1 /* $NetBSD: isakmp_cfg.c,v 1.25 2013/04/12 10:03:45 tteras Exp $ */ 2 3 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2006 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <utmpx.h> 42 #if defined(__APPLE__) && defined(__MACH__) 43 #include <util.h> 44 #endif 45 46 #ifdef __FreeBSD__ 47 # include <libutil.h> 48 #endif 49 #ifdef __NetBSD__ 50 # include <util.h> 51 #endif 52 53 #include <netinet/in.h> 54 #include <arpa/inet.h> 55 56 #include <stdlib.h> 57 #include <stdio.h> 58 #include <string.h> 59 #include <errno.h> 60 #if TIME_WITH_SYS_TIME 61 # include <sys/time.h> 62 # include <time.h> 63 #else 64 # if HAVE_SYS_TIME_H 65 # include <sys/time.h> 66 # else 67 # include <time.h> 68 # endif 69 #endif 70 #include <netdb.h> 71 #ifdef HAVE_UNISTD_H 72 #include <unistd.h> 73 #endif 74 #if HAVE_STDINT_H 75 #include <stdint.h> 76 #endif 77 #include <ctype.h> 78 #include <resolv.h> 79 80 #ifdef HAVE_LIBRADIUS 81 #include <sys/utsname.h> 82 #include <radlib.h> 83 #endif 84 85 #include "var.h" 86 #include "misc.h" 87 #include "vmbuf.h" 88 #include "plog.h" 89 #include "sockmisc.h" 90 #include "schedule.h" 91 #include "debug.h" 92 93 #include "isakmp_var.h" 94 #include "isakmp.h" 95 #include "handler.h" 96 #include "evt.h" 97 #include "throttle.h" 98 #include "remoteconf.h" 99 #include "crypto_openssl.h" 100 #include "isakmp_inf.h" 101 #include "isakmp_xauth.h" 102 #include "isakmp_unity.h" 103 #include "isakmp_cfg.h" 104 #include "strnames.h" 105 #include "admin.h" 106 #include "privsep.h" 107 108 struct isakmp_cfg_config isakmp_cfg_config; 109 110 static vchar_t *buffer_cat(vchar_t *s, vchar_t *append); 111 static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *); 112 #if 0 113 static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *); 114 #endif 115 static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 116 struct isakmp_data *, in_addr_t *); 117 static vchar_t *isakmp_cfg_addrnet4(struct ph1handle *, 118 struct isakmp_data *, in_addr_t *, in_addr_t *); 119 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); 120 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, 121 struct isakmp_data *, in_addr_t *, int); 122 static void isakmp_cfg_appendaddr4(struct isakmp_data *, 123 struct in_addr *, int *, int); 124 static void isakmp_cfg_getstring(struct isakmp_data *,char *); 125 void isakmp_cfg_iplist_to_str(char *, int, void *, int); 126 127 #define ISAKMP_CFG_LOGIN 1 128 #define ISAKMP_CFG_LOGOUT 2 129 static int isakmp_cfg_accounting(struct ph1handle *, int); 130 #ifdef HAVE_LIBRADIUS 131 static int isakmp_cfg_accounting_radius(struct ph1handle *, int); 132 #endif 133 134 /* 135 * Handle an ISAKMP config mode packet 136 * We expect HDR, HASH, ATTR 137 */ 138 void 139 isakmp_cfg_r(iph1, msg) 140 struct ph1handle *iph1; 141 vchar_t *msg; 142 { 143 struct isakmp *packet; 144 struct isakmp_gen *ph; 145 int tlen; 146 char *npp; 147 int np; 148 vchar_t *dmsg; 149 struct isakmp_ivm *ivm; 150 151 /* Check that the packet is long enough to have a header */ 152 if (msg->l < sizeof(*packet)) { 153 plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n"); 154 return; 155 } 156 157 packet = (struct isakmp *)msg->v; 158 159 /* Is it encrypted? It should be encrypted */ 160 if ((packet->flags & ISAKMP_FLAG_E) == 0) { 161 plog(LLV_ERROR, LOCATION, NULL, 162 "User credentials sent in cleartext!\n"); 163 return; 164 } 165 166 /* 167 * Decrypt the packet. If this is the beginning of a new 168 * exchange, reinitialize the IV 169 */ 170 if (iph1->mode_cfg->ivm == NULL || 171 iph1->mode_cfg->last_msgid != packet->msgid ) 172 iph1->mode_cfg->ivm = 173 isakmp_cfg_newiv(iph1, packet->msgid); 174 ivm = iph1->mode_cfg->ivm; 175 176 dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive); 177 if (dmsg == NULL) { 178 plog(LLV_ERROR, LOCATION, NULL, 179 "failed to decrypt message\n"); 180 return; 181 } 182 183 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n"); 184 plogdump(LLV_DEBUG, dmsg->v, dmsg->l); 185 186 /* Now work with the decrypted packet */ 187 packet = (struct isakmp *)dmsg->v; 188 tlen = dmsg->l - sizeof(*packet); 189 ph = (struct isakmp_gen *)(packet + 1); 190 191 np = packet->np; 192 while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) { 193 /* Check that the payload header fits in the packet */ 194 if (tlen < sizeof(*ph)) { 195 plog(LLV_WARNING, LOCATION, NULL, 196 "Short payload header\n"); 197 goto out; 198 } 199 200 /* Check that the payload fits in the packet */ 201 if (tlen < ntohs(ph->len)) { 202 plog(LLV_WARNING, LOCATION, NULL, 203 "Short payload\n"); 204 goto out; 205 } 206 207 plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np); 208 plogdump(LLV_DEBUG, ph, ntohs(ph->len)); 209 210 switch(np) { 211 case ISAKMP_NPTYPE_HASH: { 212 vchar_t *check; 213 vchar_t *payload; 214 size_t plen; 215 struct isakmp_gen *nph; 216 217 plen = ntohs(ph->len); 218 nph = (struct isakmp_gen *)((char *)ph + plen); 219 plen = ntohs(nph->len); 220 221 if ((payload = vmalloc(plen)) == NULL) { 222 plog(LLV_ERROR, LOCATION, NULL, 223 "Cannot allocate memory\n"); 224 goto out; 225 } 226 memcpy(payload->v, nph, plen); 227 228 if ((check = oakley_compute_hash1(iph1, 229 packet->msgid, payload)) == NULL) { 230 plog(LLV_ERROR, LOCATION, NULL, 231 "Cannot compute hash\n"); 232 vfree(payload); 233 goto out; 234 } 235 236 if (memcmp(ph + 1, check->v, check->l) != 0) { 237 plog(LLV_ERROR, LOCATION, NULL, 238 "Hash verification failed\n"); 239 vfree(payload); 240 vfree(check); 241 goto out; 242 } 243 vfree(payload); 244 vfree(check); 245 break; 246 } 247 case ISAKMP_NPTYPE_ATTR: { 248 struct isakmp_pl_attr *attrpl; 249 250 attrpl = (struct isakmp_pl_attr *)ph; 251 isakmp_cfg_attr_r(iph1, packet->msgid, attrpl); 252 253 break; 254 } 255 default: 256 plog(LLV_WARNING, LOCATION, NULL, 257 "Unexpected next payload %d\n", np); 258 /* Skip to the next payload */ 259 break; 260 } 261 262 /* Move to the next payload */ 263 np = ph->np; 264 tlen -= ntohs(ph->len); 265 npp = (char *)ph; 266 ph = (struct isakmp_gen *)(npp + ntohs(ph->len)); 267 } 268 269 out: 270 vfree(dmsg); 271 } 272 273 int 274 isakmp_cfg_attr_r(iph1, msgid, attrpl) 275 struct ph1handle *iph1; 276 u_int32_t msgid; 277 struct isakmp_pl_attr *attrpl; 278 { 279 int type = attrpl->type; 280 281 plog(LLV_DEBUG, LOCATION, NULL, 282 "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); 283 switch (type) { 284 case ISAKMP_CFG_ACK: 285 /* ignore, but this is the time to reinit the IV */ 286 oakley_delivm(iph1->mode_cfg->ivm); 287 iph1->mode_cfg->ivm = NULL; 288 return 0; 289 break; 290 291 case ISAKMP_CFG_REPLY: 292 return isakmp_cfg_reply(iph1, attrpl); 293 break; 294 295 case ISAKMP_CFG_REQUEST: 296 iph1->msgid = msgid; 297 return isakmp_cfg_request(iph1, attrpl); 298 break; 299 300 case ISAKMP_CFG_SET: 301 iph1->msgid = msgid; 302 return isakmp_cfg_set(iph1, attrpl); 303 break; 304 305 default: 306 plog(LLV_WARNING, LOCATION, NULL, 307 "Unepected