1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | |
---|
3 | /* $NetBSD: isakmp_cfg.c,v 1.24.4.1 2013/04/12 10:04:21 tteras Exp $ */ |
---|
4 | |
---|
5 | /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */ |
---|
6 | |
---|
7 | /* |
---|
8 | * Copyright (C) 2004-2006 Emmanuel Dreyfus |
---|
9 | * All rights reserved. |
---|
10 | * |
---|
11 | * Redistribution and use in source and binary forms, with or without |
---|
12 | * modification, are permitted provided that the following conditions |
---|
13 | * are met: |
---|
14 | * 1. Redistributions of source code must retain the above copyright |
---|
15 | * notice, this list of conditions and the following disclaimer. |
---|
16 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
17 | * notice, this list of conditions and the following disclaimer in the |
---|
18 | * documentation and/or other materials provided with the distribution. |
---|
19 | * 3. Neither the name of the project nor the names of its contributors |
---|
20 | * may be used to endorse or promote products derived from this software |
---|
21 | * without specific prior written permission. |
---|
22 | * |
---|
23 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
24 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
33 | * SUCH DAMAGE. |
---|
34 | */ |
---|
35 | |
---|
36 | #include "config.h" |
---|
37 | |
---|
38 | #include <sys/types.h> |
---|
39 | #include <sys/param.h> |
---|
40 | #include <sys/socket.h> |
---|
41 | #include <sys/queue.h> |
---|
42 | |
---|
43 | #if __FreeBSD_version >= 900007 |
---|
44 | #include <utmpx.h> |
---|
45 | #endif |
---|
46 | #if defined(__APPLE__) && defined(__MACH__) |
---|
47 | #include <util.h> |
---|
48 | #endif |
---|
49 | |
---|
50 | #ifdef __FreeBSD__ |
---|
51 | # include <libutil.h> |
---|
52 | #endif |
---|
53 | #ifdef __NetBSD__ |
---|
54 | # include <util.h> |
---|
55 | #endif |
---|
56 | |
---|
57 | #include <netinet/in.h> |
---|
58 | #include <arpa/inet.h> |
---|
59 | |
---|
60 | #include <stdlib.h> |
---|
61 | #include <stdio.h> |
---|
62 | #include <string.h> |
---|
63 | #include <errno.h> |
---|
64 | #if TIME_WITH_SYS_TIME |
---|
65 | # include <sys/time.h> |
---|
66 | # include <time.h> |
---|
67 | #else |
---|
68 | # if HAVE_SYS_TIME_H |
---|
69 | # include <sys/time.h> |
---|
70 | # else |
---|
71 | # include <time.h> |
---|
72 | # endif |
---|
73 | #endif |
---|
74 | #include <netdb.h> |
---|
75 | #ifdef HAVE_UNISTD_H |
---|
76 | #include <unistd.h> |
---|
77 | #endif |
---|
78 | #if HAVE_STDINT_H |
---|
79 | #include <stdint.h> |
---|
80 | #endif |
---|
81 | #include <ctype.h> |
---|
82 | #include <resolv.h> |
---|
83 | |
---|
84 | #ifdef HAVE_LIBRADIUS |
---|
85 | #include <sys/utsname.h> |
---|
86 | #include <radlib.h> |
---|
87 | #endif |
---|
88 | |
---|
89 | #include "var.h" |
---|
90 | #include "misc.h" |
---|
91 | #include "vmbuf.h" |
---|
92 | #include "plog.h" |
---|
93 | #include "sockmisc.h" |
---|
94 | #include "schedule.h" |
---|
95 | #include "debug.h" |
---|
96 | |
---|
97 | #include "isakmp_var.h" |
---|
98 | #include "isakmp.h" |
---|
99 | #include "handler.h" |
---|
100 | #include "evt.h" |
---|
101 | #include "throttle.h" |
---|
102 | #include "remoteconf.h" |
---|
103 | #include "crypto_openssl.h" |
---|
104 | #include "isakmp_inf.h" |
---|
105 | #include "isakmp_xauth.h" |
---|
106 | #include "isakmp_unity.h" |
---|
107 | #include "isakmp_cfg.h" |
---|
108 | #include "strnames.h" |
---|
109 | #include "admin.h" |
---|
110 | #include "privsep.h" |
---|
111 | |
---|
112 | struct isakmp_cfg_config isakmp_cfg_config; |
---|
113 | |
---|
114 | static vchar_t *buffer_cat(vchar_t *s, vchar_t *append); |
---|
115 | static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *); |
---|
116 | #if 0 |
---|
117 | static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *); |
---|
118 | #endif |
---|
119 | static vchar_t *isakmp_cfg_addr4(struct ph1handle *, |
---|
120 | struct isakmp_data *, in_addr_t *); |
---|
121 | static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, |
---|
122 | struct isakmp_data *, in_addr_t *, in_addr_t *); |
---|
123 | static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); |
---|
124 | static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, |
---|
125 | struct isakmp_data *, in_addr_t *, int); |
---|
126 | static void isakmp_cfg_appendaddr4(struct isakmp_data *, |
---|
127 | struct in_addr *, int *, int); |
---|
128 | static void isakmp_cfg_getstring(struct isakmp_data *,char *); |
---|
129 | void isakmp_cfg_iplist_to_str(char *, int, void *, int); |
---|
130 | |
---|
131 | #define ISAKMP_CFG_LOGIN 1 |
---|
132 | #define ISAKMP_CFG_LOGOUT 2 |
---|
133 | static int isakmp_cfg_accounting(struct ph1handle *, int); |
---|
134 | #ifdef HAVE_LIBRADIUS |
---|
135 | static int isakmp_cfg_accounting_radius(struct ph1handle *, int); |
---|
136 | #endif |
---|
137 | |
---|
138 | /* |
---|
139 | * Handle an ISAKMP config mode packet |
---|
140 | * We expect HDR, HASH, ATTR |
---|
141 | */ |
---|
142 | void |
---|
143 | isakmp_cfg_r(iph1, msg) |
---|
144 | struct ph1handle *iph1; |
---|
145 | vchar_t *msg; |
---|
146 | { |
---|
147 | struct isakmp *packet; |
---|
148 | struct isakmp_gen *ph; |
---|
149 | int tlen; |
---|
150 | char *npp; |
---|
151 | int np; |
---|
152 | vchar_t *dmsg; |
---|
153 | struct isakmp_ivm *ivm; |
---|
154 | |
---|
155 | /* Check that the packet is long enough to have a header */ |
---|
156 | if (msg->l < sizeof(*packet)) { |
---|
157 | plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n"); |
---|
158 | return; |
---|
159 | } |
---|
160 | |
---|
161 | packet = (struct isakmp *)msg->v; |
---|
162 | |
---|
163 | /* Is it encrypted? It should be encrypted */ |
---|
164 | if ((packet->flags & ISAKMP_FLAG_E) == 0) { |
---|
165 | plog(LLV_ERROR, LOCATION, NULL, |
---|
166 | "User credentials sent in cleartext!\n"); |
---|
167 | return; |
---|
168 | } |
---|
169 | |
---|
170 | /* |
---|
171 | * Decrypt the packet. If this is the beginning of a new |
---|
172 | * exchange, reinitialize the IV |
---|
173 | */ |
---|
174 | if (iph1->mode_cfg->ivm == NULL || |
---|
175 | iph1->mode_cfg->last_msgid != packet->msgid ) |
---|
176 | iph1->mode_cfg->ivm = |
---|
177 | isakmp_cfg_newiv(iph1, packet->msgid); |
---|
178 | ivm = iph1->mode_cfg->ivm; |
---|
179 | |
---|
180 | dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive); |
---|
181 | if (dmsg == NULL) { |
---|
182 | plog(LLV_ERROR, LOCATION, NULL, |
---|
183 | "failed to decrypt message\n"); |
---|
184 | return; |
---|
185 | } |
---|
186 | |
---|
187 | plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n"); |
---|
188 | plogdump(LLV_DEBUG, dmsg->v, dmsg->l); |
---|
189 | |
---|
190 | /* Now work with the decrypted packet */ |
---|
191 | packet = (struct isakmp *)dmsg->v; |
---|
192 | tlen = dmsg->l - sizeof(*packet); |
---|
193 | ph = (struct isakmp_gen *)(packet + 1); |
---|
194 | |
---|
195 | np = packet->np; |
---|
196 | while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) { |
---|
197 | /* Check that the payload header fits in the packet */ |
---|
198 | if (tlen < sizeof(*ph)) { |
---|
199 | plog(LLV_WARNING, LOCATION, NULL, |
---|
200 | "Short payload header\n"); |
---|
201 | goto out; |
---|
202 | } |
---|
203 | |
---|
204 | /* Check that the payload fits in the packet */ |
---|
205 | if (tlen < ntohs(ph->len)) { |
---|
206 | plog(LLV_WARNING, LOCATION, NULL, |
---|
207 | "Short payload\n"); |
---|
208 | goto out; |
---|
209 | } |
---|
210 | |
---|
211 | plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np); |
---|
212 | plogdump(LLV_DEBUG, ph, ntohs(ph->len)); |
---|
213 | |
---|
214 | switch(np) { |
---|
215 | case ISAKMP_NPTYPE_HASH: { |
---|
216 | vchar_t *check; |
---|
217 | vchar_t *payload; |
---|
218 | size_t plen; |
---|
219 | struct isakmp_gen *nph; |
---|
220 | |
---|
221 | plen = ntohs(ph->len); |
---|
222 | nph = (struct isakmp_gen *)((char *)ph + plen); |
---|
223 | plen = ntohs(nph->len); |
---|
224 | |
---|
225 | if ((payload = vmalloc(plen)) == NULL) { |
---|
226 | plog(LLV_ERROR, LOCATION, NULL, |
---|
227 | "Cannot allocate memory\n"); |
---|
228 | goto out; |
---|
229 | } |
---|
230 | memcpy(payload->v, nph, plen); |
---|
231 | |
---|
232 | if ((check = oakley_compute_hash1(iph1, |
---|
233 | packet->msgid, payload)) == NULL) { |
---|
234 | plog(LLV_ERROR, LOCATION, NULL, |
---|
235 | "Cannot compute hash\n"); |
---|
236 | vfree(payload); |
---|
237 | goto out; |
---|
238 | } |
---|
239 | |
---|
240 | if (memcmp(ph + 1, check->v, check->l) != 0) { |
---|
241 | plog(LLV_ERROR, LOCATION, NULL, |
---|
242 | "Hash verification failed\n"); |
---|
243 | vfree(payload); |
---|
244 | vfree(check); |
---|
245 | goto out; |
---|
246 | } |
---|
247 | vfree(payload); |
---|
248 | vfree(check); |
---|
249 | break; |
---|
250 | } |
---|
251 | case ISAKMP_NPTYPE_ATTR: { |
---|
252 | struct isakmp_pl_attr *attrpl; |
---|
253 | |
---|
254 | attrpl = (struct isakmp_pl_attr *)ph; |
---|
255 | isakmp_cfg_attr_r(iph1, packet->msgid, attrpl); |
---|
256 | |
---|
257 | break; |
---|
258 | } |
---|
259 | default: |
---|
260 | plog(LLV_WARNING, LOCATION, NULL, |
---|
261 | "Unexpected next payload %d\n", np); |
---|
262 | /* Skip to the next payload */ |
---|
263 | break; |
---|
264 | } |
---|
265 | |
---|
266 | /* Move to the next payload */ |
---|
267 | np = ph->np; |
---|
268 | tlen -= ntohs(ph->len); |
---|
269 | npp = (char *)ph; |
---|
270 | ph = (struct isakmp_gen *)(npp + ntohs(ph->len)); |
---|
271 | } |
---|
272 | |
---|
273 | out: |
---|
274 | vfree(dmsg); |
---|
275 | } |
---|
276 | |
---|
277 | int |
---|
