/* Define to 1 if you have the <memory.h> header file. */
#define HAVE_MEMORY_H 1
+/* Define to 1 to enable DNSSEC - not currently functional */
+#define ENABLE_DNSSEC_CERTS 0
+
/* Define to 1 if keychain is used */
#if TARGET_OS_EMBEDDED
#undef HAVE_KEYCHAIN
#define HAVE_GETIFADDRS 1
-#if TARGET_OS_EMBEDDED
+#if 1
#undef HAVE_OPENSSL
#else
#define HAVE_OPENSSL 1
p->sadb_x_ipsecif_exttype = SADB_X_EXT_IPSECIF;
if (internal_if != NULL)
- strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if));
+ strncpy(p->sadb_x_ipsecif_internal_if, internal_if, sizeof(p->sadb_x_ipsecif_internal_if) - 1);
if (outgoing_if != NULL)
- strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if));
+ strncpy(p->sadb_x_ipsecif_outgoing_if, outgoing_if, sizeof(p->sadb_x_ipsecif_outgoing_if) - 1);
if (ipsec_if != NULL)
- strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if));
+ strncpy(p->sadb_x_ipsecif_ipsec_if, ipsec_if, sizeof(p->sadb_x_ipsecif_ipsec_if) - 1);
p->sadb_x_ipsecif_init_disabled = init_disabled;
#include "isakmp_frag.h"
#include "session.h"
#ifdef ENABLE_HYBRID
-#include "resolv.h"
#include "isakmp_unity.h"
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#ifdef ENABLE_HYBRID
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
- if (icc->dns4_index > MAXNS) {
+ if (icc->dns4_index >= MAXNS) {
racoon_yyerror("No more than %d DNS", MAXNS);
return -1;
}
* Framework and CSSM
*/
+#include "config.h"
+
#include <Security/SecCertificate.h>
#include <Security/SecPolicy.h>
#include <Security/SecTrust.h>
-#include <Security/SecKey.h>
+#include <Security/SecKeyPriv.h>
#include <Security/SecIdentity.h>
#include <Security/SecItem.h>
#include <TargetConditionals.h>
#include <Security/SecItemPriv.h>
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
#include <Security/SecTrustPriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecCertificatePriv.h>
#else
#include <Security/SecBase.h>
#include <Security/SecIdentityPriv.h>
-#include <Security/SecIdentitySearch.h>
-#include <Security/SecKeychain.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecKeychainItemPriv.h>
#include <Security/SecCertificateOIDs.h>
#include <Security/SecKeyPriv.h>
#include <Security/oidsalg.h>
#endif
#include <CoreFoundation/CoreFoundation.h>
#if !TARGET_OS_EMBEDDED
+#include <Security/SecIdentitySearch.h>
+#include <Security/SecKeychain.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecKeychainItemPriv.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#endif
#include "plog.h"
static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef);
-#if !TARGET_OS_EMBEDDED
-#endif
+
static SecPolicyRef
crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname)
}
-static cert_status_t
+cert_status_t
crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef)
{
cert_status_t certStatus = CERT_STATUS_OK;
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
CFAbsoluteTime timeNow = 0;
CFAbsoluteTime notvalidbeforedate = 0;
CFAbsoluteTime notvalidafterdate = 0;
CFDateRef notvalidbeforedatedata = NULL;
CFDateRef notvalidafterdatedata = NULL;
CFArrayRef certProparray = NULL;
- CFDictionaryRef propDict = NULL;
- const void *datevalue = NULL;
- const void *labelvalue = NULL;
- CFGregorianDate gregoriandate;
- CFIndex count;
- CFIndex i;
-
- if ((certProparray = SecCertificateCopyProperties(certificateRef))){
- if ((count = CFArrayGetCount( certProparray ))){
- for( i = 0; i < count; i++) {
- if ((propDict = CFArrayGetValueAtIndex(certProparray, i))) {
- if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){
- /* get kSecPropertyKeyLabel */
- if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){
- if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){
- if ( (notvalidbeforedate = CFDateGetAbsoluteTime(datevalue))) {
- if (notvalidbeforedatedata) {
- CFRelease(notvalidbeforedatedata);
- }
- notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
- }
- }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){
- if ( (notvalidafterdate = CFDateGetAbsoluteTime(datevalue))) {
- if (notvalidafterdatedata) {
- CFRelease(notvalidafterdatedata);
- }
- notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
- }
- }
- }
- }
+
+ if ((timeNow = CFAbsoluteTimeGetCurrent())) {
+ if (SecCertificateIsValid(certificateRef, timeNow)) {
+ plog(ASL_LEVEL_NOTICE, "Certificate expiration date is OK\n");
+ certStatus = CERT_STATUS_OK;
+ } else {
+ nowcfdatedata = CFDateCreate( NULL, timeNow);
+
+ if ((notvalidbeforedate = SecCertificateNotValidBefore(certificateRef))) {
+ notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate);
+ }
+
+ if ((notvalidafterdate = SecCertificateNotValidAfter(certificateRef))) {
+ notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate);
+ }
+
+ int year = 0;
+ int month = 0;
+ int day = 0;
+ int hour = 0;
+ int minute = 0;
+ CFCalendarRef calendar = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar);
+ if (calendar)
+ {
+ if (notvalidbeforedate) {
+ CFCalendarDecomposeAbsoluteTime(calendar, notvalidbeforedate, "yMdHm", &year, &month, &day, &hour, &minute);
+ plog(ASL_LEVEL_DEBUG, "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute);
}
- }
- }
- }
- if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){
- if ( notvalidbeforedatedata ){
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL);
- plog(ASL_LEVEL_DEBUG,
- "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL);
- plog(ASL_LEVEL_DEBUG,
- "Certificate not valid after yr %d, mon %d, days %d, hours %d, min %d\n", (int)gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute);
- if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){
- plog(ASL_LEVEL_ERR,
- "current time before valid time\n");
- certStatus = CERT_STATUS_PREMATURE;
- } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
- plog(ASL_LEVEL_ERR,
- "current time after valid time\n");
- certStatus = CERT_STATUS_EXPIRED;
- }else {
- plog(ASL_LEVEL_INFO, "Certificate expiration date is OK\n");
- certStatus = CERT_STATUS_OK;
+ if (notvalidafterdate) {
+ CFCalendarDecomposeAbsoluteTime(calendar, notvalidafterdate, "yMdHm", &year, &month, &day, &hour, &minute);
+ plog(ASL_LEVEL_DEBUG, "Certificate not valid after yr %d, mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute);
+ }
+ CFRelease(calendar);
+ }
+
+ if (nowcfdatedata != NULL) {
+ if (notvalidbeforedatedata && CFDateCompare(nowcfdatedata, notvalidbeforedatedata, NULL) == kCFCompareLessThan){
+ plog(ASL_LEVEL_ERR,
+ "current time before valid time\n");
+ certStatus = CERT_STATUS_PREMATURE;
+ } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){
+ plog(ASL_LEVEL_ERR,
+ "current time after valid time\n");
+ certStatus = CERT_STATUS_EXPIRED;
+ }
}
}
+ } else {
+ plog(ASL_LEVEL_ERR, "CFAbsoluteTimeGetCurrent() failed");
+ certStatus = CERT_STATUS_INVALID;
}
if (notvalidbeforedatedata)
if (status != noErr && status != -1) {
plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "check_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status));
status = -1;
} else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) {
status = -1;
if (status != noErr && status != -1) {
plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "getsign error %d %s.\n", (int)status, GetSecurityErrorString(status));
status = -1;
}
return sig;
if (status != noErr && status != -1) {
plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "get_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status));
status = -1;
}
return cert;
if (status != noErr && status != -1) {
plog(ASL_LEVEL_ERR,
- "error %d %s.\n", (int)status, GetSecurityErrorString(status));
+ "EvaluateCert error %d %s.\n", (int)status, GetSecurityErrorString(status));
status = -1;
}
return status;
return "paramErr";
case unimpErr:
return "unimpErr";
+#endif
+#ifndef HAVE_OPENSSL
/* SecBase.h: */
case errSecReadOnly:
return "errSecReadOnly";
#include <Security/SecBase.h>
+extern cert_status_t crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef);
extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef);
extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature, Boolean useSHA1);
extern SecCertificateRef crypto_cssm_x509cert_CreateSecCertificateRef (vchar_t *cert);
#include "config.h"
+#if ENABLE_DNSSEC_CERTS
+
#include <sys/types.h>
#include <sys/param.h>
#include <stdlib.h>
goto end;
}
+
+#endif /* ENABLE_DNSSEC_CERTS */
#ifndef _DNSSEC_H
#define _DNSSEC_H
+#include "config.h"
+
+#if ENABLE_DNSSEC_CERTS
+
extern cert_t *dnssec_getcert (vchar_t *);
+#endif /* ENABLE_DNSSEC_CERTS */
+
#endif /* _DNSSEC_H */
fsm_set_state(int *var, int state)
{
*var = state;
- plog(ASL_LEVEL_DEBUG, "****** state changed to: %s\n", s_isakmp_state(0, 0, state));
+ plog(ASL_LEVEL_NOTICE, "state changed to: %s\n", s_isakmp_state(0, 0, state));
}
#include "config.h"
+#if ENABLE_DNSSEC_CERTS
+
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser_compat.h>
+
+// Note: this is currently compiled out because ENABLE_DNSSEC_CERTS=0
+// TODO: switch to DNSServiceRef APIs before enabling
+#error "Need to switch to DNSServiceRef APIs before enabling"
#include <resolv.h>
+
#ifdef HAVE_LWRES_GETRRSETBYNAME
#include <lwres/netdb.h>
#include <lwres/lwres.h>
}
answer = p;
+ // Note: this is currently compiled out because ENABLE_DNSSEC_CERTS=0
+ // TODO: switch to DNSServiceRef APIs before enabling
+ #error "Need to switch to DNSServiceRef APIs before enabling"
+
anslen = res_query(name, C_IN, T_CERT, answer, buflen);
if (anslen == -1)
goto end;
exit(0);
}
#endif
+
+#endif /* ENABLE_DNSSEC_CERTS */
#include "debug.h"
#include "fsm.h"
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
#include "schedule.h"
#include "grabmyaddr.h"
#include "algorithm.h"
iph1->ping_sched = NULL;
#endif
iph1->is_dying = 0;
- plog(ASL_LEVEL_DEBUG, "*** New Phase 1\n");
+ plog(ASL_LEVEL_NOTICE, "New Phase 1\n");
return iph1;
}
LIST_FOREACH_SAFE(p, &session->ph1tree, ph1ofsession_chain, next) {
if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Skipping Phase 1 %s that's asserted...\n",
isakmp_pindex(&p->index, 0));
continue;
if (FSM_STATE_IS_ESTABLISHED(p->status)) {
if (ignore_estab_or_assert_handles &&
(ike_session_has_negoing_ph2(p->parent_session) || ike_session_has_established_ph2(p->parent_session))) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Skipping Phase 1 %s that's established... because it's needed by children Phase 2s\n",
isakmp_pindex(&p->index, 0));
continue;
}
/* send delete information */
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Got a Phase 1 %s to flush...\n",
isakmp_pindex(&p->index, 0));
isakmp_info_send_d1(p);
ike_session_t *session = NULL;
ike_session_t *next_session = NULL;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Flushing Phase 1 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles);
LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) {
p->retry_counter == 0
&& p->sce == 0 && p->scr == 0 &&
p->retry_checkph1 == 0){
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Zombie ph2 found, expiring it\n");
isakmp_ph2expire(p);
}else
iph2->phase2_type = type;
iph2->is_dying = 0;
- plog(ASL_LEVEL_DEBUG, "*** New Phase 2\n");
+ plog(ASL_LEVEL_NOTICE, "New Phase 2\n");
return iph2;
}
continue;
}
if (ignore_estab_or_assert_handles && p->parent_session && !p->parent_session->stopped_by_vpn_controller && p->parent_session->is_asserted) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"skipping phase2 handle that's asserted...\n");
continue;
}
if (FSM_STATE_IS_ESTABLISHED(p->status)){
if (ignore_estab_or_assert_handles) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"skipping ph2 handler that's established...\n");
continue;
}
/* send delete information */
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"got an established ph2 handler to flush...\n");
isakmp_info_send_d2(p);
}else{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"got a ph2 handler to flush (state %d)\n", p->status);
}
ike_session_t *session = NULL;
ike_session_t *next_session = NULL;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"flushing ph2 handles: ignore_estab_or_assert %d...\n", ignore_estab_or_assert_handles);
LIST_FOREACH_SAFE(session, &ike_session_tree, chain, next_session) {
}
continue;
zap_it:
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"deleteallph2: got a ph2 handler...\n");
if (FSM_STATE_IS_ESTABLISHED(iph2->status))
isakmp_info_send_d2(iph2);
cmpsaddrwop(dst, iph1->remote) != 0) {
continue;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"deleteallph1: got a ph1 handler...\n");
if (FSM_STATE_IS_ESTABLISHED(iph1->status))
isakmp_info_send_d1(iph1);
if (r->retry_counter <= 0) {
ike_session_rem_recvdpkt(r);
ike_session_del_recvdpkt(r);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"deleted the retransmission packet to %s.\n",
saddr2str((struct sockaddr *)remote));
} else {
continue;
}
if (cmpsaddrwop(remote, p2->dst) == 0) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"in %s... purging Phase 2 structures\n", __FUNCTION__);
if (FSM_STATE_IS_ESTABLISHED(p2->status))
isakmp_info_send_d2(p2);
continue;
}
if (cmpsaddrwop(remote, p->remote) == 0) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"in %s... purging Phase 1 and related Phase 2 structures\n", __FUNCTION__);
ike_session_purge_ph2s_by_ph1(p);
if (FSM_STATE_IS_ESTABLISHED(p->status))
isakmp_info_send_r_u(p);
status = 0;
} else {
- plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (dpd already in progress).\n");
+ plog(ASL_LEVEL_NOTICE, "Skipping forced-DPD for Phase 1 (dpd already in progress).\n");
}
if (p->parent_session) {
p->parent_session->controller_awaiting_peer_resp = 1;
}
} else {
- plog(ASL_LEVEL_DEBUG, "Skipping forced-DPD for Phase 1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n",
+ plog(ASL_LEVEL_NOTICE, "Skipping forced-DPD for Phase 1 (status %d, dying %d, dpd-support %d, dpd-interval %d).\n",
p->status, p->is_dying, p->dpd_support, p->rmconf->dpd_interval);
}
}
// do the ph1s.
LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) {
if (iph1->parent_session && iph1->parent_session->is_asserted) {
- plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's been asserted.\n",
+ plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 1 %s because it's been asserted.\n",
isakmp_pindex(&iph1->index, 0));
continue;
}
if (iph1->is_dying || FSM_STATE_IS_EXPIRED(iph1->status)) {
- plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 1 %s because it's already expired.\n",
+ plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 1 %s because it's already expired.\n",
isakmp_pindex(&iph1->index, 0));
continue;
}
fsm_set_state(&iph1->status, IKEV1_STATE_PHASE1_EXPIRED);
ike_session_update_ph1_ph2tree(iph1); // move unbind/rebind ph2s to from current ph1
iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
- plog(ASL_LEVEL_DEBUG, "Phase 1 %s expired while sleeping: quick deletion.\n",
+ plog(ASL_LEVEL_NOTICE, "Phase 1 %s expired while sleeping: quick deletion.\n",
isakmp_pindex(&iph1->index, 0));
}
}
// do ph2's next
LIST_FOREACH_SAFE(iph2, &session->ph2tree, ph2ofsession_chain, next_iph2) {
if (iph2->parent_session && iph2->parent_session->is_asserted) {
- plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's been asserted.\n");
+ plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 2 because it's been asserted.\n");
continue;
}
if (iph2->is_dying || FSM_STATE_IS_EXPIRED(iph2->status)) {
- plog(ASL_LEVEL_DEBUG, "Skipping sweep of Phase 2 because it's already expired.\n");
+ plog(ASL_LEVEL_NOTICE, "Skipping sweep of Phase 2 because it's already expired.\n");
continue;
}
if (iph2->sce) {
isakmp_ph2expire(iph2); // iph2 will go down 1 second later.
