X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/d1e348cfd503b08e7d34b7683d23aae209af0a71..674a30cecc483b9b8740e4571080bc9c8ddb6545:/ipsec-tools/racoon/isakmp_cfg.c diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index c72600a..4308558 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -39,9 +39,8 @@ #include #include -#if defined(__APPLE__) && defined(__MACH__) #include -#endif + #ifdef __FreeBSD__ # include @@ -75,12 +74,6 @@ #include #endif #include -#include - -#ifdef HAVE_LIBRADIUS -#include -#include -#endif #include "var.h" #include "misc.h" @@ -89,11 +82,11 @@ #include "sockmisc.h" #include "schedule.h" #include "debug.h" +#include "fsm.h" #include "isakmp_var.h" #include "isakmp.h" #include "handler.h" -#include "evt.h" #include "throttle.h" #include "remoteconf.h" #include "localconf.h" @@ -103,8 +96,6 @@ #include "isakmp_unity.h" #include "isakmp_cfg.h" #include "strnames.h" -#include "admin.h" -#include "privsep.h" #include "vpn_control.h" #include "vpn_control_var.h" #include "ike_session.h" 
@@ -114,27 +105,23 @@ struct isakmp_cfg_config isakmp_cfg_config; -static vchar_t *buffer_cat(vchar_t *s, vchar_t *append); -static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *); +static vchar_t *buffer_cat (vchar_t *s, vchar_t *append); +static vchar_t *isakmp_cfg_net (phase1_handle_t *, struct isakmp_data *); #if 0 -static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *); +static vchar_t *isakmp_cfg_void (phase1_handle_t *, struct isakmp_data *); #endif -static vchar_t *isakmp_cfg_addr4(struct ph1handle *, +static vchar_t *isakmp_cfg_addr4 (phase1_handle_t *, struct isakmp_data *, in_addr_t *); -static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); -static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, +static void isakmp_cfg_getaddr4 (struct isakmp_data *, struct in_addr *); +static vchar_t *isakmp_cfg_addr4_list (phase1_handle_t *, struct isakmp_data *, in_addr_t *, int); -static void isakmp_cfg_appendaddr4(struct isakmp_data *, +static void isakmp_cfg_appendaddr4 (struct isakmp_data *, struct in_addr *, int *, int); -static void isakmp_cfg_getstring(struct isakmp_data *,char *); -void isakmp_cfg_iplist_to_str(char *, int, void *, int); +static void isakmp_cfg_getstring (struct isakmp_data *,char *); +void isakmp_cfg_iplist_to_str (char *, int, void *, int); #define ISAKMP_CFG_LOGIN 1 #define ISAKMP_CFG_LOGOUT 2 -static int isakmp_cfg_accounting(struct ph1handle *, int); -#ifdef HAVE_LIBRADIUS -static int isakmp_cfg_accounting_radius(struct ph1handle *, int); -#endif /* * Handle an ISAKMP config mode packet @@ -142,7 +129,7 @@ static int isakmp_cfg_accounting_radius(struct ph1handle *, int); */ void isakmp_cfg_r(iph1, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *msg; { struct isakmp *packet; 
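Review bot: ISAKMP_CFG_LOGIN and ISAKMP_CFG_LOGOUT are kept while the only declared consumer in this hunk, the isakmp_cfg_accounting prototype, is removed; with the accounting calls also dropped further down (isakmp_cfg_net and isakmp_cfg_rmstate), the two defines appear unused in this file and could go, unless a caller elsewhere still relies on them. The re-indented prototypes also adopt a space before the parameter list (`buffer_cat (vchar_t *s, vchar_t *append);`), which none of the definitions later in the file use; keeping `buffer_cat(vchar_t *s, vchar_t *append);` avoids introducing a second style into one file.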
@@ -152,7 +139,7 @@ isakmp_cfg_r(iph1, msg) int np; vchar_t *dmsg; struct isakmp_ivm *ivm; - struct ph2handle *iph2; + phase2_handle_t *iph2; int error = -1; /* Check that the packet is long enough to have a header */ @@ -161,7 +148,7 @@ isakmp_cfg_r(iph1, msg) IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("MODE-Config. Unexpected short packet"), CONSTSTR("Failed to process short MODE-Config packet")); - plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n"); + plog(ASL_LEVEL_ERR, "Unexpected short packet\n"); return; } @@ -173,7 +160,7 @@ isakmp_cfg_r(iph1, msg) IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("MODE-Config. User credentials sent in cleartext"), CONSTSTR("Dropped cleattext User credentials")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "User credentials sent in cleartext!\n"); return; } @@ -194,13 +181,12 @@ isakmp_cfg_r(iph1, msg) IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL, CONSTSTR("MODE-Config. Failed to decrypt packet"), CONSTSTR("Failed to decrypt MODE-Config packet")); - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to decrypt message\n"); return; } - plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n"); - plogdump(LLV_DEBUG, dmsg->v, dmsg->l); + plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n"); /* Now work with the decrypted packet */ packet = (struct isakmp *)dmsg->v; @@ -211,20 +197,19 @@ isakmp_cfg_r(iph1, msg) while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) { /* Check that the payload header fits in the packet */ if (tlen < sizeof(*ph)) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Short payload header\n"); goto out; } /* Check that the payload fits in the packet */ if (tlen < ntohs(ph->len)) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Short payload\n"); goto out; } - plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np); - plogdump(LLV_DEBUG, ph, ntohs(ph->len)); + plog(ASL_LEVEL_DEBUG, "Seen payload %d\n", np); switch(np) { case ISAKMP_NPTYPE_HASH: { 
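Review bot: `plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n")` raises an unconditional per-packet line from debug to notice, and with the `plogdump` gone it carries nothing that identifies the exchange, so it will mostly add noise to the notice stream. Keeping it at ASL_LEVEL_DEBUG, `plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n");`, matches the "Seen payload" line a few lines below; the same applies to "MODE_CFG packet to send" in isakmp_cfg_send later in the diff. Dropping the hex dump of the decrypted packet from the log is a good change on its own, since these payloads can carry user credentials. isakmp_cfg_r continues past this hunk.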
@@ -236,9 +221,17 @@ isakmp_cfg_r(iph1, msg) plen = ntohs(ph->len); nph = (struct isakmp_gen *)((char *)ph + plen); plen = ntohs(nph->len); - + /* Check that the hash payload fits in the packet */ + if (tlen < (plen + ntohs(ph->len))) { + plog(ASL_LEVEL_WARNING, + "Invalid Hash payload. len %d, overall-len %d\n", + ntohs(nph->len), + (int)plen); + goto out; + } + if ((payload = vmalloc(plen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } @@ -246,14 +239,14 @@ isakmp_cfg_r(iph1, msg) if ((check = oakley_compute_hash1(iph1, packet->msgid, payload)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot compute hash\n"); vfree(payload); goto out; } - if (memcmp(ph + 1, check->v, check->l) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (timingsafe_bcmp(ph + 1, check->v, check->l) != 0) { + plog(ASL_LEVEL_ERR, "Hash verification failed\n"); vfree(payload); vfree(check); @@ -272,7 +265,7 @@ isakmp_cfg_r(iph1, msg) break; } default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Unexpected next payload %d\n", np); /* Skip to the next payload */ break; @@ -287,13 +280,11 @@ isakmp_cfg_r(iph1, msg) error = 0; /* find phase 2 in case pkt scheduled for resend */ - iph2 = getph2bymsgid(iph1, packet->msgid); + iph2 = ike_session_getph2bymsgid(iph1, packet->msgid); if (iph2 == NULL) goto out; /* no resend scheduled */ SCHED_KILL(iph2->scr); /* turn off schedule */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); IPSECSESSIONTRACEREVENT(iph1->parent_session, IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC, 
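Review bot: `plen = ntohs(nph->len)` reads the header of the payload following the HASH before the new fit check runs; at that point the only guarantee is `tlen >= ntohs(ph->len)` from the "Short payload" check above, so `nph` can sit at or past the end of the decrypted buffer and that read is out of bounds. Guard the header first, `if (tlen < ntohs(ph->len) + sizeof(*nph)) goto out;`, then read `nph->len` and apply the check as written. The warning also prints `ntohs(nph->len)` and `(int)plen`, which are the same value; passing `tlen` as the second argument gives the "overall-len" the message promises. `tlen` and `plen` are declared outside the hunk, so confirm their types against the `%d` conversions.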
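Review bot: `timingsafe_bcmp(ph + 1, check->v, check->l)` compares check->l bytes of the HASH payload body without first confirming the payload carries that many; the checks above only establish that `ntohs(ph->len)` bytes fit in the packet, so a shorter HASH payload makes the compare run into whatever follows it. Make the length part of the verification, `if (ntohs(ph->len) < sizeof(*ph) + check->l || timingsafe_bcmp(ph + 1, check->v, check->l) != 0)`, and treat a length mismatch exactly like a failed hash. Replacing memcmp with timingsafe_bcmp is the right call for a MAC comparison. The enclosing isakmp_cfg_r continues outside the hunk.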
@@ -311,14 +302,14 @@ out: int isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; u_int32_t msgid; struct isakmp_pl_attr *attrpl; vchar_t *msg; { int type = attrpl->type; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); switch (type) { case ISAKMP_CFG_ACK: @@ -343,7 +334,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Unepected configuration exchange type %d\n", type); return -1; break; @@ -354,7 +345,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) int isakmp_cfg_reply(iph1, attrpl) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_pl_attr *attrpl; { struct isakmp_data *attr; @@ -372,13 +363,19 @@ isakmp_cfg_reply(iph1, attrpl) tlen -= sizeof(*attrpl); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_reply invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } type = ntohs(attr->type); /* Handle short attributes */ if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { type &= ~ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Short attribute %s = %d\n", s_isakmp_cfg_type(type), ntohs(attr->lorv)); @@ -392,7 +389,7 @@ isakmp_cfg_reply(iph1, attrpl) break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored short attribute %s\n", s_isakmp_cfg_type(type)); break; 
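Review bot: The new header-fits guard `if (tlen < sizeof(struct isakmp_data))` is pasted with small variations into three attribute walkers — here in isakmp_cfg_reply, in isakmp_cfg_request (`@@ -601`) and in isakmp_cfg_set (`@@ -786`) — and the body-fits guard `tlen < (alen + sizeof(struct isakmp_data))` likewise at `@@ -407`, `@@ -648` and `@@ -818`, each with its own message and exit path (return -1, goto end, vfree plus return error). A small static helper that validates one attribute against the remaining length and hands back the bytes it occupies would keep the three loops in step and make the next missing check harder to introduce. Note also that `tlen` is printed with `%d` here and in isakmp_cfg_request but folded into a `%zu` argument in isakmp_cfg_set; its declaration is outside the hunk, so confirm it is `int` in all three functions so the conversions are right.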
@@ -407,14 +404,14 @@ isakmp_cfg_reply(iph1, attrpl) alen = ntohs(attr->lorv); /* Check that the attribute fit in the packet */ - if (tlen < alen) { - plog(LLV_ERROR, LOCATION, NULL, - "Short attribute %s\n", - s_isakmp_cfg_type(type)); + if (tlen < (alen + sizeof(struct isakmp_data))) { + plog(ASL_LEVEL_ERR, + "Short attribute %s len %zu\n", + s_isakmp_cfg_type(type), alen); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Attribute %s, len %zu\n", s_isakmp_cfg_type(type), alen); @@ -487,7 +484,7 @@ isakmp_cfg_reply(iph1, attrpl) break; /* not actually ignored - don't fall thru */ // else fall thru default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); break; 
@@ -503,67 +500,33 @@ isakmp_cfg_reply(iph1, attrpl) /* connection was started by API - save attr list for passing to VPN controller */ if (iph1->mode_cfg->attr_list != NULL) /* shouldn't happen */ vfree(iph1->mode_cfg->attr_list); + if (ntohs(attrpl->h.len) < sizeof(*attrpl)) { + plog(ASL_LEVEL_ERR, + "invalid cfg-attr-list, attr-len %d\n", + ntohs(attrpl->h.len)); + return -1; + } alen = ntohs(attrpl->h.len) - sizeof(*attrpl); if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory for mode-cfg attribute list\n"); return -1; } memcpy(iph1->mode_cfg->attr_list->v, attrpl + 1, alen); } - /* - * Call the SA up script hook now that we have the configuration - * It is done at the end of phase 1 if ISAKMP mode config is not - * requested. - */ - - if ((iph1->status == PHASE1ST_ESTABLISHED) && - iph1->rmconf->mode_cfg) { - switch (AUTHMETHOD(iph1)) { - case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: - /* Unimplemented */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; - default: - break; - } - } #ifdef ENABLE_VPNCONTROL_PORT - if (iph1->status == PHASE1ST_ESTABLISHED) + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); #endif -#ifdef ENABLE_ADMINPORT - { - vchar_t *buf; - - alen = ntohs(attrpl->h.len) - sizeof(*attrpl); - if ((buf = vmalloc(alen)) == NULL) { - plog(LLV_WARNING, LOCATION, NULL, - "Cannot allocate memory: %s\n", strerror(errno)); - } else { - memcpy(buf->v, attrpl + 1, buf->l); - EVT_PUSH(iph1->local, iph1->remote, - EVTT_ISAKMP_CFG_DONE, buf); - vfree(buf); - } - } -#endif - return 0; } int isakmp_cfg_request(iph1, attrpl, msg) - struct ph1handle *iph1; + 
phase1_handle_t *iph1; struct isakmp_pl_attr *attrpl; vchar_t *msg; { @@ -601,16 +564,25 @@ isakmp_cfg_request(iph1, attrpl, msg) iph1->xauth_awaiting_userinput = 1; iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later ike_session_start_xauth_timer(iph1); + + IPSECLOGASLMSG("IPSec Extended Authentication requested.\n"); + return 0; } if ((payload = vmalloc(sizeof(*reply))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } memset(payload->v, 0, sizeof(*reply)); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_request invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + goto end; + } reply_attr = NULL; type = ntohs(attr->type); @@ -618,7 +590,7 @@ isakmp_cfg_request(iph1, attrpl, msg) if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { type &= ~ISAKMP_GEN_MASK; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Short attribute %s = %d\n", s_isakmp_cfg_type(type), ntohs(attr->lorv)); @@ -627,7 +599,7 @@ isakmp_cfg_request(iph1, attrpl, msg) reply_attr = isakmp_xauth_req(iph1, attr); break; default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored short attribute %s\n", s_isakmp_cfg_type(type)); break; @@ -648,14 +620,14 @@ isakmp_cfg_request(iph1, attrpl, msg) alen = ntohs(attr->lorv); /* Check that the attribute fit in the packet */ - if (tlen < alen) { - plog(LLV_ERROR, LOCATION, NULL, - "Short attribute %s\n", - s_isakmp_cfg_type(type)); + if (tlen < (sizeof(struct isakmp_data) + alen)) { + plog(ASL_LEVEL_ERR, + "Short attribute %s len %zu\n", + s_isakmp_cfg_type(type), alen); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Attribute %s, len %zu\n", s_isakmp_cfg_type(type), alen); 
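Review bot: The new `ntohs(attrpl->h.len) < sizeof(*attrpl)` check sits after `vfree(iph1->mode_cfg->attr_list)` but before the pointer is reassigned, so on its early `return -1` iph1->mode_cfg->attr_list is left dangling and isakmp_cfg_rmstate's `if ((*state)->attr_list) vfree((*state)->attr_list);` later in this diff frees it a second time. Either move the length check above the vfree, or add `iph1->mode_cfg->attr_list = NULL;` directly after it. The comment says a non-NULL list "shouldn't happen", but the cleanup path should not depend on that. The enclosing isakmp_cfg_reply starts before this hunk.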
@@ -702,7 +674,7 @@ isakmp_cfg_request(iph1, attrpl, msg) case INTERNAL_ADDRESS_EXPIRY: default: - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); break; @@ -723,32 +695,12 @@ isakmp_cfg_request(iph1, attrpl, msg) reply->type = ISAKMP_CFG_REPLY; reply->id = attrpl->id; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "Sending MODE_CFG REPLY\n"); error = isakmp_cfg_send(iph1, payload, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg); - if (iph1->status == PHASE1ST_ESTABLISHED) { - switch (AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - /* Unimplemented */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; - default: - break; - } -#ifdef ENABLE_VPNCONTROL_PORT - vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL); -#endif - - } end: vfree(payload); @@ -758,7 +710,7 @@ end: int isakmp_cfg_set(iph1, attrpl, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_pl_attr *attrpl; vchar_t *msg; { @@ -773,7 +725,7 @@ isakmp_cfg_set(iph1, attrpl, msg) int error = -1; if ((payload = vmalloc(sizeof(*reply))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } memset(payload->v, 0, sizeof(*reply)); 
@@ -786,10 +738,17 @@ isakmp_cfg_set(iph1, attrpl, msg) * We should send ack for the attributes we accepted */ while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_set invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + vfree(payload); + return error; + } reply_attr = NULL; type = ntohs(attr->type); - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Attribute %s\n", s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); @@ -798,7 +757,7 @@ isakmp_cfg_set(iph1, attrpl, msg) reply_attr = isakmp_xauth_set(iph1, attr); break; default: - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "Unexpected SET attribute %s\n", s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); break; @@ -818,6 +777,13 @@ isakmp_cfg_set(iph1, attrpl, msg) attr++; } else { alen = ntohs(attr->lorv); + if (tlen < (sizeof(*attr) + alen)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_set packet too short for type %d, expected %zu actual %zu\n", + type, alen, tlen - sizeof(*attr)); + vfree(payload); + return error; + } tlen -= (sizeof(*attr) + alen); npp = (char *)attr; attr = (struct isakmp_data *) @@ -830,17 +796,16 @@ isakmp_cfg_set(iph1, attrpl, msg) reply->type = ISAKMP_CFG_ACK; reply->id = attrpl->id; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "Sending MODE_CFG ACK\n"); error = isakmp_cfg_send(iph1, payload, ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg); if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) { - if (iph1->status == PHASE1ST_ESTABLISHED) + if (FSM_STATE_IS_ESTABLISHED(iph1->status)) isakmp_info_send_d1(iph1); - remph1(iph1); - delph1(iph1); + isakmp_ph1expire(iph1); iph1 = NULL; } vfree(payload); @@ -864,7 +829,7 @@ buffer_cat(s, append) new = vmalloc(s->l + append->l); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return s; } 
@@ -878,12 +843,11 @@ buffer_cat(s, append) static vchar_t * isakmp_cfg_net(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { int type; int confsource; - in_addr_t addr4; type = ntohs(attr->type); @@ -891,7 +855,7 @@ isakmp_cfg_net(iph1, attr) * Don't give an address to a peer that did not succeed Xauth */ if (xauth_check(iph1) != 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Attempt to start phase config whereas Xauth failed\n"); return NULL; } @@ -902,39 +866,13 @@ isakmp_cfg_net(iph1, attr) * configuration source, we will jump * back to this point. */ -retry_source: switch(type) { case INTERNAL_IP4_ADDRESS: switch(confsource) { -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_CONF_LDAP: - if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No IP from LDAP, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif -#ifdef HAVE_LIBRADIUS - case ISAKMP_CFG_CONF_RADIUS: - if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) - && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) - /* - * -2 is 255.255.255.254, RADIUS uses that - * to instruct the NAS to use a local pool - */ - break; - plog(LLV_INFO, LOCATION, NULL, - "No IP from RADIUS, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif case ISAKMP_CFG_CONF_LOCAL: if (isakmp_cfg_getport(iph1) == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Port pool depleted\n"); break; } 
@@ -946,39 +884,16 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected confsource\n"); } - if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0) - plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); - return isakmp_cfg_addr4(iph1, attr, &iph1->mode_cfg->addr4.s_addr); break; case INTERNAL_IP4_NETMASK: switch(confsource) { -#ifdef HAVE_LIBLDAP - case ISAKMP_CFG_CONF_LDAP: - if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No mask from LDAP, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif -#ifdef HAVE_LIBRADIUS - case ISAKMP_CFG_CONF_RADIUS: - if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) - break; - plog(LLV_INFO, LOCATION, NULL, - "No mask from RADIUS, using local pool\n"); - /* FALLTHROUGH */ - confsource = ISAKMP_CFG_CONF_LOCAL; - goto retry_source; -#endif case ISAKMP_CFG_CONF_LOCAL: iph1->mode_cfg->mask4.s_addr = isakmp_cfg_config.netmask4; @@ -986,7 +901,7 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Unexpected confsource\n"); } return isakmp_cfg_addr4(iph1, attr, @@ -1011,7 +926,7 @@ retry_source: break; default: - plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type); + plog(ASL_LEVEL_ERR, "Unexpected type %d\n", type); break; } return NULL; @@ -1020,14 +935,14 @@ retry_source: #if 0 static vchar_t * isakmp_cfg_void(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { vchar_t *buffer; struct isakmp_data *new; if ((buffer = vmalloc(sizeof(*attr))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1042,7 +957,7 @@ isakmp_cfg_void(iph1, attr) vchar_t * isakmp_cfg_copy(iph1, attr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; { vchar_t *buffer; 
@@ -1052,7 +967,7 @@ isakmp_cfg_copy(iph1, attr) len = ntohs(attr->lorv); if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1063,7 +978,7 @@ isakmp_cfg_copy(iph1, attr) vchar_t * isakmp_cfg_short(iph1, attr, value) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; int value; { @@ -1072,7 +987,7 @@ isakmp_cfg_short(iph1, attr, value) int type; if ((buffer = vmalloc(sizeof(*attr))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1087,7 +1002,7 @@ isakmp_cfg_short(iph1, attr, value) vchar_t * isakmp_cfg_varlen(iph1, attr, string, len) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; char *string; size_t len; @@ -1097,7 +1012,7 @@ isakmp_cfg_varlen(iph1, attr, string, len) char *data; if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } @@ -1113,7 +1028,7 @@ isakmp_cfg_varlen(iph1, attr, string, len) } vchar_t * isakmp_cfg_string(iph1, attr, string) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; char *string; { @@ -1123,7 +1038,7 @@ isakmp_cfg_string(iph1, attr, string) static vchar_t * isakmp_cfg_addr4(iph1, attr, addr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; in_addr_t *addr; { @@ -1133,7 +1048,7 @@ isakmp_cfg_addr4(iph1, attr, addr) len = sizeof(*addr); if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return NULL; } 
@@ -1148,7 +1063,7 @@ isakmp_cfg_addr4(iph1, attr, addr) static vchar_t * isakmp_cfg_addr4_list(iph1, attr, addr, nbr) - struct ph1handle *iph1; + phase1_handle_t *iph1; struct isakmp_data *attr; in_addr_t *addr; int nbr; @@ -1162,12 +1077,12 @@ isakmp_cfg_addr4_list(iph1, attr, addr, nbr) len = sizeof(*addr); if ((buffer = vmalloc(0)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } for(i = 0; i < nbr; i++) { if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); goto out; } @@ -1193,13 +1108,13 @@ out: struct isakmp_ivm * isakmp_cfg_newiv(iph1, msgid) - struct ph1handle *iph1; + phase1_handle_t *iph1; u_int32_t msgid; { struct isakmp_cfg_state *ics = iph1->mode_cfg; if (ics == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_newiv called without mode config state\n"); return NULL; } @@ -1216,7 +1131,7 @@ isakmp_cfg_newiv(iph1, msgid) /* Derived from isakmp_info_send_common */ int isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) - struct ph1handle *iph1; + phase1_handle_t *iph1; vchar_t *payload; u_int32_t np; int flags; @@ -1224,7 +1139,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) int retry_count; vchar_t *msg; { - struct ph2handle *iph2 = NULL; + phase2_handle_t *iph2 = NULL; vchar_t *hash = NULL; struct isakmp *isakmp; struct isakmp_gen *gen; 
@@ -1234,38 +1149,38 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) struct isakmp_cfg_state *ics = iph1->mode_cfg; /* Check if phase 1 is established */ - if ((iph1->status != PHASE1ST_ESTABLISHED) || + if ((!FSM_STATE_IS_ESTABLISHED(iph1->status)) || (iph1->local == NULL) || (iph1->remote == NULL)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "ISAKMP mode config exchange with immature phase 1\n"); goto end; } /* add new entry to isakmp status table */ - iph2 = newph2(); + iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_CFG); if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate ph2"); goto end; } iph2->dst = dupsaddr(iph1->remote); if (iph2->dst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate remote address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } iph2->src = dupsaddr(iph1->local); if (iph2->src == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to duplicate local address"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } - switch (iph1->remote->sa_family) { + switch (iph1->remote->ss_family) { case AF_INET: #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT)) ((struct sockaddr_in *)iph2->dst)->sin_port = 0; @@ -1281,14 +1196,13 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) break; #endif default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); - delph2(iph2); + plog(ASL_LEVEL_ERR, + "invalid family: %d\n", iph1->remote->ss_family); + ike_session_delph2(iph2); goto end; } - iph2->ph1 = iph1; iph2->side = INITIATOR; - iph2->status = PHASE2ST_START; + fsm_set_state(&iph2->status, IKEV1_STATE_INFO); if (new_exchange) iph2->msgid = isakmp_newmsgid2(iph1); 
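Review bot: `iph2->ph1 = iph1;` is dropped here, so between this point and `ike_session_link_ph2_to_ph1(iph1, iph2)` later in isakmp_cfg_send the new handle has no parent; the commit compensates by passing `iph1` to oakley_compute_hash1 and oakley_do_encrypt, but the unchanged `isakmp_send(iph2->ph1, iph2->sendbuf)` further down still reads iph2->ph1 and now relies on the link call having set it — presumably it does, but that is not visible here. Passing `iph1` there too, `isakmp_send(iph1, iph2->sendbuf)`, keeps the function consistent and independent of when the link is made. The function continues outside this hunk.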
@@ -1299,19 +1213,19 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) if (iph1->skeyid_a != NULL) { if (new_exchange) { if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate IV"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } } /* generate HASH(1) */ - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload); + hash = oakley_compute_hash1(iph1, iph2->msgid, payload); if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to generate HASH"); - delph2(iph2); + ike_session_delph2(iph2); goto end; } @@ -1330,15 +1244,14 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) else iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); - insph2(iph2); - bindph12(iph1, iph2); + ike_session_link_ph2_to_ph1(iph1, iph2); tlen += sizeof(*isakmp) + payload->l; /* create buffer for isakmp payload */ iph2->sendbuf = vmalloc(tlen); if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send.\n"); goto err; } @@ -1373,18 +1286,17 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); #endif - plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n"); - plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); + plog(ASL_LEVEL_NOTICE, "MODE_CFG packet to send\n"); /* encoding */ if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { vchar_t *tmp; - tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, + tmp = oakley_do_encrypt(iph1, iph2->sendbuf, ics->ivm->ive, ics->ivm->iv); VPTRINIT(iph2->sendbuf); if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to encrypt packet"); goto err; } 
@@ -1396,7 +1308,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) if (retry_count > 0) { iph2->retry_counter = retry_count; if (isakmp_ph2resend(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to resend packet"); VPTRINIT(iph2->sendbuf); goto err; @@ -1410,21 +1322,21 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg) } if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to send packet"); VPTRINIT(iph2->sendbuf); goto err; } if (msg) { /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg, - PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) { - plog(LLV_ERROR , LOCATION, NULL, + if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg, + PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) { + plog(ASL_LEVEL_ERR , "failed to add a response packet to the tree.\n"); } } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "sendto mode config %s.\n", s_isakmp_nptype(np)); /* @@ -1446,9 +1358,7 @@ err: CONSTSTR("Mode-Config message"), CONSTSTR("Failed to transmit Mode-Config message")); } - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); end: if (hash) vfree(hash); 
@@ -1456,40 +1366,39 @@ end: } -void -isakmp_cfg_rmstate(iph1) - struct ph1handle *iph1; +void +isakmp_cfg_rmstate(phase1_handle_t *iph1) { - struct isakmp_cfg_state *state = iph1->mode_cfg; - - if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0) - plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); - - if (state->flags & ISAKMP_CFG_PORT_ALLOCATED) - isakmp_cfg_putport(iph1, state->port); - + struct isakmp_cfg_state **state = &iph1->mode_cfg; + + if (*state == NULL) + return; + + if ((*state)->flags & ISAKMP_CFG_PORT_ALLOCATED) + isakmp_cfg_putport(iph1, (*state)->port); + /* Delete the IV if it's still there */ - if(iph1->mode_cfg->ivm) { - oakley_delivm(iph1->mode_cfg->ivm); - iph1->mode_cfg->ivm = NULL; + if((*state)->ivm) { + oakley_delivm((*state)->ivm); + (*state)->ivm = NULL; } - + /* Free any allocated splitnet lists */ - if(iph1->mode_cfg->split_include != NULL) - splitnet_list_free(iph1->mode_cfg->split_include, - &iph1->mode_cfg->include_count); - if(iph1->mode_cfg->split_local != NULL) - splitnet_list_free(iph1->mode_cfg->split_local, - &iph1->mode_cfg->local_count); - - xauth_rmstate(&state->xauth); + if((*state)->split_include != NULL) + splitnet_list_free((*state)->split_include, + &(*state)->include_count); + if((*state)->split_local != NULL) + splitnet_list_free((*state)->split_local, + &(*state)->local_count); + + xauth_rmstate(&(*state)->xauth); - if (state->attr_list) - vfree(state->attr_list); - - racoon_free(state); - iph1->mode_cfg = NULL; - + if ((*state)->attr_list) + vfree((*state)->attr_list); + + racoon_free((*state)); + (*state) = NULL; + return; } @@ -1499,7 +1408,7 @@ isakmp_cfg_mkstate(void) struct isakmp_cfg_state *state; if ((state = racoon_malloc(sizeof(*state))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Cannot allocate memory for mode config state\n"); return NULL; } 
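Review bot: The rewrite of isakmp_cfg_rmstate routes every access through `struct isakmp_cfg_state **state = &iph1->mode_cfg;`, so each field read is `(*state)->…`; the double indirection buys nothing that `struct isakmp_cfg_state *state = iph1->mode_cfg; if (state == NULL) return;` at the top and `racoon_free(state); iph1->mode_cfg = NULL;` at the bottom do not, and it reads harder. The NULL guard itself is a worthwhile addition, since the state may already have been released. The function is also converted to an ANSI definition while every other definition in the file stays K&R, and the trailing `return;` is redundant.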
@@ -1510,7 +1419,7 @@ isakmp_cfg_mkstate(void) int isakmp_cfg_getport(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { unsigned int i; size_t size = isakmp_cfg_config.pool_size; @@ -1519,7 +1428,7 @@ isakmp_cfg_getport(iph1) return iph1->mode_cfg->port; if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_config.port_pool == NULL\n"); return -1; } @@ -1530,14 +1439,14 @@ isakmp_cfg_getport(iph1) } if (i == size) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "No more addresses available\n"); return -1; } isakmp_cfg_config.port_pool[i].used = 1; - plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i); + plog(ASL_LEVEL_NOTICE, "Using port %d\n", i); iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED; iph1->mode_cfg->port = i; 
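Review bot: `plog(ASL_LEVEL_NOTICE, "Using port %d\n", i)` prints the `unsigned int i` declared at the top of isakmp_cfg_getport with `%d`; the matching conversion is `%u`, i.e. `plog(ASL_LEVEL_NOTICE, "Using port %u\n", i);`. The same mismatch exists for the `unsigned int index` parameter in isakmp_cfg_putport's "Released port %d" line, although that line is not changed here. The level change from info to notice also turns every pool allocation into a notice-level entry, which is fine if intended but worth a second look for busy gateways.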
@@ -1547,341 +1456,34 @@ isakmp_cfg_getport(iph1) int isakmp_cfg_putport(iph1, index) - struct ph1handle *iph1; + phase1_handle_t *iph1; unsigned int index; { if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "isakmp_cfg_config.port_pool == NULL\n"); return -1; } if (isakmp_cfg_config.port_pool[index].used == 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Attempt to release an unallocated address (port %d)\n", index); return -1; } -#ifdef HAVE_LIBPAM - /* Cleanup PAM status associated with the port */ - if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM) - privsep_cleanup_pam(index); -#endif isakmp_cfg_config.port_pool[index].used = 0; iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED; - plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index); - - return 0; -} - -#ifdef HAVE_LIBPAM -void -cleanup_pam(port) - int port; -{ - if (isakmp_cfg_config.port_pool[port].pam != NULL) { - pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS); - isakmp_cfg_config.port_pool[port].pam = NULL; - } - - return; -} -#endif - -/* Accounting, only for RADIUS or PAM */ -static int -isakmp_cfg_accounting(iph1, inout) - struct ph1handle *iph1; - int inout; -{ -#ifdef HAVE_LIBPAM - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM) - return privsep_accounting_pam(iph1->mode_cfg->port, - inout); -#endif -#ifdef HAVE_LIBRADIUS - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) - return isakmp_cfg_accounting_radius(iph1, inout); -#endif - if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) - return privsep_accounting_system(iph1->mode_cfg->port, - iph1->remote, iph1->mode_cfg->login, inout); - return 0; -} - -#ifdef HAVE_LIBPAM -int -isakmp_cfg_accounting_pam(port, inout) - int port; - int inout; -{ - int error = 0; - pam_handle_t *pam; - - if (isakmp_cfg_config.port_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "isakmp_cfg_config.port_pool == NULL\n"); - return -1; - } - - pam = 
isakmp_cfg_config.port_pool[port].pam; - if (pam == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n"); - return -1; - } - - switch (inout) { - case ISAKMP_CFG_LOGIN: - error = pam_open_session(pam, 0); - break; - case ISAKMP_CFG_LOGOUT: - error = pam_close_session(pam, 0); - pam_end(pam, error); - isakmp_cfg_config.port_pool[port].pam = NULL; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pam_open_session/pam_close_session failed: %s\n", - pam_strerror(pam, error)); - return -1; - } - - return 0; -} -#endif /* HAVE_LIBPAM */ - -#ifdef HAVE_LIBRADIUS -static int -isakmp_cfg_accounting_radius(iph1, inout) - struct ph1handle *iph1; - int inout; -{ - /* For first time use, initialize Radius */ - if (radius_acct_state == NULL) { - if ((radius_acct_state = rad_acct_open()) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot init librradius\n"); - return -1; - } - - if (rad_config(radius_acct_state, NULL) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot open librarius config file: %s\n", - rad_strerror(radius_acct_state)); - rad_close(radius_acct_state); - radius_acct_state = NULL; - return -1; - } - } - - if (rad_create_request(radius_acct_state, - RAD_ACCOUNTING_REQUEST) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_create_request failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_string(radius_acct_state, RAD_USER_NAME, - iph1->mode_cfg->login) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_string failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - switch (inout) { - case ISAKMP_CFG_LOGIN: - inout = RAD_START; - break; - case ISAKMP_CFG_LOGOUT: - inout = RAD_STOP; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - if (rad_put_addr(radius_acct_state, - RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - 
"rad_put_addr failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_addr(radius_acct_state, - RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_addr failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } - - if (isakmp_cfg_radius_common(radius_acct_state, - iph1->mode_cfg->port) != 0) - return -1; - - if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_send_request failed: %s\n", - rad_strerror(radius_acct_state)); - return -1; - } + plog(ASL_LEVEL_NOTICE, "Released port %d\n", index); return 0; } -#endif /* HAVE_LIBRADIUS */ - -/* - * Attributes common to all RADIUS requests - */ -#ifdef HAVE_LIBRADIUS -int -isakmp_cfg_radius_common(radius_state, port) - struct rad_handle *radius_state; - int port; -{ - struct utsname name; - static struct hostent *host = NULL; - struct in_addr nas_addr; - /* - * Find our own IP by resolving our nodename - */ - if (host == NULL) { - if (uname(&name) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "uname failed: %s\n", strerror(errno)); - return -1; - } - - if ((host = gethostbyname(name.nodename)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gethostbyname failed: %s\n", strerror(errno)); - return -1; - } - } - - memcpy(&nas_addr, host->h_addr, sizeof(nas_addr)); - if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_addr failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) { - 
plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "rad_put_int failed: %s\n", - rad_strerror(radius_state)); - return -1; - } - - return 0; -} -#endif - -/* - Logs the user into the utmp system files. -*/ - -int -isakmp_cfg_accounting_system(port, raddr, usr, inout) - int port; - struct sockaddr *raddr; - char *usr; - int inout; -{ - int error = 0; - struct utmpx ut; - char term[_UTX_LINESIZE]; - char addr[NI_MAXHOST]; - - if (usr == NULL || usr[0]=='\0') { - plog(LLV_ERROR, LOCATION, NULL, - "system accounting : no login found\n"); - return -1; - } - - snprintf(term, sizeof(term), TERMSPEC, port); - - switch (inout) { - case ISAKMP_CFG_LOGIN: - strlcpy(ut.ut_user, usr, sizeof(ut.ut_user)); - - strlcpy(ut.ut_line, term, sizeof(ut.ut_line)); - - GETNAMEINFO_NULL(raddr, addr); - strlcpy(ut.ut_host, addr, sizeof(ut.ut_host)); - - ut.ut_pid = getpid(); - - ut.ut_type = UTMPX_AUTOFILL_MASK | USER_PROCESS; - - gettimeofday(&ut.ut_tv, NULL); - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' logging on '%s' from %s.\n", - ut.ut_user, ut.ut_line, ut.ut_host); - - if (pututxline(&ut) == NULL) - return -1; - - break; - case ISAKMP_CFG_LOGOUT: - - plog(LLV_INFO, LOCATION, NULL, - "Accounting : '%s' unlogging from '%s'.\n", - usr, term); - - ut.ut_type = UTMPX_AUTOFILL_MASK | DEAD_PROCESS; - - gettimeofday(&ut.ut_tv, NULL); - - if (pututxline(&ut) == NULL) - return -1; - - break; - default: - plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); - break; - } - - return 0; -} int isakmp_cfg_getconfig(iph1) - struct ph1handle *iph1; + phase1_handle_t *iph1; { vchar_t *buffer; struct isakmp_pl_attr *attrpl; 
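Review bot: isakmp_cfg_putport indexes `isakmp_cfg_config.port_pool[index]` without checking `index` against `isakmp_cfg_config.pool_size`, so a stale or corrupted port value reads and writes past the pool; the hunk keeps the NULL check on port_pool but adds no range check. A guard before the `used == 0` test closes it: `if (index >= isakmp_cfg_config.pool_size) { plog(ASL_LEVEL_ERR, "port %u out of range\n", index); return -1; }`. The context line `iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;` is also inverted: `&=` with the flag keeps only that bit and clears every other mode-config flag, leaving the port still marked allocated; it should read `iph1->mode_cfg->flags &= ~ISAKMP_CFG_PORT_ALLOCATED;`. In isakmp_cfg_rmstate the state is freed immediately afterwards, so the damage only shows for any other caller. The hunk ends with the opening lines of isakmp_cfg_getconfig, whose body continues outside it.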
@@ -1909,7 +1511,7 @@ isakmp_cfg_getconfig(iph1) len = sizeof(*attrpl) + sizeof(*attr) * attrcount; if (iph1->started_by_api) { - if (iph1->remote->sa_family == AF_INET) { + if (iph1->remote->ss_family == AF_INET) { struct vpnctl_socket_elem *sock_elem; struct bound_addr *bound_addr; u_int32_t address; @@ -1918,7 +1520,7 @@ isakmp_cfg_getconfig(iph1) LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) { LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) { if (bound_addr->address == address) { - if (version = bound_addr->version) + if ((version = bound_addr->version)) len += bound_addr->version->l; break; } @@ -1928,7 +1530,7 @@ isakmp_cfg_getconfig(iph1) } if ((buffer = vmalloc(len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); + plog(ASL_LEVEL_ERR, "Cannot allocate memory\n"); return -1; } @@ -1957,7 +1559,7 @@ isakmp_cfg_getconfig(iph1) } } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "Sending MODE_CFG REQUEST\n"); error = isakmp_cfg_send(iph1, buffer, @@ -1965,6 +1567,8 @@ isakmp_cfg_getconfig(iph1) vfree(buffer); + IPSECLOGASLMSG("IPSec Network Configuration requested.\n"); + return error; } @@ -1977,11 +1581,11 @@ isakmp_cfg_getaddr4(attr, ip) in_addr_t *addr; if (alen != sizeof(*ip)) { - plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); + plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n"); return; } - addr = (in_addr_t *)(attr + 1); + addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t ip->s_addr = *addr; return; 
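Review bot: `addr = ALIGNED_CAST(in_addr_t *)(attr + 1);` in isakmp_cfg_getaddr4 silences -Wcast-align, but if ALIGNED_CAST merely routes the cast through `void *`, the following `*addr` is still an unaligned 32-bit load from packet data, which faults on strict-alignment targets. Copying the bytes avoids both the cast and the alignment question: `memcpy(&ip->s_addr, attr + 1, sizeof(ip->s_addr));` (the `alen != sizeof(*ip)` check above already bounds the read, and memcpy is already used elsewhere in this file), after which the `addr` local and the "Wcast-align fix" comment can go. The isakmp_cfg_appendaddr4 hunk that follows has the same cast and would take the same change.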
@@ -1998,15 +1602,15 @@ isakmp_cfg_appendaddr4(attr, ip, num, max) in_addr_t *addr; if (alen != sizeof(*ip)) { - plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); + plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n"); return; } if (*num == max) { - plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n"); + plog(ASL_LEVEL_ERR, "Too many addresses given\n"); return; } - addr = (in_addr_t *)(attr + 1); + addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t ip->s_addr = *addr; (*num)++; 
@@ -2067,186 +1671,6 @@ isakmp_cfg_iplist_to_str(dest, count, addr, withmask) dest[0] = '\0'; } -int -isakmp_cfg_setenv(iph1, envp, envc) - struct ph1handle *iph1; - char ***envp; - int *envc; -{ - char addrstr[IP_MAX]; - char addrlist[IP_MAX * MAXNS + MAXNS]; - char *splitlist = addrlist; - char defdom[MAXPATHLEN + 1]; - int cidr, tmp; - char cidrstr[4]; - int i, p; - int test; - - plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); - - /* - * Internal IPv4 address, either if - * we are a client or a server. - */ - if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || -#ifdef HAVE_LIBLDAP - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || -#endif -#ifdef HAVE_LIBRADIUS - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || -#endif - (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { - inet_ntop(AF_INET, &iph1->mode_cfg->addr4, - addrstr, IP_MAX); - } else - addrstr[0] = '\0'; - - if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n"); - return -1; - } - - if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) { - if (script_env_append(envp, envc, "XAUTH_USER", - iph1->mode_cfg->xauth.authdata.generic.usr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set XAUTH_USER\n"); - return -1; - } - } - - /* Internal IPv4 mask */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) - inet_ntop(AF_INET, &iph1->mode_cfg->mask4, - addrstr, IP_MAX); - else - addrstr[0] = '\0'; - - /* - * During several releases, documentation adverised INTERNAL_NETMASK4 - * while code was using INTERNAL_MASK4. We now do both. 
- */ - - if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n"); - return -1; - } - - if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_NETMASK4\n"); - return -1; - } - - tmp = ntohl(iph1->mode_cfg->mask4.s_addr); - for (cidr = 0; tmp != 0; cidr++) - tmp <<= 1; - snprintf(cidrstr, 3, "%d", cidr); - - if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n"); - return -1; - } - - /* Internal IPv4 DNS */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) { - /* First Internal IPv4 DNS (for compatibilty with older code */ - inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], - addrstr, IP_MAX); - - /* Internal IPv4 DNS - all */ - isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index, - (void *)iph1->mode_cfg->dns4, 0); - } else { - addrstr[0] = '\0'; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n"); - return -1; - } - if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_DNS4_LIST\n"); - return -1; - } - - /* Internal IPv4 WINS */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) { - /* - * First Internal IPv4 WINS - * (for compatibilty with older code - */ - inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], - addrstr, IP_MAX); - - /* Internal IPv4 WINS - all */ - isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index, - (void *)iph1->mode_cfg->wins4, 0); - } else { - addrstr[0] = '\0'; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_WINS4\n"); - return -1; - } - if (script_env_append(envp, envc, - "INTERNAL_WINS4_LIST", addrlist) != 0) { 
- plog(LLV_ERROR, LOCATION, NULL, - "Cannot set INTERNAL_WINS4_LIST\n"); - return -1; - } - - /* Deault domain */ - if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) - strlcpy(defdom, - iph1->mode_cfg->default_domain, - sizeof(defdom)); - else - defdom[0] = '\0'; - - if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Cannot set DEFAULT_DOMAIN\n"); - return -1; - } - - /* Split networks */ - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) - splitlist = splitnet_list_2str(iph1->mode_cfg->split_include); - else { - splitlist = addrlist; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n"); - return -1; - } - if (splitlist != addrlist) - racoon_free(splitlist); - - if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) - splitlist = splitnet_list_2str(iph1->mode_cfg->split_local); - else { - splitlist = addrlist; - addrlist[0] = '\0'; - } - - if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) { - plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n"); - return -1; - } - if (splitlist != addrlist) - racoon_free(splitlist); - - return 0; -} - int isakmp_cfg_resize_pool(size) int size; 
@@ -2258,16 +1682,16 @@ isakmp_cfg_resize_pool(size) if (size == isakmp_cfg_config.pool_size) return 0; - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_NOTICE, "Resize address pool from %zu to %d\n", isakmp_cfg_config.pool_size, size); /* If a pool already exists, check if we can shrink it */ if ((isakmp_cfg_config.port_pool != NULL) && (size < isakmp_cfg_config.pool_size)) { - for (i = isakmp_cfg_config.pool_size; i >= size; --i) { + for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) { if (isakmp_cfg_config.port_pool[i].used) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "resize pool from %zu to %d impossible " "port %d is in use\n", isakmp_cfg_config.pool_size, size, i); @@ -2280,7 +1704,7 @@ isakmp_cfg_resize_pool(size) len = size * sizeof(*isakmp_cfg_config.port_pool); new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len); if (new_pool == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "resize pool from %zu to %d impossible: %s", isakmp_cfg_config.pool_size, size, strerror(errno)); return -1; @@ -2309,7 +1733,9 @@ isakmp_cfg_init(cold) int cold; { int i; +#if 0 int error; +#endif isakmp_cfg_config.network4 = (in_addr_t)0x00000000; isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000; @@ -2361,10 +1787,12 @@ isakmp_cfg_init(cold) isakmp_cfg_config.splitdns_list = NULL; isakmp_cfg_config.splitdns_len = 0; +#if 0 if (cold == ISAKMP_CFG_INIT_COLD) { if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0) return error; } +#endif return 0; }
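Review bot: The corrected loop `for (i = isakmp_cfg_config.pool_size-1; i >= size; --i)` in isakmp_cfg_resize_pool now starts at the last valid slot, but `i` is declared outside the hunk; the `%d` in the adjacent plog suggests it is an int, and if it were ever unsigned the `i >= size` test with `size == 0` would never become false and `--i` would wrap past slot 0. `size` is a signed int compared against the size_t `pool_size`, so a negative size converts to a large unsigned value, skips the shrink check and reaches `len = size * sizeof(*isakmp_cfg_config.port_pool)`; unless the function's prologue, which is outside the hunk, already rejects it, an early `if (size < 0) return -1;` is worth adding. A short comment on the loop such as `/* walk down from the last slot; pool_size-1 is the highest valid index */` would record why the bound changed.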
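Review bot: The changed message `"resize pool from %zu to %d impossible: %s"` in the realloc failure path is the only plog among the visible hunks without a trailing `\n`; every neighbouring message ends with one, so the line should read `"resize pool from %zu to %d impossible: %s\n",` for consistent log output. The failure path otherwise leaves `isakmp_cfg_config.port_pool` untouched when racoon_realloc returns NULL, which is the right shape.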
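Review bot: The two `#if 0` blocks in isakmp_cfg_init (around `int error;` and the `ISAKMP_CFG_INIT_COLD` pool sizing) disable code without saying why, and code parked under `#if 0` tends to drift out of sync with the live path. Either delete the block or head it with a comment such as `/* cold-start pool allocation disabled: <reason — fill in> */`. With it disabled, `isakmp_cfg_config.port_pool` stays NULL until something else calls isakmp_cfg_resize_pool, and isakmp_cfg_getport then fails with "isakmp_cfg_config.port_pool == NULL"; if that is the intended behaviour, the comment should say so.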