1 /* $Id: remoteconf.c,v 1.24 2004/12/01 10:59:41 vanhu Exp $ */
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <sys/types.h>
35 #include <sys/param.h>
36 #include <sys/socket.h>
37 #include <sys/queue.h>
39 #include <netinet/in.h>
41 #ifndef HAVE_NETINET6_IPSEC
42 #include <netinet/ipsec.h>
44 #include <netinet6/ipsec.h>
60 #include "isakmp_var.h"
62 #include "ipsec_doi.h"
64 #include "remoteconf.h"
65 #include "localconf.h"
66 #include "grabmyaddr.h"
71 #include "algorithm.h"
72 #include "nattraversal.h"
75 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
80 char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
84 * search remote configuration.
85 * don't use port number to search if its value is either IPSEC_PORT_ANY.
86 * If matching anonymous entry, then new entry is copied from anonymous entry.
87 * If no anonymous entry found, then return NULL.
89 * Other: remote configuration entry.
92 getrmconf_strict(remote, allow_anon)
93 struct sockaddr *remote;
97 struct remoteconf *anon = NULL;
99 char buf[NI_MAXHOST + NI_MAXSERV + 10];
100 char addr[NI_MAXHOST], port[NI_MAXSERV];
104 switch (remote->sa_family) {
106 if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
111 if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY)
119 plog(LLV_ERROR, LOCATION, NULL,
120 "invalid family: %d\n", remote->sa_family);
124 if (remote->sa_family == AF_UNSPEC)
125 snprintf (buf, sizeof(buf), "%s", "anonymous");
127 GETNAMEINFO(remote, addr, port);
128 snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
130 withport ? port : "",
131 withport ? "]" : "");
134 TAILQ_FOREACH(p, &rmtree, chain) {
135 if ((remote->sa_family == AF_UNSPEC
136 && remote->sa_family == p->remote->sa_family)
137 || (!withport && cmpsaddrwop(remote, p->remote) == 0)
138 || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
139 plog(LLV_DEBUG, LOCATION, NULL,
140 "configuration found for %s.\n", buf);
144 /* save the pointer to the anonymous configuration */
145 if (p->remote->sa_family == AF_UNSPEC)
149 if (allow_anon && anon != NULL) {
150 plog(LLV_DEBUG, LOCATION, NULL,
151 "anonymous configuration selected for %s.\n", buf);
155 plog(LLV_DEBUG, LOCATION, NULL,
156 "no remote configuration found.\n");
163 struct sockaddr *remote;
165 return getrmconf_strict(remote, 1);
171 struct remoteconf *new;
173 new = racoon_calloc(1, sizeof(*new));
177 new->proposal = NULL;
180 new->doitype = IPSEC_DOI;
181 new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
182 new->idvtype = IDTYPE_UNDEFINED;
183 new->idvl_p = genlist_init();
184 new->nonce_size = DEFAULT_NONCE_SIZE;
185 new->passive = FALSE;
186 new->ike_frag = FALSE;
187 new->ini_contact = TRUE;
188 new->mode_cfg = FALSE;
189 new->pcheck_level = PROP_CHECK_STRICT;
190 new->verify_identifier = FALSE;
191 new->verify_cert = TRUE;
192 new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
193 new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
194 new->cacerttype = ISAKMP_CERT_X509SIGN;
195 new->cacertfile = NULL;
196 new->send_cert = TRUE;
198 new->support_proxy = FALSE;
199 bzero(&new->script[0], sizeof(char *) * (SCRIPT_MAX + 1));
200 new->gen_policy = FALSE;
201 new->retry_counter = lcconf->retry_counter;
202 new->retry_interval = lcconf->retry_interval;
203 new->nat_traversal = FALSE;
204 new->rsa_private = genlist_init();
205 new->rsa_public = genlist_init();
209 new->dpd = TRUE; /* Enable DPD support by default */
210 new->dpd_interval = 0; /* Disable DPD checks by default */
212 new->dpd_maxfails = 5;
219 struct sockaddr *remote;
221 struct remoteconf *new, *old;
223 old = getrmconf_strict (remote, 0);
225 plog (LLV_ERROR, LOCATION, NULL,
226 "Remote configuration for '%s' not found!\n",
231 new = duprmconf (old);
242 struct idspec *old = (struct idspec *) entry;
244 if (!id) return (void *) -1;
246 if (set_identifier(&id->id, old->idtype, old->id) != 0)
249 id->idtype = old->idtype;
251 genlist_append(arg, id);
257 struct remoteconf *rmconf;
259 struct remoteconf *new;
261 new = racoon_calloc(1, sizeof(*new));
264 memcpy (new, rmconf, sizeof (*new));
265 // FIXME: We should duplicate the proposal as well.
266 // This is now handled in the cfparse.y
267 // new->proposal = ...;
269 /* duplicate dynamic structures */
271 new->etypes=dupetypes(new->etypes);
272 new->idvl_p = genlist_init();
273 genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);
279 idspec_free(void *data)
281 vfree (((struct idspec *)data)->id);
287 struct remoteconf *rmconf;
290 deletypes(rmconf->etypes);
292 genlist_free(rmconf->idvl_p, idspec_free);
294 oakley_dhgrp_free(rmconf->dhgrp);
295 if (rmconf->proposal)
296 delisakmpsa(rmconf->proposal);
305 oakley_dhgrp_free(sa->dhgrp);
307 delisakmpsa(sa->next);
324 new = racoon_malloc(sizeof(struct etypes));
328 new->type = orig->type;
332 new->next=dupetypes(orig->next);
347 * insert into head of list.
