1 /* $OpenBSD: config.c,v 1.42 2016/06/01 11:16:41 patrick Exp $ */ 2 3 /* 4 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/queue.h> 20 #include <sys/wait.h> 21 #include <sys/socket.h> 22 #include <sys/uio.h> 23 24 #include <stdlib.h> 25 #include <stdio.h> 26 #include <unistd.h> 27 #include <string.h> 28 #include <signal.h> 29 #include <errno.h> 30 #include <err.h> 31 #include <pwd.h> 32 #include <event.h> 33 34 #include "iked.h" 35 #include "ikev2.h" 36 37 struct iked_sa * 38 config_new_sa(struct iked *env, int initiator) 39 { 40 struct iked_sa *sa; 41 42 if ((sa = calloc(1, sizeof(*sa))) == NULL) 43 return (NULL); 44 45 TAILQ_INIT(&sa->sa_proposals); 46 TAILQ_INIT(&sa->sa_childsas); 47 TAILQ_INIT(&sa->sa_flows); 48 TAILQ_INIT(&sa->sa_requests); 49 TAILQ_INIT(&sa->sa_responses); 50 sa->sa_hdr.sh_initiator = initiator; 51 sa->sa_type = IKED_SATYPE_LOCAL; 52 53 if (initiator) 54 sa->sa_hdr.sh_ispi = config_getspi(); 55 else 56 sa->sa_hdr.sh_rspi = config_getspi(); 57 58 gettimeofday(&sa->sa_timecreated, NULL); 59 memcpy(&sa->sa_timeused, &sa->sa_timecreated, sizeof(sa->sa_timeused)); 60 61 return (sa); 62 } 63 64 uint64_t 65 config_getspi(void) 66 { 67 uint64_t spi; 68 69 do { 70 arc4random_buf(&spi, sizeof spi); 71 } while (spi == 0); 72 73 return (spi); 74 } 75 76 void 77 config_free_kex(struct iked_kex *kex) 78 { 79 if (kex == NULL) 80 return; 81 82 ibuf_release(kex->kex_inonce); 83 ibuf_release(kex->kex_rnonce); 84 85 if (kex->kex_dhgroup != NULL) 86 group_free(kex->kex_dhgroup); 87 ibuf_release(kex->kex_dhiexchange); 88 ibuf_release(kex->kex_dhrexchange); 89 90 free(kex); 91 } 92 93 void 94 config_free_sa(struct iked *env, struct iked_sa *sa) 95 { 96 timer_del(env, &sa->sa_timer); 97 timer_del(env, &sa->sa_rekey); 98 99 config_free_proposals(&sa->sa_proposals, 0); 100 config_free_childsas(env, &sa->sa_childsas, NULL, NULL); 101 sa_free_flows(env, &sa->sa_flows); 102 103 if (sa->sa_addrpool) { 104 (void)RB_REMOVE(iked_addrpool, &env->sc_addrpool, sa); 105 free(sa->sa_addrpool); 106 } 107 if (sa->sa_addrpool6) { 108 (void)RB_REMOVE(iked_addrpool6, &env->sc_addrpool6, sa); 109 free(sa->sa_addrpool6); 110 } 111 112 if (sa->sa_policy) { 113 TAILQ_REMOVE(&sa->sa_policy->pol_sapeers, sa, sa_peer_entry); 114 policy_unref(env, sa->sa_policy); 115 } 116 117 ikev2_msg_flushqueue(env, &sa->sa_requests); 118 ikev2_msg_flushqueue(env, &sa->sa_responses); 119 120 ibuf_release(sa->sa_inonce); 121 ibuf_release(sa->sa_rnonce); 122 123 if (sa->sa_dhgroup != NULL) 124 group_free(sa->sa_dhgroup); 125 ibuf_release(sa->sa_dhiexchange); 126 ibuf_release(sa->sa_dhrexchange); 127 128 hash_free(sa->sa_prf); 129 hash_free(sa->sa_integr); 130 cipher_free(sa->sa_encr); 131 132 ibuf_release(sa->sa_key_d); 133 ibuf_release(sa->sa_key_iauth); 134 ibuf_release(sa->sa_key_rauth); 135 ibuf_release(sa->sa_key_iencr); 136 ibuf_release(sa->sa_key_rencr); 137 ibuf_release(sa->sa_key_iprf); 138 ibuf_release(sa->sa_key_rprf); 139 140 ibuf_release(sa->sa_1stmsg); 141 ibuf_release(sa->sa_2ndmsg); 142 143 ibuf_release(sa->sa_iid.id_buf); 144 ibuf_release(sa->sa_rid.id_buf); 145 ibuf_release(sa->sa_icert.id_buf); 146 ibuf_release(sa->sa_rcert.id_buf); 147 