Sync usage with man page.
[netbsd-mini2440.git] / crypto / dist / ipsec-tools / src / racoon / isakmp_cfg.c
blobf2a173391d82e1402e815063c1cac4cd5e013532
1 /* $NetBSD: isakmp_cfg.c,v 1.21 2009/01/23 08:23:51 tteras Exp $ */
3 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
5 /*
6 * Copyright (C) 2004-2006 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #include "config.h"
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
41 #include <utmp.h>
42 #if defined(__APPLE__) && defined(__MACH__)
43 #include <util.h>
44 #endif
46 #ifdef __FreeBSD__
47 # include <libutil.h>
48 #endif
49 #ifdef __NetBSD__
50 # include <util.h>
51 #endif
53 #include <netinet/in.h>
54 #include <arpa/inet.h>
56 #include <stdlib.h>
57 #include <stdio.h>
58 #include <string.h>
59 #include <errno.h>
60 #if TIME_WITH_SYS_TIME
61 # include <sys/time.h>
62 # include <time.h>
63 #else
64 # if HAVE_SYS_TIME_H
65 # include <sys/time.h>
66 # else
67 # include <time.h>
68 # endif
69 #endif
70 #include <netdb.h>
71 #ifdef HAVE_UNISTD_H
72 #include <unistd.h>
73 #endif
74 #if HAVE_STDINT_H
75 #include <stdint.h>
76 #endif
77 #include <ctype.h>
78 #include <resolv.h>
80 #ifdef HAVE_LIBRADIUS
81 #include <sys/utsname.h>
82 #include <radlib.h>
83 #endif
85 #include "var.h"
86 #include "misc.h"
87 #include "vmbuf.h"
88 #include "plog.h"
89 #include "sockmisc.h"
90 #include "schedule.h"
91 #include "debug.h"
93 #include "isakmp_var.h"
94 #include "isakmp.h"
95 #include "handler.h"
96 #include "evt.h"
97 #include "throttle.h"
98 #include "remoteconf.h"
99 #include "crypto_openssl.h"
100 #include "isakmp_inf.h"
101 #include "isakmp_xauth.h"
102 #include "isakmp_unity.h"
103 #include "isakmp_cfg.h"
104 #include "strnames.h"
105 #include "admin.h"
106 #include "privsep.h"
108 struct isakmp_cfg_config isakmp_cfg_config;
110 static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
111 static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
112 #if 0
113 static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *);
114 #endif
115 static vchar_t *isakmp_cfg_addr4(struct ph1handle *,
116 struct isakmp_data *, in_addr_t *);
117 static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
118 static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
119 struct isakmp_data *, in_addr_t *, int);
120 static void isakmp_cfg_appendaddr4(struct isakmp_data *,
121 struct in_addr *, int *, int);
122 static void isakmp_cfg_getstring(struct isakmp_data *,char *);
123 void isakmp_cfg_iplist_to_str(char *, int, void *, int);
125 #define ISAKMP_CFG_LOGIN 1
126 #define ISAKMP_CFG_LOGOUT 2
127 static int isakmp_cfg_accounting(struct ph1handle *, int);
128 #ifdef HAVE_LIBRADIUS
129 static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
130 #endif
133 * Handle an ISAKMP config mode packet
134 * We expect HDR, HASH, ATTR
136 void
137 isakmp_cfg_r(iph1, msg)
138 struct ph1handle *iph1;
139 vchar_t *msg;
141 struct isakmp *packet;
142 struct isakmp_gen *ph;
143 int tlen;
144 char *npp;
145 int np;
146 vchar_t *dmsg;
147 struct isakmp_ivm *ivm;
149 /* Check that the packet is long enough to have a header */
150 if (msg->l < sizeof(*packet)) {
151 plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n");
152 return;
155 packet = (struct isakmp *)msg->v;
157 /* Is it encrypted? It should be encrypted */
158 if ((packet->flags & ISAKMP_FLAG_E) == 0) {
159 plog(LLV_ERROR, LOCATION, NULL,
160 "User credentials sent in cleartext!\n");
161 return;
165 * Decrypt the packet. If this is the beginning of a new
166 * exchange, reinitialize the IV
168 if (iph1->mode_cfg->ivm == NULL ||
169 iph1->mode_cfg->last_msgid != packet->msgid )
170 iph1->mode_cfg->ivm =
171 isakmp_cfg_newiv(iph1, packet->msgid);
172 ivm = iph1->mode_cfg->ivm;
174 dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
175 if (dmsg == NULL) {
176 plog(LLV_ERROR, LOCATION, NULL,
177 "failed to decrypt message\n");
178 return;
181 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n");
182 plogdump(LLV_DEBUG, dmsg->v, dmsg->l);
184 /* Now work with the decrypted packet */
185 packet = (struct isakmp *)dmsg->v;
186 tlen = dmsg->l - sizeof(*packet);
187 ph = (struct isakmp_gen *)(packet + 1);
189 np = packet->np;
190 while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
191 /* Check that the payload header fits in the packet */
192 if (tlen < sizeof(*ph)) {
193 plog(LLV_WARNING, LOCATION, NULL,
194 "Short payload header\n");
195 goto out;
198 /* Check that the payload fits in the packet */
199 if (tlen < ntohs(ph->len)) {
200 plog(LLV_WARNING, LOCATION, NULL,
201 "Short payload\n");
202 goto out;
205 plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np);
206 plogdump(LLV_DEBUG, ph, ntohs(ph->len));
208 switch(np) {
209 case ISAKMP_NPTYPE_HASH: {
210 vchar_t *check;
211 vchar_t *payload;
212 size_t plen;
213 struct isakmp_gen *nph;
215 plen = ntohs(ph->len);
216 nph = (struct isakmp_gen *)((char *)ph + plen);
217 plen = ntohs(nph->len);
219 if ((payload = vmalloc(plen)) == NULL) {
220 plog(LLV_ERROR, LOCATION, NULL,
221 "Cannot allocate memory\n");
222 goto out;
224 memcpy(payload->v, nph, plen);
226 if ((check = oakley_compute_hash1(iph1,
227 packet->msgid, payload)) == NULL) {
228 plog(LLV_ERROR, LOCATION, NULL,
229 "Cannot compute hash\n");
230 vfree(payload);
231 goto out;
234 if (memcmp(ph + 1, check->v, check->l) != 0) {
235 plog(LLV_ERROR, LOCATION, NULL,
236 "Hash verification failed\n");
237 vfree(payload);
238 vfree(check);
239 goto out;
241 vfree(payload);
242 vfree(check);
243 break;
245 case ISAKMP_NPTYPE_ATTR: {
246 struct isakmp_pl_attr *attrpl;
248 attrpl = (struct isakmp_pl_attr *)ph;
249 isakmp_cfg_attr_r(iph1, packet->msgid, attrpl);
251 break;
253 default:
254 plog(LLV_WARNING, LOCATION, NULL,
255 "Unexpected next payload %d\n", np);
256 /* Skip to the next payload */
257 break;
260 /* Move to the next payload */
261 np = ph->np;
262 tlen -= ntohs(ph->len);
263 npp = (char *)ph;
264 ph = (struct isakmp_gen *)(npp + ntohs(ph->len));
267 out:
268 vfree(dmsg);
272 isakmp_cfg_attr_r(iph1, msgid, attrpl)
273 struct ph1handle *iph1;
274 u_int32_t msgid;
275 struct isakmp_pl_attr *attrpl;
277 int type = attrpl->type;
