]> git.saurik.com Git - apple/ipsec.git/blobdiff - ipsec-tools/racoon/localconf.c
ipsec-317.220.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / localconf.c
index 381d1e8d3f57a3dafc2c3617f30cf4d14e311ba8..317baaa2476a2202f811a09f91df83a8c0c50a44 100644 (file)
@@ -49,8 +49,6 @@
 
 #include "localconf.h"
 #include "algorithm.h"
 
 #include "localconf.h"
 #include "algorithm.h"
-#include "admin.h"
-#include "privsep.h"
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "ipsec_doi.h"
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "ipsec_doi.h"
 #include "vendorid.h"
 #include "str2val.h"
 #include "safefile.h"
 #include "vendorid.h"
 #include "str2val.h"
 #include "safefile.h"
-#include "admin.h"
 #include "gcmalloc.h"
 #include "session.h"
 
 #include "gcmalloc.h"
 #include "session.h"
 
-#ifdef __APPLE__
 #include <CoreFoundation/CoreFoundation.h>
 #include <CoreFoundation/CoreFoundation.h>
+#if HAVE_SECURITY_FRAMEWORK
 #include <Security/Security.h>
 #endif
 
 struct localconf *lcconf;
 #include <Security/Security.h>
 #endif
 
 struct localconf *lcconf;
+struct localconf *saved_lcconf;
 
 
-static void setdefault __P((void));
+static void setdefault (void);
 
 void
 initlcconf()
 
 void
 initlcconf()
@@ -81,6 +79,7 @@ initlcconf()
        setdefault();
        lcconf->sock_vpncontrol = -1;   /* not to be done during flush */
        lcconf->racoon_conf = LC_DEFAULT_CF;
        setdefault();
        lcconf->sock_vpncontrol = -1;   /* not to be done during flush */
        lcconf->racoon_conf = LC_DEFAULT_CF;
+       TAILQ_INIT(&lcconf->saved_msg_queue);
 }
 
 void
 }
 
 void
@@ -96,7 +95,7 @@ flushlcconf()
                        lcconf->pathinfo[i] = NULL;
                }
        }
                        lcconf->pathinfo[i] = NULL;
                }
        }
-       for (i = 0; i < LC_IDENTTYPE_MAX; i++) {
+       for (i = 0; i < IDTYPE_MAX; i++) {
                if (lcconf->ident[i])
                        vfree(lcconf->ident[i]);
                lcconf->ident[i] = NULL;
                if (lcconf->ident[i])
                        vfree(lcconf->ident[i]);
                lcconf->ident[i] = NULL;
@@ -112,7 +111,6 @@ setdefault()
 {
        lcconf->uid = 0;
        lcconf->gid = 0;
 {
        lcconf->uid = 0;
        lcconf->gid = 0;
-       lcconf->chroot = NULL;
        lcconf->autograbaddr = 1;
        lcconf->port_isakmp = PORT_ISAKMP;
        lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
        lcconf->autograbaddr = 1;
        lcconf->port_isakmp = PORT_ISAKMP;
        lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
@@ -130,12 +128,31 @@ setdefault()
        lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
        lcconf->strict_address = FALSE;
        lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
        lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
        lcconf->strict_address = FALSE;
        lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
-       lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */
        lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
        lcconf->auto_exit_delay = 0;
        lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET;
        lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
        lcconf->auto_exit_delay = 0;
        lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET;
+       lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT;                             /* always auto exit as default */
 }
 
 }
 
+
+void
+savelcconf(void) 
+{
+    saved_lcconf = lcconf;
+    lcconf = NULL;
+    initlcconf();
+}
+
+void
+restorelcconf(void)
+{
+    flushlcconf();
+    racoon_free(lcconf);
+    lcconf = saved_lcconf;
+    saved_lcconf = NULL;
+}
+
+
 /*
  * get PSK by string.
  */
 /*
  * get PSK by string.
  */
@@ -146,9 +163,11 @@ getpskbyname(id0)
        char *id;
        vchar_t *key = NULL;
 
        char *id;
        vchar_t *key = NULL;
 