148 ibuf_release(sa->sa_eap.id_buf); 149 free(sa->sa_eapid); 150 ibuf_release(sa->sa_eapmsk); 151 152 free(sa); 153 } 154 155 struct iked_policy * 156 config_new_policy(struct iked *env) 157 { 158 struct iked_policy *pol; 159 160 if ((pol = calloc(1, sizeof(*pol))) == NULL) 161 return (NULL); 162 163 /* XXX caller does this again */ 164 TAILQ_INIT(&pol->pol_proposals); 165 TAILQ_INIT(&pol->pol_sapeers); 166 RB_INIT(&pol->pol_flows); 167 168 return (pol); 169 } 170 171 void 172 config_free_policy(struct iked *env, struct iked_policy *pol) 173 { 174 struct iked_sa *sa; 175 176 if (pol->pol_flags & IKED_POLICY_REFCNT) 177 goto remove; 178 179 TAILQ_REMOVE(&env->sc_policies, pol, pol_entry); 180 181 TAILQ_FOREACH(sa, &pol->pol_sapeers, sa_peer_entry) { 182 /* Remove from the policy list, but keep for existing SAs */ 183 if (sa->sa_policy == pol) 184 policy_ref(env, pol); 185 else 186 log_warnx("%s: ERROR: sa_policy %p != pol %p", 187 __func__, sa->sa_policy, pol); 188 } 189 190 if (pol->pol_refcnt) 191 return; 192 193 remove: 194 config_free_proposals(&pol->pol_proposals, 0); 195 config_free_flows(env, &pol->pol_flows); 196 free(pol); 197 } 198 199 struct iked_proposal * 200 config_add_proposal(struct iked_proposals *head, unsigned int id, 201 unsigned int proto) 202 { 203 struct iked_proposal *pp; 204 205 TAILQ_FOREACH(pp, head, prop_entry) { 206 if (pp->prop_protoid == proto && 207 pp->prop_id == id) 208 return (pp); 209 } 210 211 if ((pp = calloc(1, sizeof(*pp))) == NULL) 212 return (NULL); 213 214 pp->prop_protoid = proto; 215 pp->prop_id = id; 216 217 TAILQ_INSERT_TAIL(head, pp, prop_entry); 218 219 return (pp); 220 } 221 222 void 223 config_free_proposals(struct iked_proposals *head, unsigned int proto) 224 { 225 struct iked_proposal *prop, *next; 226 227 for (prop = TAILQ_FIRST(head); prop != NULL; prop = next) { 228 next = TAILQ_NEXT(prop, prop_entry); 229 230 /* Free any proposal or only selected SA proto */ 231 if (proto != 0 && prop->prop_protoid != proto) 232 continue; 233 234 log_debug("%s: free %p", __func__, prop); 235 236 TAILQ_REMOVE(head, prop, prop_entry); 237 if (prop->prop_nxforms) 238 free(prop->prop_xforms); 239 free(prop); 240 } 241 } 242 243 void 244 config_free_flows(struct iked *env, struct iked_flows *head) 245 { 246 struct iked_flow *flow, *next; 247 248 for (flow = RB_MIN(iked_flows, head); flow != NULL; flow = next) { 249 next = RB_NEXT(iked_flows, head, flow); 250 log_debug("%s: free %p", __func__, flow); 251 RB_REMOVE(iked_flows, head, flow); 252 flow_free(flow); 253 } 254 } 255 256 void 257 config_free_childsas(struct iked *env, struct iked_childsas *head, 258 struct iked_spi *peerspi, struct iked_spi *localspi) 259 { 260 struct iked_childsa *csa, *nextcsa; 261 262 if (localspi != NULL) 263 bzero(localspi, sizeof(*localspi)); 264 265 for (csa = TAILQ_FIRST(head); csa != NULL; csa = nextcsa) { 266 nextcsa = TAILQ_NEXT(csa, csa_entry); 267 268 if (peerspi != NULL) { 269 /* Only delete matching peer SPIs */ 270 if (peerspi->spi != csa->csa_peerspi) 271 continue; 272 273 /* Store assigned local SPI */ 274 if (localspi != NULL && localspi->spi == 0) 275 memcpy(localspi, &csa->csa_spi, 276 sizeof(*localspi)); 