X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/85f41bec1acc617e559a0eb4ae1c926b61c3169f..c8d8bee0bee0298e25cb827876f57e58cc0a938c:/ipsec-tools/racoon/pfkey_racoon.c?ds=inline diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 88ec5f7..63c61dd 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -30,6 +30,7 @@ */ #include "config.h" +#include "racoon_types.h" #include #include @@ -54,7 +55,7 @@ #include #include -#include +#include #include #ifndef HAVE_NETINET6_IPSEC @@ -71,6 +72,8 @@ #include "plog.h" #include "sockmisc.h" #include "debug.h" +#include "fsm.h" +#include "ike_session.h" #include "schedule.h" #include "localconf.h" @@ -86,10 +89,7 @@ #include "algorithm.h" #include "sainfo.h" #include "proposal.h" -#include "admin.h" -#include "privsep.h" #include "strnames.h" -#include "backupsa.h" #include "gcmalloc.h" #include "nattraversal.h" #include "crypto_openssl.h" @@ -100,38 +100,39 @@ #include "ipsecSessionTracer.h" #include "ipsecMessageTracer.h" #include "power_mgmt.h" +#include "session.h" #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC) #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC #endif /* prototype */ -static u_int ipsecdoi2pfkey_aalg __P((u_int)); -static u_int ipsecdoi2pfkey_ealg __P((u_int)); -static u_int ipsecdoi2pfkey_calg __P((u_int)); -static u_int ipsecdoi2pfkey_alg __P((u_int, u_int)); -static u_int keylen_aalg __P((u_int)); -static u_int keylen_ealg __P((u_int, int)); - -static int pk_recvgetspi __P((caddr_t *)); -static int pk_recvupdate __P((caddr_t *)); -static int pk_recvadd __P((caddr_t *)); -static int pk_recvdelete __P((caddr_t *)); -static int pk_recvacquire __P((caddr_t *)); -static int pk_recvexpire __P((caddr_t *)); -static int pk_recvflush __P((caddr_t *)); -static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *)); -static int pk_recvspdupdate __P((caddr_t *)); -static int pk_recvspdadd __P((caddr_t *)); -static int pk_recvspddelete __P((caddr_t *)); -static int pk_recvspdexpire __P((caddr_t *)); -static int pk_recvspdget __P((caddr_t *)); -static int pk_recvspddump __P((caddr_t *)); -static int pk_recvspdflush __P((caddr_t *)); -static int pk_recvgetsastat __P((caddr_t *)); -static struct sadb_msg *pk_recv __P((int, ssize_t *)); - -static int (*pkrecvf[]) __P((caddr_t *)) = { +static u_int ipsecdoi2pfkey_aalg (u_int); +static u_int ipsecdoi2pfkey_ealg (u_int); +static u_int ipsecdoi2pfkey_calg (u_int); +static u_int ipsecdoi2pfkey_alg (u_int, u_int); +static u_int keylen_aalg (u_int); +static u_int keylen_ealg (u_int, int); + +static int pk_recvgetspi (caddr_t *); +static int pk_recvupdate (caddr_t *); +static int pk_recvadd (caddr_t *); +static int pk_recvdelete (caddr_t *); +static int pk_recvacquire (caddr_t *); +static int pk_recvexpire (caddr_t *); +static int pk_recvflush (caddr_t *); +static int getsadbpolicy (caddr_t *, int *, int, phase2_handle_t *); +static int pk_recvspdupdate (caddr_t *); +static int pk_recvspdadd (caddr_t *); +static int pk_recvspddelete (caddr_t *); +static int pk_recvspdexpire (caddr_t *); +static int pk_recvspdget (caddr_t *); +static int pk_recvspddump (caddr_t *); +static int pk_recvspdflush (caddr_t *); +static int pk_recvgetsastat (caddr_t *); +static struct sadb_msg *pk_recv (int, ssize_t *); + +static int (*pkrecvf[]) (caddr_t *) = { NULL, pk_recvgetspi, pk_recvupdate, @@ -156,14 +157,15 @@ NULL, /* SADB_X_SPDSETIDX */ pk_recvspdexpire, NULL, /* SADB_X_SPDDELETE2 */ pk_recvgetsastat, /* SADB_GETSASTAT */ -NULL, /* SADB_X_NAT_T_NEW_MAPPING */ -NULL, /* SADB_X_MIGRATE */ -#if (SADB_MAX > 25) -#error "SADB extra message?" +NULL, /* SADB_X_SPDENABLE */ +NULL, /* SADB_X_SPDDISNABLE */ +NULL, /* SADB_MIGRATE */ +#if (SADB_MAX > 26) +#warning "SADB extra message?" #endif }; -static int addnewsp __P((caddr_t *)); +static int addnewsp (caddr_t *); /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 @@ -195,54 +197,53 @@ pfkey_process(msg) caddr_t mhp[SADB_EXT_MAX + 1]; int error = -1; - //plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", - // s_pfkey_type(msg->sadb_msg_type)); - //plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); + // Special debug use only - creates large logs + // plogdump(ASL_LEVEL_DEBUG, msg, msg->sadb_msg_len << 3, "get pfkey %s message\n", + // s_pfkey_type(msg->sadb_msg_type)); /* validity check */ + /* check pfkey message. */ + if (pfkey_align(msg, mhp)) { + plog(ASL_LEVEL_ERR, + "libipsec failed pfkey align (%s)\n", + ipsec_strerror()); + goto end; + } + if (pfkey_check(mhp)) { + plog(ASL_LEVEL_ERR, + "libipsec failed pfkey check (%s)\n", + ipsec_strerror()); + goto end; + } + msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer + if (msg->sadb_msg_errno) { int pri; /* when SPD is empty, treat the state as no error. */ if (msg->sadb_msg_type == SADB_X_SPDDUMP && msg->sadb_msg_errno == ENOENT) - pri = LLV_DEBUG; + pri = ASL_LEVEL_DEBUG; else - pri = LLV_ERROR; + pri = ASL_LEVEL_ERR; - plog(pri, LOCATION, NULL, + plog(pri, "pfkey %s failed: %s\n", s_pfkey_type(msg->sadb_msg_type), strerror(msg->sadb_msg_errno)); - goto end; } - - /* check pfkey message. */ - if (pfkey_align(msg, mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey align (%s)\n", - ipsec_strerror()); - goto end; - } - if (pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey check (%s)\n", - ipsec_strerror()); - goto end; - } - msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer - + /* safety check */ if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unknown PF_KEY message type=%u\n", msg->sadb_msg_type); goto end; } if (pkrecvf[msg->sadb_msg_type] == NULL) { - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "unsupported PF_KEY message %s\n", s_pfkey_type(msg->sadb_msg_type)); goto end; @@ -263,35 +264,37 @@ end: * 0: success * -1: fail */ -int -pfkey_handler() + +//%%%%%%%%%%%%%%%%%% need to handle errors encountered here - this no longer returns a result +void +pfkey_handler(void *unused) { struct sadb_msg *msg; ssize_t len; if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignoring pfkey port until power-mgmt event is handled.\n"); - return 0; + return; } /* receive pfkey message. */ len = 0; msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len); + if (msg == NULL) { if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to recv from pfkey (%s)\n", strerror(errno)); - return -1; + return; } else { /* short message - msg not ready */ - plog(LLV_ERROR, LOCATION, NULL, - "recv short message from pfkey\n"); - return 0; + plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n"); + return; } } - return pfkey_process(msg); + pfkey_process(msg); } void @@ -301,7 +304,7 @@ pfkey_post_handler() struct saved_msg_elem *elem_tmp = NULL; if (slept_at || woke_at) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); return; } @@ -342,16 +345,16 @@ pfkey_dump_sadb(satype) size_t bl, ml; ssize_t len; - if ((s = privsep_pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if ((s = pfkey_open()) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed pfkey open: %s\n", ipsec_strerror()); return NULL; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_dump\n"); if (pfkey_send_dump(s, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed dump: %s\n", ipsec_strerror()); goto fail; } @@ -385,7 +388,7 @@ pfkey_dump_sadb(satype) bl = buf ? buf->l : 0; buf = vrealloc(buf, bl + ml); if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to reallocate buffer to dump.