1 /*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <unistd.h>
21 #include <sys/param.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <netinet/ip.h>
26 #include <netdb.h>
27 #include <fcntl.h>
28
29 #include "config.h"
30 #include "gcmalloc.h"
31 #include "libpfkey.h"
32 #include "var.h"
33 #include "isakmp_var.h"
34 #include "isakmp.h"
35 #include "isakmp_xauth.h"
36 #include "vmbuf.h"
37 #include "crypto_openssl.h"
38 #include "oakley.h"
39 #include "ipsec_doi.h"
40 #include "algorithm.h"
41 #include "vendorid.h"
42 #include "schedule.h"
43 #include "pfkey.h"
44 #include "nattraversal.h"
45 #include "proposal.h"
46 #include "sainfo.h"
47 #include "localconf.h"
48 #include "remoteconf.h"
49 #include "sockmisc.h"
50 #include "grabmyaddr.h"
51 #include "plog.h"
52 #include "admin.h"
53 #include "privsep.h"
54 #include "throttle.h"
55 #include "misc.h"
56
57 static struct localconf localconf;
58 static struct sainfo sainfo;
59 static char *pre_shared_key;
60
61 static struct sockaddr *targets[2];
62 static struct sockaddr *source;
63 static struct myaddrs myaddrs[2];
64
65 struct localconf *lcconf = &localconf;
66 int f_local = 0;
67
68 /*****************************************************************************/
69
add_sainfo_algorithm(int class,int algorithm,int length)70 static void add_sainfo_algorithm(int class, int algorithm, int length)
71 {
72 struct sainfoalg *p = calloc(1, sizeof(struct sainfoalg));
73 p->alg = algorithm;
74 p->encklen = length;
75
76 if (!sainfo.algs[class]) {
77 sainfo.algs[class] = p;
78 } else {
79 struct sainfoalg *q = sainfo.algs[class];
80 while (q->next) {
81 q = q->next;
82 }
83 q->next = p;
84 }
85 }
86
set_globals(char * server)87 static void set_globals(char *server)
88 {
89 struct addrinfo hints = {
90 .ai_flags = AI_NUMERICSERV,
91 #ifndef INET6
92 .ai_family = AF_INET,
93 #else
94 .ai_family = AF_UNSPEC,
95 #endif
96 .ai_socktype = SOCK_DGRAM,
97 };
98 struct addrinfo *info;
99
100 if (getaddrinfo(server, "500", &hints, &info) != 0) {
101 do_plog(LLV_ERROR, "Cannot resolve address: %s\n", server);
102 exit(1);
103 }
104 if (info->ai_next) {
105 do_plog(LLV_WARNING, "Found multiple addresses. Use the first one.\n");
106 }
107 targets[0] = dupsaddr(info->ai_addr);
108 freeaddrinfo(info);
109
110 source = getlocaladdr(targets[0]);
111 if (!source) {
112 do_plog(LLV_ERROR, "Cannot get local address\n");
113 exit(1);
114 }
115 set_port(targets[0], 0);
116 set_port(source, 0);
117
118 myaddrs[0].addr = dupsaddr(source);
119 set_port(myaddrs[0].addr, PORT_ISAKMP);
120 myaddrs[0].sock = -1;
121 #ifdef ENABLE_NATT
122 myaddrs[0].next = &myaddrs[1];
123 myaddrs[1].addr = dupsaddr(myaddrs[0].addr);
124 set_port(myaddrs[1].addr, PORT_ISAKMP_NATT);
125 myaddrs[1].sock = -1;
126 myaddrs[1].udp_encap = 1;
127 #endif
128
129 localconf.myaddrs = &myaddrs[0];
130 localconf.port_isakmp = PORT_ISAKMP;
131 localconf.port_isakmp_natt = PORT_ISAKMP_NATT;
132 localconf.default_af = AF_INET;
133 localconf.pathinfo[LC_PATHTYPE_CERT] = "./";
134 localconf.pad_random = LC_DEFAULT_PAD_RANDOM;
135 localconf.pad_randomlen = LC_DEFAULT_PAD_RANDOM;
136 localconf.pad_strict = LC_DEFAULT_PAD_STRICT;
137 localconf.pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
138 localconf.retry_counter = 10;
139 localconf.retry_interval = 3;
140 localconf.count_persend = LC_DEFAULT_COUNT_PERSEND;
141 localconf.secret_size = LC_DEFAULT_SECRETSIZE;
142 localconf.retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
143 localconf.wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
