]> git.saurik.com Git - apple/ipsec.git/blobdiff - ipsec-tools/racoon/isakmp_cfg.c
projects / apple / ipsec.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ipsec-326.120.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / isakmp_cfg.c
diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c
index c72600ac82abd29453a0c91a41fb3e06a5454c37..430855890f0f63b394fff4a9424996ff1c000941 100644 (file)
--- a/ipsec-tools/racoon/isakmp_cfg.c
+++ b/ipsec-tools/racoon/isakmp_cfg.c
@@ -39,9 +39,8 @@
 #include <sys/queue.h>
 
 #include <utmpx.h>
 #include <sys/queue.h>
 
 #include <utmpx.h>
-#if defined(__APPLE__) && defined(__MACH__)
 #include <util.h>
 #include <util.h>
-#endif
+
 
 #ifdef __FreeBSD__
 # include <libutil.h>
 
 #ifdef __FreeBSD__
 # include <libutil.h>
@@ -75,12 +74,6 @@
 #include <stdint.h>
 #endif
 #include <ctype.h>
 #include <stdint.h>
 #endif
 #include <ctype.h>
-#include <resolv.h>
-
-#ifdef HAVE_LIBRADIUS
-#include <sys/utsname.h>
-#include <radlib.h>
-#endif
 
 #include "var.h"
 #include "misc.h"
 
 #include "var.h"
 #include "misc.h"
@@ -89,11 +82,11 @@
 #include "sockmisc.h"
 #include "schedule.h"
 #include "debug.h"
 #include "sockmisc.h"
 #include "schedule.h"
 #include "debug.h"
+#include "fsm.h"
 
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "handler.h"
 
 #include "isakmp_var.h"
 #include "isakmp.h"
 #include "handler.h"
-#include "evt.h"
 #include "throttle.h"
 #include "remoteconf.h"
 #include "localconf.h"
 #include "throttle.h"
 #include "remoteconf.h"
 #include "localconf.h"
@@ -103,8 +96,6 @@
 #include "isakmp_unity.h"
 #include "isakmp_cfg.h"
 #include "strnames.h"
 #include "isakmp_unity.h"
 #include "isakmp_cfg.h"
 #include "strnames.h"
-#include "admin.h"
-#include "privsep.h"
 #include "vpn_control.h"
 #include "vpn_control_var.h"
 #include "ike_session.h"
 #include "vpn_control.h"
 #include "vpn_control_var.h"
 #include "ike_session.h"
@@ -114,27 +105,23 @@
 
 struct isakmp_cfg_config isakmp_cfg_config;
 
 
 struct isakmp_cfg_config isakmp_cfg_config;
 
-static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
-static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
+static vchar_t *buffer_cat (vchar_t *s, vchar_t *append);
+static vchar_t *isakmp_cfg_net (phase1_handle_t *, struct isakmp_data *);
 #if 0
 #if 0
-static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *);
+static vchar_t *isakmp_cfg_void (phase1_handle_t *, struct isakmp_data *);
 #endif
 #endif
-static vchar_t *isakmp_cfg_addr4(struct ph1handle *, 
+static vchar_t *isakmp_cfg_addr4 (phase1_handle_t *, 
                                 struct isakmp_data *, in_addr_t *);
                                 struct isakmp_data *, in_addr_t *);
-static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
-static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
+static void isakmp_cfg_getaddr4 (struct isakmp_data *, struct in_addr *);
+static vchar_t *isakmp_cfg_addr4_list (phase1_handle_t *,
                                      struct isakmp_data *, in_addr_t *, int);
                                      struct isakmp_data *, in_addr_t *, int);
-static void isakmp_cfg_appendaddr4(struct isakmp_data *, 
+static void isakmp_cfg_appendaddr4 (struct isakmp_data *, 
                                   struct in_addr *, int *, int);
                                   struct in_addr *, int *, int);
-static void isakmp_cfg_getstring(struct isakmp_data *,char *);
-void isakmp_cfg_iplist_to_str(char *, int, void *, int);
+static void isakmp_cfg_getstring (struct isakmp_data *,char *);
+void isakmp_cfg_iplist_to_str (char *, int, void *, int);
 
 #define ISAKMP_CFG_LOGIN       1
 #define ISAKMP_CFG_LOGOUT      2
 
 #define ISAKMP_CFG_LOGIN       1
 #define ISAKMP_CFG_LOGOUT      2
-static int isakmp_cfg_accounting(struct ph1handle *, int);
-#ifdef HAVE_LIBRADIUS
-static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
-#endif
 
 /* 
  * Handle an ISAKMP config mode packet
 
 /* 
  * Handle an ISAKMP config mode packet
@@ -142,7 +129,7 @@ static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
  */
 void
 isakmp_cfg_r(iph1, msg)
  */
 void
 isakmp_cfg_r(iph1, msg)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        vchar_t *msg;
 {
        struct isakmp *packet;
        vchar_t *msg;
 {
        struct isakmp *packet;
@@ -152,7 +139,7 @@ isakmp_cfg_r(iph1, msg)
        int np;
        vchar_t *dmsg;
        struct isakmp_ivm *ivm;
        int np;
        vchar_t *dmsg;
        struct isakmp_ivm *ivm;
-       struct ph2handle *iph2;
+       phase2_handle_t *iph2;
        int               error = -1;
 
        /* Check that the packet is long enough to have a header */
        int               error = -1;
 
        /* Check that the packet is long enough to have a header */
@@ -161,7 +148,7 @@ isakmp_cfg_r(iph1, msg)
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. Unexpected short packet"),
                                                                CONSTSTR("Failed to process short MODE-Config packet"));
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. Unexpected short packet"),
                                                                CONSTSTR("Failed to process short MODE-Config packet"));
-               plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n");
+               plog(ASL_LEVEL_ERR, "Unexpected short packet\n");
                return;
        }
 
                return;
        }
 
@@ -173,7 +160,7 @@ isakmp_cfg_r(iph1, msg)
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. User credentials sent in cleartext"),
                                                                CONSTSTR("Dropped cleattext User credentials"));
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. User credentials sent in cleartext"),
                                                                CONSTSTR("Dropped cleattext User credentials"));
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "User credentials sent in cleartext!\n");
                return;
        }
                    "User credentials sent in cleartext!\n");
                return;
        }
@@ -194,13 +181,12 @@ isakmp_cfg_r(iph1, msg)
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. Failed to decrypt packet"),
                                                                CONSTSTR("Failed to decrypt MODE-Config packet"));
                                                                IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
                                                                CONSTSTR("MODE-Config. Failed to decrypt packet"),
                                                                CONSTSTR("Failed to decrypt MODE-Config packet"));
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "failed to decrypt message\n");
                return;
        }
 
                    "failed to decrypt message\n");
                return;
        }
 
-       plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n");
-       plogdump(LLV_DEBUG, dmsg->v, dmsg->l);
+       plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n");
 
        /* Now work with the decrypted packet */
        packet = (struct isakmp *)dmsg->v;
 
        /* Now work with the decrypted packet */
        packet = (struct isakmp *)dmsg->v;
@@ -211,20 +197,19 @@ isakmp_cfg_r(iph1, msg)
        while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
                /* Check that the payload header fits in the packet */
                if (tlen < sizeof(*ph)) {
        while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
                /* Check that the payload header fits in the packet */
                if (tlen < sizeof(*ph)) {
-                        plog(LLV_WARNING, LOCATION, NULL
+                        plog(ASL_LEVEL_WARNING
                              "Short payload header\n");
                         goto out;
                }
 
                /* Check that the payload fits in the packet */
                if (tlen < ntohs(ph->len)) {
                              "Short payload header\n");
                         goto out;
                }
 
                /* Check that the payload fits in the packet */
                if (tlen < ntohs(ph->len)) {
-                       plog(LLV_WARNING, LOCATION, NULL
+                       plog(ASL_LEVEL_WARNING
                              "Short payload\n");
                        goto out;
                }
                
                              "Short payload\n");
                        goto out;
                }
                
-               plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np);
-               plogdump(LLV_DEBUG, ph, ntohs(ph->len));
+               plog(ASL_LEVEL_DEBUG, "Seen payload %d\n", np);
 
                switch(np) {
                case ISAKMP_NPTYPE_HASH: {
 
                switch(np) {
                case ISAKMP_NPTYPE_HASH: {
@@ -236,9 +221,17 @@ isakmp_cfg_r(iph1, msg)
                        plen = ntohs(ph->len);
                        nph = (struct isakmp_gen *)((char *)ph + plen);
                        plen = ntohs(nph->len);
                        plen = ntohs(ph->len);
                        nph = (struct isakmp_gen *)((char *)ph + plen);
                        plen = ntohs(nph->len);
-
+            /* Check that the hash payload fits in the packet */
+                       if (tlen < (plen + ntohs(ph->len))) {
+                               plog(ASL_LEVEL_WARNING, 
+                                        "Invalid Hash payload. len %d, overall-len %d\n",
+                                        ntohs(nph->len),
+                                        (int)plen);
+                               goto out;
+                       }
+            
                        if ((payload = vmalloc(plen)) == NULL) {
                        if ((payload = vmalloc(plen)) == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL
+                               plog(ASL_LEVEL_ERR
                                    "Cannot allocate memory\n");
                                goto out;
                        }
                                    "Cannot allocate memory\n");
                                goto out;
                        }
@@ -246,14 +239,14 @@ isakmp_cfg_r(iph1, msg)
 
