1 /* $NetBSD: isakmp_cfg.c,v 1.12.6.4 2008/11/27 15:25:20 vanhu Exp $ */
2
3 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004-2006 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #ifndef ANDROID_PATCHED
42 #include <utmp.h>
43 #endif
44 #if defined(__APPLE__) && defined(__MACH__)
45 #include <util.h>
46 #endif
47
48 #ifdef __FreeBSD__
49 # include <libutil.h>
50 #endif
51 #ifdef __NetBSD__
52 # include <util.h>
53 #endif
54
55 #include <netinet/in.h>
56 #include <arpa/inet.h>
57
58 #include <stdlib.h>
59 #include <stdio.h>
60 #include <string.h>
61 #include <errno.h>
62 #if TIME_WITH_SYS_TIME
63 # include <sys/time.h>
64 # include <time.h>
65 #else
66 # if HAVE_SYS_TIME_H
67 # include <sys/time.h>
68 # else
69 # include <time.h>
70 # endif
71 #endif
72 #include <netdb.h>
73 #ifdef HAVE_UNISTD_H
74 #include <unistd.h>
75 #endif
76 #if HAVE_STDINT_H
77 #include <stdint.h>
78 #endif
79 #include <ctype.h>
80 #include <resolv.h>
81
82 #ifdef HAVE_LIBRADIUS
83 #include <sys/utsname.h>
84 #include <radlib.h>
85 #endif
86
87 #include "var.h"
88 #include "misc.h"
89 #include "vmbuf.h"
90 #include "plog.h"
91 #include "sockmisc.h"
92 #include "schedule.h"
93 #include "debug.h"
94
95 #include "isakmp_var.h"
96 #include "isakmp.h"
97 #include "handler.h"
98 #include "evt.h"
99 #include "throttle.h"
100 #include "remoteconf.h"
101 #include "crypto_openssl.h"
102 #include "isakmp_inf.h"
103 #include "isakmp_xauth.h"
104 #include "isakmp_unity.h"
105 #include "isakmp_cfg.h"
106 #include "strnames.h"
107 #include "admin.h"
108 #include "privsep.h"
109
110 struct isakmp_cfg_config isakmp_cfg_config;
111
112 static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
113 static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
114 #if 0
115 static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *);
116 #endif
117 static vchar_t *isakmp_cfg_addr4(struct ph1handle *,
118 struct isakmp_data *, in_addr_t *);
119 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
120 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
121 struct isakmp_data *, in_addr_t *, int);
122 static void isakmp_cfg_appendaddr4(struct isakmp_data *,
123 struct in_addr *, int *, int);
124 static void isakmp_cfg_getstring(struct isakmp_data *,char *);
125 void isakmp_cfg_iplist_to_str(char *, int, void *, int);
126
127 #define ISAKMP_CFG_LOGIN 1
128 #define ISAKMP_CFG_LOGOUT 2
129 static int isakmp_cfg_accounting(struct ph1handle *, int);
130 #ifdef HAVE_LIBRADIUS
131 static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
132 #endif
133
134 /*
135 * Handle an ISAKMP config mode packet
136 * We expect HDR, HASH, ATTR
137 */
138 void
isakmp_cfg_r(iph1,msg)139 isakmp_cfg_r(iph1, msg)
140 struct ph1handle *iph1;
141 vchar_t *msg;
142 {
143 struct isakmp *packet;
144 struct isakmp_gen *ph;
145 int tlen;
146 char *npp;
147 int np;
148 vchar_t *dmsg;
149 struct isakmp_ivm *ivm;
150
151 /* Check that the packet is long enough to have a header */
152 if (msg->l < sizeof(*packet)) {
153 plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n");
154 return;
155 }
156
157 packet = (struct isakmp *)msg->v;
158
159 /* Is it encrypted? It should be encrypted */
160 if ((packet->flags & ISAKMP_FLAG_E) == 0) {
161 plog(LLV_ERROR, LOCATION, NULL,
162 "User credentials sent in cleartext!\n");
163 return;
164 }
165
166 /*
167 * Decrypt the packet. If this is the beginning of a new
168 * exchange, reinitialize the IV
169 */
170 if (iph1->mode_cfg->ivm == NULL ||
171 iph1->mode_cfg->last_msgid != packet->msgid )
172 iph1->mode_cfg->ivm =
173 isakmp_cfg_newiv(iph1, packet->msgid);
174 ivm = iph1->mode_cfg->ivm;
175
176 dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
177 if (dmsg == NULL) {
178 plog(LLV_ERROR, LOCATION, NULL,
179 "failed to decrypt message\n");
180 return;
181 }
182
183 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n");
184 plogdump(LLV_DEBUG, dmsg->v, dmsg->l);
185
186 /* Now work with the decrypted packet */
187 packet = (struct isakmp *)dmsg->v;
188 tlen = dmsg->l - sizeof(*packet);
189 ph = (struct isakmp_gen *)(packet + 1);
190
191 np = packet->np;
192 while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
193 /* Check that the payload header fits in the packet */
194 if (tlen < sizeof(*ph)) {
195 plog(LLV_WARNING, LOCATION, NULL,
196 "Short payload header\n");
197 goto out;
198 }
199
200 /* Check that the payload fits in the packet */
201 if (tlen < ntohs(ph->len)) {
202 plog(LLV_WARNING, LOCATION, NULL,
203 "Short payload\n");
204 goto out;
205 }
206
207 plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np);
208 plogdump(LLV_DEBUG, ph, ntohs(ph->len));
209
210 switch(np) {
211 case ISAKMP_NPTYPE_HASH: {
212 vchar_t *check;
213 vchar_t *payload;
214 size_t plen;
215 struct isakmp_gen *nph;
216
217 plen = ntohs(ph->len);
218 nph = (struct isakmp_gen *)((char *)ph + plen);
219 plen = ntohs(nph->len);
220
221 if ((payload = vmalloc(plen)) == NULL) {
222 plog(LLV_ERROR, LOCATION, NULL,
223 "Cannot allocate memory\n");
224 goto out;
225 }
226 memcpy(payload->v, nph, plen);
227
228 if ((check = oakley_compute_hash1(iph1,
229 packet->msgid, payload)) == NULL) {
230 plog(LLV_ERROR, LOCATION, NULL,
231 "Cannot compute hash\n");
232 vfree(payload);
233 goto out;
234 }
235
236 if (memcmp(ph + 1, check->v, check->l) != 0) {
237 plog(LLV_ERROR, LOCATION, NULL,
238 "Hash verification failed\n");
239 vfree(payload);
240 vfree(check);
241 goto out;
242 }
243 vfree(payload);
244 vfree(check);
245 break;
246 }
247 case ISAKMP_NPTYPE_ATTR: {
248 struct isakmp_pl_attr *attrpl;
249
250 attrpl = (struct isakmp_pl_attr *)ph;
251 isakmp_cfg_attr_r(iph1, packet->msgid, attrpl);
252
253 break;
254 }
255 default:
256 plog(LLV_WARNING, LOCATION, NULL,
257 "Unexpected next payload %d\n", np);
258 /* Skip to the next payload */
259 break;
260 }
261
262 /* Move to the next payload */
263 np = ph->np;
264 tlen -= ntohs(ph->len);
265 npp = (char *)ph;
266 ph = (struct isakmp_gen *)(npp + ntohs(ph->len));
267 }
268
269 out:
270 vfree(dmsg);
271 }
272
273 int
isakmp_cfg_attr_r(iph1,msgid,attrpl)274 isakmp_cfg_attr_r(iph1, msgid, attrpl)
275 struct ph1handle *iph1;
276 u_int32_t msgid;
277 struct isakmp_pl_attr *attrpl;
278 {
279 int type = attrpl->type;
280
281 plog(LLV_DEBUG, LOCATION, NULL,
282 "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
283 switch (type) {
284 case ISAKMP_CFG_ACK:
285 /* ignore, but this is the time to reinit the IV */
