1 /*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <unistd.h>
21 #include <sys/param.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <netinet/ip.h>
26 #include <netdb.h>
27 #include <fcntl.h>
28
29 #include "config.h"
30 #include "gcmalloc.h"
31 #include "libpfkey.h"
32 #include "var.h"
33 #include "isakmp_var.h"
34 #include "isakmp.h"
35 #include "isakmp_xauth.h"
36 #include "vmbuf.h"
37 #include "crypto_openssl.h"
38 #include "oakley.h"
39 #include "ipsec_doi.h"
40 #include "algorithm.h"
41 #include "vendorid.h"
42 #include "schedule.h"
43 #include "pfkey.h"
44 #include "nattraversal.h"
45 #include "proposal.h"
46 #include "sainfo.h"
47 #include "localconf.h"
48 #include "remoteconf.h"
49 #include "sockmisc.h"
50 #include "grabmyaddr.h"
51 #include "plog.h"
52 #include "admin.h"
53 #include "privsep.h"
54 #include "throttle.h"
55 #include "misc.h"
56 #include "handler.h"
57
58 static struct localconf localconf;
59 static struct sainfo sainfo;
60 static char *pre_shared_key;
61
62 static struct sockaddr *targets[2];
63 static struct sockaddr *source;
64 static struct myaddrs myaddrs[2];
65
66 struct localconf *lcconf = &localconf;
67 int f_local = 0;
68
69 /*****************************************************************************/
70
add_sainfo_algorithm(int class,int algorithm,int length)71 static void add_sainfo_algorithm(int class, int algorithm, int length)
72 {
73 struct sainfoalg *p = calloc(1, sizeof(struct sainfoalg));
74 p->alg = algorithm;
75 p->encklen = length;
76
77 if (!sainfo.algs[class]) {
78 sainfo.algs[class] = p;
79 } else {
80 struct sainfoalg *q = sainfo.algs[class];
81 while (q->next) {
82 q = q->next;
83 }
84 q->next = p;
85 }
86 }
87
add_sainfo()88 static void add_sainfo() {
89 if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_512, 0) == 0) {
90 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, 0);
91 } else {
92 do_plog(LLV_WARNING, "Kernel does not support SHA512, not enabling\n");
93 }
94 if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_384, 0) == 0) {
95 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_384, 0);
96 } else {
97 do_plog(LLV_WARNING, "Kernel does not support SHA384, not enabling\n");
98 }
99 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
100 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, 0);
101 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
102 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
103 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
104 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
105 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
106 }
107
set_globals(char * server)108 static void set_globals(char *server)
109 {
110 struct addrinfo hints = {
111 .ai_flags = AI_NUMERICSERV,
112 #ifndef INET6
113 .ai_family = AF_INET,
114 #else
115 .ai_family = AF_UNSPEC,
116 #endif
117 .ai_socktype = SOCK_DGRAM,
118 };
119 struct addrinfo *info;
120
121 if (getaddrinfo(server, "500", &hints, &info) != 0) {
122 do_plog(LLV_ERROR, "Cannot resolve address: %s\n", server);
123 exit(1);
124 }
125 if (info->ai_next) {
126 do_plog(LLV_WARNING, "Found multiple addresses. Use the first one.\n");
127 }
128 targets[0] = dupsaddr(info->ai_addr);
129 freeaddrinfo(info);
130
131 source = getlocaladdr(targets[0]);
132 if (!source) {
133 do_plog(LLV_ERROR, "Cannot get local address\n");
134 exit(1);
135 }
136 set_port(targets[0], 0);
137 set_port(source, 0);
138
139 myaddrs[0].addr = dupsaddr(source);
140 set_port(myaddrs[0].addr, PORT_ISAKMP);
141 myaddrs[0].sock = -1;
142 #ifdef ENABLE_NATT
143 myaddrs[0].next = &myaddrs[1];
144 myaddrs[1].addr = dupsaddr(myaddrs[0].addr);
145 set_port(myaddrs[1].addr, PORT_ISAKMP_NATT);
146 myaddrs[1].sock = -1;
147 myaddrs[1].udp_encap = 1;
148 #endif
149