                        if ((check = oakley_compute_hash1(iph1, 
                            packet->msgid, payload)) == NULL) {
 
                        if ((check = oakley_compute_hash1(iph1, 
                            packet->msgid, payload)) == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL
+                               plog(ASL_LEVEL_ERR
                                    "Cannot compute hash\n");
                                vfree(payload);
                                goto out;
                        }
 
                                    "Cannot compute hash\n");
                                vfree(payload);
                                goto out;
                        }
 
-                       if (memcmp(ph + 1, check->v, check->l) != 0) {
-                               plog(LLV_ERROR, LOCATION, NULL
+                       if (timingsafe_bcmp(ph + 1, check->v, check->l) != 0) {
+                               plog(ASL_LEVEL_ERR
                                    "Hash verification failed\n");
                                vfree(payload);
                                vfree(check);
                                    "Hash verification failed\n");
                                vfree(payload);
                                vfree(check);
@@ -272,7 +265,7 @@ isakmp_cfg_r(iph1, msg)
                        break;
                }
                default:
                        break;
                }
                default:
-                        plog(LLV_WARNING, LOCATION, NULL
+                        plog(ASL_LEVEL_WARNING
                              "Unexpected next payload %d\n", np);
                         /* Skip to the next payload */
                         break;
                              "Unexpected next payload %d\n", np);
                         /* Skip to the next payload */
                         break;
@@ -287,13 +280,11 @@ isakmp_cfg_r(iph1, msg)
 
        error = 0;
        /* find phase 2 in case pkt scheduled for resend */
 
        error = 0;
        /* find phase 2 in case pkt scheduled for resend */
-       iph2 = getph2bymsgid(iph1, packet->msgid);
+       iph2 = ike_session_getph2bymsgid(iph1, packet->msgid);
        if (iph2 == NULL)
                goto out;               /* no resend scheduled */
        SCHED_KILL(iph2->scr);  /* turn off schedule */
        if (iph2 == NULL)
                goto out;               /* no resend scheduled */
        SCHED_KILL(iph2->scr);  /* turn off schedule */
-       unbindph12(iph2);
-       remph2(iph2);
-       delph2(iph2);
+       ike_session_unlink_phase2(iph2);
 
        IPSECSESSIONTRACEREVENT(iph1->parent_session,
                                                        IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
 
        IPSECSESSIONTRACEREVENT(iph1->parent_session,
                                                        IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
@@ -311,14 +302,14 @@ out:
 
 int
 isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) 
 
 int
 isakmp_cfg_attr_r(iph1, msgid, attrpl, msg) 
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        u_int32_t msgid;
        struct isakmp_pl_attr *attrpl;
        vchar_t *msg;
 {
        int type = attrpl->type;
 
        u_int32_t msgid;
        struct isakmp_pl_attr *attrpl;
        vchar_t *msg;
 {
        int type = attrpl->type;
 
-       plog(LLV_DEBUG, LOCATION, NULL,
+       plog(ASL_LEVEL_NOTICE,
             "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
        switch (type) {
        case ISAKMP_CFG_ACK:
             "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
        switch (type) {
        case ISAKMP_CFG_ACK:
@@ -343,7 +334,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
                break;
 
        default:
                break;
 
        default:
-               plog(LLV_WARNING, LOCATION, NULL,
+               plog(ASL_LEVEL_WARNING, 
                     "Unepected configuration exchange type %d\n", type);
                return -1;
                break;
                     "Unepected configuration exchange type %d\n", type);
                return -1;
                break;
@@ -354,7 +345,7 @@ isakmp_cfg_attr_r(iph1, msgid, attrpl, msg)
 
 int
 isakmp_cfg_reply(iph1, attrpl)
 
 int
 isakmp_cfg_reply(iph1, attrpl)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_pl_attr *attrpl;
 {
        struct isakmp_data *attr;
        struct isakmp_pl_attr *attrpl;
 {
        struct isakmp_data *attr;
@@ -372,13 +363,19 @@ isakmp_cfg_reply(iph1, attrpl)
        tlen -= sizeof(*attrpl);
 
        while (tlen > 0) {
        tlen -= sizeof(*attrpl);
 
        while (tlen > 0) {
+               if (tlen < sizeof(struct isakmp_data)) {
+                       plog(ASL_LEVEL_ERR,
+                                "isakmp_cfg_reply invalid length of isakmp data, expected %zu actual %d\n",
+                                sizeof(struct isakmp_data), tlen);
+                       return -1;
+               }
                type = ntohs(attr->type);
 
                /* Handle short attributes */
                if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
                        type &= ~ISAKMP_GEN_MASK;
 
                type = ntohs(attr->type);
 
                /* Handle short attributes */
                if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
                        type &= ~ISAKMP_GEN_MASK;
 
-                       plog(LLV_DEBUG, LOCATION, NULL,
+                       plog(ASL_LEVEL_DEBUG, 
                             "Short attribute %s = %d\n", 
                             s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
                             "Short attribute %s = %d\n", 
                             s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
@@ -392,7 +389,7 @@ isakmp_cfg_reply(iph1, attrpl)
                                break;
 
                        default:
                                break;
 
                        default:
-                               plog(LLV_WARNING, LOCATION, NULL,
+                               plog(ASL_LEVEL_WARNING, 
                                     "Ignored short attribute %s\n",
                                     s_isakmp_cfg_type(type));
                                break;
                                     "Ignored short attribute %s\n",
                                     s_isakmp_cfg_type(type));
                                break;
@@ -407,14 +404,14 @@ isakmp_cfg_reply(iph1, attrpl)
                alen = ntohs(attr->lorv);
 
                /* Check that the attribute fit in the packet */
                alen = ntohs(attr->lorv);
 
                /* Check that the attribute fit in the packet */
-               if (tlen < alen) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                            "Short attribute %s\n",
-                            s_isakmp_cfg_type(type));
+               if (tlen < (alen + sizeof(struct isakmp_data))) {
+                       plog(ASL_LEVEL_ERR,
+                                "Short attribute %s len %zu\n",
+                                s_isakmp_cfg_type(type), alen);
                        return -1;
                }
 
                        return -1;
                }
 
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_DEBUG, 
                     "Attribute %s, len %zu\n", 
                     s_isakmp_cfg_type(type), alen);
 
                     "Attribute %s, len %zu\n", 
                     s_isakmp_cfg_type(type), alen);
 
@@ -487,7 +484,7 @@ isakmp_cfg_reply(iph1, attrpl)
                                break;  /* not actually ignored - don't fall thru */
                        // else fall thru
                default:
                                break;  /* not actually ignored - don't fall thru */
                        // else fall thru
                default:
-                       plog(LLV_WARNING, LOCATION, NULL,
+                       plog(ASL_LEVEL_WARNING, 
                             "Ignored attribute %s\n",
                             s_isakmp_cfg_type(type));
                        break;
                             "Ignored attribute %s\n",
                             s_isakmp_cfg_type(type));
                        break;
@@ -503,67 +500,33 @@ isakmp_cfg_reply(iph1, attrpl)
                /* connection was started by API - save attr list for passing to VPN controller */
                if (iph1->mode_cfg->attr_list != NULL)  /* shouldn't happen */
                        vfree(iph1->mode_cfg->attr_list);
                /* connection was started by API - save attr list for passing to VPN controller */
                if (iph1->mode_cfg->attr_list != NULL)  /* shouldn't happen */
                        vfree(iph1->mode_cfg->attr_list);
+               if (ntohs(attrpl->h.len) < sizeof(*attrpl)) {
+                       plog(ASL_LEVEL_ERR, 
+                                "invalid cfg-attr-list, attr-len %d\n",
+                                ntohs(attrpl->h.len));
+                       return -1;
+               }
                alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
                if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) {
                alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
                if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                             "Cannot allocate memory for mode-cfg attribute list\n");
                        return -1;
                }
                memcpy(iph1->mode_cfg->attr_list->v, attrpl + 1, alen);
        }
                
                             "Cannot allocate memory for mode-cfg attribute list\n");
                        return -1;
                }
                memcpy(iph1->mode_cfg->attr_list->v, attrpl + 1, alen);
        }
                
-       /* 
-        * Call the SA up script hook now that we have the configuration
-        * It is done at the end of phase 1 if ISAKMP mode config is not
-        * requested.
-        */
-       
-       if ((iph1->status == PHASE1ST_ESTABLISHED) && 
-           iph1->rmconf->mode_cfg) {
-               switch (AUTHMETHOD(iph1)) {
-               case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
-               case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
-               /* Unimplemented */
-               case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 
-                       script_hook(iph1, SCRIPT_PHASE1_UP);
-                       break;
-               default:
-                       break;
-               }
-       }
                
