File novell-ipsec-tools_plugins-support-core.patch of Package novell-ipsec-tools
Index: ipsec-tools-0.7.3/src/plugin_frame/common.h
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/common.h
@@ -0,0 +1,160 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+#ifndef __TPIKE_COMMON_H__
+#define __TPIKE_COMMON_H__
+
+/****************NOTES ************************
+1. Multiple plugins will be stored in the struct pluginlist with priority.
+2. A Global priv data for each plugin (in addition to the hook point specific priv data) that will be opaque to framework.
+3. Register Handler returns ALREADYREGISTERED if someother plugins has registered.
+4. Before registering the plugin should check for dependencies with other plugins using isPluginRegisterted,
+*************************************************/
+
+#include <sys/types.h>
+
+/* Defines */
+
+/* DataTypes */
+#define TPIKE_DTYPE_STRUCTISAKMPGEN 0x0001
+#define TPIKE_DTYPE_STRUCTISAKMPDATA 0x0002
+#define TPIKE_DTYPE_STRUCTVCHAR 0x0004
+#define TPIKE_DTYPE_STRUCTPAYLOADLIST 0x0008
+#define TPIKE_DTYPE_INT32PT 0x0010
+#define TPIKE_DTYPE_STRUCTIPH1 0x0020
+#define TPIKE_DTYPE_STRUCTNATTOPTIONS 0x0040
+
+//Payload types
+#define PRIVATE_NATTVID_PAYLOAD_TYPE 0x0001
+#define PRIVATE_VID_PAYLOAD_TYPE 0x0002
+
+//#define STRUCTIPH1 0x0010
+//#define STRUCTIPH2 0x0020
+//#define STRUCTCADDRT 0x0040
+
+/* Types */
+#define PAYLOAD_TYPE 0x01
+#define ATTRIBUTE_TYPE 0x02
+#define NATT_OPTIONS_TYPE 0x03
+
+#define IS_REKEYREQ_TYPE 0x04
+#define IS_PLECHECK_TYPE 0x05
+
+#define PFKEY_MSG_TYPE 0x06
+#define IKE_NEGO_STATE_TYPE 0x07
+
+
+/* Attribute types */
+#define IKE_ATTRIB_TYPE 0x01
+#define CONFIG_ATTRIB_TYPE 0x02
+#define IPSEC_ATTRIB_TYPE 0x03
+#define ISAKMP_ATTRIB_TYPE 0x04
+#define CONFIG_ATTRIB_ACK_TYPE 0x05
+
+#if 0
+/* Attribute types */
+#define IKEATTR_TYPE 0x01
+#define CFGATTR_TYPE 0x02
+#endif
+
+/* Data Structures */
+
+/*TV */
+typedef struct tv
+{
+ int type;
+ void *val;
+}TV;
+
+struct tvarr {
+ int noofvals;
+ struct tv tv[1];
+};
+
+/* Updated Hookpoint */
+struct hookpoint {
+ u_int8_t type;
+ u_int8_t payloadtype; /*If type==payload => payload type as defined, else 0 */
+ u_int8_t subtype; /* Config attr => SET/ACK/REQ/REP/PrivType. Payload => SubType */
+ u_int32_t position; /* ijk */
+ u_int8_t isoptional;
+ /*Identifying the payload/ike attr type */
+ u_int32_t keylen;
+ void *key; /*Payload =>, attribute etc. */
+};
+
+/* Updated Handler Info */
+struct handlerinfo {
+ char *plugin_name;
+ void *hprivdata; /*Plug-in's priv data */
+ u_int32_t datatypein; /* Flag logical OR of IN DataTypes defiend above */
+ u_int32_t datatypeout; /* Flag logical OR of OUT DataTypes defiend above */
+ int (*callback)(void *, void *, void *, void **); /* Prototype will be int func(void *gprivdata, void *hprivdata, void *INARRAY, void **OUTARRAY); */
+};
+
+typedef int (*plugin_init)(void *gprivdata, void *hprivdata,
+ void *inarray, void **outarray);
+typedef int (*plugin_getdata)(int inlen, char *inbuf,
+ int *outlen, char **outbuf);
+
+/* Consumed by plugin */
+u_int8_t tpike_is_plugin_registered(char *plugin_name);
+int tpike_register_handler(struct hookpoint *,
+ struct handlerinfo *);
+int tpike_deregister_handlers(char *plugin_name);
+
+/* Consumed by Racoon */
+int tpike_gethook_handlerinfo(struct hookpoint *hp,
+ int absolutepos, struct handlerinfo **hi,
+ int *incount, void **tv);
+int tpike_dispatch_generic(struct hookpoint *hp, void *in, void **out);
+int tpike_pack_in(void **inarr, u_int32_t noofparams, ...);
+int tpike_pack_out(void *outarr, u_int32_t noofparams, ...);
+
+/* Consumed by adminport */
+int tpike_register_plugin(short ver, const char *pluginso, char *pluginname, void *cp);
+int tpike_plugin_getdata(short ver, char *pluginname, int inlen, char *inbuf,
+ int *outlen, char **outbuf);
+int tpike_deregister_plugin_all();
+
+
+/* Helper macro to make the 'hookpoint'. Consumed by racoon alone. */
+#define mk_hookpoint(typ, pratype, prasubtype, pos, optional, klen, keyval, hp) \
+ { \
+ hp->type = (typ); hp->payloadtype = (pratype); hp->subtype = (prasubtype); hp->position = (pos); \
+ hp->keylen = (klen); \
+ if (hp->keylen == 0) \
+ hp->key = 0; \
+ else { \
+ hp->key = vmalloc(hp->keylen); \
+ if (hp->key && (keyval)) memcpy(hp->key, (keyval), (klen)); else hp->keylen = 0; \
+ }\
+ }
+
+#endif
Index: ipsec-tools-0.7.3/src/plugin_frame/dispatch.c
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/dispatch.c
@@ -0,0 +1,140 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include "common.h"
+#include "framework.h"
+#include "error.h"
+#include "hashtable.h"
+
+int get_hook_handler_info(struct hookpoint *hp, int absolutepos, struct handlerinfo **hi, int *incount, void **tv)
+{
+ int status = TPIKE_ERR_HASH_MATCH_NOT_FOUND;
+
+ status = get_handler_match_in_hash_bucket(hp, hi);
+
+ // *incount = getType((*hi)->DataTypeToBeSent, tv); //return value?
+
+ return status;
+}
+
+#if 0
+int getType (u_int32_t dataTypeMask, TV *tvl)
+{
+ int i = 0;
+ u_int32_t j = 1;
+ while (j != 0x80000000 ){
+ if ( dataTypeMask & j )
+ {
+ tvl[i].t = j;
+ tvl[i].v = NULL;
+ i++;
+ }
+ j<<=1;
+ }
+ return i;
+}
+#endif
+
+int tpike_dispatch_generic(struct hookpoint *hp, void *in, void **out)
+{
+ struct handlerinfo *hi;
+ int status;
+ struct plugininfo *plugin;
+
+ if ((status = get_handler_match_in_hash_bucket(hp, &hi)) == TPIKE_STATUS_SUCCESS) {
+ // TODO: Validate that the minimum input arguments are present
+ // TODO: Validate that the output arguments are sufficient
+ if (hi->callback) {
+ // Obtain gpriv data
+ plugin = get_plugin_info(hi->plugin_name);
+
+ if(!plugin)
+ return TPIKE_ERR_PLUGIN_NOT_REGISTERED;
+
+ status = (*(hi->callback))(plugin->gprivdata, hi->hprivdata, in, out);
+ return status;
+ }
+ else
+ return TPIKE_ERR_HASH_MATCH_NOT_FOUND;
+ }
+ return status;
+}
+
+int tpike_pack_in(void **inarr, u_int32_t noofparams, ...)
+{
+ int i;
+ struct tvarr *in;
+ va_list(ap);
+
+ if (noofparams == 0) /* no parameters to pass, send NULL */
+ return TPIKE_STATUS_SUCCESS;
+
+ va_start(ap, noofparams);
+ if (((*inarr) = malloc(sizeof(struct tvarr) + (noofparams - 1) * (sizeof(struct tv)))) == NULL)
+ return TPIKE_ERR_MEM_ALLOC_FAILED;
+ in = (*inarr);
+
+ in->noofvals = noofparams;
+ for (i = 0; i < noofparams; i++)
+ {
+ in->tv[i].type = va_arg(ap, int);
+ in->tv[i].val = va_arg(ap, void *);
+ }
+ return TPIKE_STATUS_SUCCESS;
+}
+
+int tpike_pack_out(void *outarr, u_int32_t noofparams, ...)
+{
+ int i, j;
+ int type, found = 0;
+ struct tvarr *out = (struct tvarr *)(outarr);
+ va_list(ap);
+
+ va_start(ap, noofparams);
+ for (i = 0; i < noofparams; i++)
+ {
+ type = va_arg(ap, int);
+ found = 0;
+ for (j = 0; j < out->noofvals; j++)
+ {
+ if (type == out->tv[i].type)
+ {
+ *(va_arg(ap, void **)) = out->tv[i].val;
+ found = 1;
+ break;
+ }
+ if (!found)
+ return TPIKE_ERR_PLUGIN_ARG_MISMATCH;
+ }
+ }
+ return TPIKE_STATUS_SUCCESS;
+}
Index: ipsec-tools-0.7.3/src/plugin_frame/error.h
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/error.h
@@ -0,0 +1,53 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+#ifndef _PLUGIN_ERROR_H
+#define _PLUGIN_ERROR_H
+
+#define TPIKE_STATUS_SUCCESS 0x00000000
+#define PLUGIN_FRAME_STATUS_SUCCESS 0x00000000
+
+/* Framework errors start at 0xFFFFFFFF (-1) */
+#define TPIKE_ERR_HASH_TABLE_OVERFLOW 0xFFFFFFFF
+#define TPIKE_ERR_MEM_ALLOC_FAILED 0xFFFFFFFE
+#define TPIKE_ERR_PLUGIN_NOT_REGISTERED 0xFFFFFFFD
+#define TPIKE_ERR_HOOK_ALREADY_REGISTERED 0xFFFFFFFC
+#define TPIKE_ERR_PLUGIN_REGISTRATION_FAILURE 0xFFFFFFFB
+#define TPIKE_ERR_SYM_LOAD_FAILURE 0xFFFFFFFA
+#define TPIKE_ERR_HASH_MATCH_NOT_FOUND 0xFFFFFFF9
+#define TPIKE_ERR_SO_LOAD_FAILURE 0xFFFFFFF8
+#define TPIKE_ERR_PLUGIN_ARG_MISMATCH 0xFFFFFFF9
+
+/* Generic plugin errors start at 0xFFFFFF00 (-255) */
+#define TPIKE_ERR_PLUGIN_GENERIC 0xFFFFFF00
+#define TPIKE_ERR_PLUGIN_MEM_ALLOC_FAILED 0xFFFFFE00
+
+#define TPIKE_OK(x) ((x) == TPIKE_STATUS_SUCCESS)
+
+#endif /* _PLUGIN_ERROR_H */
Index: ipsec-tools-0.7.3/src/plugin_frame/framework.h
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/framework.h
@@ -0,0 +1,87 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+#ifndef __TPIKE_FRAMEWORK__
+#define __TPIKE_FRAMEWORK__
+
+/****************NOTES ************************
+1. Multiple plugins will be stored in the struct pluginlist with priority.
