]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/remoteconf.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / remoteconf.c
1 /* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44
45 #ifndef HAVE_NETINET6_IPSEC
46 #include <netinet/ipsec.h>
47 #else
48 #include <netinet6/ipsec.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "genlist.h"
62 #include "debug.h"
63
64 #include "isakmp_var.h"
65 #ifdef ENABLE_HYBRID
66 #include "isakmp_xauth.h"
67 #endif
68 #include "isakmp.h"
69 #include "ipsec_doi.h"
70 #include "oakley.h"
71 #include "remoteconf.h"
72 #include "localconf.h"
73 #include "grabmyaddr.h"
74 #include "policy.h"
75 #include "proposal.h"
76 #include "vendorid.h"
77 #include "gcmalloc.h"
78 #include "strnames.h"
79 #include "algorithm.h"
80 #include "nattraversal.h"
81 #include "isakmp_frag.h"
82 #include "genlist.h"
83 #ifdef HAVE_OPENSSL
84 #include "rsalist.h"
85 #endif
86
87 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
88
89 /*
90 * Script hook names and script hook paths
91 */
92 char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
93
94 /*%%%*/
95 /*
96 * search remote configuration.
97 * don't use port number to search if its value is either IPSEC_PORT_ANY.
98 * If matching anonymous entry, then new entry is copied from anonymous entry.
99 * If no anonymous entry found, then return NULL.
100 * OUT: NULL: NG
101 * Other: remote configuration entry.
102 */
103 struct remoteconf *
104 getrmconf_strict(remote, allow_anon)
105 struct sockaddr *remote;
106 int allow_anon;
107 {
108 struct remoteconf *p;
109 struct remoteconf *p_withport_besteffort = NULL;
110 struct remoteconf *anon = NULL;
111 int withport;
112 char buf[NI_MAXHOST + NI_MAXSERV + 10];
113 char addr[NI_MAXHOST], port[NI_MAXSERV];
114
115 withport = 0;
116
117 /*
118 * We never have ports set in our remote configurations, but when
119 * NAT-T is enabled, the kernel can have policies with ports and
120 * send us an acquire message for a destination that has a port set.
121 * If we do this port check here, we have to fallback to a best-effort result (without the port).
122 *
123 * In an ideal world, we would be able to have remote conf with
124 * port, and the port could be a wildcard. That test could be used.
125 */
126 switch (remote->sa_family) {
127 case AF_INET:
128 if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
129 withport = 1;
130 break;
131 #ifdef INET6
132 case AF_INET6:
133 if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY)
134 withport = 1;
135 break;
136 #endif
137 case AF_UNSPEC:
138 break;
139
140 default:
141 plog(LLV_ERROR2, LOCATION, NULL,
142 "invalid ip address family: %d\n", remote->sa_family);
143 return NULL;
144 }
145
146 if (remote->sa_family == AF_UNSPEC)
147 snprintf (buf, sizeof(buf), "%s", "anonymous");
148 else {
149 GETNAMEINFO(remote, addr, port);
150 snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
151 withport ? "[" : "",
152 withport ? port : "",
153 withport ? "]" : "");
154 }
155
156 TAILQ_FOREACH(p, &rmtree, chain) {
157 if (p->to_delete || p->to_remove) {
158 continue;
159 }
160 if ((remote->sa_family == AF_UNSPEC
161 && remote->sa_family == p->remote->sa_family)
162 || (!withport && cmpsaddrwop(remote, p->remote) == 0)
163 || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