\n"); goto fail; } @@ -404,34 +407,10 @@ done: if (msg) racoon_free(msg); if (s >= 0) - privsep_pfkey_close(s); + pfkey_close_sock(s); return buf; } -#ifdef ENABLE_ADMINPORT -/* - * flush SADB - */ -void -pfkey_flush_sadb(proto) - u_int proto; -{ - int satype; - - /* convert to SADB_SATYPE */ - if ((satype = admin2pfkey_proto(proto)) < 0) - return; - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n"); - if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send flush (%s)\n", ipsec_strerror()); - return; - } - - return; -} -#endif /* * These are the SATYPEs that we manage. We register to get @@ -451,24 +430,24 @@ const int pfkey_nsatypes = * PF_KEY initialization */ int -pfkey_init() +pfkey_init(void) { - int i, reg_fail; + int i, reg_fail, sock; - if ((lcconf->sock_pfkey = privsep_pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if ((lcconf->sock_pfkey = pfkey_open()) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed pfkey open (%s)\n", ipsec_strerror()); return -1; } for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "call pfkey_send_register for %s\n", pfkey_satypes[i].ps_name); if (pfkey_send_register(lcconf->sock_pfkey, pfkey_satypes[i].ps_satype) < 0 || pfkey_recv_register(lcconf->sock_pfkey) < 0) { - plog(LLV_WARNING, LOCATION, NULL, + plog(ASL_LEVEL_WARNING, "failed to register %s (%s)\n", pfkey_satypes[i].ps_name, ipsec_strerror()); @@ -477,30 +456,50 @@ pfkey_init() } if (reg_fail == pfkey_nsatypes) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to regist any protocol.\n"); - pfkey_close(lcconf->sock_pfkey); + close(lcconf->sock_pfkey); return -1; } - - initsp(); + initsp(); + + lcconf->pfkey_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_pfkey, 0, dispatch_get_main_queue()); + if (lcconf->pfkey_source == NULL) { + plog(ASL_LEVEL_ERR, "could not create pfkey socket source."); + return -1; + } + dispatch_source_set_event_handler_f(lcconf->pfkey_source, pfkey_handler); + sock = lcconf->sock_pfkey; + dispatch_source_set_cancel_handler(lcconf->pfkey_source, + ^{ + pfkey_close_sock(sock); + }); + dispatch_resume(lcconf->pfkey_source); if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec sending spddump failed: %s\n", ipsec_strerror()); - pfkey_close(lcconf->sock_pfkey); + pfkey_close(); return -1; } #if 0 if (pfkey_promisc_toggle(1) < 0) { - pfkey_close(lcconf->sock_pfkey); + pfkey_close(); return -1; } #endif + return 0; } +void +pfkey_close(void) +{ + dispatch_source_cancel(lcconf->pfkey_source); + lcconf->pfkey_source = NULL; +} + /* %%% for conversion */ /* IPSECDOI_ATTR_AUTH -> SADB_AALG */ static u_int @@ -508,44 +507,46 @@ ipsecdoi2pfkey_aalg(hashtype) u_int hashtype; { switch (hashtype) { - case IPSECDOI_ATTR_AUTH_HMAC_MD5: - return SADB_AALG_MD5HMAC; - case IPSECDOI_ATTR_AUTH_HMAC_SHA1: - return SADB_AALG_SHA1HMAC; - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256: + case IPSECDOI_ATTR_AUTH_HMAC_MD5: + case IPSECDOI_ATTR_AUTH_HMAC_MD5_96: + return SADB_AALG_MD5HMAC; + case IPSECDOI_ATTR_AUTH_HMAC_SHA1: + case IPSECDOI_ATTR_AUTH_HMAC_SHA1_96: + return SADB_AALG_SHA1HMAC; + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256: #if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC) - return SADB_X_AALG_SHA2_256; + return SADB_X_AALG_SHA2_256; #else - return SADB_X_AALG_SHA2_256HMAC; + return SADB_X_AALG_SHA2_256HMAC; #endif - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384: + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384: #if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC) - return SADB_X_AALG_SHA2_384; + return SADB_X_AALG_SHA2_384; #else - return SADB_X_AALG_SHA2_384HMAC; + return SADB_X_AALG_SHA2_384HMAC; #endif - case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512: + case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512: #if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC) - return SADB_X_AALG_SHA2_512; + return SADB_X_AALG_SHA2_512; #else - return SADB_X_AALG_SHA2_512HMAC; + return SADB_X_AALG_SHA2_512HMAC; #endif - case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ - return SADB_AALG_NONE; - - /* not supported */ - case IPSECDOI_ATTR_AUTH_DES_MAC: - plog(LLV_ERROR, LOCATION, NULL, - "Not supported hash type: %u\n", hashtype); - return ~0; - - case 0: /* reserved */ - default: - return SADB_AALG_NONE; - - plog(LLV_ERROR, LOCATION, NULL, - "Invalid hash type: %u\n", hashtype); - return ~0; + case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ + return SADB_AALG_NONE; + + /* not supported */ + case IPSECDOI_ATTR_AUTH_DES_MAC: + plog(ASL_LEVEL_ERR, + "Not supported hash type: %u\n", hashtype); + return ~0; + + case 0: /* reserved */ + default: + return SADB_AALG_NONE; + + plog(ASL_LEVEL_ERR, + "Invalid hash type: %u\n", hashtype); + return ~0; } /*NOTREACHED*/ } @@ -588,13 +589,13 @@ ipsecdoi2pfkey_ealg(t_id) case IPSECDOI_ESP_3IDEA: case IPSECDOI_ESP_IDEA: case IPSECDOI_ESP_RC4: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Not supported transform: %u\n", t_id); return ~0; case 0: /* reserved */ default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid transform id: %u\n", t_id); return ~0; } @@ -616,7 +617,7 @@ ipsecdoi2pfkey_calg(t_id) case 0: /* reserved */ default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid transform id: %u\n", t_id); return ~0; } @@ -637,7 +638,7 @@ ipsecdoi2pfkey_proto(proto) return SADB_X_SATYPE_IPCOMP; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid ipsec_doi proto: %u\n", proto); return ~0; } @@ -656,7 +657,7 @@ ipsecdoi2pfkey_alg(algclass, type) case IPSECDOI_PROTO_IPCOMP: return ipsecdoi2pfkey_calg(type); default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid ipsec_doi algclass: %u\n", algclass); return ~0; } @@ -677,7 +678,7 @@ pfkey2ipsecdoi_proto(satype) return IPSECDOI_PROTO_IPCOMP; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "Invalid pfkey proto: %u\n", satype); return ~0; } @@ -703,7 +704,7 @@ ipsecdoi2pfkey_mode(mode) #endif return IPSEC_MODE_TRANSPORT; default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); + plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode); return ~0; } /*NOTREACHED*/ @@ -722,7 +723,7 @@ pfkey2ipsecdoi_mode(mode) case IPSEC_MODE_ANY: return IPSECDOI_ATTR_ENC_MODE_ANY; default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); + plog(ASL_LEVEL_ERR, "Invalid mode type: %u\n", mode); return ~0; } /*NOTREACHED*/ @@ -740,7 +741,7 @@ keylen_aalg(hashtype) res = alg_ipsec_hmacdef_hashlen(hashtype); if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid hmac algorithm %u.