+2. A Global priv data for each plugin (in addition to the hook point specific priv data) that will be opaque to framework.
+3. Register Handler returns ALREADYREGISTERED if someother plugins has registered.
+4. Before registering the plugin should check for dependencies with other plugins using isPluginRegisterted,
+*************************************************/
+
+#include <sys/types.h>
+#include <stdlib.h>
+
+/* Defines */
+
+#if 0
+/* Types */
+#define PAYLOAD_TYPE 0x01
+#define ATTRIBUTE_TYPE 0x02
+
+/* Attribute types */
+#define IKE_ATTRIB_TYPE 0x01
+#define CONFIG_ATTRIB_TYPE 0x02
+#endif
+
+typedef int (tpike_plugin_init_func_t)(short ver, void *cp, void **privdata);
+typedef int (tpike_plugin_getdata_func_t)(short version, void *gpdata, int inlen, char *inbuf, int *outlen, char **outbuf);
+typedef int (tpike_plugin_deregister_func_t)(void *privdata);
+/* Data Structures */
+
+/* Structure handling multiple plugins */
+struct plugininfo {
+ char *plugin_name; /* Got thru' adminport */
+ void *gprivdata; /* Global (common to whole plugin) priv data */
+ void *so_handle;
+
+ tpike_plugin_init_func_t *init_fn;
+ tpike_plugin_getdata_func_t *getdata_fn;
+ tpike_plugin_deregister_func_t *deregister_fn;
+
+ struct plugininfo *next;
+};
+
+
+
+/* Functions to be implemented by Framework for framework only!*/
+struct plugininfo *get_plugin_info(char *plugin_name);
+
+
+/*Updated Register Handler */
+
+/*Consumed by plugin */
+struct plugininfo *get_registered_plugin(char *);
+struct plugininfo *add_plugin_to_list(char *);
+void remove_plugin_from_list(char *);
+void free_plugin_info_all(struct plugininfo *);
+
+#endif
Index: ipsec-tools-0.7.3/src/plugin_frame/hashtable.c
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/hashtable.c
@@ -0,0 +1,384 @@
+
+/************************************************************************************
+ * Copyright (c) 2005, Novell Inc., *
+ * All rights reserved. *
+ * *
+ * Redistribution and use in source and binary forms, with or without *
+ * modification, are permitted provided that the following conditions *
+ * are met: *
+ * 1. Redistributions of source code must retain the above copyright *
+ * notice, this list of conditions and the following disclaimer. *
+ * 2. Redistributions in binary form must reproduce the above copyright *
+ * notice, this list of conditions and the following disclaimer in the *
+ * documentation and/or other materials provided with the distribution. *
+ * 3. Neither the name of the Novell nor the names of its contributors *
+ * may be used to endorse or promote products derived from this software *
+ * without specific prior written permission. *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+ * SUCH DAMAGE. *
+ *************************************************************************************/
+
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+#include <sys/types.h>
+
+#include "config.h"
+#include "misc.h"
+
+#include "position.h"
+#include "hashtable.h"
+#include "common.h"
+#include "framework.h"
+#include "error.h"
+
+static int get_hash_index(struct hookpoint *hp);
+
+void init_hash_table()
+{
+ int i;
+
+ for(i = 0; i < MAX_TURN_HASH_SIZE; i++)
+ turnhash[i] = NULL;
+}
+
+void clear_hash_table()
+{
+ int i;
+ struct hookdata *hd, *temp = NULL;
+
+ for(i = 0; i < MAX_TURN_HASH_SIZE; i++)
+ {
+ for(hd = turnhash[i]; hd; hd = temp)
+ {
+ if(hd->hi)
+ free(hd->hi);
+ if(hd->hp)
+ {
+ if(hd->hp->keylen)
+ free(hd->hp->key);
+ free(hd->hp);
+ }
+ temp = hd->next;
+ free(hd);
+ }
+ turnhash[i] = NULL;
+ }
+}
+
+int dump_hash(void)
+{
+ int i;
+ struct hookdata *hd;
+ struct hookpoint *hp;
+ for (i = 0; i < MAX_TURN_HASH_SIZE; i++)
+ {
+ if (!(hd = turnhash[i]))
+ continue;
+#if 0
+ plog(LLV_DEBUG2, LOCATION, NULL, "Hash Bucket: %d\n", i);
+#else
+ printf("Hash Bucket: %d\n", i);
+#endif
+
+ while (hd)
+ {
+ hp = hd->hp;
+#if 0
+ plog(LLV_DEBUG2, LOCATION, NULL, "\n--------- Entry Info ---------\n");
+#else
+ printf("\n--------- Entry Info ---------\n");
+#endif
+ printf( "type = 0x%x, payloadtype = 0x%x, AttrOrPayloadSubtype = 0x%x, \
+ Exchange = 0x%x, Message Index = 0x%x, Payload1 = 0x%x, Payload2 = 0x%x, \
+ Keylen = 0x%x callback:%p\n",
+ (unsigned int) hp->type,
+ (unsigned int) hp->payloadtype,
+ (unsigned int) hp->subtype,
+ GET_EXCH(hp->position),
+ GET_MIDX(hp->position),
+ GET_PAYLOAD_1(hp->position),
+ GET_PAYLOAD_2(hp->position),
+ hp->keylen,
+ hd->hi->callback);
+ hd = hd->next;
+ }
+ }
+ return 0;
+}
+
+static int get_hash_index(struct hookpoint *hp)
+{
+ u_int32_t hash_index = 0, temp = 0;
+ size_t i;
+
+ // For incoming paths: Mode(i), Position(j), type, payloadtype, Key are used for hashing
+ // For outgoing paths: Mode(i), Position(j), type, payloadtype, AttrOrPayloadSubtype are used for hashing
+
+
+ if ((temp = GET_EXCH(hp->position)) != ISAKMP_ETYPE_ALL) {
+ hash_index |= SET_EXCH(temp);
+ }
+ if ((temp = GET_MIDX(hp->position)) != TPIKE_MIDX_ANY) {
+ hash_index |= SET_MIDX(temp);
+ }
+ if (hp->type == PAYLOAD_TYPE) {
+ hash_index ^= (hp->type ^ hp->payloadtype ^ hp->subtype);
+ }
+ else {
+ hash_index ^= (hp->type ^ hp->payloadtype ^ ((hp->payloadtype == CONFIG_ATTRIB_TYPE)?hp->subtype:0));
+ }
+ if (GET_MIDX(hp->position) & TPIKE_MIDX_RECEIVE) {
+ for (i = 0; (i + 3) <= hp->keylen; i+=sizeof(u_int32_t)) {
+ temp ^= (((char *)(hp->key))[i] << 24) |
+ (((char *)(hp->key))[i + 1] << 16) |
+ (((char *)(hp->key))[i + 2] << 8) |
+ (((char *)(hp->key))[i + 3]);
+ }
+ for (; i < hp->keylen; i++)
+ temp |= ((char *)(hp->key))[i];
+ }
+ hash_index ^= temp;
+ hash_index = hash_index % MAX_TURN_HASH_PRIME_SIZE;
+ return hash_index;
+}
+
+/* TODO -Ramu : As of now the only wild card handled is etype. Extend/Rewrite this to others also */
+static int get_handler_match_wild_card(struct hookpoint *hp, struct handlerinfo **hi )
+{
+ struct hookdata *hd;
+ u_int16_t hash_index = 0;
+ int status = TPIKE_ERR_HASH_MATCH_NOT_FOUND;
+ int etype = 0;
+ int is_all_phases_checked = 0;
+ *hi = NULL;
+
+ /*Logic: Considering only wild cards are etypes. For generic stuff this logic may be too narrow.
+ * 1. Determine whether the etype belongs to the class of phase1 or phase2.
+ * 2. Depending on 1 check either phase1 bucket or phase2 bucket.
+ * 3. If no match found in both these buckets check all phases bucket.
+ */
+ etype = GET_EXCH(hp->position);
+
+ if(etype == ISAKMP_ETYPE_IDENT || etype == ISAKMP_ETYPE_AGG || etype == ISAKMP_ETYPE_BASE || etype == ISAKMP_ETYPE_ALLPHASE1){
+ // etype = ISAKMP_ETYPE_ALLPHASE1;
+ hash_index = MAX_TURN_HASH_PRIME_SIZE;
+
+ }
+ else
+ if(etype == ISAKMP_ETYPE_QUICK || etype == ISAKMP_ETYPE_ALLPHASE2)
+ //etype = ISAKMP_ETYPE_ALLPHASE2;
+ hash_index = MAX_TURN_HASH_PRIME_SIZE + 1;
+ else //all phases
+ hash_index = MAX_TURN_HASH_PRIME_SIZE + 2;
+
+wildcardloop:
+
+ hd = turnhash[hash_index];
+
+ /* As of now i am scanning for REKEYREQ_TYPE alone. Extend this for all other types */
+ while(hd)
+ {
+ if(hd->hp && !memcmp(hd->hp, hp, sizeof(hd->hp->type) + sizeof(hd->hp->payloadtype) + sizeof(hd->hp->subtype) /*+ sizeof(u_int16_t)*/))
+ {
+ /* TODO: As this is always put into fixed buckets we need to check the position (and other variable params) also while matching. */
+ if (GET_MIDX (hp->position) == GET_MIDX(hd->hp->position) &&
+ hd->hi->callback){
+ (*hi) = hd->hi;
+ status = TPIKE_STATUS_SUCCESS;
+ break;
+ }
+ }
+ hd = hd->next;
+ }
+
+ if(status != TPIKE_STATUS_SUCCESS && is_all_phases_checked == 0 && hash_index != MAX_TURN_HASH_PRIME_SIZE + 2){
+ /* Check in ALL phases bucket */
+ hash_index = MAX_TURN_HASH_PRIME_SIZE + 2;
+ is_all_phases_checked = 1;
+ goto wildcardloop; //TODO: Remove this goto.
