#include "localconf.h"
#include "algorithm.h"
-#include "admin.h"
-#include "privsep.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "vendorid.h"
#include "str2val.h"
#include "safefile.h"
-#include "admin.h"
#include "gcmalloc.h"
#include "session.h"
-#ifdef __APPLE__
#include <CoreFoundation/CoreFoundation.h>
+#if HAVE_SECURITY_FRAMEWORK
#include <Security/Security.h>
#endif
struct localconf *lcconf;
+struct localconf *saved_lcconf;
-static void setdefault __P((void));
+static void setdefault (void);
void
initlcconf()
setdefault();
lcconf->sock_vpncontrol = -1; /* not to be done during flush */
lcconf->racoon_conf = LC_DEFAULT_CF;
+ TAILQ_INIT(&lcconf->saved_msg_queue);
}
void
lcconf->pathinfo[i] = NULL;
}
}
- for (i = 0; i < LC_IDENTTYPE_MAX; i++) {
+ for (i = 0; i < IDTYPE_MAX; i++) {
if (lcconf->ident[i])
vfree(lcconf->ident[i]);
lcconf->ident[i] = NULL;
}
+ if (lcconf->ext_nat_id) {
+ vfree(lcconf->ext_nat_id);
+ lcconf->ext_nat_id = NULL;
+ }
}
static void
{
lcconf->uid = 0;
lcconf->gid = 0;
- lcconf->chroot = NULL;
lcconf->autograbaddr = 1;
lcconf->port_isakmp = PORT_ISAKMP;
lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
lcconf->strict_address = FALSE;
lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
- lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */
lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
lcconf->auto_exit_delay = 0;
lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET;
+ lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT; /* always auto exit as default */
+}
+
+
+void
+savelcconf(void)
+{
+ saved_lcconf = lcconf;
+ lcconf = NULL;
+ initlcconf();
}
+void
+restorelcconf(void)
+{
+ flushlcconf();
+ racoon_free(lcconf);
+ lcconf = saved_lcconf;
+ saved_lcconf = NULL;
+}
+
+
/*
* get PSK by string.
*/
char *id;
vchar_t *key = NULL;
+ plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by name.\n");
+
id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
if (id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to get psk buffer.\n");
goto end;
}
id0->l - sizeof(struct ipsecdoi_id_b));
id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
- key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
+ key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
end:
if (id)
return key;
}
-#ifdef __APPLE__
+#if HAVE_KEYCHAIN
/*
* get PSK from keyChain.
*/
OSStatus status;
char serviceName[] = "com.apple.net.racoon";
+ plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from keychain.\n");
+
status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
if (status != noErr) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to set system keychain domain.\n");
goto end;
}
status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem,
&keychain);
if (status != noErr) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to get system keychain domain.\n");
goto end;
}
if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) {
/* try looking up based on peers id */
- char* peer_id;
+ char* peer_id = NULL;
int idlen = id_p->l - sizeof(struct ipsecdoi_id_b);
- u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type;
+ u_int8_t id_type = (ALIGNED_CAST(struct ipsecdoi_id_b *)(id_p->v))->type;
switch (id_type) {
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV6_ADDR_RANGE:
case IPSECDOI_ID_DER_ASN1_DN:
case IPSECDOI_ID_DER_ASN1_GN:
- goto end;
+ goto no_id;
break;
case IPSECDOI_ID_FQDN:
case IPSECDOI_ID_USER_FQDN:
case IPSECDOI_ID_KEY_ID:
- peer_id = racoon_malloc(idlen);
+ peer_id = racoon_malloc(1 + idlen);
if (peer_id == NULL)
goto end;
memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen);
*(peer_id + idlen) = '\0';
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"getting shared secret from keychain using %s.\n", peer_id);
break;
&cur_password,
NULL);
+ /* try find it using using only the peer id. */
+ if (status == errSecItemNotFound)
+ status = SecKeychainFindGenericPassword(keychain,
+ idlen,
+ peer_id,
+ 0,
+ 0,
+ &cur_password_len,
+ &cur_password,
+ NULL);
+ if (peer_id)
+ racoon_free(peer_id);
if (status == noErr)
goto end;
/* otherwise fall through to use the default value */
}
+no_id:
/* use the value in remote config sharedsecret field
this is either the value specified for lookup or the
default when lookup by id fails.
break;
default :
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get preshared key from system keychain (error %d).\n", status);
+ plog(ASL_LEVEL_ERR,
+ "failed to get preshared key from system keychain (error %ld).\n", (long)status);
}
end:
if (cur_password) {
- key = vmalloc(cur_password_len + 1);
+ key = vmalloc(cur_password_len);
if (key == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to allocate key buffer.\n");
- } else {
- memcpy(key->v, cur_password, key->l);
- key->v[cur_password_len] = 0;
- }
+ } else
+ memcpy(key->v, cur_password, cur_password_len);
free(cur_password);
}
*/
vchar_t *
getpskbyaddr(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
vchar_t *key = NULL;
char addr[NI_MAXHOST], port[NI_MAXSERV];
- GETNAMEINFO(remote, addr, port);
+ plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by addr.\n");
+
+ GETNAMEINFO((struct sockaddr *)remote, addr, port);
- key = privsep_getpsk(addr, strlen(addr));
+ key = getpsk(addr, strlen(addr));
return key;
}
char *p, *q;
size_t keylen;
char *k = NULL;
+
+ plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from file.\n");
if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
else
fp = NULL;
if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to open pre_share_key file %s\n",
lcconf->pathinfo[LC_PATHTYPE_PSK]);
return NULL;
if (strncmp(p, "0x", 2) == 0) {
k = str2val(p + 2, 16, &keylen);
if (k == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to get psk buffer.\n");
goto end;
}
key = vmalloc(keylen);
if (key == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to allocate key buffer.\n");
goto end;
}
name[0] == '/' ? "" : "/",
name);
- plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path);
+ plog(ASL_LEVEL_DEBUG, "filename: %s\n", path);
}
#if 0 /* DELETEIT */
return -1;
}
+
+