configuration exchange type %d\n", type); 308 return -1; 309 break; 310 } 311 312 return 0; 313 } 314 315 int 316 isakmp_cfg_reply(iph1, attrpl) 317 struct ph1handle *iph1; 318 struct isakmp_pl_attr *attrpl; 319 { 320 struct isakmp_data *attr; 321 int tlen; 322 size_t alen; 323 char *npp; 324 int type; 325 struct sockaddr_in *sin; 326 int error; 327 328 tlen = ntohs(attrpl->h.len); 329 attr = (struct isakmp_data *)(attrpl + 1); 330 tlen -= sizeof(*attrpl); 331 332 while (tlen > 0) { 333 type = ntohs(attr->type); 334 335 /* Handle short attributes */ 336 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 337 type &= ~ISAKMP_GEN_MASK; 338 339 plog(LLV_DEBUG, LOCATION, NULL, 340 "Short attribute %s = %d\n", 341 s_isakmp_cfg_type(type), ntohs(attr->lorv)); 342 343 switch (type) { 344 case XAUTH_TYPE: 345 if ((error = xauth_attr_reply(iph1, 346 attr, ntohs(attrpl->id))) != 0) 347 return error; 348 break; 349 350 default: 351 plog(LLV_WARNING, LOCATION, NULL, 352 "Ignored short attribute %s\n", 353 s_isakmp_cfg_type(type)); 354 break; 355 } 356 357 tlen -= sizeof(*attr); 358 attr++; 359 continue; 360 } 361 362 type = ntohs(attr->type); 363 alen = ntohs(attr->lorv); 364 365 /* Check that the attribute fit in the packet */ 366 if (tlen < alen) { 367 plog(LLV_ERROR, LOCATION, NULL, 368 "Short attribute %s\n", 369 s_isakmp_cfg_type(type)); 370 return -1; 371 } 372 373 plog(LLV_DEBUG, LOCATION, NULL, 374 "Attribute %s, len %zu\n", 375 s_isakmp_cfg_type(type), alen); 376 377 switch(type) { 378 case XAUTH_TYPE: 379 case XAUTH_USER_NAME: 380 case XAUTH_USER_PASSWORD: 381 case XAUTH_PASSCODE: 382 case XAUTH_MESSAGE: 383 case XAUTH_CHALLENGE: 384 case XAUTH_DOMAIN: 385 case XAUTH_STATUS: 386 case XAUTH_NEXT_PIN: 387 case XAUTH_ANSWER: 388 if ((error = xauth_attr_reply(iph1, 389 attr, ntohs(attrpl->id))) != 0) 390 return error; 391 break; 392 case INTERNAL_IP4_ADDRESS: 393 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4); 394 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4; 395 break; 396 case INTERNAL_IP4_NETMASK: 397 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4); 398 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4; 399 break; 400 case INTERNAL_IP4_DNS: 401 isakmp_cfg_appendaddr4(attr, 402 &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index], 403 &iph1->mode_cfg->dns4_index, MAXNS); 404 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4; 405 break; 406 case INTERNAL_IP4_NBNS: 407 isakmp_cfg_appendaddr4(attr, 408 &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index], 409 &iph1->mode_cfg->wins4_index, MAXNS); 410 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4; 411 break; 412 case UNITY_DEF_DOMAIN: 413 isakmp_cfg_getstring(attr, 414 iph1->mode_cfg->default_domain); 415 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN; 416 break; 417 case UNITY_SPLIT_INCLUDE: 418 case UNITY_LOCAL_LAN: 419 case UNITY_SPLITDNS_NAME: 420 case UNITY_BANNER: 421 case UNITY_SAVE_PASSWD: 422 case UNITY_NATT_PORT: 423 case UNITY_PFS: 424 case UNITY_FW_TYPE: 425 case UNITY_BACKUP_SERVERS: 426 case UNITY_DDNS_HOSTNAME: 427 isakmp_unity_reply(iph1, attr); 428 break; 429 case INTERNAL_IP4_SUBNET: 430 case INTERNAL_ADDRESS_EXPIRY: 431 default: 432 plog(LLV_WARNING, LOCATION, NULL, 433 "Ignored attribute %s\n", 434 s_isakmp_cfg_type(type)); 435 break; 436 } 437 438 npp = (char *)attr; 439 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); 440 tlen -= (sizeof(*attr) + alen); 441 } 442 443 /* 444 * Call the SA up script hook now that we have the configuration 445 * It is done at the end of phase 1 if ISAKMP mode config is not 446 * requested. 447 */ 448 449 if ((iph1->status == PHASE1ST_ESTABLISHED) && 450 iph1->rmconf->mode_cfg) { 451 switch (iph1->approval->authmethod) { 452 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 453 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 454 /* Unimplemented */ 455 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 456 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 457 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 458 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 459 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 460 script_hook(iph1, SCRIPT_PHASE1_UP); 461 break; 462 default: 463 break; 464 } 465 } 466 467 468 #ifdef ENABLE_ADMINPORT 469 { 470 vchar_t *buf; 471 472 alen = ntohs(attrpl->h.len) - sizeof(*attrpl); 473 if ((buf = vmalloc(alen)) == NULL) { 474 plog(LLV_WARNING, LOCATION, NULL, 475 "Cannot allocate memory: %s\n", strerror(errno)); 476 } else { 477 memcpy(buf->v, attrpl + 1, buf->l); 478 evt_phase1(iph1, EVT_PHASE1_MODE_CFG, buf); 479 vfree(buf); 480 } 481 } 482 #endif 483 484 return 0; 485 } 486 487 int 488 isakmp_cfg_request(iph1, attrpl) 489 struct ph1handle *iph1; 490 struct isakmp_pl_attr *attrpl; 491 { 492 struct isakmp_data *attr; 493 int tlen; 494 size_t alen; 495 char *npp; 496 vchar_t *payload; 497 struct isakmp_pl_attr *reply; 498 vchar_t *reply_attr; 499 int type; 500 int error = -1; 501 502 if ((payload = vmalloc(sizeof(*reply))) == NULL) { 503 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 504 return -1; 505 } 506 memset(payload->v, 0, sizeof(*reply)); 507 508 tlen = ntohs(attrpl->h.len); 509 attr = (struct isakmp_data *)(attrpl + 1); 510 tlen -= sizeof(*attrpl); 511 512 while (tlen > 0) { 513 reply_attr = NULL; 514 type = ntohs(attr->type); 515 516 /* Handle short attributes */ 517 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 518 type &= ~ISAKMP_GEN_MASK; 519 520 plog(LLV_DEBUG, LOCATION, NULL, 521 "Short attribute %s = %d\n", 522 s_isakmp_cfg_type(type), ntohs(attr->lorv)); 523 524 switch (type) { 525 case XAUTH_TYPE: 526 reply_attr = isakmp_xauth_req(iph1, attr); 527 break; 528 default: 529 plog(LLV_WARNING, LOCATION, NULL, 530 "Ignored short attribute %s\n", 531 s_isakmp_cfg_type(type)); 532 break; 533 } 534 535 tlen -= sizeof(*attr); 536 attr++; 537 538 if (reply_attr != NULL) { 539 payload = buffer_cat(payload, reply_attr); 540 vfree(reply_attr); 541 } 542 543 continue; 544 } 545 546 type = ntohs(attr->type); 547 alen = ntohs(attr->lorv); 548 549 /* Check that the attribute fit in the packet */ 550 if (tlen < alen) { 551 plog(LLV_ERROR, LOCATION, NULL, 552 "Short attribute %s\n", 553 s_isakmp_cfg_type(type)); 554 goto end; 555 } 556 557 plog(LLV_DEBUG, LOCATION, NULL, 558 "Attribute %s, len %zu\n", 559 s_isakmp_cfg_type(type), alen); 560 561 switch(type) { 562 case INTERNAL_IP4_ADDRESS: 563 case INTERNAL_IP4_NETMASK: 564 case INTERNAL_IP4_DNS: 565 case INTERNAL_IP4_NBNS: 566 case INTERNAL_IP4_SUBNET: 567 reply_attr = isakmp_cfg_net(iph1, attr); 568 break; 569 570 case XAUTH_TYPE: 571 case XAUTH_USER_NAME: 572 case XAUTH_USER_PASSWORD: 573 case XAUTH_PASSCODE: 574 case XAUTH_MESSAGE: 575 case XAUTH_CHALLENGE: 576 case XAUTH_DOMAIN: 577 case XAUTH_STATUS: 578 case XAUTH_NEXT_PIN: 579 case XAUTH_ANSWER: 580 reply_attr = isakmp_xauth_req(iph1, attr); 581 break; 