150 localconf.myaddrs = &myaddrs[0];
151 localconf.port_isakmp = PORT_ISAKMP;
152 localconf.port_isakmp_natt = PORT_ISAKMP_NATT;
153 localconf.default_af = AF_INET;
154 localconf.pathinfo[LC_PATHTYPE_CERT] = "./";
155 localconf.pad_random = LC_DEFAULT_PAD_RANDOM;
156 localconf.pad_randomlen = LC_DEFAULT_PAD_RANDOM;
157 localconf.pad_strict = LC_DEFAULT_PAD_STRICT;
158 localconf.pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
159 localconf.retry_counter = 10;
160 localconf.retry_interval = 3;
161 localconf.count_persend = LC_DEFAULT_COUNT_PERSEND;
162 localconf.secret_size = LC_DEFAULT_SECRETSIZE;
163 localconf.retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
164 localconf.wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
165 localconf.natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
166
167 sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
168 sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
169
170 memset(script_names, 0, sizeof(script_names));
171 }
172
173 /*****************************************************************************/
174
policy_match(struct sadb_address * address)175 static int policy_match(struct sadb_address *address)
176 {
177 if (address) {
178 struct sockaddr *addr = PFKEY_ADDR_SADDR(address);
179 return !cmpsaddrwop(addr, targets[0]) || !cmpsaddrwop(addr, targets[1]);
180 }
181 return 0;
182 }
183
184 /* flush; spdflush; */
flush()185 static void flush()
186 {
187 struct sadb_msg *p;
188 int replies = 0;
189 int key = pfkey_open();
190
191 if (pfkey_send_dump(key, SADB_SATYPE_UNSPEC) <= 0 ||
192 pfkey_send_spddump(key) <= 0) {
193 do_plog(LLV_ERROR, "Cannot dump SAD and SPD\n");
194 exit(1);
195 }
196
197 for (p = NULL; replies < 2 && (p = pfkey_recv(key)) != NULL; free(p)) {
198 caddr_t q[SADB_EXT_MAX + 1];
199
200 if (p->sadb_msg_type != SADB_DUMP &&
201 p->sadb_msg_type != SADB_X_SPDDUMP) {
202 continue;
203 }
204 replies += !p->sadb_msg_seq;
205
206 if (p->sadb_msg_errno || pfkey_align(p, q) || pfkey_check(q)) {
207 continue;
208 }
209 if (policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_SRC]) ||
210 policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_DST])) {
211 p->sadb_msg_type = (p->sadb_msg_type == SADB_DUMP) ?
212 SADB_DELETE : SADB_X_SPDDELETE;
213 p->sadb_msg_reserved = 0;
214 p->sadb_msg_seq = 0;
215 pfkey_send(key, p, PFKEY_UNUNIT64(p->sadb_msg_len));
216 }
217 }
218
219 pfkey_close(key);
220 }
221
222 /* spdadd src dst protocol -P out ipsec esp/transport//require;
223 * spdadd dst src protocol -P in ipsec esp/transport//require;
224 * or
225 * spdadd src any protocol -P out ipsec esp/tunnel/local-remote/require;
226 * spdadd any src protocol -P in ipsec esp/tunnel/remote-local/require; */
spdadd(struct sockaddr * src,struct sockaddr * dst,int protocol,struct sockaddr * local,struct sockaddr * remote)227 static void spdadd(struct sockaddr *src, struct sockaddr *dst,
228 int protocol, struct sockaddr *local, struct sockaddr *remote)
229 {
230 struct __attribute__((packed)) {
231 struct sadb_x_policy p;
232 struct sadb_x_ipsecrequest q;
233 char addresses[sizeof(struct sockaddr_storage) * 2];
234 } policy;
235
236 struct sockaddr_storage any = {
237 #ifndef __linux__
238 .ss_len = src->sa_len,
239 #endif
240 .ss_family = src->sa_family,
241 };
242
243 int src_prefix = (src->sa_family == AF_INET) ? 32 : 128;
244 int dst_prefix = src_prefix;
245 int length = 0;
246 int key;
247
248 /* Fill values for outbound policy. */
249 memset(&policy, 0, sizeof(policy));
250 policy.p.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
251 policy.p.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
252 policy.p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
253 #ifdef HAVE_PFKEY_POLICY_PRIORITY
254 policy.p.sadb_x_policy_priority = PRIORITY_DEFAULT;