\n", hashtype); return ~0; } @@ -757,7 +758,7 @@ keylen_ealg(enctype, encklen) res = alg_ipsec_encdef_keylen(enctype, encklen); if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encryption algorithm %u.\n", enctype); return ~0; } @@ -765,8 +766,9 @@ keylen_ealg(enctype, encklen) } int -pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, +pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype, e_type, e_keylen, a_type, a_keylen, flags) + phase2_handle_t *iph2; u_int proto_id; u_int t_id; u_int hashtype; @@ -790,9 +792,9 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, if ((*a_keylen = keylen_aalg(hashtype)) == ~0) goto bad; *a_keylen >>= 3; - + if (*e_type == SADB_EALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n"); + plog(ASL_LEVEL_ERR, "no ESP algorithm.\n"); goto bad; } break; @@ -813,7 +815,7 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, *e_type = SADB_EALG_NONE; *e_keylen = 0; if (*a_type == SADB_AALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n"); + plog(ASL_LEVEL_ERR, "no AH algorithm.\n"); goto bad; } break; @@ -828,13 +830,13 @@ pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, *a_type = SADB_AALG_NONE; *a_keylen = 0; if (*e_type == SADB_X_CALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n"); + plog(ASL_LEVEL_ERR, "no IPCOMP algorithm.\n"); goto bad; } break; default: - plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n"); + plog(ASL_LEVEL_ERR, "unknown IPsec protocol.\n"); goto bad; } @@ -851,14 +853,14 @@ pfkey_timeover_stub(p) void *p; { - pfkey_timeover((struct ph2handle *)p); + pfkey_timeover((phase2_handle_t *)p); } void pfkey_timeover(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s give up to get IPsec-SA due to time up to wait.\n", saddrwop2str((struct sockaddr *)iph2->dst)); SCHED_KILL(iph2->sce); @@ -867,9 +869,7 @@ pfkey_timeover(iph2) if (iph2->side == INITIATOR) pk_sendeacquire(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return; } @@ -883,7 +883,7 @@ pfkey_timeover(iph2) */ int pk_sendgetspi(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct sockaddr_storage *src = NULL, *dst = NULL; u_int satype, mode; @@ -916,7 +916,7 @@ pk_sendgetspi(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); return -1; } @@ -932,12 +932,12 @@ pk_sendgetspi(iph2) } mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_getspi\n"); if (pfkey_send_getspi( lcconf->sock_pfkey, satype, @@ -945,13 +945,14 @@ pk_sendgetspi(iph2) dst, /* src of SA */ src, /* dst of SA */ minspi, maxspi, - pr->reqid_in, iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + pr->reqid_in, 0, 0, iph2->seq, 0) < 0) { + plog(ASL_LEVEL_ERR, "ipseclib failed send getspi (%s)\n", ipsec_strerror()); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + + plog(ASL_LEVEL_DEBUG, "pfkey GETSPI sent: %s\n", sadbsecas2str(dst, src, satype, 0, mode)); } @@ -968,7 +969,7 @@ pk_recvgetspi(mhp) { struct sadb_msg *msg; struct sadb_sa *sa; - struct ph2handle *iph2; + phase2_handle_t *iph2; struct sockaddr_storage *dst; int proto_id; int allspiok, notfound; @@ -978,8 +979,8 @@ pk_recvgetspi(mhp) /* validity check */ if (mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb getspi message passed.\n"); + plog(ASL_LEVEL_ERR, + "Inappropriate sadb getspi message passed.\n"); return -1; } msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer @@ -988,7 +989,7 @@ pk_recvgetspi(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), @@ -996,40 +997,43 @@ pk_recvgetspi(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", + plog(ASL_LEVEL_DEBUG, + "Seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } if (iph2->is_dying) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch phase2 dying (db:%d msg:%d)\n", - iph2->status, PHASE2ST_GETSPISENT); + plog(ASL_LEVEL_ERR, + "Status mismatch Phase 2 dying (db:%d)\n", + iph2->status); return -1; } - - if (iph2->status != PHASE2ST_GETSPISENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_GETSPISENT); - return -1; - } - - // check the underlying iph2->ph1 - if (!iph2->ph1) { - if (!ike_session_update_ph2_ph1bind(iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "can't proceed with getspi for %s. no suitable ISAKMP-SA found \n", - saddrwop2str((struct sockaddr *)iph2->dst)); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + + switch (iph2->version) { + case ISAKMP_VERSION_NUMBER_IKEV1: + if (iph2->status != IKEV1_STATE_QUICK_I_GETSPISENT && + iph2->status != IKEV1_STATE_QUICK_R_GETSPISENT) { + plog(ASL_LEVEL_ERR, "Status mismatch (db:%d)\n", iph2->status); + return -1; + } + // check the underlying iph2->ph1 + if (!iph2->ph1) { + if (!ike_session_update_ph2_ph1bind(iph2)) { + plog(ASL_LEVEL_ERR, + "Can't proceed with getspi for %s. no suitable ISAKMP-SA found \n", + saddrwop2str((struct sockaddr *)iph2->dst)); + ike_session_unlink_phase2(iph2); + return -1; + } + } + break; + default: + plog(ASL_LEVEL_ERR, "Internal error: invalid IKE major version %d\n", iph2->version); return -1; - } } /* set SPI, and check to get all spi whether or not */ @@ -1042,7 +1046,7 @@ pk_recvgetspi(mhp) if (pr->proto_id == proto_id && pr->spi == 0) { pr->spi = sa->sadb_sa_spi; notfound = 0; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey GETSPI succeeded: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, @@ -1054,29 +1058,25 @@ pk_recvgetspi(mhp) } if (notfound) { - plog(LLV_ERROR, LOCATION, NULL, - "get spi for unknown address %s\n", + plog(ASL_LEVEL_ERR, + "Get spi for unknown address %s\n", saddrwop2str((struct sockaddr *)iph2->dst)); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return -1; } if (allspiok) { - /* update status */ - iph2->status = PHASE2ST_GETSPIDONE; - if (isakmp_post_getspi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to start post getspi.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - iph2 = NULL; - return -1; - } - } - + switch (iph2->version) { + case ISAKMP_VERSION_NUMBER_IKEV1: + if (isakmp_post_getspi(iph2) < 0) { + plog(ASL_LEVEL_ERR, "IKEv1 post getspi failed.\n"); + ike_session_unlink_phase2(iph2); + iph2 = NULL; + return -1; + } + break; + } + } return 0; } @@ -1085,7 +1085,7 @@ pk_recvgetspi(mhp) */ int pk_sendupdate(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saproto *pr; struct sockaddr_storage *src = NULL, *dst = NULL; @@ -1095,11 +1095,12 @@ pk_sendupdate(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; + int authtype; /* sanity check */ if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no approvaled SAs found.\n"); + plog(ASL_LEVEL_ERR, + "No approved SAs found.