279 plog(LLV_DEBUG, LOCATION, NULL,
280 "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
281 switch (type) {
282 case ISAKMP_CFG_ACK:
283 /* ignore, but this is the time to reinit the IV */
284 oakley_delivm(iph1->mode_cfg->ivm);
285 iph1->mode_cfg->ivm = NULL;
286 return 0;
287 break;
289 case ISAKMP_CFG_REPLY:
290 return isakmp_cfg_reply(iph1, attrpl);
291 break;
293 case ISAKMP_CFG_REQUEST:
294 iph1->msgid = msgid;
295 return isakmp_cfg_request(iph1, attrpl);
296 break;
298 case ISAKMP_CFG_SET:
299 iph1->msgid = msgid;
300 return isakmp_cfg_set(iph1, attrpl);
301 break;
303 default:
304 plog(LLV_WARNING, LOCATION, NULL,
305 "Unepected configuration exchange type %d\n", type);
306 return -1;
307 break;
310 return 0;
314 isakmp_cfg_reply(iph1, attrpl)
315 struct ph1handle *iph1;
316 struct isakmp_pl_attr *attrpl;
318 struct isakmp_data *attr;
319 int tlen;
320 size_t alen;
321 char *npp;
322 int type;
323 struct sockaddr_in *sin;
324 int error;
326 tlen = ntohs(attrpl->h.len);
327 attr = (struct isakmp_data *)(attrpl + 1);
328 tlen -= sizeof(*attrpl);
330 while (tlen > 0) {
331 type = ntohs(attr->type);
333 /* Handle short attributes */
334 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
335 type &= ~ISAKMP_GEN_MASK;
337 plog(LLV_DEBUG, LOCATION, NULL,
338 "Short attribute %s = %d\n",
339 s_isakmp_cfg_type(type), ntohs(attr->lorv));
341 switch (type) {
342 case XAUTH_TYPE:
343 if ((error = xauth_attr_reply(iph1,
344 attr, ntohs(attrpl->id))) != 0)
345 return error;
346 break;
348 default:
349 plog(LLV_WARNING, LOCATION, NULL,
350 "Ignored short attribute %s\n",
351 s_isakmp_cfg_type(type));
352 break;
355 tlen -= sizeof(*attr);
356 attr++;
357 continue;
360 type = ntohs(attr->type);
361 alen = ntohs(attr->lorv);
363 /* Check that the attribute fit in the packet */
364 if (tlen < alen) {
365 plog(LLV_ERROR, LOCATION, NULL,
366 "Short attribute %s\n",
367 s_isakmp_cfg_type(type));
368 return -1;
371 plog(LLV_DEBUG, LOCATION, NULL,
372 "Attribute %s, len %zu\n",
373 s_isakmp_cfg_type(type), alen);
375 switch(type) {
376 case XAUTH_TYPE:
377 case XAUTH_USER_NAME:
378 case XAUTH_USER_PASSWORD:
379 case XAUTH_PASSCODE:
380 case XAUTH_MESSAGE:
381 case XAUTH_CHALLENGE:
382 case XAUTH_DOMAIN:
383 case XAUTH_STATUS:
384 case XAUTH_NEXT_PIN:
385 case XAUTH_ANSWER:
386 if ((error = xauth_attr_reply(iph1,
387 attr, ntohs(attrpl->id))) != 0)
388 return error;
389 break;
390 case INTERNAL_IP4_ADDRESS:
391 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4);
392 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4;
393 break;
394 case INTERNAL_IP4_NETMASK:
395 isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4);
396 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4;
397 break;
398 case INTERNAL_IP4_DNS:
399 isakmp_cfg_appendaddr4(attr,
400 &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index],
401 &iph1->mode_cfg->dns4_index, MAXNS);
402 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4;
403 break;
404 case INTERNAL_IP4_NBNS:
405 isakmp_cfg_appendaddr4(attr,
406 &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index],
407 &iph1->mode_cfg->wins4_index, MAXNS);
408 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4;
409 break;
410 case UNITY_DEF_DOMAIN:
411 isakmp_cfg_getstring(attr,
412 iph1->mode_cfg->default_domain);
413 iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN;
414 break;
415 case UNITY_SPLIT_INCLUDE:
416 case UNITY_LOCAL_LAN:
417 case UNITY_SPLITDNS_NAME:
418 case UNITY_BANNER:
419 case UNITY_SAVE_PASSWD:
420 case UNITY_NATT_PORT:
421 case UNITY_PFS:
422 case UNITY_FW_TYPE:
423 case UNITY_BACKUP_SERVERS:
424 case UNITY_DDNS_HOSTNAME:
425 isakmp_unity_reply(iph1, attr);
426 break;
427 case INTERNAL_IP4_SUBNET:
428 case INTERNAL_ADDRESS_EXPIRY:
429 default:
430 plog(LLV_WARNING, LOCATION, NULL,
431 "Ignored attribute %s\n",
432 s_isakmp_cfg_type(type));
433 break;
436 npp = (char *)attr;
437 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
438 tlen -= (sizeof(*attr) + alen);
442 * Call the SA up script hook now that we have the configuration
443 * It is done at the end of phase 1 if ISAKMP mode config is not
444 * requested.
447 if ((iph1->status == PHASE1ST_ESTABLISHED) &&
448 iph1->rmconf->mode_cfg) {
449 switch (iph1->approval->authmethod) {
450 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
451 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
452 /* Unimplemented */
453 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
454 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
455 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
456 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
457 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
458 script_hook(iph1, SCRIPT_PHASE1_UP);
459 break;
460 default:
461 break;
466 #ifdef ENABLE_ADMINPORT
468 vchar_t *buf;
470 alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
471 if ((buf = vmalloc(alen)) == NULL) {
472 plog(LLV_WARNING, LOCATION, NULL,
473 "Cannot allocate memory: %s\n", strerror(errno));
474 } else {
475 memcpy(buf->v, attrpl + 1, buf->l);
476 evt_phase1(iph1, EVT_PHASE1_MODE_CFG, buf);
477 vfree(buf);
480 #endif
482 return 0;
486 isakmp_cfg_request(iph1, attrpl)
487 struct ph1handle *iph1;
488 struct isakmp_pl_attr *attrpl;
490 struct isakmp_data *attr;
491 int tlen;
492 size_t alen;
493 char *npp;
494 vchar_t *payload;
495 struct isakmp_pl_attr *reply;
496 vchar_t *reply_attr;
497 int type;
498 int error = -1;
500 if ((payload = vmalloc(sizeof(*reply))) == NULL) {
501 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
502 return -1;
504 memset(payload->v, 0, sizeof(*reply));
506 tlen = ntohs(attrpl->h.len);
507 attr = (struct isakmp_data *)(attrpl + 1);
508 tlen -= sizeof(*attrpl);
510 while (tlen > 0) {
511 reply_attr = NULL;
512 type = ntohs(attr->type);
514 /* Handle short attributes */
515 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
516 type &= ~ISAKMP_GEN_MASK;
518 plog(LLV_DEBUG, LOCATION, NULL,
519 "Short attribute %s = %d\n",
520 s_isakmp_cfg_type(type), ntohs(attr->lorv));
522 switch (type) {
523 case XAUTH_TYPE:
524 reply_attr = isakmp_xauth_req(iph1, attr);