255 #endif
256 policy.q.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
257 policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
258 policy.q.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
259
260 /* Deal with tunnel mode. */
261 if (!dst) {
262 int size = sysdep_sa_len(local);
263 memcpy(policy.addresses, local, size);
264 memcpy(&policy.addresses[size], remote, size);
265 length += size + size;
266
267 policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
268 dst = (struct sockaddr *)&any;
269 dst_prefix = 0;
270
271 /* Also use the source address to filter policies. */
272 targets[1] = dupsaddr(src);
273 }
274
275 /* Fix lengths. */
276 length += sizeof(policy.q);
277 policy.q.sadb_x_ipsecrequest_len = length;
278 length += sizeof(policy.p);
279 policy.p.sadb_x_policy_len = PFKEY_UNIT64(length);
280
281 /* Always do a flush before adding new policies. */
282 flush();
283
284 /* Set outbound policy. */
285 key = pfkey_open();
286 if (pfkey_send_spdadd(key, src, src_prefix, dst, dst_prefix, protocol,
287 (caddr_t)&policy, length, 0) <= 0) {
288 do_plog(LLV_ERROR, "Cannot set outbound policy\n");
289 exit(1);
290 }
291
292 /* Flip values for inbound policy. */
293 policy.p.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
294 if (!dst_prefix) {
295 int size = sysdep_sa_len(local);
296 memcpy(policy.addresses, remote, size);
297 memcpy(&policy.addresses[size], local, size);
298 }
299
300 /* Set inbound policy. */
301 if (pfkey_send_spdadd(key, dst, dst_prefix, src, src_prefix, protocol,
302 (caddr_t)&policy, length, 0) <= 0) {
303 do_plog(LLV_ERROR, "Cannot set inbound policy\n");
304 exit(1);
305 }
306
307 pfkey_close(key);
308 atexit(flush);
309 }
310
311 /*****************************************************************************/
312
add_proposal(struct remoteconf * remoteconf,int auth,int hash,int encryption,int length)313 static void add_proposal(struct remoteconf *remoteconf,
314 int auth, int hash, int encryption, int length)
315 {
316 struct isakmpsa *p = racoon_calloc(1, sizeof(struct isakmpsa));
317 p->prop_no = 1;
318 p->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
319 p->enctype = encryption;
320 p->encklen = length;
321 p->authmethod = auth;
322 p->hashtype = hash;
323 p->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
324 p->vendorid = VENDORID_UNKNOWN;
325 p->rmconf = remoteconf;
326
327 if (!remoteconf->proposal) {
328 p->trns_no = 1;
329 remoteconf->proposal = p;
330 } else {
331 struct isakmpsa *q = remoteconf->proposal;
332 while (q->next) {
333 q = q->next;
334 }
335 p->trns_no = q->trns_no + 1;
336 q->next = p;
337 }
338 }
339
strtovchar(char * string)340 static vchar_t *strtovchar(char *string)
341 {
342 vchar_t *vchar = string ? vmalloc(strlen(string) + 1) : NULL;
343 if (vchar) {
344 memcpy(vchar->v, string, vchar->l);
345 vchar->l -= 1;
346 }
347 return vchar;
348 }
349
set_pre_shared_key(struct remoteconf * remoteconf,char * identifier,char * key)350 static void set_pre_shared_key(struct remoteconf *remoteconf,
351 char *identifier, char *key)
352 {
353 pre_shared_key = key;
354 if (identifier[0]) {
355 remoteconf->idv = strtovchar(identifier);
356 remoteconf->etypes->type = ISAKMP_ETYPE_AGG;
357
358 remoteconf->idvtype = IDTYPE_KEYID;
359 if (strchr(identifier, '.')) {
360 remoteconf->idvtype = IDTYPE_FQDN;
361 if (strchr(identifier, '@')) {
362 remoteconf->idvtype = IDTYPE_USERFQDN;
363 }
364 }
365 }
366 }
367
set_certificates(struct remoteconf * remoteconf,char * user_private_key,char * user_certificate,char * ca_certificate,char * server_certificate)368 static void set_certificates(struct remoteconf *remoteconf,
369 char *user_private_key, char *user_certificate,
370 char *ca_certificate, char *server_certificate)
371 {