286 oakley_delivm(iph1->mode_cfg->ivm);
287 iph1->mode_cfg->ivm = NULL;
288 return 0;
289 break;
290
291 case ISAKMP_CFG_REPLY:
292 return isakmp_cfg_reply(iph1, attrpl);
293 break;
294
295 case ISAKMP_CFG_REQUEST:
296 iph1->msgid = msgid;
297 return isakmp_cfg_request(iph1, attrpl);
298 break;
299
300 case ISAKMP_CFG_SET:
301 iph1->msgid = msgid;
302 return isakmp_cfg_set(iph1, attrpl);
303 break;
304
305 default:
306 plog(LLV_WARNING, LOCATION, NULL,
307 "Unepected configuration exchange type %d\n", type);
308 return -1;
309 break;
310 }
311
312 return 0;
313 }
314
315 int
isakmp_cfg_reply(iph1,attrpl)316 isakmp_cfg_reply(iph1, attrpl)
317 struct ph1handle *iph1;
318 struct isakmp_pl_attr *attrpl;
319 {
320 struct isakmp_data *attr;
321 int tlen;
322 size_t alen;
323 char *npp;
324 int type;
325 struct sockaddr_in *sin;
326 int error;
327
328 tlen = ntohs(attrpl->h.len);
329 attr = (struct isakmp_data *)(attrpl + 1);
330 tlen -= sizeof(*attrpl);
331
332 while (tlen > 0) {
333 type = ntohs(attr->type);
334
335 /* Handle short attributes */
336 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
337 type &= ~ISAKMP_GEN_MASK;
338
339 plog(LLV_DEBUG, LOCATION, NULL,
340 "Short attribute %s = %d\n",
341 s_isakmp_cfg_type(type), ntohs(attr->lorv));
342
343 switch (type) {
344 case XAUTH_TYPE:
345 if ((error = xauth_attr_reply(iph1,
346 attr, ntohs(attrpl->id))) != 0)
347 return error;
348 break;
349
350 default:
351 plog(LLV_WARNING, LOCATION, NULL,
352 "Ignored short attribute %s\n",
353 s_isakmp_cfg_type(type));
354 break;
355 }
356
357 tlen -= sizeof(*attr);
358 attr++;
359 continue;
360 }
361
362 type = ntohs(attr->type);
363 alen = ntohs(attr->lorv);
364
365 /* Check that the attribute fit in the packet */
366 if (tlen < alen) {
367 plog(LLV_ERROR, LOCATION, NULL,
368 "Short attribute %s\n",
369 s_isakmp_cfg_type(type));
370 return -1;
371 }
372
373 plog(LLV_DEBUG, LOCATION, NULL,
374 "Attribute %s, len %zu\n",
375 s_isakmp_cfg_type(type), alen);
376
377 switch(type) {
378 case XAUTH_TYPE:
379 case XAUTH_USER_NAME:
380 case XAUTH_USER_PASSWORD:
381 case XAUTH_PASSCODE:
382 case XAUTH_MESSAGE:
383 case XAUTH_CHALLENGE:
384 case XAUTH_DOMAIN:
385 case XAUTH_STATUS:
386 case XAUTH_NEXT_PIN:
387 case XAUTH_ANSWER:
388 if ((error = xauth_attr_reply(iph1,
389 attr, ntohs(attrpl->id))) != 0)
390 return error;
391 break;
392 case INTERNAL_IP4_ADDRESS:
393 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4);
394 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4;
395 break;
396 case INTERNAL_IP4_NETMASK:
397 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4);
398 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4;
399 break;
400 case INTERNAL_IP4_DNS:
401 isakmp_cfg_appendaddr4(attr,
402 &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index],
403 &iph1->mode_cfg->dns4_index, MAXNS);
404 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4;
405 break;
406 case INTERNAL_IP4_NBNS:
407 isakmp_cfg_appendaddr4(attr,
408 &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index],
409 &iph1->mode_cfg->wins4_index, MAXNS);
410 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4;
411 break;
412 case UNITY_DEF_DOMAIN:
413 isakmp_cfg_getstring(attr,
414 iph1->mode_cfg->default_domain);
415 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN;
416 break;
417 case UNITY_SPLIT_INCLUDE:
418 case UNITY_LOCAL_LAN:
419 case UNITY_SPLITDNS_NAME:
420 case UNITY_BANNER:
421 case UNITY_SAVE_PASSWD:
422 case UNITY_NATT_PORT:
423 case UNITY_PFS:
424 case UNITY_FW_TYPE:
425 case UNITY_BACKUP_SERVERS:
426 case UNITY_DDNS_HOSTNAME:
427 isakmp_unity_reply(iph1, attr);
428 break;
429 case INTERNAL_IP4_SUBNET:
430 case INTERNAL_ADDRESS_EXPIRY:
431 default:
432 plog(LLV_WARNING, LOCATION, NULL,
433 "Ignored attribute %s\n",
434 s_isakmp_cfg_type(type));
435 break;
436 }
437
438 npp = (char *)attr;
439 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
440 tlen -= (sizeof(*attr) + alen);
441 }
442
443 /*
444 * Call the SA up script hook now that we have the configuration
445 * It is done at the end of phase 1 if ISAKMP mode config is not
446 * requested.
447 */
448
449 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
450 iph1->rmconf->mode_cfg) {
451 switch (AUTHMETHOD(iph1)) {
452 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
453 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
454 /* Unimplemented */
455 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
456 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
457 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
458 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
459 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
460 script_hook(iph1, SCRIPT_PHASE1_UP);
461 break;
462 default:
463 break;
464 }
465 }
466
467
468 #ifdef ENABLE_ADMINPORT
469 {
470 vchar_t *buf;
471
472 alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
473 if ((buf = vmalloc(alen)) == NULL) {
474 plog(LLV_WARNING, LOCATION, NULL,
475 "Cannot allocate memory: %s\n", strerror(errno));
476 } else {
477 memcpy(buf->v, attrpl + 1, buf->l);
478 EVT_PUSH(iph1->local, iph1->remote,
479 EVTT_ISAKMP_CFG_DONE, buf);
480 vfree(buf);
481 }
482 }
483 #endif
484
485 return 0;
486 }
487
488 int
isakmp_cfg_request(iph1,attrpl)489 isakmp_cfg_request(iph1, attrpl)
490 struct ph1handle *iph1;
491 struct isakmp_pl_attr *attrpl;
492 {
493 struct isakmp_data *attr;
494 int tlen;
495 size_t alen;
496 char *npp;
497 vchar_t *payload;
498 struct isakmp_pl_attr *reply;
499 vchar_t *reply_attr;
500 int type;
501 int error = -1;
502
503 if ((payload = vmalloc(sizeof(*reply))) == NULL) {
504 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
505 return -1;
506 }
507 memset(payload->v, 0, sizeof(*reply));
508
509 tlen = ntohs(attrpl->h.len);
510 attr = (struct isakmp_data *)(attrpl + 1);
511 tlen -= sizeof(*attrpl);
512
513 while (tlen > 0) {
514 reply_attr = NULL;
515 type = ntohs(attr->type);
516
517 /* Handle short attributes */
518 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
519 type &= ~ISAKMP_GEN_MASK;
520
521 plog(LLV_DEBUG, LOCATION, NULL,
522 "Short attribute %s = %d\n",
523 s_isakmp_cfg_type(type), ntohs(attr->lorv));
524
525 switch (type) {
526 case XAUTH_TYPE:
527 reply_attr = isakmp_xauth_req(iph1, attr);
528 break;
529 default:
530 plog(LLV_WARNING, LOCATION, NULL,
531 "Ignored short attribute %s\n",
532 s_isakmp_cfg_type(type));