582 583 case APPLICATION_VERSION: 584 reply_attr = isakmp_cfg_string(iph1, 585 attr, ISAKMP_CFG_RACOON_VERSION); 586 break; 587 588 case UNITY_BANNER: 589 case UNITY_PFS: 590 case UNITY_SAVE_PASSWD: 591 case UNITY_DEF_DOMAIN: 592 case UNITY_DDNS_HOSTNAME: 593 case UNITY_FW_TYPE: 594 case UNITY_SPLITDNS_NAME: 595 case UNITY_SPLIT_INCLUDE: 596 case UNITY_LOCAL_LAN: 597 case UNITY_NATT_PORT: 598 case UNITY_BACKUP_SERVERS: 599 reply_attr = isakmp_unity_req(iph1, attr); 600 break; 601 602 case INTERNAL_ADDRESS_EXPIRY: 603 default: 604 plog(LLV_WARNING, LOCATION, NULL, 605 "Ignored attribute %s\n", 606 s_isakmp_cfg_type(type)); 607 break; 608 } 609 610 npp = (char *)attr; 611 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); 612 tlen -= (sizeof(*attr) + alen); 613 614 if (reply_attr != NULL) { 615 payload = buffer_cat(payload, reply_attr); 616 vfree(reply_attr); 617 } 618 619 } 620 621 reply = (struct isakmp_pl_attr *)payload->v; 622 reply->h.len = htons(payload->l); 623 reply->type = ISAKMP_CFG_REPLY; 624 reply->id = attrpl->id; 625 626 plog(LLV_DEBUG, LOCATION, NULL, 627 "Sending MODE_CFG REPLY\n"); 628 629 error = isakmp_cfg_send(iph1, payload, 630 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); 631 632 if (iph1->status == PHASE1ST_ESTABLISHED) { 633 switch (iph1->approval->authmethod) { 634 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 635 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 636 /* Unimplemented */ 637 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 638 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 640 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 641 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 642 script_hook(iph1, SCRIPT_PHASE1_UP); 643 break; 644 default: 645 break; 646 } 647 } 648 649 end: 650 vfree(payload); 651 652 return error; 653 } 654 655 int 656 isakmp_cfg_set(iph1, attrpl) 657 struct ph1handle *iph1; 658 struct isakmp_pl_attr *attrpl; 659 { 660 struct isakmp_data *attr; 661 int tlen; 662 size_t alen; 663 char *npp; 664 vchar_t *payload; 665 struct isakmp_pl_attr *reply; 666 vchar_t *reply_attr; 667 int type; 668 int error = -1; 669 670 if ((payload = vmalloc(sizeof(*reply))) == NULL) { 671 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 672 return -1; 673 } 674 memset(payload->v, 0, sizeof(*reply)); 675 676 tlen = ntohs(attrpl->h.len); 677 attr = (struct isakmp_data *)(attrpl + 1); 678 tlen -= sizeof(*attrpl); 679 680 /* 681 * We should send ack for the attributes we accepted 682 */ 683 while (tlen > 0) { 684 reply_attr = NULL; 685 type = ntohs(attr->type); 686 687 plog(LLV_DEBUG, LOCATION, NULL, 688 "Attribute %s\n", 689 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); 690 691 switch (type & ~ISAKMP_GEN_MASK) { 692 case XAUTH_STATUS: 693 reply_attr = isakmp_xauth_set(iph1, attr); 694 break; 695 default: 696 plog(LLV_DEBUG, LOCATION, NULL, 697 "Unexpected SET attribute %s\n", 698 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); 699 break; 700 } 701 702 if (reply_attr != NULL) { 703 payload = buffer_cat(payload, reply_attr); 704 vfree(reply_attr); 705 } 706 707 /* 708 * Move to next attribute. If we run out of the packet, 709 * tlen becomes negative and we exit. 710 */ 711 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 712 tlen -= sizeof(*attr); 713 attr++; 714 } else { 715 alen = ntohs(attr->lorv); 716 tlen -= (sizeof(*attr) + alen); 717 npp = (char *)attr; 718 attr = (struct isakmp_data *) 719 (npp + sizeof(*attr) + alen); 720 } 721 } 722 723 reply = (struct isakmp_pl_attr *)payload->v; 724 reply->h.len = htons(payload->l); 725 reply->type = ISAKMP_CFG_ACK; 726 reply->id = attrpl->id; 727 728 plog(LLV_DEBUG, LOCATION, NULL, 729 "Sending MODE_CFG ACK\n"); 730 731 error = isakmp_cfg_send(iph1, payload, 732 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); 733 734 if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) { 735 if (iph1->status == PHASE1ST_ESTABLISHED || 736 iph1->status == PHASE1ST_DYING) 737 isakmp_info_send_d1(iph1); 738 remph1(iph1); 739 delph1(iph1); 740 iph1 = NULL; 741 } 742 end: 743 vfree(payload); 744 745 /* 746 * If required, request ISAKMP mode config information 747 */ 748 if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0)) 749 error = isakmp_cfg_getconfig(iph1); 750 751 return error; 752 } 753 754 755 static vchar_t * 756 buffer_cat(s, append) 757 vchar_t *s; 758 vchar_t *append; 759 { 760 vchar_t *new; 761 762 new = vmalloc(s->l + append->l); 763 if (new == NULL) { 764 plog(LLV_ERROR, LOCATION, NULL, 765 "Cannot allocate memory\n"); 766 return s; 767 } 768 769 memcpy(new->v, s->v, s->l); 770 memcpy(new->v + s->l, append->v, append->l); 771 772 vfree(s); 773 return new; 774 } 775 776 static vchar_t * 777 isakmp_cfg_net(iph1, attr) 778 struct ph1handle *iph1; 779 struct isakmp_data *attr; 780 { 781 int type; 782 int confsource; 783 in_addr_t addr4; 784 785 type = ntohs(attr->type); 786 787 /* 788 * Don't give an address to a peer that did not succeed Xauth 789 */ 790 if (xauth_check(iph1) != 0) { 791 plog(LLV_ERROR, LOCATION, NULL, 792 "Attempt to start phase config whereas Xauth failed\n"); 793 return NULL; 794 } 795 796 confsource = isakmp_cfg_config.confsource; 797 /* 798 * If we have to fall back to a local 799 * configuration source, we will jump 800 * back to this point. 801 */ 802 retry_source: 803 804 switch(type) { 805 case INTERNAL_IP4_ADDRESS: 806 switch(confsource) { 807 #ifdef HAVE_LIBLDAP 808 case ISAKMP_CFG_CONF_LDAP: 809 if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) 810 break; 811 plog(LLV_INFO, LOCATION, NULL, 812 "No IP from LDAP, using local pool\n"); 813 /* FALLTHROUGH */ 814 confsource = ISAKMP_CFG_CONF_LOCAL; 815 goto retry_source; 816 #endif 817 #ifdef HAVE_LIBRADIUS 818 case ISAKMP_CFG_CONF_RADIUS: 819 if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) 820 && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) 821 /* 822 * -2 is 255.255.255.254, RADIUS uses that 823 * to instruct the NAS to use a local pool 824 */ 825 break; 826 plog(LLV_INFO, LOCATION, NULL, 827 "No IP from RADIUS, using local pool\n"); 828 /* FALLTHROUGH */ 829 confsource = ISAKMP_CFG_CONF_LOCAL; 830 goto retry_source; 831 #endif 832 case ISAKMP_CFG_CONF_LOCAL: 833 if (isakmp_cfg_getport(iph1) == -1) { 834 plog(LLV_ERROR, LOCATION, NULL, 835 "Port pool depleted\n"); 836 break; 837 } 838 839 iph1->mode_cfg->addr4.s_addr = 840 htonl(ntohl(isakmp_cfg_config.network4) 841 + iph1->mode_cfg->port); 842 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL; 843 break; 844 845 default: 846 plog(LLV_ERROR, LOCATION, NULL, 847 "Unexpected confsource\n"); 848 } 849 850 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0) 851 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); 852 853 return isakmp_cfg_addr4(iph1, 854 attr, &iph1->mode_cfg->addr4.s_addr); 855 break; 856 857 case INTERNAL_IP4_NETMASK: 858 switch(confsource) { 859 #ifdef HAVE_LIBLDAP 860 case