ipsec-332.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / pfkey_racoon.c
index 665f69e6f3648b532b38696695d26dbaf1483a2e..57c2fa9e279b907ee50452dec8b03056c76dca45 100644 (file)
@@ -97,8 +97,6 @@
 #include "vpn_control.h"
 #include "vpn_control_var.h"
 #include "ike_session.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
 #include "power_mgmt.h"
 #include "session.h"
 
@@ -157,15 +155,14 @@ NULL,     /* SADB_X_SPDSETIDX */
 pk_recvspdexpire,
 NULL,  /* SADB_X_SPDDELETE2 */
 pk_recvgetsastat, /* SADB_GETSASTAT */
-NULL,  /* SADB_X_NAT_T_NEW_MAPPING */
-NULL, /* SADB_X_MIGRATE */
-#if (SADB_MAX > 25)
-#error "SADB extra message?"
+NULL,  /* SADB_X_SPDENABLE */
+NULL, /* SADB_X_SPDDISNABLE */
+NULL, /* SADB_MIGRATE */
+#if (SADB_MAX > 26)
+#warning "SADB extra message?"
 #endif
 };
 
-static int addnewsp (caddr_t *);
-
 /* cope with old kame headers - ugly */
 #ifndef SADB_X_AALG_MD5
 #define SADB_X_AALG_MD5                SADB_AALG_MD5   
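Review bot: Downgrading `#error "SADB extra message?"` to `#warning` on the `SADB_MAX > 26` guard removes the only build-time stop that keeps the `pkrecvf` table in step with the message-type range. `pfkey_process` indexes it as `pkrecvf[msg->sadb_msg_type]`, and neither the array declaration nor the range check on that field is visible in this diff. If the table is sized by its initialisers, a header that raises SADB_MAX would now build with only a warning and leave the highest types indexing past the end. Keep it a hard failure, either the original `#error` or `_Static_assert(sizeof(pkrecvf) / sizeof(pkrecvf[0]) == SADB_MAX + 1, "pkrecvf out of sync");` after the table. The comment `/* SADB_X_SPDDISNABLE */` also looks like a typo for SADB_X_SPDDISABLE.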
@@ -222,7 +219,7 @@ pfkey_process(msg)
                /* when SPD is empty, treat the state as no error. */
                if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
                    msg->sadb_msg_errno == ENOENT)
-                       pri = ASL_LEVEL_DEBUG;
+                       pri = ASL_LEVEL_NOTICE;
                else
                        pri = ASL_LEVEL_ERR;
 
@@ -242,7 +239,7 @@ pfkey_process(msg)
        }
 
        if (pkrecvf[msg->sadb_msg_type] == NULL) {
-               plog(ASL_LEVEL_INFO
+               plog(ASL_LEVEL_NOTICE
                        "unsupported PF_KEY message %s\n",
                        s_pfkey_type(msg->sadb_msg_type));
                goto end;
@@ -272,7 +269,7 @@ pfkey_handler(void *unused)
        ssize_t len;
 
        if (slept_at || woke_at) {
-               plog(ASL_LEVEL_DEBUG, 
+               plog(ASL_LEVEL_DEBUG,
                         "ignoring pfkey port until power-mgmt event is handled.\n");
                return;
        }
@@ -289,7 +286,7 @@ pfkey_handler(void *unused)
                        return;                 
                } else {
                        /* short message - msg not ready */
-                       plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n");
+                       plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n");
                        return;
                }
        }
@@ -303,7 +300,7 @@ pfkey_post_handler()
        struct saved_msg_elem *elem_tmp = NULL;
 
        if (slept_at || woke_at) {
-               plog(ASL_LEVEL_DEBUG, 
+               plog(ASL_LEVEL_NOTICE,
                         "ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
                return;
        }
@@ -1326,11 +1323,14 @@ pk_recvupdate(mhp)
                                    sa->sadb_sa_spi,
                                    sa_mode));
 
-                       plog(ASL_LEVEL_INFO, 
-                               "IPsec-SA established: %s\n",
-                               sadbsecas2str(iph2->dst, iph2->src,
-                                       msg->sadb_msg_satype, sa->sadb_sa_spi,
-                                       sa_mode));
+                       plog(ASL_LEVEL_NOTICE, 
+                                "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n",
+                                msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+                       plog(ASL_LEVEL_DEBUG,
+                                "IPsec-SA established (update): %s\n",
+                                sadbsecas2str(iph2->dst, iph2->src,
+                                                          msg->sadb_msg_satype, sa->sadb_sa_spi,
+                                                          sa_mode));
                }
 
                if (pr->ok == 0)
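Review bot: The new NOTICE-level `plog` in pk_recvupdate identifies the SA only by satype, SPI and mode, and the address-bearing `sadbsecas2str()` text moves to DEBUG, but nothing in the code says why. A one-line comment such as `/* peer addresses are logged at DEBUG only; keep them out of NOTICE */` would stop a later edit from merging the two lines again. The same pair is repeated in pk_recvadd and pk_recvexpire, so a small static helper taking a label, the address pair, satype, SPI and mode would keep the three sites consistent. The NOTICE line applies `ntohl()` to the SPI while `sadbsecas2str()` receives it as stored, and `sa_mode` is printed with `%u` although its declaration is outside the hunk; both are worth confirming so the two lines can be correlated.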
@@ -1346,18 +1346,6 @@ pk_recvupdate(mhp)
        /* update status */
        fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED);
 
-       if (iph2->side == INITIATOR) {
-               IPSECSESSIONTRACEREVENT(iph2->parent_session,
-                                                               IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC,
-                                                               CONSTSTR("Initiator, Quick-Mode"),
-                                                               CONSTSTR(NULL));
-       } else {
-               IPSECSESSIONTRACEREVENT(iph2->parent_session,
-                                                               IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC,
-                                                               CONSTSTR("Responder, Quick-Mode"),
-                                                               CONSTSTR(NULL));
-       }
-
        ike_session_ph2_established(iph2);
 
        IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n",
@@ -1608,8 +1596,11 @@ pk_recvadd(mhp)
         * because they must be updated by SADB_UPDATE message
         */
 
-       plog(ASL_LEVEL_INFO, 
-               "IPsec-SA established: %s\n",
+       plog(ASL_LEVEL_NOTICE,
+                "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n",
+                msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+       plog(ASL_LEVEL_DEBUG,
+               "IPsec-SA established (add): %s\n",
                sadbsecas2str(iph2->src, iph2->dst,
                        msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
                        
@@ -1617,12 +1608,6 @@ pk_recvadd(mhp)
        
 #ifdef ENABLE_VPNCONTROL_PORT
                {
-                       u_int32_t address;
-                       
-                       if (iph2->dst->ss_family == AF_INET)
-                               address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
-                       else
-                               address = 0;
                        vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2);
                }       
 #endif
@@ -1668,7 +1653,10 @@ pk_recvexpire(mhp)
                return -1;
        }
 
-       plog(ASL_LEVEL_INFO, 
+       plog(ASL_LEVEL_NOTICE,
+                "IPsec-SA expired: satype=%u spi=%#x mode=%u\n",
+                msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+       plog(ASL_LEVEL_DEBUG,
                "IPsec-SA expired: %s\n",
                sadbsecas2str(src, dst,
                        msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
@@ -1903,6 +1891,7 @@ pk_recvacquire(mhp)
 
        iph2->satype = msg->sadb_msg_satype;
        iph2->seq = msg->sadb_msg_seq;
+       vpncontrol_set_nat64_prefix(&iph2->nat64_prefix);
        /* set end addresses of SA */
                                                 // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
        iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
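Review bot: `vpncontrol_set_nat64_prefix(&iph2->nat64_prefix);` is called with no visible preprocessor guard, whereas the other vpncontrol call in this diff, `vpncontrol_notify_phase_change(...)` in pk_recvadd, sits inside `#ifdef ENABLE_VPNCONTROL_PORT`. If the new function is only built with that option (its definition is not part of this diff), a build without it would fail to link, so the call probably wants the same guard. Its return value, if it has one, is also ignored here. pk_recvacquire starts and ends outside the hunk, so an enclosing guard may exist that is not shown.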
@@ -1982,13 +1971,13 @@ pk_recvacquire(mhp)
                goto err;
        }
        
-#if !TARGET_OS_EMBEDDED
+#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
        if ( lcconf->vt == NULL){
                if (!(lcconf->vt = vproc_transaction_begin(NULL)))
                        plog(ASL_LEVEL_ERR, 
                                "vproc_transaction_begin returns NULL.\n");
        }
-#endif                         
+#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
 
        
        return 0;
@@ -2924,13 +2913,14 @@ pk_getseq()
        return eay_random();
 }
 
-static int
+int
 addnewsp(mhp)
        caddr_t *mhp;
 {
        struct secpolicy *new;
        struct sadb_address *saddr, *daddr;
        struct sadb_x_policy *xpl;
+       struct sadb_ext *ext;
 
        /* sanity check */
        if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
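Review bot: `struct sadb_ext *ext;` is added to addnewsp() but none of the hunks shown for this function reads or writes it, so it may be an unused local; drop it or confirm where it is used. Removing `static` together with the forward declaration `static int addnewsp (caddr_t *);` gives the function external linkage, so callers in other files need a prototype in a header that this diff does not show. With the K&R-style definition the compiler cannot check the argument type without one. The function body continues outside the hunk.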
@@ -2943,7 +2933,14 @@ addnewsp(mhp)
 
        saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];    // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
        daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+
        xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+       /* validity check */
+       if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
+               plog(ASL_LEVEL_ERR,
+                       "invalid msg length.\n");
+               return -1;
+       }
 
        new = newsp();
        if (new == NULL) {
@@ -2972,17 +2969,16 @@ addnewsp(mhp)
                struct sadb_x_ipsecrequest *xisr;
                struct ipsecrequest **p_isr = &new->req;
 
-               /* validity check */
-               if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
-                       plog(ASL_LEVEL_ERR, 
-                               "invalid msg length.\n");
-                       return -1;
-               }
-
                tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
                xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
 
                while (tlen > 0) {
+                       if (tlen < sizeof(*xisr) ||
+                               tlen < xisr->sadb_x_ipsecrequest_len) {
+                               plog(ASL_LEVEL_ERR,
+                                       "invalid msg length for ipsec request.\n");
+                               return -1;
+                       }
 
                        /* length check */
                        if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
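Review bot: The `return -1` in the new length check at the top of the `while (tlen > 0)` loop leaves the policy allocated by `newsp()` unreleased, as far as the hunk shows. The commit itself adds `delsp(new);` before the `return -1` in the `default:` case, and the same pair belongs here: `delsp(new); return -1;`. The two address-length checks added in the next hunk ("invalid msg length for src ip address" and the dst variant) return the same way and need the same cleanup. Whether `delsp()` also frees requests already linked through `p_isr` is not visible here and should be confirmed; the loop body continues outside the hunk.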
@@ -3049,13 +3045,28 @@ addnewsp(mhp)
                        /* set IP addresses if there */
                        if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
                                struct sockaddr *paddr;
+                               int rem_buf_len = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr);
 
                                paddr = (struct sockaddr *)(xisr + 1);
+                               if (rem_buf_len < sizeof(*paddr) ||
+                                       rem_buf_len < sysdep_sa_len(paddr)) {
+                                       plog(ASL_LEVEL_ERR,
+                                               "invalid msg length for src ip address.\n");
+                                       return -1;
+                               }
                                bcopy(paddr, &(*p_isr)->saidx.src,
                                        sysdep_sa_len(paddr));
 
+                               rem_buf_len -= sysdep_sa_len(paddr);
+
                                paddr = (struct sockaddr *)((caddr_t)paddr
                                                        + sysdep_sa_len(paddr));
+                               if (rem_buf_len < sizeof(*paddr) ||
+                                       rem_buf_len < sysdep_sa_len(paddr)) {
+                                       plog(ASL_LEVEL_ERR,
+                                               "invalid msg length for dst ip address.\n");
+                                       return -1;
+                               }
                                bcopy(paddr, &(*p_isr)->saidx.dst,
                                        sysdep_sa_len(paddr));
                        }
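Review bot: The two added checks bound `sysdep_sa_len(paddr)` by the bytes left in the request, but not by the size of the destination, so each `bcopy` into `(*p_isr)->saidx.src` and `.dst` still copies a length taken from the message. If those fields are fixed-size socket-address storage (their declaration is outside this diff), the guard should also reject an oversized length, for example by adding `|| sysdep_sa_len(paddr) > sizeof((*p_isr)->saidx.src)` to the condition. `rem_buf_len` is an `int` compared against `sizeof`, which converts it to unsigned; the preceding checks keep it non-negative, but declaring it `size_t` would make that explicit.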
@@ -3080,6 +3091,7 @@ addnewsp(mhp)
        default:
                plog(ASL_LEVEL_ERR, 
                        "invalid policy type.\n");
+               delsp(new);
                return -1;
        }