533 break;
534 }
535
536 tlen -= sizeof(*attr);
537 attr++;
538
539 if (reply_attr != NULL) {
540 payload = buffer_cat(payload, reply_attr);
541 vfree(reply_attr);
542 }
543
544 continue;
545 }
546
547 type = ntohs(attr->type);
548 alen = ntohs(attr->lorv);
549
550 /* Check that the attribute fit in the packet */
551 if (tlen < alen) {
552 plog(LLV_ERROR, LOCATION, NULL,
553 "Short attribute %s\n",
554 s_isakmp_cfg_type(type));
555 goto end;
556 }
557
558 plog(LLV_DEBUG, LOCATION, NULL,
559 "Attribute %s, len %zu\n",
560 s_isakmp_cfg_type(type), alen);
561
562 switch(type) {
563 case INTERNAL_IP4_ADDRESS:
564 case INTERNAL_IP4_NETMASK:
565 case INTERNAL_IP4_DNS:
566 case INTERNAL_IP4_NBNS:
567 case INTERNAL_IP4_SUBNET:
568 reply_attr = isakmp_cfg_net(iph1, attr);
569 break;
570
571 case XAUTH_TYPE:
572 case XAUTH_USER_NAME:
573 case XAUTH_USER_PASSWORD:
574 case XAUTH_PASSCODE:
575 case XAUTH_MESSAGE:
576 case XAUTH_CHALLENGE:
577 case XAUTH_DOMAIN:
578 case XAUTH_STATUS:
579 case XAUTH_NEXT_PIN:
580 case XAUTH_ANSWER:
581 reply_attr = isakmp_xauth_req(iph1, attr);
582 break;
583
584 case APPLICATION_VERSION:
585 reply_attr = isakmp_cfg_string(iph1,
586 attr, ISAKMP_CFG_RACOON_VERSION);
587 break;
588
589 case UNITY_BANNER:
590 case UNITY_PFS:
591 case UNITY_SAVE_PASSWD:
592 case UNITY_DEF_DOMAIN:
593 case UNITY_DDNS_HOSTNAME:
594 case UNITY_FW_TYPE:
595 case UNITY_SPLITDNS_NAME:
596 case UNITY_SPLIT_INCLUDE:
597 case UNITY_LOCAL_LAN:
598 case UNITY_NATT_PORT:
599 case UNITY_BACKUP_SERVERS:
600 reply_attr = isakmp_unity_req(iph1, attr);
601 break;
602
603 case INTERNAL_ADDRESS_EXPIRY:
604 default:
605 plog(LLV_WARNING, LOCATION, NULL,
606 "Ignored attribute %s\n",
607 s_isakmp_cfg_type(type));
608 break;
609 }
610
611 npp = (char *)attr;
612 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
613 tlen -= (sizeof(*attr) + alen);
614
615 if (reply_attr != NULL) {
616 payload = buffer_cat(payload, reply_attr);
617 vfree(reply_attr);
618 }
619
620 }
621
622 reply = (struct isakmp_pl_attr *)payload->v;
623 reply->h.len = htons(payload->l);
624 reply->type = ISAKMP_CFG_REPLY;
625 reply->id = attrpl->id;
626
627 plog(LLV_DEBUG, LOCATION, NULL,
628 "Sending MODE_CFG REPLY\n");
629
630 error = isakmp_cfg_send(iph1, payload,
631 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
632
633 if (iph1->status == PHASE1ST_ESTABLISHED) {
634 switch (AUTHMETHOD(iph1)) {
635 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
636 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
637 /* Unimplemented */
638 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
640 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
641 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
642 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
643 script_hook(iph1, SCRIPT_PHASE1_UP);
644 break;
645 default:
646 break;
647 }
648 }
649
650 end:
651 vfree(payload);
652
653 return error;
654 }
655
656 int
isakmp_cfg_set(iph1,attrpl)657 isakmp_cfg_set(iph1, attrpl)
658 struct ph1handle *iph1;
659 struct isakmp_pl_attr *attrpl;
660 {
661 struct isakmp_data *attr;
662 int tlen;
663 size_t alen;
664 char *npp;
665 vchar_t *payload;
666 struct isakmp_pl_attr *reply;
667 vchar_t *reply_attr;
668 int type;
669 int error = -1;
670
671 if ((payload = vmalloc(sizeof(*reply))) == NULL) {
672 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
673 return -1;
674 }
675 memset(payload->v, 0, sizeof(*reply));
676
677 tlen = ntohs(attrpl->h.len);
678 attr = (struct isakmp_data *)(attrpl + 1);
679 tlen -= sizeof(*attrpl);
680
681 /*
682 * We should send ack for the attributes we accepted
683 */
684 while (tlen > 0) {
685 reply_attr = NULL;
686 type = ntohs(attr->type);
687
688 plog(LLV_DEBUG, LOCATION, NULL,
689 "Attribute %s\n",
690 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
691
692 switch (type & ~ISAKMP_GEN_MASK) {
693 case XAUTH_STATUS:
694 reply_attr = isakmp_xauth_set(iph1, attr);
695 break;
696 default:
697 plog(LLV_DEBUG, LOCATION, NULL,
698 "Unexpected SET attribute %s\n",
699 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
700 break;
701 }
702
703 if (reply_attr != NULL) {
704 payload = buffer_cat(payload, reply_attr);
705 vfree(reply_attr);
706 }
707
708 /*
709 * Move to next attribute. If we run out of the packet,
710 * tlen becomes negative and we exit.
711 */
712 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
713 tlen -= sizeof(*attr);
714 attr++;
715 } else {
716 alen = ntohs(attr->lorv);
717 tlen -= (sizeof(*attr) + alen);
718 npp = (char *)attr;
719 attr = (struct isakmp_data *)
720 (npp + sizeof(*attr) + alen);
721 }
722 }
723
724 reply = (struct isakmp_pl_attr *)payload->v;
725 reply->h.len = htons(payload->l);
726 reply->type = ISAKMP_CFG_ACK;
727 reply->id = attrpl->id;
728
729 plog(LLV_DEBUG, LOCATION, NULL,
730 "Sending MODE_CFG ACK\n");
731
732 error = isakmp_cfg_send(iph1, payload,
733 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
734
735 if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
736 if (iph1->status == PHASE1ST_ESTABLISHED)
737 isakmp_info_send_d1(iph1);
738 remph1(iph1);
739 delph1(iph1);
740 iph1 = NULL;
741 }
742 end:
743 vfree(payload);
744
745 /*
746 * If required, request ISAKMP mode config information
747 */
748 if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0))
749 error = isakmp_cfg_getconfig(iph1);
750
751 return error;
752 }
753
754
755 static vchar_t *
buffer_cat(s,append)756 buffer_cat(s, append)
757 vchar_t *s;
758 vchar_t *append;
759 {
760 vchar_t *new;
761
762 new = vmalloc(s->l + append->l);
763 if (new == NULL) {
764 plog(LLV_ERROR, LOCATION, NULL,
765 "Cannot allocate memory\n");
766 return s;
767 }
768
769 memcpy(new->v, s->v, s->l);
770 memcpy(new->v + s->l, append->v, append->l);
771
772 vfree(s);
773 return new;
774 }
775
776 static vchar_t *
isakmp_cfg_net(iph1,attr)777 isakmp_cfg_net(iph1, attr)
778 struct ph1handle *iph1;
779 struct isakmp_data *attr;
780 {
781 int type;
782 int confsource;
783 in_addr_t addr4;
784
785 type = ntohs(attr->type);
786
787 /*
788 * Don't give an address to a peer that did not succeed Xauth
789 */
790 if (xauth_check(iph1) != 0) {
791 plog(LLV_ERROR, LOCATION, NULL,
792 "Attempt to start phase config whereas Xauth failed\n");
793 return NULL;
794 }
795
796 confsource = isakmp_cfg_config.confsource;
797 /*
798 * If we have to fall back to a local
799 * configuration source, we will jump
800 * back to this point.
