/* Processs a SADB_ACQUIRE message from KLIPS.
* Try to build an opportunistic connection!
* See RFC 2367 "PF_KEY Key Management API, Version 2" 3.1.6
* <base, address(SD), (address(P)), (identity(SD),) (sensitivity,) proposal>
* - extensions for source and data IP addresses
* - optional extensions for identity [not useful for us?]
* - optional extension for sensitivity [not useful for us?]
* - expension for proposal [not useful for us?]
*
* ??? We must use the sequence number in creating an SA.
* We actually need to create up to 4 SAs each way. Which one?
* I guess it depends on the protocol present in the sadb_msg_satype.
* For now, we'll ignore this requirement.
*
* ??? We need some mechanism to make sure that multiple ACQUIRE messages
* don't cause a whole bunch of redundant negotiations.
*/
static void
process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
{
struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
int src_proto = srcx->sadb_address_proto;
int dst_proto = dstx->sadb_address_proto;
ip_address *src = (ip_address*)&srcx[1];
ip_address *dst = (ip_address*)&dstx[1];
ip_subnet ours, his;
err_t ugh = NULL;
/* assumption: we're only catching our own outgoing packets
* so source is our end and destination is the other end.
* Verifying this is not actually convenient.
*
* This stylized control structure yields a complaint or
* desired results. For compactness, a pointer value is
* treated as a boolean. Logically, the structure is:
* keep going as long as things are OK.
*/
if (buf->msg.sadb_msg_pid == 0 /* we only wish to hear from kernel */
&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
&& !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
&& !(ugh = addrtosubnet(src, &ours))
&& !(ugh = addrtosubnet(dst, &his)))
record_and_initiate_opportunistic(&ours, &his, 0, "%acquire-pfkey");
if (ugh != NULL)
plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
}
void init_constants(void)
{
happy(anyaddr(AF_INET, &ipv4_any));
happy(anyaddr(AF_INET6, &ipv6_any));
happy(addrtosubnet(&ipv4_any, &ipv4_wildcard));
happy(addrtosubnet(&ipv6_any, &ipv6_wildcard));
happy(initsubnet(&ipv4_any, 0, '0', &ipv4_all));
happy(initsubnet(&ipv6_any, 0, '0', &ipv6_all));
}
static void
netlink_acquire(struct nlmsghdr *n)
{
struct xfrm_user_acquire *acquire;
const xfrm_address_t *srcx, *dstx;
int src_proto, dst_proto;
ip_address src, dst;
ip_subnet ours, his;
unsigned family;
unsigned transport_proto;
err_t ugh = NULL;
if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
{
openswan_log("netlink_acquire got message with length %lu < %lu bytes; ignore message"
, (unsigned long) n->nlmsg_len
, (unsigned long) sizeof(*acquire));
return;
}
acquire = NLMSG_DATA(n);
srcx = &acquire->sel.saddr;
dstx = &acquire->sel.daddr;
family = acquire->policy.sel.family;
transport_proto = acquire->sel.proto;
src_proto = 0; /* XXX-MCR where to get protocol from? */
dst_proto = 0; /* ditto */
/* XXX also the type of src/dst should be checked to make sure
* that they aren't v4 to v6 or something goofy
*/
if (!(ugh = xfrm_to_ip_address(family, srcx, &src))
&& !(ugh = xfrm_to_ip_address(family, dstx, &dst))
&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
&& !(ugh = addrtosubnet(&src, &ours))
&& !(ugh = addrtosubnet(&dst, &his)))
record_and_initiate_opportunistic(&ours, &his, transport_proto
, "%acquire-netlink");
if (ugh != NULL)
openswan_log("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
}
/** Lookup information about the hostpair, and set things like bandwidth
* relative crypto strength, compression and credentials.