278 | isakmp_cfg_attr_r(iph1, msgid, attrpl) |
---|
279 | struct ph1handle *iph1; |
---|
280 | u_int32_t msgid; |
---|
281 | struct isakmp_pl_attr *attrpl; |
---|
282 | { |
---|
283 | int type = attrpl->type; |
---|
284 | |
---|
285 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
286 | "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); |
---|
287 | switch (type) { |
---|
288 | case ISAKMP_CFG_ACK: |
---|
289 | /* ignore, but this is the time to reinit the IV */ |
---|
290 | oakley_delivm(iph1->mode_cfg->ivm); |
---|
291 | iph1->mode_cfg->ivm = NULL; |
---|
292 | return 0; |
---|
293 | break; |
---|
294 | |
---|
295 | case ISAKMP_CFG_REPLY: |
---|
296 | return isakmp_cfg_reply(iph1, attrpl); |
---|
297 | break; |
---|
298 | |
---|
299 | case ISAKMP_CFG_REQUEST: |
---|
300 | iph1->msgid = msgid; |
---|
301 | return isakmp_cfg_request(iph1, attrpl); |
---|
302 | break; |
---|
303 | |
---|
304 | case ISAKMP_CFG_SET: |
---|
305 | iph1->msgid = msgid; |
---|
306 | return isakmp_cfg_set(iph1, attrpl); |
---|
307 | break; |
---|
308 | |
---|
309 | default: |
---|
310 | plog(LLV_WARNING, LOCATION, NULL, |
---|
311 | "Unepected configuration exchange type %d\n", type); |
---|
312 | return -1; |
---|
313 | break; |
---|
314 | } |
---|
315 | |
---|
316 | return 0; |
---|
317 | } |
---|
318 | |
---|
319 | int |
---|
320 | isakmp_cfg_reply(iph1, attrpl) |
---|
321 | struct ph1handle *iph1; |
---|
322 | struct isakmp_pl_attr *attrpl; |
---|
323 | { |
---|
324 | struct isakmp_data *attr; |
---|
325 | int tlen; |
---|
326 | size_t alen; |
---|
327 | char *npp; |
---|
328 | int type; |
---|
329 | struct sockaddr_in *sin; |
---|
330 | int error; |
---|
331 | |
---|
332 | tlen = ntohs(attrpl->h.len); |
---|
333 | attr = (struct isakmp_data *)(attrpl + 1); |
---|
334 | tlen -= sizeof(*attrpl); |
---|
335 | |
---|
336 | while (tlen > 0) { |
---|
337 | type = ntohs(attr->type); |
---|
338 | |
---|
339 | /* Handle short attributes */ |
---|
340 | if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { |
---|
341 | type &= ~ISAKMP_GEN_MASK; |
---|
342 | |
---|
343 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
344 | "Short attribute %s = %d\n", |
---|
345 | s_isakmp_cfg_type(type), ntohs(attr->lorv)); |
---|
346 | |
---|
347 | switch (type) { |
---|
348 | case XAUTH_TYPE: |
---|
349 | if ((error = xauth_attr_reply(iph1, |
---|
350 | attr, ntohs(attrpl->id))) != 0) |
---|
351 | return error; |
---|
352 | break; |
---|
353 | |
---|
354 | default: |
---|
355 | plog(LLV_WARNING, LOCATION, NULL, |
---|
356 | "Ignored short attribute %s\n", |
---|
357 | s_isakmp_cfg_type(type)); |
---|
358 | break; |
---|
359 | } |
---|
360 | |
---|
361 | tlen -= sizeof(*attr); |
---|
362 | attr++; |
---|
363 | continue; |
---|
364 | } |
---|
365 | |
---|
366 | type = ntohs(attr->type); |
---|
367 | alen = ntohs(attr->lorv); |
---|
368 | |
---|
369 | /* Check that the attribute fit in the packet */ |
---|
370 | if (tlen < alen) { |
---|
371 | plog(LLV_ERROR, LOCATION, NULL, |
---|
372 | "Short attribute %s\n", |
---|
373 | s_isakmp_cfg_type(type)); |
---|
374 | return -1; |
---|
375 | } |
---|
376 | |
---|
377 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
378 | "Attribute %s, len %zu\n", |
---|
379 | s_isakmp_cfg_type(type), alen); |
---|
380 | |
---|
381 | switch(type) { |
---|
382 | case XAUTH_TYPE: |
---|
383 | case XAUTH_USER_NAME: |
---|
384 | case XAUTH_USER_PASSWORD: |
---|
385 | case XAUTH_PASSCODE: |
---|
386 | case XAUTH_MESSAGE: |
---|
387 | case XAUTH_CHALLENGE: |
---|
388 | case XAUTH_DOMAIN: |
---|
389 | case XAUTH_STATUS: |
---|
390 | case XAUTH_NEXT_PIN: |
---|
391 | case XAUTH_ANSWER: |
---|
392 | if ((error = xauth_attr_reply(iph1, |
---|
393 | attr, ntohs(attrpl->id))) != 0) |
---|
394 | return error; |
---|
395 | break; |
---|
396 | case INTERNAL_IP4_ADDRESS: |
---|
397 | isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4); |
---|
398 | iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4; |
---|
399 | break; |
---|
400 | case INTERNAL_IP4_NETMASK: |
---|
401 | isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4); |
---|
402 | iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4; |
---|
403 | break; |
---|
404 | case INTERNAL_IP4_DNS: |
---|
405 | isakmp_cfg_appendaddr4(attr, |
---|
406 | &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index], |
---|
407 | &iph1->mode_cfg->dns4_index, MAXNS); |
---|
408 | iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4; |
---|
409 | break; |
---|
410 | case INTERNAL_IP4_NBNS: |
---|
411 | isakmp_cfg_appendaddr4(attr, |
---|
412 | &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index], |
---|
413 | &iph1->mode_cfg->wins4_index, MAXNS); |
---|
414 | iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4; |
---|
415 | break; |
---|
416 | case UNITY_DEF_DOMAIN: |
---|
417 | isakmp_cfg_getstring(attr, |
---|
418 | iph1->mode_cfg->default_domain); |
---|
419 | iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN; |
---|
420 | break; |
---|
421 | case UNITY_SPLIT_INCLUDE: |
---|
422 | case UNITY_LOCAL_LAN: |
---|
423 | case UNITY_SPLITDNS_NAME: |
---|
424 | case UNITY_BANNER: |
---|
425 | case UNITY_SAVE_PASSWD: |
---|
426 | case UNITY_NATT_PORT: |
---|
427 | case UNITY_PFS: |
---|
428 | case UNITY_FW_TYPE: |
---|
429 | case UNITY_BACKUP_SERVERS: |
---|
430 | case UNITY_DDNS_HOSTNAME: |
---|
431 | isakmp_unity_reply(iph1, attr); |
---|
432 | break; |
---|
433 | case INTERNAL_IP4_SUBNET: |
---|
434 | case INTERNAL_ADDRESS_EXPIRY: |
---|
435 | default: |
---|
436 | plog(LLV_WARNING, LOCATION, NULL, |
---|
437 | "Ignored attribute %s\n", |
---|
438 | s_isakmp_cfg_type(type)); |
---|
439 | break; |
---|
440 | } |
---|
441 | |
---|
442 | npp = (char *)attr; |
---|
443 | attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); |
---|
444 | tlen -= (sizeof(*attr) + alen); |
---|
445 | } |
---|
446 | |
---|
447 | /* |
---|
448 | * Call the SA up script hook now that we have the configuration |
---|
449 | * It is done at the end of phase 1 if ISAKMP mode config is not |
---|
450 | * requested. |
---|
451 | */ |
---|
452 | |
---|
453 | if ((iph1->status == PHASE1ST_ESTABLISHED) && |
---|
454 | iph1->rmconf->mode_cfg) { |
---|
455 | switch (iph1->approval->authmethod) { |
---|
456 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: |
---|
457 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: |
---|
458 | /* Unimplemented */ |
---|
459 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: |
---|
460 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: |
---|
461 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: |
---|
462 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: |
---|
463 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: |
---|
464 | script_hook(iph1, SCRIPT_PHASE1_UP); |
---|
465 | break; |
---|
466 | default: |
---|
467 | break; |
---|
468 | } |
---|
469 | } |
---|
470 | |
---|
471 | |
---|
472 | #ifdef ENABLE_ADMINPORT |
---|
473 | { |
---|
474 | vchar_t *buf; |
---|
475 | |
---|
476 | alen = ntohs(attrpl->h.len) - sizeof(*attrpl); |
---|
477 | if ((buf = vmalloc(alen)) == NULL) { |
---|
478 | plog(LLV_WARNING, LOCATION, NULL, |
---|
479 | "Cannot allocate memory: %s\n", strerror(errno)); |
---|
480 | } else { |
---|
481 | memcpy(buf->v, attrpl + 1, buf->l); |
---|
482 | evt_phase1(iph1, EVT_PHASE1_MODE_CFG, buf); |
---|
483 | vfree(buf); |
---|
484 | } |
---|
485 | } |
---|
486 | #endif |
---|
487 | |
---|
488 | return 0; |
---|
489 | } |
---|
490 | |
---|
491 | int |
---|
492 | isakmp_cfg_request(iph1, attrpl) |
---|
493 | struct ph1handle *iph1; |
---|
494 | struct isakmp_pl_attr *attrpl; |
---|
495 | { |
---|
496 | struct isakmp_data *attr; |
---|
497 | int tlen; |
---|
498 | size_t alen; |
---|
499 | char *npp; |
---|
500 | vchar_t *payload; |
---|
501 | struct isakmp_pl_attr *reply; |
---|
502 | vchar_t *reply_attr; |
---|
503 | int type; |
---|
504 | int error = -1; |
---|
505 | |
---|
506 | if ((payload = vmalloc(sizeof(*reply))) == NULL) { |
---|
507 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
508 | return -1; |
---|
509 | } |
---|
510 | memset(payload->v, 0, sizeof(*reply)); |
---|
511 | |
---|
512 | tlen = ntohs(attrpl->h.len); |
---|
513 | attr = (struct isakmp_data *)(attrpl + 1); |
---|
514 | tlen -= sizeof(*attrpl); |
---|
515 | |
---|
516 | while (tlen > 0) { |
---|
517 | reply_attr = NULL; |
---|
518 | type = ntohs(attr->type); |
---|
519 | |
---|
520 | /* Handle short attributes */ |
---|
521 | if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { |
---|
522 | type &= ~ISAKMP_GEN_MASK; |
---|
523 | |
---|
524 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
525 | "Short attribute %s = %d\n", |
---|
526 | s_isakmp_cfg_type(type), ntohs(attr->lorv)); |
---|
527 | |
---|
528 | switch (type) { |
---|
529 | case XAUTH_TYPE: |
---|
530 | reply_attr = isakmp_xauth_req(iph1, attr); |
---|
531 | break; |
---|
532 | default: |
---|
533 | plog(LLV_WARNING, LOCATION, NULL, |
---|
534 | "Ignored short attribute %s\n", |
---|
535 | s_isakmp_cfg_type(type)); |
---|
536 | break; |
---|
537 | } |
---|
538 | |
---|
539 | tlen -= sizeof(*attr); |
---|
540 | attr++; |
---|
541 | |
---|
542 | if (reply_attr != NULL) { |
---|
543 | payload = buffer_cat(payload, reply_attr); |
---|
544 | vfree(reply_attr); |
---|
545 | } |
---|
546 | |
---|
547 | continue; |
---|
548 | } |
---|
549 | |
---|
550 | type = ntohs(attr->type); |
---|
551 | alen = ntohs(attr->lorv); |
---|
552 | |
---|
553 | /* Check that the attribute fit in the packet */ |
---|
554 | if (tlen < alen) { |
---|
555 | plog(LLV_ERROR, LOCATION, NULL, |
---|