164 plog(LLV_DEBUG, LOCATION, NULL,
165 "configuration found for %s.\n", buf);
166 return p;
167 } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
168 // for withport: save the pointer for the best-effort search
169 p_withport_besteffort = p;
170 }
171
172 /* save the pointer to the anonymous configuration */
173 if (p->remote->sa_family == AF_UNSPEC)
174 anon = p;
175 }
176
177 if (p_withport_besteffort) {
178 plog(LLV_DEBUG, LOCATION, NULL,
179 "configuration found for %s.\n", buf);
180 return p_withport_besteffort;
181 }
182
183 if (allow_anon && anon != NULL) {
184 plog(LLV_DEBUG, LOCATION, NULL,
185 "anonymous configuration selected for %s.\n", buf);
186 return anon;
187 }
188
189 plog(LLV_DEBUG, LOCATION, NULL,
190 "no remote configuration found.\n");
191
192 return NULL;
193 }
194
195 int
196 no_remote_configs(ignore_anonymous)
197 int ignore_anonymous;
198 {
199
200 struct remoteconf *p;
201 #if !TARGET_OS_EMBEDDED
202 static const char default_idv[] = "macuser@localhost";
203 static const int default_idv_len = sizeof(default_idv) - 1;
204 #endif
205
206 TAILQ_FOREACH(p, &rmtree, chain) {
207 if (ignore_anonymous) {
208 if (p->remote->sa_family == AF_UNSPEC) /* anonymous */
209 continue;
210 }
211 #if !TARGET_OS_EMBEDDED
212 // ignore the default btmm ipv6 config thats always present in racoon.conf
213 if (p->remote->sa_family == AF_INET6 &&
214 p->idvtype == IDTYPE_USERFQDN &&
215 p->idv != NULL &&
216 p->idv->l == default_idv_len &&
217 strncmp(p->idv->v, default_idv, p->idv->l) == 0) {
218 continue;
219 }
220 #endif
221 return 0;
222 }
223 return 1;
224 }
225
226 struct remoteconf *
227 getrmconf(remote)
228 struct sockaddr *remote;
229 {
230 return getrmconf_strict(remote, 1);
231 }
232
233 int
234 link_rmconf_to_ph1 (struct remoteconf *new)
235 {
236 if (!new) {
237 return(-1);
238 }
239 if (new->to_delete ||
240 new->to_remove) {
241 return(-1);
242 }
243 new->linked_to_ph1++;
244 return(0);
245 }
246
247 int
248 unlink_rmconf_from_ph1 (struct remoteconf *old)
249 {
250 if (!old) {
251 return(-1);
252 }
253 if (old->linked_to_ph1 <= 0) {
254 return(-1);
255 }
256 old->linked_to_ph1--;
257 if (old->linked_to_ph1 == 0) {
258 if (old->to_remove) {
259 remrmconf(old);
260 }
261 if (old->to_delete) {
262 delrmconf(old);
263 }
264 }
265 return(0);
266 }
267
268 struct remoteconf *
269 newrmconf()
270 {
271 struct remoteconf *new;
272 int i;
273
274 new = racoon_calloc(1, sizeof(*new));
275 if (new == NULL)
276 return NULL;
277
278 new->proposal = NULL;
279
280 /* set default */
281 new->doitype = IPSEC_DOI;
282 new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
283 new->idvtype = IDTYPE_UNDEFINED;
284 new->idvl_p = genlist_init();
285 new->nonce_size = DEFAULT_NONCE_SIZE;
286 new->passive = FALSE;
287 new->ike_frag = FALSE;
288 new->esp_frag = IP_MAXPACKET;
289 new->ini_contact = TRUE;
290 new->mode_cfg = FALSE;
291 new->pcheck_level = PROP_CHECK_STRICT;
292 new->verify_identifier = FALSE;
293 new->verify_cert = TRUE;
294 new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
295 new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
296 new->cacerttype = ISAKMP_CERT_X509SIGN;
297 new->certtype = ISAKMP_CERT_NONE;
298 new->cacertfile = NULL;
299 new->send_cert = TRUE;
300 new->send_cr = TRUE;