ike_session_stopped_by_controller(iph2->parent_session,
ike_session_stopped_by_sleepwake);
- plog(ASL_LEVEL_DEBUG, "Phase 2 expired while sleeping: quick deletion.\n");
+ plog(ASL_LEVEL_NOTICE, "Phase 2 expired while sleeping: quick deletion.\n");
}
}
}
ike_session_t *session;
if (!id) {
- plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
session->term_reason);
}
// do MessageTracer cleanup here
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Freeing IKE-Session to %s.\n",
saddr2str((struct sockaddr *)&session->session_id.remote));
LIST_REMOVE(session, chain);
if (!session_id)
return NULL;
- plog(ASL_LEVEL_DEBUG, "New IKE Session to %s.\n", saddr2str((struct sockaddr *)&session_id->remote));
+ plog(ASL_LEVEL_NOTICE, "New IKE Session to %s.\n", saddr2str((struct sockaddr *)&session_id->remote));
return new_ike_session(session_id);
}
int is_isakmp_remote_port;
if (!local || !remote) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
if (!iph1->parent_session->traffic_monitor.interv_idle) {
iph1->parent_session->traffic_monitor.interv_idle = iph1->rmconf->idle_timeout;
}
+
if (!iph1->parent_session->traffic_monitor.dir_idle) {
iph1->parent_session->traffic_monitor.dir_idle = iph1->rmconf->idle_timeout_dir;
}
-
+
if (!iph1->parent_session->traffic_monitor.interv_mon) {
int min_period, max_period, sample_period = 0;
{
if (!session || !iph1) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
ike_session_link_phase2 (ike_session_t *session, phase2_handle_t *iph2)
{
if (!iph2) {
- plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
if (iph2->parent_session) {
int error = 0;
if (!iph2) {
- plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "Invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
if (iph2->ph1) {
ike_session_t *session;
if (!iph1 || !iph1->parent_session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
ike_session_t *session;
if (!iph2 || !iph2->parent_session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
sched_scrub_param(iph2);
phase1_handle_t *new_iph1 = NULL;
if (!iph1) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
new_iph1 = ike_session_get_established_ph1(iph1->parent_session);
if (!new_iph1) {
- plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. NULL ph1.\n");
+ plog(ASL_LEVEL_NOTICE, "no ph1bind replacement found. NULL ph1.\n");
ike_session_unbind_all_ph2_from_ph1(iph1);
} else if (iph1 == new_iph1) {
- plog(ASL_LEVEL_DEBUG, "no ph1bind replacement found. same ph1.\n");
+ plog(ASL_LEVEL_NOTICE, "no ph1bind replacement found. same ph1.\n");
ike_session_unbind_all_ph2_from_ph1(iph1);
} else {
ike_session_rebind_all_ph12_to_new_ph1(iph1, new_iph1);
}
} else {
- plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__);
}
return new_iph1;
}
phase1_handle_t *iph1;
if (!iph2 || iph2->phase2_type != PHASE2_TYPE_SA) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
phase1_handle_t *p, *iph1 = NULL;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
phase1_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return NULL;
}
phase1_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase2_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase2_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
set_port(remote, extract_port(iph1->remote));
}
} else {
- plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__);
}
}
/* get traffic query from kernel */
if (pk_sendget_inbound_sastats(session) < 0) {
// log message
- plog(ASL_LEVEL_DEBUG, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "pk_sendget_inbound_sastats failed in %s.\n", __FUNCTION__);
}
if (pk_sendget_outbound_sastats(session) < 0) {
// log message
- plog(ASL_LEVEL_DEBUG, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "pk_sendget_outbound_sastats failed in %s.\n", __FUNCTION__);
}
session->traffic_monitor.sc_mon = sched_new(session->traffic_monitor.interv_mon,
ike_session_traffic_cop,
session);
} else {
// log message
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
}
}
if (session->traffic_monitor.dir_idle == IPSEC_DIR_INBOUND ||
session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) {
if (session->peer_sent_data_sc_idle) {
- plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because peer sent data. monitoring dir %d.\n",
- __FUNCTION__, session->traffic_monitor.dir_idle);
+ plog(ASL_LEVEL_NOTICE, "%s: restart idle-timeout because peer sent data. monitoring dir %d. idle timer %d s\n",
+ __FUNCTION__, session->traffic_monitor.dir_idle, session->traffic_monitor.interv_idle);
SCHED_KILL(session->traffic_monitor.sc_idle);
if (session->traffic_monitor.interv_idle) {
session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle,
if (session->traffic_monitor.dir_idle == IPSEC_DIR_OUTBOUND ||
session->traffic_monitor.dir_idle == IPSEC_DIR_ANY) {
if (session->i_sent_data_sc_idle) {
- plog(ASL_LEVEL_DEBUG, "%s: restart idle-timeout because i sent data. monitoring dir %d.\n",
- __FUNCTION__, session->traffic_monitor.dir_idle);
+ plog(ASL_LEVEL_NOTICE, "%s: restart idle-timeout because i sent data. monitoring dir %d. idle times %d s\n",
+ __FUNCTION__, session->traffic_monitor.dir_idle, session->traffic_monitor.interv_idle);
SCHED_KILL(session->traffic_monitor.sc_idle);
if (session->traffic_monitor.interv_idle) {
session->traffic_monitor.sc_idle = sched_new(session->traffic_monitor.interv_idle,
ike_session_ph2_established (phase2_handle_t *iph2)
{
if (!iph2->parent_session || iph2->phase2_type != PHASE2_TYPE_SA) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
SCHED_KILL(iph2->parent_session->sc_xauth);
#ifdef ENABLE_VPNCONTROL_PORT
vpncontrol_notify_peer_resp_ph2(1, iph2);
#endif /* ENABLE_VPNCONTROL_PORT */
- plog(ASL_LEVEL_DEBUG, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid);
+ plog(ASL_LEVEL_NOTICE, "%s: ph2 established, spid %d\n", __FUNCTION__, iph2->spid);
}
void
session = new_iph1->parent_session;
if (!session || !new_iph1 || !old_iph1 || session != old_iph1->parent_session || new_iph1 == old_iph1) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
STRDUP_FATAL(local);
STRDUP_FATAL(remote);
STRDUP_FATAL(index);
- plog(ASL_LEVEL_DEBUG, "ISAKMP-SA %s-%s (spi:%s) needs to be deleted, replaced by (spi:%s)\n", local, remote, index, isakmp_pindex(&new_iph1->index, 0));
+ plog(ASL_LEVEL_NOTICE, "ISAKMP-SA %s-%s (spi:%s) needs to be deleted, replaced by (spi:%s)\n", local, remote, index, isakmp_pindex(&new_iph1->index, 0));
racoon_free(local);
racoon_free(remote);
racoon_free(index);
char *local, *remote;
if (!session || !new_iph1 || session != new_iph1->parent_session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
remote = racoon_strdup(saddr2str((struct sockaddr *)p->remote));
STRDUP_FATAL(local);
STRDUP_FATAL(remote);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"ISAKMP-SA needs to be deleted %s-%s spi:%s\n",
local, remote, isakmp_pindex(&p->index, 0));
racoon_free(local);
phase2_handle_t *p, *next;
if (!session || !new_iph2 || session != new_iph2->parent_session || new_iph2->phase2_type != PHASE2_TYPE_SA) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
p->is_dying = 1;
//log deletion
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"IPsec-SA needs to be deleted: %s\n",
sadbsecas2str(p->src, p->dst,
p->satype, p->spid, 0));
const char *reason)
{
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
if (session->stop_timestamp.tv_sec ||
session->stop_timestamp.tv_usec) {
- plog(ASL_LEVEL_DEBUG, "already stopped %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "already stopped %s.\n", __FUNCTION__);
return;
}
session->stopped_by_vpn_controller = 1;
ike_session_t *next_session = NULL;
if (!remote) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
phase1_handle_t *next_iph1 = NULL;
LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) {
- plog(ASL_LEVEL_DEBUG, "deleteallph1 of given session: got a ph1 handler...\n");
+ plog(ASL_LEVEL_NOTICE, "deleteallph1 of given session: got a ph1 handler...\n");
vpncontrol_notify_ike_failed(VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN, FROM_REMOTE,
iph1_get_remote_v4_address(iph1), 0, NULL);
phase2_handle_t *p, *next;
if (!iph1 || !iph1->parent_session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
p->is_dying = 1;
//log deletion
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"IPsec-SA needs to be purged: %s\n",
sadbsecas2str(p->src, p->dst,
p->satype, p->spid, 0));
set_port(iph2->src, extract_port(local));
set_port(iph2->dst, extract_port(remote));
} else {
- plog(ASL_LEVEL_DEBUG, "invalid parent session in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "invalid parent session in %s.\n", __FUNCTION__);
}
}
phase2_handle_t *iph2;
if (!session || !seq || !stats || !max_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) {
- plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid args in %s.\n", __FUNCTION__);
return found;
}
int i, j, found = 0, idle = 1;
if (!session || !new_stats || (dir != IPSEC_DIR_INBOUND && dir != IPSEC_DIR_OUTBOUND)) {
- plog(ASL_LEVEL_DEBUG, "invalid args in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid args in %s.\n", __FUNCTION__);
return;
}
if (!session->established || session->stopped_by_vpn_controller || session->stop_timestamp.tv_sec || session->stop_timestamp.tv_usec) {
- plog(ASL_LEVEL_DEBUG, "dropping update on invalid session in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_NOTICE, "dropping update on invalid session in %s.\n", __FUNCTION__);
return;
}
// new SA.... check for any activity
if (!found) {
if (new_stats[i].lft_c.sadb_lifetime_bytes) {
- plog(ASL_LEVEL_DEBUG, "new SA: dir %d....\n", dir);
+ plog(ASL_LEVEL_NOTICE, "new SA: dir %d....\n", dir);
idle = 0;
}
}
phase2_handle_t *next_iph2 = NULL;
phase1_handle_t *iph1 = NULL;
phase1_handle_t *next_iph1 = NULL;
+ nw_nat64_prefix_t nat64_prefix;
if (!session)
return;
+ memset(&nat64_prefix, 0, sizeof(nat64_prefix));
session->is_dying = 1;
ike_session_stopped_by_controller(session, reason);
// do the ph1s last.
LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) {
+
+ if (iph1->nat64_prefix.length > 0) {
+ memcpy(&nat64_prefix, &iph1->nat64_prefix, sizeof(nat64_prefix));
+ }
+
if (FSM_STATE_IS_ESTABLISHED(iph1->status)) {
isakmp_info_send_d1(iph1);
}
// send ipsecManager a notification
if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect
&& reason != ike_session_stopped_by_controller_comm_lost) {
- u_int32_t address;
+ u_int32_t address = 0;
if ((&session->session_id.remote)->ss_family == AF_INET) {
address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr;
} else {
- address = 0;
+ if (nat64_prefix.length > 0) {
+ struct in_addr inaddr;
+ nw_nat64_extract_v4(&nat64_prefix,
+ &((struct sockaddr_in6 *)&session->session_id.remote)->sin6_addr,
+ &inaddr);
+ address = inaddr.s_addr;
+ }
}
// TODO: log
if (reason == ike_session_stopped_by_idle) {
phase1_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase1_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase2_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase2_handle_t *p;
if (!session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return 0;
}
phase1_handle_t *next_iph1 = NULL;
if (!iph2 || !iph2->parent_session) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
time_t now = time(NULL);
if ((now - session->last_time_data_sc_detected) > (session->traffic_monitor.interv_mon << 1)) {
- plog(ASL_LEVEL_DEBUG, "btmm session is idle: drop ph%drekey.\n",
+ plog(ASL_LEVEL_NOTICE, "btmm session is idle: drop ph%drekey.\n",
rekey_type);
return 1;
}
if (rekey_type == IKE_SESSION_REKEY_TYPE_PH1 &&
!ike_session_has_negoing_ph2(session) && !ike_session_has_established_ph2(session)) {
// for vpn: only drop ph1 if there are no more ph2s.
- plog(ASL_LEVEL_DEBUG, "vpn session is idle: drop ph1 rekey.\n");
+ plog(ASL_LEVEL_NOTICE, "vpn session is idle: drop ph1 rekey.\n");
return 1;
}
}
// flag session as dying if all ph1/ph2 are dead/dying
LIST_FOREACH_SAFE(p, &ike_session_tree, chain, next_session) {
if (p->is_dying) {
- plog(ASL_LEVEL_DEBUG, "skipping sweep of dying session.\n");
+ plog(ASL_LEVEL_NOTICE, "skipping sweep of dying session.\n");
continue;
}
SCHED_KILL(p->sc_xauth);
// for asserted session, traffic monitors will be restared after phase2 becomes established.
SCHED_KILL(p->traffic_monitor.sc_mon);
SCHED_KILL(p->traffic_monitor.sc_idle);
- plog(ASL_LEVEL_DEBUG, "skipping sweep of asserted session.\n");
+ plog(ASL_LEVEL_NOTICE, "skipping sweep of asserted session.\n");
continue;
}
// cleanup any stopped sessions as they will go down
if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) {
- plog(ASL_LEVEL_DEBUG, "sweeping stopped session.\n");
+ plog(ASL_LEVEL_NOTICE, "sweeping stopped session.\n");
ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
continue;
}
if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) {
- plog(ASL_LEVEL_DEBUG, "session died while sleeping.\n");
+ plog(ASL_LEVEL_NOTICE, "session died while sleeping.\n");
ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
continue;
}
phase1_handle_t *iph1_next = NULL;
if (!session || session->is_dying) {
- plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
if (pr->ok) {
//log deletion
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Assert: Phase 2 %s deleted\n",
sadbsecas2str(iph2->src, iph2->dst, iph2->satype, iph2->spid, ipsecdoi2pfkey_mode(pr->encmode)));
iph1->is_dying = 1;
//log deletion
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Assert: Phase 1 %s deleted\n",
isakmp_pindex(&iph1->index, 0));
ike_session_t *sess;
if (!local || !remote) {
- plog(ASL_LEVEL_DEBUG, "invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return -1;
}
*
* in all these cases, one sure way to know is to trigger a phase1 rekey early.
*/
- plog(ASL_LEVEL_DEBUG, "Many Phase 2 retransmits: try Phase 1 rekey and this Phase 2 to quit earlier.\n");
+ plog(ASL_LEVEL_NOTICE, "Many Phase 2 retransmits: try Phase 1 rekey and this Phase 2 to quit earlier.\n");
isakmp_ph1rekeyexpire(iph2->ph1, TRUE);
iph2->retry_counter = 0;
}
!ike_session_has_other_negoing_ph1(iph1->parent_session, iph1)) {
num_retransmits = iph1->rmconf->retry_counter - iph1->retry_counter;
if (num_retransmits == 3) {
- plog(ASL_LEVEL_DEBUG, "Many Phase 1 retransmits: try quit earlier.\n");
+ plog(ASL_LEVEL_NOTICE, "Many Phase 1 retransmits: try quit earlier.\n");
iph1->retry_counter = 0;
}
}
oakley_delivm(iph2->ivm);
if (FSM_STATE_IS_ESTABLISHED(new_ph1->status)) {
iph2->ivm = oakley_newiv2(new_ph1, iph2->msgid);
- plog(ASL_LEVEL_DEBUG, "Phase 1-2 binding changed... recalculated ivm.\n");
+ plog(ASL_LEVEL_NOTICE, "Phase 1-2 binding changed... recalculated ivm.\n");
} else {
iph2->ivm = NULL;
}
phase2_handle_t *next = NULL;
if (old_iph1 == new_iph1 || !old_iph1 || !new_iph1) {
- plog(ASL_LEVEL_DEBUG, "Invalid parameters in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "invalid parameters in %s.\n", __FUNCTION__);
return;
}
if (old_iph1->parent_session != new_iph1->parent_session) {
- plog(ASL_LEVEL_DEBUG, "Invalid parent sessions in %s.\n", __FUNCTION__);
+ plog(ASL_LEVEL_ERR, "Invalid parent sessions in %s.\n", __FUNCTION__);
return;
}
// IKEv1 sends encode mode in SA - uses diferent codes when NATT being used
#ifdef ENABLE_NATT
if (iph2->ph1->natt_flags & NAT_DETECTED) {
- plog (ASL_LEVEL_INFO, "NAT detected -> UDP encapsulation\n");
+ plog (ASL_LEVEL_NOTICE, "NAT detected -> UDP encapsulation\n");
b->udp_encap = 1;
if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1) {
int udp_diff = iph2->ph1->natt_options->mode_udp_diff;
#define IDTYPE_LOGIN 6
#define IDTYPE_SUBNET 7
#define IDTYPE_KEYIDUSE 8
-#define IDTYPE_MAX IDTYPE_KEYIDUSE
+#define IDTYPE_MAX IDTYPE_KEYIDUSE + 1
/* shared secret type, it's internal use. */
#define SECRETTYPE_USE 0
#include <unistd.h>
#endif
#include <ctype.h>
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#include "var.h"
#include "misc.h"
int error = -1;
if (slept_at || woke_at) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_DEBUG, /* this log is high volume */
"ignoring isakmp port until power-mgmt event is handled.\n");
return;
}
session = ike_session_get_session(local, remote, 1, NULL);
}
if (!session) {
- plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n");
+ plog (ASL_LEVEL_NOTICE, "failed to allocate or find ike session.\n");
fatal_error(-1);
}
IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
CONSTSTR("Malformed or unexpected cookie"),
CONSTSTR("Failed to process packet (malformed/unexpected cookie)"));
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Malformed cookie received or "
"the initiator's cookies collide.\n");
return;
iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
/* print some neat info */
- plog (ASL_LEVEL_INFO,
+ plog (ASL_LEVEL_NOTICE,
"NAT-T: ports changed to: %s\n",
saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local));
}
if (memcmp(&isakmp->r_ck, r_ck0,
sizeof(cookie_t)) != 0) {
- plog(ASL_LEVEL_DEBUG, "Malformed cookie received "
+ plog(ASL_LEVEL_NOTICE, "Malformed cookie received "
"or the spi expired.\n");
return;
}
if (session == NULL) {
session = ike_session_get_session(local, remote, 1, NULL);
if (!session) {
- plog (ASL_LEVEL_INFO, "failed to allocate or find ike session.\n");
+ plog (ASL_LEVEL_NOTICE, "failed to allocate or find ike session.\n");
fatal_error(-1);
}
}
}
if (ike_session_link_phase1(session, iph1) != 0) {
- plog(ASL_LEVEL_DEBUG, "Failed to link ph1 to session\n");
+ plog(ASL_LEVEL_NOTICE, "Failed to link ph1 to session\n");
ike_session_delph1(iph1);
return -1;
}
a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
STRDUP_FATAL(a);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"initiate new phase 1 negotiation: %s<=>%s\n",
a, saddr2str((struct sockaddr *)iph1->remote));
racoon_free(a);
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"begin %s mode.\n",
s_isakmp_etype(iph1->etype));
iph1->version = isakmp->v;
iph1->msgid = 0;
- if (iph1->etype == ISAKMP_ETYPE_IDENT)
+ if (iph1->etype == ISAKMP_ETYPE_IDENT) {
fsm_set_state(&iph1->status, IKEV1_STATE_IDENT_R_START);
- else if (iph1->etype == ISAKMP_ETYPE_AGG)
+ } else if (iph1->etype == ISAKMP_ETYPE_AGG) {
fsm_set_state(&iph1->status, IKEV1_STATE_AGG_R_START);
- else
+ } else {
+ ike_session_delph1(iph1);
return -1;
+ }
#ifdef ENABLE_HYBRID
a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
STRDUP_FATAL(a);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"respond new phase 1 negotiation: %s<=>%s\n",
a, saddr2str((struct sockaddr *)iph1->remote));
racoon_free(a);
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"begin %s mode.\n", s_isakmp_etype(etype));
#ifdef ENABLE_STATS
a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
STRDUP_FATAL(a);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"initiate new phase 2 negotiation: %s<=>%s\n",
a, saddr2str((struct sockaddr *)iph2->dst));
racoon_free(a);
a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
STRDUP_FATAL(a);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"respond new phase 2 negotiation: %s<=>%s\n",
a, saddr2str((struct sockaddr *)iph2->dst));
racoon_free(a);
} else {
memcpy(raddr->v, &addr->redirect_address, sizeof(u_int32_t));
(void)isakmp_info_send_n1(iph1, ISAKMP_NTYPE_LOAD_BALANCE, raddr);
- plog(ASL_LEVEL_DEBUG, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address));
+ plog(ASL_LEVEL_NOTICE, "sent redirect notification - address = %x.\n", ntohl(addr->redirect_address));
vfree(raddr);
if (addr->force) {
(void)ike_session_update_ph1_ph2tree(iph1);
if (tlen <= sizeof(struct isakmp_gen)) {
/* don't send information, see isakmp_ident_r1() */
plog(ASL_LEVEL_ERR,
- "invalid length of payload\n");
+ "isakmp_parsewoh invalid length of payload (1)\n");
vfree(result);
return NULL;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
p->type = np;
p->len = ntohs(gen->len);
if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
- plog(ASL_LEVEL_DEBUG,
- "invalid length of payload\n");
+ plog(ASL_LEVEL_NOTICE,
+ "isakmp_parsewoh invalid length of payload (2)\n");
vfree(result);
return NULL;
}
off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v;
result = vrealloc(result, result->l * 2);
if (result == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"failed to realloc buffer.\n");
vfree(result);
return NULL;
IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
p->addr)->sin6_addr))
{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Ignoring multicast address %s\n",
