1 /* $NetBSD: remoteconf.c,v 1.26 2011/03/14 15:50:36 vanhu Exp $ */ 2 3 /* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 #include <netinet/in_systm.h> 43 #include <netinet/ip.h> 44 45 #include PATH_IPSEC_H 46 47 #include <stdlib.h> 48 #include <stdio.h> 49 #include <string.h> 50 #include <errno.h> 51 52 #include "var.h" 53 #include "misc.h" 54 #include "vmbuf.h" 55 #include "plog.h" 56 #include "sockmisc.h" 57 #include "genlist.h" 58 #include "debug.h" 59 60 #include "isakmp_var.h" 61 #ifdef ENABLE_HYBRID 62 #include "isakmp_xauth.h" 63 #endif 64 #include "isakmp.h" 65 #include "ipsec_doi.h" 66 #include "crypto_openssl.h" 67 #include "oakley.h" 68 #include "remoteconf.h" 69 #include "localconf.h" 70 #include "grabmyaddr.h" 71 #include "policy.h" 72 #include "proposal.h" 73 #include "vendorid.h" 74 #include "gcmalloc.h" 75 #include "strnames.h" 76 #include "algorithm.h" 77 #include "nattraversal.h" 78 #include "isakmp_frag.h" 79 #include "handler.h" 80 #include "genlist.h" 81 #include "rsalist.h" 82 83 typedef TAILQ_HEAD(_rmtree, remoteconf) remoteconf_tailq_head_t; 84 static remoteconf_tailq_head_t rmtree, rmtree_save; 85 86 /* 87 * Script hook names and script hook paths 88 */ 89 char *script_names[SCRIPT_MAX + 1] = { 90 "phase1_up", "phase1_down", "phase1_dead" }; 91 92 /*%%%*/ 93 94 int 95 rmconf_match_identity(rmconf, id_p) 96 struct remoteconf *rmconf; 97 vchar_t *id_p; 98 { 99 struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id_p->v; 100 struct sockaddr *sa; 101 caddr_t sa1, sa2; 102 vchar_t ident; 103 struct idspec *id; 104 struct genlist_entry *gpb; 105 106 /* compare with the ID if specified. */ 107 if (!genlist_next(rmconf->idvl_p, 0)) 108 return 0; 109 110 for (id = genlist_next(rmconf->idvl_p, &gpb); id; id = genlist_next(0, &gpb)) { 111 /* No ID specified in configuration, so it is ok */ 112 if (id->id == 0) 113 return 0; 114 115 /* check the type of both IDs */ 116 if (id->idtype != doi2idtype(id_b->type)) 117 continue; /* ID type mismatch */ 118 119 /* compare defined ID with the ID sent by peer. */ 120 switch (id->idtype) { 121 case IDTYPE_ASN1DN: 122 ident.v = id_p->v + sizeof(*id_b); 123 ident.l = id_p->l - sizeof(*id_b); 124 if (eay_cmp_asn1dn(id->id, &ident) == 0) 125 return 0; 126 break; 127 case IDTYPE_ADDRESS: 128 sa = (struct sockaddr *)id->id->v; 129 sa2 = (caddr_t)(id_b + 1); 130 switch (sa->sa_family) { 131 case AF_INET: 132 if (id_p->l - sizeof(*id_b) != sizeof(struct in_addr)) 133 continue; /* ID value mismatch */ 134 sa1 = (caddr_t) &((struct sockaddr_in *)sa)->sin_addr; 135 if (memcmp(sa1, sa2, sizeof(struct in_addr)) == 0) 136 return 0; 137 break; 138 #ifdef INET6 139 case AF_INET6: 140 if (id_p->l - sizeof(*id_b) != sizeof(struct in6_addr)) 141 continue; /* ID value mismatch */ 142 sa1 = (caddr_t) &((struct sockaddr_in6 *)sa)->sin6_addr; 143 if (memcmp(sa1, sa2, sizeof(struct in6_addr)) == 0) 144 return 0; 145 break; 146 #endif 147 default: 148 break; 149 } 150 break; 151 default: 152 if (memcmp(id->id->v, id_b + 1, id->id->l) == 0) 153 return 0; 154 break; 155 } 156 } 157 158 plog(LLV_WARNING, LOCATION, NULL, "No ID match.\n"); 159 if (rmconf->verify_identifier) 160 return ISAKMP_NTYPE_INVALID_ID_INFORMATION; 161 162 return 0; 163 } 164 165 static int 166 rmconf_match_etype_and_approval(rmconf, etype, approval) 167 struct remoteconf *rmconf; 168 int etype; 169 struct isakmpsa *approval; 170 { 171 struct isakmpsa *p; 172 173 if (check_etypeok(rmconf, (void *) (intptr_t) etype) == 0) 174 return ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 175 176 if (approval == NULL) 177 return 0; 178 179 if (etype == ISAKMP_ETYPE_AGG && 180 approval->dh_group != rmconf->dh_group) 181 return ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 182 183 if (checkisakmpsa(rmconf->pcheck_level, approval, 184 rmconf->proposal) == NULL) 185 return ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; 186 187 return 0; 188 } 189 190 enum rmconf_match_t { 191 MATCH_NONE = 0, 192 MATCH_BASIC = 0x0000001, 193 MATCH_ADDRESS = 0x0000002, 194 MATCH_SA = 0x0000004, 195 MATCH_IDENTITY = 0x0000008, 196 MATCH_AUTH_IDENTITY = 0x0000010, 197 }; 198 199 static int 200 rmconf_match_type(rmsel, rmconf) 201 struct rmconfselector *rmsel; 202 struct remoteconf *rmconf; 203 { 204 int ret = MATCH_NONE, tmp; 205 206 /* No match at all: unwanted anonymous */ 207 if ((rmsel->flags & GETRMCONF_F_NO_ANONYMOUS) && 208 rmconf->remote->sa_family == AF_UNSPEC){ 209 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 210 "Not matched: Anonymous conf.