ipsec-tools: Make racoon an easy-to-use command line tool and reduce its size.
The original executable is ~350KB and now it is ~160KB.
Removing debug messages reduces about 20KB.
Others are mainly contributed by removing lex/yacc generated code,
which was used to parse configuration files.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..52d3187
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,31 @@
+all:
+ gcc -O3 -Wall -o racoon -I. -Isrc/include-glibc -Isrc/libipsec \
+ -Isrc/racoon -Isrc/racoon/missing -DHAVE_CONFIG_H -lcrypto \
+ src/libipsec/pfkey.c \
+ src/libipsec/ipsec_strerror.c \
+ src/racoon/isakmp.c \
+ src/racoon/isakmp_agg.c \
+ src/racoon/isakmp_base.c \
+ src/racoon/isakmp_frag.c \
+ src/racoon/isakmp_ident.c \
+ src/racoon/isakmp_inf.c \
+ src/racoon/isakmp_newg.c \
+ src/racoon/isakmp_quick.c \
+ src/racoon/handler.c \
+ src/racoon/pfkey.c \
+ src/racoon/ipsec_doi.c \
+ src/racoon/oakley.c \
+ src/racoon/vendorid.c \
+ src/racoon/policy.c \
+ src/racoon/crypto_openssl.c \
+ src/racoon/algorithm.c \
+ src/racoon/proposal.c \
+ src/racoon/strnames.c \
+ src/racoon/schedule.c \
+ src/racoon/str2val.c \
+ src/racoon/genlist.c \
+ src/racoon/vmbuf.c \
+ src/racoon/sockmisc.c \
+ src/racoon/nattraversal.c \
+ main.c \
+ setup.c
diff --git a/config.h b/config.h
new file mode 100644
index 0000000..b0fb71b
--- /dev/null
+++ b/config.h
@@ -0,0 +1,24 @@
+#define ENABLE_FRAG
+#define ENABLE_NATT
+#define ENABLE_NATT_00
+#define ENABLE_NATT_02
+#define ENABLE_NATT_RFC
+#undef ENABLE_DPD
+
+#define HAVE_OPENSSL_AES_H
+#define HAVE_OPENSSL_ENGINE_H
+#define WITH_SHA2
+#define HAVE_SHA2_IN_SHA_H
+
+#undef INET6
+#undef INET6_ADVAPI
+
+#define PATH_IPSEC_H <netinet/ipsec.h>
+#define HAVE_POLICY_FWD
+#define HAVE_PFKEY_POLICY_PRIORITY
+
+#define TIME_WITH_SYS_TIME 1
+#define HAVE_SYS_TIME_H 1
+#define HAVE_UNISTD_H
+
+#define ANDROID_PATCHED
diff --git a/main.c b/main.c
new file mode 100644
index 0000000..a698da9
--- /dev/null
+++ b/main.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/select.h>
+
+#include "config.h"
+#include "libpfkey.h"
+#include "ipsec_strerror.h"
+#include "gcmalloc.h"
+#include "vmbuf.h"
+#include "crypto_openssl.h"
+#include "oakley.h"
+#include "vendorid.h"
+#include "pfkey.h"
+#include "schedule.h"
+#include "isakmp_var.h"
+#include "nattraversal.h"
+#include "plog.h"
+#include "grabmyaddr.h"
+#include "localconf.h"
+#include "sockmisc.h"
+#include "admin.h"
+#include "privsep.h"
+#include "misc.h"
+
+extern int setup(int argc, char **argv);
+int f_local = 0;
+
+static void interrupt(int signal)
+{
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ fd_set fdset;
+ int fdset_size;
+ struct myaddrs *p;
+
+ do_plog(LLV_INFO, "ipsec-tools 0.7.2 (http://ipsec-tools.sf.net)\n");
+
+ signal(SIGHUP, interrupt);
+ signal(SIGINT, interrupt);
+ signal(SIGTERM, interrupt);
+ signal(SIGCHLD, interrupt);
+ signal(SIGPIPE, SIG_IGN);
+
+ eay_init();
+ oakley_dhinit();
+ compute_vendorids();
+ sched_init();
+
+ if (setup(argc, argv) < 0 || pfkey_init() < 0 || isakmp_init() < 0) {
+ exit(1);
+ }
+
+#ifdef ENABLE_NATT
+ natt_keepalive_init();
+#endif
+
+ FD_ZERO(&fdset);
+ FD_SET(lcconf->sock_pfkey, &fdset);
+ fdset_size = lcconf->sock_pfkey;
+ for (p = lcconf->myaddrs; p; p = p->next) {
+ FD_SET(p->sock, &fdset);
+ if (fdset_size < p->sock) {
+ fdset_size = p->sock;
+ }
+ }
+ ++fdset_size;
+
+ while (1) {
+ fd_set readset = fdset;
+ struct timeval *timeout = schedular();
+ if (select(fdset_size, &readset, NULL, NULL, timeout) < 0) {
+ exit(1);
+ }
+ if (FD_ISSET(lcconf->sock_pfkey, &readset)) {
+ pfkey_handler();
+ }
+ for (p = lcconf->myaddrs; p; p = p->next) {
+ if (FD_ISSET(p->sock, &readset)) {
+ isakmp_handler(p->sock);
+ }
+ }
+ }
+ return 0;
+}
+
+/* plog.h */
+
+void do_plog(int level, char *format, ...)