525 break;
526 default:
527 plog(LLV_WARNING, LOCATION, NULL,
528 "Ignored short attribute %s\n",
529 s_isakmp_cfg_type(type));
530 break;
533 tlen -= sizeof(*attr);
534 attr++;
536 if (reply_attr != NULL) {
537 payload = buffer_cat(payload, reply_attr);
538 vfree(reply_attr);
541 continue;
544 type = ntohs(attr->type);
545 alen = ntohs(attr->lorv);
547 /* Check that the attribute fit in the packet */
548 if (tlen < alen) {
549 plog(LLV_ERROR, LOCATION, NULL,
550 "Short attribute %s\n",
551 s_isakmp_cfg_type(type));
552 goto end;
555 plog(LLV_DEBUG, LOCATION, NULL,
556 "Attribute %s, len %zu\n",
557 s_isakmp_cfg_type(type), alen);
559 switch(type) {
560 case INTERNAL_IP4_ADDRESS:
561 case INTERNAL_IP4_NETMASK:
562 case INTERNAL_IP4_DNS:
563 case INTERNAL_IP4_NBNS:
564 case INTERNAL_IP4_SUBNET:
565 reply_attr = isakmp_cfg_net(iph1, attr);
566 break;
568 case XAUTH_TYPE:
569 case XAUTH_USER_NAME:
570 case XAUTH_USER_PASSWORD:
571 case XAUTH_PASSCODE:
572 case XAUTH_MESSAGE:
573 case XAUTH_CHALLENGE:
574 case XAUTH_DOMAIN:
575 case XAUTH_STATUS:
576 case XAUTH_NEXT_PIN:
577 case XAUTH_ANSWER:
578 reply_attr = isakmp_xauth_req(iph1, attr);
579 break;
581 case APPLICATION_VERSION:
582 reply_attr = isakmp_cfg_string(iph1,
583 attr, ISAKMP_CFG_RACOON_VERSION);
584 break;
586 case UNITY_BANNER:
587 case UNITY_PFS:
588 case UNITY_SAVE_PASSWD:
589 case UNITY_DEF_DOMAIN:
590 case UNITY_DDNS_HOSTNAME:
591 case UNITY_FW_TYPE:
592 case UNITY_SPLITDNS_NAME:
593 case UNITY_SPLIT_INCLUDE:
594 case UNITY_LOCAL_LAN:
595 case UNITY_NATT_PORT:
596 case UNITY_BACKUP_SERVERS:
597 reply_attr = isakmp_unity_req(iph1, attr);
598 break;
600 case INTERNAL_ADDRESS_EXPIRY:
601 default:
602 plog(LLV_WARNING, LOCATION, NULL,
603 "Ignored attribute %s\n",
604 s_isakmp_cfg_type(type));
605 break;
608 npp = (char *)attr;
609 attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
610 tlen -= (sizeof(*attr) + alen);
612 if (reply_attr != NULL) {
613 payload = buffer_cat(payload, reply_attr);
614 vfree(reply_attr);
619 reply = (struct isakmp_pl_attr *)payload->v;
620 reply->h.len = htons(payload->l);
621 reply->type = ISAKMP_CFG_REPLY;
622 reply->id = attrpl->id;
624 plog(LLV_DEBUG, LOCATION, NULL,
625 "Sending MODE_CFG REPLY\n");
627 error = isakmp_cfg_send(iph1, payload,
628 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
630 if (iph1->status == PHASE1ST_ESTABLISHED) {
631 switch (iph1->approval->authmethod) {
632 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
633 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
634 /* Unimplemented */
635 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
636 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
637 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
638 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
640 script_hook(iph1, SCRIPT_PHASE1_UP);
641 break;
642 default:
643 break;
647 end:
648 vfree(payload);
650 return error;
654 isakmp_cfg_set(iph1, attrpl)
655 struct ph1handle *iph1;
656 struct isakmp_pl_attr *attrpl;
658 struct isakmp_data *attr;
659 int tlen;
660 size_t alen;
661 char *npp;
662 vchar_t *payload;
663 struct isakmp_pl_attr *reply;
664 vchar_t *reply_attr;
665 int type;
666 int error = -1;
668 if ((payload = vmalloc(sizeof(*reply))) == NULL) {
669 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
670 return -1;
672 memset(payload->v, 0, sizeof(*reply));
674 tlen = ntohs(attrpl->h.len);
675 attr = (struct isakmp_data *)(attrpl + 1);
676 tlen -= sizeof(*attrpl);
679 * We should send ack for the attributes we accepted
681 while (tlen > 0) {
682 reply_attr = NULL;
683 type = ntohs(attr->type);
685 plog(LLV_DEBUG, LOCATION, NULL,
686 "Attribute %s\n",
687 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
689 switch (type & ~ISAKMP_GEN_MASK) {
690 case XAUTH_STATUS:
691 reply_attr = isakmp_xauth_set(iph1, attr);
692 break;
693 default:
694 plog(LLV_DEBUG, LOCATION, NULL,
695 "Unexpected SET attribute %s\n",
696 s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
697 break;
700 if (reply_attr != NULL) {
701 payload = buffer_cat(payload, reply_attr);
702 vfree(reply_attr);
706 * Move to next attribute. If we run out of the packet,
707 * tlen becomes negative and we exit.
709 if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
710 tlen -= sizeof(*attr);
711 attr++;
712 } else {
713 alen = ntohs(attr->lorv);
714 tlen -= (sizeof(*attr) + alen);
715 npp = (char *)attr;
716 attr = (struct isakmp_data *)
717 (npp + sizeof(*attr) + alen);
721 reply = (struct isakmp_pl_attr *)payload->v;
722 reply->h.len = htons(payload->l);
723 reply->type = ISAKMP_CFG_ACK;
724 reply->id = attrpl->id;
726 plog(LLV_DEBUG, LOCATION, NULL,
727 "Sending MODE_CFG ACK\n");
729 error = isakmp_cfg_send(iph1, payload,
730 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
732 if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
733 if (iph1->status == PHASE1ST_ESTABLISHED ||
734 iph1->status == PHASE1ST_DYING)
735 isakmp_info_send_d1(iph1);
736 remph1(iph1);
737 delph1(iph1);
738 iph1 = NULL;
740 end:
741 vfree(payload);
744 * If required, request ISAKMP mode config information
746 if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0))
747 error = isakmp_cfg_getconfig(iph1);
749 return error;
753 static vchar_t *
754 buffer_cat(s, append)
755 vchar_t *s;
756 vchar_t *append;
758 vchar_t *new;
760 new = vmalloc(s->l + append->l);
761 if (new == NULL) {
762 plog(LLV_ERROR, LOCATION, NULL,
763 "Cannot allocate memory\n");
764 return s;
767 memcpy(new->v, s->v, s->l);
768 memcpy(new->v + s->l, append->v, append->l);
770 vfree(s);
771 return new;
774 static vchar_t *
775 isakmp_cfg_net(iph1, attr)
776 struct ph1handle *iph1;
777 struct isakmp_data *attr;
779 int type;
780 int confsource;
781 in_addr_t addr4;
783 type = ntohs(attr->type);
786 * Don't give an address to a peer that did not succeed Xauth
788 if (xauth_check(iph1) != 0) {
789 plog(LLV_ERROR, LOCATION, NULL,
790 "Attempt to start phase config whereas Xauth failed\n");
791 return NULL;
794 confsource = isakmp_cfg_config.confsource;
796 * If we have to fall back to a local
797 * configuration source, we will jump
798 * back to this point.