144 localconf.natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
145
146 sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
147 sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
148 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, 0);
149 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
150 add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
151 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
152 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
153 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
154 add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
155
156 memset(script_names, 0, sizeof(script_names));
157 }
158
159 /*****************************************************************************/
160
policy_match(struct sadb_address * address)161 static int policy_match(struct sadb_address *address)
162 {
163 if (address) {
164 struct sockaddr *addr = PFKEY_ADDR_SADDR(address);
165 return !cmpsaddrwop(addr, targets[0]) || !cmpsaddrwop(addr, targets[1]);
166 }
167 return 0;
168 }
169
170 /* flush; spdflush; */
flush()171 static void flush()
172 {
173 struct sadb_msg *p;
174 int replies = 0;
175 int key = pfkey_open();
176
177 if (pfkey_send_dump(key, SADB_SATYPE_UNSPEC) <= 0 ||
178 pfkey_send_spddump(key) <= 0) {
179 do_plog(LLV_ERROR, "Cannot dump SAD and SPD\n");
180 exit(1);
181 }
182
183 for (p = NULL; replies < 2 && (p = pfkey_recv(key)) != NULL; free(p)) {
184 caddr_t q[SADB_EXT_MAX + 1];
185
186 if (p->sadb_msg_type != SADB_DUMP &&
187 p->sadb_msg_type != SADB_X_SPDDUMP) {
188 continue;
189 }
190 replies += !p->sadb_msg_seq;
191
192 if (p->sadb_msg_errno || pfkey_align(p, q) || pfkey_check(q)) {
193 continue;
194 }
195 if (policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_SRC]) ||
196 policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_DST])) {
197 p->sadb_msg_type = (p->sadb_msg_type == SADB_DUMP) ?
198 SADB_DELETE : SADB_X_SPDDELETE;
199 p->sadb_msg_reserved = 0;
200 p->sadb_msg_seq = 0;
201 pfkey_send(key, p, PFKEY_UNUNIT64(p->sadb_msg_len));
202 }
203 }
204
205 pfkey_close(key);
206 }
207
208 /* spdadd src dst protocol -P out ipsec esp/transport//require;
209 * spdadd dst src protocol -P in ipsec esp/transport//require;
210 * or
211 * spdadd src any protocol -P out ipsec esp/tunnel/local-remote/require;
212 * spdadd any src protocol -P in ipsec esp/tunnel/remote-local/require; */
spdadd(struct sockaddr * src,struct sockaddr * dst,int protocol,struct sockaddr * local,struct sockaddr * remote)213 static void spdadd(struct sockaddr *src, struct sockaddr *dst,
214 int protocol, struct sockaddr *local, struct sockaddr *remote)
215 {
216 struct __attribute__((packed)) {
217 struct sadb_x_policy p;
218 struct sadb_x_ipsecrequest q;
219 char addresses[sizeof(struct sockaddr_storage) * 2];
220 } policy;
221
222 struct sockaddr_storage any = {
223 #ifndef __linux__
224 .ss_len = src->sa_len,
225 #endif
226 .ss_family = src->sa_family,
227 };
228
229 int src_prefix = (src->sa_family == AF_INET) ? 32 : 128;
230 int dst_prefix = src_prefix;
231 int length = 0;
232 int key;
233
234 /* Fill values for outbound policy. */
235 memset(&policy, 0, sizeof(policy));
236 policy.p.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
237 policy.p.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
238 policy.p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
239 #ifdef HAVE_PFKEY_POLICY_PRIORITY
240 policy.p.sadb_x_policy_priority = PRIORITY_DEFAULT;
241 #endif
242 policy.q.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