351 struct remoteconf *new;
353 TAILQ_INSERT_HEAD(&rmtree, new, chain);
358 struct remoteconf *rmconf;
360 TAILQ_REMOVE(&rmtree, rmconf, chain);
366 struct remoteconf *p, *next;
368 for (p = TAILQ_FIRST(&rmtree); p; p = next) {
369 next = TAILQ_NEXT(p, chain);
381 /* check exchange type to be acceptable */
383 check_etypeok(rmconf, etype)
384 struct remoteconf *rmconf;
389 for (e = rmconf->etypes; e != NULL; e = e->next) {
390 if (e->type == etype)
401 struct isakmpsa *new;
403 new = racoon_calloc(1, sizeof(*new));
408 * Just for sanity, make sure this is initialized. This is
409 * filled in for real when the ISAKMP proposal is configured.
411 new->vendorid = VENDORID_UNKNOWN;
423 * insert into tail of list.
426 insisakmpsa(new, rmconf)
427 struct isakmpsa *new;
428 struct remoteconf *rmconf;
432 new->rmconf = rmconf;
434 if (rmconf->proposal == NULL) {
435 rmconf->proposal = new;
439 for (p = rmconf->proposal; p->next != NULL; p = p->next)
447 foreachrmconf(rmconf_func_t rmconf_func, void *data)
449 struct remoteconf *p, *ret = NULL;
451 TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
452 ret = (*rmconf_func)(p, data);
461 dump_peers_identifiers (void *entry, void *arg)
463 struct idspec *id = (struct idspec*) entry;
464 char buf[1024], *pbuf;
466 pbuf += sprintf (pbuf, "\tpeers_identifier %s",
467 s_idtype (id->idtype));
469 pbuf += sprintf (pbuf, " \"%s\"", id->id->v);
470 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
474 static struct remoteconf *
475 dump_rmconf_single (struct remoteconf *p, void *data)
477 struct etypes *etype = p->etypes;
478 struct isakmpsa *prop = p->proposal;
479 char buf[1024], *pbuf;
482 pbuf += sprintf(pbuf, "remote %s", saddr2str(p->remote));
483 if (p->inherited_from)
484 pbuf += sprintf(pbuf, " inherit %s",
485 saddr2str(p->inherited_from->remote));
486 plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
488 pbuf += sprintf(pbuf, "\texchange_type ");
490 pbuf += sprintf (pbuf, "%s%s", s_etype(etype->type),
491 etype->next != NULL ? ", " : ";\n");
494 plog(LLV_INFO, LOCATION, NULL, "%s", buf);
495 plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
497 pbuf += sprintf(pbuf, "\tmy_identifier %s", s_idtype (p->idvtype));
498 if (p->idvtype == IDTYPE_ASN1DN) {
499 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
500 plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
501 p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
502 p->mycertfile, p->myprivfile);
503 switch (p->getcert_method) {
506 case ISAKMP_GETCERT_PAYLOAD:
507 plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
509 case ISAKMP_GETCERT_LOCALFILE:
510 plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
512 case ISAKMP_GETCERT_DNS:
513 plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
516 plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
521 pbuf += sprintf (pbuf, " \"%s\"", p->idv->v);
522 plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
523 genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
526 plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
527 s_switch (p->send_cert));
528 plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
529 s_switch (p->send_cr));
530 plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
531 s_switch (p->verify_cert));
532 plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
533 s_switch (p->verify_identifier));
534 plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
535 p->nat_traversal == NATT_FORCE ?
536 "force" : s_switch (p->nat_traversal));
537 plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
539 plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
540 s_switch (p->passive));
541 plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
542 s_switch (p->ike_frag));
543 plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
544 s_switch (p->ini_contact));
545 plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
546 s_switch (p->gen_policy));
547 plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
548 s_switch (p->support_proxy));
551 plog(LLV_INFO, LOCATION, NULL, "\n");
552 plog(LLV_INFO, LOCATION, NULL,
553 "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
554 prop->prop_no, prop->trns_no,
555 saddr2str(prop->rmconf->remote));
556 plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
557 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
558 (long)prop->lifetime);
559 plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
561 plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
562 alg_oakley_dhdef_name(prop->dh_group));
563 plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
564 alg_oakley_encdef_name(prop->enctype));
565 plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
566 alg_oakley_hashdef_name(prop->hashtype));
567 plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
568 alg_oakley_authdef_name(prop->authmethod));
569 plog(LLV_INFO, LOCATION, NULL, "\t}\n");
572 plog(LLV_INFO, LOCATION, NULL, "}\n");
573 plog(LLV_INFO, LOCATION, NULL, "\n");
581 foreachrmconf (dump_rmconf_single, NULL);
589 new = racoon_calloc(1, sizeof(*new));
592 new->idtype = IDTYPE_ADDRESS;