277 } 278 log_debug("%s: free %p", __func__, csa); 279 280 TAILQ_REMOVE(head, csa, csa_entry); 281 if (csa->csa_loaded) { 282 RB_REMOVE(iked_activesas, &env->sc_activesas, csa); 283 (void)pfkey_sa_delete(env->sc_pfkey, csa); 284 } 285 childsa_free(csa); 286 } 287 } 288 289 struct iked_transform * 290 config_add_transform(struct iked_proposal *prop, unsigned int type, 291 unsigned int id, unsigned int length, unsigned int keylength) 292 { 293 struct iked_transform *xform; 294 struct iked_constmap *map = NULL; 295 int score = 1; 296 unsigned int i; 297 298 switch (type) { 299 case IKEV2_XFORMTYPE_ENCR: 300 map = ikev2_xformencr_map; 301 break; 302 case IKEV2_XFORMTYPE_PRF: 303 map = ikev2_xformprf_map; 304 break; 305 case IKEV2_XFORMTYPE_INTEGR: 306 map = ikev2_xformauth_map; 307 break; 308 case IKEV2_XFORMTYPE_DH: 309 map = ikev2_xformdh_map; 310 break; 311 case IKEV2_XFORMTYPE_ESN: 312 map = ikev2_xformesn_map; 313 break; 314 default: 315 log_debug("%s: invalid transform type %d", __func__, type); 316 return (NULL); 317 } 318 319 for (i = 0; i < prop->prop_nxforms; i++) { 320 xform = prop->prop_xforms + i; 321 if (xform->xform_type == type && 322 xform->xform_id == id && 323 xform->xform_length == length) 324 return (xform); 325 } 326 327 for (i = 0; i < prop->prop_nxforms; i++) { 328 xform = prop->prop_xforms + i; 329 if (xform->xform_type == type) { 330 switch (type) { 331 case IKEV2_XFORMTYPE_ENCR: 332 case IKEV2_XFORMTYPE_INTEGR: 333 score += 3; 334 break; 335 case IKEV2_XFORMTYPE_DH: 336 score += 2; 337 break; 338 default: 339 score += 1; 340 break; 341 } 342 } 343 } 344 345 if ((xform = reallocarray(prop->prop_xforms, 346 prop->prop_nxforms + 1, sizeof(*xform))) == NULL) { 347 return (NULL); 348 } 349 350 prop->prop_xforms = xform; 351 xform = prop->prop_xforms + prop->prop_nxforms++; 352 bzero(xform, sizeof(*xform)); 353 354 xform->xform_type = type; 355 xform->xform_id = id; 356 xform->xform_length = length; 357 xform->xform_keylength = keylength; 358 xform->xform_score = score; 359 xform->xform_map = map; 360 361 return (xform); 362 } 363 364 struct iked_transform * 365 config_findtransform(struct iked_proposals *props, uint8_t type, 366 unsigned int proto) 367 { 368 struct iked_proposal *prop; 369 struct iked_transform *xform; 370 unsigned int i; 371 372 /* Search of the first transform with the desired type */ 373 TAILQ_FOREACH(prop, props, prop_entry) { 374 /* Find any proposal or only selected SA proto */ 375 if (proto != 0 && prop->prop_protoid != proto) 376 continue; 377 for (i = 0; i < prop->prop_nxforms; i++) { 378 xform = prop->prop_xforms + i; 379 if (xform->xform_type == type) 380 return (xform); 381 } 382 } 383 384 return (NULL); 385 } 386 387 struct iked_user * 388 config_new_user(struct iked *env, struct iked_user *new) 389 { 390 struct iked_user *usr, *old; 391 392 if ((usr = calloc(1, sizeof(*usr))) == NULL) 393 return (NULL); 394 395 memcpy(usr, new, sizeof(*usr)); 396 397 if ((old = RB_INSERT(iked_users, &env->sc_users, usr)) != NULL) { 398 /* Update the password of an existing user*/ 399 memcpy(old, new, sizeof(*old)); 400 401 log_debug("%s: updating user %s", __func__, usr->usr_name); 402 free(usr); 403 404 return (old); 405 } 406 407 log_debug("%s: inserting new user %s", __func__, usr->usr_name); 408 return (usr); 409 } 410 411 /* 412 * Inter-process communication of configuration items. 