X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/05434fec7cb5667469bfde135b4d0a93524a9bc0..6b88cae0d0da46a0b1b6418a44da86af3e4527c3:/ipsec-tools/racoon/localconf.c diff --git a/ipsec-tools/racoon/localconf.c b/ipsec-tools/racoon/localconf.c index 381d1e8..317baaa 100644 --- a/ipsec-tools/racoon/localconf.c +++ b/ipsec-tools/racoon/localconf.c @@ -49,8 +49,6 @@ #include "localconf.h" #include "algorithm.h" -#include "admin.h" -#include "privsep.h" #include "isakmp_var.h" #include "isakmp.h" #include "ipsec_doi.h" @@ -58,18 +56,18 @@ #include "vendorid.h" #include "str2val.h" #include "safefile.h" -#include "admin.h" #include "gcmalloc.h" #include "session.h" -#ifdef __APPLE__ #include +#if HAVE_SECURITY_FRAMEWORK #include #endif struct localconf *lcconf; +struct localconf *saved_lcconf; -static void setdefault __P((void)); +static void setdefault (void); void initlcconf() @@ -81,6 +79,7 @@ initlcconf() setdefault(); lcconf->sock_vpncontrol = -1; /* not to be done during flush */ lcconf->racoon_conf = LC_DEFAULT_CF; + TAILQ_INIT(&lcconf->saved_msg_queue); } void @@ -96,7 +95,7 @@ flushlcconf() lcconf->pathinfo[i] = NULL; } } - for (i = 0; i < LC_IDENTTYPE_MAX; i++) { + for (i = 0; i < IDTYPE_MAX; i++) { if (lcconf->ident[i]) vfree(lcconf->ident[i]); lcconf->ident[i] = NULL; @@ -112,7 +111,6 @@ setdefault() { lcconf->uid = 0; lcconf->gid = 0; - lcconf->chroot = NULL; lcconf->autograbaddr = 1; lcconf->port_isakmp = PORT_ISAKMP; lcconf->port_isakmp_natt = PORT_ISAKMP_NATT; @@ -130,12 +128,31 @@ setdefault() lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE; lcconf->strict_address = FALSE; lcconf->complex_bundle = TRUE; /*XXX FALSE;*/ - lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */ lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL; lcconf->auto_exit_delay = 0; lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET; + lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT; /* always auto exit as default */ } + +void +savelcconf(void) +{ + saved_lcconf = lcconf; + lcconf = NULL; + initlcconf(); +} + +void +restorelcconf(void) +{ + flushlcconf(); + racoon_free(lcconf); + lcconf = saved_lcconf; + saved_lcconf = NULL; +} + + /* * get PSK by string. */ @@ -146,9 +163,11 @@ getpskbyname(id0) char *id; vchar_t *key = NULL; + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by name.\n"); + id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b)); if (id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get psk buffer.\n"); goto end; } @@ -156,7 +175,7 @@ getpskbyname(id0) id0->l - sizeof(struct ipsecdoi_id_b)); id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0'; - key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); + key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); end: if (id) @@ -164,7 +183,7 @@ end: return key; } -#ifdef __APPLE__ +#if HAVE_KEYCHAIN /* * get PSK from keyChain. */ @@ -178,9 +197,11 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id OSStatus status; char serviceName[] = "com.apple.net.racoon"; + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from keychain.\n"); + status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem); if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to set system keychain domain.\n"); goto end; } @@ -188,7 +209,7 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &keychain); if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get system keychain domain.\n"); goto end; } @@ -196,9 +217,9 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) { /* try looking up based on peers id */ - char* peer_id; + char* peer_id = NULL; int idlen = id_p->l - sizeof(struct ipsecdoi_id_b); - u_int8_t id_type = ((struct ipsecdoi_id_b *)(id_p->v))->type; + u_int8_t id_type = (ALIGNED_CAST(struct ipsecdoi_id_b *)(id_p->v))->type; switch (id_type) { case IPSECDOI_ID_IPV4_ADDR: @@ -209,18 +230,18 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id case IPSECDOI_ID_IPV6_ADDR_RANGE: case IPSECDOI_ID_DER_ASN1_DN: case IPSECDOI_ID_DER_ASN1_GN: - goto end; + goto no_id; break; case IPSECDOI_ID_FQDN: case IPSECDOI_ID_USER_FQDN: case IPSECDOI_ID_KEY_ID: - peer_id = racoon_malloc(idlen); + peer_id = racoon_malloc(1 + idlen); if (peer_id == NULL) goto end; memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen); *(peer_id + idlen) = '\0'; - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting shared secret from keychain using %s.\n", peer_id); break; @@ -238,11 +259,24 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id &cur_password, NULL); + /* try find it using using only the peer id. */ + if (status == errSecItemNotFound) + status = SecKeychainFindGenericPassword(keychain, + idlen, + peer_id, + 0, + 0, + &cur_password_len, + &cur_password, + NULL); + if (peer_id) + racoon_free(peer_id); if (status == noErr) goto end; /* otherwise fall through to use the default value */ } +no_id: /* use the value in remote config sharedsecret field this is either the value specified for lookup or the default when lookup by id fails. @@ -277,21 +311,19 @@ getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id break; default : - plog(LLV_ERROR, LOCATION, NULL, - "failed to get preshared key from system keychain (error %d).\n", status); + plog(ASL_LEVEL_ERR, + "failed to get preshared key from system keychain (error %ld).\n", (long)status); } end: if (cur_password) { - key = vmalloc(cur_password_len + 1); + key = vmalloc(cur_password_len); if (key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate key buffer.\n"); - } else { - memcpy(key->v, cur_password, key->l); - key->v[cur_password_len] = 0; - } + } else + memcpy(key->v, cur_password, cur_password_len); free(cur_password); } @@ -307,14 +339,16 @@ end: */ vchar_t * getpskbyaddr(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { vchar_t *key = NULL; char addr[NI_MAXHOST], port[NI_MAXSERV]; - GETNAMEINFO(remote, addr, port); + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by addr.\n"); + + GETNAMEINFO((struct sockaddr *)remote, addr, port); - key = privsep_getpsk(addr, strlen(addr)); + key = getpsk(addr, strlen(addr)); return key; } @@ -330,13 +364,15 @@ getpsk(str, len) char *p, *q; size_t keylen; char *k = NULL; + + plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from file.\n"); if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0) fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r"); else fp = NULL; if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to open pre_share_key file %s\n", lcconf->pathinfo[LC_PATHTYPE_PSK]); return NULL; @@ -370,7 +406,7 @@ getpsk(str, len) if (strncmp(p, "0x", 2) == 0) { k = str2val(p + 2, 16, &keylen); if (k == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get psk buffer.\n"); goto end; } @@ -379,7 +415,7 @@ getpsk(str, len) key = vmalloc(keylen); if (key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate key buffer.\n"); goto end; } @@ -409,7 +445,7 @@ getpathname(path, len, type, name) name[0] == '/' ? "" : "/", name); - plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path); + plog(ASL_LEVEL_DEBUG, "filename: %s\n", path); } #if 0 /* DELETEIT */ @@ -481,3 +517,5 @@ doitype2doi(doitype) return -1; } + +