\n"); 211 return MATCH_NONE; 212 } 213 214 if ((rmsel->flags & GETRMCONF_F_NO_PASSIVE) && rmconf->passive){ 215 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 216 "Not matched: passive conf.\n"); 217 return MATCH_NONE; 218 } 219 220 ret |= MATCH_BASIC; 221 222 /* Check address */ 223 if (rmsel->remote != NULL) { 224 if (rmconf->remote->sa_family != AF_UNSPEC) { 225 if (cmpsaddr(rmsel->remote, rmconf->remote) == CMPSADDR_MISMATCH){ 226 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 227 "Not matched: address mismatch.\n"); 228 return MATCH_NONE; 229 } 230 231 /* Address matched */ 232 ret |= MATCH_ADDRESS; 233 } 234 } 235 236 /* Check etype and approval */ 237 if (rmsel->etype != ISAKMP_ETYPE_NONE) { 238 tmp=rmconf_match_etype_and_approval(rmconf, rmsel->etype, 239 rmsel->approval); 240 if (tmp != 0){ 241 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 242 "Not matched: etype (%d)/approval mismatch (%d).\n", rmsel->etype, tmp); 243 return MATCH_NONE; 244 } 245 ret |= MATCH_SA; 246 } 247 248 /* Check identity */ 249 if (rmsel->identity != NULL && rmconf->verify_identifier) { 250 if (rmconf_match_identity(rmconf, rmsel->identity) != 0){ 251 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 252 "Not matched: identity mismatch.\n"); 253 return MATCH_NONE; 254 } 255 ret |= MATCH_IDENTITY; 256 } 257 258 /* Check certificate request */ 259 if (rmsel->certificate_request != NULL) { 260 if (oakley_get_certtype(rmsel->certificate_request) != 261 oakley_get_certtype(rmconf->mycert)){ 262 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 263 "Not matched: cert type mismatch.\n"); 264 return MATCH_NONE; 265 } 266 267 if (rmsel->certificate_request->l > 1) { 268 vchar_t *issuer; 269 270 issuer = eay_get_x509asn1issuername(rmconf->mycert); 271 if (rmsel->certificate_request->l - 1 != issuer->l || 272 memcmp(rmsel->certificate_request->v + 1, 273 issuer->v, issuer->l) != 0) { 274 vfree(issuer); 275 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 276 "Not matched: cert issuer mismatch.\n"); 277 return MATCH_NONE; 278 } 279 vfree(issuer); 280 } else { 281 if (!rmconf->match_empty_cr){ 282 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 283 "Not matched: empty certificate request.\n"); 284 return MATCH_NONE; 285 } 286 } 287 288 ret |= MATCH_AUTH_IDENTITY; 289 } 290 291 return ret; 292 } 293 294 void rmconf_selector_from_ph1(rmsel, iph1) 295 struct rmconfselector *rmsel; 296 struct ph1handle *iph1; 297 { 298 memset(rmsel, 0, sizeof(*rmsel)); 299 rmsel->flags = 0; 300 rmsel->remote = iph1->remote; 301 rmsel->etype = iph1->etype; 302 rmsel->approval = iph1->approval; 303 rmsel->identity = iph1->id_p; 304 rmsel->certificate_request = iph1->cr_p; 305 } 306 307 int 308 enumrmconf(rmsel, enum_func, enum_arg) 309 struct rmconfselector *rmsel; 310 int (* enum_func)(struct remoteconf *rmconf, void *arg); 311 void *enum_arg; 312 { 313 struct remoteconf *p; 314 int ret = 0; 315 316 RACOON_TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) { 317 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 318 "Checking remote conf \"%s\" %s.\n", p->name, 319 p->remote->sa_family == AF_UNSPEC ? 320 "anonymous" : saddr2str(p->remote)); 321 322 if (rmsel != NULL) { 323 if (rmconf_match_type(rmsel, p) == MATCH_NONE){ 324 plog(LLV_DEBUG2, LOCATION, rmsel->remote, 325 "Not matched.\n"); 326 continue; 327 } 328 } 329 330 plog(LLV_DEBUG2, LOCATION, NULL, 331 "enumrmconf: \"%s\" matches.