\n"); } if (iph2->side == INITIATOR) @@ -1121,8 +1122,8 @@ pk_sendupdate(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); + plog(ASL_LEVEL_ERR, + "Invalid proto_id %d\n", pr->proto_id); return -1; } else if (satype == SADB_X_SATYPE_IPCOMP) { @@ -1134,18 +1135,21 @@ pk_sendupdate(iph2) #else mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); + plog(ASL_LEVEL_ERR, + "Invalid encmode %d\n", pr->encmode); return -1; } #endif /* set algorithm type and key length */ e_keylen = pr->head->encklen; + authtype = pr->head->authtype; + a_keylen = 0; if (pfkey_convertfromipsecdoi( + iph2, pr->proto_id, pr->head->trns_id, - pr->head->authtype, + authtype, &e_type, &e_keylen, &a_type, &a_keylen, &flags) < 0) return -1; @@ -1157,20 +1161,25 @@ pk_sendupdate(iph2) #endif #ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); + //plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_update: e_type %d, e_klen %d, a_type %d, a_klen %d\n", + e_type, e_keylen, a_type, a_keylen); if (pr->udp_encap) { memset (&natt, 0, sizeof (natt)); natt.sport = extract_port (iph2->ph1->remote); flags |= SADB_X_EXT_NATT; - if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { + if (iph2->ph1->rmconf->natt_multiple_user == TRUE && + mode == IPSEC_MODE_TRANSPORT && + src->ss_family == AF_INET) { + flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; + if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { + // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE + flags |= SADB_X_EXT_NATT_DETECTED_PEER; + } + } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { if (iph2->ph1->rmconf->natt_keepalive == TRUE) flags |= SADB_X_EXT_NATT_KEEPALIVE; } else { - if (iph2->ph1->rmconf->natt_multiple_user == TRUE && - mode == IPSEC_MODE_TRANSPORT && - src->ss_family == AF_INET) { - flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; - } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE flags |= SADB_X_EXT_NATT_DETECTED_PEER; @@ -1192,14 +1201,14 @@ pk_sendupdate(iph2) pr->keymat->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, natt.sport) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, natt.sport, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send update (%s)\n", ipsec_strerror()); return -1; } #else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_update\n"); if (pfkey_send_update( lcconf->sock_pfkey, satype, @@ -1212,39 +1221,15 @@ pk_sendupdate(iph2) pr->keymat->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, 0, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send update (%s)\n", ipsec_strerror()); return -1; } #endif /* ENABLE_NATT */ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, (struct sockaddr *)dst, (struct sockaddr *)src, - pr->spi, pr->reqid_in, 4, - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); } return 0; @@ -1257,7 +1242,7 @@ pk_recvupdate(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int proto_id, encmode, sa_mode; int incomplete = 0; struct saproto *pr; @@ -1271,7 +1256,7 @@ pk_recvupdate(mhp) || mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb update message passed.\n"); return -1; } @@ -1286,7 +1271,7 @@ pk_recvupdate(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), @@ -1294,26 +1279,26 @@ pk_recvupdate(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", + plog(ASL_LEVEL_DEBUG, + "Seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } if (iph2->is_dying) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch phase2 dying (db:%d msg:%d)\n", - iph2->status, PHASE2ST_ADDSA); + plog(ASL_LEVEL_ERR, + "Status mismatch Phase 2 dying (db:%d)\n", + iph2->status); return -1; } - - if (iph2->status != PHASE2ST_ADDSA) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_ADDSA); + if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA && + iph2->status != IKEV1_STATE_QUICK_R_ADDSA) { + plog(ASL_LEVEL_ERR, + "Status mismatch (db:%d)\n", + iph2->status); return -1; } @@ -1321,13 +1306,13 @@ pk_recvupdate(mhp) for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } encmode = pfkey2ipsecdoi_mode(sa_mode); if (encmode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", sa_mode); return -1; } @@ -1335,14 +1320,14 @@ pk_recvupdate(mhp) if (pr->proto_id == proto_id && pr->spi == sa->sadb_sa_spi) { pr->ok = 1; - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "pfkey UPDATE succeeded: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA established: %s\n", sadbsecas2str(iph2->dst, iph2->src, msg->sadb_msg_satype, sa->sadb_sa_spi, @@ -1360,7 +1345,7 @@ pk_recvupdate(mhp) SCHED_KILL(iph2->sce); /* update status */ - iph2->status = PHASE2ST_ESTABLISHED; + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED); if (iph2->side == INITIATOR) { IPSECSESSIONTRACEREVENT(iph2->parent_session, @@ -1376,13 +1361,13 @@ pk_recvupdate(mhp) ike_session_ph2_established(iph2); - IPSECLOGASLMSG("IPSec Phase2 established (Initiated by %s).\n", + IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n", (iph2->side == INITIATOR)? "me" : "peer"); #ifdef ENABLE_STATS gettimeofday(&iph2->end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", "quick", timedelta(&iph2->start, &iph2->end)); + plog(ASL_LEVEL_NOTICE, "%s(%s): %8.6f", + "Phase 2", "quick", timedelta(&iph2->start, &iph2->end)); #endif /* count up */ @@ -1397,12 +1382,12 @@ pk_recvupdate(mhp) * since we are going to reuse the phase2 handler, we need to * remain it and refresh all the references between ph1 and ph2 to use. */ - unbindph12(iph2); + ike_session_unbindph12(iph2); //%%%%% fix this iph2->sce = sched_new(iph2->approval->lifetime, isakmp_ph2expire_stub, iph2); - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); return 0; } @@ -1411,7 +1396,7 @@ pk_recvupdate(mhp) */ int pk_sendadd(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct saproto *pr; struct sockaddr_storage *src = NULL, *dst = NULL; @@ -1421,10 +1406,11 @@ pk_sendadd(iph2) u_int wsize = 4; /* XXX static size of window */ int proxy = 0; struct ph2natt natt; + int authtype; /* sanity check */ if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no approvaled SAs found.