saddr2str((struct sockaddr *)p->addr));
racoon_free(p->addr);
dispatch_release(the_source);
}); dispatch_resume(p->source);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"%s used as isakmp port (fd=%d)\n",
saddr2str((struct sockaddr *)p->addr), p->sock);
continue;
CONSTSTR(NULL));
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Resend Phase 1 packet %s\n",
isakmp_pindex(&iph1->index, iph1->msgid));
CONSTSTR(NULL));
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Resend Phase 2 packet %s\n",
isakmp_pindex(&iph2->ph1->index, iph2->msgid));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"ISAKMP-SA expired %s-%s spi:%s\n",
src, dst,
isakmp_pindex(&iph1->index, 0));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"ISAKMP-SA rekey-timer expired %s-%s spi:%s\n",
src, dst,
isakmp_pindex(&iph1->index, 0));
// exit if there is another ph1 that is established (with a pending rekey timer)
if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Request for ISAKMP-SA rekey was ignored "
"due to another established ph1.\n");
return;
if (rmconf) {
/* begin quick mode */
- plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n");
+ plog(ASL_LEVEL_NOTICE, "Begin Phase 1 rekey.\n");
/* start phase 1 negotiation as a initiator. */
if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) {
- plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n");
+ plog(ASL_LEVEL_NOTICE, "Phase 1 rekey Failed.\n");
}
iph1->is_rekey = TRUE;
} else {
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"ISAKMP-SA rekey failed... retrying %s-%s spi:%s\n",
src, dst,
isakmp_pindex(&iph1->index, 0));
racoon_free(dst);
if (ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"request for ISAKMP-SA rekey was ignored "
"due to idleness.\n");
return 0;
// exit if there is another ph1 that is established (with a pending rekey timer)
if (ike_session_has_other_established_ph1(iph1->parent_session, iph1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"request to retry ISAKMP-SA rekey was ignored "
"due to another established ph1.\n");
return -1;
rmconf = getrmconf(iph1->remote);
if (rmconf) {
/* begin quick mode */
- plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n");
+ plog(ASL_LEVEL_NOTICE, "begin Phase 1 rekey retry.\n");
/* start phase 1 negotiation as a initiator. */
if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) {
- plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n");
+ plog(ASL_LEVEL_NOTICE, "Phase 1 rekey retry Failed.\n");
return -1;
}
iph1->is_rekey = TRUE;
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
+ "ISAKMP-SA deleted spi:%s\n",
+ isakmp_pindex(&iph1->index, 0));
+ plog(ASL_LEVEL_DEBUG,
"ISAKMP-SA deleted %s-%s spi:%s\n",
src, dst, isakmp_pindex(&iph1->index, 0));
racoon_free(src);
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Phase 2 sa expired %s-%s\n", src, dst);
racoon_free(src);
racoon_free(dst);
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Phase 2 sa deleted %s-%s\n", src, dst);
racoon_free(src);
racoon_free(dst);
}
/* if passive mode, ignore the acquire message */
if (rmconf->passive) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Because of passive mode, ignore the acquire message for %s.\n",
saddrwop2str((struct sockaddr *)iph2->dst));
return 0;
// what if there is another ph2 that is negotiating
if (ike_session_has_other_negoing_ph2(iph2->parent_session, iph2)) {
// TODO: postpone this rekey for a second later
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Request for establishing IPsec-SA was ignored due to another negoing ph2.\n");
return -1;
}
/* start phase 1 negotiation as a initiator. */
sched_new(1, isakmp_chkph1there_stub, iph2);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"IPsec-SA request for %s queued due to no Phase 1 found.\n",
saddrwop2str((struct sockaddr *)iph2->dst));
// exit if there is another ph1 that is established (with a pending rekey timer)
if (ike_session_has_negoing_ph1(iph2->parent_session)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Request for Phase 1 was ignored due to another negotiating Phase 1.\n");
return 0;
}
if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, &iph2->nat64_prefix) < 0) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Request for Phase 1 failed. Will try later.\n");
}
return 0;
if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
iph2->retry_checkph1 = lcconf->retry_checkph1;
sched_new(1, isakmp_chkph1there_stub, iph2);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Request for establishing IPsec-SA was queued due to no phase1 found.\n");
return 0;
/*NOTREACHED*/
/* found ISAKMP-SA. */
/* begin quick mode */
- plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n");
+ plog(ASL_LEVEL_NOTICE, "Begin QUICK mode.\n");
if (ikev1_ph2begin_i(iph1, iph2))
return -1;
return 0;
if ((iph2->version == ISAKMP_VERSION_NUMBER_IKEV1 && iph2->status != IKEV1_STATE_QUICK_I_START) ||
iph2->is_dying) {
- plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying);
+ plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: ph2 handle has advanced too far (status %d, START %d, dying %d)... ignoring\n", iph2->status, IKEV1_STATE_QUICK_I_START, iph2->is_dying);
return;
}
sadbsecas2str(iph2->dst, iph2->src,
iph2->satype, 0, 0));
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"delete Phase 2 handler.\n");
/* send acquire to kernel as error */
/* start phase 1 negotiation as a initiator. */
if (rmconf) {
if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, iph1 != NULL ? &iph1->nat64_prefix : NULL) < 0) {
- plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
+ plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
}
} else if (rmconf == NULL) {
- plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n");
+ plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n");
}
}
- plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established ph1 handler found\n");
+ plog(ASL_LEVEL_NOTICE, "CHKPH1THERE: no established ph1 handler found\n");
/* no isakmp-sa found */
sched_new(1, isakmp_chkph1there_stub, iph2);
}
#ifdef ENABLE_NATT
if ( port != NULL && *port == htons(lcconf->port_isakmp_natt) ) {
- plog (ASL_LEVEL_DEBUG, "Marking ports as changed\n");
+ plog (ASL_LEVEL_NOTICE, "Marking ports as changed\n");
iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
}
#endif
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
- plog(ASL_LEVEL_INFO,
- "ISAKMP-SA established %s-%s spi:%s\n",
- src, dst,
+ plog(ASL_LEVEL_NOTICE,
+ "ISAKMP-SA established spi:%s\n",
isakmp_pindex(&iph1->index, 0));
+ plog(ASL_LEVEL_DEBUG,
+ "ISAKMP-SA established %s-%s spi:%s\n",
+ src, dst,
+ isakmp_pindex(&iph1->index, 0));
racoon_free(src);
racoon_free(dst);
phase2_handle_t *iph2;
phase1_handle_t *new_iph1;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purging ISAKMP-SA spi=%s.\n",
isakmp_pindex(&(iph1->index), iph1->msgid));
*/
buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
if (buf == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey_dump_sadb returned nothing.\n");
return;
}
if (iph2 == NULL) {
/* No handler... still send a pfkey_delete message, but log this !*/
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Unknown IPsec-SA spi=%u, hmmmm?\n",
ntohl(sa->sadb_sa_spi));
}else{
/* If the ph2handle is established, do not purge IPsec-SA */
if (FSM_STATE_IS_ESTABLISHED_OR_EXPIRED(iph2->status)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
ntohl(sa->sadb_sa_spi),
isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
ike_session_unlink_phase2(iph2);
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purged IPsec-SA spi=%u.\n",
ntohl(sa->sadb_sa_spi));
vfree(buf);
/* Mark the phase1 handler as EXPIRED */
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purged ISAKMP-SA spi=%s.\n",
isakmp_pindex(&(iph1->index), iph1->msgid));
int error;
int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"generated policy, deleting it.\n");
memset(&u.spidx, 0, sizeof(u.spidx));
} else {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Get a destination address of SP index "
"from Phase 1 address "
"due to no ID payloads found "
}
} else {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Get a source address of SP index "
"from Phase 1 address "
"due to no ID payloads found "
#undef _XIDT
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
+ "get src/dst address from ID payload "
+ "prefixlen=%u ul_proto=%u\n",
+ u.spidx.prefs, u.spidx.ul_proto);
+ plog(ASL_LEVEL_DEBUG,
"get a src address from ID payload "
"%s prefixlen=%u ul_proto=%u\n",
saddr2str((struct sockaddr *)&u.spidx.src),
u.spidx.prefs, u.spidx.ul_proto);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_DEBUG,
"get dst address from ID payload "
"%s prefixlen=%u ul_proto=%u\n",
saddr2str((struct sockaddr *)&u.spidx.dst),
plog(ASL_LEVEL_ERR,
"pfkey spddelete(inbound) failed.\n");
}else{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey spddelete(inbound) sent.\n");
}
plog(ASL_LEVEL_ERR,
"pfkey spddelete(forward) failed.\n");
}else{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey spddelete(forward) sent.\n");
}
}
plog(ASL_LEVEL_ERR,
"pfkey spddelete(outbound) failed.\n");
}else{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey spddelete(outbound) sent.\n");
}
purge:
cptr = notp_ini->v + sizeof(struct isakmp_pl_n) - sizeof(struct isakmp_gen);
memcpy(cptr, &iph1->index, sizeof(isakmp_index));
plist = isakmp_plist_append(plist, notp_ini, ISAKMP_NPTYPE_N);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"added initial-contact payload.\n");
/* insert a node into contacted list. */
return NULL;
}
} else {
- plog(ASL_LEVEL_DEBUG, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n",
+ plog(ASL_LEVEL_NOTICE, "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n",
iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, ike_session_getcontacted(iph1->remote)? 1:0);
}
return NULL;
#include "schedule.h"
#include "debug.h"
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
#include "fsm.h"
#include "localconf.h"
#include "remoteconf.h"
if (isakmp_p2ph (&natd->payload, pa->ptr) < 0) {
plog(ASL_LEVEL_ERR,
"failed to process NATD payload");
+ racoon_free(natd);
goto end;
}
struct natd_payload *natd = NULL;
int natd_verified;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
natd_verified = natt_compare_addr_hash (iph1,
natd->payload, natd->seq);
- plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
natd->seq - 1,
natd_verified ? "verified" : "doesn't match");
racoon_free (natd);
}
- plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
iph1->natt_flags & NAT_DETECTED ?
"detected:" : "not detected",
iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
#ifdef ENABLE_NATT
/* generate NAT-D payloads */
if (NATT_AVAILABLE(iph1)) {
- plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
+ plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(ASL_LEVEL_ERR,
"NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
ike_session_update_natt_version(iph1);
vid_natt = set_vendorid(iph1->natt_options->version);
/* generate NAT-D payloads */
- plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
+ plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(ASL_LEVEL_ERR,
"NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
#ifdef ENABLE_HYBRID
if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n");
+ plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n");
if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
plog(ASL_LEVEL_ERR,
"Cannot create Xauth vendor ID\n");
natd_verified = natt_compare_addr_hash (iph1,
natd_received, natd_seq++);
- plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
natd_seq - 1,
natd_verified ? "verified" : "doesn't match");
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1))
- plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
iph1->natt_flags & NAT_DETECTED ?
"detected:" : "not detected",
iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
#include <stdint.h>
#endif
#include <ctype.h>
-#include <resolv.h>
#include "var.h"
#include "misc.h"
return;
}
- plog(ASL_LEVEL_DEBUG, "MODE_CFG packet\n");
+ plog(ASL_LEVEL_NOTICE, "MODE_CFG packet\n");
/* Now work with the decrypted packet */
packet = (struct isakmp *)dmsg->v;
{
int type = attrpl->type;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
switch (type) {
case ISAKMP_CFG_ACK:
reply->type = ISAKMP_CFG_REPLY;
reply->id = attrpl->id;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG REPLY\n");
error = isakmp_cfg_send(iph1, payload,
reply->type = ISAKMP_CFG_ACK;
reply->id = attrpl->id;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG ACK\n");
error = isakmp_cfg_send(iph1, payload,
isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
#endif
- plog(ASL_LEVEL_DEBUG, "MODE_CFG packet to send\n");
+ plog(ASL_LEVEL_NOTICE, "MODE_CFG packet to send\n");
/* encoding */
if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
}
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"sendto mode config %s.\n", s_isakmp_nptype(np));
/*
isakmp_cfg_config.port_pool[i].used = 1;
- plog(ASL_LEVEL_INFO, "Using port %d\n", i);
+ plog(ASL_LEVEL_NOTICE, "Using port %d\n", i);
iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
iph1->mode_cfg->port = i;
isakmp_cfg_config.port_pool[index].used = 0;
iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
- plog(ASL_LEVEL_INFO, "Released port %d\n", index);
+ plog(ASL_LEVEL_NOTICE, "Released port %d\n", index);
return 0;
}
}
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Sending MODE_CFG REQUEST\n");
error = isakmp_cfg_send(iph1, buffer,
if (size == isakmp_cfg_config.pool_size)
return 0;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Resize address pool from %zu to %d\n",
isakmp_cfg_config.pool_size, size);
#include "racoon_types.h"
-#include <resolv.h>
/* For the wins servers -- XXX find the value somewhere ? */
#define MAXWINS 4
+#ifndef MAXNS
+#define MAXNS 3
+#endif
+
/*
* Global configuration for ISAKMP mode confiration address allocation
* Read from the mode_cfg section of racoon.conf
#include "nattraversal.h"
#endif
#ifdef ENABLE_HYBRID
-#include <resolv.h>
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#endif
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
ike_session_update_natt_version(iph1);
natd_verified = natt_compare_addr_hash (iph1,
natd_received, natd_seq++);
- plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
natd_seq - 1,
natd_verified ? "verified" : "doesn't match");
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1)) {
- plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
iph1->natt_flags & NAT_DETECTED ?
"detected:" : "not detected",
iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Selected NAT-T version: %s\n",
vid_string_by_id(iph1->natt_options->version));
ike_session_update_natt_version(iph1);
#ifdef ENABLE_HYBRID
if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- plog (ASL_LEVEL_INFO, "Adding xauth VID payload.\n");
+ plog (ASL_LEVEL_NOTICE, "Adding xauth VID payload.\n");
if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
plog(ASL_LEVEL_ERR,
"Cannot create Xauth vendor ID\n");
natd_verified = natt_compare_addr_hash (iph1,
natd_received, natd_seq++);
- plog (ASL_LEVEL_INFO, "NAT-D payload #%d %s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT-D payload #%d %s\n",
natd_seq - 1,
natd_verified ? "verified" : "doesn't match");
#ifdef ENABLE_NATT
if (NATT_AVAILABLE(iph1))
- plog (ASL_LEVEL_INFO, "NAT %s %s%s\n",
+ plog (ASL_LEVEL_NOTICE, "NAT %s %s%s\n",
iph1->natt_flags & NAT_DETECTED ?
"detected:" : "not detected",
iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
goto end;
}
- plog (ASL_LEVEL_INFO, "Adding remote and local NAT-D payloads.\n");
+ plog (ASL_LEVEL_NOTICE, "Adding remote and local NAT-D payloads.\n");
/* old Apple version sends natd payloads in the wrong order */
if (iph1->natt_options->version == VENDORID_NATT_APPLE) {
plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
# include <time.h>
# endif
#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#include "libpfkey.h"
}
spi = val2str((char *)(notify + 1), notify->spi_size);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"notification message ISAKMP-SA RESPONDER-LIFETIME, "
"doi=%d proto_id=%d spi=%s(size=%d).\n",
ntohl(notify->doi), notify->proto_id, spi, notify->spi_size);
}
spi = val2str((char *)(notify + 1), notify->spi_size);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"notification message IPSEC-SA RESPONDER-LIFETIME, "
"doi=%d proto_id=%d spi=%s(size=%d).\n",
ntohl(notify->doi), notify->proto_id, spi, notify->spi_size);
int flag = 0;
int disconnect = 0;
- plog(ASL_LEVEL_DEBUG, "receive Information.\n");
+ plog(ASL_LEVEL_NOTICE, "receive Information.\n");
encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
msgid = ((struct isakmp *)msg0->v)->msgid;
}
spi = val2str((char *)(notify + 1), notify->spi_size);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Notification message %d:%s, "
"doi=%d proto_id=%d spi=%s(size=%d).\n",
type, s_isakmp_notify_msg(type),
return 0;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"delete payload for protocol %s\n",
s_ipsecdoi_proto(delete->proto_id));
#endif
if (del_ph1->rmconf->natt_multiple_user &&
del_ph1->parent_session->is_l2tpvpn_ipsec) {
- plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n");
+ plog(ASL_LEVEL_NOTICE, "Ignoring IKE delete from peer for L2TP server\n");
break;
}
isakmp_ph1expire(del_ph1);
if (iph2 != NULL) {
iph2->is_defunct = 1;
- plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n");
+ plog(ASL_LEVEL_NOTICE, "Ignoring SA delete from peer for L2TP server\n");
break;
}
}
return 0;
}
- plog(ASL_LEVEL_DEBUG, "purged SAs.\n");
+ plog(ASL_LEVEL_NOTICE, "purged SAs.\n");
return 0;
}
IPSECSESSIONEVENTCODE_IKEV1_INFO_NOTICE_TX_FAIL,
CONSTSTR("Delete IPSEC-SA"),
CONSTSTR("Failed to transmit Delete-IPSEC-SA message"));
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"No ph1 handler found, could not send DELETE_SA\n");
return 0;
}
goto err;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"sendto Information %s.\n", s_isakmp_nptype(np));
/*
buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
if (buf == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey_dump_sadb returned nothing.\n");
return;
}
}
}
- plog(ASL_LEVEL_INFO, "Purged IPsec-SA proto_id=%s spi=%u.\n",
+ plog(ASL_LEVEL_NOTICE, "Purged IPsec-SA proto_id=%s spi=%u.\n",
s_ipsecdoi_proto(proto),
ntohl(spi[i]));
}
for (i = 0; i < pfkey_nsatypes; i++) {
proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purging %s SAs for %s -> %s\n",
pfkey_satypes[i].ps_name, loc, rem);
if (pfkey_send_delete_all(lcconf->sock_pfkey,
ike_session_deleteallph2(iph1->local, iph1->remote, proto_id);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purging %s SAs for %s -> %s\n",
pfkey_satypes[i].ps_name, rem, loc);
if (pfkey_send_delete_all(lcconf->sock_pfkey,
buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
if (buf == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"pfkey_dump_sadb returned nothing.\n");
return;
}
continue;
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
pfkey_send_delete(lcconf->sock_pfkey,
msg->sadb_msg_satype,
{
struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Notify Message received\n");
switch (ntohs(notify->type)) {
{
struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Phase 2 Notify Message received\n");
switch (ntohs(notify->type)) {
if (iph1->side != INITIATOR)
{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"LOAD-BALANCE notification ignored - we are not the initiator.\n");
return 0;
}
if (!encrypted) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"LOAD-BALANCE notification ignored - not protected.\n");
return 0;
}
if (ntohs(n->h.len) != sizeof(struct isakmp_pl_lb)) {
- plog(ASL_LEVEL_DEBUG,
- "Invalid length of payload\n");
+ plog(ASL_LEVEL_NOTICE,
+ "isakmp_info_recv_lb Invalid length of payload\n");
return -1;
}
"Received LOAD_BALANCE notification.\n");
if (((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr != ntohl(n->address)) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"Deleting old Phase 1 because of LOAD_BALANCE notification - redirect address=%x.\n",
ntohl(n->address));
int tlen;
int error = 0;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"DPD R-U-There received\n");
/* XXX should compare cookies with iph1->index?