 #ifdef ENABLE_VPNCONTROL_PORT
                
 #ifdef ENABLE_VPNCONTROL_PORT
-       if (iph1->status == PHASE1ST_ESTABLISHED)
+       if (FSM_STATE_IS_ESTABLISHED(iph1->status))
                vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
 #endif
 
                vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
 #endif
 
-#ifdef ENABLE_ADMINPORT
-       {
-               vchar_t *buf;
-
-               alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
-               if ((buf = vmalloc(alen)) == NULL) {
-                       plog(LLV_WARNING, LOCATION, NULL, 
-                           "Cannot allocate memory: %s\n", strerror(errno));
-               } else {
-                       memcpy(buf->v, attrpl + 1, buf->l);
-                       EVT_PUSH(iph1->local, iph1->remote, 
-                           EVTT_ISAKMP_CFG_DONE, buf);
-                       vfree(buf);
-               }
-       }
-#endif
-
        return 0;
 }
 
 int
 isakmp_cfg_request(iph1, attrpl, msg)
        return 0;
 }
 
 int
 isakmp_cfg_request(iph1, attrpl, msg)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_pl_attr *attrpl;
        vchar_t *msg;
 {
        struct isakmp_pl_attr *attrpl;
        vchar_t *msg;
 {
@@ -601,16 +564,25 @@ isakmp_cfg_request(iph1, attrpl, msg)
                iph1->xauth_awaiting_userinput = 1;
                iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later
                ike_session_start_xauth_timer(iph1);
                iph1->xauth_awaiting_userinput = 1;
                iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later
                ike_session_start_xauth_timer(iph1);
+
+               IPSECLOGASLMSG("IPSec Extended Authentication requested.\n");
+
                return 0;
        }
 
        if ((payload = vmalloc(sizeof(*reply))) == NULL) {
                return 0;
        }
 
        if ((payload = vmalloc(sizeof(*reply))) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return -1;
        }
        memset(payload->v, 0, sizeof(*reply));
        
        while (tlen > 0) {
                return -1;
        }
        memset(payload->v, 0, sizeof(*reply));
        
        while (tlen > 0) {
+               if (tlen < sizeof(struct isakmp_data)) {
+                       plog(ASL_LEVEL_ERR,
+                                "isakmp_cfg_request invalid length of isakmp data, expected %zu actual %d\n",
+                                sizeof(struct isakmp_data), tlen);
+                       goto end;
+               }
                reply_attr = NULL;
                type = ntohs(attr->type);
 
                reply_attr = NULL;
                type = ntohs(attr->type);
 
@@ -618,7 +590,7 @@ isakmp_cfg_request(iph1, attrpl, msg)
                if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
                        type &= ~ISAKMP_GEN_MASK;
 
                if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
                        type &= ~ISAKMP_GEN_MASK;
 
-                       plog(LLV_DEBUG, LOCATION, NULL,
+                       plog(ASL_LEVEL_DEBUG, 
                             "Short attribute %s = %d\n", 
                             s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
                             "Short attribute %s = %d\n", 
                             s_isakmp_cfg_type(type), ntohs(attr->lorv));
 
@@ -627,7 +599,7 @@ isakmp_cfg_request(iph1, attrpl, msg)
                                reply_attr = isakmp_xauth_req(iph1, attr);
                                break;
                        default:
                                reply_attr = isakmp_xauth_req(iph1, attr);
                                break;
                        default:
-                               plog(LLV_WARNING, LOCATION, NULL,
+                               plog(ASL_LEVEL_WARNING, 
                                     "Ignored short attribute %s\n",
                                     s_isakmp_cfg_type(type));
                                break;
                                     "Ignored short attribute %s\n",
                                     s_isakmp_cfg_type(type));
                                break;
@@ -648,14 +620,14 @@ isakmp_cfg_request(iph1, attrpl, msg)
                alen = ntohs(attr->lorv);
 
                /* Check that the attribute fit in the packet */
                alen = ntohs(attr->lorv);
 
                /* Check that the attribute fit in the packet */
-               if (tlen < alen) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                            "Short attribute %s\n",
-                            s_isakmp_cfg_type(type));
+               if (tlen < (sizeof(struct isakmp_data) + alen)) {
+                       plog(ASL_LEVEL_ERR,
+                                "Short attribute %s len %zu\n",
+                                s_isakmp_cfg_type(type), alen);
                        goto end;
                }
 
                        goto end;
                }
 
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_DEBUG, 
                     "Attribute %s, len %zu\n",
                     s_isakmp_cfg_type(type), alen);
 
                     "Attribute %s, len %zu\n",
                     s_isakmp_cfg_type(type), alen);
 
@@ -702,7 +674,7 @@ isakmp_cfg_request(iph1, attrpl, msg)
 
                case INTERNAL_ADDRESS_EXPIRY:
                default:
 
                case INTERNAL_ADDRESS_EXPIRY:
                default:
-                       plog(LLV_WARNING, LOCATION, NULL,
+                       plog(ASL_LEVEL_WARNING, 
                             "Ignored attribute %s\n",
                             s_isakmp_cfg_type(type));
                        break;
                             "Ignored attribute %s\n",
                             s_isakmp_cfg_type(type));
                        break;
@@ -723,32 +695,12 @@ isakmp_cfg_request(iph1, attrpl, msg)
        reply->type = ISAKMP_CFG_REPLY;
        reply->id = attrpl->id;
 
        reply->type = ISAKMP_CFG_REPLY;
        reply->id = attrpl->id;
 
-       plog(LLV_DEBUG, LOCATION, NULL, 
+       plog(ASL_LEVEL_NOTICE,
                    "Sending MODE_CFG REPLY\n");
 
        error = isakmp_cfg_send(iph1, payload, 
            ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg);
 
                    "Sending MODE_CFG REPLY\n");
 
        error = isakmp_cfg_send(iph1, payload, 
            ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg);
 
-       if (iph1->status == PHASE1ST_ESTABLISHED) {
-               switch (AUTHMETHOD(iph1)) {
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-               case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-               /* Unimplemented */
-               case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 
-               case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 
-                       script_hook(iph1, SCRIPT_PHASE1_UP);
-                       break;
-               default:
-                       break;
-               }
-#ifdef ENABLE_VPNCONTROL_PORT
-               vpncontrol_notify_phase_change(0, FROM_LOCAL, iph1, NULL);
-#endif
-
-       }
        
 end:
        vfree(payload);
        
 end:
        vfree(payload);
@@ -758,7 +710,7 @@ end:
 
 int
 isakmp_cfg_set(iph1, attrpl, msg)
 
 int
 isakmp_cfg_set(iph1, attrpl, msg)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_pl_attr *attrpl;
     vchar_t *msg;
 {
        struct isakmp_pl_attr *attrpl;
     vchar_t *msg;
 {
@@ -773,7 +725,7 @@ isakmp_cfg_set(iph1, attrpl, msg)
        int error = -1;
 
        if ((payload = vmalloc(sizeof(*reply))) == NULL) {
        int error = -1;
 
        if ((payload = vmalloc(sizeof(*reply))) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return -1;
        }
        memset(payload->v, 0, sizeof(*reply));
                return -1;
        }
        memset(payload->v, 0, sizeof(*reply));
@@ -786,10 +738,17 @@ isakmp_cfg_set(iph1, attrpl, msg)
         * We should send ack for the attributes we accepted 
         */
        while (tlen > 0) {
         * We should send ack for the attributes we accepted 
         */
        while (tlen > 0) {
+               if (tlen < sizeof(struct isakmp_data)) {
+                       plog(ASL_LEVEL_ERR,
+                                "isakmp_cfg_set invalid length of isakmp data, expected %zu actual %d\n",
+                                sizeof(struct isakmp_data), tlen);
+                       vfree(payload);
+                       return error;
+               }
                reply_attr = NULL;
                type = ntohs(attr->type);
 
                reply_attr = NULL;
                type = ntohs(attr->type);
 
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_DEBUG, 
                     "Attribute %s\n", 
                     s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
                
                     "Attribute %s\n", 
                     s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
                
@@ -798,7 +757,7 @@ isakmp_cfg_set(iph1, attrpl, msg)
                        reply_attr = isakmp_xauth_set(iph1, attr);
                        break;
                default:
                        reply_attr = isakmp_xauth_set(iph1, attr);
                        break;
                default:
-                       plog(LLV_DEBUG, LOCATION, NULL,
+                       plog(ASL_LEVEL_DEBUG, 
                             "Unexpected SET attribute %s\n", 
                             s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
                        break;
                             "Unexpected SET attribute %s\n", 
                             s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
                        break;
@@ -818,6 +777,13 @@ isakmp_cfg_set(iph1, attrpl, msg)
                        attr++;
                } else {
                        alen = ntohs(attr->lorv);
                        attr++;
                } else {
                        alen = ntohs(attr->lorv);
+                       if (tlen < (sizeof(*attr) + alen)) {
+                               plog(ASL_LEVEL_ERR,
+                                        "isakmp_cfg_set packet too short for type %d, expected %zu actual %zu\n",
+                                        type, alen, tlen - sizeof(*attr));
+                               vfree(payload);
+                               return error;
+                       }
                        tlen -= (sizeof(*attr) + alen);
                        npp = (char *)attr;
                        attr = (struct isakmp_data *)
                        tlen -= (sizeof(*attr) + alen);
                        npp = (char *)attr;
                        attr = (struct isakmp_data *)
@@ -830,17 +796,16 @@ isakmp_cfg_set(iph1, attrpl, msg)
        reply->type = ISAKMP_CFG_ACK;
        reply->id = attrpl->id;
 
        reply->type = ISAKMP_CFG_ACK;
        reply->id = attrpl->id;
 
