1837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh/* 2e9fc376dc7e9ee22358b872c3eb2808fa42160f0Chia-chi Yeh * Copyright (C) 2011 The Android Open Source Project 3837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * 4837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * Licensed under the Apache License, Version 2.0 (the "License"); 5837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * you may not use this file except in compliance with the License. 6837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * You may obtain a copy of the License at 7837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * 8837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * http://www.apache.org/licenses/LICENSE-2.0 9837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * 10837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * Unless required by applicable law or agreed to in writing, software 11837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * distributed under the License is distributed on an "AS IS" BASIS, 12837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * See the License for the specific language governing permissions and 14837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh * limitations under the License. 
15837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh */ 16837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 17837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <stdio.h> 18837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <stdlib.h> 19837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <string.h> 20f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include <unistd.h> 218f3b38855d8849959825acc45dd11144adc7d862Chia-chi Yeh#include <sys/param.h> 22837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <sys/types.h> 23837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <sys/socket.h> 24c454954382b81262dc81ac54e147f4dc7fc0af75Chia-chi Yeh#include <netinet/in.h> 25837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include <netinet/ip.h> 267197eb77ef21feeedc5a47de31ded3a19c2af021Chia-chi Yeh#include <netdb.h> 27f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include <fcntl.h> 28837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 29837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "config.h" 30f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "gcmalloc.h" 31837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "libpfkey.h" 32837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "var.h" 33837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "isakmp_var.h" 34837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "isakmp.h" 35dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh#include "isakmp_xauth.h" 36837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "vmbuf.h" 37f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "crypto_openssl.h" 38837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "oakley.h" 39837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "ipsec_doi.h" 40837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "algorithm.h" 41837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "vendorid.h" 
42f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "schedule.h" 43f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "pfkey.h" 44f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "nattraversal.h" 45837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "proposal.h" 46837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "sainfo.h" 47837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "localconf.h" 48837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "remoteconf.h" 49837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "sockmisc.h" 50837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "grabmyaddr.h" 51837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#include "plog.h" 52bd5fa3c99638830d3fa1ae5b4fc4988de5ee0f4dChia-chi Yeh#include "admin.h" 53bd5fa3c99638830d3fa1ae5b4fc4988de5ee0f4dChia-chi Yeh#include "privsep.h" 54514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh#include "throttle.h" 55f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh#include "misc.h" 56837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 57837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehstatic struct localconf localconf; 58837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehstatic struct sainfo sainfo; 59837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehstatic char *pre_shared_key; 60f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 61b0d8f175b6317669d3b43b7032b1c3aadb65c524Chia-chi Yehstatic struct sockaddr *targets[2]; 62c91307af2622f6625525f3c1f9c954376df950adChia-chi Yehstatic struct sockaddr *source; 63c91307af2622f6625525f3c1f9c954376df950adChia-chi Yehstatic struct myaddrs myaddrs[2]; 64837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 65837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehstruct localconf *lcconf = &localconf; 66f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yehint f_local = 0; 67f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 
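/*****************************************************************************/

/* Log and terminate when an allocation returned NULL. Every allocation in
 * this file is made once at start-up and the daemon cannot continue without
 * it, so the existing do_plog() + exit(1) convention is used instead of
 * propagating an error code through the void helpers below. */
static void exit_if_null(const void *p)
{
    if (!p) {
        do_plog(LLV_ERROR, "Cannot allocate memory\n");
        exit(1);
    }
}

/* Append one algorithm to the phase-2 (IPsec SA) proposal list of the given
 * class. Entries are appended, so the order of the add_sainfo_algorithm()
 * calls in set_globals() is the order of preference sent to the peer.
 *   class     index into sainfo.algs (algclass_ipsec_auth, algclass_ipsec_enc)
 *   algorithm IPSECDOI_* algorithm identifier
 *   length    key length in bits; 0 for fixed-length algorithms */
static void add_sainfo_algorithm(int class, int algorithm, int length)
{
    struct sainfoalg *entry = calloc(1, sizeof(struct sainfoalg));
    exit_if_null(entry);
    entry->alg = algorithm;
    entry->encklen = length;

    if (!sainfo.algs[class]) {
        sainfo.algs[class] = entry;
        return;
    }
    struct sainfoalg *tail = sainfo.algs[class];
    while (tail->next) {
        tail = tail->next;
    }
    tail->next = entry;
}

/* Resolve the VPN server, pick the local address used to reach it and fill
 * in the static localconf / sainfo / myaddrs structures with the defaults
 * this front-end uses instead of a racoon.conf.
 *   server  host name or numeric address of the IKE peer
 * Exits the process on resolution or allocation failure. On return targets[0]
 * holds the peer address and source the local address, both with port 0;
 * myaddrs[0] (and myaddrs[1] under ENABLE_NATT) carry the ISAKMP listen
 * addresses with their sockets still unopened (-1). */
static void set_globals(char *server)
{
    struct addrinfo hints = {
        .ai_flags = AI_NUMERICSERV,
#ifndef INET6
        .ai_family = AF_INET,
#else
        .ai_family = AF_UNSPEC,
#endif
        .ai_socktype = SOCK_DGRAM,
    };
    struct addrinfo *info;

    /* "500" is only a placeholder service for resolution; the port is reset
     * to 0 below and the real ISAKMP ports live in myaddrs[]. */
    if (getaddrinfo(server, "500", &hints, &info) != 0) {
        do_plog(LLV_ERROR, "Cannot resolve address: %s\n", server);
        exit(1);
    }
    if (info->ai_next) {
        do_plog(LLV_WARNING, "Found multiple addresses. Use the first one.\n");
    }
    targets[0] = dupsaddr(info->ai_addr);
    freeaddrinfo(info);
    exit_if_null(targets[0]);

    source = getlocaladdr(targets[0]);
    if (!source) {
        do_plog(LLV_ERROR, "Cannot get local address\n");
        exit(1);
    }
    /* Ports are stripped so that policy_match() compares addresses only. */
    set_port(targets[0], 0);
    set_port(source, 0);

    myaddrs[0].addr = dupsaddr(source);
    exit_if_null(myaddrs[0].addr);
    set_port(myaddrs[0].addr, PORT_ISAKMP);
    myaddrs[0].sock = -1;
#ifdef ENABLE_NATT
    /* Second listener on the NAT-T port with UDP encapsulation enabled. */
    myaddrs[0].next = &myaddrs[1];
    myaddrs[1].addr = dupsaddr(myaddrs[0].addr);
    exit_if_null(myaddrs[1].addr);
    set_port(myaddrs[1].addr, PORT_ISAKMP_NATT);
    myaddrs[1].sock = -1;
    myaddrs[1].udp_encap = 1;
#endif

    localconf.myaddrs = &myaddrs[0];
    localconf.port_isakmp = PORT_ISAKMP;
    localconf.port_isakmp_natt = PORT_ISAKMP_NATT;
    localconf.default_af = AF_INET;
    localconf.pathinfo[LC_PATHTYPE_CERT] = "./";
    localconf.pad_random = LC_DEFAULT_PAD_RANDOM;
    localconf.pad_randomlen = LC_DEFAULT_PAD_RANDOM;
    localconf.pad_strict = LC_DEFAULT_PAD_STRICT;
    localconf.pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
    localconf.retry_counter = 10;
    localconf.retry_interval = 3;
    localconf.count_persend = LC_DEFAULT_COUNT_PERSEND;
    localconf.secret_size = LC_DEFAULT_SECRETSIZE;
    localconf.retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
    localconf.wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
    localconf.natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;

    /* Phase-2 proposal: strongest first; DES and MD5 remain at the end of
     * the list for interoperability with old gateways. */
    sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
    sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
    add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
    add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
    add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
    add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
    add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
    add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);

    memset(script_names, 0, sizeof(script_names));
}

/*****************************************************************************/

/* Return non-zero when the address carried by a PF_KEY address extension is
 * one of ours: the peer (targets[0]) or, in tunnel mode, the local address
 * recorded by spdadd() in targets[1]. Ports are ignored (cmpsaddrwop).
 * targets[1] stays NULL in transport mode, so it is guarded explicitly
 * rather than relying on cmpsaddrwop()'s handling of a NULL operand. */
static int policy_match(struct sadb_address *address)
{
    if (!address) {
        return 0;
    }
    struct sockaddr *addr = PFKEY_ADDR_SADDR(address);
    if (!cmpsaddrwop(addr, targets[0])) {
        return 1;
    }
    return targets[1] && !cmpsaddrwop(addr, targets[1]);
}

/* flush; spdflush;
 * Dump the SAD and SPD and delete every entry whose source or destination
 * matches policy_match(). Only entries involving this VPN are removed, so
 * unrelated IPsec state on the host is left alone. Also registered with
 * atexit() by spdadd() so the policies are torn down when the daemon ends.
 * Exits the process if the PF_KEY socket cannot be opened or the dumps
 * cannot be requested. */
static void flush(void)
{
    int replies = 0;
    int key = pfkey_open();

    if (key < 0) {
        do_plog(LLV_ERROR, "Cannot open PF_KEY socket\n");
        exit(1);
    }
    if (pfkey_send_dump(key, SADB_SATYPE_UNSPEC) <= 0 ||
            pfkey_send_spddump(key) <= 0) {
        do_plog(LLV_ERROR, "Cannot dump SAD and SPD\n");
        exit(1);
    }

    /* One SADB_DUMP reply stream and one SADB_X_SPDDUMP reply stream are
     * expected; the kernel marks the last message of each with seq == 0. */
    while (replies < 2) {
        struct sadb_msg *msg = pfkey_recv(key);
        caddr_t ext[SADB_EXT_MAX + 1];

        if (!msg) {
            break;
        }
        if (msg->sadb_msg_type == SADB_DUMP ||
                msg->sadb_msg_type == SADB_X_SPDDUMP) {
            replies += !msg->sadb_msg_seq;

            if (!msg->sadb_msg_errno && !pfkey_align(msg, ext) &&
                    !pfkey_check(ext) &&
                    (policy_match((struct sadb_address *)ext[SADB_EXT_ADDRESS_SRC]) ||
                     policy_match((struct sadb_address *)ext[SADB_EXT_ADDRESS_DST]))) {
                /* Reuse the dumped message as the delete request: same
                 * extensions, only the type changes. */
                msg->sadb_msg_type = (msg->sadb_msg_type == SADB_DUMP) ?
                        SADB_DELETE : SADB_X_SPDDELETE;
                msg->sadb_msg_reserved = 0;
                msg->sadb_msg_seq = 0;
                if (pfkey_send(key, msg, PFKEY_UNUNIT64(msg->sadb_msg_len)) <= 0) {
                    do_plog(LLV_WARNING, "Cannot delete SA or policy\n");
                }
            }
        }
        free(msg);
    }

    pfkey_close(key);
}

/* spdadd src dst protocol -P out ipsec esp/transport//require;
 * spdadd dst src protocol -P in ipsec esp/transport//require;
 * or
 * spdadd src any protocol -P out ipsec esp/tunnel/local-remote/require;
 * spdadd any src protocol -P in ipsec esp/tunnel/remote-local/require;
 *
 * Install the outbound and inbound ESP policies for this connection.
 *   src, dst  traffic selectors; dst == NULL selects tunnel mode with an
 *             "any" destination of src's family
 *   protocol  upper-layer protocol of the selector
 *   local,    tunnel endpoints; only read when dst == NULL
 *   remote
 * Flushes existing state for our addresses first and registers flush() to
 * run at exit. Exits the process on any PF_KEY failure. */
static void spdadd(struct sockaddr *src, struct sockaddr *dst,
        int protocol, struct sockaddr *local, struct sockaddr *remote)
{
    /* sadb_x_policy followed by one ipsecrequest and, in tunnel mode, the
     * two endpoint addresses back to back; packed so the kernel sees the
     * exact PF_KEY layout. */
    struct __attribute__((packed)) {
        struct sadb_x_policy p;
        struct sadb_x_ipsecrequest q;
        char addresses[sizeof(struct sockaddr_storage) * 2];
    } policy;

    struct sockaddr_storage any = {
#ifndef __linux__
        .ss_len = src->sa_len,
#endif
        .ss_family = src->sa_family,
    };

    int src_prefix = (src->sa_family == AF_INET) ? 32 : 128;
    int dst_prefix = src_prefix;
    int local_size = 0;
    int remote_size = 0;
    int length = 0;
    int key;

    /* Fill values for outbound policy. */
    memset(&policy, 0, sizeof(policy));
    policy.p.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    policy.p.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
    policy.p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
#ifdef HAVE_PFKEY_POLICY_PRIORITY
    policy.p.sadb_x_policy_priority = PRIORITY_DEFAULT;
#endif
    policy.q.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
    policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
    policy.q.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;

    /* Deal with tunnel mode. Each endpoint is copied with its own length
     * so that the remote address is not truncated or over-read when the
     * two endpoints are of different families. */
    if (!dst) {
        local_size = sysdep_sa_len(local);
        remote_size = sysdep_sa_len(remote);
        memcpy(policy.addresses, local, local_size);
        memcpy(&policy.addresses[local_size], remote, remote_size);
        length += local_size + remote_size;

        policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
        dst = (struct sockaddr *)&any;
        dst_prefix = 0;

        /* Also use the source address to filter policies. */
        targets[1] = dupsaddr(src);
        exit_if_null(targets[1]);
    }

    /* Fix lengths. */
    length += sizeof(policy.q);
    policy.q.sadb_x_ipsecrequest_len = length;
    length += sizeof(policy.p);
    policy.p.sadb_x_policy_len = PFKEY_UNIT64(length);

    /* Always do a flush before adding new policies. */
    flush();

    /* Set outbound policy. */
    key = pfkey_open();
    if (key < 0) {
        do_plog(LLV_ERROR, "Cannot open PF_KEY socket\n");
        exit(1);
    }
    if (pfkey_send_spdadd(key, src, src_prefix, dst, dst_prefix, protocol,
            (caddr_t)&policy, length, 0) <= 0) {
        do_plog(LLV_ERROR, "Cannot set outbound policy\n");
        exit(1);
    }

    /* Flip values for inbound policy: direction and, in tunnel mode, the
     * order of the endpoints (dst_prefix == 0 only in tunnel mode). */
    policy.p.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
    if (!dst_prefix) {
        memcpy(policy.addresses, remote, remote_size);
        memcpy(&policy.addresses[remote_size], local, local_size);
    }

    /* Set inbound policy. */
    if (pfkey_send_spdadd(key, dst, dst_prefix, src, src_prefix, protocol,
            (caddr_t)&policy, length, 0) <= 0) {
        do_plog(LLV_ERROR, "Cannot set inbound policy\n");
        exit(1);
    }

    pfkey_close(key);
    atexit(flush);
}

/*****************************************************************************/

/* Append one phase-1 (ISAKMP SA) transform to the remote configuration.
 * Transforms share proposal number 1 and get consecutive transform numbers
 * in call order, which is the preference order offered to the peer.
 *   remoteconf  configuration whose proposal list is extended
 *   auth        OAKLEY_ATTR_AUTH_METHOD_* value
 *   hash        OAKLEY_ATTR_HASH_ALG_* value
 *   encryption  OAKLEY_ATTR_ENC_ALG_* value
 *   length      key length in bits; 0 for fixed-length ciphers
 * Lifetime and DH group are fixed to the defaults used by this front-end. */
static void add_proposal(struct remoteconf *remoteconf,
        int auth, int hash, int encryption, int length)
{
    struct isakmpsa *sa = racoon_calloc(1, sizeof(struct isakmpsa));
    exit_if_null(sa);
    sa->prop_no = 1;
    sa->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
    sa->enctype = encryption;
    sa->encklen = length;
    sa->authmethod = auth;
    sa->hashtype = hash;
    sa->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
    sa->vendorid = VENDORID_UNKNOWN;
    sa->rmconf = remoteconf;

    if (!remoteconf->proposal) {
        sa->trns_no = 1;
        remoteconf->proposal = sa;
        return;
    }
    struct isakmpsa *tail = remoteconf->proposal;
    while (tail->next) {
        tail = tail->next;
    }
    sa->trns_no = tail->trns_no + 1;
    tail->next = sa;
}

/* Copy a C string into a freshly allocated vchar_t.
 * The buffer holds the terminating NUL but the reported length excludes it,
 * so the result is both a valid C string and an exact-length vchar.
 * Returns NULL when string is NULL or the allocation fails. The caller owns
 * the returned buffer (vfree). */
static vchar_t *strtovchar(char *string)
{
    if (!string) {
        return NULL;
    }
    vchar_t *vchar = vmalloc(strlen(string) + 1);
    if (vchar) {
        memcpy(vchar->v, string, vchar->l);
        vchar->l -= 1;
    }
    return vchar;
}

/* Configure pre-shared-key authentication.
 *   remoteconf  configuration to update
 *   identifier  local identity; "" keeps the default (IDTYPE_ADDRESS, main
 *               mode) and is expected to be non-NULL by the caller
 *   key         the pre-shared key itself
 * The key is not copied: only the pointer is stored in pre_shared_key, so
 * the caller's buffer must stay valid for the life of the daemon. A non-empty
 * identifier switches to aggressive mode and is classified as USERFQDN when
 * it contains both '.' and '@', FQDN when it contains '.', else KEYID. */
static void set_pre_shared_key(struct remoteconf *remoteconf,
        char *identifier, char *key)
{
    pre_shared_key = key;
    if (!identifier[0]) {
        return;
    }
    remoteconf->idv = strtovchar(identifier);
    exit_if_null(remoteconf->idv);
    remoteconf->etypes->type = ISAKMP_ETYPE_AGG;

    if (!strchr(identifier, '.')) {
        remoteconf->idvtype = IDTYPE_KEYID;
    } else if (strchr(identifier, '@')) {
        remoteconf->idvtype = IDTYPE_USERFQDN;
    } else {
        remoteconf->idvtype = IDTYPE_FQDN;
    }
}

/* Configure certificate-based authentication.
 *   user_private_key, user_certificate  client key and certificate files;
 *               a certificate selects IDTYPE_ASN1DN as the local identity
 *   ca_certificate  CA file; "" DISABLES peer certificate verification
 *               (verify_cert = FALSE), which leaves the connection open to
 *               an impersonated gateway, so callers should pass a CA
 *               whenever one is available
 *   server_certificate  "" or a local file holding the expected peer
 *               certificate (ISAKMP_GETCERT_LOCALFILE)
 * The path strings are stored by pointer, not copied. ca_certificate and
 * server_certificate are dereferenced unconditionally and must not be NULL;
 * user_certificate may be NULL. */
static void set_certificates(struct remoteconf *remoteconf,
        char *user_private_key, char *user_certificate,
        char *ca_certificate, char *server_certificate)
{
    remoteconf->myprivfile = user_private_key;
    remoteconf->mycertfile = user_certificate;
    if (user_certificate) {
        remoteconf->idvtype = IDTYPE_ASN1DN;
    }
    if (ca_certificate[0]) {
        remoteconf->cacertfile = ca_certificate;
    } else {
        remoteconf->verify_cert = FALSE;
    }
    if (server_certificate[0]) {
        remoteconf->peerscertfile = server_certificate;
        remoteconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
    }
}

#ifdef ENABLE_HYBRID

/* Configure XAUTH credentials, mode-config and the phase-1-up script.
 *   username, password  XAUTH credentials; both must be non-NULL
 *   phase1_up   script run when phase 1 completes
 *   script_arg  argument recorded in script_names[] for that script
 * The login and password vchars keep their terminating NUL inside the
 * reported length (l += 1) because the XAUTH code expects NUL-terminated
 * strings. Exits the process if any allocation fails, instead of
 * dereferencing a NULL vchar. */
static void set_xauth_and_more(struct remoteconf *remoteconf,
        char *username, char *password, char *phase1_up, char *script_arg)
{
    struct xauth_rmconf *xauth = racoon_calloc(1, sizeof(struct xauth_rmconf));
    exit_if_null(xauth);
    xauth->login = strtovchar(username);
    exit_if_null(xauth->login);
    xauth->login->l += 1;
    xauth->pass = strtovchar(password);
    exit_if_null(xauth->pass);
    xauth->pass->l += 1;
    remoteconf->xauth = xauth;
    remoteconf->mode_cfg = TRUE;
    remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(phase1_up);
    script_names[SCRIPT_PHASE1_UP] = script_arg;
}

#endif

extern void monitor_fd(int fd, void (*callback)(int));

/* Bind an ISAKMP socket to the given network interface and hand it to the
 * event loop with isakmp_handler as its callback. A failed SO_BINDTODEVICE
 * is only logged: the socket stays usable, but unbound to the interface.
 *   fd         open ISAKMP UDP socket
 *   interface  interface name (must be non-NULL) */
void add_isakmp_handler(int fd, const char *interface)
{
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
            interface, strlen(interface))) {
        do_plog(LLV_WARNING, "Cannot bind socket to %s\n", interface);
    }
    monitor_fd(fd, (void *)isakmp_handler);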
Yeh} 401c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh 402f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yehvoid setup(int argc, char **argv) 403f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh{ 404dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh struct remoteconf *remoteconf = NULL; 405f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh int auth; 406837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 407f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh if (argc > 2) { 408c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh set_globals(argv[2]); 409f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 410f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh /* Initialize everything else. */ 411f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh eay_init(); 412f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh initrmconf(); 413f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh oakley_dhinit(); 414f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh compute_vendorids(); 415f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh sched_init(); 416f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh if (pfkey_init() < 0 || isakmp_init() < 0) { 417f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh exit(1); 418f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh } 419c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh monitor_fd(localconf.sock_pfkey, (void *)pfkey_handler); 420c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh add_isakmp_handler(myaddrs[0].sock, argv[1]); 421837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#ifdef ENABLE_NATT 422c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh add_isakmp_handler(myaddrs[1].sock, argv[1]); 423f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh natt_keepalive_init(); 424837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh#endif 425837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 426f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh /* Create remote configuration. 
*/ 427f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf = newrmconf(); 428f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf->etypes = racoon_calloc(1, sizeof(struct etypes)); 429f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf->etypes->type = ISAKMP_ETYPE_IDENT; 43071076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh remoteconf->idvtype = IDTYPE_ADDRESS; 431f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf->ike_frag = TRUE; 432f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh remoteconf->pcheck_level = PROP_CHECK_CLAIM; 433c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh remoteconf->certtype = ISAKMP_CERT_X509SIGN; 434f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf->gen_policy = TRUE; 435f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh remoteconf->nat_traversal = TRUE; 43671076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024; 437e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(""); 438e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh remoteconf->script[SCRIPT_PHASE1_DOWN] = strtovchar(""); 43971076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh oakley_setdhgroup(remoteconf->dh_group, &remoteconf->dhgrp); 440b0d8f175b6317669d3b43b7032b1c3aadb65c524Chia-chi Yeh remoteconf->remote = dupsaddr(targets[0]); 441f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh } 442f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 443f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh /* Set authentication method and credentials. 
*/ 44471076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh if (argc == 7 && !strcmp(argv[3], "udppsk")) { 44571076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh set_pre_shared_key(remoteconf, argv[4], argv[5]); 446837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY; 447dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh 44871076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh set_port(targets[0], atoi(argv[6])); 449c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL); 450fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh } else if (argc == 9 && !strcmp(argv[3], "udprsa")) { 451fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]); 452dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh auth = OAKLEY_ATTR_AUTH_METHOD_RSASIG; 453dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh 454fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_port(targets[0], atoi(argv[8])); 455c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL); 456dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh#ifdef ENABLE_HYBRID 457dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh } else if (argc == 10 && !strcmp(argv[3], "xauthpsk")) { 45871076533ea2d32b0573b30b6f9507b88cd3a95f3Chia-chi Yeh set_pre_shared_key(remoteconf, argv[4], argv[5]); 459dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]); 460dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I; 461fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh } else if (argc == 12 && !strcmp(argv[3], "xauthrsa")) { 462fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]); 463fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_xauth_and_more(remoteconf, 
argv[8], argv[9], argv[10], argv[11]); 464dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I; 465fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh } else if (argc == 10 && !strcmp(argv[3], "hybridrsa")) { 466fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_certificates(remoteconf, NULL, NULL, argv[4], argv[5]); 467fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]); 468dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh auth = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I; 469dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh#endif 470f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh } else { 471dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh printf("Usage: %s <interface> <server> [...], where [...] can be:\n" 472fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " udppsk <identifier> <pre-shared-key> <port>; \n" 473fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " udprsa <user-private-key> <user-certificate> \\\n" 474fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " <ca-certificate> <server-certificate> <port>;\n" 475dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh#ifdef ENABLE_HYBRID 476fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " xauthpsk <identifier> <pre-shared-key> \\\n" 477fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " <username> <password> <phase1-up> <script-arg>;\n" 478fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " xauthrsa <user-private-key> <user-certificate> \\\n" 479fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " <ca-certificate> <server-certificate> \\\n" 480fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " <username> <password> <phase1-up> <script-arg>;\n" 481fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " hybridrsa <ca-certificate> <server-certificate> \\\n" 482fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6Chia-chi Yeh " <username> <password> <phase1-up> 
<script-arg>;\n" 483dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh#endif 484dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh "", argv[0]); 485f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh exit(0); 486837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh } 487837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 488f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh /* Add proposals. */ 489f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh add_proposal(remoteconf, auth, 490f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256); 491f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh add_proposal(remoteconf, auth, 492f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 256); 493f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh add_proposal(remoteconf, auth, 494f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128); 495f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh add_proposal(remoteconf, auth, 496f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 128); 497f82b8262b2f1f72a4361878acfa07161bed78f9aChia-chi Yeh add_proposal(remoteconf, auth, 498f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_3DES, 0); 499f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh add_proposal(remoteconf, auth, 500f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_3DES, 0); 501f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh add_proposal(remoteconf, auth, 502f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_DES, 0); 503f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh add_proposal(remoteconf, auth, 504f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_DES, 0); 
505f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 506f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh /* Install remote configuration. */ 507f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh insrmconf(remoteconf); 508f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 509dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh /* Start phase 1 negotiation for xauth. */ 510dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh if (remoteconf->xauth) { 511c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh isakmp_ph1begin_i(remoteconf, remoteconf->remote, source); 512dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh } 513837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 514837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 515f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh/*****************************************************************************/ 516f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 517837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh/* localconf.h */ 518837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 519837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehvchar_t *getpskbyaddr(struct sockaddr *addr) 520837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 521dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yeh return strtovchar(pre_shared_key); 522837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 523837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 524837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehvchar_t *getpskbyname(vchar_t *name) 525837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 526837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh return NULL; 527837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 528837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 529837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yehvoid getpathname(char *path, int length, int type, const char *name) 530837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 5318f3b38855d8849959825acc45dd11144adc7d862Chia-chi Yeh 
if (pname) { 5328f3b38855d8849959825acc45dd11144adc7d862Chia-chi Yeh snprintf(path, length, pname, name); 533e9fc376dc7e9ee22358b872c3eb2808fa42160f0Chia-chi Yeh } else { 534e9fc376dc7e9ee22358b872c3eb2808fa42160f0Chia-chi Yeh strncpy(path, name, length); 535e9fc376dc7e9ee22358b872c3eb2808fa42160f0Chia-chi Yeh } 536fd76ec530c3f9cd0b9cc03501d02b6cb3ba705edChia-chi Yeh path[length - 1] = '\0'; 537837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 538837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 539514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh/* grabmyaddr.h */ 540514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh 541514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yehint myaddr_getsport(struct sockaddr *addr) 542514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh{ 543514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh return 0; 544514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh} 545514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh 546c91307af2622f6625525f3c1f9c954376df950adChia-chi Yehint getsockmyaddr(struct sockaddr *addr) 547514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh{ 548514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh#ifdef ENABLE_NATT 549c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if (!cmpsaddrstrict(addr, myaddrs[1].addr)) { 550c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh return myaddrs[1].sock; 551514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh } 552514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh#endif 553c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh if (!cmpsaddrwop(addr, myaddrs[0].addr)) { 554c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh return myaddrs[0].sock; 555514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh } 556514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh return -1; 557514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh} 558514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh 559f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh/* privsep.h */ 
560f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 561c91307af2622f6625525f3c1f9c954376df950adChia-chi Yehint privsep_pfkey_open() 562837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 563c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh return pfkey_open(); 564837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 565837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 566c91307af2622f6625525f3c1f9c954376df950adChia-chi Yehvoid privsep_pfkey_close(int key) 567837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 568c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh pfkey_close(key); 569837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 570837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 571f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yehvchar_t *privsep_eay_get_pkcs1privkey(char *file) 572837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 573f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh return eay_get_pkcs1privkey(file); 574837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 575837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 576e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yehstatic char *get_env(char * const *envp, char *key) 577e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh{ 578e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh int length = strlen(key); 579e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh while (*envp && (strncmp(*envp, key, length) || (*envp)[length] != '=')) { 580e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh ++envp; 581e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh } 582e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh return *envp ? 
&(*envp)[length + 1] : ""; 583e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh} 584e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh 585cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yehstatic int skip_script = 0; 586a9a07aca7cd1e611f2d73582f20623cd62b917baChia-chi Yehextern const char *android_hook(char **envp); 5871070097bb11002f8b5e289982cee9e324ea2f153Chia-chi Yeh 588dbbbd5f297294b2b1ff02b8fd578c8c677879a19Chia-chi Yehint privsep_script_exec(char *script, int name, char * const *envp) 589f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh{ 590cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh if (skip_script) { 591e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh return 0; 592e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh } 593e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh skip_script = 1; 594e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh 595e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh if (name == SCRIPT_PHASE1_DOWN) { 596e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh exit(1); 597e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh } 598e761171cf8053d42449f8a65aa33f716cbc53813Chia-chi Yeh if (script_names[SCRIPT_PHASE1_UP]) { 599cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh /* Racoon ignores INTERNAL_IP6_ADDRESS, so we only do IPv4. 
*/ 600cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh struct sockaddr *addr4 = str2saddr(get_env(envp, "INTERNAL_ADDR4"), 601cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh NULL); 602cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh struct sockaddr *local = str2saddr(get_env(envp, "LOCAL_ADDR"), 603cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh get_env(envp, "LOCAL_PORT")); 604cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh struct sockaddr *remote = str2saddr(get_env(envp, "REMOTE_ADDR"), 605cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh get_env(envp, "REMOTE_PORT")); 606cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh 607cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh if (addr4 && local && remote) { 6081070097bb11002f8b5e289982cee9e324ea2f153Chia-chi Yeh#ifdef ANDROID_CHANGES 609a9a07aca7cd1e611f2d73582f20623cd62b917baChia-chi Yeh if (pname) { 610a9a07aca7cd1e611f2d73582f20623cd62b917baChia-chi Yeh script = (char *)android_hook((char **)envp); 611a9a07aca7cd1e611f2d73582f20623cd62b917baChia-chi Yeh } 6121070097bb11002f8b5e289982cee9e324ea2f153Chia-chi Yeh#endif 613cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh spdadd(addr4, NULL, IPPROTO_IP, local, remote); 614cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh } else { 615cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh do_plog(LLV_ERROR, "Cannot get parameters for SPD policy.\n"); 616cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh exit(1); 617cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh } 618e4b124759603438394e1cc42734d8a6388a3a7e4Chia-chi Yeh 619cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh racoon_free(addr4); 620cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh racoon_free(local); 621cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh racoon_free(remote); 622cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh return script_exec(script, name, envp); 623cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh } 
624cfc417e4c9268b46d71d2fe17aa9ad21bde23f39Chia-chi Yeh return 0; 625f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh} 626837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 627514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yehint privsep_accounting_system(int port, struct sockaddr *addr, 628514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh char *user, int status) 629837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 630f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh return 0; 631837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh} 632837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh 633514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yehint privsep_xauth_login_system(char *user, char *password) 634837a1c77bab77bd62cccb33a15163a962f8dfb97Chia-chi Yeh{ 635f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh return -1; 636f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh} 637f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 6380ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh/* misc.h */ 6390ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh 6400ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yehint racoon_hexdump(void *data, size_t length) 6410ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh{ 6420ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh return 0; 6430ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh} 6440ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh 6450ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh/* sainfo.h */ 6460ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh 6470ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yehstruct sainfo *getsainfo(const vchar_t *src, const vchar_t *dst, 648c91307af2622f6625525f3c1f9c954376df950adChia-chi Yeh const vchar_t *peer, int remoteid) 6490ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh{ 6500ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh return &sainfo; 6510ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh} 6520ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi 
Yeh 6530ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yehconst char *sainfo2str(const struct sainfo *si) 6540ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh{ 6550ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh return "*"; 6560ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh} 6570ed32716f2689c53fe9884c1fa0f917acb9f113fChia-chi Yeh 658514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yeh/* throttle.h */ 659f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh 660514ffe2b8b4236d53f584fcd8382dd65bc4df532Chia-chi Yehint throttle_host(struct sockaddr *addr, int fail) 661f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh{ 662f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh return 0; 663f8a6a7636d53a5730c58ae041e4e09ae12e1657cChia-chi Yeh} 664