ISAKMP_CFG_CONF_LDAP: 861 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) 862 break; 863 plog(LLV_INFO, LOCATION, NULL, 864 "No mask from LDAP, using local pool\n"); 865 /* FALLTHROUGH */ 866 confsource = ISAKMP_CFG_CONF_LOCAL; 867 goto retry_source; 868 #endif 869 #ifdef HAVE_LIBRADIUS 870 case ISAKMP_CFG_CONF_RADIUS: 871 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) 872 break; 873 plog(LLV_INFO, LOCATION, NULL, 874 "No mask from RADIUS, using local pool\n"); 875 /* FALLTHROUGH */ 876 confsource = ISAKMP_CFG_CONF_LOCAL; 877 goto retry_source; 878 #endif 879 case ISAKMP_CFG_CONF_LOCAL: 880 iph1->mode_cfg->mask4.s_addr 881 = isakmp_cfg_config.netmask4; 882 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL; 883 break; 884 885 default: 886 plog(LLV_ERROR, LOCATION, NULL, 887 "Unexpected confsource\n"); 888 } 889 return isakmp_cfg_addr4(iph1, attr, 890 &iph1->mode_cfg->mask4.s_addr); 891 break; 892 893 case INTERNAL_IP4_DNS: 894 return isakmp_cfg_addr4_list(iph1, 895 attr, &isakmp_cfg_config.dns4[0], 896 isakmp_cfg_config.dns4_index); 897 break; 898 899 case INTERNAL_IP4_NBNS: 900 return isakmp_cfg_addr4_list(iph1, 901 attr, &isakmp_cfg_config.nbns4[0], 902 isakmp_cfg_config.nbns4_index); 903 break; 904 905 case INTERNAL_IP4_SUBNET: 906 if(isakmp_cfg_config.splitnet_count > 0){ 907 return isakmp_cfg_addrnet4(iph1, attr, 908 &isakmp_cfg_config.splitnet_list->network.addr4.s_addr, 909 &isakmp_cfg_config.splitnet_list->network.mask4.s_addr); 910 }else{ 911 plog(LLV_INFO, LOCATION, NULL, 912 "%s requested but no splitnet in configuration\n", 913 s_isakmp_cfg_type(type)); 914 } 915 break; 916 917 default: 918 plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type); 919 break; 920 } 921 return NULL; 922 } 923 924 #if 0 925 static vchar_t * 926 isakmp_cfg_void(iph1, attr) 927 struct ph1handle *iph1; 928 struct isakmp_data *attr; 929 { 930 vchar_t *buffer; 931 struct isakmp_data *new; 932 933 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 934 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 935 return NULL; 936 } 937 938 new = (struct isakmp_data *)buffer->v; 939 940 new->type = attr->type; 941 new->lorv = htons(0); 942 943 return buffer; 944 } 945 #endif 946 947 vchar_t * 948 isakmp_cfg_copy(iph1, attr) 949 struct ph1handle *iph1; 950 struct isakmp_data *attr; 951 { 952 vchar_t *buffer; 953 size_t len = 0; 954 955 if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV) 956 len = ntohs(attr->lorv); 957 958 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 959 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 960 return NULL; 961 } 962 963 memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv)); 964 965 return buffer; 966 } 967 968 vchar_t * 969 isakmp_cfg_short(iph1, attr, value) 970 struct ph1handle *iph1; 971 struct isakmp_data *attr; 972 int value; 973 { 974 vchar_t *buffer; 975 struct isakmp_data *new; 976 int type; 977 978 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 979 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 980 return NULL; 981 } 982 983 new = (struct isakmp_data *)buffer->v; 984 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 985 986 new->type = htons(type | ISAKMP_GEN_TV); 987 new->lorv = htons(value); 988 989 return buffer; 990 } 991 992 vchar_t * 993 isakmp_cfg_varlen(iph1, attr, string, len) 994 struct ph1handle *iph1; 995 struct isakmp_data *attr; 996 char *string; 997 size_t len; 998 { 999 vchar_t *buffer; 1000 struct isakmp_data *new; 1001 char *data; 1002 1003 if (!len) 1004 return NULL; 1005 1006 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 1007 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1008 return NULL; 1009 } 1010 1011 new = (struct isakmp_data *)buffer->v; 1012 1013 new->type = attr->type; 1014 new->lorv = htons(len); 1015 data = (char *)(new + 1); 1016 1017 memcpy(data, string, len); 1018 1019 return buffer; 1020 } 1021 vchar_t * 1022 isakmp_cfg_string(iph1, attr, string) 1023 struct ph1handle *iph1; 1024 struct isakmp_data *attr; 1025 char *string; 1026 { 1027 size_t len = strlen(string); 1028 return isakmp_cfg_varlen(iph1, attr, string, len); 1029 } 1030 1031 static vchar_t * 1032 isakmp_cfg_addr4(iph1, attr, addr) 1033 struct ph1handle *iph1; 1034 struct isakmp_data *attr; 1035 in_addr_t *addr; 1036 { 1037 vchar_t *buffer; 1038 struct isakmp_data *new; 1039 size_t len; 1040 1041 len = sizeof(*addr); 1042 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 1043 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1044 return NULL; 1045 } 1046 1047 new = (struct isakmp_data *)buffer->v; 1048 1049 new->type = attr->type; 1050 new->lorv = htons(len); 1051 memcpy(new + 1, addr, len); 1052 1053 return buffer; 1054 } 1055 1056 static vchar_t * 1057 isakmp_cfg_addrnet4(iph1, attr, addr, mask) 1058 struct ph1handle *iph1; 1059 struct isakmp_data *attr; 1060 in_addr_t *addr; 1061 in_addr_t *mask; 1062 { 1063 vchar_t *buffer; 1064 struct isakmp_data *new; 1065 size_t len; 1066 in_addr_t netbuff[2]; 1067 1068 len = sizeof(netbuff); 1069 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 1070 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1071 return NULL; 1072 } 1073 1074 new = (struct isakmp_data *)buffer->v; 1075 1076 new->type = attr->type; 1077 new->lorv = htons(len); 1078 netbuff[0]=*addr; 1079 netbuff[1]=*mask; 1080 memcpy(new + 1, netbuff, len); 1081 1082 return buffer; 1083 } 1084 1085 1086 static vchar_t * 1087 isakmp_cfg_addr4_list(iph1, attr, addr, nbr) 1088 struct ph1handle *iph1; 1089 struct isakmp_data *attr; 1090 in_addr_t *addr; 1091 int nbr; 1092 { 1093 int error = -1; 1094 vchar_t *buffer = NULL; 1095 vchar_t *bufone = NULL; 1096 struct isakmp_data *new; 1097 size_t len; 1098 int i; 1099 1100 len = sizeof(*addr); 1101 if ((buffer = vmalloc(0)) == NULL) { 1102 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1103 goto out; 1104 } 1105 for(i = 0; i < nbr; i++) { 1106 if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) { 1107 plog(LLV_ERROR, LOCATION, NULL, 1108 "Cannot allocate memory\n"); 1109 goto out; 1110 } 1111 new = (struct isakmp_data *)bufone->v; 1112 new->type = attr->type; 1113 new->lorv = htons(len); 1114 memcpy(new + 1, &addr[i], len); 1115 new += (len + sizeof(*attr)); 1116 buffer = buffer_cat(buffer, bufone); 1117 vfree(bufone); 1118 } 1119 1120 error = 0; 1121 1122 out: 1123 if ((error != 0) && (buffer != NULL)) { 1124 vfree(buffer); 1125 buffer = NULL; 1126 } 1127 1128 return buffer; 1129 } 1130 1131 struct isakmp_ivm * 1132 isakmp_cfg_newiv(iph1, msgid) 1133 struct ph1handle *iph1; 1134 u_int32_t msgid; 1135 { 1136 struct isakmp_cfg_state *ics = iph1->mode_cfg; 1137 1138 if (ics == NULL) { 1139 plog(LLV_ERROR, LOCATION, NULL, 1140 "isakmp_cfg_newiv called without mode config state\n"); 1141 return NULL; 1142 } 1143 1144 if (ics->ivm != NULL) 1145 oakley_delivm(ics->ivm); 1146 1147 ics->ivm = oakley_newiv2(iph1, msgid); 1148 ics->last_msgid = msgid; 