301 new->support_proxy = FALSE;
302 for (i = 0; i <= SCRIPT_MAX; i++)
303 new->script[i] = NULL;
304 new->gen_policy = FALSE;
305 new->retry_counter = lcconf->retry_counter;
306 new->retry_interval = lcconf->retry_interval;
307 new->nat_traversal = NATT_ON;
308 new->natt_multiple_user = FALSE;
309 new->natt_keepalive = TRUE;
310 new->to_remove = FALSE;
311 new->to_delete = FALSE;
312 new->linked_to_ph1 = 0;
313 #ifdef HAVE_OPENSSL
314 new->rsa_private = genlist_init();
315 new->rsa_public = genlist_init();
316 #endif
317 new->idv = NULL;
318 new->key = NULL;
319
320 new->dpd = TRUE; /* Enable DPD support by default */
321 new->dpd_interval = 0; /* Disable DPD checks by default */
322 new->dpd_retry = 5;
323 new->dpd_maxfails = 5;
324 new->dpd_algo = DPD_ALGO_INBOUND_DETECT;
325 new->idle_timeout = 0;
326
327 new->weak_phase1_check = 0;
328
329 #ifdef ENABLE_HYBRID
330 new->xauth = NULL;
331 #endif
332 new->initiate_ph1rekey = TRUE;
333 return new;
334 }
335
336 struct remoteconf *
337 copyrmconf(remote)
338 struct sockaddr *remote;
339 {
340 struct remoteconf *new, *old;
341
342 old = getrmconf_strict (remote, 0);
343 if (old == NULL) {
344 plog (LLV_ERROR, LOCATION, NULL,
345 "Remote configuration for '%s' not found!\n",
346 saddr2str (remote));
347 return NULL;
348 }
349
350 new = duprmconf (old);
351
352 return new;
353 }
354
355 void *
356 dupidvl(entry, arg)
357 void *entry;
358 void *arg;
359 {
360 struct idspec *id;
361 struct idspec *old = (struct idspec *) entry;
362 id = newidspec();
363 if (!id) return (void *) -1;
364
365 if (set_identifier(&id->id, old->idtype, old->id) != 0) {
366 racoon_free(id);
367 return (void *) -1;
368 }
369
370 id->idtype = old->idtype;
371
372 genlist_append(arg, id);
373 return NULL;
374 }
375
376 struct remoteconf *
377 duprmconf (rmconf)
378 struct remoteconf *rmconf;
379 {
380 struct remoteconf *new;
381
382 new = racoon_calloc(1, sizeof(*new));
383 if (new == NULL)
384 return NULL;
385 memcpy (new, rmconf, sizeof (*new));
386 // FIXME: We should duplicate the proposal as well.
387 // This is now handled in the cfparse.y
388 // new->proposal = ...;
389
390 /* duplicate dynamic structures */
391 if (new->etypes)
392 new->etypes=dupetypes(new->etypes);
393 new->idvl_p = genlist_init();
394 genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);
395
396 return new;
397 }
398
399 static void
400 idspec_free(void *data)
401 {
402 vfree (((struct idspec *)data)->id);
403 free (data);
404 }
405
406 static void
407 proposalspec_free(struct proposalspec *head)
408 {
409
410 struct proposalspec* next_propsp = head;
411
412 while (next_propsp) {
413 struct proposalspec* curr_propsp;
414 struct secprotospec* next_protosp;
415
416 curr_propsp = next_propsp;
417 next_propsp = next_propsp->next;
418 next_protosp = curr_propsp->spspec;
419 while (next_protosp) {
420 struct secprotospec* curr_protosp;
421
422 curr_protosp = next_protosp;
423 next_protosp = next_protosp->next;
424
425 if (curr_protosp->gssid)
426 free(curr_protosp->gssid);
427 if (curr_protosp->remote)
428 free(curr_protosp->remote);
429 racoon_free(curr_protosp);
430 }
431 racoon_free(curr_propsp);
432 }
433 }
434
435 void
436 delrmconf(rmconf)
437 struct remoteconf *rmconf;
438 {
439 if (rmconf->linked_to_ph1) {
440 rmconf->to_delete = TRUE;