800 retry_source:
802 switch(type) {
803 case INTERNAL_IP4_ADDRESS:
804 switch(confsource) {
805 #ifdef HAVE_LIBLDAP
806 case ISAKMP_CFG_CONF_LDAP:
807 if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
808 break;
809 plog(LLV_INFO, LOCATION, NULL,
810 "No IP from LDAP, using local pool\n");
811 /* FALLTHROUGH */
812 confsource = ISAKMP_CFG_CONF_LOCAL;
813 goto retry_source;
814 #endif
815 #ifdef HAVE_LIBRADIUS
816 case ISAKMP_CFG_CONF_RADIUS:
817 if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
818 && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
820 * -2 is 255.255.255.254, RADIUS uses that
821 * to instruct the NAS to use a local pool
823 break;
824 plog(LLV_INFO, LOCATION, NULL,
825 "No IP from RADIUS, using local pool\n");
826 /* FALLTHROUGH */
827 confsource = ISAKMP_CFG_CONF_LOCAL;
828 goto retry_source;
829 #endif
830 case ISAKMP_CFG_CONF_LOCAL:
831 if (isakmp_cfg_getport(iph1) == -1) {
832 plog(LLV_ERROR, LOCATION, NULL,
833 "Port pool depleted\n");
834 break;
837 iph1->mode_cfg->addr4.s_addr =
838 htonl(ntohl(isakmp_cfg_config.network4)
839 + iph1->mode_cfg->port);
840 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL;
841 break;
843 default:
844 plog(LLV_ERROR, LOCATION, NULL,
845 "Unexpected confsource\n");
848 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0)
849 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
851 return isakmp_cfg_addr4(iph1,
852 attr, &iph1->mode_cfg->addr4.s_addr);
853 break;
855 case INTERNAL_IP4_NETMASK:
856 switch(confsource) {
857 #ifdef HAVE_LIBLDAP
858 case ISAKMP_CFG_CONF_LDAP:
859 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
860 break;
861 plog(LLV_INFO, LOCATION, NULL,
862 "No mask from LDAP, using local pool\n");
863 /* FALLTHROUGH */
864 confsource = ISAKMP_CFG_CONF_LOCAL;
865 goto retry_source;
866 #endif
867 #ifdef HAVE_LIBRADIUS
868 case ISAKMP_CFG_CONF_RADIUS:
869 if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
870 break;
871 plog(LLV_INFO, LOCATION, NULL,
872 "No mask from RADIUS, using local pool\n");
873 /* FALLTHROUGH */
874 confsource = ISAKMP_CFG_CONF_LOCAL;
875 goto retry_source;
876 #endif
877 case ISAKMP_CFG_CONF_LOCAL:
878 iph1->mode_cfg->mask4.s_addr
879 = isakmp_cfg_config.netmask4;
880 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL;
881 break;
883 default:
884 plog(LLV_ERROR, LOCATION, NULL,
885 "Unexpected confsource\n");
887 return isakmp_cfg_addr4(iph1, attr,
888 &iph1->mode_cfg->mask4.s_addr);
889 break;
891 case INTERNAL_IP4_DNS:
892 return isakmp_cfg_addr4_list(iph1,
893 attr, &isakmp_cfg_config.dns4[0],
894 isakmp_cfg_config.dns4_index);
895 break;
897 case INTERNAL_IP4_NBNS:
898 return isakmp_cfg_addr4_list(iph1,
899 attr, &isakmp_cfg_config.nbns4[0],
900 isakmp_cfg_config.nbns4_index);
901 break;
903 case INTERNAL_IP4_SUBNET:
904 return isakmp_cfg_addr4(iph1,
905 attr, &isakmp_cfg_config.network4);
906 break;
908 default:
909 plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type);
910 break;
912 return NULL;
915 #if 0
916 static vchar_t *
917 isakmp_cfg_void(iph1, attr)
918 struct ph1handle *iph1;
919 struct isakmp_data *attr;
921 vchar_t *buffer;
922 struct isakmp_data *new;
924 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
925 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
926 return NULL;
929 new = (struct isakmp_data *)buffer->v;
931 new->type = attr->type;
932 new->lorv = htons(0);
934 return buffer;
936 #endif
938 vchar_t *
939 isakmp_cfg_copy(iph1, attr)
940 struct ph1handle *iph1;
941 struct isakmp_data *attr;
943 vchar_t *buffer;
944 size_t len = 0;
946 if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV)
947 len = ntohs(attr->lorv);
949 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
950 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
951 return NULL;
954 memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv));
956 return buffer;
959 vchar_t *
960 isakmp_cfg_short(iph1, attr, value)
961 struct ph1handle *iph1;
962 struct isakmp_data *attr;
963 int value;
965 vchar_t *buffer;
966 struct isakmp_data *new;
967 int type;
969 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
970 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
971 return NULL;
974 new = (struct isakmp_data *)buffer->v;
975 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
977 new->type = htons(type | ISAKMP_GEN_TV);
978 new->lorv = htons(value);
980 return buffer;
983 vchar_t *
984 isakmp_cfg_varlen(iph1, attr, string, len)
985 struct ph1handle *iph1;
986 struct isakmp_data *attr;
987 char *string;
988 size_t len;
990 vchar_t *buffer;
991 struct isakmp_data *new;
992 char *data;
994 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
995 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
996 return NULL;
999 new = (struct isakmp_data *)buffer->v;
1001 new->type = attr->type;
1002 new->lorv = htons(len);
1003 data = (char *)(new + 1);
1005 memcpy(data, string, len);
1007 return buffer;
1009 vchar_t *
1010 isakmp_cfg_string(iph1, attr, string)
1011 struct ph1handle *iph1;
1012 struct isakmp_data *attr;
1013 char *string;
1015 size_t len = strlen(string);
1016 return isakmp_cfg_varlen(iph1, attr, string, len);
1019 static vchar_t *
1020 isakmp_cfg_addr4(iph1, attr, addr)
1021 struct ph1handle *iph1;
1022 struct isakmp_data *attr;
1023 in_addr_t *addr;
1025 vchar_t *buffer;
1026 struct isakmp_data *new;
1027 size_t len;
1029 len = sizeof(*addr);
1030 if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
1031 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1032 return NULL;
1035 new = (struct isakmp_data *)buffer->v;
1037 new->type = attr->type;
1038 new->lorv = htons(len);
1039 memcpy(new + 1, addr, len);
1041 return buffer;
1044 static vchar_t *
1045 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
1046 struct ph1handle *iph1;
1047 struct isakmp_data *attr;
1048 in_addr_t *addr;
1049 int nbr;
1051 int error = -1;
1052 vchar_t *buffer = NULL;
1053 vchar_t *bufone = NULL;
1054 struct isakmp_data *new;
1055 size_t len;
1056 int i;
1058 len = sizeof(*addr);
1059 if ((buffer = vmalloc(0)) == NULL) {
1060 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1061 goto out;
1063 for(i = 0; i < nbr; i++) {
1064 if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
1065 plog(LLV_ERROR, LOCATION, NULL,
1066 "Cannot allocate memory\n");
1067 goto out;
1069 new = (struct isakmp_data *)bufone->v;
1070 new->type = attr->type;
1071 new->lorv = htons(len);