413 */ 414 415 int 416 config_setcoupled(struct iked *env, unsigned int couple) 417 { 418 unsigned int type; 419 420 type = couple ? IMSG_CTL_COUPLE : IMSG_CTL_DECOUPLE; 421 proc_compose(&env->sc_ps, PROC_IKEV2, type, NULL, 0); 422 423 return (0); 424 } 425 426 int 427 config_getcoupled(struct iked *env, unsigned int type) 428 { 429 return (pfkey_couple(env->sc_pfkey, &env->sc_sas, 430 type == IMSG_CTL_COUPLE ? 1 : 0)); 431 } 432 433 int 434 config_setmode(struct iked *env, unsigned int passive) 435 { 436 unsigned int type; 437 438 type = passive ? IMSG_CTL_PASSIVE : IMSG_CTL_ACTIVE; 439 proc_compose(&env->sc_ps, PROC_IKEV2, type, NULL, 0); 440 441 return (0); 442 } 443 444 int 445 config_getmode(struct iked *env, unsigned int type) 446 { 447 uint8_t old; 448 unsigned char *mode[] = { "active", "passive" }; 449 450 old = env->sc_passive ? 1 : 0; 451 env->sc_passive = type == IMSG_CTL_PASSIVE ? 1 : 0; 452 453 if (old == env->sc_passive) 454 return (0); 455 456 log_debug("%s: mode %s -> %s", __func__, 457 mode[old], mode[env->sc_passive]); 458 459 return (0); 460 } 461 462 int 463 config_setreset(struct iked *env, unsigned int mode, enum privsep_procid id) 464 { 465 proc_compose(&env->sc_ps, id, IMSG_CTL_RESET, &mode, sizeof(mode)); 466 return (0); 467 } 468 469 int 470 config_getreset(struct iked *env, struct imsg *imsg) 471 { 472 struct iked_policy *pol, *nextpol; 473 struct iked_sa *sa, *nextsa; 474 struct iked_user *usr, *nextusr; 475 unsigned int mode; 476 477 IMSG_SIZE_CHECK(imsg, &mode); 478 memcpy(&mode, imsg->data, sizeof(mode)); 479 480 if (mode == RESET_ALL || mode == RESET_POLICY) { 481 log_debug("%s: flushing policies", __func__); 482 for (pol = TAILQ_FIRST(&env->sc_policies); 483 pol != NULL; pol = nextpol) { 484 nextpol = TAILQ_NEXT(pol, pol_entry); 485 config_free_policy(env, pol); 486 } 487 } 488 489 if (mode == RESET_ALL || mode == RESET_SA) { 490 log_debug("%s: flushing SAs", __func__); 491 for (sa = RB_MIN(iked_sas, &env->sc_sas); 492 sa != NULL; sa = nextsa) { 493 nextsa = RB_NEXT(iked_sas, &env->sc_sas, sa); 494 RB_REMOVE(iked_sas, &env->sc_sas, sa); 495 config_free_sa(env, sa); 496 } 497 } 498 499 if (mode == RESET_ALL || mode == RESET_USER) { 500 log_debug("%s: flushing users", __func__); 501 for (usr = RB_MIN(iked_users, &env->sc_users); 502 usr != NULL; usr = nextusr) { 503 nextusr = RB_NEXT(iked_users, &env->sc_users, usr); 504 RB_REMOVE(iked_users, &env->sc_users, usr); 505 free(usr); 506 } 507 } 508 509 return (0); 510 } 511 512 int 513 config_setsocket(struct iked *env, struct sockaddr_storage *ss, 514 in_port_t port, enum privsep_procid id) 515 { 516 int s; 517 518 if ((s = udp_bind((struct sockaddr *)ss, port)) == -1) 519 return (-1); 520 proc_compose_imsg(&env->sc_ps, id, -1, 521 IMSG_UDP_SOCKET, -1, s, ss, sizeof(*ss)); 522 return (0); 523 } 524 525 int 526 config_getsocket(struct iked *env, struct imsg *imsg, 527 void (*cb)(int, short, void *)) 528 { 529 struct iked_socket *sock, **sptr, **nptr; 