1 /* $NetBSD: isakmp_cfg.c,v 1.22 2009/07/03 06:41:46 tteras Exp $ */ 2 3 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2006 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <utmp.h> 42 #if defined(__APPLE__) && defined(__MACH__) 43 #include <util.h> 44 #endif 45 46 #ifdef __FreeBSD__ 47 # include <libutil.h> 48 #endif 49 #ifdef __NetBSD__ 50 # include <util.h> 51 #endif 52 53 #include <netinet/in.h> 54 #include <arpa/inet.h> 55 56 #include <stdlib.h> 57 #include <stdio.h> 58 #include <string.h> 59 #include <errno.h> 60 #if TIME_WITH_SYS_TIME 61 # include <sys/time.h> 62 # include <time.h> 63 #else 64 # if HAVE_SYS_TIME_H 65 # include <sys/time.h> 66 # else 67 # include <time.h> 68 # endif 69 #endif 70 #include <netdb.h> 71 #ifdef HAVE_UNISTD_H 72 #include <unistd.h> 73 #endif 74 #if HAVE_STDINT_H 75 #include <stdint.h> 76 #endif 77 #include <ctype.h> 78 #include <resolv.h> 79 80 #ifdef HAVE_LIBRADIUS 81 #include <sys/utsname.h> 82 #include <radlib.h> 83 #endif 84 85 #include "var.h" 86 #include "misc.h" 87 #include "vmbuf.h" 88 #include "plog.h" 89 #include "sockmisc.h" 90 #include "schedule.h" 91 #include "debug.h" 92 93 #include "isakmp_var.h" 94 #include "isakmp.h" 95 #include "handler.h" 96 #include "evt.h" 97 #include "throttle.h" 98 #include "remoteconf.h" 99 #include "crypto_openssl.h" 100 #include "isakmp_inf.h" 101 #include "isakmp_xauth.h" 102 #include "isakmp_unity.h" 103 #include "isakmp_cfg.h" 104 #include "strnames.h" 105 #include "admin.h" 106 #include "privsep.h" 107 108 struct isakmp_cfg_config isakmp_cfg_config; 109 110 static vchar_t *buffer_cat(vchar_t *s, vchar_t *append); 111 static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *); 112 #if 0 113 static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *); 114 #endif 115 static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 116 struct isakmp_data *, in_addr_t *); 117 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *); 118 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *, 119 struct isakmp_data *, in_addr_t *, int); 120 static void isakmp_cfg_appendaddr4(struct isakmp_data *, 121 struct in_addr *, int *, int); 122 static void isakmp_cfg_getstring(struct isakmp_data *,char *); 123 void isakmp_cfg_iplist_to_str(char *, int, void *, int); 124 125 #define ISAKMP_CFG_LOGIN 1 126 #define ISAKMP_CFG_LOGOUT 2 127 static int isakmp_cfg_accounting(struct ph1handle *, int); 128 #ifdef HAVE_LIBRADIUS 129 static int isakmp_cfg_accounting_radius(struct ph1handle *, int); 130 #endif 131 132 /* 133 * Handle an ISAKMP config mode packet 134 * We expect HDR, HASH, ATTR 135 */ 136 void 137 isakmp_cfg_r(iph1, msg) 138 struct ph1handle *iph1; 139 vchar_t *msg; 140 { 141 struct isakmp *packet; 142 struct isakmp_gen *ph; 143 int tlen; 144 char *npp; 145 int np; 146 vchar_t *dmsg; 147 struct isakmp_ivm *ivm; 148 149 /* Check that the packet is long enough to have a header */ 150 if (msg->l < sizeof(*packet)) { 151 plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n"); 152 return; 153 } 154 155 packet = (struct isakmp *)msg->v; 156 157 /* Is it encrypted? It should be encrypted */ 158 if ((packet->flags & ISAKMP_FLAG_E) == 0) { 159 plog(LLV_ERROR, LOCATION, NULL, 160 "User credentials sent in cleartext!\n"); 161 return; 162 } 163 164 /* 165 * Decrypt the packet. If this is the beginning of a new 166 * exchange, reinitialize the IV 167 */ 168 if (iph1->mode_cfg->ivm == NULL || 169 iph1->mode_cfg->last_msgid != packet->msgid ) 170 iph1->mode_cfg->ivm = 171 isakmp_cfg_newiv(iph1, packet->msgid); 172 ivm = iph1->mode_cfg->ivm; 173 174 dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive); 175 if (dmsg == NULL) { 176 plog(LLV_ERROR, LOCATION, NULL, 177 "failed to decrypt message\n"); 178 return; 179 } 180 181 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n"); 182 plogdump(LLV_DEBUG, dmsg->v, dmsg->l); 183 184 /* Now work with the decrypted packet */ 185 packet = (struct isakmp *)dmsg->v; 186 tlen = dmsg->l - sizeof(*packet); 187 ph = (struct isakmp_gen *)(packet + 1); 188 189 np = packet->np; 190 while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) { 191 /* Check that the payload header fits in the packet */ 192 if (tlen < sizeof(*ph)) { 193 plog(LLV_WARNING, LOCATION, NULL, 194 "Short payload header\n"); 195 goto out; 196 } 197 198 /* Check that the payload fits in the packet */ 199 if (tlen < ntohs(ph->len)) { 200 plog(LLV_WARNING, LOCATION, NULL, 201 "Short payload\n"); 202 goto out; 203 } 204 205 plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np); 206 plogdump(LLV_DEBUG, ph, ntohs(ph->len)); 207 208 switch(np) { 209 case ISAKMP_NPTYPE_HASH: { 210 vchar_t *check; 211 vchar_t *payload; 212 size_t plen; 213 struct isakmp_gen *nph; 214 215 plen = ntohs(ph->len); 216 nph = (struct isakmp_gen *)((char *)ph + plen); 217 plen = ntohs(nph->len); 218 219 if ((payload = vmalloc(plen)) == NULL) { 220 plog(LLV_ERROR, LOCATION, NULL, 221 "Cannot allocate memory\n"); 222 goto out; 223 } 224 memcpy(payload->v, nph, plen); 225 226 if ((check = oakley_compute_hash1(iph1, 227 packet->msgid, payload)) == NULL) { 228 plog(LLV_ERROR, LOCATION, NULL, 229 "Cannot compute hash\n"); 230 vfree(payload); 231 goto out; 232 } 233 234 if (memcmp(ph + 1, check->v, check->l) != 0) { 235 plog(LLV_ERROR, LOCATION, NULL, 236 "Hash verification failed\n"); 237 vfree(payload); 238 vfree(check); 239 goto out; 240 } 241 vfree(payload); 242 vfree(check); 243 break; 244 } 245 case ISAKMP_NPTYPE_ATTR: { 246 struct isakmp_pl_attr *attrpl; 247 248 attrpl = (struct isakmp_pl_attr *)ph; 249 isakmp_cfg_attr_r(iph1, packet->msgid, attrpl); 250 251 break; 252 } 253 default: 254 plog(LLV_WARNING, LOCATION, NULL, 255 "Unexpected next payload %d\n", np); 256 /* Skip to the next payload */ 257 break; 258 } 259 260 /* Move to the next payload */ 261 np = ph->np; 262 tlen -= ntohs(ph->len); 263 npp = (char *)ph; 264 ph = (struct isakmp_gen *)(npp + ntohs(ph->len)); 265 } 266 267 out: 268 vfree(dmsg); 269 } 270 271 int 272 isakmp_cfg_attr_r(iph1, msgid, attrpl) 273 struct ph1handle *iph1; 274 u_int32_t msgid; 275 struct isakmp_pl_attr *attrpl; 276 { 277 int type = attrpl->type; 278 279 plog(LLV_DEBUG, LOCATION, NULL, 280 "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); 281 switch (type) { 282 case ISAKMP_CFG_ACK: 283 /* ignore, but this is the time to reinit the IV */ 284 oakley_delivm(iph1->mode_cfg->ivm); 285 iph1->mode_cfg->ivm = NULL; 286 return 0; 287 break; 288 289 case ISAKMP_CFG_REPLY: 290 return isakmp_cfg_reply(iph1, attrpl); 291 break; 292 293 case ISAKMP_CFG_REQUEST: 294 iph1->msgid = msgid; 295 return isakmp_cfg_request(iph1, attrpl); 296 break; 297 298 case ISAKMP_CFG_SET: 299 iph1->msgid = msgid; 300 return isakmp_cfg_set(iph1, attrpl); 301 break; 302 303 default: 304 plog(LLV_WARNING, LOCATION, NULL, 