1/* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
52b7d2ce
A
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>

#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif

#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "genlist.h"
#include "debug.h"

#include "isakmp_var.h"
#ifdef ENABLE_HYBRID
#include "isakmp_xauth.h"
#endif
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
#include "policy.h"
#include "proposal.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
#include "vpn_control_var.h"

/*
 * The process-wide list of remote configurations. Entries are added by
 * insrmconf() and removed by remrmconf(); getrmconf_strict() and
 * foreachrmconf() walk it, flushrmconf() drains it.
 */
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
86
52b7d2ce
A
87
88/*%%%*/
/*
 * search remote configuration.
 * don't use port number to search if its value is either IPSEC_PORT_ANY.
 * If matching anonymous entry, then new entry is copied from anonymous entry.
 * If no anonymous entry found, then return NULL.
 * OUT: NULL: NG
 *	Other: remote configuration entry.
 *
 * Selection order, as implemented by the walk over rmtree below:
 *   1. remote is AF_UNSPEC and the entry is AF_UNSPEC: first such entry wins.
 *   2. entry without a prefix whose host (and port, when one was supplied)
 *      matches exactly: returned immediately.
 *   3. entry without a prefix whose host matches when the supplied port is
 *      ignored ("best effort"): remembered, returned after the walk.
 *   4. entry with a prefix that matches (with port, when supplied), then an
 *      entry with a prefix that matches only without the port. Both track the
 *      longest prefix seen so far in the shared last_prefix; a later entry
 *      with an equal prefix replaces an earlier one.
 *   5. the anonymous (AF_UNSPEC) entry, only when allow_anon is non-zero.
 * An unknown address family logs an error and yields NULL.
 */
struct remoteconf *
getrmconf_strict(remote, allow_anon)
	struct sockaddr_storage *remote;
	int allow_anon;
{
	struct remoteconf *p;
	struct remoteconf *p_withport_besteffort = NULL;
	struct remoteconf *p_with_prefix = NULL;
	struct remoteconf *p_with_prefix_besteffort = NULL;
	int last_prefix = 0;
	struct remoteconf *anon = NULL;

	int withport;
	/* buf holds the printable form of `remote' used only in log messages. */
	char buf[NI_MAXHOST + NI_MAXSERV + 10];
	/* addr/port are filled by GETNAMEINFO(); port is read only when withport
	 * is set, which only happens for AF_INET/AF_INET6 where they were filled. */
	char addr[NI_MAXHOST], port[NI_MAXSERV];

	withport = 0;

	/*
	 * We never have ports set in our remote configurations, but when
	 * NAT-T is enabled, the kernel can have policies with ports and
	 * send us an acquire message for a destination that has a port set.
	 * If we do this port check here, we have to fallback to a best-effort result (without the port).
	 *
	 * In an ideal world, we would be able to have remote conf with
	 * port, and the port could be a wildcard. That test could be used.
	 */
	switch (remote->ss_family) {
	case AF_INET:
		if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#ifdef INET6
	case AF_INET6:
		if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#endif
	case AF_UNSPEC:
		break;

	default:
		plog(ASL_LEVEL_ERR,
			"invalid ip address family: %d\n", remote->ss_family);
		return NULL;
	}

	if (remote->ss_family == AF_UNSPEC)
		snprintf (buf, sizeof(buf), "%s", "anonymous");
	else {
		GETNAMEINFO((struct sockaddr *)remote, addr, port);
		snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
			withport ? "[" : "",
			withport ? port : "",
			withport ? "]" : "");
	}

	TAILQ_FOREACH(p, &rmtree, chain) {
		/* Step 1: an anonymous lookup is satisfied by the first anonymous entry. */
		if (remote->ss_family == AF_UNSPEC
		 && remote->ss_family == p->remote->ss_family) {
			plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
			return p;
		}
		if (p->remote_prefix == 0) {
			/* Step 2: exact host match (strict, i.e. including the port, when one was given). */
			if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
				|| (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
				plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
				return p;
			} else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
				// for withport: save the pointer for the best-effort search
				p_withport_besteffort = p;
			}
		} else {
			/* Step 4: prefix entries are deferred so the longest prefix can be chosen. */
			if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
				|| (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
				if (p->remote_prefix >= last_prefix) {
					p_with_prefix = p;
					last_prefix = p->remote_prefix;
				}
			} else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
				if (p->remote_prefix >= last_prefix) {
					p_with_prefix_besteffort = p;
					last_prefix = p->remote_prefix;
				}
			}
		}

		/* save the pointer to the anonymous configuration */
		if (p->remote->ss_family == AF_UNSPEC)
			anon = p;
	}

	/* Deferred candidates, in order of preference (steps 3, 4, 5 above). */
	if (p_withport_besteffort) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_withport_besteffort;
	}
	if (p_with_prefix) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_with_prefix;
	}
	if (p_with_prefix_besteffort) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_with_prefix_besteffort;
	}
	if (allow_anon && anon != NULL) {
		plog(ASL_LEVEL_DEBUG,
			"anonymous configuration selected for %s.\n", buf);
		return anon;
	}

	plog(ASL_LEVEL_DEBUG,
		"no remote configuration found.\n");

	return NULL;
}
212
#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
/*
 * True for the default btmm IPv6 entry that is always present in
 * racoon.conf: an AF_INET6 remote whose USERFQDN identifier is exactly
 * "macuser@localhost".
 */
static int
is_default_btmm_rmconf(const struct remoteconf *rc)
{
	static const char default_idv[] = "macuser@localhost";
	static const int default_idv_len = sizeof(default_idv) - 1;

	return rc->remote->ss_family == AF_INET6
	    && rc->idvtype == IDTYPE_USERFQDN
	    && rc->idv != NULL
	    && rc->idv->l == default_idv_len
	    && strncmp(rc->idv->v, default_idv, rc->idv->l) == 0;
}
#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)

/*
 * Report whether rmtree holds no "real" remote configuration.
 * Anonymous (AF_UNSPEC) entries are ignored when ignore_anonymous is
 * non-zero; outside the embedded iPhone build the default btmm entry is
 * always ignored. Returns 1 when nothing else is listed, 0 otherwise.
 */
int
no_remote_configs(int ignore_anonymous)
{
	struct remoteconf *rc;

	TAILQ_FOREACH(rc, &rmtree, chain) {
		int skip = 0;

		if (ignore_anonymous && rc->remote->ss_family == AF_UNSPEC)
			skip = 1;	/* anonymous */
#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
		if (!skip && is_default_btmm_rmconf(rc))
			skip = 1;
#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
		if (!skip)
			return 0;
	}
	return 1;
}
243
52b7d2ce
A
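/*
 * Look up the remote configuration for `remote', allowing the anonymous
 * entry as a fallback. When an IPv6 peer has no configuration and a NAT64
 * prefix is available (vpncontrol_set_nat64_prefix() returns non-zero), the
 * lookup is retried with the IPv4 address embedded in the IPv6 address.
 * Returns the matching entry or NULL.
 */
struct remoteconf *
getrmconf(struct sockaddr_storage *remote)
{
	struct remoteconf *rmconf = getrmconf_strict(remote, 1);

	if (rmconf != NULL)
		return rmconf;

	if (remote->ss_family == AF_INET6) {
		nw_nat64_prefix_t nat64_prefix;

		if (vpncontrol_set_nat64_prefix(&nat64_prefix)) {
			/*
			 * Build the synthesized IPv4 address inside a full
			 * sockaddr_storage: the lookup reads the object through a
			 * sockaddr_storage pointer, so the backing object must be
			 * that large, and zero-filling it keeps sin_zero and the
			 * unused tail from being passed around uninitialized.
			 * (sockaddr_storage is at least as aligned as sockaddr_in,
			 * so the downcast needs no ALIGNED_CAST.)
			 */
			struct sockaddr_storage v4ss;
			struct sockaddr_in *v4dst = (struct sockaddr_in *)&v4ss;

			memset(&v4ss, 0, sizeof(v4ss));
			v4dst->sin_family = AF_INET;
			v4dst->sin_len = sizeof(struct sockaddr_in);
			v4dst->sin_port = 0;
			nw_nat64_extract_v4(&nat64_prefix,
			    &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst->sin_addr);

			/*
			 * An AF_INET address never takes the NAT64 path, so calling
			 * getrmconf_strict() directly is the same as the recursive
			 * getrmconf() call, without the extra frame.
			 */
			rmconf = getrmconf_strict(&v4ss, 1);
			if (rmconf != NULL)
				return rmconf;
		}
	}

	return NULL;
}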
271
/*
 * Allocate a new, unlisted remote configuration populated with the
 * defaults below (retry settings come from the local configuration lcconf).
 * The caller owns the result (refcount 1). Returns NULL when the
 * allocation fails.
 */
struct remoteconf *
create_rmconf(void)
{
	struct remoteconf *rc = racoon_calloc(1, sizeof(*rc));

	if (rc == NULL)
		return NULL;

	/* ownership / list state */
	rc->refcount = 1;
	rc->in_list = 0;
	rc->proposal = NULL;

	/* protocol defaults */
	rc->doitype = IPSEC_DOI;
	rc->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
	rc->ike_version = ISAKMP_VERSION_NUMBER_IKEV1;
	rc->nonce_size = DEFAULT_NONCE_SIZE;
	rc->passive = FALSE;
	rc->ike_frag = ISAKMP_FRAG_ON;
	rc->esp_frag = IP_MAXPACKET;
	rc->ini_contact = TRUE;
	rc->mode_cfg = FALSE;
	rc->pcheck_level = PROP_CHECK_STRICT;
	rc->support_proxy = FALSE;
	rc->gen_policy = FALSE;
	rc->initiate_ph1rekey = TRUE;
	rc->weak_phase1_check = 0;

	/* identity and certificate handling */
	rc->idvtype = IDTYPE_UNDEFINED;
	rc->idvl_p = genlist_init();
	rc->idv = NULL;
	rc->key = NULL;
	rc->verify_identifier = FALSE;
	rc->verify_cert = TRUE;
	rc->getcert_method = ISAKMP_GETCERT_PAYLOAD;
	rc->cacerttype = ISAKMP_CERT_X509SIGN;
	rc->certtype = ISAKMP_CERT_NONE;
	rc->send_cert = TRUE;
	rc->send_cr = TRUE;
#ifdef ENABLE_HYBRID
	rc->xauth = NULL;
#endif

	/* retransmission, taken from the local configuration */
	rc->retry_counter = lcconf->retry_counter;
	rc->retry_interval = lcconf->retry_interval;

	/* NAT traversal */
	rc->nat_traversal = NATT_ON;
	rc->natt_multiple_user = FALSE;
	rc->natt_keepalive = TRUE;

	/* dead peer detection: supported, but no periodic checks unless configured */
	rc->dpd = TRUE;
	rc->dpd_interval = 0;
	rc->dpd_retry = 5;
	rc->dpd_maxfails = 5;
	rc->dpd_algo = DPD_ALGO_INBOUND_DETECT;
	rc->idle_timeout = 0;

	return rc;
}
330
/*
 * Duplicate the remote configuration that matches `remote' exactly
 * (the anonymous entry is not considered). Logs an error and returns
 * NULL when there is none; otherwise returns the copy made by duprmconf().
 */
struct remoteconf *
copyrmconf(struct sockaddr_storage *remote)
{
	struct remoteconf *src = getrmconf_strict(remote, 0);

	if (src != NULL)
		return duprmconf(src);

	plog(ASL_LEVEL_ERR,
		"Remote configuration for '%s' not found!\n",
		saddr2str((struct sockaddr *)remote));
	return NULL;
}
348
/*
 * genlist_foreach() callback used by duprmconf(): copy the idspec `entry'
 * into a new idspec and append it to the genlist passed as `arg'.
 * Returns NULL on success and (void *)-1 when allocation or
 * set_identifier() fails.
 */
void *
dupidvl(void *entry, void *arg)
{
	const struct idspec *src = entry;
	struct idspec *copy = newidspec();

	if (copy == NULL)
		return (void *) -1;

	if (set_identifier(&copy->id, src->idtype, src->id) != 0) {
		racoon_free(copy);
		return (void *) -1;
	}

	copy->idtype = src->idtype;
	genlist_append(arg, copy);
	return NULL;
}
367
/*
 * Shallow-copy an existing remote configuration into a fresh, unlisted
 * entry (refcount 1, in_list 0). Of the pointer members inherited from
 * `rmconf', only etypes (via dupetypes()) and idvl_p (a new genlist filled
 * by dupidvl()) are re-created; the ones listed below are reset to NULL and
 * everything else is shared with the original. Returns NULL when the
 * allocation fails.
 *
 * NOTE(review): dhgrp and prhead are among the members left pointing at the
 * original's objects, and delrmconf() frees both; unless the caller replaces
 * them (the FIXME says cfparse.y does) deleting both the original and the copy
 * would release them twice — confirm against the parser. The result of
 * genlist_foreach() is discarded, so a dupidvl() failure ((void *)-1) is not
 * noticed here, and a NULL from dupetypes() (allocation failure) silently
 * leaves the copy without exchange types.
 */
struct remoteconf *
duprmconf (struct remoteconf *rmconf)
{
	struct remoteconf *new;

	new = racoon_calloc(1, sizeof(*new));
	if (new == NULL)
		return NULL;
	memcpy (new, rmconf, sizeof (*new));
	// FIXME: We should duplicate remote, proposal, etc.
	// This is now handled in the cfparse.y
	// new->proposal = ...;

	// zero-out pointers
	new->remote = NULL;
	new->forced_local = NULL;
	new->keychainCertRef = NULL; /* persistent keychain ref for cert */
	new->shared_secret = NULL; /* shared secret */
	new->open_dir_auth_group = NULL; /* group to be used to authorize user */
	new->proposal = NULL;
	new->in_list = 0;
	new->refcount = 1;
	new->idv = NULL;
	new->key = NULL;
#ifdef ENABLE_HYBRID
	new->xauth = NULL;
#endif

	/* duplicate dynamic structures */
	if (new->etypes)
		new->etypes=dupetypes(new->etypes);
	new->idvl_p = genlist_init();
	genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);

	return new;
}
404
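/*
 * genlist_free() callback: release one struct idspec created by newidspec().
 * id->id may be unset (dump_peers_identifiers() checks for that), so it is
 * only vfree()d when present. The struct itself comes from racoon_calloc(),
 * so it is returned with racoon_free() — the same pairing dupidvl() uses —
 * rather than plain free().
 */
static void
idspec_free(void *data)
{
	struct idspec *id = data;

	if (id->id)
		vfree(id->id);
	racoon_free(id);
}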
411
/*
 * Free a chain of proposalspec entries together with the secprotospec
 * chain hanging off each one. gssid and remote are released with plain
 * free() exactly as before (their allocation site is not in this file).
 */
static void
proposalspec_free(struct proposalspec *head)
{
	struct proposalspec *prop = head;

	while (prop != NULL) {
		struct proposalspec *next_prop = prop->next;
		struct secprotospec *proto = prop->spspec;

		while (proto != NULL) {
			struct secprotospec *next_proto = proto->next;

			if (proto->gssid)
				free(proto->gssid);
			if (proto->remote)
				free(proto->remote);
			racoon_free(proto);
			proto = next_proto;
		}
		racoon_free(prop);
		prop = next_prop;
	}
}
440
/*
 * Release a remote configuration and everything it owns. The entry must
 * already be off rmtree (see remrmconf()/release_rmconf()).
 */
void
delrmconf(struct remoteconf *rmconf)
{
	/* addresses */
	if (rmconf->remote)
		racoon_free(rmconf->remote);
	if (rmconf->forced_local)
		racoon_free(rmconf->forced_local);
#ifdef ENABLE_HYBRID
	if (rmconf->xauth)
		xauth_rmconf_delete(&rmconf->xauth);
#endif

	/* identifiers */
	if (rmconf->idv)
		vfree(rmconf->idv);
	if (rmconf->idvl_p)
		genlist_free(rmconf->idvl_p, idspec_free);

	/* exchange types, DH group and proposals */
	if (rmconf->etypes) {
		deletypes(rmconf->etypes);
		rmconf->etypes = NULL;
	}
	if (rmconf->dhgrp)
		oakley_dhgrp_free(rmconf->dhgrp);
	if (rmconf->proposal)
		delisakmpsa(rmconf->proposal);
	if (rmconf->prhead)
		proposalspec_free(rmconf->prhead);

	/*
	 * secrets and platform references
	 * NOTE(review): nothing here scrubs shared_secret before it is released;
	 * whether vfree() zeroes the buffer is not visible from this file — confirm.
	 */
	if (rmconf->shared_secret)
		vfree(rmconf->shared_secret);
	if (rmconf->keychainCertRef)
		vfree(rmconf->keychainCertRef);
	if (rmconf->open_dir_auth_group)
		vfree(rmconf->open_dir_auth_group);

	racoon_free(rmconf);
}
475
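/*
 * Free a chain of ISAKMP SA proposals, each with its own DH group.
 * Iterative rather than recursive so the stack does not grow with the
 * number of proposals, and tolerant of a NULL chain (the recursive form
 * dereferenced it).
 */
void
delisakmpsa(struct isakmpsa *sa)
{
	while (sa != NULL) {
		struct isakmpsa *next = sa->next;

		if (sa->dhgrp)
			oakley_dhgrp_free(sa->dhgrp);
		racoon_free(sa);
		sa = next;
	}
}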
485
/*
 * Copy a chain of exchange types. Returns NULL for an empty chain or when
 * the first allocation fails; if an allocation fails part-way, the copy
 * built so far is returned as a shorter chain.
 */
struct etypes *
dupetypes(struct etypes *orig)
{
	struct etypes *head = NULL;
	struct etypes **tail = &head;
	const struct etypes *src;

	for (src = orig; src != NULL; src = src->next) {
		struct etypes *copy = racoon_malloc(sizeof(*copy));

		if (copy == NULL)
			break;	/* keep what was copied, as the recursive form did */
		copy->type = src->type;
		copy->next = NULL;
		*tail = copy;
		tail = &copy->next;
	}

	return head;
}
506
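/*
 * Free a chain of exchange types. Iterative so the stack does not grow
 * with the chain, and a NULL chain is a no-op (the recursive form
 * dereferenced it).
 */
void
deletypes(struct etypes *e)
{
	while (e != NULL) {
		struct etypes *next = e->next;

		racoon_free(e);
		e = next;
	}
}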
514
/*
 * insert into head of list.
 * Marks the entry as listed so remrmconf() knows to unlink it.
 */
void
insrmconf(struct remoteconf *new)
{
	new->in_list = 1;
	TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
524
/*
 * Unlink an entry from rmtree if it is listed; unlisted entries are left
 * untouched (in_list is already 0). Does not free anything.
 */
void
remrmconf(struct remoteconf *rmconf)
{
	if (!rmconf->in_list)
		return;
	TAILQ_REMOVE(&rmtree, rmconf, chain);
	rmconf->in_list = 0;
}
532
/* Take an additional reference; pair with release_rmconf(). */
void
retain_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount += 1;
}
538
/*
 * Drop a reference; when the count reaches zero the entry is unlinked
 * from rmtree and freed.
 */
void
release_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount -= 1;
	if (rmconf->refcount > 0)
		return;
	remrmconf(rmconf);
	delrmconf(rmconf);
}
547
/*
 * Unlink every entry from rmtree, dropping the list's reference on each;
 * entries nobody else holds are freed.
 */
void
flushrmconf(void)
{
	struct remoteconf *cur = TAILQ_FIRST(&rmtree);

	while (cur != NULL) {
		/* fetch the successor before cur can be freed */
		struct remoteconf *following = TAILQ_NEXT(cur, chain);

		remrmconf(cur);
		if (--cur->refcount <= 0)
			delrmconf(cur);
		cur = following;
	}
}
560
/* Reset rmtree to an empty list; call once before any insrmconf(). */
void
initrmconf(void)
{
	TAILQ_INIT(&rmtree);
}
566
/*
 * check exchange type to be acceptable:
 * return the etypes entry of rmconf whose type equals etype, or NULL.
 */
struct etypes *
check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
{
	struct etypes *cur = rmconf->etypes;

	while (cur != NULL && cur->type != etype)
		cur = cur->next;

	return cur;
}
580
581/*%%%*/
/*
 * Allocate a zeroed ISAKMP SA proposal with no owner and no successor.
 * Returns NULL when the allocation fails.
 */
struct isakmpsa *
newisakmpsa(void)
{
	struct isakmpsa *sa = racoon_calloc(1, sizeof(*sa));

	if (sa == NULL)
		return NULL;

	/*
	 * Just for sanity, make sure this is initialized. This is
	 * filled in for real when the ISAKMP proposal is configured.
	 */
	sa->vendorid = VENDORID_UNKNOWN;
	sa->rmconf = NULL;
	sa->next = NULL;

	return sa;
}
602
/*
 * insert into tail of list.
 * Links `new' as the last proposal of rmconf and records rmconf as its owner.
 */
void
insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
{
	struct isakmpsa **link = &rmconf->proposal;

	new->rmconf = rmconf;

	/* walk to the NULL link at the end of the chain (or the empty head) */
	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}
624
/*
 * Apply rmconf_func to every listed remote configuration, from the tail of
 * rmtree to its head, stopping at the first non-NULL result, which is
 * returned. Returns NULL when the callback never returned an entry.
 */
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
	struct remoteconf *cur;

	TAILQ_FOREACH_REVERSE(cur, &rmtree, _rmtree, chain) {
		struct remoteconf *hit = rmconf_func(cur, data);

		if (hit != NULL)
			return hit;
	}

	return NULL;
}
638
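/*
 * Append formatted text to the fixed dump buffer `buf' (of `size' bytes)
 * at offset *offp, without ever moving the offset past the buffer.
 * snprintf() returns the length the text would have had, so the former
 * `pbuf += snprintf(...)` idiom walked pbuf past the end on truncation and
 * the next `sizeof(buf) - (pbuf - buf)` wrapped to a huge size_t — an
 * out-of-bounds write driven by identifier/address strings from the
 * configuration. On truncation or error the offset is pinned at size - 1,
 * so later appends get a zero-length remainder and the buffer stays
 * NUL-terminated.
 */
static void
dump_append(char *buf, size_t size, size_t *offp, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (*offp >= size)
		return;
	va_start(ap, fmt);
	n = vsnprintf(buf + *offp, size - *offp, fmt, ap);
	va_end(ap);
	if (n < 0)
		return;
	if ((size_t)n >= size - *offp)
		*offp = size - 1;
	else
		*offp += (size_t)n;
}

/*
 * genlist_foreach() callback: log one peers_identifier line for the idspec
 * `entry'. `arg' is unused. Always returns NULL so the walk continues.
 */
static void *
dump_peers_identifiers (void *entry, void *arg)
{
	struct idspec *id = entry;
	char buf[1024];
	size_t off = 0;

	(void)arg;
	buf[0] = '\0';
	dump_append(buf, sizeof(buf), &off, "\tpeers_identifier %s",
		s_idtype (id->idtype));
	if (id->id)
		dump_append(buf, sizeof(buf), &off, " \"%s\"", id->id->v);
	plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
	return NULL;
}

/*
 * foreachrmconf() callback: log the remote configuration `p' in
 * racoon.conf syntax, followed by each of its proposals. `data' is unused.
 * Always returns NULL so foreachrmconf() visits every entry.
 */
static struct remoteconf *
dump_rmconf_single (struct remoteconf *p, void *data)
{
	struct etypes *etype = p->etypes;
	struct isakmpsa *prop = p->proposal;
	char buf[1024];
	size_t off = 0;

	(void)data;
	buf[0] = '\0';

	/* "remote <addr>[/prefix] [inherit <addr>] {" */
	if (p->remote_prefix)
		dump_append(buf, sizeof(buf), &off, "remote %s",
			saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
	else
		dump_append(buf, sizeof(buf), &off, "remote %s", saddr2str((struct sockaddr *)p->remote));
	if (p->inherited_from)
		dump_append(buf, sizeof(buf), &off, " inherit %s",
			saddr2str((struct sockaddr *)p->inherited_from->remote));
	plog(ASL_LEVEL_NOTICE, "%s {\n", buf);

	/* exchange types on one line, comma separated, ';' after the last */
	off = 0;
	dump_append(buf, sizeof(buf), &off, "\texchange_type ");
	while (etype) {
		dump_append(buf, sizeof(buf), &off, "%s%s", s_etype(etype->type),
			etype->next != NULL ? ", " : ";\n");
		etype = etype->next;
	}
	plog(ASL_LEVEL_NOTICE, "%s", buf);
	plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype));

	/* identifier; an ASN1DN identity has no inline value but reports the cert source */
	off = 0;
	dump_append(buf, sizeof(buf), &off, "\tmy_identifier %s", s_idtype (p->idvtype));
	if (p->idvtype == IDTYPE_ASN1DN) {
		plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
		switch (p->getcert_method) {
		case 0:
			break;
		case ISAKMP_GETCERT_PAYLOAD:
			plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n");
			break;
		default:
			plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
		}
	}
	else {
		if (p->idv)
			dump_append(buf, sizeof(buf), &off, " \"%s\"", p->idv->v);
		plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
		genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
	}

	plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n",
		s_switch (p->send_cert));
	plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n",
		s_switch (p->send_cr));
	plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n",
		s_switch (p->verify_cert));
	plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n",
		s_switch (p->verify_identifier));
	plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n",
		p->nat_traversal == NATT_FORCE ?
			"force" : s_switch (p->nat_traversal));
	plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n",
		s_switch (p->natt_multiple_user));
	plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n",
		p->nonce_size);
	plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n",
		s_switch (p->passive));
	plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n",
		p->ike_frag == ISAKMP_FRAG_FORCE ?
			"force" : s_switch (p->ike_frag));
	plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag);
	plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n",
		s_switch (p->ini_contact));
	plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n",
		s_switch (p->gen_policy));
	plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n",
		s_switch (p->support_proxy));

	/* one block per proposal; prop->rmconf is set by insisakmpsa() */
	while (prop) {
		plog(ASL_LEVEL_NOTICE, "\n");
		plog(ASL_LEVEL_NOTICE,
			"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
			prop->prop_no, prop->trns_no,
			saddr2str((struct sockaddr *)prop->rmconf->remote));
		plog(ASL_LEVEL_NOTICE, "\tproposal {\n");
		/* cast matches the %lu conversion (the original cast to signed long) */
		plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n",
			(unsigned long)prop->lifetime);
		plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n",
			prop->lifebyte);
		plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n",
			alg_oakley_dhdef_name(prop->dh_group));
		plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n",
			alg_oakley_encdef_name(prop->enctype));
		plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n",
			alg_oakley_hashdef_name(prop->hashtype));
		plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n",
			alg_oakley_hashdef_name(prop->prf));
		plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n",
			alg_oakley_authdef_name(prop->authmethod));
		plog(ASL_LEVEL_NOTICE, "\t}\n");
		prop = prop->next;
	}
	plog(ASL_LEVEL_NOTICE, "}\n");
	plog(ASL_LEVEL_NOTICE, "\n");

	return NULL;
}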
757
/* Log every listed remote configuration via dump_rmconf_single(). */
void
dumprmconf(void)
{
	(void)foreachrmconf(dump_rmconf_single, NULL);
}
763
/*
 * Allocate a zeroed idspec whose type defaults to IDTYPE_ADDRESS.
 * Returns NULL when the allocation fails.
 */
struct idspec *
newidspec(void)
{
	struct idspec *spec = racoon_calloc(1, sizeof(*spec));

	if (spec != NULL)
		spec->idtype = IDTYPE_ADDRESS;

	return spec;
}
776
d1e348cf 777
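/*
 * Copy a single ISAKMP SA proposal (not its successors). Scalar fields and
 * the rmconf back-pointer are copied as-is; the DH group is re-created for
 * the copy because each SA owns its dhgrp (delisakmpsa() frees it).
 * Returns NULL for a NULL input or when the allocation fails.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *res;

	if (sa == NULL)
		return NULL;

	res = newisakmpsa();
	if (res == NULL)
		return NULL;

	*res = *sa;
	res->next = NULL;

	/*
	 * Clear the copied dhgrp pointer before requesting a fresh group so the
	 * copy never aliases sa->dhgrp: should oakley_setdhgroup() fail, the
	 * shared group would otherwise be freed once per SA. Its return value
	 * is not examined here (NOTE(review): confirm its failure semantics).
	 */
	res->dhgrp = NULL;
	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &(res->dhgrp));

	return res;
}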
799