CONSTSTR(NULL));
}
- plog(ASL_LEVEL_DEBUG, "received a valid R-U-THERE, ACK sent\n");
+ plog(ASL_LEVEL_NOTICE, "received a valid R-U-THERE, ACK sent\n");
/* Should we mark tunnel as active ? */
return error;
isakmp_info_recv_r_u_ack (phase1_handle_t *iph1, struct isakmp_pl_ru *ru, u_int32_t msgid)
{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"DPD R-U-There-Ack received\n");
/* XXX Maintain window of acceptable sequence numbers ?
CONSTSTR("Responder DPD Response"),
CONSTSTR(NULL));
}
- plog(ASL_LEVEL_DEBUG, "received an R-U-THERE-ACK\n");
+ plog(ASL_LEVEL_NOTICE, "received an R-U-THERE-ACK\n");
#ifdef ENABLE_VPNCONTROL_PORT
vpncontrol_notify_peer_resp_ph1(1, iph1);
int error = 0;
if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
- plog(ASL_LEVEL_DEBUG, "DPD r-u send aborted, invalid Phase 1 status %d....\n",
+ plog(ASL_LEVEL_NOTICE, "DPD r-u send aborted, invalid Phase 1 status %d....\n",
iph1->status);
return;
}
(void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL);
purge_remote(iph1);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"DPD: remote seems to be dead\n");
/* Do not reschedule here: phase1 is deleted,
CONSTSTR("Responder DPD Request"),
CONSTSTR(NULL));
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"DPD R-U-There sent (%d)\n", error);
/* will be decreased if ACK received... */
* will be deleted/rescheduled if ACK received before */
isakmp_sched_r_u(iph1, 1);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry);
}
isakmp_info_monitor_r_u_algo_inbound_detect (phase1_handle_t *iph1)
{
if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
- plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid Phase 1 status %d....\n",
+ plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) aborted, invalid Phase 1 status %d....\n",
iph1->status);
return;
}
- plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n");
+ plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_INBOUND_DETECT) ....\n");
// check phase1 for ike packets received from peer
if (iph1->peer_sent_ike) {
/* ike packets received from peer... reschedule dpd */
isakmp_sched_r_u(iph1, 0);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"ike packets received from peer... reschedule monitor.\n");
return;
} else {
isakmp_sched_r_u(iph1, 0);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"rescheduling DPD monitoring (for ALGORITHM_INBOUND_DETECT).\n");
}
iph1->parent_session->peer_sent_data_sc_dpd = 0;
isakmp_info_monitor_r_u_algo_blackhole_detect (phase1_handle_t *iph1)
{
if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
- plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid Phase 1 status %d....\n",
+ plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) aborted, invalid Phase 1 status %d....\n",
iph1->status);
return;
}
- plog(ASL_LEVEL_DEBUG, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n");
+ plog(ASL_LEVEL_NOTICE, "DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) ....\n");
// check if data was sent but none was received
if (iph1->parent_session->i_sent_data_sc_dpd &&
} else {
isakmp_sched_r_u(iph1, 0);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"rescheduling DPD monitoring (for ALGORITHM_BLACKHOLE_DETECT) i = %d, peer %d.\n",
iph1->parent_session->i_sent_data_sc_dpd,
iph1->parent_session->peer_sent_data_sc_dpd);
} else if (iph1->rmconf->dpd_algo == DPD_ALGO_BLACKHOLE_DETECT) {
isakmp_info_monitor_r_u_algo_blackhole_detect(iph1);
} else {
- plog(ASL_LEVEL_DEBUG, "DPD monitoring aborted, invalid algorithm %d....\n",
+ plog(ASL_LEVEL_NOTICE, "DPD monitoring aborted, invalid algorithm %d....\n",
iph1->rmconf->dpd_algo);
}
}
isakmp_sched_r_u(iph1, 0);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"%s... rescheduling send_r_u.\n",
reason);
}
# include <time.h>
# endif
#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
plog(ASL_LEVEL_ERR,
"failed to generate a proposal template "
"from client's proposal.\n");
- return ISAKMP_INTERNAL_ERROR;
+ error = ISAKMP_INTERNAL_ERROR;
+ goto end;
}
/*FALLTHROUGH*/
case 0:
if (sp_in == NULL || sp_in->policy == IPSEC_POLICY_GENERATE) {
if (iph2->ph1->rmconf->gen_policy) {
if (sp_in)
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"Update the generated policy : %s\n",
spidx2str(&spidx));
else
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"no policy found, "
"try to generate the policy : %s\n",
spidx2str(&spidx));
#include <unistd.h>
#endif
#include <ctype.h>
-#include <resolv.h>
#include "var.h"
#include "misc.h"
#include <unistd.h>
#endif
#include <ctype.h>
-#include <resolv.h>
#ifdef HAVE_SHADOW_H
#include <shadow.h>
return;
}
- plog(ASL_LEVEL_INFO, "Sending Xauth request\n");
+ plog(ASL_LEVEL_NOTICE, "Sending Xauth request\n");
tlen = sizeof(*attr) +
+ sizeof(*typeattr) +
char *usr = xst->authdata.generic.usr;
if (iph1->is_dying) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"dropped login for user \"%s\"\n", usr);
return -1;
}
if (port != -1)
isakmp_cfg_putport(iph1, port);
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"login failed for user \"%s\"\n", usr);
xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
}
xst->status = XAUTHST_OK;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"login succeeded for user \"%s\"\n", usr);
xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
while ((member = gr->gr_mem[index++])!=NULL) {
if (!strcmp(member,usr)) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"membership validated\n");
return 0;
}
}
if( !res ) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"user \"%s\" is a member of group \"%s\"\n",
usr,
grp_list[grp_index]);
break;
} else {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"user \"%s\" is not a member of group \"%s\"\n",
usr,
grp_list[grp_index]);
#include <unistd.h>
#endif
#include <err.h>
-#include <sys/ioctl.h>
-#include <resolv.h>
+#include <sys/ioctl.h>
#include "libpfkey.h"
LIST_ENTRY(vpnctl_socket_elem) chain;
int sock;
dispatch_source_t source;
+ uint32_t read_bytes_len;
+ uint32_t pending_bytes_len;
+ uint8_t *buffer;
LIST_HEAD(_bound_addrs, bound_addr) bound_addresses;
};
#include "cfparse_proto.h"
#include "isakmp_var.h"
#ifdef ENABLE_HYBRID
-#include <resolv.h>
#include "isakmp.h"
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
parse(ac, av);
- plog(ASL_LEVEL_INFO, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
- plog(ASL_LEVEL_INFO, "%s\n", version);
+ plog(ASL_LEVEL_NOTICE, "racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
+ plog(ASL_LEVEL_NOTICE, "%s\n", version);
#ifdef HAVE_OPENSSL
- plog(ASL_LEVEL_INFO, "@(#)"
+ plog(ASL_LEVEL_NOTICE, "@(#)"
"This product linked %s (http://www.openssl.org/)"
"\n", eay_version());
#endif
- plog(ASL_LEVEL_INFO, "Reading configuration from \"%s\"\n",
+ plog(ASL_LEVEL_NOTICE, "Reading configuration from \"%s\"\n",
lcconf->racoon_conf);
//%%%%% this sould probably be moved to session()
close(0);
else {
if ( !exec_done && launchdlaunched ){
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"racoon launched by launchd.\n");
exec_done = 1;
if (atexit(cleanup_pidfile) < 0) {
size_t buf_size, addr_size;
if (iph1->approval) {
- plog(ASL_LEVEL_INFO, "Hashing %s with algo #%d %s\n",
+ plog(ASL_LEVEL_NOTICE, "Hashing %s with algo #%d %s\n",
saddr2str((struct sockaddr *)addr), iph1->approval->hashtype,
(iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":"");
}
#ifndef _NETDB_DNSSEC_H
#define _NETDB_DNSSEC_H
+#include "config.h"
+
+#if ENABLE_DNSSEC_CERTS
+
#ifndef T_CERT
#define T_CERT 37 /* defined by RFC2538 section 2 */
#endif
extern void freecertinfo (struct certinfo *);
extern int getcertsbyname (char *, struct certinfo **);
+#endif /* ENABLE_DNSSEC_CERTS */
+
#endif /* _NETDB_DNSSEC_H */
# include <time.h>
# endif
#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#include "var.h"
#include "misc.h"
#if HAVE_OPENDIR
#include "open_dir.h"
#endif
-#include "dnssec.h"
#include "sockmisc.h"
#include "strnames.h"
#include "gcmalloc.h"
#include <CoreFoundation/CoreFoundation.h>
#include "remoteconf.h"
#include "vpn_control.h"
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
#include <Security/SecCertificate.h>
#include <Security/SecCertificatePriv.h>
#endif
len = 1 + sizeof(u_int32_t) + body->l;
buf = vmalloc(len);
if (buf == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"failed to get hash buffer\n");
goto end;
}
len = sizeof(u_int32_t) + body->l;
buf = vmalloc(len);
if (buf == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"failed to get hash buffer\n");
goto end;
}
cert_t *p;
vchar_t *user_id;
int user_id_found = 0;
+#ifndef HAVE_OPENSSL
+ SecCertificateRef certificate;
+ CFArrayRef commonNames;
+ CFIndex i, l;
+ CFStringRef name;
+#endif /* HAVE_OPENSSL */
for (p = iph1->cert_p; p; p = p->chain) {
+#ifdef HAVE_OPENSSL
user_id = eay_get_x509_common_name(&p->cert); //%%%%%%%% fix this
if (user_id) {
user_id_found = 1;
}
vfree(user_id);
}
+#else /* HAVE_OPENSSL */
+ certificate = crypto_cssm_x509cert_CreateSecCertificateRef(&p->cert);
+ if (certificate == NULL) {
+ plog(ASL_LEVEL_ERR,
+ "ovuid failed to get SecCertificateRef\n");
+ continue;
+ }
+
+ commonNames = SecCertificateCopyCommonNames(certificate);
+ if (commonNames == NULL) {
+ plog(ASL_LEVEL_ERR,
+ "ovuid failed to get commonNames\n");
+ CFRelease(certificate);
+ continue;
+ }
+
+ l = CFArrayGetCount(commonNames);
+ for (i = 0; i < l; i++) {
+ name = CFArrayGetValueAtIndex(commonNames, i);
+ user_id = vmalloc(CFStringGetMaximumSizeForEncoding(CFStringGetLength(name),
+ kCFStringEncodingUTF8) + 1);
+ if (user_id) {
+ if (CFStringGetCString(name, user_id->v, user_id->l,
+ kCFStringEncodingUTF8)) {
+ user_id_found = 1;
+ // the following functions will check if user_id == 0
+ if (open_dir_authorize_id(user_id, iph1->rmconf->open_dir_auth_group)) {
+ vfree(user_id);
+ CFRelease(certificate);
+ CFRelease(commonNames);
+ return 0;
+ }
+ }
+ vfree(user_id);
+ }
+ }
+ CFRelease(certificate);
+ CFRelease(commonNames);
+#endif /* HAVE_OPENSSL */
}
if (user_id_found) {
plog(ASL_LEVEL_ERR,
return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
}
- plog(ASL_LEVEL_DEBUG, "*** SIGN passed\n");
+ plog(ASL_LEVEL_DEBUG, "SIGN passed\n");
/* get peer's cert */
switch (iph1->rmconf->getcert_method) {
return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
break;
}
- plog(ASL_LEVEL_INFO, "No SIG was passed, "
+ plog(ASL_LEVEL_NOTICE, "No SIG was passed, "
"but hybrid auth is enabled\n");
return 0;
int
oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, int notify_initiator)
{
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
if (premature || expired) {
vpncontrol_notify_ike_failed(fail_reason, notify_initiator, iph1_get_remote_v4_address(iph1), 0, NULL);
return -1;
}
-#endif /* TARGET_OS_EMBEDDED */
+#endif /* HAVE_OPENSSL */
return 0;
}
oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_status_t *certStatus)
{
- int len;
+ int len = 0;
int error = 0;
-#if !TARGET_OS_EMBEDDED
+#ifdef HAVE_OPENSSL
int type;
char *altname = NULL;
#endif
{
CFDataRef subject;
SecCertificateRef certificate;
- UInt8* namePtr;
+ UInt8* namePtr = NULL;
certificate = crypto_cssm_x509cert_CreateSecCertificateRef(cert);
if (certificate == NULL) {
if (error) {
plog(ASL_LEVEL_ERR,
"ID mismatched with certificate subjectName\n");
- plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
- s_ipsecdoi_ident(idtype));
+ if (namePtr != NULL) {
+ plogdump(ASL_LEVEL_ERR, namePtr, len, "subjectName (type %s):\n",
+ s_ipsecdoi_ident(idtype));
+ } else {
+ plog(ASL_LEVEL_ERR, "subjectName (type %s):\n", s_ipsecdoi_ident(idtype));
+ }
plogdump(ASL_LEVEL_ERR, id, idlen, "ID:\n");
if (certStatus && !*certStatus) {
*certStatus = CERT_STATUS_INVALID_SUBJNAME;
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV6_ADDR:
{
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
CFIndex pos, count;
SecCertificateRef certificate;
CFArrayRef addresses;
*certStatus = CERT_STATUS_INVALID_SUBJALTNAME;
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-#endif /* TARGET_OS_EMBEDDED */
+#endif /* HAVE_OPENSSL */
}
-#if TARGET_OS_EMBEDDED
+#ifndef HAVE_OPENSSL
case IPSECDOI_ID_FQDN:
{
CFIndex pos, count;
/* when SPD is empty, treat the state as no error. */
if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
msg->sadb_msg_errno == ENOENT)
- pri = ASL_LEVEL_DEBUG;
+ pri = ASL_LEVEL_NOTICE;
else
pri = ASL_LEVEL_ERR;
}
if (pkrecvf[msg->sadb_msg_type] == NULL) {
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"unsupported PF_KEY message %s\n",
s_pfkey_type(msg->sadb_msg_type));
goto end;
ssize_t len;
if (slept_at || woke_at) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_DEBUG,
"ignoring pfkey port until power-mgmt event is handled.\n");
return;
}
return;
} else {
/* short message - msg not ready */
- plog(ASL_LEVEL_DEBUG, "recv short message from pfkey\n");
+ plog(ASL_LEVEL_NOTICE, "recv short message from pfkey\n");
return;
}
}
struct saved_msg_elem *elem_tmp = NULL;
if (slept_at || woke_at) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
return;
}
sa->sadb_sa_spi,
sa_mode));
- plog(ASL_LEVEL_INFO,
- "IPsec-SA established: %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- msg->sadb_msg_satype, sa->sadb_sa_spi,
- sa_mode));
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA established (update): satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
+ "IPsec-SA established (update): %s\n",
+ sadbsecas2str(iph2->dst, iph2->src,
+ msg->sadb_msg_satype, sa->sadb_sa_spi,
+ sa_mode));
}
if (pr->ok == 0)
* because they must be updated by SADB_UPDATE message
*/
- plog(ASL_LEVEL_INFO,
- "IPsec-SA established: %s\n",
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA established (add): satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
+ "IPsec-SA established (add): %s\n",
sadbsecas2str(iph2->src, iph2->dst,
msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
return -1;
}
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
+ "IPsec-SA expired: satype=%u spi=%#x mode=%u\n",
+ msg->sadb_msg_satype, ntohl(sa->sadb_sa_spi), sa_mode);
+ plog(ASL_LEVEL_DEBUG,
"IPsec-SA expired: %s\n",
sadbsecas2str(src, dst,
msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
default:
plog(ASL_LEVEL_ERR,
"invalid policy type.\n");
+ delsp(new);
return -1;
}
if (natt_udp_encap(pr2->encmode)) {
prev = pr2->encmode;
saprop_udp_encap(pr2);
- plog(ASL_LEVEL_INFO, "Adjusting my encmode %s(%d)->%s(%d)\n",
+ plog(ASL_LEVEL_NOTICE, "Adjusting my encmode %s(%d)->%s(%d)\n",
s_ipsecdoi_encmode(prev),
prev,
s_ipsecdoi_encmode(pr2->encmode),
if (natt_udp_encap(pr1->encmode)) {
prev = pr1->encmode;
saprop_udp_encap(pr1);
- plog(ASL_LEVEL_INFO, "Adjusting peer's encmode %s(%d)->%s(%d)\n",
+ plog(ASL_LEVEL_NOTICE, "Adjusting peer's encmode %s(%d)->%s(%d)\n",
s_ipsecdoi_encmode(prev),
prev,
s_ipsecdoi_encmode(pr1->encmode),
s_idtype (id->idtype));
if (id->id)
pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", id->id->v);
- plog(ASL_LEVEL_INFO, "%s;\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
return NULL;
}
if (p->inherited_from)
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
saddr2str((struct sockaddr *)p->inherited_from->remote));
- plog(ASL_LEVEL_INFO, "%s {\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s {\n", buf);
pbuf = buf;
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
while (etype) {
etype->next != NULL ? ", " : ";\n");
etype = etype->next;
}
- plog(ASL_LEVEL_INFO, "%s", buf);
- plog(ASL_LEVEL_INFO, "\tdoi %s;\n", s_doi(p->doitype));
+ plog(ASL_LEVEL_NOTICE, "%s", buf);
+ plog(ASL_LEVEL_NOTICE, "\tdoi %s;\n", s_doi(p->doitype));
pbuf = buf;
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\tmy_identifier %s", s_idtype (p->idvtype));
if (p->idvtype == IDTYPE_ASN1DN) {
- plog(ASL_LEVEL_INFO, "%s;\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
switch (p->getcert_method) {
case 0:
break;
case ISAKMP_GETCERT_PAYLOAD:
- plog(ASL_LEVEL_INFO, "\t/* peers certificate from payload */\n");
+ plog(ASL_LEVEL_NOTICE, "\t/* peers certificate from payload */\n");
break;
default:
- plog(ASL_LEVEL_INFO, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
+ plog(ASL_LEVEL_NOTICE, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
}
}
else {
if (p->idv)
pbuf += snprintf (pbuf, sizeof(buf) - (pbuf - buf), " \"%s\"", p->idv->v);
- plog(ASL_LEVEL_INFO, "%s;\n", buf);
+ plog(ASL_LEVEL_NOTICE, "%s;\n", buf);
genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
}
- plog(ASL_LEVEL_INFO, "\tsend_cert %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsend_cert %s;\n",
s_switch (p->send_cert));
- plog(ASL_LEVEL_INFO, "\tsend_cr %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsend_cr %s;\n",
s_switch (p->send_cr));
- plog(ASL_LEVEL_INFO, "\tverify_cert %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tverify_cert %s;\n",
s_switch (p->verify_cert));
- plog(ASL_LEVEL_INFO, "\tverify_identifier %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tverify_identifier %s;\n",
s_switch (p->verify_identifier));
- plog(ASL_LEVEL_INFO, "\tnat_traversal %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnat_traversal %s;\n",
p->nat_traversal == NATT_FORCE ?