305 "Unepected configuration exchange type %d\n", type); 306 return -1; 307 break; 308 } 309 310 return 0; 311 } 312 313 int 314 isakmp_cfg_reply(iph1, attrpl) 315 struct ph1handle *iph1; 316 struct isakmp_pl_attr *attrpl; 317 { 318 struct isakmp_data *attr; 319 int tlen; 320 size_t alen; 321 char *npp; 322 int type; 323 struct sockaddr_in *sin; 324 int error; 325 326 tlen = ntohs(attrpl->h.len); 327 attr = (struct isakmp_data *)(attrpl + 1); 328 tlen -= sizeof(*attrpl); 329 330 while (tlen > 0) { 331 type = ntohs(attr->type); 332 333 /* Handle short attributes */ 334 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 335 type &= ~ISAKMP_GEN_MASK; 336 337 plog(LLV_DEBUG, LOCATION, NULL, 338 "Short attribute %s = %d\n", 339 s_isakmp_cfg_type(type), ntohs(attr->lorv)); 340 341 switch (type) { 342 case XAUTH_TYPE: 343 if ((error = xauth_attr_reply(iph1, 344 attr, ntohs(attrpl->id))) != 0) 345 return error; 346 break; 347 348 default: 349 plog(LLV_WARNING, LOCATION, NULL, 350 "Ignored short attribute %s\n", 351 s_isakmp_cfg_type(type)); 352 break; 353 } 354 355 tlen -= sizeof(*attr); 356 attr++; 357 continue; 358 } 359 360 type = ntohs(attr->type); 361 alen = ntohs(attr->lorv); 362 363 /* Check that the attribute fit in the packet */ 364 if (tlen < alen) { 365 plog(LLV_ERROR, LOCATION, NULL, 366 "Short attribute %s\n", 367 s_isakmp_cfg_type(type)); 368 return -1; 369 } 370 371 plog(LLV_DEBUG, LOCATION, NULL, 372 "Attribute %s, len %zu\n", 373 s_isakmp_cfg_type(type), alen); 374 375 switch(type) { 376 case XAUTH_TYPE: 377 case XAUTH_USER_NAME: 378 case XAUTH_USER_PASSWORD: 379 case XAUTH_PASSCODE: 380 case XAUTH_MESSAGE: 381 case XAUTH_CHALLENGE: 382 case XAUTH_DOMAIN: 383 case XAUTH_STATUS: 384 case XAUTH_NEXT_PIN: 385 case XAUTH_ANSWER: 386 if ((error = xauth_attr_reply(iph1, 387 attr, ntohs(attrpl->id))) != 0) 388 return error; 389 break; 390 case INTERNAL_IP4_ADDRESS: 391 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4); 392 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4; 393 break; 394 case INTERNAL_IP4_NETMASK: 395 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4); 396 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4; 397 break; 398 case INTERNAL_IP4_DNS: 399 isakmp_cfg_appendaddr4(attr, 400 &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index], 401 &iph1->mode_cfg->dns4_index, MAXNS); 402 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4; 403 break; 404 case INTERNAL_IP4_NBNS: 405 isakmp_cfg_appendaddr4(attr, 406 &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index], 407 &iph1->mode_cfg->wins4_index, MAXNS); 408 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4; 409 break; 410 case UNITY_DEF_DOMAIN: 411 isakmp_cfg_getstring(attr, 412 iph1->mode_cfg->default_domain); 413 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN; 414 break; 415 case UNITY_SPLIT_INCLUDE: 416 case UNITY_LOCAL_LAN: 417 case UNITY_SPLITDNS_NAME: 418 case UNITY_BANNER: 419 case UNITY_SAVE_PASSWD: 420 case UNITY_NATT_PORT: 421 case UNITY_PFS: 422 case UNITY_FW_TYPE: 423 case UNITY_BACKUP_SERVERS: 424 case UNITY_DDNS_HOSTNAME: 425 isakmp_unity_reply(iph1, attr); 426 break; 427 case INTERNAL_IP4_SUBNET: 428 case INTERNAL_ADDRESS_EXPIRY: 429 default: 430 plog(LLV_WARNING, LOCATION, NULL, 431 "Ignored attribute %s\n", 432 s_isakmp_cfg_type(type)); 433 break; 434 } 435 436 npp = (char *)attr; 437 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); 438 tlen -= (sizeof(*attr) + alen); 439 } 440 441 /* 442 * Call the SA up script hook now that we have the configuration 443 * It is done at the end of phase 1 if ISAKMP mode config is not 444 * requested. 445 */ 446 447 if ((iph1->status == PHASE1ST_ESTABLISHED) && 448 iph1->rmconf->mode_cfg) { 449 switch (iph1->approval->authmethod) { 450 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 451 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 452 /* Unimplemented */ 453 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 454 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 455 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 456 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 457 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 458 script_hook(iph1, SCRIPT_PHASE1_UP); 459 break; 460 default: 461 break; 462 } 463 } 464 465 466 #ifdef ENABLE_ADMINPORT 467 { 468 vchar_t *buf; 469 470 alen = ntohs(attrpl->h.len) - sizeof(*attrpl); 471 if ((buf = vmalloc(alen)) == NULL) { 472 plog(LLV_WARNING, LOCATION, NULL, 473 "Cannot allocate memory: %s\n", strerror(errno)); 474 } else { 475 memcpy(buf->v, attrpl + 1, buf->l); 476 evt_phase1(iph1, EVT_PHASE1_MODE_CFG, buf); 477 vfree(buf); 478 } 479 } 480 #endif 481 482 return 0; 483 } 484 485 int 486 isakmp_cfg_request(iph1, attrpl) 487 struct ph1handle *iph1; 488 struct isakmp_pl_attr *attrpl; 489 { 490 struct isakmp_data *attr; 491 int tlen; 492 size_t alen; 493 char *npp; 494 vchar_t *payload; 495 struct isakmp_pl_attr *reply; 496 vchar_t *reply_attr; 497 int type; 498 int error = -1; 499 500 if ((payload = vmalloc(sizeof(*reply))) == NULL) { 501 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 502 return -1; 503 } 504 memset(payload->v, 0, sizeof(*reply)); 505 506 tlen = ntohs(attrpl->h.len); 507 attr = (struct isakmp_data *)(attrpl + 1); 508 tlen -= sizeof(*attrpl); 509 510 while (tlen > 0) { 511 reply_attr = NULL; 512 type = ntohs(attr->type); 513 514 /* Handle short attributes */ 515 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 516 type &= ~ISAKMP_GEN_MASK; 517 518 plog(LLV_DEBUG, LOCATION, NULL, 519 "Short attribute %s = %d\n", 520 s_isakmp_cfg_type(type), ntohs(attr->lorv)); 521 522 switch (type) { 523 case XAUTH_TYPE: 524 reply_attr = isakmp_xauth_req(iph1, attr); 525 break; 526 default: 527 plog(LLV_WARNING, LOCATION, NULL, 528 "Ignored short attribute %s\n", 529 s_isakmp_cfg_type(type)); 530 break; 531 } 532 533 tlen -= sizeof(*attr); 534 attr++; 535 536 if (reply_attr != NULL) { 537 payload = buffer_cat(payload, reply_attr); 538 vfree(reply_attr); 539 } 540 541 continue; 542 } 543 544 type = ntohs(attr->type); 545 alen = ntohs(attr->lorv); 546 547 /* Check that the attribute fit in the packet */ 548 if (tlen < alen) { 549 plog(LLV_ERROR, LOCATION, NULL, 550 "Short attribute %s\n", 551 s_isakmp_cfg_type(type)); 552 goto end; 553 } 554 555 plog(LLV_DEBUG, LOCATION, NULL, 556 "Attribute %s, len %zu\n", 557 s_isakmp_cfg_type(type), alen); 558 559 switch(type) { 560 case INTERNAL_IP4_ADDRESS: 561 case INTERNAL_IP4_NETMASK: 562 case INTERNAL_IP4_DNS: 563 case INTERNAL_IP4_NBNS: 564 case INTERNAL_IP4_SUBNET: 565 reply_attr = isakmp_cfg_net(iph1, attr); 566 break; 567 568 case XAUTH_TYPE: 569 case XAUTH_USER_NAME: 570 case XAUTH_USER_PASSWORD: 571 case XAUTH_PASSCODE: 572 case XAUTH_MESSAGE: 573 case XAUTH_CHALLENGE: 574 