441 return;
442 }
443 if (rmconf->remote)
444 racoon_free(rmconf->remote);
445 #ifdef ENABLE_HYBRID
446 if (rmconf->xauth)
447 xauth_rmconf_delete(&rmconf->xauth);
448 #endif
449 if (rmconf->etypes) {
450 deletypes(rmconf->etypes);
451 rmconf->etypes=NULL;
452 }
453 if (rmconf->idv)
454 vfree(rmconf->idv);
455 if (rmconf->idvl_p)
456 genlist_free(rmconf->idvl_p, idspec_free);
457 if (rmconf->dhgrp)
458 oakley_dhgrp_free(rmconf->dhgrp);
459 if (rmconf->proposal)
460 delisakmpsa(rmconf->proposal);
461 if (rmconf->mycertfile)
462 racoon_free(rmconf->mycertfile);
463 if (rmconf->myprivfile)
464 racoon_free(rmconf->myprivfile);
465 if (rmconf->peerscertfile)
466 racoon_free(rmconf->peerscertfile);
467 if (rmconf->cacertfile)
468 racoon_free(rmconf->cacertfile);
469 if (rmconf->prhead)
470 proposalspec_free(rmconf->prhead);
471 #ifdef HAVE_OPENSSL
472 if (rmconf->rsa_private)
473 genlist_free(rmconf->rsa_private, rsa_key_free);
474 if (rmconf->rsa_public)
475 genlist_free(rmconf->rsa_public, rsa_key_free);
476 #endif
477 if (rmconf->shared_secret)
478 vfree(rmconf->shared_secret);
479 if (rmconf->keychainCertRef)
480 vfree(rmconf->keychainCertRef);
481 if (rmconf->open_dir_auth_group)
482 vfree(rmconf->open_dir_auth_group);
483
484 racoon_free(rmconf);
485 }
486
487 void
488 delisakmpsa(sa)
489 struct isakmpsa *sa;
490 {
491 if (sa->dhgrp)
492 oakley_dhgrp_free(sa->dhgrp);
493 if (sa->next)
494 delisakmpsa(sa->next);
495 #ifdef HAVE_GSSAPI
496 if (sa->gssid)
497 vfree(sa->gssid);
498 #endif
499 racoon_free(sa);
500 }
501
502 struct etypes *
503 dupetypes(orig)
504 struct etypes *orig;
505 {
506 struct etypes *new;
507
508 if (!orig)
509 return NULL;
510
511 new = racoon_malloc(sizeof(struct etypes));
512 if (new == NULL)
513 return NULL;
514
515 new->type = orig->type;
516 new->next = NULL;
517
518 if (orig->next)
519 new->next=dupetypes(orig->next);
520
521 return new;
522 }
523
524 void
525 deletypes(e)
526 struct etypes *e;
527 {
528 if (e->next)
529 deletypes(e->next);
530 racoon_free(e);
531 }
532
533 /*
534 * insert into head of list.
535 */
536 void
537 insrmconf(new)
538 struct remoteconf *new;
539 {
540 TAILQ_INSERT_HEAD(&rmtree, new, chain);
541 }
542
543 void
544 remrmconf(rmconf)
545 struct remoteconf *rmconf;
546 {
547 if (rmconf->linked_to_ph1) {
548 rmconf->to_remove = TRUE;
549 return;
550 }
551 TAILQ_REMOVE(&rmtree, rmconf, chain);
552 }
553
554 void
555 flushrmconf()
556 {
557 struct remoteconf *p, *next;
558
559 for (p = TAILQ_FIRST(&rmtree); p; p = next) {
560 next = TAILQ_NEXT(p, chain);
561 remrmconf(p);
562 delrmconf(p);
563 }
564 }
565
566 void
567 initrmconf()
568 {
569 TAILQ_INIT(&rmtree);
570 }
571
572 /* check exchange type to be acceptable */
573 struct etypes *
574 check_etypeok(rmconf, etype)
575 struct remoteconf *rmconf;
576 u_int8_t etype;
577 {
578 struct etypes *e;
579
580 for (e = rmconf->etypes; e != NULL; e = e->next) {
581 if (e->type == etype)
582 break;
583 }
584
585 return e;
586 }
587
588 /*%%%*/
589 struct isakmpsa *
590 newisakmpsa()
591 {
592 struct isakmpsa *new;
593
594 new = racoon_calloc(1, sizeof(*new));
595 if (new == NULL)
596 return NULL;
597
598 /*
599 * Just for sanity, make sure this is initialized. This is
600 * filled in for real when the ISAKMP proposal is configured.