+
+ }
+ return status;
+}
+
+int get_handler_match_in_hash_bucket(struct hookpoint *hp, struct handlerinfo **hi )
+{
+ struct hookdata *hd;
+ u_int16_t hash_index = 0;
+ int status = TPIKE_ERR_HASH_MATCH_NOT_FOUND;
+
+ *hi = NULL;
+
+ //compute hash index
+ hash_index = get_hash_index(hp);
+ printf("Hash index in get_handler_match = %d\n",hash_index);
+ //sanity check
+ if(hash_index > MAX_TURN_HASH_SIZE - 1)
+ return TPIKE_ERR_HASH_TABLE_OVERFLOW;
+
+ hd = turnhash[hash_index];
+
+ while(hd)
+ {
+ /*
+ if(hd->hp && !memcmp(hd->hp, hp, sizeof(struct hookpoint) - sizeof(void *) -sizeof(hd->hp->keylen) - sizeof(hd->hp->isoptional) - sizeof(u_int16_t)))
+ */
+ if(hd->hp && !memcmp(hd->hp, hp, sizeof(hd->hp->type) + sizeof(hd->hp->payloadtype) + sizeof(hd->hp->subtype) /*+ sizeof(u_int16_t)*/))
+ {
+ if(hp->payloadtype == CONFIG_ATTRIB_TYPE && hp->subtype == 3 /* SET */){
+ if((hd->hp->keylen == hp->keylen) && (memcmp(hp->key, hd->hp->key, (size_t) hd->hp->keylen) == 0)){
+ if(hd->hi->callback){
+ (*hi) = hd->hi;
+ status = TPIKE_STATUS_SUCCESS;
+ break;
+ }
+
+ }
+ }
+ else{
+
+ if(hd->hi->callback){
+ (*hi) = hd->hi;
+ status = TPIKE_STATUS_SUCCESS;
+ break;
+ }
+ }
+ }
+ hd = hd->next;
+ }
+
+ if(status != TPIKE_STATUS_SUCCESS)
+ status = get_handler_match_wild_card(hp,hi);
+
+ return status;
+
+}
+
+u_int32_t insert_in_hash_bucket(struct hookpoint *hp, struct handlerinfo *hi, struct plugininfo *plugin)
+{
+ int hash_index = 0;
+ int status = TPIKE_STATUS_SUCCESS;
+ struct hookdata *hd = NULL;
+ struct handlerinfo *hi_already = NULL;
+
+ //compute hash index
+
+ /* TODO - Ramu: As of now handle wildcards by assigning one bucket for allphase1, one for allphase2 and one for allphases. Later change them to take other params also. */
+
+ switch(GET_EXCH(hp->position)){
+
+ case ISAKMP_ETYPE_ALLPHASE1:
+
+ hash_index = MAX_TURN_HASH_PRIME_SIZE;
+ break;
+
+ case ISAKMP_ETYPE_ALLPHASE2:
+
+ hash_index = MAX_TURN_HASH_PRIME_SIZE + 1;
+ break;
+
+ case ISAKMP_ETYPE_ALL:
+
+ hash_index = MAX_TURN_HASH_PRIME_SIZE + 2;
+ break;
+
+ default: /* Not a wild card case */
+ hash_index = get_hash_index(hp);
+ }
+
+
+ //sanity check
+ if(hash_index < 0 || hash_index > MAX_TURN_HASH_SIZE - 1)
+ {
+ status = TPIKE_ERR_HASH_TABLE_OVERFLOW;
+ goto end_func;
+ }
+#if 0
+ plog(LLV_DEBUG2, LOCATION, NULL, "Inserting in %d\n",hash_index);
+#else
+ printf("Inserting in %d\n",hash_index);
+#endif
+
+ /* FIX:
+ *
+ * 'hi' was used as second param which gets destroyed after
+ * the call to this function (becomes NULL as it is the first time
+ * insertion. So passing a temperory handlerinfo
+ * to check if it is already inserted
+ *
+ */
+
+ if(get_handler_match_in_hash_bucket(hp, &hi_already) == 0 )
+ {
+ status = TPIKE_ERR_HOOK_ALREADY_REGISTERED;
+ goto end_func;
+ }
+
+ if((hd = (struct hookdata *)malloc(sizeof(struct hookdata))) == NULL)
+ {
+ status = TPIKE_ERR_MEM_ALLOC_FAILED;
+ goto end_func;
+ }
+
+ hd->hi = (struct handlerinfo *)malloc(sizeof(struct handlerinfo));
+ if(hd->hi && hi )
+ memcpy(hd->hi, hi, sizeof(struct handlerinfo));//TODO: For hprivdata, we need the length of the data, so that we malloc and copy the priv data locally
+ else
+ {
+ status = TPIKE_ERR_MEM_ALLOC_FAILED;
+ goto end_func;
+ }
+
+ hd->hp = (struct hookpoint *)malloc(sizeof(struct hookpoint));
+ if(hd->hp && hp)
+ memcpy(hd->hp, hp, sizeof(struct hookpoint));//TODO: For KEY, we need the length of the data, so that we malloc and copy the priv data locally
+ else
+ {
+ status = TPIKE_ERR_MEM_ALLOC_FAILED;
+ goto end_func;
+ }
+ if(hd->hp->keylen){
+ // NOTE: KEY LEN IS COPIED IN PRV MEMCPY
+ hd->hp->key = malloc(hd->hp->keylen);
+ memcpy(hd->hp->key,hp->key,hd->hp->keylen);
+ }
+ hd->plugin = plugin; // back pointer to plugin
+
+ hd->next = turnhash[hash_index];
+
+ turnhash[hash_index] = hd;
+
+end_func:
+ if(status != TPIKE_STATUS_SUCCESS)
+ {
+ //cleanup all that we've malloced
+ if (hd)
+ {
+ if(hd->hi)
+ {
+ free(hd->hi);
+ hd->hi = NULL;
+ }
+ if(hd->hp)
+ {
+ free(hd->hp);
+ hd->hp = NULL;
+ }
+ if(hd)
+ {
+ free(hd);
+ }
+ }
+ }
+ return status;
+}
Index: ipsec-tools-0.7.3/src/plugin_frame/hashtable.h
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/hashtable.h
@@ -0,0 +1,57 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+#ifndef __TPIKE_HASHTABLE_H__
+#define __TPIKE_HASHTABLE_H__
+
+/*Hash Table for Hook Point Info*/
+#include <sys/types.h>
+
+#define MAX_TURN_HASH_PRIME_SIZE 553
+#define MAX_TURN_HASH_SIZE MAX_TURN_HASH_PRIME_SIZE + 3 /* bucket 553 for all phase1, bucket 554 for all phase 2 and bucket 555 for all phases */
+
+struct hookdata {
+ struct handlerinfo *hi;
+ struct hookpoint *hp;
+ struct plugininfo *plugin;
+ struct hookdata *next;
+};
+
+/* Global Hash Table */
+struct hookdata *turnhash[MAX_TURN_HASH_SIZE];
+
+/* Functions for the Hash Table */
+void init_hash_table();
+void clear_hash_table();
+u_int32_t insert_in_hash_bucket(struct hookpoint *, struct handlerinfo *, struct plugininfo *plugin);
+int get_handler_match_in_hash_bucket(struct hookpoint *, struct handlerinfo **);
+
+int dump_hash(void);
+
+#endif
Index: ipsec-tools-0.7.3/src/plugin_frame/position.h
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/position.h
@@ -0,0 +1,175 @@
+
+/************************************************************************************
+* Copyright (c) 2005, Novell Inc., *
+* All rights reserved. *
+* *
+* Redistribution and use in source and binary forms, with or without *
+* modification, are permitted provided that the following conditions *
+* are met: *
+* 1. Redistributions of source code must retain the above copyright *
+* notice, this list of conditions and the following disclaimer. *
+* 2. Redistributions in binary form must reproduce the above copyright *
+* notice, this list of conditions and the following disclaimer in the *
+* documentation and/or other materials provided with the distribution. *
+* 3. Neither the name of the Novell nor the names of its contributors *
+* may be used to endorse or promote products derived from this software *
+* without specific prior written permission. *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+* SUCH DAMAGE. *
+*************************************************************************************/
+
+/*
+The paylaod state will be defined as follows:
+
+u_int32_t payload_state = i|j|k1|k2
+
+i- 0ne byte
+j - One byte
+k1 -One byte
+k2 - One byte
+
+i- exchange type
+j- Message index
+k1- after payload
+k2- before payload
+*/
+
+/*'i' - exchange type is defined as in RFC as follows: u_int8_t*/
+
+#define ISAKMP_ETYPE_BASE 1 /* Base */
+#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
+/*#define ISAKMP_ETYPE_AUTH 3*/ /* Authentication Only */
+#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
+#define ISAKMP_ETYPE_INFO 5 /* Informational */
+#define ISAKMP_ETYPE_CFG 6 /* Mode config */
+#define ISAKMP_ETYPE_QUICK 32/* Quick Mode */
+#define ISAKMP_ETYPE_ALLPHASE1 0xfd
+#define ISAKMP_ETYPE_ALLPHASE2 0xfe
+#define ISAKMP_ETYPE_ALL 0xff
+
+/*'j' - Message Index - u_int8_t*/
+/*
+MSb:
+Initiator - 0
+Responsder - 1
+
+Next bit:
+Recv: 0
+Send: 1
+
+Next 6 bits:
+Message Index
+*/
+
+#define TPIKE_MIDX_INITIATOR 0x10
+#define TPIKE_MIDX_RESPONDER 0x20
+#define TPIKE_MIDX_RECEIVE 0x40
+#define TPIKE_MIDX_SEND 0x80
+#define TPIKE_MIDX_ANY 0x00
+
+#define TPIKE_MAX_MESSAGE 16
+
+#define ONE 1
+
+/*Initiator */
+
+#define INITIATOR_RECIEVE TPIKE_MIDX_INITIATOR|TPIKE_MIDX_RECEIVE
+#define INITIATOR_SEND TPIKE_MIDX_INITIATOR|TPIKE_MIDX_SEND
+
+/*Responder*/
+#define RESPONDER_RECEIVE TPIKE_MIDX_RESPONDER|TPIKE_MIDX_RECEIVE
+#define RESPONDER_SEND TPIKE_MIDX_RESPONDER|TPIKE_MIDX_SEND|(ONE)
+
+/*Initiator */
+
+#define INITIATOR_RECIEVE_ONE INITIATOR_RECIEVE|ONE
+#define INITIATOR_SEND_ONE INITIATOR_SEND|ONE
+
+#define INITIATOR_RECIEVE_TWO INITIATOR_RECIEVE|(ONE<<1)
+#define INITIATOR_SEND_TWO INITIATOR_SEND|(ONE<<1)
+
+#define INITIATOR_RCVD_THREE INITIATOR_RECIEVE|(ONE<<2)
+#define INITIATOR_SEND_THREE INITIATOR_SEND|(ONE<<2)
+
+/*Responder*/
+#define RESPONDER_RCVD_ONE RESPONDER_RECEIVE|(ONE)
+#define RESPONDER_SEND_ONE RESPONDER_SEND|(ONE)
+
+#define RESPONDER_RCVD_TWO RESPONDER_RECEIVE|(ONE<<1)
+#define RESPONDER_SEND_TWO RESPONDER_SEND|(ONE<<1)
+
+#define RESPONDER_RCVD_THREE RESPONDER_RECEIVE|(ONE<<2)
+#define RESPONDER_SEND_THREE RESPONDER_SEND|(ONE<<2)
+
+/*
+
+'k1' (is payload after) - u_int8_t
+'k2' (is payload before) - u_int8_t
+
+Wild card positions
+k1=k2=0 => First Payload in message
+k1=k2=0xff => Any, Last Payload in Message
+
+Relative position
+k1=0,k2=x => before payload x , where x- payload type defined below
+k1=x,k2=0 => after payload x , where x- payload type defined below
+k1=x,k2=y => after payload x and before payload y, where x,y - payload types defined below.