\n"); } @@ -1447,7 +1433,7 @@ pk_sendadd(iph2) /* validity check */ satype = ipsecdoi2pfkey_proto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); return -1; } @@ -1460,7 +1446,7 @@ pk_sendadd(iph2) #else mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); return -1; } @@ -1468,10 +1454,13 @@ pk_sendadd(iph2) /* set algorithm type and key length */ e_keylen = pr->head->encklen; + authtype = pr->head->authtype; + a_keylen = 0; if (pfkey_convertfromipsecdoi( + iph2, pr->proto_id, pr->head->trns_id, - pr->head->authtype, + authtype, &e_type, &e_keylen, &a_type, &a_keylen, &flags) < 0) return -1; @@ -1483,21 +1472,26 @@ pk_sendadd(iph2) #endif #ifdef ENABLE_NATT - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); + //plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_add: e_type %d, e_klen %d, a_type %d, a_klen %d\n", + e_type, e_keylen, a_type, a_keylen); if (pr->udp_encap) { memset (&natt, 0, sizeof (natt)); natt.dport = extract_port (iph2->ph1->remote); flags |= SADB_X_EXT_NATT; - if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { + if (iph2->ph1->rmconf->natt_multiple_user == TRUE && + mode == IPSEC_MODE_TRANSPORT && + src->ss_family == AF_INET) { + flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; + if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { + // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE + flags |= SADB_X_EXT_NATT_DETECTED_PEER; + } + } else if (iph2->ph1->natt_flags & NAT_DETECTED_ME) { if (iph2->ph1->rmconf->natt_keepalive == TRUE) flags |= SADB_X_EXT_NATT_KEEPALIVE; } else { - if (iph2->ph1->rmconf->natt_multiple_user == TRUE && - mode == IPSEC_MODE_TRANSPORT && - dst->ss_family == AF_INET) { - flags |= SADB_X_EXT_NATT_MULTIPLEUSERS; - } if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { // is mutually exclusive with SADB_X_EXT_NATT_KEEPALIVE flags |= SADB_X_EXT_NATT_DETECTED_PEER; @@ -1523,14 +1517,14 @@ pk_sendadd(iph2) pr->keymat_p->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq,natt.dport) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq,natt.dport, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send add (%s)\n", ipsec_strerror()); return -1; } #else - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_add\n"); /* Remove port information, it is not used without NAT-T */ //set_port(src, 0); @@ -1548,38 +1542,13 @@ pk_sendadd(iph2) pr->keymat_p->v, e_type, e_keylen, a_type, a_keylen, flags, 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + iph2->seq, 0, 0) < 0) { + plog(ASL_LEVEL_ERR, "libipsec failed send add (%s)\n", ipsec_strerror()); return -1; } #endif /* ENABLE_NATT */ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, (struct sockaddr *)src, (struct sockaddr *)dst, - pr->spi_p, pr->reqid_out, 4, - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); } return 0; @@ -1592,7 +1561,7 @@ pk_recvadd(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int sa_mode; /* ignore this message because of local test mode. */ @@ -1604,7 +1573,7 @@ pk_recvadd(mhp) || mhp[SADB_EXT_SA] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb add message passed.\n"); return -1; } @@ -1619,7 +1588,7 @@ pk_recvadd(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), @@ -1627,21 +1596,20 @@ pk_recvadd(mhp) return -1; } - iph2 = getph2byseq(msg->sadb_msg_seq); + iph2 = ike_session_getph2byseq(msg->sadb_msg_seq); if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "seq %d of %s message not interesting.\n", msg->sadb_msg_seq, s_pfkey_type(msg->sadb_msg_type)); return -1; } - /* * NOTE don't update any status of phase2 handle * because they must be updated by SADB_UPDATE message */ - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA established: %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -1660,7 +1628,7 @@ pk_recvadd(mhp) } #endif - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); + plog(ASL_LEVEL_DEBUG, "===\n"); return 0; } @@ -1671,7 +1639,7 @@ pk_recvexpire(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2; + phase2_handle_t *iph2; u_int proto_id, sa_mode; /* sanity check */ @@ -1681,7 +1649,7 @@ pk_recvexpire(mhp) || mhp[SADB_EXT_ADDRESS_DST] == NULL || (mhp[SADB_EXT_LIFETIME_HARD] != NULL && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb expire message passed.\n"); return -1; } @@ -1696,31 +1664,31 @@ pk_recvexpire(mhp) proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } - plog(LLV_INFO, LOCATION, NULL, + plog(ASL_LEVEL_INFO, "IPsec-SA expired: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); if (iph2 == NULL) { /* * Ignore it because two expire messages are come up. * phase2 handler has been deleted already when 2nd message * is received. */ - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "no such a SA found: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); return 0; } - if (iph2->is_dying || iph2->status != PHASE2ST_ESTABLISHED) { + if (iph2->is_dying || !FSM_STATE_IS_ESTABLISHED(iph2->status)) { /* * If the status is not equal to PHASE2ST_ESTABLISHED, * racoon ignores this expire message. There are two reason. @@ -1729,36 +1697,31 @@ pk_recvexpire(mhp) * without receiving a expire message. Another is that racoon * may receive the multiple expire messages from the kernel. */ - plog(LLV_WARNING, LOCATION, NULL, - "the expire message is received " - "but the handler is dying or has not been established.\n"); + plog(ASL_LEVEL_WARNING, + "The expire message is received but the handler %s (status = 0x%x).\n", + iph2->is_dying ? "is dying" : "has not been established", iph2->status); return 0; } /* turn off the timer for calling isakmp_ph2expire() */ SCHED_KILL(iph2->sce); - - iph2->status = PHASE2ST_EXPIRED; - + + fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED); + /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */ /* allocate buffer for status management of pfkey message */ if (iph2->side == INITIATOR && !ike_session_has_other_established_ph2(iph2->parent_session, iph2) && !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) { - initph2(iph2); - - /* update status for re-use */ - iph2->status = PHASE2ST_STATUS2; + ike_session_initph2(iph2); /* start isakmp initiation by using ident exchange */ if (isakmp_post_acquire(iph2) < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, + plog(ASL_LEVEL_ERR, "failed to begin ipsec sa " "re-negotiation.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return -1; } @@ -1766,12 +1729,11 @@ pk_recvexpire(mhp) /*NOTREACHED*/ } + /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't * manage IPsec SA, so delete the list */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2); return 0; } @@ -1783,10 +1745,10 @@ pk_recvacquire(mhp) struct sadb_msg *msg; struct sadb_x_policy *xpl; struct secpolicy *sp_out = NULL, *sp_in = NULL; -#define MAXNESTEDSA 5 /* XXX */ - struct ph2handle *iph2[MAXNESTEDSA]; + phase2_handle_t *iph2; struct sockaddr_storage *src, *dst; - int n; /* # of phase 2 handler */ + ike_session_t *session = NULL; + struct remoteconf *rmconf; /* ignore this message because of local test mode. */ if (f_local) @@ -1797,7 +1759,7 @@ pk_recvacquire(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb acquire message passed.\n"); return -1; } @@ -1808,7 +1770,7 @@ pk_recvacquire(mhp) /* ignore if type is not IPSEC_POLICY_IPSEC */ if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore ACQUIRE message. type is not IPsec.\n"); return 0; } @@ -1824,7 +1786,7 @@ pk_recvacquire(mhp) && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr)) #endif ) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore due to multicast address: %s.