601 */
602 new->vendorid = VENDORID_UNKNOWN;
603
604 new->next = NULL;
605 new->rmconf = NULL;
606 #ifdef HAVE_GSSAPI
607 new->gssid = NULL;
608 #endif
609
610 return new;
611 }
612
613 /*
614 * insert into tail of list.
615 */
616 void
617 insisakmpsa(new, rmconf)
618 struct isakmpsa *new;
619 struct remoteconf *rmconf;
620 {
621 struct isakmpsa *p;
622
623 new->rmconf = rmconf;
624
625 if (rmconf->proposal == NULL) {
626 rmconf->proposal = new;
627 return;
628 }
629
630 for (p = rmconf->proposal; p->next != NULL; p = p->next)
631 ;
632 p->next = new;
633
634 return;
635 }
636
637 struct remoteconf *
638 foreachrmconf(rmconf_func_t rmconf_func, void *data)
639 {
640 struct remoteconf *p, *ret = NULL;
641
642 TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
643 ret = (*rmconf_func)(p, data);
644 if (ret)
645 break;
646 }
647
648 return ret;
649 }
650
651 static void *
652 dump_peers_identifiers (void *entry, void *arg)
653 {
654 struct idspec *id = (struct idspec*) entry;
655 char buf[1024], *pbuf;
656 pbuf = buf;
657 pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), "\tpeers_identifier %s",
658 s_idtype (id->idtype));
659 if (id->id)
660 pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v);
661 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
662 return NULL;
663 }
664
665 static struct remoteconf *
666 dump_rmconf_single (struct remoteconf *p, void *data)
667 {
668 struct etypes *etype = p->etypes;
669 struct isakmpsa *prop = p->proposal;
670 char buf[1024], *pbuf;
671
672 pbuf = buf;
673 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote));
674 if (p->inherited_from)
675 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
676 saddr2str(p->inherited_from->remote));
677 plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
678 pbuf = buf;
679 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
680 while (etype) {
681 pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), "%s%s", s_etype(etype->type),
682 etype->next != NULL ? ", " : ";\n");
683 etype = etype->next;
684 }
685 plog(LLV_INFO, LOCATION, NULL, "%s", buf);
686 plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
687 pbuf = buf;
688 pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype));
689 if (p->idvtype == IDTYPE_ASN1DN) {
690 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
691 plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
692 p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
693 p->mycertfile, p->myprivfile);
694 switch (p->getcert_method) {
695 case 0:
696 break;
697 case ISAKMP_GETCERT_PAYLOAD:
698 plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
699 break;
700 case ISAKMP_GETCERT_LOCALFILE:
701 plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
702 break;
703 case ISAKMP_GETCERT_DNS:
704 plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
705 break;
706 default:
707 plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
708 }
709 }
710 else {
711 if (p->idv)
712 pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v);
713 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
714 genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
715 }
716
717 plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
718 s_switch (p->send_cert));
719 plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
720 s_switch (p->send_cr));
721 plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
722 s_switch (p->verify_cert));
723 plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
724 s_switch (p->verify_identifier));
725 plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
726 p->nat_traversal == NATT_FORCE ?