243 policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
244 policy.q.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
245
246 /* Deal with tunnel mode. */
247 if (!dst) {
248 int size = sysdep_sa_len(local);
249 memcpy(policy.addresses, local, size);
250 memcpy(&policy.addresses[size], remote, size);
251 length += size + size;
252
253 policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
254 dst = (struct sockaddr *)&any;
255 dst_prefix = 0;
256
257 /* Also use the source address to filter policies. */
258 targets[1] = dupsaddr(src);
259 }
260
261 /* Fix lengths. */
262 length += sizeof(policy.q);
263 policy.q.sadb_x_ipsecrequest_len = length;
264 length += sizeof(policy.p);
265 policy.p.sadb_x_policy_len = PFKEY_UNIT64(length);
266
267 /* Always do a flush before adding new policies. */
268 flush();
269
270 /* Set outbound policy. */
271 key = pfkey_open();
272 if (pfkey_send_spdadd(key, src, src_prefix, dst, dst_prefix, protocol,
273 (caddr_t)&policy, length, 0) <= 0) {
274 do_plog(LLV_ERROR, "Cannot set outbound policy\n");
275 exit(1);
276 }
277
278 /* Flip values for inbound policy. */
279 policy.p.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
280 if (!dst_prefix) {
281 int size = sysdep_sa_len(local);
282 memcpy(policy.addresses, remote, size);
283 memcpy(&policy.addresses[size], local, size);
284 }
285
286 /* Set inbound policy. */
287 if (pfkey_send_spdadd(key, dst, dst_prefix, src, src_prefix, protocol,
288 (caddr_t)&policy, length, 0) <= 0) {
289 do_plog(LLV_ERROR, "Cannot set inbound policy\n");
290 exit(1);
291 }
292
293 pfkey_close(key);
294 atexit(flush);
295 }
296
297 /*****************************************************************************/
298
add_proposal(struct remoteconf * remoteconf,int auth,int hash,int encryption,int length)299 static void add_proposal(struct remoteconf *remoteconf,
300 int auth, int hash, int encryption, int length)
301 {
302 struct isakmpsa *p = racoon_calloc(1, sizeof(struct isakmpsa));
303 p->prop_no = 1;
304 p->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
305 p->enctype = encryption;
306 p->encklen = length;
307 p->authmethod = auth;
308 p->hashtype = hash;
309 p->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
310 p->vendorid = VENDORID_UNKNOWN;
311 p->rmconf = remoteconf;
312
313 if (!remoteconf->proposal) {
314 p->trns_no = 1;
315 remoteconf->proposal = p;
316 } else {
317 struct isakmpsa *q = remoteconf->proposal;
318 while (q->next) {
319 q = q->next;
320 }
321 p->trns_no = q->trns_no + 1;
322 q->next = p;
323 }
324 }
325
strtovchar(char * string)326 static vchar_t *strtovchar(char *string)
327 {
328 vchar_t *vchar = string ? vmalloc(strlen(string) + 1) : NULL;
329 if (vchar) {
330 memcpy(vchar->v, string, vchar->l);
331 vchar->l -= 1;
332 }
333 return vchar;
334 }
335
set_pre_shared_key(struct remoteconf * remoteconf,char * identifier,char * key)336 static void set_pre_shared_key(struct remoteconf *remoteconf,
337 char *identifier, char *key)
338 {
339 pre_shared_key = key;
340 if (identifier[0]) {
341 remoteconf->idv = strtovchar(identifier);
342 remoteconf->etypes->type = ISAKMP_ETYPE_AGG;
343
344 remoteconf->idvtype = IDTYPE_KEYID;
345 if (strchr(identifier, '.')) {
346 remoteconf->idvtype = IDTYPE_FQDN;
347 if (strchr(identifier, '@')) {
348 remoteconf->idvtype = IDTYPE_USERFQDN;
349 }
350 }
351 }
352 }
353
set_certificates(struct remoteconf * remoteconf,char * user_private_key,char * user_certificate,char * ca_certificate,char * server_certificate)354 static void set_certificates(struct remoteconf *remoteconf,