556 | "Short attribute %s\n", |
---|
557 | s_isakmp_cfg_type(type)); |
---|
558 | goto end; |
---|
559 | } |
---|
560 | |
---|
561 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
562 | "Attribute %s, len %zu\n", |
---|
563 | s_isakmp_cfg_type(type), alen); |
---|
564 | |
---|
565 | switch(type) { |
---|
566 | case INTERNAL_IP4_ADDRESS: |
---|
567 | case INTERNAL_IP4_NETMASK: |
---|
568 | case INTERNAL_IP4_DNS: |
---|
569 | case INTERNAL_IP4_NBNS: |
---|
570 | case INTERNAL_IP4_SUBNET: |
---|
571 | reply_attr = isakmp_cfg_net(iph1, attr); |
---|
572 | break; |
---|
573 | |
---|
574 | case XAUTH_TYPE: |
---|
575 | case XAUTH_USER_NAME: |
---|
576 | case XAUTH_USER_PASSWORD: |
---|
577 | case XAUTH_PASSCODE: |
---|
578 | case XAUTH_MESSAGE: |
---|
579 | case XAUTH_CHALLENGE: |
---|
580 | case XAUTH_DOMAIN: |
---|
581 | case XAUTH_STATUS: |
---|
582 | case XAUTH_NEXT_PIN: |
---|
583 | case XAUTH_ANSWER: |
---|
584 | reply_attr = isakmp_xauth_req(iph1, attr); |
---|
585 | break; |
---|
586 | |
---|
587 | case APPLICATION_VERSION: |
---|
588 | reply_attr = isakmp_cfg_string(iph1, |
---|
589 | attr, ISAKMP_CFG_RACOON_VERSION); |
---|
590 | break; |
---|
591 | |
---|
592 | case UNITY_BANNER: |
---|
593 | case UNITY_PFS: |
---|
594 | case UNITY_SAVE_PASSWD: |
---|
595 | case UNITY_DEF_DOMAIN: |
---|
596 | case UNITY_DDNS_HOSTNAME: |
---|
597 | case UNITY_FW_TYPE: |
---|
598 | case UNITY_SPLITDNS_NAME: |
---|
599 | case UNITY_SPLIT_INCLUDE: |
---|
600 | case UNITY_LOCAL_LAN: |
---|
601 | case UNITY_NATT_PORT: |
---|
602 | case UNITY_BACKUP_SERVERS: |
---|
603 | reply_attr = isakmp_unity_req(iph1, attr); |
---|
604 | break; |
---|
605 | |
---|
606 | case INTERNAL_ADDRESS_EXPIRY: |
---|
607 | default: |
---|
608 | plog(LLV_WARNING, LOCATION, NULL, |
---|
609 | "Ignored attribute %s\n", |
---|
610 | s_isakmp_cfg_type(type)); |
---|
611 | break; |
---|
612 | } |
---|
613 | |
---|
614 | npp = (char *)attr; |
---|
615 | attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); |
---|
616 | tlen -= (sizeof(*attr) + alen); |
---|
617 | |
---|
618 | if (reply_attr != NULL) { |
---|
619 | payload = buffer_cat(payload, reply_attr); |
---|
620 | vfree(reply_attr); |
---|
621 | } |
---|
622 | |
---|
623 | } |
---|
624 | |
---|
625 | reply = (struct isakmp_pl_attr *)payload->v; |
---|
626 | reply->h.len = htons(payload->l); |
---|
627 | reply->type = ISAKMP_CFG_REPLY; |
---|
628 | reply->id = attrpl->id; |
---|
629 | |
---|
630 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
631 | "Sending MODE_CFG REPLY\n"); |
---|
632 | |
---|
633 | error = isakmp_cfg_send(iph1, payload, |
---|
634 | ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); |
---|
635 | |
---|
636 | if (iph1->status == PHASE1ST_ESTABLISHED) { |
---|
637 | switch (iph1->approval->authmethod) { |
---|
638 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: |
---|
639 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: |
---|
640 | /* Unimplemented */ |
---|
641 | case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: |
---|
642 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: |
---|
643 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: |
---|
644 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: |
---|
645 | case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: |
---|
646 | script_hook(iph1, SCRIPT_PHASE1_UP); |
---|
647 | break; |
---|
648 | default: |
---|
649 | break; |
---|
650 | } |
---|
651 | } |
---|
652 | |
---|
653 | end: |
---|
654 | vfree(payload); |
---|
655 | |
---|
656 | return error; |
---|
657 | } |
---|
658 | |
---|
659 | int |
---|
660 | isakmp_cfg_set(iph1, attrpl) |
---|
661 | struct ph1handle *iph1; |
---|
662 | struct isakmp_pl_attr *attrpl; |
---|
663 | { |
---|
664 | struct isakmp_data *attr; |
---|
665 | int tlen; |
---|
666 | size_t alen; |
---|
667 | char *npp; |
---|
668 | vchar_t *payload; |
---|
669 | struct isakmp_pl_attr *reply; |
---|
670 | vchar_t *reply_attr; |
---|
671 | int type; |
---|
672 | int error = -1; |
---|
673 | |
---|
674 | if ((payload = vmalloc(sizeof(*reply))) == NULL) { |
---|
675 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
676 | return -1; |
---|
677 | } |
---|
678 | memset(payload->v, 0, sizeof(*reply)); |
---|
679 | |
---|
680 | tlen = ntohs(attrpl->h.len); |
---|
681 | attr = (struct isakmp_data *)(attrpl + 1); |
---|
682 | tlen -= sizeof(*attrpl); |
---|
683 | |
---|
684 | /* |
---|
685 | * We should send ack for the attributes we accepted |
---|
686 | */ |
---|
687 | while (tlen > 0) { |
---|
688 | reply_attr = NULL; |
---|
689 | type = ntohs(attr->type); |
---|
690 | |
---|
691 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
692 | "Attribute %s\n", |
---|
693 | s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); |
---|
694 | |
---|
695 | switch (type & ~ISAKMP_GEN_MASK) { |
---|
696 | case XAUTH_STATUS: |
---|
697 | reply_attr = isakmp_xauth_set(iph1, attr); |
---|
698 | break; |
---|
699 | default: |
---|
700 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
701 | "Unexpected SET attribute %s\n", |
---|
702 | s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); |
---|
703 | break; |
---|
704 | } |
---|
705 | |
---|
706 | if (reply_attr != NULL) { |
---|
707 | payload = buffer_cat(payload, reply_attr); |
---|
708 | vfree(reply_attr); |
---|
709 | } |
---|
710 | |
---|
711 | /* |
---|
712 | * Move to next attribute. If we run out of the packet, |
---|
713 | * tlen becomes negative and we exit. |
---|
714 | */ |
---|
715 | if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { |
---|
716 | tlen -= sizeof(*attr); |
---|
717 | attr++; |
---|
718 | } else { |
---|
719 | alen = ntohs(attr->lorv); |
---|
720 | tlen -= (sizeof(*attr) + alen); |
---|
721 | npp = (char *)attr; |
---|
722 | attr = (struct isakmp_data *) |
---|
723 | (npp + sizeof(*attr) + alen); |
---|
724 | } |
---|
725 | } |
---|
726 | |
---|
727 | reply = (struct isakmp_pl_attr *)payload->v; |
---|
728 | reply->h.len = htons(payload->l); |
---|
729 | reply->type = ISAKMP_CFG_ACK; |
---|
730 | reply->id = attrpl->id; |
---|
731 | |
---|
732 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
733 | "Sending MODE_CFG ACK\n"); |
---|
734 | |
---|
735 | error = isakmp_cfg_send(iph1, payload, |
---|
736 | ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); |
---|
737 | |
---|
738 | if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) { |
---|
739 | if (iph1->status == PHASE1ST_ESTABLISHED || |
---|
740 | iph1->status == PHASE1ST_DYING) |
---|
741 | isakmp_info_send_d1(iph1); |
---|
742 | remph1(iph1); |
---|
743 | delph1(iph1); |
---|
744 | iph1 = NULL; |
---|
745 | } |
---|
746 | end: |
---|
747 | vfree(payload); |
---|
748 | |
---|
749 | /* |
---|
750 | * If required, request ISAKMP mode config information |
---|
751 | */ |
---|
752 | if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0)) |
---|
753 | error = isakmp_cfg_getconfig(iph1); |
---|
754 | |
---|
755 | return error; |
---|
756 | } |
---|
757 | |
---|
758 | |
---|
759 | static vchar_t * |
---|
760 | buffer_cat(s, append) |
---|
761 | vchar_t *s; |
---|
762 | vchar_t *append; |
---|
763 | { |
---|
764 | vchar_t *new; |
---|
765 | |
---|
766 | new = vmalloc(s->l + append->l); |
---|
767 | if (new == NULL) { |
---|
768 | plog(LLV_ERROR, LOCATION, NULL, |
---|
769 | "Cannot allocate memory\n"); |
---|
770 | return s; |
---|
771 | } |
---|
772 | |
---|
773 | memcpy(new->v, s->v, s->l); |
---|
774 | memcpy(new->v + s->l, append->v, append->l); |
---|
775 | |
---|
776 | vfree(s); |
---|
777 | return new; |
---|
778 | } |
---|
779 | |
---|
780 | static vchar_t * |
---|
781 | isakmp_cfg_net(iph1, attr) |
---|
782 | struct ph1handle *iph1; |
---|
783 | struct isakmp_data *attr; |
---|
784 | { |
---|
785 | int type; |
---|
786 | int confsource; |
---|
787 | in_addr_t addr4; |
---|
788 | |
---|
789 | type = ntohs(attr->type); |
---|
790 | |
---|
791 | /* |
---|
792 | * Don't give an address to a peer that did not succeed Xauth |
---|
793 | */ |
---|
794 | if (xauth_check(iph1) != 0) { |
---|
795 | plog(LLV_ERROR, LOCATION, NULL, |
---|
796 | "Attempt to start phase config whereas Xauth failed\n"); |
---|
797 | return NULL; |
---|
798 | } |
---|
799 | |
---|
800 | confsource = isakmp_cfg_config.confsource; |
---|
801 | /* |
---|
802 | * If we have to fall back to a local |
---|
803 | * configuration source, we will jump |
---|
804 | * back to this point. |
---|
805 | */ |
---|
806 | retry_source: |
---|
807 | |
---|
808 | switch(type) { |
---|
809 | case INTERNAL_IP4_ADDRESS: |
---|
810 | switch(confsource) { |
---|
811 | #ifdef HAVE_LIBLDAP |
---|
812 | case ISAKMP_CFG_CONF_LDAP: |
---|
813 | if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) |
---|
814 | break; |
---|
815 | plog(LLV_INFO, LOCATION, NULL, |
---|
816 | "No IP from LDAP, using local pool\n"); |
---|
817 | /* FALLTHROUGH */ |
---|
818 | confsource = ISAKMP_CFG_CONF_LOCAL; |
---|
819 | goto retry_source; |
---|
820 | #endif |
---|
821 | #ifdef HAVE_LIBRADIUS |
---|
822 | case ISAKMP_CFG_CONF_RADIUS: |
---|
823 | if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) |
---|
824 | && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) |
---|
825 | /* |
---|
826 | * -2 is 255.255.255.254, RADIUS uses that |
---|
827 | * to instruct the NAS to use a local pool |
---|
828 | */ |
---|
829 | break; |
---|
830 | plog(LLV_INFO, LOCATION, NULL, |
---|
831 | "No IP from RADIUS, using local pool\n"); |
---|
832 | /* FALLTHROUGH */ |
---|
833 | confsource = ISAKMP_CFG_CONF_LOCAL; |
---|
834 | goto retry_source; |
---|
835 | #endif |
---|
836 | case ISAKMP_CFG_CONF_LOCAL: |
---|
837 | if (isakmp_cfg_getport(iph1) == -1) { |
