1 /* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
2
3 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44
45 #ifndef HAVE_NETINET6_IPSEC
46 #include <netinet/ipsec.h>
47 #else
48 #include <netinet6/ipsec.h>
49 #endif
50
51 #include <stdlib.h>
52 #include <stdio.h>
53 #include <string.h>
54 #include <errno.h>
55
56 #include "var.h"
57 #include "misc.h"
58 #include "vmbuf.h"
59 #include "plog.h"
60 #include "sockmisc.h"
61 #include "genlist.h"
62 #include "debug.h"
63
64 #include "isakmp_var.h"
65 #ifdef ENABLE_HYBRID
66 #include "isakmp_xauth.h"
67 #endif
68 #include "isakmp.h"
69 #include "ipsec_doi.h"
70 #include "oakley.h"
71 #include "remoteconf.h"
72 #include "localconf.h"
73 #include "grabmyaddr.h"
74 #include "policy.h"
75 #include "proposal.h"
76 #include "vendorid.h"
77 #include "gcmalloc.h"
78 #include "strnames.h"
79 #include "algorithm.h"
80 #include "nattraversal.h"
81 #include "isakmp_frag.h"
82 #include "genlist.h"
83 #include "rsalist.h"
84
/*
 * Global list of the "remote" blocks from the configuration file.
 * insrmconf() pushes at the head, so the most recently parsed block is
 * examined first by getrmconf_strict(); foreachrmconf() walks it in
 * reverse, i.e. in configuration-file order.
 */
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;

/*
 * Script hook names and script hook paths
 * Indexed by the SCRIPT_* constants; the array holds SCRIPT_MAX + 1
 * slots and is used when logging/resolving the per-remote script[] paths.
 */
char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
91
92 /*%%%*/
/*
 * search remote configuration.
 * don't use port number to search if its value is IPSEC_PORT_ANY.
 * Every entry in rmtree is compared against "remote".  If no addressed
 * entry matches and allow_anon is set, the anonymous entry itself is
 * returned (it is not copied here; copyrmconf() does the copying).
 * If nothing matches, return NULL.
 * OUT: NULL: NG
 * Other: remote configuration entry.
 */
struct remoteconf *
getrmconf_strict(remote, allow_anon)
	struct sockaddr *remote;
	int allow_anon;
{
	struct remoteconf *p;
	/* last entry whose address (but not port) matched a ported lookup */
	struct remoteconf *p_withport_besteffort = NULL;
	/* last anonymous (AF_UNSPEC) entry seen; only used when allow_anon */
	struct remoteconf *anon = NULL;
	int withport;
	/* human readable form of "remote", for the debug log lines only */
	char buf[NI_MAXHOST + NI_MAXSERV + 10];
	char addr[NI_MAXHOST], port[NI_MAXSERV];

	withport = 0;

	/*
	 * We never have ports set in our remote configurations, but when
	 * NAT-T is enabled, the kernel can have policies with ports and
	 * send us an acquire message for a destination that has a port set.
	 * If we do this port check here, we have to fallback to a best-effort result (without the port).
	 *
	 * In an ideal world, we would be able to have remote conf with
	 * port, and the port could be a wildcard. That test could be used.
	 */
	switch (remote->sa_family) {
	case AF_INET:
		if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#ifdef INET6
	case AF_INET6:
		if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY)
			withport = 1;
		break;
#endif
	case AF_UNSPEC:
		/* caller explicitly asks for the anonymous entry */
		break;

	default:
		/* any other family is rejected up front, before the list walk */
		plog(LLV_ERROR2, LOCATION, NULL,
			"invalid ip address family: %d\n", remote->sa_family);
		return NULL;
	}

	if (remote->sa_family == AF_UNSPEC)
		snprintf (buf, sizeof(buf), "%s", "anonymous");
	else {
		GETNAMEINFO(remote, addr, port);
		snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
			withport ? "[" : "",
			withport ? port : "",
			withport ? "]" : "");
	}

	TAILQ_FOREACH(p, &rmtree, chain) {
#ifdef __APPLE__
		/*
		 * Entries retired by remrmconf()/delrmconf() while a phase 1
		 * still references them must not be handed out again.
		 */
		if (p->to_delete || p->to_remove) {
			continue;
		}
#endif
		/*
		 * Exact match: first hit wins.  Note that an AF_UNSPEC lookup
		 * matches the first anonymous entry here regardless of
		 * allow_anon -- allow_anon only governs the fallback below
		 * for lookups of a concrete address.
		 */
		if ((remote->sa_family == AF_UNSPEC
		     && remote->sa_family == p->remote->sa_family)
		    || (!withport && cmpsaddrwop(remote, p->remote) == 0)
		    || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
			plog(LLV_DEBUG, LOCATION, NULL,
				"configuration found for %s.\n", buf);
			return p;
		} else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
			// for withport: save the pointer for the best-effort search
			/* unlike the exact match, this keeps the LAST such entry */
			p_withport_besteffort = p;
		}

		/* save the pointer to the anonymous configuration */
		/* (again the last one in list order, if several exist) */
		if (p->remote->sa_family == AF_UNSPEC)
			anon = p;
	}

	/* address-only match for a ported lookup beats the anonymous entry */
	if (p_withport_besteffort) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"configuration found for %s.\n", buf);
		return p_withport_besteffort;
	}

	if (allow_anon && anon != NULL) {
		plog(LLV_DEBUG, LOCATION, NULL,
			"anonymous configuration selected for %s.\n", buf);
		return anon;
	}

	plog(LLV_DEBUG, LOCATION, NULL,
		"no remote configuration found.\n");

	return NULL;
}
194
/*
 * Tell whether the configuration holds any addressed "remote" block.
 *
 * OUT: 1 when rmtree is empty or only contains anonymous (AF_UNSPEC)
 *      entries, 0 as soon as one addressed entry exists.
 */
int
no_remote_configs(void)
{
	struct remoteconf *rmc;
	int only_anonymous = 1;

	TAILQ_FOREACH(rmc, &rmtree, chain) {
		if (rmc->remote->sa_family != AF_UNSPEC) {
			only_anonymous = 0;
			break;
		}
	}

	return only_anonymous;
}
208
/*
 * Look up the remote configuration for "remote", falling back to the
 * anonymous entry when no addressed entry matches.  Thin wrapper over
 * getrmconf_strict() with the anonymous fallback enabled.
 *
 * OUT: the matching entry, or NULL when there is none.
 */
struct remoteconf *
getrmconf(struct sockaddr *remote)
{
	const int allow_anonymous = 1;

	return getrmconf_strict(remote, allow_anonymous);
}
215
216 #ifdef __APPLE__
/*
 * Record that one more phase 1 handle references "new".
 *
 * Entries already scheduled for removal or deletion refuse new
 * references, otherwise the deferred remrmconf()/delrmconf() carried
 * out by unlink_rmconf_from_ph1() could be postponed indefinitely.
 *
 * OUT: 0 on success, -1 for a NULL or retiring entry.
 */
int
link_rmconf_to_ph1 (struct remoteconf *new)
{
	if (new == NULL || new->to_delete || new->to_remove)
		return -1;

	new->linked_to_ph1++;
	return 0;
}
230
/*
 * Drop one phase 1 reference from "old".  When the last reference goes
 * away, carry out whatever remrmconf()/delrmconf() deferred while the
 * entry was still in use.  delrmconf() frees "old", so nothing may
 * touch it after the to_delete branch.
 *
 * OUT: 0 on success, -1 if "old" is NULL or carried no reference.
 */
int
unlink_rmconf_from_ph1 (struct remoteconf *old)
{
	if (old == NULL)
		return -1;
	if (old->linked_to_ph1 <= 0)
		return -1;

	if (--old->linked_to_ph1 > 0)
		return 0;

	/* last reference gone: honour the deferred requests, removal first */
	if (old->to_remove)
		remrmconf(old);
	if (old->to_delete)
		delrmconf(old);		/* frees old */

	return 0;
}
251 #endif
252
/*
 * Allocate a remote configuration entry populated with the built-in
 * defaults.  The parser then overrides individual members.
 *
 * Security-relevant defaults worth knowing: proposals are checked
 * strictly, peer certificates are verified, but the peer identifier is
 * NOT verified unless verify_identifier is switched on in the config.
 *
 * OUT: the new entry, or NULL when allocation fails.
 */
struct remoteconf *
newrmconf(void)
{
	struct remoteconf *rmc;
	int slot;

	rmc = racoon_calloc(1, sizeof(*rmc));
	if (rmc == NULL)
		return NULL;

	/* protocol and identity */
	rmc->proposal = NULL;
	rmc->doitype = IPSEC_DOI;
	rmc->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
	rmc->idvtype = IDTYPE_UNDEFINED;
	rmc->idvl_p = genlist_init();
	rmc->nonce_size = DEFAULT_NONCE_SIZE;
	rmc->passive = FALSE;
	rmc->ike_frag = FALSE;
	rmc->esp_frag = IP_MAXPACKET;
	rmc->ini_contact = TRUE;
	rmc->mode_cfg = FALSE;

	/* peer checking */
	rmc->pcheck_level = PROP_CHECK_STRICT;
	rmc->verify_identifier = FALSE;
	rmc->verify_cert = TRUE;
	rmc->weak_phase1_check = 0;

	/* certificates */
	rmc->getcert_method = ISAKMP_GETCERT_PAYLOAD;
	rmc->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
	rmc->cacerttype = ISAKMP_CERT_X509SIGN;
	rmc->certtype = ISAKMP_CERT_NONE;
	rmc->cacertfile = NULL;
	rmc->send_cert = TRUE;
	rmc->send_cr = TRUE;
	rmc->support_proxy = FALSE;

	/* script hooks: none until the parser fills them in */
	for (slot = 0; slot <= SCRIPT_MAX; slot++)
		rmc->script[slot] = NULL;

	/* policy and retransmission, inherited from the global section */
	rmc->gen_policy = FALSE;
	rmc->retry_counter = lcconf->retry_counter;
	rmc->retry_interval = lcconf->retry_interval;

	/* NAT traversal and the Apple phase 1 reference bookkeeping */
#ifdef __APPLE__
	rmc->nat_traversal = NATT_ON;
	rmc->natt_multiple_user = FALSE;
	rmc->natt_keepalive = TRUE;
	rmc->to_remove = FALSE;
	rmc->to_delete = FALSE;
	rmc->linked_to_ph1 = 0;
#else
	rmc->nat_traversal = NATT_OFF;
#endif

	/* key material */
	rmc->rsa_private = genlist_init();
	rmc->rsa_public = genlist_init();
	rmc->idv = NULL;
	rmc->key = NULL;

	/* dead peer detection: supported, but no periodic probing */
	rmc->dpd = TRUE;
	rmc->dpd_interval = 0;
	rmc->dpd_retry = 5;
	rmc->dpd_maxfails = 5;
	rmc->dpd_algo = DPD_ALGO_INBOUND_DETECT;
	rmc->idle_timeout = 0;

#ifdef ENABLE_HYBRID
	rmc->xauth = NULL;
#endif
	rmc->initiate_ph1rekey = TRUE;

	return rmc;
}
322
/*
 * Duplicate the remote configuration that matches "remote".
 *
 * The lookup runs with allow_anon = 0, so an address that would only be
 * served by the anonymous block is reported as "not found" instead of
 * producing a copy of that block.  (An AF_UNSPEC "remote" still matches
 * the anonymous entry directly in getrmconf_strict().)
 *
 * OUT: a duprmconf() copy of the matching entry, or NULL.
 */
struct remoteconf *
copyrmconf(struct sockaddr *remote)
{
	struct remoteconf *src;

	src = getrmconf_strict (remote, 0);
	if (src == NULL) {
		plog (LLV_ERROR, LOCATION, NULL,
			"Remote configuration for '%s' not found!\n",
			saddr2str (remote));
		return NULL;
	}

	return duprmconf (src);
}
341
/*
 * genlist_foreach() callback used by duprmconf(): deep-copy one
 * peers_identifier entry into the list passed as "arg".
 *
 * OUT: NULL to keep iterating; (void *)-1 when allocation or
 *      set_identifier() fails (how genlist_foreach() reacts to a
 *      non-NULL result is not visible here).
 */
void *
dupidvl(void *entry, void *arg)
{
	struct idspec *src = (struct idspec *) entry;
	struct idspec *copy;

	copy = newidspec();
	if (copy == NULL)
		return (void *) -1;

	if (set_identifier(&copy->id, src->idtype, src->id) != 0) {
		racoon_free(copy);
		return (void *) -1;
	}
	copy->idtype = src->idtype;

	genlist_append(arg, copy);
	return NULL;
}
362
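/*
 * Duplicate a remote configuration entry.
 *
 * The copy is shallow: after the memcpy() every pointer member (remote,
 * idv, proposal, the cert file names, rsa_private/rsa_public, dhgrp,
 * shared_secret, ...) is still shared with "rmconf".  Only etypes and
 * idvl_p get their own storage here; anything else the caller wants the
 * copy to own must be re-created by the caller (cfparse.y does this for
 * the proposal), otherwise delrmconf() on both entries frees the shared
 * objects twice.
 *
 * OUT: the copy, or NULL when allocation fails.  An allocation failure
 *      inside dupetypes() is not reported; it leaves the copy with a
 *      shorter (possibly empty) etypes list.
 */
struct remoteconf *
duprmconf (struct remoteconf *rmconf)
{
	struct remoteconf *new;

	new = racoon_calloc(1, sizeof(*new));
	if (new == NULL)
		return NULL;
	memcpy (new, rmconf, sizeof (*new));
	// FIXME: We should duplicate the proposal as well.
	// This is now handled in the cfparse.y
	// new->proposal = ...;

	/* duplicate dynamic structures */
	if (new->etypes)
		new->etypes=dupetypes(new->etypes);
	new->idvl_p = genlist_init();
	genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);

#ifdef __APPLE__
	/*
	 * The copy is a brand-new object: no phase 1 handle references it
	 * and no removal/deletion has been requested for it.  Inheriting
	 * the source's bookkeeping via memcpy() would either make
	 * link_rmconf_to_ph1() refuse the copy (to_remove/to_delete set)
	 * or leave it permanently "in use" (linked_to_ph1 > 0), in which
	 * case delrmconf() only ever sets to_delete and the entry leaks.
	 */
	new->linked_to_ph1 = 0;
	new->to_remove = FALSE;
	new->to_delete = FALSE;
#endif

	return new;
}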
385
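/*
 * genlist_free() callback for an idvl_p entry: release the identifier
 * buffer and the idspec itself.
 *
 * The idspec comes from newidspec(), which allocates with
 * racoon_calloc(), so it is returned through racoon_free() rather than
 * the bare free() used before: gcmalloc.h may route the racoon_*
 * allocators through a debugging allocator, and mixing the two pairs
 * is a mismatched free.  The NULL guard on the id buffer mirrors the
 * "if (rmconf->idv) vfree(rmconf->idv)" pattern in delrmconf().
 */
static void
idspec_free(void *data)
{
	struct idspec *id = (struct idspec *)data;

	if (id == NULL)
		return;
	if (id->id)
		vfree (id->id);
	racoon_free (id);
}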
392
/*
 * Free a chain of proposal specs (rmconf->prhead) together with the
 * protocol specs hanging off each one.  The gssid and remote members
 * are released with plain free(), the spec structures with
 * racoon_free(), exactly as the allocating code in the parser expects.
 */
static void
proposalspec_free(struct proposalspec *head)
{
	struct proposalspec *prop;
	struct proposalspec *prop_next;

	for (prop = head; prop != NULL; prop = prop_next) {
		struct secprotospec *proto;
		struct secprotospec *proto_next;

		prop_next = prop->next;

		for (proto = prop->spspec; proto != NULL; proto = proto_next) {
			proto_next = proto->next;
			if (proto->gssid)
				free(proto->gssid);
			if (proto->remote)
				free(proto->remote);
			racoon_free(proto);
		}

		racoon_free(prop);
	}
}
421
/*
 * Release a remote configuration entry and everything it owns.
 *
 * The entry is expected to have been taken off rmtree already (see
 * flushrmconf(), which calls remrmconf() first).  On Apple builds the
 * free is deferred while a phase 1 still references the entry; the last
 * unlink_rmconf_from_ph1() then calls back in here.
 *
 * NOTE(review): rmconf->key (set to NULL by newrmconf()) is never
 * released here -- presumably it is not owned by the entry or is freed
 * by the parser; confirm before relying on it.  Secrets such as
 * shared_secret are handed to vfree() without explicit zeroization in
 * this function; whether vfree() scrubs the buffer is not visible here.
 */
void
delrmconf(rmconf)
	struct remoteconf *rmconf;
{
#ifdef __APPLE__
	/* still in use by a phase 1: mark it and let the last unlink free it */
	if (rmconf->linked_to_ph1) {
		rmconf->to_delete = TRUE;
		return;
	}
#endif
	if (rmconf->remote)
		racoon_free(rmconf->remote);
#ifdef ENABLE_HYBRID
	if (rmconf->xauth)
		xauth_rmconf_delete(&rmconf->xauth);
#endif
	if (rmconf->etypes) {
		deletypes(rmconf->etypes);
		rmconf->etypes=NULL;
	}
	if (rmconf->idv)
		vfree(rmconf->idv);
	/* peers_identifier list; each element goes through idspec_free() */
	if (rmconf->idvl_p)
		genlist_free(rmconf->idvl_p, idspec_free);
	if (rmconf->dhgrp)
		oakley_dhgrp_free(rmconf->dhgrp);
	/* the whole isakmpsa proposal chain, including each sa's dhgrp */
	if (rmconf->proposal)
		delisakmpsa(rmconf->proposal);
	if (rmconf->mycertfile)
		racoon_free(rmconf->mycertfile);
	if (rmconf->myprivfile)
		racoon_free(rmconf->myprivfile);
	if (rmconf->peerscertfile)
		racoon_free(rmconf->peerscertfile);
	if (rmconf->cacertfile)
		racoon_free(rmconf->cacertfile);
	if (rmconf->prhead)
		proposalspec_free(rmconf->prhead);
	/* RSA key lists; rsa_key_free() also calls RSA_free() on each key */
	if (rmconf->rsa_private)
		genlist_free(rmconf->rsa_private, rsa_key_free);
	if (rmconf->rsa_public)
		genlist_free(rmconf->rsa_public, rsa_key_free);
#ifdef __APPLE__
	if (rmconf->shared_secret)
		vfree(rmconf->shared_secret);
	if (rmconf->keychainCertRef)
		vfree(rmconf->keychainCertRef);
	if (rmconf->open_dir_auth_group)
		vfree(rmconf->open_dir_auth_group);
#endif

	racoon_free(rmconf);
}
475
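/*
 * Free a chain of phase 1 proposals (rmconf->proposal) and the DH group
 * (and, with GSSAPI, the gssid) each one owns.
 *
 * Walks the list iteratively instead of recursing once per entry, and
 * accepts a NULL "sa" so callers no longer need their own guard.  The
 * rmconf back-pointer is not owned by the sa and is left alone.
 */
void
delisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *next;

	for (; sa != NULL; sa = next) {
		next = sa->next;
		if (sa->dhgrp)
			oakley_dhgrp_free(sa->dhgrp);
#ifdef HAVE_GSSAPI
		if (sa->gssid)
			vfree(sa->gssid);
#endif
		racoon_free(sa);
	}
}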
490
/*
 * Deep-copy an exchange-type list, preserving order.
 *
 * OUT: the head of the new list, or NULL for an empty input or when the
 *      first node cannot be allocated.  If allocation fails later in the
 *      list, the nodes copied so far are returned (a truncated list),
 *      exactly as the recursive version behaved.
 */
struct etypes *
dupetypes(struct etypes *orig)
{
	struct etypes *head = NULL;
	struct etypes *tail = NULL;
	const struct etypes *src;

	for (src = orig; src != NULL; src = src->next) {
		struct etypes *node = racoon_malloc(sizeof(struct etypes));

		if (node == NULL)
			break;		/* out of memory: hand back what was copied */
		node->type = src->type;
		node->next = NULL;

		if (tail == NULL)
			head = node;
		else
			tail->next = node;
		tail = node;
	}

	return head;
}
512
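/*
 * Free an exchange-type list produced by the parser or dupetypes().
 *
 * Iterative rather than recursive, and safe to call with NULL so that
 * callers can drop their "if (rmconf->etypes)" guard.
 */
void
deletypes(struct etypes *e)
{
	while (e != NULL) {
		struct etypes *next = e->next;

		racoon_free(e);
		e = next;
	}
}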
521
522 /*
523 * insert into head of list.
524 */
/*
 * Register "new" in the global list.  Head insertion means the most
 * recently parsed block is the first one getrmconf_strict() examines.
 */
void
insrmconf(struct remoteconf *new)
{
	TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
531
/*
 * Take "rmconf" off the global list.  On Apple builds an entry that a
 * phase 1 still references is only flagged; unlink_rmconf_from_ph1()
 * performs the removal once the last reference is gone.
 */
void
remrmconf(struct remoteconf *rmconf)
{
#ifdef __APPLE__
	if (rmconf->linked_to_ph1 != 0) {
		rmconf->to_remove = TRUE;
		return;
	}
#endif
	TAILQ_REMOVE(&rmtree, rmconf, chain);
}
544
/*
 * Remove and free every remote configuration entry.  The successor is
 * fetched before the entry is touched because delrmconf() may free it.
 * (On Apple builds entries still referenced by a phase 1 are only
 * flagged by remrmconf()/delrmconf() and stay on the list for now.)
 */
void
flushrmconf(void)
{
	struct remoteconf *rmc;
	struct remoteconf *following;

	rmc = TAILQ_FIRST(&rmtree);
	while (rmc != NULL) {
		following = TAILQ_NEXT(rmc, chain);
		remrmconf(rmc);
		delrmconf(rmc);
		rmc = following;
	}
}
556
/*
 * Reset the global remote-configuration list to empty.  Must run before
 * the first insrmconf()/getrmconf_strict().
 */
void
initrmconf(void)
{
	TAILQ_INIT(&rmtree);
}
562
563 /* check exchange type to be acceptable */
/*
 * Look "etype" up in the exchange types the remote block allows.
 *
 * OUT: the matching list node, or NULL when the exchange type is not
 *      acceptable for this peer.
 */
struct etypes *
check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
{
	struct etypes *candidate = rmconf->etypes;

	while (candidate != NULL && candidate->type != etype)
		candidate = candidate->next;

	return candidate;
}
578
579 /*%%%*/
/*
 * Allocate an empty phase 1 proposal entry.  The proposal parameters
 * are filled in by the parser; only the list links and the vendor id
 * get an explicit initial value here.
 *
 * OUT: the new entry, or NULL when allocation fails.
 */
struct isakmpsa *
newisakmpsa(void)
{
	struct isakmpsa *sa;

	sa = racoon_calloc(1, sizeof(*sa));
	if (sa == NULL)
		return NULL;

	/* sane placeholder until the ISAKMP proposal is configured */
	sa->vendorid = VENDORID_UNKNOWN;

	sa->next = NULL;
	sa->rmconf = NULL;
#ifdef HAVE_GSSAPI
	sa->gssid = NULL;
#endif

	return sa;
}
603
604 /*
605 * insert into tail of list.
606 */
/*
 * Append "new" to the tail of rmconf's proposal list and point its
 * back-reference at the owning remote block.  new->next is not reset,
 * so callers hand in a detached entry.
 */
void
insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
{
	struct isakmpsa **link = &rmconf->proposal;

	new->rmconf = rmconf;

	/* walk to the terminating NULL link and hang the entry there */
	while (*link != NULL)
		link = &(*link)->next;
	*link = new;
}
627
/*
 * Call rmconf_func(entry, data) for each remote block in configuration
 * file order (the list is walked in reverse because insrmconf() pushes
 * at the head).  Iteration stops at the first non-NULL result.
 *
 * OUT: that first non-NULL result, or NULL when every call returned NULL.
 */
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
	struct remoteconf *rmc;
	struct remoteconf *hit = NULL;

	TAILQ_FOREACH_REVERSE(rmc, &rmtree, _rmtree, chain) {
		hit = (*rmconf_func)(rmc, data);
		if (hit != NULL)
			break;
	}

	return hit;
}
641
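/*
 * Move the write cursor "pbuf" inside buf[bufsz] forward by the result
 * of an snprintf() that was issued at that cursor.
 *
 * snprintf() returns the length the output WOULD have had, not the
 * number of bytes stored, so the previous "pbuf += snprintf(...)"
 * chains pushed the cursor past the end of the array as soon as a long
 * identifier or address did not fit; the following append then computed
 * "sizeof(buf) - (pbuf - buf)" as a wrapped-around size_t and wrote out
 * of bounds.  On truncation or error the cursor is pinned on the
 * terminating NUL so that every later append becomes a harmless no-op.
 */
static char *
dump_advance(char *buf, size_t bufsz, char *pbuf, int written)
{
	size_t room = bufsz - (size_t)(pbuf - buf);

	if (written < 0)
		return pbuf;
	if ((size_t)written >= room)
		return buf + bufsz - 1;
	return pbuf + written;
}

/* "%s" with a NULL argument is undefined behaviour; log a marker instead. */
static const char *
dump_str(const char *s)
{
	return s != NULL ? s : "(null)";
}

/*
 * genlist_foreach() callback: log one peers_identifier line.
 * Always returns NULL so that the whole list is printed.
 */
static void *
dump_peers_identifiers (void *entry, void *arg)
{
	struct idspec *id = (struct idspec*) entry;
	char buf[1024], *pbuf;

	pbuf = buf;
	pbuf = dump_advance(buf, sizeof(buf), pbuf,
		snprintf (pbuf, sizeof(buf) - (pbuf - buf), "\tpeers_identifier %s",
			s_idtype (id->idtype)));
	/*
	 * NOTE(review): id->id->v is assumed to be NUL-terminated, as the
	 * original assumed; if set_identifier() can store an unterminated
	 * buffer this must switch to "%.*s" with id->id->l.
	 */
	if (id->id)
		pbuf = dump_advance(buf, sizeof(buf), pbuf,
			snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v));
	plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
	return NULL;
}

/*
 * foreachrmconf() callback: log one remote block in a racoon.conf-like
 * layout at LLV_INFO.  Only non-secret settings are printed (addresses,
 * identifiers, file names, switches and the proposal parameters).
 * Always returns NULL so that every block is dumped.
 */
static struct remoteconf *
dump_rmconf_single (struct remoteconf *p, void *data)
{
	struct etypes *etype = p->etypes;
	struct isakmpsa *prop = p->proposal;
	char buf[1024], *pbuf;

	pbuf = buf;
	pbuf = dump_advance(buf, sizeof(buf), pbuf,
		snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote)));
	if (p->inherited_from)
		pbuf = dump_advance(buf, sizeof(buf), pbuf,
			snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
				saddr2str(p->inherited_from->remote)));
	plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);

	/* exchange types, comma separated on one line */
	pbuf = buf;
	pbuf = dump_advance(buf, sizeof(buf), pbuf,
		snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type "));
	while (etype) {
		pbuf = dump_advance(buf, sizeof(buf), pbuf,
			snprintf (pbuf, sizeof(buf) - (pbuf - buf), "%s%s", s_etype(etype->type),
				etype->next != NULL ? ", " : ";\n"));
		etype = etype->next;
	}
	plog(LLV_INFO, LOCATION, NULL, "%s", buf);
	plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));

	/* my identifier, then either the certificate settings or the peer ids */
	pbuf = buf;
	pbuf = dump_advance(buf, sizeof(buf), pbuf,
		snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype)));
	if (p->idvtype == IDTYPE_ASN1DN) {
		plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
		/* the file names stay NULL when no certificate_type was configured */
		plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
			p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
			dump_str(p->mycertfile), dump_str(p->myprivfile));
		switch (p->getcert_method) {
		case 0:
			break;
		case ISAKMP_GETCERT_PAYLOAD:
			plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
			break;
		case ISAKMP_GETCERT_LOCALFILE:
			plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n",
				dump_str(p->peerscertfile));
			break;
		case ISAKMP_GETCERT_DNS:
			plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
			break;
		default:
			plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
		}
	}
	else {
		if (p->idv)
			pbuf = dump_advance(buf, sizeof(buf), pbuf,
				snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v));
		plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
		genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
	}

	plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
		s_switch (p->send_cert));
	plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
		s_switch (p->send_cr));
	plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
		s_switch (p->verify_cert));
	plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
		s_switch (p->verify_identifier));
	plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
		p->nat_traversal == NATT_FORCE ?
			"force" : s_switch (p->nat_traversal));
#ifdef __APPLE__
	plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
		s_switch (p->natt_multiple_user));
#endif
	plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
		p->nonce_size);
	plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
		s_switch (p->passive));
	plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
		p->ike_frag == ISAKMP_FRAG_FORCE ?
			"force" : s_switch (p->ike_frag));
	plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
	plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
		s_switch (p->ini_contact));
	plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
		s_switch (p->gen_policy));
	plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
		s_switch (p->support_proxy));

	/* one "proposal { ... }" stanza per isakmpsa on the chain */
	while (prop) {
		plog(LLV_INFO, LOCATION, NULL, "\n");
		plog(LLV_INFO, LOCATION, NULL,
			"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
			prop->prop_no, prop->trns_no,
			saddr2str(prop->rmconf->remote));
		plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
		/* cast matches the %lu conversion (the old (long) cast did not) */
		plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
			(unsigned long)prop->lifetime);
		plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
			prop->lifebyte);
		plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
			alg_oakley_dhdef_name(prop->dh_group));
		plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
			alg_oakley_encdef_name(prop->enctype));
		plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
			alg_oakley_hashdef_name(prop->hashtype));
		plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
			alg_oakley_authdef_name(prop->authmethod));
		plog(LLV_INFO, LOCATION, NULL, "\t}\n");
		prop = prop->next;
	}
	plog(LLV_INFO, LOCATION, NULL, "}\n");
	plog(LLV_INFO, LOCATION, NULL, "\n");

	return NULL;
}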
765
/*
 * Log every remote block, in configuration-file order, via
 * dump_rmconf_single().  The callback never returns non-NULL, so the
 * traversal always covers the whole list.
 */
void
dumprmconf(void)
{
	(void)foreachrmconf (dump_rmconf_single, NULL);
}
771
/*
 * Allocate a zeroed peers_identifier spec whose type defaults to
 * IDTYPE_ADDRESS until the parser (or dupidvl()) overrides it.
 *
 * OUT: the new spec, or NULL when allocation fails.
 */
struct idspec *
newidspec(void)
{
	struct idspec *spec;

	spec = racoon_calloc(1, sizeof(*spec));
	if (spec != NULL)
		spec->idtype = IDTYPE_ADDRESS;

	return spec;
}
784
/*
 * Resolve a script hook path against the configured script directory.
 *
 * An absolute path, or any path when no script directory is configured,
 * is returned unchanged.  Otherwise "<script_dir>/<path>" is built in a
 * fresh buffer and the original "path" buffer is freed.
 *
 * OUT: the (possibly new) path, or NULL when the new buffer cannot be
 *      allocated -- in that case "path" is NOT freed.
 */
vchar_t *
script_path_add(vchar_t *path)
{
	char *script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
	vchar_t *joined;
	size_t need;

	if (path->v[0] == '/' || script_dir == NULL)
		return path;

	/* sizeof("/") already counts a NUL; the extra byte is kept as before */
	need = strlen(script_dir) + sizeof("/") + path->l + 1;
	joined = vmalloc(need);
	if (joined == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"Cannot allocate memory: %s\n", strerror(errno));
		return NULL;
	}

	joined->v[0] = '\0';
	(void)strlcat(joined->v, script_dir, joined->l);
	(void)strlcat(joined->v, "/", joined->l);
	(void)strlcat(joined->v, path->v, joined->l);

	vfree(path);		/* ownership of the original buffer ends here */
	return joined;
}
819
820
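/*
 * Duplicate one phase 1 proposal entry as a detached (next == NULL)
 * node.  The rmconf back-pointer is shared with the source on purpose.
 *
 * OUT: the copy, or NULL for a NULL input or when allocation fails.
 */
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
	struct isakmpsa *res;

	if (sa == NULL)
		return NULL;

	res = newisakmpsa();
	if (res == NULL)
		return NULL;

	/* shallow copy; the defaults newisakmpsa() set are overwritten */
	*res = *sa;
#ifdef HAVE_GSSAPI
	res->gssid = vdup(sa->gssid);
#endif
	res->next = NULL;

	/*
	 * The struct copy aliased sa->dhgrp.  Clear it before asking
	 * oakley_setdhgroup() for a private instance: should that call
	 * fail, the copy would otherwise keep pointing at the source's
	 * group and delisakmpsa() would free it twice.  (Assumes
	 * oakley_setdhgroup() stores a fresh group in *dhgrp on success,
	 * which is how the original relied on it.)
	 */
	res->dhgrp = NULL;
	if (sa->dhgrp != NULL)
		oakley_setdhgroup(sa->dh_group, &(res->dhgrp));

	return res;
}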
845
/*
 * genlist_free() callback for rsa_private/rsa_public entries: release
 * the address selectors, the OpenSSL key object and the entry itself.
 * Uses plain free() for the entry, matching how these lists are built.
 */
void
rsa_key_free(void *entry)
{
	struct rsa_key *key = (struct rsa_key *)entry;

	if (key->src != NULL)
		free(key->src);
	if (key->dst != NULL)
		free(key->dst);
	if (key->rsa != NULL)
		RSA_free(key->rsa);

	free(key);
}