#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>
#include <err.h>
#include "var.h"
#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "debug.h"
#include "localconf.h"
#include "algorithm.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "ipsec_doi.h"
#include "grabmyaddr.h"
#include "vendorid.h"
#include "str2val.h"
#include "safefile.h"
#include "gcmalloc.h"
#include "session.h"
#include <CoreFoundation/CoreFoundation.h>
#if HAVE_SECURITY_FRAMEWORK
#include <Security/Security.h>
#endif
struct localconf *lcconf;
struct localconf *saved_lcconf;
static void setdefault (void);
void
initlcconf()
{
lcconf = racoon_calloc(1, sizeof(*lcconf));
if (lcconf == NULL)
errx(1, "failed to allocate local conf.");
setdefault();
lcconf->sock_vpncontrol = -1;
lcconf->racoon_conf = LC_DEFAULT_CF;
TAILQ_INIT(&lcconf->saved_msg_queue);
}
void
flushlcconf()
{
int i;
setdefault();
clear_myaddr();
for (i = 0; i < LC_PATHTYPE_MAX; i++) {
if (lcconf->pathinfo[i]) {
racoon_free(lcconf->pathinfo[i]);
lcconf->pathinfo[i] = NULL;
}
}
for (i = 0; i < IDTYPE_MAX; i++) {
if (lcconf->ident[i])
vfree(lcconf->ident[i]);
lcconf->ident[i] = NULL;
}
if (lcconf->ext_nat_id) {
vfree(lcconf->ext_nat_id);
lcconf->ext_nat_id = NULL;
}
}
static void
setdefault()
{
lcconf->uid = 0;
lcconf->gid = 0;
lcconf->autograbaddr = 1;
lcconf->port_isakmp = PORT_ISAKMP;
lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
lcconf->default_af = AF_INET;
lcconf->pad_random = LC_DEFAULT_PAD_RANDOM;
lcconf->pad_randomlen = LC_DEFAULT_PAD_RANDOMLEN;
lcconf->pad_maxsize = LC_DEFAULT_PAD_MAXSIZE;
lcconf->pad_strict = LC_DEFAULT_PAD_STRICT;
lcconf->pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
lcconf->retry_counter = LC_DEFAULT_RETRY_COUNTER;
lcconf->retry_interval = LC_DEFAULT_RETRY_INTERVAL;
lcconf->count_persend = LC_DEFAULT_COUNT_PERSEND;
lcconf->secret_size = LC_DEFAULT_SECRETSIZE;
lcconf->retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
lcconf->strict_address = FALSE;
lcconf->complex_bundle = TRUE;
lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
lcconf->auto_exit_delay = 0;
lcconf->auto_exit_state &= ~LC_AUTOEXITSTATE_SET;
lcconf->auto_exit_state |= LC_AUTOEXITSTATE_CLIENT;
}
void
savelcconf(void)
{
saved_lcconf = lcconf;
lcconf = NULL;
initlcconf();
}
void
restorelcconf(void)
{
flushlcconf();
racoon_free(lcconf);
lcconf = saved_lcconf;
saved_lcconf = NULL;
}
vchar_t *
getpskbyname(id0)
vchar_t *id0;
{
char *id;
vchar_t *key = NULL;
plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by name.\n");
id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
if (id == NULL) {
plog(ASL_LEVEL_ERR,
"failed to get psk buffer.\n");
goto end;
}
memcpy(id, id0->v + sizeof(struct ipsecdoi_id_b),
id0->l - sizeof(struct ipsecdoi_id_b));
id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
end:
if (id)
racoon_free(id);
return key;
}
#if HAVE_KEYCHAIN
vchar_t *
getpskfromkeychain(const char *name, u_int8_t etype, int secrettype, vchar_t *id_p)
{
SecKeychainRef keychain = NULL;
vchar_t *key = NULL;
void *cur_password = NULL;
UInt32 cur_password_len = 0;
OSStatus status;
char serviceName[] = "com.apple.net.racoon";
plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from keychain.\n");
status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
if (status != noErr) {
plog(ASL_LEVEL_ERR,
"failed to set system keychain domain.\n");
goto end;
}
status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem,
&keychain);
if (status != noErr) {
plog(ASL_LEVEL_ERR,
"failed to get system keychain domain.\n");
goto end;
}
if (secrettype == SECRETTYPE_KEYCHAIN_BY_ID && etype == ISAKMP_ETYPE_AGG) {
char* peer_id = NULL;
int idlen = id_p->l - sizeof(struct ipsecdoi_id_b);
u_int8_t id_type = (ALIGNED_CAST(struct ipsecdoi_id_b *)(id_p->v))->type;
switch (id_type) {
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV6_ADDR:
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
case IPSECDOI_ID_IPV4_ADDR_RANGE:
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