---|
838 | plog(LLV_ERROR, LOCATION, NULL, |
---|
839 | "Port pool depleted\n"); |
---|
840 | break; |
---|
841 | } |
---|
842 | |
---|
843 | iph1->mode_cfg->addr4.s_addr = |
---|
844 | htonl(ntohl(isakmp_cfg_config.network4) |
---|
845 | + iph1->mode_cfg->port); |
---|
846 | iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL; |
---|
847 | break; |
---|
848 | |
---|
849 | default: |
---|
850 | plog(LLV_ERROR, LOCATION, NULL, |
---|
851 | "Unexpected confsource\n"); |
---|
852 | } |
---|
853 | |
---|
854 | if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0) |
---|
855 | plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); |
---|
856 | |
---|
857 | return isakmp_cfg_addr4(iph1, |
---|
858 | attr, &iph1->mode_cfg->addr4.s_addr); |
---|
859 | break; |
---|
860 | |
---|
861 | case INTERNAL_IP4_NETMASK: |
---|
862 | switch(confsource) { |
---|
863 | #ifdef HAVE_LIBLDAP |
---|
864 | case ISAKMP_CFG_CONF_LDAP: |
---|
865 | if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) |
---|
866 | break; |
---|
867 | plog(LLV_INFO, LOCATION, NULL, |
---|
868 | "No mask from LDAP, using local pool\n"); |
---|
869 | /* FALLTHROUGH */ |
---|
870 | confsource = ISAKMP_CFG_CONF_LOCAL; |
---|
871 | goto retry_source; |
---|
872 | #endif |
---|
873 | #ifdef HAVE_LIBRADIUS |
---|
874 | case ISAKMP_CFG_CONF_RADIUS: |
---|
875 | if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) |
---|
876 | break; |
---|
877 | plog(LLV_INFO, LOCATION, NULL, |
---|
878 | "No mask from RADIUS, using local pool\n"); |
---|
879 | /* FALLTHROUGH */ |
---|
880 | confsource = ISAKMP_CFG_CONF_LOCAL; |
---|
881 | goto retry_source; |
---|
882 | #endif |
---|
883 | case ISAKMP_CFG_CONF_LOCAL: |
---|
884 | iph1->mode_cfg->mask4.s_addr |
---|
885 | = isakmp_cfg_config.netmask4; |
---|
886 | iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL; |
---|
887 | break; |
---|
888 | |
---|
889 | default: |
---|
890 | plog(LLV_ERROR, LOCATION, NULL, |
---|
891 | "Unexpected confsource\n"); |
---|
892 | } |
---|
893 | return isakmp_cfg_addr4(iph1, attr, |
---|
894 | &iph1->mode_cfg->mask4.s_addr); |
---|
895 | break; |
---|
896 | |
---|
897 | case INTERNAL_IP4_DNS: |
---|
898 | return isakmp_cfg_addr4_list(iph1, |
---|
899 | attr, &isakmp_cfg_config.dns4[0], |
---|
900 | isakmp_cfg_config.dns4_index); |
---|
901 | break; |
---|
902 | |
---|
903 | case INTERNAL_IP4_NBNS: |
---|
904 | return isakmp_cfg_addr4_list(iph1, |
---|
905 | attr, &isakmp_cfg_config.nbns4[0], |
---|
906 | isakmp_cfg_config.nbns4_index); |
---|
907 | break; |
---|
908 | |
---|
909 | case INTERNAL_IP4_SUBNET: |
---|
910 | if(isakmp_cfg_config.splitnet_count > 0){ |
---|
911 | return isakmp_cfg_addrnet4(iph1, attr, |
---|
912 | &isakmp_cfg_config.splitnet_list->network.addr4.s_addr, |
---|
913 | &isakmp_cfg_config.splitnet_list->network.mask4.s_addr); |
---|
914 | }else{ |
---|
915 | plog(LLV_INFO, LOCATION, NULL, |
---|
916 | "%s requested but no splitnet in configuration\n", |
---|
917 | s_isakmp_cfg_type(type)); |
---|
918 | } |
---|
919 | break; |
---|
920 | |
---|
921 | default: |
---|
922 | plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type); |
---|
923 | break; |
---|
924 | } |
---|
925 | return NULL; |
---|
926 | } |
---|
927 | |
---|
928 | #if 0 |
---|
929 | static vchar_t * |
---|
930 | isakmp_cfg_void(iph1, attr) |
---|
931 | struct ph1handle *iph1; |
---|
932 | struct isakmp_data *attr; |
---|
933 | { |
---|
934 | vchar_t *buffer; |
---|
935 | struct isakmp_data *new; |
---|
936 | |
---|
937 | if ((buffer = vmalloc(sizeof(*attr))) == NULL) { |
---|
938 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
939 | return NULL; |
---|
940 | } |
---|
941 | |
---|
942 | new = (struct isakmp_data *)buffer->v; |
---|
943 | |
---|
944 | new->type = attr->type; |
---|
945 | new->lorv = htons(0); |
---|
946 | |
---|
947 | return buffer; |
---|
948 | } |
---|
949 | #endif |
---|
950 | |
---|
951 | vchar_t * |
---|
952 | isakmp_cfg_copy(iph1, attr) |
---|
953 | struct ph1handle *iph1; |
---|
954 | struct isakmp_data *attr; |
---|
955 | { |
---|
956 | vchar_t *buffer; |
---|
957 | size_t len = 0; |
---|
958 | |
---|
959 | if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV) |
---|
960 | len = ntohs(attr->lorv); |
---|
961 | |
---|
962 | if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { |
---|
963 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
964 | return NULL; |
---|
965 | } |
---|
966 | |
---|
967 | memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv)); |
---|
968 | |
---|
969 | return buffer; |
---|
970 | } |
---|
971 | |
---|
972 | vchar_t * |
---|
973 | isakmp_cfg_short(iph1, attr, value) |
---|
974 | struct ph1handle *iph1; |
---|
975 | struct isakmp_data *attr; |
---|
976 | int value; |
---|
977 | { |
---|
978 | vchar_t *buffer; |
---|
979 | struct isakmp_data *new; |
---|
980 | int type; |
---|
981 | |
---|
982 | if ((buffer = vmalloc(sizeof(*attr))) == NULL) { |
---|
983 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
984 | return NULL; |
---|
985 | } |
---|
986 | |
---|
987 | new = (struct isakmp_data *)buffer->v; |
---|
988 | type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; |
---|
989 | |
---|
990 | new->type = htons(type | ISAKMP_GEN_TV); |
---|
991 | new->lorv = htons(value); |
---|
992 | |
---|
993 | return buffer; |
---|
994 | } |
---|
995 | |
---|
996 | vchar_t * |
---|
997 | isakmp_cfg_varlen(iph1, attr, string, len) |
---|
998 | struct ph1handle *iph1; |
---|
999 | struct isakmp_data *attr; |
---|
1000 | char *string; |
---|
1001 | size_t len; |
---|
1002 | { |
---|
1003 | vchar_t *buffer; |
---|
1004 | struct isakmp_data *new; |
---|
1005 | char *data; |
---|
1006 | |
---|
1007 | if (!len) |
---|
1008 | return NULL; |
---|
1009 | |
---|
1010 | if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { |
---|
1011 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
1012 | return NULL; |
---|
1013 | } |
---|
1014 | |
---|
1015 | new = (struct isakmp_data *)buffer->v; |
---|
1016 | |
---|
1017 | new->type = attr->type; |
---|
1018 | new->lorv = htons(len); |
---|
1019 | data = (char *)(new + 1); |
---|
1020 | |
---|
1021 | memcpy(data, string, len); |
---|
1022 | |
---|
1023 | return buffer; |
---|
1024 | } |
---|
1025 | vchar_t * |
---|
1026 | isakmp_cfg_string(iph1, attr, string) |
---|
1027 | struct ph1handle *iph1; |
---|
1028 | struct isakmp_data *attr; |
---|
1029 | char *string; |
---|
1030 | { |
---|
1031 | size_t len = strlen(string); |
---|
1032 | return isakmp_cfg_varlen(iph1, attr, string, len); |
---|
1033 | } |
---|
1034 | |
---|
1035 | static vchar_t * |
---|
1036 | isakmp_cfg_addr4(iph1, attr, addr) |
---|
1037 | struct ph1handle *iph1; |
---|
1038 | struct isakmp_data *attr; |
---|
1039 | in_addr_t *addr; |
---|
1040 | { |
---|
1041 | vchar_t *buffer; |
---|
1042 | struct isakmp_data *new; |
---|
1043 | size_t len; |
---|
1044 | |
---|
1045 | len = sizeof(*addr); |
---|
1046 | if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { |
---|
1047 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
1048 | return NULL; |
---|
1049 | } |
---|
1050 | |
---|
1051 | new = (struct isakmp_data *)buffer->v; |
---|
1052 | |
---|
1053 | new->type = attr->type; |
---|
1054 | new->lorv = htons(len); |
---|
1055 | memcpy(new + 1, addr, len); |
---|
1056 | |
---|
1057 | return buffer; |
---|
1058 | } |
---|
1059 | |
---|
1060 | static vchar_t * |
---|
1061 | isakmp_cfg_addrnet4(iph1, attr, addr, mask) |
---|
1062 | struct ph1handle *iph1; |
---|
1063 | struct isakmp_data *attr; |
---|
1064 | in_addr_t *addr; |
---|
1065 | in_addr_t *mask; |
---|
1066 | { |
---|
1067 | vchar_t *buffer; |
---|
1068 | struct isakmp_data *new; |
---|
1069 | size_t len; |
---|
1070 | in_addr_t netbuff[2]; |
---|
1071 | |
---|
1072 | len = sizeof(netbuff); |
---|
1073 | if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { |
---|
1074 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
1075 | return NULL; |
---|
1076 | } |
---|
1077 | |
---|
1078 | new = (struct isakmp_data *)buffer->v; |
---|
1079 | |
---|
1080 | new->type = attr->type; |
---|
1081 | new->lorv = htons(len); |
---|
1082 | netbuff[0]=*addr; |
---|
1083 | netbuff[1]=*mask; |
---|
1084 | memcpy(new + 1, netbuff, len); |
---|
1085 | |
---|
1086 | return buffer; |
---|
1087 | } |
---|
1088 | |
---|
1089 | |
---|
1090 | static vchar_t * |
---|
1091 | isakmp_cfg_addr4_list(iph1, attr, addr, nbr) |
---|
1092 | struct ph1handle *iph1; |
---|
1093 | struct isakmp_data *attr; |
---|
1094 | in_addr_t *addr; |
---|
1095 | int nbr; |
---|
1096 | { |
---|
1097 | int error = -1; |
---|
1098 | vchar_t *buffer = NULL; |
---|
1099 | vchar_t *bufone = NULL; |
---|
1100 | struct isakmp_data *new; |
---|
1101 | size_t len; |
---|
1102 | int i; |
---|
1103 | |
---|
1104 | len = sizeof(*addr); |
---|
1105 | if ((buffer = vmalloc(0)) == NULL) { |
---|
1106 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
1107 | goto out; |
---|
1108 | } |
---|
1109 | for(i = 0; i < nbr; i++) { |
---|
1110 | if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) { |
---|
1111 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1112 | "Cannot allocate memory\n"); |
---|
1113 | goto out; |
---|
1114 | } |
---|
1115 | new = (struct isakmp_data *)bufone->v; |
---|
1116 | new->type = attr->type; |
---|
1117 | new->lorv = htons(len); |
---|
1118 | memcpy(new + 1, &addr[i], len); |
---|
1119 | new += (len + sizeof(*attr)); |
---|
1120 | buffer = buffer_cat(buffer, bufone); |
---|
1121 | vfree(bufone); |
---|
1122 | } |
---|
1123 | |
---|
1124 | error = 0; |
---|
1125 | |
---|
1126 | out: |
---|