"force" : s_switch (p->nat_traversal));
- plog(ASL_LEVEL_INFO, "\tnatt_multiple_user %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnatt_multiple_user %s;\n",
s_switch (p->natt_multiple_user));
- plog(ASL_LEVEL_INFO, "\tnonce_size %d;\n",
+ plog(ASL_LEVEL_NOTICE, "\tnonce_size %d;\n",
p->nonce_size);
- plog(ASL_LEVEL_INFO, "\tpassive %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tpassive %s;\n",
s_switch (p->passive));
- plog(ASL_LEVEL_INFO, "\tike_frag %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tike_frag %s;\n",
p->ike_frag == ISAKMP_FRAG_FORCE ?
"force" : s_switch (p->ike_frag));
- plog(ASL_LEVEL_INFO, "\tesp_frag %d;\n", p->esp_frag);
- plog(ASL_LEVEL_INFO, "\tinitial_contact %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tesp_frag %d;\n", p->esp_frag);
+ plog(ASL_LEVEL_NOTICE, "\tinitial_contact %s;\n",
s_switch (p->ini_contact));
- plog(ASL_LEVEL_INFO, "\tgenerate_policy %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tgenerate_policy %s;\n",
s_switch (p->gen_policy));
- plog(ASL_LEVEL_INFO, "\tsupport_proxy %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\tsupport_proxy %s;\n",
s_switch (p->support_proxy));
while (prop) {
- plog(ASL_LEVEL_INFO, "\n");
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE, "\n");
+ plog(ASL_LEVEL_NOTICE,
"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
prop->prop_no, prop->trns_no,
saddr2str((struct sockaddr *)prop->rmconf->remote));
- plog(ASL_LEVEL_INFO, "\tproposal {\n");
- plog(ASL_LEVEL_INFO, "\t\tlifetime time %lu sec;\n",
+ plog(ASL_LEVEL_NOTICE, "\tproposal {\n");
+ plog(ASL_LEVEL_NOTICE, "\t\tlifetime time %lu sec;\n",
(long)prop->lifetime);
- plog(ASL_LEVEL_INFO, "\t\tlifetime bytes %zd;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tlifetime bytes %zd;\n",
prop->lifebyte);
- plog(ASL_LEVEL_INFO, "\t\tdh_group %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tdh_group %s;\n",
alg_oakley_dhdef_name(prop->dh_group));
- plog(ASL_LEVEL_INFO, "\t\tencryption_algorithm %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tencryption_algorithm %s;\n",
alg_oakley_encdef_name(prop->enctype));
- plog(ASL_LEVEL_INFO, "\t\thash_algorithm %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\thash_algorithm %s;\n",
alg_oakley_hashdef_name(prop->hashtype));
- plog(ASL_LEVEL_INFO, "\t\tprf_algorithm %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tprf_algorithm %s;\n",
alg_oakley_hashdef_name(prop->prf));
- plog(ASL_LEVEL_INFO, "\t\tauthentication_method %s;\n",
+ plog(ASL_LEVEL_NOTICE, "\t\tauthentication_method %s;\n",
alg_oakley_authdef_name(prop->authmethod));
- plog(ASL_LEVEL_INFO, "\t}\n");
+ plog(ASL_LEVEL_NOTICE, "\t}\n");
prop = prop->next;
}
- plog(ASL_LEVEL_INFO, "}\n");
- plog(ASL_LEVEL_INFO, "\n");
+ plog(ASL_LEVEL_NOTICE, "}\n");
+ plog(ASL_LEVEL_NOTICE, "\n");
return NULL;
}
}
// TODO: handle wildcard port numbers in the id
- if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) {
+ if ((src->l == s->idsrc->l) && memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0) {
if (use_nat_addr) {
if (memcmp(lcconf->ext_nat_id->v, s->iddst->v, s->iddst->l) == 0) {
plogdump(ASL_LEVEL_DEBUG, lcconf->ext_nat_id->v, lcconf->ext_nat_id->l, "matched external nat address.\n");
return s;
}
- } else if (memcmp(dst->v, s->iddst->v, s->iddst->l) == 0)
+ } else if ((dst->l == s->iddst->l) && memcmp(dst->v, s->iddst->v, s->iddst->l) == 0) {
return s;
+ }
}
}
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
-#include <resolv.h>
#include <TargetConditionals.h>
#include <vproc_priv.h>
#include <dispatch/dispatch.h>
(void)launchd_update_racoon_keepalive(false);
#endif // !TARGET_OS_EMBEDDED
- plog(ASL_LEVEL_INFO, "racoon shutdown\n");
+ plog(ASL_LEVEL_NOTICE, "racoon shutdown\n");
exit(0);
}
void
auto_exit_do(void *p)
{
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"performing auto exit\n");
#if ENABLE_NO_SA_FLUSH
close_session(0);
case SIGINT:
case SIGTERM:
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"caught signal %d\n", sig);
#if ENABLE_NO_SA_FLUSH
close_session(0);
break;
default:
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"caught signal %d\n", sig);
break;
}
signal_handler(int sig, siginfo_t *sigi, void *ctx)
{
#if 0
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"%s received signal %d from pid %d uid %d\n\n",
__FUNCTION__, sig, sigi->si_pid, sigi->si_uid);
#endif
cm = (struct cmsghdr *)cmsgbuf;
m.msg_control = (caddr_t)cm;
m.msg_controllen = sizeof(cmsgbuf);
+ m.msg_flags = 0;
while ((len = recvmsg(s, &m, flags)) < 0) {
if (errno == EINTR)
continue;
#include <stdio.h>
#include <stdlib.h>
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#include "var.h"
#include "misc.h"
#include <sys/socket.h>
#include <netinet/in.h>
-#include <resolv.h>
#include "vmbuf.h"
#include "misc.h"
goto unknown;
if (current->hash->l < vidlen)
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"received broken Microsoft ID: %s\n",
current->string);
else
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"received Vendor ID: %s\n",
current->string);
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
#include "var.h"
#include "misc.h"
if (set_port(local, port) == NULL)
goto out1;
- plog(ASL_LEVEL_INFO,
+ plog(ASL_LEVEL_NOTICE,
"accept a request to establish IKE-SA: "
"%s\n", saddrwop2str((struct sockaddr *)remote));
* Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
*
* @APPLE_LICENSE_HEADER_START@
- *
+ *
* The contents of this file constitute Original Code as defined in and
* are subject to the Apple Public Source License Version 1.1 (the
* "License"). You may not use this file except in compliance with the
* License. Please obtain a copy of the License at
* http://www.apple.com/publicsource and read it before using this file.
- *
+ *
* This Original Code and all software distributed under the License are
* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
* License for the specific language governing rights and limitations
* under the License.
- *
+ *
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#include <netinet/in.h>
#ifndef HAVE_NETINET6_IPSEC
#include <netinet/ipsec.h>
-#else
+#else
#include <netinet6/ipsec.h>
#endif
extern int vpn_xauth_reply (u_int32_t, void *, size_t);
-int
-checklaunchd()
-{
- launch_data_t checkin_response = NULL;
+int
+checklaunchd()
+{
+ launch_data_t checkin_response = NULL;
#ifdef LION_TEST
launch_data_t checkin_request = NULL;
#endif
#else
if ((checkin_response = launch_socket_service_check_in()) == NULL) {
#endif
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to launch_socket_service_check_in.\n");
goto done;
}
}
#endif
if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"launch_data_get_type error %d\n",
launch_data_get_errno(checkin_response));
goto done;
}
if ( (sockets_dict = launch_data_dict_lookup(checkin_response, LAUNCH_JOBKEY_SOCKETS)) == NULL){
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to launch_data_dict_lookup.\n");
goto done;
}
if ( !(socketct = launch_data_dict_get_count(sockets_dict))){
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"launch_data_dict_get_count returns no socket defined.\n");
goto done;
}
if ( (listening_fd_array = launch_data_dict_lookup(sockets_dict, "Listeners")) == NULL ){
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to launch_data_dict_lookup.\n");
goto done;
}
continue;
}
- /* Is this the VPN control socket? */
- if ( fdsockaddr.ss_family == AF_UNIX &&
+ /* Is this the VPN control socket? */
+ if ( fdsockaddr.ss_family == AF_UNIX &&
(!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path))))
- {
- plog(ASL_LEVEL_INFO,
+ {
+ plog(ASL_LEVEL_NOTICE,
"found launchd socket.\n");
returnval = fd;
break;
}
// TODO: check if we have any leaked fd
if ( listenerct == i){
- plog(ASL_LEVEL_ERR,
- "failed to find launchd socket\n");
+ plog(ASL_LEVEL_ERR,
+ "failed to find launchd socket\n");
returnval = 0;
}
-done:
+done:
if (checkin_response)
launch_data_free(checkin_response);
return(returnval);
struct vpnctl_socket_elem *sock_elem;
- sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem));
+ sock_elem = racoon_calloc(1, sizeof(struct vpnctl_socket_elem));
if (sock_elem == NULL) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"memory error: %s\n", strerror(errno));
return; //%%%%%% terminate
}
LIST_INIT(&sock_elem->bound_addresses);
-
+
sock_elem->sock = accept(lcconf->sock_vpncontrol, (struct sockaddr *)&from, &fromlen);
if (sock_elem->sock < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to accept vpn_control command: %s\n", strerror(errno));
racoon_free(sock_elem);
return; //%%%%% terminate
}
LIST_INSERT_HEAD(&lcconf->vpnctl_comm_socks, sock_elem, chain);
-
+
sock_elem->source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, sock_elem->sock, 0, dispatch_get_main_queue());
if (sock_elem->source == NULL) {
plog(ASL_LEVEL_ERR, "could not create comm socket source.");
racoon_free(sock_elem);
return; //%%%%% terminate
}
- dispatch_source_set_event_handler(sock_elem->source,
+ dispatch_source_set_event_handler(sock_elem->source,
^{
vpncontrol_comm_handler(sock_elem);
});
dispatch_release(the_source); /* Release the source on cancel */
});
dispatch_resume(sock_elem->source);
-
- plog(ASL_LEVEL_NOTICE,
+
+ plog(ASL_LEVEL_NOTICE,
"accepted connection on vpn control socket.\n");
check_auto_exit();
vpncontrol_comm_handler(struct vpnctl_socket_elem *elem)
{
struct vpnctl_hdr hdr;
- char *combuf = NULL;
ssize_t len;
/* get buffer length */
- while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) {
- if (errno == EINTR)
- continue;
- plog(ASL_LEVEL_ERR,
- "failed to recv vpn_control command: %s\n", strerror(errno));
- goto end;
- }
- if (len == 0) {
- plog(ASL_LEVEL_DEBUG,
- "vpn_control socket closed by peer.\n");
- /* kill all related connections */
- vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost);
- vpncontrol_close_comm(elem);
- return; // %%%%%% terminate
- }
-
- /* sanity check */
- if (len < sizeof(hdr)) {
- plog(ASL_LEVEL_ERR,
- "invalid header length of vpn_control command - len=%ld - expected %ld\n", len, sizeof(hdr));
- goto end;
- }
+ if (elem->buffer == NULL) {
+ while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) {
+ if (errno == EINTR)
+ continue;
+ plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n", strerror(errno));
+ return;
+ }
+ if (len == 0) {
+ plog(ASL_LEVEL_NOTICE, "vpn_control socket closed by peer.\n");
+ /* kill all related connections */
+ vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost);
+ vpncontrol_close_comm(elem);
+ return; // %%%%%% terminate
+ }
- /* get buffer to receive */
- if ((combuf = racoon_malloc(ntohs(hdr.len) + sizeof(hdr))) == 0) {
- plog(ASL_LEVEL_ERR,
- "failed to alloc buffer for vpn_control command\n");
- goto end;
+ /* sanity check */
+ if (len < sizeof(hdr)) {
+ plog(ASL_LEVEL_ERR,
+ "invalid header length of vpn_control command - len=%ld - expected %ld\n", len, sizeof(hdr));
+ return;
+ }
+
+ elem->read_bytes_len = 0; // Sanity
+ elem->pending_bytes_len = ntohs(hdr.len) + sizeof(hdr);
+
+ /* get buffer to receive */
+ elem->buffer = racoon_malloc(elem->pending_bytes_len);
+ if (elem->buffer == NULL) {
+ plog(ASL_LEVEL_ERR,
+ "failed to alloc buffer for vpn_control command\n");
+ return;
+ }
}
/* get real data */
- while ((len = recv(elem->sock, combuf, ntohs(hdr.len) + sizeof(hdr), 0)) < 0) {
+ while ((len = recv(elem->sock, elem->buffer + elem->read_bytes_len, elem->pending_bytes_len, 0)) < 0) {
if (errno == EINTR)
continue;
- plog(ASL_LEVEL_ERR,
- "failed to recv vpn_control command: %s\n",
- strerror(errno));
- goto end;
+ plog(ASL_LEVEL_ERR, "failed to recv vpn_control command: %s\n",
+ strerror(errno));
+ return;
}
- if (len < (sizeof(hdr) + ntohs(hdr.len))) {
- plog(ASL_LEVEL_ERR,
- "invalid length of vpn_control command - len=%ld - expected %ld\n", len, (sizeof(hdr) + ntohs(hdr.len)));
- goto end;
+ if (len == 0) {
+ plog(ASL_LEVEL_NOTICE, "vpn_control socket closed by peer while reading packet\n");
+ /* kill all related connections */
+ vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost);
+ vpncontrol_close_comm(elem);
+ return;
}
- (void)vpncontrol_process(elem, combuf, len);
+ elem->read_bytes_len += len;
-end:
- if (combuf)
- racoon_free(combuf);
- return;
+ if (len < elem->pending_bytes_len) {
+ plog(ASL_LEVEL_NOTICE,
+ "received partial vpn_control command - len=%ld - expected %u\n", len, elem->pending_bytes_len);
+ elem->pending_bytes_len -= len;
+ return;
+ } else {
+ (void)vpncontrol_process(elem, elem->buffer, elem->read_bytes_len);
+ free(elem->buffer);
+ elem->buffer = NULL;
+ elem->read_bytes_len = 0;
+ elem->pending_bytes_len = 0;
+ }
}
static int
break;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received bind command on vpn control socket.\n");
addr = racoon_calloc(1, sizeof(struct bound_addr));
if (addr == NULL) {
plog(ASL_LEVEL_ERR,
"memory error: %s\n", strerror(errno));
error = -1;
+ racoon_free(addr);
break;
}
memcpy(addr->version->v, pkt + 1, ntohs(pkt->vers_len));
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received unbind command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == 0xFFFFFFFF ||
struct redirect *t_raddr;
int found = 0;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received redirect command on vpn control socket - address = %x.\n", ntohl(redirect_msg->redirect_address));
LIST_FOREACH_SAFE(raddr, &lcconf->redirect_addresses, chain, t_raddr) {
if (!found) {
raddr = racoon_malloc(sizeof(struct redirect));
if (raddr == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_ERR,
"cannot allcoate memory for redirect address.\n");
error = -1;
break;
break;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received xauth info command vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received set v6 prefix of len %u command on vpn control socket, adding to all addresses.\n", pkt->nat64_prefix.length);
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
memcpy(&addr->nat64_prefix, &pkt->nat64_prefix, sizeof(addr->nat64_prefix));
pending_signal_handle = 0;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received connect command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received disconnect command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG, "received start_ph2 command on vpn control socket.\n");
+ plog(ASL_LEVEL_NOTICE, "received start_ph2 command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
/* start the connection */
struct bound_addr *srv;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received start_dpd command on vpn control socket.\n");
LIST_FOREACH_SAFE(srv, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == srv->address) {
struct sockaddr_in saddr;
struct sockaddr_in daddr;
- plogdump(ASL_LEVEL_DEBUG, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr), "received assert command on vpn control socket.\n");
+ plogdump(ASL_LEVEL_NOTICE, pkt, ntohs(hdr->len) + sizeof(struct vpnctl_hdr), "received assert command on vpn control socket.\n");
// LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
// if (pkt->dst_address == addr->address) {
bzero(&saddr, sizeof(saddr));
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"received reconnect command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
break;
default:
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"invalid command: %d\n", ntohs(hdr->msg_type));
error = -1; // for now
break;
tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0);
if (tlen < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to send vpn_control message: %s\n", strerror(errno));
return -1;
}
int
vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len)
{
- struct vpnctl_status_need_authinfo *msg = NULL;
+ struct vpnctl_status_need_authinfo *msg = NULL;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
size_t msg_size;
if (!iph1)
goto end;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"sending vpn_control xauth need info status\n");
msg = (struct vpnctl_status_need_authinfo *)racoon_malloc(msg_size = sizeof(struct vpnctl_status_need_authinfo) + attr_len);
if (msg == NULL) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"unable to allocate space for vpn control message.\n");
return -1;
}
plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size);
tlen = send(sock_elem->sock, msg, msg_size, 0);
if (tlen < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to send vpn_control need authinfo status: %s\n", strerror(errno));
}
break;
int
vpncontrol_notify_ike_failed(u_int16_t notify_code, u_int16_t from, u_int32_t address, u_int16_t data_len, u_int8_t *data)
{
- struct vpnctl_status_failed *msg = NULL;
+ struct vpnctl_status_failed *msg = NULL;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
size_t len;
msg = (struct vpnctl_status_failed *)racoon_malloc(len);
if (msg == NULL) {
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_ERR,
"unable to allcate memory for vpn control status message.\n");
return -1;
}
msg->from = htons(from);
if (data_len > 0)
memcpy(msg->data, data, data_len);
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_ERR,
"sending vpn_control ike failed message - code=%d from=%s.\n", notify_code,
(from == FROM_LOCAL ? "local" : "remote"));
bound_addr->address == address) {
tlen = send(sock_elem->sock, msg, len, 0);
if (tlen < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"Unable to send vpn_control ike notify failed: %s\n", strerror(errno));
+ } else {
+ plog(ASL_LEVEL_DEBUG,
+ "Sent %zd/%zu bytes\n", tlen, len);
}
break;
}
int
vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2)
{
- struct vpnctl_status_phase_change *msg;
+ struct vpnctl_status_phase_change *msg;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
ssize_t tlen;
}
if (msg == NULL) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"unable to allocate space for vpn control message.\n");
return -1;
}
plog(ASL_LEVEL_ERR, "bad address for ph1 status change.\n");
goto end;
}
- msg->hdr.msg_type = htons(start ?
