-/* $Id: remoteconf.c,v 1.26.2.5 2005/11/06 17:18:26 monas Exp $ */
+/* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */
+
+/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
#include "debug.h"
#include "isakmp_var.h"
+#ifdef ENABLE_HYBRID
+#include "isakmp_xauth.h"
+#endif
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
+#include "policy.h"
#include "proposal.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
+#include "isakmp_frag.h"
#include "genlist.h"
-#include "rsalist.h"
+#include "vpn_control_var.h"
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
-/*
- * Script hook names and script hook paths
- */
-char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
-vchar_t *script_paths = NULL;
/*%%%*/
/*
*/
struct remoteconf *
getrmconf_strict(remote, allow_anon)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
int allow_anon;
{
struct remoteconf *p;
+ struct remoteconf *p_withport_besteffort = NULL;
+ struct remoteconf *p_with_prefix = NULL;
+ struct remoteconf *p_with_prefix_besteffort = NULL;
+ int last_prefix = 0;
struct remoteconf *anon = NULL;
+
int withport;
char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST], port[NI_MAXSERV];
withport = 0;
-#ifndef ENABLE_NATT
/*
* We never have ports set in our remote configurations, but when
* NAT-T is enabled, the kernel can have policies with ports and
* send us an acquire message for a destination that has a port set.
- * If we do this port check here, we don't find the remote config.
+ * If we do this port check here, we have to fallback to a best-effort result (without the port).
*
* In an ideal world, we would be able to have remote conf with
* port, and the port could be a wildcard. That test could be used.
*/
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
case AF_INET:
if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
withport = 1;
break;
default:
- plog(LLV_ERROR2, LOCATION, NULL,
- "invalid ip address family: %d\n", remote->sa_family);
- exit(1);
+ plog(ASL_LEVEL_ERR,
+ "invalid ip address family: %d\n", remote->ss_family);
+ return NULL;
}
-#endif /* ENABLE_NATT */
- if (remote->sa_family == AF_UNSPEC)
+ if (remote->ss_family == AF_UNSPEC)
snprintf (buf, sizeof(buf), "%s", "anonymous");
else {
- GETNAMEINFO(remote, addr, port);
+ GETNAMEINFO((struct sockaddr *)remote, addr, port);
snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
withport ? "[" : "",
withport ? port : "",
}
TAILQ_FOREACH(p, &rmtree, chain) {
- if ((remote->sa_family == AF_UNSPEC
- && remote->sa_family == p->remote->sa_family)
- || (!withport && cmpsaddrwop(remote, p->remote) == 0)
- || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "configuration found for %s.\n", buf);
+ if (remote->ss_family == AF_UNSPEC
+ && remote->ss_family == p->remote->ss_family) {
+ plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
return p;
- }
+ }
+ if (p->remote_prefix == 0) {
+ if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
+ || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
+ plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+ return p;
+ } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
+ // for withport: save the pointer for the best-effort search
+ p_withport_besteffort = p;
+ }
+ } else {
+ if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
+ || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix = p;
+ last_prefix = p->remote_prefix;
+ }
+ } else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix_besteffort = p;
+ last_prefix = p->remote_prefix;
+ }
+ }
+ }
/* save the pointer to the anonymous configuration */
- if (p->remote->sa_family == AF_UNSPEC)
+ if (p->remote->ss_family == AF_UNSPEC)
anon = p;
}
+ if (p_withport_besteffort) {
+ plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+ return p_withport_besteffort;
+ }
+ if (p_with_prefix) {
+ plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+ return p_with_prefix;
+ }
+ if (p_with_prefix_besteffort) {
+ plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+ return p_with_prefix_besteffort;
+ }
if (allow_anon && anon != NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"anonymous configuration selected for %s.\n", buf);
return anon;
}
- plog(LLV_DEBUG, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"no remote configuration found.\n");
return NULL;
}
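Review bot: `last_prefix` is shared between the exact prefix match and the best-effort (port ignored) prefix match in the `else` branch of the `TAILQ_FOREACH`, so the result depends on list order: a port-mismatched entry with a longer prefix seen first raises `last_prefix` and suppresses a later exact match with a shorter prefix, even though the selection after the loop prefers `p_with_prefix` over `p_with_prefix_besteffort`. Tracking the two with separate counters removes the order dependence: declare `int last_prefix_besteffort = 0;` next to `last_prefix`, and in the `else if (withport && cmpsaddrwop_withprefix(...) == 0)` branch use `if (p->remote_prefix >= last_prefix_besteffort) { p_with_prefix_besteffort = p; last_prefix_besteffort = p->remote_prefix; }`. Separately, with the `#ifndef ENABLE_NATT` guard removed the `switch` now runs unconditionally and its `default:` returns NULL for every family other than AF_INET, which would make the `AF_UNSPEC` anonymous lookup on the following line unreachable unless an `AF_INET6`/`AF_UNSPEC` case sits among the context lines elided from this hunk — worth confirming against the full file.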
+int
+no_remote_configs(ignore_anonymous)
+ int ignore_anonymous;
+{
+
+ struct remoteconf *p;
+#if !TARGET_OS_EMBEDDED
+ static const char default_idv[] = "macuser@localhost";
+ static const int default_idv_len = sizeof(default_idv) - 1;
+#endif
+
+ TAILQ_FOREACH(p, &rmtree, chain) {
+ if (ignore_anonymous) {
+ if (p->remote->ss_family == AF_UNSPEC) /* anonymous */
+ continue;
+ }
+#if !TARGET_OS_EMBEDDED
+ // ignore the default btmm ipv6 config thats always present in racoon.conf
+ if (p->remote->ss_family == AF_INET6 &&
+ p->idvtype == IDTYPE_USERFQDN &&
+ p->idv != NULL &&
+ p->idv->l == default_idv_len &&
+ strncmp(p->idv->v, default_idv, p->idv->l) == 0) {
+ continue;
+ }
+#endif
+ return 0;
+ }
+ return 1;
+}
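Review bot: `no_remote_configs` has no header comment and its name reads as a question whose answer is 1 when the list is empty, so the return convention should be stated: `/* Returns 1 when rmtree holds no usable configurations, 0 otherwise. Anonymous entries are skipped when ignore_anonymous is set; the default BTMM IPv6 entry is always skipped. */`. The BTMM entry is recognised purely by family plus the `macuser@localhost` user-FQDN identifier, so a user-written entry carrying that same identifier is ignored as well — presumably acceptable, but worth saying in the comment.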
+
struct remoteconf *
getrmconf(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
- return getrmconf_strict(remote, 1);
+ struct remoteconf *rmconf = getrmconf_strict(remote, 1);
+ if (rmconf != NULL) {
+ return rmconf;
+ }
+ if (remote->ss_family == AF_INET6) {
+ struct sockaddr_in v4dst;
+ v4dst.sin_family = AF_INET;
+ v4dst.sin_len = sizeof(struct sockaddr_in);
+ v4dst.sin_port = 0;
+
+ nw_nat64_prefix_t nat64_prefix;
+ if (vpncontrol_set_nat64_prefix(&nat64_prefix)) {
+ nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr);
+
+ rmconf = getrmconf(ALIGNED_CAST(struct sockaddr_storage *)&v4dst);
+ if (rmconf != NULL) {
+ return rmconf;
+ }
+ }
+ }
+
+ return NULL;
}
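Review bot: The NAT64 fallback extracts an IPv4 address from every AF_INET6 peer as soon as a NAT64 prefix is available, without checking that the peer address actually lies within that prefix; the result of `nw_nat64_extract_v4` is discarded. If that call reports whether the extraction was valid (it appears to return a boolean — confirm against its header), the v4 lookup should be gated on it, otherwise an unrelated IPv6 peer can be matched to a remote configuration, and the authentication settings in it, written for a NAT64-translated IPv4 address; the guard would read `if (vpncontrol_set_nat64_prefix(&nat64_prefix) && nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr)) {`. `v4dst` is also declared without an initializer, so `sin_zero` is indeterminate when the struct is handed to the comparison helpers; `struct sockaddr_in v4dst = { .sin_family = AF_INET, .sin_len = sizeof(v4dst) };` fixes that and replaces the three field assignments.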
struct remoteconf *
-newrmconf()
+create_rmconf()
{
struct remoteconf *new;
- int i;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
+ new->refcount = 1;
+ new->in_list = 0;
new->proposal = NULL;
/* set default */
new->doitype = IPSEC_DOI;
new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
+ new->ike_version = ISAKMP_VERSION_NUMBER_IKEV1;
new->idvtype = IDTYPE_UNDEFINED;
new->idvl_p = genlist_init();
new->nonce_size = DEFAULT_NONCE_SIZE;
new->passive = FALSE;
- new->ike_frag = FALSE;
+ new->ike_frag = ISAKMP_FRAG_ON;
new->esp_frag = IP_MAXPACKET;
new->ini_contact = TRUE;
new->mode_cfg = FALSE;
new->verify_identifier = FALSE;
new->verify_cert = TRUE;
new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
- new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
new->cacerttype = ISAKMP_CERT_X509SIGN;
- new->cacertfile = NULL;
+ new->certtype = ISAKMP_CERT_NONE;
new->send_cert = TRUE;
new->send_cr = TRUE;
new->support_proxy = FALSE;
- for (i = 0; i <= SCRIPT_MAX; i++)
- new->script[i] = -1;
new->gen_policy = FALSE;
new->retry_counter = lcconf->retry_counter;
new->retry_interval = lcconf->retry_interval;
-#ifdef __APPLE__
new->nat_traversal = NATT_ON;
new->natt_multiple_user = FALSE;
-#else
- new->nat_traversal = NATT_OFF;
-#endif
- new->rsa_private = genlist_init();
- new->rsa_public = genlist_init();
+ new->natt_keepalive = TRUE;
new->idv = NULL;
new->key = NULL;
new->dpd_interval = 0; /* Disable DPD checks by default */
new->dpd_retry = 5;
new->dpd_maxfails = 5;
+ new->dpd_algo = DPD_ALGO_INBOUND_DETECT;
+ new->idle_timeout = 0;
+ new->weak_phase1_check = 0;
+
+#ifdef ENABLE_HYBRID
+ new->xauth = NULL;
+#endif
+ new->initiate_ph1rekey = TRUE;
return new;
}
struct remoteconf *
-copyrmconf(remote)
- struct sockaddr *remote;
+copyrmconf(struct sockaddr_storage *remote)
{
struct remoteconf *new, *old;
old = getrmconf_strict (remote, 0);
if (old == NULL) {
- plog (LLV_ERROR, LOCATION, NULL,
+ plog (ASL_LEVEL_ERR,
"Remote configuration for '%s' not found!\n",
- saddr2str (remote));
+ saddr2str((struct sockaddr *)remote));
return NULL;
}
}
void *
-dupidvl(entry, arg)
- void *entry;
- void *arg;
+dupidvl(void *entry, void *arg)
{
struct idspec *id;
struct idspec *old = (struct idspec *) entry;
id = newidspec();
if (!id) return (void *) -1;
- if (set_identifier(&id->id, old->idtype, old->id) != 0)
+ if (set_identifier(&id->id, old->idtype, old->id) != 0) {
+ racoon_free(id);
return (void *) -1;
+ }
id->idtype = old->idtype;
}
struct remoteconf *
-duprmconf (rmconf)
- struct remoteconf *rmconf;
+duprmconf (struct remoteconf *rmconf)
{
- struct remoteconf *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
- memcpy (new, rmconf, sizeof (*new));
- // FIXME: We should duplicate the proposal as well.
- // This is now handled in the cfparse.y
- // new->proposal = ...;
-
+ struct remoteconf *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL)
+ return NULL;
+ memcpy (new, rmconf, sizeof (*new));
+ // FIXME: We should duplicate remote, proposal, etc.
+ // This is now handled in the cfparse.y
+ // new->proposal = ...;
+
+ // zero-out pointers
+ new->remote = NULL;
+ new->forced_local = NULL;
+ new->keychainCertRef = NULL; /* peristant keychain ref for cert */
+ new->shared_secret = NULL; /* shared secret */
+ new->open_dir_auth_group = NULL; /* group to be used to authorize user */
+ new->proposal = NULL;
+ new->in_list = 0;
+ new->refcount = 1;
+ new->idv = NULL;
+ new->key = NULL;
+#ifdef ENABLE_HYBRID
+ new->xauth = NULL;
+#endif
+
/* duplicate dynamic structures */
if (new->etypes)
new->etypes=dupetypes(new->etypes);
}
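Review bot: After the `memcpy`, only the pointer members listed under `// zero-out pointers` are reset; `idvl_p`, `prhead` and `dhgrp`, all of which `delrmconf` frees later in this file, still alias the source configuration's allocations. Unless the rest of `duprmconf`, which continues past this hunk, re-creates them the way it does for `etypes`, releasing both the original and the copy frees those objects twice. Either duplicate or NULL them in the same place, and state the contract in a header comment, e.g. `/* Shallow-copies rmconf. remote, forced_local, proposal, idv, key, xauth and the keychain/secret/group refs are NULLed and must be set by the caller; etypes is deep-copied. */`.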
void
-delrmconf(rmconf)
- struct remoteconf *rmconf;
+delrmconf(struct remoteconf *rmconf)
{
if (rmconf->remote)
racoon_free(rmconf->remote);
- if (rmconf->etypes)
+ if (rmconf->forced_local)
+ racoon_free(rmconf->forced_local);
+#ifdef ENABLE_HYBRID
+ if (rmconf->xauth)
+ xauth_rmconf_delete(&rmconf->xauth);
+#endif
+ if (rmconf->etypes) {
deletypes(rmconf->etypes);
+ rmconf->etypes=NULL;
+ }
if (rmconf->idv)
vfree(rmconf->idv);
if (rmconf->idvl_p)
oakley_dhgrp_free(rmconf->dhgrp);
if (rmconf->proposal)
delisakmpsa(rmconf->proposal);
- if (rmconf->mycertfile)
- racoon_free(rmconf->mycertfile);
- if (rmconf->myprivfile)
- racoon_free(rmconf->myprivfile);
- if (rmconf->peerscertfile)
- racoon_free(rmconf->peerscertfile);
- if (rmconf->cacertfile)
- racoon_free(rmconf->cacertfile);
if (rmconf->prhead)
proposalspec_free(rmconf->prhead);
- if (rmconf->rsa_private)
- genlist_free(rmconf->rsa_private, rsa_key_free);
- if (rmconf->rsa_public)
- genlist_free(rmconf->rsa_public, rsa_key_free);
-#ifdef __APPLE__
if (rmconf->shared_secret)
vfree(rmconf->shared_secret);
if (rmconf->keychainCertRef)
vfree(rmconf->keychainCertRef);
if (rmconf->open_dir_auth_group)
vfree(rmconf->open_dir_auth_group);
-#endif
racoon_free(rmconf);
}
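Review bot: `rmconf->etypes=NULL` after `deletypes` is dead work, since `rmconf` itself is freed on the last line of this function and none of the other freed members get the same reset; either drop it or, if `delrmconf` is meant to be safe to call twice on a still-live object, reset every freed pointer the same way (`remote`, `forced_local`, `idv`, `proposal`, `prhead`, the shared secret and keychain refs). With `release_rmconf` now deciding when a configuration dies, a comment such as `/* Frees rmconf unconditionally; callers should go through release_rmconf() unless they own the only reference. */` would keep direct callers honest.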
void
-delisakmpsa(sa)
- struct isakmpsa *sa;
+delisakmpsa(struct isakmpsa *sa)
{
if (sa->dhgrp)
oakley_dhgrp_free(sa->dhgrp);
if (sa->next)
delisakmpsa(sa->next);
-#ifdef HAVE_GSSAPI
- if (sa->gssid)
- vfree(sa->gssid);
-#endif
racoon_free(sa);
}
struct etypes *
-dupetypes(orig)
- struct etypes *orig;
+dupetypes(struct etypes *orig)
{
struct etypes *new;
}
void
-deletypes(e)
- struct etypes *e;
+deletypes(struct etypes *e)
{
if (e->next)
deletypes(e->next);
* insert into head of list.
*/
void
-insrmconf(new)
- struct remoteconf *new;
+insrmconf(struct remoteconf *new)
{
TAILQ_INSERT_HEAD(&rmtree, new, chain);
+ new->in_list = 1;
+}
+
+void
+remrmconf(struct remoteconf *rmconf)
+{
+ if (rmconf->in_list)
+ TAILQ_REMOVE(&rmtree, rmconf, chain);
+ rmconf->in_list = 0;
}
void
-remrmconf(rmconf)
- struct remoteconf *rmconf;
+retain_rmconf(struct remoteconf *rmconf)
{
- TAILQ_REMOVE(&rmtree, rmconf, chain);
+ (rmconf->refcount)++;
+}
+
+void
+release_rmconf(struct remoteconf *rmconf)
+{
+ if (--(rmconf->refcount) <= 0) {
+ remrmconf(rmconf);
+ delrmconf(rmconf);
+ }
}
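Review bot: The reference-counting contract is not written down: `create_rmconf` starts at refcount 1 and `insrmconf` does not retain, so that single reference is the one the list owns and `release_rmconf` is the only path that should free a listed configuration. A comment above `retain_rmconf` such as `/* rmtree holds one reference. Callers keeping an rmconf across list changes must retain_rmconf() it and release_rmconf() it when done; never delrmconf() a retained pointer. */` would prevent the next caller from pairing `delrmconf` with a retained pointer. The flush loop in the following hunk duplicates this logic (`remrmconf(p); if (--(p->refcount) <= 0) delrmconf(p);`) and could simply call `remrmconf(p); release_rmconf(p);`, since `remrmconf` is a no-op once `in_list` is cleared. The `<= 0` test also silently accepts a refcount that has already gone negative; logging that case would expose an over-release instead of hiding it.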
void
for (p = TAILQ_FIRST(&rmtree); p; p = next) {
next = TAILQ_NEXT(p, chain);
remrmconf(p);
- delrmconf(p);
+ if (--(p->refcount) <= 0)
+ delrmconf(p);
}
}
/* check exchange type to be acceptable */
struct etypes *
-check_etypeok(rmconf, etype)
- struct remoteconf *rmconf;
- u_int8_t etype;
+check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
{
struct etypes *e;
new->next = NULL;
new->rmconf = NULL;
-#ifdef HAVE_GSSAPI
- new->gssid = NULL;
-#endif
return new;
}
* insert into tail of list.
*/
void
-insisakmpsa(new, rmconf)
- struct isakmpsa *new;
- struct remoteconf *rmconf;
+insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
{
struct isakmpsa *p;
s_idtype (id->idtype));
if (id->id)
pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v);
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
return NULL;
}
char buf[1024], *pbuf;
pbuf = buf;
- pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote));
+ if (p->remote_prefix)
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s",
+ saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
+ else
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str((struct sockaddr *)p->remote));
if (p->inherited_from)
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
- saddr2str(p->inherited_from->remote));
- plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
+ saddr2str((struct sockaddr *)p->inherited_from->remote));
+ plog(ASL_LEVEL_NOTICE, "%s {\n", buf);
pbuf = buf;
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
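Review bot: The two new `pbuf += snprintf(...)` lines for `remote_prefix` extend an idiom that has no truncation check: once a write is cut short, `pbuf` advances by the would-be length, `pbuf - buf` exceeds `sizeof(buf)` and `sizeof(buf) - (pbuf - buf)` wraps to a huge `size_t`, so the next call writes past `buf`. With a 1024-byte buffer and address strings bounded by NI_MAXHOST this is unlikely to trigger from racoon.conf, but the pattern is fragile and is repeated throughout this dump routine. A small `static` append helper that computes the remaining space, calls `snprintf`, and clamps the advance to `remaining - 1` would make every appender here safe without changing the output; the enclosing function starts before this hunk.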
while (etype) {
etype->next != NULL ? ", " : ";\n");
etype = etype->next;
}
- plog(LLV_INFO, LOCATION, NULL, "%s", buf);
- plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
+ plog(ASL_LEVEL_NOTICE, "%s", buf);
+ plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype));
pbuf = buf;
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype));
if (p->idvtype == IDTYPE_ASN1DN) {
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
- plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
- p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
- p->mycertfile, p->myprivfile);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
switch (p->getcert_method) {
case 0:
break;
case ISAKMP_GETCERT_PAYLOAD:
- plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
- break;
- case ISAKMP_GETCERT_LOCALFILE:
- plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
- break;
- case ISAKMP_GETCERT_DNS:
- plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
+ plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n");
break;
default:
- plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
+ plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
}
}
else {
if (p->idv)
pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v);
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
}
- plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n",
s_switch (p->send_cert));
- plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n",
s_switch (p->send_cr));
- plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n",
s_switch (p->verify_cert));
- plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n",
s_switch (p->verify_identifier));
- plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n",
p->nat_traversal == NATT_FORCE ?
"force" : s_switch (p->nat_traversal));
-#ifdef __APPLE__
- plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n",
s_switch (p->natt_multiple_user));
-#endif
- plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n",
p->nonce_size);
- plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n",
s_switch (p->passive));
- plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
- s_switch (p->ike_frag));
- plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
- plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n",
+ p->ike_frag == ISAKMP_FRAG_FORCE ?
+ "force" : s_switch (p->ike_frag));
+ plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag);
+ plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n",
s_switch (p->ini_contact));
- plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n",
s_switch (p->gen_policy));
- plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n",
s_switch (p->support_proxy));
while (prop) {
- plog(LLV_INFO, LOCATION, NULL, "\n");
- plog(LLV_INFO, LOCATION, NULL,
+ plog(ASL_LEVEL_NOTICE, "\n");
+ plog(ASL_LEVEL_NOTICE,
"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
prop->prop_no, prop->trns_no,
- saddr2str(prop->rmconf->remote));
- plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
- plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
+ saddr2str((struct sockaddr *)prop->rmconf->remote));
+ plog(ASL_LEVEL_NOTICE, "\tproposal {\n");
+ plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n",
(long)prop->lifetime);
- plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n",
prop->lifebyte);
- plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n",
alg_oakley_dhdef_name(prop->dh_group));
- plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n",
alg_oakley_encdef_name(prop->enctype));
- plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n",
alg_oakley_hashdef_name(prop->hashtype));
- plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n",
+ alg_oakley_hashdef_name(prop->prf));
+ plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n",
alg_oakley_authdef_name(prop->authmethod));
- plog(LLV_INFO, LOCATION, NULL, "\t}\n");
+ plog(ASL_LEVEL_NOTICE, "\t}\n");
prop = prop->next;
}
- plog(LLV_INFO, LOCATION, NULL, "}\n");
- plog(LLV_INFO, LOCATION, NULL, "\n");
+ plog(ASL_LEVEL_NOTICE, "}\n");
+ plog(ASL_LEVEL_NOTICE, "\n");
return NULL;
}
return new;
}
-int
-script_path_add(path)
- vchar_t *path;
-{
- char *script_dir;
- vchar_t *new_storage;
- vchar_t *new_path;
- vchar_t **sp;
- size_t len;
- size_t size;
-
- script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
-
- /* Try to find the script in the script directory */
- if ((path->v[0] != '/') && (script_dir != NULL)) {
- len = strlen(script_dir) + sizeof("/") + path->l + 1;
-
- if ((new_path = vmalloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
-
- new_path->v[0] = '\0';
- (void)strlcat(new_path->v, script_dir, len);
- (void)strlcat(new_path->v, "/", len);
- (void)strlcat(new_path->v, path->v, len);
-
- vfree(path);
- path = new_path;
- }
-
- /* First time, initialize */
- if (script_paths == NULL)
- len = sizeof(vchar_t *);
- else
- len = script_paths->l;
-
- /* Add a slot for a new path */
- len += sizeof(vchar_t *);
- if ((new_storage = vrealloc(script_paths, len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- script_paths = new_storage;
-
- size = len / sizeof(vchar_t *);
- sp = (vchar_t **)script_paths->v;
- sp[size - 1] = NULL;
- sp[size - 2] = path;
-
- return (size - 2);
-}
struct isakmpsa *
-dupisakmpsa(sa)
- struct isakmpsa *sa;
+dupisakmpsa(struct isakmpsa *sa)
{
struct isakmpsa *res = NULL;
return NULL;
*res = *sa;
-#ifdef HAVE_GSSAPI
- /*
- * XXX gssid
- */
-#endif
res->next=NULL;
if (sa->dhgrp != NULL)
}
-void
-rsa_key_free(void *entry)
-{
- struct rsa_key *key = (struct rsa_key *)entry;
-
- if (key->src)
- free(key->src);
- if (key->dst)
- free(key->dst);
- if (key->rsa)
- RSA_free(key->rsa);
- free(key);
-}