1 /* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
#include "config.h"

#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>

#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
#else
#include <netinet6/ipsec.h>
#endif

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "genlist.h"
#include "debug.h"

#include "isakmp_var.h"
#ifdef ENABLE_HYBRID
#include "isakmp_xauth.h"
#endif
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
#include "policy.h"
#include "proposal.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
83
/*
 * Global list of every registered remote configuration.
 * insrmconf() pushes new entries at the head; getrmconf_strict() walks it
 * head to tail and foreachrmconf() tail to head, so insertion order can
 * decide which of several equally good entries is picked.
 */
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
85
86
87 /*%%%*/
/*
 * Find the remote configuration entry that best describes `remote'.
 *
 * remote:     peer address; ss_family AF_UNSPEC asks for the anonymous entry.
 * allow_anon: when non-zero the anonymous (AF_UNSPEC) entry is returned as a
 *             last resort; when zero only address-specific entries qualify.
 *
 * The port is only taken into account when the caller's address carries one
 * (!= IPSEC_PORT_ANY); the comment inside explains why a port-less
 * best-effort match is still accepted in that case.
 *
 * Precedence on return:
 *   1. a host entry (remote_prefix == 0) matching exactly -- returned as soon
 *      as it is met while walking the list;
 *   2. a host entry matching the address but not the port (withport only);
 *   3. the longest-prefix entry matching address and port (address alone
 *      when !withport);
 *   4. the longest-prefix entry matching the address only;
 *   5. the anonymous entry, if allow_anon.
 *
 * OUT: NULL: nothing qualifies.
 *      Other: the matching entry. No reference is taken on it here.
 */
struct remoteconf *
getrmconf_strict(remote, allow_anon)
struct sockaddr_storage *remote;
int allow_anon;
{
	struct remoteconf *p;
	struct remoteconf *p_withport_besteffort = NULL;	/* host entry: address matched, port did not */
	struct remoteconf *p_with_prefix = NULL;		/* longest prefix entry, full match */
	struct remoteconf *p_with_prefix_besteffort = NULL;	/* longest prefix entry, address-only match */
	int last_prefix = 0;					/* longest prefix seen so far, shared by both prefix candidates */
	struct remoteconf *anon = NULL;

	int withport;
	char buf[NI_MAXHOST + NI_MAXSERV + 10];	/* "<addr>[<port>]" for the log lines only */
	char addr[NI_MAXHOST], port[NI_MAXSERV];

	withport = 0;

	/*
	 * We never have ports set in our remote configurations, but when
	 * NAT-T is enabled, the kernel can have policies with ports and
	 * send us an acquire message for a destination that has a port set.
	 * If we do this port check here, we have to fallback to a best-effort result (without the port).
	 *
	 * In an ideal world, we would be able to have remote conf with
	 * port, and the port could be a wildcard. That test could be used.
	 */
	switch (remote->ss_family) {
	case AF_INET:
		if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#ifdef INET6
	case AF_INET6:
		if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#endif
	case AF_UNSPEC:
		break;

	default:
		plog(ASL_LEVEL_ERR,
			"invalid ip address family: %d\n", remote->ss_family);
		return NULL;
	}

	/* build the textual form used in the log messages below */
	if (remote->ss_family == AF_UNSPEC)
		snprintf (buf, sizeof(buf), "%s", "anonymous");
	else {
		GETNAMEINFO((struct sockaddr *)remote, addr, port);
		snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
			withport ? "[" : "",
			withport ? port : "",
			withport ? "]" : "");
	}

	TAILQ_FOREACH(p, &rmtree, chain) {
		/*
		 * An anonymous lookup (AF_UNSPEC) is satisfied by the first
		 * anonymous entry regardless of allow_anon.
		 */
		if (remote->ss_family == AF_UNSPEC
		 && remote->ss_family == p->remote->ss_family) {
			plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
			return p;
		}
		if (p->remote_prefix == 0) {
			/* host entry: an exact match ends the search at once */
			if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
			 || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
				plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
				return p;
			} else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
				// for withport: save the pointer for the best-effort search
				p_withport_besteffort = p;
			}
		} else {
			/*
			 * Prefix entry: keep the longest prefix. With ">=" a later
			 * entry of the same length replaces an earlier one.
			 * NOTE(review): last_prefix is shared between the strict and
			 * the best-effort candidate, so a strict prefix match met
			 * after a longer best-effort one is dropped even though the
			 * strict candidate is preferred on return -- confirm intended.
			 */
			if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
			 || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
				if (p->remote_prefix >= last_prefix) {
					p_with_prefix = p;
					last_prefix = p->remote_prefix;
				}
			} else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
				if (p->remote_prefix >= last_prefix) {
					p_with_prefix_besteffort = p;
					last_prefix = p->remote_prefix;
				}
			}
		}

		/* save the pointer to the anonymous configuration (last one in the list wins) */
		if (p->remote->ss_family == AF_UNSPEC)
			anon = p;
	}

	/* no exact host match: fall back in order of specificity */
	if (p_withport_besteffort) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_withport_besteffort;
	}
	if (p_with_prefix) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_with_prefix;
	}
	if (p_with_prefix_besteffort) {
		plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
		return p_with_prefix_besteffort;
	}
	/* the anonymous entry applies to any peer address; only when the caller allows it */
	if (allow_anon && anon != NULL) {
		plog(ASL_LEVEL_DEBUG,
			"anonymous configuration selected for %s.\n", buf);
		return anon;
	}

	plog(ASL_LEVEL_DEBUG,
		"no remote configuration found.\n");

	return NULL;
}
211
/*
 * Report whether the remote-configuration list is effectively empty.
 *
 * ignore_anonymous: when non-zero, the anonymous entry (remote address
 *                   family AF_UNSPEC) does not count.
 * On non-embedded builds the default btmm IPv6 entry -- an AF_INET6 remote
 * with a USER_FQDN identifier equal to "macuser@localhost" -- is skipped as
 * well, since it is always present in racoon.conf.
 *
 * Returns 1 when no counting entry exists, 0 as soon as one is found.
 */
int
no_remote_configs(int ignore_anonymous)
{
#if !TARGET_OS_EMBEDDED
	static const char default_idv[] = "macuser@localhost";
	static const int default_idv_len = sizeof(default_idv) - 1;
#endif
	struct remoteconf *rc;

	TAILQ_FOREACH(rc, &rmtree, chain) {
		int anonymous = rc->remote->ss_family == AF_UNSPEC;

		if (ignore_anonymous && anonymous)
			continue;
#if !TARGET_OS_EMBEDDED
		/* the default btmm ipv6 config is always present in racoon.conf */
		if (rc->remote->ss_family == AF_INET6
		 && rc->idvtype == IDTYPE_USERFQDN
		 && rc->idv != NULL
		 && rc->idv->l == default_idv_len
		 && strncmp(rc->idv->v, default_idv, rc->idv->l) == 0)
			continue;
#endif
		/* any surviving entry means a configuration exists */
		return 0;
	}

	return 1;
}
242
/*
 * Look up the remote configuration for `remote', accepting the anonymous
 * entry when no address-specific entry matches.
 * Returns NULL when nothing matches at all.
 */
struct remoteconf *
getrmconf(struct sockaddr_storage *remote)
{
	const int allow_anonymous = 1;

	return getrmconf_strict(remote, allow_anonymous);
}
249
/*
 * Allocate a remote configuration populated with the built-in defaults.
 *
 * Every member not listed below starts out zero/NULL. The retry settings
 * are taken from the global local configuration (lcconf) at creation time.
 * The caller owns the returned object: refcount 1, not yet linked into the
 * list.
 *
 * Returns NULL when allocation fails.
 */
struct remoteconf *
create_rmconf(void)
{
	struct remoteconf *rc = racoon_calloc(1, sizeof(*rc));

	if (rc == NULL)
		return NULL;

	*rc = (struct remoteconf) {
		.refcount = 1,

		/* protocol defaults */
		.doitype = IPSEC_DOI,
		.sittype = IPSECDOI_SIT_IDENTITY_ONLY,
		.ike_version = ISAKMP_VERSION_NUMBER_IKEV1,
		.idvtype = IDTYPE_UNDEFINED,
		.idvl_p = genlist_init(),
		.nonce_size = DEFAULT_NONCE_SIZE,
		.passive = FALSE,
		.ike_frag = ISAKMP_FRAG_ON,
		.esp_frag = IP_MAXPACKET,
		.ini_contact = TRUE,
		.mode_cfg = FALSE,
		.pcheck_level = PROP_CHECK_STRICT,

		/* certificate and identity handling */
		.verify_identifier = FALSE,
		.verify_cert = TRUE,
		.getcert_method = ISAKMP_GETCERT_PAYLOAD,
		.cacerttype = ISAKMP_CERT_X509SIGN,
		.certtype = ISAKMP_CERT_NONE,
		.send_cert = TRUE,
		.send_cr = TRUE,
		.support_proxy = FALSE,
		.gen_policy = FALSE,

		/* retransmission, inherited from the global local config */
		.retry_counter = lcconf->retry_counter,
		.retry_interval = lcconf->retry_interval,

		/* NAT traversal */
		.nat_traversal = NATT_ON,
		.natt_multiple_user = FALSE,
		.natt_keepalive = TRUE,

		/* dead peer detection: supported, but periodic checks off */
		.dpd = TRUE,
		.dpd_interval = 0,
		.dpd_retry = 5,
		.dpd_maxfails = 5,
		.dpd_algo = DPD_ALGO_INBOUND_DETECT,
		.idle_timeout = 0,

		.weak_phase1_check = 0,
		.initiate_ph1rekey = TRUE,
	};

	return rc;
}
308
/*
 * Duplicate the remote configuration that matches `remote'.
 * The anonymous entry is deliberately excluded (allow_anon = 0), so only
 * an address-specific entry can serve as the source.
 * Returns the copy, or NULL (after logging) when nothing matches or
 * duprmconf() fails.
 */
struct remoteconf *
copyrmconf(struct sockaddr_storage *remote)
{
	struct remoteconf *source = getrmconf_strict(remote, 0);

	if (source != NULL)
		return duprmconf(source);

	plog(ASL_LEVEL_ERR,
	     "Remote configuration for '%s' not found!\n",
	     saddr2str((struct sockaddr *)remote));
	return NULL;
}
326
/*
 * genlist_foreach() callback: deep-copy one peers_identifier entry.
 *
 * entry: the struct idspec to copy.
 * arg:   the destination genlist the copy is appended to.
 *
 * Returns NULL to continue the walk, or (void *)-1 when allocation or
 * set_identifier() fails.
 * NOTE(review): on set_identifier() failure only the shell is freed; this
 * assumes set_identifier() leaves copy->id untouched when it fails.
 */
void *
dupidvl(void *entry, void *arg)
{
	struct idspec *src = entry;
	struct idspec *copy = newidspec();

	if (copy == NULL)
		return (void *)-1;

	if (set_identifier(&copy->id, src->idtype, src->id) != 0) {
		racoon_free(copy);
		return (void *)-1;
	}
	copy->idtype = src->idtype;
	genlist_append(arg, copy);

	return NULL;
}
345
/*
 * Copy `rmconf' as the starting point of a derived peer entry.
 *
 * Scalar settings are copied wholesale. Of the pointer members, only the
 * exchange-type list and the peers_identifier list are deep-copied here;
 * remote, forced_local, proposal, idv, key, the keychain / shared-secret /
 * directory-group buffers and (with ENABLE_HYBRID) xauth are reset to NULL
 * for the caller to fill in. Other pointer members, e.g. dhgrp, prhead and
 * inherited_from, still point at the original's objects.
 * NOTE(review): delrmconf() frees dhgrp and prhead, so a copy and its
 * original must not both be released while they still share them; the
 * FIXME below says cfparse.y takes care of that. A failure reported by
 * dupidvl() is not propagated to the caller.
 *
 * Returns the copy (refcount 1, not in the list) or NULL on OOM.
 */
struct remoteconf *
duprmconf(struct remoteconf *rmconf)
{
	struct remoteconf *copy = racoon_calloc(1, sizeof(*copy));

	if (copy == NULL)
		return NULL;

	*copy = *rmconf;
	// FIXME: We should duplicate remote, proposal, etc.
	// This is now handled in the cfparse.y
	// new->proposal = ...;

	/* members the caller supplies for the new entry */
	copy->remote = NULL;
	copy->forced_local = NULL;
	copy->keychainCertRef = NULL;		/* persistent keychain ref for cert */
	copy->shared_secret = NULL;		/* shared secret */
	copy->open_dir_auth_group = NULL;	/* group used to authorize user */
	copy->proposal = NULL;
	copy->idv = NULL;
	copy->key = NULL;
#ifdef ENABLE_HYBRID
	copy->xauth = NULL;
#endif

	/* a fresh, unlinked object */
	copy->in_list = 0;
	copy->refcount = 1;

	/* lists that must not be shared with the original */
	copy->etypes = dupetypes(rmconf->etypes);
	copy->idvl_p = genlist_init();
	genlist_foreach(rmconf->idvl_p, dupidvl, copy->idvl_p);

	return copy;
}
382
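/*
 * genlist_free() callback: release one struct idspec produced by
 * newidspec() / dupidvl().
 *
 * The identifier buffer is released with vfree() only when present (it can
 * be NULL, see dump_peers_identifiers()). The struct itself goes through
 * racoon_free() so that it pairs with the racoon_calloc() in newidspec();
 * the previous plain free() bypassed the allocator wrapper on builds where
 * racoon_free() is more than an alias.
 */
static void
idspec_free(void *data)
{
	struct idspec *id = data;

	if (id->id)
		vfree(id->id);
	racoon_free(id);
}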
389
/*
 * Free a chain of phase-2 proposal specs and every secprotospec hanging
 * off each of them. gssid and remote are released with plain free() as
 * before (their allocator is not visible here); the spec structs go
 * through racoon_free(). `head' may be NULL.
 */
static void
proposalspec_free(struct proposalspec *head)
{
	struct proposalspec *prop = head;

	while (prop != NULL) {
		struct proposalspec *next_prop = prop->next;
		struct secprotospec *proto = prop->spspec;

		while (proto != NULL) {
			struct secprotospec *next_proto = proto->next;

			if (proto->gssid)
				free(proto->gssid);
			if (proto->remote)
				free(proto->remote);
			racoon_free(proto);
			proto = next_proto;
		}
		racoon_free(prop);
		prop = next_prop;
	}
}
418
419 void
420 delrmconf(struct remoteconf *rmconf)
421 {
422 if (rmconf->remote)
423 racoon_free(rmconf->remote);
424 if (rmconf->forced_local)
425 racoon_free(rmconf->forced_local);
426 #ifdef ENABLE_HYBRID
427 if (rmconf->xauth)
428 xauth_rmconf_delete(&rmconf->xauth);
429 #endif
430 if (rmconf->etypes) {
431 deletypes(rmconf->etypes);
432 rmconf->etypes=NULL;
433 }
434 if (rmconf->idv)
435 vfree(rmconf->idv);
436 if (rmconf->idvl_p)
437 genlist_free(rmconf->idvl_p, idspec_free);
438 if (rmconf->dhgrp)
439 oakley_dhgrp_free(rmconf->dhgrp);
440 if (rmconf->proposal)
441 delisakmpsa(rmconf->proposal);
442 if (rmconf->prhead)
443 proposalspec_free(rmconf->prhead);
444 if (rmconf->shared_secret)
445 vfree(rmconf->shared_secret);
446 if (rmconf->keychainCertRef)
447 vfree(rmconf->keychainCertRef);
448 if (rmconf->open_dir_auth_group)
449 vfree(rmconf->open_dir_auth_group);
450
451 racoon_free(rmconf);
452 }
453
454 void
455 delisakmpsa(struct isakmpsa *sa)
456 {
457 if (sa->dhgrp)
458 oakley_dhgrp_free(sa->dhgrp);
459 if (sa->next)
460 delisakmpsa(sa->next);
461 racoon_free(sa);
462 }
463
464 struct etypes *
465 dupetypes(struct etypes *orig)
466 {
467 struct etypes *new;
468
469 if (!orig)
470 return NULL;
471
472 new = racoon_malloc(sizeof(struct etypes));
473 if (new == NULL)
474 return NULL;
475
476 new->type = orig->type;
477 new->next = NULL;
478
479 if (orig->next)
480 new->next=dupetypes(orig->next);
481
482 return new;
483 }
484
485 void
486 deletypes(struct etypes *e)
487 {
488 if (e->next)
489 deletypes(e->next);
490 racoon_free(e);
491 }
492
/*
 * Link `new' into the global list at the head, so it is met first by
 * getrmconf_strict() and last by foreachrmconf().
 * Ownership stays with the caller's reference; no retain is done here.
 */
void
insrmconf(struct remoteconf *new)
{
	new->in_list = 1;
	TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
502
/*
 * Unlink `rmconf' from the global list if it is currently in it.
 * Safe to call on an entry that was never inserted; the object itself is
 * not freed.
 */
void
remrmconf(struct remoteconf *rmconf)
{
	if (rmconf->in_list) {
		TAILQ_REMOVE(&rmtree, rmconf, chain);
	}
	rmconf->in_list = 0;
}
510
/*
 * Take one more reference on `rmconf'. Balanced by release_rmconf().
 * The counter is a plain integer; callers are expected to serialise access.
 */
void
retain_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount += 1;
}
516
/*
 * Drop one reference on `rmconf'. When the count reaches zero the entry is
 * unlinked from the global list and destroyed, after which the pointer is
 * dead.
 */
void
release_rmconf(struct remoteconf *rmconf)
{
	rmconf->refcount--;
	if (rmconf->refcount > 0)
		return;

	remrmconf(rmconf);
	delrmconf(rmconf);
}
525
/*
 * Empty the global list, dropping the list's own reference on each entry.
 * Entries still referenced elsewhere are unlinked but left alive for their
 * remaining holders to release.
 */
void
flushrmconf(void)
{
	struct remoteconf *rc = TAILQ_FIRST(&rmtree);

	while (rc != NULL) {
		struct remoteconf *next = TAILQ_NEXT(rc, chain);

		remrmconf(rc);
		rc->refcount--;
		if (rc->refcount <= 0)
			delrmconf(rc);
		rc = next;
	}
}
538
/*
 * Reset the global remote-configuration list to empty. Must run before any
 * other routine in this file touches the list.
 */
void
initrmconf(void)
{
	TAILQ_INIT(&rmtree);
}
544
/*
 * Check whether exchange type `etype' is allowed by `rmconf'.
 * Returns the matching list node, or NULL when the type is not configured.
 */
struct etypes *
check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
{
	struct etypes *e = rmconf->etypes;

	while (e != NULL && e->type != etype)
		e = e->next;

	return e;
}
558
559 /*%%%*/
/*
 * Allocate an empty phase-1 proposal.
 * vendorid starts as VENDORID_UNKNOWN until the proposal is configured;
 * next and rmconf start NULL. Returns NULL when allocation fails.
 */
struct isakmpsa *
newisakmpsa(void)
{
	struct isakmpsa *sa = racoon_calloc(1, sizeof(*sa));

	if (sa != NULL) {
		/* placeholder until the ISAKMP proposal is parsed */
		sa->vendorid = VENDORID_UNKNOWN;
		sa->next = NULL;
		sa->rmconf = NULL;
	}

	return sa;
}
580
/*
 * Append `new' to the tail of rmconf's proposal list and point it back at
 * its owner. new->next is not cleared, so a chain passed in is appended
 * whole.
 */
void
insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
{
	struct isakmpsa **link = &rmconf->proposal;

	new->rmconf = rmconf;

	/* walk to the NULL link at the end (the head itself when empty) */
	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}
602
/*
 * Call `rmconf_func' on every entry, tail first (i.e. in insertion order,
 * since insrmconf() pushes at the head). The walk stops at the first
 * non-NULL result, which is returned; NULL means the callback never hit.
 */
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
	struct remoteconf *rc;

	TAILQ_FOREACH_REVERSE(rc, &rmtree, _rmtree, chain) {
		struct remoteconf *hit = (*rmconf_func)(rc, data);

		if (hit != NULL)
			return hit;
	}

	return NULL;
}
616
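/*
 * genlist_foreach() callback: log one "peers_identifier <type> ["<id>"];"
 * line. `arg' is unused.
 *
 * The identifier value is appended with an explicit remaining-length
 * computation: the previous `pbuf += snprintf(...)' form advanced past the
 * end of buf on truncation and then passed a wrapped-around size to the
 * next snprintf.
 * NOTE(review): id->id->v is printed with %s, which assumes the vmbuf is
 * NUL-terminated -- confirm for identifiers that come from the config.
 */
static void *
dump_peers_identifiers(void *entry, void *arg)
{
	struct idspec *id = entry;
	char buf[1024];
	size_t used = 0;
	int n;

	(void)arg;

	buf[0] = '\0';
	n = snprintf(buf, sizeof(buf), "\tpeers_identifier %s",
	    s_idtype(id->idtype));
	if (n > 0)
		used = (size_t)n < sizeof(buf) ? (size_t)n : sizeof(buf) - 1;
	if (id->id)
		snprintf(buf + used, sizeof(buf) - used, " \"%s\"", id->id->v);
	plog(ASL_LEVEL_INFO, "%s;\n", buf);

	return NULL;
}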
630
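/*
 * Append formatted text to buf[size] at offset *used without ever writing
 * past the buffer. On truncation *used parks at size - 1 (the terminator),
 * so later appends become no-ops; the previous `pbuf += snprintf(...)'
 * arithmetic walked past the end and fed a wrapped-around size to the next
 * call.
 */
static void
rmconf_dump_append(char *buf, size_t size, size_t *used, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

static void
rmconf_dump_append(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (*used >= size)
		return;
	va_start(ap, fmt);
	n = vsnprintf(buf + *used, size - *used, fmt, ap);
	va_end(ap);
	if (n < 0)
		return;
	if ((size_t)n >= size - *used)
		*used = size - 1;
	else
		*used += (size_t)n;
}

/*
 * foreachrmconf() callback: log one remote configuration in racoon.conf
 * syntax. `data' is unused. Always returns NULL so the walk continues.
 *
 * The lifetime line now uses %ld to match the (long) cast it is given; the
 * old %lu/(long) pairing was a type mismatch.
 * NOTE(review): prop->rmconf is dereferenced for the proposal banner;
 * newisakmpsa() leaves it NULL until insisakmpsa() sets it, so a proposal
 * that was never inserted would fault here -- confirm callers guarantee it.
 */
static struct remoteconf *
dump_rmconf_single(struct remoteconf *p, void *data)
{
	struct etypes *etype = p->etypes;
	struct isakmpsa *prop = p->proposal;
	char buf[1024];
	size_t used = 0;

	(void)data;

	/* "remote <addr>[/prefix] [inherit <addr>] {" */
	buf[0] = '\0';
	if (p->remote_prefix)
		rmconf_dump_append(buf, sizeof(buf), &used, "remote %s",
		    saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
	else
		rmconf_dump_append(buf, sizeof(buf), &used, "remote %s",
		    saddr2str((struct sockaddr *)p->remote));
	if (p->inherited_from)
		rmconf_dump_append(buf, sizeof(buf), &used, " inherit %s",
		    saddr2str((struct sockaddr *)p->inherited_from->remote));
	plog(ASL_LEVEL_INFO, "%s {\n", buf);

	/* "\texchange_type a, b;" -- the list supplies its own terminator */
	used = 0;
	buf[0] = '\0';
	rmconf_dump_append(buf, sizeof(buf), &used, "\texchange_type ");
	while (etype) {
		rmconf_dump_append(buf, sizeof(buf), &used, "%s%s",
		    s_etype(etype->type),
		    etype->next != NULL ? ", " : ";\n");
		etype = etype->next;
	}
	plog(ASL_LEVEL_INFO, "%s", buf);
	plog(ASL_LEVEL_INFO, "\tdoi %s;\n", s_doi(p->doitype));

	/* "\tmy_identifier <type> ["<value>"];" plus the peers' identifiers */
	used = 0;
	buf[0] = '\0';
	rmconf_dump_append(buf, sizeof(buf), &used, "\tmy_identifier %s",
	    s_idtype(p->idvtype));
	if (p->idvtype == IDTYPE_ASN1DN) {
		plog(ASL_LEVEL_INFO, "%s;\n", buf);
		switch (p->getcert_method) {
		case 0:
			break;
		case ISAKMP_GETCERT_PAYLOAD:
			plog(ASL_LEVEL_INFO, "\t/* peers certificate from payload */\n");
			break;
		default:
			plog(ASL_LEVEL_INFO, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
		}
	} else {
		if (p->idv)
			rmconf_dump_append(buf, sizeof(buf), &used, " \"%s\"", p->idv->v);
		plog(ASL_LEVEL_INFO, "%s;\n", buf);
		genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
	}

	plog(ASL_LEVEL_INFO, "\tsend_cert %s;\n",
	    s_switch (p->send_cert));
	plog(ASL_LEVEL_INFO, "\tsend_cr %s;\n",
	    s_switch (p->send_cr));
	plog(ASL_LEVEL_INFO, "\tverify_cert %s;\n",
	    s_switch (p->verify_cert));
	plog(ASL_LEVEL_INFO, "\tverify_identifier %s;\n",
	    s_switch (p->verify_identifier));
	plog(ASL_LEVEL_INFO, "\tnat_traversal %s;\n",
	    p->nat_traversal == NATT_FORCE ?
	    "force" : s_switch (p->nat_traversal));
	plog(ASL_LEVEL_INFO, "\tnatt_multiple_user %s;\n",
	    s_switch (p->natt_multiple_user));
	plog(ASL_LEVEL_INFO, "\tnonce_size %d;\n",
	    p->nonce_size);
	plog(ASL_LEVEL_INFO, "\tpassive %s;\n",
	    s_switch (p->passive));
	plog(ASL_LEVEL_INFO, "\tike_frag %s;\n",
	    p->ike_frag == ISAKMP_FRAG_FORCE ?
	    "force" : s_switch (p->ike_frag));
	plog(ASL_LEVEL_INFO, "\tesp_frag %d;\n", p->esp_frag);
	plog(ASL_LEVEL_INFO, "\tinitial_contact %s;\n",
	    s_switch (p->ini_contact));
	plog(ASL_LEVEL_INFO, "\tgenerate_policy %s;\n",
	    s_switch (p->gen_policy));
	plog(ASL_LEVEL_INFO, "\tsupport_proxy %s;\n",
	    s_switch (p->support_proxy));

	/* one "proposal { ... }" block per phase-1 proposal */
	while (prop) {
		plog(ASL_LEVEL_INFO, "\n");
		plog(ASL_LEVEL_INFO,
		    "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
		    prop->prop_no, prop->trns_no,
		    saddr2str((struct sockaddr *)prop->rmconf->remote));
		plog(ASL_LEVEL_INFO, "\tproposal {\n");
		plog(ASL_LEVEL_INFO, "\t\tlifetime time %ld sec;\n",
		    (long)prop->lifetime);
		plog(ASL_LEVEL_INFO, "\t\tlifetime bytes %zd;\n",
		    prop->lifebyte);
		plog(ASL_LEVEL_INFO, "\t\tdh_group %s;\n",
		    alg_oakley_dhdef_name(prop->dh_group));
		plog(ASL_LEVEL_INFO, "\t\tencryption_algorithm %s;\n",
		    alg_oakley_encdef_name(prop->enctype));
		plog(ASL_LEVEL_INFO, "\t\thash_algorithm %s;\n",
		    alg_oakley_hashdef_name(prop->hashtype));
		plog(ASL_LEVEL_INFO, "\t\tprf_algorithm %s;\n",
		    alg_oakley_hashdef_name(prop->prf));
		plog(ASL_LEVEL_INFO, "\t\tauthentication_method %s;\n",
		    alg_oakley_authdef_name(prop->authmethod));
		plog(ASL_LEVEL_INFO, "\t}\n");
		prop = prop->next;
	}
	plog(ASL_LEVEL_INFO, "}\n");
	plog(ASL_LEVEL_INFO, "\n");

	return NULL;
}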
735
/*
 * Log every registered remote configuration in racoon.conf syntax.
 * dump_rmconf_single() always returns NULL, so the whole list is visited.
 */
void
dumprmconf(void)
{
	(void)foreachrmconf(dump_rmconf_single, NULL);
}
741
/*
 * Allocate an identifier spec with idtype preset to IDTYPE_ADDRESS and all
 * other members zero/NULL. Returns NULL when allocation fails.
 */
struct idspec *
newidspec(void)
{
	struct idspec *spec = racoon_calloc(1, sizeof(*spec));

	if (spec != NULL)
		spec->idtype = IDTYPE_ADDRESS;	/* default until the parser overrides it */

	return spec;
}
754
755
/*
 * Copy a single phase-1 proposal, detached from its chain.
 *
 * All members are copied from `sa' (overwriting the defaults newisakmpsa()
 * set), then next is cut and, when sa owns a DH group, a fresh one is
 * built for the copy so the two do not share it. rmconf is copied as-is.
 * NOTE(review): the result of oakley_setdhgroup() is not checked; if it
 * fails, copy->dhgrp is whatever that routine left behind.
 *
 * Returns the copy, or NULL when `sa' is NULL or allocation fails.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *copy;

	if (sa == NULL)
		return NULL;
	copy = newisakmpsa();
	if (copy == NULL)
		return NULL;

	memcpy(copy, sa, sizeof(*copy));
	copy->next = NULL;

	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &(copy->dhgrp));

	return copy;
}
777