X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/65c257469f746e64364e5df94f3ed8c6698a9d0a..c8d8bee0bee0298e25cb827876f57e58cc0a938c:/ipsec-tools/racoon/pfkey_racoon.c diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 1f20ca8..63c61dd 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -101,8 +101,6 @@ #include "ipsecMessageTracer.h" #include "power_mgmt.h" #include "session.h" -#include "ikev2_rfc.h" -#include "api_support.h" #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC @@ -159,10 +157,11 @@ NULL, /* SADB_X_SPDSETIDX */ pk_recvspdexpire, NULL, /* SADB_X_SPDDELETE2 */ pk_recvgetsastat, /* SADB_GETSASTAT */ -NULL, /* SADB_X_NAT_T_NEW_MAPPING */ -NULL, /* SADB_X_MIGRATE */ -#if (SADB_MAX > 25) -#error "SADB extra message?" +NULL, /* SADB_X_SPDENABLE */ +NULL, /* SADB_X_SPDDISNABLE */ +NULL, /* SADB_MIGRATE */ +#if (SADB_MAX > 26) +#warning "SADB extra message?" #endif }; @@ -234,7 +233,6 @@ pfkey_process(msg) strerror(msg->sadb_msg_errno)); goto end; } - /* safety check */ if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { @@ -794,6 +792,7 @@ pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype, if ((*a_keylen = keylen_aalg(hashtype)) == ~0) goto bad; *a_keylen >>= 3; + if (*e_type == SADB_EALG_NONE) { plog(ASL_LEVEL_ERR, "no ESP algorithm.\n"); goto bad; @@ -1096,7 +1095,6 @@ pk_sendupdate(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; - struct satrns *tr; int authtype; /* sanity check */ 
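Review bot: Downgrading `#error` to `#warning` in the `SADB_MAX` guard at the end of the dispatch table (pkrecvf, going by the `ARRAYLEN(pkrecvf)` check in the following hunk) turns a hard build failure into a warning that is easy to miss, so a kernel header that adds a message type past 26 would leave the table one entry short without anyone noticing. The runtime bounds check in pfkey_process keeps that from being an out-of-bounds read, but the new message type would then be silently dropped instead of being caught at compile time. If the warning is deliberate because this file is built against several kernel headers, say so in a comment next to it; otherwise restore `#error "SADB extra message?"`, or replace the hand-counted guard with one that cannot go stale, e.g. `_Static_assert(ARRAYLEN(pkrecvf) == SADB_MAX + 1, "pkrecvf must cover every SADB message type");` after the table, if the build is C11. The label `/* SADB_X_SPDDISNABLE */` also looks misspelled (presumably `SADB_X_SPDDISABLE`), which matters here because these comments are the only thing documenting which index each slot corresponds to.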
@@ -1170,15 +1168,18 @@ pk_sendupdate(iph2) memset (&natt, 0, sizeof (natt)); natt.sport = extract_port (iph2->ph1->remote); flags |= SADB_X_EXT_NATT; - if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { + if (iph2->ph1->rmconf->natt_multiple_user == TRUE && + mode == IPSEC_MODE_TRANSPORT && + src->ss_family == AF_INET) { + flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; + if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { + // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE + flags |= SADB_X_EXT_NATT_DETECTED_PEER; + } + } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { if (iph2->ph1->rmconf->natt_keepalive == TRUE) flags |= SADB_X_EXT_NATT_KEEPALIVE; } else { - if (iph2->ph1->rmconf->natt_multiple_user == TRUE && - mode == IPSEC_MODE_TRANSPORT && - src->ss_family == AF_INET) { - flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; - } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE flags |= SADB_X_EXT_NATT_DETECTED_PEER; @@ -1293,7 +1294,6 @@ pk_recvupdate(mhp) iph2->status); return -1; } - //%%%% fix for IKEv2 if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA && iph2->status != IKEV1_STATE_QUICK_R_ADDSA) { plog(ASL_LEVEL_ERR, @@ -1406,7 +1406,6 @@ pk_sendadd(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; - struct satrns *tr; int authtype; /* sanity check */ 
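Review bot: The reordering changes which flags a host that is itself behind a NAT gets: with `natt_multiple_user` set, transport mode and IPv4, the new first branch is now taken regardless of `NAT_DETECTED_ME`, so `SADB_X_EXT_NATT_KEEPALIVE` is never requested for that SA even when `natt_keepalive` is configured, whereas the old code let `NAT_DETECTED_ME` win. If that is intended (`natt_multiple_user` presumably describes a responder that is not expected to sit behind a NAT), the precedence should be stated where it is decided, e.g. `/* multiple-user mode takes precedence: no NATT_KEEPALIVE is requested for this SA even if NAT_DETECTED_ME is set */`; if it is not, the `NAT_DETECTED_ME` test needs to stay ahead of the multiple-user test. This block is repeated verbatim in pk_sendadd further down, so whichever way it is resolved, a small static helper computing the NAT-T flag set from the rmconf, natt_flags, mode and address family would keep the two copies from drifting again. pk_sendupdate starts and ends outside the hunk.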
@@ -1481,15 +1480,18 @@ pk_sendadd(iph2) memset (&natt, 0, sizeof (natt)); natt.dport = extract_port (iph2->ph1->remote); flags |= SADB_X_EXT_NATT; - if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { + if (iph2->ph1->rmconf->natt_multiple_user == TRUE && + mode == IPSEC_MODE_TRANSPORT && + src->ss_family == AF_INET) { + flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; + if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { + // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE + flags |= SADB_X_EXT_NATT_DETECTED_PEER; + } + } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { if (iph2->ph1->rmconf->natt_keepalive == TRUE) flags |= SADB_X_EXT_NATT_KEEPALIVE; } else { - if (iph2->ph1->rmconf->natt_multiple_user == TRUE && - mode == IPSEC_MODE_TRANSPORT && - dst->ss_family == AF_INET) { - flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; - } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE flags |= SADB_X_EXT_NATT_DETECTED_PEER; 
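Review bot: Besides repeating the precedence change made in pk_sendupdate, this hunk silently switches the address-family test from `dst->ss_family` to `src->ss_family`; both endpoints of an SA should share a family, so this is probably harmless, but it is a behaviour change the commit does not mention and it deserves a word in the commit message or a comment on the condition. The same keepalive question applies here: with `natt_multiple_user` set, a `NAT_DETECTED_ME` host no longer gets `SADB_X_EXT_NATT_KEEPALIVE`, and the `// is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE` comment on the inner `NAT_DETECTED_PEER` test does not explain that precedence. Since the block is now byte-for-byte the one in pk_sendupdate, factoring it into a single static helper would remove the duplication and give the precedence rule one place to live. pk_sendadd starts and ends outside the hunk.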
@@ -1703,31 +1705,29 @@ pk_recvexpire(mhp) /* turn off the timer for calling isakmp_ph2expire() */ SCHED_KILL(iph2->sce); + + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); + + /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ + /* allocate buffer for status management of pfkey message */ + if (iph2->side == INITIATOR && + !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && + !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { + + ike_session_initph2(iph2); + + /* start isakmp initiation by using ident exchange */ + if (isakmp_post_acquire(iph2) < 0) { + plog(ASL_LEVEL_ERR, + "failed to begin ipsec sa " + "re-negotiation.\n"); + ike_session_unlink_phase2(iph2); + return -1; + } - fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); - - { - /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ - /* allocate buffer for status management of pfkey message */ - if (iph2->side == INITIATOR && - !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && - !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { - - ike_session_initph2(iph2); - - /* start isakmp initiation by using ident exchange */ - if (isakmp_post_acquire(iph2) < 0) { - plog(ASL_LEVEL_ERR, - "failed to begin ipsec sa " - "re-negotiation.\n"); - ike_session_unlink_phase2(iph2); - return -1; - } - - return 0; - /*NOTREACHED*/ - } - } + return 0; + /*NOTREACHED*/ + } /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ @@ -1968,7 +1968,7 @@ pk_recvacquire(mhp) } if (session == NULL) - session = ike_session_get_session(iph2->src, iph2->dst, 1); + session = ike_session_get_session(iph2->src, iph2->dst, 1, NULL); if (session == NULL) fatal_error(-1);
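Review bot: The comment `/* allocate buffer for status management of pfkey message */` carried over into the flattened block describes nothing in it — the code below it tests the initiator side and the session's rekey state, then calls ike_session_initph2() and isakmp_post_acquire() — so it should be dropped or replaced with what the condition actually guards, e.g. `/* INITIATOR: start a phase 2 re-negotiation only if no other established ph2 exists and the session is not dropping ph2 rekeys */`. The `/*NOTREACHED*/` after `return 0;` is also misplaced, since that return is taken on every successful initiation; it belongs after a call that does not return, or should go. On the failure path the handler has already moved iph2 to IKEV1_STATE_PHASE2_EXPIRED, then unlinks it and returns -1; whether ike_session_unlink_phase2() also frees the handle, and hence whether the caller may still touch it, is not visible here and is worth a one-line comment at `ike_session_unlink_phase2(iph2);`. pk_recvexpire continues past the hunk.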