Google Git
Sign in
ara-mdk / platform / external / ipsec-tools / 3473d8ebd2f370edcc83c7455c76cf3b2daef4ae / . / src / racoon / remoteconf.c
blob: c9c803fd915ac4ad16dfec98d109cd300e59f52d [file] [log] [blame]
/* $NetBSD: remoteconf.c,v 1.9.4.2 2008/06/18 07:30:19 mgrooms Exp $ */
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include PATH_IPSEC_H
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "sockmisc.h"
#include "genlist.h"
#include "debug.h"
#include "isakmp_var.h"
#ifdef ENABLE_HYBRID
#include "isakmp_xauth.h"
#endif
#include "isakmp.h"
#include "ipsec_doi.h"
#include "oakley.h"
#include "remoteconf.h"
#include "localconf.h"
#include "grabmyaddr.h"
#include "policy.h"
#include "proposal.h"
#include "vendorid.h"
#include "gcmalloc.h"
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
static TAILQ_HEAD(_rmtree, remoteconf) rmtree, rmtree_save, rmtree_tmp;
/*
* Script hook names and script hook paths
*/
char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
/*%%%*/
/*
* search remote configuration.
* don't use port number to search if its value is either IPSEC_PORT_ANY.
* If matching anonymous entry, then new entry is copied from anonymous entry.
* If no anonymous entry found, then return NULL.
* OUT: NULL: NG
* Other: remote configuration entry.
*/
struct remoteconf *
getrmconf_strict(remote, allow_anon)
struct sockaddr *remote;
int allow_anon;
{
struct remoteconf *p;
struct remoteconf *anon = NULL;
int withport;
char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST], port[NI_MAXSERV];
withport = 0;
#ifndef ENABLE_NATT
/*
* We never have ports set in our remote configurations, but when
* NAT-T is enabled, the kernel can have policies with ports and
* send us an acquire message for a destination that has a port set.
* If we do this port check here, we don't find the remote config.
*
* In an ideal world, we would be able to have remote conf with
* port, and the port could be a wildcard. That test could be used.
*/
if (remote->sa_family != AF_UNSPEC &&
extract_port(remote) != IPSEC_PORT_ANY)
withport = 1;
#endif /* ENABLE_NATT */
if (remote->sa_family == AF_UNSPEC)
snprintf (buf, sizeof(buf), "%s", "anonymous");
else {
GETNAMEINFO(remote, addr, port);
snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
withport ? "[" : "",
withport ? port : "",
withport ? "]" : "");
}
TAILQ_FOREACH(p, &rmtree, chain) {
if ((remote->sa_family == AF_UNSPEC
&& remote->sa_family == p->remote->sa_family)
|| (!withport && cmpsaddrwop(remote, p->remote) == 0)
|| (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
plog(LLV_DEBUG, LOCATION, NULL,
"configuration found for %s.\n", buf);
return p;
}
/* save the pointer to the anonymous configuration */
if (p->remote->sa_family == AF_UNSPEC)
anon = p;
}
if (allow_anon && anon != NULL) {
plog(LLV_DEBUG, LOCATION, NULL,
"anonymous configuration selected for %s.\n", buf);
return anon;
}
plog(LLV_DEBUG, LOCATION, NULL,
"no remote configuration found.\n");
return NULL;
}
struct remoteconf *
getrmconf(remote)
struct sockaddr *remote;
{
return getrmconf_strict(remote, 1);
}
struct remoteconf *
newrmconf()
{
struct remoteconf *new;
int i;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
new->proposal = NULL;
/* set default */
new->doitype = IPSEC_DOI;
new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
new->idvtype = IDTYPE_UNDEFINED;
new->idvl_p = genlist_init();
new->nonce_size = DEFAULT_NONCE_SIZE;
new->passive = FALSE;
new->ike_frag = FALSE;
new->esp_frag = IP_MAXPACKET;
new->ini_contact = TRUE;
new->mode_cfg = FALSE;
new->pcheck_level = PROP_CHECK_STRICT;
new->verify_identifier = FALSE;
new->verify_cert = TRUE;
new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
new->cacerttype = ISAKMP_CERT_X509SIGN;
new->certtype = ISAKMP_CERT_NONE;
new->cacertfile = NULL;
new->send_cert = TRUE;
new->send_cr = TRUE;
new->support_proxy = FALSE;
for (i = 0; i <= SCRIPT_MAX; i++)
new->script[i] = NULL;
new->gen_policy = FALSE;
new->retry_counter = lcconf->retry_counter;
new->retry_interval = lcconf->retry_interval;
new->nat_traversal = FALSE;
new->rsa_private = genlist_init();
new->rsa_public = genlist_init();
new->idv = NULL;
new->key = NULL;
new->dpd = TRUE; /* Enable DPD support by default */
new->dpd_interval = 0; /* Disable DPD checks by default */
new->dpd_retry = 5;
new->dpd_maxfails = 5;
new->weak_phase1_check = 0;
#ifdef ENABLE_HYBRID
new->xauth = NULL;
#endif
return new;
}
struct remoteconf *
copyrmconf(remote)
struct sockaddr *remote;
{
struct remoteconf *new, *old;
old = getrmconf_strict (remote, 0);
if (old == NULL) {
plog (LLV_ERROR, LOCATION, NULL,
"Remote configuration for '%s' not found!\n",
saddr2str (remote));
return NULL;
}
new = duprmconf (old);
return new;
}
void *
dupidvl(entry, arg)
void *entry;
void *arg;
{
struct idspec *id;
struct idspec *old = (struct idspec *) entry;
id = newidspec();
if (!id) return (void *) -1;
if (set_identifier(&id->id, old->idtype, old->id) != 0) {
racoon_free(id);
return (void *) -1;
}
id->idtype = old->idtype;
genlist_append(arg, id);
return NULL;
}
struct remoteconf *
duprmconf (rmconf)
struct remoteconf *rmconf;
{
struct remoteconf *new;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
memcpy (new, rmconf, sizeof (*new));
// FIXME: We should duplicate the proposal as well.
