#include <sys/queue.h>
#include <utmpx.h>
-#if defined(__APPLE__) && defined(__MACH__)
#include <util.h>
-#endif
+
#ifdef __FreeBSD__
# include <libutil.h>
plen = ntohs(ph->len);
nph = (struct isakmp_gen *)((char *)ph + plen);
plen = ntohs(nph->len);
-
+ /* Check that the hash payload fits in the packet */
+ if (tlen < (plen + ntohs(ph->len))) {
+ plog(LLV_WARNING, LOCATION, NULL,
+ "Invalid Hash payload. len %d, overall-len %d\n",
+ ntohs(nph->len),
+ plen);
+ goto out;
+ }
+
if ((payload = vmalloc(plen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"Cannot allocate memory\n");
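Review bot: The added `if (tlen < (plen + ntohs(ph->len)))` guard runs one line after `nph->len` has already been read, so a `ph->len` large enough to push `nph` past the end of the buffer is still dereferenced before the check rejects it; the bound on `ph->len` has to be established before `nph` is computed and read. The warning is also misleading because `ntohs(nph->len)` and `plen` are the same value at that point (plen was just assigned from nph->len), so the "overall-len" field never shows the packet length — printing `tlen` there, with the specifier matching its declared type, makes the message useful for triage. I am assuming `tlen` is the number of bytes available from `ph`; the enclosing function starts and ends outside the hunk, so confirm that against its definition.
```c
	plen = ntohs(ph->len);
	/* ph->len must leave room for the next generic header before nph is read */
	if (tlen < plen + sizeof(*nph)) {
		plog(LLV_WARNING, LOCATION, NULL,
		    "Invalid payload. len %d, overall-len %d\n", plen, tlen);
		goto out;
	}
	nph = (struct isakmp_gen *)((char *)ph + plen);
	plen = ntohs(nph->len);
	/* Check that the hash payload fits in the packet */
	if (tlen < (plen + ntohs(ph->len))) {
		plog(LLV_WARNING, LOCATION, NULL,
		    "Invalid Hash payload. len %d, overall-len %d\n", plen, tlen);
		goto out;
	}
	/* … unchanged: vmalloc(plen) and the copy that follows … */
```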
/* connection was started by API - save attr list for passing to VPN controller */
if (iph1->mode_cfg->attr_list != NULL) /* shouldn't happen */
vfree(iph1->mode_cfg->attr_list);
+ if (ntohs(attrpl->h.len) < sizeof(*attrpl)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid cfg-attr-list, attr-len %d\n",
+ ntohs(attrpl->h.len));
+ return -1;
+ }
alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
if ((iph1->mode_cfg->attr_list = vmalloc(alen)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
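Review bot: The added `ntohs(attrpl->h.len) < sizeof(*attrpl)` guard only proves that the attribute header fits inside its own declared length, not that `alen` bytes actually follow `attrpl` in the received message; unless the caller has already bounded `h.len` by the remaining message length, whatever fills the new `alen`-sized buffer can still read past the packet. If that bound is checked by the caller, a comment here such as `/* h.len was already bounded against the remaining message length by the caller */` would record the invariant; otherwise the remaining length should be passed in and `ntohs(attrpl->h.len)` rejected when it exceeds it. The same six-line guard is repeated verbatim in the later hunk that declares `vchar_t *buf`, so a small `static` helper that validates and returns the attribute-list length would remove the duplication and keep the two paths from drifting. Both enclosing functions start and end outside their hunks.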
{
vchar_t *buf;
+ if (ntohs(attrpl->h.len) < sizeof(*attrpl)) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "invalid cfg-attr-list, attr-len %d\n",
+ ntohs(attrpl->h.len));
+ return -1;
+ }
alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
if ((buf = vmalloc(alen)) == NULL) {
plog(LLV_WARNING, LOCATION, NULL,
iph1->xauth_awaiting_userinput = 1;
iph1->xauth_awaiting_userinput_msg = vdup(msg); // dup the message for later
ike_session_start_xauth_timer(iph1);
+
+ IPSECLOGASLMSG("IPSec Extended Authentication requested.\n");
+
return 0;
}
if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
if (iph1->status == PHASE1ST_ESTABLISHED)
isakmp_info_send_d1(iph1);
- remph1(iph1);
- delph1(iph1);
+ isakmp_ph1expire(iph1);
iph1 = NULL;
}
vfree(payload);
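Review bot: The switch from `remph1(iph1); delph1(iph1);` to `isakmp_ph1expire(iph1);` replaces an immediate teardown with the expire path, and nothing in the hunk says why or whether `iph1` is freed synchronously; the `iph1 = NULL;` that follows suggests the handle must not be touched afterwards either way. A comment on the call along the lines of `/* tear down via the expire path; iph1 must not be used after this */` plus a note on whether the free is immediate or timer-driven would let a reader judge the change. If it is deferred, the phase-1 handle stays reachable between the D1 notification and the actual deletion, which is worth stating explicitly. The enclosing function continues outside the hunk.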
if (msg) {
/* the sending message is added to the received-list. */
if (add_recvdpkt(iph1->remote, iph1->local, iph2->sendbuf, msg,
- PH2_NON_ESP_EXTRA_LEN(iph2)) == -1) {
+ PH2_NON_ESP_EXTRA_LEN(iph2), PH1_FRAG_FLAGS(iph1)) == -1) {
plog(LLV_ERROR , LOCATION, NULL,
"failed to add a response packet to the tree.\n");
}
if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
return isakmp_cfg_accounting_radius(iph1, inout);
#endif
+#ifdef HAVE_OPENSSL
if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
return privsep_accounting_system(iph1->mode_cfg->port,
iph1->remote, iph1->mode_cfg->login, inout);
+#endif
return 0;
}
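Review bot: Wrapping the `ISAKMP_CFG_ACCT_SYSTEM` branch in `#ifdef HAVE_OPENSSL` means a build without OpenSSL silently falls through to `return 0;` when system accounting is configured, so the caller believes the accounting call succeeded while nothing was recorded. An `#else` branch that logs at `LLV_ERROR` when `isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM` and returns the function's error value would make the mismatch visible instead of a silent no-op. It is also not obvious why system accounting depends on OpenSSL; if it is because `privsep_accounting_system` is only compiled under that guard, a comment on the `#ifdef` saying so would help, e.g. `/* privsep_accounting_system() is only built with OpenSSL */`.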
vfree(buffer);
+ IPSECLOGASLMSG("IPSec Network Configuration requested.\n");
+
return error;
}
/* If a pool already exists, check if we can shrink it */
if ((isakmp_cfg_config.port_pool != NULL) &&
(size < isakmp_cfg_config.pool_size)) {
- for (i = isakmp_cfg_config.pool_size; i >= size; --i) {
+ for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) {
if (isakmp_cfg_config.port_pool[i].used) {
plog(LLV_ERROR, LOCATION, NULL,
"resize pool from %zu to %d impossible "
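Review bot: The corrected loop `for (i = isakmp_cfg_config.pool_size-1; i >= size; --i)` stops reading `port_pool[pool_size]`, but its termination depends on `i` being signed: `pool_size` is printed with `%zu` and so is presumably `size_t`, and if `i` shares that type then `i >= size` is an unsigned comparison that can never be false for `size == 0`, so `--i` wraps and the loop walks off the front of the array. I cannot see the declaration of `i` from the hunk; if it is unsigned, a countdown that tests before decrementing is safe for both signednesses, e.g. `for (i = isakmp_cfg_config.pool_size; i-- > size; ) {`. As a minor style point, `pool_size-1` would normally be spaced as `pool_size - 1` to match the surrounding code.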
isakmp_cfg_config.splitdns_list = NULL;
isakmp_cfg_config.splitdns_len = 0;
+#if 0
if (cold == ISAKMP_CFG_INIT_COLD) {
if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
return error;
}
+#endif
return 0;
}
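Review bot: The cold-start `isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)` call is disabled with a bare `#if 0` and no explanation, which leaves dead code and gives a later reader no way to tell whether the port pool is now allocated elsewhere or simply never allocated on a cold init. Either delete the block or replace the `#if 0` with a comment stating the reason and where the pool is sized instead, e.g. `/* port pool is no longer pre-sized on cold init; it is allocated by <TODO: name the allocating path> */`. If nothing else allocates the pool, `port_pool` stays NULL after init and every consumer of it needs to tolerate that, which is worth confirming before this lands.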