801 */
802 retry_source:
803
804 switch(type) {
805 case INTERNAL_IP4_ADDRESS:
806 switch(confsource) {
807 #ifdef HAVE_LIBLDAP
808 case ISAKMP_CFG_CONF_LDAP:
809 if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
810 break;
811 plog(LLV_INFO, LOCATION, NULL,
812 "No IP from LDAP, using local pool\n");
813 /* FALLTHROUGH */
814 confsource = ISAKMP_CFG_CONF_LOCAL;
815 goto retry_source;
816 #endif
817 #ifdef HAVE_LIBRADIUS
818 case ISAKMP_CFG_CONF_RADIUS:
819 if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
820 && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
821 /*
822 * -2 is 255.255.255.254, RADIUS uses that
823 * to instruct the NAS to use a local pool
824 */
825 break;
826 plog(LLV_INFO, LOCATION, NULL,
827 "No IP from RADIUS, using local pool\n");
828 /* FALLTHROUGH */
829 confsource = ISAKMP_CFG_CONF_LOCAL;
830 goto retry_source;
831 #endif
832 case ISAKMP_CFG_CONF_LOCAL:
833 if (isakmp_cfg_getport(iph1) == -1) {
834 plog(LLV_ERROR, LOCATION, NULL,
835 "Port pool depleted\n");
836 break;
837 }
838
839 iph1->mode_cfg->addr4.s_addr =
840 htonl(ntohl(isakmp_cfg_config.network4)
841 + iph1->mode_cfg->port);
842 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL;
843 break;
844
845 default:
846 plog(LLV_ERROR, LOCATION, NULL,
847 "Unexpected confsource\n");
848 }
849
850 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0)
851 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
852
853 return isakmp_cfg_addr4(iph1,
854 attr, &iph1->mode_cfg->addr4.s_addr);
855 break;
856
857 case INTERNAL_IP4_NETMASK:
858 switch(confsource) {
859 #ifdef HAVE_LIBLDAP
860 case ISAKMP_CFG_CONF_LDAP:
861 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
862 break;
863 plog(LLV_INFO, LOCATION, NULL,
864 "No mask from LDAP, using local pool\n");
865 /* FALLTHROUGH */
866 confsource = ISAKMP_CFG_CONF_LOCAL;
867 goto retry_source;
868 #endif
869 #ifdef HAVE_LIBRADIUS
870 case ISAKMP_CFG_CONF_RADIUS:
871 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
872 break;
873 plog(LLV_INFO, LOCATION, NULL,
874 "No mask from RADIUS, using local pool\n");
875 /* FALLTHROUGH */
876 confsource = ISAKMP_CFG_CONF_LOCAL;
877 goto retry_source;
878 #endif
879 case ISAKMP_CFG_CONF_LOCAL:
880 iph1->mode_cfg->mask4.s_addr
881 = isakmp_cfg_config.netmask4;
882 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL;
883 break;
884
885 default:
886 plog(LLV_ERROR, LOCATION, NULL,
887 "Unexpected confsource\n");
888 }
889 return isakmp_cfg_addr4(iph1, attr,
890 &iph1->mode_cfg->mask4.s_addr);
891 break;
892
893 case INTERNAL_IP4_DNS:
894 return isakmp_cfg_addr4_list(iph1,
895 attr, &isakmp_cfg_config.dns4[0],
896 isakmp_cfg_config.dns4_index);
897 break;
898
899 case INTERNAL_IP4_NBNS:
900 return isakmp_cfg_addr4_list(iph1,
901 attr, &isakmp_cfg_config.nbns4[0],
902 isakmp_cfg_config.nbns4_index);
903 break;
904
905 case INTERNAL_IP4_SUBNET:
906 return isakmp_cfg_addr4(iph1,
907 attr, &isakmp_cfg_config.network4);
908 break;
909
910 default:
911 plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type);
912 break;
913 }
914 return NULL;
915 }
916
917 #if 0
918 static vchar_t *
919 isakmp_cfg_void(iph1, attr)
920 struct ph1handle *iph1;
921 struct isakmp_data *attr;
922 {
923 vchar_t *buffer;
924 struct isakmp_data *new;
925
926 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
927 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
928 return NULL;
929 }
930
931 new = (struct isakmp_data *)buffer->v;
932
933 new->type = attr->type;
934 new->lorv = htons(0);
935
936 return buffer;
937 }
938 #endif
939
940 vchar_t *
isakmp_cfg_copy(iph1,attr)941 isakmp_cfg_copy(iph1, attr)
942 struct ph1handle *iph1;
943 struct isakmp_data *attr;
944 {
945 vchar_t *buffer;
946 size_t len = 0;
947
948 if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV)
949 len = ntohs(attr->lorv);
950
951 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
952 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
953 return NULL;
954 }
955
956 memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv));
957
958 return buffer;
959 }
960
961 vchar_t *
isakmp_cfg_short(iph1,attr,value)962 isakmp_cfg_short(iph1, attr, value)
963 struct ph1handle *iph1;
964 struct isakmp_data *attr;
965 int value;
966 {
967 vchar_t *buffer;
968 struct isakmp_data *new;
969 int type;
970
971 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
972 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
973 return NULL;
974 }
975
976 new = (struct isakmp_data *)buffer->v;
977 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
978
979 new->type = htons(type | ISAKMP_GEN_TV);
980 new->lorv = htons(value);
981
982 return buffer;
983 }
984
985 vchar_t *
isakmp_cfg_varlen(iph1,attr,string,len)986 isakmp_cfg_varlen(iph1, attr, string, len)
987 struct ph1handle *iph1;
988 struct isakmp_data *attr;
989 char *string;
990 size_t len;
991 {
992 vchar_t *buffer;
993 struct isakmp_data *new;
994 char *data;
995
996 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
997 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
998 return NULL;
999 }
1000
1001 new = (struct isakmp_data *)buffer->v;
1002
1003 new->type = attr->type;
1004 new->lorv = htons(len);
1005 data = (char *)(new + 1);
1006
1007 memcpy(data, string, len);
1008
1009 return buffer;
1010 }
1011 vchar_t *
isakmp_cfg_string(iph1,attr,string)1012 isakmp_cfg_string(iph1, attr, string)
1013 struct ph1handle *iph1;
1014 struct isakmp_data *attr;
1015 char *string;
1016 {
1017 size_t len = strlen(string);
1018 return isakmp_cfg_varlen(iph1, attr, string, len);
1019 }
1020
1021 static vchar_t *
isakmp_cfg_addr4(iph1,attr,addr)1022 isakmp_cfg_addr4(iph1, attr, addr)
1023 struct ph1handle *iph1;
1024 struct isakmp_data *attr;
1025 in_addr_t *addr;
1026 {
1027 vchar_t *buffer;
1028 struct isakmp_data *new;
1029 size_t len;
1030
1031 len = sizeof(*addr);
1032 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
1033 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1034 return NULL;
1035 }
1036
1037 new = (struct isakmp_data *)buffer->v;
1038
1039 new->type = attr->type;
1040 new->lorv = htons(len);
1041 memcpy(new + 1, addr, len);
1042
1043 return buffer;
1044 }
1045
1046 static vchar_t *
isakmp_cfg_addr4_list(iph1,attr,addr,nbr)1047 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
1048 struct ph1handle *iph1;
1049 struct isakmp_data *attr;
1050 in_addr_t *addr;
1051 int nbr;
1052 {
1053 int error = -1;
1054 vchar_t *buffer = NULL;
1055 vchar_t *bufone = NULL;
1056 struct isakmp_data *new;
1057 size_t len;
1058 int i;
1059
1060 len = sizeof(*addr);
1061 if ((buffer = vmalloc(0)) == NULL) {
1062 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1063 goto out;
1064 }
1065 for(i = 0; i < nbr; i++) {
1066 if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
1067 plog(LLV_ERROR, LOCATION, NULL,
1068 "Cannot allocate memory\n");
1069 goto out;
1070 }
1071 new = (struct isakmp_data *)bufone->v;
1072 new->type = attr->type;
1073 new->lorv = htons(len);
1074 memcpy(new + 1, &addr[i], len);
1075 new += (len + sizeof(*attr));
1076 buffer = buffer_cat(buffer, bufone);
1077 vfree(bufone);
1078 }
1079
1080 error = 0;
1081
1082 out:
1083 if ((error != 0) && (buffer != NULL)) {
1084 vfree(buffer);
1085 buffer = NULL;
1086 }
1087
1088 return buffer;
1089 }
1090
1091 struct isakmp_ivm *