- (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER)
+ msg->hdr.msg_type = htons(start ?
+ (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER)
: VPNCTL_STATUS_PH1_ESTABLISHED);
// TODO: indicate version
} else {
plog(ASL_LEVEL_DEBUG, "vpn control writing %zu bytes\n", msg_size);
tlen = send(sock_elem->sock, msg, msg_size, 0);
if (tlen < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"failed to send vpn_control phase change status: %s\n", strerror(errno));
}
break;
static int
vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address)
{
- struct vpnctl_status_peer_resp msg;
+ struct vpnctl_status_peer_resp msg;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
ssize_t tlen;
msg.hdr.len = htons(sizeof(msg) - sizeof(msg.hdr));
msg.address = address;
msg.ike_code = notify_code;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"sending vpn_control status (peer response) message - code=%d addr=%x.\n", notify_code, address);
LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
bound_addr->address == address) {
tlen = send(sock_elem->sock, &msg, sizeof(msg), 0);
if (tlen < 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"unable to send vpn_control status (peer response): %s\n", strerror(errno));
} else {
rc = 0;
vpncontrol_init(void)
{
int sock;
-
+
if (vpncontrolsock_path == NULL) {
lcconf->sock_vpncontrol = -1;
return 0;
}
- if ( (lcconf->sock_vpncontrol = checklaunchd()) == 0 ) {
+ if ( (lcconf->sock_vpncontrol = checklaunchd()) == 0 ) {
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
lcconf->sock_vpncontrol = socket(AF_UNIX, SOCK_STREAM, 0);
if (lcconf->sock_vpncontrol == -1) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"socket: %s\n", strerror(errno));
return -1;
}
if (fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK) == -1) {
plog(ASL_LEVEL_ERR, "failed to put VPN-Control socket in non-blocking mode\n");
}
-
+
unlink(sunaddr.sun_path);
if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr,
sizeof(sunaddr)) != 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"bind(sockname:%s): %s\n",
sunaddr.sun_path, strerror(errno));
(void)close(lcconf->sock_vpncontrol);
}
if (chown(sunaddr.sun_path, vpncontrolsock_owner, vpncontrolsock_group) != 0) {
- plog(ASL_LEVEL_ERR,
- "chown(%s, %d, %d): %s\n",
- sunaddr.sun_path, vpncontrolsock_owner,
+ plog(ASL_LEVEL_ERR,
+ "chown(%s, %d, %d): %s\n",
+ sunaddr.sun_path, vpncontrolsock_owner,
vpncontrolsock_group, strerror(errno));
(void)close(lcconf->sock_vpncontrol);
return -1;
}
if (chmod(sunaddr.sun_path, vpncontrolsock_mode) != 0) {
- plog(ASL_LEVEL_ERR,
- "chmod(%s, 0%03o): %s\n",
+ plog(ASL_LEVEL_ERR,
+ "chmod(%s, 0%03o): %s\n",
sunaddr.sun_path, vpncontrolsock_mode, strerror(errno));
(void)close(lcconf->sock_vpncontrol);
return -1;
}
if (listen(lcconf->sock_vpncontrol, 5) != 0) {
- plog(ASL_LEVEL_ERR,
+ plog(ASL_LEVEL_ERR,
"listen(sockname:%s): %s\n",
sunaddr.sun_path, strerror(errno));
(void)close(lcconf->sock_vpncontrol);
return -1;
}
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"opened %s as racoon management.\n", sunaddr.sun_path);
}
lcconf->vpncontrol_source = dispatch_source_create(DISPATCH_SOURCE_TYPE_READ, lcconf->sock_vpncontrol, 0, dispatch_get_main_queue());
}
dispatch_source_set_event_handler_f(lcconf->vpncontrol_source, vpncontrol_handler);
sock = lcconf->sock_vpncontrol;
- dispatch_source_set_cancel_handler(lcconf->vpncontrol_source,
+ dispatch_source_set_cancel_handler(lcconf->vpncontrol_source,
^{
close(sock);
});
{
struct bound_addr *addr;
struct bound_addr *t_addr;
-
- plog(ASL_LEVEL_DEBUG,
+
+ plog(ASL_LEVEL_NOTICE,
"received disconnect all command.\n");
-
+
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
/* stop any connections */
vpn_disconnect(addr, reason);
struct vpnctl_socket_elem *elem;
struct vpnctl_socket_elem *t_elem;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"vpncontrol_close.\n");
dispatch_source_cancel(lcconf->vpncontrol_source);
lcconf->vpncontrol_source = NULL;
-
+
lcconf->sock_vpncontrol = -1;
LIST_FOREACH_SAFE(elem, &lcconf->vpnctl_comm_socks, chain, t_elem)
vpncontrol_close_comm(elem);
struct bound_addr *addr;
struct bound_addr *t_addr;
- plog(ASL_LEVEL_DEBUG,
+ plog(ASL_LEVEL_NOTICE,
"vpncontrol_close_comm.\n");
LIST_REMOVE(elem, chain);
- if (elem->sock != -1)
+ if (elem->sock != -1) {
dispatch_source_cancel(elem->source);
+ elem->sock = -1;
+ }
+ if (elem->buffer != NULL) {
+ free(elem->buffer);
+ elem->buffer = NULL;
+ elem->pending_bytes_len = 0;
+ elem->read_bytes_len = 0;
+ }
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
flushsainfo_dynamic(addr->address);
LIST_REMOVE(addr, chain);
--- /dev/null
+//
+// racoon_certs_data.h
+// ipsec
+//
+// Copyright (c) 2017 Apple Inc. All rights reserved.
+//
+
+#ifndef certs_data_h
+#define certs_data_h
+
+unsigned char future_cert_der[] = {
+ 0x30, 0x82, 0x03, 0x83, 0x30, 0x82, 0x02, 0x6b, 0x02, 0x01, 0x01, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
+ 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x08, 0x13, 0x09, 0x43, 0x61, 0x6c, 0x69, 0x6f, 0x72, 0x6e,
+ 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
+ 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1e,
+ 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x49, 0x6e, 0x74,
+ 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6e, 0x6f,
+ 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+ 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 0x69, 0x6e, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03,
+ 0x13, 0x13, 0x44, 0x65, 0x6c, 0x7a, 0x69, 0x65, 0x6c, 0x49, 0x73, 0x59,
+ 0x6f, 0x75, 0x72, 0x43, 0x41, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17,
+ 0x0d, 0x33, 0x37, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x36, 0x34,
+ 0x32, 0x5a, 0x17, 0x0d, 0x33, 0x37, 0x30, 0x31, 0x30, 0x32, 0x30, 0x30,
+ 0x30, 0x36, 0x34, 0x32, 0x5a, 0x30, 0x81, 0x85, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
+ 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69,
+ 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69,
+ 0x6e, 0x6f, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+ 0x15, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65,
+ 0x63, 0x68, 0x6e, 0x6f, 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13,
+ 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74,
+ 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x14, 0x0f, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65,
+ 0x5f, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01,
+ 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+ 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01,
+ 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x06, 0x00, 0xe1, 0x3d, 0x45,
+ 0x35, 0x0a, 0xda, 0x45, 0x78, 0xfa, 0x11, 0x23, 0x5d, 0xe9, 0x8c, 0xbb,
+ 0xd1, 0xf4, 0x23, 0xe1, 0xaf, 0x5d, 0xca, 0x35, 0xe0, 0x42, 0xd6, 0x84,
+ 0x80, 0x1a, 0x73, 0x07, 0xe1, 0x43, 0x80, 0x1c, 0x97, 0xac, 0x8a, 0x29,
+ 0x0e, 0x98, 0xfe, 0x21, 0xee, 0xe8, 0x9f, 0x15, 0x20, 0xd9, 0x10, 0xb2,
+ 0x03, 0x85, 0xfc, 0xd9, 0x69, 0x6a, 0x95, 0x59, 0xe4, 0x2b, 0x73, 0xf5,
+ 0x73, 0xb1, 0x5a, 0xa2, 0x1c, 0x25, 0xf3, 0x31, 0xc4, 0x9d, 0xc3, 0x8b,
+ 0x21, 0x42, 0x0d, 0x16, 0x45, 0x06, 0xe0, 0x1a, 0x6d, 0xd5, 0x80, 0x71,
+ 0xb6, 0x6c, 0xe4, 0xc0, 0xfd, 0x6d, 0x4b, 0xef, 0x54, 0xa4, 0xd8, 0xe8,
+ 0x10, 0x77, 0x74, 0x3e, 0x08, 0x86, 0x2a, 0x5f, 0xaf, 0x35, 0x9a, 0xd4,
+ 0x1a, 0x5d, 0x45, 0x0e, 0x43, 0x64, 0x25, 0xd0, 0x5d, 0x66, 0x27, 0x16,
+ 0x19, 0x15, 0x81, 0x95, 0xb9, 0x8b, 0xa3, 0xea, 0xad, 0x08, 0xc8, 0xd2,
+ 0x03, 0x7d, 0x48, 0x06, 0x81, 0x4f, 0x8e, 0xda, 0x9e, 0x4c, 0x68, 0xc0,
+ 0x2d, 0xf3, 0x40, 0x8e, 0x79, 0xb2, 0x4f, 0xca, 0x71, 0xc8, 0xa5, 0xe7,
+ 0x6e, 0xdf, 0xa7, 0xa8, 0x7e, 0x1a, 0x14, 0xc1, 0x99, 0xf9, 0x21, 0x91,
+ 0x87, 0x4c, 0xf9, 0xb8, 0xd8, 0x20, 0x0b, 0x29, 0xf4, 0x32, 0x37, 0x93,
+ 0x8d, 0x4d, 0x78, 0xb2, 0xad, 0x7e, 0xbb, 0x13, 0xcb, 0xe6, 0x4b, 0x35,
+ 0xe9, 0x9a, 0x0b, 0x06, 0x9e, 0xb4, 0x9f, 0x08, 0xe6, 0x46, 0x52, 0x01,
+ 0x63, 0x7c, 0x3e, 0xfd, 0x0f, 0x6c, 0x42, 0x3c, 0x44, 0xbd, 0x00, 0xed,
+ 0x65, 0x3f, 0x31, 0xde, 0x9f, 0x44, 0x71, 0xd2, 0xf6, 0xb5, 0x34, 0x1c,
+ 0x13, 0x66, 0xe5, 0x70, 0xb8, 0xcd, 0x6e, 0x85, 0xe5, 0xa8, 0xc0, 0x21,
+ 0x0b, 0xce, 0x9e, 0xc8, 0xb0, 0x0c, 0xc2, 0x94, 0xa0, 0xb3, 0x02, 0x03,
+ 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+ 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x15,
+ 0x78, 0xc3, 0x8e, 0xfe, 0x65, 0xaf, 0x54, 0xaf, 0x56, 0x89, 0x64, 0x6c,
+ 0x8f, 0x16, 0x35, 0x1b, 0x34, 0x02, 0x20, 0x9c, 0x98, 0xf7, 0xdf, 0xec,
+ 0xc0, 0xe5, 0x37, 0x22, 0xb7, 0xbb, 0xc7, 0x25, 0x71, 0x56, 0xb7, 0x6e,
+ 0xa0, 0x88, 0x4c, 0x81, 0x43, 0xf0, 0x05, 0x3e, 0x9c, 0x1b, 0xf7, 0x58,
+ 0xb9, 0xfd, 0xae, 0x3b, 0xc7, 0xfb, 0xea, 0xc5, 0xfa, 0x7b, 0x42, 0x66,
+ 0x12, 0xa1, 0xe4, 0x8b, 0xe1, 0x14, 0x66, 0x6b, 0x42, 0xdc, 0xb5, 0x3c,
+ 0x3f, 0xbb, 0xf0, 0xc7, 0xf5, 0x58, 0x94, 0xc7, 0x3f, 0x11, 0x97, 0xd7,
+ 0x6f, 0xc0, 0xfe, 0xd4, 0x84, 0xc7, 0xfd, 0x05, 0x5d, 0x7d, 0x24, 0x49,
+ 0xab, 0xc6, 0xe9, 0x61, 0xab, 0x3b, 0x01, 0x47, 0xb3, 0x0a, 0xb5, 0x53,
+ 0x2b, 0x13, 0xae, 0x46, 0x03, 0xe5, 0x81, 0x9f, 0xa0, 0x46, 0x1e, 0xe5,
+ 0x12, 0x9e, 0x1c, 0x5a, 0xe8, 0x55, 0x72, 0x20, 0xab, 0x54, 0xfe, 0x3e,
+ 0xa4, 0xbe, 0x31, 0x41, 0xff, 0x49, 0x08, 0x0a, 0x13, 0x15, 0x6b, 0x24,
+ 0x7d, 0xf1, 0x44, 0xd0, 0x79, 0x93, 0xbb, 0xd5, 0xa8, 0xa3, 0x21, 0xe1,
+ 0x04, 0x3a, 0xa6, 0x00, 0x14, 0xaf, 0x77, 0x20, 0x6c, 0x39, 0xb2, 0xcf,
+ 0x5c, 0xd6, 0xd1, 0x8e, 0x79, 0x16, 0x22, 0xee, 0x58, 0x4f, 0x68, 0xf9,
+ 0x2d, 0x1f, 0x06, 0xd7, 0xd8, 0xb0, 0x25, 0x09, 0xea, 0x06, 0x47, 0xcc,
+ 0x4b, 0xa9, 0xa8, 0x7d, 0x01, 0x04, 0x3b, 0x6e, 0x30, 0xb0, 0xa5, 0xef,
+ 0x1b, 0xb2, 0x73, 0x02, 0xc2, 0x5a, 0xc3, 0x2e, 0x36, 0x42, 0x37, 0xd0,
+ 0xe6, 0x6a, 0x91, 0xee, 0x94, 0x09, 0x35, 0xa6, 0x0e, 0x5d, 0x6b, 0xc9,
+ 0xf6, 0x8b, 0x7e, 0x2e, 0xe8, 0xd5, 0xcf, 0x17, 0x84, 0x6c, 0x5a, 0xd2,
+ 0x1b, 0x04, 0x0e, 0xb9, 0xa3, 0x68, 0x42, 0xec, 0x5d, 0x29, 0xb4, 0x48,
+ 0xd4, 0x8b, 0xe1
+};
+
+unsigned char past_cert_der[] = {
+ 0x30, 0x82, 0x03, 0x81, 0x30, 0x82, 0x02, 0x69, 0x02, 0x01, 0x01, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
+ 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x08, 0x13, 0x09, 0x43, 0x61, 0x6c, 0x69, 0x6f, 0x72, 0x6e,
+ 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
+ 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1e,
+ 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x49, 0x6e, 0x74,
+ 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6e, 0x6f,