+{
+ static char *levels = "EWNIDD";
+ fprintf(stderr, "%c: ", levels[level]);
+ va_list ap;
+ va_start(ap, format);
+ vfprintf(stderr, format, ap);
+ va_end(ap);
+}
+
+char *binsanitize(char *data, size_t length)
+{
+ char *output = racoon_malloc(length + 1);
+ if (output) {
+ size_t i;
+ for (i = 0; i < length; ++i) {
+ output[i] = isprint(data[i]) ? data[i] : '?';
+ }
+ output[length] = '\0';
+ }
+ return output;
+}
+
+/* libpfkey.h */
+
+ipsec_policy_t ipsec_set_policy(__ipsec_const char *message, int length)
+{
+ struct sadb_x_policy *p;
+ int direction;
+
+ if (!strcmp("in bypass", message)) {
+ direction = IPSEC_DIR_INBOUND;
+ } else if (!strcmp("out bypass", message)) {
+ direction = IPSEC_DIR_OUTBOUND;
+ } else {
+ __ipsec_errcode = EIPSEC_INVAL_POLICY;
+ return NULL;
+ }
+
+ p = calloc(1, sizeof(struct sadb_x_policy));
+ p->sadb_x_policy_len = PFKEY_UNIT64(sizeof(struct sadb_x_policy));
+ p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ p->sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+ p->sadb_x_policy_dir = direction;
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+ p->sadb_x_policy_priority = PRIORITY_DEFAULT;
+#endif
+ __ipsec_errcode = EIPSEC_NO_ERROR;
+ return (ipsec_policy_t)p;
+}
+
+int ipsec_get_policylen(ipsec_policy_t policy)
+{
+ return policy ? PFKEY_EXTLEN(policy) : -1;
+}
+
+/* grabmyaddr.h */
+
+int getsockmyaddr(struct sockaddr *addr)
+{
+ struct myaddrs *p;
+ for (p = lcconf->myaddrs; p; p = p->next) {
+ if (cmpsaddrstrict(addr, p->addr) == 0) {
+ return p->sock;
+ }
+ }
+ return -1;
+}
+
+/* privsep.h */
+
+int privsep_pfkey_open()
+{
+ return pfkey_open();
+}
+
+void privsep_pfkey_close(int key)
+{
+ pfkey_close(key);
+}
+
+vchar_t *privsep_eay_get_pkcs1privkey(char *file)
+{
+ return eay_get_pkcs1privkey(file);
+}
+
+int privsep_script_exec(char *script, int name, char * const *environ)
+{
+ return 0;
+}
+
+/* misc.h */
+
+int racoon_hexdump(void *data, size_t length)
+{
+ return 0;
+}
diff --git a/setup.c b/setup.c
new file mode 100644
index 0000000..37e3010
--- /dev/null
+++ b/setup.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+
+#include "config.h"
+#include "libpfkey.h"
+#include "var.h"
+#include "isakmp_var.h"
+#include "isakmp.h"
+#include "vmbuf.h"
+#include "oakley.h"
+#include "ipsec_doi.h"
+#include "algorithm.h"
+#include "vendorid.h"
+#include "proposal.h"
+#include "sainfo.h"
+#include "localconf.h"
+#include "remoteconf.h"
+#include "sockmisc.h"
+#include "grabmyaddr.h"
+#include "plog.h"
+
+static struct myaddrs myaddrs[2];
+static struct etypes main_mode = { .type = ISAKMP_ETYPE_IDENT };
+static struct localconf localconf;
+static struct remoteconf remoteconf;
+static struct sainfo sainfo;
+static char *pre_shared_key;
+
+struct localconf *lcconf = &localconf;
+char *script_names[SCRIPT_MAX + 1];
+
+static void init()
+{
+ localconf.myaddrs = &myaddrs[0];
+ localconf.port_isakmp = PORT_ISAKMP;
+ localconf.port_isakmp_natt = PORT_ISAKMP_NATT;
+ localconf.default_af = AF_INET;
+ localconf.pad_random = LC_DEFAULT_PAD_RANDOM;
+ localconf.pad_randomlen = LC_DEFAULT_PAD_RANDOM;