1072 memcpy(new + 1, &addr[i], len);
1073 new += (len + sizeof(*attr));
1074 buffer = buffer_cat(buffer, bufone);
1075 vfree(bufone);
1078 error = 0;
1080 out:
1081 if ((error != 0) && (buffer != NULL)) {
1082 vfree(buffer);
1083 buffer = NULL;
1086 return buffer;
1089 struct isakmp_ivm *
1090 isakmp_cfg_newiv(iph1, msgid)
1091 struct ph1handle *iph1;
1092 u_int32_t msgid;
1094 struct isakmp_cfg_state *ics = iph1->mode_cfg;
1096 if (ics == NULL) {
1097 plog(LLV_ERROR, LOCATION, NULL,
1098 "isakmp_cfg_newiv called without mode config state\n");
1099 return NULL;
1102 if (ics->ivm != NULL)
1103 oakley_delivm(ics->ivm);
1105 ics->ivm = oakley_newiv2(iph1, msgid);
1106 ics->last_msgid = msgid;
1108 return ics->ivm;
1111 /* Derived from isakmp_info_send_common */
1113 isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
1114 struct ph1handle *iph1;
1115 vchar_t *payload;
1116 u_int32_t np;
1117 int flags;
1118 int new_exchange;
1120 struct ph2handle *iph2 = NULL;
1121 vchar_t *hash = NULL;
1122 struct isakmp *isakmp;
1123 struct isakmp_gen *gen;
1124 char *p;
1125 int tlen;
1126 int error = -1;
1127 struct isakmp_cfg_state *ics = iph1->mode_cfg;
1129 /* Check if phase 1 is established */
1130 if ((iph1->status < PHASE1ST_ESTABLISHED) ||
1131 (iph1->local == NULL) ||
1132 (iph1->remote == NULL)) {
1133 plog(LLV_ERROR, LOCATION, NULL,
1134 "ISAKMP mode config exchange with immature phase 1\n");
1135 goto end;
1138 /* add new entry to isakmp status table */
1139 iph2 = newph2();
1140 if (iph2 == NULL)
1141 goto end;
1143 iph2->dst = dupsaddr(iph1->remote);
1144 if (iph2->dst == NULL) {
1145 delph2(iph2);
1146 goto end;
1148 iph2->src = dupsaddr(iph1->local);
1149 if (iph2->src == NULL) {
1150 delph2(iph2);
1151 goto end;
1154 iph2->side = INITIATOR;
1155 iph2->status = PHASE2ST_START;
1157 if (new_exchange)
1158 iph2->msgid = isakmp_newmsgid2(iph1);
1159 else
1160 iph2->msgid = iph1->msgid;
1162 /* get IV and HASH(1) if skeyid_a was generated. */
1163 if (iph1->skeyid_a != NULL) {
1164 if (new_exchange) {
1165 if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) {
1166 delph2(iph2);
1167 goto end;
1171 /* generate HASH(1) */
1172 hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
1173 if (hash == NULL) {
1174 delph2(iph2);
1175 goto end;
1178 /* initialized total buffer length */
1179 tlen = hash->l;
1180 tlen += sizeof(*gen);
1181 } else {
1182 /* IKE-SA is not established */
1183 hash = NULL;
1185 /* initialized total buffer length */
1186 tlen = 0;
1188 if ((flags & ISAKMP_FLAG_A) == 0)
1189 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
1190 else
1191 iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
1193 insph2(iph2);
1194 bindph12(iph1, iph2);
1196 tlen += sizeof(*isakmp) + payload->l;
1198 /* create buffer for isakmp payload */
1199 iph2->sendbuf = vmalloc(tlen);
1200 if (iph2->sendbuf == NULL) {
1201 plog(LLV_ERROR, LOCATION, NULL,
1202 "failed to get buffer to send.\n");
1203 goto err;
1206 /* create isakmp header */
1207 isakmp = (struct isakmp *)iph2->sendbuf->v;
1208 memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
1209 memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
1210 isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
1211 isakmp->v = iph1->version;
1212 isakmp->etype = ISAKMP_ETYPE_CFG;
1213 isakmp->flags = iph2->flags;
1214 memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
1215 isakmp->len = htonl(tlen);
1216 p = (char *)(isakmp + 1);
1218 /* create HASH payload */
1219 if (hash != NULL) {
1220 gen = (struct isakmp_gen *)p;
1221 gen->np = np & 0xff;
1222 gen->len = htons(sizeof(*gen) + hash->l);
1223 p += sizeof(*gen);
1224 memcpy(p, hash->v, hash->l);
1225 p += hash->l;
1228 /* add payload */
1229 memcpy(p, payload->v, payload->l);
1230 p += payload->l;
1232 #ifdef HAVE_PRINT_ISAKMP_C
1233 isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
1234 #endif
1236 plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n");
1237 plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l);
1239 /* encoding */
1240 if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
1241 vchar_t *tmp;
1243 tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf,
1244 ics->ivm->ive, ics->ivm->iv);
1245 VPTRINIT(iph2->sendbuf);
1246 if (tmp == NULL)
1247 goto err;
1248 iph2->sendbuf = tmp;
1251 /* HDR*, HASH(1), ATTR */
1252 if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
1253 VPTRINIT(iph2->sendbuf);
1254 goto err;
1257 plog(LLV_DEBUG, LOCATION, NULL,
1258 "sendto mode config %s.\n", s_isakmp_nptype(np));
1261 * XXX We might need to resend the message...
1264 error = 0;
1265 VPTRINIT(iph2->sendbuf);
1267 err:
1268 if (iph2->sendbuf != NULL)
1269 vfree(iph2->sendbuf);
1271 remph2(iph2);
1272 delph2(iph2);
1273 end:
1274 if (hash)
1275 vfree(hash);
1276 return error;
1280 void
1281 isakmp_cfg_rmstate(iph1)
1282 struct ph1handle *iph1;
1284 struct isakmp_cfg_state *state = iph1->mode_cfg;
1286 if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0)
1287 plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
1289 if (state->flags & ISAKMP_CFG_PORT_ALLOCATED)
1290 isakmp_cfg_putport(iph1, state->port);
1292 /* Delete the IV if it's still there */
1293 if(iph1->mode_cfg->ivm) {
1294 oakley_delivm(iph1->mode_cfg->ivm);
1295 iph1->mode_cfg->ivm = NULL;
1298 /* Free any allocated splitnet lists */
1299 if(iph1->mode_cfg->split_include != NULL)
1300 splitnet_list_free(iph1->mode_cfg->split_include,
1301 &iph1->mode_cfg->include_count);
1302 if(iph1->mode_cfg->split_local != NULL)
1303 splitnet_list_free(iph1->mode_cfg->split_local,
1304 &iph1->mode_cfg->local_count);
1306 xauth_rmstate(&state->xauth);
1308 racoon_free(state);
1309 iph1->mode_cfg = NULL;
1311 return;
1314 struct isakmp_cfg_state *
1315 isakmp_cfg_mkstate(void)
1317 struct isakmp_cfg_state *state;
1319 if ((state = racoon_malloc(sizeof(*state))) == NULL) {
1320 plog(LLV_ERROR, LOCATION, NULL,
1321 "Cannot allocate memory for mode config state\n");
1322 return NULL;
1324 memset(state, 0, sizeof(*state));
1326 return state;
1329 int
1330 isakmp_cfg_getport(iph1)
1331 struct ph1handle *iph1;
1333 unsigned int i;
1334 size_t size = isakmp_cfg_config.pool_size;
1336 if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED)
1337 return iph1->mode_cfg->port;
1339 if (isakmp_cfg_config.port_pool == NULL) {
1340 plog(LLV_ERROR, LOCATION, NULL,
1341 "isakmp_cfg_config.port_pool == NULL\n");
1342 return -1;