1149 1150 return ics->ivm; 1151 } 1152 1153 /* Derived from isakmp_info_send_common */ 1154 int 1155 isakmp_cfg_send(iph1, payload, np, flags, new_exchange) 1156 struct ph1handle *iph1; 1157 vchar_t *payload; 1158 u_int32_t np; 1159 int flags; 1160 int new_exchange; 1161 { 1162 struct ph2handle *iph2 = NULL; 1163 vchar_t *hash = NULL; 1164 struct isakmp *isakmp; 1165 struct isakmp_gen *gen; 1166 char *p; 1167 int tlen; 1168 int error = -1; 1169 struct isakmp_cfg_state *ics = iph1->mode_cfg; 1170 1171 /* Check if phase 1 is established */ 1172 if ((iph1->status < PHASE1ST_ESTABLISHED) || 1173 (iph1->local == NULL) || 1174 (iph1->remote == NULL)) { 1175 plog(LLV_ERROR, LOCATION, NULL, 1176 "ISAKMP mode config exchange with immature phase 1\n"); 1177 goto end; 1178 } 1179 1180 /* add new entry to isakmp status table */ 1181 iph2 = newph2(); 1182 if (iph2 == NULL) 1183 goto end; 1184 1185 iph2->dst = dupsaddr(iph1->remote); 1186 if (iph2->dst == NULL) { 1187 delph2(iph2); 1188 goto end; 1189 } 1190 iph2->src = dupsaddr(iph1->local); 1191 if (iph2->src == NULL) { 1192 delph2(iph2); 1193 goto end; 1194 } 1195 1196 iph2->side = INITIATOR; 1197 iph2->status = PHASE2ST_START; 1198 1199 if (new_exchange) 1200 iph2->msgid = isakmp_newmsgid2(iph1); 1201 else 1202 iph2->msgid = iph1->msgid; 1203 1204 /* get IV and HASH(1) if skeyid_a was generated. */ 1205 if (iph1->skeyid_a != NULL) { 1206 if (new_exchange) { 1207 if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) { 1208 delph2(iph2); 1209 goto end; 1210 } 1211 } 1212 1213 /* generate HASH(1) */ 1214 hash = oakley_compute_hash1(iph1, iph2->msgid, payload); 1215 if (hash == NULL) { 1216 delph2(iph2); 1217 goto end; 1218 } 1219 1220 /* initialized total buffer length */ 1221 tlen = hash->l; 1222 tlen += sizeof(*gen); 1223 } else { 1224 /* IKE-SA is not established */ 1225 hash = NULL; 1226 1227 /* initialized total buffer length */ 1228 tlen = 0; 1229 } 1230 if ((flags & ISAKMP_FLAG_A) == 0) 1231 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E); 1232 else 1233 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); 1234 1235 insph2(iph2); 1236 bindph12(iph1, iph2); 1237 1238 tlen += sizeof(*isakmp) + payload->l; 1239 1240 /* create buffer for isakmp payload */ 1241 iph2->sendbuf = vmalloc(tlen); 1242 if (iph2->sendbuf == NULL) { 1243 plog(LLV_ERROR, LOCATION, NULL, 1244 "failed to get buffer to send.\n"); 1245 goto err; 1246 } 1247 1248 /* create isakmp header */ 1249 isakmp = (struct isakmp *)iph2->sendbuf->v; 1250 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 1251 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 1252 isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH; 1253 isakmp->v = iph1->version; 1254 isakmp->etype = ISAKMP_ETYPE_CFG; 1255 isakmp->flags = iph2->flags; 1256 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); 1257 isakmp->len = htonl(tlen); 1258 p = (char *)(isakmp + 1); 1259 1260 /* create HASH payload */ 1261 if (hash != NULL) { 1262 gen = (struct isakmp_gen *)p; 1263 gen->np = np & 0xff; 1264 gen->len = htons(sizeof(*gen) + hash->l); 1265 p += sizeof(*gen); 1266 memcpy(p, hash->v, hash->l); 1267 p += hash->l; 1268 } 1269 1270 /* add payload */ 1271 memcpy(p, payload->v, payload->l); 1272 p += payload->l; 1273 1274 #ifdef HAVE_PRINT_ISAKMP_C 1275 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); 1276 #endif 1277 1278 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n"); 1279 plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); 1280 1281 /* encoding */ 1282 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { 1283 vchar_t *tmp; 1284 1285 tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, 1286 ics->ivm->ive, ics->ivm->iv); 1287 VPTRINIT(iph2->sendbuf); 1288 if (tmp == NULL) 1289 goto err; 1290 iph2->sendbuf = tmp; 1291 } 1292 1293 /* HDR*, HASH(1), ATTR */ 1294 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { 1295 VPTRINIT(iph2->sendbuf); 1296 goto err; 1297 } 1298 1299 plog(LLV_DEBUG, LOCATION, NULL, 1300 "sendto mode config %s.\n", s_isakmp_nptype(np)); 1301 1302 /* 1303 * XXX We might need to resend the message... 1304 */ 1305 1306 error = 0; 1307 VPTRINIT(iph2->sendbuf); 1308 1309 err: 1310 if (iph2->sendbuf != NULL) 1311 vfree(iph2->sendbuf); 1312 1313 remph2(iph2); 1314 delph2(iph2); 1315 end: 1316 if (hash) 1317 vfree(hash); 1318 return error; 1319 } 1320 1321 1322 void 1323 isakmp_cfg_rmstate(iph1) 1324 struct ph1handle *iph1; 1325 { 1326 struct isakmp_cfg_state *state = iph1->mode_cfg; 1327 1328 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0) 1329 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); 1330 1331 if (state->flags & ISAKMP_CFG_PORT_ALLOCATED) 1332 isakmp_cfg_putport(iph1, state->port); 1333 1334 /* Delete the IV if it's still there */ 1335 if(iph1->mode_cfg->ivm) { 1336 oakley_delivm(iph1->mode_cfg->ivm); 1337 iph1->mode_cfg->ivm = NULL; 1338 } 1339 1340 /* Free any allocated splitnet lists */ 1341 if(iph1->mode_cfg->split_include != NULL) 1342 splitnet_list_free(iph1->mode_cfg->split_include, 1343 &iph1->mode_cfg->include_count); 1344 if(iph1->mode_cfg->split_local != NULL) 1345 splitnet_list_free(iph1->mode_cfg->split_local, 1346 &iph1->mode_cfg->local_count); 1347 1348 xauth_rmstate(&state->xauth); 1349 1350 racoon_free(state); 1351 iph1->mode_cfg = NULL; 1352 1353 return; 1354 } 1355 1356 struct isakmp_cfg_state * 1357 isakmp_cfg_mkstate(void) 1358 { 1359 struct isakmp_cfg_state *state; 1360 1361 if ((state = racoon_malloc(sizeof(*state))) == NULL) { 1362 plog(LLV_ERROR, LOCATION, NULL, 1363 "Cannot allocate memory for mode config state\n"); 1364 return NULL; 1365 } 1366 memset(state, 0, sizeof(*state)); 1367 1368 return state; 1369 } 1370 1371 int 1372 isakmp_cfg_getport(iph1) 1373 struct ph1handle *iph1; 1374 { 1375 unsigned int i; 1376 size_t size = isakmp_cfg_config.pool_size; 1377 1378 if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED) 1379 return iph1->mode_cfg->port; 1380 1381 if (isakmp_cfg_config.port_pool == NULL) { 1382 plog(LLV_ERROR, LOCATION, NULL, 1383 "isakmp_cfg_config.port_pool == NULL\n"); 1384 return -1; 1385 } 1386 1387 for (i = 0; i < size; i++) { 1388 if (isakmp_cfg_config.port_pool[i].used == 0) 1389 break; 1390 } 1391 1392 if (i == size) { 1393 plog(LLV_ERROR, LOCATION, NULL, 1394 "No more addresses available\n"); 1395 return -1; 1396 } 1397 1398 isakmp_cfg_config.port_pool[i].used = 1; 1399 1400 plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i); 1401 1402 iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED; 1403 iph1->mode_cfg->port = i; 1404 1405 return i; 1406 } 1407 1408 int 1409 isakmp_cfg_putport(iph1, index) 1410 struct ph1handle *iph1; 1411 unsigned int index; 1412 { 1413 if (isakmp_cfg_config.port_pool == NULL) { 1414 plog(LLV_ERROR, LOCATION, NULL, 1415 "isakmp_cfg_config.port_pool == NULL\n"); 1416 return -1; 1417 } 1418 1419 if (isakmp_cfg_config.port_pool[index].used == 0) { 1420 