-       plog(LLV_DEBUG, LOCATION, NULL,
+       plog(ASL_LEVEL_NOTICE,
                     "Sending MODE_CFG ACK\n");
 
        error = isakmp_cfg_send(iph1, payload, 
            ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg);
 
        if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
                     "Sending MODE_CFG ACK\n");
 
        error = isakmp_cfg_send(iph1, payload, 
            ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0, 0, msg);
 
        if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
-               if (iph1->status == PHASE1ST_ESTABLISHED)
+               if (FSM_STATE_IS_ESTABLISHED(iph1->status))
                        isakmp_info_send_d1(iph1);
                        isakmp_info_send_d1(iph1);
-               remph1(iph1);
-               delph1(iph1);
+               isakmp_ph1expire(iph1);
                iph1 = NULL;
        }
        vfree(payload);
                iph1 = NULL;
        }
        vfree(payload);
@@ -864,7 +829,7 @@ buffer_cat(s, append)
 
        new = vmalloc(s->l + append->l);
        if (new == NULL) {
 
        new = vmalloc(s->l + append->l);
        if (new == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "Cannot allocate memory\n");
                return s;
        }
                    "Cannot allocate memory\n");
                return s;
        }
@@ -878,12 +843,11 @@ buffer_cat(s, append)
 
 static vchar_t *
 isakmp_cfg_net(iph1, attr)
 
 static vchar_t *
 isakmp_cfg_net(iph1, attr)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
 {
        int type;
        int confsource;
        struct isakmp_data *attr;
 {
        int type;
        int confsource;
-       in_addr_t addr4;
 
        type = ntohs(attr->type);
 
 
        type = ntohs(attr->type);
 
@@ -891,7 +855,7 @@ isakmp_cfg_net(iph1, attr)
         * Don't give an address to a peer that did not succeed Xauth
         */
        if (xauth_check(iph1) != 0) {
         * Don't give an address to a peer that did not succeed Xauth
         */
        if (xauth_check(iph1) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                    "Attempt to start phase config whereas Xauth failed\n");
                return NULL;
        }
                    "Attempt to start phase config whereas Xauth failed\n");
                return NULL;
        }
@@ -902,39 +866,13 @@ isakmp_cfg_net(iph1, attr)
         * configuration source, we will jump
         * back to this point.
         */
         * configuration source, we will jump
         * back to this point.
         */
-retry_source:
 
        switch(type) {
        case INTERNAL_IP4_ADDRESS:
                switch(confsource) {
 
        switch(type) {
        case INTERNAL_IP4_ADDRESS:
                switch(confsource) {
-#ifdef HAVE_LIBLDAP
-               case ISAKMP_CFG_CONF_LDAP:
-                       if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
-                           break;
-                       plog(LLV_INFO, LOCATION, NULL, 
-                           "No IP from LDAP, using local pool\n");
-                       /* FALLTHROUGH */
-                       confsource = ISAKMP_CFG_CONF_LOCAL;
-                       goto retry_source;
-#endif
-#ifdef HAVE_LIBRADIUS
-               case ISAKMP_CFG_CONF_RADIUS:
-                       if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
-                           && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
-                           /*
-                            * -2 is 255.255.255.254, RADIUS uses that
-                            * to instruct the NAS to use a local pool
-                            */
-                           break;
-                       plog(LLV_INFO, LOCATION, NULL, 
-                           "No IP from RADIUS, using local pool\n");
-                       /* FALLTHROUGH */
-                       confsource = ISAKMP_CFG_CONF_LOCAL;
-                       goto retry_source;
-#endif
                case ISAKMP_CFG_CONF_LOCAL:
                        if (isakmp_cfg_getport(iph1) == -1) {
                case ISAKMP_CFG_CONF_LOCAL:
                        if (isakmp_cfg_getport(iph1) == -1) {
-                               plog(LLV_ERROR, LOCATION, NULL
+                               plog(ASL_LEVEL_ERR
                                    "Port pool depleted\n");
                                break;
                        }
                                    "Port pool depleted\n");
                                break;
                        }
@@ -946,39 +884,16 @@ retry_source:
                        break;
 
                default:
                        break;
 
                default:
-                       plog(LLV_ERROR, LOCATION, NULL
+                       plog(ASL_LEVEL_ERR
                            "Unexpected confsource\n");
                }
                        
                            "Unexpected confsource\n");
                }
                        
-               if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0)
-                       plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
-
                return isakmp_cfg_addr4(iph1, 
                    attr, &iph1->mode_cfg->addr4.s_addr);
                break;
 
        case INTERNAL_IP4_NETMASK:
                switch(confsource) {
                return isakmp_cfg_addr4(iph1, 
                    attr, &iph1->mode_cfg->addr4.s_addr);
                break;
 
        case INTERNAL_IP4_NETMASK:
                switch(confsource) {
-#ifdef HAVE_LIBLDAP
-               case ISAKMP_CFG_CONF_LDAP:
-                       if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
-                               break;
-                       plog(LLV_INFO, LOCATION, NULL, 
-                           "No mask from LDAP, using local pool\n");
-                       /* FALLTHROUGH */
-                       confsource = ISAKMP_CFG_CONF_LOCAL;
-                       goto retry_source;
-#endif
-#ifdef HAVE_LIBRADIUS
-               case ISAKMP_CFG_CONF_RADIUS:
-                       if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
-                               break;
-                       plog(LLV_INFO, LOCATION, NULL, 
-                           "No mask from RADIUS, using local pool\n");
-                       /* FALLTHROUGH */
-                       confsource = ISAKMP_CFG_CONF_LOCAL;
-                       goto retry_source;
-#endif
                case ISAKMP_CFG_CONF_LOCAL:
                        iph1->mode_cfg->mask4.s_addr 
                            = isakmp_cfg_config.netmask4;
                case ISAKMP_CFG_CONF_LOCAL:
                        iph1->mode_cfg->mask4.s_addr 
                            = isakmp_cfg_config.netmask4;
@@ -986,7 +901,7 @@ retry_source:
                        break;
 
                default:
                        break;
 
                default:
-                       plog(LLV_ERROR, LOCATION, NULL
+                       plog(ASL_LEVEL_ERR
                            "Unexpected confsource\n");
                }
                return isakmp_cfg_addr4(iph1, attr, 
                            "Unexpected confsource\n");
                }
                return isakmp_cfg_addr4(iph1, attr, 
@@ -1011,7 +926,7 @@ retry_source:
                break;
 
        default:
                break;
 
        default:
-               plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type);
+               plog(ASL_LEVEL_ERR, "Unexpected type %d\n", type);
                break;
        }
        return NULL;
                break;
        }
        return NULL;
@@ -1020,14 +935,14 @@ retry_source:
 #if 0
 static vchar_t *
 isakmp_cfg_void(iph1, attr)
 #if 0
 static vchar_t *
 isakmp_cfg_void(iph1, attr)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
 {
        vchar_t *buffer;
        struct isakmp_data *new;
 
        if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
        struct isakmp_data *attr;
 {
        vchar_t *buffer;
        struct isakmp_data *new;
 
        if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return NULL;
        }
 
                return NULL;
        }
 
@@ -1042,7 +957,7 @@ isakmp_cfg_void(iph1, attr)
 
 vchar_t *
 isakmp_cfg_copy(iph1, attr)
 
 vchar_t *
 isakmp_cfg_copy(iph1, attr)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
 {
        vchar_t *buffer;
        struct isakmp_data *attr;
 {
        vchar_t *buffer;
@@ -1052,7 +967,7 @@ isakmp_cfg_copy(iph1, attr)
                len = ntohs(attr->lorv);
 
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
                len = ntohs(attr->lorv);
 
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return NULL;
        }
 
                return NULL;
        }
 
@@ -1063,7 +978,7 @@ isakmp_cfg_copy(iph1, attr)
 
 vchar_t *
 isakmp_cfg_short(iph1, attr, value)
 
 vchar_t *
 isakmp_cfg_short(iph1, attr, value)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
        int value;
 {
        struct isakmp_data *attr;
        int value;
 {
@@ -1072,7 +987,7 @@ isakmp_cfg_short(iph1, attr, value)
        int type;
 
        if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
        int type;
 
        if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return NULL;
        }
 
                return NULL;
        }
 
@@ -1087,7 +1002,7 @@ isakmp_cfg_short(iph1, attr, value)
 
 vchar_t *
 isakmp_cfg_varlen(iph1, attr, string, len)
 
 vchar_t *
 isakmp_cfg_varlen(iph1, attr, string, len)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
        char *string;
        size_t len;
        struct isakmp_data *attr;
        char *string;
        size_t len;
@@ -1097,7 +1012,7 @@ isakmp_cfg_varlen(iph1, attr, string, len)
        char *data;
 
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
        char *data;
 
