+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef _IPSECMESSAGETRACER_H
-#define _IPSECMESSAGETRACER_H
-
-#import <asl.h>
-
-#define CONSTSTR(str) (const char *)str
-
-#define L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.l2tpipsec")
-#define CISCOIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.ciscoipsec")
-#define BTMMIPSEC_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.btmm")
-#define PLAINIPSEC_CONNECTION_ESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.disconnect.plain")
-#define L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.connect.l2tpipsec")
-#define CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.connect.ciscoipsec")
-#define BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.connect.btmm")
-#define PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN CONSTSTR("com.apple.Networking.ipsec.connect.plain")
-#define L2TPIPSECVPN_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.l2tpipsec")
-#define CISCOIPSECVPN_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.ciscoipsec")
-#define BTMMIPSEC_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.btmm")
-#define PLAINIPSEC_PHASE_DOMAIN CONSTSTR("com.apple.Networking.ipsec.phasestats.plain")
-#define PLAINIPSECDOMAIN CONSTSTR("com.apple.Networking.ipsec.main")
-
-#define IPSECASLDOMAIN CONSTSTR("com.apple.Networking.ipsec.asl")
-#define IPSECASLKEY CONSTSTR("IPSEC")
-
-#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
-
-#define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason)
-
-#define IPSECPOLICYTRACEREVENT(policy, eventCode, message, failure_reason)
-
-#define IPSECSESSIONTRACERSTART(session)
-#define IPSECSESSIONTRACEREVENT(session, eventCode, message, failure_reason)
-#define IPSECSESSIONTRACERSTOP(session, is_failure, reason)
-#define IPSECSESSIONTRACERESTABLISHED(session)
-
-#else // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
-
-#define IPSECCONFIGTRACEREVENT(config, eventCode, message, failure_reason) ipsecConfigTracerEvent(config, eventCode, message, failure_reason)
-
-#define IPSECPOLICYTRACEREVENT(policy, eventCode, message, failure_reason) ipsecPolicyTracerEvent(policy, eventCode, message, failure_reason)
-
-#define IPSECSESSIONTRACERSTART(session) ipsecSessionTracerStart(session)
-#define IPSECSESSIONTRACEREVENT(session, eventCode, message, failure_reason) ipsecSessionTracerEvent(session, eventCode, message, failure_reason)
-#define IPSECSESSIONTRACERSTOP(session, is_failure, reason) ipsecSessionTracerStop(session, is_failure, reason)
-#define IPSECSESSIONTRACERESTABLISHED(session) ipsecSessionTracerLogEstablished(session)
-
-#endif // (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
-
-#if 1
-#define IPSECLOGASLMSG(format, args...) plog(ASL_LEVEL_NOTICE, format, ##args);
-#else
-#define IPSECLOGASLMSG(format, args...) do { \
- aslmsg m = asl_new(ASL_TYPE_MSG); \
- asl_set(m, ASL_KEY_FACILITY, IPSECASLDOMAIN); \
- asl_set(m, ASL_KEY_MSG, IPSECASLKEY); \
- asl_log(NULL, m, ASL_LEVEL_NOTICE, format, ##args); \
- asl_free(m); \
- } while(0)
-#endif
-
-static inline double get_percentage (double numerator, double denominator)
-{
- if (numerator >= denominator || denominator == 0) {
- return((double)100);
- }
- return((numerator/denominator)*100);
-}
-
-#endif /* _IPSECMESSAGETRACER_H */
#include "strnames.h"
#include "gcmalloc.h"
#include "vendorid.h"
-#include "ipsecConfigTracer.h"
-#include "ipsecMessageTracer.h"
static int num2dhgroup[] = {
0,
yycf_init_buffer();
if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
- IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
- IPSECCONFIGEVENTCODE_PARSE_ERROR,
- CONSTSTR("could not read configuration file"),
- CONSTSTR("cfparse: yycf_switch_buffer erred"));
plog(ASL_LEVEL_ERR,
"could not read configuration file \"%s\"\n",
lcconf->racoon_conf);
plog(ASL_LEVEL_ERR,
"fatal parse failure.\n");
}
- IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
- IPSECCONFIGEVENTCODE_PARSE_ERROR,
- CONSTSTR("fatal parse failure"),
- CONSTSTR("cfparse: yyparse erred"));
yycf_clean_buffer();
return -1;
}
plog(ASL_LEVEL_ERR,
"parse error is nothing, but yyerrorcount is %d.\n",
yyerrorcount);
- IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
- IPSECCONFIGEVENTCODE_PARSE_ERROR,
- CONSTSTR("ambivalent error code"),
- CONSTSTR("cfparse: error == 0 && yerrorcount"));
yycf_clean_buffer();
exit(1);
}
plog(ASL_LEVEL_DEBUG, "==== Got %s signal - re-parsing configuration.\n", sys_signame[sig]);
} else {
plog(ASL_LEVEL_ERR, "==== Got Unknown signal - re-parsing configuration.\n");
- IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"),
- IPSECCONFIGEVENTCODE_REPARSE_ERROR,
- CONSTSTR("Unknown signal"),
- CONSTSTR("cfreparse: triggered by unknown signal"));
}
plog(ASL_LEVEL_DEBUG, "==== %s sessions.\n", ignore_estab_or_assert_handles? "flush negotiating" : "flush all");
extern int f_local;
extern int vflag;
+#define IPSECLOGASLMSG(format, args...) plog(ASL_LEVEL_NOTICE, format, ##args);
+
#endif /* _DEBUG_H */
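Review bot: The macro body added just before `#endif` ends in a semicolon, so every call site written as `IPSECLOGASLMSG(...);` expands to `plog(...);;`, and an unbraced `if (cond) IPSECLOGASLMSG(...); else ...` fails to compile on the stray empty statement. Dropping the trailing `;` — `#define IPSECLOGASLMSG(format, args...) plog(ASL_LEVEL_NOTICE, format, ##args)` — keeps the call-site semicolon meaningful and matches how the neighbouring declarations are written. The macro also forwards `format` verbatim to plog, so it only gets format-string checking if plog is declared with a printf-style format attribute; if it is not, a one-line comment above the macro stating that callers must pass a literal format string would document the hazard.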
#ifdef INET6
static int suitable_ifaddr6 (const char *, const struct sockaddr *);
#endif
+static bool exclude_interfaces(const char *);
#ifndef HAVE_GETIFADDRS
static unsigned int
)
continue;
+ if (exclude_interfaces(ifap->ifa_name)) {
+ continue;
+ }
+
if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) {
plog(ASL_LEVEL_DEBUG,
"unsuitable address: %s %s\n",
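Review bot: The new `exclude_interfaces` skip is silent, whereas the `suitable_ifaddr` rejection immediately below it logs the skipped address at ASL_LEVEL_DEBUG, so an operator tracing why racoon is not binding an address gets no record for this path. Adding `plog(ASL_LEVEL_DEBUG, "excluded interface: %s\n", ifap->ifa_name);` before the `continue` keeps the two skip paths symmetric and makes the exclusion visible in the same log. The enclosing loop and function begin before this hunk.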
freeifaddrs(ifa0);
}
+static bool
+exclude_interfaces(ifname)
+ const char *ifname;
+{
+ if (ifname == NULL) {
+ return false;
+ }
+
+ if (strnstr(ifname, "awdl", IFNAMSIZ) != NULL) {
+ return true;
+ } else if (strnstr(ifname, "llw", IFNAMSIZ) != NULL) {
+ return true;
+ }
+
+ return false;
+}
+
/*
* check the interface is suitable or not
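Review bot: `exclude_interfaces` matches `awdl` and `llw` as substrings anywhere in the first IFNAMSIZ bytes (`strnstr`), not as a name prefix, so any interface whose name merely contains those letters is dropped from address selection; if the intent is the awdlN/llwN interfaces, a prefix test such as `strncmp(ifname, "awdl", 4) == 0 || strncmp(ifname, "llw", 3) == 0` states that precisely. The function carries no comment saying why these interfaces are excluded, and the reason is not obvious from the name; a header comment along the lines of `/* Interfaces racoon must not bind to for IKE — presumably AWDL and low-latency WLAN; TODO confirm rationale */` would help the next reader. `bool`/`true`/`false` require `<stdbool.h>` to be in scope, which this hunk does not show; worth confirming the file already includes it. The definition uses an old-style identifier-list parameter declaration while the prototype added above is a modern one, which is consistent with the file's other definitions but means the compiler does not check the call against the definition's type.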
#include "schedule.h"
#include "pfkey.h"
#include "ipsec_doi.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#include "isakmp_inf.h"
#include "localconf.h"
#include "remoteconf.h"
LIST_INIT(&session->ph1tree);
LIST_INIT(&session->ph2tree);
LIST_INSERT_HEAD(&ike_session_tree, session, chain);
- IPSECSESSIONTRACERSTART(session);
}
return session;
}
session->term_reason != ike_session_stopped_by_idle) {
is_failure = FALSE;
}
- IPSECSESSIONTRACERSTOP(session,
- is_failure,
- session->term_reason);
}
// do MessageTracer cleanup here
plog(ASL_LEVEL_NOTICE,
if (!iph2->parent_session->established) {
gettimeofday(&iph2->parent_session->estab_timestamp, NULL);
iph2->parent_session->established = 1;
- IPSECSESSIONTRACERESTABLISHED(iph2->parent_session);
ike_session_start_traffic_mon(iph2->parent_session);
} else if (iph2->parent_session->is_asserted) {
ike_session_start_traffic_mon(iph2->parent_session);
#include <netinet/in.h>
#include <dispatch/dispatch.h>
#include "handler.h"
-#include "ipsecSessionTracer.h"
typedef struct ike_session_id {
struct sockaddr_storage local;
struct sockaddr_storage remote;
} ike_session_id_t;
-typedef struct ike_session_stats {
- u_int32_t counters[IPSECSESSIONEVENTCODE_MAX];
-} ike_session_stats_t;
-
typedef struct ike_session_ikev1 {
/* list of ph1s */
int active_ph1cnt;
struct timeval stop_timestamp;
ike_session_ikev1_t ikev1_state;
- ike_session_stats_t stats;
-
ike_sesssion_sastats_t traffic_monitor;
schedule_ref sc_idle;
schedule_ref sc_xauth;
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#import <asl.h>
-#include <sys/types.h>
-#include "ipsecConfigTracer.h"
-#include "ipsecMessageTracer.h"
-
-const char * ipsecConfigTracerFailedString = "Tracer Failed";
-const char * ipsecConfigInvalidEventString = "Invalid Event";
-const char * ipsecConfigString = "IPSEC";
-
-const char * const ipsecConfigEventStrings[IPSECCONFIGEVENTCODE_MAX] = { CONSTSTR("NONE") /* index place holder */,
- CONSTSTR("Configuration Reparse Error"),
- CONSTSTR("Configuration Parse Error"),
- CONSTSTR("Signal Error"),
- };
-
-const char *
-ipsecConfigEventCodeToString (ipsecConfigEventCode_t eventCode)
-{
- if (eventCode <= IPSECCONFIGEVENTCODE_NONE || eventCode >= IPSECCONFIGEVENTCODE_MAX)
- return ipsecConfigInvalidEventString;
- return(ipsecConfigEventStrings[eventCode]);
-}
-
-static
-void
-ipsecConfigLogEvent (const char *event_msg, const char *failure_signature)
-{
- aslmsg m;
-
- if (!event_msg) {
- return;
- }
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, ASL_KEY_FACILITY, PLAINIPSECDOMAIN);
- asl_set(m, ASL_KEY_MSG, ipsecConfigString);
-#if 0 /* <rdar://problem/6468252> is flooding 300000+ events to MessageTracer servers */
- if (failure_signature) {
- asl_set(m, "com.apple.message.domain", PLAINIPSECDOMAIN);
- asl_set(m, "com.apple.message.result", "failure"); // failure
- asl_set(m, "com.apple.message.signature", failure_signature);
- }
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
-#else
- if (failure_signature) {
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s (failure: %s)", event_msg, failure_signature);
- } else {
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
- }
-#endif
- asl_free(m);
-}
-
-void
-ipsecConfigTracerEvent (const char *filename, ipsecConfigEventCode_t eventCode, const char *event, const char *failure_reason)
-{
- char buf[1024];
-
- if (filename == NULL) {
- ipsecConfigLogEvent(CONSTSTR("tracer failed. (Invalid filename)."), ipsecConfigTracerFailedString);
- return;
- }
- if (eventCode <= IPSECCONFIGEVENTCODE_NONE || eventCode >= IPSECCONFIGEVENTCODE_MAX) {
- ipsecConfigLogEvent(CONSTSTR("tracer failed. (Invalid event code)."), ipsecConfigTracerFailedString);
- return;
- }
- if (event == NULL) {
- ipsecConfigLogEvent(CONSTSTR("tracer failed. (Invalid event)."), ipsecConfigTracerFailedString);
- return;
- }
-
- buf[0] = (char)0;
- snprintf(buf, sizeof(buf), "%s. (%s, filename %s).", ipsecConfigEventCodeToString(eventCode), failure_reason, filename);
- ipsecConfigLogEvent(CONSTSTR(buf), event);
-}
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef _IPSECCONFIGTRACER_H
-#define _IPSECCONFIGTRACER_H
-
-typedef enum ipsecConfigEventCode {
- IPSECCONFIGEVENTCODE_NONE = 0,
- IPSECCONFIGEVENTCODE_REPARSE_ERROR,
- IPSECCONFIGEVENTCODE_PARSE_ERROR,
- IPSECCONFIGEVENTCODE_SIGNAL_ERROR,
- IPSECCONFIGEVENTCODE_MAX,
-} ipsecConfigEventCode_t;
-
-const char * ipsecConfigEventCodeToString (ipsecConfigEventCode_t);
-void ipsecConfigTracerEvent (const char *, ipsecConfigEventCode_t, const char *, const char *);
-
-#endif /* _IPSECCONFIGTRACER_H */
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#import <asl.h>
-#include <sys/types.h>
-#include "ike_session.h"
-#include "ipsecMessageTracer.h"
-#include "misc.h"
-#include "nattraversal.h"
-
-#define TRUE 1
-#define FALSE 0
-const char *ipsecSessionInvalidEventString = "Invalid Event";
-const char *ipsecSessionString = "IPSEC";
-
-/* tells us the event's description */
-const char * const ipsecSessionEventStrings[IPSECSESSIONEVENTCODE_MAX] = { CONSTSTR("NONE") /* index place holder */,
- CONSTSTR("IKE Packet: transmit success"),
- CONSTSTR("IKE Packet: transmit failed"),
- CONSTSTR("IKE Packet: receive success"),
- CONSTSTR("IKE Packet: receive failed"),
- CONSTSTR("IKEv1 Phase 1 Initiator: success"),
- CONSTSTR("IKEv1 Phase 1 Initiator: failed"),
- CONSTSTR("IKEv1 Phase 1 Initiator: dropped"),
- CONSTSTR("IKEv1 Phase 1 Responder: success"),
- CONSTSTR("IKEv1 Phase 1 Responder: failed"),
- CONSTSTR("IKEv1 Phase 1 Responder: drop"),
- CONSTSTR("IKEv1 Phase 1: maximum retransmits"),
- CONSTSTR("IKEv1 Phase 1 AUTH: success"),
- CONSTSTR("IKEv1 Phase 1 AUTH: failed"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: request transmitted"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: response received"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: request retransmitted"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: request received"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: response transmitted"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: response retransmitted"),
- CONSTSTR("IKEv1 Dead-Peer-Detection: maximum retransmits"),
- CONSTSTR("IKEv1 Config: retransmited"),
- CONSTSTR("IKEv1 Mode-Config: success"),
- CONSTSTR("IKEv1 Mode-Config: failed"),
- CONSTSTR("IKEv1 Mode-Config: dropped"),
- CONSTSTR("IKEv1 XAUTH: success"),
- CONSTSTR("IKEv1 XAUTH: failed"),
- CONSTSTR("IKEv1 XAUTH: dropped"),
- CONSTSTR("IKEv1 Phase 2 Initiator: success"),
- CONSTSTR("IKEv1 Phase 2 Initiator: failed"),
- CONSTSTR("IKEv1 Phase 2 Initiator: dropped"),
- CONSTSTR("IKEv1 Phase 2 Responder: success"),
- CONSTSTR("IKEv1 Phase 2 Responder: fail"),
- CONSTSTR("IKEv1 Phase 2 Responder: drop"),
- CONSTSTR("IKEv1 Phase 2: maximum retransmits"),
- CONSTSTR("IKEv1 Phase 2 AUTH: success"),
- CONSTSTR("IKEv1 Phase 2 AUTH: failed"),
- CONSTSTR("IKEv1 Information-Notice: transmit success"),
- CONSTSTR("IKEv1 Information-Notice: transmit failed"),
- CONSTSTR("IKEv1 Information-Notice: receive success"),
- CONSTSTR("IKEv1 Information-Notice: receive failed"),
- };
-
-/* tells us if we can ignore the failure_reason passed into the event tracer */
-const int ipsecSessionEventIgnoreReason[IPSECSESSIONEVENTCODE_MAX] = {TRUE/* index place holder */,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- FALSE,
- TRUE,
- TRUE,
- FALSE,
- TRUE,
- FALSE,
- TRUE,
- FALSE,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- FALSE,
- TRUE,
- TRUE,
- FALSE,
- FALSE,
- TRUE,
- FALSE,
- FALSE,
- TRUE,
- FALSE,
- TRUE,
- TRUE,
- FALSE,
- TRUE,
- FALSE,
- TRUE,
- FALSE,
- TRUE,
- TRUE,
- TRUE,
- TRUE,
- };
-
-
-const char *
-ipsecSessionEventCodeToString (ipsecSessionEventCode_t eventCode)
-{
- if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX)
- return ipsecSessionInvalidEventString;
- return(ipsecSessionEventStrings[eventCode]);
-}
-
-const char *
-ipsecSessionGetConnectionDomain (ike_session_t *session)
-{
- if (session) {
- if (session->is_cisco_ipsec) {
- if (session->established) {
- return CISCOIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
- } else {
- return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
- }
- } else if (session->is_l2tpvpn_ipsec) {
- if (session->established) {
- return L2TPIPSECVPN_CONNECTION_ESTABLISHED_DOMAIN;
- } else {
- return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
- }
- } else if (session->is_btmm_ipsec) {
- if (session->established) {
- return BTMMIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
- } else {
- return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
- }
- } else {
- if (session->established) {
- return PLAINIPSEC_CONNECTION_ESTABLISHED_DOMAIN;
- } else {
- return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
- }
- }
- }
- return PLAINIPSECDOMAIN;
-}
-
-const char *
-ipsecSessionGetConnectionLessDomain (ike_session_t *session)
-{
- if (session) {
- if (session->is_cisco_ipsec) {
- return CISCOIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
- } else if (session->is_l2tpvpn_ipsec) {
- return L2TPIPSECVPN_CONNECTION_NOTESTABLISHED_DOMAIN;
- } else if (session->is_btmm_ipsec) {
- return BTMMIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
- } else {
- return PLAINIPSEC_CONNECTION_NOTESTABLISHED_DOMAIN;
- }
- }
- return PLAINIPSECDOMAIN;
-}
-
-const char *
-ipsecSessionGetPhaseDomain (ike_session_t *session)
-{
- if (session) {
- if (session->is_cisco_ipsec) {
- return CISCOIPSECVPN_PHASE_DOMAIN;
- } else if (session->is_l2tpvpn_ipsec) {
- return L2TPIPSECVPN_PHASE_DOMAIN;
- } else if (session->is_btmm_ipsec) {
- return BTMMIPSEC_PHASE_DOMAIN;
- }
- }
- return PLAINIPSEC_PHASE_DOMAIN;
-}
-
-static
-void
-ipsecSessionLogEvent (ike_session_t *session, const char *event_msg)
-{
- aslmsg m;
-
- if (!event_msg) {
- return;
- }
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, ASL_KEY_FACILITY, ipsecSessionGetPhaseDomain(session));
- asl_set(m, ASL_KEY_MSG, ipsecSessionString);
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
- asl_free(m);
-}
-
-void
-ipsecSessionTracerStart (ike_session_t *session)
-{
- if (session == NULL) {
- return;
- }
- bzero(&session->stats, sizeof(session->stats));
- bzero(&session->stop_timestamp, sizeof(session->stop_timestamp));
- bzero(&session->estab_timestamp, sizeof(session->estab_timestamp));
- gettimeofday(&session->start_timestamp, NULL);
- ipsecSessionLogEvent(session, CONSTSTR("Connecting."));
-}
-
-void
-ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCode, const char *event, const char *failure_reason)
-{
- char buf[1024];
-
- if (session == NULL) {
- //ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
- return;
- }
- if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX) {
- ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event code)."));
- return;
- }
- if (event == NULL) {
- ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid event)."));
- return;
- }
-
- if (failure_reason) {
- if (!session->term_reason &&
- !ipsecSessionEventIgnoreReason[eventCode]) {
- session->term_reason = (char*)failure_reason;
- }
- }
-
- session->stats.counters[eventCode]++;
- buf[0] = (char)0;
- snprintf(buf, sizeof(buf), "%s. (%s).", ipsecSessionEventCodeToString(eventCode), event);
- ipsecSessionLogEvent(session, CONSTSTR(buf));
-}
-
-static void
-ipsecSessionTracerLogFailureRate (ike_session_t *session, const char *signature, double failure_rate)
-{
- aslmsg m;
- char buf[128];
- const char *domain = ipsecSessionGetPhaseDomain(session);
-
- if (!signature || failure_rate <= 0.001) {
- return;
- }
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, "com.apple.message.domain", domain);
- asl_set(m, ASL_KEY_FACILITY, domain);
- asl_set(m, ASL_KEY_MSG, ipsecSessionString);
- asl_set(m, "com.apple.message.result", "noop");
- asl_set(m, "com.apple.message.signature", signature);
- snprintf(buf, sizeof(buf), "%.3f", failure_rate);
- asl_set(m, "com.apple.message.value", buf); // stuff the up time into value
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s. (Failure-Rate = %s).", signature, buf);
- asl_free(m);
-}
-
-static void
-ipsecSessionTracerLogStop (ike_session_t *session, int caused_by_failure, const char *reason)
-{
- aslmsg m;
- char nat_buf[128];
- char buf[128];
- const char *domain = (session->established)? ipsecSessionGetConnectionDomain(session) : ipsecSessionGetConnectionLessDomain(session);
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, "com.apple.message.domain", domain);
- asl_set(m, ASL_KEY_FACILITY, domain);
- asl_set(m, ASL_KEY_MSG, ipsecSessionString);
- if (caused_by_failure ||
- (reason && reason != ike_session_stopped_by_flush && reason != ike_session_stopped_by_vpn_disconnect)) {
- asl_set(m, "com.apple.message.result", CONSTSTR("failure")); // failure
- } else {
- asl_set(m, "com.apple.message.result", CONSTSTR("success")); // success
- }
- if (reason) {
- if (session->natt_flags & NAT_DETECTED_ME) {
- snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Me", reason);
- asl_set(m, "com.apple.message.signature", nat_buf);
- } else if (session->natt_flags & NAT_DETECTED_PEER) {
- snprintf(nat_buf, sizeof(nat_buf), "%s. NAT detected by Peer", reason);
- asl_set(m, "com.apple.message.signature", nat_buf);
- } else {
- asl_set(m, "com.apple.message.signature", reason);
- }
- } else {
- // reason was NULL; make sure success/failure have different signature
- if (caused_by_failure) {
- asl_set(m, "com.apple.message.signature", CONSTSTR("Internal/Server-side error"));
- } else {
- asl_set(m, "com.apple.message.signature", CONSTSTR("User/System initiated the disconnect"));
- }
- }
- if (session->established) {
- snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->estab_timestamp, &session->stop_timestamp));
- asl_set(m, "com.apple.message.value", buf); // stuff the up time into value
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection was up for, %s seconds).", buf);
- } else {
- snprintf(buf, sizeof(buf), "%8.6f", timedelta(&session->start_timestamp, &session->stop_timestamp));
- asl_set(m, "com.apple.message.value2", buf); /// stuff the negoing time into value2
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "Disconnecting. (Connection tried to negotiate for, %s seconds).", buf);
- }
- asl_free(m);
-}
-
-void
-ipsecSessionTracerStop (ike_session_t *session, int caused_by_failure, const char *reason)
-{
- if (session == NULL) {
- return;
- }
-
- gettimeofday(&session->stop_timestamp, NULL);
-
- ipsecSessionTracerLogStop(session, caused_by_failure, reason);
-
- // go thru counters logging failure-rate events
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Packets Transmit Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Packets Receive Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC]));
- }
- //if (session->version == IKE_VERSION_1) {
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] ||
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] ||
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 1 Failure-Rate Statistic"),
- get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]),
- (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC])));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 1 Initiator Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 1 Responder Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 1 Authentication Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Dead-Peer-Detection Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT],
- (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ])));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] ||
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Dead-Peer-Detect Retransmit-Rate Statistic"),
- get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT]),
- (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_REQ])));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE MODE-Config Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_MODECFG_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE XAUTH Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] ||
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] ||
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 2 Failure-Rate Statistic"),
- get_percentage((double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]),
- (double)(session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC] +
- session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL])));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 2 Initiator Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 2 Responder Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Phase 2 Authentication Failure-Rate Statistics"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_SUCC]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Information-Notice Transmit Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL]));
- }
- if (session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL]) {
- ipsecSessionTracerLogFailureRate(session,
- CONSTSTR("IKE Information-Notice Receive Failure-Rate Statistic"),
- get_percentage((double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL], (double)session->stats.counters[IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_SUCC]));
- }
- //}
-}
-
-void
-ipsecSessionTracerLogEstablished (ike_session_t *session)
-{
- aslmsg m;
- const char *domain = ipsecSessionGetConnectionLessDomain(session);
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, "com.apple.message.domain", domain);
- asl_set(m, ASL_KEY_FACILITY, domain);
- asl_set(m, ASL_KEY_MSG, ipsecSessionString);
- asl_set(m, "com.apple.message.result", "success"); // success
- asl_set(m, "com.apple.message.signature", "success");
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "Connected.");
- asl_free(m);
-}
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef _IPSECSESSIONTRACER_H
-#define _IPSECSESSIONTRACER_H
-
-typedef enum ipsecSessionEventCode {
- IPSECSESSIONEVENTCODE_NONE = 0,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RESP,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_REQ,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RESP,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_CFG_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_MODECFG_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_MODECFG_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_MODECFG_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_DROP,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_AUTH_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_SUCC,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_RX_FAIL,
- IPSECSESSIONEVENTCODE_MAX,
-} ipsecSessionEventCode_t;
-
-const char * ipsecSessionEventCodeToString (ipsecSessionEventCode_t);
-void ipsecSessionTracerStart (ike_session_t *);
-void ipsecSessionTracerEvent (ike_session_t *, ipsecSessionEventCode_t, const char *, const char *);
-void ipsecSessionTracerStop (ike_session_t *, int, const char *);
-void ipsecSessionTracerLogEstablished (ike_session_t *session);
-
-#endif /* _IPSECSESSIONTRACER_H */
# include <netinet/in_systm.h>
# include <netinet/ip.h>
# define SOL_UDP IPPROTO_UDP
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#include "power_mgmt.h"
extern caddr_t val2str (const char *, size_t);
/* validity check */
if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
iph1->side == INITIATOR) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Malformed or unexpected cookie"),
- CONSTSTR("Failed to process packet (malformed/unexpected cookie)"));
plog(ASL_LEVEL_NOTICE,
"Malformed cookie received or "
"the initiator's cookies collide.\n");
/* copy-in new addresses */
iph1->remote = dupsaddr(remote);
if (iph1->remote == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Failed to duplicate remote address"),
- CONSTSTR("Failed to process Phase 1 message (can't duplicate remote address"));
plog(ASL_LEVEL_ERR,
"Phase 1 failed: dupsaddr failed.\n");
fatal_error(-1);
}
iph1->local = dupsaddr(local);
if (iph1->local == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Failed to duplicate local address"),
- CONSTSTR("Failed to process Phase 1 message (can't duplicate local address"));
plog(ASL_LEVEL_ERR,
"Phase 1 failed: dupsaddr failed.\n");
fatal_error(-1);
* because of no authentication has been completed.
*/
if (iph1->etype != isakmp->etype) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Mismatched exchange type"),
- CONSTSTR("Failed to process Phase 1 message (mismatched exchange type)"));
plog(ASL_LEVEL_ERR,
"Exchange type is mismatched: "
"db=%s packet=%s, ignore it.\n",
/* check status of phase 1 whether negotiated or not. */
if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP,
- CONSTSTR("Can't start Phase 2 without valid Phase 1"),
- CONSTSTR("Failed to start Phase 2 responder (no established Phase 1"));
plog(ASL_LEVEL_ERR, "can't start the quick mode, "
"there is no valid ISAKMP-SA, %s\n", isakmp_pindex(&iph1->index, iph1->msgid));
return;
if (ISSET(isakmp->flags, ISAKMP_FLAG_E) &&
(iph2->ph1 == NULL || iph2->ph1->approval == NULL)) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_DROP,
- CONSTSTR("Can't continue Phase 2 without valid Phase 1"),
- CONSTSTR("Failed to continue Phase 2 resonder (invalid linked Phase 1"));
plog(ASL_LEVEL_ERR, "can't start the quick mode, "
"invalid linked ISAKMP-SA\n");
return;
/* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
*/
if (iph1->retry_counter <= 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_MAX_RETRANSMIT,
- CONSTSTR("Phase 1 Maximum Retransmits"),
- CONSTSTR("Phase 1 negotiation failed (Maximum retransmits)"));
-
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Phase 1 negotiation failed due to time up. %s\n",
isakmp_pindex(&iph1->index, iph1->msgid));
if (iph1->side == INITIATOR && iph1->is_rekey && iph1->parent_session && iph1->parent_session->is_client) {
}
if (isakmp_send(iph1, iph1->sendbuf) < 0){
- if (iph1->rmconf->retry_counter != iph1->retry_counter) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Phase 1 Retransmit"),
- CONSTSTR("Failed to retrasmit Phase1"));
- }
plog(ASL_LEVEL_ERR,
"Phase 1 negotiation failed due to send error. %s\n",
isakmp_pindex(&iph1->index, iph1->msgid));
return -1;
}
- if (iph1->rmconf->retry_counter != iph1->retry_counter) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Phase 1 Retransmit"),
- CONSTSTR(NULL));
- }
-
plog(ASL_LEVEL_NOTICE,
"Resend Phase 1 packet %s\n",
isakmp_pindex(&iph1->index, iph1->msgid));
}
if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)){
- IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT,
- CONSTSTR("Underlying Phase 1 expired"),
- CONSTSTR("Failed to retransmit Phase 2 (underlying Phase 1 expired)"));
plog(ASL_LEVEL_ERR,
"Phase 2 negotiation failed due to Phase 1 expired. %s\n",
isakmp_pindex(&iph2->ph1->index, iph2->msgid));
}
if (iph2->retry_counter <= 0) {
- IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_MAX_RETRANSMIT,
- CONSTSTR("Phase 2 maximum retransmits"),
- CONSTSTR("Phase 2 negotiation failed (maximum retransmits)"));
plog(ASL_LEVEL_ERR,
"Phase 2 negotiation failed due to time up. %s\n",
isakmp_pindex(&iph2->ph1->index, iph2->msgid));
}
if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
- if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) {
- IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Phase 2 Retransmit"),
- CONSTSTR("Failed to retransmit Phase2 message"));
- }
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Phase 2 negotiation failed due to send error. %s\n",
isakmp_pindex(&iph2->ph1->index, iph2->msgid));
return -1;
}
- if (iph2->ph1->rmconf->retry_counter != iph2->retry_counter) {
- IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Phase 2 Retransmit"),
- CONSTSTR(NULL));
- }
plog(ASL_LEVEL_NOTICE,
"Resend Phase 2 packet %s\n",
#include "vpn_control.h"
#include "vpn_control_var.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#ifndef HAVE_OPENSSL
#include <Security/SecDH.h>
#endif
fsm_set_state(&iph1->status, IKEV1_STATE_AGG_I_MSG1SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Aggressive-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Aggressive-Mode Message 1"),
- CONSTSTR("Failed to transmit Aggressive-Mode Message 1"));
- }
if (cr)
vfree(cr);
#ifdef ENABLE_FRAG
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
if (ptype != 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
- CONSTSTR("Initiator, Aggressive-Mode Message 2"),
- CONSTSTR("Failed to authenticate, Aggressive-Mode Message 2"));
if (ptype == -1) {
/* message printed inner oakley_validate_auth() */
goto end;
isakmp_info_send_n1(iph1, ptype, NULL);
goto end;
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
- CONSTSTR("Initiator, Aggressive-Mode Message 2"),
- CONSTSTR(NULL));
-
+
if (oakley_checkcr(iph1) < 0) {
/* Ignore this error in order to be interoperability. */
;
#endif
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Aggressive-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Aggressive-Mode Message 2"),
- CONSTSTR("Failure processing Aggressive-Mode Message 2"));
- }
-
if (pbuf)
vfree(pbuf);
if (satmp)
fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
- CONSTSTR("Initiator, Aggressive-Mode"),
- CONSTSTR(NULL));
-
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Aggressive-Mode message 3"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Aggressive-Mode Message 3"),
- CONSTSTR("Failed to transmit Aggressive-Mode Message 3"));
- }
#ifdef ENABLE_NATT
if (natd[0])
vfree(natd[0]);
fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG1RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Aggressive-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Aggressive-Mode Message 1"),
- CONSTSTR("Failed to process Aggressive-Mode Message 1"));
- }
-
if (pbuf)
vfree(pbuf);
if (error) {
#endif
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Aggressive-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Aggressive-Mode Message 2"),
- CONSTSTR("Failed to process Aggressive-Mode Message 2"));
- }
if (cr)
vfree(cr);
#ifdef ENABLE_HYBRID
/* validate authentication value */
ptype = oakley_validate_auth(iph1);
if (ptype != 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
- CONSTSTR("Responder, Aggressive-Mode Message 3"),
- CONSTSTR("Failed to authenticate Aggressive-Mode Message 3"));
if (ptype == -1) {
/* message printed inner oakley_validate_auth() */
goto end;
isakmp_info_send_n1(iph1, ptype, NULL);
goto end;
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
- CONSTSTR("Responder, Aggressive-Mode Message 3"),
- CONSTSTR(NULL));
-
fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_MSG3RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Aggressive-Mode message 3"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Aggressive-Mode Message 3"),
- CONSTSTR("Failed to process Aggressive-Mode Message 3"));
- }
if (pbuf)
vfree(pbuf);
if (msg)
iph1->flags |= ISAKMP_FLAG_E;
fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
- CONSTSTR("Responder, Aggressive-Mode"),
- CONSTSTR(NULL));
-
error = 0;
end:
#include "vpn_control.h"
#include "vpn_control_var.h"
#include "ike_session.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#include "nattraversal.h"
struct isakmp_cfg_config isakmp_cfg_config;
/* Check that the packet is long enough to have a header */
if (msg->l < sizeof(*packet)) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("MODE-Config. Unexpected short packet"),
- CONSTSTR("Failed to process short MODE-Config packet"));
plog(ASL_LEVEL_ERR, "Unexpected short packet\n");
return;
}
/* Is it encrypted? It should be encrypted */
if ((packet->flags & ISAKMP_FLAG_E) == 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("MODE-Config. User credentials sent in cleartext"),
- CONSTSTR("Dropped cleattext User credentials"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"User credentials sent in cleartext!\n");
return;
}
dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
if (dmsg == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("MODE-Config. Failed to decrypt packet"),
- CONSTSTR("Failed to decrypt MODE-Config packet"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to decrypt message\n");
return;
}
goto out; /* no resend scheduled */
SCHED_KILL(iph2->scr); /* turn off schedule */
ike_session_unlink_phase2(iph2);
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("MODE-Config"),
- CONSTSTR(NULL));
out:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("MODE-Config"),
- CONSTSTR("Failed to process Mode-Config packet"));
- }
vfree(dmsg);
}
VPTRINIT(iph2->sendbuf);
goto err;
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_CFG_RETRANSMIT,
- CONSTSTR("Mode-Config retransmit"),
- CONSTSTR(NULL));
error = 0;
goto end;
}
error = 0;
VPTRINIT(iph2->sendbuf);
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Mode-Config message"),
- CONSTSTR(NULL));
-
err:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Mode-Config message"),
- CONSTSTR("Failed to transmit Mode-Config message"));
- }
ike_session_unlink_phase2(iph2);
end:
if (hash)
#include "vpn_control.h"
#include "vpn_control_var.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#ifndef HAVE_OPENSSL
#include <Security/SecDH.h>
#endif
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG1SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 1"),
- CONSTSTR("Failed to transmit Main-Mode Message 1"));
- }
#ifdef ENABLE_FRAG
if (vid_frag)
vfree(vid_frag);
#endif
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 2"),
- CONSTSTR("Failed to process Main-Mode Message 2"));
- }
if (pbuf)
vfree(pbuf);
if (satmp)
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG3SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 3"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 3"),
- CONSTSTR("Failed to transmit Main-Mode Message 3"));
- }
return error;
}
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG4RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 4"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 4"),
- CONSTSTR("Failed to process Main-Mode Message 4"));
- }
if (pbuf)
vfree(pbuf);
if (error) {
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG5SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 5"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 5"),
- CONSTSTR("Failed to transmit Main-Mode Message 5"));
- }
return error;
}
/* validate authentication value */
type = oakley_validate_auth(iph1);
if (type != 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 6"),
- CONSTSTR("Failed to authenticate Main-Mode Message 6"));
if (type == -1) {
/* msg printed inner oakley_validate_auth() */
goto end;
isakmp_info_send_n1(iph1, type, NULL);
goto end;
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
- CONSTSTR("Initiator, Main-Mode Message 6"),
- CONSTSTR(NULL));
-
/*
* XXX: Should we do compare two addresses, ph1handle's and ID
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_I_MSG6RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Main-Mode message 6"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Main-Mode Message 6"),
- CONSTSTR("Failed to transmit Main-Mode Message 6"));
- }
if (pbuf)
vfree(pbuf);
if (msg)
memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_INIT_SUCC,
- CONSTSTR("Initiator, Main-Mode"),
- CONSTSTR(NULL));
-
error = 0;
-
end:
return error;
}
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG1RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Main-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 1"),
- CONSTSTR("Failed to process Main-Mode Message 1"));
- }
if (pbuf)
vfree(pbuf);
if (error) {
#endif
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Main-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 2"),
- CONSTSTR("Failed to transmit Main-Mode Message 2"));
- }
#ifdef ENABLE_NATT
if (vid_natt)
vfree(vid_natt);
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG3RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Main-Mode message 3"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 3"),
- CONSTSTR("Failed to process Main-Mode Message 3"));
- }
if (pbuf)
vfree(pbuf);
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG4SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Main-Mode message 4"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 4"),
- CONSTSTR("Failed to transmit Main-Mode Message 4"));
- }
return error;
}
type = oakley_validate_auth(iph1);
if (type != 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_FAIL,
- CONSTSTR("Responder, Main-Mode Message 5"),
- CONSTSTR("Failed to authenticate Main-Mode Message 5"));
if (type == -1) {
/* msg printed inner oakley_validate_auth() */
goto end;
isakmp_info_send_n1(iph1, type, NULL);
goto end;
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_AUTH_SUCC,
- CONSTSTR("Responder, Main-Mode Message 5"),
- CONSTSTR(NULL));
if (oakley_checkcr(iph1) < 0) {
/* Ignore this error in order to be interoperability. */
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_MSG5RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Main-Mode message 5"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 5"),
- CONSTSTR("Failed to process Main-Mode Message 5"));
- }
if (pbuf)
vfree(pbuf);
if (msg)
memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_ESTABLISHED);
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH1_RESP_SUCC,
- CONSTSTR("Responder, Main-Mode"),
- CONSTSTR(NULL));
-
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Main-Mode message 6"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Main-Mode Message 6"),
- CONSTSTR("Failed to process Main-Mode Message 6"));
- }
-
return error;
}
#include "vpn_control_var.h"
#include "vpn_control.h"
#include "ike_session.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
/* information exchange */
static int isakmp_info_recv_n (phase1_handle_t *, struct isakmp_pl_n *, u_int32_t, int);
if (iph1->ivm == NULL) {
plog(ASL_LEVEL_ERR, "iph1->ivm == NULL\n");
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to process Information Message (no IV)"));
return -1;
}
if (ivm == NULL) {
plog(ASL_LEVEL_ERR,
"failed to compute IV\n");
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to process Information Message (can't compute IV)"));
return -1;
}
if (msg == NULL) {
plog(ASL_LEVEL_ERR,
"failed to decrypt packet\n");
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to decrypt Information message"));
return -1;
}
flag |= error;
}
}
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Information message"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to process Information Message"));
- }
if (msg != NULL)
vfree(msg);
if (pbuf != NULL)
error = isakmp_info_send_common(iph1, payload,
ISAKMP_NPTYPE_D, 0);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("Delete ISAKMP-SA"),
- CONSTSTR("Failed to transmit Delete-ISAKMP-SA message"));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("Delete ISAKMP-SA"),
- CONSTSTR(NULL));
- }
-
return error;
}
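Review bot: With the tracer calls removed, a non-zero return from `isakmp_info_send_common` on this Delete-ISAKMP-SA path leaves no local diagnostic — the deleted `IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL` event was the only record in this hunk, and the surviving code just returns `error`. Unless `isakmp_info_send_common` logs its own failures (not visible in this diff), I would add `if (error) plog(ASL_LEVEL_ERR, "failed to send Delete-ISAKMP-SA informational message\n");` before `return error;`, so that a peer that never receives the delete still leaves a trace in the log. The same pattern recurs in the Delete-IPSEC-SA, Without-ISAKMP-SA, ISAKMP-SA and IPSEC-SA notify hunks below, and in the R-U-THERE? ACK hunk, where the surviving `received a valid R-U-THERE, ACK sent` message is printed even when the send failed. The enclosing function begins outside this hunk.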
iph1 = ike_session_getph1byaddr(iph2->parent_session, iph2->src, iph2->dst);
}
if (iph1 == NULL){
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information message"));
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("Delete IPSEC-SA"),
- CONSTSTR("Failed to transmit Delete-IPSEC-SA message"));
plog(ASL_LEVEL_NOTICE,
"No ph1 handler found, could not send DELETE_SA\n");
return 0;
tlen = sizeof(*d) + pr->spisize;
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information message"));
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("Delete IPSEC-SA"),
- CONSTSTR("Failed to transmit Delete-IPSEC-SA message"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer for payload.\n");
return errno;
}
error = isakmp_info_send_common(iph1, payload,
ISAKMP_NPTYPE_D, 0);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("Delete IPSEC-SA"),
- CONSTSTR("Failed to transmit Delete-IPSEC-SA"));
- } else {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("Delete IPSEC-SA"),
- CONSTSTR(NULL));
- }
}
return error;
/* search appropreate configuration */
rmconf = getrmconf(remote);
if (rmconf == NULL) {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information message (no remote configuration)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"no configuration found for peer address.\n");
goto end;
}
/* add new entry to isakmp status table. */
iph1 = ike_session_newph1(ISAKMP_VERSION_NUMBER_IKEV1);
if (iph1 == NULL) {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information message (no new Phase 1)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to allocate ph1");
return -1;
}
/* copy remote address */
if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information Message (can't copy Phase 1 addresses)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to copy ph1 addresses");
error = -1;
iph1 = NULL; /* deleted in copy_ph1addresses */
tlen += data->l;
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information Message (can't allocate payload)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer to send.\n");
error = -1;
goto end;
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("Without ISAKMP-SA"),
- CONSTSTR("Failed to transmit Without-ISAKMP-SA message"));
- } else {
- IPSECSESSIONTRACEREVENT(sess,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("Without ISAKMP-SA"),
- CONSTSTR(NULL));
- }
-
- end:
+end:
if (iph1 != NULL)
ike_session_unlink_phase1(iph1);
tlen += data->l;
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("ISAKMP-SA"),
- CONSTSTR("Failed to transmit ISAKMP-SA message (can't allocate payload)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer to send.\n");
return errno;
}
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("ISAKMP-SA"),
- CONSTSTR("Can't transmit ISAKMP-SA message"));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("ISAKMP-SA"),
- CONSTSTR(NULL));
- }
-
return error;
}
tlen += data->l;
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("IPSEC-SA"),
- CONSTSTR("Failed to transmit IPSEC-SA message (can't allocate payload)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer to send.\n");
return errno;
}
iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? */
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("IPSEC-SA"),
- CONSTSTR("Failed to transmit IPSEC-SA message"));
- } else {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("IPSEC-SA"),
- CONSTSTR(NULL));
- }
-
return error;
}
/* XXX If Acknowledged Informational required, don't delete ph2handle */
error = 0;
VPTRINIT(iph2->sendbuf);
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Information message"),
- CONSTSTR(NULL));
-
goto err; /* XXX */
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Information message"),
- CONSTSTR("Failed to transmit Information message"));
- }
if (hash)
vfree(hash);
return error;
tlen = sizeof(*ru_ack);
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("R-U-THERE? ACK"),
- CONSTSTR("Failed to transmit DPD response"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer to send.\n");
return errno;
}
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N,
ISAKMP_FLAG_E);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("R-U-THERE? ACK"),
- CONSTSTR("Failed to transmit DPD ack"));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("R-U-THERE? ACK"),
- CONSTSTR(NULL));
- }
-
plog(ASL_LEVEL_NOTICE, "received a valid R-U-THERE, ACK sent\n");
/* Should we mark tunnel as active ? */
isakmp_sched_r_u(iph1, 0);
- if (iph1->side == INITIATOR) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RESP,
- CONSTSTR("Initiator DPD Response"),
- CONSTSTR(NULL));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RESP,
- CONSTSTR("Responder DPD Response"),
- CONSTSTR(NULL));
- }
plog(ASL_LEVEL_NOTICE, "received an R-U-THERE-ACK\n");
#ifdef ENABLE_VPNCONTROL_PORT
}
if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT,
- CONSTSTR("DPD maximum retransmits"),
- CONSTSTR("maxed-out of DPD requests without receiving an ack"));
-
(void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL);
purge_remote(iph1);
tlen = sizeof(*ru);
payload = vmalloc(tlen);
if (payload == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("R-U-THERE?"),
- CONSTSTR("Failed to transmit DPD request"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to get buffer for payload.\n");
return;
}
error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
vfree(payload);
- if (error) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
- CONSTSTR("R-U-THERE?"),
- CONSTSTR("Failed to transmit DPD request"));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_SUCC,
- CONSTSTR("R-U-THERE?"),
- CONSTSTR(NULL));
- }
-
- if (iph1->side == INITIATOR) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- iph1->dpd_fails? IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_RETRANSMIT : IPSECSESSIONEVENTCODE_IKEV1_DPD_INIT_REQ,
- CONSTSTR("Initiator DPD Request"),
- CONSTSTR(NULL));
- } else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- iph1->dpd_fails? IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_RETRANSMIT : IPSECSESSIONEVENTCODE_IKEV1_DPD_RESP_REQ,
- CONSTSTR("Responder DPD Request"),
- CONSTSTR(NULL));
- }
plog(ASL_LEVEL_NOTICE,
"DPD R-U-There sent (%d)\n", error);
#include "sainfo.h"
#include "strnames.h"
#include "nattraversal.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#ifndef HAVE_OPENSSL
#include <Security/SecDH.h>
#endif
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG1SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Quick-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Quick-Mode Message 1"),
- CONSTSTR("Failed to transmit Quick-Mode Message 1"));
- }
if (body != NULL)
vfree(body);
if (hash != NULL)
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_MSG2RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Quick-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Quick-Mode Message 2"),
- CONSTSTR("Failed to process Quick-Mode Message 2 "));
- }
if (hbuf)
vfree(hbuf);
if (pbuf)
goto end;
}
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Initiator, Quick-Mode message 3"),
- CONSTSTR(NULL));
packet_error = 0;
/* compute both of KEYMATs */
error = 0;
end:
- if (packet_error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Initiator, Quick-Mode Message 3"),
- CONSTSTR("Failed to transmit Quick-Mode Message 3"));
- }
if (buf != NULL)
vfree(buf);
if (msg != NULL)
}
}
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Initiator, Quick-Mode message 4"),
- CONSTSTR(NULL));
packet_error = 0;
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_ADDSA);
error = 0;
end:
- if (packet_error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Initiator, Quick-Mode Message 4"),
- CONSTSTR("Failed to process Quick-Mode Message 4"));
- }
if (msg != NULL)
vfree(msg);
if (pbuf != NULL)
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG1RCVD);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Quick-Mode message 1"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Quick-Mode Message 1"),
- CONSTSTR("Failed to process Quick-Mode Message 1"));
- }
if (hbuf)
vfree(hbuf);
if (msg)
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_MSG2SENT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Quick-Mode message 2"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Quick-Mode Message 2"),
- CONSTSTR("Failed to transmit Quick-Mode Message 2"));
- }
if (body != NULL)
vfree(body);
if (hash != NULL)
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_SUCC,
- CONSTSTR("Responder, Quick-Mode message 3"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
- CONSTSTR("Responder, Quick-Mode Message 3"),
- CONSTSTR("Failed to process Quick-Mode Message 3"));
- }
if (pbuf != NULL)
vfree(pbuf);
if (msg != NULL)
fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_R_COMMIT);
error = 0;
-
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_SUCC,
- CONSTSTR("Responder, Quick-Mode message 4"),
- CONSTSTR(NULL));
-
end:
- if (error) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKE_PACKET_TX_FAIL,
- CONSTSTR("Responder, Quick-Mode Message 4"),
- CONSTSTR("Failed to transmit Quick-Mode Message 4"));
- }
if (buf != NULL)
vfree(buf);
if (myhash != NULL)
#include "localconf.h"
#include "vpn_control.h"
#include "vpn_control_var.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
-
void
xauth_sendreq(iph1)
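Review bot: Removing `#include "ipsecMessageTracer.h"` takes away the header that, as far as this diff shows, defined `CONSTSTR` and, I believe, `IPSECLOGASLMSG`, yet the new side of this file still calls `IPSECLOGASLMSG("IPSec Extended Authentication Failed.\n")` in the XAUTH-status hunk further down, and the next file does the same in its Phase 2 established hunk after dropping the same include. If `IPSECLOGASLMSG` is not re-homed in a header those files still include, both call sites will fail to compile; if it was moved, the commit description should say where. The deleted header also did `#import <asl.h>`, which the `ASL_LEVEL_*` arguments to the surviving `plog` calls rely on, so confirm `<asl.h>` is still reached through another include in each affected file. The enclosing definition of xauth_sendreq continues outside the hunk.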
vchar_t *mdata = NULL;
if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- CONSTSTR("XAUTH is not supported by peer"),
- CONSTSTR("XAUTH dropped (not supported by peer)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Xauth mode config set but peer "
"did not declare itself as Xauth capable\n");
return NULL;
switch(AUTHMETHOD(iph1)) {
case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
if (!iph1->is_rekey) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- CONSTSTR("Unexpected XAUTH Status"),
- CONSTSTR("Xauth dropped (unexpected Xauth status)... not a Phase 1 rekey"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Unexpected XAUTH_STATUS_OK... not a Phase 1 rekey\n");
return NULL;
}
case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
break;
default:
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- CONSTSTR("Unexpected XAUTH Status"),
- CONSTSTR("Xauth dropped (unexpected Xauth status)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Unexpected XAUTH_STATUS_OK\n");
return NULL;
break;
/* If we got a failure, delete iph1 */
if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_FAIL,
- CONSTSTR("XAUTH Status is not OK"),
- CONSTSTR("Xauth Failed (status not ok)"));
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Xauth authentication failed\n");
vpncontrol_notify_ike_failed(VPNCTL_NTYPE_AUTHENTICATION_FAILED, FROM_LOCAL,
IPSECLOGASLMSG("IPSec Extended Authentication Failed.\n");
} else {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_SUCC,
- CONSTSTR("XAUTH Status is OK"),
- CONSTSTR(NULL));
if (iph1->is_rekey) {
xst->status = XAUTHST_OK;
}
}
default:
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- CONSTSTR("ignored attribute"),
- CONSTSTR("Xauth dropped (ignored attribute)"));
- plog(ASL_LEVEL_WARNING,
+ plog(ASL_LEVEL_WARNING,
"Ignored attribute %s\n", s_isakmp_cfg_type(type));
return NULL;
break;
}
if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
- IPSECSESSIONTRACEREVENT(iph1->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_XAUTH_DROP,
- CONSTSTR("Failed to allocate attribute"),
- CONSTSTR("Xauth dropped (failed to allocate attribute)"));
plog(ASL_LEVEL_ERR,
"Cannot allocate memory\n");
return NULL;
#include "vpn_control.h"
#include "vpn_control_var.h"
#include "ike_session.h"
-#include "ipsecSessionTracer.h"
-#include "ipsecMessageTracer.h"
#include "power_mgmt.h"
#include "session.h"
/* update status */
fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_ESTABLISHED);
- if (iph2->side == INITIATOR) {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_INIT_SUCC,
- CONSTSTR("Initiator, Quick-Mode"),
- CONSTSTR(NULL));
- } else {
- IPSECSESSIONTRACEREVENT(iph2->parent_session,
- IPSECSESSIONEVENTCODE_IKEV1_PH2_RESP_SUCC,
- CONSTSTR("Responder, Quick-Mode"),
- CONSTSTR(NULL));
- }
-
ike_session_ph2_established(iph2);
IPSECLOGASLMSG("IPSec Phase 2 established (Initiated by %s).\n",
#include "vpn_control_var.h"
#include "strnames.h"
#include "ike_session.h"
-#include "ipsecMessageTracer.h"
-
static int vpn_get_ph2pfs (phase1_handle_t *);
return;
}
-void
-ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCode, const char *event, const char *failure_reason)
-{
- __builtin_unreachable();
- return;
-}
-
static int
racoon_cert_validity_test(void)
{
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#import <asl.h>
-#include <sys/types.h>
-#include "ipsecPolicyTracer.h"
-#include "ipsecMessageTracer.h"
-
-const char *ipsecConfigTracerFailedString = "Tracer Failed";
-const char *ipsecPolicyInvalidEventString = "Invalid Event";
-const char *ipsecPolicyString = "IPSEC";
-
-const char * const ipsecPolicyEventStrings[IPSECPOLICYEVENTCODE_MAX] = { CONSTSTR("NONE") /* index place holder */,
- CONSTSTR("setkey Error"),
- };
-
-const char *
-ipsecPolicyEventCodeToString (ipsecPolicyEventCode_t eventCode)
-{
- if (eventCode <= IPSECPOLICYEVENTCODE_NONE || eventCode >= IPSECPOLICYEVENTCODE_MAX)
- return ipsecPolicyInvalidEventString;
- return(ipsecPolicyEventStrings[eventCode]);
-}
-
-static
-void
-ipsecPolicyLogEvent (const char *event_msg, const char *failure_signature)
-{
- aslmsg m;
-
- if (!event_msg) {
- return;
- }
-
- m = asl_new(ASL_TYPE_MSG);
- asl_set(m, ASL_KEY_FACILITY, PLAINIPSECDOMAIN);
- asl_set(m, ASL_KEY_MSG, ipsecPolicyString);
-#if 0 /* we don't want to send filenames to MessageTracer server */
- if (failure_signature) {
- asl_set(m, "com.apple.message.domain", PLAINIPSECDOMAIN);
- asl_set(m, "com.apple.message.result", "failure"); // failure
- asl_set(m, "com.apple.message.signature", failure_signature);
- }
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
-#else
- if (failure_signature) {
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s (failure: %s)", event_msg, failure_signature);
- } else {
- asl_log(NULL, m, ASL_LEVEL_NOTICE, "%s", event_msg);
- }
-#endif
- asl_free(m);
-}
-
-void
-ipsecPolicyTracerEvent (const char *filename, ipsecPolicyEventCode_t eventCode, const char *event, const char *failure_reason)
-{
- char buf[1024];
-
- if (filename == NULL) {
- ipsecPolicyLogEvent(CONSTSTR("tracer failed. (Invalid filename)."), ipsecConfigTracerFailedString);
- return;
- }
- if (eventCode <= IPSECPOLICYEVENTCODE_NONE || eventCode >= IPSECPOLICYEVENTCODE_MAX) {
- ipsecPolicyLogEvent(CONSTSTR("tracer failed. (Invalid event code)."), ipsecConfigTracerFailedString);
- return;
- }
- if (event == NULL) {
- ipsecPolicyLogEvent(CONSTSTR("tracer failed. (Invalid event)."), ipsecConfigTracerFailedString);
- return;
- }
-
- buf[0] = (char)0;
- snprintf(buf, sizeof(buf), "%s. (%s, filename %s).", ipsecPolicyEventCodeToString(eventCode), failure_reason, filename);
- ipsecPolicyLogEvent(CONSTSTR(buf), event);
-}
+++ /dev/null
-/*
- * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License"). You may not use this file except in compliance with the
- * License. Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef _IPSECPOLICYTRACER_H
-#define _IPSECPOLICYTRACER_H
-
-typedef enum ipsecPolicyEventCode {
- IPSECPOLICYEVENTCODE_NONE = 0,
- IPSECPOLICYEVENTCODE_SETKEY_ERROR,
- IPSECPOLICYEVENTCODE_MAX,
-} ipsecPolicyEventCode_t;
-
-const char * ipsecPolicyEventCodeToString (ipsecPolicyEventCode_t);
-void ipsecPolicyTracerEvent (const char *, ipsecPolicyEventCode_t, const char *, const char *);
-
-#endif /* _IPSECPOLICYTRACER_H */
//#include "package_version.h"
#define extern /* so that variables in extern.h are not extern... */
#include "extern.h"
-#include "ipsecPolicyTracer.h"
-#include "ipsecMessageTracer.h"
-
void usage (/*int*/);
int main (int, char **);
case 'f':
f_mode = MODE_SCRIPT;
if ((fp = fopen(optarg, "r")) == NULL) {
- IPSECPOLICYTRACEREVENT(optarg,
- IPSECPOLICYEVENTCODE_SETKEY_ERROR,
- CONSTSTR("could not open policy file"),
- CONSTSTR("setkey -f : fopen erred"));
err(1, "fopen");
/*NOTREACHED*/
}
if (argc > 0) {
while (argc--)
if (fileproc(*argv++) < 0) {
- IPSECPOLICYTRACEREVENT(argv[-1],
- IPSECPOLICYEVENTCODE_SETKEY_ERROR,
- CONSTSTR("could not parse policy file"),
- CONSTSTR("setkey: fileproc erred"));
err(1, "%s", argv[-1]);
/*NOTREACHED*/
}
so = pfkey_open();
if (so < 0) {
- IPSECPOLICYTRACEREVENT(argv[-1],
- IPSECPOLICYEVENTCODE_SETKEY_ERROR,
- CONSTSTR("couldn't open pfkey socket"),
- CONSTSTR("setkey: pfkey_open erred"));
perror("pfkey_open");
exit(1);
}
break;
case MODE_STDIN:
if (get_supported() < 0) {
- IPSECPOLICYTRACEREVENT("STDIN",
- IPSECPOLICYEVENTCODE_SETKEY_ERROR,
- CONSTSTR(ipsec_strerror()),
- CONSTSTR("setkey: get_supported erred"));
errx(1, "%s", ipsec_strerror());
/*NOTREACHED*/
}
BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; };
BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; };
BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; };
- BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; };
- BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; };
- BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */; };
- BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F290EC19F40003774E7 /* ipsecSessionTracer.c */; };
- BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
- BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; };
BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
25DE2DE90A8BD40E0010A46D /* vpn_control.c in Sources */,
81CA08920CE3BC870055C0AF /* vpn.c in Sources */,
BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */,
- BA5B6F2A0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */,
- BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */,
81CBCFE91447A1C20000D6E6 /* fsm.c in Sources */,
BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */,
25ECCDA209AD479A00883CA3 /* pfkey.c in Sources */,
25F258910988648C00D15623 /* setkey.c in Sources */,
25F258940988648C00D15623 /* token.l in Sources */,
- BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
812530F20D3FE9DC006BDF4F /* vpn_control.c in Sources */,
812530F30D3FE9DC006BDF4F /* vpn.c in Sources */,
BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */,
- BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */,
- BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */,
BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */,
72F5C72F1607A1AE004C192F /* api_support.c in Sources */,
81DDFD9E0D622C1700C5CB87 /* pfkey.c in Sources */,
81DDFD9F0D622C1700C5CB87 /* setkey.c in Sources */,
81DDFDA00D622C1700C5CB87 /* token.l in Sources */,
- BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};