1127 | if ((error != 0) && (buffer != NULL)) { |
---|
1128 | vfree(buffer); |
---|
1129 | buffer = NULL; |
---|
1130 | } |
---|
1131 | |
---|
1132 | return buffer; |
---|
1133 | } |
---|
1134 | |
---|
1135 | struct isakmp_ivm * |
---|
1136 | isakmp_cfg_newiv(iph1, msgid) |
---|
1137 | struct ph1handle *iph1; |
---|
1138 | u_int32_t msgid; |
---|
1139 | { |
---|
1140 | struct isakmp_cfg_state *ics = iph1->mode_cfg; |
---|
1141 | |
---|
1142 | if (ics == NULL) { |
---|
1143 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1144 | "isakmp_cfg_newiv called without mode config state\n"); |
---|
1145 | return NULL; |
---|
1146 | } |
---|
1147 | |
---|
1148 | if (ics->ivm != NULL) |
---|
1149 | oakley_delivm(ics->ivm); |
---|
1150 | |
---|
1151 | ics->ivm = oakley_newiv2(iph1, msgid); |
---|
1152 | ics->last_msgid = msgid; |
---|
1153 | |
---|
1154 | return ics->ivm; |
---|
1155 | } |
---|
1156 | |
---|
1157 | /* Derived from isakmp_info_send_common */ |
---|
1158 | int |
---|
1159 | isakmp_cfg_send(iph1, payload, np, flags, new_exchange) |
---|
1160 | struct ph1handle *iph1; |
---|
1161 | vchar_t *payload; |
---|
1162 | u_int32_t np; |
---|
1163 | int flags; |
---|
1164 | int new_exchange; |
---|
1165 | { |
---|
1166 | struct ph2handle *iph2 = NULL; |
---|
1167 | vchar_t *hash = NULL; |
---|
1168 | struct isakmp *isakmp; |
---|
1169 | struct isakmp_gen *gen; |
---|
1170 | char *p; |
---|
1171 | int tlen; |
---|
1172 | int error = -1; |
---|
1173 | struct isakmp_cfg_state *ics = iph1->mode_cfg; |
---|
1174 | |
---|
1175 | /* Check if phase 1 is established */ |
---|
1176 | if ((iph1->status < PHASE1ST_ESTABLISHED) || |
---|
1177 | (iph1->local == NULL) || |
---|
1178 | (iph1->remote == NULL)) { |
---|
1179 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1180 | "ISAKMP mode config exchange with immature phase 1\n"); |
---|
1181 | goto end; |
---|
1182 | } |
---|
1183 | |
---|
1184 | /* add new entry to isakmp status table */ |
---|
1185 | iph2 = newph2(); |
---|
1186 | if (iph2 == NULL) |
---|
1187 | goto end; |
---|
1188 | |
---|
1189 | iph2->dst = dupsaddr(iph1->remote); |
---|
1190 | if (iph2->dst == NULL) { |
---|
1191 | delph2(iph2); |
---|
1192 | goto end; |
---|
1193 | } |
---|
1194 | iph2->src = dupsaddr(iph1->local); |
---|
1195 | if (iph2->src == NULL) { |
---|
1196 | delph2(iph2); |
---|
1197 | goto end; |
---|
1198 | } |
---|
1199 | |
---|
1200 | iph2->side = INITIATOR; |
---|
1201 | iph2->status = PHASE2ST_START; |
---|
1202 | |
---|
1203 | if (new_exchange) |
---|
1204 | iph2->msgid = isakmp_newmsgid2(iph1); |
---|
1205 | else |
---|
1206 | iph2->msgid = iph1->msgid; |
---|
1207 | |
---|
1208 | /* get IV and HASH(1) if skeyid_a was generated. */ |
---|
1209 | if (iph1->skeyid_a != NULL) { |
---|
1210 | if (new_exchange) { |
---|
1211 | if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) { |
---|
1212 | delph2(iph2); |
---|
1213 | goto end; |
---|
1214 | } |
---|
1215 | } |
---|
1216 | |
---|
1217 | /* generate HASH(1) */ |
---|
1218 | hash = oakley_compute_hash1(iph1, iph2->msgid, payload); |
---|
1219 | if (hash == NULL) { |
---|
1220 | delph2(iph2); |
---|
1221 | goto end; |
---|
1222 | } |
---|
1223 | |
---|
1224 | /* initialized total buffer length */ |
---|
1225 | tlen = hash->l; |
---|
1226 | tlen += sizeof(*gen); |
---|
1227 | } else { |
---|
1228 | /* IKE-SA is not established */ |
---|
1229 | hash = NULL; |
---|
1230 | |
---|
1231 | /* initialized total buffer length */ |
---|
1232 | tlen = 0; |
---|
1233 | } |
---|
1234 | if ((flags & ISAKMP_FLAG_A) == 0) |
---|
1235 | iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E); |
---|
1236 | else |
---|
1237 | iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); |
---|
1238 | |
---|
1239 | insph2(iph2); |
---|
1240 | bindph12(iph1, iph2); |
---|
1241 | |
---|
1242 | tlen += sizeof(*isakmp) + payload->l; |
---|
1243 | |
---|
1244 | /* create buffer for isakmp payload */ |
---|
1245 | iph2->sendbuf = vmalloc(tlen); |
---|
1246 | if (iph2->sendbuf == NULL) { |
---|
1247 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1248 | "failed to get buffer to send.\n"); |
---|
1249 | goto err; |
---|
1250 | } |
---|
1251 | |
---|
1252 | /* create isakmp header */ |
---|
1253 | isakmp = (struct isakmp *)iph2->sendbuf->v; |
---|
1254 | memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); |
---|
1255 | memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); |
---|
1256 | isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH; |
---|
1257 | isakmp->v = iph1->version; |
---|
1258 | isakmp->etype = ISAKMP_ETYPE_CFG; |
---|
1259 | isakmp->flags = iph2->flags; |
---|
1260 | memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); |
---|
1261 | isakmp->len = htonl(tlen); |
---|
1262 | p = (char *)(isakmp + 1); |
---|
1263 | |
---|
1264 | /* create HASH payload */ |
---|
1265 | if (hash != NULL) { |
---|
1266 | gen = (struct isakmp_gen *)p; |
---|
1267 | gen->np = np & 0xff; |
---|
1268 | gen->len = htons(sizeof(*gen) + hash->l); |
---|
1269 | p += sizeof(*gen); |
---|
1270 | memcpy(p, hash->v, hash->l); |
---|
1271 | p += hash->l; |
---|
1272 | } |
---|
1273 | |
---|
1274 | /* add payload */ |
---|
1275 | memcpy(p, payload->v, payload->l); |
---|
1276 | p += payload->l; |
---|
1277 | |
---|
1278 | #ifdef HAVE_PRINT_ISAKMP_C |
---|
1279 | isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); |
---|
1280 | #endif |
---|
1281 | |
---|
1282 | plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n"); |
---|
1283 | plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); |
---|
1284 | |
---|
1285 | /* encoding */ |
---|
1286 | if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { |
---|
1287 | vchar_t *tmp; |
---|
1288 | |
---|
1289 | tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, |
---|
1290 | ics->ivm->ive, ics->ivm->iv); |
---|
1291 | VPTRINIT(iph2->sendbuf); |
---|
1292 | if (tmp == NULL) |
---|
1293 | goto err; |
---|
1294 | iph2->sendbuf = tmp; |
---|
1295 | } |
---|
1296 | |
---|
1297 | /* HDR*, HASH(1), ATTR */ |
---|
1298 | if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { |
---|
1299 | VPTRINIT(iph2->sendbuf); |
---|
1300 | goto err; |
---|
1301 | } |
---|
1302 | |
---|
1303 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
1304 | "sendto mode config %s.\n", s_isakmp_nptype(np)); |
---|
1305 | |
---|
1306 | /* |
---|
1307 | * XXX We might need to resend the message... |
---|
1308 | */ |
---|
1309 | |
---|
1310 | error = 0; |
---|
1311 | VPTRINIT(iph2->sendbuf); |
---|
1312 | |
---|
1313 | err: |
---|
1314 | if (iph2->sendbuf != NULL) |
---|
1315 | vfree(iph2->sendbuf); |
---|
1316 | |
---|
1317 | remph2(iph2); |
---|
1318 | delph2(iph2); |
---|
1319 | end: |
---|
1320 | if (hash) |
---|
1321 | vfree(hash); |
---|
1322 | return error; |
---|
1323 | } |
---|
1324 | |
---|
1325 | |
---|
1326 | void |
---|
1327 | isakmp_cfg_rmstate(iph1) |
---|
1328 | struct ph1handle *iph1; |
---|
1329 | { |
---|
1330 | struct isakmp_cfg_state *state = iph1->mode_cfg; |
---|
1331 | |
---|
1332 | if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0) |
---|
1333 | plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); |
---|
1334 | |
---|
1335 | if (state->flags & ISAKMP_CFG_PORT_ALLOCATED) |
---|
1336 | isakmp_cfg_putport(iph1, state->port); |
---|
1337 | |
---|
1338 | /* Delete the IV if it's still there */ |
---|
1339 | if(iph1->mode_cfg->ivm) { |
---|
1340 | oakley_delivm(iph1->mode_cfg->ivm); |
---|
1341 | iph1->mode_cfg->ivm = NULL; |
---|
1342 | } |
---|
1343 | |
---|
1344 | /* Free any allocated splitnet lists */ |
---|
1345 | if(iph1->mode_cfg->split_include != NULL) |
---|
1346 | splitnet_list_free(iph1->mode_cfg->split_include, |
---|
1347 | &iph1->mode_cfg->include_count); |
---|
1348 | if(iph1->mode_cfg->split_local != NULL) |
---|
1349 | splitnet_list_free(iph1->mode_cfg->split_local, |
---|
1350 | &iph1->mode_cfg->local_count); |
---|
1351 | |
---|
1352 | xauth_rmstate(&state->xauth); |
---|
1353 | |
---|
1354 | racoon_free(state); |
---|
1355 | iph1->mode_cfg = NULL; |
---|
1356 | |
---|
1357 | return; |
---|
1358 | } |
---|
1359 | |
---|
1360 | struct isakmp_cfg_state * |
---|
1361 | isakmp_cfg_mkstate(void) |
---|
1362 | { |
---|
1363 | struct isakmp_cfg_state *state; |
---|
1364 | |
---|
1365 | if ((state = racoon_malloc(sizeof(*state))) == NULL) { |
---|
1366 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1367 | "Cannot allocate memory for mode config state\n"); |
---|
1368 | return NULL; |
---|
1369 | } |
---|
1370 | memset(state, 0, sizeof(*state)); |
---|
1371 | |
---|
1372 | return state; |
---|
1373 | } |
---|
1374 | |
---|
1375 | int |
---|
1376 | isakmp_cfg_getport(iph1) |
---|
1377 | struct ph1handle *iph1; |
---|
1378 | { |
---|
1379 | unsigned int i; |
---|
1380 | size_t size = isakmp_cfg_config.pool_size; |
---|
1381 | |
---|
1382 | if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED) |
---|
1383 | return iph1->mode_cfg->port; |
---|
1384 | |
---|
1385 | if (isakmp_cfg_config.port_pool == NULL) { |
---|
1386 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1387 | "isakmp_cfg_config.port_pool == NULL\n"); |
---|
1388 | return -1; |
---|
1389 | } |
---|
1390 | |
---|
1391 | for (i = 0; i < size; i++) { |
---|
1392 | if (isakmp_cfg_config.port_pool[i].used == 0) |
---|
1393 | break; |
---|
1394 | } |
---|
1395 | |
---|
1396 | if (i == size) { |
---|
1397 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1398 | "No more addresses available\n"); |
---|
1399 | return -1; |
---|
1400 | } |
---|
1401 | |
---|
1402 | isakmp_cfg_config.port_pool[i].used = 1; |
---|
1403 | |
---|
1404 | plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i); |