355 char *user_private_key, char *user_certificate,
356 char *ca_certificate, char *server_certificate)
357 {
358 remoteconf->myprivfile = user_private_key;
359 remoteconf->mycertfile = user_certificate;
360 if (user_certificate) {
361 remoteconf->idvtype = IDTYPE_ASN1DN;
362 }
363 if (!ca_certificate[0]) {
364 remoteconf->verify_cert = FALSE;
365 } else {
366 remoteconf->cacertfile = ca_certificate;
367 }
368 if (server_certificate[0]) {
369 remoteconf->peerscertfile = server_certificate;
370 remoteconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
371 }
372 }
373
374 #ifdef ENABLE_HYBRID
375
set_xauth_and_more(struct remoteconf * remoteconf,char * username,char * password,char * phase1_up,char * script_arg)376 static void set_xauth_and_more(struct remoteconf *remoteconf,
377 char *username, char *password, char *phase1_up, char *script_arg)
378 {
379 struct xauth_rmconf *xauth = racoon_calloc(1, sizeof(struct xauth_rmconf));
380 xauth->login = strtovchar(username);
381 xauth->login->l += 1;
382 xauth->pass = strtovchar(password);
383 xauth->pass->l += 1;
384 remoteconf->xauth = xauth;
385 remoteconf->mode_cfg = TRUE;
386 remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(phase1_up);
387 script_names[SCRIPT_PHASE1_UP] = script_arg;
388 }
389
390 #endif
391
392 extern void monitor_fd(int fd, void (*callback)(int));
393
add_isakmp_handler(int fd,const char * interface)394 void add_isakmp_handler(int fd, const char *interface)
395 {
396 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
397 interface, strlen(interface))) {
398 do_plog(LLV_WARNING, "Cannot bind socket to %s\n", interface);
399 }
400 monitor_fd(fd, (void *)isakmp_handler);
401 }
402
setup(int argc,char ** argv)403 void setup(int argc, char **argv)
404 {
405 struct remoteconf *remoteconf = NULL;
406 int auth;
407
408 if (argc > 2) {
409 set_globals(argv[2]);
410
411 /* Initialize everything else. */
412 eay_init();
413 initrmconf();
414 oakley_dhinit();
415 compute_vendorids();
416 sched_init();
417 if (pfkey_init() < 0 || isakmp_init() < 0) {
418 exit(1);
419 }
420 monitor_fd(localconf.sock_pfkey, (void *)pfkey_handler);
421 add_isakmp_handler(myaddrs[0].sock, argv[1]);
422 #ifdef ENABLE_NATT
423 add_isakmp_handler(myaddrs[1].sock, argv[1]);
424 natt_keepalive_init();
425 #endif
426
427 /* Create remote configuration. */
428 remoteconf = newrmconf();
429 remoteconf->etypes = racoon_calloc(1, sizeof(struct etypes));
430 remoteconf->etypes->type = ISAKMP_ETYPE_IDENT;
431 remoteconf->idvtype = IDTYPE_ADDRESS;
432 remoteconf->ike_frag = TRUE;
433 remoteconf->pcheck_level = PROP_CHECK_CLAIM;
434 remoteconf->certtype = ISAKMP_CERT_X509SIGN;
435 remoteconf->gen_policy = TRUE;
436 remoteconf->nat_traversal = TRUE;
437 remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
438 remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar("");
439 remoteconf->script[SCRIPT_PHASE1_DOWN] = strtovchar("");
440 oakley_setdhgroup(remoteconf->dh_group, &remoteconf->dhgrp);
441 remoteconf->remote = dupsaddr(targets[0]);
442 }
443
444 /* Set authentication method and credentials. */
445 if (argc == 7 && !strcmp(argv[3], "udppsk")) {
446 set_pre_shared_key(remoteconf, argv[4], argv[5]);
447 auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY;
448
449 set_port(targets[0], atoi(argv[6]));
450 spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
451 } else if (argc == 9 && !strcmp(argv[3], "udprsa")) {
452 set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
