File novell-ipsec-tools_plugins-support-nortel.patch of Package novell-ipsec-tools
Index: ipsec-tools-0.7.3/src/racoon/oakley.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/oakley.c +++ ipsec-tools-0.7.3/src/racoon/oakley.c @@ -96,6 +96,13 @@ #include "gssapi.h" #endif +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif // PLUGINS_SUPPORT + #define OUTBOUND_SA 0 #define INBOUND_SA 1 @@ -131,6 +138,10 @@ static cert_t *save_certbuf __P((struct static cert_t *save_certx509 __P((X509 *)); static int oakley_padlen __P((int, int)); +#ifdef PLUGINS_SUPPORT +static int plugin_generate_psk __P((u_int8_t, u_int8_t, int, vchar_t **)); +#endif // PLUGINS_SUPPORT + int oakley_get_defaultlifetime() { @@ -2465,6 +2476,9 @@ oakley_skeyid(iph1) char *p; int len; int error = -1; +#ifdef PLUGINS_SUPPORT + int status = PLUGIN_FRAME_STATUS_SUCCESS; +#endif // PLUGINS_SUPPORT /* SKEYID */ switch (AUTHMETHOD(iph1)) { @@ -2474,7 +2488,22 @@ oakley_skeyid(iph1) case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: #endif if (iph1->etype != ISAKMP_ETYPE_IDENT) { - iph1->authstr = getpskbyname(iph1->id_p); + +#ifdef PLUGINS_SUPPORT + status = plugin_generate_psk(iph1->etype, + (iph1->side == INITIATOR)? TPIKE_MIDX_INITIATOR: TPIKE_MIDX_RESPONDER, + iph1->approval->authmethod, + &(iph1->authstr)); + if (status == TPIKE_ERR_HASH_MATCH_NOT_FOUND + || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) + { +#endif // PLUGINS_SUPPORT + iph1->authstr = getpskbyname(iph1->id_p); + +#ifdef PLUGINS_SUPPORT + } +#endif // PLUGINS_SUPPORT + if (iph1->authstr == NULL) { if (iph1->rmconf->verify_identifier) { plog(LLV_ERROR, LOCATION, iph1->remote, 
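Review bot: In the new PSK branch of oakley_skeyid only TPIKE_ERR_HASH_MATCH_NOT_FOUND and TPIKE_ERR_HASH_TABLE_OVERFLOW fall back to `getpskbyname()`; every other non-success status from `plugin_generate_psk()` — including the `-2` it returns for an unexpected exchange type — skips both the plugin key and the configured key, and the code carries on with whatever `iph1->authstr` held before. Accept only a success as "the plugin supplied the key", e.g. `if (status != TPIKE_STATUS_SUCCESS) { iph1->authstr = getpskbyname(iph1->id_p); }`, or log and fail on statuses that are neither success nor not-found. The same accept-on-any-other-status pattern recurs in ipsec_doi.c hunks -2229 (check_attr_isakmp) and -2453 (check_attr_ipsec), where an unexpected plugin status makes an unknown attribute type pass the check instead of returning -1, and in -3769 (ipsecdoi_setid1), where it leaves `ident` NULL. oakley_skeyid continues outside the hunk.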
@@ -3313,3 +3342,54 @@ oakley_padlen(len, base) return padlen; } +#ifdef PLUGINS_SUPPORT +int +plugin_generate_psk(etype, side, authmethod, psk) + u_int8_t etype; + u_int8_t side; + int authmethod; + vchar_t **psk; +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + void *inarr = NULL, *outarr = NULL, *outp = NULL; + u_int32_t myposition = 0, status = TPIKE_STATUS_SUCCESS; + u_int8_t sendorrecv = 0, msgindx = 0; + char *keyval = NULL; + + switch(etype) + { + case ISAKMP_ETYPE_IDENT: + sendorrecv = TPIKE_MIDX_SEND; + + msgindx = (side == TPIKE_MIDX_INITIATOR) ? 3 : 2; + break; + case ISAKMP_ETYPE_AGG: + sendorrecv = (side == TPIKE_MIDX_INITIATOR) ? TPIKE_MIDX_RECEIVE :TPIKE_MIDX_SEND ; + msgindx = (side == TPIKE_MIDX_INITIATOR) ? 1 : 2; + break; + case ISAKMP_ETYPE_BASE: + myposition = (side == INITIATOR) ? ((authmethod == OAKLEY_ATTR_AUTH_METHOD_RSASIG || authmethod == OAKLEY_ATTR_AUTH_METHOD_DSSSIG) ? INITIATOR_RCVD_THREE : INITIATOR_SEND_TWO) : RESPONDER_RCVD_TWO; + break; + default: + //invalid state - log it + return -2; //framework needs to define an error code for invalid state + } + + hp = &hpoint; + mk_hookpoint(PAYLOAD_TYPE, ISAKMP_NPTYPE_NONE, ISAKMP_NPTYPE_NONE, MAKE_POS(etype, side, sendorrecv, msgindx, 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTVCHAR, &outp)) == TPIKE_STATUS_SUCCESS) { + + *psk = vmalloc(((vchar_t *)outp)->l); + memcpy((*psk)->v, ((vchar_t *)outp)->v, ((vchar_t *)outp)->l); + } + } + + return status; +} +#endif // PLUGINS_SUPPORT Index: ipsec-tools-0.7.3/src/racoon/ipsec_doi.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/ipsec_doi.c +++ ipsec-tools-0.7.3/src/racoon/ipsec_doi.c 
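Review bot: In plugin_generate_psk the `vmalloc()` result is stored in `*psk` and immediately dereferenced by the following `memcpy()` with no NULL check, so an allocation failure is a NULL dereference while the function still reports TPIKE_STATUS_SUCCESS; add `if (*psk == NULL) return -1;` (or a framework error status) between the two lines. In the ISAKMP_ETYPE_BASE case `myposition` is computed but never used — `MAKE_POS()` is built from `sendorrecv` and `msgindx`, which stay 0 for BASE — and that case compares `side` against `INITIATOR` while the other cases compare against `TPIKE_MIDX_INITIATOR`, which is what the caller passes; if those two constants differ the BASE branch selects the wrong position. `hinfo` is declared and never used. The plugin's copy of the key in `outp` is not released or cleared here; if the framework transfers ownership to the caller, free and zeroize it before returning.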
@@ -97,6 +97,13 @@ static int switch_authmethod(int); #endif #endif +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + int verbose_proposal_check = 1; static vchar_t *get_ph1approval __P((struct ph1handle *, struct prop_pair **)); @@ -160,6 +167,13 @@ static vchar_t *setph2proposal0 __P((con static vchar_t *getidval __P((int, vchar_t *)); +#ifdef PLUGINS_SUPPORT +static int plugin_generate_idval __P((u_int8_t, u_int8_t, vchar_t **)); +static int plugin_check_attr_ipsec __P((struct isakmp_data *, int)); +static int plugin_check_attr_isakmp __P((struct isakmp_data *data, int type)); +#endif + + #ifdef HAVE_GSSAPI static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *, struct isakmpsa *)); @@ -1214,6 +1228,12 @@ found: if (!x) goto err; /* XXX */ +#ifdef PLUGINS_SUPPORT + if (iph2->ph1->natt_flags & NAT_DETECTED) { + sp->udp_encap = 1; + } +#endif + n = racoon_calloc(1, sizeof(struct prop_pair)); if (n == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -2059,6 +2079,10 @@ check_attr_isakmp(trns) int tlen; int flag, type; u_int16_t lorv; +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; +#endif + tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t); d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t)); @@ -2229,9 +2253,16 @@ check_attr_isakmp(trns) break; default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid attribute type %d.\n", type); - return -1; +#ifdef PLUGINS_SUPPORT + status = plugin_check_attr_isakmp(d, type); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif + plog(LLV_ERROR, LOCATION, NULL, + "invalid attribute type %d.\n", type); + return -1; +#ifdef PLUGINS_SUPPORT + } +#endif } if (flag) { 
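Review bot: The new block at -1214 dereferences `iph2->ph1` unconditionally, whereas the patch's own code in nattraversal.c guards the same access with `if (ph2->ph1 && ph2->ph1->natt_options)`; if a phase-2 handle can reach this point without a bound phase-1 handle, write it as `if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))`. Forcing `sp->udp_encap = 1` on NAT detection also overrides whatever the proposal's encapsulation mode said; a one-line comment stating why detection alone is authoritative here would help the next reader. The enclosing function starts and ends outside the hunk.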
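Review bot: In the check_attr_isakmp default case at -2229 the peer-supplied attribute `d` is handed to `plugin_check_attr_isakmp()` without the remaining length `tlen`, so a plugin that reads a TLV attribute's value has no bound to check `lorv` against; pass `tlen` (or fail when `sizeof(*d) + ntohs(d->lorv) > tlen` before the call) so that an unknown attribute cannot make the plugin read past the transform payload. Until the plugin contract is documented, a comment such as `/* d is untrusted peer data; plugin must not read beyond tlen */` at the call would at least record the assumption. The same applies to the check_attr_ipsec default case at -2453. check_attr_isakmp continues outside the hunk.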
@@ -2275,6 +2306,9 @@ check_attr_ipsec(proto_id, trns) int flag, type = 0; u_int16_t lorv; int attrseen[16]; /* XXX magic number */ +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; +#endif tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t); d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t)); @@ -2453,9 +2487,16 @@ ahmismatch: return -1; default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid attribute type %d.\n", type); - return -1; +#ifdef PLUGINS_SUPPORT + status = plugin_check_attr_ipsec(d, type); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif + plog(LLV_ERROR, LOCATION, NULL, + "invalid attribute type %d.\n", type); + return -1; +#ifdef PLUGINS_SUPPORT + } +#endif } if (flag) { @@ -2737,7 +2778,11 @@ setph1trns(sa, buf) } attrlen = setph1attr(sa, p); +#ifdef PLUGINS_SUPPORT + trnslen += attrlen + ((sa->pluginikeattribs) ? sa->pluginikeattribs->l : 0); +#else trnslen += attrlen; +#endif if (buf) p += attrlen; @@ -2754,6 +2799,10 @@ setph1attr(sa, buf) { caddr_t p = buf; int attrlen = 0; +#ifdef PLUGINS_SUPPORT + struct isakmp_data *attrib = NULL; + int lenread = 0, dlen = 0; +#endif if (sa->lifetime) { u_int32_t lifetime = htonl((u_int32_t)sa->lifetime); @@ -2854,6 +2903,26 @@ setph1attr(sa, buf) break; } +#ifdef PLUGINS_SUPPORT + //check if the plugin has any attribs to send + if(buf && sa->pluginikeattribs) + { + lenread = 0; + for( ; lenread < sa->pluginikeattribs->l; lenread += (sizeof(struct isakmp_data) + dlen)) + { + attrib = (struct isakmp_data *)(sa->pluginikeattribs->v + lenread); + if(attrib->type & ISAKMP_GEN_TV) { + p = isakmp_set_attr_l(p, (attrib->type & ~ISAKMP_GEN_MASK), attrib->lorv); + dlen = 0; + } + else { + p = isakmp_set_attr_v(p, attrib->type, (caddr_t)(attrib + 1), attrib->lorv ); + dlen = attrib->lorv; + } + } + } +#endif + #ifdef HAVE_GSSAPI if (sa->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && sa->gssid != NULL) { 
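Review bot: The attribute loop added to setph1attr at -2854 trusts `attrib->lorv` from the plugin blob: `lenread` is compared against `sa->pluginikeattribs->l` only at the top, so a final attribute whose header or declared value length exceeds the remaining bytes is read past the end of `pluginikeattribs->v`. Guard each iteration with `if (lenread + sizeof(*attrib) > sa->pluginikeattribs->l || (!(attrib->type & ISAKMP_GEN_TV) && lenread + sizeof(*attrib) + attrib->lorv > sa->pluginikeattribs->l)) break;` before touching `attrib`. `lenread` is an `int` compared with the `size_t` length; make it `size_t` to avoid the signed/unsigned comparison. The same trust in the blob length shows up at -2737, where `trnslen` adds the raw blob size. setph1attr continues outside the hunk.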
@@ -3439,39 +3508,39 @@ ipsecdoi_chkcmpids( idt, ids, exact ) { /* * special exception for comparing - * address to subnet id types when - * the netmask is address length - */ + * address to subnet id types when + * the netmask is address length + */ if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&& - (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) { + (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) { result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s); goto cmpid_result; } if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&& - (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) { + (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) { result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t); goto cmpid_result; } #ifdef INET6 if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&& - (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { + (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s); goto cmpid_result; } if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&& - (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) { + (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) { result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t); goto cmpid_result; } #endif plog(LLV_DEBUG, LOCATION, NULL, - "check and compare ids : id type mismatch %s != %s\n", - s_ipsecdoi_ident(id_bs->type), - s_ipsecdoi_ident(id_bt->type)); + "check and compare ids : id type mismatch %s != %s\n", + s_ipsecdoi_ident(id_bs->type), + s_ipsecdoi_ident(id_bt->type)); return 1; } @@ -3487,8 +3556,8 @@ ipsecdoi_chkcmpids( idt, ids, exact ) /* compare the ID data. */ switch (id_bt->type) { - case IPSECDOI_ID_DER_ASN1_DN: - case IPSECDOI_ID_DER_ASN1_GN: + case IPSECDOI_ID_DER_ASN1_DN: + case IPSECDOI_ID_DER_ASN1_GN: /* compare asn1 ids */ result = eay_cmp_asn1dn(&ident_t, &ident_s); goto cmpid_result; 
@@ -3496,7 +3565,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) case IPSECDOI_ID_IPV4_ADDR: /* validate lengths */ if ((ident_t.l != sizeof(struct in_addr))|| - (ident_s.l != sizeof(struct in_addr))) + (ident_s.l != sizeof(struct in_addr))) goto cmpid_invalid; break; @@ -3504,7 +3573,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) case IPSECDOI_ID_IPV4_ADDR_RANGE: /* validate lengths */ if ((ident_t.l != (sizeof(struct in_addr)*2))|| - (ident_s.l != (sizeof(struct in_addr)*2))) + (ident_s.l != (sizeof(struct in_addr)*2))) goto cmpid_invalid; break; @@ -3512,7 +3581,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) case IPSECDOI_ID_IPV6_ADDR: /* validate lengths */ if ((ident_t.l != sizeof(struct in6_addr))|| - (ident_s.l != sizeof(struct in6_addr))) + (ident_s.l != sizeof(struct in6_addr))) goto cmpid_invalid; break; @@ -3520,7 +3589,7 @@ ipsecdoi_chkcmpids( idt, ids, exact ) case IPSECDOI_ID_IPV6_ADDR_RANGE: /* validate lengths */ if ((ident_t.l != (sizeof(struct in6_addr)*2))|| - (ident_s.l != (sizeof(struct in6_addr)*2))) + (ident_s.l != (sizeof(struct in6_addr)*2))) goto cmpid_invalid; break; #endif @@ -3531,8 +3600,8 @@ ipsecdoi_chkcmpids( idt, ids, exact ) default: plog(LLV_ERROR, LOCATION, NULL, - "Unhandled id type %i specified for comparison\n", - id_bt->type); + "Unhandled id type %i specified for comparison\n", + id_bt->type); return -1; } @@ -3752,6 +3821,9 @@ ipsecdoi_setid1(iph1) struct ipsecdoi_id_b id_b; vchar_t *ident = NULL; struct sockaddr *ipid = NULL; +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; +#endif /* init */ id_b.proto_id = 0; 
@@ -3769,7 +3841,15 @@ ipsecdoi_setid1(iph1) break; case IDTYPE_KEYID: id_b.type = IPSECDOI_ID_KEY_ID; +#ifdef PLUGINS_SUPPORT + status = plugin_generate_idval(iph1->etype, iph1->side, &ident); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) + { +#endif ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv); +#ifdef PLUGINS_SUPPORT + } +#endif break; case IDTYPE_ASN1DN: id_b.type = IPSECDOI_ID_DER_ASN1_DN; @@ -4238,6 +4318,48 @@ ipsecdoi_sockrange2id(laddr, haddr, ul_p return new; } +extern vchar_t * +get_ipsecdoi_id(addr, proto) + admin_com_addrinfo *addr; + u_int proto; +{ + vchar_t *id; + + switch (addr->addrtype) { + case IPSECDOI_ID_IPV4_ADDR: + case IPSECDOI_ID_IPV6_ADDR: + return (ipsecdoi_sockaddr2id((struct sockaddr *)&(addr->addrt.addr), + sizeof(struct in_addr) << 3, + proto)); + break; + case IPSECDOI_ID_IPV4_ADDR_SUBNET: + case IPSECDOI_ID_IPV6_ADDR_SUBNET: + return (ipsecdoi_sockaddr2id((struct sockaddr *)&(addr->addrt.addr), + sizeof(struct in_addr), + proto)); + break; + case IPSECDOI_ID_IPV4_ADDR_RANGE: + case IPSECDOI_ID_IPV6_ADDR_RANGE: + return (ipsecdoi_sockrange2id((struct sockaddr *)&(addr->addrt.range.laddr), + (struct sockaddr *)&(addr->addrt.range.haddr), + proto)); + + break; + default: + break; + } + return NULL; +} + +void +ipsecdoi_idtype2doi(id) + vchar_t *id; +{ + int newtype = ((struct ipsecdoi_id_b *)id->v)->type; + if ((newtype = idtype2doi(newtype)) != 255) + ((struct ipsecdoi_id_b *)id->v)->type = newtype; + return; +} /* * create sockaddr structure from ID payload (buf). 
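Review bot: In get_ipsecdoi_id the IPSECDOI_ID_IPV6_ADDR case shares the IPv4 arm and passes `sizeof(struct in_addr) << 3` — a 32-bit prefix for an IPv6 address — and the IPV6_ADDR_SUBNET case likewise uses `sizeof(struct in_addr)`; split the IPv6 types into their own arms using `sizeof(struct in6_addr)`. The SUBNET arm also passes a byte count (`sizeof(struct in_addr)`) where the ADDR arm passes a bit count (`<< 3`); if `ipsecdoi_sockaddr2id()`'s second argument is a prefix length in bits, as the ADDR arm assumes, the subnet case builds a /4 identity. `ipsecdoi_idtype2doi` casts `id->v` without checking that `id` is non-NULL and that `id->l >= sizeof(struct ipsecdoi_id_b)`. `extern` on a function definition is unusual; the header hunk at -224 already declares it, so the keyword can go.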
@@ -4931,3 +5053,101 @@ switch_authmethod(authmethod) return authmethod; } #endif +#ifdef PLUGINS_SUPPORT +int +plugin_generate_idval(etype, side, idv) + u_int8_t etype; + u_int8_t side; + vchar_t **idv; +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + vchar_t *outp = NULL; + void *inarr = NULL, *outarr = NULL; + u_int32_t myposition = 0, status = TPIKE_STATUS_SUCCESS; + char *keyval = NULL; + + if(etype == ISAKMP_ETYPE_IDENT) + myposition = (side == INITIATOR) ? INITIATOR_SEND_THREE : RESPONDER_SEND_THREE; + else if(etype == ISAKMP_ETYPE_AGG || etype == ISAKMP_ETYPE_BASE) + myposition = (side == INITIATOR) ? INITIATOR_SEND_ONE : RESPONDER_SEND_ONE; + else + { + //invalid state - log it + return -2; //frameowrk needs to define an error code for invalid state + } + + hp = &hpoint; + + mk_hookpoint(PAYLOAD_TYPE, ISAKMP_NPTYPE_ID, IPSECDOI_ID_KEY_ID, MAKE_POS2(etype, myposition, 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTVCHAR, &outp)) == TPIKE_STATUS_SUCCESS) { + *idv = vmalloc(((vchar_t *)outp)->l); + memcpy((*idv)->v, ((vchar_t *)outp)->v, ((vchar_t *)outp)->l); + } + } + return status; +} + +int plugin_check_attr_ipsec(struct isakmp_data *data, int type) +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + vchar_t *outp = NULL; + void *inarr = NULL, *outarr = NULL; + u_int32_t myposition = 0, status = TPIKE_STATUS_SUCCESS; + void *keyval = NULL; + + hp = &hpoint; + keyval = &type; + + mk_hookpoint (ATTRIBUTE_TYPE, + IPSEC_ATTRIB_TYPE, + 0, + MAKE_POS(ISAKMP_ETYPE_QUICK, TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, 0, 0xff, 0xff), + 1, sizeof(type), keyval, hp); + + if ((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, data) == TPIKE_STATUS_SUCCESS)) { + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + 
tpike_pack_out(outarr, 0); + } + } + + return status; +} + +int plugin_check_attr_isakmp(struct isakmp_data *data, int type) +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + vchar_t *outp = NULL; + void *inarr = NULL, *outarr = NULL; + u_int32_t myposition = 0, status = TPIKE_STATUS_SUCCESS; + void *keyval = NULL; + + hp = &hpoint; + keyval = &type; + + mk_hookpoint (ATTRIBUTE_TYPE, + ISAKMP_ATTRIB_TYPE, + 0, + MAKE_POS(0, 0, TPIKE_MIDX_RECEIVE, 0, 0xff, 0xff), + 1, sizeof(type), keyval, hp); + + if ((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, data) == TPIKE_STATUS_SUCCESS)) { + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + tpike_pack_out(outarr, 0); + } + } + + return status; +} +#endif Index: ipsec-tools-0.7.3/src/racoon/ipsec_doi.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/ipsec_doi.h +++ ipsec-tools-0.7.3/src/racoon/ipsec_doi.h @@ -34,6 +34,8 @@ #ifndef _IPSEC_DOI_H #define _IPSEC_DOI_H +#include "admin.h" + /* refered to RFC2407 */ #define IPSEC_DOI 1 @@ -224,6 +226,8 @@ extern int ipsecdoi_id2sockaddr __P((vch extern char *ipsecdoi_id2str __P((const vchar_t *)); extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *, struct sockaddr *, u_int)); +extern vchar_t *get_ipsecdoi_id __P((admin_com_addrinfo *, u_int)); +extern void ipsecdoi_idtype2doi __P((vchar_t *id)); extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *)); extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); Index: ipsec-tools-0.7.3/src/racoon/isakmp_agg.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_agg.c +++ ipsec-tools-0.7.3/src/racoon/isakmp_agg.c 
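Review bot: In both plugin_check_attr_ipsec and plugin_check_attr_isakmp the condition `if ((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, data) == TPIKE_STATUS_SUCCESS))` parses as `status = (pack_in(...) == TPIKE_STATUS_SUCCESS)`, so `status` is 1 or 0 rather than the framework status; on a packing failure the function returns 0, and if TPIKE_STATUS_SUCCESS is 0 the callers in check_attr_isakmp/check_attr_ipsec read that as "plugin accepted the attribute" and let an unknown attribute type through. Move the parenthesis: `if ((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, data)) == TPIKE_STATUS_SUCCESS) {`, in both functions. plugin_generate_idval has the same unchecked `vmalloc()` before `memcpy()` as plugin_generate_psk in oakley.c and the same bare `-2` for an unexpected exchange type; `hinfo`, `myposition` and `outp` are unused in the two check functions.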
@@ -95,6 +95,13 @@ #include "gssapi.h" #endif +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + /* * begin Aggressive Mode as initiator. */ @@ -134,7 +141,14 @@ agg_i1send(iph1, msg) #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif - +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + struct isakmp_data *ikeattr = NULL; + int ikeattrlen = 0, *val = NULL ; + struct isakmpsa *prop = NULL; + struct hookpoint hpoint, *hp = NULL; + char *keyval = NULL; +#endif /* validity check */ if (msg != NULL) { @@ -156,6 +170,30 @@ agg_i1send(iph1, msg) if (ipsecdoi_setid1(iph1) < 0) goto end; +#ifdef PLUGINS_SUPPORT + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(ATTRIBUTE_TYPE, IKE_ATTRIB_TYPE, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_AGG, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_SEND, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 2, TPIKE_DTYPE_STRUCTISAKMPDATA, &ikeattr, TPIKE_DTYPE_INT32PT, &val) == TPIKE_STATUS_SUCCESS) { + ikeattrlen = *val; + //set ike attribs in all sa structures + prop = iph1->rmconf->proposal; + while(prop) { + + prop->pluginikeattribs = vmalloc(ikeattrlen); + memcpy(prop->pluginikeattribs->v, ikeattr, ikeattrlen); + + prop = prop->next; + } + } + } +#endif + /* create SA payload for my proposal */ iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); if (iph1->sa == NULL) @@ -265,6 +303,9 @@ agg_i1send(iph1, msg) */ if (iph1->rmconf->nat_traversal) plist = isakmp_plist_append_natt_vids(plist, vid_natt); + else + vid_natt[0] = NULL; + #endif #ifdef ENABLE_HYBRID if (vid_xauth) 
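Review bot: In the agg_i1send block at -156, `ikeattrlen = *val` and the following `vmalloc(ikeattrlen)` / `memcpy()` use `val`, `ikeattr` and the length straight from the plugin with no checks: `val` is dereferenced without a NULL test, a non-positive or oversized length goes to `vmalloc()` unverified, and the `vmalloc()` result is written to through `->v` without a NULL check. Guard with `if (val != NULL && ikeattr != NULL && *val > 0)` before the loop and `if (prop->pluginikeattribs == NULL) break;` after the allocation. Each proposal's `pluginikeattribs` is also assigned without releasing a previous value, and nothing visible in this patch frees the field when the remoteconf is torn down (the remoteconf.h hunk only adds it), so repeated phase-1 attempts on one rmconf leak it; `vfree()` the old buffer before the new `vmalloc()`. agg_i1send continues outside the hunk.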
@@ -282,6 +323,10 @@ agg_i1send(iph1, msg) } #endif +#ifdef PLUGINS_SUPPORT + plist = isakmp_plist_insert_vendorid_payload(plist, iph1, INITIATOR_SEND_ONE); +#endif + iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); #ifdef HAVE_PRINT_ISAKMP_C @@ -364,6 +409,11 @@ agg_i2recv(iph1, msg) TAILQ_INIT(&natd_tree); #endif +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; + void *resp = NULL; +#endif + /* validity check */ if (iph1->status != PHASE1ST_MSG1SENT) { plog(LLV_ERROR, LOCATION, NULL, @@ -425,6 +475,19 @@ agg_i2recv(iph1, msg) goto end; break; case ISAKMP_NPTYPE_VID: +#ifdef PLUGINS_SUPPORT + //status = verify_payload(ISAKMP_NPTYPE_VID, ISAKMP_ETYPE_AGG, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_RECEIVE, 1, (void *)pa->ptr,(void **) &resp); + status = verify_payload(ISAKMP_NPTYPE_VID, ISAKMP_ETYPE_AGG, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_RECEIVE, 1, (void *)pa->ptr,&resp); + if(status == TPIKE_STATUS_SUCCESS) { + if(((struct isakmp_data *)resp)->type == PRIVATE_NATTVID_PAYLOAD_TYPE) { + //need to fill natt options + natt_handle_private_vendorid(iph1, (struct isakmp_data *)resp); + } + break; + } + else if(status != TPIKE_ERR_HASH_MATCH_NOT_FOUND && status != TPIKE_ERR_HASH_TABLE_OVERFLOW) + goto end; +#endif vid_numeric = check_vendorid(pa->ptr); #ifdef ENABLE_NATT if (iph1->rmconf->nat_traversal && @@ -561,7 +624,12 @@ agg_i2recv(iph1, msg) iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : ""); if (iph1->natt_flags & NAT_DETECTED) +#if 1 + // Nortel changes hard coded here. to be in plugin later. Change header also + nortel_natt_float_ports(iph1); +#else natt_float_ports (iph1); +#endif } #endif @@ -734,6 +802,7 @@ agg_i2send(iph1, msg) #ifdef ENABLE_NATT /* generate NAT-D payloads */ +#if 0 if (NATT_AVAILABLE(iph1)) { vchar_t *natd[2] = { NULL, NULL }; @@ -760,6 +829,7 @@ agg_i2send(iph1, msg) natd[1], iph1->natt_options->payload_nat_d); } #endif +#endif iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); 
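Review bot: In the agg_i2recv VID case at -425, `resp` is cast and dereferenced (`((struct isakmp_data *)resp)->type`) as soon as `verify_payload()` returns TPIKE_STATUS_SUCCESS, with no check that it set `resp`; add `if (resp == NULL) goto end;` (or treat it as not-found) before the type test. The responder-side copy at -860 in agg_r1recv has the same gap and passes `ONE` where -425 passes `1` for the same argument; use one spelling in both. The commented-out previous call on the line above the live `verify_payload()` call should be deleted rather than kept.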
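Review bot: The `#if 0` opened at -734 and closed at -760 removes NAT-D payload generation from agg_i2send for every peer, unconditionally — it is not under PLUGINS_SUPPORT or any runtime check — so standard NAT-T peers lose NAT detection in aggressive mode whenever this source is built, and the `#if 1` at -561 likewise hard-wires `nortel_natt_float_ports()` for all peers. If the plugin path replaces NAT-D only for Nortel peers, gate both on the plugin having handled the private vendor ID (for example a flag set by `natt_handle_private_vendorid()`) and keep the stock code as the default. At minimum the two `#if` blocks need a comment saying which peers are affected and why, since the "to be in plugin later" note at -561 does not say what is lost meanwhile.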
@@ -812,6 +882,10 @@ agg_r1recv(iph1, msg) #ifdef HAVE_GSSAPI vchar_t *gsstoken = NULL; #endif +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; + void *resp = NULL; +#endif /* validity check */ if (iph1->status != PHASE1ST_START) { @@ -860,6 +934,18 @@ agg_r1recv(iph1, msg) goto end; break; case ISAKMP_NPTYPE_VID: +#ifdef PLUGINS_SUPPORT + status = verify_payload(ISAKMP_NPTYPE_VID, ISAKMP_ETYPE_AGG, TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, ONE, (void *)pa->ptr, &resp); + if(status == TPIKE_STATUS_SUCCESS) { + if(((struct isakmp_data *)resp)->type == PRIVATE_NATTVID_PAYLOAD_TYPE) { + //need to fill natt options + natt_handle_private_vendorid(iph1, (struct isakmp_data *)resp); + } + break; + } + else if(status != TPIKE_ERR_HASH_MATCH_NOT_FOUND && status != TPIKE_ERR_HASH_TABLE_OVERFLOW) + goto end; +#endif vid_numeric = check_vendorid(pa->ptr); #ifdef ENABLE_NATT @@ -1311,6 +1397,9 @@ agg_r1send(iph1, msg) plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID); #endif +#ifdef PLUGINS_SUPPORT + plist = isakmp_plist_insert_vendorid_payload(plist, iph1, RESPONDER_SEND_ONE); +#endif iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); #ifdef HAVE_PRINT_ISAKMP_C Index: ipsec-tools-0.7.3/src/racoon/nattraversal.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/nattraversal.h +++ ipsec-tools-0.7.3/src/racoon/nattraversal.h 
@@ -79,9 +79,19 @@ vchar_t *natt_hash_addr (struct ph1handl int natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, int natd_seq); int natt_udp_encap (int encmode); int natt_fill_options (struct ph1natt_options *opts, int version); + +#if 1 +// Nortel changes hard coded here. to be in plugin later. +void nortel_natt_float_ports (struct ph1handle *iph1); +#endif + void natt_float_ports (struct ph1handle *iph1); void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric); +#ifdef PLUGINS_SUPPORT +void natt_handle_private_vendorid(struct ph1handle *ph1, void *resp); +int plugin_update_natt_options(struct ph2handle *ph2, int sendorrecv); +#endif struct payload_list * isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]); Index: ipsec-tools-0.7.3/src/racoon/nattraversal.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/nattraversal.c +++ ipsec-tools-0.7.3/src/racoon/nattraversal.c @@ -68,6 +68,13 @@ #include "nattraversal.h" #include "grabmyaddr.h" +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + struct natt_ka_addrs { struct sockaddr *src; struct sockaddr *dst; 
@@ -284,6 +291,48 @@ natt_fill_options (struct ph1natt_option return 0; } +struct ph2natt globalNatt; + +#ifdef PLUGINS_SUPPORT +int plugin_update_natt_options(struct ph2handle *ph2, int sendorrecv) +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + struct ph2natt *natt; + void *outarr = NULL, *inarr = NULL; + int index = 0, incount = 0; + u_int8_t side; + u_int32_t position = 0, status = TPIKE_STATUS_SUCCESS; + char *keyval = NULL; + + hp = &hpoint; + + side = (ph2->side == INITIATOR) ? TPIKE_MIDX_INITIATOR : TPIKE_MIDX_RESPONDER ; + mk_hookpoint(NATT_OPTIONS_TYPE, 0, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_QUICK, side, sendorrecv, 0, 0xff, 0xff), 0, 0, keyval, hp); + + if((status = tpike_pack_in(&inarr, 0)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTNATTOPTIONS, &natt) + ) == TPIKE_STATUS_SUCCESS) { + if (ph2->ph1 && ph2->ph1->natt_options) + { + ph2->ph1->natt_options->encaps_type = natt->type; + //set_port(ph2->ph1->local, natt->sport); + //set_port(ph2->ph1->remote, natt->dport); + globalNatt.sport=natt->sport; + globalNatt.dport=natt->dport; + + } + } + } + + } + return status; +} +#endif + void natt_float_ports (struct ph1handle *iph1) { @@ -303,6 +352,19 @@ natt_float_ports (struct ph1handle *iph1 } void +nortel_natt_float_ports (struct ph1handle *iph1) +{ + if (! (iph1->natt_flags && NAT_DETECTED) ) + return; + if (! iph1->natt_options->float_port){ + /* Drafts 00 / 01, just schedule keepalive */ + natt_keepalive_add_ph1 (iph1); + return; + } + natt_keepalive_add (iph1->local, iph1->remote); +} + +void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric) { if (! iph1->natt_options) 
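Review bot: `struct ph2natt globalNatt` at -284 is process-wide mutable state: plugin_update_natt_options writes the ports learned for one phase-2 negotiation into it, and pk_sendupdate/pk_sendadd (pfkey.c hunks -1107 and -1396) apply them to every SA installed afterwards for as long as they are non-zero, so ports from one peer can end up on another peer's SA and are never reset. Keep the values on the handle instead — `ph2->ph1->natt_options`, where the commented-out `set_port()` lines already point — and read them from `iph2->ph1` in pfkey.c. `natt` returned by `tpike_pack_out()` is dereferenced without a NULL check, and the `extern struct ph2natt globalNatt;` at pfkey.c -1020 belongs in nattraversal.h if the global is kept.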
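Review bot: In nortel_natt_float_ports at -303 the guard `if (! (iph1->natt_flags && NAT_DETECTED) )` uses logical `&&`, so it is true whenever any NAT-T flag is set and the function proceeds to float ports and schedule keepalives without NAT having been detected; it should be the bit test `if (!(iph1->natt_flags & NAT_DETECTED))`. `iph1->natt_options` is then dereferenced; if this can be reached before `natt_handle_vendorid()`/`natt_handle_private_vendorid()` allocated it, add `|| iph1->natt_options == NULL` to the early return.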
@@ -328,6 +390,31 @@ natt_keepalive_delete (struct natt_ka_ad racoon_free (ka); } +#ifdef PLUGINS_SUPPORT +void +natt_handle_private_vendorid (struct ph1handle *iph1, void *d) +{ + struct isakmp_data *data = (struct isakmp_data *)d; + + if (! iph1->natt_options) + iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options)); + + if (! iph1->natt_options) { + plog (LLV_ERROR, LOCATION, NULL, + "Allocating memory for natt_options failed!\n"); + return; + } + + if(!data) + return; + if(data->lorv) { + memcpy(iph1->natt_options, data + 1, data->lorv); + iph1->natt_flags |= NAT_ANNOUNCED; + iph1->natt_flags |= NAT_DETECTED; + } +} +#endif + /* NAT keepalive functions */ static void natt_keepalive_send (void *param) Index: ipsec-tools-0.7.3/src/racoon/pfkey.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c +++ ipsec-tools-0.7.3/src/racoon/pfkey.c @@ -100,6 +100,15 @@ #include "crypto_openssl.h" #include "grabmyaddr.h" +#ifdef PLUGINS_SUPPORT +//EVT - remove this after private events +#include "evt.h" +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC #endif @@ -185,6 +194,9 @@ static int addnewsp __P((caddr_t *)); #endif #endif +int assignedinPolicySPID; +int assignedoutPolicySPID; + /* * PF_KEY packet handler * 0: success @@ -197,6 +209,11 @@ pfkey_handler() int len; caddr_t mhp[SADB_EXT_MAX + 1]; int error = -1; +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + struct hookpoint hpoint, *hp = NULL; + char *keyval = NULL; +#endif /* receive pfkey message. */ len = 0; 
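Review bot: In natt_handle_private_vendorid the `memcpy(iph1->natt_options, data + 1, data->lorv)` copies `data->lorv` bytes into a fixed-size `struct ph1natt_options` with no check against `sizeof(*iph1->natt_options)`; since `resp` originates from a vendor-ID payload received from the peer and is shaped by the plugin, a length larger than the struct overruns the heap allocation made just above. Reject or clamp it: `if (data->lorv > sizeof(*iph1->natt_options)) { plog(LLV_ERROR, LOCATION, NULL, "private vendorid options too long\n"); return; }` before the copy. Setting NAT_DETECTED from the peer's announcement alone, without NAT-D evidence, is a policy change from the stock code and deserves a comment saying so.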
@@ -270,6 +287,25 @@ pfkey_handler() goto end; error = 0; +#ifdef PLUGINS_SUPPORT + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(PFKEY_MSG_TYPE, msg->sadb_msg_type, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_ALL, TPIKE_MIDX_ANY, TPIKE_MIDX_ANY, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 0) == TPIKE_STATUS_SUCCESS) { + plog(LLV_INFO, LOCATION, NULL, "PF_KEY message type %d notified to plugin\n", msg->sadb_msg_type); + + ; + } + } + else + plog(LLV_DEBUG2, LOCATION, NULL, "PF_KEY message type %d not registered by plugin\n", msg->sadb_msg_type); +#endif + end: if (msg) racoon_free(msg); 
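Review bot: The comment `//get the ike attribs from the registered plugins` in the pfkey_handler block at -270 is copied from agg_i1send and does not describe what follows (a PF_KEY message notification); replace it with `/* notify registered plugins of the PF_KEY message type */`. The stray `;` after the success plog is a no-op line and `hp` is assigned but `&hpoint` is what is passed to `tpike_dispatch_generic()`, so `hp` can go; `tpike_pack_in()`'s return is also ignored here while nattraversal.c checks it, so the two call sites should agree. pfkey_handler continues outside the hunk.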
@@ -352,6 +388,75 @@ done: return buf; } +#ifdef ENABLE_AP_CLIENTMODE + +/* + * Adding policies to the SPD + * OUT: + * 0 : success + * NEGATIVE : error occured and errno returned. + */ +int +pfkey_add_policy_to_SPD(srcaddr, prefs, dstaddr, prefd, proto, policyin, policyout, seq) + struct sockaddr *srcaddr, *dstaddr; + u_int prefs, prefd, proto; + caddr_t policyin, policyout; + u_int32_t seq; +{ + int pfkey_so; + struct sadb_msg *msg; + caddr_t mhp[SADB_EXT_MAX + 1]; //some null ptr check to be done in failure case + + + if((pfkey_so = pfkey_open()) < 0){ + plog(LLV_ERROR, LOCATION, NULL,"pfkey_open failed\n"); + return -1; + } + + if(pfkey_send_spdadd(pfkey_so, srcaddr, prefs,dstaddr, prefd, proto, policyout, ipsec_get_policylen(policyout), 0) < 0){ plog(LLV_ERROR, LOCATION, NULL,"pfkey_send_spadd failed\n"); + pfkey_close(pfkey_so); + return -2; + } + else{ + //pfkey_send_spadd succeeded - retrieve SP ID value + if((msg = pfkey_recv(pfkey_so)) == NULL){ + plog(LLV_ERROR, LOCATION, NULL,"pfkey_recv failed\n"); + } + if(pfkey_align(msg,mhp) < 0){ + plog(LLV_ERROR, LOCATION, NULL,"pfkey_align failed\n"); + } + //temporary + else{ + //assignedoutPolicySPID = ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id; + } + } + + if(pfkey_send_spdadd(pfkey_so, dstaddr, prefd, srcaddr, prefs, proto, policyin, ipsec_get_policylen(policyin), 0) < 0){ + //delete the added rule + pfkey_send_spddelete(pfkey_so, srcaddr, prefs,dstaddr, prefd, proto, policyout, ipsec_get_policylen(policyout), 0); + plog(LLV_ERROR, LOCATION, NULL,"pfkey_send_spadd failed\n"); + pfkey_close(pfkey_so); + return -3; + } + else{ + if((msg = pfkey_recv(pfkey_so)) == NULL){ + plog(LLV_ERROR, LOCATION, NULL,"pfkey_recv failed\n"); + } + if(pfkey_align(msg,mhp) < 0){ + plog(LLV_ERROR, LOCATION, NULL,"pfkey_align failed\n"); + } + //temporary + else{ + //assignedinPolicySPID = ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id; + } + } + + pfkey_close(pfkey_so); + + return 0; +} 
+#endif + #ifdef ENABLE_ADMINPORT /* * flush SADB @@ -1020,6 +1125,7 @@ pk_recvgetspi(mhp) /* * set inbound SA */ +extern struct ph2natt globalNatt; int pk_sendupdate(iph2) struct ph2handle *iph2; @@ -1107,8 +1213,15 @@ pk_sendupdate(iph2) #ifdef ENABLE_NATT if (pr->udp_encap) { sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type; - sa_args.l_natt_sport = extract_port (iph2->ph1->remote); - sa_args.l_natt_dport = extract_port (iph2->ph1->local); + + if (globalNatt.sport != 0 && globalNatt.dport != 0) { + sa_args.l_natt_sport = globalNatt.sport; + sa_args.l_natt_dport = globalNatt.dport; + } else { + sa_args.l_natt_sport = extract_port (iph2->ph1->remote); + sa_args.l_natt_dport = extract_port (iph2->ph1->local); + } + sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!! #ifdef SADB_X_EXT_NAT_T_FRAG sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; @@ -1252,6 +1365,10 @@ pk_recvupdate(mhp) sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); +#ifdef PLUGINS_SUPPORT +//EVT - remove this after private events + EVT_PUSH(iph2->dst, iph2->src, EVTT_PHASE2_UP, NULL); +#endif } if (pr->ok == 0) @@ -1396,8 +1513,16 @@ pk_sendadd(iph2) if (pr->udp_encap) { sa_args.l_natt_type = UDP_ENCAP_ESPINUDP; - sa_args.l_natt_sport = extract_port(iph2->ph1->local); - sa_args.l_natt_dport = extract_port(iph2->ph1->remote); + + if (globalNatt.sport != 0 && globalNatt.dport != 0) { + sa_args.l_natt_sport = globalNatt.sport; + sa_args.l_natt_dport = globalNatt.dport; + } + else{ + sa_args.l_natt_sport = extract_port(iph2->ph1->local); + sa_args.l_natt_dport = extract_port(iph2->ph1->remote); + } + sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!! #ifdef SADB_X_EXT_NAT_T_FRAG sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag; 
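Review bot: In pfkey_add_policy_to_SPD a NULL from `pfkey_recv()` is only logged, and execution continues into `pfkey_align(msg, mhp)` with `msg == NULL`; the message returned by `pfkey_recv()` is also never freed in either branch, whereas pfkey_handler releases its message with `racoon_free(msg)`. Both receive blocks should return on a NULL message (closing the socket first) and free it after alignment; the rewritten first block is below, the second is identical apart from the return code. A hidden `pfkey_send_spddelete()` failure in the rollback path is also unchecked, and the comment `//some null ptr check to be done in failure case` on `mhp` describes exactly this missing handling and should go once fixed.
```c
	/* … unchanged: pfkey_open, first pfkey_send_spdadd and its error branch … */
	if ((msg = pfkey_recv(pfkey_so)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "pfkey_recv failed\n");
		pfkey_close(pfkey_so);
		return -2;
	}
	if (pfkey_align(msg, mhp) < 0)
		plog(LLV_ERROR, LOCATION, NULL, "pfkey_align failed\n");
	racoon_free(msg);
	msg = NULL;
	/* … unchanged: second pfkey_send_spdadd; same receive/align/free sequence with return -3 … */
```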
@@ -1511,6 +1636,11 @@ pk_recvadd(mhp) sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); +#ifdef PLUGINS_SUPPORT +//EVT - remove this after private events + EVT_PUSH(iph2->src, iph2->dst, EVTT_PHASE2_UP, NULL); +#endif + plog(LLV_DEBUG, LOCATION, NULL, "===\n"); return 0; } @@ -2218,6 +2348,8 @@ pk_recvspdupdate(mhp) struct secpolicy *sp; u_int64_t created; + plog(LLV_DEBUG, LOCATION, NULL, "call pk_recvspdupdate\n"); + /* sanity check */ if (mhp[0] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL @@ -2340,6 +2472,8 @@ pk_recvspdadd(mhp) struct secpolicy *sp; u_int64_t created; + plog(LLV_DEBUG, LOCATION, NULL, "call pk_recvspdadd\n"); + /* sanity check */ if (mhp[0] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL @@ -2624,6 +2758,8 @@ pk_recvspddump(mhp) struct secpolicy *sp; u_int64_t created; + plog(LLV_DEBUG, LOCATION, NULL, "call pk_recvspddump\n"); + /* sanity check */ if (mhp[0] == NULL) { plog(LLV_ERROR, LOCATION, NULL, @@ -2872,6 +3008,8 @@ addnewsp(mhp) struct sadb_lifetime *lt; u_int64_t created; + plog(LLV_DEBUG, LOCATION, NULL, "call addnewsp\n"); + /* sanity check */ if (mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL Index: ipsec-tools-0.7.3/src/racoon/pfkey.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/pfkey.h +++ ipsec-tools-0.7.3/src/racoon/pfkey.h @@ -44,6 +44,8 @@ extern const int pfkey_nsatypes; extern int pfkey_handler __P((void)); extern vchar_t *pfkey_dump_sadb __P((int)); + +extern int pfkey_add_policy_to_SPD __P((struct sockaddr *, u_int, struct sockaddr *, u_int, u_int, caddr_t, caddr_t, u_int32_t)); extern void pfkey_flush_sadb __P((u_int)); extern int pfkey_init __P((void)); Index: ipsec-tools-0.7.3/src/racoon/remoteconf.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/remoteconf.h +++ ipsec-tools-0.7.3/src/racoon/remoteconf.h 
@@ -146,9 +146,14 @@ struct isakmpsa { #ifdef HAVE_GSSAPI vchar_t *gssid; #endif + int dh_group; /* don't use it if aggressive mode */ struct dhgroup *dhgrp; /* don't use it if aggressive mode */ +#ifdef PLUGINS_SUPPORT + vchar_t *pluginikeattribs; +#endif + struct isakmpsa *next; /* next transform */ struct remoteconf *rmconf; /* backpointer to remoteconf */ }; Index: ipsec-tools-0.7.3/src/racoon/sainfo.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/sainfo.h +++ ipsec-tools-0.7.3/src/racoon/sainfo.h @@ -71,6 +71,7 @@ struct sainfoalg { extern struct sainfo *getsainfo __P((const vchar_t *, const vchar_t *, const vchar_t *, int)); extern struct sainfo *newsainfo __P((void)); +extern struct sainfo *dupsainfo __P((struct sainfo *)); extern void delsainfo __P((struct sainfo *)); extern void inssainfo __P((struct sainfo *)); extern void remsainfo __P((struct sainfo *)); @@ -79,6 +80,7 @@ extern void initsainfo __P((void)); extern struct sainfoalg *newsainfoalg __P((void)); extern void delsainfoalg __P((struct sainfoalg *)); extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *)); +extern struct sainfoalg *dupsainfoalg __P((struct sainfoalg *si)); extern const char * sainfo2str __P((const struct sainfo *)); extern void save_sainfotree __P((void)); Index: ipsec-tools-0.7.3/src/racoon/sainfo.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/sainfo.c +++ ipsec-tools-0.7.3/src/racoon/sainfo.c 
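Review bot: Adding `vchar_t *pluginikeattribs` to struct isakmpsa under #ifdef PLUGINS_SUPPORT makes the struct's layout depend on a config.h macro, and remoteconf.h is added to include_racoon_HEADERS in this patch's Makefile.am hunk, i.e. it is installed for out-of-tree plugin code. remoteconf.h does not include config.h (this patch adds that include to localconf.h but not here), so a plugin compiled against the installed header without PLUGINS_SUPPORT defined would see a smaller struct and mis-addressed `next`/`rmconf` fields. Either include config.h here too or add the field unconditionally, as `dh_group` is in the same hunk. Nothing in this hunk says who frees the buffer; a comment next to the field such as `/* plugin-supplied IKE attributes; allocated in ident_i1send, must be vfree()d with the transform */` would record the ownership.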
@@ -90,39 +90,39 @@ getsainfo(loc, rmt, peer, remoteid) /* debug level output */ if(loglevel >= LLV_DEBUG) { char *dloc, *drmt, *dpeer, *dclient; - + if (loc == NULL) dloc = strdup("ANONYMOUS"); else dloc = ipsecdoi_id2str(loc); - + if (rmt == NULL) drmt = strdup("ANONYMOUS"); else drmt = ipsecdoi_id2str(rmt); - + if (peer == NULL) dpeer = strdup("NULL"); else dpeer = ipsecdoi_id2str(peer); - + plog(LLV_DEBUG, LOCATION, NULL, - "getsainfo params: loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%i\n", - dloc, drmt, dpeer, remoteid ); - - racoon_free(dloc); - racoon_free(drmt); - racoon_free(dpeer); + "getsainfo params: loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%i\n", + dloc, drmt, dpeer, remoteid ); + + racoon_free(dloc); + racoon_free(drmt); + racoon_free(dpeer); } - again: +again: plog(LLV_DEBUG, LOCATION, NULL, - "getsainfo pass #%i\n", pass); - + "getsainfo pass #%i\n", pass); + LIST_FOREACH(s, &sitree, chain) { const char *sainfostr = sainfo2str(s); plog(LLV_DEBUG, LOCATION, NULL, - "evaluating sainfo: %s\n", sainfostr); + "evaluating sainfo: %s\n", sainfostr); if(s->remoteid != remoteid) continue; @@ -148,7 +148,7 @@ getsainfo(loc, rmt, peer, remoteid) /* compare the ids */ if (!ipsecdoi_chkcmpids(loc, s->idsrc, 0) && - !ipsecdoi_chkcmpids(rmt, s->iddst, 0)) + !ipsecdoi_chkcmpids(rmt, s->iddst, 0)) return s; } 
@@ -171,7 +171,72 @@ newsainfo() new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT; new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX; + new->id_i = NULL; + + return new; +} + +struct sainfo * +dupsainfo(si) + struct sainfo *si; +{ + struct sainfo *new; + int alg_class = 0, ac = 0; + + if (si == NULL){ + plog(LLV_DEBUG, LOCATION, NULL, + "Request for copying Null sainfo received."); + return NULL; + } + new = racoon_calloc(1, sizeof(*new)); + if (new == NULL){ + plog(LLV_DEBUG, LOCATION, NULL, + "Failed to allocate memory for sainfo\n"); + return NULL; + } + + /* Copy idsrc and iddst */ + if (si->idsrc != NULL){ + new->idsrc = vmalloc(si->idsrc->l); + new->idsrc->l = si->idsrc->l; + memcpy(new->idsrc->v, si->idsrc->v, si->idsrc->l); + } + + if (si->iddst != NULL){ + new->iddst = vmalloc(si->iddst->l); + new->iddst->l = si->iddst->l; + memcpy(new->iddst->v, si->iddst->v, si->iddst->l); + } + /* Copy lifetime, lifebyte, pfs_group */ + new->lifetime = si->lifetime; + new->lifebyte = si->lifebyte; + new->pfs_group = si->pfs_group; + + /* Deep Copy sainfoalg structure */ + for (alg_class = algclass_ipsec_enc; + alg_class <= algclass_isakmp_ameth; + alg_class++){ + if (si->algs[alg_class] != NULL){ + if (!(new->algs[alg_class]=dupsainfoalg(si->algs[alg_class]))){ + delsainfoalg(new->algs[alg_class]); + if (new->idsrc != NULL) + racoon_free(new->idsrc); + if (new->iddst != NULL) + racoon_free(new->iddst); + + /* Remove all the previously allocated sainfoalg classes */ + for(ac=alg_class; ac<=0 ; ac--){ + delsainfoalg(new->algs[ac]); + } + + racoon_free(new); + plog(LLV_DEBUG, LOCATION, NULL, + "Failed to copy sainfoalg...\n"); + return NULL; + } + } + } return new; } 
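Review bot: dupsainfo dereferences the result of vmalloc() for idsrc and iddst without a NULL check, and its error path is wrong: `for(ac=alg_class; ac<=0 ; ac--)` never iterates when alg_class > 0 and, when alg_class == 0, calls delsainfoalg on new->algs[0] (the NULL just stored) and then on new->algs[-1]. The delsainfoalg(new->algs[alg_class]) before the loop is likewise passed the NULL that was just assigned, and idsrc/iddst are released with racoon_free rather than vfree, which leaks the ->v buffer of each vchar_t. remoteid and the id_i field that newsainfo now initialises are not copied into the duplicate; if that is intended a comment should say so. The rewrite below uses vdup() from vmbuf.h and a single cleanup label; newsainfo starts outside the hunk.
```c
struct sainfo *
dupsainfo(si)
	struct sainfo *si;
{
	struct sainfo *new;
	int alg_class = algclass_ipsec_enc, ac;

	/* … unchanged: NULL-argument check and racoon_calloc of new … */

	/* vdup() copies the vchar_t header and its ->v buffer in one step */
	if (si->idsrc != NULL && (new->idsrc = vdup(si->idsrc)) == NULL)
		goto fail;
	if (si->iddst != NULL && (new->iddst = vdup(si->iddst)) == NULL)
		goto fail;

	new->lifetime = si->lifetime;
	new->lifebyte = si->lifebyte;
	new->pfs_group = si->pfs_group;

	for (alg_class = algclass_ipsec_enc;
	     alg_class <= algclass_isakmp_ameth;
	     alg_class++) {
		if (si->algs[alg_class] == NULL)
			continue;
		if ((new->algs[alg_class] = dupsainfoalg(si->algs[alg_class])) == NULL)
			goto fail;
	}
	return new;

fail:
	/* only classes below alg_class were duplicated successfully */
	for (ac = alg_class - 1; ac >= algclass_ipsec_enc; ac--) {
		if (new->algs[ac] != NULL)
			delsainfoalg(new->algs[ac]);
	}
	if (new->idsrc != NULL)
		vfree(new->idsrc);
	if (new->iddst != NULL)
		vfree(new->iddst);
	racoon_free(new);
	plog(LLV_ERROR, LOCATION, NULL,
		"Failed to copy sainfo\n");
	return NULL;
}
```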
@@ -268,6 +333,20 @@ inssainfoalg(head, new) *head = new; } +struct sainfoalg * +dupsainfoalg(alg) + struct sainfoalg *alg; +{ + struct sainfoalg *old, *new = NULL, *newhead = NULL; + for (old = alg; old; old = old->next) { + new = newsainfoalg(); + memcpy(new, old, sizeof(struct sainfoalg)); + new->next = NULL; + inssainfoalg(&newhead, new); + } + return newhead; +} + const char * sainfo2str(si) const struct sainfo *si; Index: ipsec-tools-0.7.3/src/racoon/isakmp_quick.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_quick.c +++ ipsec-tools-0.7.3/src/racoon/isakmp_quick.c @@ -87,11 +87,26 @@ #include "admin.h" #include "strnames.h" +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif +#ifdef ENABLE_NATT +#include "nattraversal.h" +#endif + /* quick mode */ static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); static int get_sainfo_r __P((struct ph2handle *)); static int get_proposal_r __P((struct ph2handle *)); +#if 1 +//shud be in plugin +extern struct ph2natt globalNatt; +#endif + /* %%% * Quick Mode */ @@ -653,6 +668,13 @@ quick_i2send(iph2, msg0) goto end; } +#ifdef PLUGINS_SUPPORT + //Does the vendor plugin have any NATT options + globalNatt.sport=0; + globalNatt.dport=0; + plugin_update_natt_options(iph2, TPIKE_MIDX_SEND); +#endif + /* Do UPDATE for initiator */ plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); if (pk_sendupdate(iph2) < 0) { @@ -796,6 +818,13 @@ quick_i3recv(iph2, msg0) goto end; } +#ifdef PLUGINS_SUPPORT + //Does the vendor plugin have any NATT options + globalNatt.sport=0; + globalNatt.dport=0; + plugin_update_natt_options(iph2, TPIKE_MIDX_RECEIVE); +#endif + /* Do UPDATE for initiator */ plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); if (pk_sendupdate(iph2) < 0) { 
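Review bot: dupsainfoalg calls newsainfoalg() and immediately memcpy()s into the result without checking for NULL, so an allocation failure becomes a write through a null pointer; a guard such as `if ((new = newsainfoalg()) == NULL) goto fail;` with a label that walks and frees the partially built `newhead` list is needed, because delsainfoalg as used elsewhere in this patch appears to release a single node rather than a list (worth confirming). The memcpy clones every field and only resets `next`, which is safe only if struct sainfoalg holds no other pointers; a one-line comment stating that assumption would help the next maintainer. The isakmp_quick.c hunks on this line declare `extern struct ph2natt globalNatt;` under `#if 1 //shud be in plugin` with no PLUGINS_SUPPORT guard while the code that writes it is guarded; its definition is not visible in this patch, so whether a build without plugin support links depends on where it lives.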
@@ -843,6 +872,13 @@ quick_r1recv(iph2, msg0) int tlen; int f_id_order; /* for ID payload detection */ int error = ISAKMP_INTERNAL_ERROR; +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + int *val = NULL ; + struct hookpoint hpoint, *hp = NULL; + int isplecheckrqd = 0; + char *keyval = NULL; +#endif /* validity check */ if (iph2->status != PHASE2ST_START) { @@ -1014,6 +1050,23 @@ quick_r1recv(iph2, msg0) tlen += pa->len; } +#ifdef PLUGINS_SUPPORT + //Get to know if the registered plugins want the payload existency checks. + hp = &hpoint; + mk_hookpoint(IS_PLECHECK_TYPE, 0, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_QUICK, TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 1, TPIKE_DTYPE_INT32PT, &val) == TPIKE_STATUS_SUCCESS) + isplecheckrqd = *val; + } + + if(isplecheckrqd ){ + plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, "PL E CHECK RQD.\n"); +#endif + /* payload existency check */ if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { plog(LLV_ERROR, LOCATION, iph2->ph1->remote, @@ -1021,6 +1074,12 @@ quick_r1recv(iph2, msg0) error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; goto end; } +#ifdef PLUGINS_SUPPORT + } + else{ + plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, "PL E CHECK NOT RQD.\n"); + } +#endif if (iph2->id_p) { plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); 
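Review bot: Making the payload existence check conditional on a plugin answer (`isplecheckrqd`) does not make the rest of quick_r1recv tolerate missing payloads: when a plugin reports the check as not required and HASH(1), SA or Nonce is absent, `hash`, `iph2->sa` and `iph2->nonce_p` stay NULL and the code after these hunks, which in upstream racoon verifies HASH(1) and walks the proposal, presumably dereferences them, so an unauthenticated Quick Mode message 1 can crash the responder instead of being rejected as PAYLOAD_MALFORMED. These three payloads are mandatory in Quick Mode, so the `if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL)` test should stay outside the `if(isplecheckrqd)` block and the hook should only be able to add requirements, not remove this one. The `isplecheckrqd = *val` after tpike_pack_out also assumes the plugin returned a non-NULL pointer. quick_r1recv starts and ends outside these hunks.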
@@ -1117,6 +1176,25 @@ quick_r1recv(iph2, msg0) /* change status of isakmp status entry */ iph2->status = PHASE2ST_STATUS2; +#ifdef PLUGINS_SUPPORT + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(IKE_NEGO_STATE_TYPE, 0, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_QUICK, TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, 1 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 0) == TPIKE_STATUS_SUCCESS) { + plog(LLV_INFO, LOCATION, NULL, "Quick Mode start message notified to plugin\n"); + ; + } + } + else + plog(LLV_DEBUG2, LOCATION, NULL, " Quick mode start message not registered by plugin\n"); + +#endif + error = 0; end: @@ -1641,6 +1719,13 @@ quick_r3prep(iph2, msg0) goto end; } +#ifdef PLUGINS_SUPPORT + //Does the vendor plugin have any NATT options + globalNatt.sport=0; + globalNatt.dport=0; + plugin_update_natt_options(iph2, TPIKE_MIDX_ANY); +#endif + /* Do UPDATE as responder */ plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); if (pk_sendupdate(iph2) < 0) { Index: ipsec-tools-0.7.3/src/racoon/isakmp_var.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_var.h +++ ipsec-tools-0.7.3/src/racoon/isakmp_var.h 
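Review bot: In the IKE_NEGO_STATE_TYPE notification block the `;` after the plog() call is an empty statement, and the return value of tpike_pack_in() is ignored, whereas the isakmp_cfg_set hunk of this patch checks it with TPIKE_OK() before dispatching; the same unchecked call appears in the other mk_hookpoint/tpike_pack_in sequences (quick_r1recv above, ident_i1send, ph1_main, isakmp_info_send_n1). Dropping the stray semicolon and writing `if (!TPIKE_OK(tpike_pack_in(&inarr, 0))) goto end;` (or logging and skipping the dispatch) would make these sites consistent. It is not visible whether inarr/outarr must be released by the caller; if tpike_pack_out does not free them, each of these blocks leaks two buffers per exchange and a comment at the first site should say who owns them. quick_r1recv starts outside the hunk.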
@@ -111,6 +111,12 @@ extern struct payload_list *isakmp_plist extern vchar_t *isakmp_plist_set_all __P((struct payload_list **plist, struct ph1handle *iph1)); +#ifdef PLUGINS_SUPPORT +extern struct payload_list *isakmp_plist_insert_vendorid_payload __P((struct payload_list *plist, struct ph1handle *iph1, u_int8_t position)); +extern int verify_payload __P((u_int8_t payloadtype, u_int8_t etype, u_int8_t , u_int8_t, u_int8_t, void *pl, void **data)); +#endif + + #ifdef HAVE_PRINT_ISAKMP_C extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *, struct sockaddr *, int)); Index: ipsec-tools-0.7.3/src/racoon/isakmp_inf.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_inf.c +++ ipsec-tools-0.7.3/src/racoon/isakmp_inf.c @@ -98,6 +98,13 @@ #include "nattraversal.h" #endif +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + /* information exchange */ static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int); static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int); @@ -418,6 +425,12 @@ isakmp_info_recv_n(iph1, notify, msgid, racoon_free(spi); } +#ifdef PLUGINS_SUPPORT + if (type ==ISAKMP_NTYPE_AUTHENTICATION_FAILED){ + evt_push(NULL,NULL,EVTT_XAUTH_FAILED,NULL); + } +#endif + /* Send the message data to the logs */ if(type >= ISAKMP_NTYPE_MINERROR && type <= ISAKMP_NTYPE_MAXERROR) { 
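Review bot: The new branch in isakmp_info_recv_n pushes EVTT_XAUTH_FAILED for every ISAKMP_NTYPE_AUTHENTICATION_FAILED notification without consulting the function's last parameter (the trailing `int` in the prototype above, the encrypted flag in upstream racoon), so an unencrypted, unauthenticated notify from any host that can reach the ISAKMP port would raise an XAUTH-failure event to whatever listens on the admin socket. Gating it on that flag, `if (type == ISAKMP_NTYPE_AUTHENTICATION_FAILED && encrypted)`, keeps the event tied to a peer that holds the phase-1 keys. The notify is also the generic IKE authentication failure rather than an XAUTH-specific one, which a comment at the evt_push should acknowledge. isakmp_info_recv_n starts and ends outside the hunk.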
@@ -794,6 +807,37 @@ isakmp_info_send_n1(iph1, type, data) * by cookie and SPI has no meaning, 0 <= SPI size <= 16. * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16. */ +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + struct isakmp_data *ikeattr = NULL; + int ikeattrlen = 0, *val = NULL ; + struct isakmpsa *prop = NULL; + struct hookpoint hpoint, *hp = NULL; + char *keyval = NULL; + + /* Initialize spisiz and n for stopping gcc to crib */ + plog(LLV_INFO, LOCATION, NULL, "iN ISAKMP_INFO_SEND_N1"); + + spisiz = 0; + n = NULL; + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(PAYLOAD_TYPE, ISAKMP_NPTYPE_NONE, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_INFO, TPIKE_MIDX_ANY, TPIKE_MIDX_ANY, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp) ; + tpike_pack_in(&inarr, 2, TPIKE_DTYPE_STRUCTIPH1, iph1, TPIKE_DTYPE_INT32PT, &type ); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTVCHAR , &payload) == TPIKE_STATUS_SUCCESS) { + plog(LLV_DEBUG2, LOCATION, NULL,"Sending info payload got from plugin\n" ); + } + else + goto normalpath; + + } + else +normalpath: + { +#endif if (type == ISAKMP_NTYPE_INITIAL_CONTACT) spisiz = sizeof(isakmp_index); else 
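Review bot: The `else normalpath: {` block opened at the end of this hunk is closed, in the following hunk, only after `error = isakmp_info_send_common(...)`, so when the plugin supplies `payload` the function skips the send entirely: the plugin-provided notification is logged and freed but never transmitted, and `error` keeps whatever value it was initialised with outside the hunk. Move the call after the closing brace so both paths send it, e.g. `error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);` placed just before the `if (payload)` debug block. A goto into a labelled else branch is legal but hard to follow; a plain test on whether the plugin returned a payload, followed by the original construction code, reads better. ikeattr, ikeattrlen, val and prop are declared here but never used. isakmp_info_send_n1 starts outside the hunk.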
@@ -822,7 +866,19 @@ isakmp_info_send_n1(iph1, type, data) memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags); - vfree(payload); + +#ifdef PLUGINS_SUPPORT + } + if (payload) + { + n = (struct isakmp_pl_n *)payload->v; + + plog(LLV_DEBUG2,LOCATION,NULL,"h.np = %d, h.reserved = %d, h.len = %d, doi = %d, proto = %d, spi size = %d, type=%d, spi = %d\n ", n->h.np, n->h.reserved, n->h.len, n->doi, n->proto_id, n->spi_size, n->type, *(u_int32_t *)(n+1)); +#endif + vfree(payload); +#ifdef PLUGINS_SUPPORT + } +#endif return error; } Index: ipsec-tools-0.7.3/src/racoon/isakmp_ident.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_ident.c +++ ipsec-tools-0.7.3/src/racoon/isakmp_ident.c @@ -90,6 +90,13 @@ #include "isakmp_frag.h" #endif +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + static vchar_t *ident_ir2mx __P((struct ph1handle *)); static vchar_t *ident_ir3mx __P((struct ph1handle *)); @@ -124,6 +131,16 @@ ident_i1send(iph1, msg) #ifdef ENABLE_DPD vchar_t *vid_dpd = NULL; #endif + +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + struct isakmp_data *ikeattr = NULL; + int ikeattrlen = 0, *val = NULL ; + struct isakmpsa *prop = NULL; + struct hookpoint hpoint, *hp = NULL; + char *keyval = NULL; +#endif + /* validity check */ if (msg != NULL) { plog(LLV_ERROR, LOCATION, NULL, 
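Review bot: The added debug plog reads `*(u_int32_t *)(n+1)` as the SPI regardless of `n->spi_size`; for a payload built in the original path with spisiz == 0 and no data, that is a read past the end of the vmalloc'd buffer. Print the SPI only when it is present, e.g. `n->spi_size >= sizeof(u_int32_t) ? *(u_int32_t *)(n + 1) : 0`, and note that the header fields are printed in network byte order. The same block belongs to the plugin path discussed in the previous hunk, where the send is skipped; isakmp_info_send_n1 starts outside the hunks.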
@@ -140,6 +157,30 @@ ident_i1send(iph1, msg) memset(&iph1->index, 0, sizeof(iph1->index)); isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); +#ifdef PLUGINS_SUPPORT + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(ATTRIBUTE_TYPE, IKE_ATTRIB_TYPE, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_IDENT, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_SEND, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) + { + if (tpike_pack_out(outarr, 2, TPIKE_DTYPE_STRUCTISAKMPDATA, &ikeattr, TPIKE_DTYPE_INT32PT, &val) == TPIKE_STATUS_SUCCESS) + { + ikeattrlen = *val; + //set ike attribs in all sa structures + prop = iph1->rmconf->proposal; + while(prop) + { + prop->pluginikeattribs = vmalloc(ikeattrlen); + memcpy(prop->pluginikeattribs->v, ikeattr, ikeattrlen); + prop = prop->next; + } + } + } +#endif + /* create SA payload for my proposal */ iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); if (iph1->sa == NULL) @@ -152,6 +193,8 @@ ident_i1send(iph1, msg) /* set VID payload for NAT-T if NAT-T support allowed in the config file */ if (iph1->rmconf->nat_traversal) plist = isakmp_plist_append_natt_vids(plist, vid_natt); + else + vid_natt[0]=NULL; #endif #ifdef ENABLE_HYBRID /* Do we need Xauth VID? */ @@ -203,6 +246,9 @@ ident_i1send(iph1, msg) } #endif +#ifdef PLUGINS_SUPPORT + plist = (struct payload_list *)isakmp_plist_insert_vendorid_payload(plist, iph1, INITIATOR_SEND_ONE); +#endif iph1->sendbuf = isakmp_plist_set_all (&plist, iph1); #ifdef HAVE_PRINT_ISAKMP_C @@ -258,6 +304,11 @@ ident_i2recv(iph1, msg) vchar_t *satmp = NULL; int error = -1; int vid_numeric; +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; + void *resp = NULL; +#endif + /* validity check */ if (iph1->status != PHASE1ST_MSG1SENT) { 
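Review bot: `prop->pluginikeattribs = vmalloc(ikeattrlen)` is neither NULL-checked before the memcpy nor preceded by freeing a previous value, and rmconf->proposal is long-lived configuration shared by every phase 1 with that peer, so each ident_i1send overwrites and leaks the previous buffer; nothing else in this patch frees the field. Suggested: `if (prop->pluginikeattribs != NULL) vfree(prop->pluginikeattribs); if ((prop->pluginikeattribs = vmalloc(ikeattrlen)) == NULL) goto end;`, and `ikeattrlen = *val` should also guard against a NULL `val`. The cast in `plist = (struct payload_list *)isakmp_plist_insert_vendorid_payload(...)` is unnecessary given the prototype added to isakmp_var.h. ident_i1send starts and ends outside the hunks.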
@@ -300,6 +351,20 @@ ident_i2recv(iph1, msg) switch (pa->type) { case ISAKMP_NPTYPE_VID: vid_numeric = check_vendorid(pa->ptr); +#ifdef PLUGINS_SUPPORT + //status = verify_payload(ISAKMP_NPTYPE_VID, ISAKMP_ETYPE_AGG, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_RECEIVE, 1, (void *)pa->ptr,(void **) &resp); + status = verify_payload(ISAKMP_NPTYPE_VID, ISAKMP_ETYPE_IDENT, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_RECEIVE, 1, (void *)pa->ptr,&resp); + if(status == TPIKE_STATUS_SUCCESS) { + if(((struct isakmp_data *)resp)->type == PRIVATE_NATTVID_PAYLOAD_TYPE) { + //need to fill natt options + natt_handle_private_vendorid(iph1, (struct isakmp_data *)resp); + } + break; + } + else if(status != TPIKE_ERR_HASH_MATCH_NOT_FOUND && status != TPIKE_ERR_HASH_TABLE_OVERFLOW) + goto end; +#endif // PLUGINS_SUPPORT + #ifdef ENABLE_NATT if (iph1->rmconf->nat_traversal && natt_vendorid(vid_numeric)) natt_handle_vendorid(iph1, vid_numeric); @@ -969,10 +1034,16 @@ ident_r1recv(iph1, msg) } #ifdef ENABLE_NATT - if (NATT_AVAILABLE(iph1)) + if (NATT_AVAILABLE(iph1)) { plog(LLV_INFO, LOCATION, iph1->remote, - "Selected NAT-T version: %s\n", - vid_string_by_id(iph1->natt_options->version)); + "Selected NAT-T version: %s\n", + vid_string_by_id(iph1->natt_options->version)); + + if(((struct sockaddr_in *)iph1->remote)->sin_port == htons(4500) && ((struct sockaddr_in *)iph1->local)->sin_port == htons(4500) ){ + iph1->natt_flags |= NAT_PORTS_CHANGED; + plog (LLV_DEBUG2, LOCATION, NULL, "NON-ESP MARKER NON-ENFORCEMENT\n"); + } + } #endif /* check SA payload and set approval SA for use */ Index: ipsec-tools-0.7.3/src/racoon/isakmp_cfg.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp_cfg.c +++ ipsec-tools-0.7.3/src/racoon/isakmp_cfg.c 
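Review bot: In ident_i2recv a VID the plugin recognises `break`s out of the switch before the ENABLE_NATT and other vendor-ID handling below it, so any plugin that claims a VID, not only PRIVATE_NATTVID_PAYLOAD_TYPE, silently disables the built-in handling of that VID, and `resp` is cast and dereferenced without a NULL check after the success status; a comment stating that plugin VIDs are exclusive, or a fall-through for the non-private case, would make the intent explicit. In ident_r1recv the NAT-T test hard-codes 4500 and casts both addresses to struct sockaddr_in; `extract_port(iph1->remote) == lcconf->port_isakmp_natt` (and the same for local) would honour the configured port and address family. Setting NAT_PORTS_CHANGED at this point happens before the peer is authenticated and, as the log text suggests, changes non-ESP marker handling, which deserves a comment. Both functions start and end outside the hunks.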
@@ -105,6 +105,13 @@ #include "admin.h" #include "privsep.h" +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/framework.h" +#include "plugin_frame/common.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + struct isakmp_cfg_config isakmp_cfg_config; static vchar_t *buffer_cat(vchar_t *s, vchar_t *append); @@ -129,6 +136,12 @@ static int isakmp_cfg_accounting(struct static int isakmp_cfg_accounting_radius(struct ph1handle *, int); #endif +#ifdef PLUGINS_SUPPORT +static int isakmp_plugin_cfg_priv (struct ph1handle *iph1, struct isakmp_pl_attr *attrpl); +static int isakmp_plugin_cfg_req (struct ph1handle *iph1, struct isakmp_data *attr, vchar_t **reply_attr); +static int isakmp_plugin_cfg_set (struct ph1handle *iph1, struct isakmp_data *attr, vchar_t **reply_attr); + +#endif /* * Handle an ISAKMP config mode packet * We expect HDR, HASH, ATTR @@ -275,6 +288,9 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl) struct isakmp_pl_attr *attrpl; { int type = attrpl->type; +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; +#endif plog(LLV_DEBUG, LOCATION, NULL, "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type)); @@ -301,9 +317,23 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl) break; default: +#ifdef PLUGINS_SUPPORT + iph1->msgid = msgid; + if((status = isakmp_plugin_cfg_priv(iph1, attrpl)) == TPIKE_STATUS_SUCCESS) { + //Temporary - to make NORTEL work + oakley_delivm(iph1->mode_cfg->ivm); + iph1->mode_cfg->ivm = NULL; + //end Temporary + return status; + } + else { +#endif plog(LLV_WARNING, LOCATION, NULL, "Unepected configuration exchange type %d\n", type); return -1; +#ifdef PLUGINS_SUPPORT + } +#endif break; } @@ -497,6 +527,9 @@ isakmp_cfg_request(iph1, attrpl) vchar_t *reply_attr; int type; int error = -1; +#ifdef PLUGINS_SUPPORT + int status = TPIKE_STATUS_SUCCESS; +#endif if ((payload = vmalloc(sizeof(*reply))) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 
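Review bot: The `//Temporary - to make NORTEL work` block in isakmp_cfg_attr_r releases the mode-cfg IV (`oakley_delivm(iph1->mode_cfg->ivm); iph1->mode_cfg->ivm = NULL;`) after a plugin handled an unknown exchange type, but nothing explains which problem this works around or when it can be removed; a comment such as `/* plugin-handled private exchanges reply with a fresh msgid, so the IV derived for this one is not reused */` (or whatever the actual reason is) should replace the placeholder. The `return status;` inside the switch also leaves the following `break` unreachable and returns a plugin status code where the other arms return 0/-1, which callers may compare against. isakmp_cfg_attr_r starts outside the hunk.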
@@ -522,12 +555,26 @@ isakmp_cfg_request(iph1, attrpl) switch (type) { case XAUTH_TYPE: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_req(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif reply_attr = isakmp_xauth_req(iph1, attr); +#ifdef PLUGINS_SUPPORT + } +#endif break; default: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_req(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif plog(LLV_WARNING, LOCATION, NULL, "Ignored short attribute %s\n", s_isakmp_cfg_type(type)); +#ifdef PLUGINS_SUPPORT + } +#endif break; } @@ -576,7 +623,14 @@ isakmp_cfg_request(iph1, attrpl) case XAUTH_STATUS: case XAUTH_NEXT_PIN: case XAUTH_ANSWER: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_req(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif reply_attr = isakmp_xauth_req(iph1, attr); +#ifdef PLUGINS_SUPPORT + } +#endif break; case APPLICATION_VERSION: @@ -600,9 +654,16 @@ isakmp_cfg_request(iph1, attrpl) case INTERNAL_ADDRESS_EXPIRY: default: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_req(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif plog(LLV_WARNING, LOCATION, NULL, "Ignored attribute %s\n", s_isakmp_cfg_type(type)); +#ifdef PLUGINS_SUPPORT + } +#endif break; } @@ -665,6 +726,9 @@ isakmp_cfg_set(iph1, attrpl) vchar_t *reply_attr; int type; int error = -1; +#ifdef PLUGINS_SUPPORT + int status = 0; +#endif if ((payload = vmalloc(sizeof(*reply))) == NULL) { plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n"); 
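Review bot: The pattern `status = isakmp_plugin_cfg_req(...); if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { ... }` is repeated in four cases here and twice more in the isakmp_cfg_set hunk; any other plugin failure (for instance TPIKE_ERR_MEM_ALLOC_FAILED from the helper) falls through with no reply attribute and no log line, so the attribute is dropped silently. A small file-scope helper, e.g. `static int plugin_unhandled(int status) { return status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW; }`, plus a plog(LLV_WARNING, ...) for the remaining error statuses would make the fallback explicit and keep the six sites identical. The `#if 1 ... #else ... #endif` around `if (reply_attr != NULL)` in the isakmp_cfg_set hunk is dead code that should be removed. isakmp_cfg_request starts and ends outside the hunks.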
@@ -689,16 +753,34 @@ isakmp_cfg_set(iph1, attrpl) switch (type & ~ISAKMP_GEN_MASK) { case XAUTH_STATUS: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_set(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif reply_attr = isakmp_xauth_set(iph1, attr); +#ifdef PLUGINS_SUPPORT + } +#endif break; default: +#ifdef PLUGINS_SUPPORT + status = isakmp_plugin_cfg_set(iph1, attr, &reply_attr); + if(status == TPIKE_ERR_HASH_MATCH_NOT_FOUND || status == TPIKE_ERR_HASH_TABLE_OVERFLOW) { +#endif plog(LLV_DEBUG, LOCATION, NULL, "Unexpected SET attribute %s\n", s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK)); +#ifdef PLUGINS_SUPPORT + } +#endif break; } +#if 1 if (reply_attr != NULL) { +#else + if ((reply_attr = vmalloc(sizeof(*reply_attr))) != NULL) { +#endif payload = buffer_cat(payload, reply_attr); vfree(reply_attr); } 
@@ -724,6 +806,39 @@ isakmp_cfg_set(iph1, attrpl) reply->type = ISAKMP_CFG_ACK; reply->id = attrpl->id; +#ifdef PLUGINS_SUPPORT + { + /* FIXME : is this correct to add a new subtype for ATTRIB_ACK hook */ + /* before sending cfg ack */ + void *outarr = NULL, *inarr = NULL, *keyval = NULL; + int status = TPIKE_STATUS_SUCCESS; + struct hookpoint * hp, hpoint; + + hp = &hpoint; + + mk_hookpoint(ATTRIBUTE_TYPE, + CONFIG_ATTRIB_ACK_TYPE, + ISAKMP_CFG_SET, + MAKE_POS(ISAKMP_ETYPE_CFG, + (iph1->side == INITIATOR) ? TPIKE_MIDX_INITIATOR : TPIKE_MIDX_RESPONDER, + TPIKE_MIDX_RECEIVE, + /*ANY*/0, 0xff, 0xff), + 0, 0, keyval, hp); + + if (! TPIKE_OK(status = tpike_pack_in(&inarr, 0))) + plog(LLV_WARNING, LOCATION, NULL, "packin failed\n"); + + if (TPIKE_OK (status)) { + if(! TPIKE_OK (status = tpike_dispatch_generic(&hpoint, inarr, &outarr))) + plog(LLV_WARNING, LOCATION, NULL, "dispatch failed \n"); + if (TPIKE_OK (status)) { + if(! TPIKE_OK (status = tpike_pack_out(outarr, 0))) + plog(LLV_ERROR, LOCATION, NULL, "pack out failed\n"); + } + } + } +#endif + plog(LLV_DEBUG, LOCATION, NULL, "Sending MODE_CFG ACK\n"); 
@@ -2157,3 +2272,166 @@ isakmp_cfg_init(cold) return 0; } +#ifdef PLUGINS_SUPPORT +int +isakmp_plugin_cfg_req(iph1, attr, reply_attr) + struct ph1handle *iph1; + struct isakmp_data *attr; + vchar_t **reply_attr; +{ + struct hookpoint hpoint, *hp = NULL; + struct isakmp_data *attrval = NULL, *temp = NULL; + vchar_t *value = NULL; + void *outarr = NULL, *inarr = NULL; + u_int16_t attrtype = 0; + int status = TPIKE_STATUS_SUCCESS; + int datalen = 0; + void *keyval = NULL; + + attrtype = ntohs(attr->type); + + if(attrtype & ISAKMP_GEN_TV) + attrtype = attrtype & ~ISAKMP_GEN_TV; + + hp = &hpoint; + keyval = &attrtype; + + mk_hookpoint (ATTRIBUTE_TYPE, + CONFIG_ATTRIB_TYPE, + ISAKMP_CFG_REQUEST, + MAKE_POS(ISAKMP_ETYPE_CFG, + (iph1->side == INITIATOR) ? TPIKE_MIDX_INITIATOR : TPIKE_MIDX_RESPONDER, + TPIKE_MIDX_RECEIVE, + /*ANY*/0, 0xff, 0xff), + 1, sizeof(attrtype), keyval, hp); + + tpike_pack_in(&inarr, 0); + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, &attrval)) == TPIKE_STATUS_SUCCESS) { + + if((attrval->type) & ISAKMP_GEN_TV) + datalen = 0; + else + datalen = attrval->lorv; + if((*reply_attr = vmalloc(sizeof(struct isakmp_data) + datalen)) == NULL) + { + //log & set error, and come out! 
+ status = TPIKE_ERR_MEM_ALLOC_FAILED;
+ goto tpike_req_end;
+ }
+
+ value = *reply_attr;
+ temp = (struct isakmp_data *)value->v;
+ if(datalen == 0) //its a TV value
+ {
+ temp->type = htons(attrval->type);
+ temp->lorv = attrval->lorv;
+ }
+ else
+ {
+ temp->type = htons(attrval->type);
+ temp->lorv = htons(datalen);
+ memcpy(temp + 1, attrval + 1, datalen);
+
+ }
+ }
+ }
+
+tpike_req_end:
+ return status; //should return status returned by plugin
+
+}
+
+int
+isakmp_plugin_cfg_set(iph1, attr, resp)
+ struct ph1handle *iph1;
+ struct isakmp_data *attr;
+ vchar_t **resp;
+{
+ struct hookpoint hpoint, *hp;
+ struct isakmp_data *setresp = NULL, *temp = NULL;
+ vchar_t *value = NULL;
+ void *outarr = NULL, *inarr = NULL;
+ u_int16_t attrtype = 0;
+ int status = TPIKE_STATUS_SUCCESS;
+ int datalen = 0;
+
+ attrtype = ntohs(attr->type);
+
+ if(attrtype & ISAKMP_GEN_TV)
+ attrtype = attrtype & ~ISAKMP_GEN_TV;
+
+ hp = &hpoint;
+
+ mk_hookpoint(ATTRIBUTE_TYPE, CONFIG_ATTRIB_TYPE, ISAKMP_CFG_SET, MAKE_POS(ISAKMP_ETYPE_CFG, (iph1->side == INITIATOR) ? TPIKE_MIDX_INITIATOR : TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, /*ANY*/0, 0xff, 0xff), 1, sizeof(attr->type), &(attr->type), hp);
+
+ if((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, attr)) == TPIKE_STATUS_SUCCESS) {
+
+ if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) {
+
+ if((status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, &setresp)) == TPIKE_STATUS_SUCCESS) {
+
+ if(setresp->type & ISAKMP_GEN_TV)
+ datalen = 0;
+ else
+ datalen = setresp->lorv;
+ if((*resp = vmalloc(sizeof(struct isakmp_data) + datalen)) == NULL)
+ {
+ //log & set error, and come out!
+ status = TPIKE_ERR_MEM_ALLOC_FAILED;
+ goto tpike_set_end;
+ }
+
+ value = *resp;
+ temp = (struct isakmp_data *)value->v;
+ if(datalen == 0) //its a TV value
+ {
+ temp->type = setresp->type;
+ temp->lorv = setresp->lorv;
+ }
+ else
+ {
+ temp->type = setresp->type;
+ temp->lorv = datalen;
+ memcpy(temp + 1, setresp + 1, datalen);
+
+ }
+ }
+ }
+ }
+
+tpike_set_end:
+ return status; //should return status returned by plugin
+}
+
+int
+isakmp_plugin_cfg_priv(iph1, attrpl)
+ struct ph1handle *iph1;
+ struct isakmp_pl_attr *attrpl;
+{
+ struct hookpoint hpoint, *hp;
+ struct isakmp_data *setresp = NULL, *temp = NULL;
+ vchar_t *value = NULL;
+ void *outarr = NULL, *inarr = NULL;
+ u_int16_t attrtype = 0;
+ int status = TPIKE_STATUS_SUCCESS;
+ char *keyval = NULL;
+
+ attrtype = (attrpl->type);
+ hp = &hpoint;
+
+ mk_hookpoint(ATTRIBUTE_TYPE, CONFIG_ATTRIB_TYPE, attrtype, MAKE_POS(ISAKMP_ETYPE_CFG, (iph1->side == INITIATOR) ? TPIKE_MIDX_INITIATOR : TPIKE_MIDX_RESPONDER, TPIKE_MIDX_RECEIVE, /*ANY*/0, 0xff, 0xff), 1, 0, keyval, hp);
+
+ if((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, NULL)) == TPIKE_STATUS_SUCCESS) {
+
+ if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) {
+
+ tpike_pack_out(outarr, 0); //plugin should respond with success/error value
+ }
+ }
+
+ return status; //should return status returned by plugin
+}
+#endif
Index: ipsec-tools-0.7.3/src/racoon/localconf.c
===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/localconf.c
+++ ipsec-tools-0.7.3/src/racoon/localconf.c
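Review bot: isakmp_plugin_cfg_req and isakmp_plugin_cfg_set build the reply attribute in different byte orders: cfg_req writes `htons(attrval->type)` and `htons(datalen)` while cfg_set stores `setresp->type` and `datalen` untouched, so one of the two emits a malformed TLV on the wire unless plugins are expected to return the two in different orders, which nothing documents; the lookup keys differ as well (cfg_req strips ISAKMP_GEN_TV from an ntohs'ed type, cfg_set passes the raw network-order `attr->type`), so a plugin cannot register one key for both hooks. `datalen = attrval->lorv` / `setresp->lorv` is used as a memcpy length with no upper bound, and `attrval`/`setresp` are dereferenced without a NULL check after a successful pack_out. isakmp_plugin_cfg_priv passes NULL as the ISAKMPDATA argument, so the plugin never sees attrpl; if that is deliberate a comment should say so. The unused setresp/temp/value locals in cfg_priv and `keyval` (always NULL) in cfg_req can be dropped.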
@@ -126,6 +126,19 @@ setdefault() lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL; } +/* Replace the racoon_conf_file */ +int +setracoonconf(conffile) + char *conffile; +{ + if (lcconf->racoon_conf && (strcmp (lcconf->racoon_conf, LC_DEFAULT_CF) != 0)) + { + free(lcconf->racoon_conf); + } + lcconf->racoon_conf = strdup(conffile); + return 0; +} + /* * get PSK by string. */ Index: ipsec-tools-0.7.3/src/racoon/localconf.h =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/localconf.h +++ ipsec-tools-0.7.3/src/racoon/localconf.h @@ -34,6 +34,8 @@ #ifndef _LOCALCONF_H #define _LOCALCONF_H +#include "config.h" + /* local configuration */ #define LC_DEFAULT_CF SYSCONFDIR "/racoon.conf" @@ -118,12 +120,19 @@ struct localconf { */ int gss_id_enc; /* GSS ID encoding to use */ + +#ifdef PLUGINS_SUPPORT + int plugins_support; /* whether enable the plugins support or not */ + char *plugins_name; + char *plugins_path; /* plugins' filename or path */ +#endif /* PLUGINS_SUPPORT */ }; extern struct localconf *lcconf; extern void initlcconf __P((void)); extern void flushlcconf __P((void)); +extern int setracoonconf __P((char *)); extern vchar_t *getpskbyname __P((vchar_t *)); extern vchar_t *getpskbyaddr __P((struct sockaddr *)); extern void getpathname __P((char *, int, int, const char *)); Index: ipsec-tools-0.7.3/src/racoon/main.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/main.c +++ ipsec-tools-0.7.3/src/racoon/main.c @@ -340,7 +340,7 @@ parse(ac, av) exit(1); #endif case 'f': - lcconf->racoon_conf = optarg; + lcconf->racoon_conf = strdup(optarg); break; case 'l': plogset(optarg); Index: ipsec-tools-0.7.3/src/racoon/Makefile.am =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/Makefile.am +++ ipsec-tools-0.7.3/src/racoon/Makefile.am 
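Review bot: setracoonconf frees the old path only when it differs from LC_DEFAULT_CF by string comparison, so a path that main.c's `-f` handling in this patch strdup'ed but which happens to equal the default is leaked, while the value the guard is really protecting is the literal assigned at initialisation; strdup'ing the default there as well, so that racoon_conf is always heap-owned and can be freed unconditionally, removes the ambiguity. The strdup() result is stored unchecked, and free() is used where the surrounding file uses racoon_free(). A header comment stating ownership would help, e.g. `/* lcconf->racoon_conf becomes a heap copy of conffile; the caller keeps conffile */`.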
@@ -4,7 +4,8 @@ sbin_PROGRAMS = racoon racoonctl plainrs noinst_PROGRAMS = eaytest include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ schedule.h sockmisc.h vmbuf.h isakmp_var.h isakmp.h isakmp_xauth.h \ - isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h + isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h oakley.h nattraversal.h vendorid.h \ + handler.h remoteconf.h genlist.h isakmp_inf.h gnuc.h lib_LTLIBRARIES = libracoon.la adminsockdir=${localstatedir}/racoon @@ -12,8 +13,8 @@ adminsockdir=${localstatedir}/racoon BUILT_SOURCES = cfparse.h prsa_par.h INCLUDES = -I${srcdir}/../libipsec AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \ - -DADMINPORTDIR=\"${adminsockdir}\" -AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto + -DADMINPORTDIR=\"${adminsockdir}\" @PLUGINS_SUPPORT_CFLAGS@ +AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto @PLUGINS_SUPPORT_LDFLAGS@ AM_YFLAGS = -d ${$*_YFLAGS} AM_LFLAGS = ${$*_LFLAGS} @@ -39,7 +40,8 @@ racoon_SOURCES = \ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \ isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS) racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \ - $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la + $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la \ + ../plugin_frame/libplugin_frame.la racoon_DEPENDENCIES = \ $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \ vmbuf.o sockmisc.o misc.o Index: ipsec-tools-0.7.3/configure.ac =================================================================== --- ipsec-tools-0.7.3.orig/configure.ac +++ ipsec-tools-0.7.3/configure.ac @@ -2,7 +2,7 @@ dnl -*- mode: m4 -*- dnl Id: configure.ac,v 1.77 2006/07/20 19:19:27 manubsd Exp AC_PREREQ(2.52) -AC_INIT(ipsec-tools, 0.7.3) +AC_INIT(novell-ipsec-tools, 0.7.3) AC_CONFIG_SRCDIR([configure.ac]) AM_CONFIG_HEADER(config.h) 
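Review bot: racoon_LDADD now links `../plugin_frame/libplugin_frame.la` unconditionally while configure.ac only defines PLUGINS_SUPPORT and the @PLUGINS_SUPPORT_*@ variables under --enable-plugins-support, so a build with plugins disabled still requires the plugin_frame library; the substituted @PLUGINS_SUPPORT_LDADD@ was evidently meant to carry this and should replace the hard-coded path. The library is also missing from racoon_DEPENDENCIES, so racoon is not relinked when it changes. `-export-dynamic` inside the CFLAGS substitution is a libtool link flag rather than a compiler flag and belongs with @PLUGINS_SUPPORT_LDFLAGS@, which already passes -Wl,--export-dynamic.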
@@ -260,6 +260,21 @@ if test $enable_adminport = "yes"; then fi AC_MSG_RESULT($enable_adminport) +# Option --enable-apclient +AC_MSG_CHECKING(if --enable-apclient option specified) +AC_ARG_ENABLE(apclient, + [ --enable-apclient enable admin port client extensions], + [],[enable_apclient=no]) +if test $enable_apclient = "yes"; then + if test $enable_adminport = "yes"; then + AC_MSG_RESULT(ok) ; + AC_DEFINE([ENABLE_AP_CLIENTMODE],[],[Enable Admin Port Client Extensions]) + else + AC_MSG_ERROR([Enabling Admin port Client without enabling admin port Aborting]); + fi +fi +AC_MSG_RESULT($enable_apclient) + # Option RC5 AC_MSG_CHECKING(if --enable-rc5 option is specified) AC_ARG_ENABLE(rc5, @@ -801,7 +816,17 @@ AC_ARG_ENABLE(plugins-support, [], [enable_plugins_support=no]) if test "x$enable_plugins_support" = "xyes"; then AC_DEFINE([PLUGINS_SUPPORT], [], [Enable plugins support]) + PLUGINS_SUPPORT_CFLAGS='-I${top_srcdir}/src -export-dynamic' + PLUGINS_SUPPORT_CPPFLAGS='-I${top_srcdir}/src -export-dynamic' + PLUGINS_SUPPORT_LDFLAGS='-Wl,--export-dynamic' + PLUGINS_SUPPROT_LDADD='${top_builddir}/src/plugin_frame/libplugin_frame.la' + + AC_SUBST(PLUGINS_SUPPORT_CPPFLAGS) + AC_SUBST(PLUGINS_SUPPORT_CFLAGS) + AC_SUBST(PLUGINS_SUPPORT_LDFLAGS) + AC_SUBST(PLUGINS_SUPPORT_LDADD) fi + AC_MSG_RESULT($enable_plugins_support) @@ -827,6 +852,7 @@ AC_CONFIG_FILES([ src/include-glibc/Makefile src/libipsec/Makefile src/setkey/Makefile + src/plugin_frame/Makefile src/racoon/Makefile src/racoon/samples/psk.txt src/racoon/samples/racoon.conf Index: ipsec-tools-0.7.3/src/racoon/isakmp.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/isakmp.c +++ ipsec-tools-0.7.3/src/racoon/isakmp.c 
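Review bot: `PLUGINS_SUPPROT_LDADD='${top_builddir}/src/plugin_frame/libplugin_frame.la'` misspells the variable, so AC_SUBST(PLUGINS_SUPPORT_LDADD) substitutes an empty string and any Makefile relying on @PLUGINS_SUPPORT_LDADD@ gets no library; the Makefile.am hunk above works around this by hard-coding the path. src/plugin_frame/Makefile is added to AC_CONFIG_FILES unconditionally, which only works if that directory is always present in the tree. In the --enable-apclient block, AC_MSG_RESULT(ok) followed by AC_MSG_RESULT($enable_apclient) prints two results for one check; drop the inner one.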
@@ -107,6 +107,13 @@ #include <fcntl.h> +#ifdef PLUGINS_SUPPORT +#include "plugin_frame/common.h" +#include "plugin_frame/framework.h" +#include "plugin_frame/position.h" +#include "plugin_frame/error.h" +#endif + #ifdef ENABLE_NATT # include "nattraversal.h" #endif @@ -779,6 +786,13 @@ ph1_main(iph1, msg) struct timeval start, end; #endif +#ifdef PLUGINS_SUPPORT + void *inarr = NULL, *outarr = NULL; + int *val = NULL ; + struct hookpoint hpoint, *hp = NULL; + int isrekeyreq = 0; + char *keyval = NULL; +#endif /* ignore a packet */ if (iph1->status == PHASE1ST_ESTABLISHED) return 0; 
@@ -853,32 +867,54 @@ ph1_main(iph1, msg) #ifdef ENABLE_STATS gettimeofday(&iph1->end, NULL); syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", s_isakmp_etype(iph1->etype), - timedelta(&iph1->start, &iph1->end)); + "phase1", s_isakmp_etype(iph1->etype), + timedelta(&iph1->start, &iph1->end)); #endif /* save created date. */ (void)time(&iph1->created); - /* add to the schedule to expire, and seve back pointer. */ - iph1->sce = sched_new(iph1->approval->lifetime, - isakmp_ph1expire_stub, iph1); +#ifdef PLUGINS_SUPPORT + //get the ike attribs from the registered plugins + hp = &hpoint; + mk_hookpoint(IS_REKEYREQ_TYPE, 0, /*ANY*/0, MAKE_POS(ISAKMP_ETYPE_AGG, TPIKE_MIDX_INITIATOR, TPIKE_MIDX_SEND, 0 /* Any. Change it to 1 */ , 0xff, 0xff), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 0); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) == TPIKE_STATUS_SUCCESS) { + + if (tpike_pack_out(outarr, 1, TPIKE_DTYPE_INT32PT, &val) == TPIKE_STATUS_SUCCESS) + isrekeyreq = *val; + } + + if(isrekeyreq){ + plog(LLV_DEBUG, LOCATION, iph1->remote, "ADDED PHASE1 REKEY TIMER.\n"); +#endif + /* add to the schedule to expire, and seve back pointer. 
*/ + iph1->sce = sched_new(iph1->approval->lifetime, + isakmp_ph1expire_stub, iph1); +#ifdef PLUGINS_SUPPORT + } + else{ + plog(LLV_DEBUG, LOCATION, iph1->remote, "PHASE1 REKEY TIMER NOT CHOSEN.\n"); + } +#endif #ifdef ENABLE_HYBRID if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) { switch(AUTHMETHOD(iph1)) { - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - xauth_sendreq(iph1); - /* XXX Don't process INITIAL_CONTACT */ - iph1->rmconf->ini_contact = 0; - break; - default: - break; + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: + xauth_sendreq(iph1); + /* XXX Don't process INITIAL_CONTACT */ + iph1->rmconf->ini_contact = 0; + break; + default: + break; } } #endif @@ -891,14 +927,14 @@ ph1_main(iph1, msg) /* INITIAL-CONTACT processing */ /* don't anything if local test mode. */ if (!f_local - && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { + && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { /* send INITIAL-CONTACT */ isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INITIAL_CONTACT, NULL); /* insert a node into contacted list. */ if (inscontacted(iph1->remote) == -1) { plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to add contacted list.\n"); + "failed to add contacted list.\n"); /* ignore */ } } 
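Review bot: With PLUGINS_SUPPORT defined, the phase-1 lifetime timer `iph1->sce = sched_new(iph1->approval->lifetime, isakmp_ph1expire_stub, iph1)` is scheduled only when a plugin answers the IS_REKEYREQ_TYPE hook with a non-zero value; `isrekeyreq` starts at 0 and stays 0 when `tpike_dispatch_generic` or `tpike_pack_out` fails or no plugin is registered, so the negotiated ISAKMP SA lifetime is silently never enforced in the default case. Make the hook an opt-out rather than an opt-in so a missing or failing plugin keeps the expiry, e.g. `isrekeyreq = 1; /* keep the lifetime timer unless a plugin explicitly declines it */` before the dispatch, and guard the dereference: `if (tpike_pack_out(outarr, 1, TPIKE_DTYPE_INT32PT, &val) == TPIKE_STATUS_SUCCESS && val != NULL) isrekeyreq = *val;`. Whether `inarr` and `outarr` must be released by the caller depends on the plugin framework's ownership rules, which are not visible here; confirm there is no per-negotiation leak. ph1_main begins and ends outside this hunk.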
@@ -912,22 +948,22 @@ ph1_main(iph1, msg) * case it is done when we receive the configuration. */ if ((iph1->status == PHASE1ST_ESTABLISHED) && - !iph1->rmconf->mode_cfg) { + !iph1->rmconf->mode_cfg) { switch (AUTHMETHOD(iph1)) { #ifdef ENABLE_HYBRID - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: - /* Unimplemeted... */ - case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: - case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: - break; -#endif - default: - script_hook(iph1, SCRIPT_PHASE1_UP); - break; + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: + /* Unimplemeted... */ + case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: + case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: + break; +#endif + default: + script_hook(iph1, SCRIPT_PHASE1_UP); + break; } } } 
@@ -3626,3 +3662,111 @@ setscopeid(sp_addr0, sa_addr0) return 0; } #endif +#ifdef PLUGINS_SUPPORT +struct payload_list *isakmp_plist_insert_vendorid_payload( + struct payload_list *plist, + struct ph1handle *iph1, + u_int8_t myposition) +{ + int index = 0, incount = 0; + u_int32_t position = 0; + struct payload_list *newpayload = NULL, *current = NULL, *anchorpl = NULL, *pl = plist, *first; + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + void *inarr = NULL, *outarr = NULL; + char *keyval = NULL; + + /* Seek to the first item. */ + while (pl->prev) pl = pl->prev; + first = pl; + + hinfo = racoon_malloc(sizeof (struct handlerinfo)); + if(hinfo == NULL) + { + return first; + } + + hp = &hpoint; + + for( ;pl != NULL; pl = pl->next) + { + //TODO: Take care of inserting as first payload + mk_hookpoint(PAYLOAD_TYPE, ISAKMP_NPTYPE_VID, /*ANY*/0, MAKE_POS2(iph1->etype, myposition, pl->payload_type, (pl->next != NULL)? pl->next->payload_type : ISAKMP_NPTYPE_NONE), 0, 0, keyval, hp); + + tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTIPH1, iph1); + + if(tpike_dispatch_generic(&hpoint, inarr, &outarr) != TPIKE_STATUS_SUCCESS) + continue; + + if(tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTPAYLOADLIST, &newpayload) != TPIKE_STATUS_SUCCESS) + continue; + + anchorpl = pl; + for(; newpayload && pl; pl = pl->next) + { + //if((pl->next->prev = racoon_malloc (sizeof (struct payload_list))) == NULL) + if((current = racoon_malloc (sizeof (struct payload_list))) == NULL) + continue; //malloc has failed, do we want to continue? 
+ current->payload = vmalloc(newpayload->payload->l); + memcpy(current->payload->v, newpayload->payload->v, newpayload->payload->l); + current->payload_type = newpayload->payload_type; + current->next = current->prev = NULL; + + if(!pl->next) { + current = pl->next; + current->prev = pl; + } + else { + pl->next->prev = current; + current->next = pl->next; + current->prev = pl; + pl->next = current; + } + + //if(!newpayload->next) + // break; + newpayload = newpayload->next; + + } + pl = anchorpl; + break; //remove once framework takes care of payload match according to k1 & k2 + + } + + return first; +} + + +int verify_payload( + u_int8_t payloadtype, + u_int8_t etype, + u_int8_t side, + u_int8_t sendorrecv, + u_int8_t msgindx, + void *pl, + void **buf) +{ + struct hookpoint hpoint, *hp; + struct handlerinfo *hinfo; + struct isakmp_data **resp = (struct isakmp_data **)buf; + void *outarr = NULL, *inarr = NULL; + int index = 0, incount = 0; + u_int32_t position = 0, status = TPIKE_STATUS_SUCCESS; + char *keyval = NULL; + + hp = &hpoint; + + mk_hookpoint(PAYLOAD_TYPE, payloadtype, /*ANY*/0, MAKE_POS(etype, side, sendorrecv, msgindx, 0xff, 0xff), 0, 0, keyval, hp); + + if((status = tpike_pack_in(&inarr, 1, TPIKE_DTYPE_STRUCTISAKMPGEN, pl)) == TPIKE_STATUS_SUCCESS) { + + if((status = tpike_dispatch_generic(&hpoint, inarr, &outarr)) == TPIKE_STATUS_SUCCESS) { + + status = tpike_pack_out(outarr, 1, TPIKE_DTYPE_STRUCTISAKMPDATA, resp); //plugin should respond with success/error value + } + + } + return status; //should return status returned by plugin +} + +#endif Index: ipsec-tools-0.7.3/src/racoon/remoteconf.c =================================================================== --- ipsec-tools-0.7.3.orig/src/racoon/remoteconf.c +++ ipsec-tools-0.7.3/src/racoon/remoteconf.c 
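Review bot: In `isakmp_plist_insert_vendorid_payload`, the append-at-tail branch `if(!pl->next) { current = pl->next; current->prev = pl; }` overwrites the freshly allocated node with NULL and then dereferences it, so every insertion after the last payload crashes and leaks the node; the intended statement is `pl->next = current;`. The `vmalloc` result is written to by `memcpy` without a NULL check, `hinfo` is allocated and never used or freed on any path, and `while (pl->prev)` dereferences `plist` before checking it is non-NULL. `verify_payload` carries unused locals (`hinfo`, `index`, `incount`, `position`) and returns whatever `tpike_pack_out` reports, leaving `*resp` unset on failure; whether `inarr`/`outarr` are owned by the caller is not visible here, so confirm they are released. Both functions lie entirely within the hunk.
```c
			if((current = racoon_malloc (sizeof (struct payload_list))) == NULL)
				continue;
			current->payload = vmalloc(newpayload->payload->l);
			if (current->payload == NULL) {
				racoon_free(current);	/* nothing linked yet, so drop the node */
				continue;
			}
			/* … unchanged: copy of payload bytes and type, next/prev reset … */

			if(!pl->next) {
				pl->next = current;	/* link the new tail; original assigned NULL to current here */
				current->prev = pl;
			}
			else {
				/* … unchanged: mid-list splice … */
			}
```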
@@ -302,10 +302,15 @@ delrmconf(rmconf) if (rmconf->xauth) xauth_rmconf_delete(&rmconf->xauth); #endif + if (rmconf->remote) + racoon_free(rmconf->remote); + if (rmconf->etypes){ deletypes(rmconf->etypes); rmconf->etypes=NULL; } + if (rmconf->idv) + racoon_free(rmconf->idv); if (rmconf->idvl_p) genlist_free(rmconf->idvl_p, idspec_free); if (rmconf->dhgrp) @@ -453,6 +458,10 @@ newisakmpsa() new->gssid = NULL; #endif +#ifdef PLUGINS_SUPPORT + new->pluginikeattribs = NULL; +#endif + return new; }
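Review bot: The new `racoon_free(rmconf->remote)` and `racoon_free(rmconf->idv)` calls leave dangling pointers inside the struct, unlike the `rmconf->etypes=NULL` reset in the context lines this hunk keeps; if `delrmconf` touches those fields after this point (its tail is outside the hunk), they are use-after-free candidates. Mirror the existing pattern: `racoon_free(rmconf->remote); rmconf->remote = NULL;` and likewise for `idv`. This also presumes `remote` and `idv` are owned solely by this rmconf rather than shared with a duplicated configuration, which the patch does not show; confirm against the code that populates them.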
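Review bot: `newisakmpsa` in the `@@ -453,6 +458,10 @@` hunk initialises `new->pluginikeattribs` to NULL, but the patch shows no matching release of that field when the proposal is destroyed; if plugins attach heap data to it, each renegotiated proposal leaks it. Add the counterpart in the routine that frees the isakmpsa (not visible here), or document on the field that the plugin owns and frees the attribute storage, e.g. `/* plugin-owned; released by the plugin framework, not by delisakmpsa */` if that is the intended contract.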