isakmp_cfg_newiv(iph1,msgid)1092 isakmp_cfg_newiv(iph1, msgid)
1093 struct ph1handle *iph1;
1094 u_int32_t msgid;
1095 {
1096 struct isakmp_cfg_state *ics = iph1->mode_cfg;
1097
1098 if (ics == NULL) {
1099 plog(LLV_ERROR, LOCATION, NULL,
1100 "isakmp_cfg_newiv called without mode config state\n");
1101 return NULL;
1102 }
1103
1104 if (ics->ivm != NULL)
1105 oakley_delivm(ics->ivm);
1106
1107 ics->ivm = oakley_newiv2(iph1, msgid);
1108 ics->last_msgid = msgid;
1109
1110 return ics->ivm;
1111 }
1112
1113 /* Derived from isakmp_info_send_common */
1114 int
isakmp_cfg_send(iph1,payload,np,flags,new_exchange)1115 isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
1116 struct ph1handle *iph1;
1117 vchar_t *payload;
1118 u_int32_t np;
1119 int flags;
1120 int new_exchange;
1121 {
1122 struct ph2handle *iph2 = NULL;
1123 vchar_t *hash = NULL;
1124 struct isakmp *isakmp;
1125 struct isakmp_gen *gen;
1126 char *p;
1127 int tlen;
1128 int error = -1;
1129 struct isakmp_cfg_state *ics = iph1->mode_cfg;
1130
1131 /* Check if phase 1 is established */
1132 if ((iph1->status != PHASE1ST_ESTABLISHED) ||
1133 (iph1->local == NULL) ||
1134 (iph1->remote == NULL)) {
1135 plog(LLV_ERROR, LOCATION, NULL,
1136 "ISAKMP mode config exchange with immature phase 1\n");
1137 goto end;
1138 }
1139
1140 /* add new entry to isakmp status table */
1141 iph2 = newph2();
1142 if (iph2 == NULL)
1143 goto end;
1144
1145 iph2->dst = dupsaddr(iph1->remote);
1146 if (iph2->dst == NULL) {
1147 delph2(iph2);
1148 goto end;
1149 }
1150 iph2->src = dupsaddr(iph1->local);
1151 if (iph2->src == NULL) {
1152 delph2(iph2);
1153 goto end;
1154 }
1155
1156 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
1157 if (set_port(iph2->dst, 0) == NULL ||
1158 set_port(iph2->src, 0) == NULL) {
1159 plog(LLV_ERROR, LOCATION, NULL,
1160 "invalid family: %d\n", iph1->remote->sa_family);
1161 delph2(iph2);
1162 goto end;
1163 }
1164 #endif
1165 iph2->ph1 = iph1;
1166 iph2->side = INITIATOR;
1167 iph2->status = PHASE2ST_START;
1168
1169 if (new_exchange)
1170 iph2->msgid = isakmp_newmsgid2(iph1);
1171 else
1172 iph2->msgid = iph1->msgid;
1173
1174 /* get IV and HASH(1) if skeyid_a was generated. */
1175 if (iph1->skeyid_a != NULL) {
1176 if (new_exchange) {
1177 if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) {
1178 delph2(iph2);
1179 goto end;
1180 }
1181 }
1182
1183 /* generate HASH(1) */
1184 hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
1185 if (hash == NULL) {
1186 delph2(iph2);
1187 goto end;
1188 }
1189
1190 /* initialized total buffer length */
1191 tlen = hash->l;
1192 tlen += sizeof(*gen);
1193 } else {
1194 /* IKE-SA is not established */
1195 hash = NULL;
1196
1197 /* initialized total buffer length */
1198 tlen = 0;
1199 }
1200 if ((flags & ISAKMP_FLAG_A) == 0)
1201 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
1202 else
1203 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
1204
1205 insph2(iph2);
1206 bindph12(iph1, iph2);
1207
1208 tlen += sizeof(*isakmp) + payload->l;
1209
1210 /* create buffer for isakmp payload */
1211 iph2->sendbuf = vmalloc(tlen);
1212 if (iph2->sendbuf == NULL) {
1213 plog(LLV_ERROR, LOCATION, NULL,
1214 "failed to get buffer to send.\n");
1215 goto err;
1216 }
1217
1218 /* create isakmp header */
1219 isakmp = (struct isakmp *)iph2->sendbuf->v;
1220 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
1221 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
1222 isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
1223 isakmp->v = iph1->version;
1224 isakmp->etype = ISAKMP_ETYPE_CFG;
1225 isakmp->flags = iph2->flags;
1226 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
1227 isakmp->len = htonl(tlen);
1228 p = (char *)(isakmp + 1);
1229
1230 /* create HASH payload */
1231 if (hash != NULL) {
1232 gen = (struct isakmp_gen *)p;
1233 gen->np = np & 0xff;
1234 gen->len = htons(sizeof(*gen) + hash->l);
1235 p += sizeof(*gen);
1236 memcpy(p, hash->v, hash->l);
1237 p += hash->l;
1238 }
1239
1240 /* add payload */
1241 memcpy(p, payload->v, payload->l);
1242 p += payload->l;
1243
1244 #ifdef HAVE_PRINT_ISAKMP_C
1245 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
1246 #endif
1247
1248 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n");
1249 plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l);
1250
1251 /* encoding */
1252 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
1253 vchar_t *tmp;
1254
1255 tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf,
1256 ics->ivm->ive, ics->ivm->iv);
1257 VPTRINIT(iph2->sendbuf);
1258 if (tmp == NULL)
1259 goto err;
1260 iph2->sendbuf = tmp;
1261 }
1262
1263 /* HDR*, HASH(1), ATTR */
1264 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
1265 VPTRINIT(iph2->sendbuf);
1266 goto err;
1267 }
1268
1269 plog(LLV_DEBUG, LOCATION, NULL,
1270 "sendto mode config %s.\n", s_isakmp_nptype(np));
1271
1272 /*
1273 * XXX We might need to resend the message...
1274 */
1275
1276 error = 0;
1277 VPTRINIT(iph2->sendbuf);
1278
1279 err:
1280 if (iph2->sendbuf != NULL)
1281 vfree(iph2->sendbuf);
1282
1283 unbindph12(iph2);
1284 remph2(iph2);
1285 delph2(iph2);
1286 end:
1287 if (hash)
1288 vfree(hash);
1289 return error;
1290 }
1291
1292
1293 void
isakmp_cfg_rmstate(iph1)1294 isakmp_cfg_rmstate(iph1)
1295 struct ph1handle *iph1;
1296 {
1297 struct isakmp_cfg_state *state = iph1->mode_cfg;
1298
1299 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0)
1300 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
1301
1302 if (state->flags & ISAKMP_CFG_PORT_ALLOCATED)
1303 isakmp_cfg_putport(iph1, state->port);
1304
1305 /* Delete the IV if it's still there */
1306 if(iph1->mode_cfg->ivm) {
1307 oakley_delivm(iph1->mode_cfg->ivm);
1308 iph1->mode_cfg->ivm = NULL;
1309 }
1310
1311 /* Free any allocated splitnet lists */
1312 if(iph1->mode_cfg->split_include != NULL)
1313 splitnet_list_free(iph1->mode_cfg->split_include,
1314 &iph1->mode_cfg->include_count);
1315 if(iph1->mode_cfg->split_local != NULL)
1316 splitnet_list_free(iph1->mode_cfg->split_local,
1317 &iph1->mode_cfg->local_count);
1318
1319 xauth_rmstate(&state->xauth);
1320
1321 racoon_free(state);
1322 iph1->mode_cfg = NULL;
1323
1324 return;
1325 }
1326
1327 struct isakmp_cfg_state *
isakmp_cfg_mkstate(void)1328 isakmp_cfg_mkstate(void)
1329 {
1330 struct isakmp_cfg_state *state;
1331
1332 if ((state = racoon_malloc(sizeof(*state))) == NULL) {
1333 plog(LLV_ERROR, LOCATION, NULL,
1334 "Cannot allocate memory for mode config state\n");
1335 return NULL;
1336 }
1337 memset(state, 0, sizeof(*state));
1338
1339 return state;
1340 }
1341
1342 int
isakmp_cfg_getport(iph1)1343 isakmp_cfg_getport(iph1)
1344 struct ph1handle *iph1;
1345 {
1346 unsigned int i;
1347 size_t size = isakmp_cfg_config.pool_size;
1348
1349 if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED)
1350 return iph1->mode_cfg->port;
1351
1352 if (isakmp_cfg_config.port_pool == NULL) {
1353 plog(LLV_ERROR, LOCATION, NULL,
1354 "isakmp_cfg_config.port_pool == NULL\n");
1355 return -1;
1356 }
1357
1358 for (i = 0; i < size; i++) {
1359 if (isakmp_cfg_config.port_pool[i].used == 0)
1360 break;
1361 }
1362
1363 if (i == size) {
1364 plog(LLV_ERROR, LOCATION, NULL,
1365 "No more addresses available\n");
1366 return -1;
1367 }
1368
1369 isakmp_cfg_config.port_pool[i].used = 1;
1370
