked *env, struct iked_timer *tmr) 60 | { 61 | if (tmr->tmr_env == env && tmr->tmr_cb && 62 | evtimer_initialized(&tmr->tmr_ev)) 63 | evtimer_del(&tmr->tmr_ev); 64 | } 65 | 66 | void 67 | timer_callback(int fd, short event, void *arg) 68 | { 69 | struct iked_timer *tmr = arg; 70 | 71 | if (tmr->tmr_cb) 72 | tmr->tmr_cb(tmr->tmr_env, tmr->tmr_cbarg); 73 | } 74 | -------------------------------------------------------------------------------- /iked/types.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: types.h,v 1.54 2024/02/15 20:10:45 tobhe Exp $ */ 2 | 3 | /* 4 | * Copyright (c) 2019 Tobias Heider 5 | * Copyright (c) 2010-2013 Reyk Floeter 6 | * 7 | * Permission to use, copy, modify, and distribute this software for any 8 | * 
purpose with or without fee is hereby granted, provided that the above 9 | * copyright notice and this permission notice appear in all copies. 10 | * 11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 | */ 19 | 20 | #ifndef IKED_TYPES_H 21 | #define IKED_TYPES_H 22 | 23 | #ifndef IKED_USER 24 | #define IKED_USER "_iked" 25 | #endif 26 | 27 | #ifndef IKED_CONFIG 28 | #define IKED_CONFIG "/etc/iked.conf" 29 | #endif 30 | 31 | #define IKED_SOCKET "/var/run/iked.sock" 32 | 33 | #ifndef IKED_CA 34 | #define IKED_CA "/etc/iked/" 35 | #endif 36 | 37 | #define IKED_CA_DIR "ca/" 38 | #define IKED_CRL_DIR "crls/" 39 | #define IKED_CERT_DIR "certs/" 40 | #define IKED_PUBKEY_DIR "pubkeys/" 41 | #define IKED_PRIVKEY IKED_CA "private/local.key" 42 | #define IKED_PUBKEY "local.pub" 43 | 44 | #define IKED_VENDOR_ID "OpenIKED-" 45 | 46 | #define IKED_OCSP_RESPCERT "ocsp/responder.crt" 47 | 48 | #define IKED_OPT_VERBOSE 0x00000001 49 | #define IKED_OPT_NOACTION 0x00000002 50 | #define IKED_OPT_PASSIVE 0x00000004 51 | 52 | #define IKED_IKE_PORT 500 53 | #define IKED_NATT_PORT 4500 54 | 55 | #define IKED_NONCE_MIN 16 /* XXX 128 bits */ 56 | #define IKED_NONCE_SIZE 32 /* XXX 256 bits */ 57 | 58 | #define IKED_COOKIE_MIN 1 /* min 1 bytes */ 59 | #define IKED_COOKIE_MAX 64 /* max 64 bytes */ 60 | 61 | #define IKED_COOKIE2_MIN 8 /* min 8 bytes */ 62 | #define IKED_COOKIE2_MAX 64 /* max 64 bytes */ 63 | 64 | #define IKED_ID_SIZE 1024 /* XXX should be dynamic */ 65 | #define IKED_PSK_SIZE 1024 /* XXX should be 
dynamic */ 66 | #define IKED_MSGBUF_MAX 8192 67 | #define IKED_CFG_MAX 16 /* maximum CP attributes */ 68 | #define IKED_IPPROTO_MAX 16 69 | #define IKED_TAG_SIZE 64 70 | #define IKED_CYCLE_BUFFERS 8 /* # of static buffers for mapping */ 71 | #define IKED_PASSWORD_SIZE 256 /* limited by most EAP types */ 72 | 73 | #define IKED_LIFETIME_BYTES 4294967296ULL /* 4 GB */ 74 | #define IKED_LIFETIME_SECONDS 10800 /* 3 hours */ 75 | 76 | #define IKED_E 0x1000 /* Decrypted flag */ 77 | 78 | struct iked_constmap { 79 | unsigned int cm_type; 80 | const char *cm_name; 81 | const char *cm_descr; 82 | }; 83 | 84 | struct iked_transform { 85 | uint8_t xform_type; 86 | uint16_t xform_id; 87 | uint16_t xform_length; 88 | uint16_t xform_keylength; 89 | unsigned int xform_score; 90 | struct iked_constmap *xform_map; 91 | }; 92 | 93 | enum imsg_type { 94 | IMSG_NONE, 95 | IMSG_CTL_OK, 96 | IMSG_CTL_FAIL, 97 | IMSG_CTL_VERBOSE, 98 | IMSG_CTL_NOTIFY, 99 | IMSG_CTL_RELOAD, 100 | IMSG_CTL_RESET, 101 | IMSG_CTL_COUPLE, 102 | IMSG_CTL_DECOUPLE, 103 | IMSG_CTL_ACTIVE, 104 | IMSG_CTL_PASSIVE, 105 | IMSG_CTL_RESET_ID, 106 | IMSG_CTL_SHOW_SA, 107 | IMSG_CTL_STATIC, 108 | IMSG_COMPILE, 109 | IMSG_UDP_SOCKET, 110 | IMSG_PFKEY_SOCKET, 111 | IMSG_IKE_MESSAGE, 112 | IMSG_CFG_POLICY, 113 | IMSG_CFG_FLOW, 114 | IMSG_CFG_USER, 115 | IMSG_CERTREQ, 116 | IMSG_CERT, 117 | IMSG_CERTVALID, 118 | IMSG_CERTINVALID, 119 | IMSG_SCERT, 120 | IMSG_IF_ADDADDR, 121 | IMSG_IF_DELADDR, 122 | IMSG_VROUTE_ADD, 123 | IMSG_VROUTE_DEL, 124 | IMSG_VROUTE_CLONE, 125 | IMSG_VDNS_ADD, 126 | IMSG_VDNS_DEL, 127 | IMSG_OCSP_FD, 128 | IMSG_OCSP_CFG, 129 | IMSG_AUTH, 130 | IMSG_PRIVKEY, 131 | IMSG_PUBKEY, 132 | IMSG_CTL_SHOW_CERTSTORE, 133 | IMSG_CTL_SHOW_STATS, 134 | IMSG_CTL_PROCFD, 135 | IMSG_CTL_PROCREADY, 136 | }; 137 | 138 | enum privsep_procid { 139 | PROC_PARENT = 0, 140 | PROC_CONTROL, 141 | PROC_CERT, 142 | PROC_IKEV2, 143 | PROC_MAX 144 | }; 145 | 146 | enum flushmode { 147 | RESET_RELOAD = 0, 148 | RESET_ALL, 149 | 
RESET_CA, 150 | RESET_POLICY, 151 | RESET_SA, 152 | RESET_USER, 153 | }; 154 | 155 | #ifndef nitems 156 | #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0])) 157 | #endif 158 | 159 | #endif /* IKED_TYPES_H */ 160 | -------------------------------------------------------------------------------- /iked/version.h: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: version.h,v 1.4 2024/03/02 15:55:58 tobhe Exp $ */ 2 | 3 | #define IKED_VERSION "7.4" 4 | -------------------------------------------------------------------------------- /linux/iked.apparmor: -------------------------------------------------------------------------------- 1 | # Last Modified: Thu Apr 14 17:48:19 2022 2 | abi , 3 | 4 | include 5 | 6 | profile iked /usr/sbin/iked { 7 | include 8 | 9 | capability kill, 10 | 11 | # address/route configuration 12 | capability net_admin, 13 | network netlink dgram, 14 | 15 | # config file 16 | include 17 | /etc/iked.conf r, 18 | /etc/iked/** r, 19 | 20 | # systemd-resolved 21 | unix bind type=stream addr=@*/bus/iked/system, 22 | dbus send 23 | bus=system 24 | path=/org/freedesktop/resolve1 25 | interface=org.freedesktop.resolve1.Manager 26 | member=SetLinkDNS 27 | peer=(name=(org.freedesktop.resolve1)), 28 | dbus send 29 | bus=system 30 | path=/org/freedesktop/resolve1 31 | interface=org.freedesktop.resolve1.Manager 32 | member=SetLinkDefaultRoute 33 | peer=(name=(org.freedesktop.resolve1)), 34 | dbus send 35 | bus=system 36 | path=/org/freedesktop/network1 37 | interface=org.freedesktop.network1.Manager 38 | member=SetLinkDNS 39 | peer=(name=(org.freedesktop.network1)), 40 | dbus send 41 | bus=system 42 | path=/org/freedesktop/network1 43 | interface=org.freedesktop.network1.Manager 44 | member=SetLinkDefaultRoute 45 | peer=(name=(org.freedesktop.network1)), 46 | 47 | # reexec 48 | /usr/sbin/iked ix, 49 | 50 | # priv dropping 51 | capability setuid, 52 | capability setgid, 53 | capability sys_chroot, 54 | 55 | # 
switch profile
56 | owner @{PROC}/@{tid}/mounts r,
57 | owner @{PROC}/@{tid}/attr/current w,
# one sub-profile per privsep child; ca, control and ikev2 are defined below
58 | change_profile -> iked//ca,
59 | change_profile -> iked//control,
60 | change_profile -> iked//ikev2,
61 |
62 | signal (send) peer=iked//ca,
63 | signal (send) peer=iked//control,
64 | signal (send) peer=iked//ikev2,
# NOTE(review): no iked//resolvectl sub-profile is defined in this file and
# there is no change_profile rule for it above — confirm it is defined
# elsewhere, otherwise this rule is stale.
65 | signal (send) peer=iked//resolvectl,
66 |
67 | unix (send, receive) type=stream peer=(label=iked//control),
68 | unix (send, receive) type=stream peer=(label=iked//ikev2),
69 | unix (send, receive) type=stream peer=(label=iked//ca),
70 |
# write access only here; the control sub-profile below has rw on the same path
71 | owner /run/iked.sock w,
# PFKEY (the ikev2 sub-profile below carries the same rule)
72 | network key raw,
73 |
74 | profile ca {
75 | include
76 |
77 | # privsep
78 | signal (receive) peer=iked,
79 | unix (send, receive) type=stream peer=(label=iked),
80 |
81 | # certs/keys
82 | /etc/iked/** r,
83 | }
84 |
85 | profile control {
86 | include
87 |
88 | # privsep
89 | signal (receive) peer=iked,
90 | unix (send, receive) type=stream peer=(label=iked),
91 | /run/iked.sock rw,
92 |
93 | # ikectl control sock
94 | network unix raw,
95 | }
96 |
97 | profile ikev2 {
98 | include
99 |
100 | # privsep
101 | signal (receive) peer=iked,
102 | unix (send, receive) type=stream peer=(label=iked),
103 |
104 | # IKEv2
105 | network inet dgram,
106 | network inet6 dgram,
107 | # PFKEY
108 | network key raw,
109 | }
110 | }
111 | -------------------------------------------------------------------------------- /linux/openiked.service: -------------------------------------------------------------------------------- 1 | [Unit]
2 | Description=OpenIKED IKEv2 daemon
3 | Documentation=man:iked(8)
# NOTE(review): Requires= expresses a dependency but not ordering; without a
# matching After=network-online.target the daemon can be started before the
# network is up. Consider adding `After=network-online.target`.
4 | Requires=network-online.target
5 |
6 | [Service]
7 | Type=forking
8 | ExecStart=/usr/sbin/iked
9 | ExecReload=/usr/sbin/ikectl reload
10 |
11 | [Install]
12 | WantedBy=multi-user.target
13 | -------------------------------------------------------------------------------- /regress/Makefile: -------------------------------------------------------------------------------- 1 | # $OpenBSD: Makefile,v 1.3
2020/01/16 11:41:14 bluhm Exp $ 2 | 3 | SUBDIR= test_helper dh parser live 4 | 5 | .include 6 | -------------------------------------------------------------------------------- /regress/Makefile.inc: -------------------------------------------------------------------------------- 1 | # $OpenBSD: Makefile.inc,v 1.1 2017/05/29 20:57:21 markus Exp $ 2 | 3 | CDIAGFLAGS= -Wall 4 | #CDIAGFLAGS+= -Werror 5 | CDIAGFLAGS+= -Wextra 6 | CDIAGFLAGS+= -Wpointer-arith 7 | CDIAGFLAGS+= -Wstrict-prototypes 8 | CDIAGFLAGS+= -Wmissing-prototypes 9 | CDIAGFLAGS+= -Wunused 10 | CDIAGFLAGS+= -Wsign-compare 11 | CDIAGFLAGS+= -Wshadow 12 | CDIAGFLAGS+= -Wpointer-sign 13 | CDIAGFLAGS+= -Wno-unused-parameter #-Wno-error=unused-parameter 14 | CDIAGFLAGS+= -Wuninitialized 15 | .if (${CC:L} == "gcc" || ${CC:L} == "cc") 16 | CDIAGFLAGS+= -Wbounded 17 | .endif 18 | 19 | DEBUG= -g 20 | -------------------------------------------------------------------------------- /regress/dh/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2020-2021 Tobias Heider 2 | # 3 | # Permission to use, copy, modify, and distribute this software for any 4 | # purpose with or without fee is hereby granted, provided that the above 5 | # copyright notice and this permission notice appear in all copies. 6 | # 7 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 10 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 12 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 13 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
14 | 15 | set(SRCS) 16 | list(APPEND SRCS 17 | dhtest.c 18 | ${CMAKE_CURRENT_SOURCE_DIR}/../../iked/crypto_hash.c 19 | ${CMAKE_CURRENT_SOURCE_DIR}/../../iked/dh.c 20 | ${CMAKE_CURRENT_SOURCE_DIR}/../../iked/smult_curve25519_ref.c 21 | ${CMAKE_CURRENT_SOURCE_DIR}/../../iked/sntrup761.c 22 | ${CMAKE_CURRENT_SOURCE_DIR}/../../iked/imsg_util.c 23 | ) 24 | 25 | add_executable(dhtest ${SRCS}) 26 | 27 | target_include_directories(dhtest 28 | PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/../../iked 29 | ) 30 | 31 | target_link_libraries(dhtest 32 | PRIVATE util crypto compat 33 | ) 34 | 35 | target_compile_options(dhtest PRIVATE ${CFLAGS}) 36 | -------------------------------------------------------------------------------- /regress/dh/Makefile: -------------------------------------------------------------------------------- 1 | # $OpenBSD: Makefile,v 1.4 2021/05/28 21:09:01 tobhe Exp $ 2 | 3 | # Test DH: 4 | 5 | PROG= dhtest 6 | SRCS= dh.c dhtest.c smult_curve25519_ref.c imsg_util.c 7 | SRCS+= sntrup761.c crypto_hash.c 8 | TOPSRC= ${.CURDIR}/../../../../sbin/iked 9 | TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- 10 | .PATH: ${TOPSRC} ${TOPOBJ} 11 | CFLAGS+= -I${TOPSRC} -I${TOPOBJ} -Wall 12 | 13 | NOMAN= 14 | LDADD+= -lcrypto -lutil 15 | DPADD+= ${LIBCRYPTO} 16 | DEBUG= -g 17 | 18 | .include 19 | -------------------------------------------------------------------------------- /regress/dh/dhtest.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD: dhtest.c,v 1.5 2021/05/28 21:09:01 tobhe Exp $ */ 2 | /* $EOM: dhtest.c,v 1.1 1998/07/18 21:14:20 provos Exp $ */ 3 | 4 | /* 5 | * Copyright (c) 2020 Tobias Heider 6 | * Copyright (c) 2010 Reyk Floeter 7 | * Copyright (c) 1998 Niels Provos. All rights reserved. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions 11 | * are met: 12 | * 1. 
Redistributions of source code must retain the above copyright 13 | * notice, this list of conditions and the following disclaimer. 14 | * 2. Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | /* 31 | * This code was written under funding by Ericsson Radio Systems. 
32 | */
33 |
34 | /*
35 | * This module does a Diffie-Hellman Exchange
36 | */
37 |
38 | #include
39 | #include
40 | #include
41 | #include
42 | #include
43 | #include
44 |
45 | #include
46 | #include
47 | #include
48 |
49 | #include "dh.h"
50 | #include "iked.h"
51 |
/*
 * Regression test: for every group id that group_get() accepts (except
 * GROUP_SNTRUP761X25519), create two independent dh_group instances, run an
 * exchange between them and check that both sides derive the same shared
 * secret.  Prints one line per group; returns 1 on the first mismatch and 0
 * if every tested group agrees.
 */
52 | int
53 | main(void)
54 | {
55 | int id;
56 | struct ibuf *buf, *buf2;
57 | struct ibuf *sec, *sec2;
58 | uint8_t *raw, *raw2;
59 | struct dh_group *group, *group2;
/* indexed by group->spec->type; assumes every non-skipped type is < 3 — TODO confirm */
60 | const char *name[] = { "MODP", "ECP", "CURVE25519" };
61 |
62 | group_init();
63 |
64 | for (id = 0; id < 0xffff; id++) {
/*
 * Two separate group objects stand in for the two peers.
 * NOTE(review): when the first group_get() succeeds but the second fails,
 * or when the type is GROUP_SNTRUP761X25519, the object(s) already obtained
 * are not released before `continue` (test-only leak).
 */
65 | if (((group = group_get(id)) == NULL ||
66 | (group2 = group_get(id)) == NULL) ||
67 | group->spec->type == GROUP_SNTRUP761X25519)
68 | continue;
69 |
/*
 * NOTE(review): return values are not checked; on failure `buf`/`buf2`
 * may be left unset and are then handed to ibuf_length() below.
 */
70 | dh_create_exchange(group, &buf, NULL);
71 | dh_create_exchange(group2, &buf2, NULL);
72 |
73 | printf ("Testing group %d (%s-%d, length %zu): ", id,
74 | name[group->spec->type],
75 | group->spec->bits, ibuf_length(buf) * 8);
76 |
/* same caveat: `sec`/`sec2` are used unconditionally after these calls */
77 | dh_create_shared(group, &sec, buf2);
78 | dh_create_shared(group2, &sec2, buf);
79 |
80 | raw = ibuf_data(sec);
81 | raw2 = ibuf_data(sec2);
82 |
/* compares ibuf_length(sec) bytes only; the two secret lengths are not compared */
83 | if (memcmp (raw, raw2, ibuf_length(sec))) {
84 | printf("FAILED\n");
85 | return (1);
86 | } else
87 | printf("OKAY\n");
88 |
/* buf, buf2, sec and sec2 are not released here (test-only leak) */
89 | group_free(group);
90 | group_free(group2);
91 | }
92 |
93 | return (0);
94 | }
95 | -------------------------------------------------------------------------------- /regress/live/crt.in: -------------------------------------------------------------------------------- 1 | # $OpenBSD: crt.in,v 1.3 2021/12/21 13:50:35 tobhe Exp $
2 |
3 | [ req ]
4 | default_bits = 2048 # default strength of client certificates
5 | default_md = sha256
6 | encrypt_key = yes # "no" is equivalent to -nodes
7 | prompt = no
8 | string_mask = utf8only
9 | distinguished_name = dn # root certificate name
10 | req_extensions = req_cert_extensions
11 |
12 | [dn]
13 | C=DE
14 | ST=Bavaria
15 | L=Munich
16 | O=iked
17 | CN=${ENV::ALTNAME}
18 |
19 | [ req_cert_extensions ]
20 |
subjectAltName = @alt_names #;otherName = ${ENV::ALTNAME}-other 21 | 22 | [ v3_intermediate_ca ] 23 | basicConstraints = critical, CA:true, pathlen:0 24 | 25 | [ alt_names ] 26 | DNS.1=${ENV::ALTNAME} 27 | DNS.2=${ENV::ALTNAME}-alternative 28 | email= ${ENV::ALTNAME}@openbsd.org 29 | -------------------------------------------------------------------------------- /regress/live/iked.in: -------------------------------------------------------------------------------- 1 | ikev2 "test" $MODE $IPCOMP $TMODE esp from $FROM to $TO \ 2 | peer $PEER_ADDR \ 3 | $IKESA \ 4 | srcid $SRCID $DSTID \ 5 | $AUTH \ 6 | $CONFIG 7 | -------------------------------------------------------------------------------- /regress/live/pf.in: -------------------------------------------------------------------------------- 1 | block inet proto icmp all icmp-type echoreq 2 | pass on enc0 inet proto icmp all icmp-type echoreq 3 | block inet6 proto icmp6 all icmp6-type echoreq 4 | pass on enc0 inet6 proto icmp6 all icmp6-type echoreq 5 | -------------------------------------------------------------------------------- /regress/parser-libfuzzer/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2022-2023 David Linder 2 | # Copyright (c) 2020-2021 Tobias Heider 3 | # 4 | # Permission to use, copy, modify, and distribute this software for any 5 | # purpose with or without fee is hereby granted, provided that the above 6 | # copyright notice and this permission notice appear in all copies. 7 | # 8 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 | # MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 |
16 |
# Builds the libFuzzer harness for the IKEv2 payload parser (test_parser_fuzz.c
# plus the common.c stubs) against the shared iked objects. One of two link
# modes is chosen below by the CLUSTERFUZZLITE environment variable, which is
# read at configure time only.
17 | set(SRCS)
18 | list(APPEND SRCS
19 | common.c
20 | test_parser_fuzz.c
21 | )
22 |
# NOTE(review): CMake does not support changing CMAKE_C_COMPILER after the C
# language has been enabled by project(); this assignment either has no effect
# on the already-enabled language or forces a re-configure. Select the compiler
# on the command line or in a toolchain file instead (e.g.
# -DCMAKE_C_COMPILER=clang), and confirm the target really builds with clang,
# because -fsanitize=fuzzer below is a clang-only option.
23 | set(CMAKE_C_COMPILER clang)
24 | add_executable(test_libfuzzer ${SRCS})
25 |
# PUBLIC on an executable is harmless but PRIVATE would state the intent
# (nothing links against test_libfuzzer).
26 | target_include_directories(test_libfuzzer
27 | PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/../../iked
28 | )
29 |
30 | # when using clusterfuzz we need static linking and clusterfuzz' compiler arguments
31 | if (DEFINED ENV{CLUSTERFUZZLITE})
# NOTE(review): keyword-less target_link_libraries with raw linker flags in a
# single string. $ENV{LIB_FUZZING_ENGINE} is expanded unquoted, so if the
# variable is unset it silently disappears from the link and the failure
# surfaces only as an obscure link error. A guard such as
#   if(NOT DEFINED ENV{LIB_FUZZING_ENGINE}) message(FATAL_ERROR "...") endif()
# placed before this call would make that misconfiguration explicit.
32 | target_link_libraries(test_libfuzzer
33 | "-lm -Wl,-Bstatic -lssl -lcrypto -levent" compat iked-shared $ENV{LIB_FUZZING_ENGINE}
34 | )
35 | else()
# NOTE(review): these append to the directory-scope CMAKE_C_FLAGS /
# CMAKE_EXE_LINKER_FLAGS, so the sanitizer flags leak to any other target
# defined in this directory scope after this point. target_compile_options()
# and target_link_options() on test_libfuzzer would keep them local.
36 | string(APPEND CMAKE_C_FLAGS " -fsanitize=fuzzer")
37 | string(APPEND CMAKE_EXE_LINKER_FLAGS " -fsanitize=fuzzer")
38 | target_link_libraries(test_libfuzzer
39 | PRIVATE event crypto ssl compat iked-shared
40 | )
# Local-run setup: an (initially empty) corpus directory plus the run script
# and the dictionary copied next to the binary; run_test.sh uses both.
41 | file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/corpus)
42 | configure_file(run_test.sh run_test.sh COPYONLY)
43 | configure_file(test_libfuzzer.dict fuzz.dict COPYONLY)
44 | endif()
45 |
# CFLAGS here is a CMake variable presumably set by an enclosing CMakeLists,
# not the environment variable of the same name — verify against the caller.
46 | target_compile_options(test_libfuzzer PRIVATE ${CFLAGS})
47 |
48 | -------------------------------------------------------------------------------- /regress/parser-libfuzzer/run_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh
2 |
3 | # script to run the parser-fuzzer for 5 minutes with the right options
4 | # use repo github.com/openiked/openiked-fuzzing/corpus/test_libfuzzer as corpus for faster results
5 |
6 | # ASAN-option to help finding the source of memory leaks
7 | export ASAN_OPTIONS=fast_unwind_on_malloc=0
8 |
9 | $(dirname "$0")/test_libfuzzer -dict=$(dirname "$0")/fuzz.dict -max_len=8164
-max_total_time=300 $(dirname "$0")/corpus 10 | -------------------------------------------------------------------------------- /regress/parser-libfuzzer/test_libfuzzer.options: -------------------------------------------------------------------------------- 1 | [libfuzzer] 2 | max_len = 8164 3 | -------------------------------------------------------------------------------- /regress/parser-libfuzzer/test_parser_fuzz.c: -------------------------------------------------------------------------------- 1 | /* $OpenBSD$ */ 2 | /* 3 | * Fuzz tests for payload parsing 4 | * 5 | * Placed in the public domain 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | #include "iked.h" 17 | #include "ikev2.h" 18 | 19 | u_int8_t cookies[] = { 20 | 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0x00, 0x01, /* initator cookie */ 21 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* responder cookie */ 22 | }; 23 | 24 | u_int8_t genhdr[] = { 25 | 0x00, 0x20, 0x22, 0x08, /* next, major/minor, exchange type, flags */ 26 | 0x00, 0x00, 0x00, 0x00, /* message ID */ 27 | 0x00, 0x00, 0x00, 0x00 /* total length */ 28 | }; 29 | 30 | #define OFFSET_ICOOKIE 0 31 | #define OFFSET_RCOOKIE 8 32 | #define OFFSET_NEXTPAYLOAD (0 + sizeof(cookies)) 33 | #define OFFSET_VERSION (1 + sizeof(cookies)) 34 | #define OFFSET_EXCHANGE (2 + sizeof(cookies)) 35 | #define OFFSET_LENGTH (8 + sizeof(cookies)) 36 | 37 | static u_int8_t * 38 | get_icookie(u_int8_t *data) 39 | { 40 | return &data[OFFSET_ICOOKIE]; 41 | } 42 | 43 | static u_int8_t * 44 | get_rcookie(u_int8_t *data) 45 | { 46 | return &data[OFFSET_RCOOKIE]; 47 | } 48 | 49 | static u_int8_t 50 | get_nextpayload(u_int8_t *data) 51 | { 52 | return data[OFFSET_NEXTPAYLOAD]; 53 | } 54 | 55 | static u_int8_t 56 | get_version(u_int8_t *data) 57 | { 58 | return data[OFFSET_VERSION]; 59 | } 60 | 61 | static u_int8_t 62 | get_exchange(u_int8_t *data) 63 | { 64 | return data[OFFSET_EXCHANGE]; 65 | } 66 | 67 | static 
u_int32_t 68 | get_length(u_int8_t *data) 69 | { 70 | return *(u_int32_t *)&data[OFFSET_LENGTH]; 71 | } 72 | 73 | static void 74 | prepare_header(struct ike_header *hdr, struct ibuf *data) 75 | { 76 | bzero(hdr, sizeof(*hdr)); 77 | bcopy(get_icookie(ibuf_data(data)), &hdr->ike_ispi, 78 | sizeof(hdr->ike_ispi)); 79 | bcopy(get_rcookie(ibuf_data(data)), &hdr->ike_rspi, 80 | sizeof(hdr->ike_rspi)); 81 | hdr->ike_nextpayload = get_nextpayload(ibuf_data(data)); 82 | hdr->ike_version = get_version(ibuf_data(data)); 83 | hdr->ike_exchange = get_exchange(ibuf_data(data)); 84 | hdr->ike_length = get_length(ibuf_data(data)); 85 | } 86 | 87 | static void 88 | prepare_message(struct iked_message *msg, struct ibuf *data) 89 | { 90 | static struct iked_sa sa; 91 | 92 | bzero(&sa, sizeof(sa)); 93 | bzero(msg, sizeof(*msg)); 94 | 95 | msg->msg_sa = &sa; 96 | msg->msg_data = data; 97 | msg->msg_e = 1; 98 | msg->msg_parent = msg; 99 | 100 | TAILQ_INIT(&msg->msg_proposals); 101 | SIMPLEQ_INIT(&msg->msg_certreqs); 102 | } 103 | 104 | /* Entry-Point for libFuzzer */ 105 | int 106 | LLVMFuzzerTestOneInput(const char *data, size_t size) 107 | { 108 | struct ibuf *fuzzed; 109 | struct ike_header hdr; 110 | struct iked_message msg; 111 | 112 | bzero(&hdr, sizeof(hdr)); 113 | bzero(&msg, sizeof(msg)); 114 | 115 | fuzzed = ibuf_new(data, size); 116 | if (fuzzed == NULL){ 117 | fprintf(stderr, "%s\n", "ERROR: fuzzed == NULL! " 118 | "(hint: fuzz-input too long?)"); 119 | return -1; 120 | } 121 | 122 | /* size too small? 
*/ 123 | if (size < sizeof(cookies) + sizeof(genhdr)){ 124 | ibuf_free(fuzzed); 125 | return 0; 126 | } 127 | 128 | prepare_header(&hdr, fuzzed); 129 | prepare_message(&msg, fuzzed); 130 | 131 | ikev2_pld_parse(NULL, &hdr, &msg, 0); 132 | 133 | ikev2_msg_cleanup(NULL, &msg); 134 | 135 | return 0; 136 | } 137 | -------------------------------------------------------------------------------- /regress/parser/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2020-2021 Tobias Heider 2 | # 3 | # Permission to use, copy, modify, and distribute this software for any 4 | # purpose with or without fee is hereby granted, provided that the above 5 | # copyright notice and this permission notice appear in all copies. 6 | # 7 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 | # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 | # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 10 | # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 | # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 12 | # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 13 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
14 | 15 | set(SRCS) 16 | list(APPEND SRCS 17 | tests.c 18 | common.c 19 | test_parser_fuzz.c 20 | ) 21 | 22 | add_executable(test_parser ${SRCS}) 23 | 24 | target_include_directories(test_parser 25 | PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/../test_helper 26 | PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/../../iked 27 | ) 28 | 29 | target_link_libraries(test_parser 30 | PRIVATE util event crypto ssl test_helper compat iked-shared 31 | ) 32 | 33 | target_compile_options(test_parser PRIVATE ${CFLAGS}) 34 | -------------------------------------------------------------------------------- /regress/parser/Makefile: -------------------------------------------------------------------------------- 1 | # $OpenBSD: Makefile,v 1.3 2022/02/23 22:50:32 bluhm Exp $ 2 | 3 | WARNINGS=Yes 4 | 5 | PROG= test_parser 6 | SRCS= tests.c common.c test_parser_fuzz.c 7 | IKEOBJS= ikev2_pld.o imsg_util.o log.o util.o \ 8 | ikev2_map.o eap_map.o 9 | CLEANFILES= ${IKEOBJS} ${PROG}.log 10 | 11 | LDADD+= -lutil -lcrypto ${IKEOBJS} 12 | DPADD+= ${LIBUTIL} ${LIBCRYPTO} 13 | CFLAGS+= -I${.CURDIR}/../../../../sbin/iked 14 | CFLAGS+= -Wno-missing-field-initializers 15 | 16 | run-regress-${PROG}: ${PROG} 17 | ./${PROG} >${PROG}.log 2>&1 18 | 19 | test_parser: ${IKEOBJS} 20 | 21 | ${IKEOBJS}: 22 | cd ${.CURDIR}/../../../../sbin/iked && make $@ 23 | ln -sf ${.OBJDIR}/../../../../sbin/iked/$@ . 24 | 25 | LDADD+= -L${.OBJDIR} -ltest_helper 26 | DPADD+= libtest_helper.a 27 | CFLAGS+= -I${.CURDIR}/../test_helper 28 | 29 | libtest_helper.a: 30 | cd ${.CURDIR}/../test_helper && make $@ 31 | ln -sf ${.OBJDIR}/../test_helper/$@ . 
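
.include

--------------------------------------------------------------------------------
/regress/parser/common.c:
--------------------------------------------------------------------------------
/* $OpenBSD: common.c,v 1.13 2022/12/03 22:34:35 tobhe Exp $ */
/*
 * A bunch of stub functions so we can compile and link ikev2_pld.c
 * in a standalone program for testing purposes.
 *
 * Every stub is a no-op that yields a "nothing happened" result (0, NULL
 * or an empty string), so the payload parser under test cannot send,
 * encrypt, rekey or change SA state from inside the regress/fuzz harness.
 * Keep it that way: a stub with side effects would turn a parser bug into
 * a harness crash that is unrelated to the input being tested.
 *
 * Placed in the public domain
 */

/*
 * NOTE(review): the five system header names below were lost when this
 * listing was rendered (the angle-bracket tokens were stripped).  Restore
 * them from upstream regress/parser/common.c before building.
 */
#include
#include
#include

#include
#include

#include "iked.h"
#include "types.h"
#include "test_helper.h"

/*
 * Local prototypes for the stubs defined in this file.  Stubs that have
 * no prototype here (ikev2_ikesa_info, config_free_fragments,
 * ikev2_ike_sa_setreason, ikev2_msg_dispose, ikev2_msg_lookup) are
 * presumably declared by iked.h; their definitions below must stay
 * signature-compatible with those declarations.
 */
int	 eap_parse(struct iked *, const struct iked_sa *,
	    struct iked_message *, void *, int);
int	 ikev2_msg_frompeer(struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
int	 sa_stateok(const struct iked_sa *, int);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
void	 ikev2_init_ike_sa(struct iked *, void *);
const struct group_id *
	 group_getid(uint32_t);
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, u_int, int);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 config_add_transform(struct iked_proposal *, u_int,
	    u_int, u_int, u_int);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, u_int, u_int);
void	 config_free_proposal(struct iked_proposals *, struct iked_proposal *);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *, struct ibuf *,
	    struct ibuf *);

/* EAP: never parses anything; report success without touching msg. */
int
eap_parse(struct iked *env, const struct iked_sa *sa, struct iked_message *msg,
    void *data, int response)
{
	return (0);
}

/* Direction check: every message is treated as "not from peer". */
int
ikev2_msg_frompeer(struct iked_message *msg)
{
	return (0);
}

/* Encrypted send: nothing leaves the harness. */
int
ikev2_send_ike_e(struct iked *env, struct iked_sa *sa, struct ibuf *buf,
    uint8_t firstpayload, uint8_t exchange, int response)
{
	return (0);
}

/* IKE SA deletion: no SA state exists to tear down. */
void
ikev2_ikesa_recv_delete(struct iked *env, struct iked_sa *sa)
{
}

/* Log helper: return an empty string so log lines stay well formed. */
const char *
ikev2_ikesa_info(uint64_t spi, const char *msg)
{
	return "";
}

/* Child SA lookup: there are no child SAs, so nothing ever matches. */
struct iked_childsa *
childsa_lookup(struct iked_sa *a, uint64_t b, uint8_t c)
{
	return (NULL);
}

/* Child SA deletion: report success, delete nothing. */
int
ikev2_childsa_delete(struct iked *a, struct iked_sa *b, uint8_t c,
    uint64_t d, uint64_t *e , int f)
{
	return (0);
}

/*
 * SA state query: always "not in the requested state".  Code paths that
 * require an established SA are therefore never entered by the harness.
 */
int
sa_stateok(const struct iked_sa *a, int b)
{
	return (0);
}

/* SA state transition: discarded. */
void
sa_state(struct iked * a, struct iked_sa *b, int c)
{
}

/* Rekeying control: discarded. */
void
ikev2_disable_rekeying(struct iked *a, struct iked_sa *b)
{
}

/* Initiator start: discarded. */
void
ikev2_init_ike_sa(struct iked *a, void *b)
{
}

/* DH group table: no group is known, so every group id is "unsupported". */
const struct group_id *
group_getid(uint32_t id)
{
	return (NULL);
}

/* Timers: no event loop runs in the harness; all three are no-ops. */
void
timer_set(struct iked *env, struct iked_timer *tmr,
    void (*cb)(struct iked *, void *), void *arg)
{
}

void
timer_add(struct iked *env, struct iked_timer *tmr, int timeout)
{
}

void
timer_del(struct iked *env, struct iked_timer *tmr)
{
}

/* NAT detection hash: produce zero bytes of output. */
ssize_t
ikev2_nat_detection(struct iked *env, struct iked_message *msg,
    void *ptr, size_t len, u_int type, int frompeer)
{
	return (0);
}

/* Certificate request towards the CA process: not delivered. */
int
ca_setreq(struct iked *env, struct iked_sa *sh, struct iked_static_id *localid,
    uint8_t type, uint8_t more, uint8_t *data, size_t len,
    enum privsep_procid procid)
{
	return (0);
}

/* ID formatting: leaves idstr untouched and reports success. */
int
ikev2_print_id(struct iked_id *id, char *idstr, size_t idstrlen)
{
	return (0);
}

/* Proposal/transform construction: accepted but never stored. */
int
config_add_transform(struct iked_proposal *prop, u_int type,
    u_int id, u_int length, u_int keylength)
{
	return (0);
}

struct iked_proposal *
config_add_proposal(struct iked_proposals *head, u_int id, u_int proto)
{
	return (NULL);
}

void
config_free_proposal(struct iked_proposals *head, struct iked_proposal *prop)
{
	return;
}

void config_free_fragments(struct iked_frag *frag)
{
	return;
}

/* INFORMATIONAL exchange: not sent. */
int
ikev2_send_informational(struct iked *env, struct iked_message *msg)
{
	return (0);
}

/*
 * Decryption stub.  The caller hands over ownership of src in the pattern
 *
 *	src = ikev2_msg_decrypt(..., src);
 *
 * so src must be freed here or the harness leaks it on every encrypted
 * payload; returning NULL then makes the caller treat the payload as
 * undecryptable.  src being NULL is a caller bug and is asserted.
 */
struct ibuf *
ikev2_msg_decrypt(struct iked *env, struct iked_sa *sa,
    struct ibuf *msg, struct ibuf *src)
{
	ASSERT_PTR_NE(src, NULL);

	ibuf_free(src);
	return (NULL);
}

/* Retransmit/teardown bookkeeping: no queues exist in the harness. */
void
ikev2_ike_sa_setreason(struct iked_sa *sa, char *r)
{
}

void
ikev2_msg_dispose(struct iked *env, struct iked_msgqueue *queue,
    struct iked_msg_retransmit *mr)
{
}

struct iked_msg_retransmit *
ikev2_msg_lookup(struct iked *env, struct iked_msgqueue *queue,
    struct iked_message *msg, uint8_t exchange)
{
	return NULL;
}

--------------------------------------------------------------------------------
/regress/parser/tests.c:
--------------------------------------------------------------------------------
/* $OpenBSD: tests.c,v 1.1 2017/05/29 20:59:28 markus Exp $ */
/*
 * Regress test for iked payload parser
 *
 * Placed in the public domain
 */

#include "test_helper.h"

void parser_fuzz_tests(void);

/* Entry point invoked by the test_helper runner; runs every parser test. */
void
tests(void)
{
	parser_fuzz_tests();
}

--------------------------------------------------------------------------------
/regress/test_helper/CMakeLists.txt:
--------------------------------------------------------------------------------
# Copyright (c) 2020-2021 Tobias Heider
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# Helper library shared by the regress and libFuzzer parser harnesses.
# Sources are listed directly on the target rather than accumulated in a
# variable.  NOTE(review): the BSD Makefile next to this file lists only
# test_helper.c; confirm which build is authoritative for fuzz.c.
add_library(test_helper
  test_helper.c
  fuzz.c
)

# Consumers include test_helper.h from this directory, hence PUBLIC.
target_include_directories(test_helper
  PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}
)

# compat is linked PRIVATE so its usage requirements are not propagated to
# the harness targets that link test_helper.
target_link_libraries(test_helper
  PRIVATE compat
)

--------------------------------------------------------------------------------
/regress/test_helper/Makefile:
--------------------------------------------------------------------------------
# $OpenBSD: Makefile,v 1.1 2017/05/29 20:59:32 markus Exp $

LIB=	test_helper
SRCS=	test_helper.c

DEBUGLIBS= no
NOPROFILE= yes
NOPIC= yes

# Test-only library: never installed.
install:
	@echo -n

# NOTE(review): the .include target (an angle-bracket token) was lost when
# this listing was rendered; restore it from the upstream Makefile.
.include

--------------------------------------------------------------------------------
/useradd.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Create the unprivileged _iked group and user the daemon drops privileges
# to.  Linux only (groupadd/useradd from shadow-utils); run as root.

set -eu

# Resolve the nologin shell without `which`: it is not POSIX, is missing on
# some minimal images, and when it found nothing the original unquoted
# $(which nologin) left -s with no argument, so useradd silently took "-c"
# as the login shell.  Fall back to the usual locations instead.
NOLOGIN=$(command -v nologin 2>/dev/null || true)
if [ -z "$NOLOGIN" ]; then
	for p in /usr/sbin/nologin /sbin/nologin /bin/false; do
		if [ -x "$p" ]; then
			NOLOGIN=$p
			break
		fi
	done
fi
: "${NOLOGIN:?no nologin shell found}"

# -r creates a system group/account: reserved UID/GID range, no password
# aging, no skeleton home -- the right shape for a daemon identity.
# The getent guards make a re-run a no-op instead of aborting under set -e
# because the group or user already exists.
getent group _iked >/dev/null 2>&1 || groupadd -r _iked
getent passwd _iked >/dev/null 2>&1 || \
	useradd -r -M -d /var/empty -s "$NOLOGIN" -c "IKEv2 Daemon" \
	    -g _iked _iked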