---|
1405 | |
---|
1406 | iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED; |
---|
1407 | iph1->mode_cfg->port = i; |
---|
1408 | |
---|
1409 | return i; |
---|
1410 | } |
---|
1411 | |
---|
1412 | int |
---|
1413 | isakmp_cfg_putport(iph1, index) |
---|
1414 | struct ph1handle *iph1; |
---|
1415 | unsigned int index; |
---|
1416 | { |
---|
1417 | if (isakmp_cfg_config.port_pool == NULL) { |
---|
1418 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1419 | "isakmp_cfg_config.port_pool == NULL\n"); |
---|
1420 | return -1; |
---|
1421 | } |
---|
1422 | |
---|
1423 | if (isakmp_cfg_config.port_pool[index].used == 0) { |
---|
1424 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1425 | "Attempt to release an unallocated address (port %d)\n", |
---|
1426 | index); |
---|
1427 | return -1; |
---|
1428 | } |
---|
1429 | |
---|
1430 | #ifdef HAVE_LIBPAM |
---|
1431 | /* Cleanup PAM status associated with the port */ |
---|
1432 | if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM) |
---|
1433 | privsep_cleanup_pam(index); |
---|
1434 | #endif |
---|
1435 | isakmp_cfg_config.port_pool[index].used = 0; |
---|
1436 | iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED; |
---|
1437 | |
---|
1438 | plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index); |
---|
1439 | |
---|
1440 | return 0; |
---|
1441 | } |
---|
1442 | |
---|
1443 | #ifdef HAVE_LIBPAM |
---|
1444 | void |
---|
1445 | cleanup_pam(port) |
---|
1446 | int port; |
---|
1447 | { |
---|
1448 | if (isakmp_cfg_config.port_pool[port].pam != NULL) { |
---|
1449 | pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS); |
---|
1450 | isakmp_cfg_config.port_pool[port].pam = NULL; |
---|
1451 | } |
---|
1452 | |
---|
1453 | return; |
---|
1454 | } |
---|
1455 | #endif |
---|
1456 | |
---|
1457 | /* Accounting, only for RADIUS or PAM */ |
---|
1458 | static int |
---|
1459 | isakmp_cfg_accounting(iph1, inout) |
---|
1460 | struct ph1handle *iph1; |
---|
1461 | int inout; |
---|
1462 | { |
---|
1463 | #ifdef HAVE_LIBPAM |
---|
1464 | if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM) |
---|
1465 | return privsep_accounting_pam(iph1->mode_cfg->port, |
---|
1466 | inout); |
---|
1467 | #endif |
---|
1468 | #ifdef HAVE_LIBRADIUS |
---|
1469 | if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) |
---|
1470 | return isakmp_cfg_accounting_radius(iph1, inout); |
---|
1471 | #endif |
---|
1472 | if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) |
---|
1473 | return privsep_accounting_system(iph1->mode_cfg->port, |
---|
1474 | iph1->remote, iph1->mode_cfg->login, inout); |
---|
1475 | return 0; |
---|
1476 | } |
---|
1477 | |
---|
1478 | #ifdef HAVE_LIBPAM |
---|
1479 | int |
---|
1480 | isakmp_cfg_accounting_pam(port, inout) |
---|
1481 | int port; |
---|
1482 | int inout; |
---|
1483 | { |
---|
1484 | int error = 0; |
---|
1485 | pam_handle_t *pam; |
---|
1486 | |
---|
1487 | if (isakmp_cfg_config.port_pool == NULL) { |
---|
1488 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1489 | "isakmp_cfg_config.port_pool == NULL\n"); |
---|
1490 | return -1; |
---|
1491 | } |
---|
1492 | |
---|
1493 | pam = isakmp_cfg_config.port_pool[port].pam; |
---|
1494 | if (pam == NULL) { |
---|
1495 | plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n"); |
---|
1496 | return -1; |
---|
1497 | } |
---|
1498 | |
---|
1499 | switch (inout) { |
---|
1500 | case ISAKMP_CFG_LOGIN: |
---|
1501 | error = pam_open_session(pam, 0); |
---|
1502 | break; |
---|
1503 | case ISAKMP_CFG_LOGOUT: |
---|
1504 | error = pam_close_session(pam, 0); |
---|
1505 | pam_end(pam, error); |
---|
1506 | isakmp_cfg_config.port_pool[port].pam = NULL; |
---|
1507 | break; |
---|
1508 | default: |
---|
1509 | plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); |
---|
1510 | break; |
---|
1511 | } |
---|
1512 | |
---|
1513 | if (error != 0) { |
---|
1514 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1515 | "pam_open_session/pam_close_session failed: %s\n", |
---|
1516 | pam_strerror(pam, error)); |
---|
1517 | return -1; |
---|
1518 | } |
---|
1519 | |
---|
1520 | return 0; |
---|
1521 | } |
---|
1522 | #endif /* HAVE_LIBPAM */ |
---|
1523 | |
---|
1524 | #ifdef HAVE_LIBRADIUS |
---|
1525 | static int |
---|
1526 | isakmp_cfg_accounting_radius(iph1, inout) |
---|
1527 | struct ph1handle *iph1; |
---|
1528 | int inout; |
---|
1529 | { |
---|
1530 | if (rad_create_request(radius_acct_state, |
---|
1531 | RAD_ACCOUNTING_REQUEST) != 0) { |
---|
1532 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1533 | "rad_create_request failed: %s\n", |
---|
1534 | rad_strerror(radius_acct_state)); |
---|
1535 | return -1; |
---|
1536 | } |
---|
1537 | |
---|
1538 | if (rad_put_string(radius_acct_state, RAD_USER_NAME, |
---|
1539 | iph1->mode_cfg->login) != 0) { |
---|
1540 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1541 | "rad_put_string failed: %s\n", |
---|
1542 | rad_strerror(radius_acct_state)); |
---|
1543 | return -1; |
---|
1544 | } |
---|
1545 | |
---|
1546 | switch (inout) { |
---|
1547 | case ISAKMP_CFG_LOGIN: |
---|
1548 | inout = RAD_START; |
---|
1549 | break; |
---|
1550 | case ISAKMP_CFG_LOGOUT: |
---|
1551 | inout = RAD_STOP; |
---|
1552 | break; |
---|
1553 | default: |
---|
1554 | plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); |
---|
1555 | break; |
---|
1556 | } |
---|
1557 | |
---|
1558 | if (rad_put_addr(radius_acct_state, |
---|
1559 | RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) { |
---|
1560 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1561 | "rad_put_addr failed: %s\n", |
---|
1562 | rad_strerror(radius_acct_state)); |
---|
1563 | return -1; |
---|
1564 | } |
---|
1565 | |
---|
1566 | if (rad_put_addr(radius_acct_state, |
---|
1567 | RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) { |
---|
1568 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1569 | "rad_put_addr failed: %s\n", |
---|
1570 | rad_strerror(radius_acct_state)); |
---|
1571 | return -1; |
---|
1572 | } |
---|
1573 | |
---|
1574 | if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) { |
---|
1575 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1576 | "rad_put_int failed: %s\n", |
---|
1577 | rad_strerror(radius_acct_state)); |
---|
1578 | return -1; |
---|
1579 | } |
---|
1580 | |
---|
1581 | if (isakmp_cfg_radius_common(radius_acct_state, |
---|
1582 | iph1->mode_cfg->port) != 0) |
---|
1583 | return -1; |
---|
1584 | |
---|
1585 | if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) { |
---|
1586 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1587 | "rad_send_request failed: %s\n", |
---|
1588 | rad_strerror(radius_acct_state)); |
---|
1589 | return -1; |
---|
1590 | } |
---|
1591 | |
---|
1592 | return 0; |
---|
1593 | } |
---|
1594 | #endif /* HAVE_LIBRADIUS */ |
---|
1595 | |
---|
1596 | /* |
---|
1597 | * Attributes common to all RADIUS requests |
---|
1598 | */ |
---|
1599 | #ifdef HAVE_LIBRADIUS |
---|
1600 | int |
---|
1601 | isakmp_cfg_radius_common(radius_state, port) |
---|
1602 | struct rad_handle *radius_state; |
---|
1603 | int port; |
---|
1604 | { |
---|
1605 | struct utsname name; |
---|
1606 | static struct hostent *host = NULL; |
---|
1607 | struct in_addr nas_addr; |
---|
1608 | |
---|
1609 | /* |
---|
1610 | * Find our own IP by resolving our nodename |
---|
1611 | */ |
---|
1612 | if (host == NULL) { |
---|
1613 | if (uname(&name) != 0) { |
---|
1614 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1615 | "uname failed: %s\n", strerror(errno)); |
---|
1616 | return -1; |
---|
1617 | } |
---|
1618 | |
---|
1619 | if ((host = gethostbyname(name.nodename)) == NULL) { |
---|
1620 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1621 | "gethostbyname failed: %s\n", strerror(errno)); |
---|
1622 | return -1; |
---|
1623 | } |
---|
1624 | } |
---|
1625 | |
---|
1626 | memcpy(&nas_addr, host->h_addr, sizeof(nas_addr)); |
---|
1627 | if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) { |
---|
1628 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1629 | "rad_put_addr failed: %s\n", |
---|
1630 | rad_strerror(radius_state)); |
---|
1631 | return -1; |
---|
1632 | } |
---|
1633 | |
---|
1634 | if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) { |
---|
1635 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1636 | "rad_put_int failed: %s\n", |
---|
1637 | rad_strerror(radius_state)); |
---|
1638 | return -1; |
---|
1639 | } |
---|
1640 | |
---|
1641 | if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) { |
---|
1642 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1643 | "rad_put_int failed: %s\n", |
---|
1644 | rad_strerror(radius_state)); |
---|
1645 | return -1; |
---|
1646 | } |
---|
1647 | |
---|
1648 | if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) { |
---|
1649 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1650 | "rad_put_int failed: %s\n", |
---|
1651 | rad_strerror(radius_state)); |
---|
1652 | return -1; |
---|
1653 | } |
---|
1654 | |
---|
1655 | return 0; |
---|
1656 | } |
---|
1657 | #endif |
---|
1658 | |
---|
1659 | /* |
---|
1660 | Logs the user into the utmp system files. |
---|
1661 | */ |
---|
1662 | |
---|
1663 | int |
---|
1664 | isakmp_cfg_accounting_system(port, raddr, usr, inout) |
---|
1665 | int port; |
---|
1666 | struct sockaddr *raddr; |
---|
1667 | char *usr; |
---|
1668 | int inout; |
---|
1669 | { |
---|
1670 | #if __FreeBSD_version >= 900007 |
---|
1671 | int error = 0; |
---|
1672 | struct utmpx ut; |
---|
1673 | char addr[NI_MAXHOST]; |
---|
1674 | |
---|
1675 | if (usr == NULL || usr[0]=='\0') { |
---|