1371 plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i);
1372
1373 iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
1374 iph1->mode_cfg->port = i;
1375
1376 return i;
1377 }
1378
1379 int
isakmp_cfg_putport(iph1,index)1380 isakmp_cfg_putport(iph1, index)
1381 struct ph1handle *iph1;
1382 unsigned int index;
1383 {
1384 if (isakmp_cfg_config.port_pool == NULL) {
1385 plog(LLV_ERROR, LOCATION, NULL,
1386 "isakmp_cfg_config.port_pool == NULL\n");
1387 return -1;
1388 }
1389
1390 if (isakmp_cfg_config.port_pool[index].used == 0) {
1391 plog(LLV_ERROR, LOCATION, NULL,
1392 "Attempt to release an unallocated address (port %d)\n",
1393 index);
1394 return -1;
1395 }
1396
1397 #ifdef HAVE_LIBPAM
1398 /* Cleanup PAM status associated with the port */
1399 if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM)
1400 privsep_cleanup_pam(index);
1401 #endif
1402 isakmp_cfg_config.port_pool[index].used = 0;
1403 iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
1404
1405 plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index);
1406
1407 return 0;
1408 }
1409
1410 #ifdef HAVE_LIBPAM
1411 void
cleanup_pam(port)1412 cleanup_pam(port)
1413 int port;
1414 {
1415 if (isakmp_cfg_config.port_pool[port].pam != NULL) {
1416 pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS);
1417 isakmp_cfg_config.port_pool[port].pam = NULL;
1418 }
1419
1420 return;
1421 }
1422 #endif
1423
1424 /* Accounting, only for RADIUS or PAM */
1425 static int
isakmp_cfg_accounting(iph1,inout)1426 isakmp_cfg_accounting(iph1, inout)
1427 struct ph1handle *iph1;
1428 int inout;
1429 {
1430 #ifdef HAVE_LIBPAM
1431 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM)
1432 return privsep_accounting_pam(iph1->mode_cfg->port,
1433 inout);
1434 #endif
1435 #ifdef HAVE_LIBRADIUS
1436 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
1437 return isakmp_cfg_accounting_radius(iph1, inout);
1438 #endif
1439 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
1440 return privsep_accounting_system(iph1->mode_cfg->port,
1441 iph1->remote, iph1->mode_cfg->login, inout);
1442 return 0;
1443 }
1444
1445 #ifdef HAVE_LIBPAM
1446 int
isakmp_cfg_accounting_pam(port,inout)1447 isakmp_cfg_accounting_pam(port, inout)
1448 int port;
1449 int inout;
1450 {
1451 int error = 0;
1452 pam_handle_t *pam;
1453
1454 if (isakmp_cfg_config.port_pool == NULL) {
1455 plog(LLV_ERROR, LOCATION, NULL,
1456 "isakmp_cfg_config.port_pool == NULL\n");
1457 return -1;
1458 }
1459
1460 pam = isakmp_cfg_config.port_pool[port].pam;
1461 if (pam == NULL) {
1462 plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n");
1463 return -1;
1464 }
1465
1466 switch (inout) {
1467 case ISAKMP_CFG_LOGIN:
1468 error = pam_open_session(pam, 0);
1469 break;
1470 case ISAKMP_CFG_LOGOUT:
1471 error = pam_close_session(pam, 0);
1472 pam_end(pam, error);
1473 isakmp_cfg_config.port_pool[port].pam = NULL;
1474 break;
1475 default:
1476 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1477 break;
1478 }
1479
1480 if (error != 0) {
1481 plog(LLV_ERROR, LOCATION, NULL,
1482 "pam_open_session/pam_close_session failed: %s\n",
1483 pam_strerror(pam, error));
1484 return -1;
1485 }
1486
1487 return 0;
1488 }
1489 #endif /* HAVE_LIBPAM */
1490
1491 #ifdef HAVE_LIBRADIUS
1492 static int
isakmp_cfg_accounting_radius(iph1,inout)1493 isakmp_cfg_accounting_radius(iph1, inout)
1494 struct ph1handle *iph1;
1495 int inout;
1496 {
1497 /* For first time use, initialize Radius */
1498 if (radius_acct_state == NULL) {
1499 if ((radius_acct_state = rad_acct_open()) == NULL) {
1500 plog(LLV_ERROR, LOCATION, NULL,
1501 "Cannot init librradius\n");
1502 return -1;
1503 }
1504
1505 if (rad_config(radius_acct_state, NULL) != 0) {
1506 plog(LLV_ERROR, LOCATION, NULL,
1507 "Cannot open librarius config file: %s\n",
1508 rad_strerror(radius_acct_state));
1509 rad_close(radius_acct_state);
1510 radius_acct_state = NULL;
1511 return -1;
1512 }
1513 }
1514
1515 if (rad_create_request(radius_acct_state,
1516 RAD_ACCOUNTING_REQUEST) != 0) {
1517 plog(LLV_ERROR, LOCATION, NULL,
1518 "rad_create_request failed: %s\n",
1519 rad_strerror(radius_acct_state));
1520 return -1;
1521 }
1522
1523 if (rad_put_string(radius_acct_state, RAD_USER_NAME,
1524 iph1->mode_cfg->login) != 0) {
1525 plog(LLV_ERROR, LOCATION, NULL,
1526 "rad_put_string failed: %s\n",
1527 rad_strerror(radius_acct_state));
1528 return -1;
1529 }
1530
1531 switch (inout) {
1532 case ISAKMP_CFG_LOGIN:
1533 inout = RAD_START;
1534 break;
1535 case ISAKMP_CFG_LOGOUT:
1536 inout = RAD_STOP;
1537 break;
1538 default:
1539 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1540 break;
1541 }
1542
1543 if (rad_put_addr(radius_acct_state,
1544 RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) {
1545 plog(LLV_ERROR, LOCATION, NULL,
1546 "rad_put_addr failed: %s\n",
1547 rad_strerror(radius_acct_state));
1548 return -1;
1549 }
1550
1551 if (rad_put_addr(radius_acct_state,
1552 RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) {
1553 plog(LLV_ERROR, LOCATION, NULL,
1554 "rad_put_addr failed: %s\n",
1555 rad_strerror(radius_acct_state));
1556 return -1;
1557 }
1558
1559 if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) {
1560 plog(LLV_ERROR, LOCATION, NULL,
1561 "rad_put_int failed: %s\n",
1562 rad_strerror(radius_acct_state));
1563 return -1;
1564 }
1565
1566 if (isakmp_cfg_radius_common(radius_acct_state,
1567 iph1->mode_cfg->port) != 0)
1568 return -1;
1569
1570 if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) {
1571 plog(LLV_ERROR, LOCATION, NULL,
1572 "rad_send_request failed: %s\n",
1573 rad_strerror(radius_acct_state));
1574 return -1;
1575 }
1576
1577 return 0;
1578 }
1579 #endif /* HAVE_LIBRADIUS */
1580
1581 /*
1582 * Attributes common to all RADIUS requests
1583 */
1584 #ifdef HAVE_LIBRADIUS
1585 int
isakmp_cfg_radius_common(radius_state,port)1586 isakmp_cfg_radius_common(radius_state, port)
1587 struct rad_handle *radius_state;
1588 int port;
1589 {
1590 struct utsname name;
1591 static struct hostent *host = NULL;
1592 struct in_addr nas_addr;
1593
1594 /*
1595 * Find our own IP by resolving our nodename
1596 */
1597 if (host == NULL) {
1598 if (uname(&name) != 0) {
1599 plog(LLV_ERROR, LOCATION, NULL,
1600 "uname failed: %s\n", strerror(errno));
1601 return -1;
1602 }
1603
1604 if ((host = gethostbyname(name.nodename)) == NULL) {
1605 plog(LLV_ERROR, LOCATION, NULL,
1606 "gethostbyname failed: %s\n", strerror(errno));
1607 return -1;
1608 }
1609 }
1610
1611 memcpy(&nas_addr, host->h_addr, sizeof(nas_addr));
1612 if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) {
1613 plog(LLV_ERROR, LOCATION, NULL,
1614 "rad_put_addr failed: %s\n",
1615 rad_strerror(radius_state));
1616 return -1;
1617 }
1618
1619 if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) {
1620 plog(LLV_ERROR, LOCATION, NULL,
1621 "rad_put_int failed: %s\n",
1622 rad_strerror(radius_state));
1623 return -1;
1624 }
1625
1626 if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) {
1627 plog(LLV_ERROR, LOCATION, NULL,
1628 "rad_put_int failed: %s\n",
1629 rad_strerror(radius_state));
1630 return -1;
1631 }
1632
1633 if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) {
1634 plog(LLV_ERROR, LOCATION, NULL,
1635 "rad_put_int failed: %s\n",
1636 rad_strerror(radius_state));
1637 return -1;
1638 }
1639
1640 return 0;