+
+Absolute position
+k1=k2=i => at absolute 'ith' payload. 1<=i<=0xfe
+
+*/
+
+#define ISAKMP_NPTYPE_SA 1 /* Security Association */
+#define ISAKMP_NPTYPE_P 2 /* Proposal */
+#define ISAKMP_NPTYPE_T 3 /* Transform */
+#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
+#define ISAKMP_NPTYPE_ID 5 /* Identification */
+#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
+#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
+#define ISAKMP_NPTYPE_HASH 8 /* Hash */
+#define ISAKMP_NPTYPE_SIG 9 /* Signature */
+#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
+#define ISAKMP_NPTYPE_N 11 /* Notification */
+#define ISAKMP_NPTYPE_D 12 /* Delete */
+#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
+#define ISAKMP_NPTYPE_ATTR 14 /* Attribute */
+
+#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
+#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */
+
+#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
+#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */
+
+/* 128 - 255 -Private Payloads */
+
+
+#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
+#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */
+#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
+
+#define GET_EXCH(x) ((((u_int32_t) (x) & 0xff000000) >> 24))
+#define SET_EXCH(x) (((u_int32_t)(x) << 24))
+#define GET_MIDX(x) ((((u_int32_t)(x) & 0x00ff0000) >> 16))
+#define SET_MIDX(x) (((u_int32_t) (x) << 16))
+#define GET_PAYLOAD_1(x) (((u_int32_t) (x) & 0x0000ff00) >> 8)
+#define GET_PAYLOAD_2(y) ((u_int32_t) (y) & 0xff)
+#define SET_PAYLOADS(x, y) ((((u_int32_t) (x) << 8) | (y)))
+
+#define MAKE_POS2(exch, j, payload1, payload2) \
+ (u_int32_t) (((exch) << 24) | \
+ (j << 16) | \
+ ((payload1) << 8) | \
+ ((payload2)))
+
+#define MAKE_POS(exch, initorresp, sendorrecv, messageno, payload1, payload2) \
+ ( (u_int32_t) MAKE_POS2(exch, ((initorresp)|(sendorrecv)|(messageno)) , payload1, payload2) )
Index: ipsec-tools-0.7.3/src/plugin_frame/registration.c
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/registration.c
@@ -0,0 +1,357 @@
+
+/************************************************************************************
+ * Copyright (c) 2005, Novell Inc., *
+ * All rights reserved. *
+ * *
+ * Redistribution and use in source and binary forms, with or without *
+ * modification, are permitted provided that the following conditions *
+ * are met: *
+ * 1. Redistributions of source code must retain the above copyright *
+ * notice, this list of conditions and the following disclaimer. *
+ * 2. Redistributions in binary form must reproduce the above copyright *
+ * notice, this list of conditions and the following disclaimer in the *
+ * documentation and/or other materials provided with the distribution. *
+ * 3. Neither the name of the Novell nor the names of its contributors *
+ * may be used to endorse or promote products derived from this software *
+ * without specific prior written permission. *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND *
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE *
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE *
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL *
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS *
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) *
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT *
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY *
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF *
+ * SUCH DAMAGE. *
+ *************************************************************************************/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <dlfcn.h>
+
+#include "config.h"
+/* Framework headers */
+#include "common.h"
+#include "framework.h"
+#include "hashtable.h"
+#include "error.h"
+
+/* Racoon headers for logging */
+#include "plog.h"
+#include "misc.h"
+
+/* Global plugininfo list */
+struct plugininfo *plugin_info = NULL;
+
+
+struct plugininfo *get_plugin_info(char *plugin_name)
+{
+ struct plugininfo *temp;
+
+ temp = plugin_info;
+ while(temp != NULL) {
+ if(strcmp(temp->plugin_name, plugin_name) == 0)
+ return temp;
+ temp = temp->next;
+ }
+ return NULL;
+}
+
+/************************************************************************************************************
+Function - is_plugin_registered
+Input - plugin name
+Output - pointer to the plugin
+Description - This will search for the plugin in the pluginInfo list based on the plugin name.
+************************************************************************************************************/
+
+u_int8_t is_plugin_registered(char *plugin_name)
+{
+ if(get_plugin_info(plugin_name))
+ return 1;
+
+ return 0;
+}
+
+/************************************************************************************************************
+Function - addPluginToList
+Input - plugin name
+Output - pointer to the plugin
+Description - This will add the plugin in the pluginInfo list based on the plugin name.
+************************************************************************************************************/
+struct plugininfo *add_plugin_to_list(char *plugin_name)
+{
+ struct plugininfo *newinfo, *temp;
+ int plugin_len = 0;
+
+ if(plugin_name == NULL)
+ return NULL;
+
+ newinfo = (struct plugininfo *)malloc(sizeof(struct plugininfo));
+ if(newinfo == NULL)
+ return NULL;
+
+ memset(newinfo,0,sizeof(newinfo));
+
+ plugin_len = strlen(plugin_name);
+
+ newinfo->plugin_name = (char *)malloc(plugin_len + 1);
+ if(newinfo->plugin_name == NULL) //malloc failed
+ return NULL;
+
+ memset(newinfo->plugin_name, 0, plugin_len + 1);
+ strncpy(newinfo->plugin_name, plugin_name, plugin_len);
+
+ newinfo->gprivdata = NULL;
+ newinfo->so_handle = NULL;
+ newinfo->next = NULL;
+
+ //add to end of list
+ temp = plugin_info;
+ if(!temp)
+ {
+ plugin_info = newinfo;
+ }
+ else
+ {
+ while(temp->next)
+ {
+ temp = temp->next;
+ }
+ temp->next = newinfo;
+ }
+ return newinfo;
+}
+
+
+/* *****************************************************************************/
+/* Function - removePluginFromList */
+/* Input - plugin name */
+/* Output - */
+/* Description - This will remove the plugin in the pluginInfo list */
+/* based on the plugin name */
+/* ******************************************************************************/
+void remove_plugin_from_list(char *plugin_name)
+{
+ struct plugininfo *toremove, *temp;
+
+ if(!strcmp(plugin_info->plugin_name, plugin_name))
+ {
+ toremove = plugin_info;
+ plugin_info = plugin_info->next;
+ //deep free plugin info
+ free_plugin_info_all(toremove);
+ free(toremove);
+ }
+ else
+ {
+ temp = plugin_info;
+ while(temp->next)
+ {
+ if(!strcmp(temp->next->plugin_name, plugin_name))
+ {
+ toremove = temp->next;
+ temp->next = temp->next->next;
+ //deep free plugin info
+ free_plugin_info_all(toremove);
+ free(toremove);
+ }
+ temp = temp->next;
+ }
+ }
+
+}
+
+void free_plugin_info_all(struct plugininfo *plugin)
+{
+ if(plugin->plugin_name)
+ free(plugin->plugin_name);
+ /* Plugin would have freed the private data by now */
+ /*
+ // No need to free so_handle as it never got allocated (9.3 racoon crash on disconnect problem fix )
+ if(plugin->so_handle)
+ free(plugin->so_handle);
+ */
+}
+
+/***************************************************************************
+ * Function - registerHandler
+ * Input - plugin name, hookpoint, handlerinfo
+ * Output - success or failure or already registered
+ * Description - This function will be called by the IKE plugin for each
+ * hookpoint to register the handlerinfo.
+ **************************************************************************/
+int tpike_register_handler(struct hookpoint *hp, struct handlerinfo *hi)
+{
+ int status;
+ struct plugininfo *plugin;
+
+ if((plugin = get_plugin_info(hi->plugin_name)) == NULL)
+ return TPIKE_ERR_PLUGIN_NOT_REGISTERED;
+
+ // update the handlerInfo for each hookpoint to have a backpointer to the plugin.
+ //handlerInfo->plugin = plugin;
+
+ //insert in hash table
+ status = insert_in_hash_bucket(hp, hi, plugin);
+
+ return status;
+}
+
+int tpike_deregister_handlers(char *plugin_name)
+{
+ /* just clean up the hash_table.
+TODO: Maintain a chain of handlers for each plugin,
+clean up only the handlers registered by this plugin
+*/
+ clear_hash_table ();
+ return 0;
+}
+
+int tpike_deregister_plugin_all()
+{
+ struct plugininfo *plugin = NULL;
+ char sym_name[256];
+ char *plugin_name = NULL;
+ int retval = TPIKE_ERR_PLUGIN_GENERIC;
+ int (*deregister_fn)(void *) = NULL;
+
+ //de-register all plugins
+ plugin = plugin_info;
+
+ while(plugin)
+ {
+ if (!plugin->so_handle)
+ return TPIKE_ERR_SO_LOAD_FAILURE;
+
+ plugin_name = plugin->plugin_name;
+
+ sprintf(sym_name, "turnpike_%s_deregister", plugin_name);
+ if (!(deregister_fn = dlsym(plugin->so_handle, sym_name)))
+ return TPIKE_ERR_SYM_LOAD_FAILURE;
+
+ plugin->deregister_fn = deregister_fn;
+
+ /* plugin's deregister function will clean-up private data
+ and deregister handlers */
+ retval = (*deregister_fn)(plugin->gprivdata);
+
+ /* plugin's IKE .so related clean-up is over, unload the .so */
+ if(retval == TPIKE_STATUS_SUCCESS)
+ retval = dlclose(plugin->so_handle);
+
+ plugin = plugin->next;
+
+ /* remove the plugin from the framework's plugin list */
+ if(!retval)
+ {
+ remove_plugin_from_list(plugin_name);
+ }
+ }
+ return retval;
+}
+
+int tpike_register_plugin(short ver, const char *pluginso, char *pluginname, void *cp)
+{
+ char sym_name[256] = "\0";
+ void *so_handle = NULL;
+ tpike_plugin_init_func_t *plugin_init_fn = NULL;
+ struct plugininfo *plugin = NULL;
+
+#if 0
+ plog(LLV_DEBUG2, LOCATION, NULL, "about to call so: %s plugin name is :%s \n",pluginso, pluginname);
+#else
+ printf("about to call so: %s plugin name is :%s \n",pluginso, pluginname);
+#endif
+ if (is_plugin_registered(pluginname) == 0 )
+ {
+ //Add this plugin to my plugin list
+ plugin = add_plugin_to_list(pluginname); //(plugin name)
+ if(plugin == NULL)
+ return TPIKE_ERR_PLUGIN_REGISTRATION_FAILURE;
+ }
+ else
+ {
+ plugin = get_plugin_info(pluginname);
+ }
+
+ //load plugin.