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return NULL;
        }
 
                return NULL;
        }
 
@@ -1113,7 +1028,7 @@ isakmp_cfg_varlen(iph1, attr, string, len)
 }
 vchar_t *
 isakmp_cfg_string(iph1, attr, string)
 }
 vchar_t *
 isakmp_cfg_string(iph1, attr, string)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
        char *string;
 {
        struct isakmp_data *attr;
        char *string;
 {
@@ -1123,7 +1038,7 @@ isakmp_cfg_string(iph1, attr, string)
 
 static vchar_t *
 isakmp_cfg_addr4(iph1, attr, addr)
 
 static vchar_t *
 isakmp_cfg_addr4(iph1, attr, addr)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
        in_addr_t *addr;
 {
        struct isakmp_data *attr;
        in_addr_t *addr;
 {
@@ -1133,7 +1048,7 @@ isakmp_cfg_addr4(iph1, attr, addr)
 
        len = sizeof(*addr);
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
 
        len = sizeof(*addr);
        if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return NULL;
        }
 
                return NULL;
        }
 
@@ -1148,7 +1063,7 @@ isakmp_cfg_addr4(iph1, attr, addr)
 
 static vchar_t *
 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
 
 static vchar_t *
 isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        struct isakmp_data *attr;
        in_addr_t *addr;
        int nbr;
        struct isakmp_data *attr;
        in_addr_t *addr;
        int nbr;
@@ -1162,12 +1077,12 @@ isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
 
        len = sizeof(*addr);
        if ((buffer = vmalloc(0)) == NULL) {
 
        len = sizeof(*addr);
        if ((buffer = vmalloc(0)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                goto out;
        }
        for(i = 0; i < nbr; i++) {
                if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
                goto out;
        }
        for(i = 0; i < nbr; i++) {
                if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL
+                       plog(ASL_LEVEL_ERR
                            "Cannot allocate memory\n");
                        goto out;
                }
                            "Cannot allocate memory\n");
                        goto out;
                }
@@ -1193,13 +1108,13 @@ out:
 
 struct isakmp_ivm *
 isakmp_cfg_newiv(iph1, msgid)
 
 struct isakmp_ivm *
 isakmp_cfg_newiv(iph1, msgid)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        u_int32_t msgid;
 {
        struct isakmp_cfg_state *ics = iph1->mode_cfg;
 
        if (ics == NULL) {
        u_int32_t msgid;
 {
        struct isakmp_cfg_state *ics = iph1->mode_cfg;
 
        if (ics == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                    "isakmp_cfg_newiv called without mode config state\n");
                return NULL;
        }
                    "isakmp_cfg_newiv called without mode config state\n");
                return NULL;
        }
@@ -1216,7 +1131,7 @@ isakmp_cfg_newiv(iph1, msgid)
 /* Derived from isakmp_info_send_common */
 int
 isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
 /* Derived from isakmp_info_send_common */
 int
 isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        vchar_t *payload;
        u_int32_t np;
        int flags;
        vchar_t *payload;
        u_int32_t np;
        int flags;
@@ -1224,7 +1139,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        int retry_count;
     vchar_t *msg;
 {
        int retry_count;
     vchar_t *msg;
 {
-       struct ph2handle *iph2 = NULL;
+       phase2_handle_t *iph2 = NULL;
        vchar_t *hash = NULL;
        struct isakmp *isakmp;
        struct isakmp_gen *gen;
        vchar_t *hash = NULL;
        struct isakmp *isakmp;
        struct isakmp_gen *gen;
@@ -1234,38 +1149,38 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        struct isakmp_cfg_state *ics = iph1->mode_cfg;
 
        /* Check if phase 1 is established */
        struct isakmp_cfg_state *ics = iph1->mode_cfg;
 
        /* Check if phase 1 is established */
-       if ((iph1->status != PHASE1ST_ESTABLISHED) || 
+       if ((!FSM_STATE_IS_ESTABLISHED(iph1->status)) || 
            (iph1->local == NULL) ||
            (iph1->remote == NULL)) {
            (iph1->local == NULL) ||
            (iph1->remote == NULL)) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "ISAKMP mode config exchange with immature phase 1\n");
                goto end;
        }
 
        /* add new entry to isakmp status table */
                    "ISAKMP mode config exchange with immature phase 1\n");
                goto end;
        }
 
        /* add new entry to isakmp status table */
-       iph2 = newph2();
+       iph2 = ike_session_newph2(ISAKMP_VERSION_NUMBER_IKEV1, PHASE2_TYPE_CFG);
        if (iph2 == NULL) {
        if (iph2 == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR,
                         "failed to allocate ph2");
                goto end;
        }
 
        iph2->dst = dupsaddr(iph1->remote);
        if (iph2->dst == NULL) {
                         "failed to allocate ph2");
                goto end;
        }
 
        iph2->dst = dupsaddr(iph1->remote);
        if (iph2->dst == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR,
                         "failed to duplicate remote address");
                         "failed to duplicate remote address");
-               delph2(iph2);
+               ike_session_delph2(iph2);
                goto end;
        }
        iph2->src = dupsaddr(iph1->local);
        if (iph2->src == NULL) {
                goto end;
        }
        iph2->src = dupsaddr(iph1->local);
        if (iph2->src == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR,
                         "failed to duplicate local address");
                         "failed to duplicate local address");
-               delph2(iph2);
+               ike_session_delph2(iph2);
                goto end;
        }
 
                goto end;
        }
 
-       switch (iph1->remote->sa_family) {
+       switch (iph1->remote->ss_family) {
        case AF_INET:
 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
                ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
        case AF_INET:
 #if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
                ((struct sockaddr_in *)iph2->dst)->sin_port = 0;
@@ -1281,14 +1196,13 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
                break;
 #endif
        default:
                break;
 #endif
        default:
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "invalid family: %d\n", iph1->remote->sa_family);
-               delph2(iph2);
+               plog(ASL_LEVEL_ERR, 
+                       "invalid family: %d\n", iph1->remote->ss_family);
+               ike_session_delph2(iph2);
                goto end;
        }
                goto end;
        }
-       iph2->ph1 = iph1;
        iph2->side = INITIATOR;
        iph2->side = INITIATOR;
-       iph2->status = PHASE2ST_START;
+       fsm_set_state(&iph2->status, IKEV1_STATE_INFO);  
 
        if (new_exchange)
                iph2->msgid = isakmp_newmsgid2(iph1);
 
        if (new_exchange)
                iph2->msgid = isakmp_newmsgid2(iph1);
@@ -1299,19 +1213,19 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        if (iph1->skeyid_a != NULL) {
                if (new_exchange) {
                        if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) {
        if (iph1->skeyid_a != NULL) {
                if (new_exchange) {
                        if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) {
-                               plog(LLV_ERROR, LOCATION, NULL,
+                               plog(ASL_LEVEL_ERR, 
                                         "failed to generate IV");
                                         "failed to generate IV");
-                               delph2(iph2);
+                               ike_session_delph2(iph2);
                                goto end;
                        }
                }
 
                /* generate HASH(1) */
                                goto end;
                        }
                }
 
                /* generate HASH(1) */
-               hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
+               hash = oakley_compute_hash1(iph1, iph2->msgid, payload);
                if (hash == NULL) {
                if (hash == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to generate HASH");
                                 "failed to generate HASH");
-                       delph2(iph2);
+                       ike_session_delph2(iph2);
                        goto end;
                }
 
                        goto end;
                }
 
@@ -1330,15 +1244,14 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        else
                iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
 
        else
                iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
 
-       insph2(iph2);
-       bindph12(iph1, iph2);
+       ike_session_link_ph2_to_ph1(iph1, iph2);
 
        tlen += sizeof(*isakmp) + payload->l;
 
        /* create buffer for isakmp payload */
        iph2->sendbuf = vmalloc(tlen);
        if (iph2->sendbuf == NULL) { 
 
        tlen += sizeof(*isakmp) + payload->l;
 
        /* create buffer for isakmp payload */
        iph2->sendbuf = vmalloc(tlen);
        if (iph2->sendbuf == NULL) { 
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                        "failed to get buffer to send.\n");
                goto err;
        }
                        "failed to get buffer to send.\n");
                goto err;
        }
@@ -1373,18 +1286,17 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
 #endif
        
        isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
 #endif
        
-       plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n");
-       plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l);
+       plog(ASL_LEVEL_NOTICE, "MODE_CFG packet to send\n");
 
        /* encoding */
        if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
                vchar_t *tmp;
 
 
        /* encoding */
        if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
                vchar_t *tmp;
 