1345 for (i = 0; i < size; i++) {
1346 if (isakmp_cfg_config.port_pool[i].used == 0)
1347 break;
1350 if (i == size) {
1351 plog(LLV_ERROR, LOCATION, NULL,
1352 "No more addresses available\n");
1353 return -1;
1356 isakmp_cfg_config.port_pool[i].used = 1;
1358 plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i);
1360 iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
1361 iph1->mode_cfg->port = i;
1363 return i;
1366 int
1367 isakmp_cfg_putport(iph1, index)
1368 struct ph1handle *iph1;
1369 unsigned int index;
1371 if (isakmp_cfg_config.port_pool == NULL) {
1372 plog(LLV_ERROR, LOCATION, NULL,
1373 "isakmp_cfg_config.port_pool == NULL\n");
1374 return -1;
1377 if (isakmp_cfg_config.port_pool[index].used == 0) {
1378 plog(LLV_ERROR, LOCATION, NULL,
1379 "Attempt to release an unallocated address (port %d)\n",
1380 index);
1381 return -1;
1384 #ifdef HAVE_LIBPAM
1385 /* Cleanup PAM status associated with the port */
1386 if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM)
1387 privsep_cleanup_pam(index);
1388 #endif
1389 isakmp_cfg_config.port_pool[index].used = 0;
1390 iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
1392 plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index);
1394 return 0;
1397 #ifdef HAVE_LIBPAM
1398 void
1399 cleanup_pam(port)
1400 int port;
1402 if (isakmp_cfg_config.port_pool[port].pam != NULL) {
1403 pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS);
1404 isakmp_cfg_config.port_pool[port].pam = NULL;
1407 return;
1409 #endif
1411 /* Accounting, only for RADIUS or PAM */
1412 static int
1413 isakmp_cfg_accounting(iph1, inout)
1414 struct ph1handle *iph1;
1415 int inout;
1417 #ifdef HAVE_LIBPAM
1418 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM)
1419 return privsep_accounting_pam(iph1->mode_cfg->port,
1420 inout);
1421 #endif
1422 #ifdef HAVE_LIBRADIUS
1423 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
1424 return isakmp_cfg_accounting_radius(iph1, inout);
1425 #endif
1426 if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
1427 return privsep_accounting_system(iph1->mode_cfg->port,
1428 iph1->remote, iph1->mode_cfg->login, inout);
1429 return 0;
1432 #ifdef HAVE_LIBPAM
1433 int
1434 isakmp_cfg_accounting_pam(port, inout)
1435 int port;
1436 int inout;
1438 int error = 0;
1439 pam_handle_t *pam;
1441 if (isakmp_cfg_config.port_pool == NULL) {
1442 plog(LLV_ERROR, LOCATION, NULL,
1443 "isakmp_cfg_config.port_pool == NULL\n");
1444 return -1;
1447 pam = isakmp_cfg_config.port_pool[port].pam;
1448 if (pam == NULL) {
1449 plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n");
1450 return -1;
1453 switch (inout) {
1454 case ISAKMP_CFG_LOGIN:
1455 error = pam_open_session(pam, 0);
1456 break;
1457 case ISAKMP_CFG_LOGOUT:
1458 error = pam_close_session(pam, 0);
1459 pam_end(pam, error);
1460 isakmp_cfg_config.port_pool[port].pam = NULL;
1461 break;
1462 default:
1463 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1464 break;
1467 if (error != 0) {
1468 plog(LLV_ERROR, LOCATION, NULL,
1469 "pam_open_session/pam_close_session failed: %s\n",
1470 pam_strerror(pam, error));
1471 return -1;
1474 return 0;
1476 #endif /* HAVE_LIBPAM */
1478 #ifdef HAVE_LIBRADIUS
1479 static int
1480 isakmp_cfg_accounting_radius(iph1, inout)
1481 struct ph1handle *iph1;
1482 int inout;
1484 if (rad_create_request(radius_acct_state,
1485 RAD_ACCOUNTING_REQUEST) != 0) {
1486 plog(LLV_ERROR, LOCATION, NULL,
1487 "rad_create_request failed: %s\n",
1488 rad_strerror(radius_acct_state));
1489 return -1;
1492 if (rad_put_string(radius_acct_state, RAD_USER_NAME,
1493 iph1->mode_cfg->login) != 0) {
1494 plog(LLV_ERROR, LOCATION, NULL,
1495 "rad_put_string failed: %s\n",
1496 rad_strerror(radius_acct_state));
1497 return -1;
1500 switch (inout) {
1501 case ISAKMP_CFG_LOGIN:
1502 inout = RAD_START;
1503 break;
1504 case ISAKMP_CFG_LOGOUT:
1505 inout = RAD_STOP;
1506 break;
1507 default:
1508 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1509 break;
1512 if (rad_put_addr(radius_acct_state,
1513 RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) {
1514 plog(LLV_ERROR, LOCATION, NULL,
1515 "rad_put_addr failed: %s\n",
1516 rad_strerror(radius_acct_state));
1517 return -1;
1520 if (rad_put_addr(radius_acct_state,
1521 RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) {
1522 plog(LLV_ERROR, LOCATION, NULL,
1523 "rad_put_addr failed: %s\n",
1524 rad_strerror(radius_acct_state));
1525 return -1;
1528 if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) {
1529 plog(LLV_ERROR, LOCATION, NULL,
1530 "rad_put_int failed: %s\n",
1531 rad_strerror(radius_acct_state));
1532 return -1;
1535 if (isakmp_cfg_radius_common(radius_acct_state,
1536 iph1->mode_cfg->port) != 0)
1537 return -1;
1539 if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) {
1540 plog(LLV_ERROR, LOCATION, NULL,
1541 "rad_send_request failed: %s\n",
1542 rad_strerror(radius_acct_state));
1543 return -1;
1546 return 0;
1548 #endif /* HAVE_LIBRADIUS */
1551 * Attributes common to all RADIUS requests
1553 #ifdef HAVE_LIBRADIUS
1555 isakmp_cfg_radius_common(radius_state, port)
1556 struct rad_handle *radius_state;
1557 int port;
1559 struct utsname name;
1560 static struct hostent *host = NULL;
1561 struct in_addr nas_addr;
1564 * Find our own IP by resolving our nodename
1566 if (host == NULL) {
1567 if (uname(&name) != 0) {
1568 plog(LLV_ERROR, LOCATION, NULL,
1569 "uname failed: %s\n", strerror(errno));
1570 return -1;
1573 if ((host = gethostbyname(name.nodename)) == NULL) {
1574 plog(LLV_ERROR, LOCATION, NULL,
1575 "gethostbyname failed: %s\n", strerror(errno));
1576 return -1;
1580 memcpy(&nas_addr, host->h_addr, sizeof(nas_addr));
1581 if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) {
1582 plog(LLV_ERROR, LOCATION, NULL,
1583 "rad_put_addr failed: %s\n",
1584 rad_strerror(radius_state));
1585 return -1;
1588 if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) {
1589 plog(LLV_ERROR, LOCATION, NULL,
1590 "rad_put_int failed: %s\n",
1591 rad_strerror(radius_state));
1592 return -1;
1595 if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) {
1596 plog(LLV_ERROR, LOCATION, NULL,
1597 "rad_put_int failed: %s\n",
1598 rad_strerror(radius_state));
1599 return -1;
1602 if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) {
1603 plog(LLV_ERROR, LOCATION, NULL,
1604 "rad_put_int failed: %s\n",
1605 rad_strerror(radius_state));
1606 return -1;
1609 return 0;