+ localconf.pad_strict = LC_DEFAULT_PAD_STRICT;
+ localconf.pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
+ localconf.retry_counter = LC_DEFAULT_RETRY_COUNTER;
+ localconf.retry_interval = LC_DEFAULT_RETRY_INTERVAL;
+ localconf.count_persend = LC_DEFAULT_COUNT_PERSEND;
+ localconf.secret_size = LC_DEFAULT_SECRETSIZE;
+ localconf.retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
+ localconf.wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
+ localconf.natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
+ localconf.pathinfo[LC_PATHTYPE_CERT] = "/";
+
+ remoteconf.etypes = &main_mode;
+ remoteconf.doitype = IPSEC_DOI;
+ remoteconf.sittype = IPSECDOI_SIT_IDENTITY_ONLY;
+ remoteconf.idvtype = IDTYPE_ADDRESS;
+ remoteconf.nonce_size = DEFAULT_NONCE_SIZE;
+
+ remoteconf.ike_frag = TRUE;
+ remoteconf.esp_frag = IP_MAXPACKET;
+ remoteconf.ini_contact = TRUE;
+ remoteconf.pcheck_level = PROP_CHECK_OBEY;
+ remoteconf.verify_identifier = FALSE;
+ remoteconf.verify_cert = TRUE;
+ remoteconf.getcert_method = ISAKMP_GETCERT_PAYLOAD;
+ remoteconf.certtype = ISAKMP_CERT_X509SIGN;
+ remoteconf.getcacert_method = ISAKMP_GETCERT_LOCALFILE;
+ remoteconf.cacerttype = ISAKMP_CERT_X509SIGN;
+ remoteconf.send_cert = TRUE;
+ remoteconf.send_cr = TRUE;
+ remoteconf.retry_counter = LC_DEFAULT_RETRY_COUNTER;
+ remoteconf.retry_interval = LC_DEFAULT_RETRY_INTERVAL;
+ remoteconf.nat_traversal = TRUE;
+ remoteconf.rsa_private = genlist_init();
+ remoteconf.rsa_public = genlist_init();
+ remoteconf.dpd = TRUE;
+ remoteconf.dpd_interval = 0;
+ remoteconf.dpd_retry = 5;
+ remoteconf.dpd_maxfails = 5;
+
+ sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
+ sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
+}
+
+static void add_proposal(int auth, int hash, int encryption, int length)
+{
+ struct isakmpsa *p = calloc(1, sizeof(struct isakmpsa));
+ p->prop_no = 1;
+ p->lifetime = 3600;
+ p->enctype = encryption;
+ p->encklen = length;
+ p->authmethod = auth;
+ p->hashtype = hash;
+ p->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
+ p->vendorid = VENDORID_UNKNOWN;
+ p->rmconf = &remoteconf;
+
+ if (!remoteconf.proposal) {
+ p->trns_no = 1;
+ remoteconf.proposal = p;
+ } else {
+ struct isakmpsa *q = remoteconf.proposal;
+ while (q->next) {
+ q = q->next;
+ }
+ p->trns_no = q->trns_no + 1;
+ q->next = p;
+ }
+}
+
+static void add_sainfo_algorithm(int class, int algorithm, int length)
+{
+ struct sainfoalg *p = calloc(1, sizeof(struct sainfoalg));
+ p->alg = algorithm;
+ p->encklen = length;
+
+ if (!sainfo.algs[class]) {
+ sainfo.algs[class] = p;
+ } else {
+ struct sainfoalg *q = sainfo.algs[class];
+ while (q->next) {
+ q = q->next;
+ }
+ q->next = p;
+ }
+}
+
+/* flush; spdflush; */
+static void flush()
+{
+ int key = pfkey_open();
+ if (key != -1) {
+ pfkey_send_flush(key, SADB_SATYPE_UNSPEC);
+ pfkey_send_spdflush(key);
+ pfkey_close(key);
+ }
+}
+
+/* flush; spdflush;
+ * spdadd local remote udp -P out ipsec esp/transport//require; */
+static int spdadd(struct sockaddr *local, struct sockaddr *remote)
+{
+ struct __attribute__((packed)) {
+ struct sadb_x_policy p;