-               tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, 
+               tmp = oakley_do_encrypt(iph1, iph2->sendbuf,
                        ics->ivm->ive, ics->ivm->iv);
                VPTRINIT(iph2->sendbuf);
                if (tmp == NULL) {
                        ics->ivm->ive, ics->ivm->iv);
                VPTRINIT(iph2->sendbuf);
                if (tmp == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to encrypt packet");
                        goto err;
                }
                                 "failed to encrypt packet");
                        goto err;
                }
@@ -1396,7 +1308,7 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        if (retry_count > 0) {
                iph2->retry_counter = retry_count;
                if (isakmp_ph2resend(iph2) < 0) {
        if (retry_count > 0) {
                iph2->retry_counter = retry_count;
                if (isakmp_ph2resend(iph2) < 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(ASL_LEVEL_ERR, 
                                 "failed to resend packet");
                        VPTRINIT(iph2->sendbuf);
                        goto err;
                                 "failed to resend packet");
                        VPTRINIT(iph2->sendbuf);
                        goto err;
@@ -1410,21 +1322,21 @@ isakmp_cfg_send(iph1, payload, np, flags, new_exchange, retry_count, msg)
        }
        
        if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
        }
        
        if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                         "failed to send packet");
                VPTRINIT(iph2->sendbuf);
                goto err;
        }
        if (msg) {
                /* the sending message is added to the received-list. */
                         "failed to send packet");
                VPTRINIT(iph2->sendbuf);
                goto err;
        }
        if (msg) {
                /* the sending message is added to the received-list. */
-               if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg,
-                                PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
-                       plog(LLV_ERROR , LOCATION, NULL,
+               if (ike_session_add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg,
+                                PH2_NON_ESP_EXTRA_LEN(iph2, iph2->sendbuf), PH1_FRAG_FLAGS(iph1)) == -1) {
+                       plog(ASL_LEVEL_ERR , 
                             "failed to add a response packet to the tree.\n");
                }
        }
     
                             "failed to add a response packet to the tree.\n");
                }
        }
     
-       plog(LLV_DEBUG, LOCATION, NULL,
+       plog(ASL_LEVEL_NOTICE,
                "sendto mode config %s.\n", s_isakmp_nptype(np));
 
        /*
                "sendto mode config %s.\n", s_isakmp_nptype(np));
 
        /*
@@ -1446,9 +1358,7 @@ err:
                                                                CONSTSTR("Mode-Config message"),
                                                                CONSTSTR("Failed to transmit Mode-Config message"));
        }
                                                                CONSTSTR("Mode-Config message"),
                                                                CONSTSTR("Failed to transmit Mode-Config message"));
        }
-       unbindph12(iph2);
-       remph2(iph2);
-       delph2(iph2);
+       ike_session_unlink_phase2(iph2);
 end:
        if (hash)
                vfree(hash);
 end:
        if (hash)
                vfree(hash);
@@ -1456,40 +1366,39 @@ end:
 }
 
 
 }
 
 
-void 
-isakmp_cfg_rmstate(iph1)
-       struct ph1handle *iph1;
+void
+isakmp_cfg_rmstate(phase1_handle_t *iph1)
 {
 {
-       struct isakmp_cfg_state *state = iph1->mode_cfg;
-
-       if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0)
-               plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
-
-       if (state->flags & ISAKMP_CFG_PORT_ALLOCATED)
-               isakmp_cfg_putport(iph1, state->port);  
-
+       struct isakmp_cfg_state **state = &iph1->mode_cfg;
+    
+    if (*state == NULL)
+        return;
+    
+       if ((*state)->flags & ISAKMP_CFG_PORT_ALLOCATED)
+               isakmp_cfg_putport(iph1, (*state)->port);
+    
        /* Delete the IV if it's still there */
        /* Delete the IV if it's still there */
-       if(iph1->mode_cfg->ivm) {
-               oakley_delivm(iph1->mode_cfg->ivm);
-               iph1->mode_cfg->ivm = NULL;
+       if((*state)->ivm) {
+               oakley_delivm((*state)->ivm);
+               (*state)->ivm = NULL;
        }
        }
-
+    
        /* Free any allocated splitnet lists */
        /* Free any allocated splitnet lists */
-       if(iph1->mode_cfg->split_include != NULL)
-               splitnet_list_free(iph1->mode_cfg->split_include,
-                       &iph1->mode_cfg->include_count);
-       if(iph1->mode_cfg->split_local != NULL)
-               splitnet_list_free(iph1->mode_cfg->split_local,
-                       &iph1->mode_cfg->local_count);
-
-       xauth_rmstate(&state->xauth);
+       if((*state)->split_include != NULL)
+               splitnet_list_free((*state)->split_include,
+                           &(*state)->include_count);
+       if((*state)->split_local != NULL)
+               splitnet_list_free((*state)->split_local,
+                           &(*state)->local_count);
+    
+       xauth_rmstate(&(*state)->xauth);
        
        
-       if (state->attr_list)
-               vfree(state->attr_list);
-
-       racoon_free(state);
-       iph1->mode_cfg = NULL;
-
+       if ((*state)->attr_list)
+               vfree((*state)->attr_list);
+    
+       racoon_free((*state));
+       (*state) = NULL;
+    
        return;
 }
 
        return;
 }
 
@@ -1499,7 +1408,7 @@ isakmp_cfg_mkstate(void)
        struct isakmp_cfg_state *state;
 
        if ((state = racoon_malloc(sizeof(*state))) == NULL) {
        struct isakmp_cfg_state *state;
 
        if ((state = racoon_malloc(sizeof(*state))) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                    "Cannot allocate memory for mode config state\n");
                return NULL;
        }
                    "Cannot allocate memory for mode config state\n");
                return NULL;
        }
@@ -1510,7 +1419,7 @@ isakmp_cfg_mkstate(void)
 
 int 
 isakmp_cfg_getport(iph1)
 
 int 
 isakmp_cfg_getport(iph1)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
 {
        unsigned int i;
        size_t size = isakmp_cfg_config.pool_size;
 {
        unsigned int i;
        size_t size = isakmp_cfg_config.pool_size;
@@ -1519,7 +1428,7 @@ isakmp_cfg_getport(iph1)
                return iph1->mode_cfg->port;
 
        if (isakmp_cfg_config.port_pool == NULL) {
                return iph1->mode_cfg->port;
 
        if (isakmp_cfg_config.port_pool == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL,
+               plog(ASL_LEVEL_ERR, 
                    "isakmp_cfg_config.port_pool == NULL\n");
                return -1;
        }
                    "isakmp_cfg_config.port_pool == NULL\n");
                return -1;
        }
@@ -1530,14 +1439,14 @@ isakmp_cfg_getport(iph1)
        }
 
        if (i == size) {
        }
 
        if (i == size) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "No more addresses available\n");
                        return -1;
        }
 
        isakmp_cfg_config.port_pool[i].used = 1;
 
                    "No more addresses available\n");
                        return -1;
        }
 
        isakmp_cfg_config.port_pool[i].used = 1;
 
-       plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i);
+       plog(ASL_LEVEL_NOTICE, "Using port %d\n", i);
 
        iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
        iph1->mode_cfg->port = i;
 
        iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
        iph1->mode_cfg->port = i;
@@ -1547,341 +1456,34 @@ isakmp_cfg_getport(iph1)
 
 int 
 isakmp_cfg_putport(iph1, index)
 
 int 
 isakmp_cfg_putport(iph1, index)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
        unsigned int index;
 {
        if (isakmp_cfg_config.port_pool == NULL) {
        unsigned int index;
 {
        if (isakmp_cfg_config.port_pool == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "isakmp_cfg_config.port_pool == NULL\n");
                return -1;
        }
 
        if (isakmp_cfg_config.port_pool[index].used == 0) {
                    "isakmp_cfg_config.port_pool == NULL\n");
                return -1;
        }
 
        if (isakmp_cfg_config.port_pool[index].used == 0) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "Attempt to release an unallocated address (port %d)\n",
                    index);
                return -1;
        }
 
                    "Attempt to release an unallocated address (port %d)\n",
                    index);
                return -1;
        }
 
-#ifdef HAVE_LIBPAM
-       /* Cleanup PAM status associated with the port */
-       if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM)
-               privsep_cleanup_pam(index);
-#endif
        isakmp_cfg_config.port_pool[index].used = 0;
        iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
 
        isakmp_cfg_config.port_pool[index].used = 0;
        iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
 