453 auth = OAKLEY_ATTR_AUTH_METHOD_RSASIG;
454
455 set_port(targets[0], atoi(argv[8]));
456 spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
457 #ifdef ENABLE_HYBRID
458 } else if (argc == 10 && !strcmp(argv[3], "xauthpsk")) {
459 set_pre_shared_key(remoteconf, argv[4], argv[5]);
460 set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
461 auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
462 } else if (argc == 12 && !strcmp(argv[3], "xauthrsa")) {
463 set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
464 set_xauth_and_more(remoteconf, argv[8], argv[9], argv[10], argv[11]);
465 auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
466 } else if (argc == 10 && !strcmp(argv[3], "hybridrsa")) {
467 set_certificates(remoteconf, NULL, NULL, argv[4], argv[5]);
468 set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
469 auth = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I;
470 #endif
471 } else {
472 printf("Usage: %s <interface> <server> [...], where [...] can be:\n"
473 " udppsk <identifier> <pre-shared-key> <port>; \n"
474 " udprsa <user-private-key> <user-certificate> \\\n"
475 " <ca-certificate> <server-certificate> <port>;\n"
476 #ifdef ENABLE_HYBRID
477 " xauthpsk <identifier> <pre-shared-key> \\\n"
478 " <username> <password> <phase1-up> <script-arg>;\n"
479 " xauthrsa <user-private-key> <user-certificate> \\\n"
480 " <ca-certificate> <server-certificate> \\\n"
481 " <username> <password> <phase1-up> <script-arg>;\n"
482 " hybridrsa <ca-certificate> <server-certificate> \\\n"
483 " <username> <password> <phase1-up> <script-arg>;\n"
484 #endif
485 "", argv[0]);
486 exit(0);
487 }
488
489 /* Add proposals. */
490 add_proposal(remoteconf, auth,
491 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
492 add_proposal(remoteconf, auth,
493 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
494 add_proposal(remoteconf, auth,
495 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 256);
496 add_proposal(remoteconf, auth,
497 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 128);
498 add_proposal(remoteconf, auth,
499 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128);
500 add_proposal(remoteconf, auth,
501 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 128);
502 add_proposal(remoteconf, auth,
503 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_3DES, 0);
504 add_proposal(remoteconf, auth,
505 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_3DES, 0);
506 add_proposal(remoteconf, auth,
507 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_3DES, 0);
508 add_proposal(remoteconf, auth,
509 OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_DES, 0);
510 add_proposal(remoteconf, auth,
511 OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_DES, 0);
512 add_proposal(remoteconf, auth,
513 OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_DES, 0);
514
515 /* Install remote configuration. */
516 insrmconf(remoteconf);
517
518 /* Start phase 1 negotiation for xauth. */
519 if (remoteconf->xauth) {
520 isakmp_ph1begin_i(remoteconf, remoteconf->remote, source);
521 }
522 }
523
524 /*****************************************************************************/
525
526 /* localconf.h */
527
getpskbyaddr(struct sockaddr * addr)528 vchar_t *getpskbyaddr(struct sockaddr *addr)
529 {
530 return strtovchar(pre_shared_key);
531 }
532
getpskbyname(vchar_t * name)533 vchar_t *getpskbyname(vchar_t *name)
534 {
535 return NULL;
536 }
537
getpathname(char * path,int length,int type,const char * name)538 void getpathname(char *path, int length, int type, const char *name)