\n", p->name); 332 333 ret = (*enum_func)(p, enum_arg); 334 if (ret) 335 break; 336 } 337 338 return ret; 339 } 340 341 struct rmconf_find_context { 342 struct rmconfselector sel; 343 344 struct remoteconf *rmconf; 345 int match_type; 346 int num_found; 347 }; 348 349 static int 350 rmconf_find(rmconf, ctx) 351 struct remoteconf *rmconf; 352 void *ctx; 353 { 354 struct rmconf_find_context *fctx = (struct rmconf_find_context *) ctx; 355 int match_type; 356 357 /* First matching remote conf? */ 358 match_type = rmconf_match_type(&fctx->sel, rmconf); 359 360 if (fctx->rmconf != NULL) { 361 /* More ambiguous matches are ignored. */ 362 if (match_type < fctx->match_type) 363 return 0; 364 365 if (match_type == fctx->match_type) { 366 /* Ambiguous match */ 367 fctx->num_found++; 368 return 0; 369 } 370 } 371 372 /* More exact match found */ 373 fctx->match_type = match_type; 374 fctx->num_found = 1; 375 fctx->rmconf = rmconf; 376 377 return 0; 378 } 379 380 /* 381 * search remote configuration. 382 * don't use port number to search if its value is either IPSEC_PORT_ANY. 383 * If matching anonymous entry, then new entry is copied from anonymous entry. 384 * If no anonymous entry found, then return NULL. 385 * OUT: NULL: NG 386 * Other: remote configuration entry. 387 */ 388 389 struct remoteconf * 390 getrmconf(remote, flags) 391 struct sockaddr *remote; 392 int flags; 393 { 394 struct rmconf_find_context ctx; 395 int n = 0; 396 397 memset(&ctx, 0, sizeof(ctx)); 398 ctx.sel.flags = flags; 399 ctx.sel.remote = remote; 400 401 if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) { 402 plog(LLV_ERROR, LOCATION, remote, 403 "multiple exact configurations.\n"); 404 return NULL; 405 } 406 407 if (ctx.rmconf == NULL) { 408 plog(LLV_DEBUG, LOCATION, remote, 409 "no remote configuration found.\n"); 410 return NULL; 411 } 412 413 if (ctx.num_found != 1) { 414 plog(LLV_DEBUG, LOCATION, remote, 415 "multiple non-exact configurations found.\n"); 416 return NULL; 417 } 418 419 plog(LLV_DEBUG, LOCATION, remote, 420 "configuration \"%s\" selected.\n", 421 ctx.rmconf->name); 422 423 return ctx.rmconf; 424 } 425 426 struct remoteconf * 427 getrmconf_by_ph1(iph1) 428 struct ph1handle *iph1; 429 { 430 struct rmconf_find_context ctx; 431 432 memset(&ctx, 0, sizeof(ctx)); 433 rmconf_selector_from_ph1(&ctx.sel, iph1); 434 if (loglevel >= LLV_DEBUG) { 435 char *idstr = NULL; 436 437 if (iph1->id_p != NULL) 438 idstr = ipsecdoi_id2str(iph1->id_p); 439 440 plog(LLV_DEBUG, LOCATION, iph1->remote, 441 "getrmconf_by_ph1: remote %s, identity %s.\n", 442 saddr2str(iph1->remote), idstr ? idstr : "<any>"); 443 444 if (idstr) 445 racoon_free(idstr); 446 } 447 448 if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) { 449 plog(LLV_ERROR, LOCATION, iph1->remote, 450 "multiple exact configurations.\n"); 451 return RMCONF_ERR_MULTIPLE; 452 } 453 454 if (ctx.rmconf == NULL) { 455 plog(LLV_DEBUG, LOCATION, iph1->remote, 456 "no remote configuration found\n"); 457 return NULL; 458 } 459 460 if (ctx.num_found != 1) { 461 plog(LLV_DEBUG, LOCATION, iph1->remote, 462 "multiple non-exact configurations found.\n"); 463 return RMCONF_ERR_MULTIPLE; 464 } 465 466 plog(LLV_DEBUG, LOCATION, iph1->remote, 467 "configuration \"%s\" selected.\n", 468 ctx.rmconf->name); 469 470 return ctx.rmconf; 471 } 472 473 struct remoteconf * 474 getrmconf_by_name(name) 475 const char *name; 476 { 477 struct remoteconf *p; 478 479 plog(LLV_DEBUG, LOCATION, NULL, 480 "getrmconf_by_name: remote \"%s\".