case IPSECDOI_ID_IPV6_ADDR_RANGE:
case IPSECDOI_ID_DER_ASN1_DN:
case IPSECDOI_ID_DER_ASN1_GN:
goto no_id;
break;
case IPSECDOI_ID_FQDN:
case IPSECDOI_ID_USER_FQDN:
case IPSECDOI_ID_KEY_ID:
peer_id = racoon_malloc(1 + idlen);
if (peer_id == NULL)
goto end;
memcpy(peer_id, id_p->v + sizeof(struct ipsecdoi_id_b), idlen);
*(peer_id + idlen) = '\0';
plog(ASL_LEVEL_ERR,
"getting shared secret from keychain using %s.\n", peer_id);
break;
default:
goto end;
break;
}
status = SecKeychainFindGenericPassword(keychain,
strlen(serviceName),
serviceName,
idlen,
peer_id,
&cur_password_len,
&cur_password,
NULL);
if (status == errSecItemNotFound)
status = SecKeychainFindGenericPassword(keychain,
idlen,
peer_id,
0,
0,
&cur_password_len,
&cur_password,
NULL);
if (peer_id)
racoon_free(peer_id);
if (status == noErr)
goto end;
}
no_id:
status = SecKeychainFindGenericPassword(keychain,
strlen(serviceName),
serviceName,
strlen(name),
name,
&cur_password_len,
&cur_password,
NULL);
if (status == errSecItemNotFound)
status = SecKeychainFindGenericPassword(keychain,
strlen(name),
name,
0,
0,
&cur_password_len,
&cur_password,
NULL);
switch (status) {
case noErr :
goto end;
break;
case errSecItemNotFound :
break;
default :
plog(ASL_LEVEL_ERR,
"failed to get preshared key from system keychain (error %ld).\n", (long)status);
}
end:
if (cur_password) {
key = vmalloc(cur_password_len);
if (key == NULL) {
plog(ASL_LEVEL_ERR,
"failed to allocate key buffer.\n");
} else
memcpy(key->v, cur_password, cur_password_len);
free(cur_password);
}
if (keychain)
CFRelease(keychain);
return key;
}
#endif
vchar_t *
getpskbyaddr(remote)
struct sockaddr_storage *remote;
{
vchar_t *key = NULL;
char addr[NI_MAXHOST], port[NI_MAXSERV];
plog(ASL_LEVEL_DEBUG, "Getting pre-shared key by addr.\n");
GETNAMEINFO((struct sockaddr *)remote, addr, port);
key = getpsk(addr, strlen(addr));
return key;
}
vchar_t *
getpsk(str, len)
const char *str;
const int len;
{
FILE *fp;
char buf[1024];
vchar_t *key = NULL;
char *p, *q;
size_t keylen;
char *k = NULL;
plog(ASL_LEVEL_DEBUG, "Getting pre-shared key from file.\n");
if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
else
fp = NULL;
if (fp == NULL) {
plog(ASL_LEVEL_ERR,
"failed to open pre_share_key file %s\n",
lcconf->pathinfo[LC_PATHTYPE_PSK]);
return NULL;
}
while (fgets(buf, sizeof(buf), fp) != NULL) {
if (buf[0] == '#')
continue;
for (p = buf; *p != '\0' && !isspace((int)*p); p++)
;
if (*p == '\0')
continue;
*p = '\0';
while (isspace((int)*++p))
;
if (*p == '\0')
continue;
p--;
if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
p++;
keylen = 0;
for (q = p; *q != '\0' && *q != '\n'; q++)
keylen++;
*q = '\0';
if (strncmp(p, "0x", 2) == 0) {
k = str2val(p + 2, 16, &keylen);
if (k == NULL) {
plog(ASL_LEVEL_ERR,
"failed to get psk buffer.\n");
goto end;
}
p = k;
}
key = vmalloc(keylen);
if (key == NULL) {
plog(ASL_LEVEL_ERR,
"failed to allocate key buffer.\n");
goto end;
}
memcpy(key->v, p, key->l);
if (k)
racoon_free(k);
goto end;
}
}
end:
fclose(fp);
return key;
}
void
getpathname(path, len, type, name)
char *path;
int len, type;
const char *name;
{
snprintf(path, len, "%s%s%s",
name[0] == '/' ? "" : lcconf->pathinfo[type],
name[0] == '/' ? "" : "/",
name);
plog(ASL_LEVEL_DEBUG, "filename: %s\n", path);
}
#if 0
static int lc_doi2idtype[] = {
-1,
-1,
LC_IDENTTYPE_FQDN,
LC_IDENTTYPE_USERFQDN,
-1,
-1,
-1,
-1,
-1,
LC_IDENTTYPE_CERTNAME,
-1,
LC_IDENTTYPE_KEYID,
};
int
doi2idtype(idtype)
int idtype;
{
if (ARRAYLEN(lc_doi2idtype) > idtype)
return lc_doi2idtype[idtype];
return -1;
}
#endif
static int lc_sittype2doi[] = {
IPSECDOI_SIT_IDENTITY_ONLY,
IPSECDOI_SIT_SECRECY,
IPSECDOI_SIT_INTEGRITY,
};
int
sittype2doi(sittype)
int sittype;
{
if (ARRAYLEN(lc_sittype2doi) > sittype)
return lc_sittype2doi[sittype];
return -1;
}
static int lc_doitype2doi[] = {
IPSEC_DOI,
};
int
doitype2doi(doitype)
int doitype;
{
if (ARRAYLEN(lc_doitype2doi) > doitype)
return lc_doitype2doi[doitype];
return -1;
}