\n", saddrwop2str((struct sockaddr *)sa)); return 0; @@ -1845,7 +1807,12 @@ pk_recvacquire(mhp) struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); struct myaddrs *p; int do_listen = 0; + char * str; for (p = lcconf->myaddrs; p; p = p->next) { + str = saddr2str((struct sockaddr *)p->addr); + plog(ASL_LEVEL_DEBUG, + "checking listen addrs: %s", str); + if (!cmpsaddrwop(p->addr, sa)) { do_listen = 1; break; @@ -1853,7 +1820,7 @@ pk_recvacquire(mhp) } if (!do_listen) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "ignore because do not listen on source address : %s.\n", saddrwop2str((struct sockaddr *)sa)); return 0; @@ -1870,138 +1837,148 @@ pk_recvacquire(mhp) * has to process such a acquire message because racoon may * have lost the expire message. */ - iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id); - if (iph2[0] != NULL) { - if (iph2[0]->status < PHASE2ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, NULL, + iph2 = ike_session_getph2byid(src, dst, xpl->sadb_x_policy_id); + if (iph2 != NULL) { + session = iph2->parent_session; + if (!FSM_STATE_IS_ESTABLISHED(iph2->status)) { + plog(ASL_LEVEL_DEBUG, "ignore the acquire because ph2 found\n"); return -1; } - if (iph2[0]->status == PHASE2ST_EXPIRED) - iph2[0] = NULL; + if (FSM_STATE_IS_EXPIRED(iph2->status)) + iph2 = NULL; /*FALLTHROUGH*/ } /* search for proper policyindex */ sp_out = getspbyspid(xpl->sadb_x_policy_id); if (sp_out == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n", + plog(ASL_LEVEL_ERR, "no policy found: id:%d.\n", xpl->sadb_x_policy_id); return -1; } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx)); /* get inbound policy */ { - struct policyindex spidx; - - spidx.dir = IPSEC_DIR_INBOUND; - memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); - memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); - spidx.prefs = sp_out->spidx.prefd; - spidx.prefd = sp_out->spidx.prefs; - spidx.ul_proto = sp_out->spidx.ul_proto; - - sp_in = getsp(&spidx); - if (sp_in) { - plog(LLV_DEBUG, LOCATION, NULL, - "suitable inbound SP found: %s.\n", - spidx2str(&sp_in->spidx)); - } else { - plog(LLV_NOTIFY, LOCATION, NULL, - "no in-bound policy found: %s\n", - spidx2str(&spidx)); - } + struct policyindex spidx; + + spidx.dir = IPSEC_DIR_INBOUND; + memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); + memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); + spidx.prefs = sp_out->spidx.prefd; + spidx.prefd = sp_out->spidx.prefs; + spidx.ul_proto = sp_out->spidx.ul_proto; + + sp_in = getsp(&spidx); + if (sp_in) { + plog(ASL_LEVEL_DEBUG, + "Suitable inbound SP found: %s.\n", + spidx2str(&sp_in->spidx)); + } else { + plog(ASL_LEVEL_NOTICE, + "No in-bound policy found: %s\n", + spidx2str(&spidx)); + } } - - memset(iph2, 0, MAXNESTEDSA); - - n = 0; - + /* allocate a phase 2 */ - iph2[n] = newph2(); - if (iph2[n] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate phase2 entry.\n"); + rmconf = getrmconf(dst); + if (rmconf == NULL) { + plog(ASL_LEVEL_ERR, "No configuration found for %s.\n", + saddrwop2str((struct sockaddr *)dst)); return -1; } - iph2[n]->side = INITIATOR; - iph2[n]->spid = xpl->sadb_x_policy_id; - iph2[n]->satype = msg->sadb_msg_satype; - iph2[n]->seq = msg->sadb_msg_seq; - iph2[n]->status = PHASE2ST_STATUS2; + iph2 = ike_session_newph2(rmconf->ike_version, PHASE2_TYPE_SA); + if (iph2 == NULL) { + plog(ASL_LEVEL_ERR, + "Failed to allocate Phase 2 entry.\n"); + return -1; + } + plog(ASL_LEVEL_DEBUG, "Got new Phase 2 version %d\n", iph2->version); + iph2->version = rmconf->ike_version; + iph2->side = INITIATOR; + iph2->spid = xpl->sadb_x_policy_id; + + iph2->satype = msg->sadb_msg_satype; + iph2->seq = msg->sadb_msg_seq; /* set end addresses of SA */ // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer - iph2[n]->dst = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); - if (iph2[n]->dst == NULL) { - delph2(iph2[n]); + iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); + if (iph2->src == NULL) { + ike_session_delph2(iph2); return -1; } - iph2[n]->src = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); - if (iph2[n]->src == NULL) { - delph2(iph2[n]); + iph2->dst = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); + if (iph2->dst == NULL) { + ike_session_delph2(iph2); return -1; + } + + if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) { + fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START); } - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "new acquire %s\n", spidx2str(&sp_out->spidx)); /* get sainfo */ { - vchar_t *idsrc, *iddst; - - idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src, - sp_out->spidx.prefs, sp_out->spidx.ul_proto); - if (idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - delph2(iph2[n]); - return -1; - } - iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst, - sp_out->spidx.prefd, sp_out->spidx.ul_proto); - if (iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - vfree(idsrc); - delph2(iph2[n]); - return -1; - } - iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, 0); - vfree(idsrc); - vfree(iddst); - if (iph2[n]->sainfo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get sainfo.\n"); - delph2(iph2[n]); - return -1; - /* XXX should use the algorithm list from register message */ - } - if (link_sainfo_to_ph2(iph2[n]->sainfo) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to link sainfo\n"); - iph2[n]->sainfo = NULL; - delph2(iph2[n]); - return -1; - } + vchar_t *idsrc, *iddst; + + idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src, + sp_out->spidx.prefs, sp_out->spidx.ul_proto); + if (idsrc == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get ID for %s\n", + spidx2str(&sp_out->spidx)); + ike_session_delph2(iph2); + return -1; + } + iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst, + sp_out->spidx.prefd, sp_out->spidx.ul_proto); + if (iddst == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get ID for %s\n", + spidx2str(&sp_out->spidx)); + vfree(idsrc); + ike_session_delph2(iph2); + return -1; + } + iph2->sainfo = getsainfo(idsrc, iddst, NULL, 0); + vfree(idsrc); + vfree(iddst); + if (iph2->sainfo == NULL) { + plog(ASL_LEVEL_ERR, + "failed to get sainfo.\n"); + ike_session_delph2(iph2); + return -1; + /* XXX should use the algorithm list from register message */ + } } + retain_sainfo(iph2->sainfo); - if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to create saprop.\n"); - delph2(iph2[n]); + if (set_proposal_from_policy(iph2, sp_out, sp_in) < 0) { + plog(ASL_LEVEL_ERR, + "failed to create saprop.\n"); + ike_session_delph2(iph2); return -1; } - insph2(iph2[n]); + + if (session == NULL) + session = ike_session_get_session(iph2->src, iph2->dst, 1, NULL); + if (session == NULL) + fatal_error(-1); + + if (ike_session_link_phase2(session, iph2)) + fatal_error(-1); //????? fix ??? /* start isakmp initiation by using ident exchange */ /* XXX should be looped if there are multiple phase 2 handler. */ - if (isakmp_post_acquire(iph2[n]) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + if (isakmp_post_acquire(iph2) < 0) { + plog(ASL_LEVEL_ERR, "failed to begin ipsec sa negotiation.