case XAUTH_DOMAIN: 575 case XAUTH_STATUS: 576 case XAUTH_NEXT_PIN: 577 case XAUTH_ANSWER: 578 reply_attr = isakmp_xauth_req(iph1, attr); 579 break; 580 581 case APPLICATION_VERSION: 582 reply_attr = isakmp_cfg_string(iph1, 583 attr, ISAKMP_CFG_RACOON_VERSION); 584 break; 585 586 case UNITY_BANNER: 587 case UNITY_PFS: 588 case UNITY_SAVE_PASSWD: 589 case UNITY_DEF_DOMAIN: 590 case UNITY_DDNS_HOSTNAME: 591 case UNITY_FW_TYPE: 592 case UNITY_SPLITDNS_NAME: 593 case UNITY_SPLIT_INCLUDE: 594 case UNITY_LOCAL_LAN: 595 case UNITY_NATT_PORT: 596 case UNITY_BACKUP_SERVERS: 597 reply_attr = isakmp_unity_req(iph1, attr); 598 break; 599 600 case INTERNAL_ADDRESS_EXPIRY: 601 default: 602 plog(LLV_WARNING, LOCATION, NULL, 603 "Ignored attribute %s\n", 604 s_isakmp_cfg_type(type)); 605 break; 606 } 607 608 npp = (char *)attr; 609 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen); 610 tlen -= (sizeof(*attr) + alen); 611 612 if (reply_attr != NULL) { 613 payload = buffer_cat(payload, reply_attr); 614 vfree(reply_attr); 615 } 616 617 } 618 619 reply = (struct isakmp_pl_attr *)payload->v; 620 reply->h.len = htons(payload->l); 621 reply->type = ISAKMP_CFG_REPLY; 622 reply->id = attrpl->id; 623 624 plog(LLV_DEBUG, LOCATION, NULL, 625 "Sending MODE_CFG REPLY\n"); 626 627 error = isakmp_cfg_send(iph1, payload, 628 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); 629 630 if (iph1->status == PHASE1ST_ESTABLISHED) { 631 switch (iph1->approval->authmethod) { 632 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 633 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 634 /* Unimplemented */ 635 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 636 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 637 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 638 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 640 script_hook(iph1, SCRIPT_PHASE1_UP); 641 break; 642 default: 643 break; 644 } 645 } 646 647 end: 648 vfree(payload); 649 650 return error; 651 } 652 653 int 654 isakmp_cfg_set(iph1, attrpl) 655 struct ph1handle *iph1; 656 struct isakmp_pl_attr *attrpl; 657 { 658 struct isakmp_data *attr; 659 int tlen; 660 size_t alen; 661 char *npp; 662 vchar_t *payload; 663 struct isakmp_pl_attr *reply; 664 vchar_t *reply_attr; 665 int type; 666 int error = -1; 667 668 if ((payload = vmalloc(sizeof(*reply))) == NULL) { 669 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 670 return -1; 671 } 672 memset(payload->v, 0, sizeof(*reply)); 673 674 tlen = ntohs(attrpl->h.len); 675 attr = (struct isakmp_data *)(attrpl + 1); 676 tlen -= sizeof(*attrpl); 677 678 /* 679 * We should send ack for the attributes we accepted 680 */ 681 while (tlen > 0) { 682 reply_attr = NULL; 683 type = ntohs(attr->type); 684 685 plog(LLV_DEBUG, LOCATION, NULL, 686 "Attribute %s\n", 687 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); 688 689 switch (type & ~ISAKMP_GEN_MASK) { 690 case XAUTH_STATUS: 691 reply_attr = isakmp_xauth_set(iph1, attr); 692 break; 693 default: 694 plog(LLV_DEBUG, LOCATION, NULL, 695 "Unexpected SET attribute %s\n", 696 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); 697 break; 698 } 699 700 if (reply_attr != NULL) { 701 payload = buffer_cat(payload, reply_attr); 702 vfree(reply_attr); 703 } 704 705 /* 706 * Move to next attribute. If we run out of the packet, 707 * tlen becomes negative and we exit. 708 */ 709 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) { 710 tlen -= sizeof(*attr); 711 attr++; 712 } else { 713 alen = ntohs(attr->lorv); 714 tlen -= (sizeof(*attr) + alen); 715 npp = (char *)attr; 716 attr = (struct isakmp_data *) 717 (npp + sizeof(*attr) + alen); 718 } 719 } 720 721 reply = (struct isakmp_pl_attr *)payload->v; 722 reply->h.len = htons(payload->l); 723 reply->type = ISAKMP_CFG_ACK; 724 reply->id = attrpl->id; 725 726 plog(LLV_DEBUG, LOCATION, NULL, 727 "Sending MODE_CFG ACK\n"); 728 729 error = isakmp_cfg_send(iph1, payload, 730 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0); 731 732 if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) { 733 if (iph1->status == PHASE1ST_ESTABLISHED || 734 iph1->status == PHASE1ST_DYING) 735 isakmp_info_send_d1(iph1); 736 remph1(iph1); 737 delph1(iph1); 738 iph1 = NULL; 739 } 740 end: 741 vfree(payload); 742 743 /* 744 * If required, request ISAKMP mode config information 745 */ 746 if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0)) 747 error = isakmp_cfg_getconfig(iph1); 748 749 return error; 750 } 751 752 753 static vchar_t * 754 buffer_cat(s, append) 755 vchar_t *s; 756 vchar_t *append; 757 { 758 vchar_t *new; 759 760 new = vmalloc(s->l + append->l); 761 if (new == NULL) { 762 plog(LLV_ERROR, LOCATION, NULL, 763 "Cannot allocate memory\n"); 764 return s; 765 } 766 767 memcpy(new->v, s->v, s->l); 768 memcpy(new->v + s->l, append->v, append->l); 769 770 vfree(s); 771 return new; 772 } 773 774 static vchar_t * 775 isakmp_cfg_net(iph1, attr) 776 struct ph1handle *iph1; 777 struct isakmp_data *attr; 778 { 779 int type; 780 int confsource; 781 in_addr_t addr4; 782 783 type = ntohs(attr->type); 784 785 /* 786 * Don't give an address to a peer that did not succeed Xauth 787 */ 788 if (xauth_check(iph1) != 0) { 789 plog(LLV_ERROR, LOCATION, NULL, 790 "Attempt to start phase config whereas Xauth failed\n"); 791 return NULL; 792 } 793 794 confsource = isakmp_cfg_config.confsource; 795 /* 796 * If we have to fall back to a local 797 * configuration source, we will jump 798 * back to this point. 799 */ 800 retry_source: 801 802 switch(type) { 803 case INTERNAL_IP4_ADDRESS: 804 switch(confsource) { 805 #ifdef HAVE_LIBLDAP 806 case ISAKMP_CFG_CONF_LDAP: 807 if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) 808 break; 809 plog(LLV_INFO, LOCATION, NULL, 810 "No IP from LDAP, using local pool\n"); 811 /* FALLTHROUGH */ 812 confsource = ISAKMP_CFG_CONF_LOCAL; 813 goto retry_source; 814 #endif 815 #ifdef HAVE_LIBRADIUS 816 case ISAKMP_CFG_CONF_RADIUS: 817 if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) 818 && (iph1->mode_cfg->addr4.s_addr != htonl(-2))) 819 /* 820 * -2 is 255.255.255.254, RADIUS uses that 821 * to instruct the NAS to use a local pool 822 */ 823 break; 824 plog(LLV_INFO, LOCATION, NULL, 825 "No IP from RADIUS, using local pool\n"); 826 /* FALLTHROUGH */ 827 confsource = ISAKMP_CFG_CONF_LOCAL; 828 goto retry_source; 829 #endif 830 case ISAKMP_CFG_CONF_LOCAL: 831 if (isakmp_cfg_getport(iph1) == -1) { 832 plog(LLV_ERROR, LOCATION, NULL, 833 "Port pool depleted\n"); 834 break; 835 } 836 837 iph1->mode_cfg->addr4.s_addr = 838 htonl(ntohl(isakmp_cfg_config.network4) 839 + iph1->mode_cfg->port); 840 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL; 841 break; 842 843 default: 844 plog(LLV_ERROR, LOCATION, NULL, 845 "Unexpected confsource\n"); 846 } 847 848 