]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/isakmp_unity.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-326.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_unity.c
1 /* $NetBSD: isakmp_unity.c,v 1.7 2006/10/09 06:17:20 manu Exp $ */
2
3 /* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <fcntl.h>
47 #include <string.h>
48 #include <errno.h>
49 #if TIME_WITH_SYS_TIME
50 # include <sys/time.h>
51 # include <time.h>
52 #else
53 # if HAVE_SYS_TIME_H
54 # include <sys/time.h>
55 # else
56 # include <time.h>
57 # endif
58 #endif
59 #include <netdb.h>
60 #ifdef HAVE_UNISTD_H
61 #include <unistd.h>
62 #endif
63 #include <ctype.h>
64
65 #include "var.h"
66 #include "misc.h"
67 #include "vmbuf.h"
68 #include "plog.h"
69 #include "sockmisc.h"
70 #include "schedule.h"
71 #include "debug.h"
72
73 #include "isakmp_var.h"
74 #include "isakmp.h"
75 #include "handler.h"
76 #include "isakmp_xauth.h"
77 #include "isakmp_unity.h"
78 #include "isakmp_cfg.h"
79 #include "strnames.h"
80
81 static vchar_t *isakmp_cfg_split (phase1_handle_t *,
82 struct isakmp_data *, struct unity_netentry*,int);
83
84 vchar_t *
85 isakmp_unity_req(iph1, attr)
86 phase1_handle_t *iph1;
87 struct isakmp_data *attr;
88 {
89 int type;
90 vchar_t *reply_attr = NULL;
91
92 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) == 0) {
93 plog(ASL_LEVEL_ERR,
94 "Unity mode config request but the peer "
95 "did not declare itself as unity compliant\n");
96 return NULL;
97 }
98
99 type = ntohs(attr->type);
100
101 /* Handle short attributes */
102 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
103 type &= ~ISAKMP_GEN_MASK;
104
105 plog(ASL_LEVEL_DEBUG,
106 "Short attribute %s = %d\n",
107 s_isakmp_cfg_type(type), ntohs(attr->lorv));
108
109 switch (type) {
110 default:
111 plog(ASL_LEVEL_DEBUG,
112 "Ignored short attribute %s\n",
113 s_isakmp_cfg_type(type));
114 break;
115 }
116
117 return reply_attr;
118 }
119
120 switch(type) {
121 case UNITY_BANNER: {
122 #define MAXMOTD 65536
123 char buf[MAXMOTD + 1];
124 int fd;
125 char *filename = &isakmp_cfg_config.motd[0];
126 int len;
127
128 if ((fd = open(filename, O_RDONLY, 0)) == -1) {
129 plog(ASL_LEVEL_ERR,
130 "Cannot open \"%s\"\n", filename);
131 return NULL;
132 }
133
134 if ((len = read(fd, buf, MAXMOTD)) == -1) {
135 plog(ASL_LEVEL_ERR,
136 "Cannot read \"%s\"\n", filename);
137 close(fd);
138 return NULL;
139 }
140 close(fd);
141
142 buf[len] = '\0';
143 reply_attr = isakmp_cfg_string(iph1, attr, buf);
144
145 break;
146 }
147
148 case UNITY_PFS:
149 reply_attr = isakmp_cfg_short(iph1, attr,
150 isakmp_cfg_config.pfs_group);
151 break;
152
153 case UNITY_SAVE_PASSWD:
154 reply_attr = isakmp_cfg_short(iph1, attr,
155 isakmp_cfg_config.save_passwd);
156 break;
157
158 case UNITY_DDNS_HOSTNAME:
159 reply_attr = isakmp_cfg_copy(iph1, attr);
160 break;
161
162 case UNITY_DEF_DOMAIN:
163 reply_attr = isakmp_cfg_string(iph1,
164 attr, isakmp_cfg_config.default_domain);
165 break;
166
167 case UNITY_SPLIT_INCLUDE:
168 if(isakmp_cfg_config.splitnet_type == UNITY_SPLIT_INCLUDE)
169 reply_attr = isakmp_cfg_split(iph1, attr,
170 isakmp_cfg_config.splitnet_list,
171 isakmp_cfg_config.splitnet_count);
172 else
173 return NULL;
174 break;
175 case UNITY_LOCAL_LAN:
176 if(isakmp_cfg_config.splitnet_type == UNITY_LOCAL_LAN)
177 reply_attr = isakmp_cfg_split(iph1, attr,
178 isakmp_cfg_config.splitnet_list,
179 isakmp_cfg_config.splitnet_count);
180 else
181 return NULL;
182 break;
183 case UNITY_SPLITDNS_NAME:
184 reply_attr = isakmp_cfg_varlen(iph1, attr,
185 isakmp_cfg_config.splitdns_list,
186 isakmp_cfg_config.splitdns_len);
187 break;
188 case UNITY_FW_TYPE:
189 case UNITY_NATT_PORT:
190 case UNITY_BACKUP_SERVERS:
191 default:
192 plog(ASL_LEVEL_DEBUG,
193 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
194 return NULL;
195 break;
196 }
197
198 return reply_attr;
199 }
200
201 void
202 isakmp_unity_reply(iph1, attr)
203 phase1_handle_t *iph1;
204 struct isakmp_data *attr;
205 {
206 int type = ntohs(attr->type);
207 int alen = ntohs(attr->lorv);
208
209 type &= ~ISAKMP_GEN_MASK;
210
211 struct unity_network *network = (struct unity_network *)(attr + 1);
212 int index = 0;
213 int count = 0;
214
215 switch(type) {
216 case UNITY_SPLIT_INCLUDE:
217 {
218 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) == 0) {
219 if (alen)
220 count = alen / sizeof(struct unity_network);
221
222 for(;index < count; index++)
