index c7790da4d62b923ee10d7ffa49bda07d3eb4b19b..59a634195ef8f1ea9255e2a1bb0c5bd7bf9db25b 100644 (file)
 #include "nattraversal.h"
 #include "isakmp_frag.h"
 #include "genlist.h"
 #include "nattraversal.h"
 #include "isakmp_frag.h"
 #include "genlist.h"
-#include "rsalist.h"
+#include "vpn_control_var.h"
 
 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
 
 
 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
 
-/* 
- * Script hook names and script hook paths
- */
-char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
 
 /*%%%*/
 /*
 
 /*%%%*/
 /*
@@ -100,28 +96,32 @@ char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
  */
 struct remoteconf *
 getrmconf_strict(remote, allow_anon)
  */
 struct remoteconf *
 getrmconf_strict(remote, allow_anon)
-       struct sockaddr *remote;
+       struct sockaddr_storage *remote;
        int allow_anon;
 {
        struct remoteconf *p;
        int allow_anon;
 {
        struct remoteconf *p;
+       struct remoteconf *p_withport_besteffort = NULL;
+       struct remoteconf *p_with_prefix = NULL;
+       struct remoteconf *p_with_prefix_besteffort = NULL;
+    int                last_prefix = 0;
        struct remoteconf *anon = NULL;
        struct remoteconf *anon = NULL;
+    
        int withport;
        char buf[NI_MAXHOST + NI_MAXSERV + 10];
        char addr[NI_MAXHOST], port[NI_MAXSERV];
 
        withport = 0;
 
        int withport;
        char buf[NI_MAXHOST + NI_MAXSERV + 10];
        char addr[NI_MAXHOST], port[NI_MAXSERV];
 
        withport = 0;
 
-#ifndef ENABLE_NATT
        /* 
         * We never have ports set in our remote configurations, but when
         * NAT-T is enabled, the kernel can have policies with ports and
         * send us an acquire message for a destination that has a port set.
        /* 
         * We never have ports set in our remote configurations, but when
         * NAT-T is enabled, the kernel can have policies with ports and
         * send us an acquire message for a destination that has a port set.
-        * If we do this port check here, we don't find the remote config.
+        * If we do this port check here, we have to fallback to a best-effort result (without the port).
         *
         * In an ideal world, we would be able to have remote conf with
         * port, and the port could be a wildcard. That test could be used.
         */
         *
         * In an ideal world, we would be able to have remote conf with
         * port, and the port could be a wildcard. That test could be used.
         */
-       switch (remote->sa_family) {
+       switch (remote->ss_family) {
        case AF_INET:
                if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
                        withport = 1;
        case AF_INET:
                if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
                        withport = 1;
@@ -136,16 +136,15 @@ getrmconf_strict(remote, allow_anon)
                break;
 
        default:
                break;
 
        default:
-               plog(LLV_ERROR2, LOCATION, NULL,
-                       "invalid ip address family: %d\n", remote->sa_family);
-               exit(1);
+               plog(ASL_LEVEL_ERR, 
+                       "invalid ip address family: %d\n", remote->ss_family);
+               return NULL;
        }
        }
-#endif /* ENABLE_NATT */
 
 
-       if (remote->sa_family == AF_UNSPEC)
+       if (remote->ss_family == AF_UNSPEC)
                snprintf (buf, sizeof(buf), "%s", "anonymous");
        else {
                snprintf (buf, sizeof(buf), "%s", "anonymous");
        else {
-               GETNAMEINFO(remote, addr, port);
+               GETNAMEINFO((struct sockaddr *)remote, addr, port);
                snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
                        withport ? "[" : "",
                        withport ? port : "",
                snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
                        withport ? "[" : "",
                        withport ? port : "",
@@ -153,46 +152,90 @@ getrmconf_strict(remote, allow_anon)
        }
 
        TAILQ_FOREACH(p, &rmtree, chain) {
        }
 
        TAILQ_FOREACH(p, &rmtree, chain) {
-#ifdef __APPLE__
-               if (p->to_delete || p->to_remove) {
-                       continue;
-               }
-#endif
-               if ((remote->sa_family == AF_UNSPEC
-                    && remote->sa_family == p->remote->sa_family)
-                || (!withport && cmpsaddrwop(remote, p->remote) == 0)
-                || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
-                       plog(LLV_DEBUG, LOCATION, NULL,
-                               "configuration found for %s.\n", buf);
+               if (remote->ss_family == AF_UNSPEC
+                    && remote->ss_family == p->remote->ss_family) {
+            plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
                        return p;
                        return p;
-               }
+        }
+        if (p->remote_prefix == 0) {
+            if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
+                || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
+                    plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+                    return p;
+                } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
+                    // for withport: save the pointer for the best-effort search
+                    p_withport_besteffort = p;
+                }
+        } else {
+            if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
+                || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
+                if (p->remote_prefix >= last_prefix) {
+                    p_with_prefix = p;
+                    last_prefix = p->remote_prefix;
+                }
+            } else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
+                if (p->remote_prefix >= last_prefix) {
+                    p_with_prefix_besteffort = p;
+                    last_prefix = p->remote_prefix;
+                }
+            }
+        }
 
                /* save the pointer to the anonymous configuration */
 
                /* save the pointer to the anonymous configuration */
-               if (p->remote->sa_family == AF_UNSPEC)
+               if (p->remote->ss_family == AF_UNSPEC)
                        anon = p;
        }
 
                        anon = p;
        }
 
+       if (p_withport_besteffort) {
+               plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+               return p_withport_besteffort;
+       }
+    if (p_with_prefix) {
+        plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+        return p_with_prefix;
+    }
+    if (p_with_prefix_besteffort) {
+        plog(ASL_LEVEL_DEBUG, "configuration found for %s.\n", buf);
+        return p_with_prefix_besteffort;
+    }
        if (allow_anon && anon != NULL) {
        if (allow_anon && anon != NULL) {
-               plog(LLV_DEBUG, LOCATION, NULL,
+               plog(ASL_LEVEL_DEBUG, 
                        "anonymous configuration selected for %s.\n", buf);
                return anon;
        }
 
                        "anonymous configuration selected for %s.\n", buf);
                return anon;
        }
 
-       plog(LLV_DEBUG, LOCATION, NULL,
+       plog(ASL_LEVEL_DEBUG, 
                "no remote configuration found.\n");
 
        return NULL;
 }
 
 int
                "no remote configuration found.\n");
 
        return NULL;
 }
 
 int
-no_remote_configs()
+no_remote_configs(ignore_anonymous)
+       int ignore_anonymous;
 {
        
        struct remoteconf *p;
 {
        
        struct remoteconf *p;
+#if !TARGET_OS_EMBEDDED
+       static const char default_idv[] = "macuser@localhost";
+       static const int default_idv_len = sizeof(default_idv) - 1;
+#endif
 
        TAILQ_FOREACH(p, &rmtree, chain) {
 
        TAILQ_FOREACH(p, &rmtree, chain) {
-               if (p->remote->sa_family == AF_UNSPEC)  /* anonymous */
+               if (ignore_anonymous) {
+                       if (p->remote->ss_family == AF_UNSPEC)  /* anonymous */
+                               continue;
+               }
+#if !TARGET_OS_EMBEDDED
+               // ignore the default btmm ipv6 config thats always present in racoon.conf
+               if (p->remote->ss_family == AF_INET6 &&
+                       p->idvtype == IDTYPE_USERFQDN &&
+                       p->idv != NULL &&
+                       p->idv->l == default_idv_len &&
+                       strncmp(p->idv->v, default_idv, p->idv->l) == 0) {
                        continue;
                        continue;
+               }
+#endif
                return 0;
        }
        return 1;
                return 0;
        }
        return 1;
@@ -200,68 +243,54 @@ no_remote_configs()
 
 struct remoteconf *
 getrmconf(remote)
 
 struct remoteconf *
 getrmconf(remote)
-       struct sockaddr *remote;
-{
-       return getrmconf_strict(remote, 1);
-}
-
-#ifdef __APPLE__
-int
-link_rmconf_to_ph1 (struct remoteconf *new)
-{
-       if (!new) {
-               return(-1);
-       }
-       if (new->to_delete ||
-               new->to_remove) {
-               return(-1);
-       }
-       new->linked_to_ph1++;
-       return(0);
-}
-
-int
-unlink_rmconf_from_ph1 (struct remoteconf *old)
+       struct sockaddr_storage *remote;
 {
 {
-       if (!old) {
-               return(-1);
+       struct remoteconf *rmconf = getrmconf_strict(remote, 1);
+       if (rmconf != NULL) {
+               return rmconf;
        }
        }
-       if (old->linked_to_ph1 <= 0) {
-               return(-1);
-       }
-       old->linked_to_ph1--;
-       if (old->linked_to_ph1 == 0) {
-               if (old->to_remove) {
-                       remrmconf(old);
-               }
-               if (old->to_delete) {
-                       delrmconf(old);
+       if (remote->ss_family == AF_INET6) {
+               struct sockaddr_in v4dst;
+               v4dst.sin_family = AF_INET;
+               v4dst.sin_len = sizeof(struct sockaddr_in);
+               v4dst.sin_port = 0;
+
+               nw_nat64_prefix_t nat64_prefix;
+               if (vpncontrol_set_nat64_prefix(&nat64_prefix)) {
+                       nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr);
+
+                       rmconf = getrmconf(ALIGNED_CAST(struct sockaddr_storage *)&v4dst);
+                       if (rmconf != NULL) {
+                               return rmconf;
+                       }
                }
        }
                }
        }
-       return(0);
+
+       return NULL;
 }
 }
-#endif
 
 struct remoteconf *
 
 struct remoteconf *
-newrmconf()
+create_rmconf()
 {
        struct remoteconf *new;
 {
        struct remoteconf *new;
-       int i;
 
        new = racoon_calloc(1, sizeof(*new));
        if (new == NULL)
                return NULL;
 
 
        new = racoon_calloc(1, sizeof(*new));
        if (new == NULL)
                return NULL;
 
+    new->refcount = 1;
+    new->in_list = 0;
        new->proposal = NULL;
 
        /* set default */
        new->doitype = IPSEC_DOI;
        new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
        new->proposal = NULL;
 
        /* set default */
        new->doitype = IPSEC_DOI;
        new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
+    new->ike_version = ISAKMP_VERSION_NUMBER_IKEV1;
        new->idvtype = IDTYPE_UNDEFINED;
        new->idvl_p = genlist_init();
        new->nonce_size = DEFAULT_NONCE_SIZE;
        new->passive = FALSE;
        new->idvtype = IDTYPE_UNDEFINED;
        new->idvl_p = genlist_init();
        new->nonce_size = DEFAULT_NONCE_SIZE;
        new->passive = FALSE;
-       new->ike_frag = FALSE;
+       new->ike_frag = ISAKMP_FRAG_ON;
        new->esp_frag = IP_MAXPACKET;
        new->ini_contact = TRUE;
        new->mode_cfg = FALSE;
        new->esp_frag = IP_MAXPACKET;
        new->ini_contact = TRUE;
        new->mode_cfg = FALSE;
@@ -269,30 +298,17 @@ newrmconf()
        new->verify_identifier = FALSE;
        new->verify_cert = TRUE;
        new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
        new->verify_identifier = FALSE;
        new->verify_cert = TRUE;
        new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
-       new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
        new->cacerttype = ISAKMP_CERT_X509SIGN;
        new->certtype = ISAKMP_CERT_NONE;
        new->cacerttype = ISAKMP_CERT_X509SIGN;
        new->certtype = ISAKMP_CERT_NONE;
-       new->cacertfile = NULL;
        new->send_cert = TRUE;
        new->send_cr = TRUE;
        new->support_proxy = FALSE;
        new->send_cert = TRUE;
        new->send_cr = TRUE;
        new->support_proxy = FALSE;
-       for (i = 0; i <= SCRIPT_MAX; i++)
-               new->script[i] = NULL;
        new->gen_policy = FALSE;
        new->retry_counter = lcconf->retry_counter;
        new->retry_interval = lcconf->retry_interval;
        new->gen_policy = FALSE;
        new->retry_counter = lcconf->retry_counter;
        new->retry_interval = lcconf->retry_interval;
-#ifdef __APPLE__
        new->nat_traversal = NATT_ON;
        new->natt_multiple_user = FALSE;
        new->natt_keepalive = TRUE;
        new->nat_traversal = NATT_ON;
        new->natt_multiple_user = FALSE;
        new->natt_keepalive = TRUE;
-       new->to_remove = FALSE;
-       new->to_delete = FALSE;
-       new->linked_to_ph1 = 0;
-#else
-       new->nat_traversal = NATT_OFF;
-#endif
-       new->rsa_private = genlist_init();
-       new->rsa_public = genlist_init();
        new->idv = NULL;
        new->key = NULL;
 
        new->idv = NULL;
        new->key = NULL;
 
@@ -313,16 +329,15 @@ newrmconf()
 }
 
 struct remoteconf *
 }
 
 struct remoteconf *
-copyrmconf(remote)
-       struct sockaddr *remote;
+copyrmconf(struct sockaddr_storage *remote)
 {
        struct remoteconf *new, *old;
 
        old = getrmconf_strict (remote, 0);
        if (old == NULL) {
 {
        struct remoteconf *new, *old;
 
        old = getrmconf_strict (remote, 0);
        if (old == NULL) {
-               plog (LLV_ERROR, LOCATION, NULL,
+               plog (ASL_LEVEL_ERR, 
                      "Remote configuration for '%s' not found!\n",
                      "Remote configuration for '%s' not found!\n",
-                     saddr2str (remote));
+                     saddr2str((struct sockaddr *)remote));
                return NULL;
        }
 
                return NULL;
        }
 
@@ -332,9 +347,7 @@ copyrmconf(remote)
 }
 
 void *
 }
 
 void *
-dupidvl(entry, arg)
-       void *entry;
-       void *arg;
+dupidvl(void *entry, void *arg)
 {
        struct idspec *id;
        struct idspec *old = (struct idspec *) entry;
 {
        struct idspec *id;
        struct idspec *old = (struct idspec *) entry;
@@ -353,19 +366,33 @@ dupidvl(entry, arg)
 }
 
 struct remoteconf *
 }
 
 struct remoteconf *
-duprmconf (rmconf)
-       struct remoteconf *rmconf;
+duprmconf (struct remoteconf *rmconf)
 {
 {
-       struct remoteconf *new;
-
-       new = racoon_calloc(1, sizeof(*new));
-       if (new == NULL)
-               return NULL;
-       memcpy (new, rmconf, sizeof (*new));
-       // FIXME: We should duplicate the proposal as well.
-       // This is now handled in the cfparse.y
-       // new->proposal = ...;
-       
+    struct remoteconf *new;
+
+    new = racoon_calloc(1, sizeof(*new));
+    if (new == NULL)
+        return NULL;
+    memcpy (new, rmconf, sizeof (*new));
+    // FIXME: We should duplicate remote, proposal, etc.
+    // This is now handled in the cfparse.y
+    // new->proposal = ...;
+
+    // zero-out pointers
+    new->remote = NULL;
+    new->forced_local = NULL;
+    new->keychainCertRef = NULL;       /* peristant keychain ref for cert */
+    new->shared_secret = NULL; /* shared secret */
+    new->open_dir_auth_group = NULL;   /* group to be used to authorize user */
+    new->proposal = NULL;
+    new->in_list = 0;
+    new->refcount = 1;
+    new->idv = NULL;
+    new->key = NULL;
+#ifdef ENABLE_HYBRID
+    new->xauth = NULL;
+#endif
+    
        /* duplicate dynamic structures */
        if (new->etypes)
                new->etypes=dupetypes(new->etypes);
        /* duplicate dynamic structures */
        if (new->etypes)
                new->etypes=dupetypes(new->etypes);
@@ -412,17 +439,12 @@ proposalspec_free(struct proposalspec *head)
 }
 
 void
 }
 
 void
-delrmconf(rmconf)
-       struct remoteconf *rmconf;
+delrmconf(struct remoteconf *rmconf)
 {
 {
-#ifdef __APPLE__
-       if (rmconf->linked_to_ph1) {
-               rmconf->to_delete = TRUE;
-               return;
-       }
-#endif
        if (rmconf->remote)
                racoon_free(rmconf->remote);
        if (rmconf->remote)
                racoon_free(rmconf->remote);
+       if (rmconf->forced_local)
+               racoon_free(rmconf->forced_local);
 #ifdef ENABLE_HYBRID
        if (rmconf->xauth)
                xauth_rmconf_delete(&rmconf->xauth);
 #ifdef ENABLE_HYBRID
        if (rmconf->xauth)
                xauth_rmconf_delete(&rmconf->xauth);
@@ -439,50 +461,30 @@ delrmconf(rmconf)
                oakley_dhgrp_free(rmconf->dhgrp);
        if (rmconf->proposal)
                delisakmpsa(rmconf->proposal);
                oakley_dhgrp_free(rmconf->dhgrp);
        if (rmconf->proposal)
                delisakmpsa(rmconf->proposal);
-       if (rmconf->mycertfile)
-               racoon_free(rmconf->mycertfile);
-       if (rmconf->myprivfile)
-               racoon_free(rmconf->myprivfile);
-       if (rmconf->peerscertfile)
-               racoon_free(rmconf->peerscertfile);
-       if (rmconf->cacertfile)
-               racoon_free(rmconf->cacertfile);
        if (rmconf->prhead)
                proposalspec_free(rmconf->prhead);
        if (rmconf->prhead)
                proposalspec_free(rmconf->prhead);
-       if (rmconf->rsa_private)
-               genlist_free(rmconf->rsa_private, rsa_key_free);
-       if (rmconf->rsa_public)
-               genlist_free(rmconf->rsa_public, rsa_key_free); 
-#ifdef __APPLE__
        if (rmconf->shared_secret)
                vfree(rmconf->shared_secret);
        if (rmconf->keychainCertRef)
                vfree(rmconf->keychainCertRef);
        if (rmconf->open_dir_auth_group)
                vfree(rmconf->open_dir_auth_group);
        if (rmconf->shared_secret)
                vfree(rmconf->shared_secret);
        if (rmconf->keychainCertRef)
                vfree(rmconf->keychainCertRef);
        if (rmconf->open_dir_auth_group)
                vfree(rmconf->open_dir_auth_group);
-#endif
 
        racoon_free(rmconf);
 }
 
 void
 
        racoon_free(rmconf);
 }
 
 void
-delisakmpsa(sa)
-       struct isakmpsa *sa;
+delisakmpsa(struct isakmpsa *sa)
 {
        if (sa->dhgrp)
                oakley_dhgrp_free(sa->dhgrp);
        if (sa->next)
                delisakmpsa(sa->next);
 {
        if (sa->dhgrp)
                oakley_dhgrp_free(sa->dhgrp);
        if (sa->next)
                delisakmpsa(sa->next);
-#ifdef HAVE_GSSAPI
-       if (sa->gssid)
-               vfree(sa->gssid);
-#endif
        racoon_free(sa);
 }
 
 struct etypes *
        racoon_free(sa);
 }
 
 struct etypes *
-dupetypes(orig)
-       struct etypes *orig;
+dupetypes(struct etypes *orig)
 {
        struct etypes *new;
 
 {
        struct etypes *new;
 
@@ -503,8 +505,7 @@ dupetypes(orig)
 }
 
 void
 }
 
 void
-deletypes(e)
-       struct etypes *e;
+deletypes(struct etypes *e)
 {
        if (e->next)
                deletypes(e->next);
 {
        if (e->next)
                deletypes(e->next);
@@ -515,23 +516,33 @@ deletypes(e)
  * insert into head of list.
  */
 void
  * insert into head of list.
  */
 void
-insrmconf(new)
-       struct remoteconf *new;
+insrmconf(struct remoteconf *new)
 {
        TAILQ_INSERT_HEAD(&rmtree, new, chain);
 {
        TAILQ_INSERT_HEAD(&rmtree, new, chain);
+    new->in_list = 1;
 }
 
 void
 }
 
 void
-remrmconf(rmconf)
-       struct remoteconf *rmconf;
+remrmconf(struct remoteconf *rmconf)
 {
 {
-#ifdef __APPLE__
-       if (rmconf->linked_to_ph1) {
-               rmconf->to_remove = TRUE;
-               return;
-       }
-#endif
-       TAILQ_REMOVE(&rmtree, rmconf, chain);
+       if (rmconf->in_list)
+        TAILQ_REMOVE(&rmtree, rmconf, chain);
+    rmconf->in_list = 0;
+}
+
+void
+retain_rmconf(struct remoteconf *rmconf)
+{
+    (rmconf->refcount)++;
+}
+
+void
+release_rmconf(struct remoteconf *rmconf)
+{
+    if (--(rmconf->refcount) <= 0) {
+        remrmconf(rmconf);
+        delrmconf(rmconf);
+    }
 }
 
 void
 }
 
 void
@@ -542,7 +553,8 @@ flushrmconf()
        for (p = TAILQ_FIRST(&rmtree); p; p = next) {
                next = TAILQ_NEXT(p, chain);
                remrmconf(p);
        for (p = TAILQ_FIRST(&rmtree); p; p = next) {
                next = TAILQ_NEXT(p, chain);
                remrmconf(p);
-               delrmconf(p);
+        if (--(p->refcount) <= 0)
+            delrmconf(p);
        }
 }
 
        }
 }
 
@@ -554,9 +566,7 @@ initrmconf()
 
 /* check exchange type to be acceptable */
 struct etypes *
 
 /* check exchange type to be acceptable */
 struct etypes *
-check_etypeok(rmconf, etype)
-       struct remoteconf *rmconf;
-       u_int8_t etype;
+check_etypeok(struct remoteconf *rmconf, u_int8_t etype)
 {
        struct etypes *e;
 
 {
        struct etypes *e;
 
@@ -586,9 +596,6 @@ newisakmpsa()
 
        new->next = NULL;
        new->rmconf = NULL;
 
        new->next = NULL;
        new->rmconf = NULL;
-#ifdef HAVE_GSSAPI
-       new->gssid = NULL;
-#endif
 
        return new;
 }
 
        return new;
 }
@@ -597,9 +604,7 @@ newisakmpsa()
  * insert into tail of list.
  */
 void
  * insert into tail of list.
  */
 void
-insisakmpsa(new, rmconf)
-       struct isakmpsa *new;
-       struct remoteconf *rmconf;
+insisakmpsa(struct isakmpsa *new, struct remoteconf *rmconf)
 {
        struct isakmpsa *p;
 
 {
        struct isakmpsa *p;
 
@@ -641,7 +646,7 @@ dump_peers_identifiers (void *entry, void *arg)
                         s_idtype (id->idtype));
        if (id->id)
                pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v);
                         s_idtype (id->idtype));
        if (id->id)
                pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v);
-       plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
+       plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
        return NULL;
 }
 
        return NULL;
 }
 
@@ -653,11 +658,15 @@ dump_rmconf_single (struct remoteconf *p, void *data)
        char buf[1024], *pbuf;
 
        pbuf = buf;
        char buf[1024], *pbuf;
 
        pbuf = buf;
-       pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote));
+    if (p->remote_prefix)
+        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", 
+                         saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
+    else
+        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str((struct sockaddr *)p->remote));
        if (p->inherited_from)
                pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
        if (p->inherited_from)
                pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
-                               saddr2str(p->inherited_from->remote));
-       plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
+                               saddr2str((struct sockaddr *)p->inherited_from->remote));
+       plog(ASL_LEVEL_NOTICE, "%s {\n", buf);
        pbuf = buf;
        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
        while (etype) {
        pbuf = buf;
        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
        while (etype) {
@@ -665,92 +674,83 @@ dump_rmconf_single (struct remoteconf *p, void *data)
                                 etype->next != NULL ? ", " : ";\n");
                etype = etype->next;
        }
                                 etype->next != NULL ? ", " : ";\n");
                etype = etype->next;
        }
-       plog(LLV_INFO, LOCATION, NULL, "%s", buf);
-       plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
+       plog(ASL_LEVEL_NOTICE, "%s", buf);
+       plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype));
        pbuf = buf;
        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype));
        if (p->idvtype == IDTYPE_ASN1DN) {
        pbuf = buf;
        pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype));
        if (p->idvtype == IDTYPE_ASN1DN) {
-               plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
-               plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
-                       p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
-                       p->mycertfile, p->myprivfile);
+               plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
                switch (p->getcert_method) {
                  case 0:
                        break;
                  case ISAKMP_GETCERT_PAYLOAD:
                switch (p->getcert_method) {
                  case 0:
                        break;
                  case ISAKMP_GETCERT_PAYLOAD:
-                       plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
-                       break;
-                 case ISAKMP_GETCERT_LOCALFILE:
-                       plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
-                       break;
-                 case ISAKMP_GETCERT_DNS:
-                       plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
+                       plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n");
                        break;
                  default:
                        break;
                  default:
-                       plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
+                       plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
                }
        }
        else {
                if (p->idv)
                        pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v);
                }
        }
        else {
                if (p->idv)
                        pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v);
-               plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
+               plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
                genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
        }
 
                genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
        }
 
-       plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n",
                s_switch (p->send_cert));
                s_switch (p->send_cert));
-       plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n",
                s_switch (p->send_cr));
                s_switch (p->send_cr));
-       plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n",
                s_switch (p->verify_cert));
                s_switch (p->verify_cert));
-       plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n",
                s_switch (p->verify_identifier));
                s_switch (p->verify_identifier));
-       plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n",
                p->nat_traversal == NATT_FORCE ?
                        "force" : s_switch (p->nat_traversal));
                p->nat_traversal == NATT_FORCE ?
                        "force" : s_switch (p->nat_traversal));
-#ifdef __APPLE__
-       plog(LLV_INFO, LOCATION, NULL, "\tnatt_multiple_user %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n",
                s_switch (p->natt_multiple_user));
                s_switch (p->natt_multiple_user));
-#endif
-       plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
+       plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n",
                p->nonce_size);
                p->nonce_size);
-       plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n",
                s_switch (p->passive));
                s_switch (p->passive));
-       plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n",
                p->ike_frag == ISAKMP_FRAG_FORCE ?
                        "force" : s_switch (p->ike_frag));
                p->ike_frag == ISAKMP_FRAG_FORCE ?
                        "force" : s_switch (p->ike_frag));
-       plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
-       plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag);
+       plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n",
                s_switch (p->ini_contact));
                s_switch (p->ini_contact));
-       plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n",
                s_switch (p->gen_policy));
                s_switch (p->gen_policy));
-       plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
+       plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n",
                s_switch (p->support_proxy));
 
        while (prop) {
                s_switch (p->support_proxy));
 
        while (prop) {
-               plog(LLV_INFO, LOCATION, NULL, "\n");
-               plog(LLV_INFO, LOCATION, NULL,
+               plog(ASL_LEVEL_NOTICE, "\n");
+               plog(ASL_LEVEL_NOTICE, 
                        "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
                        prop->prop_no, prop->trns_no,
                        "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
                        prop->prop_no, prop->trns_no,
-                       saddr2str(prop->rmconf->remote));
-               plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
-               plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
+                       saddr2str((struct sockaddr *)prop->rmconf->remote));
+               plog(ASL_LEVEL_NOTICE, "\tproposal {\n");
+               plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n",
                        (long)prop->lifetime);
                        (long)prop->lifetime);
-               plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
+               plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n",
                        prop->lifebyte);
                        prop->lifebyte);
-               plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
+               plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n",
                        alg_oakley_dhdef_name(prop->dh_group));
                        alg_oakley_dhdef_name(prop->dh_group));
-               plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n", 
+               plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n", 
                        alg_oakley_encdef_name(prop->enctype));
                        alg_oakley_encdef_name(prop->enctype));
-               plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n", 
+               plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n",
                        alg_oakley_hashdef_name(prop->hashtype));
                        alg_oakley_hashdef_name(prop->hashtype));
-               plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n", 
+               plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n",
+                        alg_oakley_hashdef_name(prop->prf));
+               plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n",
                        alg_oakley_authdef_name(prop->authmethod));
                        alg_oakley_authdef_name(prop->authmethod));
-               plog(LLV_INFO, LOCATION, NULL, "\t}\n");
+               plog(ASL_LEVEL_NOTICE, "\t}\n");
                prop = prop->next;
        }
                prop = prop->next;
        }
-       plog(LLV_INFO, LOCATION, NULL, "}\n");
-       plog(LLV_INFO, LOCATION, NULL, "\n");
+       plog(ASL_LEVEL_NOTICE, "}\n");
+       plog(ASL_LEVEL_NOTICE, "\n");
 
        return NULL;
 }
 
        return NULL;
 }
@@ -774,41 +774,6 @@ newidspec()
        return new;
 }
 
        return new;
 }
 
-vchar_t *
-script_path_add(path)
-       vchar_t *path;
-{
-       char *script_dir;
-       vchar_t *new_path;
-       vchar_t *new_storage;
-       vchar_t **sp;
-       size_t len;
-       size_t size;
-
-       script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
-
-       /* Try to find the script in the script directory */
-       if ((path->v[0] != '/') && (script_dir != NULL)) {
-               len = strlen(script_dir) + sizeof("/") + path->l + 1;
-
-               if ((new_path = vmalloc(len)) == NULL) {
-                       plog(LLV_ERROR, LOCATION, NULL,
-                           "Cannot allocate memory: %s\n", strerror(errno));
-                       return NULL;
-               }
-
-               new_path->v[0] = '\0';
-               (void)strlcat(new_path->v, script_dir, new_path->l);
-               (void)strlcat(new_path->v, "/", new_path->l);
-               (void)strlcat(new_path->v, path->v, new_path->l);
-
-               vfree(path);
-               path = new_path;
-       }
-
-       return path;
-}
-
 
 struct isakmpsa *
 dupisakmpsa(struct isakmpsa *sa)
 
 struct isakmpsa *
 dupisakmpsa(struct isakmpsa *sa)
@@ -823,9 +788,6 @@ dupisakmpsa(struct isakmpsa *sa)
                return NULL;
 
        *res = *sa;
                return NULL;
 
        *res = *sa;
-#ifdef HAVE_GSSAPI
-       res->gssid=vdup(sa->gssid);
-#endif
        res->next=NULL;
 
        if (sa->dhgrp != NULL)
        res->next=NULL;
 
        if (sa->dhgrp != NULL)
@@ -835,16 +797,3 @@ dupisakmpsa(struct isakmpsa *sa)
 
 }
 
 
 }
 
-void
-rsa_key_free(void *entry)
-{
-       struct rsa_key *key = (struct rsa_key *)entry;
-       
-       if (key->src)
-               free(key->src);
-       if (key->dst)
-               free(key->dst);
-       if (key->rsa)
-               RSA_free(key->rsa);
-       free(key);
-}
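Review bot: In the getrmconf hunk (`@@ -200,68 +243,54`), the NAT64 fallback builds `v4dst` as a `struct sockaddr_in` with only family, length and port set, ignores whatever `nw_nat64_extract_v4` returns, and then hands the 16-byte object to `getrmconf_strict` as a `struct sockaddr_storage *`; if extraction fails the lookup runs on an uninitialized `sin_addr`, and any callee that sizes by `sizeof(struct sockaddr_storage)` reads past the stack object. Declaring a zeroed `struct sockaddr_storage`, filling it through a `sockaddr_in *` view and gating the lookup on the extraction result (it reports success as a flag, as far as I can tell from the libnetwork API — confirm) closes both gaps, and the `ALIGNED_CAST` becomes unnecessary. A lesser point in the same section: the new lines in getrmconf_strict, duprmconf, insrmconf, remrmconf, retain_rmconf/release_rmconf and flushrmconf are four-space indented while the surrounding file uses tabs, and `if (rmconf->in_list)` in remrmconf has an unbraced body; worth a normalization pass before merge.
```c
	if (remote->ss_family == AF_INET6) {
		/* full sockaddr_storage so any callee sizing by sizeof(ss) stays in bounds */
		struct sockaddr_storage v4ss = {0};
		struct sockaddr_in *v4dst = (struct sockaddr_in *)&v4ss;
		nw_nat64_prefix_t nat64_prefix;

		v4dst->sin_family = AF_INET;
		v4dst->sin_len = sizeof(struct sockaddr_in);
		v4dst->sin_port = 0;
		/* only look up the synthesized IPv4 peer if extraction actually succeeded */
		if (vpncontrol_set_nat64_prefix(&nat64_prefix) &&
		    nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst->sin_addr)) {
			rmconf = getrmconf(&v4ss);
			if (rmconf != NULL) {
				return rmconf;
			}
		}
	}
```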