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0) 849 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); 850 851 return isakmp_cfg_addr4(iph1, 852 attr, &iph1->mode_cfg->addr4.s_addr); 853 break; 854 855 case INTERNAL_IP4_NETMASK: 856 switch(confsource) { 857 #ifdef HAVE_LIBLDAP 858 case ISAKMP_CFG_CONF_LDAP: 859 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) 860 break; 861 plog(LLV_INFO, LOCATION, NULL, 862 "No mask from LDAP, using local pool\n"); 863 /* FALLTHROUGH */ 864 confsource = ISAKMP_CFG_CONF_LOCAL; 865 goto retry_source; 866 #endif 867 #ifdef HAVE_LIBRADIUS 868 case ISAKMP_CFG_CONF_RADIUS: 869 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN) 870 break; 871 plog(LLV_INFO, LOCATION, NULL, 872 "No mask from RADIUS, using local pool\n"); 873 /* FALLTHROUGH */ 874 confsource = ISAKMP_CFG_CONF_LOCAL; 875 goto retry_source; 876 #endif 877 case ISAKMP_CFG_CONF_LOCAL: 878 iph1->mode_cfg->mask4.s_addr 879 = isakmp_cfg_config.netmask4; 880 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL; 881 break; 882 883 default: 884 plog(LLV_ERROR, LOCATION, NULL, 885 "Unexpected confsource\n"); 886 } 887 return isakmp_cfg_addr4(iph1, attr, 888 &iph1->mode_cfg->mask4.s_addr); 889 break; 890 891 case INTERNAL_IP4_DNS: 892 return isakmp_cfg_addr4_list(iph1, 893 attr, &isakmp_cfg_config.dns4[0], 894 isakmp_cfg_config.dns4_index); 895 break; 896 897 case INTERNAL_IP4_NBNS: 898 return isakmp_cfg_addr4_list(iph1, 899 attr, &isakmp_cfg_config.nbns4[0], 900 isakmp_cfg_config.nbns4_index); 901 break; 902 903 case INTERNAL_IP4_SUBNET: 904 return isakmp_cfg_addr4(iph1, 905 attr, &isakmp_cfg_config.network4); 906 break; 907 908 default: 909 plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type); 910 break; 911 } 912 return NULL; 913 } 914 915 #if 0 916 static vchar_t * 917 isakmp_cfg_void(iph1, attr) 918 struct ph1handle *iph1; 919 struct isakmp_data *attr; 920 { 921 vchar_t *buffer; 922 struct isakmp_data *new; 923 924 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 925 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 926 return NULL; 927 } 928 929 new = (struct isakmp_data *)buffer->v; 930 931 new->type = attr->type; 932 new->lorv = htons(0); 933 934 return buffer; 935 } 936 #endif 937 938 vchar_t * 939 isakmp_cfg_copy(iph1, attr) 940 struct ph1handle *iph1; 941 struct isakmp_data *attr; 942 { 943 vchar_t *buffer; 944 size_t len = 0; 945 946 if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV) 947 len = ntohs(attr->lorv); 948 949 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 950 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 951 return NULL; 952 } 953 954 memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv)); 955 956 return buffer; 957 } 958 959 vchar_t * 960 isakmp_cfg_short(iph1, attr, value) 961 struct ph1handle *iph1; 962 struct isakmp_data *attr; 963 int value; 964 { 965 vchar_t *buffer; 966 struct isakmp_data *new; 967 int type; 968 969 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 970 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 971 return NULL; 972 } 973 974 new = (struct isakmp_data *)buffer->v; 975 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 976 977 new->type = htons(type | ISAKMP_GEN_TV); 978 new->lorv = htons(value); 979 980 return buffer; 981 } 982 983 vchar_t * 984 isakmp_cfg_varlen(iph1, attr, string, len) 985 struct ph1handle *iph1; 986 struct isakmp_data *attr; 987 char *string; 988 size_t len; 989 { 990 vchar_t *buffer; 991 struct isakmp_data *new; 992 char *data; 993 994 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 995 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 996 return NULL; 997 } 998 999 new = (struct isakmp_data *)buffer->v; 1000 1001 new->type = attr->type; 1002 new->lorv = htons(len); 1003 data = (char *)(new + 1); 1004 1005 memcpy(data, string, len); 1006 1007 return buffer; 1008 } 1009 vchar_t * 1010 isakmp_cfg_string(iph1, attr, string) 1011 struct ph1handle *iph1; 1012 struct isakmp_data *attr; 1013 char *string; 1014 { 1015 size_t len = strlen(string); 1016 return isakmp_cfg_varlen(iph1, attr, string, len); 1017 } 1018 1019 static vchar_t * 1020 isakmp_cfg_addr4(iph1, attr, addr) 1021 struct ph1handle *iph1; 1022 struct isakmp_data *attr; 1023 in_addr_t *addr; 1024 { 1025 vchar_t *buffer; 1026 struct isakmp_data *new; 1027 size_t len; 1028 1029 len = sizeof(*addr); 1030 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) { 1031 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1032 return NULL; 1033 } 1034 1035 new = (struct isakmp_data *)buffer->v; 1036 1037 new->type = attr->type; 1038 new->lorv = htons(len); 1039 memcpy(new + 1, addr, len); 1040 1041 return buffer; 1042 } 1043 1044 static vchar_t * 1045 isakmp_cfg_addr4_list(iph1, attr, addr, nbr) 1046 struct ph1handle *iph1; 1047 struct isakmp_data *attr; 1048 in_addr_t *addr; 1049 int nbr; 1050 { 1051 int error = -1; 1052 vchar_t *buffer = NULL; 1053 vchar_t *bufone = NULL; 1054 struct isakmp_data *new; 1055 size_t len; 1056 int i; 1057 1058 len = sizeof(*addr); 1059 if ((buffer = vmalloc(0)) == NULL) { 1060 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1061 goto out; 1062 } 1063 for(i = 0; i < nbr; i++) { 1064 if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) { 1065 plog(LLV_ERROR, LOCATION, NULL, 1066 "Cannot allocate memory\n"); 1067 goto out; 1068 } 1069 new = (struct isakmp_data *)bufone->v; 1070 new->type = attr->type; 1071 new->lorv = htons(len); 1072 memcpy(new + 1, &addr[i], len); 1073 new += (len + sizeof(*attr)); 1074 buffer = buffer_cat(buffer, bufone); 1075 vfree(bufone); 1076 } 1077 1078 error = 0; 1079 1080 out: 1081 if ((error != 0) && (buffer != NULL)) { 1082 vfree(buffer); 1083 buffer = NULL; 1084 } 1085 1086 return buffer; 1087 } 1088 1089 struct isakmp_ivm * 1090 isakmp_cfg_newiv(iph1, msgid) 1091 struct ph1handle *iph1; 1092 u_int32_t msgid; 1093 { 1094 struct isakmp_cfg_state *ics = iph1->mode_cfg; 1095 1096 if (ics == NULL) { 1097 plog(LLV_ERROR, LOCATION, NULL, 1098 "isakmp_cfg_newiv called without mode config state\n"); 1099 return NULL; 1100 } 1101 1102 if (ics->ivm != NULL) 1103 oakley_delivm(ics->ivm); 1104 1105 ics->ivm = oakley_newiv2(iph1, msgid); 1106 ics->last_msgid = msgid; 1107 1108 return ics->ivm; 1109 } 1110 1111 /* Derived from isakmp_info_send_common */ 1112 int 1113 isakmp_cfg_send(iph1, payload, np, flags, new_exchange) 1114 struct ph1handle *iph1; 1115 vchar_t *payload; 1116 u_int32_t np; 1117 int flags; 1118 int new_exchange; 1119 { 1120 struct ph2handle *iph2 = NULL; 1121 vchar_t *hash = NULL; 1122 struct isakmp *isakmp; 1123 struct isakmp_gen *gen; 1124 char *p; 1125 int tlen; 1126 int error = -1; 1127 struct isakmp_cfg_state *ics = iph1->mode_cfg; 1128 1129 /* Check if phase 1 is established */ 1130 if ((iph1->status < PHASE1ST_ESTABLISHED) || 