*
* @param IPsec Policy Query
* @return void
*/
static void
info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq)
{
struct connection *c;
struct state *p1st, *p2st;
/* default result: no crypto */
ipcq->strength = IPSEC_PRIVACY_NONE;
ipcq->bandwidth = IPSEC_QOS_WIRESPEED;
ipcq->credential_count = 0;
#ifdef DEBUG
{
char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF];
addrtot(&ipcq->query_local, 0, sstr, sizeof(sstr));
addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr));
DBG_log("info request for %s -> %s", sstr, dstr);
}
#endif
/* okay, look up what connection handles this ip pair */
c = find_connection_for_clients(NULL,
&ipcq->query_local,
&ipcq->query_remote,
ipcq->proto);
if (c == NULL)
{
/* try reversing it */
c = find_connection_for_clients(NULL,
&ipcq->query_remote,
&ipcq->query_local,
ipcq->proto);
if (c != NULL)
{
ip_address tmp;
/* If it is reversed, swap it */
tmp = ipcq->query_local;
ipcq->query_local = ipcq->query_remote;
ipcq->query_remote = tmp;
}
}
if (c == NULL)
{
#ifdef DEBUG
DBG_log("no connection found");
#endif
return; /* no crypto */
}
if (c->newest_ipsec_sa == SOS_NOBODY)
{
ip_subnet us, them;
DBG_log("connection %s found, no ipsec state, looking again", c->name);
addrtosubnet(&ipcq->query_local, &us);
addrtosubnet(&ipcq->query_remote, &them);
c = find_client_connection(c, &us, &them, 0, 0, 0, 0);
if (c == NULL)
return; /* no crypto */
}
DBG_log("connection %s[%ld] with state %u"
, c->name, c->instance_serial
, (unsigned int)c->newest_ipsec_sa);
if (c->newest_ipsec_sa == SOS_NOBODY)
return; /* no crypto */
/* we found a connection, try to lookup the state */
p2st = state_with_serialno(c->newest_ipsec_sa);
p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
if (p1st == NULL || p2st == NULL)
{
DBG_log("connection %s[%ld] has missing states %s %s"
, c->name, c->instance_serial
, (p1st ? "phase1" : "")
, (p2st ? "phase1" : ""));
return; /* no crypto */
}
/* if we have AH present, then record minimal info */
if (p2st->st_ah.present)
{
ipcq->strength = IPSEC_PRIVACY_INTEGRAL;
ipcq->auth_detail = p2st->st_esp.attrs.transattrs.integ_hash;
}
if (p2st->st_esp.present)
{
/*
* XXX-mcr Please do not shout at me about relative strengths
* here. I'm not a cryptographer. I just diddle bits.
*/
switch (p2st->st_esp.attrs.transattrs.encrypt)
{
case ESP_NULL:
/* actually, do not change it if we set it from AH */
break;
case ESP_DES:
case ESP_DES_IV64:
case ESP_DES_IV32:
case ESP_RC4:
ipcq->strength = IPSEC_PRIVACY_ROT13;
break;
case ESP_RC5:
case ESP_IDEA:
case ESP_CAST:
case ESP_BLOWFISH:
case ESP_3DES:
ipcq->strength = IPSEC_PRIVACY_PRIVATE;
ipcq->bandwidth = IPSEC_QOS_VOIP;
break;
case ESP_3IDEA:
ipcq->strength = IPSEC_PRIVACY_STRONG;
ipcq->bandwidth = IPSEC_QOS_INTERACTIVE;
break;
case ESP_AES:
ipcq->strength = IPSEC_PRIVACY_STRONG;
ipcq->bandwidth = IPSEC_QOS_FTP;
break;
}
ipcq->esp_detail = p2st->st_esp.attrs.transattrs.encrypt;
}
if (p2st->st_ipcomp.present)
ipcq->comp_detail = p2st->st_esp.attrs.transattrs.encrypt;
/* now! the credentails that were used */
/* for the moment we only have 1 credential, the DNS name,
* because the DNS servers do not return the chain of SIGs yet
*/
if(!c->spd.this.key_from_DNS_on_demand)
{
/* the key didn't come from the DNS in some way,
* so it must have been loaded locally.
