1 /* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44
45 #ifndef HAVE_NETINET6_IPSEC
46 #include <netinet/ipsec.h>
47 #else
48 #include <netinet6/ipsec.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "genlist.h"
62 #include "debug.h"
63
64 #include "isakmp_var.h"
65 #ifdef ENABLE_HYBRID
66 #include "isakmp_xauth.h"
67 #endif
68 #include "isakmp.h"
69 #include "ipsec_doi.h"
70 #include "oakley.h"
71 #include "remoteconf.h"
72 #include "localconf.h"
73 #include "grabmyaddr.h"
74 #include "policy.h"
75 #include "proposal.h"
76 #include "vendorid.h"
77 #include "gcmalloc.h"
78 #include "strnames.h"
79 #include "algorithm.h"
80 #include "nattraversal.h"
81 #include "isakmp_frag.h"
82 #include "genlist.h"
83 #include "vpn_control_var.h"
84
/*
 * Global list of every remote configuration entry.  insrmconf() pushes new
 * entries at the head and getrmconf_strict() walks the list from the head,
 * so when several entries match, the most recently inserted one is seen
 * first.  foreachrmconf() walks it in reverse (oldest first).
 */
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
86
87
88 /*%%%*/
/* How a remote configuration entry relates to the address being looked up. */
enum {
	RMCONF_MATCH_NONE = 0,		/* address does not match */
	RMCONF_MATCH_BESTEFFORT,	/* address matches, port differs */
	RMCONF_MATCH_EXACT		/* address (and port, if compared) matches */
};

/*
 * Classify how entry @p relates to @remote.
 *
 * With @withport set, the port takes part in the comparison; a failed
 * port-aware comparison is retried address-only and reported as
 * RMCONF_MATCH_BESTEFFORT.  Entries carrying a prefix length use the
 * _withprefix comparison helpers.
 */
static int
rmconf_match_class(struct sockaddr_storage *remote, struct remoteconf *p,
    int withport)
{
	int exact;

	if (p->remote_prefix == 0) {
		exact = withport
		    ? cmpsaddrstrict(remote, p->remote) == 0
		    : cmpsaddrwop(remote, p->remote) == 0;
		if (exact)
			return RMCONF_MATCH_EXACT;
		if (withport && cmpsaddrwop(remote, p->remote) == 0)
			return RMCONF_MATCH_BESTEFFORT;
		return RMCONF_MATCH_NONE;
	}

	exact = withport
	    ? cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0
	    : cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0;
	if (exact)
		return RMCONF_MATCH_EXACT;
	if (withport
	    && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
		return RMCONF_MATCH_BESTEFFORT;
	return RMCONF_MATCH_NONE;
}

/*
 * Search the remote configuration list for the entry matching @remote.
 *
 * The port is part of the comparison only when @remote carries one (i.e.
 * it is not IPSEC_PORT_ANY).  Our remote configurations never carry a
 * port, but with NAT-T the kernel can hand us an acquire for a destination
 * that has one; a port-aware match that fails therefore falls back to a
 * best-effort, address-only match.  (Ideally remote configurations could
 * carry a wildcard port and that would be tested instead.)
 *
 * Selection order:
 *   1. an AF_UNSPEC @remote returns the first anonymous entry;
 *   2. an exact match on an entry without prefix returns immediately;
 *   3. otherwise, in this order: an address-only match on an entry without
 *      prefix, an exact prefix match, an address-only prefix match.
 *      Prefix candidates are ranked by prefix length (longest wins, later
 *      entry wins a tie); note that both prefix candidates share one
 *      ranking counter, so a longer best-effort prefix hides a shorter
 *      exact one;
 *   4. with @allow_anon set, the anonymous entry -- which accepts any
 *      peer -- is returned as a last resort.
 *
 * Returns the selected entry, or NULL when nothing applies or the address
 * family is unsupported.
 */
struct remoteconf *
getrmconf_strict(struct sockaddr_storage *remote, int allow_anon)
{
	struct remoteconf *p;
	struct remoteconf *host_besteffort = NULL;	/* no prefix, port differs */
	struct remoteconf *net_exact = NULL;		/* longest prefix, full match */
	struct remoteconf *net_besteffort = NULL;	/* longest prefix, port differs */
	struct remoteconf *anon = NULL;
	int best_prefix = 0;
	int withport = 0;
	char buf[NI_MAXHOST + NI_MAXSERV + 10];
	char addr[NI_MAXHOST], port[NI_MAXSERV];

	switch (remote->ss_family) {
	case AF_INET:
		withport = ((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY;
		break;
#ifdef INET6
	case AF_INET6:
		withport = ((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY;
		break;
#endif
	case AF_UNSPEC:
		break;
	default:
		plog(ASL_LEVEL_ERR,
		    "invalid ip address family: %d\n", remote->ss_family);
		return NULL;
	}

	/* Printable peer name; only used in the debug messages below. */
	if (remote->ss_family == AF_UNSPEC) {
		snprintf(buf, sizeof(buf), "%s", "anonymous");
	} else {
		GETNAMEINFO((struct sockaddr *)remote, addr, port);
		if (withport)
			snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
		else
			snprintf(buf, sizeof(buf), "%s", addr);
	}

	TAILQ_FOREACH(p, &rmtree, chain) {
		int cls;

		/* An anonymous lookup takes the first anonymous entry. */
		if (remote->ss_family == AF_UNSPEC
		    && p->remote->ss_family == AF_UNSPEC) {
			plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
			return p;
		}

		cls = rmconf_match_class(remote, p, withport);
		if (p->remote_prefix == 0) {
			if (cls == RMCONF_MATCH_EXACT) {
				plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
				return p;
			}
			if (cls == RMCONF_MATCH_BESTEFFORT)
				host_besteffort = p;
		} else if (cls != RMCONF_MATCH_NONE
		    && p->remote_prefix >= best_prefix) {
			if (cls == RMCONF_MATCH_EXACT)
				net_exact = p;
			else
				net_besteffort = p;
			best_prefix = p->remote_prefix;
		}

		/* remember the anonymous entry for the fallback below */
		if (p->remote->ss_family == AF_UNSPEC)
			anon = p;
	}

	if (host_besteffort != NULL) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return host_besteffort;
	}
	if (net_exact != NULL) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return net_exact;
	}
	if (net_besteffort != NULL) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return net_besteffort;
	}
	if (allow_anon && anon != NULL) {
		plog(ASL_LEVEL_DEBUG,
		    "anonymous configuration selected for %s.\n", buf);
		return anon;
	}

	plog(ASL_LEVEL_DEBUG,
	    "no remote configuration found.\n");

	return NULL;
}
212
/*
 * Report whether the remote configuration list is effectively empty.
 *
 * @ignore_anonymous  when non-zero, the anonymous (AF_UNSPEC) entry does
 *                    not count as a configuration.
 *
 * On builds other than device iOS, the IPv6 entry whose user-FQDN
 * identifier is "macuser@localhost" (the default btmm entry that is always
 * present in racoon.conf) never counts either.
 *
 * Returns 1 when no counting entry exists, 0 as soon as one is found.
 */
int
no_remote_configs(int ignore_anonymous)
{
	struct remoteconf *p;
#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
	static const char default_idv[] = "macuser@localhost";
	static const int default_idv_len = sizeof(default_idv) - 1;
#endif /* !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) */

	TAILQ_FOREACH(p, &rmtree, chain) {
		int counts = 1;

		if (ignore_anonymous && p->remote->ss_family == AF_UNSPEC)
			counts = 0;	/* anonymous entry */
#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
		if (counts
		    && p->remote->ss_family == AF_INET6
		    && p->idvtype == IDTYPE_USERFQDN
		    && p->idv != NULL
		    && p->idv->l == default_idv_len
		    && strncmp(p->idv->v, default_idv, p->idv->l) == 0)
			counts = 0;	/* default btmm IPv6 entry */
#endif /* !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) */
		if (counts)
			return 0;
	}
	return 1;
}
243
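/*
 * Look up the remote configuration for @remote, allowing the anonymous
 * entry as a fallback.  When nothing matches an IPv6 peer and a NAT64
 * prefix is configured, the IPv4 address embedded in the IPv6 address is
 * extracted and looked up too, so a NAT64-translated peer still finds its
 * IPv4 entry.
 *
 * Returns the matching entry or NULL.
 */
struct remoteconf *
getrmconf(struct sockaddr_storage *remote)
{
	struct remoteconf *rmconf = getrmconf_strict(remote, 1);

	if (rmconf != NULL)
		return rmconf;

	if (remote->ss_family == AF_INET6) {
		/*
		 * Designated initializer: every byte not named here
		 * (sin_zero included) is zeroed, so the comparison helpers
		 * never see uninitialized padding.
		 */
		struct sockaddr_in v4dst = {
			.sin_family = AF_INET,
			.sin_len = sizeof(struct sockaddr_in),
			.sin_port = 0,
		};
		nw_nat64_prefix_t nat64_prefix;

		if (vpncontrol_set_nat64_prefix(&nat64_prefix)) {
			nw_nat64_extract_v4(&nat64_prefix,
			    &((struct sockaddr_in6 *)remote)->sin6_addr,
			    &v4dst.sin_addr);

			/*
			 * v4dst is AF_INET, so recursing into getrmconf()
			 * could only ever reach getrmconf_strict(); call it
			 * directly with the same allow_anon setting.
			 */
			rmconf = getrmconf_strict(
			    ALIGNED_CAST(struct sockaddr_storage *)&v4dst, 1);
			if (rmconf != NULL)
				return rmconf;
		}
	}

	return NULL;
}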
271
/*
 * Allocate a remote configuration entry filled with the built-in defaults.
 *
 * Security-relevant defaults set here: peer certificates are verified
 * (verify_cert), identifier verification is off (verify_identifier), the
 * weak phase-1 check is off, NAT traversal is on, and proposal checking is
 * strict.  The retransmission counter and interval are taken from the
 * local configuration (lcconf).
 *
 * Returns the new entry with refcount 1 (the caller owns it), or NULL when
 * allocation fails.  The result of genlist_init() is not checked.
 */
struct remoteconf *
create_rmconf(void)
{
	struct remoteconf *rmconf = racoon_calloc(1, sizeof(*rmconf));

	if (rmconf == NULL)
		return NULL;

	/* bookkeeping and not-yet-populated members */
	rmconf->refcount = 1;
	rmconf->in_list = 0;
	rmconf->proposal = NULL;
	rmconf->idv = NULL;
	rmconf->key = NULL;
#ifdef ENABLE_HYBRID
	rmconf->xauth = NULL;
#endif

	/* protocol behaviour */
	rmconf->doitype = IPSEC_DOI;
	rmconf->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
	rmconf->ike_version = ISAKMP_VERSION_NUMBER_IKEV1;
	rmconf->nonce_size = DEFAULT_NONCE_SIZE;
	rmconf->passive = FALSE;
	rmconf->ini_contact = TRUE;
	rmconf->mode_cfg = FALSE;
	rmconf->support_proxy = FALSE;
	rmconf->gen_policy = FALSE;
	rmconf->initiate_ph1rekey = TRUE;
	rmconf->pcheck_level = PROP_CHECK_STRICT;
	rmconf->weak_phase1_check = 0;

	/* identity and certificates */
	rmconf->idvtype = IDTYPE_UNDEFINED;
	rmconf->idvl_p = genlist_init();
	rmconf->verify_identifier = FALSE;
	rmconf->verify_cert = TRUE;
	rmconf->getcert_method = ISAKMP_GETCERT_PAYLOAD;
	rmconf->cacerttype = ISAKMP_CERT_X509SIGN;
	rmconf->certtype = ISAKMP_CERT_NONE;
	rmconf->send_cert = TRUE;
	rmconf->send_cr = TRUE;

	/* fragmentation and NAT traversal */
	rmconf->ike_frag = ISAKMP_FRAG_ON;
	rmconf->esp_frag = IP_MAXPACKET;
	rmconf->nat_traversal = NATT_ON;
	rmconf->natt_multiple_user = FALSE;
	rmconf->natt_keepalive = TRUE;

	/* retransmission, inherited from the local configuration */
	rmconf->retry_counter = lcconf->retry_counter;
	rmconf->retry_interval = lcconf->retry_interval;

	/* dead peer detection: enabled, but no periodic checks (interval 0) */
	rmconf->dpd = TRUE;
	rmconf->dpd_interval = 0;
	rmconf->dpd_retry = 5;
	rmconf->dpd_maxfails = 5;
	rmconf->dpd_algo = DPD_ALGO_INBOUND_DETECT;
	rmconf->idle_timeout = 0;

	return rmconf;
}
330
/*
 * Duplicate the remote configuration that matches @remote exactly (the
 * anonymous entry is not considered).  Logs an error and returns NULL when
 * no such entry exists; otherwise returns the copy made by duprmconf()
 * (which may itself be NULL on allocation failure).
 */
struct remoteconf *
copyrmconf(struct sockaddr_storage *remote)
{
	struct remoteconf *src = getrmconf_strict(remote, 0);

	if (src == NULL) {
		plog(ASL_LEVEL_ERR,
		    "Remote configuration for '%s' not found!\n",
		    saddr2str((struct sockaddr *)remote));
		return NULL;
	}

	return duprmconf(src);
}
348
/*
 * genlist_foreach() callback that deep-copies one idspec from @entry and
 * appends the copy to the genlist in @arg.
 *
 * Returns NULL to continue the iteration, or (void *)-1 when allocation or
 * set_identifier() fails (the half-built copy is released first).
 */
void *
dupidvl(void *entry, void *arg)
{
	struct idspec *src = entry;
	struct idspec *copy = newidspec();

	if (copy == NULL)
		return (void *)-1;

	if (set_identifier(&copy->id, src->idtype, src->id) != 0) {
		racoon_free(copy);
		return (void *)-1;
	}
	copy->idtype = src->idtype;

	genlist_append(arg, copy);
	return NULL;
}
367
/*
 * Shallow-copy @rmconf into a fresh, unlisted entry with refcount 1.
 *
 * Only the lists this file knows how to copy are duplicated: the
 * exchange-type list (dupetypes) and the peers_identifier list (dupidvl).
 * remote, forced_local, proposal, idv, key, the keychain / shared-secret /
 * auth-group buffers and xauth are reset to NULL and are expected to be
 * filled in by the caller (cfparse.y, per the original FIXME).
 *
 * NOTE(review): dhgrp, prhead and inherited_from are copied as-is, so the
 * copy shares them with the original.  delrmconf() frees dhgrp and prhead,
 * which would be a double free if both entries are deleted while those
 * members are set -- confirm against the callers before relying on it.
 *
 * Returns the copy, or NULL when allocation fails.
 */
struct remoteconf *
duprmconf(struct remoteconf *rmconf)
{
	struct remoteconf *copy = racoon_calloc(1, sizeof(*copy));

	if (copy == NULL)
		return NULL;
	*copy = *rmconf;

	/* members the copy must not share with the original */
	copy->remote = NULL;
	copy->forced_local = NULL;
	copy->keychainCertRef = NULL;		/* persistent keychain ref for cert */
	copy->shared_secret = NULL;		/* shared secret */
	copy->open_dir_auth_group = NULL;	/* group used to authorize the user */
	copy->proposal = NULL;
	copy->idv = NULL;
	copy->key = NULL;
#ifdef ENABLE_HYBRID
	copy->xauth = NULL;
#endif
	copy->in_list = 0;
	copy->refcount = 1;

	/* deep-copy the lists owned by this file */
	if (rmconf->etypes)
		copy->etypes = dupetypes(rmconf->etypes);
	copy->idvl_p = genlist_init();
	genlist_foreach(rmconf->idvl_p, dupidvl, copy->idvl_p);

	return copy;
}
404
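/*
 * genlist_free() callback: release one idspec and the identifier buffer it
 * owns.  idspec entries are allocated by newidspec() with racoon_calloc()
 * (and dupidvl() already releases them with racoon_free()), so the
 * matching racoon_free() is used here rather than plain free() to keep the
 * allocator pairing consistent across the file.
 */
static void
idspec_free(void *data)
{
	struct idspec *spec = data;

	vfree(spec->id);
	racoon_free(spec);
}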
411
/*
 * Free a chain of proposalspec nodes starting at @head, including every
 * secprotospec hanging off each node and the gssid / remote buffers those
 * carry.  @head may be NULL.
 *
 * NOTE(review): gssid and remote are released with plain free() while the
 * nodes themselves use racoon_free(); the allocator that created them is
 * not visible here -- confirm in cfparse.y before unifying.
 */
static void
proposalspec_free(struct proposalspec *head)
{
	struct proposalspec *propsp, *next_propsp;

	for (propsp = head; propsp != NULL; propsp = next_propsp) {
		struct secprotospec *protosp, *next_protosp;

		next_propsp = propsp->next;
		for (protosp = propsp->spspec; protosp != NULL; protosp = next_protosp) {
			next_protosp = protosp->next;
			if (protosp->gssid)
				free(protosp->gssid);
			if (protosp->remote)
				free(protosp->remote);
			racoon_free(protosp);
		}
		racoon_free(propsp);
	}
}
440
/*
 * Free every resource owned by @rmconf and then the entry itself.
 *
 * The refcount is not consulted and the entry is not unlinked here;
 * release_rmconf() and flushrmconf() call remrmconf() first.  After this
 * returns @rmconf is dangling.
 *
 * NOTE(review): shared_secret is released with vfree(); whether vfree()
 * zeroes the buffer before freeing is not visible in this file -- confirm,
 * otherwise the pre-shared key lingers in freed heap memory.
 */
void
delrmconf(struct remoteconf *rmconf)
{
	/* addresses */
	if (rmconf->remote)
		racoon_free(rmconf->remote);
	if (rmconf->forced_local)
		racoon_free(rmconf->forced_local);
#ifdef ENABLE_HYBRID
	if (rmconf->xauth)
		xauth_rmconf_delete(&rmconf->xauth);
#endif
	/* exchange types and identifiers */
	if (rmconf->etypes) {
		deletypes(rmconf->etypes);
		rmconf->etypes=NULL;
	}
	if (rmconf->idv)
		vfree(rmconf->idv);
	if (rmconf->idvl_p)
		genlist_free(rmconf->idvl_p, idspec_free);
	/* DH group and proposals */
	if (rmconf->dhgrp)
		oakley_dhgrp_free(rmconf->dhgrp);
	if (rmconf->proposal)
		delisakmpsa(rmconf->proposal);
	if (rmconf->prhead)
		proposalspec_free(rmconf->prhead);
	/* credentials */
	if (rmconf->shared_secret)
		vfree(rmconf->shared_secret);
	if (rmconf->keychainCertRef)
		vfree(rmconf->keychainCertRef);
	if (rmconf->open_dir_auth_group)
		vfree(rmconf->open_dir_auth_group);

	racoon_free(rmconf);
}
475
/*
 * Free the whole chain of isakmpsa proposals starting at @sa, including
 * each entry's DH group.  @sa must not be NULL (callers guard with
 * "if (rmconf->proposal)").  Walks the chain iteratively, so stack depth
 * does not grow with the number of proposals.
 */
void
delisakmpsa(struct isakmpsa *sa)
{
	do {
		struct isakmpsa *next = sa->next;

		if (sa->dhgrp)
			oakley_dhgrp_free(sa->dhgrp);
		racoon_free(sa);
		sa = next;
	} while (sa != NULL);
}
485
/*
 * Deep-copy the exchange-type list starting at @orig.
 *
 * Returns the head of the new list, NULL when @orig is NULL or the first
 * allocation fails.  If a later allocation fails the list built so far is
 * returned as-is, i.e. the copy is silently truncated.
 */
struct etypes *
dupetypes(struct etypes *orig)
{
	struct etypes *head = NULL;
	struct etypes **tail = &head;

	for (; orig != NULL; orig = orig->next) {
		struct etypes *node = racoon_malloc(sizeof(*node));

		if (node == NULL)
			break;	/* keep what was copied so far */
		node->type = orig->type;
		node->next = NULL;
		*tail = node;
		tail = &node->next;
	}

	return head;
}
506
/*
 * Free the exchange-type list starting at @e.  @e must not be NULL
 * (delrmconf() guards the call).  Iterative, so no recursion per node.
 */
void
deletypes(struct etypes *e)
{
	do {
		struct etypes *next = e->next;

		racoon_free(e);
		e = next;
	} while (e != NULL);
}
514
/*
 * Insert @new at the head of the global list and mark it as listed, so
 * remrmconf() knows it may unlink it.  Head insertion means this entry is
 * found before older ones by getrmconf_strict().
 */
void
insrmconf(struct remoteconf *new)
{
	new->in_list = 1;
	TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
524
/*
 * Unlink @rmconf from the global list if it is currently listed, and clear
 * its in_list flag.  Safe to call on an entry that was never inserted or
 * was already removed.  Does not free anything.
 */
void
remrmconf(struct remoteconf *rmconf)
{
	if (!rmconf->in_list)
		return;
	TAILQ_REMOVE(&rmtree, rmconf, chain);
	rmconf->in_list = 0;
}
532
/* Take one more reference on @rmconf; pair with release_rmconf(). */
void
retain_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount += 1;
}
538
/*
 * Drop one reference on @rmconf.  When the count reaches zero (or below),
 * the entry is unlinked from the global list and freed; the pointer must
 * not be used afterwards.
 */
void
release_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount--;
	if (rmconf->refcount > 0)
		return;
	remrmconf(rmconf);
	delrmconf(rmconf);
}
547
/*
 * Unlink every entry from the global list, dropping the list's reference
 * on each.  Entries still referenced elsewhere (refcount > 0 afterwards)
 * survive as unlisted objects; the rest are freed.
 */
void
flushrmconf(void)
{
	struct remoteconf *p = TAILQ_FIRST(&rmtree);

	while (p != NULL) {
		/* fetch the successor before p can be freed */
		struct remoteconf *next = TAILQ_NEXT(p, chain);

		remrmconf(p);
		if (--p->refcount <= 0)
			delrmconf(p);
		p = next;
	}
}
560
/*
 * Reset the global remote configuration list to empty.  Intended to run
 * once before the list is used; it does not free entries that may already
 * be linked (flushrmconf() does that).
 */
void
initrmconf()
{
	TAILQ_INIT(&rmtree);
}
566
/*
 * Check whether exchange type @etype is acceptable for @rmconf.
 * Returns the matching node of the entry's exchange-type list, or NULL
 * when the type is not listed.
 */
struct etypes *
check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
{
	struct etypes *e = rmconf->etypes;

	while (e != NULL && e->type != etype)
		e = e->next;

	return e;
}
580
581 /*%%%*/
/*
 * Allocate a zeroed isakmpsa proposal.  vendorid is set to
 * VENDORID_UNKNOWN as a sanity default; the real value is filled in when
 * the ISAKMP proposal is configured.  next and rmconf start out NULL
 * (insisakmpsa() sets rmconf).
 *
 * Returns the new proposal, or NULL when allocation fails.
 */
struct isakmpsa *
newisakmpsa(void)
{
	struct isakmpsa *sa = racoon_calloc(1, sizeof(*sa));

	if (sa == NULL)
		return NULL;

	sa->vendorid = VENDORID_UNKNOWN;
	sa->next = NULL;
	sa->rmconf = NULL;

	return sa;
}
602
/*
 * Append proposal @new to the tail of @rmconf's proposal list and point it
 * back at its owner.  @new->next is left untouched, so it should be NULL.
 */
void
insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
{
	struct isakmpsa **tail = &rmconf->proposal;

	new->rmconf = rmconf;

	/* walk to the NULL link at the end of the list (or the head slot) */
	while (*tail != NULL)
		tail = &(*tail)->next;
	*tail = new;
}
624
/*
 * Call @rmconf_func(entry, @data) for every listed remote configuration,
 * oldest (tail) first.  Stops at the first call that returns non-NULL and
 * returns that value; returns NULL when every call returned NULL or the
 * list is empty.
 */
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
	struct remoteconf *p;

	TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
		struct remoteconf *hit = (*rmconf_func)(p, data);

		if (hit != NULL)
			return hit;
	}

	return NULL;
}
638
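/*
 * genlist_foreach() callback: log one "peers_identifier <type> ["<id>"];"
 * line for the idspec in @entry.  @arg is unused.
 *
 * The whole line is produced by a single snprintf(), so no cursor
 * arithmetic on snprintf()'s return value is needed -- that value is the
 * length it wanted to write and can exceed the buffer on truncation.
 * Always returns NULL so the iteration continues.
 */
static void *
dump_peers_identifiers(void *entry, void *arg)
{
	struct idspec *id = entry;
	char buf[1024];

	(void)arg;
	snprintf(buf, sizeof(buf), "\tpeers_identifier %s%s%s%s",
	    s_idtype(id->idtype),
	    id->id ? " \"" : "",
	    id->id ? id->id->v : "",
	    id->id ? "\"" : "");
	plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
	return NULL;
}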
652
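/*
 * Advance a dump-buffer cursor by snprintf()'s return value.
 *
 * snprintf() reports the length it *wanted* to write, so on truncation a
 * naive "pbuf += n" steps past the end of the buffer and the next
 * "sizeof(buf) - (pbuf - buf)" wraps around to a huge size, turning the
 * following append into an out-of-bounds write.  Clamp the cursor to the
 * last byte instead; later appends then write nothing but the terminator.
 *
 * @used     bytes already used in the buffer (< @cap)
 * @written  return value of the snprintf() that just ran
 * @cap      total buffer capacity
 * Returns the new cursor position, always < @cap.
 */
static size_t
dump_advance(size_t used, int written, size_t cap)
{
	if (written < 0)
		return used;
	if ((size_t)written >= cap - used)
		return cap - 1;
	return used + (size_t)written;
}

/* Append formatted text to buf at cursor "used", keeping "used" in range. */
#define DUMP_APPEND(...) \
	(used = dump_advance(used, \
	    snprintf(buf + used, sizeof(buf) - used, __VA_ARGS__), sizeof(buf)))

/*
 * foreachrmconf() callback: log one remote configuration in racoon.conf
 * syntax at ASL_LEVEL_NOTICE.  @data is unused.  Always returns NULL so
 * that foreachrmconf() keeps iterating.
 *
 * NOTE(review): p->remote and prop->rmconf->remote are dereferenced
 * without NULL checks, as before; both are expected to be set once the
 * entry is fully configured -- confirm for entries straight out of
 * duprmconf(), which clears remote.
 */
static struct remoteconf *
dump_rmconf_single(struct remoteconf *p, void *data)
{
	struct etypes *etype = p->etypes;
	struct isakmpsa *prop = p->proposal;
	char buf[1024];
	size_t used = 0;

	(void)data;

	/* "remote <addr>[/prefix] [inherit <addr>] {" */
	if (p->remote_prefix)
		DUMP_APPEND("remote %s",
		    saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
	else
		DUMP_APPEND("remote %s", saddr2str((struct sockaddr *)p->remote));
	if (p->inherited_from)
		DUMP_APPEND(" inherit %s",
		    saddr2str((struct sockaddr *)p->inherited_from->remote));
	plog(ASL_LEVEL_NOTICE, "%s {\n", buf);

	/* "\texchange_type a, b;\n" -- the whole list goes on one line */
	used = 0;
	DUMP_APPEND("\texchange_type ");
	for (; etype != NULL; etype = etype->next)
		DUMP_APPEND("%s%s", s_etype(etype->type),
		    etype->next != NULL ? ", " : ";\n");
	plog(ASL_LEVEL_NOTICE, "%s", buf);
	plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype));

	/* identifiers */
	used = 0;
	DUMP_APPEND("\tmy_identifier %s", s_idtype(p->idvtype));
	if (p->idvtype == IDTYPE_ASN1DN) {
		plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
		switch (p->getcert_method) {
		case 0:
			break;
		case ISAKMP_GETCERT_PAYLOAD:
			plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n");
			break;
		default:
			plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
			break;
		}
	} else {
		if (p->idv)
			DUMP_APPEND(" \"%s\"", p->idv->v);
		plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
		genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
	}

	/* switches */
	plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n",
	    s_switch(p->send_cert));
	plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n",
	    s_switch(p->send_cr));
	plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n",
	    s_switch(p->verify_cert));
	plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n",
	    s_switch(p->verify_identifier));
	plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n",
	    p->nat_traversal == NATT_FORCE ?
	    "force" : s_switch(p->nat_traversal));
	plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n",
	    s_switch(p->natt_multiple_user));
	plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n",
	    p->nonce_size);
	plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n",
	    s_switch(p->passive));
	plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n",
	    p->ike_frag == ISAKMP_FRAG_FORCE ?
	    "force" : s_switch(p->ike_frag));
	plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag);
	plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n",
	    s_switch(p->ini_contact));
	plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n",
	    s_switch(p->gen_policy));
	plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n",
	    s_switch(p->support_proxy));

	/* proposals */
	for (; prop != NULL; prop = prop->next) {
		plog(ASL_LEVEL_NOTICE, "\n");
		plog(ASL_LEVEL_NOTICE,
		    "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
		    prop->prop_no, prop->trns_no,
		    saddr2str((struct sockaddr *)prop->rmconf->remote));
		plog(ASL_LEVEL_NOTICE, "\tproposal {\n");
		/* cast matches the unsigned %lu conversion */
		plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n",
		    (unsigned long)prop->lifetime);
		plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n",
		    prop->lifebyte);
		plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n",
		    alg_oakley_dhdef_name(prop->dh_group));
		plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n",
		    alg_oakley_encdef_name(prop->enctype));
		plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n",
		    alg_oakley_hashdef_name(prop->hashtype));
		plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n",
		    alg_oakley_hashdef_name(prop->prf));
		plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n",
		    alg_oakley_authdef_name(prop->authmethod));
		plog(ASL_LEVEL_NOTICE, "\t}\n");
	}
	plog(ASL_LEVEL_NOTICE, "}\n");
	plog(ASL_LEVEL_NOTICE, "\n");

	return NULL;
}
#undef DUMP_APPEND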
757
/* Log every listed remote configuration in racoon.conf syntax. */
void
dumprmconf(void)
{
	/* dump_rmconf_single() always returns NULL, so the result is moot */
	(void)foreachrmconf(&dump_rmconf_single, NULL);
}
763
/*
 * Allocate a zeroed idspec whose type defaults to IDTYPE_ADDRESS.
 * Returns NULL when allocation fails.  Release with idspec_free() semantics
 * (vfree the id, then free the struct).
 */
struct idspec *
newidspec(void)
{
	struct idspec *spec = racoon_calloc(1, sizeof(*spec));

	if (spec != NULL)
		spec->idtype = IDTYPE_ADDRESS;

	return spec;
}
776
777
/*
 * Copy proposal @sa into a new, unlinked isakmpsa (next is NULL).  When
 * the original carries a DH group, a fresh one is set up from sa->dh_group
 * rather than sharing the pointer.
 *
 * Returns the copy, or NULL when @sa is NULL or allocation fails.
 *
 * NOTE(review): the return value of oakley_setdhgroup() is not checked; if
 * it fails without resetting *dhgrp, the copy still aliases sa->dhgrp and
 * delisakmpsa() on both would free it twice -- confirm its failure
 * behaviour.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *copy;

	if (sa == NULL)
		return NULL;

	copy = newisakmpsa();
	if (copy == NULL)
		return NULL;

	memcpy(copy, sa, sizeof(*copy));
	copy->next = NULL;

	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &copy->dhgrp);

	return copy;
}
799