372 remoteconf->myprivfile = user_private_key;
373 remoteconf->mycertfile = user_certificate;
374 if (user_certificate) {
375 remoteconf->idvtype = IDTYPE_ASN1DN;
376 }
377 if (!ca_certificate[0]) {
378 remoteconf->verify_cert = FALSE;
379 } else {
380 remoteconf->cacertfile = ca_certificate;
381 }
382 if (server_certificate[0]) {
383 remoteconf->peerscertfile = server_certificate;
384 remoteconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
385 }
386 }
387
388 #ifdef ENABLE_HYBRID
389
set_xauth_and_more(struct remoteconf * remoteconf,char * username,char * password,char * phase1_up,char * script_arg)390 static void set_xauth_and_more(struct remoteconf *remoteconf,
391 char *username, char *password, char *phase1_up, char *script_arg)
392 {
393 struct xauth_rmconf *xauth = racoon_calloc(1, sizeof(struct xauth_rmconf));
394 xauth->login = strtovchar(username);
395 xauth->login->l += 1;
396 xauth->pass = strtovchar(password);
397 // Unlike the code that reads login, the code that reads pass does not
398 // strip trailing nulls, so don't add one here.
399 remoteconf->xauth = xauth;
400 remoteconf->mode_cfg = TRUE;
401 remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(phase1_up);
402 script_names[SCRIPT_PHASE1_UP] = script_arg;
403 }
404
405 #endif
406
407 extern void monitor_fd(int fd, void (*callback)(int));
408
add_isakmp_handler(int fd,const char * interface)409 void add_isakmp_handler(int fd, const char *interface)
410 {
411 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
412 interface, strlen(interface))) {
413 do_plog(LLV_WARNING, "Cannot bind socket to %s\n", interface);
414 }
415 monitor_fd(fd, (void *)isakmp_handler);
416 }
417
setup(int argc,char ** argv)418 void setup(int argc, char **argv)
419 {
420 struct remoteconf *remoteconf = NULL;
421 int auth;
422
423 if (argc > 2) {
424 set_globals(argv[2]);
425
426 /* Initialize everything else. */
427 eay_init();
428 initrmconf();
429 oakley_dhinit();
430 compute_vendorids();
431 sched_init();
432 if (pfkey_init() < 0 || isakmp_init() < 0) {
433 exit(1);
434 }
435 add_sainfo();
436 monitor_fd(localconf.sock_pfkey, (void *)pfkey_handler);
437 add_isakmp_handler(myaddrs[0].sock, argv[1]);
438
439 #ifdef ENABLE_NATT
440 add_isakmp_handler(myaddrs[1].sock, argv[1]);
441 natt_keepalive_init();
442 #endif
443
444 /* Create remote configuration. */
445 remoteconf = newrmconf();
446 remoteconf->etypes = racoon_calloc(1, sizeof(struct etypes));
447 remoteconf->etypes->type = ISAKMP_ETYPE_IDENT;
448 remoteconf->idvtype = IDTYPE_ADDRESS;
449 remoteconf->ike_frag = TRUE;
450 remoteconf->pcheck_level = PROP_CHECK_CLAIM;
451 remoteconf->certtype = ISAKMP_CERT_X509SIGN;
452 remoteconf->gen_policy = TRUE;
453 remoteconf->nat_traversal = TRUE;
454 remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
455 remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar("");
456 remoteconf->script[SCRIPT_PHASE1_DOWN] = strtovchar("");
457 oakley_setdhgroup(remoteconf->dh_group, &remoteconf->dhgrp);
458 remoteconf->remote = dupsaddr(targets[0]);
459 }
460
461 /* Set authentication method and credentials. */
462 if (argc == 7 && !strcmp(argv[3], "udppsk")) {
463 set_pre_shared_key(remoteconf, argv[4], argv[5]);
464 auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY;
465
466 set_port(targets[0], atoi(argv[6]));
467 spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
468 } else if (argc == 9 && !strcmp(argv[3], "udprsa")) {
469 set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
470 auth = OAKLEY_ATTR_AUTH_METHOD_RSASIG;
471
472 set_port(targets[0], atoi(argv[8]));
473 spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
474 #ifdef ENABLE_HYBRID
475 } else if (argc == 10 && !strcmp(argv[3], "xauthpsk")) {
476 set_pre_shared_key(remoteconf, argv[4], argv[5]);