*/
ipcq->credential_count = 1;
ipcq->credentials[0].ii_type = c->spd.this.id.kind;
ipcq->credentials[0].ii_format = CERT_RAW_RSA;
}
#if 0
switch (c->spd.id.kind)
{
case ID_IPV4_ADDR:
}
if (c->gw_info == NULL)
{
plog("rcv_info: connection %s had NULL gw_info.", c->name);
return
}
#endif
ipcq->credential_count = 1;
/* pull credentials out of gw_info */
switch (p1st->st_peer_pubkey->dns_auth_level)
{
case DAL_UNSIGNED:
case DAL_NOTSEC:
/* these seem to be the same for this purpose */
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_type = CERT_NONE;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
break;
case DAL_SIGNED:
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
if (p1st->st_peer_pubkey->dns_sig != NULL)
{
strncat(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig
, p1st->st_peer_pubkey->dns_sig
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig) - strlen(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig -1));
}
break;
case DAL_LOCAL:
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_format = CERT_RAW_RSA;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name
, sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name));
break;
}
}
static bool validate_end(struct ub_ctx *dnsctx ,
#endif
struct starter_conn *conn_st,
struct starter_end *end,
const char *leftright,
bool resolvip UNUSED,
err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
# define ERR_FOUND(...) { err |= error_append(&err_str, __VA_ARGS__); }
if (!end->options_set[KNCF_IP])
conn_st->state = STATE_INCOMPLETE;
end->addrtype = end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch (end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_IFACE", leftright);
break;
case KH_IPADDR:
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0] == '%') {
pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (!starter_iface_find(end->iface, family,
&end->addr,
&end->nexthop))
conn_st->state = STATE_INVALID;
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family,
&(end->addr));
if (er != NULL) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if (end->id == NULL) {
ipstr_buf b;
end->id = clone_str(ipstr(&end->addr, &b), "end if");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPORTUNISTIC;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPORTUNISTIC | POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* generally, this doesn't show up at this stage */
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_IPHOSTNAME", leftright);
break;
case KH_DEFAULTROUTE:
starter_log(LOG_LEVEL_DEBUG,
"starter: %s is KH_DEFAULTROUTE", leftright);
break;
case KH_NOTSET:
starter_log(LOG_LEVEL_DEBUG, "starter: %s is KH_NOTSET", leftright);
break;
}
/* validate the KSCF_SUBNET */
if (end->strings_set[KSCF_SUBNET]) {
char *value = end->strings[KSCF_SUBNET];
if (end->strings_set[KSCF_ADDRESSPOOL]) {
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=", leftright,
leftright);
}
if (startswith(value, "vhost:") || startswith(value, "vnet:")) {
er = NULL;
end->virt = clone_str(value, "validate_end item");
} else {
end->has_client = TRUE;
er = ttosubnet(value, 0, family, &(end->subnet));
}
if (er != NULL)
ERR_FOUND("bad subnet %ssubnet=%s [%s]", leftright,
value, er);
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if (end->strings_set[KSCF_NEXTHOP]) {
char *value = end->strings[KSCF_NEXTHOP];
if (strcaseeq(value, "%defaultroute")) {
end->nexttype = KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %snexthop value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->nexthop)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->nexthop)))
ERR_FOUND("bad value for %snexthop=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family,
&(end->nexthop));
if (er != NULL)
ERR_FOUND("bad value for %snexthop=%s [%s]",
leftright, value,
er);
#endif
}
end->nexttype = KH_IPADDR;
}
} else {
#if 0
if (conn_st->policy & POLICY_OPPORTUNISTIC)
end->nexttype = KH_DEFAULTROUTE;
#endif
anyaddr(family, &end->nexthop);
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
}
/* validate the KSCF_ID */
if (end->strings_set[KSCF_ID]) {