+ if (!plugin)
+ return TPIKE_ERR_PLUGIN_REGISTRATION_FAILURE;
+
+ sprintf(sym_name, "turnpike_%s_init", pluginname);
+
+ //so_handle = dlopen(pluginso, RTLD_LAZY);
+ if (!plugin->so_handle)
+ plugin->so_handle = dlopen(pluginso, RTLD_GLOBAL | RTLD_LAZY);
+
+ if (plugin->so_handle){
+#if 0
+ plog(LLV_DEBUG, LOCATION, NULL, "Opened so: %s -- Searching for symbol %s\n",pluginso, sym_name);
+#else
+ printf("Opened so: %s -- Searching for symbol %s\n",pluginso, sym_name);
+
+#endif
+
+ plugin_init_fn = dlsym(plugin->so_handle, sym_name);
+ }
+ else
+ {
+#if 0
+ plog(LLV_ERROR, LOCATION, NULL, "Failed opening so:%s, dlopen returned error:%s\n", pluginso, dlerror());
+#else
+ printf( "Failed opening so:%s, dlopen returned error:%s\n", pluginso, dlerror());
+
+#endif
+ //remove plugin from plugin list
+ remove_plugin_from_list(pluginname);
+ return TPIKE_ERR_SO_LOAD_FAILURE;
+ }
+
+#if 0
+ plog(LLV_DEBUG2, LOCATION, NULL, "About to call init at memory location %x with cp %x and plugin %x\n", plugin_init_fn, cp, plugin);
+#else
+ printf("About to call init at memory location %p with cp %p and plugin %p\n", plugin_init_fn,
+ cp, plugin);
+
+#endif
+
+ if(plugin_init_fn){
+ (*plugin_init_fn)(ver, cp, &(plugin->gprivdata)); //(short, void *cp, void **gp)
+ plugin->init_fn = plugin_init_fn;
+ }
+ else
+ {
+ //remove plugin from plugin list
+ // Commenting for debugging
+ remove_plugin_from_list(pluginname);
+ return TPIKE_ERR_SYM_LOAD_FAILURE;
+ }
+#ifndef NODEBUG
+ dump_hash();
+#endif
+
+ return 0;
+}
+
+int tpike_plugin_getdata(short ver, char *pluginname, int inlen, char *inbuf,
+ int *outlen, char **outbuf)
+{
+ struct plugininfo *plugin = NULL;
+ char sym_name[256];
+ tpike_plugin_getdata_func_t *getdata_fn = NULL;
+
+ if ((plugin = get_plugin_info(pluginname)) == NULL)
+ return TPIKE_ERR_PLUGIN_NOT_REGISTERED;
+
+ if (!plugin->so_handle)
+ return TPIKE_ERR_SO_LOAD_FAILURE;
+ sprintf(sym_name, "turnpike_%s_getdata", pluginname);
+ if (!(getdata_fn = dlsym(plugin->so_handle, sym_name)))
+ return TPIKE_ERR_SYM_LOAD_FAILURE;
+ plugin->getdata_fn = getdata_fn;
+ return (int) ((*getdata_fn)(ver, plugin->gprivdata, inlen, inbuf, outlen, outbuf));
+}
+
Index: ipsec-tools-0.7.3/src/plugin_frame/Makefile.am
===================================================================
--- /dev/null
+++ ipsec-tools-0.7.3/src/plugin_frame/Makefile.am
@@ -0,0 +1,17 @@
+include_plugin_framedir = ${includedir}/plugin_frame
+
+noinst_LTLIBRARIES = libplugin_frame.la
+
+INCLUDES=-I${srcdir}/../racoon/ -I${srcdir}/../libipsec/
+AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
+ -DADMINPORTDIR=\"${adminsockdir}\"
+
+libplugin_frame_la_SOURCES = \
+ hashtable.c registration.c dispatch.c
+
+libplugin_framedir = $(includedir)/plugin_frame
+
+include_plugin_frame_HEADERS= \
+ hashtable.h common.h framework.h error.h position.h
+
+libplugin_frame_la_LDFLAGS = -version-info 1:0:0 -static
Index: ipsec-tools-0.7.3/src/Makefile.am
===================================================================
--- ipsec-tools-0.7.3.orig/src/Makefile.am
+++ ipsec-tools-0.7.3/src/Makefile.am
@@ -1,3 +1,3 @@
-SUBDIRS = @INCLUDE_GLIBC@ libipsec setkey racoon
+SUBDIRS = @INCLUDE_GLIBC@ plugin_frame libipsec setkey racoon
-DIST_SUBDIRS = include-glibc libipsec setkey racoon
+DIST_SUBDIRS = include-glibc plugin_frame libipsec setkey racoon
Index: ipsec-tools-0.7.3/src/racoon/admin.h
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/admin.h
+++ ipsec-tools-0.7.3/src/racoon/admin.h
@@ -77,11 +77,22 @@ struct admin_com {
*/
#define ADMIN_ESTABLISH_SA_PSK 0x0203
+/* 0x03xx is used for supporting plugin_frame features*/
+#define ADMIN_PUSH_PHASE1CONFIG 0x0301
+#define ADMIN_PUSH_PHASE1PROPOSAL 0x0302
+#define ADMIN_PUSH_PHASE2CONFIG 0x0303
+#define ADMIN_DISCONNECT_DST 0x0304
+#define ADMIN_REPARSE_RACOON_CONF 0x0305
+#define ADMIN_REPLACE_SAINFO 0x0306
+#define ADMIN_SET_VENDOR_CONFIG_DATA 0x0307
+#define ADMIN_GET_VENDOR_PRIV_DATA 0X0308
+
/*
* user login follows
*/
#define ADMIN_LOGOUT_USER 0x0205 /* Delete SA for a given Xauth user */
+
/*
* Range 0x08xx is reserved for privilege separation, see privsep.h
*/
@@ -93,6 +104,11 @@ struct admin_com {
#define ADMIN_PROTO_ESP 0x0202
#define ADMIN_PROTO_INTERNAL 0x0301
+/* the value of policy action for supporting plugin_frame features*/
+#define ACTION_ENCRYPT 0x0000
+#define ACTION_DENY 0x0001
+#define ACTION_BYPASS 0x0002
+
struct admin_com_indexes {
u_int8_t prefs;
u_int8_t prefd;
@@ -109,6 +125,89 @@ struct admin_com_psk {
/* Followed by id and key */
};
+struct peer_identifier {
+ u_int8_t id_type;
+ u_int16_t id_len;
+ char idv[1];
+};
+
+struct admin_com_ph1config {
+ struct sockaddr_storage dst;
+ u_int8_t mode; /* exchange type*/
+ u_int8_t verify_cert;
+ u_int8_t verify_identifier;
+ u_int8_t my_identifier_type;
+ u_int16_t my_identifier_len;
+ u_int16_t num_peer_identifier;
+ char id[1];
+ /* id[1] format:my_identifier followed by peer_identifier struct(s)*/
+};
+
+struct admin_com_ph1proposal {
+ u_int8_t encryption_algo;
+ u_int8_t hash_algo;
+ u_int8_t auth_method;
+ u_int8_t dh_group;
+};
+
+struct admin_com_ph1proposal_list{
+ struct sockaddr_storage dst;
+ u_int8_t num_proposal; /* number of proposals being sent */
+ struct admin_com_ph1proposal ph1proposal[1];/* if num_proposal > 1, */
+ /*this will be a list of proposals */
+};
+
+struct admin_com_ph2_ikeattrib {
+ u_int8_t pfs_group;
+ u_int8_t encryption_algorithm;
+ u_int8_t authentication_algorithm;
+ u_int8_t compression_algorithm;
+ u_int32_t lifetime;
+};
+
+struct admin_com_ph2policy {
+ struct sockaddr_storage dst_addr;
+ u_int8_t dst_prefixlen;
+ u_int8_t upperspec;
+ u_int8_t direction;
+ u_int8_t action;
+ u_int8_t protocol;
+ u_int8_t mode;
+};
+
+struct admin_com_ph2config {
+ struct sockaddr_storage src_end_point;
+ struct sockaddr_storage dst_end_point;
+ short num_ph2_policies;
+ char pad;
+ char policy[1];
+};
+
+typedef struct {
+ int addrtype; /* Use IPSECDOI_ID_xxxx_xxxx types. eg. IPSECDOI_ID_IPV4_ADDR */
+ union {
+ struct sockaddr_storage addr;
+ struct {
+ struct sockaddr_storage laddr;
+ struct sockaddr_storage haddr;
+ } range;
+ } addrt;
+} admin_com_addrinfo;
+
+struct admin_com_replace_sainfo{
+ admin_com_addrinfo old_src_addr;
+ admin_com_addrinfo old_dst_addr;
+ admin_com_addrinfo new_src_addr;
+ admin_com_addrinfo new_dst_addr;
+ struct sockaddr_storage peeraddr;
+};
+
+
extern int admin2pfkey_proto __P((u_int));
+#define POLICY_STR_LEN 512
+
+/* TEMPORARY STUFF for supporting plugin_frame */
+extern int add_default_policy_to_SPD(int);
+
#endif /* _ADMIN_H */
Index: ipsec-tools-0.7.3/src/racoon/admin.c
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/admin.c
+++ ipsec-tools-0.7.3/src/racoon/admin.c
@@ -5,7 +5,7 @@
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -17,7 +17,7 @@
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -40,6 +40,7 @@
#include <sys/stat.h>
#include <sys/un.h>
+#include <arpa/inet.h>
#include <net/pfkeyv2.h>
#include <netinet/in.h>
@@ -85,16 +86,37 @@
#include "session.h"
#include "gcmalloc.h"
+#include "algorithm.h"
+#include "sainfo.h"
+
+#ifdef PLUGINS_SUPPORT
+#include "plugin_frame/common.h"
+#endif
+
+#include "cfparse_proto.h"
+
#ifdef ENABLE_ADMINPORT
char *adminsock_path = ADMINSOCK_PATH;
uid_t adminsock_owner = 0;
gid_t adminsock_group = 0;
mode_t adminsock_mode = 0600;
+static const char *protocol[] = {
+ "esp", "ah", "ipcomp"
+};
+
+static const char *mode[] = {
+ "tunnel", "transport"
+};
+
static struct sockaddr_un sunaddr;
static int admin_process __P((int, char *));
static int admin_reply __P((int, struct admin_com *, vchar_t *));
+static void isakmp_flush_sa __P((struct ph1handle *, char *, char *));
+int add_policy_to_SPD __P((struct sockaddr_storage *,
+ struct sockaddr_storage *, struct admin_com_ph2policy *));
+
int
admin_handler()
{
@@ -166,7 +188,7 @@ admin_handler()
/*
* main child's process.