+ 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+ 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 0x69, 0x6e, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03,
+ 0x13, 0x13, 0x44, 0x65, 0x6c, 0x7a, 0x69, 0x65, 0x6c, 0x49, 0x73, 0x59,
+ 0x6f, 0x75, 0x72, 0x43, 0x41, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17,
+ 0x0d, 0x31, 0x37, 0x30, 0x32, 0x31, 0x36, 0x30, 0x32, 0x34, 0x36, 0x30,
+ 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x32, 0x31, 0x37, 0x30, 0x32,
+ 0x34, 0x36, 0x30, 0x36, 0x5a, 0x30, 0x81, 0x83, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
+ 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69,
+ 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69,
+ 0x6e, 0x6f, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+ 0x15, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65,
+ 0x63, 0x68, 0x6e, 0x6f, 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13,
+ 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74,
+ 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x31, 0x16, 0x30, 0x14, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x14, 0x0d, 0x70, 0x61, 0x73, 0x74, 0x5f, 0x63,
+ 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
+ 0x82, 0x01, 0x01, 0x00, 0xd5, 0x73, 0x4c, 0x5e, 0xf0, 0x05, 0x5e, 0x68,
+ 0x34, 0xf5, 0x1b, 0x21, 0x71, 0x73, 0x8d, 0x81, 0xb7, 0xef, 0x0f, 0x36,
+ 0x7f, 0x29, 0xeb, 0xae, 0x1a, 0x24, 0x29, 0xd5, 0xde, 0x44, 0x99, 0x6f,
+ 0xdc, 0x17, 0x23, 0xad, 0xda, 0xff, 0xaa, 0x67, 0x26, 0xc4, 0xa3, 0xc7,
+ 0x6f, 0x02, 0xbd, 0xfc, 0x0a, 0x87, 0xfa, 0x36, 0x22, 0xc2, 0x86, 0x45,
+ 0x95, 0x03, 0x16, 0x80, 0x78, 0x44, 0xa7, 0xd8, 0x45, 0x4b, 0x58, 0xbc,
+ 0x6c, 0x3b, 0xab, 0xfa, 0x63, 0xec, 0x4f, 0xfe, 0x0d, 0xa4, 0x3e, 0x81,
+ 0x3e, 0xb7, 0x17, 0x21, 0x50, 0x50, 0xf1, 0xd4, 0xbf, 0x51, 0x6c, 0xc1,
+ 0x70, 0x96, 0x9f, 0x94, 0x11, 0x3a, 0x2f, 0xdb, 0x92, 0x2e, 0x2e, 0xb0,
+ 0x16, 0x51, 0xd0, 0x99, 0x9d, 0x7e, 0x00, 0xfa, 0x6b, 0x91, 0x6e, 0x51,
+ 0xc0, 0xf5, 0xb1, 0x60, 0x17, 0xe9, 0x09, 0x17, 0xe9, 0x15, 0xa1, 0x7e,
+ 0x6d, 0x21, 0x0a, 0x2b, 0xf1, 0x07, 0xdd, 0xb2, 0x9b, 0x97, 0xba, 0xdb,
+ 0x50, 0x30, 0x25, 0x73, 0xd7, 0x4b, 0xdc, 0xda, 0x0c, 0x2d, 0xe0, 0xe0,
+ 0x9b, 0x8a, 0x36, 0x46, 0xf3, 0xd6, 0x7d, 0xe2, 0xbd, 0x28, 0xa3, 0x59,
+ 0x27, 0x4f, 0xf0, 0xa2, 0x69, 0x36, 0xec, 0x1b, 0x77, 0xcd, 0x83, 0x3f,
+ 0xce, 0x52, 0xea, 0x93, 0x7e, 0x6a, 0xbe, 0x9a, 0x4d, 0x42, 0x7b, 0x9d,
+ 0x56, 0xa6, 0x4b, 0x2e, 0x12, 0xb6, 0x27, 0x4d, 0x53, 0x0b, 0xbe, 0xc6,
+ 0x5a, 0x52, 0xb2, 0x51, 0x2f, 0xff, 0x68, 0x51, 0xf5, 0x03, 0x1f, 0xb7,
+ 0x59, 0xf1, 0x4e, 0x1d, 0x59, 0x2c, 0x14, 0x79, 0xdb, 0xb8, 0x26, 0x72,
+ 0x1a, 0x19, 0xd5, 0xdc, 0x16, 0xd8, 0x54, 0xe5, 0x77, 0x16, 0x77, 0x17,
+ 0x03, 0x3a, 0x7c, 0xd0, 0xeb, 0xbe, 0xb3, 0x9e, 0xe0, 0x12, 0xe3, 0x58,
+ 0x28, 0x9a, 0xf1, 0x6a, 0x76, 0x2a, 0xec, 0xb3, 0x02, 0x03, 0x01, 0x00,
+ 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+ 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xae, 0xfe, 0x23,
+ 0x89, 0xcf, 0xf0, 0x26, 0x3c, 0xe0, 0xc3, 0xf2, 0xe4, 0x24, 0x94, 0x94,
+ 0x34, 0xf8, 0xdf, 0x14, 0xfb, 0xb7, 0xd5, 0x0d, 0xd2, 0xb3, 0xbd, 0x6f,
+ 0xc5, 0xc1, 0x9e, 0x06, 0xe7, 0x28, 0xe3, 0x03, 0xc1, 0xb6, 0xeb, 0xee,
+ 0x3e, 0x77, 0xbd, 0x65, 0x3f, 0x58, 0xa7, 0xbc, 0x19, 0x1d, 0x26, 0x2b,
+ 0x75, 0x89, 0xee, 0x17, 0x67, 0x5b, 0xad, 0xda, 0xad, 0xe5, 0x57, 0x60,
+ 0xa1, 0x92, 0x92, 0x88, 0x6b, 0x3f, 0xc5, 0xe4, 0x49, 0xdb, 0x0a, 0x0f,
+ 0xd9, 0x68, 0x41, 0xef, 0x4d, 0x7c, 0x94, 0x12, 0x19, 0xce, 0x17, 0x04,
+ 0x9a, 0x03, 0x7c, 0xc8, 0x06, 0x95, 0xd9, 0xc0, 0x92, 0xb6, 0x3b, 0xa7,
+ 0xd1, 0xd3, 0xd5, 0xf9, 0x53, 0x43, 0xaa, 0x62, 0x97, 0x04, 0xd3, 0x05,
+ 0x73, 0xa5, 0x53, 0x80, 0x22, 0x0c, 0x06, 0x23, 0x3d, 0x7d, 0xaa, 0x58,
+ 0x28, 0xc9, 0xb2, 0xc8, 0x4c, 0x28, 0xd6, 0x8b, 0x40, 0xb6, 0x58, 0xb5,
+ 0x70, 0xae, 0x14, 0x50, 0xcd, 0x03, 0x13, 0x3b, 0xeb, 0x4c, 0xe7, 0x7f,
+ 0xd4, 0xb9, 0x5e, 0x6b, 0x26, 0xe6, 0x5a, 0x0b, 0xda, 0x8b, 0x21, 0xaf,
+ 0xdf, 0xc0, 0xce, 0xe1, 0x45, 0xab, 0x49, 0xec, 0x39, 0x68, 0x51, 0xbf,
+ 0xfc, 0xc5, 0x61, 0x43, 0xb2, 0x1b, 0xd9, 0x98, 0xdf, 0x29, 0xeb, 0x18,
+ 0x4c, 0x0e, 0x4c, 0xcc, 0x3f, 0xe2, 0x29, 0xff, 0xb1, 0x17, 0xeb, 0xbf,
+ 0xc1, 0x78, 0x26, 0x6e, 0x88, 0xb7, 0x53, 0x9e, 0xcf, 0xea, 0xd9, 0x0e,
+ 0xaf, 0x82, 0x0a, 0xf0, 0x31, 0x4b, 0xbd, 0x1e, 0xc6, 0x39, 0xfe, 0x25,
+ 0x40, 0xf6, 0x65, 0xb8, 0x17, 0xe3, 0x16, 0x98, 0x2b, 0xd5, 0x19, 0xd8,
+ 0x30, 0x08, 0xaa, 0x36, 0x5f, 0x0d, 0x95, 0x4b, 0x2e, 0x44, 0xf5, 0x26,
+ 0xdf, 0x46, 0xe1, 0x16, 0xce, 0x22, 0x0a, 0x45, 0xae, 0xdd, 0xfe, 0xb0,
+ 0x03
+};
+
+unsigned char valid_cert_der[] = {
+ 0x30, 0x82, 0x03, 0x82, 0x30, 0x82, 0x02, 0x6a, 0x02, 0x01, 0x01, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
+ 0x05, 0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+ 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x08, 0x13, 0x09, 0x43, 0x61, 0x6c, 0x69, 0x6f, 0x72, 0x6e,
+ 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
+ 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1e,
+ 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x49, 0x6e, 0x74,
+ 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6e, 0x6f,
+ 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+ 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 0x69, 0x6e, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03,
+ 0x13, 0x13, 0x44, 0x65, 0x6c, 0x7a, 0x69, 0x65, 0x6c, 0x49, 0x73, 0x59,
+ 0x6f, 0x75, 0x72, 0x43, 0x41, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17,
+ 0x0d, 0x31, 0x37, 0x30, 0x33, 0x31, 0x36, 0x30, 0x31, 0x34, 0x37, 0x33,
+ 0x35, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, 0x32, 0x32, 0x37, 0x30, 0x31,
+ 0x34, 0x37, 0x33, 0x35, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
+ 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69,
+ 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+ 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69,
+ 0x6e, 0x6f, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
+ 0x15, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x54, 0x65,
+ 0x63, 0x68, 0x6e, 0x6f, 0x6c, 0x6f, 0x67, 0x69, 0x65, 0x73, 0x31, 0x13,
+ 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x4e, 0x65, 0x74,
+ 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x31, 0x17, 0x30, 0x15, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x14, 0x0e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f,
+ 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
+ 0x02, 0x82, 0x01, 0x01, 0x00, 0xe6, 0x06, 0x8e, 0x79, 0xd6, 0x3e, 0x32,
+ 0x14, 0xfd, 0xca, 0x51, 0xca, 0x43, 0x33, 0xcf, 0xa7, 0x0b, 0x43, 0xdb,
+ 0xc4, 0xe2, 0xb4, 0x9e, 0x4d, 0xdd, 0x41, 0x20, 0x26, 0x30, 0x3c, 0xa0,
+ 0x71, 0x55, 0xe0, 0xf5, 0xf4, 0xd9, 0xc7, 0x5a, 0x22, 0x4d, 0x37, 0xe2,
+ 0xdf, 0x4d, 0x04, 0x47, 0xf5, 0x73, 0x33, 0x74, 0xd8, 0xb6, 0xe1, 0x25,
+ 0x0a, 0x58, 0x95, 0x07, 0x03, 0xc3, 0x94, 0x10, 0xaa, 0x37, 0xf6, 0xbb,
+ 0x14, 0xce, 0x44, 0xf9, 0x7c, 0x0b, 0x9c, 0x2e, 0x28, 0xab, 0x91, 0xe6,
+ 0xf2, 0x13, 0xc1, 0x90, 0x51, 0x4d, 0x6e, 0x03, 0xbb, 0x38, 0x14, 0x1c,
+ 0xef, 0xbe, 0xe4, 0x43, 0x79, 0xd6, 0xbb, 0xcc, 0x64, 0x1d, 0x6c, 0x37,
+ 0x1f, 0x2b, 0x94, 0xdd, 0x7f, 0xcc, 0xe8, 0xf6, 0xf5, 0x00, 0x46, 0x5d,
+ 0x2b, 0x84, 0xff, 0x10, 0xe3, 0x6f, 0xd0, 0x8c, 0xbd, 0x9c, 0x28, 0x49,
+ 0xac, 0x7c, 0x03, 0xdb, 0x44, 0xe1, 0xd5, 0xd0, 0x2a, 0xa6, 0x8d, 0xeb,
+ 0x2d, 0xbe, 0x93, 0xfc, 0xde, 0xbc, 0xc9, 0x38, 0xbf, 0x3c, 0x4f, 0xe2,
+ 0x78, 0xba, 0x39, 0x4d, 0xa1, 0x2a, 0x41, 0x38, 0xb7, 0x7e, 0x93, 0x01,
+ 0x09, 0x9f, 0xe5, 0xa0, 0xf1, 0x48, 0x38, 0x08, 0x20, 0x50, 0x3b, 0x50,
+ 0x7c, 0xf3, 0xa3, 0x7a, 0xed, 0xd6, 0x95, 0xed, 0x81, 0x98, 0x38, 0x59,
+ 0x87, 0x06, 0xba, 0x48, 0x6c, 0xba, 0x17, 0x5e, 0xa3, 0x99, 0x97, 0x54,
+ 0x5e, 0xd3, 0x0d, 0x13, 0x12, 0x8c, 0xd9, 0x08, 0xa5, 0x71, 0x7a, 0x33,
+ 0xcd, 0xa7, 0x8e, 0x91, 0x80, 0x33, 0x0b, 0xd0, 0x72, 0x77, 0x87, 0x10,
+ 0xaf, 0x0c, 0x33, 0x60, 0x89, 0xfe, 0xc4, 0x25, 0x81, 0xbd, 0xe9, 0xdc,
+ 0x1e, 0x72, 0x33, 0xd1, 0x6d, 0xc9, 0x49, 0x1b, 0xc1, 0xa7, 0xcf, 0x3c,
+ 0x50, 0x89, 0x1a, 0x53, 0x70, 0xc4, 0xcd, 0x41, 0x75, 0x02, 0x03, 0x01,
+ 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+ 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x00, 0x62,
+ 0x9d, 0x3d, 0x0f, 0xbf, 0x75, 0x39, 0x5d, 0x06, 0xd3, 0xc9, 0x6b, 0xa4,
+ 0xd1, 0xbb, 0xb2, 0xc7, 0x55, 0xac, 0xb1, 0x74, 0xa3, 0xd9, 0x30, 0x85,
+ 0x90, 0xd6, 0xfd, 0xe1, 0x28, 0x6e, 0x2c, 0x86, 0x4c, 0xa1, 0xf5, 0x31,
+ 0xac, 0x53, 0xc5, 0x06, 0x85, 0x26, 0x15, 0xd0, 0x35, 0xce, 0x81, 0x02,
+ 0xeb, 0x20, 0xc9, 0x91, 0xda, 0xc6, 0x56, 0x89, 0x58, 0x77, 0x0a, 0xc8,
+ 0xc0, 0x4c, 0x72, 0x1a, 0xfa, 0xb1, 0xd5, 0x29, 0x97, 0xdc, 0x2f, 0xe9,
+ 0xf1, 0x87, 0xdf, 0x92, 0x67, 0x8a, 0x4c, 0x4d, 0x04, 0xaa, 0xde, 0xb9,
+ 0x8d, 0xe5, 0x6e, 0x1a, 0xe8, 0x92, 0x51, 0x42, 0x6f, 0x4f, 0xab, 0xb0,
+ 0xf9, 0x77, 0x12, 0xbc, 0x66, 0x2d, 0xc8, 0xe5, 0xee, 0xaa, 0x42, 0x47,
+ 0x5e, 0x9a, 0x9a, 0xd5, 0xf7, 0xbb, 0x08, 0x98, 0xdc, 0x58, 0xfd, 0x24,
+ 0x8c, 0xa6, 0xd1, 0x2f, 0xe9, 0xb5, 0xed, 0xce, 0xeb, 0xae, 0x1a, 0x1a,
+ 0xce, 0x80, 0xab, 0x88, 0x9e, 0x0f, 0x4d, 0xe4, 0x22, 0x26, 0x5b, 0x9b,
+ 0x6c, 0xd5, 0x0b, 0x6e, 0x99, 0xa9, 0x3b, 0xd9, 0x63, 0x5e, 0xa9, 0x44,
+ 0x71, 0x3a, 0x76, 0x24, 0x1e, 0x99, 0xff, 0xf9, 0x4d, 0x85, 0x61, 0x81,
+ 0xc7, 0x05, 0x96, 0xad, 0xf9, 0x3e, 0xa4, 0xbb, 0x30, 0xb0, 0x5d, 0x70,
+ 0xf4, 0xa3, 0xe1, 0x4e, 0xaf, 0xef, 0xe4, 0x82, 0x43, 0x49, 0xda, 0x04,
+ 0x4d, 0x51, 0xec, 0x3c, 0x5e, 0xed, 0x24, 0x26, 0x4d, 0xd1, 0x3a, 0x4c,
+ 0x85, 0x3b, 0xdb, 0x6d, 0xc7, 0xd8, 0x7c, 0x62, 0x6b, 0x18, 0x03, 0x05,
+ 0xc6, 0x22, 0xec, 0xb9, 0x71, 0xe1, 0x98, 0xb0, 0x4f, 0xd5, 0x52, 0x14,
+ 0x5e, 0x90, 0x10, 0x8f, 0xd1, 0x00, 0xbb, 0x55, 0x15, 0x27, 0x77, 0xe9,
+ 0xe9, 0x4c, 0x9d, 0xc1, 0xb2, 0xd9, 0xc4, 0xce, 0xfe, 0x97, 0x04, 0xbd,
+ 0x5d, 0x13
+};
+
+#endif /* certs_data_h */
--- /dev/null
+//
+// racoon_test.c
+// ipsec
+//
+// Copyright (c) 2017 Apple Inc. All rights reserved.
+//
+
+#include "oakley.h"
+#include "crypto_cssm.h"
+#include "racoon_certs_data.h"
+
+#include <TargetConditionals.h>
+#include <Security/SecCertificate.h>
+#include <sysexits.h>
+#include <getopt.h>
+
+#define racoon_test_pass 0
+#define racoon_test_failure 1
+
+static struct option long_options[] =
+{
+ {"unit_test", no_argument, 0, 'u'},
+ {"help" , no_argument, 0, 'h'}
+};
+
+static void
+print_usage(char *name)
+{
+ printf("Usage: %s\n", name);
+ printf(" -unit_test\n");
+}
+
+static int
+racoon_cert_validity_test(void)
+{
+ int result = racoon_test_pass;
+#ifndef HAVE_OPENSSL
+ /*
+ * Below tests are applicable only for embedded
+ * because the crypto_cssm_check_x509cert_dates()
+ * does nothing on osx.