\n", 481 name); 482 483 RACOON_TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) { 484 if (p->name == NULL) 485 continue; 486 487 if (strcmp(name, p->name) == 0) 488 return p; 489 } 490 491 return NULL; 492 } 493 494 struct remoteconf * 495 newrmconf() 496 { 497 struct remoteconf *new; 498 int i; 499 500 new = racoon_calloc(1, sizeof(*new)); 501 if (new == NULL) 502 return NULL; 503 504 new->proposal = NULL; 505 506 /* set default */ 507 new->doitype = IPSEC_DOI; 508 new->sittype = IPSECDOI_SIT_IDENTITY_ONLY; 509 new->idvtype = IDTYPE_UNDEFINED; 510 new->idvl_p = genlist_init(); 511 new->nonce_size = DEFAULT_NONCE_SIZE; 512 new->passive = FALSE; 513 new->ike_frag = FALSE; 514 new->esp_frag = IP_MAXPACKET; 515 new->ini_contact = TRUE; 516 new->mode_cfg = FALSE; 517 new->pcheck_level = PROP_CHECK_STRICT; 518 new->verify_identifier = FALSE; 519 new->verify_cert = TRUE; 520 new->cacertfile = NULL; 521 new->send_cert = TRUE; 522 new->send_cr = TRUE; 523 new->match_empty_cr = FALSE; 524 new->support_proxy = FALSE; 525 for (i = 0; i <= SCRIPT_MAX; i++) 526 new->script[i] = NULL; 527 new->gen_policy = FALSE; 528 new->nat_traversal = FALSE; 529 new->rsa_private = genlist_init(); 530 new->rsa_public = genlist_init(); 531 new->idv = NULL; 532 new->key = NULL; 533 534 new->dpd = TRUE; /* Enable DPD support by default */ 535 new->dpd_interval = 0; /* Disable DPD checks by default */ 536 new->dpd_retry = 5; 537 new->dpd_maxfails = 5; 538 539 new->rekey = REKEY_ON; 540 541 new->weak_phase1_check = 0; 542 543 #ifdef ENABLE_HYBRID 544 new->xauth = NULL; 545 #endif 546 547 new->lifetime = oakley_get_defaultlifetime(); 548 549 return new; 550 } 551 552 #ifndef ANDROID_PATCHED 553 554 void * 555 dupidvl(entry, arg) 556 void *entry; 557 void *arg; 558 { 559 struct idspec *id; 560 struct idspec *old = (struct idspec *) entry; 561 id = newidspec(); 562 if (!id) return (void *) -1; 563 564 if (set_identifier(&id->id, old->idtype, old->id) != 0) { 565 racoon_free(id); 566 return (void *) -1; 567 } 568 569 id->idtype = old->idtype; 570 571 genlist_append(arg, id); 572 return NULL; 573 } 574 575 void * 576 duprsa(entry, arg) 577 void *entry; 578 void *arg; 579 { 580 struct rsa_key *new; 581 582 new = rsa_key_dup((struct rsa_key *)entry); 583 if (new == NULL) 584 return (void *) -1; 585 genlist_append(arg, new); 586 587 /* keep genlist_foreach going */ 588 return NULL; 589 } 590 591 /* Creates shallow copy of a remote config. Used for "inherit" keyword. */ 592 struct remoteconf * 593 duprmconf_shallow (rmconf) 594 struct remoteconf *rmconf; 595 { 596 struct remoteconf *new; 597 struct proposalspec *prspec; 598 599 new = racoon_calloc(1, sizeof(*new)); 600 if (new == NULL) 601 return NULL; 602 603 memcpy(new, rmconf, sizeof(*new)); 604 new->name = NULL; 605 new->inherited_from = rmconf; 606 607 new->proposal = NULL; /* will be filled by set_isakmp_proposal() */ 608 609 return new; 610 } 611 612 /* Copies pointer structures of an inherited remote config. 613 * Used by "inherit" mechanism in a two step copy method, necessary to 614 * prevent both double free() and memory leak during config reload. 615 */ 616 int 617 duprmconf_finish (new) 618 struct remoteconf *new; 619 { 620 struct remoteconf *rmconf; 621 int i; 622 623 if (new->inherited_from == NULL) 624 return 0; /* nothing todo, no inheritance */ 625 626 rmconf = new->inherited_from; 627 628 /* duplicate dynamic structures unless value overridden */ 629 if (new->etypes != NULL && new->etypes == rmconf->etypes) 630 new->etypes = dupetypes(new->etypes); 631 if (new->idvl_p == rmconf->idvl_p) { 632 new->idvl_p = genlist_init(); 633 genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p); 634 } 635 636 if (new->rsa_private == rmconf->rsa_private) { 637 new->rsa_private = genlist_init(); 638 genlist_foreach(rmconf->rsa_private, duprsa, new->rsa_private); 639 } 640 if (new->rsa_public == rmconf->rsa_public) { 641 new->rsa_public = genlist_init(); 642 genlist_foreach(rmconf->rsa_public, duprsa, new->rsa_public); 643 } 644 if (new->remote != NULL && new->remote == rmconf->remote) { 645 new->remote = racoon_malloc(sizeof(*new->remote)); 646 if (new->remote == NULL) { 647 plog(LLV_ERROR, LOCATION, NULL, 648 "duprmconf_finish: malloc failed (remote)\n"); 649 exit(1); 650 } 651 memcpy(new->remote, rmconf->remote, sizeof(*new->remote)); 652 } 653 if (new->spspec != NULL && new->spspec == rmconf->spspec) { 654 dupspspec_list(new, rmconf); 655 } 656 657 /* proposal has been deep copied already from spspec's, see 658 * cfparse.y:set_isakmp_proposal, which in turn calls 659 * cfparse.y:expand_isakmpspec where the copying happens. 