1641 }
1642 #endif
1643
1644 #ifndef ANDROID_PATCHED
1645
1646 /*
1647 Logs the user into the utmp system files.
1648 */
1649
1650 int
isakmp_cfg_accounting_system(port,raddr,usr,inout)1651 isakmp_cfg_accounting_system(port, raddr, usr, inout)
1652 int port;
1653 struct sockaddr *raddr;
1654 char *usr;
1655 int inout;
1656 {
1657 int error = 0;
1658 struct utmp ut;
1659 char term[UT_LINESIZE];
1660 char addr[NI_MAXHOST];
1661
1662 if (usr == NULL || usr[0]=='\0') {
1663 plog(LLV_ERROR, LOCATION, NULL,
1664 "system accounting : no login found\n");
1665 return -1;
1666 }
1667
1668 sprintf(term, TERMSPEC, port);
1669
1670 switch (inout) {
1671 case ISAKMP_CFG_LOGIN:
1672 strncpy(ut.ut_name, usr, UT_NAMESIZE);
1673 ut.ut_name[UT_NAMESIZE - 1] = '\0';
1674
1675 strncpy(ut.ut_line, term, UT_LINESIZE);
1676 ut.ut_line[UT_LINESIZE - 1] = '\0';
1677
1678 GETNAMEINFO_NULL(raddr, addr);
1679 strncpy(ut.ut_host, addr, UT_HOSTSIZE);
1680 ut.ut_host[UT_HOSTSIZE - 1] = '\0';
1681
1682 ut.ut_time = time(NULL);
1683
1684 plog(LLV_INFO, LOCATION, NULL,
1685 "Accounting : '%s' logging on '%s' from %s.\n",
1686 ut.ut_name, ut.ut_line, ut.ut_host);
1687
1688 login(&ut);
1689
1690 break;
1691 case ISAKMP_CFG_LOGOUT:
1692
1693 plog(LLV_INFO, LOCATION, NULL,
1694 "Accounting : '%s' unlogging from '%s'.\n",
1695 usr, term);
1696
1697 logout(term);
1698
1699 break;
1700 default:
1701 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1702 break;
1703 }
1704
1705 return 0;
1706 }
1707
1708 #endif
1709
1710 int
isakmp_cfg_getconfig(iph1)1711 isakmp_cfg_getconfig(iph1)
1712 struct ph1handle *iph1;
1713 {
1714 vchar_t *buffer;
1715 struct isakmp_pl_attr *attrpl;
1716 struct isakmp_data *attr;
1717 size_t len;
1718 int error;
1719 int attrcount;
1720 int i;
1721 int attrlist[] = {
1722 INTERNAL_IP4_ADDRESS,
1723 INTERNAL_IP4_NETMASK,
1724 INTERNAL_IP4_DNS,
1725 INTERNAL_IP4_NBNS,
1726 UNITY_BANNER,
1727 UNITY_DEF_DOMAIN,
1728 UNITY_SPLITDNS_NAME,
1729 UNITY_SPLIT_INCLUDE,
1730 UNITY_LOCAL_LAN,
1731 APPLICATION_VERSION,
1732 };
1733
1734 attrcount = sizeof(attrlist) / sizeof(*attrlist);
1735 len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
1736
1737 if ((buffer = vmalloc(len)) == NULL) {
1738 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1739 return -1;
1740 }
1741
1742 attrpl = (struct isakmp_pl_attr *)buffer->v;
1743 attrpl->h.len = htons(len);
1744 attrpl->type = ISAKMP_CFG_REQUEST;
1745 attrpl->id = htons((u_int16_t)(eay_random() & 0xffff));
1746
1747 attr = (struct isakmp_data *)(attrpl + 1);
1748
1749 for (i = 0; i < attrcount; i++) {
1750 attr->type = htons(attrlist[i]);
1751 attr->lorv = htons(0);
1752 attr++;
1753 }
1754
1755 plog(LLV_DEBUG, LOCATION, NULL,
1756 "Sending MODE_CFG REQUEST\n");
1757
1758 error = isakmp_cfg_send(iph1, buffer,
1759 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
1760
1761 vfree(buffer);
1762
1763 return error;
1764 }
1765
1766 static void
isakmp_cfg_getaddr4(attr,ip)1767 isakmp_cfg_getaddr4(attr, ip)
1768 struct isakmp_data *attr;
1769 struct in_addr *ip;
1770 {
1771 size_t alen = ntohs(attr->lorv);
1772 in_addr_t *addr;
1773
1774 if (alen != sizeof(*ip)) {
1775 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
1776 return;
1777 }
1778
1779 addr = (in_addr_t *)(attr + 1);
1780 ip->s_addr = *addr;
1781
1782 return;
1783 }
1784
1785 static void
isakmp_cfg_appendaddr4(attr,ip,num,max)1786 isakmp_cfg_appendaddr4(attr, ip, num, max)
1787 struct isakmp_data *attr;
1788 struct in_addr *ip;
1789 int *num;
1790 int max;
1791 {
1792 size_t alen = ntohs(attr->lorv);
1793 in_addr_t *addr;
1794
1795 if (alen != sizeof(*ip)) {
1796 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
1797 return;
1798 }
1799 if (*num == max) {
1800 plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n");
1801 return;
1802 }
1803
1804 addr = (in_addr_t *)(attr + 1);
1805 ip->s_addr = *addr;
1806 (*num)++;
1807
1808 return;
1809 }
1810
1811 static void
isakmp_cfg_getstring(attr,str)1812 isakmp_cfg_getstring(attr, str)
1813 struct isakmp_data *attr;
1814 char *str;
1815 {
1816 size_t alen = ntohs(attr->lorv);
1817 char *src;
1818 src = (char *)(attr + 1);
1819
1820 memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen));
1821
1822 return;
1823 }
1824
1825 #define IP_MAX 40
1826
1827 void
isakmp_cfg_iplist_to_str(dest,count,addr,withmask)1828 isakmp_cfg_iplist_to_str(dest, count, addr, withmask)
1829 char *dest;
1830 int count;
1831 void *addr;
1832 int withmask;
1833 {
1834 int i;
1835 int p;
1836 int l;
1837 struct unity_network tmp;
1838 for(i = 0, p = 0; i < count; i++) {
1839 if(withmask == 1)
1840 l = sizeof(struct unity_network);
1841 else
1842 l = sizeof(struct in_addr);
1843 memcpy(&tmp, addr, l);
1844 #if defined(ANDROID_CHANGES)
1845 addr = ((uint8_t*) addr) + l;
1846 #else
1847 addr += l;
1848 #endif
1849 if((uint32_t)tmp.addr4.s_addr == 0)
1850 break;
1851
1852 inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX);
1853 p += strlen(dest + p);
1854 if(withmask == 1) {
1855 dest[p] = '/';
1856 p++;
1857 inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX);
1858 p += strlen(dest + p);
1859 }
1860 dest[p] = ' ';
1861 p++;
1862 }
1863 if(p > 0)
1864 dest[p-1] = '\0';
1865 else
1866 dest[0] = '\0';
1867 }
1868
1869 int
isakmp_cfg_setenv(iph1,envp,envc)1870 isakmp_cfg_setenv(iph1, envp, envc)
1871 struct ph1handle *iph1;
1872 char ***envp;
1873 int *envc;
1874 {
1875 char addrstr[IP_MAX];
1876 char addrlist[IP_MAX * MAXNS + MAXNS];
1877 char *splitlist = addrlist;
1878 char *splitlist_cidr;
1879 char defdom[MAXPATHLEN + 1];
1880 int cidr, tmp;
1881 char cidrstr[4];
1882 int i, p;
1883 int test;
1884
1885 plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
1886
1887 /*
1888 * Internal IPv4 address, either if
1889 * we are a client or a server.
1890 */
1891 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
1892 #ifdef HAVE_LIBLDAP
1893 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
1894 #endif
1895 #ifdef HAVE_LIBRADIUS
1896 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
1897 #endif
1898 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
1899 inet_ntop(AF_INET, &iph1->mode_cfg->addr4,
1900 addrstr, IP_MAX);
1901 } else
1902 addrstr[0] = '\0';
1903
1904 if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) {
1905 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n");
1906 return -1;
1907 }
1908
1909 if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) {
1910 if (script_env_append(envp, envc, "XAUTH_USER",
1911 iph1->mode_cfg->xauth.authdata.generic.usr) != 0) {
1912 plog(LLV_ERROR, LOCATION, NULL,
1913 "Cannot set XAUTH_USER\n");
1914 return -1;
1915 }
1916 }
1917
1918 /* Internal IPv4 mask */
1919 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4)
1920 inet_ntop(AF_INET, &iph1->mode_cfg->mask4,
1921 addrstr, IP_MAX);
1922 else
1923 addrstr[0] = '\0';
1924
1925 /*
1926 * During several releases, documentation adverised INTERNAL_NETMASK4
1927 * while code was using INTERNAL_MASK4. We now do both.