plog(LLV_ERROR, LOCATION, NULL, 1421 "Attempt to release an unallocated address (port %d)\n", 1422 index); 1423 return -1; 1424 } 1425 1426 #ifdef HAVE_LIBPAM 1427 /* Cleanup PAM status associated with the port */ 1428 if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM) 1429 privsep_cleanup_pam(index); 1430 #endif 1431 isakmp_cfg_config.port_pool[index].used = 0; 1432 iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED; 1433 1434 plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index); 1435 1436 return 0; 1437 } 1438 1439 #ifdef HAVE_LIBPAM 1440 void 1441 cleanup_pam(port) 1442 int port; 1443 { 1444 if (isakmp_cfg_config.port_pool[port].pam != NULL) { 1445 pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS); 1446 isakmp_cfg_config.port_pool[port].pam = NULL; 1447 } 1448 1449 return; 1450 } 1451 #endif 1452 1453 /* Accounting, only for RADIUS or PAM */ 1454 static int 1455 isakmp_cfg_accounting(iph1, inout) 1456 struct ph1handle *iph1; 1457 int inout; 1458 { 1459 #ifdef HAVE_LIBPAM 1460 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM) 1461 return privsep_accounting_pam(iph1->mode_cfg->port, 1462 inout); 1463 #endif 1464 #ifdef HAVE_LIBRADIUS 1465 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) 1466 return isakmp_cfg_accounting_radius(iph1, inout); 1467 #endif 1468 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) 1469 return privsep_accounting_system(iph1->mode_cfg->port, 1470 iph1->remote, iph1->mode_cfg->login, inout); 1471 return 0; 1472 } 1473 1474 #ifdef HAVE_LIBPAM 1475 int 1476 isakmp_cfg_accounting_pam(port, inout) 1477 int port; 1478 int inout; 1479 { 1480 int error = 0; 1481 pam_handle_t *pam; 1482 1483 if (isakmp_cfg_config.port_pool == NULL) { 1484 plog(LLV_ERROR, LOCATION, NULL, 1485 "isakmp_cfg_config.port_pool == NULL\n"); 1486 return -1; 1487 } 1488 1489 pam = isakmp_cfg_config.port_pool[port].pam; 1490 if (pam == NULL) { 1491 plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n"); 1492 return -1; 1493 } 1494 1495 switch (inout) { 1496 case ISAKMP_CFG_LOGIN: 1497 error = pam_open_session(pam, 0); 1498 break; 1499 case ISAKMP_CFG_LOGOUT: 1500 error = pam_close_session(pam, 0); 1501 pam_end(pam, error); 1502 isakmp_cfg_config.port_pool[port].pam = NULL; 1503 break; 1504 default: 1505 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1506 break; 1507 } 1508 1509 if (error != 0) { 1510 plog(LLV_ERROR, LOCATION, NULL, 1511 "pam_open_session/pam_close_session failed: %s\n", 1512 pam_strerror(pam, error)); 1513 return -1; 1514 } 1515 1516 return 0; 1517 } 1518 #endif /* HAVE_LIBPAM */ 1519 1520 #ifdef HAVE_LIBRADIUS 1521 static int 1522 isakmp_cfg_accounting_radius(iph1, inout) 1523 struct ph1handle *iph1; 1524 int inout; 1525 { 1526 if (rad_create_request(radius_acct_state, 1527 RAD_ACCOUNTING_REQUEST) != 0) { 1528 plog(LLV_ERROR, LOCATION, NULL, 1529 "rad_create_request failed: %s\n", 1530 rad_strerror(radius_acct_state)); 1531 return -1; 1532 } 1533 1534 if (rad_put_string(radius_acct_state, RAD_USER_NAME, 1535 iph1->mode_cfg->login) != 0) { 1536 plog(LLV_ERROR, LOCATION, NULL, 1537 "rad_put_string failed: %s\n", 1538 rad_strerror(radius_acct_state)); 1539 return -1; 1540 } 1541 1542 switch (inout) { 1543 case ISAKMP_CFG_LOGIN: 1544 inout = RAD_START; 1545 break; 1546 case ISAKMP_CFG_LOGOUT: 1547 inout = RAD_STOP; 1548 break; 1549 default: 1550 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1551 break; 1552 } 1553 1554 if (rad_put_addr(radius_acct_state, 1555 RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) { 1556 plog(LLV_ERROR, LOCATION, NULL, 1557 "rad_put_addr failed: %s\n", 1558 rad_strerror(radius_acct_state)); 1559 return -1; 1560 } 1561 1562 if (rad_put_addr(radius_acct_state, 1563 RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) { 1564 plog(LLV_ERROR, LOCATION, NULL, 1565 "rad_put_addr failed: %s\n", 1566 rad_strerror(radius_acct_state)); 1567 return -1; 1568 } 1569 1570 if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) { 1571 plog(LLV_ERROR, LOCATION, NULL, 1572 "rad_put_int failed: %s\n", 1573 rad_strerror(radius_acct_state)); 1574 return -1; 1575 } 1576 1577 if (isakmp_cfg_radius_common(radius_acct_state, 1578 iph1->mode_cfg->port) != 0) 1579 return -1; 1580 1581 if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) { 1582 plog(LLV_ERROR, LOCATION, NULL, 1583 "rad_send_request failed: %s\n", 1584 rad_strerror(radius_acct_state)); 1585 return -1; 1586 } 1587 1588 return 0; 1589 } 1590 #endif /* HAVE_LIBRADIUS */ 1591 1592 /* 1593 * Attributes common to all RADIUS requests 1594 */ 1595 #ifdef HAVE_LIBRADIUS 1596 int 1597 isakmp_cfg_radius_common(radius_state, port) 1598 struct rad_handle *radius_state; 1599 int port; 1600 { 1601 struct utsname name; 1602 static struct hostent *host = NULL; 1603 struct in_addr nas_addr; 1604 1605 /* 1606 * Find our own IP by resolving our nodename 1607 */ 1608 if (host == NULL) { 1609 if (uname(&name) != 0) { 1610 plog(LLV_ERROR, LOCATION, NULL, 1611 "uname failed: %s\n", strerror(errno)); 1612 return -1; 1613 } 1614 1615 if ((host = gethostbyname(name.nodename)) == NULL) { 1616 plog(LLV_ERROR, LOCATION, NULL, 1617 "gethostbyname failed: %s\n", strerror(errno)); 1618 return -1; 1619 } 1620 } 1621 1622 memcpy(&nas_addr, host->h_addr, sizeof(nas_addr)); 1623 if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) { 1624 plog(LLV_ERROR, LOCATION, NULL, 1625 "rad_put_addr failed: %s\n", 1626 rad_strerror(radius_state)); 1627 return -1; 1628 } 1629 1630 if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) { 1631 plog(LLV_ERROR, LOCATION, NULL, 1632 "rad_put_int failed: %s\n", 1633 rad_strerror(radius_state)); 1634 return -1; 1635 } 1636 1637 if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) { 1638 plog(LLV_ERROR, LOCATION, NULL, 1639 "rad_put_int failed: %s\n", 1640 rad_strerror(radius_state)); 1641 return -1; 1642 } 1643 1644 if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) { 1645 plog(LLV_ERROR, LOCATION, NULL, 1646 "rad_put_int failed: %s\n", 1647 rad_strerror(radius_state)); 1648 return -1; 1649 } 1650 1651 return 0; 1652 } 1653 #endif 1654 1655 /* 1656 Logs the user into the utmp system files. 1657 */ 1658 1659 int 1660 isakmp_cfg_accounting_system(port, raddr, usr, inout) 1661 int port; 1662 struct sockaddr *raddr; 1663 char *usr; 1664 int inout; 1665 { 1666 int error = 0; 1667 struct utmpx ut; 1668 char addr[NI_MAXHOST]; 1669 1670 if (usr == NULL || usr[0]=='\0') { 1671 plog(LLV_ERROR, LOCATION, NULL, 1672 "system accounting : no login found\n"); 1673 return -1; 1674 } 1675 1676 memset(&ut, 0, sizeof ut); 1677 gettimeofday((struct timeval *)&ut.ut_tv, NULL); 1678 snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port); 1679 1680 switch (inout) { 1681 case ISAKMP_CFG_LOGIN: 1682 ut.ut_type = USER_PROCESS; 1683 strncpy(ut.ut_user, usr, sizeof ut.ut_user); 1684 1685 GETNAMEINFO_NULL(raddr, addr); 1686 strncpy(ut.ut_host, addr, sizeof ut.ut_host); 1687 1688 plog(LLV_INFO, LOCATION, NULL, 1689 "Accounting : '%s' logging on '%s' from %s.