1676 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1677 | "system accounting : no login found\n"); |
---|
1678 | return -1; |
---|
1679 | } |
---|
1680 | |
---|
1681 | memset(&ut, 0, sizeof ut); |
---|
1682 | gettimeofday((struct timeval *)&ut.ut_tv, NULL); |
---|
1683 | snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port); |
---|
1684 | |
---|
1685 | switch (inout) { |
---|
1686 | case ISAKMP_CFG_LOGIN: |
---|
1687 | ut.ut_type = USER_PROCESS; |
---|
1688 | strncpy(ut.ut_user, usr, sizeof ut.ut_user); |
---|
1689 | |
---|
1690 | GETNAMEINFO_NULL(raddr, addr); |
---|
1691 | strncpy(ut.ut_host, addr, sizeof ut.ut_host); |
---|
1692 | |
---|
1693 | plog(LLV_INFO, LOCATION, NULL, |
---|
1694 | "Accounting : '%s' logging on '%s' from %s.\n", |
---|
1695 | ut.ut_user, ut.ut_id, addr); |
---|
1696 | |
---|
1697 | pututxline(&ut); |
---|
1698 | |
---|
1699 | break; |
---|
1700 | case ISAKMP_CFG_LOGOUT: |
---|
1701 | ut.ut_type = DEAD_PROCESS; |
---|
1702 | |
---|
1703 | plog(LLV_INFO, LOCATION, NULL, |
---|
1704 | "Accounting : '%s' unlogging from '%s'.\n", |
---|
1705 | usr, ut.ut_id); |
---|
1706 | |
---|
1707 | pututxline(&ut); |
---|
1708 | |
---|
1709 | break; |
---|
1710 | default: |
---|
1711 | plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); |
---|
1712 | break; |
---|
1713 | } |
---|
1714 | #endif |
---|
1715 | |
---|
1716 | return 0; |
---|
1717 | } |
---|
1718 | |
---|
1719 | int |
---|
1720 | isakmp_cfg_getconfig(iph1) |
---|
1721 | struct ph1handle *iph1; |
---|
1722 | { |
---|
1723 | vchar_t *buffer; |
---|
1724 | struct isakmp_pl_attr *attrpl; |
---|
1725 | struct isakmp_data *attr; |
---|
1726 | size_t len; |
---|
1727 | int error; |
---|
1728 | int attrcount; |
---|
1729 | int i; |
---|
1730 | int attrlist[] = { |
---|
1731 | INTERNAL_IP4_ADDRESS, |
---|
1732 | INTERNAL_IP4_NETMASK, |
---|
1733 | INTERNAL_IP4_DNS, |
---|
1734 | INTERNAL_IP4_NBNS, |
---|
1735 | UNITY_BANNER, |
---|
1736 | UNITY_DEF_DOMAIN, |
---|
1737 | UNITY_SPLITDNS_NAME, |
---|
1738 | UNITY_SPLIT_INCLUDE, |
---|
1739 | UNITY_LOCAL_LAN, |
---|
1740 | APPLICATION_VERSION, |
---|
1741 | }; |
---|
1742 | |
---|
1743 | attrcount = sizeof(attrlist) / sizeof(*attrlist); |
---|
1744 | len = sizeof(*attrpl) + sizeof(*attr) * attrcount; |
---|
1745 | |
---|
1746 | if ((buffer = vmalloc(len)) == NULL) { |
---|
1747 | plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); |
---|
1748 | return -1; |
---|
1749 | } |
---|
1750 | |
---|
1751 | attrpl = (struct isakmp_pl_attr *)buffer->v; |
---|
1752 | attrpl->h.len = htons(len); |
---|
1753 | attrpl->type = ISAKMP_CFG_REQUEST; |
---|
1754 | attrpl->id = htons((u_int16_t)(eay_random() & 0xffff)); |
---|
1755 | |
---|
1756 | attr = (struct isakmp_data *)(attrpl + 1); |
---|
1757 | |
---|
1758 | for (i = 0; i < attrcount; i++) { |
---|
1759 | attr->type = htons(attrlist[i]); |
---|
1760 | attr->lorv = htons(0); |
---|
1761 | attr++; |
---|
1762 | } |
---|
1763 | |
---|
1764 | plog(LLV_DEBUG, LOCATION, NULL, |
---|
1765 | "Sending MODE_CFG REQUEST\n"); |
---|
1766 | |
---|
1767 | error = isakmp_cfg_send(iph1, buffer, |
---|
1768 | ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); |
---|
1769 | |
---|
1770 | vfree(buffer); |
---|
1771 | |
---|
1772 | return error; |
---|
1773 | } |
---|
1774 | |
---|
1775 | static void |
---|
1776 | isakmp_cfg_getaddr4(attr, ip) |
---|
1777 | struct isakmp_data *attr; |
---|
1778 | struct in_addr *ip; |
---|
1779 | { |
---|
1780 | size_t alen = ntohs(attr->lorv); |
---|
1781 | in_addr_t *addr; |
---|
1782 | |
---|
1783 | if (alen != sizeof(*ip)) { |
---|
1784 | plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); |
---|
1785 | return; |
---|
1786 | } |
---|
1787 | |
---|
1788 | addr = (in_addr_t *)(attr + 1); |
---|
1789 | ip->s_addr = *addr; |
---|
1790 | |
---|
1791 | return; |
---|
1792 | } |
---|
1793 | |
---|
1794 | static void |
---|
1795 | isakmp_cfg_appendaddr4(attr, ip, num, max) |
---|
1796 | struct isakmp_data *attr; |
---|
1797 | struct in_addr *ip; |
---|
1798 | int *num; |
---|
1799 | int max; |
---|
1800 | { |
---|
1801 | size_t alen = ntohs(attr->lorv); |
---|
1802 | in_addr_t *addr; |
---|
1803 | |
---|
1804 | if (alen != sizeof(*ip)) { |
---|
1805 | plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); |
---|
1806 | return; |
---|
1807 | } |
---|
1808 | if (*num == max) { |
---|
1809 | plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n"); |
---|
1810 | return; |
---|
1811 | } |
---|
1812 | |
---|
1813 | addr = (in_addr_t *)(attr + 1); |
---|
1814 | ip->s_addr = *addr; |
---|
1815 | (*num)++; |
---|
1816 | |
---|
1817 | return; |
---|
1818 | } |
---|
1819 | |
---|
1820 | static void |
---|
1821 | isakmp_cfg_getstring(attr, str) |
---|
1822 | struct isakmp_data *attr; |
---|
1823 | char *str; |
---|
1824 | { |
---|
1825 | size_t alen = ntohs(attr->lorv); |
---|
1826 | char *src; |
---|
1827 | src = (char *)(attr + 1); |
---|
1828 | |
---|
1829 | memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen)); |
---|
1830 | |
---|
1831 | return; |
---|
1832 | } |
---|
1833 | |
---|
1834 | #define IP_MAX 40 |
---|
1835 | |
---|
1836 | void |
---|
1837 | isakmp_cfg_iplist_to_str(dest, count, addr, withmask) |
---|
1838 | char *dest; |
---|
1839 | int count; |
---|
1840 | void *addr; |
---|
1841 | int withmask; |
---|
1842 | { |
---|
1843 | int i; |
---|
1844 | int p; |
---|
1845 | int l; |
---|
1846 | struct unity_network tmp; |
---|
1847 | for(i = 0, p = 0; i < count; i++) { |
---|
1848 | if(withmask == 1) |
---|
1849 | l = sizeof(struct unity_network); |
---|
1850 | else |
---|
1851 | l = sizeof(struct in_addr); |
---|
1852 | memcpy(&tmp, addr, l); |
---|
1853 | addr += l; |
---|
1854 | if((uint32_t)tmp.addr4.s_addr == 0) |
---|
1855 | break; |
---|
1856 | |
---|
1857 | inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX); |
---|
1858 | p += strlen(dest + p); |
---|
1859 | if(withmask == 1) { |
---|
1860 | dest[p] = '/'; |
---|
1861 | p++; |
---|
1862 | inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX); |
---|
1863 | p += strlen(dest + p); |
---|
1864 | } |
---|
1865 | dest[p] = ' '; |
---|
1866 | p++; |
---|
1867 | } |
---|
1868 | if(p > 0) |
---|
1869 | dest[p-1] = '\0'; |
---|
1870 | else |
---|
1871 | dest[0] = '\0'; |
---|
1872 | } |
---|
1873 | |
---|
1874 | int |
---|
1875 | isakmp_cfg_setenv(iph1, envp, envc) |
---|
1876 | struct ph1handle *iph1; |
---|
1877 | char ***envp; |
---|
1878 | int *envc; |
---|
1879 | { |
---|
1880 | char addrstr[IP_MAX]; |
---|
1881 | char addrlist[IP_MAX * MAXNS + MAXNS]; |
---|
1882 | char *splitlist = addrlist; |
---|
1883 | char *splitlist_cidr; |
---|
1884 | char defdom[MAXPATHLEN + 1]; |
---|
1885 | int cidr, tmp; |
---|
1886 | char cidrstr[4]; |
---|
1887 | int i, p; |
---|
1888 | int test; |
---|
1889 | |
---|
1890 | plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); |
---|
1891 | |
---|
1892 | /* |
---|
1893 | * Internal IPv4 address, either if |
---|
1894 | * we are a client or a server. |
---|
1895 | */ |
---|
1896 | if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || |
---|
1897 | #ifdef HAVE_LIBLDAP |
---|
1898 | (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || |
---|
1899 | #endif |
---|
1900 | #ifdef HAVE_LIBRADIUS |
---|
1901 | (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || |
---|
1902 | #endif |
---|
1903 | (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { |
---|
1904 | inet_ntop(AF_INET, &iph1->mode_cfg->addr4, |
---|
1905 | addrstr, IP_MAX); |
---|
1906 | } else |
---|
1907 | addrstr[0] = '\0'; |
---|
1908 | |
---|
1909 | if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) { |
---|
1910 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n"); |
---|
1911 | return -1; |
---|
1912 | } |
---|
1913 | |
---|
1914 | if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) { |
---|
1915 | if (script_env_append(envp, envc, "XAUTH_USER", |
---|
1916 | iph1->mode_cfg->xauth.authdata.generic.usr) != 0) { |
---|
1917 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1918 | "Cannot set XAUTH_USER\n"); |
---|
1919 | return -1; |
---|
1920 | } |
---|
1921 | } |
---|
1922 | |
---|
1923 | /* Internal IPv4 mask */ |
---|
1924 | if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) |
---|
1925 | inet_ntop(AF_INET, &iph1->mode_cfg->mask4, |
---|
1926 | addrstr, IP_MAX); |
---|
1927 | else |
---|
1928 | addrstr[0] = '\0'; |
---|
1929 | |
---|
1930 | /* |
---|
1931 | * During several releases, documentation adverised INTERNAL_NETMASK4 |
---|
1932 | * while code was using INTERNAL_MASK4. We now do both. |
---|
1933 | */ |
---|
1934 | |
---|
1935 | if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { |
---|
1936 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n"); |
---|
1937 | return -1; |
---|
1938 | } |
---|
1939 | |
---|
1940 | if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { |
---|
1941 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1942 | "Cannot set INTERNAL_NETMASK4\n"); |
---|
1943 | return -1; |
---|
1944 | } |
---|
1945 | |
---|
1946 | tmp = ntohl(iph1->mode_cfg->mask4.s_addr); |
---|
1947 | for (cidr = 0; tmp != 0; cidr++) |
---|
1948 | tmp <<= 1; |
---|
1949 | snprintf(cidrstr, 3, "%d", cidr); |
---|
1950 | |
---|
1951 | if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) { |
---|
1952 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n"); |
---|
1953 | return -1; |
---|
1954 | } |
---|
1955 | |
---|
1956 | /* Internal IPv4 DNS */ |
---|
1957 | if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) { |
---|
1958 | /* First Internal IPv4 DNS (for compatibilty with older code */ |
---|