1928 */
1929
1930 if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) {
1931 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
1932 return -1;
1933 }
1934
1935 if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) {
1936 plog(LLV_ERROR, LOCATION, NULL,
1937 "Cannot set INTERNAL_NETMASK4\n");
1938 return -1;
1939 }
1940
1941 tmp = ntohl(iph1->mode_cfg->mask4.s_addr);
1942 for (cidr = 0; tmp != 0; cidr++)
1943 tmp <<= 1;
1944 snprintf(cidrstr, 3, "%d", cidr);
1945
1946 if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) {
1947 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n");
1948 return -1;
1949 }
1950
1951 /* Internal IPv4 DNS */
1952 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) {
1953 /* First Internal IPv4 DNS (for compatibilty with older code */
1954 inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0],
1955 addrstr, IP_MAX);
1956
1957 /* Internal IPv4 DNS - all */
1958 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index,
1959 (void *)iph1->mode_cfg->dns4, 0);
1960 } else {
1961 addrstr[0] = '\0';
1962 addrlist[0] = '\0';
1963 }
1964
1965 if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) {
1966 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n");
1967 return -1;
1968 }
1969 if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) {
1970 plog(LLV_ERROR, LOCATION, NULL,
1971 "Cannot set INTERNAL_DNS4_LIST\n");
1972 return -1;
1973 }
1974
1975 /* Internal IPv4 WINS */
1976 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) {
1977 /*
1978 * First Internal IPv4 WINS
1979 * (for compatibilty with older code
1980 */
1981 inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0],
1982 addrstr, IP_MAX);
1983
1984 /* Internal IPv4 WINS - all */
1985 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index,
1986 (void *)iph1->mode_cfg->wins4, 0);
1987 } else {
1988 addrstr[0] = '\0';
1989 addrlist[0] = '\0';
1990 }
1991
1992 if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) {
1993 plog(LLV_ERROR, LOCATION, NULL,
1994 "Cannot set INTERNAL_WINS4\n");
1995 return -1;
1996 }
1997 if (script_env_append(envp, envc,
1998 "INTERNAL_WINS4_LIST", addrlist) != 0) {
1999 plog(LLV_ERROR, LOCATION, NULL,
2000 "Cannot set INTERNAL_WINS4_LIST\n");
2001 return -1;
2002 }
2003
2004 /* Deault domain */
2005 if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN)
2006 strncpy(defdom,
2007 iph1->mode_cfg->default_domain,
2008 MAXPATHLEN + 1);
2009 else
2010 defdom[0] = '\0';
2011
2012 if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) {
2013 plog(LLV_ERROR, LOCATION, NULL,
2014 "Cannot set DEFAULT_DOMAIN\n");
2015 return -1;
2016 }
2017
2018 /* Split networks */
2019 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) {
2020 splitlist =
2021 splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK);
2022 splitlist_cidr =
2023 splitnet_list_2str(iph1->mode_cfg->split_include, CIDR);
2024 } else {
2025 splitlist = addrlist;
2026 splitlist_cidr = addrlist;
2027 addrlist[0] = '\0';
2028 }
2029
2030 if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
2031 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
2032 return -1;
2033 }
2034 if (script_env_append(envp, envc,
2035 "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) {
2036 plog(LLV_ERROR, LOCATION, NULL,
2037 "Cannot set SPLIT_INCLUDE_CIDR\n");
2038 return -1;
2039 }
2040 if (splitlist != addrlist)
2041 racoon_free(splitlist);
2042 if (splitlist_cidr != addrlist)
2043 racoon_free(splitlist_cidr);
2044
2045 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) {
2046 splitlist =
2047 splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK);
2048 splitlist_cidr =
2049 splitnet_list_2str(iph1->mode_cfg->split_local, CIDR);
2050 } else {
2051 splitlist = addrlist;
2052 splitlist_cidr = addrlist;
2053 addrlist[0] = '\0';
2054 }
2055
2056 if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
2057 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
2058 return -1;
2059 }
2060 if (script_env_append(envp, envc,
2061 "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) {
2062 plog(LLV_ERROR, LOCATION, NULL,
2063 "Cannot set SPLIT_LOCAL_CIDR\n");
2064 return -1;
2065 }
2066 if (splitlist != addrlist)
2067 racoon_free(splitlist);
2068 if (splitlist_cidr != addrlist)
2069 racoon_free(splitlist_cidr);
2070
2071 return 0;
2072 }
2073
2074 int
isakmp_cfg_resize_pool(size)2075 isakmp_cfg_resize_pool(size)
2076 int size;
2077 {
2078 struct isakmp_cfg_port *new_pool;
2079 size_t len;
2080 int i;
2081
2082 if (size == isakmp_cfg_config.pool_size)
2083 return 0;
2084
2085 plog(LLV_INFO, LOCATION, NULL,
2086 "Resize address pool from %zu to %d\n",
2087 isakmp_cfg_config.pool_size, size);
2088
2089 /* If a pool already exists, check if we can shrink it */
2090 if ((isakmp_cfg_config.port_pool != NULL) &&
2091 (size < isakmp_cfg_config.pool_size)) {
2092 for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) {
2093 if (isakmp_cfg_config.port_pool[i].used) {
2094 plog(LLV_ERROR, LOCATION, NULL,
2095 "resize pool from %zu to %d impossible "
2096 "port %d is in use\n",
2097 isakmp_cfg_config.pool_size, size, i);
2098 size = i;
2099 break;
2100 }
2101 }
2102 }
2103
2104 len = size * sizeof(*isakmp_cfg_config.port_pool);
2105 new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
2106 if (new_pool == NULL) {
2107 plog(LLV_ERROR, LOCATION, NULL,
2108 "resize pool from %zu to %d impossible: %s",
2109 isakmp_cfg_config.pool_size, size, strerror(errno));
2110 return -1;
2111 }
2112
2113 /* If size increase, intialize correctly the new records */
2114 if (size > isakmp_cfg_config.pool_size) {
2115 size_t unit;
2116 size_t old_size;
2117
2118 unit = sizeof(*isakmp_cfg_config.port_pool);
2119 old_size = isakmp_cfg_config.pool_size;
2120
2121 bzero((char *)new_pool + (old_size * unit),
2122 (size - old_size) * unit);
2123 }
2124
2125 isakmp_cfg_config.port_pool = new_pool;
2126 isakmp_cfg_config.pool_size = size;
2127
2128 return 0;
2129 }
2130
2131 int
isakmp_cfg_init(cold)2132 isakmp_cfg_init(cold)
2133 int cold;
2134 {
2135 int i;
2136 int error;
2137
2138 isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
2139 isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
2140 for (i = 0; i < MAXNS; i++)
2141 isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000;
2142 isakmp_cfg_config.dns4_index = 0;
2143 for (i = 0; i < MAXWINS; i++)
2144 isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000;
2145 isakmp_cfg_config.nbns4_index = 0;
2146 if (cold == ISAKMP_CFG_INIT_COLD)
2147 isakmp_cfg_config.port_pool = NULL;
2148 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
2149 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
2150 if (cold == ISAKMP_CFG_INIT_COLD) {
2151 if (isakmp_cfg_config.grouplist != NULL) {
2152 for (i = 0; i < isakmp_cfg_config.groupcount; i++)
2153 racoon_free(isakmp_cfg_config.grouplist[i]);
2154 racoon_free(isakmp_cfg_config.grouplist);
2155 }
2156 }
2157 isakmp_cfg_config.grouplist = NULL;
2158 isakmp_cfg_config.groupcount = 0;
2159 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
2160 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
2161 if (cold == ISAKMP_CFG_INIT_COLD)
2162 isakmp_cfg_config.pool_size = 0;
2163 isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY;
2164 strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN,
2165 MAXPATHLEN);
2166 strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN);
2167
2168 if (cold != ISAKMP_CFG_INIT_COLD )
2169 if (isakmp_cfg_config.splitnet_list != NULL)
2170 splitnet_list_free(isakmp_cfg_config.splitnet_list,
2171 &isakmp_cfg_config.splitnet_count);
2172 isakmp_cfg_config.splitnet_list = NULL;
2173 isakmp_cfg_config.splitnet_count = 0;
2174 isakmp_cfg_config.splitnet_type = 0;
2175
2176 isakmp_cfg_config.pfs_group = 0;
2177 isakmp_cfg_config.save_passwd = 0;
2178
2179 if (cold != ISAKMP_CFG_INIT_COLD )
2180 if (isakmp_cfg_config.splitdns_list != NULL)
2181 racoon_free(isakmp_cfg_config.splitdns_list);
2182 isakmp_cfg_config.splitdns_list = NULL;
2183 isakmp_cfg_config.splitdns_len = 0;
2184
2185 #if 0
2186 if (cold == ISAKMP_CFG_INIT_COLD) {
2187 if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
2188 return error;
2189 }
2190 #endif
2191
2192 return 0;
2193 }
2194
2195