530 531 log_debug("%s: received socket fd %d", __func__, imsg->fd); 532 533 if ((sock = calloc(1, sizeof(*sock))) == NULL) 534 fatal("config_getsocket: calloc"); 535 536 IMSG_SIZE_CHECK(imsg, &sock->sock_addr); 537 538 memcpy(&sock->sock_addr, imsg->data, sizeof(sock->sock_addr)); 539 sock->sock_fd = imsg->fd; 540 sock->sock_env = env; 541 542 switch (sock->sock_addr.ss_family) { 543 case AF_INET: 544 sptr = &env->sc_sock4[0]; 545 nptr = &env->sc_sock4[1]; 546 break; 547 case AF_INET6: 548 sptr = &env->sc_sock6[0]; 549 nptr = &env->sc_sock6[1]; 550 break; 551 default: 552 fatal("config_getsocket: socket af"); 553 /* NOTREACHED */ 554 } 555 if (*sptr == NULL) 556 *sptr = sock; 557 if (*nptr == NULL && 558 socket_getport((struct sockaddr *)&sock->sock_addr) == 559 IKED_NATT_PORT) 560 *nptr = sock; 561 562 event_set(&sock->sock_ev, sock->sock_fd, 563 EV_READ|EV_PERSIST, cb, sock); 564 event_add(&sock->sock_ev, NULL); 565 566 return (0); 567 } 568 569 int 570 config_setpfkey(struct iked *env, enum privsep_procid id) 571 { 572 int s; 573 574 if ((s = pfkey_socket()) == -1) 575 return (-1); 576 proc_compose_imsg(&env->sc_ps, id, -1, 577 IMSG_PFKEY_SOCKET, -1, s, NULL, 0); 578 return (0); 579 } 580 581 int 582 config_getpfkey(struct iked *env, struct imsg *imsg) 583 { 584 log_debug("%s: received pfkey fd %d", __func__, imsg->fd); 585 pfkey_init(env, imsg->fd); 586 return (0); 587 } 588 589 int 590 config_setuser(struct iked *env, struct iked_user *usr, enum privsep_procid id) 591 { 592 if (env->sc_opts & IKED_OPT_NOACTION) { 593 print_user(usr); 594 return (0); 595 } 596 597 proc_compose(&env->sc_ps, id, IMSG_CFG_USER, usr, sizeof(*usr)); 598 return (0); 599 } 600 601 int 602 config_getuser(struct iked *env, struct imsg *imsg) 603 { 604 struct iked_user usr; 605 606 IMSG_SIZE_CHECK(imsg, &usr); 607 memcpy(&usr, imsg->data, sizeof(usr)); 608 609 if (config_new_user(env, &usr) == NULL) 610 return (-1); 611 612 print_user(&usr); 613 614 return (0); 615 } 616 617 int 618 config_setpolicy(struct iked *env, struct iked_policy *pol, 619 enum privsep_procid id) 620 { 621 struct iked_proposal *prop; 622 struct iked_flow *flow; 623 struct iked_transform *xform; 624 size_t size, iovcnt, j, c = 0; 625 struct iovec iov[IOV_MAX]; 626 627 iovcnt = 1; 628 size = sizeof(*pol); 629 TAILQ_FOREACH(prop, &pol->pol_proposals, prop_entry) { 630 size += (prop->prop_nxforms * sizeof(*xform)) + 631 (sizeof(*prop)); 632 iovcnt += prop->prop_nxforms + 1; 633 } 634 635 iovcnt += pol->pol_nflows; 636 637 if (iovcnt > IOV_MAX) { 638 log_warn("%s: too many proposals/flows", __func__); 639 return (-1); 640 } 641 642 iov[c].iov_base = pol; 643 iov[c++].iov_len = sizeof(*pol); 644 645 TAILQ_FOREACH(prop, &pol->pol_proposals, prop_entry) { 646 iov[c].iov_base = prop; 647 iov[c++].iov_len = sizeof(*prop); 648 649 for (j = 0; j < prop->prop_nxforms; j++) { 650 xform = prop->prop_xforms + j; 651 652 iov[c].iov_base = xform; 653 iov[c++].iov_len = sizeof(*xform); 654 } 655 } 656 657 RB_FOREACH(flow, iked_flows, &pol->pol_flows) { 658 iov[c].iov_base = flow; 659 iov[c++].iov_len = sizeof(*flow); 660 } 661 662 print_policy(pol); 663 664 if (env->sc_opts & IKED_OPT_NOACTION) 665 return (0); 666 667 if (proc_composev(&env->sc_ps, id, IMSG_CFG_POLICY, iov, iovcnt) == -1) 668 return (-1); 669 670 return (0); 671 } 672 673 int 674 config_getpolicy(struct iked *env, struct imsg *imsg) 675 { 676 struct iked_policy *pol; 677 struct iked_proposal pp, *prop; 678 struct iked_transform xf, *xform; 679 struct iked_flow *flow; 680 off_t offset = 0; 681 unsigned int i, j; 682 uint8_t *buf = (uint8_t *)imsg->data; 683 684 IMSG_SIZE_CHECK(imsg, pol); 685 log_debug("%s: received policy", __func__); 686 687 if ((pol = config_new_policy(NULL)) == NULL) 688 fatal("config_getpolicy: new policy"); 689 690 memcpy(pol, buf, sizeof(*pol)); 691 offset += sizeof(*pol); 692 693 TAILQ_INIT(&pol->pol_proposals); 694 TAILQ_INIT(&pol->pol_sapeers); 695 RB_INIT(&pol->pol_flows); 696 697 for (i = 0; i < pol->pol_nproposals; i++) { 698 memcpy(&pp, buf + offset, sizeof(pp)); 699 offset += sizeof(pp); 700 701 if ((prop = config_add_proposal(&pol->pol_proposals, 702 pp.prop_id, pp.prop_protoid)) == NULL) 703 fatal("config_getpolicy: add proposal"); 704 705 for (j = 0; j < pp.prop_nxforms; j++) { 706 memcpy(&xf, buf + offset, sizeof(xf)); 707 offset += sizeof(xf); 708 709 if ((xform = config_add_transform(prop, xf.xform_type, 710 xf.xform_id, xf.xform_length, 711 xf.xform_keylength)) == NULL) 712 fatal("config_getpolicy: add transform"); 713 } 714 } 715 716 for (i = 0; i < pol->pol_nflows; i++) { 717 if ((flow = calloc(1, sizeof(*flow))) == NULL) 718 fatal("config_getpolicy: new flow"); 719 720 memcpy(flow, buf + offset, sizeof(*flow)); 721 offset += sizeof(*flow); 722 723 if (RB_INSERT(iked_flows, &pol->pol_flows, flow)) 724 free(flow); 725 } 726 727 TAILQ_INSERT_TAIL(&env->sc_policies, pol, pol_entry); 728 729 if (pol->pol_flags & IKED_POLICY_DEFAULT) { 730 /* Only one default policy, just free/unref the old one */ 731 if (env->sc_defaultcon != NULL) 732 config_free_policy(env, env->sc_defaultcon); 733 env->sc_defaultcon = pol; 734 } 735 736 return (0); 737 } 738 739 int 740 config_setcompile(struct iked *env, enum privsep_procid id) 741 { 742 if (env->sc_opts & IKED_OPT_NOACTION) 743 return (0); 744 745 proc_compose(&env->sc_ps, id, IMSG_COMPILE, NULL, 0); 746 return (0); 747 } 748 749 int 750 config_getcompile(struct iked *env, struct imsg *imsg) 751 { 752 /* 753 * Do any necessary steps after configuration, for now we 754 * only need to compile the skip steps. 755 */ 756 policy_calc_skip_steps(&env->sc_policies); 757 758 log_debug("%s: compilation done", __func__); 759 return (0); 760 } 761 762 int 763 config_setocsp(struct iked *env) 764 { 765 if (env->sc_opts & IKED_OPT_NOACTION) 766 return (0); 767 proc_compose(&env->sc_ps, PROC_CERT, 768 IMSG_OCSP_URL, env->sc_ocsp_url, 769 env->sc_ocsp_url ? strlen(env->sc_ocsp_url) : 0); 770 771 return (0); 772 } 773 774 int 775 config_getocsp(struct iked *env, struct imsg *imsg) 776 { 777 free(env->sc_ocsp_url); 778 if (IMSG_DATA_SIZE(imsg) > 0) 779 env->sc_ocsp_url = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); 780 else 781 env->sc_ocsp_url = NULL; 782 log_debug("%s: ocsp_url %s", __func__, 783 env->sc_ocsp_url ? env->sc_ocsp_url : "none"); 784 return (0); 785 } 786