+       plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by name.\n");
+
        id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
        if (id == NULL) {
        id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
        if (id == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get psk buffer.\n");
                goto end;
        }
                        "failed to get psk buffer.\n");
                goto end;
        }
@@ -156,7 +175,7 @@ getpskbyname(id0)
                id0->l - sizeof(struct ipsecdoi_id_b));
        id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
 
                id0->l - sizeof(struct ipsecdoi_id_b));
        id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
 
-       key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
+       key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
 
 end:
        if (id)
 
 end:
        if (id)
@@ -164,7 +183,7 @@ end:
        return key;
 }
 
        return key;
 }
 
-#ifdef __APPLE__
+#if HAVE_KEYCHAIN
 /*
  * get PSK from keyChain.
  */
 /*
  * get PSK from keyChain.
  */
@@ -178,9 +197,11 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
        OSStatus status;
        char serviceName[] = "com.apple.net.racoon";
 
        OSStatus status;
        char serviceName[] = "com.apple.net.racoon";
 
+       plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from keychain.\n");
+
        status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
        if (status != noErr) {
        status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
        if (status != noErr) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to set system keychain domain.\n");
                goto end;
        }
                        "failed to set system keychain domain.\n");
                goto end;
        }
@@ -188,7 +209,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
        status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem,
                                              &keychain);
        if (status != noErr) {
        status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem,
                                              &keychain);
        if (status != noErr) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get system keychain domain.\n");
                goto end;
        }
                        "failed to get system keychain domain.\n");
                goto end;
        }
@@ -196,9 +217,9 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
        if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) {
                /* try looking up based on peers id */
                
        if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) {
                /* try looking up based on peers id */
                
-               char* peer_id;
+               char* peer_id = NULL;
                int idlen = id_p->l - sizeof(struct ipsecdoi_id_b);
                int idlen = id_p->l - sizeof(struct ipsecdoi_id_b);
-               u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type;
+               u_int8_t id_type = (ALIGNED_CAST(struct ipsecdoi_id_b *)(id_p->v))->type;
 
                switch (id_type) {
                        case IPSECDOI_ID_IPV4_ADDR:
 
                switch (id_type) {
                        case IPSECDOI_ID_IPV4_ADDR:
@@ -209,18 +230,18 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
                        case IPSECDOI_ID_IPV6_ADDR_RANGE:
                        case IPSECDOI_ID_DER_ASN1_DN:
                        case IPSECDOI_ID_DER_ASN1_GN:
                        case IPSECDOI_ID_IPV6_ADDR_RANGE:
                        case IPSECDOI_ID_DER_ASN1_DN:
                        case IPSECDOI_ID_DER_ASN1_GN:
-                               goto end;
+                               goto no_id;
                                break;
                                
                        case IPSECDOI_ID_FQDN:
                        case IPSECDOI_ID_USER_FQDN:
                        case IPSECDOI_ID_KEY_ID:
                                break;
                                
                        case IPSECDOI_ID_FQDN:
                        case IPSECDOI_ID_USER_FQDN:
                        case IPSECDOI_ID_KEY_ID:
-                               peer_id = racoon_malloc(idlen);
+                               peer_id = racoon_malloc(1 + idlen);
                                if (peer_id == NULL)
                                        goto end;
                                memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen);
                                *(peer_id + idlen) = '\0';
                                if (peer_id == NULL)
                                        goto end;
                                memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen);
                                *(peer_id + idlen) = '\0';
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "getting shared secret from keychain using %s.\n", peer_id);
 
                                break;
                                        "getting shared secret from keychain using %s.\n", peer_id);
 
                                break;
@@ -238,11 +259,24 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
                                                                &cur_password,
                                                                NULL);
 
                                                                &cur_password,
                                                                NULL);
 
+               /* try find it using using only the peer id. */
+               if (status == errSecItemNotFound) 
+                       status = SecKeychainFindGenericPassword(keychain,
+                                                               idlen,
+                                                               peer_id,
+                                                               0,
+                                                               0,
+                                                               &cur_password_len,
+                                                               &cur_password,
+                                                               NULL);
+               if (peer_id)
+                       racoon_free(peer_id);
                if (status == noErr)
                        goto end;
                /* otherwise fall through to use the default value */
        }
        
                if (status == noErr)
                        goto end;
                /* otherwise fall through to use the default value */
        }
        