*/
-static int
+int
admin_process(so2, combuf)
int so2;
char *combuf;
@@ -177,6 +199,7 @@ admin_process(so2, combuf)
vchar_t *key = NULL;
int idtype = 0;
int error = -1;
+ int i = 0;
com->ac_errno = 0;
@@ -210,7 +233,7 @@ out2:
case ADMIN_SHOW_EVT:
/* It's not really an error, don't force racoonctl to quit */
if ((buf = evt_dump()) == NULL)
- com->ac_errno = 0;
+ com->ac_errno = 0;
break;
case ADMIN_SHOW_SA:
@@ -290,7 +313,7 @@ out2:
STRDUP_FATAL(rem);
if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(LLV_ERROR, LOCATION, NULL,
"phase 1 for %s -> %s not found\n", loc, rem);
} else {
if (iph1->status == PHASE1ST_ESTABLISHED)
@@ -320,7 +343,7 @@ out2:
user[len] = 0;
found = purgeph1bylogin(user);
- plog(LLV_INFO, LOCATION, NULL,
+ plog(LLV_INFO, LOCATION, NULL,
"deleted %d SA for user \"%s\"\n", found, user);
break;
@@ -339,7 +362,7 @@ out2:
rem = racoon_strdup(saddrwop2str(dst));
STRDUP_FATAL(rem);
- plog(LLV_INFO, LOCATION, NULL,
+ plog(LLV_INFO, LOCATION, NULL,
"Flushing all SAs for peer %s\n", rem);
while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
@@ -365,14 +388,14 @@ out2:
com->ac_cmd = ADMIN_ESTABLISH_SA;
acp = (struct admin_com_psk *)
- ((char *)com + sizeof(*com) +
+ ((char *)com + sizeof(*com) +
sizeof(struct admin_com_indexes));
idtype = acp->id_type;
if ((id = vmalloc(acp->id_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
+ "cannot allocate memory: %s\n",
strerror(errno));
break;
}
@@ -381,7 +404,7 @@ out2:
if ((key = vmalloc(acp->key_len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
+ "cannot allocate memory: %s\n",
strerror(errno));
vfree(id);
id = NULL;
@@ -455,7 +478,7 @@ out2:
rmconf->xauth->pass = key;
}
#endif
-
+
plog(LLV_INFO, LOCATION, NULL,
"accept a request to establish IKE-SA: "
"%s\n", saddrwop2str(remote));
@@ -481,6 +504,626 @@ out1:
}
}
break;
+#ifdef ENABLE_AP_CLIENTMODE
+ case ADMIN_PUSH_PHASE1CONFIG:
+ {
+ struct sockaddr *dst = NULL;
+ struct remoteconf *remoteconf = NULL, *new_rmconf = NULL;
+ struct admin_com_ph1config *ph1ptr = NULL;
+ struct idspec *id = NULL;
+ vchar_t *my_id = NULL;
+ vchar_t *peer_id_val = NULL;
+
+#if 0
+ cfreparse();
+#endif
+
+ ph1ptr = (struct admin_com_ph1config *)
+ ((caddr_t)com + sizeof(*com));
+
+ dst = (struct sockaddr *)&ph1ptr->dst;
+
+ remoteconf = getrmconf(dst);
+
+ if(!remoteconf || remoteconf->remote->sa_family == AF_UNSPEC){
+ /* we've hit the anonymous remote configuration */
+ remoteconf = new_rmconf = newrmconf();
+ if(remoteconf == NULL){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get new remoteconf\n");
+ goto out;
+ }
+ remoteconf->remote = (struct sockaddr *)
+ racoon_calloc(1,sizeof(struct sockaddr));
+ if(remoteconf->remote == NULL){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to allocate for remote IPAddr\n");
+ delrmconf(remoteconf);
+ goto out;
+ }
+ memcpy(remoteconf->remote, dst, sizeof(struct sockaddr));
+ }
+
+ if(remoteconf->etypes == NULL){
+ remoteconf->etypes = (struct etypes *)racoon_calloc
+ (1,sizeof(struct etypes));
+ if(remoteconf->etypes == NULL){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to allocate for exchange type list\n");
+ delrmconf(remoteconf);
+ goto out;
+ }
+ }
+
+ remoteconf->etypes->type = ph1ptr->mode;
+ remoteconf->proposal = NULL;
+ remoteconf->verify_cert = ph1ptr->verify_cert;
+#if 0
+ //changes to be made - begin
+ remoteconf->certtype = ISAKMP_CERT_X509SIGN;
+ remoteconf->mycertfile = strdup("usercert.pem");
+ remoteconf->myprivfile = strdup("userkeyunenc.pem");
+ //changes to be made - end
+
+
+ remoteconf->certtype = ph1ptr->certtype;
+ strcpy(remoteconf->mycertfile, ph1ptr->mycertfile);
+ strcpy(remoteconf->myprivfile,ph1ptr->myprivfile);
+ strcpy(remoteconf->peerscertfile,ph1ptr->peerscertfile);
+#endif
+ /* my Identifier */
+ remoteconf->idvtype = ph1ptr->my_identifier_type;
+ if(ph1ptr->my_identifier_len > 0){
+ /* populate my_identifier's value */
+ if ((my_id = vmalloc(ph1ptr->my_identifier_len))
+ == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot allocate memory: %s\n",
+ strerror(errno));
+ delrmconf(remoteconf);
+ goto out;
+ }
+ memcpy(my_id->v, ph1ptr->id, my_id->l);
+
+ if(set_identifier(&remoteconf->idv,
+ remoteconf->idvtype, my_id) != 0){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to set my identifier\n");
+
+ vfree(my_id);
+ delrmconf(remoteconf);
+ goto out;
+ }
+ }
+
+ /* peer Identifiers */
+ remoteconf->verify_identifier = ph1ptr->verify_identifier;
+
+ if(remoteconf->verify_identifier == TRUE){
+ int i = 0, peer_id_hdrlen = 0;
+ struct peer_identifier *peer_id =
+ (struct peer_identifier *)
+ (ph1ptr->id+ph1ptr->my_identifier_len);
+
+ peer_id_hdrlen = sizeof(struct peer_identifier);
+
+ for( ; i < ph1ptr->num_peer_identifier ;
+ i++, peer_id += peer_id_hdrlen + peer_id->id_len - 1){
+ id = newidspec();
+ if (id == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate idspec\n");
+ delrmconf(remoteconf);
+ vfree(my_id);
+ racoon_free(id);
+ goto out;
+ }
+
+ /* populate peer_identifier's value */
+ if ((peer_id_val = vmalloc(peer_id->id_len)) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "cannot allocate memory: %s\n",
+ strerror(errno));
+ racoon_free(id);
+ vfree(my_id);
+ delrmconf(remoteconf);
+ goto out;
+ }
+ memcpy(peer_id_val->v, peer_id->idv, peer_id_val->l);
+
+ if (set_identifier
+ (&id->id, peer_id->id_type, peer_id_val) != 0){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to set identifer\n");
+ vfree(peer_id_val);
+ racoon_free(id);
+ vfree(my_id);
+ delrmconf(remoteconf);
+ goto out;
+ }
+ id->idtype = peer_id->id_type;
+ genlist_append (remoteconf->idvl_p, id);
+ }
+ }
+ if (new_rmconf)
+ insrmconf(remoteconf);
+ }
+ break;
+ case ADMIN_PUSH_PHASE1PROPOSAL:
+ {
+ struct admin_com_ph1proposal_list *ph1_proposal_list = NULL;
+ struct admin_com_ph1proposal *ph1_proposal = NULL;
+ struct sockaddr *dst = NULL;
+ struct remoteconf *remoteconf = NULL;
+ struct proposalspec *prspec = NULL;
+ struct isakmpsa *new_proposal = NULL;
+ int i = 0;
+
+ ph1_proposal_list =
+ (struct admin_com_ph1proposal_list *)
+ ((caddr_t)com + sizeof(*com));
+
+ ph1_proposal = ph1_proposal_list->ph1proposal;
+ dst = (struct sockaddr *)&ph1_proposal_list->dst;
+
+ remoteconf = getrmconf_strict(dst,0);
+ if(!remoteconf || remoteconf->remote->sa_family == AF_UNSPEC){
+ /* we've hit the anonymous remote configuration */
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to get remoteconf for %s\n",
+ saddr2str(dst));
+ goto out;
+ }
+
+ /* Got the corresponding remoteconf. Add the policies */
+ for (i = 0;i<ph1_proposal_list->num_proposal;
+ i++, ph1_proposal++){
+ new_proposal = newisakmpsa();
+ if (new_proposal == NULL){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Failed to allocate new isakmpsa\n");
+ goto out;
+ }
+ new_proposal->lifetime = oakley_get_defaultlifetime();
+ new_proposal->enctype = ph1_proposal->encryption_algo;
+ new_proposal->authmethod = ph1_proposal->auth_method;
+ new_proposal->hashtype = ph1_proposal->hash_algo;
+ new_proposal->dh_group = ph1_proposal->dh_group;
+
+ insisakmpsa(new_proposal, remoteconf);
+ }
+
+ /* DH group settting if aggressive mode is there. */
+ if (check_etypeok(remoteconf, ISAKMP_ETYPE_AGG) != NULL) {
+ struct isakmpsa *p;
+ int b = 0;
+
+ /* DH group */
+ for (p = remoteconf->proposal; p; p = p->next) {
+ if (b == 0 || (b && b == p->dh_group)) {
+ b = p->dh_group;
+ continue;
+ }
+ plog(LLV_ERROR, LOCATION, NULL,
+ "DH group must be equal "
+ "in all proposals "
+ "when aggressive mode is "
+ "used\n");
+ goto out;
+ }
+ remoteconf->dh_group = b;
+
+ if (remoteconf->dh_group == 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "DH group must be set in the proposal\n");
+ goto out;
+ }
+
+ /* DH group settting if PFS is required. */
+ if (oakley_setdhgroup(remoteconf->dh_group,
+ &remoteconf->dhgrp) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to set DH value.\n");
+ goto out;
+ }
+ }
+ }
+ break;
+ case ADMIN_PUSH_PHASE2CONFIG:
+ {
+ struct admin_com_ph2config *ph2ptr = NULL;
+ struct admin_com_ph2policy *ph2policy = NULL;
+ struct admin_com_ph2_ikeattrib *ph2ikeattrib = NULL;
+ struct sainfo *new_sainfo = NULL,
+ *check = NULL,
+ *old_sainfo = NULL;
+ struct sockaddr_storage *src_end_point = NULL,
+ *dst_end_point = NULL;
+ struct sainfoalg *alg = NULL;
+ struct sockaddr *dst_addr = NULL;
+ vchar_t *s_id = NULL, *d_id = NULL;
+ short num_ph2_policies = 0;
+ int i = 0, sa_count = 0;
+ int encalgtype = 0, hmacalgtype = 0;
+
+
+ ph2ptr = (struct admin_com_ph2config *)
+ ((caddr_t)com + sizeof(*com));
+ ph2policy = (struct admin_com_ph2policy *)(ph2ptr->policy);
+
+ for(; i < ph2ptr->num_ph2_policies; i++, ph2policy++){
+ /* push policy to SPD */
+ if (add_policy_to_SPD
+ (&ph2ptr->src_end_point, &ph2ptr->dst_end_point,
+ ph2policy) == -1)
+ continue;
+ }
+
+ }
+ break;
+ case ADMIN_DISCONNECT_DST:
+ {
+ struct ph1handle *iph1;
+ struct sockaddr *dst;
+ char *loc, *rem;
+ int pfkey_proto, pfkey_so;;
+
+ dst = (struct sockaddr *)
+ &((struct admin_com_indexes *)
+ ((caddr_t)com + sizeof(*com)))->dst;
+
+ if ((rem = strdup(saddrwop2str(dst))) == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate memory\n");
+ break;
+ }
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing all SA for peer %s\n", rem);
+
+ while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
+ if ((loc = strdup(saddrwop2str(iph1->local))) == NULL){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate memory\n");