// This is now handled in the cfparse.y
// new->proposal = ...;
/* duplicate dynamic structures */
if (new->etypes)
new->etypes=dupetypes(new->etypes);
new->idvl_p = genlist_init();
genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);
return new;
}
static void
idspec_free(void *data)
{
vfree (((struct idspec *)data)->id);
free (data);
}
void
delrmconf(rmconf)
struct remoteconf *rmconf;
{
#ifdef ENABLE_HYBRID
if (rmconf->xauth)
xauth_rmconf_delete(&rmconf->xauth);
#endif
if (rmconf->etypes){
deletypes(rmconf->etypes);
rmconf->etypes=NULL;
}
if (rmconf->idvl_p)
genlist_free(rmconf->idvl_p, idspec_free);
if (rmconf->dhgrp)
oakley_dhgrp_free(rmconf->dhgrp);
if (rmconf->proposal)
delisakmpsa(rmconf->proposal);
racoon_free(rmconf);
}
void
delisakmpsa(sa)
struct isakmpsa *sa;
{
if (sa->dhgrp)
oakley_dhgrp_free(sa->dhgrp);
if (sa->next)
delisakmpsa(sa->next);
#ifdef HAVE_GSSAPI
if (sa->gssid)
vfree(sa->gssid);
#endif
racoon_free(sa);
}
struct etypes *
dupetypes(orig)
struct etypes *orig;
{
struct etypes *new;
if (!orig)
return NULL;
new = racoon_malloc(sizeof(struct etypes));
if (new == NULL)
return NULL;
new->type = orig->type;
new->next = NULL;
if (orig->next)
new->next=dupetypes(orig->next);
return new;
}
void
deletypes(e)
struct etypes *e;
{
if (e->next)
deletypes(e->next);
racoon_free(e);
}
/*
* insert into head of list.
*/
void
insrmconf(new)
struct remoteconf *new;
{
TAILQ_INSERT_HEAD(&rmtree, new, chain);
}
void
remrmconf(rmconf)
struct remoteconf *rmconf;
{
TAILQ_REMOVE(&rmtree, rmconf, chain);
}
void
flushrmconf()
{
struct remoteconf *p, *next;
for (p = TAILQ_FIRST(&rmtree); p; p = next) {
next = TAILQ_NEXT(p, chain);
remrmconf(p);
delrmconf(p);
}
}
void
initrmconf()
{
TAILQ_INIT(&rmtree);
}
void
save_rmconf()
{
rmtree_save=rmtree;
initrmconf();
}
void
save_rmconf_flush()
{
rmtree_tmp=rmtree;
rmtree=rmtree_save;
flushrmconf();
initrmconf();
rmtree=rmtree_tmp;
}
/* check exchange type to be acceptable */
struct etypes *
check_etypeok(rmconf, etype)
struct remoteconf *rmconf;
u_int8_t etype;
{
struct etypes *e;
for (e = rmconf->etypes; e != NULL; e = e->next) {
if (e->type == etype)
break;
}
return e;
}
/*%%%*/
struct isakmpsa *
newisakmpsa()
{
struct isakmpsa *new;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
/*
* Just for sanity, make sure this is initialized. This is
* filled in for real when the ISAKMP proposal is configured.
*/
new->vendorid = VENDORID_UNKNOWN;
new->next = NULL;
new->rmconf = NULL;
#ifdef HAVE_GSSAPI
new->gssid = NULL;
#endif
return new;
}
/*
* insert into tail of list.