1131 (iph1->local == NULL) || 1132 (iph1->remote == NULL)) { 1133 plog(LLV_ERROR, LOCATION, NULL, 1134 "ISAKMP mode config exchange with immature phase 1\n"); 1135 goto end; 1136 } 1137 1138 /* add new entry to isakmp status table */ 1139 iph2 = newph2(); 1140 if (iph2 == NULL) 1141 goto end; 1142 1143 iph2->dst = dupsaddr(iph1->remote); 1144 if (iph2->dst == NULL) { 1145 delph2(iph2); 1146 goto end; 1147 } 1148 iph2->src = dupsaddr(iph1->local); 1149 if (iph2->src == NULL) { 1150 delph2(iph2); 1151 goto end; 1152 } 1153 1154 iph2->side = INITIATOR; 1155 iph2->status = PHASE2ST_START; 1156 1157 if (new_exchange) 1158 iph2->msgid = isakmp_newmsgid2(iph1); 1159 else 1160 iph2->msgid = iph1->msgid; 1161 1162 /* get IV and HASH(1) if skeyid_a was generated. */ 1163 if (iph1->skeyid_a != NULL) { 1164 if (new_exchange) { 1165 if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) { 1166 delph2(iph2); 1167 goto end; 1168 } 1169 } 1170 1171 /* generate HASH(1) */ 1172 hash = oakley_compute_hash1(iph1, iph2->msgid, payload); 1173 if (hash == NULL) { 1174 delph2(iph2); 1175 goto end; 1176 } 1177 1178 /* initialized total buffer length */ 1179 tlen = hash->l; 1180 tlen += sizeof(*gen); 1181 } else { 1182 /* IKE-SA is not established */ 1183 hash = NULL; 1184 1185 /* initialized total buffer length */ 1186 tlen = 0; 1187 } 1188 if ((flags & ISAKMP_FLAG_A) == 0) 1189 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E); 1190 else 1191 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A); 1192 1193 insph2(iph2); 1194 bindph12(iph1, iph2); 1195 1196 tlen += sizeof(*isakmp) + payload->l; 1197 1198 /* create buffer for isakmp payload */ 1199 iph2->sendbuf = vmalloc(tlen); 1200 if (iph2->sendbuf == NULL) { 1201 plog(LLV_ERROR, LOCATION, NULL, 1202 "failed to get buffer to send.\n"); 1203 goto err; 1204 } 1205 1206 /* create isakmp header */ 1207 isakmp = (struct isakmp *)iph2->sendbuf->v; 1208 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); 1209 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); 1210 isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH; 1211 isakmp->v = iph1->version; 1212 isakmp->etype = ISAKMP_ETYPE_CFG; 1213 isakmp->flags = iph2->flags; 1214 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); 1215 isakmp->len = htonl(tlen); 1216 p = (char *)(isakmp + 1); 1217 1218 /* create HASH payload */ 1219 if (hash != NULL) { 1220 gen = (struct isakmp_gen *)p; 1221 gen->np = np & 0xff; 1222 gen->len = htons(sizeof(*gen) + hash->l); 1223 p += sizeof(*gen); 1224 memcpy(p, hash->v, hash->l); 1225 p += hash->l; 1226 } 1227 1228 /* add payload */ 1229 memcpy(p, payload->v, payload->l); 1230 p += payload->l; 1231 1232 #ifdef HAVE_PRINT_ISAKMP_C 1233 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); 1234 #endif 1235 1236 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n"); 1237 plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); 1238 1239 /* encoding */ 1240 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { 1241 vchar_t *tmp; 1242 1243 tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, 1244 ics->ivm->ive, ics->ivm->iv); 1245 VPTRINIT(iph2->sendbuf); 1246 if (tmp == NULL) 1247 goto err; 1248 iph2->sendbuf = tmp; 1249 } 1250 1251 /* HDR*, HASH(1), ATTR */ 1252 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { 1253 VPTRINIT(iph2->sendbuf); 1254 goto err; 1255 } 1256 1257 plog(LLV_DEBUG, LOCATION, NULL, 1258 "sendto mode config %s.\n", s_isakmp_nptype(np)); 1259 1260 /* 1261 * XXX We might need to resend the message... 1262 */ 1263 1264 error = 0; 1265 VPTRINIT(iph2->sendbuf); 1266 1267 err: 1268 if (iph2->sendbuf != NULL) 1269 vfree(iph2->sendbuf); 1270 1271 remph2(iph2); 1272 delph2(iph2); 1273 end: 1274 if (hash) 1275 vfree(hash); 1276 return error; 1277 } 1278 1279 1280 void 1281 isakmp_cfg_rmstate(iph1) 1282 struct ph1handle *iph1; 1283 { 1284 struct isakmp_cfg_state *state = iph1->mode_cfg; 1285 1286 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0) 1287 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n"); 1288 1289 if (state->flags & ISAKMP_CFG_PORT_ALLOCATED) 1290 isakmp_cfg_putport(iph1, state->port); 1291 1292 /* Delete the IV if it's still there */ 1293 if(iph1->mode_cfg->ivm) { 1294 oakley_delivm(iph1->mode_cfg->ivm); 1295 iph1->mode_cfg->ivm = NULL; 1296 } 1297 1298 /* Free any allocated splitnet lists */ 1299 if(iph1->mode_cfg->split_include != NULL) 1300 splitnet_list_free(iph1->mode_cfg->split_include, 1301 &iph1->mode_cfg->include_count); 1302 if(iph1->mode_cfg->split_local != NULL) 1303 splitnet_list_free(iph1->mode_cfg->split_local, 1304 &iph1->mode_cfg->local_count); 1305 1306 xauth_rmstate(&state->xauth); 1307 1308 racoon_free(state); 1309 iph1->mode_cfg = NULL; 1310 1311 return; 1312 } 1313 1314 struct isakmp_cfg_state * 1315 isakmp_cfg_mkstate(void) 1316 { 1317 struct isakmp_cfg_state *state; 1318 1319 if ((state = racoon_malloc(sizeof(*state))) == NULL) { 1320 plog(LLV_ERROR, LOCATION, NULL, 1321 "Cannot allocate memory for mode config state\n"); 1322 return NULL; 1323 } 1324 memset(state, 0, sizeof(*state)); 1325 1326 return state; 1327 } 1328 1329 int 1330 isakmp_cfg_getport(iph1) 1331 struct ph1handle *iph1; 1332 { 1333 unsigned int i; 1334 size_t size = isakmp_cfg_config.pool_size; 1335 1336 if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED) 1337 return iph1->mode_cfg->port; 1338 1339 if (isakmp_cfg_config.port_pool == NULL) { 1340 plog(LLV_ERROR, LOCATION, NULL, 1341 "isakmp_cfg_config.port_pool == NULL\n"); 1342 return -1; 1343 } 1344 1345 for (i = 0; i < size; i++) { 1346 if (isakmp_cfg_config.port_pool[i].used == 0) 1347 break; 1348 } 1349 1350 if (i == size) { 1351 plog(LLV_ERROR, LOCATION, NULL, 1352 "No more addresses available\n"); 1353 return -1; 1354 } 1355 1356 isakmp_cfg_config.port_pool[i].used = 1; 1357 1358 plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i); 1359 1360 iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED; 1361 iph1->mode_cfg->port = i; 1362 1363 return i; 1364 } 1365 1366 int 1367 isakmp_cfg_putport(iph1, index) 1368 struct ph1handle *iph1; 1369 unsigned int index; 1370 { 1371 if (isakmp_cfg_config.port_pool == NULL) { 1372 plog(LLV_ERROR, LOCATION, NULL, 1373 "isakmp_cfg_config.port_pool == NULL\n"); 1374 return -1; 1375 } 1376 1377 if (isakmp_cfg_config.port_pool[index].used == 0) { 1378 plog(LLV_ERROR, LOCATION, NULL, 1379 "Attempt to release an unallocated address (port %d)\n", 1380 index); 1381 return -1; 1382 } 1383 1384 #ifdef HAVE_LIBPAM 1385 /* Cleanup PAM status associated with the port */ 1386 if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM) 1387 privsep_cleanup_pam(index); 1388 #endif 1389 isakmp_cfg_config.port_pool[index].used = 0; 1390 iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED; 1391 1392 plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index); 1393 1394 return 0; 1395 } 1396 1397 #ifdef HAVE_LIBPAM 1398 void 1399 cleanup_pam(port) 1400 int port; 1401 { 1402 if (isakmp_cfg_config.port_pool[port].pam != NULL) { 1403 pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS); 1404 isakmp_cfg_config.port_pool[port].pam = NULL; 1405 } 1406 1407 return; 1408 } 1409 #endif 1410 1411 /* Accounting, only for RADIUS or PAM */ 1412 static int 1413 isakmp_cfg_accounting(iph1, inout) 1414 struct ph1handle *iph1; 1415 int inout; 1416 { 1417 #ifdef HAVE_LIBPAM 1418 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM) 1419 return privsep_accounting_pam(iph1->mode_cfg->port, 1420 inout); 1421 #endif 1422 #ifdef HAVE_LIBRADIUS 1423 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) 1424 return isakmp_cfg_accounting_radius(iph1, inout); 1425 #endif 1426 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM) 1427 return privsep_accounting_system(iph1->mode_cfg->port, 1428 iph1->remote, iph1->mode_cfg->login, inout); 1429 return 0; 1430 } 1431 1432 #ifdef HAVE_LIBPAM 1433 int 1434 isakmp_cfg_accounting_pam(port, inout) 1435 int port; 1436 int inout; 1437 { 1438 int error = 0; 1439 pam_handle_t *pam; 1440 1441 if (isakmp_cfg_config.port_pool == NULL) { 1442 plog(LLV_ERROR, LOCATION, NULL, 1443 "isakmp_cfg_config.port_pool == NULL\n"); 1444 return -1; 1445 } 1446 1447 pam = isakmp_cfg_config.port_pool[port].pam; 1448 if (pam == NULL) { 1449 plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n"); 1450 return -1; 1451 } 1452 1453 switch (inout) { 1454 case ISAKMP_CFG_LOGIN: 1455 error = pam_open_session(pam, 0); 1456 break; 1457 case ISAKMP_CFG_LOGOUT: 1458 error = pam_close_session(pam, 0); 1459 pam_end(pam, error); 1460 isakmp_cfg_config.port_pool[port].pam = NULL; 1461 break; 1462 default: 1463 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1464 break; 1465 } 1466 1467 if (error != 0) { 1468 plog(LLV_ERROR, LOCATION, NULL, 1469 "pam_open_session/pam_close_session failed: %s\n", 1470 pam_strerror(pam, error)); 1471 return -1; 1472 } 1473 1474 return 0; 1475 } 1476 #endif /* HAVE_LIBPAM */ 1477 1478 #ifdef HAVE_LIBRADIUS 1479 static int 1480 isakmp_cfg_accounting_radius(iph1, inout) 1481 struct ph1handle *iph1; 1482 int inout; 1483 { 1484 if (rad_create_request(radius_acct_state, 1485 RAD_ACCOUNTING_REQUEST) != 0) { 1486 plog(LLV_ERROR, LOCATION, NULL, 1487 "rad_create_request failed: %s\n", 1488 rad_strerror(radius_acct_state)); 1489 return -1; 1490 } 1491 1492 if (rad_put_string(radius_acct_state, RAD_USER_NAME, 1493 iph1->mode_cfg->login) != 0) { 1494 plog(LLV_ERROR, LOCATION, NULL, 1495 "rad_put_string failed: %s\n", 1496 rad_strerror(radius_acct_state)); 1497 return -1; 1498 } 1499 1500 switch (inout) { 1501 case ISAKMP_CFG_LOGIN: 1502 inout = RAD_START; 1503 break; 1504 case ISAKMP_CFG_LOGOUT: 1505 inout = RAD_STOP; 1506 break; 1507 default: 1508 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1509 break; 1510 } 1511 1512 if (rad_put_addr(radius_acct_state, 1513 RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) { 1514 plog(LLV_ERROR, LOCATION, NULL, 1515 "rad_put_addr failed: %s\n", 1516 rad_strerror(radius_acct_state)); 1517 return -1; 1518 } 1519 1520 if (rad_put_addr(radius_acct_state, 1521 RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) { 1522 plog(LLV_ERROR, LOCATION, NULL, 1523 "rad_put_addr failed: %s\n", 1524 rad_strerror(radius_acct_state)); 1525 return -1; 1526 } 1527 1528 if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) { 1529 plog(LLV_ERROR, LOCATION, NULL, 1530 "rad_put_int failed: %s\n", 1531 rad_strerror(radius_acct_state)); 1532 return -1; 1533 } 1534 1535 if (isakmp_cfg_radius_common(radius_acct_state, 1536 iph1->mode_cfg->port) != 0) 1537 return -1; 1538 1539 if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) { 1540 plog(LLV_ERROR, LOCATION, NULL, 1541 "rad_send_request failed: %s\n", 1542 rad_strerror(radius_acct_state)); 1543 return -1; 1544 } 1545 1546 return 0; 1547 } 1548 #endif /* HAVE_LIBRADIUS */ 1549 1550 /* 1551 * Attributes common to all RADIUS requests 1552 */ 1553 #ifdef HAVE_LIBRADIUS 1554 int 1555 isakmp_cfg_radius_common(radius_state, port) 1556 struct rad_handle *radius_state; 1557 int port; 1558 { 1559 struct utsname name; 1560 static struct hostent *host = NULL; 1561 struct in_addr nas_addr; 1562 1563 /* 1564 * Find our own IP by resolving our nodename 1565 */ 1566 if (host == NULL) { 1567 if (uname(&name) != 0) { 1568 plog(LLV_ERROR, LOCATION, NULL, 1569 "uname failed: %s\n", strerror(errno)); 1570 return -1; 1571 } 1572 1573 if ((host = gethostbyname(name.nodename)) == NULL) { 1574 plog(LLV_ERROR, LOCATION, NULL, 1575 "gethostbyname failed: %s\n", strerror(errno)); 1576 return -1; 1577 } 1578 } 1579 1580 memcpy(&nas_addr, host->h_addr, sizeof(nas_addr)); 1581 if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) { 1582 plog(LLV_ERROR, LOCATION, NULL, 1583 "rad_put_addr failed: %s\n", 1584 rad_strerror(radius_state)); 1585 return -1; 1586 } 1587 1588 if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) { 1589 plog(LLV_ERROR, LOCATION, NULL, 1590 "rad_put_int failed: %s\n", 1591 rad_strerror(radius_state)); 1592 return -1; 1593 } 1594 1595 if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) { 1596 plog(LLV_ERROR, LOCATION, NULL, 1597 "rad_put_int failed: %s\n", 1598 rad_strerror(radius_state)); 1599 return -1; 1600 } 1601 1602 if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) { 1603 plog(LLV_ERROR, LOCATION, NULL, 1604 "rad_put_int failed: %s\n", 1605 rad_strerror(radius_state)); 1606 return -1; 1607 } 1608 1609 return 0; 1610 } 1611 #endif 1612 1613 /* 1614 Logs the user into the utmp system files. 1615 */ 1616 1617 int 1618 isakmp_cfg_accounting_system(port, raddr, usr, inout) 1619 int port; 1620 struct sockaddr *raddr; 1621 char *usr; 1622 int inout; 1623 { 1624 int error = 0; 1625 struct utmp ut; 1626 char term[UT_LINESIZE]; 1627 char addr[NI_MAXHOST]; 1628 1629 if (usr == NULL || usr[0]=='\0') { 1630 plog(LLV_ERROR, LOCATION, NULL, 1631 "system accounting : no login found\n"); 1632 return -1; 1633 } 1634 1635 sprintf(term, TERMSPEC, port); 1636 1637 switch (inout) { 1638 case ISAKMP_CFG_LOGIN: 1639 strncpy(ut.ut_name, usr, UT_NAMESIZE); 1640 ut.ut_name[UT_NAMESIZE - 1] = '\0'; 1641 1642 strncpy(ut.ut_line, term, UT_LINESIZE); 1643 ut.ut_line[UT_LINESIZE - 1] = '\0'; 1644 1645 GETNAMEINFO_NULL(raddr, addr); 1646 strncpy(ut.ut_host, addr, UT_HOSTSIZE); 1647 ut.ut_host[UT_HOSTSIZE - 1] = '\0'; 1648 1649 ut.ut_time = time(NULL); 1650 1651 plog(LLV_INFO, LOCATION, NULL, 1652 "Accounting : '%s' logging on '%s' from %s.\n", 1653 ut.ut_name, ut.ut_line, ut.ut_host); 1654 1655 login(&ut); 1656 1657 break; 1658 case ISAKMP_CFG_LOGOUT: 1659 1660 plog(LLV_INFO, LOCATION, NULL, 1661 "Accounting : '%s' unlogging from '%s'.