+ break;
+ }
+
+ /* flush all SAs associated with this connection */
+ if((pfkey_so = pfkey_open()) < 0){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_open failed\n");
+ }
+ else {
+ //pfkey_proto = admin2pfkey_proto(com->ac_proto);
+ //struct sockaddr_in sa_dst, sa_src;
+ if(pfkey_send_spdflush(pfkey_so) == -1){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_send_spdflush failed\n");
+ }
+ if(pfkey_send_flush(
+ pfkey_so, SADB_SATYPE_UNSPEC) == -1){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "pfkey_send_sadflush failed\n");
+ }
+ /* sa_dst.sin_family = AF_INET;
+ sa_dst.sin_addr.s_addr = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
+ sa_dst.sin_port = 0;
+
+ sa_src.sin_family = AF_INET;
+ sa_src.sin_addr.s_addr = ((struct sockaddr_in *)(iph1->local))->sin_addr.s_addr;
+ sa_src.sin_port = 0;
+
+ if (pfkey_send_delete_all(pfkey_so,
+ pfkey_proto, IPSEC_MODE_TUNNEL,
+ (struct sockaddr *)&sa_src, (struct sockaddr *)&sa_dst) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "delete_all %s -> %s failed \n",
+ rem, loc
+ );
+ }
+ */
+ pfkey_close(pfkey_so);
+ }
+ isakmp_flush_sa(iph1, loc, rem);
+
+ racoon_free(loc);
+ }
+ racoon_free(rem);
+#ifdef PLUGINS_SUPPORT
+ tpike_deregister_plugin_all();
+#endif
+ }
+ break;
+ case ADMIN_REPARSE_RACOON_CONF:
+ {
+ int file_name_len;
+ char conf_file_name[512];
+ struct stat finfo;
+ caddr_t recvd_data = NULL;
+
+ /* Get the params */
+ recvd_data = (caddr_t)com + sizeof(*com);
+ file_name_len = *((int *)(recvd_data));
+ recvd_data += sizeof(int);
+
+ if (file_name_len >= sizeof(conf_file_name))
+ goto out;
+
+ memcpy(conf_file_name,
+ (char *)(recvd_data), file_name_len);
+
+ conf_file_name[file_name_len] = '\0';
+
+ /* Check for File security */
+ if (stat(conf_file_name, &finfo) != 0){
+ plog(LLV_ERROR, LOCATION, NULL,
+ "stat failed for file %s : %s\n",
+ conf_file_name, strerror(errno));
+ goto out;
+ }
+ /* Checking to see if the file has the same owner or group
+ * as adminsock
+ */
+ if ((finfo.st_uid != adminsock_owner) &&
+ (finfo.st_gid != adminsock_group)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Group for the conf file %s does not match"
+ "with the group of admin port(%d:%d)\n",
+ conf_file_name, finfo.st_gid, adminsock_group);
+ goto out;
+ }
+
+
+ /* Verify that the file does not give more
+ * permissions than what is allowed for adminsock
+ */
+ mode_t curr_mode = finfo.st_mode & ~S_IFMT;
+
+ if ((curr_mode & adminsock_mode) != curr_mode) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "File does not have correct permissions. "
+ "Expected : %d Has : %d\n",
+ adminsock_mode, (curr_mode & S_IRWXU));
+ goto out;
+ }
+ setracoonconf(conf_file_name);
+ kill (getpid(), SIGHUP);
+ }
+ break;
+ case ADMIN_REPLACE_SAINFO:
+ {
+ struct admin_com_replace_sainfo *ap_replace_sai = NULL;
+ struct sainfo *old_sainfo = NULL, *new_sainfo = NULL;
+ admin_com_addrinfo *src = NULL, *dst = NULL;
+ struct sockaddr_in *temp_addr;
+ vchar_t *s_id = NULL, *d_id = NULL, *p_id = NULL, *temp_id = NULL,
+ *new_s_id = NULL, *new_d_id = NULL;
+ int sa_count = 0;
+ int remoteid = 0;
+ int new_remoteid = 0;
+ struct remoteconf *conf = NULL; /// get the remoteid
+
+ ap_replace_sai = (struct admin_com_replace_sainfo *)
+ ((caddr_t)com + sizeof(*com));
+
+ s_id = get_ipsecdoi_id(&(ap_replace_sai->old_src_addr),
+ IPSEC_ULPROTO_ANY);
+
+ d_id = get_ipsecdoi_id(&(ap_replace_sai->old_dst_addr), IPSEC_ULPROTO_ANY);
+
+ p_id = ipsecdoi_sockaddr2id((struct sockaddr *)&(ap_replace_sai->peeraddr),
+ sizeof(struct in_addr),
+ IPSEC_ULPROTO_ANY);
+ ipsecdoi_idtype2doi(p_id);
+
+ src = &(ap_replace_sai->new_src_addr);
+ dst = &(ap_replace_sai->new_dst_addr);
+
+
+ new_s_id = get_ipsecdoi_id(src, IPSEC_ULPROTO_ANY);
+ new_d_id = get_ipsecdoi_id(dst, IPSEC_ULPROTO_ANY);
+
+
+ temp_addr = (struct sockaddr_in *)&(ap_replace_sai->old_src_addr.addrt.addr);
+ printf("Old src addr : %x\n",
+ temp_addr->sin_addr.s_addr
+ );
+ temp_addr = (struct sockaddr_in *)&(ap_replace_sai->old_dst_addr.addrt.addr);
+ printf("Old dst addr : %x\n",
+ temp_addr->sin_addr.s_addr
+ );
+
+ temp_addr = (struct sockaddr_in *)&(ap_replace_sai->new_src_addr.addrt.addr);
+ printf("New src addr : %x\n",
+ temp_addr->sin_addr.s_addr
+ );
+
+ temp_addr = (struct sockaddr_in *)&(ap_replace_sai->new_dst_addr.addrt.addr);
+ printf("New dst addr : %x\n",
+ temp_addr->sin_addr.s_addr
+ );
+
+ /// how to get the remote addr?
+ conf = getrmconf((struct sockaddr *)&(ap_replace_sai->old_dst_addr.addrt.addr));
+ if (conf != NULL) {
+ remoteid = conf->ph1id;
+ plog(LLV_DEBUG, LOCATION, NULL, "Get remoteid success(%d).\n", remoteid);
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
+ remoteid = 0;
+ }
+
+ /// how to get the remote addr?
+ conf = getrmconf((struct sockaddr *)&(ap_replace_sai->new_dst_addr.addrt.addr));
+ if (conf != NULL) {
+ new_remoteid = conf->ph1id;
+ plog(LLV_DEBUG, LOCATION, NULL, "Get new_remoteid success(%d).\n", remoteid);
+ } else {
+ plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
+ new_remoteid = 0;
+ }
+
+ do {
+ sa_count++;
+ // getsainfo(loc, rmt, peer, remoteid)
+ old_sainfo = getsainfo(s_id, d_id, NULL, remoteid);
+
+ if (old_sainfo && old_sainfo->idsrc){
+ /* Corressponding Entry found.
+ * Allocate a new sa_info struct
+ * copy the new addresses
+ * delete the old one and insert the new one
+ */
+ new_sainfo = dupsainfo(old_sainfo);
+ if (new_sainfo == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to allocate sainfo\n");
+ if (sa_count == 2){
+ /* Remove already added policy */
+ new_sainfo =
+ getsainfo(new_s_id, new_d_id, p_id, new_remoteid);
+ if ((new_sainfo) &&
+ (new_sainfo->idsrc != NULL)){
+ /* Not an anonymous entry */
+ remsainfo(new_sainfo);
+ delsainfo(new_sainfo);
+ }
+ }
+ goto out;
+ }
+ new_sainfo->idsrc = new_s_id;
+ new_sainfo->iddst = new_d_id;
+
+ inssainfo(new_sainfo);
+ remsainfo(old_sainfo);
+ delsainfo(old_sainfo);
+ }
+ else{
+ /*
+ plog(LLV_ERROR, LOCATION, NULL,
+ "No matching sa_info found. Src(%s):Dst(%s)",
+ saddr2str((struct sockaddr *)&(src->addrt.addr)), saddr2str((struct sockaddr *)&(dst->addrt.addr)));
+ */
+ plog(LLV_ERROR, LOCATION, NULL,
+ "No matching sa_info found...\n");
+ goto out;
+ }
+
+ //Repeat for the opposite direction
+ temp_id = s_id;
+ s_id = d_id;
+ d_id = temp_id;
+
+ temp_id = new_s_id;
+ new_s_id = vdup(new_d_id);
+ new_d_id = vdup(temp_id);
+
+ } while (sa_count < 2);
+ }
+ break;
+ case ADMIN_GET_VENDOR_PRIV_DATA:
+ {
+ caddr_t vendor_conf_opq_data = NULL;
+
+ vendor_conf_opq_data = (caddr_t)com + sizeof(*com);
+#ifdef PLUGINS_SUPPORT
+ {
+ size_t *gw_type_len = NULL;
+ size_t *inbuf_len = NULL;
+ int outbuf_len = 0;
+ char gw_type[128];
+ caddr_t inbuf = NULL, outbuf = NULL;
+ caddr_t plugin_private_data = NULL;
+ short *ver = NULL;
+
+ /*
+ * The private data structure is as follows:
+ * Version +
+ * Gateway type in LV Format +
+ * Private data to be passed on to the IKE Plugin in LV Format
+ */
+
+ /* Version */
+ ver = (short *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(short);
+
+ /* Gateway Type in LV format */
+ gw_type_len = (size_t *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(size_t);
+
+ memcpy(gw_type, (char *)vendor_conf_opq_data,
+ *gw_type_len);
+ gw_type[*gw_type_len] = '\0';
+ vendor_conf_opq_data += *gw_type_len;
+
+ /* Length of private data */
+ inbuf_len = (size_t *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(size_t);
+ inbuf = vendor_conf_opq_data;
+
+ tpike_plugin_getdata(*ver, gw_type, *inbuf_len, inbuf,
+ &outbuf_len, &outbuf);
+
+ for (i = 0; i < sizeof(u_int32_t) * 2; i++)
+ plog(LLV_DEBUG, LOCATION, NULL, "0x%2x ", *(((char *)outbuf) + i));
+ plog(LLV_DEBUG, LOCATION, NULL, "\n");
+
+ buf = vmalloc(outbuf_len);
+ if (buf == NULL)
+ com->ac_errno = -1;
+ else
+ memcpy(buf->v, outbuf, outbuf_len);
+
+ }
+#endif
+ }
+ break;
+ case ADMIN_SET_VENDOR_CONFIG_DATA :
+ {
+ caddr_t vendor_conf_opq_data = NULL;
+
+ vendor_conf_opq_data = (caddr_t)com + sizeof(*com);
+
+#ifdef PLUGINS_SUPPORT
+ {
+ size_t *gw_type_len = NULL, *plugin_so_len = NULL;
+ char plugin_so[256] = {'\0'}, gw_type[128] = {'\0'};
+ caddr_t plugin_private_data = NULL;
+ short *ver = NULL;
+ /*
+ * The Private data structure is as follows:
+ * Version no(short) +
+ * Length of the Gateway type string(int) +
+ * Gateway type string (char *)+
+ * Length of Plugin so name string(int) +
+ * Name of the plugin so(char *) +
+ * Private Data to be passed on to the IKE plugin(void *)
+ */
+
+ /* Get Version info */
+ ver = (short *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(short);
+
+ /* Gateway type in LV format */
+ gw_type_len = (size_t *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(size_t);
+ memcpy(gw_type, (char *)vendor_conf_opq_data, *gw_type_len);
+ gw_type[*gw_type_len] = '\0';
+ vendor_conf_opq_data += *gw_type_len;
+
+ /* Plugin so name in LV format */
+ plugin_so_len = (size_t *)vendor_conf_opq_data;
+ vendor_conf_opq_data += sizeof(size_t);
+ memcpy(plugin_so, (char *)vendor_conf_opq_data, *plugin_so_len );
+ plugin_so[*plugin_so_len] = '\0';
+ vendor_conf_opq_data += *plugin_so_len;
+
+ tpike_register_plugin(*ver,plugin_so,gw_type,vendor_conf_opq_data);
+ }
+#endif
+ }
+ break;
+#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
@@ -589,17 +1232,17 @@ admin_init()
}