+no_id:
        /*      use the value in remote config sharedsecret field
                this is either the value specified for lookup or the 
                default when lookup by id fails.
        /*      use the value in remote config sharedsecret field
                this is either the value specified for lookup or the 
                default when lookup by id fails.
@@ -277,21 +311,19 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id
                        break;
 
                default :
                        break;
 
                default :
-                       plog(LLV_ERROR, LOCATION, NULL,
-                               "failed to get preshared key from system keychain (error %d).\n", status);
+                       plog(ASL_LEVEL_ERR, 
+                               "failed to get preshared key from system keychain (error %ld).\n", (long)status);
        }
 
 end:
 
         if (cur_password) {
        }
 
 end:
 
         if (cur_password) {
-                key = vmalloc(cur_password_len + 1);
+                key = vmalloc(cur_password_len);
                 if (key == NULL) {
                 if (key == NULL) {
-                        plog(LLV_ERROR, LOCATION, NULL,
+                        plog(ASL_LEVEL_ERR, 
                                 "failed to allocate key buffer.\n");
                                 "failed to allocate key buffer.\n");
-                } else {
-                                       memcpy(key->v, cur_password, key->l);
-                                       key->v[cur_password_len] = 0;
-                }
+                } else
+                                       memcpy(key->v, cur_password, cur_password_len);
                        free(cur_password);
         }
         
                        free(cur_password);
         }
         
@@ -307,14 +339,16 @@ end:
  */
 vchar_t *
 getpskbyaddr(remote)
  */
 vchar_t *
 getpskbyaddr(remote)
-       struct sockaddr *remote;
+       struct sockaddr_storage *remote;
 {
        vchar_t *key = NULL;
        char addr[NI_MAXHOST], port[NI_MAXSERV];
 
 {
        vchar_t *key = NULL;
        char addr[NI_MAXHOST], port[NI_MAXSERV];
 
-       GETNAMEINFO(remote, addr, port);
+       plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by addr.\n");
+
+       GETNAMEINFO((struct sockaddr *)remote, addr, port);
 
 
-       key = privsep_getpsk(addr, strlen(addr));
+       key = getpsk(addr, strlen(addr));
 
        return key;
 }
 
        return key;
 }
@@ -330,13 +364,15 @@ getpsk(str, len)
        char *p, *q;
        size_t keylen;
        char *k = NULL;
        char *p, *q;
        size_t keylen;
        char *k = NULL;
+       
+       plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from file.\n");
 
        if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
                fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
        else
                fp = NULL;
        if (fp == NULL) {
 
        if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
                fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
        else
                fp = NULL;
        if (fp == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to open pre_share_key file %s\n",
                        lcconf->pathinfo[LC_PATHTYPE_PSK]);
                return NULL;
                        "failed to open pre_share_key file %s\n",
                        lcconf->pathinfo[LC_PATHTYPE_PSK]);
                return NULL;
@@ -370,7 +406,7 @@ getpsk(str, len)
                        if (strncmp(p, "0x", 2) == 0) {
                                k = str2val(p + 2, 16, &keylen);
                                if (k == NULL) {
                        if (strncmp(p, "0x", 2) == 0) {
                                k = str2val(p + 2, 16, &keylen);
                                if (k == NULL) {
-                                       plog(LLV_ERROR, LOCATION, NULL,
+                                       plog(ASL_LEVEL_ERR, 
                                                "failed to get psk buffer.\n");
                                        goto end;
                                }
                                                "failed to get psk buffer.\n");
                                        goto end;
                                }
@@ -379,7 +415,7 @@ getpsk(str, len)
 
                        key = vmalloc(keylen);
                        if (key == NULL) {
 
                        key = vmalloc(keylen);
                        if (key == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                        "failed to allocate key buffer.\n");
                                goto end;
                        }
                                        "failed to allocate key buffer.\n");
                                goto end;
                        }
@@ -409,7 +445,7 @@ getpathname(path, len, type, name)
                name[0] == '/' ? "" : "/",
                name);
 
                name[0] == '/' ? "" : "/",
                name);
 
-       plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path);
+       plog(ASL_LEVEL_DEBUG, "filename: %s\n", path);
 }
 
 #if 0 /* DELETEIT */
 }
 
 #if 0 /* DELETEIT */
@@ -481,3 +517,5 @@ doitype2doi(doitype)
        return -1;
 }
 
        return -1;
 }
 
+
+