\n", 1662 usr, term); 1663 1664 logout(term); 1665 1666 break; 1667 default: 1668 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); 1669 break; 1670 } 1671 1672 return 0; 1673 } 1674 1675 int 1676 isakmp_cfg_getconfig(iph1) 1677 struct ph1handle *iph1; 1678 { 1679 vchar_t *buffer; 1680 struct isakmp_pl_attr *attrpl; 1681 struct isakmp_data *attr; 1682 size_t len; 1683 int error; 1684 int attrcount; 1685 int i; 1686 int attrlist[] = { 1687 INTERNAL_IP4_ADDRESS, 1688 INTERNAL_IP4_NETMASK, 1689 INTERNAL_IP4_DNS, 1690 INTERNAL_IP4_NBNS, 1691 UNITY_BANNER, 1692 UNITY_DEF_DOMAIN, 1693 UNITY_SPLITDNS_NAME, 1694 UNITY_SPLIT_INCLUDE, 1695 UNITY_LOCAL_LAN, 1696 APPLICATION_VERSION, 1697 }; 1698 1699 attrcount = sizeof(attrlist) / sizeof(*attrlist); 1700 len = sizeof(*attrpl) + sizeof(*attr) * attrcount; 1701 1702 if ((buffer = vmalloc(len)) == NULL) { 1703 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 1704 return -1; 1705 } 1706 1707 attrpl = (struct isakmp_pl_attr *)buffer->v; 1708 attrpl->h.len = htons(len); 1709 attrpl->type = ISAKMP_CFG_REQUEST; 1710 attrpl->id = htons((u_int16_t)(eay_random() & 0xffff)); 1711 1712 attr = (struct isakmp_data *)(attrpl + 1); 1713 1714 for (i = 0; i < attrcount; i++) { 1715 attr->type = htons(attrlist[i]); 1716 attr->lorv = htons(0); 1717 attr++; 1718 } 1719 1720 plog(LLV_DEBUG, LOCATION, NULL, 1721 "Sending MODE_CFG REQUEST\n"); 1722 1723 error = isakmp_cfg_send(iph1, buffer, 1724 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 1725 1726 vfree(buffer); 1727 1728 return error; 1729 } 1730 1731 static void 1732 isakmp_cfg_getaddr4(attr, ip) 1733 struct isakmp_data *attr; 1734 struct in_addr *ip; 1735 { 1736 size_t alen = ntohs(attr->lorv); 1737 in_addr_t *addr; 1738 1739 if (alen != sizeof(*ip)) { 1740 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); 1741 return; 1742 } 1743 1744 addr = (in_addr_t *)(attr + 1); 1745 ip->s_addr = *addr; 1746 1747 return; 1748 } 1749 1750 static void 1751 isakmp_cfg_appendaddr4(attr, ip, num, max) 1752 struct isakmp_data *attr; 1753 struct in_addr *ip; 1754 int *num; 1755 int max; 1756 { 1757 size_t alen = ntohs(attr->lorv); 1758 in_addr_t *addr; 1759 1760 if (alen != sizeof(*ip)) { 1761 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n"); 1762 return; 1763 } 1764 if (*num == max) { 1765 plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n"); 1766 return; 1767 } 1768 1769 addr = (in_addr_t *)(attr + 1); 1770 ip->s_addr = *addr; 1771 (*num)++; 1772 1773 return; 1774 } 1775 1776 static void 1777 isakmp_cfg_getstring(attr, str) 1778 struct isakmp_data *attr; 1779 char *str; 1780 { 1781 size_t alen = ntohs(attr->lorv); 1782 char *src; 1783 src = (char *)(attr + 1); 1784 1785 memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen)); 1786 1787 return; 1788 } 1789 1790 #define IP_MAX 40 1791 1792 void 1793 isakmp_cfg_iplist_to_str(dest, count, addr, withmask) 1794 char *dest; 1795 int count; 1796 void *addr; 1797 int withmask; 1798 { 1799 int i; 1800 int p; 1801 int l; 1802 struct unity_network tmp; 1803 for(i = 0, p = 0; i < count; i++) { 1804 if(withmask == 1) 1805 l = sizeof(struct unity_network); 1806 else 1807 l = sizeof(struct in_addr); 1808 memcpy(&tmp, addr, l); 1809 addr += l; 1810 if((uint32_t)tmp.addr4.s_addr == 0) 1811 break; 1812 1813 inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX); 1814 p += strlen(dest + p); 1815 if(withmask == 1) { 1816 dest[p] = '/'; 1817 p++; 1818 inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX); 1819 p += strlen(dest + p); 1820 } 1821 dest[p] = ' '; 1822 p++; 1823 } 1824 if(p > 0) 1825 dest[p-1] = '\0'; 1826 else 1827 dest[0] = '\0'; 1828 } 1829 1830 int 1831 isakmp_cfg_setenv(iph1, envp, envc) 1832 struct ph1handle *iph1; 1833 char ***envp; 1834 int *envc; 1835 { 1836 char addrstr[IP_MAX]; 1837 char addrlist[IP_MAX * MAXNS + MAXNS]; 1838 char *splitlist = addrlist; 1839 char *splitlist_cidr; 1840 char defdom[MAXPATHLEN + 1]; 1841 int cidr, tmp; 1842 char cidrstr[4]; 1843 int i, p; 1844 int test; 1845 1846 plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n"); 1847 1848 /* 1849 * Internal IPv4 address, either if 1850 * we are a client or a server. 1851 */ 1852 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) || 1853 #ifdef HAVE_LIBLDAP 1854 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 1855 #endif 1856 #ifdef HAVE_LIBRADIUS 1857 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || 1858 #endif 1859 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) { 1860 inet_ntop(AF_INET, &iph1->mode_cfg->addr4, 1861 addrstr, IP_MAX); 1862 } else 1863 addrstr[0] = '\0'; 1864 1865 if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) { 1866 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n"); 1867 return -1; 1868 } 1869 1870 if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) { 1871 if (script_env_append(envp, envc, "XAUTH_USER", 1872 iph1->mode_cfg->xauth.authdata.generic.usr) != 0) { 1873 plog(LLV_ERROR, LOCATION, NULL, 1874 "Cannot set XAUTH_USER\n"); 1875 return -1; 1876 } 1877 } 1878 1879 /* Internal IPv4 mask */ 1880 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) 1881 inet_ntop(AF_INET, &iph1->mode_cfg->mask4, 1882 addrstr, IP_MAX); 1883 else 1884 addrstr[0] = '\0'; 1885 1886 /* 1887 * During several releases, documentation adverised INTERNAL_NETMASK4 1888 * while code was using INTERNAL_MASK4. We now do both. 1889 */ 1890 1891 if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { 1892 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n"); 1893 return -1; 1894 } 1895 1896 if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { 1897 plog(LLV_ERROR, LOCATION, NULL, 1898 "Cannot set INTERNAL_NETMASK4\n"); 1899 return -1; 1900 } 1901 1902 tmp = ntohl(iph1->mode_cfg->mask4.s_addr); 1903 for (cidr = 0; tmp != 0; cidr++) 1904 tmp <<= 1; 1905 snprintf(cidrstr, 3, "%d", cidr); 1906 1907 if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) { 1908 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n"); 1909 return -1; 1910 } 1911 1912 /* Internal IPv4 DNS */ 1913 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) { 1914 /* First Internal IPv4 DNS (for compatibilty with older code */ 1915 inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], 1916 addrstr, IP_MAX); 1917 1918 /* Internal IPv4 DNS - all */ 1919 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index, 1920 (void *)iph1->mode_cfg->dns4, 0); 1921 } else { 1922 addrstr[0] = '\0'; 1923 addrlist[0] = '\0'; 1924 } 1925 1926 if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) { 1927 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n"); 1928 return -1; 1929 } 1930 if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) { 1931 plog(LLV_ERROR, LOCATION, NULL, 1932 "Cannot set INTERNAL_DNS4_LIST\n"); 