\n", 1690 ut.ut_user, ut.ut_id, addr); 1691 1692 pututxline(&ut); 1693 1694 break; 1695 case ISAKMP_CFG_LOGOUT: 1696 ut.ut_type = DEAD_PROCESS; 1697 1698 plog(LLV_INFO, LOCATION, NULL, 1699 "Accounting : '%s' unlogging from '%s'.\n", 1700 usr, ut.ut_id); 1701 1702 pututxline(&ut); 1703 1704 break; 1705 default: 1706 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1707 break; 1708 } 1709 1710 return 0; 1711 } 1712 1713 int 1714 isakmp_cfg_getconfig(iph1) 1715 struct ph1handle *iph1; 1716 { 1717 vchar_t *buffer; 1718 struct isakmp_pl_attr *attrpl; 1719 struct isakmp_data *attr; 1720 size_t len; 1721 int error; 1722 int attrcount; 1723 int i; 1724 int attrlist[] = { 1725 INTERNAL_IP4_ADDRESS, 1726 INTERNAL_IP4_NETMASK, 1727 INTERNAL_IP4_DNS, 1728 INTERNAL_IP4_NBNS, 1729 UNITY_BANNER, 1730 UNITY_DEF_DOMAIN, 1731 UNITY_SPLITDNS_NAME, 1732 UNITY_SPLIT_INCLUDE, 1733 UNITY_LOCAL_LAN, 1734 APPLICATION_VERSION, 1735 }; 1736 1737 attrcount = sizeof(attrlist) / sizeof(*attrlist); 1738 len = sizeof(*attrpl) + sizeof(*attr) * attrcount; 1739 1740 if ((buffer = vmalloc(len)) == NULL) { 1741 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1742 return -1; 1743 } 1744 1745 attrpl = (struct isakmp_pl_attr *)buffer->v; 1746 attrpl->h.len = htons(len); 1747 attrpl->type = ISAKMP_CFG_REQUEST; 1748 attrpl->id = htons((u_int16_t)(eay_random() & 0xffff)); 1749 1750 attr = (struct isakmp_data *)(attrpl + 1); 1751 1752 for (i = 0; i < attrcount; i++) { 1753 attr->type = htons(attrlist[i]); 1754 attr->lorv = htons(0); 1755 attr++; 1756 } 1757 1758 plog(LLV_DEBUG, LOCATION, NULL, 1759 "Sending MODE_CFG REQUEST\n"); 1760 1761 error = isakmp_cfg_send(iph1, buffer, 1762 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 1763 1764 vfree(buffer); 1765 1766 return error; 1767 } 1768 1769 static void 1770 isakmp_cfg_getaddr4(attr, ip) 1771 struct isakmp_data *attr; 1772 struct in_addr *ip; 1773 { 1774 size_t alen = ntohs(attr->lorv); 1775 in_addr_t *addr; 1776 1777 if (alen != sizeof(*ip)) { 1778 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); 1779 return; 1780 } 1781 1782 addr = (in_addr_t *)(attr + 1); 1783 ip->s_addr = *addr; 1784 1785 return; 1786 } 1787 1788 static void 1789 isakmp_cfg_appendaddr4(attr, ip, num, max) 1790 struct isakmp_data *attr; 1791 struct in_addr *ip; 1792 int *num; 1793 int max; 1794 { 1795 size_t alen = ntohs(attr->lorv); 1796 in_addr_t *addr; 1797 1798 if (alen != sizeof(*ip)) { 1799 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); 1800 return; 1801 } 1802 if (*num == max) { 1803 plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n"); 1804 return; 1805 } 1806 1807 addr = (in_addr_t *)(attr + 1); 1808 ip->s_addr = *addr; 1809 (*num)++; 1810 1811 return; 1812 } 1813 1814 static void 1815 isakmp_cfg_getstring(attr, str) 1816 struct isakmp_data *attr; 1817 char *str; 1818 { 1819 size_t alen = ntohs(attr->lorv); 1820 char *src; 1821 src = (char *)(attr + 1); 1822 1823 memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen)); 1824 1825 return; 1826 } 1827 1828 #define IP_MAX 40 1829 1830 void 1831 isakmp_cfg_iplist_to_str(dest, count, addr, withmask) 1832 char *dest; 1833 int count; 1834 void *addr; 1835 int withmask; 1836 { 1837 int i; 1838 int p; 1839 int l; 1840 struct unity_network tmp; 1841 for(i = 0, p = 0; i < count; i++) { 1842 if(withmask == 1) 1843 l = sizeof(struct unity_network); 1844 else 1845 l = sizeof(struct in_addr); 1846 memcpy(&tmp, addr, l); 1847 addr += l; 1848 if((uint32_t)tmp.addr4.s_addr == 0) 1849 break; 1850 1851 inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX); 1852 p += strlen(dest + p); 1853 if(withmask == 1) { 1854 dest[p] = '/'; 1855 p++; 1856 inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX); 1857 p += strlen(dest + p); 1858 } 1859 dest[p] = ' '; 1860 p++; 1861 } 1862 if(p > 0) 1863 dest[p-1] = '\0'; 1864 else 1865 dest[0] = '\0'; 1866 } 1867 1868 int 1869 isakmp_cfg_setenv(iph1, envp, envc) 1870 struct ph1handle *iph1; 1871 char ***envp; 1872 int *envc; 1873 { 1874 char addrstr[IP_MAX]; 1875 char addrlist[IP_MAX * MAXNS + MAXNS]; 1876 char *splitlist = addrlist; 1877 char *splitlist_cidr; 1878 char defdom[MAXPATHLEN + 1]; 1879 int cidr, tmp; 1880 char cidrstr[4]; 1881 int i, p; 1882 int test; 1883 1884 plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); 1885 1886 /* 1887 * Internal IPv4 address, either if 1888 * we are a client or a server. 1889 */ 1890 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || 1891 #ifdef HAVE_LIBLDAP 1892 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 1893 #endif 1894 #ifdef HAVE_LIBRADIUS 1895 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 1896 #endif 1897 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { 1898 inet_ntop(AF_INET, &iph1->mode_cfg->addr4, 1899 addrstr, IP_MAX); 1900 } else 1901 addrstr[0] = '\0'; 1902 1903 if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) { 1904 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n"); 1905 return -1; 1906 } 1907 1908 if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) { 1909 if (script_env_append(envp, envc, "XAUTH_USER", 1910 iph1->mode_cfg->xauth.authdata.generic.usr) != 0) { 1911 plog(LLV_ERROR, LOCATION, NULL, 1912 "Cannot set XAUTH_USER\n"); 1913 return -1; 1914 } 1915 } 1916 1917 /* Internal IPv4 mask */ 1918 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) 1919 inet_ntop(AF_INET, &iph1->mode_cfg->mask4, 1920 addrstr, IP_MAX); 1921 else 1922 addrstr[0] = '\0'; 1923 1924 /* 1925 * During several releases, documentation adverised INTERNAL_NETMASK4 1926 * while code was using INTERNAL_MASK4. We now do both. 1927 */ 1928 1929 if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { 1930 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n"); 1931 return -1; 1932 } 1933 1934 if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { 1935 plog(LLV_ERROR, LOCATION, NULL, 1936 "Cannot set INTERNAL_NETMASK4\n"); 1937 return -1; 1938 } 1939 1940 tmp = ntohl(iph1->mode_cfg->mask4.s_addr); 1941 for (cidr = 0; tmp != 0; cidr++) 1942 tmp <<= 1; 1943 snprintf(cidrstr, 3, "%d", cidr); 1944 1945 if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) { 1946 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n"); 1947 return -1; 1948 } 1949 1950 /* Internal IPv4 DNS */ 1951 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) { 1952 /* First Internal IPv4 DNS (for compatibilty with older code */ 1953 inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], 1954 addrstr, IP_MAX); 1955 1956 /* Internal IPv4 DNS - all */ 1957 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index, 1958 (void *)iph1->mode_cfg->dns4, 0); 1959 } else { 1960 addrstr[0] = '\0'; 1961 addrlist[0] = '\0'; 1962 } 1963 1964 if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { 1965 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n"); 1966 return -1; 1967 } 1968 