660 */ 661 662 #ifdef ENABLE_HYBRID 663 if (new->xauth != NULL && new->xauth == rmconf->xauth) { 664 new->xauth = xauth_rmconf_dup(new->xauth); 665 if (new->xauth == NULL) 666 exit(1); 667 } 668 #endif 669 670 /* duplicate strings unless value overridden */ 671 if (new->mycertfile != NULL && new->mycertfile == rmconf->mycertfile) { 672 new->mycertfile = racoon_strdup(new->mycertfile); 673 STRDUP_FATAL(new->mycertfile); 674 } 675 if (new->myprivfile != NULL && new->myprivfile == rmconf->myprivfile) { 676 new->myprivfile = racoon_strdup(new->myprivfile); 677 STRDUP_FATAL(new->myprivfile); 678 } 679 if (new->peerscertfile != NULL && new->peerscertfile == rmconf->peerscertfile) { 680 new->peerscertfile = racoon_strdup(new->peerscertfile); 681 STRDUP_FATAL(new->peerscertfile); 682 } 683 if (new->cacertfile != NULL && new->cacertfile == rmconf->cacertfile) { 684 new->cacertfile = racoon_strdup(new->cacertfile); 685 STRDUP_FATAL(new->cacertfile); 686 } 687 if (new->idv != NULL && new->idv == rmconf->idv) { 688 new->idv = vdup(new->idv); 689 STRDUP_FATAL(new->idv); 690 } 691 if (new->key != NULL && new->key == rmconf->key) { 692 new->key = vdup(new->key); 693 STRDUP_FATAL(new->key); 694 } 695 if (new->mycert != NULL && new->mycert == rmconf->mycert) { 696 new->mycert = vdup(new->mycert); 697 STRDUP_FATAL(new->mycert); 698 } 699 if (new->peerscert != NULL && new->peerscert == rmconf->peerscert) { 700 new->peerscert = vdup(new->peerscert); 701 STRDUP_FATAL(new->peerscert); 702 } 703 if (new->cacert != NULL && new->cacert == rmconf->cacert) { 704 new->cacert = vdup(new->cacert); 705 STRDUP_FATAL(new->cacert); 706 } 707 for (i = 0; i <= SCRIPT_MAX; i++) 708 if (new->script[i] != NULL && new->script[i] == rmconf->script[i]) { 709 new->script[i] = vdup(new->script[i]); 710 STRDUP_FATAL(new->script[i]); 711 } 712 713 return 0; 714 } 715 716 static void 717 idspec_free(void *data) 718 { 719 vfree (((struct idspec *)data)->id); 720 free (data); 721 } 722 723 void 724 delrmconf(rmconf) 725 struct remoteconf *rmconf; 726 { 727 int i; 728 729 #ifdef ENABLE_HYBRID 730 if (rmconf->xauth) 731 xauth_rmconf_delete(&rmconf->xauth); 732 #endif 733 if (rmconf->etypes){ 734 deletypes(rmconf->etypes); 735 rmconf->etypes=NULL; 736 } 737 if (rmconf->idv) 738 vfree(rmconf->idv); 739 if (rmconf->key) 740 vfree(rmconf->key); 741 if (rmconf->idvl_p) 742 genlist_free(rmconf->idvl_p, idspec_free); 743 if (rmconf->dhgrp) 744 oakley_dhgrp_free(rmconf->dhgrp); 745 if (rmconf->proposal) 746 delisakmpsa(rmconf->proposal); 747 flushspspec(rmconf); 748 if (rmconf->mycert) 749 vfree(rmconf->mycert); 750 if (rmconf->mycertfile) 751 racoon_free(rmconf->mycertfile); 752 if (rmconf->myprivfile) 753 racoon_free(rmconf->myprivfile); 754 if (rmconf->peerscert) 755 vfree(rmconf->peerscert); 756 if (rmconf->peerscertfile) 757 racoon_free(rmconf->peerscertfile); 758 if (rmconf->cacert) 759 vfree(rmconf->cacert); 760 if (rmconf->cacertfile) 761 racoon_free(rmconf->cacertfile); 762 if (rmconf->rsa_private) 763 genlist_free(rmconf->rsa_private, rsa_key_free); 764 if (rmconf->rsa_public) 765 genlist_free(rmconf->rsa_public, rsa_key_free); 766 if (rmconf->name) 767 racoon_free(rmconf->name); 768 if (rmconf->remote) 769 racoon_free(rmconf->remote); 770 for (i = 0; i <= SCRIPT_MAX; i++) 771 if (rmconf->script[i]) 772 vfree(rmconf->script[i]); 773 774 racoon_free(rmconf); 775 } 776 777 #else 778 779 void delrmconf(struct remoteconf *rmconf) 780 { 781 exit(1); 782 } 783 784 #endif 785 786 void 787 delisakmpsa(sa) 788 struct isakmpsa *sa; 789 { 790 if (sa->dhgrp) 791 oakley_dhgrp_free(sa->dhgrp); 792 if (sa->next) 793 delisakmpsa(sa->next); 794 #ifdef HAVE_GSSAPI 795 if (sa->gssid) 796 vfree(sa->gssid); 797 #endif 798 racoon_free(sa); 799 } 800 801 struct etypes * 802 dupetypes(orig) 803 