+ */
+ cert_status_t cert_status;
+
+ fprintf(stdout, "[TEST] RacoonCertValidity\n");
+
+ // For certificate info, look at past_cert.der
+ fprintf(stdout, "[BEGIN] ExpiredCertTest\n");
+ CFDataRef past_cert_data = CFDataCreate(kCFAllocatorDefault, past_cert_der, sizeof(past_cert_der));
+ SecCertificateRef past_cert_ref = SecCertificateCreateWithData(NULL, past_cert_data);
+ cert_status = crypto_cssm_check_x509cert_dates (past_cert_ref);
+ if (cert_status != CERT_STATUS_EXPIRED) {
+ fprintf(stdout, "[FAIL] ExpiredCertTest\n");
+ result = racoon_test_failure;
+ } else {
+ fprintf(stdout, "[PASS] ExpiredCertTest\n");
+ }
+
+ // For certificate info, look at future_cert.der
+ fprintf(stdout, "[BEGIN] PrematureCertTest\n");
+ CFDataRef future_cert_data = CFDataCreate(kCFAllocatorDefault, future_cert_der, sizeof(future_cert_der));
+ SecCertificateRef future_cert_ref = SecCertificateCreateWithData(NULL, future_cert_data);
+ cert_status = crypto_cssm_check_x509cert_dates (future_cert_ref);
+ if (cert_status != CERT_STATUS_PREMATURE) {
+ fprintf(stdout, "[FAIL] PrematureCertTest\n");
+ result = racoon_test_failure;
+ } else {
+ fprintf(stdout, "[PASS] PrematureCertTest\n");
+ }
+
+
+ // For certificate info, look at valid_cert.der
+ fprintf(stdout, "[BEGIN] ValidCertTest\n");
+ CFDataRef valid_cert_data = CFDataCreate(kCFAllocatorDefault, valid_cert_der, sizeof(valid_cert_der));
+ SecCertificateRef valid_cert_ref = SecCertificateCreateWithData(NULL, valid_cert_data);
+ cert_status = crypto_cssm_check_x509cert_dates (valid_cert_ref);
+ if (cert_status != CERT_STATUS_OK) {
+ fprintf(stdout, "[FAIL] ValidCertTest\n");
+ result = racoon_test_failure;
+ } else {
+ fprintf(stdout, "[PASS] ValidCertTest\n");
+ }
+#endif // HAVE_OPENSSL
+ return result;
+}
+
+static void
+racoon_unit_test(void)
+{
+ int result = racoon_test_pass;
+
+ if (racoon_cert_validity_test() == racoon_test_failure) {
+ result = racoon_test_failure;
+ }
+
+ if (result == racoon_test_pass) {
+ fprintf(stdout, "\nAll Tests Passed\n\n");
+ }
+}
+
+int
+main(int argc, char *argv[])
+{
+ int opt = 0;
+ int opt_index = 0;
+
+ if (argc < 2) {
+ print_usage(argv[0]);
+ return (0);
+ }
+
+ while ((opt = getopt_long_only(argc, argv, "", long_options, &opt_index)) != -1) {
+ switch (opt) {
+ case 'u':
+ {
+ racoon_unit_test();
+ break;
+ }
+ case 'h':
+ default:
+ {
+ print_usage(argv[0]);
+ exit(EXIT_FAILURE);
+ }
+ }
+ }
+
+ return (0);
+}
72B3C21E16850D1E004E4548 /* CopyFiles */,
);
dependencies = (
+ 69983DBD1E7B3D30007683BF /* PBXTargetDependency */,
72B3C2101684F5E1004E4548 /* PBXTargetDependency */,
72B3C20E1684F5DE004E4548 /* PBXTargetDependency */,
);
buildPhases = (
);
dependencies = (
+ 69983DBF1E7B4DE4007683BF /* PBXTargetDependency */,
812531110D3FEA28006BDF4F /* PBXTargetDependency */,
81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */,
81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */,
25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; };
25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E40988657000D15623 /* isakmp_xauth.c */; };
25DE2DE90A8BD40E0010A46D /* vpn_control.c in Sources */ = {isa = PBXBuildFile; fileRef = 25DE2DE60A8BD40E0010A46D /* vpn_control.c */; };
- 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; };
- 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; };
25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87609D87A770042CC7F /* libiconv.dylib */; };
25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE8C009D87B080042CC7F /* CoreFoundation.framework */; };
25EAE8C609D87B990042CC7F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; };
25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; };
25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
+ 6912CB6E1E78D94B00631D9A /* crypto_cssm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B70988657000D15623 /* crypto_cssm.c */; };
+ 6912CB701E78D96900631D9A /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB6F1E78D96900631D9A /* Security.framework */; };
+ 6912CB721E78D97200631D9A /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB711E78D97200631D9A /* CoreFoundation.framework */; };
+ 6912CB731E78D9A900631D9A /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
+ 6912CB741E78D9D800631D9A /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; };
+ 6912CB761E78DD7100631D9A /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */; };
+ 6912CB771E78DD8800631D9A /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; };
72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; };
723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; };
724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
+ 7253CC651E7B3F4600B2DDF5 /* racoon_test.c in Sources */ = {isa = PBXBuildFile; fileRef = 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */; };
72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; };
72F5C72E1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; };
72F5C72F1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
+ 69983DBC1E7B3D30007683BF /* PBXContainerItemProxy */ = {
+ isa = PBXContainerItemProxy;
+ containerPortal = 23D2D790087071FC00C51098 /* Project object */;
+ proxyType = 1;
+ remoteGlobalIDString = 69BB7E331E777E3C009EE2BA;
+ remoteInfo = racoon_test;
+ };
+ 69983DBE1E7B4DE4007683BF /* PBXContainerItemProxy */ = {
+ isa = PBXContainerItemProxy;
+ containerPortal = 23D2D790087071FC00C51098 /* Project object */;
+ proxyType = 1;
+ remoteGlobalIDString = 69BB7E331E777E3C009EE2BA;
+ remoteInfo = racoon_test;
+ };
724ED875168515A7008F2EBD /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
);
runOnlyForDeploymentPostprocessing = 1;
};
+ 69BB7E321E777E3C009EE2BA /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 2147483647;
+ dstPath = /usr/share/man/man1/;
+ dstSubfolderSpec = 0;
+ files = (
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
72265DD80F818ED700730A7D /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
25F259270988657000D15623 /* vmbuf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vmbuf.h; sourceTree = "<group>"; };
25F777B909ABE3E100C99783 /* key_debug.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = key_debug.c; path = Common/key_debug.c; sourceTree = "<group>"; };
25F777ED09ABE58400C99783 /* pfkey_dump.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey_dump.c; path = Common/pfkey_dump.c; sourceTree = "<group>"; };
+ 6912CB6F1E78D96900631D9A /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; };
+ 6912CB711E78D97200631D9A /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/CoreFoundation.framework; sourceTree = DEVELOPER_DIR; };
+ 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/SystemConfiguration.framework; sourceTree = DEVELOPER_DIR; };
+ 69BB7E341E777E3C009EE2BA /* racoon_test */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon_test; sourceTree = BUILT_PRODUCTS_DIR; };
+ 69BB7E351E777E3D009EE2BA /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
72265DDB0F818F9300730A7D /* ipsec.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; path = ipsec.plist; sourceTree = "<group>"; };
723B6A2F162F7BE300895EE5 /* xpc_racoon.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = xpc_racoon.c; sourceTree = "<group>"; };
723B6A33162F7C1100895EE5 /* ipsec_xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsec_xpc.h; sourceTree = "<group>"; };
724F99500E3672FD00C56897 /* com.apple.racoon.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.racoon.plist; sourceTree = "<group>"; };
+ 7253CC601E7B3EAB00B2DDF5 /* racoon_certs_data.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = racoon_certs_data.h; path = "ipsec-tools/racoon_test/racoon_certs_data.h"; sourceTree = SOURCE_ROOT; };
+ 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = racoon_test.c; path = "ipsec-tools/racoon_test/racoon_test.c"; sourceTree = SOURCE_ROOT; };
+ 7253CC621E7B3EB700B2DDF5 /* future_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = future_cert.der; path = "ipsec-tools/racoon_test/future_cert.der"; sourceTree = SOURCE_ROOT; };
+ 7253CC631E7B3EB700B2DDF5 /* past_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = past_cert.der; path = "ipsec-tools/racoon_test/past_cert.der"; sourceTree = SOURCE_ROOT; };
+ 7253CC641E7B3EB700B2DDF5 /* valid_cert.der */ = {isa = PBXFileReference; lastKnownFileType = file; name = valid_cert.der; path = "ipsec-tools/racoon_test/valid_cert.der"; sourceTree = SOURCE_ROOT; };
72F5C72D1607A1AE004C192F /* api_support.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = api_support.c; sourceTree = "<group>"; };
72F5C7311607A1DD004C192F /* api_support.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = api_support.h; sourceTree = "<group>"; };
7822D11D188DB07300874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = ../../../../../System/Library/Frameworks/NetworkExtension.framework; sourceTree = "<group>"; };
25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */,
8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */,
2537A1C709E49D0600D0ECDA /* libipsec.A.dylib in Frameworks */,
- 25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */,
- 25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */,
25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */,
81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */,
BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */,
);
runOnlyForDeploymentPostprocessing = 0;
};
+ 69BB7E311E777E3C009EE2BA /* Frameworks */ = {
+ isa = PBXFrameworksBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ 6912CB761E78DD7100631D9A /* SystemConfiguration.framework in Frameworks */,
+ 6912CB721E78D97200631D9A /* CoreFoundation.framework in Frameworks */,
+ 6912CB701E78D96900631D9A /* Security.framework in Frameworks */,
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ };
812530F40D3FE9DC006BDF4F /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
8125310A0D3FE9DC006BDF4F /* racoon */,
81DDFDAA0D622C1700C5CB87 /* setkey */,
81DDFDCD0D622C2700C5CB87 /* libipsec.A.dylib */,
+ 69BB7E341E777E3C009EE2BA /* racoon_test */,
);
name = Products;
sourceTree = "<group>";
25D3DB4C098998230025F703 /* Frameworks */ = {
isa = PBXGroup;
children = (
+ 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */,
+ 6912CB711E78D97200631D9A /* CoreFoundation.framework */,
+ 6912CB6F1E78D96900631D9A /* Security.framework */,
7822D11F188DB07C00874E91 /* NetworkExtension.framework */,
7822D11D188DB07300874E91 /* NetworkExtension.framework */,
81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */,
25EAE83709D875BF0042CC7F /* DirectoryService.framework */,
25EAE8C009D87B080042CC7F /* CoreFoundation.framework */,
BA48611B109C2BBA00545E19 /* IOKit.framework */,
+ 69BB7E351E777E3D009EE2BA /* Foundation.framework */,
);
name = Frameworks;
sourceTree = "<group>";
25D3DB1B098996310025F703 /* libipsec */,
25F258000987FB1600D15623 /* racoon */,
25F257FF0987FB0E00D15623 /* setkey */,
+ 69BB7E2F1E777DEB009EE2BA /* Tests */,
);
path = "ipsec-tools";
sourceTree = "<group>";
path = Sample;
sourceTree = "<group>";
};
+ 69983DB81E7B1BC6007683BF /* Source */ = {
+ isa = PBXGroup;
+ children = (
+ 7253CC601E7B3EAB00B2DDF5 /* racoon_certs_data.h */,
+ 7253CC611E7B3EAB00B2DDF5 /* racoon_test.c */,
+ );
+ path = Source;
+ sourceTree = "<group>";
+ };
+ 69983DB91E7B1BCE007683BF /* Support */ = {
+ isa = PBXGroup;
+ children = (
+ 7253CC621E7B3EB700B2DDF5 /* future_cert.der */,
+ 7253CC631E7B3EB700B2DDF5 /* past_cert.der */,
+ 7253CC641E7B3EB700B2DDF5 /* valid_cert.der */,
+ );
+ path = Support;
+ sourceTree = "<group>";
+ };
+ 69BB7E2F1E777DEB009EE2BA /* Tests */ = {
+ isa = PBXGroup;
+ children = (
+ 69BB7E371E777E3D009EE2BA /* racoon_test */,
+ );
+ path = Tests;
+ sourceTree = "<group>";
+ };
+ 69BB7E371E777E3D009EE2BA /* racoon_test */ = {
+ isa = PBXGroup;
+ children = (
+ 69983DB81E7B1BC6007683BF /* Source */,
+ 69983DB91E7B1BCE007683BF /* Support */,
+ );
+ name = racoon_test;
+ path = ../../racoon_test;
+ sourceTree = "<group>";
+ };
818710380D5BE15400C7B441 /* Sample */ = {
isa = PBXGroup;
children = (
productReference = 25F2580A0987FC1500D15623 /* setkey */;
productType = "com.apple.product-type.tool";
};
+ 69BB7E331E777E3C009EE2BA /* racoon_test */ = {
+ isa = PBXNativeTarget;
+ buildConfigurationList = 69BB7E3C1E777E3D009EE2BA /* Build configuration list for PBXNativeTarget "racoon_test" */;
+ buildPhases = (
+ 69BB7E301E777E3C009EE2BA /* Sources */,
+ 69BB7E311E777E3C009EE2BA /* Frameworks */,
+ 69BB7E321E777E3C009EE2BA /* CopyFiles */,
+ );
+ buildRules = (
+ );
+ dependencies = (
+ );
+ name = racoon_test;
+ productName = racoon_test;
+ productReference = 69BB7E341E777E3C009EE2BA /* racoon_test */;
+ productType = "com.apple.product-type.tool";
+ };
812530BA0D3FE9DC006BDF4F /* racoon Embedded */ = {
isa = PBXNativeTarget;
buildConfigurationList = 812531050D3FE9DC006BDF4F /* Build configuration list for PBXNativeTarget "racoon Embedded" */;
isa = PBXProject;
attributes = {
LastUpgradeCheck = 0430;
+ TargetAttributes = {
+ 69BB7E331E777E3C009EE2BA = {
+ CreatedOnToolsVersion = 9.0;
+ ProvisioningStyle = Automatic;
+ };
+ };
};
buildConfigurationList = 25D3DACC098952B20025F703 /* Build configuration list for PBXProject "ipsec" */;
compatibilityVersion = "Xcode 3.2";
812530BA0D3FE9DC006BDF4F /* racoon Embedded */,
81DDFD970D622C1700C5CB87 /* setkey Embedded */,
81DDFDB80D622C2700C5CB87 /* libipsec Embedded */,
+ 69BB7E331E777E3C009EE2BA /* racoon_test */,
);
};
/* End PBXProject section */
);
runOnlyForDeploymentPostprocessing = 0;
};
+ 69BB7E301E777E3C009EE2BA /* Sources */ = {
+ isa = PBXSourcesBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ 7253CC651E7B3F4600B2DDF5 /* racoon_test.c in Sources */,
+ 6912CB771E78DD8800631D9A /* Preferences.c in Sources */,
+ 6912CB741E78D9D800631D9A /* plog.c in Sources */,
+ 6912CB731E78D9A900631D9A /* vmbuf.c in Sources */,
+ 6912CB6E1E78D94B00631D9A /* crypto_cssm.c in Sources */,
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ };
812530BF0D3FE9DC006BDF4F /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
/* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */
+ 69983DBD1E7B3D30007683BF /* PBXTargetDependency */ = {
+ isa = PBXTargetDependency;
+ target = 69BB7E331E777E3C009EE2BA /* racoon_test */;
+ targetProxy = 69983DBC1E7B3D30007683BF /* PBXContainerItemProxy */;
+ };
+ 69983DBF1E7B4DE4007683BF /* PBXTargetDependency */ = {
+ isa = PBXTargetDependency;
+ target = 69BB7E331E777E3C009EE2BA /* racoon_test */;
+ targetProxy = 69983DBE1E7B4DE4007683BF /* PBXContainerItemProxy */;
+ };
724ED876168515A7008F2EBD /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 72B3C21116850B87004E4548 /* ipsec_libraries */;
};
name = Default;
};
+ 69BB7E3D1E777E3D009EE2BA /* Development */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
+ APPLY_RULES_IN_COPY_FILES = YES;
+ CLANG_ANALYZER_NONNULL = YES;
+ CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
+ CLANG_CXX_LANGUAGE_STANDARD = "c++14";
+ CLANG_CXX_LIBRARY = "libc++";
+ CLANG_ENABLE_MODULES = NO;
+ CLANG_ENABLE_OBJC_ARC = YES;
+ CLANG_WARN_BOOL_CONVERSION = YES;
+ CLANG_WARN_CONSTANT_CONVERSION = YES;
+ CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
+ CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
+ CLANG_WARN_EMPTY_BODY = YES;
+ CLANG_WARN_ENUM_CONVERSION = YES;
+ CLANG_WARN_INFINITE_RECURSION = YES;
+ CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
+ CLANG_WARN_SUSPICIOUS_MOVE = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
+ CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-";
+ COPY_PHASE_STRIP = NO;
+ DEBUG_INFORMATION_FORMAT = dwarf;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ ENABLE_TESTABILITY = YES;
+ GCC_C_LANGUAGE_STANDARD = c11;
+ GCC_DYNAMIC_NO_PIC = NO;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_OPTIMIZATION_LEVEL = 0;
+ GCC_PREPROCESSOR_DEFINITIONS = (
+ "DEBUG=1",
+ "$(inherited)",
+ );
+ GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
+ GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
+ GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
+ GCC_WARN_UNUSED_FUNCTION = YES;
+ GCC_WARN_UNUSED_VARIABLE = YES;
+ IPHONEOS_DEPLOYMENT_TARGET = 11.0;
+ MACOSX_DEPLOYMENT_TARGET = 10.13;
+ MTL_ENABLE_DEBUG_INFO = YES;
+ ONLY_ACTIVE_ARCH = NO;
+ OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS";
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
+ STRIP_INSTALLED_PRODUCT = NO;
+ SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator";
+ TVOS_DEPLOYMENT_TARGET = 11.0;
+ VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f armv7k armv7m armv7s xscale x86_64h x86_64 i386";
+ VERSIONING_SYSTEM = "apple-generic";
+ };
+ name = Development;
+ };
+ 69BB7E3E1E777E3D009EE2BA /* Deployment */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
+ APPLY_RULES_IN_COPY_FILES = YES;
+ CLANG_ANALYZER_NONNULL = YES;
+ CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
+ CLANG_CXX_LANGUAGE_STANDARD = "c++14";
+ CLANG_CXX_LIBRARY = "libc++";
+ CLANG_ENABLE_MODULES = NO;
+ CLANG_ENABLE_OBJC_ARC = YES;
+ CLANG_WARN_BOOL_CONVERSION = YES;
+ CLANG_WARN_CONSTANT_CONVERSION = YES;
+ CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
+ CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
+ CLANG_WARN_EMPTY_BODY = YES;
+ CLANG_WARN_ENUM_CONVERSION = YES;
+ CLANG_WARN_INFINITE_RECURSION = YES;
+ CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
+ CLANG_WARN_SUSPICIOUS_MOVE = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
+ CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-";
+ COPY_PHASE_STRIP = YES;
+ DEAD_CODE_STRIPPING = YES;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+ ENABLE_NS_ASSERTIONS = NO;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ GCC_C_LANGUAGE_STANDARD = c11;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
+ GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
+ GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
+ GCC_WARN_UNUSED_FUNCTION = YES;
+ GCC_WARN_UNUSED_VARIABLE = YES;
+ IPHONEOS_DEPLOYMENT_TARGET = 11.0;
+ MACOSX_DEPLOYMENT_TARGET = 10.13;
+ MTL_ENABLE_DEBUG_INFO = NO;
+ OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS";
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
+ SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator";
+ TVOS_DEPLOYMENT_TARGET = 11.0;
+ VALIDATE_PRODUCT = YES;
+ VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f armv7k armv7m armv7s xscale x86_64h x86_64 i386";
+ VERSIONING_SYSTEM = "apple-generic";
+ };
+ name = Deployment;
+ };
+ 69BB7E3F1E777E3D009EE2BA /* Default */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
+ APPLY_RULES_IN_COPY_FILES = YES;
+ CLANG_ANALYZER_NONNULL = YES;
+ CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
+ CLANG_CXX_LANGUAGE_STANDARD = "c++14";
+ CLANG_CXX_LIBRARY = "libc++";
+ CLANG_ENABLE_MODULES = NO;
+ CLANG_ENABLE_OBJC_ARC = YES;
+ CLANG_WARN_BOOL_CONVERSION = YES;
+ CLANG_WARN_CONSTANT_CONVERSION = YES;
+ CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
+ CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
+ CLANG_WARN_EMPTY_BODY = YES;
+ CLANG_WARN_ENUM_CONVERSION = YES;
+ CLANG_WARN_INFINITE_RECURSION = YES;
+ CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
+ CLANG_WARN_SUSPICIOUS_MOVE = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
+ CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-";
+ COPY_PHASE_STRIP = YES;
+ DEAD_CODE_STRIPPING = YES;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+ ENABLE_NS_ASSERTIONS = NO;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ GCC_C_LANGUAGE_STANDARD = c11;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
+ GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
+ GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
+ GCC_WARN_UNUSED_FUNCTION = YES;
+ GCC_WARN_UNUSED_VARIABLE = YES;
+ IPHONEOS_DEPLOYMENT_TARGET = 11.0;
+ MACOSX_DEPLOYMENT_TARGET = 10.13;
+ MTL_ENABLE_DEBUG_INFO = NO;
+ OTHER_CFLAGS = "-DUSE_SYSTEMCONFIGURATION_PRIVATE_HEADERS";
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ SDKROOT = iphoneos.internal;
+ SUPPORTED_PLATFORMS = "macosx iphonesimulator iphoneos appletvos appletvsimulator";
+ TVOS_DEPLOYMENT_TARGET = 11.0;
+ VALIDATE_PRODUCT = YES;
+ VALID_ARCHS = "arm64 arm64_32 arm64e armv4t armv5 armv6 armv6m armv7 armv7em armv7f armv7k armv7m armv7s xscale x86_64h x86_64 i386";
+ VERSIONING_SYSTEM = "apple-generic";
+ };
+ name = Default;
+ };
72B3C2091684F5C4004E4548 /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Default;
};
+ 69BB7E3C1E777E3D009EE2BA /* Build configuration list for PBXNativeTarget "racoon_test" */ = {
+ isa = XCConfigurationList;
+ buildConfigurations = (
+ 69BB7E3D1E777E3D009EE2BA /* Development */,
+ 69BB7E3E1E777E3D009EE2BA /* Deployment */,
+ 69BB7E3F1E777E3D009EE2BA /* Default */,
+ );
+ defaultConfigurationIsVisible = 0;
+ defaultConfigurationName = Default;
+ };
72B3C20C1684F5C4004E4548 /* Build configuration list for PBXAggregateTarget "ipsec_executables" */ = {
isa = XCConfigurationList;
buildConfigurations = (
projects / apple / ipsec.git / commitdiff