if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) { 1969 plog(LLV_ERROR, LOCATION, NULL, 1970 "Cannot set INTERNAL_DNS4_LIST\n"); 1971 return -1; 1972 } 1973 1974 /* Internal IPv4 WINS */ 1975 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) { 1976 /* 1977 * First Internal IPv4 WINS 1978 * (for compatibilty with older code 1979 */ 1980 inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], 1981 addrstr, IP_MAX); 1982 1983 /* Internal IPv4 WINS - all */ 1984 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index, 1985 (void *)iph1->mode_cfg->wins4, 0); 1986 } else { 1987 addrstr[0] = '\0'; 1988 addrlist[0] = '\0'; 1989 } 1990 1991 if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { 1992 plog(LLV_ERROR, LOCATION, NULL, 1993 "Cannot set INTERNAL_WINS4\n"); 1994 return -1; 1995 } 1996 if (script_env_append(envp, envc, 1997 "INTERNAL_WINS4_LIST", addrlist) != 0) { 1998 plog(LLV_ERROR, LOCATION, NULL, 1999 "Cannot set INTERNAL_WINS4_LIST\n"); 2000 return -1; 2001 } 2002 2003 /* Deault domain */ 2004 if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) 2005 strncpy(defdom, 2006 iph1->mode_cfg->default_domain, 2007 MAXPATHLEN + 1); 2008 else 2009 defdom[0] = '\0'; 2010 2011 if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { 2012 plog(LLV_ERROR, LOCATION, NULL, 2013 "Cannot set DEFAULT_DOMAIN\n"); 2014 return -1; 2015 } 2016 2017 /* Split networks */ 2018 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) { 2019 splitlist = 2020 splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK); 2021 splitlist_cidr = 2022 splitnet_list_2str(iph1->mode_cfg->split_include, CIDR); 2023 } else { 2024 splitlist = addrlist; 2025 splitlist_cidr = addrlist; 2026 addrlist[0] = '\0'; 2027 } 2028 2029 if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) { 2030 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n"); 2031 return -1; 2032 } 2033 if (script_env_append(envp, envc, 2034 "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) { 2035 plog(LLV_ERROR, LOCATION, NULL, 2036 "Cannot set SPLIT_INCLUDE_CIDR\n"); 2037 return -1; 2038 } 2039 if (splitlist != addrlist) 2040 racoon_free(splitlist); 2041 if (splitlist_cidr != addrlist) 2042 racoon_free(splitlist_cidr); 2043 2044 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) { 2045 splitlist = 2046 splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK); 2047 splitlist_cidr = 2048 splitnet_list_2str(iph1->mode_cfg->split_local, CIDR); 2049 } else { 2050 splitlist = addrlist; 2051 splitlist_cidr = addrlist; 2052 addrlist[0] = '\0'; 2053 } 2054 2055 if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) { 2056 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n"); 2057 return -1; 2058 } 2059 if (script_env_append(envp, envc, 2060 "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) { 2061 plog(LLV_ERROR, LOCATION, NULL, 2062 "Cannot set SPLIT_LOCAL_CIDR\n"); 2063 return -1; 2064 } 2065 if (splitlist != addrlist) 2066 racoon_free(splitlist); 2067 if (splitlist_cidr != addrlist) 2068 racoon_free(splitlist_cidr); 2069 2070 return 0; 2071 } 2072 2073 int 2074 isakmp_cfg_resize_pool(size) 2075 int size; 2076 { 2077 struct isakmp_cfg_port *new_pool; 2078 size_t len; 2079 int i; 2080 2081 if (size == isakmp_cfg_config.pool_size) 2082 return 0; 2083 2084 plog(LLV_INFO, LOCATION, NULL, 2085 "Resize address pool from %zu to %d\n", 2086 isakmp_cfg_config.pool_size, size); 2087 2088 /* If a pool already exists, check if we can shrink it */ 2089 if ((isakmp_cfg_config.port_pool != NULL) && 2090 (size < isakmp_cfg_config.pool_size)) { 2091 for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) { 2092 if (isakmp_cfg_config.port_pool[i].used) { 2093 plog(LLV_ERROR, LOCATION, NULL, 2094 "resize pool from %zu to %d impossible " 2095 "port %d is in use\n", 2096 isakmp_cfg_config.pool_size, size, i); 2097 size = i; 2098 break; 2099 } 2100 } 2101 } 2102 2103 len = size * sizeof(*isakmp_cfg_config.port_pool); 2104 new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len); 2105 if (new_pool == NULL) { 2106 plog(LLV_ERROR, LOCATION, NULL, 2107 "resize pool from %zu to %d impossible: %s", 2108 isakmp_cfg_config.pool_size, size, strerror(errno)); 2109 return -1; 2110 } 2111 2112 /* If size increase, intialize correctly the new records */ 2113 if (size > isakmp_cfg_config.pool_size) { 2114 size_t unit; 2115 size_t old_size; 2116 2117 unit = sizeof(*isakmp_cfg_config.port_pool); 2118 old_size = isakmp_cfg_config.pool_size; 2119 2120 bzero((char *)new_pool + (old_size * unit), 2121 (size - old_size) * unit); 2122 } 2123 2124 isakmp_cfg_config.port_pool = new_pool; 2125 isakmp_cfg_config.pool_size = size; 2126 2127 return 0; 2128 } 2129 2130 int 2131 isakmp_cfg_init(cold) 2132 int cold; 2133 { 2134 int i; 2135 int error; 2136 2137 isakmp_cfg_config.network4 = (in_addr_t)0x00000000; 2138 isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000; 2139 for (i = 0; i < MAXNS; i++) 2140 isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000; 2141 isakmp_cfg_config.dns4_index = 0; 2142 for (i = 0; i < MAXWINS; i++) 2143 isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000; 2144 isakmp_cfg_config.nbns4_index = 0; 2145 if (cold == ISAKMP_CFG_INIT_COLD) 2146 isakmp_cfg_config.port_pool = NULL; 2147 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 2148 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 2149 if (cold == ISAKMP_CFG_INIT_COLD) { 2150 if (isakmp_cfg_config.grouplist != NULL) { 2151 for (i = 0; i < isakmp_cfg_config.groupcount; i++) 2152 racoon_free(isakmp_cfg_config.grouplist[i]); 2153 racoon_free(isakmp_cfg_config.grouplist); 2154 } 2155 } 2156 isakmp_cfg_config.grouplist = NULL; 2157 isakmp_cfg_config.groupcount = 0; 2158 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 2159 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 2160 if (cold == ISAKMP_CFG_INIT_COLD) 2161 isakmp_cfg_config.pool_size = 0; 2162 isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY; 2163 strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN, 2164 MAXPATHLEN); 2165 strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN); 2166 2167 if (cold != ISAKMP_CFG_INIT_COLD ) 2168 if (isakmp_cfg_config.splitnet_list != NULL) 2169 splitnet_list_free(isakmp_cfg_config.splitnet_list, 2170 &isakmp_cfg_config.splitnet_count); 2171 isakmp_cfg_config.splitnet_list = NULL; 2172 isakmp_cfg_config.splitnet_count = 0; 2173 isakmp_cfg_config.splitnet_type = 0; 2174 2175 isakmp_cfg_config.pfs_group = 0; 2176 isakmp_cfg_config.save_passwd = 0; 2177 2178 if (cold != ISAKMP_CFG_INIT_COLD ) 2179 if (isakmp_cfg_config.splitdns_list != NULL) 2180 racoon_free(isakmp_cfg_config.splitdns_list); 2181 isakmp_cfg_config.splitdns_list = NULL; 2182 isakmp_cfg_config.splitdns_len = 0; 2183 2184 #if 0 2185 if (cold == ISAKMP_CFG_INIT_COLD) { 2186 if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0) 2187 return error; 2188 } 2189 #endif 2190 2191 return 0; 2192 } 2193 2194