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if (end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch (end->options[KSCF_RSAKEY1]) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if (end->strings[KSCF_RSAKEY1] != NULL) {
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if (end->strings[KSCF_RSAKEY2] != NULL) {
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if (end->strings_set[KSCF_SOURCEIP]) {
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->sourceip)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->sourceip)) != NULL) {
#ifdef DNSSEC
starter_log(LOG_LEVEL_DEBUG,
"Calling unbound_resolve() for %ssourceip value",
leftright);
if (!unbound_resolve(dnsctx, value,
strlen(value), AF_INET,
&(end->sourceip)) &&
!unbound_resolve(dnsctx, value,
strlen(value), AF_INET6,
&(end->sourceip)))
ERR_FOUND("bad value for %ssourceip=%s\n",
leftright, value);
#else
er = ttoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad addr %ssourceip=%s [%s]",
leftright, value, er);
#endif
} else {
er = tnatoaddr(value, 0, family, &(end->sourceip));
if (er != NULL)
ERR_FOUND("bad numerical addr %ssourceip=%s [%s]",
leftright, value, er);
}
if (!end->has_client) {
starter_log(LOG_LEVEL_INFO,
"%ssourceip= used but not %ssubnet= defined, defaulting %ssubnet to %s",
leftright, leftright, leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er != NULL) {
ERR_FOUND("attempt to default %ssubnet from %s failed: %s",
leftright, value, er);
}
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if (end->strings_set[KSCF_CERT])
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
if (end->strings_set[KSCF_CA])
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
if (end->strings_set[KSCF_UPDOWN])
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
if (end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
&end->has_port_wildcard);
if (ugh != NULL)
ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value,
ugh);
}
if (end->strings_set[KSCF_ADDRESSPOOL]) {
char *addresspool = end->strings[KSCF_ADDRESSPOOL];
if (end->strings_set[KSCF_SUBNET])
ERR_FOUND("cannot specify both %ssubnet= and %saddresspool=",
leftright, leftright);
starter_log(LOG_LEVEL_DEBUG,
"connection's %saddresspool set to: %s",
leftright, end->strings[KSCF_ADDRESSPOOL] );
er = ttorange(addresspool, 0, AF_INET, &end->pool_range, TRUE);
if (er != NULL)
ERR_FOUND("bad %saddresspool=%s [%s]", leftright,
addresspool, er);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT])
conn_st->policy |= POLICY_XAUTH;
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if (err)
*perr = err_str;
return err;
# undef ERR_FOUND
}
/**
* Validate that yes in fact we are one side of the tunnel
*
* The function checks that IP addresses are valid, nexthops are
* present (if needed) as well as policies, and sets the leftID
* from the left= if it isn't set.
*
* @param conn_st a connection definition
* @param end a connection end
* @param left boolean (are we 'left'? 1 = yes, 0 = no)
* @param perr pointer to char containing error value
* @return bool TRUE if failed
*/
static bool validate_end(struct starter_conn *conn_st
, struct starter_end *end
, bool left
, bool resolvip UNUSED
, err_t *perr)
{
err_t er = NULL;
char *err_str = NULL;
const char *leftright=(left ? "left" : "right");
int family = conn_st->options[KBF_CONNADDRFAMILY];
bool err = FALSE;
#define ERR_FOUND(args...) do { err += error_append(&err_str, ##args); } while(0)
if(!end->options_set[KNCF_IP]) {
conn_st->state = STATE_INCOMPLETE;
}
end->addrtype=end->options[KNCF_IP];
end->addr_family = family;
/* validate the KSCF_IP/KNCF_IP */
switch(end->addrtype) {
case KH_ANY:
anyaddr(family, &(end->addr));
break;
case KH_IFACE:
/* generally, this doesn't show up at this stage */
break;
case KH_IPADDR:
/* right=/left= */
assert(end->strings[KSCF_IP] != NULL);
if (end->strings[KSCF_IP][0]=='%') {
if (end->iface) pfree(end->iface);
end->iface = clone_str(end->strings[KSCF_IP] + 1, "KH_IPADDR end->iface");
if (starter_iface_find(end->iface, family, &(end->addr),
&(end->nexthop)) == -1) {
conn_st->state = STATE_INVALID;
}
/* not numeric, so set the type to the iface type */
end->addrtype = KH_IFACE;
break;
}
er = ttoaddr_num(end->strings[KNCF_IP], 0, family, &(end->addr));