1959 | inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], |
---|
1960 | addrstr, IP_MAX); |
---|
1961 | |
---|
1962 | /* Internal IPv4 DNS - all */ |
---|
1963 | isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index, |
---|
1964 | (void *)iph1->mode_cfg->dns4, 0); |
---|
1965 | } else { |
---|
1966 | addrstr[0] = '\0'; |
---|
1967 | addrlist[0] = '\0'; |
---|
1968 | } |
---|
1969 | |
---|
1970 | if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { |
---|
1971 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n"); |
---|
1972 | return -1; |
---|
1973 | } |
---|
1974 | if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) { |
---|
1975 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1976 | "Cannot set INTERNAL_DNS4_LIST\n"); |
---|
1977 | return -1; |
---|
1978 | } |
---|
1979 | |
---|
1980 | /* Internal IPv4 WINS */ |
---|
1981 | if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) { |
---|
1982 | /* |
---|
1983 | * First Internal IPv4 WINS |
---|
1984 | * (for compatibilty with older code |
---|
1985 | */ |
---|
1986 | inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], |
---|
1987 | addrstr, IP_MAX); |
---|
1988 | |
---|
1989 | /* Internal IPv4 WINS - all */ |
---|
1990 | isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index, |
---|
1991 | (void *)iph1->mode_cfg->wins4, 0); |
---|
1992 | } else { |
---|
1993 | addrstr[0] = '\0'; |
---|
1994 | addrlist[0] = '\0'; |
---|
1995 | } |
---|
1996 | |
---|
1997 | if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { |
---|
1998 | plog(LLV_ERROR, LOCATION, NULL, |
---|
1999 | "Cannot set INTERNAL_WINS4\n"); |
---|
2000 | return -1; |
---|
2001 | } |
---|
2002 | if (script_env_append(envp, envc, |
---|
2003 | "INTERNAL_WINS4_LIST", addrlist) != 0) { |
---|
2004 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2005 | "Cannot set INTERNAL_WINS4_LIST\n"); |
---|
2006 | return -1; |
---|
2007 | } |
---|
2008 | |
---|
2009 | /* Deault domain */ |
---|
2010 | if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) |
---|
2011 | strncpy(defdom, |
---|
2012 | iph1->mode_cfg->default_domain, |
---|
2013 | MAXPATHLEN + 1); |
---|
2014 | else |
---|
2015 | defdom[0] = '\0'; |
---|
2016 | |
---|
2017 | if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { |
---|
2018 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2019 | "Cannot set DEFAULT_DOMAIN\n"); |
---|
2020 | return -1; |
---|
2021 | } |
---|
2022 | |
---|
2023 | /* Split networks */ |
---|
2024 | if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) { |
---|
2025 | splitlist = |
---|
2026 | splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK); |
---|
2027 | splitlist_cidr = |
---|
2028 | splitnet_list_2str(iph1->mode_cfg->split_include, CIDR); |
---|
2029 | } else { |
---|
2030 | splitlist = addrlist; |
---|
2031 | splitlist_cidr = addrlist; |
---|
2032 | addrlist[0] = '\0'; |
---|
2033 | } |
---|
2034 | |
---|
2035 | if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) { |
---|
2036 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n"); |
---|
2037 | return -1; |
---|
2038 | } |
---|
2039 | if (script_env_append(envp, envc, |
---|
2040 | "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) { |
---|
2041 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2042 | "Cannot set SPLIT_INCLUDE_CIDR\n"); |
---|
2043 | return -1; |
---|
2044 | } |
---|
2045 | if (splitlist != addrlist) |
---|
2046 | racoon_free(splitlist); |
---|
2047 | if (splitlist_cidr != addrlist) |
---|
2048 | racoon_free(splitlist_cidr); |
---|
2049 | |
---|
2050 | if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) { |
---|
2051 | splitlist = |
---|
2052 | splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK); |
---|
2053 | splitlist_cidr = |
---|
2054 | splitnet_list_2str(iph1->mode_cfg->split_local, CIDR); |
---|
2055 | } else { |
---|
2056 | splitlist = addrlist; |
---|
2057 | splitlist_cidr = addrlist; |
---|
2058 | addrlist[0] = '\0'; |
---|
2059 | } |
---|
2060 | |
---|
2061 | if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) { |
---|
2062 | plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n"); |
---|
2063 | return -1; |
---|
2064 | } |
---|
2065 | if (script_env_append(envp, envc, |
---|
2066 | "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) { |
---|
2067 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2068 | "Cannot set SPLIT_LOCAL_CIDR\n"); |
---|
2069 | return -1; |
---|
2070 | } |
---|
2071 | if (splitlist != addrlist) |
---|
2072 | racoon_free(splitlist); |
---|
2073 | if (splitlist_cidr != addrlist) |
---|
2074 | racoon_free(splitlist_cidr); |
---|
2075 | |
---|
2076 | return 0; |
---|
2077 | } |
---|
2078 | |
---|
2079 | int |
---|
2080 | isakmp_cfg_resize_pool(size) |
---|
2081 | int size; |
---|
2082 | { |
---|
2083 | struct isakmp_cfg_port *new_pool; |
---|
2084 | size_t len; |
---|
2085 | int i; |
---|
2086 | |
---|
2087 | if (size == isakmp_cfg_config.pool_size) |
---|
2088 | return 0; |
---|
2089 | |
---|
2090 | plog(LLV_INFO, LOCATION, NULL, |
---|
2091 | "Resize address pool from %zu to %d\n", |
---|
2092 | isakmp_cfg_config.pool_size, size); |
---|
2093 | |
---|
2094 | /* If a pool already exists, check if we can shrink it */ |
---|
2095 | if ((isakmp_cfg_config.port_pool != NULL) && |
---|
2096 | (size < isakmp_cfg_config.pool_size)) { |
---|
2097 | for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) { |
---|
2098 | if (isakmp_cfg_config.port_pool[i].used) { |
---|
2099 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2100 | "resize pool from %zu to %d impossible " |
---|
2101 | "port %d is in use\n", |
---|
2102 | isakmp_cfg_config.pool_size, size, i); |
---|
2103 | size = i; |
---|
2104 | break; |
---|
2105 | } |
---|
2106 | } |
---|
2107 | } |
---|
2108 | |
---|
2109 | len = size * sizeof(*isakmp_cfg_config.port_pool); |
---|
2110 | new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len); |
---|
2111 | if (new_pool == NULL) { |
---|
2112 | plog(LLV_ERROR, LOCATION, NULL, |
---|
2113 | "resize pool from %zu to %d impossible: %s", |
---|
2114 | isakmp_cfg_config.pool_size, size, strerror(errno)); |
---|
2115 | return -1; |
---|
2116 | } |
---|
2117 | |
---|
2118 | /* If size increase, intialize correctly the new records */ |
---|
2119 | if (size > isakmp_cfg_config.pool_size) { |
---|
2120 | size_t unit; |
---|
2121 | size_t old_size; |
---|
2122 | |
---|
2123 | unit = sizeof(*isakmp_cfg_config.port_pool); |
---|
2124 | old_size = isakmp_cfg_config.pool_size; |
---|
2125 | |
---|
2126 | bzero((char *)new_pool + (old_size * unit), |
---|
2127 | (size - old_size) * unit); |
---|
2128 | } |
---|
2129 | |
---|
2130 | isakmp_cfg_config.port_pool = new_pool; |
---|
2131 | isakmp_cfg_config.pool_size = size; |
---|
2132 | |
---|
2133 | return 0; |
---|
2134 | } |
---|
2135 | |
---|
2136 | int |
---|
2137 | isakmp_cfg_init(cold) |
---|
2138 | int cold; |
---|
2139 | { |
---|
2140 | int i; |
---|
2141 | int error; |
---|
2142 | |
---|
2143 | isakmp_cfg_config.network4 = (in_addr_t)0x00000000; |
---|
2144 | isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000; |
---|
2145 | for (i = 0; i < MAXNS; i++) |
---|
2146 | isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000; |
---|
2147 | isakmp_cfg_config.dns4_index = 0; |
---|
2148 | for (i = 0; i < MAXWINS; i++) |
---|
2149 | isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000; |
---|
2150 | isakmp_cfg_config.nbns4_index = 0; |
---|
2151 | if (cold == ISAKMP_CFG_INIT_COLD) |
---|
2152 | isakmp_cfg_config.port_pool = NULL; |
---|
2153 | isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; |
---|
2154 | isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; |
---|
2155 | if (cold == ISAKMP_CFG_INIT_COLD) { |
---|
2156 | if (isakmp_cfg_config.grouplist != NULL) { |
---|
2157 | for (i = 0; i < isakmp_cfg_config.groupcount; i++) |
---|
2158 | racoon_free(isakmp_cfg_config.grouplist[i]); |
---|
2159 | racoon_free(isakmp_cfg_config.grouplist); |
---|
2160 | } |
---|
2161 | } |
---|
2162 | isakmp_cfg_config.grouplist = NULL; |
---|
2163 | isakmp_cfg_config.groupcount = 0; |
---|
2164 | isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; |
---|
2165 | isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; |
---|
2166 | if (cold == ISAKMP_CFG_INIT_COLD) |
---|
2167 | isakmp_cfg_config.pool_size = 0; |
---|
2168 | isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY; |
---|
2169 | strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN, |
---|
2170 | MAXPATHLEN); |
---|
2171 | strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN); |
---|
2172 | |
---|
2173 | if (cold != ISAKMP_CFG_INIT_COLD ) |
---|
2174 | if (isakmp_cfg_config.splitnet_list != NULL) |
---|
2175 | splitnet_list_free(isakmp_cfg_config.splitnet_list, |
---|
2176 | &isakmp_cfg_config.splitnet_count); |
---|
2177 | isakmp_cfg_config.splitnet_list = NULL; |
---|
2178 | isakmp_cfg_config.splitnet_count = 0; |
---|
2179 | isakmp_cfg_config.splitnet_type = 0; |
---|
2180 | |
---|
2181 | isakmp_cfg_config.pfs_group = 0; |
---|
2182 | isakmp_cfg_config.save_passwd = 0; |
---|
2183 | |
---|
2184 | if (cold != ISAKMP_CFG_INIT_COLD ) |
---|
2185 | if (isakmp_cfg_config.splitdns_list != NULL) |
---|
2186 | racoon_free(isakmp_cfg_config.splitdns_list); |
---|
2187 | isakmp_cfg_config.splitdns_list = NULL; |
---|
2188 | isakmp_cfg_config.splitdns_len = 0; |
---|
2189 | |
---|
2190 | #if 0 |
---|
2191 | if (cold == ISAKMP_CFG_INIT_COLD) { |
---|
2192 | if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0) |
---|
2193 | return error; |
---|
2194 | } |
---|
2195 | #endif |
---|
2196 | |
---|
2197 | return 0; |
---|
2198 | } |
---|
2199 | |
---|