struct etypes *orig; 804 { 805 struct etypes *new; 806 807 if (!orig) 808 return NULL; 809 810 new = racoon_malloc(sizeof(struct etypes)); 811 if (new == NULL) 812 return NULL; 813 814 new->type = orig->type; 815 new->next = NULL; 816 817 if (orig->next) 818 new->next=dupetypes(orig->next); 819 820 return new; 821 } 822 823 void 824 deletypes(e) 825 struct etypes *e; 826 { 827 if (e->next) 828 deletypes(e->next); 829 racoon_free(e); 830 } 831 832 /* 833 * insert into head of list. 834 */ 835 void 836 insrmconf(new) 837 struct remoteconf *new; 838 { 839 if (new->name == NULL) { 840 new->name = racoon_strdup(saddr2str(new->remote)); 841 } 842 if (new->remote == NULL) { 843 new->remote = newsaddr(sizeof(struct sockaddr)); 844 new->remote->sa_family = AF_UNSPEC; 845 } 846 847 TAILQ_INSERT_HEAD(&rmtree, new, chain); 848 } 849 850 void 851 remrmconf(rmconf) 852 struct remoteconf *rmconf; 853 { 854 TAILQ_REMOVE(&rmtree, rmconf, chain); 855 } 856 857 void 858 flushrmconf() 859 { 860 struct remoteconf *p, *next; 861 862 for (p = TAILQ_FIRST(&rmtree); p; p = next) { 863 next = TAILQ_NEXT(p, chain); 864 remrmconf(p); 865 delrmconf(p); 866 } 867 } 868 869 void 870 initrmconf() 871 { 872 TAILQ_INIT(&rmtree); 873 } 874 875 void 876 rmconf_start_reload() 877 { 878 rmtree_save=rmtree; 879 initrmconf(); 880 } 881 882 void 883 rmconf_finish_reload() 884 { 885 remoteconf_tailq_head_t rmtree_tmp; 886 887 rmtree_tmp=rmtree; 888 rmtree=rmtree_save; 889 flushrmconf(); 890 initrmconf(); 891 rmtree=rmtree_tmp; 892 } 893 894 895 896 /* check exchange type to be acceptable */ 897 int 898 check_etypeok(rmconf, ctx) 899 struct remoteconf *rmconf; 900 void *ctx; 901 { 902 u_int8_t etype = (u_int8_t) (intptr_t) ctx; 903 struct etypes *e; 904 905 for (e = rmconf->etypes; e != NULL; e = e->next) { 906 if (e->type == etype) 907 return 1; 908 plog(LLV_DEBUG2, LOCATION, NULL, 909 "Etype mismatch: got %d, expected %d.\n", e->type, etype); 910 } 911 912 return 0; 913 } 914 915 /*%%%*/ 916 struct isakmpsa * 917 newisakmpsa() 918 { 919 struct isakmpsa *new; 920 921 new = racoon_calloc(1, sizeof(*new)); 922 if (new == NULL) 923 return NULL; 924 925 /* 926 * Just for sanity, make sure this is initialized. This is 927 * filled in for real when the ISAKMP proposal is configured. 928 */ 929 new->vendorid = VENDORID_UNKNOWN; 930 931 new->next = NULL; 932 #ifdef HAVE_GSSAPI 933 new->gssid = NULL; 934 #endif 935 936 return new; 937 } 938 939 /* 940 * insert into tail of list. 941 */ 942 void 943 insisakmpsa(new, rmconf) 944 struct isakmpsa *new; 945 struct remoteconf *rmconf; 946 { 947 struct isakmpsa *p; 948 949 if (rmconf->proposal == NULL) { 950 rmconf->proposal = new; 951 return; 952 } 953 954 for (p = rmconf->proposal; p->next != NULL; p = p->next) 955 ; 956 p->next = new; 957 } 958 959 static void * 960 dump_peers_identifiers (void *entry, void *arg) 961 { 962 struct idspec *id = (struct idspec*) entry; 963 char buf[1024], *pbuf; 964 pbuf = buf; 965 pbuf += sprintf (pbuf, "\tpeers_identifier %s", 966 s_idtype (id->idtype)); 967 if (id->id) 968 pbuf += sprintf (pbuf, " \"%s\"", id->id->v); 969 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); 970 return NULL; 971 } 972 973 static int 974 dump_rmconf_single (struct remoteconf *p, void *data) 975 { 976 struct etypes *etype = p->etypes; 977 struct isakmpsa *prop = p->proposal; 978 char buf[1024], *pbuf; 979 980 pbuf = buf; 981 982 pbuf += sprintf(pbuf, "remote \"%s\"", p->name); 983 if (p->inherited_from) 984 pbuf += sprintf(pbuf, " inherit \"%s\"", 985 p->inherited_from->name); 986 plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf); 987 pbuf = buf; 988 pbuf += sprintf(pbuf, "\texchange_type "); 989 while (etype) { 990 pbuf += sprintf (pbuf, "%s%s", s_etype(etype->type), 991 etype->next != NULL ? ", " : ";\n"); 992 etype = etype->next; 993 } 994 plog(LLV_INFO, LOCATION, NULL, "%s", buf); 995 plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype)); 996 pbuf = buf; 997 pbuf += sprintf(pbuf, "\tmy_identifier %s", s_idtype (p->idvtype)); 998 if (p->idvtype == IDTYPE_ASN1DN) { 999 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); 1000 plog(LLV_INFO, LOCATION, NULL, 1001 "\tcertificate_type %s \"%s\" \"%s\";\n", 1002 oakley_get_certtype(p->mycert) == ISAKMP_CERT_X509SIGN 1003 ? "x509" : "*UNKNOWN*", 1004 p->mycertfile, p->myprivfile); 1005 1006 switch (oakley_get_certtype(p->peerscert)) { 1007 case ISAKMP_CERT_NONE: 1008 plog(LLV_INFO, LOCATION, NULL, 1009 "\t/* peers certificate from payload */\n"); 1010 break; 1011 case ISAKMP_CERT_X509SIGN: 1012 plog(LLV_INFO, LOCATION, NULL, 1013 "\tpeers_certfile \"%s\";\n", p->peerscertfile); 1014 break; 1015 case ISAKMP_CERT_DNS: 1016 plog(LLV_INFO, LOCATION, NULL, 1017 "\tpeers_certfile dnssec;\n"); 1018 break; 1019 default: 1020 plog(LLV_INFO, LOCATION, NULL, 1021 "\tpeers_certfile *UNKNOWN* (%d)\n", 1022 oakley_get_certtype(p->peerscert)); 1023 break; 1024 } 1025 } 1026 else { 1027 if (p->idv) 1028 pbuf += sprintf (pbuf, " \"%s\"", p->idv->v); 1029 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf); 1030 genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL); 1031 } 1032 1033 plog(LLV_INFO, LOCATION, NULL, "\trekey %s;\n", 1034 p->rekey == REKEY_FORCE ? "force" : s_switch (p->rekey)); 1035 plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n", 1036 s_switch (p->send_cert)); 1037 plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n", 1038 s_switch (p->send_cr)); 1039 plog(LLV_INFO, LOCATION, NULL, "\tmatch_empty_cr %s;\n", 1040 s_switch (p->match_empty_cr)); 1041 plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n", 1042 s_switch (p->verify_cert)); 1043 plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n", 1044 s_switch (p->verify_identifier)); 1045 plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n", 1046 p->nat_traversal == NATT_FORCE ? 1047 "force" : s_switch (p->nat_traversal)); 1048 plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n", 1049 p->nonce_size); 1050 plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n", 1051 s_switch (p->passive)); 1052 plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n", 1053 p->ike_frag == ISAKMP_FRAG_FORCE ? 1054 "force" : s_switch (p->ike_frag)); 1055 plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag); 1056 plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n", 1057 s_switch (p->ini_contact)); 1058 plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n", 1059 s_switch (p->gen_policy)); 1060 plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n", 1061 s_switch (p->support_proxy)); 1062 1063 while (prop) { 1064 plog(LLV_INFO, LOCATION, NULL, "\n"); 1065 plog(LLV_INFO, LOCATION, NULL, 1066 "\t/* prop_no=%d, trns_no=%d */\n", 1067 prop->prop_no, prop->trns_no); 1068 plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n"); 1069 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n", 1070 (long)prop->lifetime); 1071 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n", 1072 prop->lifebyte); 1073 plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n", 1074 alg_oakley_dhdef_name(prop->dh_group)); 1075 plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n", 1076 alg_oakley_encdef_name(prop->enctype)); 1077 plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n", 1078 alg_oakley_hashdef_name(prop->hashtype)); 1079 plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n", 1080 alg_oakley_authdef_name(prop->authmethod)); 1081 plog(LLV_INFO, LOCATION, NULL, "\t}\n"); 1082 prop = prop->next; 1083 } 1084 plog(LLV_INFO, LOCATION, NULL, "}\n"); 1085 plog(LLV_INFO, LOCATION, NULL, "\n"); 1086 1087 return 0; 1088 } 1089 1090 void 1091 dumprmconf() 1092 { 1093 enumrmconf(NULL, dump_rmconf_single, NULL); 1094 } 1095 1096 struct idspec * 1097 newidspec() 1098 { 1099 struct idspec *new; 1100 1101 new = racoon_calloc(1, sizeof(*new)); 1102 if (new == NULL) 1103 return NULL; 1104 new->idtype = IDTYPE_ADDRESS; 1105 1106 return new; 1107 } 1108 1109 vchar_t * 