+ struct sadb_x_ipsecrequest q;
+ } policy;
+ int mask = (local->sa_family == AF_INET) ? sizeof(struct in_addr) * 8
+ : sizeof(struct in6_addr) * 8;
+ int key = pfkey_open();
+ if (key == -1) {
+ return -1;
+ }
+
+ memset(&policy, 0, sizeof(policy));
+ policy.p.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy));
+ policy.p.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.p.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+ policy.p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_PFKEY_POLICY_PRIORITY
+ policy.p.sadb_x_policy_priority = PRIORITY_DEFAULT;
+#endif
+ policy.q.sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
+ policy.q.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
+ policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
+ policy.q.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
+
+ if (pfkey_send_flush(key, SADB_SATYPE_UNSPEC) > 0
+ && pfkey_send_spdflush(key) > 0
+ && pfkey_send_spdadd(key, local, mask, remote, mask, IPPROTO_UDP,
+ (caddr_t)&policy, sizeof(policy), 0) > 0) {
+ mask = 0;
+ }
+ pfkey_close(key);
+ return mask ? -1 : 0;
+}
+
+/* The following usages are accepted:
+ * racoon local-ip remote-ip remote-port pre-shared-key
+ * racoon local-ip remote-ip remote-port my-key my-cert ca-cert */
+int setup(int argc, char **argv)
+{
+ int auth;
+ if (argc != 5 && argc != 7) {
+ printf("Usage: %s local remote port pre-shared-key\n"
+ " %s local remote port my-private-key my-cert ca-cert\n",
+ argv[0], argv[0]);
+ return -1;
+ }
+ init();
+
+ /* Set local address and remote address. */
+ myaddrs[0].addr = str2saddr(argv[1], NULL);
+ remoteconf.remote = str2saddr(argv[2], NULL);
+ if (!myaddrs[0].addr || !remoteconf.remote) {
+ plog(LLV_ERROR, "setup", NULL, "Cannot get IP address");
+ return -1;
+ }
+ if (myaddrs[0].addr->sa_family != remoteconf.remote->sa_family) {
+ plog(LLV_ERROR, "setup", NULL, "Address family mismatch");
+ return -1;
+ }
+#ifndef INET6
+ if (myaddrs[0].addr->sa_family != AF_INET) {
+ plog(LLV_ERROR, "setup", NULL, "IPv6 is disabled");
+ return -1;
+ }
+#endif
+
+ /* Initialize SA and SPD. */
+ set_port(remoteconf.remote, atoi(argv[3]));
+ if (spdadd(myaddrs[0].addr, remoteconf.remote) < 0) {
+ plog(LLV_ERROR, "setup", NULL, "Cannot initialize SA and SPD");
+ return -1;
+ }
+ atexit(flush);
+
+ /* Set local port and remote port. */
+ set_port(myaddrs[0].addr, localconf.port_isakmp);
+ set_port(remoteconf.remote, localconf.port_isakmp);
+#ifdef ENABLE_NATT
+ myaddrs[0].next = &myaddrs[1];
+ myaddrs[1].addr = dupsaddr(myaddrs[0].addr);
+ set_port(myaddrs[1].addr, localconf.port_isakmp_natt);
+ myaddrs[1].udp_encap = 1;
+#endif
+
+ /* Set authentication method. */
+ if (argc == 5) {
+ pre_shared_key = argv[4];
+ auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY;
+ } else {
+ remoteconf.myprivfile = argv[4];
+ remoteconf.mycertfile = argv[5];
+ remoteconf.cacertfile = argv[6];
+ auth = OAKLEY_ATTR_AUTH_METHOD_RSASIG;
+ }
+
+ /* Create proposals. */
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_3DES, 0);
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_3DES, 0);