if(er) {
/* not numeric, so set the type to the string type */
end->addrtype = KH_IPHOSTNAME;
}
if(end->id == NULL) {
char idbuf[ADDRTOT_BUF];
addrtot(&end->addr, 0, idbuf, sizeof(idbuf));
end->id= clone_str(idbuf, "end id");
}
break;
case KH_OPPO:
conn_st->policy |= POLICY_OPPO;
break;
case KH_OPPOGROUP:
conn_st->policy |= POLICY_OPPO|POLICY_GROUP;
break;
case KH_GROUP:
conn_st->policy |= POLICY_GROUP;
break;
case KH_IPHOSTNAME:
/* XXX */
break;
case KH_DEFAULTROUTE:
break;
case KH_NOTSET:
break;
}
/* validate the KSCF_SUBNET */
if(end->strings_set[KSCF_SUBNET])
{
char *value = end->strings[KSCF_SUBNET];
if ( ((strlen(value)>=6) && (strncmp(value,"vhost:",6)==0)) ||
((strlen(value)>=5) && (strncmp(value,"vnet:",5)==0)) ) {
er = NULL;
end->virt = clone_str(value, "end->virt");
}
else {
end->has_client = TRUE;
er = ttosubnet(value, 0, 0, &(end->subnet));
}
if (er) ERR_FOUND("bad subnet %ssubnet=%s [%s] family=%s", leftright, value, er, family2str(family));
}
/* set nexthop address to something consistent, by default */
anyaddr(family, &end->nexthop);
anyaddr(addrtypeof(&end->addr), &end->nexthop);
/* validate the KSCF_NEXTHOP */
if(end->strings_set[KSCF_NEXTHOP])
{
char *value = end->strings[KSCF_NEXTHOP];
if(strcasecmp(value, "%defaultroute")==0) {
end->nexttype=KH_DEFAULTROUTE;
} else {
if (tnatoaddr(value, strlen(value), AF_INET,
&(end->nexthop)) != NULL &&
tnatoaddr(value, strlen(value), AF_INET6,
&(end->nexthop)) != NULL) {
er = ttoaddr(value, 0, family, &(end->nexthop));
if (er) ERR_FOUND("bad addr %snexthop=%s [%s]", leftright, value, er);
}
end->nexttype = KH_IPADDR;
}
} else {
if (end->addrtype == KH_DEFAULTROUTE) {
end->nexttype = KH_DEFAULTROUTE;
}
anyaddr(family, &end->nexthop);
}
/* validate the KSCF_ID */
if(end->strings_set[KSCF_ID])
{
char *value = end->strings[KSCF_ID];
pfreeany(end->id);
end->id = clone_str(value, "end->id");
}
if(end->options_set[KSCF_RSAKEY1]) {
end->rsakey1_type = end->options[KSCF_RSAKEY1];
end->rsakey2_type = end->options[KSCF_RSAKEY2];
switch(end->rsakey1_type) {
case PUBKEY_DNS:
case PUBKEY_DNSONDEMAND:
end->key_from_DNS_on_demand = TRUE;
break;
default:
end->key_from_DNS_on_demand = FALSE;
/* validate the KSCF_RSAKEY1/RSAKEY2 */
if(end->strings[KSCF_RSAKEY1] != NULL)
{
char *value = end->strings[KSCF_RSAKEY1];
pfreeany(end->rsakey1);
end->rsakey1 = (unsigned char *)clone_str(value,"end->rsakey1");
}
if(end->strings[KSCF_RSAKEY2] != NULL)
{
char *value = end->strings[KSCF_RSAKEY2];
pfreeany(end->rsakey2);
end->rsakey2 = (unsigned char *)clone_str(value,"end->rsakey2");
}
}
}
/* validate the KSCF_SOURCEIP, if any, and if set,
* set the subnet to same value, if not set.
*/
if(end->strings_set[KSCF_SOURCEIP])
{
char *value = end->strings[KSCF_SOURCEIP];
if (tnatoaddr(value, strlen(value), AF_INET, &(end->sourceip)) != NULL
&& tnatoaddr(value, strlen(value), AF_INET6, &(end->sourceip)) != NULL) {
er = ttoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad addr %ssourceip=%s [%s]", leftright, value, er);
} else {
er = tnatoaddr(value, 0, 0, &(end->sourceip));
if (er) ERR_FOUND("bad numerical addr %ssourceip=%s [%s]", leftright, value, er);
}
if(!end->has_client) {
starter_log(LOG_LEVEL_INFO, "defaulting %ssubnet to %s\n", leftright, value);
er = addrtosubnet(&end->sourceip, &end->subnet);
if (er) ERR_FOUND("attempt to default %ssubnet from %s failed: %s", leftright, value, er);
end->has_client = TRUE;
end->has_client_wildcard = FALSE;
}
}
/* copy certificate path name */
if(end->strings_set[KSCF_CERT]) {
end->cert = clone_str(end->strings[KSCF_CERT], "KSCF_CERT");
}
if(end->strings_set[KSCF_CA]) {
end->ca = clone_str(end->strings[KSCF_CA], "KSCF_CA");
}
if(end->strings_set[KSCF_UPDOWN]) {
end->updown = clone_str(end->strings[KSCF_UPDOWN], "KSCF_UPDOWN");
}
if(end->strings_set[KSCF_PROTOPORT]) {
err_t ugh;
char *value = end->strings[KSCF_PROTOPORT];
ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &end->has_port_wildcard);
if (ugh) ERR_FOUND("bad %sprotoport=%s [%s]", leftright, value, ugh);
}
if (end->options_set[KNCF_XAUTHSERVER] ||
end->options_set[KNCF_XAUTHCLIENT]) {
conn_st->policy |= POLICY_XAUTH;
}
/*
KSCF_SUBNETWITHIN --- not sure what to do with it.