477 set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
478 auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
479 } else if (argc == 12 && !strcmp(argv[3], "xauthrsa")) {
480 set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
481 set_xauth_and_more(remoteconf, argv[8], argv[9], argv[10], argv[11]);
482 auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
483 } else if (argc == 10 && !strcmp(argv[3], "hybridrsa")) {
484 set_certificates(remoteconf, NULL, NULL, argv[4], argv[5]);
485 set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
486 auth = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I;
487 #endif
488 } else {
489 printf("Usage: %s <interface> <server> [...], where [...] can be:\n"
490 " udppsk <identifier> <pre-shared-key> <port>; \n"
491 " udprsa <user-private-key> <user-certificate> \\\n"
492 " <ca-certificate> <server-certificate> <port>;\n"
493 #ifdef ENABLE_HYBRID
494 " xauthpsk <identifier> <pre-shared-key> \\\n"
495 " <username> <password> <phase1-up> <script-arg>;\n"
496 " xauthrsa <user-private-key> <user-certificate> \\\n"
497 " <ca-certificate> <server-certificate> \\\n"
498 " <username> <password> <phase1-up> <script-arg>;\n"
499 " hybridrsa <ca-certificate> <server-certificate> \\\n"
500 " <username> <password> <phase1-up> <script-arg>;\n"
501 #endif
502 "", argv[0]);
503 exit(0);
504 }
505
506 /* Add proposals. */
507 add_proposal(remoteconf, auth,
508 OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 256);
509 add_proposal(remoteconf, auth,
510 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
511 // VPNs to openswan breaks when SHA2_512 is used as the first proposal.
512 // openswan supports SHA2_256 or lower hash alg. With this add_proposal
513 // order, openswan picks SHA2_256 and others pick SHA2_384
514 add_proposal(remoteconf, auth,
515 OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
516 add_proposal(remoteconf, auth,
517 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
518 add_proposal(remoteconf, auth,
519 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 256);
520 add_proposal(remoteconf, auth,
521 OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 128);
522 add_proposal(remoteconf, auth,
523 OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 128);
524 add_proposal(remoteconf, auth,
525 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 128);
526 add_proposal(remoteconf, auth,
527 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128);
528 add_proposal(remoteconf, auth,
529 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 128);
530 add_proposal(remoteconf, auth,
531 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_3DES, 0);
532 add_proposal(remoteconf, auth,
533 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_3DES, 0);
534 add_proposal(remoteconf, auth,
535 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_3DES, 0);
536 add_proposal(remoteconf, auth,
537 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_DES, 0);
538 add_proposal(remoteconf, auth,
539 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_DES, 0);
540 add_proposal(remoteconf, auth,
541 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_DES, 0);
542
543 /* Install remote configuration. */
544 insrmconf(remoteconf);
545
546 /* Start phase 1 negotiation for xauth. */
547 if (remoteconf->xauth) {
548 isakmp_ph1begin_i(remoteconf, remoteconf->remote, source);
549 }
550 }
551
552 /*****************************************************************************/
553
554 /* localconf.h */
555
getpskbyaddr(struct sockaddr * addr)556 vchar_t *getpskbyaddr(struct sockaddr *addr)
557 {
558 return strtovchar(pre_shared_key);
559 }
560
getpskbyname(vchar_t * name)561 vchar_t *getpskbyname(vchar_t *name)
562 {
563 return NULL;
564 }