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_DES, 0);
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_DES, 0);
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128);
+ add_proposal(auth, OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 128);
+
+ /* Create sainfo algorithms. */
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
+ add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
+ add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
+
+ return 0;
+}
+
+/* localconf.h */
+
+vchar_t *getpskbyaddr(struct sockaddr *addr)
+{
+ vchar_t *p = NULL;
+ if (pre_shared_key && (p = vmalloc(strlen(pre_shared_key)))) {
+ memcpy(p->v, pre_shared_key, p->l);
+ }
+ return p;
+}
+
+vchar_t *getpskbyname(vchar_t *name)
+{
+ return NULL;
+}
+
+void getpathname(char *path, int length, int type, const char *name)
+{
+ strncpy(path, name, length);
+}
+
+/* remoteconf.h */
+
+struct remoteconf *getrmconf(struct sockaddr *addr)
+{
+ return cmpsaddrwop(addr, remoteconf.remote) ? NULL : &remoteconf;
+}
+
+struct isakmpsa *dupisakmpsa(struct isakmpsa *sa)
+{
+ struct isakmpsa *p = NULL;
+ if (sa && (p = malloc(sizeof(struct isakmpsa)))) {
+ *p = *sa;
+ p->next = NULL;
+ if (sa->dhgrp) {
+ oakley_setdhgroup(sa->dh_group, &p->dhgrp);
+ }
+ }
+ return p;
+}
+
+void delisakmpsa(struct isakmpsa *sa)
+{
+ if (sa) {
+ if (sa->dhgrp) {
+ oakley_dhgrp_free(sa->dhgrp);
+ }
+ delisakmpsa(sa->next);
+ free(sa);
+ }
+}
+
+struct etypes *check_etypeok(struct remoteconf *rmconf, uint8_t etype)
+{
+ struct etypes *p = rmconf->etypes;
+ while (p && etype != p->type) {
+ p = p->next;
+ }
+ return p;
+}
+
+struct remoteconf *foreachrmconf(rmconf_func_t function, void *data)
+{
+ return (*function)(&remoteconf, data);
+}
+
+/* sainfo.h */
+
+struct sainfo *getsainfo(const vchar_t *src, const vchar_t *dst,
+ const vchar_t *peer, int remoteid)
+{
+ return &sainfo;
+}
+
+const char *sainfo2str(const struct sainfo *si)
+{
+ return "*";
+}
diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
index cc326e0..220d93e 100644
--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
@@ -3614,6 +3614,7 @@
id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+#ifndef ANDROID_PATCHED
/* In main mode with pre-shared key, only address type can be used. */
if (iph1->etype == ISAKMP_ETYPE_IDENT &&
iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
@@ -3625,6 +3626,7 @@
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
}
+#endif
/* if proper type for phase 1 ? */
switch (id_b->type) {
diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
index abdc2c3..83741fc 100644
--- a/src/racoon/isakmp.c
+++ b/src/racoon/isakmp.c
@@ -1757,6 +1757,7 @@
void
isakmp_close()
{
+#ifndef ANDROID_PATCHED
struct myaddrs *p, *next;
for (p = lcconf->myaddrs; p; p = next) {
@@ -1772,6 +1773,7 @@
}
lcconf->myaddrs = NULL;
+#endif
}
int
diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
index 0b4c2b3..51f3399 100644
--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
@@ -434,7 +434,7 @@
/* for IDcr */
vp = iph2->id_p;
}
-
+#ifndef ANDROID_PATCHED