-       plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index);
-
-       return 0;
-}
-
-#ifdef HAVE_LIBPAM
-void
-cleanup_pam(port)
-       int port;
-{
-       if (isakmp_cfg_config.port_pool[port].pam != NULL) {
-               pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS);
-               isakmp_cfg_config.port_pool[port].pam = NULL;
-       }
-
-       return;
-}
-#endif
-
-/* Accounting, only for RADIUS or PAM */
-static int
-isakmp_cfg_accounting(iph1, inout)
-       struct ph1handle *iph1;
-       int inout;
-{
-#ifdef HAVE_LIBPAM
-       if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM)
-               return privsep_accounting_pam(iph1->mode_cfg->port, 
-                   inout);
-#endif 
-#ifdef HAVE_LIBRADIUS
-       if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
-               return isakmp_cfg_accounting_radius(iph1, inout);
-#endif
-       if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
-               return privsep_accounting_system(iph1->mode_cfg->port,
-                       iph1->remote, iph1->mode_cfg->login, inout);
-       return 0;
-}
-
-#ifdef HAVE_LIBPAM
-int 
-isakmp_cfg_accounting_pam(port, inout)
-       int port;
-       int inout;
-{
-       int error = 0;
-       pam_handle_t *pam;
-
-       if (isakmp_cfg_config.port_pool == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "isakmp_cfg_config.port_pool == NULL\n");
-               return -1;
-       }
-       
-       pam = isakmp_cfg_config.port_pool[port].pam;
-       if (pam == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n");
-               return -1;
-       }
-
-       switch (inout) {
-       case ISAKMP_CFG_LOGIN:
-               error = pam_open_session(pam, 0);
-               break;
-       case ISAKMP_CFG_LOGOUT:
-               error = pam_close_session(pam, 0);
-               pam_end(pam, error);
-               isakmp_cfg_config.port_pool[port].pam = NULL;
-               break;
-       default:
-               plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
-               break;
-       }
-       
-       if (error != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "pam_open_session/pam_close_session failed: %s\n",
-                   pam_strerror(pam, error)); 
-               return -1;
-        }
-
-       return 0;
-}
-#endif /* HAVE_LIBPAM */
-
-#ifdef HAVE_LIBRADIUS
-static int
-isakmp_cfg_accounting_radius(iph1, inout)
-       struct ph1handle *iph1;
-       int inout;
-{
-       /* For first time use, initialize Radius */
-       if (radius_acct_state == NULL) {
-               if ((radius_acct_state = rad_acct_open()) == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                           "Cannot init librradius\n");
-                       return -1;
-               }
-
-               if (rad_config(radius_acct_state, NULL) != 0) {
-                        plog(LLV_ERROR, LOCATION, NULL,
-                            "Cannot open librarius config file: %s\n",
-                            rad_strerror(radius_acct_state));
-                         rad_close(radius_acct_state);
-                         radius_acct_state = NULL;
-                         return -1;
-               }
-       }
-
-       if (rad_create_request(radius_acct_state, 
-           RAD_ACCOUNTING_REQUEST) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_create_request failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
-
-       if (rad_put_string(radius_acct_state, RAD_USER_NAME, 
-           iph1->mode_cfg->login) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_string failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
-
-       switch (inout) {
-       case ISAKMP_CFG_LOGIN:
-               inout = RAD_START;
-               break;
-       case ISAKMP_CFG_LOGOUT:
-               inout = RAD_STOP;
-               break;
-       default:
-               plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
-               break;
-       }
-
-       if (rad_put_addr(radius_acct_state, 
-           RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_addr failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
-
-       if (rad_put_addr(radius_acct_state, 
-           RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_addr failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
-
-       if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_int failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
-
-       if (isakmp_cfg_radius_common(radius_acct_state, 
-           iph1->mode_cfg->port) != 0)
-               return -1;
-
-       if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_send_request failed: %s\n",
-                   rad_strerror(radius_acct_state));
-               return -1;
-       }
+       plog(ASL_LEVEL_NOTICE, "Released port %d\n", index);
 
        return 0;
 }
 
        return 0;
 }
-#endif /* HAVE_LIBRADIUS */
-
-/*
- * Attributes common to all RADIUS requests
- */
-#ifdef HAVE_LIBRADIUS
-int
-isakmp_cfg_radius_common(radius_state, port)
-       struct rad_handle *radius_state;
-       int port;
-{ 
-       struct utsname name;
-       static struct hostent *host = NULL;
-       struct in_addr nas_addr;
 
 
-       /* 
-        * Find our own IP by resolving our nodename
-        */
-       if (host == NULL) {
-               if (uname(&name) != 0) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                           "uname failed: %s\n", strerror(errno));
-                       return -1;
-               }
-
-               if ((host = gethostbyname(name.nodename)) == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                           "gethostbyname failed: %s\n", strerror(errno));
-                       return -1;
-               }
-       }
-
-       memcpy(&nas_addr, host->h_addr, sizeof(nas_addr));
-       if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_addr failed: %s\n",
-                   rad_strerror(radius_state));
-               return -1;
-       }
-
-       if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_int failed: %s\n",
-                   rad_strerror(radius_state));
-               return -1;
-       }
-
-       if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_int failed: %s\n",
-                   rad_strerror(radius_state));
-               return -1;
-       }
-
-       if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL,
-                   "rad_put_int failed: %s\n",
-                   rad_strerror(radius_state));
-               return -1;
-       }
-       
-       return 0;
-}
-#endif
-
-/*
-       Logs the user into the utmp system files.
-*/
-
-int
-isakmp_cfg_accounting_system(port, raddr, usr, inout)
-       int port;
-       struct sockaddr *raddr;
-       char *usr;
-       int inout;
-{
-       int error = 0;
-       struct utmpx ut;
-       char term[_UTX_LINESIZE];
-       char addr[NI_MAXHOST];
-       
-       if (usr == NULL || usr[0]=='\0') {
-               plog(LLV_ERROR, LOCATION, NULL,
-                       "system accounting : no login found\n");
-               return -1;
-       }
-
-       snprintf(term, sizeof(term), TERMSPEC, port);
-
-       switch (inout) {
-       case ISAKMP_CFG_LOGIN:
-               strlcpy(ut.ut_user, usr, sizeof(ut.ut_user));
-
-               strlcpy(ut.ut_line, term, sizeof(ut.ut_line));
-
-               GETNAMEINFO_NULL(raddr, addr);
-               strlcpy(ut.ut_host, addr, sizeof(ut.ut_host));
-
-               ut.ut_pid = getpid();
-
-               ut.ut_type = UTMPX_AUTOFILL_MASK | USER_PROCESS;
-
-               gettimeofday(&ut.ut_tv, NULL);
-               plog(LLV_INFO, LOCATION, NULL,
-                       "Accounting : '%s' logging on '%s' from %s.\n",
-                       ut.ut_user, ut.ut_line, ut.ut_host);
-
-               if (pututxline(&ut) == NULL)
-                       return -1;
-
-               break;
-       case ISAKMP_CFG_LOGOUT: 
-
-               plog(LLV_INFO, LOCATION, NULL,
-                       "Accounting : '%s' unlogging from '%s'.\n",
-                       usr, term);
-
-               ut.ut_type = UTMPX_AUTOFILL_MASK | DEAD_PROCESS;
-
-               gettimeofday(&ut.ut_tv, NULL);
-
-               if (pututxline(&ut) == NULL)
-                       return -1;
-
-               break;
-       default:
-               plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
-               break;
-       }
-
-       return 0;
-}
        
 int 
 isakmp_cfg_getconfig(iph1)
        
 int 
 isakmp_cfg_getconfig(iph1)
-       struct ph1handle *iph1;
+       phase1_handle_t *iph1;
 {
        vchar_t *buffer;
        struct isakmp_pl_attr *attrpl;
 {
        vchar_t *buffer;
        struct isakmp_pl_attr *attrpl;
@@ -1909,7 +1511,7 @@ isakmp_cfg_getconfig(iph1)
        len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
        
        if (iph1->started_by_api) {
        len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
        
        if (iph1->started_by_api) {
-               if (iph1->remote->sa_family == AF_INET) {
+               if (iph1->remote->ss_family == AF_INET) {
                        struct vpnctl_socket_elem *sock_elem;
                        struct bound_addr *bound_addr;
                        u_int32_t address;
                        struct vpnctl_socket_elem *sock_elem;
                        struct bound_addr *bound_addr;
                        u_int32_t address;
@@ -1918,7 +1520,7 @@ isakmp_cfg_getconfig(iph1)
                        LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
                                LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
                                        if (bound_addr->address == address) {
                        LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
                                LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
                                        if (bound_addr->address == address) {
-                                               if (version = bound_addr->version)
+                                               if ((version = bound_addr->version))
                                                        len += bound_addr->version->l;
                                                break;
                                        }
                                                        len += bound_addr->version->l;
                                                break;
                                        }
@@ -1928,7 +1530,7 @@ isakmp_cfg_getconfig(iph1)
        }
        
        if ((buffer = vmalloc(len)) == NULL) {
        }
        
        if ((buffer = vmalloc(len)) == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
+               plog(ASL_LEVEL_ERR, "Cannot allocate memory\n");
                return -1;
        }
 
                return -1;
        }
 
@@ -1957,7 +1559,7 @@ isakmp_cfg_getconfig(iph1)
                }
        }
 
                }
        }
 
-       plog(LLV_DEBUG, LOCATION, NULL, 
+       plog(ASL_LEVEL_NOTICE,
                    "Sending MODE_CFG REQUEST\n");
 
        error = isakmp_cfg_send(iph1, buffer,
                    "Sending MODE_CFG REQUEST\n");
 
        error = isakmp_cfg_send(iph1, buffer,
@@ -1965,6 +1567,8 @@ isakmp_cfg_getconfig(iph1)
 
        vfree(buffer);
 
 
        vfree(buffer);
 