565
getpathname(char * path,int length,int type,const char * name)566 void getpathname(char *path, int length, int type, const char *name)
567 {
568 if (pname) {
569 snprintf(path, length, pname, name);
570 } else {
571 strncpy(path, name, length);
572 }
573 path[length - 1] = '\0';
574 }
575
576 /* grabmyaddr.h */
577
myaddr_getsport(struct sockaddr * addr)578 int myaddr_getsport(struct sockaddr *addr)
579 {
580 return 0;
581 }
582
getsockmyaddr(struct sockaddr * addr)583 int getsockmyaddr(struct sockaddr *addr)
584 {
585 #ifdef ENABLE_NATT
586 if (!cmpsaddrstrict(addr, myaddrs[1].addr)) {
587 return myaddrs[1].sock;
588 }
589 #endif
590 if (!cmpsaddrwop(addr, myaddrs[0].addr)) {
591 return myaddrs[0].sock;
592 }
593 return -1;
594 }
595
596 /* privsep.h */
597
privsep_pfkey_open()598 int privsep_pfkey_open()
599 {
600 return pfkey_open();
601 }
602
privsep_pfkey_close(int key)603 void privsep_pfkey_close(int key)
604 {
605 pfkey_close(key);
606 }
607
privsep_eay_get_pkcs1privkey(char * file)608 vchar_t *privsep_eay_get_pkcs1privkey(char *file)
609 {
610 return eay_get_pkcs1privkey(file);
611 }
612
get_env(char * const * envp,char * key)613 static char *get_env(char * const *envp, char *key)
614 {
615 int length = strlen(key);
616 while (*envp && (strncmp(*envp, key, length) || (*envp)[length] != '=')) {
617 ++envp;
618 }
619 return *envp ? &(*envp)[length + 1] : "";
620 }
621
622 static int skip_script = 0;
623 extern const char *android_hook(char **envp);
624
privsep_script_exec(char * script,int name,char * const * envp)625 int privsep_script_exec(char *script, int name, char * const *envp)
626 {
627 if (skip_script) {
628 return 0;
629 }
630 skip_script = 1;
631
632 if (name == SCRIPT_PHASE1_DOWN) {
633 exit(1);
634 }
635 if (script_names[SCRIPT_PHASE1_UP]) {
636 /* Racoon ignores INTERNAL_IP6_ADDRESS, so we only do IPv4. */
637 struct sockaddr *addr4 = str2saddr(get_env(envp, "INTERNAL_ADDR4"),
638 NULL);
639 struct sockaddr *local = str2saddr(get_env(envp, "LOCAL_ADDR"),
640 get_env(envp, "LOCAL_PORT"));
641 struct sockaddr *remote = str2saddr(get_env(envp, "REMOTE_ADDR"),
642 get_env(envp, "REMOTE_PORT"));
643
644 if (addr4 && local && remote) {
645 #ifdef ANDROID_CHANGES
646 if (pname) {
647 script = (char *)android_hook((char **)envp);
648 }
649 #endif
650 spdadd(addr4, NULL, IPPROTO_IP, local, remote);
651 } else {
652 do_plog(LLV_ERROR, "Cannot get parameters for SPD policy.\n");
653 exit(1);
654 }
655
656 racoon_free(addr4);
657 racoon_free(local);
658 racoon_free(remote);
659 return script_exec(script, name, envp);
660 }
661 return 0;
662 }
663
privsep_accounting_system(int port,struct sockaddr * addr,char * user,int status)664 int privsep_accounting_system(int port, struct sockaddr *addr,
665 char *user, int status)
666 {
667 return 0;
668 }
669
privsep_xauth_login_system(char * user,char * password)670 int privsep_xauth_login_system(char *user, char *password)
671 {
672 return -1;
673 }
674
675 /* misc.h */
676
racoon_hexdump(void * data,size_t length)677 int racoon_hexdump(void *data, size_t length)
678 {
679 return 0;
680 }
681
682 /* sainfo.h */
683
getsainfo(const vchar_t * src,const vchar_t * dst,const vchar_t * peer,int remoteid)684 struct sainfo *getsainfo(const vchar_t *src, const vchar_t *dst,
685 const vchar_t *peer, int remoteid)
686 {
687 return &sainfo;
688 }
689
sainfo2str(const struct sainfo * si)690 const char *sainfo2str(const struct sainfo *si)
691 {
692 return "*";
693 }
694
695 /* throttle.h */
696
throttle_host(struct sockaddr * addr,int fail)697 int throttle_host(struct sockaddr *addr, int fail)
698 {
699 return 0;
700 }
701
shutdown_session()702 void shutdown_session()
703 {
704 flushph2();
705 flushph1();
706 isakmp_close();
707 pfkey_close(localconf.sock_pfkey);
708 }
709