\n"); goto err; } @@ -2009,7 +1986,7 @@ pk_recvacquire(mhp) #if !TARGET_OS_EMBEDDED if ( lcconf->vt == NULL){ if (!(lcconf->vt = vproc_transaction_begin(NULL))) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "vproc_transaction_begin returns NULL.\n"); } #endif @@ -2018,13 +1995,7 @@ pk_recvacquire(mhp) return 0; err: - while (n >= 0) { - unbindph12(iph2[n]); - remph2(iph2[n]); - delph2(iph2[n]); - iph2[n] = NULL; - n--; - } + ike_session_unlink_phase2(iph2); return -1; } @@ -2035,7 +2006,7 @@ pk_recvdelete(mhp) struct sadb_msg *msg; struct sadb_sa *sa; struct sockaddr_storage *src, *dst; - struct ph2handle *iph2 = NULL; + phase2_handle_t *iph2 = NULL; u_int proto_id; /* ignore this message because of local test mode. */ @@ -2046,7 +2017,7 @@ pk_recvdelete(mhp) if (mhp[0] == NULL || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb delete message passed.\n"); return -1; } @@ -2057,7 +2028,7 @@ pk_recvdelete(mhp) /* the message has to be processed or not ? */ if (msg->sadb_msg_pid == getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because the message was originated by me.\n", s_pfkey_type(msg->sadb_msg_type)); @@ -2066,44 +2037,44 @@ pk_recvdelete(mhp) proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", msg->sadb_msg_satype); return -1; } - plog(LLV_DEBUG2, LOCATION, NULL, "SADB delete message: proto-id %d\n", proto_id); - plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src)); - plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst)); + plog(ASL_LEVEL_DEBUG, "SADB delete message: proto-id %d\n", proto_id); + plog(ASL_LEVEL_DEBUG, "src: %s\n", saddr2str((struct sockaddr *)src)); + plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)dst)); if (!sa) { - deleteallph2(src, dst, proto_id); - deleteallph1(src, dst); + ike_session_deleteallph2(src, dst, proto_id); + ike_session_deleteallph1(src, dst); return 0; } - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); + iph2 = ike_session_getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); if (iph2 == NULL) { /* ignore */ - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no iph2 found: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); return 0; } - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "pfkey DELETE received: %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); /* send delete information */ - if (iph2->status == PHASE2ST_ESTABLISHED) + + /* TODO: Look into handling this properly. Currently, if we get here, we can end up sending delete messages to the server for their own SAs, which is rejected. */ + /*if (FSM_STATE_IS_ESTABLISHED(iph2->status)) isakmp_info_send_d2(iph2); ike_session_cleanup_ph1s_by_ph2(iph2); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); + ike_session_unlink_phase2(iph2);*/ return 0; } @@ -2112,19 +2083,15 @@ static int pk_recvflush(mhp) caddr_t *mhp; { - /* ignore this message because of local test mode. */ - if (f_local) - return 0; - /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb flush message passed.\n"); return -1; } - flushph2(false); - flushph1(false); + ike_session_flush_all_phase2(false); + ike_session_flush_all_phase1(false); return 0; } @@ -2133,7 +2100,7 @@ static int getsadbpolicy(policy0, policylen0, type, iph2) caddr_t *policy0; int *policylen0, type; - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; struct sadb_x_policy *xpl; @@ -2161,7 +2128,7 @@ getsadbpolicy(policy0, policylen0, type, iph2) /* make policy structure */ policy = racoon_malloc(policylen); if (!policy) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "buffer allocation failed.\n"); return -1; } @@ -2186,13 +2153,13 @@ getsadbpolicy(policy0, policylen0, type, iph2) satype = doi2ipproto(pr->proto_id); if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto_id %d\n", pr->proto_id); goto err; } mode = ipsecdoi2pfkey_mode(pr->encmode); if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid encmode %d\n", pr->encmode); goto err; } @@ -2241,7 +2208,7 @@ err: int pk_sendspdupdate2(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; @@ -2252,7 +2219,7 @@ pk_sendspdupdate2(iph2) vtime = 0; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } @@ -2266,12 +2233,12 @@ pk_sendspdupdate2(iph2) spidx->ul_proto, ltime, vtime, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spdupdate2 (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdupdate2\n"); end: if (policy) @@ -2294,7 +2261,7 @@ pk_recvspdupdate(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdupdate message passed.\n"); return -1; } @@ -2323,7 +2290,7 @@ pk_recvspdupdate(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy does not already exist: \"%s\"\n", spidx2str(&spidx)); } else { @@ -2342,7 +2309,7 @@ pk_recvspdupdate(mhp) */ int pk_sendspdadd2(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; @@ -2353,7 +2320,7 @@ pk_sendspdadd2(iph2) vtime = 0; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } @@ -2367,12 +2334,12 @@ pk_sendspdadd2(iph2) spidx->ul_proto, ltime, vtime, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spdadd2 (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spdadd2\n"); end: if (policy) @@ -2395,7 +2362,7 @@ pk_recvspdadd(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdadd message passed.\n"); return -1; } @@ -2424,7 +2391,7 @@ pk_recvspdadd(mhp) sp = getsp(&spidx); if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy already exists. " "anyway replace it: %s\n", spidx2str(&spidx)); @@ -2443,14 +2410,14 @@ pk_recvspdadd(mhp) */ int pk_sendspddelete(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct policyindex *spidx = iph2->spidx_gen; caddr_t policy = NULL; int policylen; if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "getting sadb policy failed.\n"); return -1; } @@ -2463,12 +2430,12 @@ pk_sendspddelete(iph2) spidx->prefd, spidx->ul_proto, policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "libipsec failed send spddelete (%s)\n", ipsec_strerror()); goto end; } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n"); + plog(ASL_LEVEL_DEBUG, "call pfkey_send_spddelete\n"); end: if (policy) @@ -2491,7 +2458,7 @@ pk_recvspddelete(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddelete message passed.\n"); return -1; } @@ -2520,13 +2487,13 @@ pk_recvspddelete(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found: %s\n", spidx2str(&spidx)); return -1; } - purgephXbyspid(xpl->sadb_x_policy_id, true); + ike_session_purgephXbyspid(xpl->sadb_x_policy_id, true); remsp(sp); delsp(sp); @@ -2548,7 +2515,7 @@ pk_recvspdexpire(mhp) || mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdexpire message passed.\n"); return -1; } @@ -2577,13 +2544,13 @@ pk_recvspdexpire(mhp) sp = getsp(&spidx); if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "no policy found: %s\n", spidx2str(&spidx)); return -1; } - purgephXbyspid(xpl->sadb_x_policy_id, false); + ike_session_purgephXbyspid(xpl->sadb_x_policy_id, false); remsp(sp); delsp(sp); @@ -2597,7 +2564,7 @@ pk_recvspdget(mhp) { /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdget message passed.