1933 return -1; 1934 } 1935 1936 /* Internal IPv4 WINS */ 1937 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) { 1938 /* 1939 * First Internal IPv4 WINS 1940 * (for compatibilty with older code 1941 */ 1942 inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], 1943 addrstr, IP_MAX); 1944 1945 /* Internal IPv4 WINS - all */ 1946 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index, 1947 (void *)iph1->mode_cfg->wins4, 0); 1948 } else { 1949 addrstr[0] = '\0'; 1950 addrlist[0] = '\0'; 1951 } 1952 1953 if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) { 1954 plog(LLV_ERROR, LOCATION, NULL, 1955 "Cannot set INTERNAL_WINS4\n"); 1956 return -1; 1957 } 1958 if (script_env_append(envp, envc, 1959 "INTERNAL_WINS4_LIST", addrlist) != 0) { 1960 plog(LLV_ERROR, LOCATION, NULL, 1961 "Cannot set INTERNAL_WINS4_LIST\n"); 1962 return -1; 1963 } 1964 1965 /* Deault domain */ 1966 if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) 1967 strncpy(defdom, 1968 iph1->mode_cfg->default_domain, 1969 MAXPATHLEN + 1); 1970 else 1971 defdom[0] = '\0'; 1972 1973 if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { 1974 plog(LLV_ERROR, LOCATION, NULL, 1975 "Cannot set DEFAULT_DOMAIN\n"); 1976 return -1; 1977 } 1978 1979 /* Split networks */ 1980 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) { 1981 splitlist = 1982 splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK); 1983 splitlist_cidr = 1984 splitnet_list_2str(iph1->mode_cfg->split_include, CIDR); 1985 } else { 1986 splitlist = addrlist; 1987 splitlist_cidr = addrlist; 1988 addrlist[0] = '\0'; 1989 } 1990 1991 if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) { 1992 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n"); 1993 return -1; 1994 } 1995 if (script_env_append(envp, envc, 1996 "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) { 1997 plog(LLV_ERROR, LOCATION, NULL, 1998 "Cannot set SPLIT_INCLUDE_CIDR\n"); 1999 return -1; 2000 } 2001 if (splitlist != addrlist) 2002 racoon_free(splitlist); 2003 if (splitlist_cidr != addrlist) 2004 racoon_free(splitlist_cidr); 2005 2006 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) { 2007 splitlist = 2008 splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK); 2009 splitlist_cidr = 2010 splitnet_list_2str(iph1->mode_cfg->split_local, CIDR); 2011 } else { 2012 splitlist = addrlist; 2013 splitlist_cidr = addrlist; 2014 addrlist[0] = '\0'; 2015 } 2016 2017 if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) { 2018 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n"); 2019 return -1; 2020 } 2021 if (script_env_append(envp, envc, 2022 "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) { 2023 plog(LLV_ERROR, LOCATION, NULL, 2024 "Cannot set SPLIT_LOCAL_CIDR\n"); 2025 return -1; 2026 } 2027 if (splitlist != addrlist) 2028 racoon_free(splitlist); 2029 if (splitlist_cidr != addrlist) 2030 racoon_free(splitlist_cidr); 2031 2032 return 0; 2033 } 2034 2035 int 2036 isakmp_cfg_resize_pool(size) 2037 int size; 2038 { 2039 struct isakmp_cfg_port *new_pool; 2040 size_t len; 2041 int i; 2042 2043 if (size == isakmp_cfg_config.pool_size) 2044 return 0; 2045 2046 plog(LLV_INFO, LOCATION, NULL, 2047 "Resize address pool from %zu to %d\n", 2048 isakmp_cfg_config.pool_size, size); 2049 2050 /* If a pool already exists, check if we can shrink it */ 2051 if ((isakmp_cfg_config.port_pool != NULL) && 2052 (size < isakmp_cfg_config.pool_size)) { 2053 for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) { 2054 if (isakmp_cfg_config.port_pool[i].used) { 2055 plog(LLV_ERROR, LOCATION, NULL, 2056 "resize pool from %zu to %d impossible " 2057 "port %d is in use\n", 2058 isakmp_cfg_config.pool_size, size, i); 2059 size = i; 2060 break; 2061 } 2062 } 2063 } 2064 2065 len = size * sizeof(*isakmp_cfg_config.port_pool); 2066 new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len); 2067 if (new_pool == NULL) { 2068 plog(LLV_ERROR, LOCATION, NULL, 2069 "resize pool from %zu to %d impossible: %s", 2070 isakmp_cfg_config.pool_size, size, strerror(errno)); 2071 return -1; 2072 } 2073 2074 /* If size increase, intialize correctly the new records */ 2075 if (size > isakmp_cfg_config.pool_size) { 2076 size_t unit; 2077 size_t old_size; 2078 2079 unit = sizeof(*isakmp_cfg_config.port_pool); 2080 old_size = isakmp_cfg_config.pool_size; 2081 2082 bzero((char *)new_pool + (old_size * unit), 2083 (size - old_size) * unit); 2084 } 2085 2086 isakmp_cfg_config.port_pool = new_pool; 2087 isakmp_cfg_config.pool_size = size; 2088 2089 return 0; 2090 } 2091 2092 int 2093 isakmp_cfg_init(cold) 2094 int cold; 2095 { 2096 int i; 2097 int error; 2098 2099 isakmp_cfg_config.network4 = (in_addr_t)0x00000000; 2100 isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000; 2101 for (i = 0; i < MAXNS; i++) 2102 isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000; 2103 isakmp_cfg_config.dns4_index = 0; 2104 for (i = 0; i < MAXWINS; i++) 2105 isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000; 2106 isakmp_cfg_config.nbns4_index = 0; 2107 if (cold == ISAKMP_CFG_INIT_COLD) 2108 isakmp_cfg_config.port_pool = NULL; 2109 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 2110 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 2111 if (cold == ISAKMP_CFG_INIT_COLD) { 2112 if (isakmp_cfg_config.grouplist != NULL) { 2113 for (i = 0; i < isakmp_cfg_config.groupcount; i++) 2114 racoon_free(isakmp_cfg_config.grouplist[i]); 2115 racoon_free(isakmp_cfg_config.grouplist); 2116 } 2117 } 2118 isakmp_cfg_config.grouplist = NULL; 2119 isakmp_cfg_config.groupcount = 0; 2120 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 2121 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 2122 if (cold == ISAKMP_CFG_INIT_COLD) 2123 isakmp_cfg_config.pool_size = 0; 2124 isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY; 2125 strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN, 2126 MAXPATHLEN); 2127 strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN); 2128 2129 if (cold != ISAKMP_CFG_INIT_COLD ) 2130 if (isakmp_cfg_config.splitnet_list != NULL) 2131 splitnet_list_free(isakmp_cfg_config.splitnet_list, 2132 &isakmp_cfg_config.splitnet_count); 2133 isakmp_cfg_config.splitnet_list = NULL; 2134 isakmp_cfg_config.splitnet_count = 0; 2135 isakmp_cfg_config.splitnet_type = 0; 2136 2137 isakmp_cfg_config.pfs_group = 0; 2138 isakmp_cfg_config.save_passwd = 0; 2139 2140 if (cold != ISAKMP_CFG_INIT_COLD ) 2141 if (isakmp_cfg_config.splitdns_list != NULL) 2142 racoon_free(isakmp_cfg_config.splitdns_list); 2143 isakmp_cfg_config.splitdns_list = NULL; 2144 isakmp_cfg_config.splitdns_len = 0; 2145 2146 #if 0 2147 if (cold == ISAKMP_CFG_INIT_COLD) { 2148 if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0) 2149 return error; 2150 } 2151 #endif 2152 2153 return 0; 2154 } 2155 2156