#include "vpn_control.h"
#include "vpn_control_var.h"
#include "ike_session.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#include "power_mgmt.h"
#include "session.h"
#endif
};
-static int addnewsp (caddr_t *);
-
/* cope with old kame headers - ugly */
#ifndef SADB_X_AALG_MD5
#define SADB_X_AALG_MD5 SADB_AALG_MD5
/* when SPD is empty, treat the state as no error. */
if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
msg->sadb_msg_errno == ENOENT)
- pri = ASL_LEVEL_DEBUG;
+ pri = ASL_LEVEL_NOTICE;
else
pri = ASL_LEVEL_ERR;
}
if (pkrecvf[msg->sadb_msg_type] == NULL) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"unsupported PF_KEY message %s\n",
s_pfkey_type(msg->sadb_msg_type));
goto end;
ssize_t len;
if (slept_at || woke_at) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_DEBUG,
"ignoring pfkey port until power-mgmt event is handled.\n");
return;
}
return;
} else {
/* short message - msg not ready */
- plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n");
+ plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n");
return;
}
}
struct saved_msg_elem *elem_tmp = NULL;
if (slept_at || woke_at) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
return;
}
sa->sadb_sa_spi,
sa_mode));
- plog(ASL_LEVEL_INFO,
- "IPsec-SA established: %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- msg->sadb_msg_satype, sa->sadb_sa_spi,
- sa_mode));
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
+ "IPsec-SA established (update): %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ sa_mode));
}
if (pr->ok == 0)
/* update status */
fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED);
- if (iph2->side == INITIATOR) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC,
- CONSTSTR("Initiator, Quick-Mode"),
- CONSTSTR(NULL));
- } else {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC,
- CONSTSTR("Responder, Quick-Mode"),
- CONSTSTR(NULL));
- }
-
ike_session_ph2_established(iph2);
IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n",
* because they must be updated by SADB_UPDATE message
*/
- plog(ASL_LEVEL_INFO,
- "IPsec-SA established: %s\n",
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
+ "IPsec-SA established (add): %s\n",
sadbsecas2str(iph2->src, iph2->dst,
msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
return -1;
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA expired: satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
"IPsec-SA expired: %s\n",
sadbsecas2str(src, dst,
msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
goto err;
}
-#if !TARGET_OS_EMBEDDED
+#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
if ( lcconf->vt == NULL){
if (!(lcconf->vt = vproc_transaction_begin(NULL)))
plog(ASL_LEVEL_ERR,
"vproc_transaction_begin returns NULL.\n");
}
-#endif
+#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
return 0;
return eay_random();
}
-static int
+int
addnewsp(mhp)
caddr_t *mhp;
{
struct secpolicy *new;
struct sadb_address *saddr, *daddr;
struct sadb_x_policy *xpl;
+ struct sadb_ext *ext;
/* sanity check */
if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+
xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ /* validity check */
+ if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
+ plog(ASL_LEVEL_ERR,
+ "invalid msg length.\n");
+ return -1;
+ }
new = newsp();
if (new == NULL) {
struct sadb_x_ipsecrequest *xisr;
struct ipsecrequest **p_isr = &new->req;
- /* validity check */
- if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
- plog(ASL_LEVEL_ERR,
- "invalid msg length.\n");
- return -1;
- }
-
tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
while (tlen > 0) {
+ if (tlen < sizeof(*xisr) ||
+ tlen < xisr->sadb_x_ipsecrequest_len) {
+ plog(ASL_LEVEL_ERR,
+ "invalid msg length for ipsec request.\n");
+ return -1;
+ }
/* length check */
if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
/* set IP addresses if there */
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
struct sockaddr *paddr;
+ int rem_buf_len = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr);
paddr = (struct sockaddr *)(xisr + 1);
+ if (rem_buf_len < sizeof(*paddr) ||
+ rem_buf_len < sysdep_sa_len(paddr)) {
+ plog(ASL_LEVEL_ERR,
+ "invalid msg length for src ip address.\n");
+ return -1;
+ }
bcopy(paddr, &(*p_isr)->saidx.src,
sysdep_sa_len(paddr));
+ rem_buf_len -= sysdep_sa_len(paddr);
+
paddr = (struct sockaddr *)((caddr_t)paddr
+ sysdep_sa_len(paddr));
+ if (rem_buf_len < sizeof(*paddr) ||
+ rem_buf_len < sysdep_sa_len(paddr)) {
+ plog(ASL_LEVEL_ERR,
+ "invalid msg length for dst ip address.\n");
+ return -1;
+ }
bcopy(paddr, &(*p_isr)->saidx.dst,
sysdep_sa_len(paddr));
}
default:
plog(ASL_LEVEL_ERR,
"invalid policy type.\n");
+ delsp(new);
return -1;
}
projects / apple / ipsec.git / blobdiff