1611 #endif
1614 Logs the user into the utmp system files.
1618 isakmp_cfg_accounting_system(port, raddr, usr, inout)
1619 int port;
1620 struct sockaddr *raddr;
1621 char *usr;
1622 int inout;
1624 int error = 0;
1625 struct utmp ut;
1626 char term[UT_LINESIZE];
1627 char addr[NI_MAXHOST];
1629 if (usr == NULL || usr[0]=='\0') {
1630 plog(LLV_ERROR, LOCATION, NULL,
1631 "system accounting : no login found\n");
1632 return -1;
1635 sprintf(term, TERMSPEC, port);
1637 switch (inout) {
1638 case ISAKMP_CFG_LOGIN:
1639 strncpy(ut.ut_name, usr, UT_NAMESIZE);
1640 ut.ut_name[UT_NAMESIZE - 1] = '\0';
1642 strncpy(ut.ut_line, term, UT_LINESIZE);
1643 ut.ut_line[UT_LINESIZE - 1] = '\0';
1645 GETNAMEINFO_NULL(raddr, addr);
1646 strncpy(ut.ut_host, addr, UT_HOSTSIZE);
1647 ut.ut_host[UT_HOSTSIZE - 1] = '\0';
1649 ut.ut_time = time(NULL);
1651 plog(LLV_INFO, LOCATION, NULL,
1652 "Accounting : '%s' logging on '%s' from %s.\n",
1653 ut.ut_name, ut.ut_line, ut.ut_host);
1655 login(&ut);
1657 break;
1658 case ISAKMP_CFG_LOGOUT:
1660 plog(LLV_INFO, LOCATION, NULL,
1661 "Accounting : '%s' unlogging from '%s'.\n",
1662 usr, term);
1664 logout(term);
1666 break;
1667 default:
1668 plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
1669 break;
1672 return 0;
1675 int
1676 isakmp_cfg_getconfig(iph1)
1677 struct ph1handle *iph1;
1679 vchar_t *buffer;
1680 struct isakmp_pl_attr *attrpl;
1681 struct isakmp_data *attr;
1682 size_t len;
1683 int error;
1684 int attrcount;
1685 int i;
1686 int attrlist[] = {
1687 INTERNAL_IP4_ADDRESS,
1688 INTERNAL_IP4_NETMASK,
1689 INTERNAL_IP4_DNS,
1690 INTERNAL_IP4_NBNS,
1691 UNITY_BANNER,
1692 UNITY_DEF_DOMAIN,
1693 UNITY_SPLITDNS_NAME,
1694 UNITY_SPLIT_INCLUDE,
1695 UNITY_LOCAL_LAN,
1696 APPLICATION_VERSION,
1699 attrcount = sizeof(attrlist) / sizeof(*attrlist);
1700 len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
1702 if ((buffer = vmalloc(len)) == NULL) {
1703 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
1704 return -1;
1707 attrpl = (struct isakmp_pl_attr *)buffer->v;
1708 attrpl->h.len = htons(len);
1709 attrpl->type = ISAKMP_CFG_REQUEST;
1710 attrpl->id = htons((u_int16_t)(eay_random() & 0xffff));
1712 attr = (struct isakmp_data *)(attrpl + 1);
1714 for (i = 0; i < attrcount; i++) {
1715 attr->type = htons(attrlist[i]);
1716 attr->lorv = htons(0);
1717 attr++;
1720 plog(LLV_DEBUG, LOCATION, NULL,
1721 "Sending MODE_CFG REQUEST\n");
1723 error = isakmp_cfg_send(iph1, buffer,
1724 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
1726 vfree(buffer);
1728 return error;
1731 static void
1732 isakmp_cfg_getaddr4(attr, ip)
1733 struct isakmp_data *attr;
1734 struct in_addr *ip;
1736 size_t alen = ntohs(attr->lorv);
1737 in_addr_t *addr;
1739 if (alen != sizeof(*ip)) {
1740 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
1741 return;
1744 addr = (in_addr_t *)(attr + 1);
1745 ip->s_addr = *addr;
1747 return;
1750 static void
1751 isakmp_cfg_appendaddr4(attr, ip, num, max)
1752 struct isakmp_data *attr;
1753 struct in_addr *ip;
1754 int *num;
1755 int max;
1757 size_t alen = ntohs(attr->lorv);
1758 in_addr_t *addr;
1760 if (alen != sizeof(*ip)) {
1761 plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
1762 return;
1764 if (*num == max) {
1765 plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n");
1766 return;
1769 addr = (in_addr_t *)(attr + 1);
1770 ip->s_addr = *addr;
1771 (*num)++;
1773 return;
1776 static void
1777 isakmp_cfg_getstring(attr, str)
1778 struct isakmp_data *attr;
1779 char *str;
1781 size_t alen = ntohs(attr->lorv);
1782 char *src;
1783 src = (char *)(attr + 1);
1785 memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen));
1787 return;
1790 #define IP_MAX 40
1792 void
1793 isakmp_cfg_iplist_to_str(dest, count, addr, withmask)
1794 char *dest;
1795 int count;
1796 void *addr;
1797 int withmask;
1799 int i;
1800 int p;
1801 int l;
1802 struct unity_network tmp;
1803 for(i = 0, p = 0; i < count; i++) {
1804 if(withmask == 1)
1805 l = sizeof(struct unity_network);
1806 else
1807 l = sizeof(struct in_addr);
1808 memcpy(&tmp, addr, l);
1809 addr += l;
1810 if((uint32_t)tmp.addr4.s_addr == 0)
1811 break;
1813 inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX);
1814 p += strlen(dest + p);
1815 if(withmask == 1) {
1816 dest[p] = '/';
1817 p++;
1818 inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX);
1819 p += strlen(dest + p);
1821 dest[p] = ' ';
1822 p++;
1824 if(p > 0)
1825 dest[p-1] = '\0';
1826 else
1827 dest[0] = '\0';
1831 isakmp_cfg_setenv(iph1, envp, envc)
1832 struct ph1handle *iph1;
1833 char ***envp;
1834 int *envc;
1836 char addrstr[IP_MAX];
1837 char addrlist[IP_MAX * MAXNS + MAXNS];
1838 char *splitlist = addrlist;
1839 char *splitlist_cidr;
1840 char defdom[MAXPATHLEN + 1];
1841 int cidr, tmp;
1842 char cidrstr[4];
1843 int i, p;
1844 int test;
1846 plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
1849 * Internal IPv4 address, either if
1850 * we are a client or a server.
1852 if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
1853 #ifdef HAVE_LIBLDAP
1854 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
1855 #endif
1856 #ifdef HAVE_LIBRADIUS
1857 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
1858 #endif
1859 (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
1860 inet_ntop(AF_INET, &iph1->mode_cfg->addr4,
1861 addrstr, IP_MAX);
1862 } else
1863 addrstr[0] = '\0';
1865 if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) {
1866 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n");
1867 return -1;
1870 if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) {
1871 if (script_env_append(envp, envc, "XAUTH_USER",
1872 iph1->mode_cfg->xauth.authdata.generic.usr) != 0) {
1873 plog(LLV_ERROR, LOCATION, NULL,
1874 "Cannot set XAUTH_USER\n");
1875 return -1;
1879 /* Internal IPv4 mask */
1880 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4)
1881 inet_ntop(AF_INET, &iph1->mode_cfg->mask4,
1882 addrstr, IP_MAX);
1883 else
1884 addrstr[0] = '\0';
1887 * During several releases, documentation adverised INTERNAL_NETMASK4
1888 * while code was using INTERNAL_MASK4. We now do both.