*/
void
insisakmpsa(new, rmconf)
struct isakmpsa *new;
struct remoteconf *rmconf;
{
struct isakmpsa *p;
new->rmconf = rmconf;
if (rmconf->proposal == NULL) {
rmconf->proposal = new;
return;
}
for (p = rmconf->proposal; p->next != NULL; p = p->next)
;
p->next = new;
return;
}
struct remoteconf *
foreachrmconf(rmconf_func_t rmconf_func, void *data)
{
struct remoteconf *p, *ret = NULL;
RACOON_TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
ret = (*rmconf_func)(p, data);
if (ret)
break;
}
return ret;
}
static void *
dump_peers_identifiers (void *entry, void *arg)
{
struct idspec *id = (struct idspec*) entry;
char buf[1024], *pbuf;
pbuf = buf;
pbuf += sprintf (pbuf, "\tpeers_identifier %s",
s_idtype (id->idtype));
if (id->id)
pbuf += sprintf (pbuf, " \"%s\"", id->id->v);
plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
return NULL;
}
static struct remoteconf *
dump_rmconf_single (struct remoteconf *p, void *data)
{
struct etypes *etype = p->etypes;
struct isakmpsa *prop = p->proposal;
char buf[1024], *pbuf;
pbuf = buf;
pbuf += sprintf(pbuf, "remote %s", saddr2str(p->remote));
if (p->inherited_from)
pbuf += sprintf(pbuf, " inherit %s",
saddr2str(p->inherited_from->remote));
plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
pbuf = buf;
pbuf += sprintf(pbuf, "\texchange_type ");
while (etype) {
pbuf += sprintf (pbuf, "%s%s", s_etype(etype->type),
etype->next != NULL ? ", " : ";\n");
etype = etype->next;
}
plog(LLV_INFO, LOCATION, NULL, "%s", buf);
plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
pbuf = buf;
pbuf += sprintf(pbuf, "\tmy_identifier %s", s_idtype (p->idvtype));
if (p->idvtype == IDTYPE_ASN1DN) {
plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
p->mycertfile, p->myprivfile);
switch (p->getcert_method) {
case 0:
break;
case ISAKMP_GETCERT_PAYLOAD:
plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
break;
case ISAKMP_GETCERT_LOCALFILE:
plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
break;
case ISAKMP_GETCERT_DNS:
plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
break;
default:
plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
}
}
else {
if (p->idv)
pbuf += sprintf (pbuf, " \"%s\"", p->idv->v);
plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
}
plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
s_switch (p->send_cert));
plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
s_switch (p->send_cr));
plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
s_switch (p->verify_cert));
plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
s_switch (p->verify_identifier));
plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
p->nat_traversal == NATT_FORCE ?
"force" : s_switch (p->nat_traversal));
plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
p->nonce_size);
plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
s_switch (p->passive));
plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
p->ike_frag == ISAKMP_FRAG_FORCE ?
"force" : s_switch (p->ike_frag));
plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
s_switch (p->ini_contact));
plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
s_switch (p->gen_policy));
plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
s_switch (p->support_proxy));
while (prop) {
plog(LLV_INFO, LOCATION, NULL, "\n");
plog(LLV_INFO, LOCATION, NULL,
"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
prop->prop_no, prop->trns_no,
saddr2str(prop->rmconf->remote));
plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
(long)prop->lifetime);
plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
prop->lifebyte);
plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
alg_oakley_dhdef_name(prop->dh_group));
plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
alg_oakley_encdef_name(prop->enctype));
plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
alg_oakley_hashdef_name(prop->hashtype));
plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
alg_oakley_authdef_name(prop->authmethod));
plog(LLV_INFO, LOCATION, NULL, "\t}\n");
prop = prop->next;
}
plog(LLV_INFO, LOCATION, NULL, "}\n");
plog(LLV_INFO, LOCATION, NULL, "\n");
return NULL;
}
void
dumprmconf()
{
foreachrmconf (dump_rmconf_single, NULL);
}
struct idspec *
newidspec()
{
struct idspec *new;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
new->idtype = IDTYPE_ADDRESS;
return new;
}
vchar_t *
script_path_add(path)
vchar_t *path;
{
char *script_dir;
vchar_t *new_path;
vchar_t *new_storage;
vchar_t **sp;
size_t len;
size_t size;
script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
/* Try to find the script in the script directory */
if ((path->v[0] != '/') && (script_dir != NULL)) {
len = strlen(script_dir) + sizeof("/") + path->l + 1;
if ((new_path = vmalloc(len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory: %s\n", strerror(errno));
return NULL;
}
new_path->v[0] = '\0';
(void)strlcat(new_path->v, script_dir, len);
(void)strlcat(new_path->v, "/", len);
(void)strlcat(new_path->v, path->v, len);
vfree(path);
path = new_path;
}
return path;
}
struct isakmpsa *
dupisakmpsa(struct isakmpsa *sa)
{
struct isakmpsa *res=NULL;
if(sa == NULL)
return NULL;
res=newisakmpsa();
if(res == NULL)
return NULL;
*res=*sa;
#ifdef HAVE_GSSAPI
/* XXX gssid
*/
#endif
res->next=NULL;
if(sa->dhgrp != NULL)
oakley_setdhgroup (sa->dh_group, &(res->dhgrp));
return res;
}