if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -442,6 +442,7 @@
error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
goto end;
}
+#endif
}
break;
diff --git a/src/racoon/oakley.c b/src/racoon/oakley.c
index 85b6586..0eff94a 100644
--- a/src/racoon/oakley.c
+++ b/src/racoon/oakley.c
@@ -1365,8 +1365,13 @@
}
error = get_cert_fromlocal(iph1, 0);
+#ifdef ANDROID_PATCHED
+ if (!error)
+ break;
+ default:
+ return ISAKMP_INTERNAL_ERROR;
+#else
break;
-
case ISAKMP_CERT_PLAINRSA:
error = get_plainrsa_fromlocal(iph1, 0);
break;
@@ -1393,6 +1398,7 @@
plog(LLV_ERROR, LOCATION, NULL,
"no CERT RR found.\n");
return ISAKMP_INTERNAL_ERROR;
+#endif
}
break;
default:
@@ -1502,12 +1508,14 @@
iph1->sig_p,
&iph1->cert_p->cert);
break;
+#ifndef ANDROID_PATCHED
case ISAKMP_CERT_PLAINRSA:
iph1->rsa_p = rsa_try_check_rsasign(my_hash,
iph1->sig_p, iph1->rsa_candidates);
error = iph1->rsa_p ? 0 : -1;
break;
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"no supported certtype %d\n",
@@ -1630,12 +1638,12 @@
if (iph1->cert)
return 0;
return get_cert_fromlocal(iph1, 1);
-
+#ifndef ANDROID_PATCHED
case ISAKMP_CERT_PLAINRSA:
if (iph1->rsa)
return 0;
return get_plainrsa_fromlocal(iph1, 1);
-
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
@@ -1734,6 +1742,7 @@
return error;
}
+#ifndef ANDROID_PATCHED
static int
get_plainrsa_fromlocal(iph1, my)
struct ph1handle *iph1;
@@ -1785,6 +1794,7 @@
end:
return error;
}
+#endif
/* get signature */
int
@@ -1818,9 +1828,11 @@
iph1->sig = eay_get_x509sign(iph1->hash, privkey);
break;
+#ifndef ANDROID_PATCHED
case ISAKMP_CERT_PLAINRSA:
iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
break;
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
index cec080e..cefd161 100644
--- a/src/racoon/pfkey.c
+++ b/src/racoon/pfkey.c
@@ -1133,6 +1133,7 @@
return -1;
}
+#ifndef ANDROID_PATCHED
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
@@ -1157,6 +1158,7 @@
"backuped SA: %s\n",
sadbsecas2str(sa_args.src, sa_args.dst,
sa_args.satype, sa_args.spi, sa_args.mode));
+#endif
}
return 0;
@@ -1427,6 +1429,7 @@
return -1;
}
+#ifndef ANDROID_PATCHED
if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
continue;
@@ -1446,6 +1449,7 @@
"backuped SA: %s\n",
sadbsecas2str(sa_args.src, sa_args.dst,
sa_args.satype, sa_args.spi, sa_args.mode));
+#endif
}
return 0;
}
diff --git a/src/racoon/plog.h b/src/racoon/plog.h
index 7bd6cf7..4d9a93f 100644
--- a/src/racoon/plog.h
+++ b/src/racoon/plog.h
@@ -34,6 +34,31 @@
#ifndef _PLOG_H
#define _PLOG_H
+#ifdef ANDROID_PATCHED
+
+#define LLV_ERROR 0
+#define LLV_WARNING 1
+#define LLV_NOTIFY 2
+#define LLV_INFO 3
+#define LLV_DEBUG 4
+#define LLV_DEBUG2 5
+
+#define loglevel LLV_INFO
+
+#define plog(level, location, address, ...) \
+ do { \
+ if ((level) >= LLV_ERROR && (level) <= LLV_INFO) { \
+ do_plog((level), __VA_ARGS__); \
+ } \
+ } while (0)
+
+#define plogdump(...)
+
+extern void do_plog(int level, char *format, ...);
+extern char* binsanitize(char *binary, size_t size);
+
+#else
+
#ifdef HAVE_STDARG_H
#include <stdarg.h>
#else
@@ -79,4 +104,6 @@
extern char* binsanitize __P((char*, size_t));
+#endif
+
#endif /* _PLOG_H */