539 {
540 if (pname) {
541 snprintf(path, length, pname, name);
542 } else {
543 strncpy(path, name, length);
544 }
545 path[length - 1] = '\0';
546 }
547
548 /* grabmyaddr.h */
549
myaddr_getsport(struct sockaddr * addr)550 int myaddr_getsport(struct sockaddr *addr)
551 {
552 return 0;
553 }
554
getsockmyaddr(struct sockaddr * addr)555 int getsockmyaddr(struct sockaddr *addr)
556 {
557 #ifdef ENABLE_NATT
558 if (!cmpsaddrstrict(addr, myaddrs[1].addr)) {
559 return myaddrs[1].sock;
560 }
561 #endif
562 if (!cmpsaddrwop(addr, myaddrs[0].addr)) {
563 return myaddrs[0].sock;
564 }
565 return -1;
566 }
567
568 /* privsep.h */
569
privsep_pfkey_open()570 int privsep_pfkey_open()
571 {
572 return pfkey_open();
573 }
574
privsep_pfkey_close(int key)575 void privsep_pfkey_close(int key)
576 {
577 pfkey_close(key);
578 }
579
privsep_eay_get_pkcs1privkey(char * file)580 vchar_t *privsep_eay_get_pkcs1privkey(char *file)
581 {
582 return eay_get_pkcs1privkey(file);
583 }
584
get_env(char * const * envp,char * key)585 static char *get_env(char * const *envp, char *key)
586 {
587 int length = strlen(key);
588 while (*envp && (strncmp(*envp, key, length) || (*envp)[length] != '=')) {
589 ++envp;
590 }
591 return *envp ? &(*envp)[length + 1] : "";
592 }
593
594 static int skip_script = 0;
595 extern const char *android_hook(char **envp);
596
privsep_script_exec(char * script,int name,char * const * envp)597 int privsep_script_exec(char *script, int name, char * const *envp)
598 {
599 if (skip_script) {
600 return 0;
601 }
602 skip_script = 1;
603
604 if (name == SCRIPT_PHASE1_DOWN) {
605 exit(1);
606 }
607 if (script_names[SCRIPT_PHASE1_UP]) {
608 /* Racoon ignores INTERNAL_IP6_ADDRESS, so we only do IPv4. */
609 struct sockaddr *addr4 = str2saddr(get_env(envp, "INTERNAL_ADDR4"),
610 NULL);
611 struct sockaddr *local = str2saddr(get_env(envp, "LOCAL_ADDR"),
612 get_env(envp, "LOCAL_PORT"));
613 struct sockaddr *remote = str2saddr(get_env(envp, "REMOTE_ADDR"),
614 get_env(envp, "REMOTE_PORT"));
615
616 if (addr4 && local && remote) {
617 #ifdef ANDROID_CHANGES
618 if (pname) {
619 script = (char *)android_hook((char **)envp);
620 }
621 #endif
622 spdadd(addr4, NULL, IPPROTO_IP, local, remote);
623 } else {
624 do_plog(LLV_ERROR, "Cannot get parameters for SPD policy.\n");
625 exit(1);
626 }
627
628 racoon_free(addr4);
629 racoon_free(local);
630 racoon_free(remote);
631 return script_exec(script, name, envp);
632 }
633 return 0;
634 }
635
privsep_accounting_system(int port,struct sockaddr * addr,char * user,int status)636 int privsep_accounting_system(int port, struct sockaddr *addr,
637 char *user, int status)
638 {
639 return 0;
640 }
641
privsep_xauth_login_system(char * user,char * password)642 int privsep_xauth_login_system(char *user, char *password)
643 {
644 return -1;
645 }
646
647 /* misc.h */
648
racoon_hexdump(void * data,size_t length)649 int racoon_hexdump(void *data, size_t length)
650 {
651 return 0;
652 }
653
654 /* sainfo.h */
655
getsainfo(const vchar_t * src,const vchar_t * dst,const vchar_t * peer,int remoteid)656 struct sainfo *getsainfo(const vchar_t *src, const vchar_t *dst,
657 const vchar_t *peer, int remoteid)
658 {
659 return &sainfo;
660 }
661
sainfo2str(const struct sainfo * si)662 const char *sainfo2str(const struct sainfo *si)
663 {
664 return "*";
665 }
666
667 /* throttle.h */
668
throttle_host(struct sockaddr * addr,int fail)669 int throttle_host(struct sockaddr *addr, int fail)
670 {
671 return 0;
672 }
673