1891 if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) {
1892 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
1893 return -1;
1896 if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) {
1897 plog(LLV_ERROR, LOCATION, NULL,
1898 "Cannot set INTERNAL_NETMASK4\n");
1899 return -1;
1902 tmp = ntohl(iph1->mode_cfg->mask4.s_addr);
1903 for (cidr = 0; tmp != 0; cidr++)
1904 tmp <<= 1;
1905 snprintf(cidrstr, 3, "%d", cidr);
1907 if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) {
1908 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n");
1909 return -1;
1912 /* Internal IPv4 DNS */
1913 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) {
1914 /* First Internal IPv4 DNS (for compatibilty with older code */
1915 inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0],
1916 addrstr, IP_MAX);
1918 /* Internal IPv4 DNS - all */
1919 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index,
1920 (void *)iph1->mode_cfg->dns4, 0);
1921 } else {
1922 addrstr[0] = '\0';
1923 addrlist[0] = '\0';
1926 if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) {
1927 plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n");
1928 return -1;
1930 if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) {
1931 plog(LLV_ERROR, LOCATION, NULL,
1932 "Cannot set INTERNAL_DNS4_LIST\n");
1933 return -1;
1936 /* Internal IPv4 WINS */
1937 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) {
1939 * First Internal IPv4 WINS
1940 * (for compatibilty with older code
1942 inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0],
1943 addrstr, IP_MAX);
1945 /* Internal IPv4 WINS - all */
1946 isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index,
1947 (void *)iph1->mode_cfg->wins4, 0);
1948 } else {
1949 addrstr[0] = '\0';
1950 addrlist[0] = '\0';
1953 if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) {
1954 plog(LLV_ERROR, LOCATION, NULL,
1955 "Cannot set INTERNAL_WINS4\n");
1956 return -1;
1958 if (script_env_append(envp, envc,
1959 "INTERNAL_WINS4_LIST", addrlist) != 0) {
1960 plog(LLV_ERROR, LOCATION, NULL,
1961 "Cannot set INTERNAL_WINS4_LIST\n");
1962 return -1;
1965 /* Deault domain */
1966 if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN)
1967 strncpy(defdom,
1968 iph1->mode_cfg->default_domain,
1969 MAXPATHLEN + 1);
1970 else
1971 defdom[0] = '\0';
1973 if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) {
1974 plog(LLV_ERROR, LOCATION, NULL,
1975 "Cannot set DEFAULT_DOMAIN\n");
1976 return -1;
1979 /* Split networks */
1980 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) {
1981 splitlist =
1982 splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK);
1983 splitlist_cidr =
1984 splitnet_list_2str(iph1->mode_cfg->split_include, CIDR);
1985 } else {
1986 splitlist = addrlist;
1987 splitlist_cidr = addrlist;
1988 addrlist[0] = '\0';
1991 if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
1992 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
1993 return -1;
1995 if (script_env_append(envp, envc,
1996 "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) {
1997 plog(LLV_ERROR, LOCATION, NULL,
1998 "Cannot set SPLIT_INCLUDE_CIDR\n");
1999 return -1;
2001 if (splitlist != addrlist)
2002 racoon_free(splitlist);
2003 if (splitlist_cidr != addrlist)
2004 racoon_free(splitlist_cidr);
2006 if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) {
2007 splitlist =
2008 splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK);
2009 splitlist_cidr =
2010 splitnet_list_2str(iph1->mode_cfg->split_local, CIDR);
2011 } else {
2012 splitlist = addrlist;
2013 splitlist_cidr = addrlist;
2014 addrlist[0] = '\0';
2017 if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
2018 plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
2019 return -1;
2021 if (script_env_append(envp, envc,
2022 "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) {
2023 plog(LLV_ERROR, LOCATION, NULL,
2024 "Cannot set SPLIT_LOCAL_CIDR\n");
2025 return -1;
2027 if (splitlist != addrlist)
2028 racoon_free(splitlist);
2029 if (splitlist_cidr != addrlist)
2030 racoon_free(splitlist_cidr);
2032 return 0;
2036 isakmp_cfg_resize_pool(size)
2037 int size;
2039 struct isakmp_cfg_port *new_pool;
2040 size_t len;
2041 int i;
2043 if (size == isakmp_cfg_config.pool_size)
2044 return 0;
2046 plog(LLV_INFO, LOCATION, NULL,
2047 "Resize address pool from %zu to %d\n",
2048 isakmp_cfg_config.pool_size, size);
2050 /* If a pool already exists, check if we can shrink it */
2051 if ((isakmp_cfg_config.port_pool != NULL) &&
2052 (size < isakmp_cfg_config.pool_size)) {
2053 for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) {
2054 if (isakmp_cfg_config.port_pool[i].used) {
2055 plog(LLV_ERROR, LOCATION, NULL,
2056 "resize pool from %zu to %d impossible "
2057 "port %d is in use\n",
2058 isakmp_cfg_config.pool_size, size, i);
2059 size = i;
2060 break;
2065 len = size * sizeof(*isakmp_cfg_config.port_pool);
2066 new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
2067 if (new_pool == NULL) {
2068 plog(LLV_ERROR, LOCATION, NULL,
2069 "resize pool from %zu to %d impossible: %s",
2070 isakmp_cfg_config.pool_size, size, strerror(errno));
2071 return -1;
2074 /* If size increase, intialize correctly the new records */
2075 if (size > isakmp_cfg_config.pool_size) {
2076 size_t unit;
2077 size_t old_size;
2079 unit = sizeof(*isakmp_cfg_config.port_pool);
2080 old_size = isakmp_cfg_config.pool_size;
2082 bzero((char *)new_pool + (old_size * unit),
2083 (size - old_size) * unit);
2086 isakmp_cfg_config.port_pool = new_pool;
2087 isakmp_cfg_config.pool_size = size;
2089 return 0;
2093 isakmp_cfg_init(cold)
2094 int cold;
2096 int i;
2097 int error;
2099 isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
2100 isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
2101 for (i = 0; i < MAXNS; i++)
2102 isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000;
2103 isakmp_cfg_config.dns4_index = 0;
2104 for (i = 0; i < MAXWINS; i++)
2105 isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000;
2106 isakmp_cfg_config.nbns4_index = 0;
2107 if (cold == ISAKMP_CFG_INIT_COLD)
2108 isakmp_cfg_config.port_pool = NULL;
2109 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
2110 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
2111 if (cold == ISAKMP_CFG_INIT_COLD) {
2112 if (isakmp_cfg_config.grouplist != NULL) {
2113 for (i = 0; i < isakmp_cfg_config.groupcount; i++)
2114 racoon_free(isakmp_cfg_config.grouplist[i]);
2115 racoon_free(isakmp_cfg_config.grouplist);
2118 isakmp_cfg_config.grouplist = NULL;
2119 isakmp_cfg_config.groupcount = 0;
2120 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
2121 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
2122 if (cold == ISAKMP_CFG_INIT_COLD)
2123 isakmp_cfg_config.pool_size = 0;
2124 isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY;
2125 strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN,
2126 MAXPATHLEN);
2127 strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN);
2129 if (cold != ISAKMP_CFG_INIT_COLD )
2130 if (isakmp_cfg_config.splitnet_list != NULL)
2131 splitnet_list_free(isakmp_cfg_config.splitnet_list,
2132 &isakmp_cfg_config.splitnet_count);
2133 isakmp_cfg_config.splitnet_list = NULL;
2134 isakmp_cfg_config.splitnet_count = 0;
2135 isakmp_cfg_config.splitnet_type = 0;
2137 isakmp_cfg_config.pfs_group = 0;
2138 isakmp_cfg_config.save_passwd = 0;
2140 if (cold != ISAKMP_CFG_INIT_COLD )
2141 if (isakmp_cfg_config.splitdns_list != NULL)
2142 racoon_free(isakmp_cfg_config.splitdns_list);
2143 isakmp_cfg_config.splitdns_list = NULL;
2144 isakmp_cfg_config.splitdns_len = 0;
2146 #if 0
2147 if (cold == ISAKMP_CFG_INIT_COLD) {
2148 if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
2149 return error;
2151 #endif
2153 return 0;