KSCF_ESPENCKEY --- todo (manual keying)
KSCF_ESPAUTHKEY --- todo (manual keying)
KSCF_SOURCEIP = 16,
KSCF_MAX = 19
*/
if(err) *perr = err_str;
return err;
# undef ERR_FOUND
}
static void
cannot_oppo(struct connection *c
, struct find_oppo_bundle *b
, err_t ughmsg)
{
char pcb[ADDRTOT_BUF];
char ocb[ADDRTOT_BUF];
addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
addrtot(&b->our_client, 0, ocb, sizeof(ocb));
DBG(DBG_OPPO,
openswan_log("Can not opportunistically initiate for %s to %s: %s"
, ocb, pcb, ughmsg));
whack_log(RC_OPPOFAILURE
, "Can not opportunistically initiate for %s to %s: %s"
, ocb, pcb, ughmsg);
if (c != NULL && c->policy_next != NULL)
{
/* there is some policy that comes afterwards */
struct spd_route *shunt_spd;
struct connection *nc = c->policy_next;
struct state *st;
passert(c->kind == CK_TEMPLATE);
passert(nc->kind == CK_PERMANENT);
DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
, ocb, pcb, nc->name));
/*
* okay, here we need add to the "next" policy, which is ought
* to be an instance.
* We will add another entry to the spd_route list for the specific
* situation that we have.
*/
shunt_spd = clone_thing(nc->spd, "shunt eroute policy");
shunt_spd->next = nc->spd.next;
nc->spd.next = shunt_spd;
happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
shunt_spd->that.has_client = FALSE;
/*
* override the tunnel destination with the one from the secondaried
* policy
*/
shunt_spd->that.host_addr = nc->spd.that.host_addr;
/* now, lookup the state, and poke it up.
*/
st = state_with_serialno(nc->newest_ipsec_sa);
/* XXX what to do if the IPSEC SA has died? */
passert(st != NULL);
/* link the new connection instance to the state's list of
* connections
*/
DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
, nc->newest_ipsec_sa
, ocb, pcb));
#ifdef DEBUG
if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
{
char state_buf[LOG_WIDTH];
char state_buf2[LOG_WIDTH];
const time_t n = now();
fmt_state(st, n, state_buf, sizeof(state_buf)
, state_buf2, sizeof(state_buf2));
DBG_log("cannot_oppo, failure SA1: %s", state_buf);
DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
}
#endif /* DEBUG */
if (!route_and_eroute(c, shunt_spd, st))
{
whack_log(RC_OPPOFAILURE
, "failed to instantiate shunt policy %s for %s to %s"
, c->name
, ocb, pcb);
}
return;
}
/*
* NETKEY default for level param in tmpl is required, so no traffic will
* transmitted until an SA is fully up
*/
if (b->held && kern_interface != USE_NETKEY)
{
int failure_shunt = b->failure_shunt;
/* Replace HOLD with b->failure_shunt.
* If no failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
*/
if (failure_shunt == 0)
{
DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; removing spurious hold shunt"
, ocb, pcb));
}
(void) replace_bare_shunt(&b->our_client, &b->peer_client
, b->policy_prio
, failure_shunt
, failure_shunt != 0
, b->transport_proto
, ughmsg);
}
}
