1/* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>

#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif

#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "genlist.h"
#include "debug.h"

#include "isakmp_var.h"
#ifdef ENABLE_HYBRID
#include "isakmp_xauth.h"
#endif
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
#include "policy.h"
#include "proposal.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
#include "rsalist.h"
84
/* Every configured "remote" block, newest first (insrmconf() inserts at the head). */
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;

/*
 * Script hook names and script hook paths
 * (only the two hook names are initialized here; any remaining slot of
 * the SCRIPT_MAX + 1 is NULL)
 */
char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
91
92/*%%%*/
/*
 * Search the remote configuration for the entry matching remote.
 * The port number is not used in the comparison when its value is
 * IPSEC_PORT_ANY.  If no entry matches exactly and an anonymous entry
 * exists, that anonymous entry is selected (only when allow_anon is set);
 * otherwise NULL is returned.
 * OUT: NULL: NG
 *      Other: remote configuration entry.
 */
struct remoteconf *
getrmconf_strict(remote, allow_anon)
	struct sockaddr *remote;
	int allow_anon;
{
	struct remoteconf *entry;
	struct remoteconf *anon_entry = NULL;
	int match_port = 0;
	char label[NI_MAXHOST + NI_MAXSERV + 10];
	char host[NI_MAXHOST], serv[NI_MAXSERV];

#ifndef ENABLE_NATT
	/*
	 * We never have ports set in our remote configurations, but when
	 * NAT-T is enabled, the kernel can have policies with ports and
	 * send us an acquire message for a destination that has a port set.
	 * If we do this port check here, we don't find the remote config.
	 *
	 * In an ideal world, we would be able to have remote conf with
	 * port, and the port could be a wildcard. That test could be used.
	 */
	switch (remote->sa_family) {
	case AF_INET:
		match_port = ((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY;
		break;
#ifdef INET6
	case AF_INET6:
		match_port = ((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY;
		break;
#endif
	case AF_UNSPEC:
		break;
	default:
		/*
		 * An unrecognised family terminates the daemon.
		 * NOTE(review): whatever address the caller passes reaches
		 * this point unchecked, so a malformed lookup stops racoon
		 * instead of being rejected — confirm every caller validates
		 * sa_family before calling.
		 */
		plog(LLV_ERROR2, LOCATION, NULL,
		    "invalid ip address family: %d\n", remote->sa_family);
		exit(1);
	}
#endif /* ENABLE_NATT */

	/* Printable name of the peer; only used in the log lines below. */
	if (remote->sa_family == AF_UNSPEC) {
		snprintf(label, sizeof(label), "%s", "anonymous");
	} else {
		GETNAMEINFO(remote, host, serv);
		if (match_port)
			snprintf(label, sizeof(label), "%s[%s]", host, serv);
		else
			snprintf(label, sizeof(label), "%s", host);
	}

	TAILQ_FOREACH(entry, &rmtree, chain) {
#ifdef __APPLE__
		/* entries already queued for removal/deletion are not candidates */
		if (entry->to_delete || entry->to_remove)
			continue;
#endif
		if ((remote->sa_family == AF_UNSPEC
		     && remote->sa_family == entry->remote->sa_family)
		    || (!match_port && cmpsaddrwop(remote, entry->remote) == 0)
		    || (match_port && cmpsaddrstrict(remote, entry->remote) == 0)) {
			plog(LLV_DEBUG, LOCATION, NULL,
			    "configuration found for %s.\n", label);
			return entry;
		}

		/* remember the last anonymous entry seen as the fallback */
		if (entry->remote->sa_family == AF_UNSPEC)
			anon_entry = entry;
	}

	if (allow_anon && anon_entry != NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
		    "anonymous configuration selected for %s.\n", label);
		return anon_entry;
	}

	plog(LLV_DEBUG, LOCATION, NULL,
	    "no remote configuration found.\n");

	return NULL;
}
186
/*
 * Return 1 when no concrete (non-anonymous) remote block is configured,
 * 0 as soon as one is found.  Anonymous (AF_UNSPEC) entries do not count.
 */
int
no_remote_configs()
{
	struct remoteconf *entry;

	TAILQ_FOREACH(entry, &rmtree, chain) {
		/* anything other than the anonymous entry is a real configuration */
		if (entry->remote->sa_family != AF_UNSPEC)
			return 0;
	}
	return 1;
}
200
/*
 * Convenience wrapper around getrmconf_strict() that also accepts the
 * anonymous entry when no exact match exists.
 */
struct remoteconf *
getrmconf(remote)
	struct sockaddr *remote;
{
	const int allow_anon = 1;

	return getrmconf_strict(remote, allow_anon);
}
207
#ifdef __APPLE__
/*
 * Take a reference on a remote configuration on behalf of a phase 1
 * handler.  Returns 0 on success, -1 when new is NULL or is already
 * queued for removal/deletion (such entries must not gain new users).
 */
int
link_rmconf_to_ph1 (struct remoteconf *new)
{
	if (new == NULL)
		return -1;
	if (new->to_delete || new->to_remove)
		return -1;

	new->linked_to_ph1++;
	return 0;
}

/*
 * Drop a reference taken with link_rmconf_to_ph1().  When the last
 * reference goes away, a removal or deletion that was deferred while the
 * configuration was in use is carried out now.  Returns 0 on success,
 * -1 when old is NULL or has no outstanding reference (unbalanced unlink).
 */
int
unlink_rmconf_from_ph1 (struct remoteconf *old)
{
	if (old == NULL || old->linked_to_ph1 <= 0)
		return -1;

	if (--old->linked_to_ph1 != 0)
		return 0;

	/* last user gone: unlink from the list first, then free */
	if (old->to_remove)
		remrmconf(old);
	if (old->to_delete)
		delrmconf(old);	/* releases old; it must not be touched afterwards */
	return 0;
}
#endif
244
/*
 * Allocate a remote configuration pre-filled with the built-in defaults
 * (retry parameters come from the local configuration lcconf).
 * Returns NULL when allocation fails.  The caller owns the result and
 * releases it with delrmconf().
 * NOTE(review): the genlist_init() results are not checked here.
 */
struct remoteconf *
newrmconf()
{
	struct remoteconf *rmconf;
	int idx;

	rmconf = racoon_calloc(1, sizeof(*rmconf));
	if (rmconf == NULL)
		return NULL;

	/* phase 1 negotiation defaults */
	rmconf->proposal = NULL;
	rmconf->doitype = IPSEC_DOI;
	rmconf->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
	rmconf->idvtype = IDTYPE_UNDEFINED;
	rmconf->idvl_p = genlist_init();
	rmconf->nonce_size = DEFAULT_NONCE_SIZE;
	rmconf->passive = FALSE;
	rmconf->ike_frag = FALSE;
	rmconf->esp_frag = IP_MAXPACKET;
	rmconf->ini_contact = TRUE;
	rmconf->mode_cfg = FALSE;
	rmconf->pcheck_level = PROP_CHECK_STRICT;

	/* certificates are verified by default; identifier verification is opt-in */
	rmconf->verify_identifier = FALSE;
	rmconf->verify_cert = TRUE;
	rmconf->getcert_method = ISAKMP_GETCERT_PAYLOAD;
	rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
	rmconf->cacerttype = ISAKMP_CERT_X509SIGN;
	rmconf->certtype = ISAKMP_CERT_NONE;
	rmconf->cacertfile = NULL;
	rmconf->send_cert = TRUE;
	rmconf->send_cr = TRUE;
	rmconf->support_proxy = FALSE;

	/* no script hooks until the parser installs them */
	for (idx = 0; idx <= SCRIPT_MAX; idx++)
		rmconf->script[idx] = NULL;

	rmconf->gen_policy = FALSE;
	rmconf->retry_counter = lcconf->retry_counter;
	rmconf->retry_interval = lcconf->retry_interval;

	/* NAT traversal defaults differ between the Apple and upstream builds */
#ifdef __APPLE__
	rmconf->nat_traversal = NATT_ON;
	rmconf->natt_multiple_user = FALSE;
	rmconf->natt_keepalive = TRUE;
	rmconf->to_remove = FALSE;
	rmconf->to_delete = FALSE;
	rmconf->linked_to_ph1 = 0;
#else
	rmconf->nat_traversal = NATT_OFF;
#endif

	rmconf->rsa_private = genlist_init();
	rmconf->rsa_public = genlist_init();
	rmconf->idv = NULL;
	rmconf->key = NULL;

	/* DPD support is on, but an interval of 0 means no checks are sent */
	rmconf->dpd = TRUE;
	rmconf->dpd_interval = 0;
	rmconf->dpd_retry = 5;
	rmconf->dpd_maxfails = 5;
	rmconf->dpd_algo = DPD_ALGO_INBOUND_DETECT;
	rmconf->idle_timeout = 0;

	rmconf->weak_phase1_check = 0;

#ifdef ENABLE_HYBRID
	rmconf->xauth = NULL;
#endif
	rmconf->initiate_ph1rekey = TRUE;

	return rmconf;
}
314
/*
 * Look up the configuration for remote (the anonymous entry is not
 * considered) and return a copy of it made by duprmconf().
 * Returns NULL, after logging, when no entry matches, or when
 * duprmconf() cannot allocate the copy.
 */
struct remoteconf *
copyrmconf(remote)
	struct sockaddr *remote;
{
	struct remoteconf *src;

	src = getrmconf_strict(remote, 0);
	if (src == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Remote configuration for '%s' not found!\n",
		    saddr2str(remote));
		return NULL;
	}

	return duprmconf(src);
}
333
/*
 * genlist_foreach() callback used by duprmconf(): clone the idspec passed
 * as entry and append the clone to the genlist passed as arg.
 * Returns NULL on success and (void *)-1 when the clone cannot be
 * allocated or set_identifier() fails; the entries cloned before the
 * failure remain in arg.
 */
void *
dupidvl(entry, arg)
	void *entry;
	void *arg;
{
	struct idspec *src = (struct idspec *)entry;
	struct idspec *copy = newidspec();

	if (copy == NULL)
		return (void *)-1;

	/* set_identifier() presumably fills copy->id from src's type and value */
	if (set_identifier(&copy->id, src->idtype, src->id) != 0) {
		racoon_free(copy);
		return (void *)-1;
	}
	copy->idtype = src->idtype;

	genlist_append(arg, copy);
	return NULL;
}
354
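static void idspec_free(void *data);

/*
 * Duplicate a remote configuration.
 *
 * The copy starts as a flat memcpy of rmconf, so every pointer member
 * (remote, idv, certificate file names, rsa key lists, shared secrets,
 * proposal, ...) initially aliases the original's storage; only etypes
 * and idvl_p are re-created here.  NOTE(review): callers are therefore
 * responsible for replacing the still-shared members before the copy is
 * ever handed to delrmconf(), otherwise the original and the copy free
 * the same memory — the FIXME below says cfparse.y handles the proposal.
 *
 * Returns the new configuration, or NULL when an allocation or an
 * identifier copy fails.  Previously a failure in dupetypes() or dupidvl()
 * returned a configuration with a silently truncated exchange-type or
 * identifier list; now nothing partial is returned and nothing allocated
 * here leaks.
 */
struct remoteconf *
duprmconf (rmconf)
	struct remoteconf *rmconf;
{
	struct remoteconf *new;

	new = racoon_calloc(1, sizeof(*new));
	if (new == NULL)
		return NULL;
	memcpy(new, rmconf, sizeof(*new));
	// FIXME: We should duplicate the proposal as well.
	// This is now handled in the cfparse.y
	// new->proposal = ...;

	/*
	 * Detach the members re-created below so that the failure path
	 * never releases rmconf's own lists through the aliased pointers.
	 */
	new->etypes = NULL;
	new->idvl_p = NULL;

	/* duplicate dynamic structures */
	if (rmconf->etypes != NULL) {
		new->etypes = dupetypes(rmconf->etypes);
		if (new->etypes == NULL)
			goto fail;
	}

	new->idvl_p = genlist_init();
	if (new->idvl_p == NULL)
		goto fail;
	/* dupidvl() returns non-NULL to abort the walk when a clone fails */
	if (genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p) != NULL)
		goto fail;

	return new;

fail:
	if (new->idvl_p != NULL)
		genlist_free(new->idvl_p, idspec_free);
	if (new->etypes != NULL)
		deletypes(new->etypes);
	racoon_free(new);
	return NULL;
}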
377
/*
 * genlist_free() callback for idspec entries: release the identifier
 * buffer, then the entry itself.
 * NOTE(review): the entry is released with free() although newidspec()
 * obtains it from racoon_calloc() — confirm the two allocators are
 * interchangeable in this build.
 */
static void
idspec_free(void *data)
{
	struct idspec *spec = data;

	vfree(spec->id);
	free(spec);
}
384
/*
 * Release a chain of proposalspec nodes together with the secprotospec
 * chain hanging off each node.  Every next pointer is read before its
 * node is freed, so the walk never touches released memory.
 */
static void
proposalspec_free(struct proposalspec *head)
{
	struct proposalspec *prop = head;

	while (prop != NULL) {
		struct proposalspec *prop_next = prop->next;
		struct secprotospec *proto = prop->spspec;

		while (proto != NULL) {
			struct secprotospec *proto_next = proto->next;

			if (proto->gssid)
				free(proto->gssid);
			if (proto->remote)
				free(proto->remote);
			racoon_free(proto);
			proto = proto_next;
		}

		racoon_free(prop);
		prop = prop_next;
	}
}
413
/*
 * Free a remote configuration and everything it owns.  Callers on this
 * page unlink it from rmtree first (see flushrmconf()).
 * On Apple builds an entry still referenced by a phase 1 handler is only
 * marked to_delete; unlink_rmconf_from_ph1() finishes the job once the
 * last reference is dropped.
 */
void
delrmconf(rmconf)
	struct remoteconf *rmconf;
{
#ifdef __APPLE__
	if (rmconf->linked_to_ph1) {
		rmconf->to_delete = TRUE;
		return;
	}
#endif
	/* peer address and identities */
	if (rmconf->remote)
		racoon_free(rmconf->remote);
#ifdef ENABLE_HYBRID
	if (rmconf->xauth)
		xauth_rmconf_delete(&rmconf->xauth);
#endif
	if (rmconf->etypes) {
		deletypes(rmconf->etypes);
		rmconf->etypes = NULL;
	}
	if (rmconf->idv)
		vfree(rmconf->idv);
	if (rmconf->idvl_p)
		genlist_free(rmconf->idvl_p, idspec_free);

	/* phase 1 proposal material */
	if (rmconf->dhgrp)
		oakley_dhgrp_free(rmconf->dhgrp);
	if (rmconf->proposal)
		delisakmpsa(rmconf->proposal);
	if (rmconf->prhead)
		proposalspec_free(rmconf->prhead);

	/* certificate paths and RSA key lists */
	if (rmconf->mycertfile)
		racoon_free(rmconf->mycertfile);
	if (rmconf->myprivfile)
		racoon_free(rmconf->myprivfile);
	if (rmconf->peerscertfile)
		racoon_free(rmconf->peerscertfile);
	if (rmconf->cacertfile)
		racoon_free(rmconf->cacertfile);
	if (rmconf->rsa_private)
		genlist_free(rmconf->rsa_private, rsa_key_free);
	if (rmconf->rsa_public)
		genlist_free(rmconf->rsa_public, rsa_key_free);

#ifdef __APPLE__
	/*
	 * NOTE(review): the shared secret is released with vfree() —
	 * confirm it scrubs the buffer before giving the memory back.
	 */
	if (rmconf->shared_secret)
		vfree(rmconf->shared_secret);
	if (rmconf->keychainCertRef)
		vfree(rmconf->keychainCertRef);
	if (rmconf->open_dir_auth_group)
		vfree(rmconf->open_dir_auth_group);
#endif

	racoon_free(rmconf);
}
467
/*
 * Free the proposal chain starting at sa (sa must not be NULL),
 * including each element's DH group and, with GSS-API support, its
 * GSS id.  Written as a loop; the original recursed on sa->next.
 */
void
delisakmpsa(sa)
	struct isakmpsa *sa;
{
	struct isakmpsa *cur = sa;
	struct isakmpsa *next;

	do {
		next = cur->next;
		if (cur->dhgrp)
			oakley_dhgrp_free(cur->dhgrp);
#ifdef HAVE_GSSAPI
		if (cur->gssid)
			vfree(cur->gssid);
#endif
		racoon_free(cur);
		cur = next;
	} while (cur != NULL);
}
482
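/*
 * Deep-copy a list of accepted exchange types.
 * Returns the head of the new list, NULL for an empty input, and NULL
 * (after releasing the partially built copy) when an allocation fails.
 * Previously a failure part-way through returned a silently truncated
 * list, which would have narrowed the set of exchange types accepted
 * from a peer without any error being reported; the all-or-nothing
 * result lets the caller treat NULL from a non-empty input as an error.
 */
struct etypes *
dupetypes(orig)
	struct etypes *orig;
{
	struct etypes *head = NULL;
	struct etypes *tail = NULL;
	struct etypes *src;

	for (src = orig; src != NULL; src = src->next) {
		struct etypes *node = racoon_malloc(sizeof(*node));

		if (node == NULL) {
			/* deletypes() walks the whole chain; it needs a non-NULL head */
			if (head != NULL)
				deletypes(head);
			return NULL;
		}
		node->type = src->type;
		node->next = NULL;

		if (tail == NULL)
			head = node;
		else
			tail->next = node;
		tail = node;
	}

	return head;
}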
504
/*
 * Free the exchange-type list starting at e (e must not be NULL).
 * Written as a loop; the original recursed on e->next.
 */
void
deletypes(e)
	struct etypes *e;
{
	struct etypes *cur = e;
	struct etypes *next;

	do {
		next = cur->next;
		racoon_free(cur);
		cur = next;
	} while (cur != NULL);
}
513
514/*
515 * insert into head of list.
516 */
void
insrmconf(new)
	struct remoteconf *new;
{
	/* newest first: getrmconf_strict() returns the first match it meets */
	TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
523
/*
 * Unlink rmconf from rmtree without freeing it (see delrmconf()).
 * On Apple builds an entry still in use by a phase 1 handler is only
 * flagged to_remove and is unlinked later by unlink_rmconf_from_ph1().
 */
void
remrmconf(rmconf)
	struct remoteconf *rmconf;
{
#ifdef __APPLE__
	if (rmconf->linked_to_ph1 != 0) {
		rmconf->to_remove = TRUE;
		return;
	}
#endif
	TAILQ_REMOVE(&rmtree, rmconf, chain);
}
536
/*
 * Unlink and free every remote configuration.  The successor is read
 * before remrmconf()/delrmconf() run because delrmconf() releases the
 * node.  On Apple builds entries still referenced by a phase 1 handler
 * are only flagged by those two calls and stay in the list until released.
 */
void
flushrmconf()
{
	struct remoteconf *cur = TAILQ_FIRST(&rmtree);

	while (cur != NULL) {
		struct remoteconf *succ = TAILQ_NEXT(cur, chain);

		remrmconf(cur);
		delrmconf(cur);
		cur = succ;
	}
}
548
/* Reset the remote configuration registry; must run before the first insrmconf(). */
void
initrmconf()
{
	TAILQ_INIT(&rmtree);
}
554
555/* check exchange type to be acceptable */
struct etypes *
check_etypeok(rmconf, etype)
	struct remoteconf *rmconf;
	u_int8_t etype;
{
	struct etypes *cur = rmconf->etypes;

	/* first accepted-exchange-type node equal to etype; NULL when not accepted */
	while (cur != NULL && cur->type != etype)
		cur = cur->next;

	return cur;
}
570
571/*%%%*/
/*
 * Allocate an empty phase 1 proposal node.  Returns NULL on allocation
 * failure; the caller owns the result (delisakmpsa() frees a chain).
 */
struct isakmpsa *
newisakmpsa()
{
	struct isakmpsa *sa = racoon_calloc(1, sizeof(*sa));

	if (sa == NULL)
		return NULL;

	/*
	 * Just for sanity, make sure this is initialized. This is
	 * filled in for real when the ISAKMP proposal is configured.
	 */
	sa->vendorid = VENDORID_UNKNOWN;

	sa->rmconf = NULL;
	sa->next = NULL;
#ifdef HAVE_GSSAPI
	sa->gssid = NULL;
#endif

	return sa;
}
595
596/*
597 * insert into tail of list.
598 */
void
insisakmpsa(new, rmconf)
	struct isakmpsa *new;
	struct remoteconf *rmconf;
{
	struct isakmpsa **tailp;

	/* the proposal remembers the remote block it belongs to */
	new->rmconf = rmconf;

	/* walk to the terminating next pointer (or the empty head) and hang new there */
	for (tailp = &rmconf->proposal; *tailp != NULL; tailp = &(*tailp)->next)
		;
	*tailp = new;
}
619
/*
 * Call rmconf_func(entry, data) for each remote configuration, oldest
 * (tail) first, stopping at the first non-NULL result, which is then
 * returned.  Returns NULL when every call returned NULL.
 */
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
	struct remoteconf *cur;
	struct remoteconf *hit = NULL;

	TAILQ_FOREACH_REVERSE(cur, &rmtree, _rmtree, chain) {
		hit = (*rmconf_func)(cur, data);
		if (hit != NULL)
			break;
	}

	return hit;
}
633
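/*
 * Append a printf-style fragment to buf[cap] at offset *used.
 *
 * snprintf() returns the length the whole string would have had, not the
 * number of bytes stored, so the "pbuf += snprintf(...)" idiom this
 * replaces advanced the cursor past the end of buf on truncation; the
 * next call then computed a wrapped-around size_t length and could write
 * outside the buffer.  Here *used is clamped to cap - 1 on truncation,
 * later appends become no-ops, and buf stays NUL-terminated.  An output
 * error from vsnprintf() leaves *used untouched.
 */
static void
dump_append(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (cap == 0 || *used >= cap - 1)
		return;

	va_start(ap, fmt);
	n = vsnprintf(buf + *used, cap - *used, fmt, ap);
	va_end(ap);

	if (n < 0)
		return;
	if ((size_t)n >= cap - *used)
		*used = cap - 1;	/* truncated: the buffer is full */
	else
		*used += (size_t)n;
}

/*
 * genlist_foreach() callback: log one "peers_identifier <type> "<id>";"
 * line for the idspec passed as entry.  arg is unused.  Always returns
 * NULL so the walk continues.
 */
static void *
dump_peers_identifiers (void *entry, void *arg)
{
	struct idspec *id = (struct idspec *)entry;
	char buf[1024];
	size_t used = 0;

	buf[0] = '\0';
	dump_append(buf, sizeof(buf), &used, "\tpeers_identifier %s",
	    s_idtype (id->idtype));
	/* vchar_t carries an explicit length, so bound the read by it instead of trusting a terminator */
	if (id->id)
		dump_append(buf, sizeof(buf), &used, " \"%.*s\"",
		    (int)id->id->l, id->id->v);
	plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
	return NULL;
}

/*
 * foreachrmconf() callback: log one remote configuration block at
 * LLV_INFO in racoon.conf-like syntax.  data is unused and NULL is
 * always returned so that the walk covers every entry.
 *
 * The fixed-size line buffer is filled through dump_append(), which
 * truncates instead of overrunning when a peer address, identifier or
 * exchange-type list is longer than the buffer.
 */
static struct remoteconf *
dump_rmconf_single (struct remoteconf *p, void *data)
{
	struct etypes *etype = p->etypes;
	struct isakmpsa *prop = p->proposal;
	char buf[1024];
	size_t used;

	/* "remote <addr> [inherit <addr>] {" */
	used = 0;
	buf[0] = '\0';
	dump_append(buf, sizeof(buf), &used, "remote %s", saddr2str(p->remote));
	if (p->inherited_from)
		dump_append(buf, sizeof(buf), &used, " inherit %s",
		    saddr2str(p->inherited_from->remote));
	plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);

	/* "exchange_type a, b;" — stays unterminated for an empty list, as before */
	used = 0;
	buf[0] = '\0';
	dump_append(buf, sizeof(buf), &used, "\texchange_type ");
	while (etype) {
		dump_append(buf, sizeof(buf), &used, "%s%s", s_etype(etype->type),
		    etype->next != NULL ? ", " : ";\n");
		etype = etype->next;
	}
	plog(LLV_INFO, LOCATION, NULL, "%s", buf);
	plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));

	/* own identifier, then either certificate settings or the peers' identifiers */
	used = 0;
	buf[0] = '\0';
	dump_append(buf, sizeof(buf), &used, "\tmy_identifier %s", s_idtype (p->idvtype));
	if (p->idvtype == IDTYPE_ASN1DN) {
		plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
		/* file names may be unset; never hand NULL to %s */
		plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
		    p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
		    p->mycertfile ? p->mycertfile : "(null)",
		    p->myprivfile ? p->myprivfile : "(null)");
		switch (p->getcert_method) {
		case 0:
			break;
		case ISAKMP_GETCERT_PAYLOAD:
			plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
			break;
		case ISAKMP_GETCERT_LOCALFILE:
			plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n",
			    p->peerscertfile ? p->peerscertfile : "(null)");
			break;
		case ISAKMP_GETCERT_DNS:
			plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
			break;
		default:
			plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
		}
	}
	else {
		if (p->idv)
			dump_append(buf, sizeof(buf), &used, " \"%.*s\"",
			    (int)p->idv->l, p->idv->v);
		plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
		genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
	}

	plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
		s_switch (p->send_cert));
	plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
		s_switch (p->send_cr));
	plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
		s_switch (p->verify_cert));
	plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
		s_switch (p->verify_identifier));
	plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
		p->nat_traversal == NATT_FORCE ?
			"force" : s_switch (p->nat_traversal));
#ifdef __APPLE__
	plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
		s_switch (p->natt_multiple_user));
#endif
	plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
		p->nonce_size);
	plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
		s_switch (p->passive));
	plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
		p->ike_frag == ISAKMP_FRAG_FORCE ?
			"force" : s_switch (p->ike_frag));
	plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
	plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
		s_switch (p->ini_contact));
	plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
		s_switch (p->gen_policy));
	plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
		s_switch (p->support_proxy));

	while (prop) {
		plog(LLV_INFO, LOCATION, NULL, "\n");
		plog(LLV_INFO, LOCATION, NULL,
			"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
			prop->prop_no, prop->trns_no,
			saddr2str(prop->rmconf->remote));
		plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
		/* the value is cast to long, so the conversion must be the signed %ld */
		plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %ld sec;\n",
			(long)prop->lifetime);
		plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
			prop->lifebyte);
		plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
			alg_oakley_dhdef_name(prop->dh_group));
		plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
			alg_oakley_encdef_name(prop->enctype));
		plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
			alg_oakley_hashdef_name(prop->hashtype));
		plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
			alg_oakley_authdef_name(prop->authmethod));
		plog(LLV_INFO, LOCATION, NULL, "\t}\n");
		prop = prop->next;
	}
	plog(LLV_INFO, LOCATION, NULL, "}\n");
	plog(LLV_INFO, LOCATION, NULL, "\n");

	return NULL;
}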
757
/* Log every remote configuration at LLV_INFO, oldest entry first. */
void
dumprmconf()
{
	(void)foreachrmconf(dump_rmconf_single, NULL);
}
763
struct idspec *
newidspec()
{
	struct idspec *spec = racoon_calloc(1, sizeof(*spec));

	/* NULL on allocation failure; id stays NULL until set_identifier() fills it */
	if (spec != NULL)
		spec->idtype = IDTYPE_ADDRESS;

	return spec;
}
776
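/*
 * Resolve a script path from the configuration.  A relative path is
 * prefixed with the configured script directory
 * (lcconf->pathinfo[LC_PATHTYPE_SCRIPT]); an absolute path, or any path
 * when no script directory is configured, is returned unchanged.
 *
 * Ownership: on success path is either returned as-is or freed and
 * replaced by the new buffer, so the caller must only use the return
 * value.  On allocation failure NULL is returned and path is left intact
 * for the caller to release.
 *
 * NOTE(review): path->v is consumed by strlcat() as a NUL-terminated
 * string — confirm the parser always stores script names that way.
 *
 * The unused locals new_storage, sp and size of the original were removed.
 */
vchar_t *
script_path_add(path)
	vchar_t *path;
{
	char *script_dir;
	vchar_t *new_path;
	size_t len;

	script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];

	/* absolute paths, and every path without a script directory, are used verbatim */
	if (path->v[0] == '/' || script_dir == NULL)
		return path;

	/* sizeof("/") already counts a NUL, so this over-allocates by a byte or two; harmless */
	len = strlen(script_dir) + sizeof("/") + path->l + 1;

	if ((new_path = vmalloc(len)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory: %s\n", strerror(errno));
		return NULL;
	}

	/* every append is bounded by the buffer length new_path->l */
	new_path->v[0] = '\0';
	(void)strlcat(new_path->v, script_dir, new_path->l);
	(void)strlcat(new_path->v, "/", new_path->l);
	(void)strlcat(new_path->v, path->v, new_path->l);

	vfree(path);
	return new_path;
}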
811
/*
 * Shallow-copy a phase 1 proposal node.  The copy is detached from the
 * source chain (next = NULL) and gets its own DH group when the source
 * has one; gssid is duplicated under HAVE_GSSAPI.  Returns NULL when sa
 * is NULL or allocation fails.
 *
 * NOTE(review): *copy = *sa first copies sa->dhgrp by pointer; if
 * oakley_setdhgroup() fails to replace it, the copy still aliases the
 * source's group and delisakmpsa() on both would free it twice — confirm
 * oakley_setdhgroup() resets the pointer on failure.  Likewise vdup() is
 * called even when sa->gssid is NULL — confirm it accepts NULL.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *copy;

	if (sa == NULL)
		return NULL;

	copy = newisakmpsa();
	if (copy == NULL)
		return NULL;

	*copy = *sa;
	copy->next = NULL;
#ifdef HAVE_GSSAPI
	copy->gssid = vdup(sa->gssid);
#endif

	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &(copy->dhgrp));

	return copy;
}
837
/*
 * genlist_free() callback for rsa_key entries: release src, dst, the
 * OpenSSL key and the entry itself.
 */
void
rsa_key_free(void *entry)
{
	struct rsa_key *key = entry;

	free(key->src);	/* free(NULL) is a no-op */
	free(key->dst);
	if (key->rsa)
		RSA_free(key->rsa);
	free(key);
}
850}