X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/52b7d2ce06d68d0a9160d16f6e7c08c21c149d0d..e627a751fc4d26304657fc20440abb72632b1e6e:/ipsec-tools/racoon/remoteconf.c diff --git a/ipsec-tools/racoon/remoteconf.c b/ipsec-tools/racoon/remoteconf.c index 0185db6..59a6341 100644 --- a/ipsec-tools/racoon/remoteconf.c +++ b/ipsec-tools/racoon/remoteconf.c @@ -1,4 +1,6 @@ -/* $Id: remoteconf.c,v 1.26.2.5 2005/11/06 17:18:26 monas Exp $ */ +/* $NetBSD: remoteconf.c,v 1.9.4.1 2007/08/01 11:52:22 vanhu Exp $ */ + +/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -60,28 +62,28 @@ #include "debug.h" #include "isakmp_var.h" +#ifdef ENABLE_HYBRID +#include "isakmp_xauth.h" +#endif #include "isakmp.h" #include "ipsec_doi.h" #include "oakley.h" #include "remoteconf.h" #include "localconf.h" #include "grabmyaddr.h" +#include "policy.h" #include "proposal.h" #include "vendorid.h" #include "gcmalloc.h" #include "strnames.h" #include "algorithm.h" #include "nattraversal.h" +#include "isakmp_frag.h" #include "genlist.h" -#include "rsalist.h" +#include "vpn_control_var.h" static TAILQ_HEAD(_rmtree, remoteconf) rmtree; -/* - * Script hook names and script hook paths - */ -char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" }; -vchar_t *script_paths = NULL; /*%%%*/ /* 
@@ -94,28 +96,32 @@ vchar_t *script_paths = NULL; */ struct remoteconf * getrmconf_strict(remote, allow_anon) - struct sockaddr *remote; + struct sockaddr_storage *remote; int allow_anon; { struct remoteconf *p; + struct remoteconf *p_withport_besteffort = NULL; + struct remoteconf *p_with_prefix = NULL; + struct remoteconf *p_with_prefix_besteffort = NULL; + int last_prefix = 0; struct remoteconf *anon = NULL; + int withport; char buf[NI_MAXHOST + NI_MAXSERV + 10]; char addr[NI_MAXHOST], port[NI_MAXSERV]; withport = 0; -#ifndef ENABLE_NATT /* * We never have ports set in our remote configurations, but when * NAT-T is enabled, the kernel can have policies with ports and * send us an acquire message for a destination that has a port set. - * If we do this port check here, we don't find the remote config. + * If we do this port check here, we have to fallback to a best-effort result (without the port). * * In an ideal world, we would be able to have remote conf with * port, and the port could be a wildcard. That test could be used. */ - switch (remote->sa_family) { + switch (remote->ss_family) { case AF_INET: if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY) withport = 1; @@ -130,16 +136,15 @@ getrmconf_strict(remote, allow_anon) break; default: - plog(LLV_ERROR2, LOCATION, NULL, - "invalid ip address family: %d\n", remote->sa_family); - exit(1); + plog(ASL_LEVEL_ERR, + "invalid ip address family: %d\n", remote->ss_family); + return NULL; } -#endif /* ENABLE_NATT */ - if (remote->sa_family == AF_UNSPEC) + if (remote->ss_family == AF_UNSPEC) snprintf (buf, sizeof(buf), "%s", "anonymous"); else { - GETNAMEINFO(remote, addr, port); + GETNAMEINFO((struct sockaddr *)remote, addr, port); snprintf(buf, sizeof(buf), "%s%s%s%s", addr, withport ? "[" : "", withport ? port : "", 
@@ -147,59 +152,145 @@ getrmconf_strict(remote, allow_anon) } TAILQ_FOREACH(p, &rmtree, chain) { - if ((remote->sa_family == AF_UNSPEC - && remote->sa_family == p->remote->sa_family) - || (!withport && cmpsaddrwop(remote, p->remote) == 0) - || (withport && cmpsaddrstrict(remote, p->remote) == 0)) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); + if (remote->ss_family == AF_UNSPEC + && remote->ss_family == p->remote->ss_family) { + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); return p; - } + } + if (p->remote_prefix == 0) { + if ((!withport && cmpsaddrwop(remote, p->remote) == 0) + || (withport && cmpsaddrstrict(remote, p->remote) == 0)) { + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); + return p; + } else if (withport && cmpsaddrwop(remote, p->remote) == 0) { + // for withport: save the pointer for the best-effort search + p_withport_besteffort = p; + } + } else { + if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) + || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) { + if (p->remote_prefix >= last_prefix) { + p_with_prefix = p; + last_prefix = p->remote_prefix; + } + } else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) { + if (p->remote_prefix >= last_prefix) { + p_with_prefix_besteffort = p; + last_prefix = p->remote_prefix; + } + } + } /* save the pointer to the anonymous configuration */ - if (p->remote->sa_family == AF_UNSPEC) + if (p->remote->ss_family == AF_UNSPEC) anon = p; } + if (p_withport_besteffort) { + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); + return p_withport_besteffort; + } + if (p_with_prefix) { + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); + return p_with_prefix; + } + if (p_with_prefix_besteffort) { + plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf); + return p_with_prefix_besteffort; + } if (allow_anon && anon != NULL) { - 
plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "anonymous configuration selected for %s.\n", buf); return anon; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "no remote configuration found.\n"); return NULL; } +int +no_remote_configs(ignore_anonymous) + int ignore_anonymous; +{ + + struct remoteconf *p; +#if !TARGET_OS_EMBEDDED + static const char default_idv[] = "macuser@localhost"; + static const int default_idv_len = sizeof(default_idv) - 1; +#endif + + TAILQ_FOREACH(p, &rmtree, chain) { + if (ignore_anonymous) { + if (p->remote->ss_family == AF_UNSPEC) /* anonymous */ + continue; + } +#if !TARGET_OS_EMBEDDED + // ignore the default btmm ipv6 config thats always present in racoon.conf + if (p->remote->ss_family == AF_INET6 && + p->idvtype == IDTYPE_USERFQDN && + p->idv != NULL && + p->idv->l == default_idv_len && + strncmp(p->idv->v, default_idv, p->idv->l) == 0) { + continue; + } +#endif + return 0; + } + return 1; +} + struct remoteconf * getrmconf(remote) - struct sockaddr *remote; + struct sockaddr_storage *remote; { - return getrmconf_strict(remote, 1); + struct remoteconf *rmconf = getrmconf_strict(remote, 1); + if (rmconf != NULL) { + return rmconf; + } + if (remote->ss_family == AF_INET6) { + struct sockaddr_in v4dst; + v4dst.sin_family = AF_INET; + v4dst.sin_len = sizeof(struct sockaddr_in); + v4dst.sin_port = 0; + + nw_nat64_prefix_t nat64_prefix; + if (vpncontrol_set_nat64_prefix(&nat64_prefix)) { + nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr); + + rmconf = getrmconf(ALIGNED_CAST(struct sockaddr_storage *)&v4dst); + if (rmconf != NULL) { + return rmconf; + } + } + } + + return NULL; } struct remoteconf * -newrmconf() +create_rmconf() { struct remoteconf *new; - int i; new = racoon_calloc(1, sizeof(*new)); if (new == NULL) return NULL; + new->refcount = 1; + new->in_list = 0; new->proposal = NULL; /* set default */ new->doitype = IPSEC_DOI; new->sittype = 
IPSECDOI_SIT_IDENTITY_ONLY; + new->ike_version = ISAKMP_VERSION_NUMBER_IKEV1; new->idvtype = IDTYPE_UNDEFINED; new->idvl_p = genlist_init(); new->nonce_size = DEFAULT_NONCE_SIZE; new->passive = FALSE; - new->ike_frag = FALSE; + new->ike_frag = ISAKMP_FRAG_ON; new->esp_frag = IP_MAXPACKET; new->ini_contact = TRUE; new->mode_cfg = FALSE; @@ -207,25 +298,17 @@ newrmconf() new->verify_identifier = FALSE; new->verify_cert = TRUE; new->getcert_method = ISAKMP_GETCERT_PAYLOAD; - new->getcacert_method = ISAKMP_GETCERT_LOCALFILE; new->cacerttype = ISAKMP_CERT_X509SIGN; - new->cacertfile = NULL; + new->certtype = ISAKMP_CERT_NONE; new->send_cert = TRUE; new->send_cr = TRUE; new->support_proxy = FALSE; - for (i = 0; i <= SCRIPT_MAX; i++) - new->script[i] = -1; new->gen_policy = FALSE; new->retry_counter = lcconf->retry_counter; new->retry_interval = lcconf->retry_interval; -#ifdef __APPLE__ new->nat_traversal = NATT_ON; new->natt_multiple_user = FALSE; -#else - new->nat_traversal = NATT_OFF; -#endif - new->rsa_private = genlist_init(); - new->rsa_public = genlist_init(); + new->natt_keepalive = TRUE; new->idv = NULL; new->key = NULL; @@ -233,21 +316,28 @@ newrmconf() new->dpd_interval = 0; /* Disable DPD checks by default */ new->dpd_retry = 5; new->dpd_maxfails = 5; + new->dpd_algo = DPD_ALGO_INBOUND_DETECT; + new->idle_timeout = 0; + new->weak_phase1_check = 0; + +#ifdef ENABLE_HYBRID + new->xauth = NULL; +#endif + new->initiate_ph1rekey = TRUE; return new; } struct remoteconf * -copyrmconf(remote) - struct sockaddr *remote; +copyrmconf(struct sockaddr_storage *remote) { struct remoteconf *new, *old; old = getrmconf_strict (remote, 0); if (old == NULL) { - plog (LLV_ERROR, LOCATION, NULL, + plog (ASL_LEVEL_ERR, "Remote configuration for '%s' not found!\n", - saddr2str (remote)); + saddr2str((struct sockaddr *)remote)); return NULL; } 
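Review bot: In getrmconf_strict the exact prefix match and the port-less best-effort prefix match share a single `last_prefix`, so a best-effort entry with a longer prefix that appears earlier in rmtree stops a later exact match with a shorter prefix from ever being stored in `p_with_prefix`, even though `p_with_prefix` is returned ahead of `p_with_prefix_besteffort`. Track the two candidates separately: add `int last_prefix_besteffort = 0;` beside `last_prefix`, and in the best-effort branch use `if (p->remote_prefix >= last_prefix_besteffort) {` with `last_prefix_besteffort = p->remote_prefix;`. In getrmconf, later in the same hunk, `v4dst` is filled field by field and its `sin_zero` padding is never initialized before the struct is handed back into getrmconf; `struct sockaddr_in v4dst = { .sin_family = AF_INET, .sin_len = sizeof(v4dst) };` zeroes the whole object and covers `sin_port` as well. getrmconf_strict begins in the preceding hunks and create_rmconf continues into the next one.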
@@ -257,17 +347,17 @@ copyrmconf(remote) } void * -dupidvl(entry, arg) - void *entry; - void *arg; +dupidvl(void *entry, void *arg) { struct idspec *id; struct idspec *old = (struct idspec *) entry; id = newidspec(); if (!id) return (void *) -1; - if (set_identifier(&id->id, old->idtype, old->id) != 0) + if (set_identifier(&id->id, old->idtype, old->id) != 0) { + racoon_free(id); return (void *) -1; + } id->idtype = old->idtype; @@ -276,19 +366,33 @@ dupidvl(entry, arg) } struct remoteconf * -duprmconf (rmconf) - struct remoteconf *rmconf; +duprmconf (struct remoteconf *rmconf) { - struct remoteconf *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - memcpy (new, rmconf, sizeof (*new)); - // FIXME: We should duplicate the proposal as well. - // This is now handled in the cfparse.y - // new->proposal = ...; - + struct remoteconf *new; + + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL) + return NULL; + memcpy (new, rmconf, sizeof (*new)); + // FIXME: We should duplicate remote, proposal, etc. + // This is now handled in the cfparse.y + // new->proposal = ...; + + // zero-out pointers + new->remote = NULL; + new->forced_local = NULL; + new->keychainCertRef = NULL; /* peristant keychain ref for cert */ + new->shared_secret = NULL; /* shared secret */ + new->open_dir_auth_group = NULL; /* group to be used to authorize user */ + new->proposal = NULL; + new->in_list = 0; + new->refcount = 1; + new->idv = NULL; + new->key = NULL; +#ifdef ENABLE_HYBRID + new->xauth = NULL; +#endif + /* duplicate dynamic structures */ if (new->etypes) new->etypes=dupetypes(new->etypes); 
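Review bot: After the memcpy, duprmconf clears only part of the owned pointers; `dhgrp` and `prhead` are still copied by value, and delrmconf (later in this diff) frees both, so unless the lines after this hunk reassign them the original and the duplicate end up freeing the same objects. Either add `new->dhgrp = NULL;` and `new->prhead = NULL;` to the zero-out list, or duplicate them the way etypes already is. The FIXME should name which members cfparse.y is expected to repopulate, so the next reader does not have to diff this list against delrmconf. duprmconf's body continues past the hunk.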
@@ -335,13 +439,20 @@ proposalspec_free(struct proposalspec *head) } void -delrmconf(rmconf) - struct remoteconf *rmconf; +delrmconf(struct remoteconf *rmconf) { if (rmconf->remote) racoon_free(rmconf->remote); - if (rmconf->etypes) + if (rmconf->forced_local) + racoon_free(rmconf->forced_local); +#ifdef ENABLE_HYBRID + if (rmconf->xauth) + xauth_rmconf_delete(&rmconf->xauth); +#endif + if (rmconf->etypes) { deletypes(rmconf->etypes); + rmconf->etypes=NULL; + } if (rmconf->idv) vfree(rmconf->idv); if (rmconf->idvl_p) @@ -350,50 +461,30 @@ delrmconf(rmconf) oakley_dhgrp_free(rmconf->dhgrp); if (rmconf->proposal) delisakmpsa(rmconf->proposal); - if (rmconf->mycertfile) - racoon_free(rmconf->mycertfile); - if (rmconf->myprivfile) - racoon_free(rmconf->myprivfile); - if (rmconf->peerscertfile) - racoon_free(rmconf->peerscertfile); - if (rmconf->cacertfile) - racoon_free(rmconf->cacertfile); if (rmconf->prhead) proposalspec_free(rmconf->prhead); - if (rmconf->rsa_private) - genlist_free(rmconf->rsa_private, rsa_key_free); - if (rmconf->rsa_public) - genlist_free(rmconf->rsa_public, rsa_key_free); -#ifdef __APPLE__ if (rmconf->shared_secret) vfree(rmconf->shared_secret); if (rmconf->keychainCertRef) vfree(rmconf->keychainCertRef); if (rmconf->open_dir_auth_group) vfree(rmconf->open_dir_auth_group); -#endif racoon_free(rmconf); } void -delisakmpsa(sa) - struct isakmpsa *sa; +delisakmpsa(struct isakmpsa *sa) { if (sa->dhgrp) oakley_dhgrp_free(sa->dhgrp); if (sa->next) delisakmpsa(sa->next); -#ifdef HAVE_GSSAPI - if (sa->gssid) - vfree(sa->gssid); -#endif racoon_free(sa); } struct etypes * -dupetypes(orig) - struct etypes *orig; +dupetypes(struct etypes *orig) { struct etypes *new; @@ -414,8 +505,7 @@ dupetypes(orig) } void -deletypes(e) - struct etypes *e; +deletypes(struct etypes *e) { if (e->next) deletypes(e->next); 
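Review bot: `rmconf->shared_secret` is released with vfree, which, if it is racoon's plain vmbuf wrapper, frees the buffer without clearing it, so pre-shared key bytes stay in freed heap memory; now that the block runs unconditionally rather than under `#ifdef __APPLE__`, wipe it first, e.g. `memset_s(rmconf->shared_secret->v, rmconf->shared_secret->l, 0, rmconf->shared_secret->l);` before the `vfree(rmconf->shared_secret);` (a plain memset before free can be elided by the compiler). The same treatment applies to `rmconf->key` if it holds key material and is released the same way outside this hunk. delrmconf starts in the preceding hunk.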
@@ -426,17 +516,33 @@ deletypes(e) * insert into head of list. */ void -insrmconf(new) - struct remoteconf *new; +insrmconf(struct remoteconf *new) { TAILQ_INSERT_HEAD(&rmtree, new, chain); + new->in_list = 1; +} + +void +remrmconf(struct remoteconf *rmconf) +{ + if (rmconf->in_list) + TAILQ_REMOVE(&rmtree, rmconf, chain); + rmconf->in_list = 0; } void -remrmconf(rmconf) - struct remoteconf *rmconf; +retain_rmconf(struct remoteconf *rmconf) { - TAILQ_REMOVE(&rmtree, rmconf, chain); + (rmconf->refcount)++; +} + +void +release_rmconf(struct remoteconf *rmconf) +{ + if (--(rmconf->refcount) <= 0) { + remrmconf(rmconf); + delrmconf(rmconf); + } } void @@ -447,7 +553,8 @@ flushrmconf() for (p = TAILQ_FIRST(&rmtree); p; p = next) { next = TAILQ_NEXT(p, chain); remrmconf(p); - delrmconf(p); + if (--(p->refcount) <= 0) + delrmconf(p); } } @@ -459,9 +566,7 @@ initrmconf() /* check exchange type to be acceptable */ struct etypes * -check_etypeok(rmconf, etype) - struct remoteconf *rmconf; - u_int8_t etype; +check_etypeok(struct remoteconf *rmconf, u_int8_t etype) { struct etypes *e; @@ -491,9 +596,6 @@ newisakmpsa() new->next = NULL; new->rmconf = NULL; -#ifdef HAVE_GSSAPI - new->gssid = NULL; -#endif return new; } @@ -502,9 +604,7 @@ newisakmpsa() * insert into tail of list. */ void -insisakmpsa(new, rmconf) - struct isakmpsa *new; - struct remoteconf *rmconf; +insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf) { struct isakmpsa *p; @@ -546,7 +646,7 @@ dump_peers_identifiers (void *entry, void *arg) s_idtype (id->idtype)); if (id->id) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v); - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); return NULL; } 
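Review bot: insrmconf inserts unconditionally, so a config whose `in_list` is already 1 would be linked into rmtree twice and corrupt the TAILQ; guard it with `if (new->in_list) return;` ahead of the TAILQ_INSERT_HEAD, mirroring the check remrmconf now has. release_rmconf deletes on `<= 0`, so an unbalanced release against a config whose refcount is already 0 ends in a second delrmconf; a comment above retain_rmconf stating the ownership rule (the list holds one reference, every retain is paired with a release) plus a check that refcount is positive on entry would make such an imbalance visible instead of a double free. The flushrmconf hunk that follows repeats the decrement-and-delete logic inline; `remrmconf(p); release_rmconf(p);` keeps a single implementation.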
@@ -558,11 +658,15 @@ dump_rmconf_single (struct remoteconf *p, void *data) char buf[1024], *pbuf; pbuf = buf; - pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote)); + if (p->remote_prefix) + pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", + saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix)); + else + pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str((struct sockaddr *)p->remote)); if (p->inherited_from) pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s", - saddr2str(p->inherited_from->remote)); - plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf); + saddr2str((struct sockaddr *)p->inherited_from->remote)); + plog(ASL_LEVEL_NOTICE, "%s {\n", buf); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type "); while (etype) { 
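Review bot: The new `pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), ...)` lines continue an accumulation pattern that is unsafe on truncation: snprintf returns the length it wanted to write, so once `pbuf` moves past the end of `buf` the remaining-size expression wraps to a huge size_t and the next snprintf writes out of bounds. The values printed here come from the parsed configuration (addresses, identifiers) rather than from the peer, so practical exposure is limited, but the dump should compare each return value with the remaining room and stop appending once truncated. If that is done with a small static helper, dump_peers_identifiers above uses the same pattern and can share it. dump_rmconf_single continues past the hunk.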
@@ -570,91 +674,83 @@ dump_rmconf_single (struct remoteconf *p, void *data) etype->next != NULL ? ", " : ";\n"); etype = etype->next; } - plog(LLV_INFO, LOCATION, NULL, "%s", buf); - plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype)); + plog(ASL_LEVEL_NOTICE, "%s", buf); + plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype)); pbuf = buf; pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype)); if (p->idvtype == IDTYPE_ASN1DN) { - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); - plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n", - p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*", - p->mycertfile, p->myprivfile); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); switch (p->getcert_method) { case 0: break; case ISAKMP_GETCERT_PAYLOAD: - plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n"); - break; - case ISAKMP_GETCERT_LOCALFILE: - plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile); - break; - case ISAKMP_GETCERT_DNS: - plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n"); + plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n"); break; default: - plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); + plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method); } } else { if (p->idv) pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v); - plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); + plog(ASL_LEVEL_NOTICE, "%s;\n", buf); genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL); } - plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n", s_switch (p->send_cert)); - plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n", s_switch (p->send_cr)); - plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n", + plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n", s_switch 
(p->verify_cert)); - plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n", + plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n", s_switch (p->verify_identifier)); - plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n", + plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n", p->nat_traversal == NATT_FORCE ? "force" : s_switch (p->nat_traversal)); -#ifdef __APPLE__ - plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n", + plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n", s_switch (p->natt_multiple_user)); -#endif - plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n", + plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n", p->nonce_size); - plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n", + plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n", s_switch (p->passive)); - plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n", - s_switch (p->ike_frag)); - plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag); - plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n", + plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n", + p->ike_frag == ISAKMP_FRAG_FORCE ? 
+ "force" : s_switch (p->ike_frag)); + plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag); + plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n", s_switch (p->ini_contact)); - plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n", + plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n", s_switch (p->gen_policy)); - plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n", + plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n", s_switch (p->support_proxy)); while (prop) { - plog(LLV_INFO, LOCATION, NULL, "\n"); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "\n"); + plog(ASL_LEVEL_NOTICE, "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n", prop->prop_no, prop->trns_no, - saddr2str(prop->rmconf->remote)); - plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n"); - plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n", + saddr2str((struct sockaddr *)prop->rmconf->remote)); + plog(ASL_LEVEL_NOTICE, "\tproposal {\n"); + plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n", (long)prop->lifetime); - plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n", + plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n", prop->lifebyte); - plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n", alg_oakley_dhdef_name(prop->dh_group)); - plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n", alg_oakley_encdef_name(prop->enctype)); - plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n", alg_oakley_hashdef_name(prop->hashtype)); - plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n", + plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n", + alg_oakley_hashdef_name(prop->prf)); + plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n", alg_oakley_authdef_name(prop->authmethod)); - plog(LLV_INFO, LOCATION, NULL, "\t}\n"); + plog(ASL_LEVEL_NOTICE, "\t}\n"); prop = prop->next; } - plog(LLV_INFO, LOCATION, NULL, 
"}\n"); - plog(LLV_INFO, LOCATION, NULL, "\n"); + plog(ASL_LEVEL_NOTICE, "}\n"); + plog(ASL_LEVEL_NOTICE, "\n"); return NULL; } @@ -678,64 +774,9 @@ newidspec() return new; } -int -script_path_add(path) - vchar_t *path; -{ - char *script_dir; - vchar_t *new_storage; - vchar_t *new_path; - vchar_t **sp; - size_t len; - size_t size; - - script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT]; - - /* Try to find the script in the script directory */ - if ((path->v[0] != '/') && (script_dir != NULL)) { - len = strlen(script_dir) + sizeof("/") + path->l + 1; - - if ((new_path = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - - new_path->v[0] = '\0'; - (void)strlcat(new_path->v, script_dir, len); - (void)strlcat(new_path->v, "/", len); - (void)strlcat(new_path->v, path->v, len); - - vfree(path); - path = new_path; - } - - /* First time, initialize */ - if (script_paths == NULL) - len = sizeof(vchar_t *); - else - len = script_paths->l; - - /* Add a slot for a new path */ - len += sizeof(vchar_t *); - if ((new_storage = vrealloc(script_paths, len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - return -1; - } - script_paths = new_storage; - - size = len / sizeof(vchar_t *); - sp = (vchar_t **)script_paths->v; - sp[size - 1] = NULL; - sp[size - 2] = path; - - return (size - 2); -} struct isakmpsa * -dupisakmpsa(sa) - struct isakmpsa *sa; +dupisakmpsa(struct isakmpsa *sa) { struct isakmpsa *res = NULL; @@ -747,11 +788,6 @@ dupisakmpsa(sa) return NULL; *res = *sa; -#ifdef HAVE_GSSAPI - /* - * XXX gssid - */ -#endif res->next=NULL; if (sa->dhgrp != NULL) @@ -761,16 +797,3 @@ dupisakmpsa(sa) } -void -rsa_key_free(void *entry) -{ - struct rsa_key *key = (struct rsa_key *)entry; - - if (key->src) - free(key->src); - if (key->dst) - free(key->dst); - if (key->rsa) - RSA_free(key->rsa); - free(key); -}