X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/d9c572c0d1634988834f2a68361f92bc7242cce4..HEAD:/ipsec-tools/racoon/pfkey_racoon.c diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index 665f69e..57c2fa9 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -97,8 +97,6 @@ #include "vpn_control.h" #include "vpn_control_var.h" #include "ike_session.h" -#include "ipsecSessionTracer.h" -#include "ipsecMessageTracer.h" #include "power_mgmt.h" #include "session.h" @@ -157,15 +155,14 @@ NULL, /* SADB_X_SPDSETIDX */ pk_recvspdexpire, NULL, /* SADB_X_SPDDELETE2 */ pk_recvgetsastat, /* SADB_GETSASTAT */ -NULL, /* SADB_X_NAT_T_NEW_MAPPING */ -NULL, /* SADB_X_MIGRATE */ -#if (SADB_MAX > 25) -#error "SADB extra message?" +NULL, /* SADB_X_SPDENABLE */ +NULL, /* SADB_X_SPDDISNABLE */ +NULL, /* SADB_MIGRATE */ +#if (SADB_MAX > 26) +#warning "SADB extra message?" #endif }; -static int addnewsp (caddr_t *); - /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 #define SADB_X_AALG_MD5 SADB_AALG_MD5 @@ -222,7 +219,7 @@ pfkey_process(msg) /* when SPD is empty, treat the state as no error. */ if (msg->sadb_msg_type == SADB_X_SPDDUMP && msg->sadb_msg_errno == ENOENT) - pri = ASL_LEVEL_DEBUG; + pri = ASL_LEVEL_NOTICE; else pri = ASL_LEVEL_ERR; @@ -242,7 +239,7 @@ pfkey_process(msg) } if (pkrecvf[msg->sadb_msg_type] == NULL) { - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, "unsupported PF_KEY message %s\n", s_pfkey_type(msg->sadb_msg_type)); goto end; @@ -272,7 +269,7 @@ pfkey_handler(void *unused) ssize_t len; if (slept_at || woke_at) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_DEBUG, "ignoring pfkey port until power-mgmt event is handled.\n"); return; } @@ -289,7 +286,7 @@ pfkey_handler(void *unused) return; } else { /* short message - msg not ready */ - plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n"); + plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n"); return; } } @@ -303,7 +300,7 @@ pfkey_post_handler() struct saved_msg_elem *elem_tmp = NULL; if (slept_at || woke_at) { - plog(ASL_LEVEL_DEBUG, + plog(ASL_LEVEL_NOTICE, "ignoring (saved) pfkey messages until power-mgmt event is handled.\n"); return; } @@ -1326,11 +1323,14 @@ pk_recvupdate(mhp) sa->sadb_sa_spi, sa_mode)); - plog(ASL_LEVEL_INFO, - "IPsec-SA established: %s\n", - sadbsecas2str(iph2->dst, iph2->src, - msg->sadb_msg_satype, sa->sadb_sa_spi, - sa_mode)); + plog(ASL_LEVEL_NOTICE, + "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, + "IPsec-SA established (update): %s\n", + sadbsecas2str(iph2->dst, iph2->src, + msg->sadb_msg_satype, sa->sadb_sa_spi, + sa_mode)); } if (pr->ok == 0) @@ -1346,18 +1346,6 @@ pk_recvupdate(mhp) /* update status */ fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED); - if (iph2->side == INITIATOR) { - IPSECSESSIONTRACEREVENT(iph2->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC, - CONSTSTR("Initiator, Quick-Mode"), - CONSTSTR(NULL)); - } else { - IPSECSESSIONTRACEREVENT(iph2->parent_session, - IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC, - CONSTSTR("Responder, Quick-Mode"), - CONSTSTR(NULL)); - } - ike_session_ph2_established(iph2); IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n", @@ -1608,8 +1596,11 @@ pk_recvadd(mhp) * because they must be updated by SADB_UPDATE message */ - plog(ASL_LEVEL_INFO, - "IPsec-SA established: %s\n", + plog(ASL_LEVEL_NOTICE, + "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, + "IPsec-SA established (add): %s\n", sadbsecas2str(iph2->src, iph2->dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -1617,12 +1608,6 @@ pk_recvadd(mhp) #ifdef ENABLE_VPNCONTROL_PORT { - u_int32_t address; - - if (iph2->dst->ss_family == AF_INET) - address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr; - else - address = 0; vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2); } #endif @@ -1668,7 +1653,10 @@ pk_recvexpire(mhp) return -1; } - plog(ASL_LEVEL_INFO, + plog(ASL_LEVEL_NOTICE, + "IPsec-SA expired: satype=%u spi=%#x mode=%u\n", + msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode); + plog(ASL_LEVEL_DEBUG, "IPsec-SA expired: %s\n", sadbsecas2str(src, dst, msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); @@ -1903,6 +1891,7 @@ pk_recvacquire(mhp) iph2->satype = msg->sadb_msg_satype; iph2->seq = msg->sadb_msg_seq; + vpncontrol_set_nat64_prefix(&iph2->nat64_prefix); /* set end addresses of SA */ // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); @@ -1982,13 +1971,13 @@ pk_recvacquire(mhp) goto err; } -#if !TARGET_OS_EMBEDDED +#if !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) if ( lcconf->vt == NULL){ if (!(lcconf->vt = vproc_transaction_begin(NULL))) plog(ASL_LEVEL_ERR, "vproc_transaction_begin returns NULL.\n"); } -#endif +#endif // !(TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) return 0; @@ -2924,13 +2913,14 @@ pk_getseq() return eay_random(); } -static int +int addnewsp(mhp) caddr_t *mhp; { struct secpolicy *new; struct sadb_address *saddr, *daddr; struct sadb_x_policy *xpl; + struct sadb_ext *ext; /* sanity check */ if (mhp[SADB_EXT_ADDRESS_SRC] == NULL @@ -2943,7 +2933,14 @@ addnewsp(mhp) saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; + xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; + /* validity check */ + if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { + plog(ASL_LEVEL_ERR, + "invalid msg length.\n"); + return -1; + } new = newsp(); if (new == NULL) { @@ -2972,17 +2969,16 @@ addnewsp(mhp) struct sadb_x_ipsecrequest *xisr; struct ipsecrequest **p_isr = &new->req; - /* validity check */ - if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { - plog(ASL_LEVEL_ERR, - "invalid msg length.\n"); - return -1; - } - tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); while (tlen > 0) { + if (tlen < sizeof(*xisr) || + tlen < xisr->sadb_x_ipsecrequest_len) { + plog(ASL_LEVEL_ERR, + "invalid msg length for ipsec request.\n"); + return -1; + } /* length check */ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { @@ -3049,13 +3045,28 @@ addnewsp(mhp) /* set IP addresses if there */ if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { struct sockaddr *paddr; + int rem_buf_len = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr); paddr = (struct sockaddr *)(xisr + 1); + if (rem_buf_len < sizeof(*paddr) || + rem_buf_len < sysdep_sa_len(paddr)) { + plog(ASL_LEVEL_ERR, + "invalid msg length for src ip address.\n"); + return -1; + } bcopy(paddr, &(*p_isr)->saidx.src, sysdep_sa_len(paddr)); + rem_buf_len -= sysdep_sa_len(paddr); + paddr = (struct sockaddr *)((caddr_t)paddr + sysdep_sa_len(paddr)); + if (rem_buf_len < sizeof(*paddr) || + rem_buf_len < sysdep_sa_len(paddr)) { + plog(ASL_LEVEL_ERR, + "invalid msg length for dst ip address.\n"); + return -1; + } bcopy(paddr, &(*p_isr)->saidx.dst, sysdep_sa_len(paddr)); } @@ -3080,6 +3091,7 @@ addnewsp(mhp) default: plog(ASL_LEVEL_ERR, "invalid policy type.\n"); + delsp(new); return -1; }