if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chown(%s, %d, %d): %s\n",
- sunaddr.sun_path, adminsock_owner,
+ plog(LLV_ERROR, LOCATION, NULL,
+ "chown(%s, %d, %d): %s\n",
+ sunaddr.sun_path, adminsock_owner,
adminsock_group, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
}
if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chmod(%s, 0%03o): %s\n",
+ plog(LLV_ERROR, LOCATION, NULL,
+ "chmod(%s, 0%03o): %s\n",
sunaddr.sun_path, adminsock_mode, strerror(errno));
(void)close(lcconf->sock_admin);
return -1;
@@ -624,5 +1267,153 @@ admin_close()
close(lcconf->sock_admin);
return 0;
}
+
+#ifdef ENABLE_AP_CLIENTMODE
+int
+add_policy_to_SPD(src_end_point, dst_end_point, policy)
+ struct sockaddr_storage *src_end_point;
+ struct sockaddr_storage *dst_end_point;
+ struct admin_com_ph2policy *policy;
+{
+ char outpolicystr[POLICY_STR_LEN], inpolicystr[POLICY_STR_LEN];
+ char *policyout = NULL, *policyin = NULL;
+ char *local_ip_addr = NULL, *remote_ip_addr = NULL;
+
+ struct sockaddr srcaddr;
+ struct sockaddr dstaddr;
+ struct sockaddr *addr = NULL;
+
+ addr = (struct sockaddr *)src_end_point;
+ local_ip_addr = strdup(saddrwop2str(addr));
+
+ addr = (struct sockaddr *)dst_end_point;
+ remote_ip_addr = strdup(saddrwop2str(addr));
+
+ /* end-points and policy for outbound trafic */
+ switch(policy->action){
+ case ACTION_ENCRYPT:
+ sprintf(outpolicystr, "out ipsec %s/%s/%s-%s/unique",
+ protocol[policy->protocol], mode[policy->mode],
+ local_ip_addr,remote_ip_addr);
+ sprintf(inpolicystr, "in ipsec %s/%s/%s-%s/unique",
+ protocol[policy->protocol], mode[policy->mode],
+ remote_ip_addr,local_ip_addr);
+ break;
+ case ACTION_BYPASS:
+ sprintf(outpolicystr, "out none");
+ sprintf(inpolicystr, "in none");
+ break;
+ case ACTION_DENY:
+ sprintf(outpolicystr, "out discard");
+ sprintf(inpolicystr, "in discard");
+ break;
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "Unknown policy action\n");
+ }
+ /* set outbound policy */
+ policyout = ipsec_set_policy(outpolicystr, strlen(outpolicystr));
+ /* set inbound policy */
+ policyin = ipsec_set_policy(inpolicystr, strlen(inpolicystr));
+
+ racoon_free(local_ip_addr);
+ racoon_free(remote_ip_addr);
+
+ /* Add the policy to SPD */
+ bzero(&srcaddr, sizeof(struct sockaddr));
+ bzero(&dstaddr, sizeof(struct sockaddr));
+
+ memcpy(&srcaddr, (struct sockaddr *)src_end_point,
+ sizeof(struct sockaddr));
+ memcpy(&dstaddr, (struct sockaddr *)&policy->dst_addr,
+ sizeof(struct sockaddr));
+ pfkey_add_policy_to_SPD(&srcaddr, 32, &dstaddr, policy->dst_prefixlen,
+ policy->upperspec, policyin, policyout,0);
+ return 0;
+}
+#endif
#endif
+static void
+isakmp_flush_sa(iph1, loc, rem)
+ struct ph1handle *iph1;
+ char *loc;
+ char *rem;
+{
+ plog(LLV_INFO, LOCATION, NULL,
+ "Flushing SA for %s -> %s\n", loc, rem);
+
+ if (iph1->status == PHASE1ST_ESTABLISHED)
+ isakmp_info_send_d1(iph1);
+
+ remph1(iph1);
+ delph1(iph1);
+
+ return;
+}
+
+/*
+ * Temporary stuff being done for VPN Client for NLD
+ * IMPORTANT: To be removed as soon as the fix is available
+ * in gui plugin and plugin so
+ */
+
+//static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
+extern LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
+int
+add_default_policy_to_SPD(src_addr)
+ int src_addr;
+{
+ struct ph1handle *p = NULL;
+ struct sockaddr srcaddr;
+ struct sockaddr dstaddr;
+
+ char outpolicystr[POLICY_STR_LEN], inpolicystr[POLICY_STR_LEN];
+ char *policyout = NULL, *policyin = NULL;
+ char *local_ip_addr = NULL, *remote_ip_addr = NULL;
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "call add_default_policy_to_SPD(%08x).\n", src_addr);
+
+ p = LIST_FIRST(&ph1tree);
+
+ local_ip_addr = strdup(saddrwop2str(p->local));
+ remote_ip_addr = strdup(saddrwop2str(p->remote));
+
+ /* end-points and policy for outbound trafic
+ Action is always ENCRYPT
+ */
+#if 0
+ sprintf(outpolicystr, "out ipsec esp/tunnel/%s-%s/unique",
+ local_ip_addr,remote_ip_addr);
+ sprintf(inpolicystr, "in ipsec esp/tunnel/%s-%s/unique",
+ remote_ip_addr, local_ip_addr);
+#else
+ sprintf(outpolicystr, "out ipsec esp/tunnel/%s-%s/require",
+ local_ip_addr,remote_ip_addr);
+ sprintf(inpolicystr, "in ipsec esp/tunnel/%s-%s/require",
+ remote_ip_addr, local_ip_addr);
+
+#endif
+ /* set outbound policy */
+ policyout = ipsec_set_policy(outpolicystr, strlen(outpolicystr));
+ /* set inbound policy */
+ policyin = ipsec_set_policy(inpolicystr, strlen(inpolicystr));
+
+ racoon_free(local_ip_addr);
+ racoon_free(remote_ip_addr);
+
+ /* Add the policy to SPD */
+ bzero(&srcaddr, sizeof(struct sockaddr));
+ bzero(&dstaddr, sizeof(struct sockaddr));
+
+ ((struct sockaddr_in *)(&srcaddr))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(&srcaddr))->sin_addr.s_addr = (src_addr);
+
+ ((struct sockaddr_in *)(&dstaddr))->sin_family = AF_INET;
+ ((struct sockaddr_in *)(&dstaddr))->sin_addr.s_addr = INADDR_ANY;
+
+ pfkey_add_policy_to_SPD(&srcaddr, 32, &dstaddr, 0/*policy->dst_prefixlen*/,
+ 0 , policyin, policyout,0);
+ EVT_PUSH(0, 0, EVTT_ISAKMP_CFG_DONE, NULL);
+ return 0;
+}
Index: ipsec-tools-0.7.3/src/racoon/algorithm.h
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/algorithm.h
+++ ipsec-tools-0.7.3/src/racoon/algorithm.h
@@ -213,4 +213,6 @@ extern const char *alg_oakley_hashdef_na
extern const char *alg_oakley_dhdef_name __P((int));
extern const char *alg_oakley_authdef_name __P((int));
+extern int algdoi2type(int, int);
+
#endif /* _ALGORITHM_H */
Index: ipsec-tools-0.7.3/src/racoon/algorithm.c
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/algorithm.c
+++ ipsec-tools-0.7.3/src/racoon/algorithm.c
@@ -955,3 +955,20 @@ algclass2doi(class)
/*NOTREACHED*/
return -1;
}
+
+int
+algdoi2type(class, doi)
+ int class, doi;
+{
+ int res = -1;
+
+ switch (class) {
+ case algclass_ipsec_enc:
+ res = ((struct enc_algorithm*)alg_ipsec_encdef(doi))->type;
+ break;
+ case algclass_ipsec_auth:
+ res = ((struct hmac_algorithm*)alg_ipsec_hmacdef(doi))->type;
+ break;
+ }
+ return res;
+}
Index: ipsec-tools-0.7.3/src/racoon/cfparse_proto.h
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/cfparse_proto.h
+++ ipsec-tools-0.7.3/src/racoon/cfparse_proto.h
@@ -39,4 +39,6 @@ extern int yyparse __P((void));
extern int cfparse __P((void));
extern int cfreparse __P((void));
+extern int cfreparse_withfname __P((char *fname));
+
#endif /* _CFPARSE_PROTO_H */
Index: ipsec-tools-0.7.3/src/racoon/cfparse.y
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/cfparse.y
+++ ipsec-tools-0.7.3/src/racoon/cfparse.y
@@ -1220,7 +1220,7 @@ sainfo_id
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
{
char portbuf[10];
- struct sockaddr *saddr;
+ struct sockaddr *saddr = NULL;
if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
&& ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
@@ -1630,13 +1630,14 @@ remote_specs_block
/* DH group */
for (p = cur_rmconf->proposal; p; p = p->next) {
if (b == 0 || (b && b == p->dh_group)) {
+ yywarn("b=%d, dh_group=%d\n", b, p->dh_group);
b = p->dh_group;
continue;
}
yyerror("DH group must be equal "
"in all proposals "
"when aggressive mode is "
- "used.\n");
+ "used.%d != %d\n", b, p->dh_group);
return -1;
}
cur_rmconf->dh_group = b;
@@ -2276,7 +2277,7 @@ set_isakmp_proposal(rmconf, prspec)
struct secprotospec *s;
int prop_no = 1;
int trns_no = 1;
- int32_t types[MAXALGCLASS];
+ u_int32_t types[MAXALGCLASS];
p = prspec;
if (p->next != 0) {
@@ -2334,7 +2335,7 @@ set_isakmp_proposal(rmconf, prspec)
/* expanding spspec */
clean_tmpalgtype();
- trns_no = expand_isakmpspec(prop_no, trns_no, types,
+ trns_no = expand_isakmpspec(prop_no, trns_no, (int *)types,
algclass_isakmp_enc, algclass_isakmp_ameth + 1,
s->lifetime ? s->lifetime : p->lifetime,
s->lifebyte ? s->lifebyte : p->lifebyte,
@@ -2556,6 +2557,64 @@ cfreparse()
return(cfparse());
}
+#ifdef ENABLE_AP_CLIENTMODE
+int
+cfparse_withfname(conf_fname)
+ char *conf_fname;
+{
+ int error;
+
+ yycf_init_buffer();
+
+ if (yycf_switch_buffer(conf_fname) != 0)
+ return -1;
+
+ error = yyparse();
+ if (error != 0) {
+ if (yyerrorcount) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "fatal parse failure (%d errors)\n",
+ yyerrorcount);
+ } else {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "fatal parse failure.\n");
+ }
+ return -1;
+ }
+
+ if (error == 0 && yyerrorcount) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "parse error is nothing, but yyerrorcount is %d.\n",
+ yyerrorcount);
+ exit(1);
+ }
+
+ yycf_clean_buffer();
+
+ plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
+
+ return 0;
+}
+
+int
+cfreparse_withfname(conf_fname)
+ char *conf_fname;
+{
+ flushph2();
+ flushph1();
+ flushrmconf();
+ flushsainfo();
+ clean_tmpalgtype();
+ yycf_init_buffer();
+
+ if (yycf_switch_buffer(conf_fname) != 0)
+ return -1;
+
+ return(cfparse_withfname(conf_fname));
+}
+
+#endif
+
#ifdef ENABLE_ADMINPORT
static void
adminsock_conf(path, owner, group, mode_dec)
Index: ipsec-tools-0.7.3/src/racoon/handler.c
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/handler.c
+++ ipsec-tools-0.7.3/src/racoon/handler.c
@@ -81,7 +81,12 @@
#include "gssapi.h"
#endif
+#if 0
static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
+#else
+LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
+#endif
+
static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
static LIST_HEAD(_ctdtree_, contacted) ctdtree;
static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