727 "force" : s_switch (p->nat_traversal));
728 plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
729 s_switch (p->natt_multiple_user));
730 plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
731 p->nonce_size);
732 plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
733 s_switch (p->passive));
734 plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
735 p->ike_frag == ISAKMP_FRAG_FORCE ?
736 "force" : s_switch (p->ike_frag));
737 plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
738 plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
739 s_switch (p->ini_contact));
740 plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
741 s_switch (p->gen_policy));
742 plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
743 s_switch (p->support_proxy));
744
745 while (prop) {
746 plog(LLV_INFO, LOCATION, NULL, "\n");
747 plog(LLV_INFO, LOCATION, NULL,
748 "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
749 prop->prop_no, prop->trns_no,
750 saddr2str(prop->rmconf->remote));
751 plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
752 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
753 (long)prop->lifetime);
754 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
755 prop->lifebyte);
756 plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
757 alg_oakley_dhdef_name(prop->dh_group));
758 plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
759 alg_oakley_encdef_name(prop->enctype));
760 plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
761 alg_oakley_hashdef_name(prop->hashtype));
762 plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
763 alg_oakley_authdef_name(prop->authmethod));
764 plog(LLV_INFO, LOCATION, NULL, "\t}\n");
765 prop = prop->next;
766 }
767 plog(LLV_INFO, LOCATION, NULL, "}\n");
768 plog(LLV_INFO, LOCATION, NULL, "\n");
769
770 return NULL;
771 }
772
773 void
774 dumprmconf()
775 {
776 foreachrmconf (dump_rmconf_single, NULL);
777 }
778
779 struct idspec *
780 newidspec()
781 {
782 struct idspec *new;
783
784 new = racoon_calloc(1, sizeof(*new));
785 if (new == NULL)
786 return NULL;
787 new->idtype = IDTYPE_ADDRESS;
788
789 return new;
790 }
791
792 vchar_t *
793 script_path_add(path)
794 vchar_t *path;
795 {
796 char *script_dir;
797 vchar_t *new_path;
798 vchar_t *new_storage;
799 vchar_t **sp;
800 size_t len;
801 size_t size;
802
803 script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
804
805 /* Try to find the script in the script directory */
806 if ((path->v[0] != '/') && (script_dir != NULL)) {
807 len = strlen(script_dir) + sizeof("/") + path->l + 1;
808
809 if ((new_path = vmalloc(len)) == NULL) {
810 plog(LLV_ERROR, LOCATION, NULL,
811 "Cannot allocate memory: %s\n", strerror(errno));
812 return NULL;
813 }
814
815 new_path->v[0] = '\0';
816 (void)strlcat(new_path->v, script_dir, new_path->l);
817 (void)strlcat(new_path->v, "/", new_path->l);
818 (void)strlcat(new_path->v, path->v, new_path->l);
819
820 vfree(path);
821 path = new_path;
822 }
823
824 return path;
825 }
826
827
828 struct isakmpsa *
829 dupisakmpsa(struct isakmpsa *sa)
830 {
831 struct isakmpsa *res = NULL;
832
833 if (sa == NULL)
834 return NULL;
835
836 res = newisakmpsa();
837 if(res == NULL)
838 return NULL;
839
840 *res = *sa;
841 #ifdef HAVE_GSSAPI
842 res->gssid=vdup(sa->gssid);
843 #endif
844 res->next=NULL;
845
846 if (sa->dhgrp != NULL)
847 oakley_setdhgroup(sa->dh_group, &(res->dhgrp));
848
849 return res;
850
851 }
852
853 #ifdef HAVE_OPENSSL
854 void
855 rsa_key_free(void *entry)
856 {
857 struct rsa_key *key = (struct rsa_key *)entry;
858
859 if (key->src)
860 free(key->src);
861 if (key->dst)
862 free(key->dst);
863 if (key->rsa)
864 RSA_free(key->rsa);
865 free(key);
866 }
867 #endif
mirror of ipsec