223 splitnet_list_add(
224 &iph1->mode_cfg->split_include,
225 &network[index],
226 &iph1->mode_cfg->include_count);
227
228 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_SPLIT_INCLUDE;
229 }
230 break;
231 }
232 case UNITY_LOCAL_LAN:
233 {
234 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) == 0) {
235 if (alen)
236 count = alen / sizeof(struct unity_network);
237
238 for(;index < count; index++)
239 splitnet_list_add(
240 &iph1->mode_cfg->split_local,
241 &network[index],
242 &iph1->mode_cfg->local_count);
243
244 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_SPLIT_LOCAL;
245 }
246 break;
247 }
248 case UNITY_PFS:
249 {
250 break;
251 }
252 case UNITY_SPLITDNS_NAME:
253 case UNITY_BANNER:
254 case UNITY_SAVE_PASSWD:
255 case UNITY_NATT_PORT:
256 case UNITY_FW_TYPE:
257 case UNITY_BACKUP_SERVERS:
258 case UNITY_DDNS_HOSTNAME:
259 default:
260 plog(ASL_LEVEL_WARNING,
261 "Ignored attribute %s\n",
262 s_isakmp_cfg_type(type));
263 break;
264 }
265 return;
266 }
267
268 static vchar_t *
269 isakmp_cfg_split(iph1, attr, netentry, count)
270 phase1_handle_t *iph1;
271 struct isakmp_data *attr;
272 struct unity_netentry *netentry;
273 int count;
274 {
275 vchar_t *buffer;
276 struct isakmp_data *new;
277 struct unity_network * network;
278 size_t len;
279 int index = 0;
280
281 char tmp1[40];
282 char tmp2[40];
283
284 len = sizeof(struct unity_network) * count;
285 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
286 plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
287 return NULL;
288 }
289
290 new = (struct isakmp_data *)buffer->v;
291 new->type = attr->type;
292 new->lorv = htons(len);
293
294 network = (struct unity_network *)(new + 1);
295 for (; index < count; index++) {
296
297 memcpy(&network[index],
298 &netentry->network,
299 sizeof(struct unity_network));
300
301 inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
302 inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
303 plog(ASL_LEVEL_DEBUG, "splitnet: %s/%s\n", tmp1, tmp2);
304
305 netentry = netentry->next;
306 }
307
308 return buffer;
309 }
310
311 int splitnet_list_add(list, network, count)
312 struct unity_netentry ** list;
313 struct unity_network * network;
314 int *count;
315 {
316 struct unity_netentry * newentry;
317
318 /*
319 * allocate new netentry and copy
320 * new splitnet network data
321 */
322 newentry = (struct unity_netentry *)
323 racoon_malloc(sizeof(struct unity_netentry));
324 if (newentry == NULL)
325 return -1;
326
327 memcpy(&newentry->network,network,
328 sizeof(struct unity_network));
329 newentry->next = NULL;
330
331 /*
332 * locate the last netentry in our
333 * splitnet list and add our entry
334 */
335 if (*list == NULL)
336 *list = newentry;
337 else {
338 struct unity_netentry * tmpentry = *list;
339 while (tmpentry->next != NULL)
340 tmpentry = tmpentry->next;
341 tmpentry->next = newentry;
342 }
343
344 (*count)++;
345
346 return 0;
347 }
348
349 void splitnet_list_free(list, count)
350 struct unity_netentry * list;
351 int *count;
352 {
353 struct unity_netentry * netentry = list;
354 struct unity_netentry * delentry;
355
356 *count = 0;
357
358 while (netentry != NULL) {
359 delentry = netentry;
360 netentry = netentry->next;
361 racoon_free(delentry);
362 }
363 }
364
365 char * splitnet_list_2str(list)
366 struct unity_netentry * list;
367 {
368 struct unity_netentry * netentry;
369 char tmp1[40];
370 char tmp2[40];
371 char * str;
372 int len;
373 int print_len;
374 int rc;
375
376 /* determine string length */
377 len = 0;
378 netentry = list;
379 while (netentry != NULL) {
380
381 inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
382 inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
383 len += strlen(tmp1);
384 len += strlen(tmp2);
385 len += 2;
386
387 netentry = netentry->next;
388 }
389
390 /* allocate network list string */
391 str = racoon_malloc(len);
392 if (str == NULL)
393 return NULL;
394
395 /* create network list string */
396 str[0] = 0;
397 print_len = 0;
398 netentry = list;
399 while (netentry != NULL && print_len < len) {
400
401 inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
402 inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
403
404 rc = snprintf(str+print_len, len-print_len, "%s/%s ", tmp1, tmp2);
405 if (rc < 0) {
406 // failure -> exit loop
407 break;
408 }
409 print_len += rc;
410
411 netentry = netentry->next;
412 }
413
414 return str;
415 }
mirror of ipsec