1110 script_path_add(path) 1111 vchar_t *path; 1112 { 1113 char *script_dir; 1114 vchar_t *new_path; 1115 vchar_t *new_storage; 1116 vchar_t **sp; 1117 size_t len; 1118 size_t size; 1119 1120 script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT]; 1121 1122 /* Try to find the script in the script directory */ 1123 if ((path->v[0] != '/') && (script_dir != NULL)) { 1124 len = strlen(script_dir) + sizeof("/") + path->l + 1; 1125 1126 if ((new_path = vmalloc(len)) == NULL) { 1127 plog(LLV_ERROR, LOCATION, NULL, 1128 "Cannot allocate memory: %s\n", strerror(errno)); 1129 return NULL; 1130 } 1131 1132 new_path->v[0] = '\0'; 1133 (void)strlcat(new_path->v, script_dir, len); 1134 (void)strlcat(new_path->v, "/", len); 1135 (void)strlcat(new_path->v, path->v, len); 1136 1137 vfree(path); 1138 path = new_path; 1139 } 1140 1141 return path; 1142 } 1143 1144 1145 struct isakmpsa * 1146 dupisakmpsa(struct isakmpsa *sa) 1147 { 1148 struct isakmpsa *res = NULL; 1149 1150 if(sa == NULL) 1151 return NULL; 1152 1153 res = newisakmpsa(); 1154 if(res == NULL) 1155 return NULL; 1156 1157 *res = *sa; 1158 #ifdef HAVE_GSSAPI 1159 if (sa->gssid != NULL) 1160 res->gssid = vdup(sa->gssid); 1161 #endif 1162 res->next = NULL; 1163 1164 if(sa->dhgrp != NULL) 1165 oakley_setdhgroup(sa->dh_group, &res->dhgrp); 1166 1167 return res; 1168 1169 } 1170 1171 #ifdef ENABLE_HYBRID 1172 int 1173 isakmpsa_switch_authmethod(authmethod) 1174 int authmethod; 1175 { 1176 switch(authmethod) { 1177 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1178 authmethod = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I; 1179 break; 1180 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1181 authmethod = OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I; 1182 break; 1183 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1184 authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I; 1185 break; 1186 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1187 authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I; 1188 break; 1189 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1190 authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I; 1191 break; 1192 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1193 authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I; 1194 break; 1195 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1196 authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I; 1197 break; 1198 default: 1199 break; 1200 } 1201 1202 return authmethod; 1203 } 1204 #endif 1205 1206 /* 1207 * Given a proposed ISAKMP SA, and a list of acceptable 1208 * ISAKMP SAs, it compares using pcheck_level policy and 1209 * returns first match (if any). 1210 */ 1211 struct isakmpsa * 1212 checkisakmpsa(pcheck_level, proposal, acceptable) 1213 int pcheck_level; 1214 struct isakmpsa *proposal, *acceptable; 1215 { 1216 struct isakmpsa *p; 1217 1218 for (p = acceptable; p != NULL; p = p->next){ 1219 plog(LLV_DEBUG2, LOCATION, NULL, 1220 "checkisakmpsa:\nauthmethod: %d / %d\n", 1221 isakmpsa_switch_authmethod(proposal->authmethod), isakmpsa_switch_authmethod(p->authmethod)); 1222 if (isakmpsa_switch_authmethod(proposal->authmethod) != isakmpsa_switch_authmethod(p->authmethod) || 1223 proposal->enctype != p->enctype || 1224 proposal->dh_group != p->dh_group || 1225 proposal->hashtype != p->hashtype) 1226 continue; 1227 1228 switch (pcheck_level) { 1229 case PROP_CHECK_OBEY: 1230 break; 1231 1232 case PROP_CHECK_CLAIM: 1233 case PROP_CHECK_STRICT: 1234 if (proposal->encklen < p->encklen || 1235 #if 0 1236 proposal->lifebyte > p->lifebyte || 1237 #endif 1238 proposal->lifetime > p->lifetime) 1239 continue; 1240 break; 1241 1242 case PROP_CHECK_EXACT: 1243 if (proposal->encklen != p->encklen || 1244 #if 0 1245 proposal->lifebyte != p->lifebyte || 1246 #endif 1247 proposal->lifetime != p->lifetime) 1248 continue; 1249 break; 1250 1251 default: 1252 continue; 1253 } 1254 1255 return p; 1256 } 1257 1258 return NULL; 1259 } 1260