\n"); return -1; } @@ -2617,7 +2584,7 @@ pk_recvspddump(mhp) /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddump message passed.\n"); return -1; } @@ -2628,7 +2595,7 @@ pk_recvspddump(mhp) xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; if (saddr == NULL || daddr == NULL || xpl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spddump message passed.\n"); return -1; } @@ -2654,7 +2621,7 @@ pk_recvspddump(mhp) sp = getsp(&spidx); if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "such policy already exists. " "anyway replace it: %s\n", spidx2str(&spidx)); @@ -2674,13 +2641,13 @@ pk_recvspdflush(mhp) { /* sanity check */ if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spdflush message passed.\n"); return -1; } - flushph2(false); - flushph1(false); + ike_session_flush_all_phase2(false); + ike_session_flush_all_phase1(false); flushsp(); return 0; @@ -2691,7 +2658,7 @@ pk_recvspdflush(mhp) */ int pk_sendeacquire(iph2) - struct ph2handle *iph2; + phase2_handle_t *iph2; { struct sadb_msg *newmsg; int len; @@ -2699,7 +2666,7 @@ pk_sendeacquire(iph2) len = sizeof(struct sadb_msg); newmsg = racoon_calloc(1, len); if (newmsg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get buffer to send acquire.\n"); return -1; } @@ -2729,7 +2696,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) u_int32_t seq; if (!session) { - plog(LLV_DEBUG, LOCATION, NULL, "invalid args in %s \n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__); return -1; } @@ -2745,7 +2712,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) max_stats))) { u_int64_t session_ids[] = {(u_int64_t)session, 0}; - plog(LLV_DEBUG, LOCATION, NULL, "about to call %s\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__); if (pfkey_send_getsastats(lcconf->sock_pfkey, seq, @@ -2756,7 +2723,7 @@ pk_sendget_inbound_sastats(ike_session_t *session) session->traffic_monitor.num_in_curr_req) < 0) { return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "%s successful\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__); return session->traffic_monitor.num_in_curr_req; } @@ -2770,7 +2737,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) u_int32_t seq; if (!session) { - plog(LLV_DEBUG, LOCATION, NULL, "invalid args in %s \n", __FUNCTION__); + plog(ASL_LEVEL_DEBUG, "invalid args in %s \n", __FUNCTION__); return -1; } @@ -2786,7 +2753,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) max_stats))) { u_int64_t session_ids[] = {(u_int64_t)session, 0}; - plog(LLV_DEBUG, LOCATION, NULL, "about to call %s\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "about to call %s\n", __FUNCTION__); if (pfkey_send_getsastats(lcconf->sock_pfkey, seq, @@ -2797,7 +2764,7 @@ pk_sendget_outbound_sastats(ike_session_t *session) session->traffic_monitor.num_out_curr_req) < 0) { return -1; } - plog(LLV_DEBUG, LOCATION, NULL, "%s successful\n", __FUNCTION__); + //plog(ASL_LEVEL_DEBUG, "%s successful\n", __FUNCTION__); return session->traffic_monitor.num_out_curr_req; } @@ -2820,7 +2787,7 @@ caddr_t *mhp; if (mhp[0] == NULL || mhp[SADB_EXT_SESSION_ID] == NULL || mhp[SADB_EXT_SASTAT] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb getsastat response.\n"); return -1; } @@ -2830,7 +2797,7 @@ caddr_t *mhp; /* the message has to be processed or not ? */ if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is not interesting " "because pid %d is not mine.\n", s_pfkey_type(msg->sadb_msg_type), @@ -2838,7 +2805,7 @@ caddr_t *mhp; return -1; } if (!session_id->sadb_session_id_v[0]) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is bad " "because session-id[0] is invalid.\n", s_pfkey_type(msg->sadb_msg_type)); @@ -2847,7 +2814,7 @@ caddr_t *mhp; session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0]; if (!stat_resp->sadb_sastat_list_len) { - plog(LLV_DEBUG, LOCATION, NULL, + plog(ASL_LEVEL_DEBUG, "%s message is bad " "because it has no sastats.\n", s_pfkey_type(msg->sadb_msg_type)); @@ -2882,12 +2849,9 @@ pk_checkalg(class, calg, keylen) sup = SADB_EXT_SUPPORTED_AUTH; break; case IPSECDOI_PROTO_IPCOMP: - //plog(LLV_DEBUG, LOCATION, NULL, - // "compression algorithm can not be checked " - // "because sadb message doesn't support it.\n"); return 0; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid algorithm class.\n"); return -1; } @@ -2897,7 +2861,7 @@ pk_checkalg(class, calg, keylen) if (keylen == 0) { if (ipsec_get_keylen(sup, alg, &alg0)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s.\n", ipsec_strerror()); return -1; } @@ -2906,7 +2870,7 @@ pk_checkalg(class, calg, keylen) error = ipsec_check_keylen(sup, alg, keylen); if (error) - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "%s.\n", ipsec_strerror()); return error; @@ -2940,8 +2904,7 @@ pk_recv(so, lenp) while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) { if (errno == EINTR) continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv pfkey message: %s\n", strerror(errno)); + plog(ASL_LEVEL_ERR, "failed to recv pfkey message: %s\n", strerror(errno)); break; } if (*lenp < 0) { @@ -2974,7 +2937,7 @@ addnewsp(mhp) if (mhp[SADB_EXT_ADDRESS_SRC] == NULL || mhp[SADB_EXT_ADDRESS_DST] == NULL || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "inappropriate sadb spd management message passed.\n"); return -1; } @@ -2985,7 +2948,7 @@ addnewsp(mhp) new = newsp(); if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to allocate buffer\n"); return -1; } @@ -3012,7 +2975,7 @@ addnewsp(mhp) /* validity check */ if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid msg length.\n"); return -1; } @@ -3024,7 +2987,7 @@ addnewsp(mhp) /* length check */ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid msg length.\n"); return -1; } @@ -3032,7 +2995,7 @@ addnewsp(mhp) /* allocate request buffer */ *p_isr = newipsecreq(); if (*p_isr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "failed to get new ipsecreq.\n"); return -1; } @@ -3046,7 +3009,7 @@ addnewsp(mhp) case IPPROTO_IPCOMP: break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid proto type: %u\n", xisr->sadb_x_ipsecrequest_proto); return -1; @@ -3059,7 +3022,7 @@ addnewsp(mhp) break; case IPSEC_MODE_ANY: default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid mode: %u\n", xisr->sadb_x_ipsecrequest_mode); return -1; @@ -3077,7 +3040,7 @@ addnewsp(mhp) break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid level: %u\n", xisr->sadb_x_ipsecrequest_level); return -1; @@ -3106,7 +3069,7 @@ addnewsp(mhp) /* validity check */ if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "becoming tlen < 0\n"); } @@ -3116,7 +3079,7 @@ addnewsp(mhp) } break; default: - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "invalid policy type.\n"); return -1; }