+       IPSECLOGASLMSG("IPSec Network Configuration requested.\n");
+
        return error;
 }
 
        return error;
 }
 
@@ -1977,11 +1581,11 @@ isakmp_cfg_getaddr4(attr, ip)
        in_addr_t *addr;
 
        if (alen != sizeof(*ip)) {
        in_addr_t *addr;
 
        if (alen != sizeof(*ip)) {
-               plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
+               plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n");
                return;
        }
 
                return;
        }
 
-       addr = (in_addr_t *)(attr + 1);
+       addr = ALIGNED_CAST(in_addr_t *)(attr + 1);     // Wcast-align fix (void*) - attr comes from packet data in a vchar_t
        ip->s_addr = *addr;
 
        return;
        ip->s_addr = *addr;
 
        return;
@@ -1998,15 +1602,15 @@ isakmp_cfg_appendaddr4(attr, ip, num, max)
        in_addr_t *addr;
 
        if (alen != sizeof(*ip)) {
        in_addr_t *addr;
 
        if (alen != sizeof(*ip)) {
-               plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
+               plog(ASL_LEVEL_ERR, "Bad IPv4 address len\n");
                return;
        }
        if (*num == max) {
                return;
        }
        if (*num == max) {
-               plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n");
+               plog(ASL_LEVEL_ERR, "Too many addresses given\n");
                return;
        }
 
                return;
        }
 
-       addr = (in_addr_t *)(attr + 1);
+       addr = ALIGNED_CAST(in_addr_t *)(attr + 1);      // Wcast-align fix (void*) - attr comes from packet data in a vchar_t
        ip->s_addr = *addr;
        (*num)++;
 
        ip->s_addr = *addr;
        (*num)++;
 
@@ -2067,186 +1671,6 @@ isakmp_cfg_iplist_to_str(dest, count, addr, withmask)
                dest[0] = '\0';
 }
 
                dest[0] = '\0';
 }
 
-int
-isakmp_cfg_setenv(iph1, envp, envc)
-       struct ph1handle *iph1; 
-       char ***envp;
-       int *envc;
-{
-       char addrstr[IP_MAX];
-       char addrlist[IP_MAX * MAXNS + MAXNS];
-       char *splitlist = addrlist;
-       char defdom[MAXPATHLEN + 1];
-       int cidr, tmp;
-       char cidrstr[4];
-       int i, p;
-       int test;
-
-       plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
-
-       /* 
-        * Internal IPv4 address, either if 
-        * we are a client or a server.
-        */
-       if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
-#ifdef HAVE_LIBLDAP
-           (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
-#endif
-#ifdef HAVE_LIBRADIUS
-           (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
-#endif
-           (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
-               inet_ntop(AF_INET, &iph1->mode_cfg->addr4, 
-                   addrstr, IP_MAX);
-       } else
-               addrstr[0] = '\0';
-
-       if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n");
-               return -1;
-       }
-
-       if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) {
-               if (script_env_append(envp, envc, "XAUTH_USER", 
-                   iph1->mode_cfg->xauth.authdata.generic.usr) != 0) {
-                       plog(LLV_ERROR, LOCATION, NULL, 
-                           "Cannot set XAUTH_USER\n");
-                       return -1;
-               }
-       }
-
-       /* Internal IPv4 mask */
-       if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4) 
-               inet_ntop(AF_INET, &iph1->mode_cfg->mask4, 
-                   addrstr, IP_MAX);
-       else
-               addrstr[0] = '\0';
-
-       /*      
-        * During several releases, documentation adverised INTERNAL_NETMASK4
-        * while code was using INTERNAL_MASK4. We now do both.
-        */
-
-       if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) { 
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
-               return -1;
-       }
-
-       if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) { 
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "Cannot set INTERNAL_NETMASK4\n");
-               return -1;
-       }
-
-       tmp = ntohl(iph1->mode_cfg->mask4.s_addr);
-       for (cidr = 0; tmp != 0; cidr++)
-               tmp <<= 1;
-       snprintf(cidrstr, 3, "%d", cidr);
-
-       if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n");
-               return -1;
-       }
-
-       /* Internal IPv4 DNS */
-       if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) {
-               /* First Internal IPv4 DNS (for compatibilty with older code */
-               inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0], 
-                   addrstr, IP_MAX);
-
-               /* Internal IPv4 DNS - all */
-               isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index,
-                       (void *)iph1->mode_cfg->dns4, 0);
-       } else {
-               addrstr[0] = '\0';
-               addrlist[0] = '\0';
-       }
-
-       if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n");
-               return -1;
-       }
-       if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "Cannot set INTERNAL_DNS4_LIST\n");
-               return -1;
-       }
-       
-       /* Internal IPv4 WINS */
-       if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) {
-               /* 
-                * First Internal IPv4 WINS 
-                * (for compatibilty with older code 
-                */
-               inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0], 
-                   addrstr, IP_MAX);
-
-               /* Internal IPv4 WINS - all */
-               isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index,
-                       (void *)iph1->mode_cfg->wins4, 0);
-       } else {
-               addrstr[0] = '\0';
-               addrlist[0] = '\0';
-       }
-
-       if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "Cannot set INTERNAL_WINS4\n");
-               return -1;
-       }
-       if (script_env_append(envp, envc, 
-           "INTERNAL_WINS4_LIST", addrlist) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "Cannot set INTERNAL_WINS4_LIST\n");
-               return -1;
-       }
-
-       /* Deault domain */
-       if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN) 
-               strlcpy(defdom, 
-                   iph1->mode_cfg->default_domain, 
-                   sizeof(defdom));
-       else
-               defdom[0] = '\0';
-       
-       if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) { 
-               plog(LLV_ERROR, LOCATION, NULL, 
-                   "Cannot set DEFAULT_DOMAIN\n");
-               return -1;
-       }
-
-       /* Split networks */
-       if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE)
-               splitlist = splitnet_list_2str(iph1->mode_cfg->split_include);
-       else {
-               splitlist = addrlist;
-               addrlist[0] = '\0';
-       }
-
-       if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
-               return -1;
-       }
-       if (splitlist != addrlist)
-               racoon_free(splitlist);
-
-       if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL)
-               splitlist = splitnet_list_2str(iph1->mode_cfg->split_local);
-       else {
-               splitlist = addrlist;
-               addrlist[0] = '\0';
-       }
-
-       if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
-               plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
-               return -1;
-       }
-       if (splitlist != addrlist)
-               racoon_free(splitlist);
-       
-       return 0;
-}
-
 int
 isakmp_cfg_resize_pool(size)
        int size;
 int
 isakmp_cfg_resize_pool(size)
        int size;
@@ -2258,16 +1682,16 @@ isakmp_cfg_resize_pool(size)
        if (size == isakmp_cfg_config.pool_size)
                return 0;
 
        if (size == isakmp_cfg_config.pool_size)
                return 0;
 
-       plog(LLV_INFO, LOCATION, NULL,
+       plog(ASL_LEVEL_NOTICE,
            "Resize address pool from %zu to %d\n",
            isakmp_cfg_config.pool_size, size);
 
        /* If a pool already exists, check if we can shrink it */
        if ((isakmp_cfg_config.port_pool != NULL) &&
            (size < isakmp_cfg_config.pool_size)) {
            "Resize address pool from %zu to %d\n",
            isakmp_cfg_config.pool_size, size);
 
        /* If a pool already exists, check if we can shrink it */
        if ((isakmp_cfg_config.port_pool != NULL) &&
            (size < isakmp_cfg_config.pool_size)) {
-               for (i = isakmp_cfg_config.pool_size; i >= size; --i) {
+               for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) {
                        if (isakmp_cfg_config.port_pool[i].used) {
                        if (isakmp_cfg_config.port_pool[i].used) {
-                               plog(LLV_ERROR, LOCATION, NULL
+                               plog(ASL_LEVEL_ERR
                                    "resize pool from %zu to %d impossible "
                                    "port %d is in use\n", 
                                    isakmp_cfg_config.pool_size, size, i);
                                    "resize pool from %zu to %d impossible "
                                    "port %d is in use\n", 
                                    isakmp_cfg_config.pool_size, size, i);
@@ -2280,7 +1704,7 @@ isakmp_cfg_resize_pool(size)
        len = size * sizeof(*isakmp_cfg_config.port_pool);
        new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
        if (new_pool == NULL) {
        len = size * sizeof(*isakmp_cfg_config.port_pool);
        new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
        if (new_pool == NULL) {
-               plog(LLV_ERROR, LOCATION, NULL
+               plog(ASL_LEVEL_ERR
                    "resize pool from %zu to %d impossible: %s",
                    isakmp_cfg_config.pool_size, size, strerror(errno));
                return -1;
                    "resize pool from %zu to %d impossible: %s",
                    isakmp_cfg_config.pool_size, size, strerror(errno));
                return -1;
@@ -2309,7 +1733,9 @@ isakmp_cfg_init(cold)
        int cold;
 {
        int i;
        int cold;
 {
        int i;
+#if 0
        int error;
        int error;
+#endif
 
        isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
        isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
 
        isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
        isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
@@ -2361,10 +1787,12 @@ isakmp_cfg_init(cold)
        isakmp_cfg_config.splitdns_list = NULL;
        isakmp_cfg_config.splitdns_len = 0;
 
        isakmp_cfg_config.splitdns_list = NULL;
        isakmp_cfg_config.splitdns_len = 0;
 
+#if 0
        if (cold == ISAKMP_CFG_INIT_COLD) {
                if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
                        return error;
        }
        if (cold == ISAKMP_CFG_INIT_COLD) {
                if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
                        return error;
        }
+#endif
 
        return 0;
 }
 
        return 0;
 }
mirror of ipsec