<key>keychain-access-groups</key>
<array>
<string>apple</string>
+ <string>com.apple.certificates</string>
<string>com.apple.identities</string>
</array>
<key>seatbelt-profiles</key>
#endif
#ifdef HAVE_OPENSSL
-/* Define to 1 if you have the <openssl/aes.h> header file. */
-#define HAVE_OPENSSL_AES_H 1
/* Define to 1 if you have the <openssl/engine.h> header file. */
#define HAVE_OPENSSL_ENGINE_H 1
-/* Define to 1 if you have the <openssl/idea.h> header file. */
-#undef HAVE_OPENSSL_IDEA_H
-
-/* Define to 1 if you have the <openssl/rc5.h> header file. */
-#define HAVE_OPENSSL_RC5_H 1
#endif
/* Define to 1 if you have the `pam_start' function. */
#endif /* !_KERNEL */
#include "config.h"
+#include "var.h"
#include "libpfkey.h"
static void kdebug_sadb_prop __P((struct sadb_ext *));
static void kdebug_sadb_session_id __P((struct sadb_ext *));
static void kdebug_sadb_sastat __P((struct sadb_ext *));
static void kdebug_sadb_x_policy __P((struct sadb_ext *ext));
-static void kdebug_sockaddr __P((struct sockaddr *addr));
+static void kdebug_sockaddr __P((struct sockaddr_storage *addr));
#ifdef SADB_X_EXT_NAT_T_TYPE
static void kdebug_sadb_x_nat_t_type __P((struct sadb_ext *ext));
kdebug_sadb_session_id(ext)
struct sadb_ext *ext;
{
- struct sadb_session_id *p = (__typeof__(p))ext;
+ struct sadb_session_id *p = ALIGNED_CAST(__typeof__(p))ext; // Wcast-align fix (void*) - sadb structs come from and aligned buffer
/* sanity check */
if (ext == NULL) {
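Review bot: The new comment on the ALIGNED_CAST line reads `sadb structs come from and aligned buffer`; that should be `an aligned buffer`, and the same wording is repeated on the equivalent line in kdebug_sadb_sastat below. The surrounding file uses `/* */` comments (`/* sanity check */` two lines down), so the trailing `//` comment also departs from the local style; `/* Wcast-align fix (void *): sadb structs come from an aligned buffer */` fixes both. kdebug_sadb_session_id's body continues outside the hunk.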
kdebug_sadb_sastat(ext)
struct sadb_ext *ext;
{
- struct sadb_sastat *p = (__typeof__(p))ext;
+ struct sadb_sastat *p = ALIGNED_CAST(__typeof__(p))ext; // Wcast-align fix (void*) - sadb structs come from and aligned buffer
struct sastat *stats;
int i;
struct sadb_ext *ext;
{
struct sadb_x_policy *xpl = (void *)ext;
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
/* sanity check */
if (ext == NULL)
addr = (void *)(xisr + 1);
kdebug_sockaddr(addr);
addr = (void *)((caddr_t)(void *)addr
- + sysdep_sa_len(addr));
+ + sysdep_sa_len((struct sockaddr *)addr));
kdebug_sockaddr(addr);
}
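Review bot: Retyping the local `addr` as `struct sockaddr_storage *` gives the compiler a stronger alignment promise than this buffer keeps: the second address is computed as the first plus `sysdep_sa_len()` on the lines just before the last `kdebug_sockaddr(addr)`, and for an AF_INET6 address that length is not a multiple of 8, while `struct sockaddr_storage` is declared with 64-bit alignment padding on BSD-derived systems. The original `struct sockaddr *` only claimed the alignment the sadb_x_ipsecrequest payload actually has, so the change silences the cast warning while making the access at least formally misaligned; it is probably harmless where only `ss_family` is read, but that depends on the ABI and is not shown here. I would keep the local as `struct sockaddr *` and cast at the `kdebug_sockaddr()` call, or record the assumption next to the declaration: `/* points at a sa_len-sized sockaddr inside the message; storage-typed for the API only, not 8-byte aligned */`. kdebug_sadb_x_policy starts before this hunk.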
static void
kdebug_sockaddr(addr)
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
{
struct sockaddr_in *sin4;
#ifdef INET6
panic("kdebug_sockaddr: NULL pointer was passed.\n");
/* NOTE: We deal with port number as host byte order. */
- printf("sockaddr{ len=%u family=%u", sysdep_sa_len(addr), addr->sa_family);
+ printf("sockaddr_storage{ len=%u family=%u", sysdep_sa_len((struct sockaddr *)addr), addr->ss_family);
- switch (addr->sa_family) {
+ switch (addr->ss_family) {
case AF_INET:
sin4 = (void *)addr;
printf(" port=%u\n", ntohs(sin4->sin_port));
extern void pfkey_spdump __P((struct sadb_msg *));
extern void pfkey_spdump_withports __P((struct sadb_msg *));
-struct sockaddr;
+struct sockaddr_storage;
struct sadb_alg;
/* Accomodate different prototypes in <netinet6/ipsec.h> */
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
-int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
-int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
+int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
+int pfkey_send_update __P((int, u_int, u_int, struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t, u_int16_t));
-int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int,
+int pfkey_send_add __P((int, u_int, u_int, struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t, u_int16_t));
int pfkey_send_delete __P((int, u_int, u_int,
- struct sockaddr *, struct sockaddr *, u_int32_t));
+ struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t));
int pfkey_send_delete_all __P((int, u_int, u_int,
- struct sockaddr *, struct sockaddr *));
+ struct sockaddr_storage *, struct sockaddr_storage *));
int pfkey_send_get __P((int, u_int, u_int,
- struct sockaddr *, struct sockaddr *, u_int32_t));
+ struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_set_supported __P((struct sadb_msg *, int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
-int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
-int pfkey_send_spdadd2 __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+int pfkey_send_spdadd __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdadd2 __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
-int pfkey_send_spdupdate __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
-int pfkey_send_spdupdate2 __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+int pfkey_send_spdupdate __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdupdate2 __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t,
caddr_t, int, u_int32_t));
-int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spddelete __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete2 __P((int, u_int32_t));
int pfkey_send_spdget __P((int, u_int32_t));
-int pfkey_send_spdsetidx __P((int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
+int pfkey_send_spdsetidx __P((int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
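Review bot: The header now advertises `struct sockaddr_storage *` for every address parameter, but nothing states that the pointed-to object may be only `sa_len` bytes long — the .c side still sizes every copy with `sysdep_sa_len((struct sockaddr *)x)`, the kdebug code in this diff passes pointers into the raw message, and the parser's `p_src`/`p_dst` are whatever `parse_sockaddr` allocates. A future `sizeof *src` or struct assignment through one of these parameters would over-read, and the type no longer warns about that. A comment beside the forward declaration `struct sockaddr_storage;` makes the contract explicit: `/* Address arguments are sockaddr_storage-typed for the API only; the object behind the pointer is sa_len bytes long, so size every copy with sysdep_sa_len(). */`.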
#include <sys/param.h>
#include <sys/socket.h>
#include <System/net/pfkeyv2.h>
+#include <sys/sysctl.h>
#include <netinet/in.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
+#include <fcntl.h>
+#include "var.h"
#include "ipsec_strerror.h"
#include "libpfkey.h"
static int findsupportedmap __P((int));
static int setsupportedmap __P((struct sadb_supported *));
static struct sadb_alg *findsupportedalg __P((u_int, u_int));
-static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr *,
- struct sockaddr *, u_int32_t, u_int32_t, u_int, caddr_t,
+static int pfkey_send_x1 __P((int, u_int, u_int, u_int, struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int32_t, u_int32_t, u_int, caddr_t,
u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int32_t,
u_int32_t, u_int32_t, u_int32_t, u_int16_t));
static int pfkey_send_x2 __P((int, u_int, u_int, u_int,
- struct sockaddr *, struct sockaddr *, u_int32_t));
+ struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t));
static int pfkey_send_x3 __P((int, u_int, u_int));
-static int pfkey_send_x4 __P((int, u_int, struct sockaddr *, u_int,
- struct sockaddr *, u_int, u_int, u_int64_t, u_int64_t,
+static int pfkey_send_x4 __P((int, u_int, struct sockaddr_storage *, u_int,
+ struct sockaddr_storage *, u_int, u_int, u_int64_t, u_int64_t,
char *, int, u_int32_t));
static int pfkey_send_x5 __P((int, u_int, u_int32_t));
static caddr_t pfkey_setsadbsa __P((caddr_t, caddr_t, u_int32_t, u_int,
u_int, u_int, u_int32_t, u_int16_t));
static caddr_t pfkey_setsadbaddr __P((caddr_t, caddr_t, u_int,
- struct sockaddr *, u_int, u_int));
+ struct sockaddr_storage *, u_int, u_int));
static caddr_t pfkey_setsadbkey __P((caddr_t, caddr_t, u_int, caddr_t, u_int));
static caddr_t pfkey_setsadblifetime __P((caddr_t, caddr_t, u_int, u_int32_t,
u_int32_t, u_int32_t, u_int32_t));
};
static int
-findsupportedmap(satype)
- int satype;
+findsupportedmap(int satype)
{
int i;
}
static struct sadb_alg *
-findsupportedalg(satype, alg_id)
- u_int satype, alg_id;
+findsupportedalg(u_int satype, u_int alg_id)
{
int algno;
int tlen;
}
static int
-setsupportedmap(sup)
- struct sadb_supported *sup;
+setsupportedmap(struct sadb_supported *sup)
{
struct sadb_supported **ipsup;
* 0: valid.
*/
int
-ipsec_check_keylen(supported, alg_id, keylen)
- u_int supported;
- u_int alg_id;
- u_int keylen;
+ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen)
{
u_int satype;
* 0: valid.
*/
int
-ipsec_check_keylen2(satype, alg_id, keylen)
- u_int satype;
- u_int alg_id;
- u_int keylen;
+ipsec_check_keylen2(u_int satype, u_int alg_id, u_int keylen)
{
struct sadb_alg *alg;
* 0: valid.
*/
int
-ipsec_get_keylen(supported, alg_id, alg0)
- u_int supported, alg_id;
- struct sadb_alg *alg0;
+ipsec_get_keylen(u_int supported, u_int alg_id, struct sadb_alg *alg0)
{
struct sadb_alg *alg;
u_int satype;
static u_int soft_lifetime_usetime_rate = PFKEY_SOFT_LIFETIME_RATE;
u_int
-pfkey_set_softrate(type, rate)
- u_int type, rate;
+pfkey_set_softrate(u_int type, u_int rate)
{
__ipsec_errcode = EIPSEC_NO_ERROR;
* ATTENTION: ~0 is returned if invalid type was passed.
*/
u_int
-pfkey_get_softrate(type)
- u_int type;
+pfkey_get_softrate(u_int type)
{
switch (type) {
case SADB_X_LIFETIME_ALLOCATIONS:
* -1 : error occured, and set errno.
*/
int
-pfkey_send_getspi(so, satype, mode, src, dst, min, max, reqid, seq)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
- u_int32_t min, max, reqid, seq;
+pfkey_send_getspi(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
+ u_int32_t min, u_int32_t max, u_int32_t reqid, u_int32_t seq)
{
struct sadb_msg *newmsg;
caddr_t ep;
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
__ipsec_errcode = EIPSEC_INVAL_SPI;
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(dst));
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst));
if (min > 255 && max < (u_int)~0) {
need_spirange++;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_update(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq, port)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
- u_int16_t port;
+pfkey_send_update(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
+ u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen,
+ u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
+ u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port)
{
int len;
if ((len = pfkey_send_x1(so, SADB_UPDATE, satype, mode, src, dst, spi,
* -1 : error occured, and set errno.
*/
int
-pfkey_send_add(so, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq, port)
- int so;
- u_int satype, mode, wsize;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc;
- u_int64_t l_bytes, l_addtime, l_usetime;
- u_int32_t seq;
- u_int16_t port;
+pfkey_send_add(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst,
+ u_int32_t spi, u_int32_t reqid, u_int wsize, caddr_t keymat, u_int e_type, u_int e_keylen,
+ u_int a_type, u_int a_keylen, u_int flags, u_int32_t l_alloc, u_int64_t l_bytes,
+ u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port)
{
int len;
if ((len = pfkey_send_x1(so, SADB_ADD, satype, mode, src, dst, spi,
pfkey_send_delete(so, satype, mode, src, dst, spi)
int so;
u_int satype, mode;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
u_int32_t spi;
{
int len;
*/
/*ARGSUSED*/
int
-pfkey_send_delete_all(so, satype, mode, src, dst)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
+pfkey_send_delete_all(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst)
{
struct sadb_msg *newmsg;
int len;
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(dst));
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst));
if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
* -1 : error occured, and set errno.
*/
int
-pfkey_send_get(so, satype, mode, src, dst, spi)
- int so;
- u_int satype, mode;
- struct sockaddr *src, *dst;
- u_int32_t spi;
+pfkey_send_get(int so, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi)
{
int len;
if ((len = pfkey_send_x2(so, SADB_GET, satype, mode, src, dst, spi)) < 0)
* -1 : error occured, and set errno.
*/
int
-pfkey_send_register(so, satype)
- int so;
- u_int satype;
+pfkey_send_register(int so, u_int satype)
{
int len, algno;
* -1: error occured, and set errno.
*/
int
-pfkey_recv_register(so)
- int so;
+pfkey_recv_register(int so)
{
pid_t pid = getpid();
struct sadb_msg *newmsg;
* -1: error occured, and set errno.
*/
int
-pfkey_set_supported(msg, tlen)
- struct sadb_msg *msg;
- int tlen;
+pfkey_set_supported(struct sadb_msg *msg, int tlen)
{
struct sadb_supported *sup;
caddr_t p;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_flush(so, satype)
- int so;
- u_int satype;
+pfkey_send_flush(int so, u_int satype)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_dump(so, satype)
- int so;
- u_int satype;
+pfkey_send_dump(int so, u_int satype)
{
int len;
* algorithms is.
*/
int
-pfkey_send_promisc_toggle(so, flag)
- int so;
- int flag;
+pfkey_send_promisc_toggle(int so, int flag)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdadd(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spdadd(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
+ u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdadd2(so, src, prefs, dst, prefd, proto, ltime, vtime,
- policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- u_int64_t ltime, vtime;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spdadd2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime,
+ caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdupdate(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spdupdate(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
+ u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdupdate2(so, src, prefs, dst, prefd, proto, ltime, vtime,
- policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- u_int64_t ltime, vtime;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spdupdate2(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
+ u_int prefd, u_int proto, u_int64_t ltime, u_int64_t vtime,
+ caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spddelete(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spddelete(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
+ u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spddelete2(so, spid)
- int so;
- u_int32_t spid;
+pfkey_send_spddelete2(int so, u_int32_t spid)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdget(so, spid)
- int so;
- u_int32_t spid;
+pfkey_send_spdget(int so, u_int32_t spid)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdsetidx(so, src, prefs, dst, prefd, proto, policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int prefs, prefd, proto;
- caddr_t policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_spdsetidx(int so, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst,
+ u_int prefd, u_int proto, caddr_t policy, int policylen, u_int32_t seq)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spdflush(so)
- int so;
+pfkey_send_spdflush(int so)
{
int len;
* -1 : error occured, and set errno.
*/
int
-pfkey_send_spddump(so)
- int so;
+pfkey_send_spddump(int so)
{
int len;
/* sending SADB_ADD or SADB_UPDATE message to the kernel */
static int
-pfkey_send_x1(so, type, satype, mode, src, dst, spi, reqid, wsize,
- keymat, e_type, e_keylen, a_type, a_keylen, flags,
- l_alloc, l_bytes, l_addtime, l_usetime, seq, port)
- int so;
- u_int type, satype, mode;
- struct sockaddr *src, *dst;
- u_int32_t spi, reqid;
- u_int wsize;
- caddr_t keymat;
- u_int e_type, e_keylen, a_type, a_keylen, flags;
- u_int32_t l_alloc, l_bytes, l_addtime, l_usetime, seq;
- u_int16_t port;
+pfkey_send_x1(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src,
+ struct sockaddr_storage *dst, u_int32_t spi, u_int32_t reqid, u_int wsize,
+ caddr_t keymat, u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen, u_int flags,
+ u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port)
{
struct sadb_msg *newmsg;
int len;
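Review bot: The ANSI prototype keeps `l_bytes`, `l_addtime` and `l_usetime` as `u_int32_t`, while the public callers converted in the same commit — pfkey_send_update and pfkey_send_add — declare those parameters as `u_int64_t` and pass them straight through, so byte and time lifetimes above 2^32 would be silently truncated at this call boundary. The narrowing was already present in the K&R declaration, but the conversion is the moment to make the types agree. Widening means `u_int32_t l_alloc, u_int64_t l_bytes, u_int64_t l_addtime, u_int64_t l_usetime, u_int32_t seq, u_int16_t port)` here, the same change in the static prototype near the top of the file, and in pfkey_setsadblifetime, which currently also takes u_int32_t; whether the sadb_lifetime fields these values end up in are 64 bits wide is not visible in this hunk, so confirm that before widening. pfkey_send_x1's body continues outside the hunk.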
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
+ sizeof(struct sadb_sa_2)
+ sizeof(struct sadb_x_sa2)
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(dst))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))
+ sizeof(struct sadb_lifetime)
+ sizeof(struct sadb_lifetime);
/* sending SADB_DELETE or SADB_GET message to the kernel */
/*ARGSUSED*/
static int
-pfkey_send_x2(so, type, satype, mode, src, dst, spi)
- int so;
- u_int type, satype, mode;
- struct sockaddr *src, *dst;
- u_int32_t spi;
+pfkey_send_x2(int so, u_int type, u_int satype, u_int mode, struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int32_t spi)
{
struct sadb_msg *newmsg;
int len;
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_sa_2)
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(dst));
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst));
if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
* to the kernel
*/
static int
-pfkey_send_x3(so, type, satype)
- int so;
- u_int type, satype;
+pfkey_send_x3(int so, u_int type, u_int satype)
{
struct sadb_msg *newmsg;
int len;
/* sending SADB_X_SPDADD message to the kernel */
static int
-pfkey_send_x4(so, type, src, prefs, dst, prefd, proto,
- ltime, vtime, policy, policylen, seq)
- int so;
- struct sockaddr *src, *dst;
- u_int type, prefs, prefd, proto;
- u_int64_t ltime, vtime;
- char *policy;
- int policylen;
- u_int32_t seq;
+pfkey_send_x4(int so, u_int type, struct sockaddr_storage *src, u_int prefs, struct sockaddr_storage *dst, u_int prefd, u_int proto,
+ u_int64_t ltime, u_int64_t vtime, char *policy, int policylen, u_int32_t seq)
{
struct sadb_msg *newmsg;
int len;
__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
return -1;
}
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
case AF_INET:
plen = sizeof(struct in_addr) << 3;
break;
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_address)
- + PFKEY_ALIGN8(sysdep_sa_len(src))
+ + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)src))
+ sizeof(struct sadb_lifetime)
+ policylen;
/* sending SADB_X_SPDGET or SADB_X_SPDDELETE message to the kernel */
static int
-pfkey_send_x5(so, type, spid)
- int so;
- u_int type;
- u_int32_t spid;
+pfkey_send_x5(int so, u_int type, u_int32_t spid)
{
struct sadb_msg *newmsg;
struct sadb_x_policy xpl;
* -1: fail.
*/
void
-pfkey_close(so)
- int so;
+pfkey_close(int so)
{
(void)close(so);
* XXX should be rewritten to pass length explicitly
*/
struct sadb_msg *
-pfkey_recv(so)
- int so;
+pfkey_recv(int so)
{
struct sadb_msg buf, *newmsg;
- int len, reallen;
+ ssize_t len;
+ int reallen;
while ((len = recv(so, (void *)&buf, sizeof(buf), MSG_PEEK)) < 0) {
if (errno == EINTR)
* -1 : fail.
*/
int
-pfkey_send(so, msg, len)
- int so;
- struct sadb_msg *msg;
- int len;
+pfkey_send(int so, struct sadb_msg *msg, int len)
{
if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {
__ipsec_set_strerror(strerror(errno));
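Review bot: `pfkey_send` still stores the `ssize_t` result of `send()` into its `int len` parameter on the line after the signature, while pfkey_recv in this same commit was changed to hold `recv()`'s result in an `ssize_t`; the two should follow one convention. A separate `ssize_t n;` and `if ((n = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {` keeps the requested length available, which also makes a short write (`n != len`) expressible, something the current code cannot check because the parameter is overwritten. The rest of pfkey_send, including what it returns, is outside the hunk.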
* XXX should be rewritten to obtain length explicitly
*/
int
-pfkey_align(msg, mhp)
- struct sadb_msg *msg;
- caddr_t *mhp;
+pfkey_align(struct sadb_msg *msg, caddr_t *mhp)
{
struct sadb_ext *ext;
int i;
* 0: valid.
*/
int
-pfkey_check(mhp)
- caddr_t *mhp;
+pfkey_check(caddr_t * mhp)
{
struct sadb_msg *msg;
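Review bot: `pfkey_check(caddr_t * mhp)` puts a space on both sides of the `*`, unlike every other prototype converted in this commit (`caddr_t *mhp` in pfkey_align just above); `pfkey_check(caddr_t *mhp)` keeps the file uniform. The body of pfkey_check continues outside the hunk.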
* `buf' must has been allocated sufficiently.
*/
static caddr_t
-pfkey_setsadbmsg(buf, lim, type, tlen, satype, seq, pid)
- caddr_t buf;
- caddr_t lim;
- u_int type, satype;
- u_int tlen;
- u_int32_t seq;
- pid_t pid;
+pfkey_setsadbmsg(caddr_t buf, caddr_t lim, u_int type, u_int tlen, u_int satype, u_int32_t seq, pid_t pid)
{
struct sadb_msg *p;
u_int len;
* `buf' must has been allocated sufficiently.
*/
static caddr_t
-pfkey_setsadbsa(buf, lim, spi, wsize, auth, enc, flags, port)
- caddr_t buf;
- caddr_t lim;
- u_int32_t spi, flags;
- u_int wsize, auth, enc;
- u_int16_t port;
+pfkey_setsadbsa(caddr_t buf, caddr_t lim, u_int32_t spi, u_int wsize, u_int auth, u_int enc, u_int32_t flags, u_int16_t port)
{
struct sadb_sa_2 *p;
u_int len;
* prefixlen is in bits.
*/
static caddr_t
-pfkey_setsadbaddr(buf, lim, exttype, saddr, prefixlen, ul_proto)
- caddr_t buf;
- caddr_t lim;
- u_int exttype;
- struct sockaddr *saddr;
- u_int prefixlen;
- u_int ul_proto;
+pfkey_setsadbaddr(caddr_t buf, caddr_t lim, u_int exttype, struct sockaddr_storage *saddr, u_int prefixlen, u_int ul_proto)
{
struct sadb_address *p;
u_int len;
p = (void *)buf;
- len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len(saddr));
+ len = sizeof(struct sadb_address) + PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)saddr));
if (buf + len > lim)
return NULL;
p->sadb_address_prefixlen = prefixlen;
p->sadb_address_reserved = 0;
- memcpy(p + 1, saddr, (size_t)sysdep_sa_len(saddr));
+ memcpy(p + 1, saddr, (size_t)sysdep_sa_len((struct sockaddr *)saddr));
return(buf + len);
}
* OUT: the pointer of buf + len.
*/
static caddr_t
-pfkey_setsadbkey(buf, lim, type, key, keylen)
- caddr_t buf;
- caddr_t lim;
- caddr_t key;
- u_int type, keylen;
+pfkey_setsadbkey(caddr_t buf, caddr_t lim, u_int type, caddr_t key, u_int keylen)
{
struct sadb_key *p;
u_int len;
* OUT: the pointer of buf + len.
*/
static caddr_t
-pfkey_setsadblifetime(buf, lim, type, l_alloc, l_bytes, l_addtime, l_usetime)
- caddr_t buf;
- caddr_t lim;
- u_int type;
- u_int32_t l_alloc, l_bytes, l_addtime, l_usetime;
+pfkey_setsadblifetime(caddr_t buf, caddr_t lim, u_int type, u_int32_t l_alloc,
+ u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime)
{
struct sadb_lifetime *p;
u_int len;
* `buf' must has been allocated sufficiently.
*/
static caddr_t
-pfkey_setsadbxsa2(buf, lim, mode0, reqid)
- caddr_t buf;
- caddr_t lim;
- u_int32_t mode0;
- u_int32_t reqid;
+pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid)
{
struct sadb_x_sa2 *p;
u_int8_t mode = mode0 & 0xff;
#ifdef SADB_X_EXT_NAT_T_TYPE
static caddr_t
-pfkey_set_natt_type(buf, lim, type, l_natt_type)
- caddr_t buf;
- caddr_t lim;
- u_int type;
- u_int8_t l_natt_type;
+pfkey_set_natt_type(caddr_t buf, caddr_t lim, u_int type, u_int8_t l_natt_type)
{
struct sadb_x_nat_t_type *p;
u_int len;
}
static caddr_t
-pfkey_set_natt_port(buf, lim, type, l_natt_port)
- caddr_t buf;
- caddr_t lim;
- u_int type;
- u_int16_t l_natt_port;
+pfkey_set_natt_port(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_port)
{
struct sadb_x_nat_t_port *p;
u_int len;
#ifdef SADB_X_EXT_NAT_T_FRAG
static caddr_t
-pfkey_set_natt_frag(buf, lim, type, l_natt_frag)
- caddr_t buf;
- caddr_t lim;
- u_int type;
- u_int16_t l_natt_frag;
+pfkey_set_natt_frag(caddr_t buf, caddr_t lim, u_int type, u_int16_t l_natt_frag)
{
struct sadb_x_nat_t_frag *p;
u_int len;
}
#endif
+
static caddr_t
pfkey_setsadbsession_id (caddr_t buf,
caddr_t lim,
if (!stats || !max_stats)
return NULL;
- p = (__typeof__(p))buf;
+ p = ALIGNED_CAST(__typeof__(p))buf; // Wcast-align fix - buffer passed to here is malloc'd message buffer
list_len = sizeof(*stats) * max_stats;
len = sizeof(*p) + PFKEY_ALIGN8(list_len);
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
- if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL,
+ if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL,
0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
sport = 0; /*XXX*/
else
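Review bot: The added `(struct sockaddr *)sa` cast is a no-op here: `sa` is already a `struct sockaddr *`, as `switch (sa->sa_family)` three lines up and passing `sa` uncast as getnameinfo's first argument both show, so the line can stay `if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL,`. The same redundant cast appears in the second getnameinfo hunk below (the `dport` one). If the intent was to retype `sa` as `struct sockaddr_storage *` to match the rest of the commit, that retyping is not in either hunk. The enclosing function starts and ends outside the hunk.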
switch (sa->sa_family) {
case AF_INET:
case AF_INET6:
- if (getnameinfo(sa, (socklen_t)sysdep_sa_len(sa), NULL,
+ if (getnameinfo(sa, (socklen_t)sysdep_sa_len((struct sockaddr *)sa), NULL,
0, pbuf, sizeof(pbuf), NI_NUMERICSERV) != 0)
dport = 0; /*XXX*/
else
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
+#include <string.h>
#ifdef HAVE_NETINET6_IPSEC
# include <netinet6/ipsec.h>
#include "ipsec_strerror.h"
int
-ipsec_get_policylen(policy)
- ipsec_policy_t policy;
+ipsec_get_policylen(ipsec_policy_t policy)
{
- return policy ? PFKEY_EXTLEN(policy) : -1;
+ u_int16_t aligned_len;
+
+ if (policy) {
+ memcpy(&aligned_len, policy, sizeof(u_int16_t));
+ return PFKEY_UNUNIT64(aligned_len);
+ } else
+ return -1;
}
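Review bot: The memcpy replacement for `PFKEY_EXTLEN(policy)` depends on the length being the leading `u_int16_t` of the policy buffer and on `ipsec_policy_t` being a byte pointer that may not be suitably aligned, and neither reason is recorded; add `/* policy may be unaligned (it is a byte pointer), so copy the leading u_int16_t length field out instead of dereferencing it */` above the memcpy. The `if (policy) { ... } else return -1;` shape also reads better as a guard: `if (policy == NULL) return -1;` followed by the copy and the return, with `aligned_len` then initialized at its declaration. The conversion from 64-bit units via PFKEY_UNUNIT64 presumably matches what PFKEY_EXTLEN did, but that macro is not in the hunk.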
#include <errno.h>
#include "config.h"
-
+#include "var.h"
#include "ipsec_strerror.h"
#include "libpfkey.h"
static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
static u_int32_t p_priority = 0;
static long p_priority_offset = 0;
-static struct sockaddr *p_src = NULL;
-static struct sockaddr *p_dst = NULL;
+static struct sockaddr_storage *p_src = NULL;
+static struct sockaddr_storage *p_dst = NULL;
struct _val;
extern void yyerror __P((char *msg));
-static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf,
+static struct sockaddr_storage *parse_sockaddr __P((struct _val *addrbuf,
struct _val *portbuf));
static int rule_check __P((void));
static int init_x_policy __P((void));
-static int set_x_request __P((struct sockaddr *, struct sockaddr *));
-static int set_sockaddr __P((struct sockaddr *));
+static int set_x_request __P((struct sockaddr_storage *, struct sockaddr_storage *));
+static int set_sockaddr __P((struct sockaddr_storage *));
static void policy_parse_request_init __P((void));
static void *policy_parse __P((const char *, int));
return;
}
-static struct sockaddr *
+static struct sockaddr_storage *
parse_sockaddr(addrbuf, portbuf)
struct _val *addrbuf;
struct _val *portbuf;
char *addr;
char *serv = NULL;
int error;
- struct sockaddr *newaddr = NULL;
+ struct sockaddr_storage *newaddr = NULL;
int addr_len;
int serv_len;
return -1;
}
}
- else if (p_src->sa_family != p_dst->sa_family) {
+ else if (p_src->ss_family != p_dst->ss_family) {
__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
return -1;
}
tlen = sizeof(struct sadb_x_policy);
memset(pbuf, 0, tlen);
- p = (struct sadb_x_policy *)pbuf;
+ p = ALIGNED_CAST(struct sadb_x_policy *)pbuf;
p->sadb_x_policy_len = 0; /* must update later */
p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
p->sadb_x_policy_type = p_type;
static int
set_x_request(src, dst)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
{
struct sadb_x_ipsecrequest *p;
int reqlen;
u_int8_t *n;
reqlen = sizeof(*p)
- + (src ? sysdep_sa_len(src) : 0)
- + (dst ? sysdep_sa_len(dst) : 0);
+ + (src ? sysdep_sa_len((struct sockaddr *)src) : 0)
+ + (dst ? sysdep_sa_len((struct sockaddr *)dst) : 0);
tlen += reqlen; /* increment to total length */
n = realloc(pbuf, tlen);
}
pbuf = n;
- p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
+ p = ALIGNED_CAST(struct sadb_x_ipsecrequest *)&pbuf[offset]; // Wcast-align fix - malloc'd buffer/offset 64 bit multiple
p->sadb_x_ipsecrequest_len = reqlen;
p->sadb_x_ipsecrequest_proto = p_protocol;
p->sadb_x_ipsecrequest_mode = p_mode;
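Review bot: The new comment justifies the cast with `offset 64 bit multiple`, but the visible code does not establish that: set_sockaddr below advances `offset` by the raw `sysdep_sa_len()` of each address with no rounding (assuming it is the same file-scope counter), and the socket-address lengths this library handles are not all multiples of 8. If ALIGNED_CAST is only there to silence -Wcast-align, the comment should state what alignment struct sadb_x_ipsecrequest actually needs and why the buffer meets it, or an explicit check such as `assert((offset % sizeof(u_int64_t)) == 0);` should back the claim; otherwise the comment documents a guarantee that may not hold. The body of set_x_request continues outside the hunk.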
static int
set_sockaddr(addr)
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
{
if (addr == NULL) {
__ipsec_errcode = EIPSEC_NO_ERROR;
/* tlen has already incremented */
- memcpy(&pbuf[offset], addr, sysdep_sa_len(addr));
+ memcpy(&pbuf[offset], addr, sysdep_sa_len((struct sockaddr *)addr));
- offset += sysdep_sa_len(addr);
+ offset += sysdep_sa_len((struct sockaddr *)addr);
__ipsec_errcode = EIPSEC_NO_ERROR;
return 0;
}
/* update total length */
- ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
+ (ALIGNED_CAST(struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
__ipsec_errcode = EIPSEC_NO_ERROR;
free(m);
printf("spdsetidx()\n");
- if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spdsetidx(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdupdate()\n");
- if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spdupdate(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
sleep(4);
printf("spddelete()\n");
- if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spddelete(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, sp1, splen1, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
m = pfkey_recv(so);
free(m);
printf("spdadd()\n");
- if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spdadd(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
free(m);
printf("spdadd() with lifetime's 10(s)\n");
- if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spdadd2(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, 0, 10, sp2, splen2, 0) < 0)
errx(1, "ERROR: %s", ipsec_strerror());
spid = test2sub(so);
/* expecting failure */
printf("spdupdate()\n");
- if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
- (struct sockaddr *)addr, 128,
+ if (pfkey_send_spdupdate(so, (struct sockaddr_storage *)addr, 128,
+ (struct sockaddr_storage *)addr, 128,
255, sp2, splen2, 0) == 0) {
warnx("ERROR: expecting failure.");
}
lifetime time 1 min; # sec,min,hour
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
{
pfs_group 1;
lifetime time 60 sec;
- encryption_algorithm 3des, cast128, blowfish 448, des ;
+ encryption_algorithm 3des, aes ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
#ifdef ENABLE_HYBRID
#include <resolv.h>
#endif
+#include <fcntl.h>
#include "var.h"
#include "misc.h"
char *combuf = NULL;
int len, error = -1;
- so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen);
+ so2 = accept(lcconf->sock_admin, (struct sockaddr_storage *)&from, &fromlen);
if (so2 < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to accept admin command: %s\n",
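Review bot: `so2 = accept(lcconf->sock_admin, (struct sockaddr_storage *)&from, &fromlen);` passes a pointer type accept(2) does not declare; its parameter is `struct sockaddr *`, so unless accept is wrapped locally this trades a -Wcast-align warning for an incompatible-pointer-type diagnostic. Keep `from` as a struct sockaddr_storage and cast only at the call boundary: `so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen);`. The bind() call in the admin-socket setup hunk below has the same problem with `(struct sockaddr_storage *)&sunaddr`, where sunaddr is presumably a sockaddr_un. Whether fromlen is initialised to sizeof(from) before the call is not visible; the enclosing function starts outside this hunk.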
case ADMIN_DELETE_SA: {
struct ph1handle *iph1;
- struct sockaddr *dst;
- struct sockaddr *src;
+ struct sockaddr_storage *dst;
+ struct sockaddr_storage *src;
char *loc, *rem;
- src = (struct sockaddr *)
+ src = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
- dst = (struct sockaddr *)
+ dst = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
case ADMIN_DELETE_ALL_SA_DST: {
struct ph1handle *iph1;
- struct sockaddr *dst;
+ struct sockaddr_storage *dst;
char *loc, *rem;
- dst = (struct sockaddr *)
+ dst = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
{
struct admin_com_psk *acp;
char *data;
- struct sockaddr *dst;
+ struct sockaddr_storage *dst;
struct bound_addr *target;
com->ac_errno = -1;
data = (char *)(data + acp->id_len);
memcpy(key->v, data, key->l);
- dst = (struct sockaddr *)
+ dst = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
/* FALLTHROUGH */
case ADMIN_ESTABLISH_SA:
{
- struct sockaddr *dst;
- struct sockaddr *src;
- src = (struct sockaddr *)
+ struct sockaddr_storage *dst;
+ struct sockaddr_storage *src;
+ src = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->src;
- dst = (struct sockaddr *)
+ dst = (struct sockaddr_storage *)
&((struct admin_com_indexes *)
((caddr_t)com + sizeof(*com)))->dst;
switch (com->ac_proto) {
case ADMIN_PROTO_ISAKMP: {
struct remoteconf *rmconf;
- struct sockaddr *remote = NULL;
- struct sockaddr *local = NULL;
+ struct sockaddr_storage *remote = NULL;
+ struct sockaddr_storage *local = NULL;
u_int16_t port;
com->ac_errno = -1;
if ((remote = dupsaddr(dst)) == NULL)
goto out1;
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
case AF_INET:
((struct sockaddr_in *)remote)->sin_port =
((struct sockaddr_in *)rmconf->remote)->sin_port;
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n",
- remote->sa_family);
+ remote->ss_family);
com->ac_errno = -1;
break;
}
return -1;
}
+ if (fcntl(lcconf->sock_admin, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put admin socket in non-blocking mode\n");
+ }
+
unlink(sunaddr.sun_path);
- if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr,
+ if (bind(lcconf->sock_admin, (struct sockaddr_storage *)&sunaddr,
sizeof(sunaddr)) != 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind(sockname:%s): %s\n",
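Review bot: `fcntl(lcconf->sock_admin, F_SETFL, O_NONBLOCK)` replaces the descriptor's entire status-flag set rather than adding one flag, so anything already set on the socket is silently cleared; read the current flags first: `int flags = fcntl(lcconf->sock_admin, F_GETFL, 0);` then `if (flags == -1 || fcntl(lcconf->sock_admin, F_SETFL, flags | O_NONBLOCK) == -1) {`. The error message should also carry `strerror(errno)`, as the bind() message just below appears to. Since the function carries on to bind() after a failure, a one-line comment such as `/* non-fatal: a blocking admin socket still works, just without the poll-driven timeout behaviour */` would record that the fallthrough is intentional — I read it as deliberate but it is not stated. The enclosing function begins outside this hunk.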
{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8,
eay_des_encrypt, eay_des_decrypt,
eay_des_weakkey, eay_des_keylen, },
-#ifdef HAVE_OPENSSL
-#ifdef HAVE_OPENSSL_IDEA_H
-{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8,
- eay_idea_encrypt, eay_idea_decrypt,
- eay_idea_weakkey, eay_idea_keylen, },
-#endif
-{ "blowfish", algtype_blowfish, OAKLEY_ATTR_ENC_ALG_BLOWFISH, 8,
- eay_bf_encrypt, eay_bf_decrypt,
- eay_bf_weakkey, eay_bf_keylen, },
-#ifdef HAVE_OPENSSL_RC5_H
-{ "rc5", algtype_rc5, OAKLEY_ATTR_ENC_ALG_RC5, 8,
- eay_rc5_encrypt, eay_rc5_decrypt,
- eay_rc5_weakkey, eay_rc5_keylen, },
-#endif
-#endif
{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8,
eay_3des_encrypt, eay_3des_decrypt,
eay_3des_weakkey, eay_3des_keylen, },
-#ifdef HAVE_OPENSSL
-{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8,
- eay_cast_encrypt, eay_cast_decrypt,
- eay_cast_weakkey, eay_cast_keylen, },
-#endif
{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
eay_aes_encrypt, eay_aes_decrypt,
eay_aes_weakkey, eay_aes_keylen, },
{ "3des", algtype_3des, IPSECDOI_ESP_3DES, 8,
NULL, NULL,
NULL, eay_3des_keylen, },
-#ifdef HAVE_OPENSSL
-#ifdef HAVE_OPENSSL_RC5_H
-{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8,
- NULL, NULL,
- NULL, eay_rc5_keylen, },
-#endif
-{ "cast", algtype_cast128, IPSECDOI_ESP_CAST, 8,
- NULL, NULL,
- NULL, eay_cast_keylen, },
-{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8,
- NULL, NULL,
- NULL, eay_bf_keylen, },
-#endif
{ "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8,
NULL, NULL,
NULL, eay_des_keylen, },
{ "aes", algtype_aes, IPSECDOI_ESP_AES, 16,
NULL, NULL,
NULL, eay_aes_keylen, },
-#ifdef HAVE_OPENSSL
-{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
- NULL, NULL,
- NULL, eay_twofish_keylen, },
-#ifdef HAVE_OPENSSL_IDEA_H
-{ "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-{ "idea", algtype_idea, IPSECDOI_ESP_IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-#endif
-{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
- NULL, NULL,
- NULL, NULL, },
-#endif
};
static struct hmac_algorithm ipsec_hmacdef[] = {
NULL, NULL,
NULL, eay_sha1_hashlen,
NULL, },
-#ifdef HAVE_OPENSSL
-{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK,
- NULL, NULL,
- NULL, eay_kpdk_hashlen,
- NULL, },
-#endif
{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE,
NULL, NULL,
NULL, eay_null_hashlen,
time_t created, current;
char *p, *q;
u_int satype, mode;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
u_int32_t spi, reqid;
caddr_t keymat;
size_t keymatlen;
#include "isakmp.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
+#include "session.h"
#ifdef ENABLE_HYBRID
#include "resolv.h"
#include "isakmp_unity.h"
#include "gssapi.h"
#endif
#include "vendorid.h"
-#ifdef HAVE_OPENSSL
-#include "rsalist.h"
-#endif
#include "ipsecConfigTracer.h"
#include "ipsecMessageTracer.h"
OAKLEY_ATTR_GRP_DESC_MODP8192
};
+struct remote_index_val {
+ int prefix;
+ struct sockaddr_storage *addr;
+};
+
static struct remoteconf *cur_rmconf;
static int tmpalgtype[MAXALGCLASS];
static struct sainfo *cur_sainfo;
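Review bot: `struct remote_index_val` is introduced without any comment, yet both fields carry conventions that only surface at the use sites later in this commit: `prefix` uses `~0` as an "unset" sentinel that the remote-block actions map to 0, and `addr` is heap-allocated with ownership either handed to `remoteconf.remote` or freed together with the container. Suggest `int prefix; /* prefix length; ~0 = not given (anonymous), stored as 0 */` and `struct sockaddr_storage *addr; /* owned; transferred to rmconf->remote or freed by the consuming action */`, with a one-line header `/* Parsed remote_index: address plus optional prefix length. */` above the struct.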
static void clean_tmpalgtype __P((void));
static int expand_isakmpspec __P((int, int, int *,
int, int, time_t, int, int, int, char *, struct remoteconf *));
-static int listen_addr __P((struct sockaddr *addr, int udp_encap));
+static int listen_addr __P((struct sockaddr_storage *addr, int udp_encap));
void freeetypes (struct etypes **etypes);
unsigned long num;
vchar_t *val;
struct remoteconf *rmconf;
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
struct sainfoalg *alg;
+ struct remote_index_val *rmidx;
}
/* privsep */
%type <num> unittype_time unittype_byte
%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
%type <val> identifierstring
-%type <saddr> remote_index ike_addrinfo_port
+%type <saddr> ike_addrinfo_port
%type <alg> algorithm
%type <num> dpd_algo_type
%type <num> idle_dir_type
+%type <rmidx> remote_index ike_addrinfo_prefix_port
%%
struct passwd *pw;
if ((pw = getpwnam($2->v)) == NULL) {
- yyerror("unknown user \"%s\"", $2->v);
+ racoon_yyerror("unknown user \"%s\"", $2->v);
return -1;
}
lcconf->uid = pw->pw_uid;
struct group *gr;
if ((gr = getgrnam($2->v)) == NULL) {
- yyerror("unknown group \"%s\"", $2->v);
+ racoon_yyerror("unknown group \"%s\"", $2->v);
return -1;
}
lcconf->gid = gr->gr_gid;
: PATH PATHTYPE QUOTEDSTRING
{
if ($2 >= LC_PATHTYPE_MAX) {
- yyerror("invalid path type %d", $2);
+ racoon_yyerror("invalid path type %d", $2);
return -1;
}
: GSS_ID_ENC GSS_ID_ENCTYPE EOS
{
if ($2 >= LC_GSSENC_MAX) {
- yyerror("invalid GSS ID encoding %d", $2);
+ racoon_yyerror("invalid GSS ID encoding %d", $2);
return -1;
}
lcconf->gss_id_enc = $2;
$2->l--; /* nuke '\0' */
lcconf->ident[$1] = $2;
if (lcconf->ident[$1] == NULL) {
- yyerror("failed to set my ident: %s",
+ racoon_yyerror("failed to set my ident: %s",
strerror(errno));
return -1;
}
* XXX ignore it because this specification
* will be obsoleted.
*/
- yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
+ racoon_yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
vfree($1);
}
| LOGLEV
#ifdef ENABLE_NATT
listen_addr ($2, 1);
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
}
EOS
| X_ADMIN
{
- yyerror("admin directive is obsoleted.");
+ racoon_yyerror("admin directive is obsoleted.");
}
PORT EOS
| ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
#ifdef ENABLE_ADMINPORT
adminsock_conf($2, $3, $4, $5);
#else
- yywarn("admin port support not compiled in");
+ racoon_yywarn("admin port support not compiled in");
#endif
}
EOS
#ifdef ENABLE_ADMINPORT
adminsock_conf($2, NULL, NULL, -1);
#else
- yywarn("admin port support not compiled in");
+ racoon_yywarn("admin port support not compiled in");
#endif
}
EOS
#ifdef ENABLE_ADMINPORT
adminsock_path = NULL;
#else
- yywarn("admin port support not compiled in");
+ racoon_yywarn("admin port support not compiled in");
#endif
}
EOS
return -1;
}
;
+ike_addrinfo_prefix_port
+ : ADDRSTRING prefix ike_port
+ {
+ char portbuf[10];
+ struct remote_index_val *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL) {
+ racoon_yyerror("failed to allocate remote index struct");
+ vfree($1);
+ return -1;
+ }
+ snprintf(portbuf, sizeof(portbuf), "%ld", $3);
+ new->addr = str2saddr($1->v, portbuf);
+ vfree($1);
+ if (!new->addr) {
+ racoon_yyerror("failed to allocate sockaddr storage");
+ return -1;
+ }
+ new->prefix = $2;
+ $$ = new;
+ }
+ ;
ike_port
: /* nothing */ { $$ = PORT_ISAKMP; }
| PORT { $$ = $1; }
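Review bot: In `ike_addrinfo_prefix_port`, when `str2saddr()` returns NULL the freshly allocated `new` is leaked; the `remote_index` ANONYMOUS action in this same commit frees its container in the equivalent situation, so the two should agree — add `racoon_free(new);` before the `return -1;` that follows the "failed to allocate sockaddr storage" message. Separately, `snprintf(portbuf, sizeof(portbuf), "%ld", $3);` formats `$3` with `%ld`; if `ike_port` is typed through the union's `unsigned long num` member, `%lu` is the matching conversion (ike_port's %type line is not visible here to confirm).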
#ifdef ENABLE_HYBRID
if (inet_pton(AF_INET, $2->v,
&isakmp_cfg_config.network4) != 1)
- yyerror("bad IPv4 network address.");
+ racoon_yyerror("bad IPv4 network address.");
vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
if (inet_pton(AF_INET, $2->v,
&isakmp_cfg_config.netmask4) != 1)
- yyerror("bad IPv4 netmask address.");
+ racoon_yyerror("bad IPv4 netmask address.");
vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
| CFG_SPLIT_DNS splitdnslist
{
#ifndef ENABLE_HYBRID
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
$2->v, sizeof(isakmp_cfg_config.default_domain));
vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef HAVE_LIBRADIUS
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
+ racoon_yyerror("racoon not configured with --with-libradius");
#endif /* HAVE_LIBRADIUS */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef HAVE_LIBPAM
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
+ racoon_yyerror("racoon not configured with --with-libpam");
#endif /* HAVE_LIBPAM */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef HAVE_LIBLDAP
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
+ racoon_yyerror("racoon not configured with --with-libldap");
#endif /* HAVE_LIBLDAP */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_AUTH_GROUPS authgrouplist
{
#ifndef ENABLE_HYBRID
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef HAVE_LIBLDAP
isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
+ racoon_yyerror("racoon not configured with --with-libldap");
#endif /* HAVE_LIBLDAP */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef HAVE_LIBRADIUS
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
+ racoon_yyerror("racoon not configured with --with-libradius");
#endif /* HAVE_LIBRADIUS */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef HAVE_LIBPAM
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
+ racoon_yyerror("racoon not configured with --with-libpam");
#endif /* HAVE_LIBPAM */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
{
#ifdef ENABLE_HYBRID
if (isakmp_cfg_resize_pool($2) != 0)
- yyerror("cannot allocate memory for pool");
+ racoon_yyerror("cannot allocate memory for pool");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifndef HAVE_OPENSSL
if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
&& isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
- yyerror("PFS group must be 2 or 5");
+ racoon_yyerror("PFS group must be 2 or 5");
return -1;
}
#endif
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.save_passwd = $2;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.auth_throttle = $2;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef HAVE_LIBRADIUS
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
+ racoon_yyerror("racoon not configured with --with-libradius");
#endif /* HAVE_LIBRADIUS */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef HAVE_LIBLDAP
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
+ racoon_yyerror("racoon not configured with --with-libldap");
#endif /* HAVE_LIBLDAP */
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd));
vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
if (icc->dns4_index > MAXNS)
- yyerror("No more than %d DNS", MAXNS);
+ racoon_yyerror("No more than %d DNS", MAXNS);
if (inet_pton(AF_INET, $1->v,
&icc->dns4[icc->dns4_index++]) != 1)
- yyerror("bad IPv4 DNS address.");
+ racoon_yyerror("bad IPv4 DNS address.");
vfree($1);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
;
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
if (icc->nbns4_index > MAXWINS)
- yyerror("No more than %d WINS", MAXWINS);
+ racoon_yyerror("No more than %d WINS", MAXWINS);
if (inet_pton(AF_INET, $1->v,
&icc->nbns4[icc->nbns4_index++]) != 1)
- yyerror("bad IPv4 WINS address.");
+ racoon_yyerror("bad IPv4 WINS address.");
vfree($1);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
;
struct unity_network network;
if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
- yyerror("bad IPv4 SPLIT address.");
+ racoon_yyerror("bad IPv4 SPLIT address.");
/* Turn $2 (the prefix) into a subnet mask */
network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
/* add the network to our list */
if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
- yyerror("Unable to allocate split network");
+ racoon_yyerror("Unable to allocate split network");
vfree($1);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
;
grouplist = racoon_realloc(icc->grouplist,
sizeof(char**)*(icc->groupcount+1));
if (grouplist == NULL)
- yyerror("unable to allocate auth group list");
+ racoon_yyerror("unable to allocate auth group list");
groupname = racoon_malloc($1->l+1);
if (groupname == NULL)
- yyerror("unable to allocate auth group name");
+ racoon_yyerror("unable to allocate auth group name");
memcpy(groupname,$1->v,$1->l);
groupname[$1->l]=0;
vfree($1);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
;
{
icc->splitdns_list = racoon_malloc($1->l);
if(icc->splitdns_list == NULL)
- yyerror("error allocating splitdns list buffer");
+ racoon_yyerror("error allocating splitdns list buffer");
memcpy(icc->splitdns_list,$1->v,$1->l);
icc->splitdns_len = $1->l;
}
int len = icc->splitdns_len + $1->l + 1;
icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
if(icc->splitdns_list == NULL)
- yyerror("error allocating splitdns list buffer");
+ racoon_yyerror("error allocating splitdns list buffer");
icc->splitdns_list[icc->splitdns_len] = ',';
memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
icc->splitdns_len = len;
}
vfree($1);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
;
#ifdef ENABLE_NATT
lcconf->natt_ka_interval = $2 * $3;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
}
EOS
{
cur_sainfo = newsainfo();
if (cur_sainfo == NULL) {
- yyerror("failed to allocate sainfo");
+ racoon_yyerror("failed to allocate sainfo");
return -1;
}
}
/* default */
if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
- yyerror("no encryption algorithm at %s",
+ racoon_yyerror("no encryption algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
- yyerror("no authentication algorithm at %s",
+ racoon_yyerror("no authentication algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
- yyerror("no compression algorithm at %s",
+ racoon_yyerror("no compression algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
cur_sainfo->iddst,
cur_sainfo->id_i, 0);
if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
- yyerror("duplicated sainfo: %s",
+ racoon_yyerror("duplicated sainfo: %s",
sainfo2str(cur_sainfo));
return -1;
}
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
{
char portbuf[10];
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
&& ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
- yyerror("port number must be \"any\".");
+ racoon_yyerror("port number must be \"any\".");
return -1;
}
if (saddr == NULL)
return -1;
- switch (saddr->sa_family) {
+ switch (saddr->ss_family) {
case AF_INET:
if ($5 == IPPROTO_ICMPV6) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
racoon_free(saddr);
return -1;
}
#ifdef INET6
case AF_INET6:
if ($5 == IPPROTO_ICMP) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
racoon_free(saddr);
return -1;
}
break;
#endif
default:
- yyerror("invalid family: %d", saddr->sa_family);
+ racoon_yyerror("invalid family: %d", saddr->ss_family);
$$ = NULL;
break;
}
| IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
{
char portbuf[10];
- struct sockaddr *laddr = NULL, *haddr = NULL;
- char *cur = NULL;
+ struct sockaddr_storage *laddr = NULL, *haddr = NULL;
if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
&& ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
- yyerror("port number must be \"any\".");
+ racoon_yyerror("port number must be \"any\".");
return -1;
}
}
vfree($3);
- switch (laddr->sa_family) {
+ switch (laddr->ss_family) {
case AF_INET:
if ($6 == IPPROTO_ICMPV6) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
if (laddr)
racoon_free(laddr);
if (haddr)
#ifdef INET6
case AF_INET6:
if ($6 == IPPROTO_ICMP) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
if (laddr)
racoon_free(laddr);
if (haddr)
break;
#endif
default:
- yyerror("invalid family: %d", laddr->sa_family);
+ racoon_yyerror("invalid family: %d", laddr->ss_family);
$$ = NULL;
break;
}
struct ipsecdoi_id_b *id_b;
if ($1 == IDTYPE_ASN1DN) {
- yyerror("id type forbidden: %d", $1);
+ racoon_yyerror("id type forbidden: %d", $1);
$$ = NULL;
return -1;
}
$$ = vmalloc(sizeof(*id_b) + $2->l);
if ($$ == NULL) {
- yyerror("failed to allocate identifier");
+ racoon_yyerror("failed to allocate identifier");
return -1;
}
- id_b = (struct ipsecdoi_id_b *)$$->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)$$->v;
id_b->type = idtype2doi($1);
id_b->proto_id = 0;
vchar_t *idv;
if (set_identifier(&idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
return -1;
}
cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
if (cur_sainfo->id_i == NULL) {
- yyerror("failed to allocate identifier");
+ racoon_yyerror("failed to allocate identifier");
return -1;
}
- id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
id_b->type = idtype2doi($2);
id_b->proto_id = 0;
{
#ifdef ENABLE_HYBRID
if ((cur_sainfo->group = vdup($2)) == NULL) {
- yyerror("failed to set sainfo xauth group.\n");
+ racoon_yyerror("failed to set sainfo xauth group.\n");
return -1;
}
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
return -1;
#endif
}
#ifndef HAVE_OPENSSL
if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
&& cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
- yyerror("PFS group must be 2 or 5");
+ racoon_yyerror("PFS group must be 2 or 5");
return -1;
}
#endif
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated");
+ racoon_yyerror("byte lifetime support is deprecated");
return -1;
#else
cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
algorithms EOS
| IDENTIFIER IDENTIFIERTYPE
{
- yyerror("it's deprecated to specify a identifier in phase 2");
+ racoon_yyerror("it's deprecated to specify a identifier in phase 2");
}
EOS
| MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
{
- yyerror("it's deprecated to specify a identifier in phase 2");
+ racoon_yyerror("it's deprecated to specify a identifier in phase 2");
}
EOS
;
$$ = newsainfoalg();
if ($$ == NULL) {
- yyerror("failed to get algorithm allocation");
+ racoon_yyerror("failed to get algorithm allocation");
return -1;
}
$$->alg = algtype2doi(cur_algclass, $1);
if ($$->alg == -1) {
- yyerror("algorithm mismatched");
+ racoon_yyerror("algorithm mismatched");
racoon_free($$);
$$ = NULL;
return -1;
defklen = default_keylen(cur_algclass, $1);
if (defklen == 0) {
if ($2) {
- yyerror("keylen not allowed");
+ racoon_yyerror("keylen not allowed");
racoon_free($$);
$$ = NULL;
return -1;
}
} else {
if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
- yyerror("invalid keylen %d", $2);
+ racoon_yyerror("invalid keylen %d", $2);
racoon_free($$);
$$ = NULL;
return -1;
int b = algtype2doi(cur_algclass, $1);
if (a == IPSECDOI_ATTR_AUTH)
a = IPSECDOI_PROTO_IPSEC_AH;
- yyerror("algorithm %s not supported by the kernel (missing module?)",
+ racoon_yyerror("algorithm %s not supported by the kernel (missing module?)",
s_ipsecdoi_trns(a, b));
racoon_free($$);
$$ = NULL;
struct remoteconf *new;
struct proposalspec *prspec;
- new = copyrmconf($4);
+ new = copyrmconf($4->addr);
if (new == NULL) {
- yyerror("failed to get remoteconf for %s.", saddr2str ($4));
+ racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4));
+ racoon_free($2->addr);
+ racoon_free($2);
+ racoon_free($4->addr);
+ racoon_free($4);
return -1;
}
- new->remote = $2;
- new->inherited_from = getrmconf_strict($4, 1);
+ new->remote = $2->addr;
+ new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);
+ new->inherited_from = getrmconf_strict($4->addr, 1);
new->proposal = NULL;
new->prhead = NULL;
cur_rmconf = new;
+ racoon_free($2);
+ racoon_free($4->addr);
+ racoon_free($4);
prspec = newprspec();
if (prspec == NULL || !cur_rmconf->inherited_from
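Review bot: The error path `racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4));` passes the `struct remote_index_val` itself to saddr2str(), not its address: `$4` is now the `rmidx` union member, so saddr2str reads the `prefix` field and pointer bytes as if they were a sockaddr. It should be `saddr2str((struct sockaddr *)$4->addr)`, matching `copyrmconf($4->addr)` two lines earlier. The prefix normalisation `new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);` is repeated in the next remote-block action as well; a small static helper would keep the sentinel in one place. On the success path `$4->addr` is freed right after `getrmconf_strict($4->addr, 1)`, which is fine only if that function does a lookup and does not retain the pointer — I assume it does not, but its body is outside this hunk.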
new = newrmconf();
if (new == NULL) {
- yyerror("failed to get new remoteconf.");
+ racoon_yyerror("failed to get new remoteconf.");
+ racoon_free($2->addr);
+ racoon_free($2);
return -1;
}
-
- new->remote = $2;
+ new->remote = $2->addr;
+ new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);
cur_rmconf = new;
+ racoon_free($2);
prspec = newprspec();
if (prspec == NULL)
{
/* check a exchange mode */
if (cur_rmconf->etypes == NULL) {
- yyerror("no exchange mode specified.\n");
+ racoon_yyerror("no exchange mode specified.\n");
return -1;
}
|| cur_rmconf->identity_in_keychain)
{
if (cur_rmconf->idv)
- yywarn("Both CERT and ASN1 ID "
+ racoon_yywarn("Both CERT and ASN1 ID "
"are set. Hope this is OK.\n");
/* TODO: Preparse the DN here */
} else if (cur_rmconf->idv) {
/* OK, using asn1dn without X.509. */
} else {
- yyerror("ASN1 ID not specified "
+ racoon_yyerror("ASN1 ID not specified "
"and no CERT defined!\n");
return -1;
}
if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
struct genlist_entry *gpb;
if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) {
- yyerror("peers_identifier required for specified certificate "
+ racoon_yyerror("peers_identifier required for specified certificate "
"verification option.\n");
return -1;
}
b = p->dh_group;
continue;
}
- yyerror("DH group must be equal "
+ racoon_yyerror("DH group must be equal "
"in all proposals "
"when aggressive mode is "
"used.\n");
cur_rmconf->dh_group = b;
if (cur_rmconf->dh_group == 0) {
- yyerror("DH group must be set in the proposal.\n");
+ racoon_yyerror("DH group must be set in the proposal.\n");
return -1;
}
/* DH group settting if PFS is required. */
if (oakley_setdhgroup(cur_rmconf->dh_group,
&cur_rmconf->dhgrp) < 0) {
- yyerror("failed to set DH value.\n");
+ racoon_yyerror("failed to set DH value.\n");
return -1;
}
}
remote_index
: ANONYMOUS ike_port
{
- $$ = newsaddr(sizeof(struct sockaddr));
- $$->sa_family = AF_UNSPEC;
- ((struct sockaddr_in *)$$)->sin_port = htons($2);
- }
- | ike_addrinfo_port
+
+ struct remote_index_val *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL) {
+ racoon_yyerror("failed to allocate remote index struct");
+ return -1;
+ }
+ new->addr = newsaddr(sizeof(struct sockaddr_storage));
+ if (new->addr == NULL) {
+ racoon_yyerror("failed to allocate sockaddr storage");
+ racoon_free(new);
+ return -1;
+ }
+ new->addr->ss_family = AF_UNSPEC;
+ (ALIGNED_CAST(struct sockaddr_in *)new->addr)->sin_port = htons($2);
+ new->prefix = ~0;
+ $$ = new;
+ }
+ | ike_addrinfo_prefix_port
{
$$ = $1;
if ($$ == NULL) {
- yyerror("failed to allocate sockaddr");
+ racoon_yyerror("failed to allocate sockaddr_storage");
return -1;
}
}
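Review bot: The ANONYMOUS branch stores `~0` in `new->prefix` as a "no prefix given" sentinel, and nothing in the rule says so; the consumers elsewhere in this diff map it back to 0 with an inline ternary, so a reader has to find them to understand the value. A one-line comment on the assignment would carry that contract: `new->prefix = ~0; /* no prefix given; consumers map ~0 to 0 */`. Writing `sin_port` into a `sockaddr_storage` whose family is AF_UNSPEC is carried over from the old code and presumably relied on by the remote-matching logic; that deserves a short comment too, since it looks like a mistake on first read.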
| PEERS_CERTFILE QUOTEDSTRING
{
#ifdef HAVE_OPENSSL
- yywarn("This directive without certtype will be removed!\n");
- yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
+ racoon_yywarn("This directive without certtype will be removed!\n");
+ racoon_yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
if (cur_rmconf->peerscertfile != NULL)
STRDUP_FATAL(cur_rmconf->peerscertfile);
vfree($2);
#else
- yyerror("cert files not supported.\n");
+ racoon_yyerror("cert files not supported.\n");
return -1;
#endif
}
STRDUP_FATAL(cur_rmconf->cacertfile);
vfree($3);
#else
- yyerror("cert files not supported.\n");
+ racoon_yyerror("cert files not supported.\n");
return -1;
#endif
STRDUP_FATAL(cur_rmconf->peerscertfile);
vfree($3);
#else
- yyerror("cert files not supported.\n");
+ racoon_yyerror("cert files not supported.\n");
return -1;
#endif
EOS
| PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
{
-#ifdef HAVE_OPENSSL
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $3->v);
- vfree($3);
-
- if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
- yyerror("Different peers_certfile method "
- "already defined: %d!\n",
- cur_rmconf->getcert_method);
- return -1;
- }
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
-#else
- yyerror("plainrsa not supported.\n");
+ racoon_yyerror("plainrsa not supported.\n");
return -1;
-#endif
}
EOS
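Review bot: With the OpenSSL branch removed, the `PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING` action no longer releases `$3` before `return -1`; the deleted code did `vfree($3)` right after consuming the path. The parser is aborting at this point so the leak is small, but the neighbouring actions in this file free their vchar on the error path (the `vfree($3); //%%% BUG FIX` lines), so add `vfree($3);` before the return to match.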
| PEERS_CERTFILE DNSSEC
{
if (cur_rmconf->getcert_method) {
- yyerror("Different peers_certfile method already defined!\n");
+ racoon_yyerror("Different peers_certfile method already defined!\n");
return -1;
}
cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
#if HAVE_OPENDIR
cur_rmconf->open_dir_auth_group = $2;
#else
- yyerror("Apple specific features not compiled in.");
+ racoon_yyerror("Apple specific features not compiled in.");
return -1;
#endif
} EOS
| MY_IDENTIFIER IDENTIFIERTYPE identifierstring
{
if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
vfree($3); //%%% BUG FIX - memory leak
return -1;
}
| MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
{
if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
return -1;
}
cur_rmconf->idvtype = $2;
#ifdef ENABLE_HYBRID
/* formerly identifier type login */
if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
- yyerror("failed to allocate xauth state\n");
+ racoon_yyerror("failed to allocate xauth state\n");
return -1;
}
if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
return -1;
}
vfree($2); //%%% BUG FIX - memory leak
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
struct idspec *id;
id = newidspec();
if (id == NULL) {
- yyerror("failed to allocate idspec");
+ racoon_yyerror("failed to allocate idspec");
return -1;
}
if (set_identifier(&id->id, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
racoon_free(id);
vfree($3); //%%% BUG FIX - memory leak
return -1;
struct idspec *id;
id = newidspec();
if (id == NULL) {
- yyerror("failed to allocate idspec");
+ racoon_yyerror("failed to allocate idspec");
return -1;
}
if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
racoon_free(id);
return -1;
}
| SHARED_SECRET SECRETTYPE
{
if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) {
- yyerror("shared secret value missing.\n");
+ racoon_yyerror("shared secret value missing.\n");
return -1;
}
cur_rmconf->secrettype = $2;
| NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
| DH_GROUP
{
- yyerror("dh_group cannot be defined here.");
+ racoon_yyerror("dh_group cannot be defined here.");
return -1;
}
dh_group_num EOS
if (libipsec_opt & LIBIPSEC_OPT_FRAG)
cur_rmconf->esp_frag = $2;
else
- yywarn("libipsec lacks IKE frag support");
+ racoon_yywarn("libipsec lacks IKE frag support");
#else
- yywarn("Your kernel does not support esp_frag");
+ racoon_yywarn("Your kernel does not support esp_frag");
#endif
} EOS
| SCRIPT QUOTEDSTRING PHASE1_UP {
#ifdef ENABLE_NATT
cur_rmconf->nat_traversal = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
#ifdef ENABLE_NATT
cur_rmconf->nat_traversal = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL_MULTI_USER SWITCH
#ifdef ENABLE_NATT
cur_rmconf->natt_multiple_user = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL_KEEPALIVE SWITCH
#ifdef ENABLE_NATT
cur_rmconf->natt_keepalive = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| DPD SWITCH
#ifdef ENABLE_DPD
cur_rmconf->dpd = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
} EOS
| DPD_DELAY NUMBER
#ifdef ENABLE_DPD
cur_rmconf->dpd_interval = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
#ifdef ENABLE_DPD
cur_rmconf->dpd_retry = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
#ifdef ENABLE_DPD
cur_rmconf->dpd_maxfails = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
#ifdef ENABLE_DPD
cur_rmconf->dpd_algo = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated in Phase1");
+ racoon_yyerror("byte lifetime support is deprecated in Phase1");
return -1;
#else
- yywarn("the lifetime of bytes in phase 1 "
+ racoon_yywarn("the lifetime of bytes in phase 1 "
"will be ignored at the moment.");
cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
if (cur_rmconf->prhead->lifebyte == 0)
struct etypes *new;
new = racoon_malloc(sizeof(struct etypes));
if (new == NULL) {
- yyerror("failed to allocate etypes");
+ racoon_yyerror("failed to allocate etypes");
return -1;
}
new->type = $2;
;
| CERT_PLAINRSA QUOTEDSTRING
{
-#ifdef HAVE_OPENSSL
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $2->v);
- vfree($2);
-
- cur_rmconf->certtype = $1;
- cur_rmconf->send_cr = FALSE;
- cur_rmconf->send_cert = FALSE;
- cur_rmconf->verify_cert = FALSE;
- if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
-#else
- yyerror("plainrsa not supported.\n");
- return -1;
-#endif
+ racoon_yyerror("plainrsa not supported.\n");
+ return -1;
}
EOS
;
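Review bot: The `CERT_PLAINRSA QUOTEDSTRING` action now returns -1 without releasing `$2`; the removed OpenSSL branch called `vfree($2)` after copying the path out. Since the other quoted-string actions in this grammar free their value on failure, add `vfree($2);` ahead of the `return -1;` so the unsupported-directive path does not leak the string.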
{
$$ = algtype2doi(algclass_isakmp_dh, $1);
if ($$ == -1) {
- yyerror("must be DH group");
+ racoon_yyerror("must be DH group");
return -1;
}
#ifndef HAVE_OPENSSL
if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
- yyerror("DH group must be 2 or 5");
+ racoon_yyerror("DH group must be 2 or 5");
return -1;
}
#endif
if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
$$ = num2dhgroup[$1];
} else {
- yyerror("must be DH group");
+ racoon_yyerror("must be DH group");
$$ = 0;
return -1;
}
#ifndef HAVE_OPENSSL
if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
- yyerror("DH group must be 2 or 5");
+ racoon_yyerror("DH group must be 2 or 5");
return -1;
}
#endif
isakmpproposal_spec
: STRENGTH
{
- yyerror("strength directive is obsoleted.");
+ racoon_yyerror("strength directive is obsoleted.");
} STRENGTHTYPE EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
{
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated");
+ racoon_yyerror("byte lifetime support is deprecated");
return -1;
#else
cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
| GSS_ID QUOTEDSTRING
{
if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
- yyerror("wrong Vendor ID for gssapi_id");
+ racoon_yyerror("wrong Vendor ID for gssapi_id");
return -1;
}
if (cur_rmconf->prhead->spspec->gssid != NULL)
doi = algtype2doi($1, $2);
if (doi == -1) {
- yyerror("algorithm mismatched 1");
+ racoon_yyerror("algorithm mismatched 1");
return -1;
}
switch ($1) {
case algclass_isakmp_enc:
/* reject suppressed algorithms */
-#ifndef HAVE_OPENSSL_RC5_H
- if ($2 == algtype_rc5) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-#ifndef HAVE_OPENSSL_IDEA_H
- if ($2 == algtype_idea) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
defklen = default_keylen($1, $2);
if (defklen == 0) {
if ($3) {
- yyerror("keylen not allowed");
+ racoon_yyerror("keylen not allowed");
return -1;
}
} else {
if ($3 && check_keylen($1, $2, $3) < 0) {
- yyerror("invalid keylen %d", $3);
+ racoon_yyerror("invalid keylen %d", $3);
return -1;
}
}
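Review bot: Removing the `HAVE_OPENSSL_RC5_H`/`HAVE_OPENSSL_IDEA_H` guards means `algtype_rc5` and `algtype_idea` now pass the parse-time check unconditionally, while the `/* reject suppressed algorithms */` comment above stays in place with nothing under it. Whether the replacement crypto backend actually implements RC5 and IDEA is not visible in this hunk; if it does not, a configuration naming either cipher is accepted here and the failure moves to negotiation time. Keep an unconditional rejection in that case: `if ($2 == algtype_rc5 || $2 == algtype_idea) { racoon_yyerror("algorithm %s not supported", s_attr_isakmp_enc(doi)); return -1; }`. If the backend does support them, replace the dangling comment with one saying so, otherwise the next reader will re-add the guard.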
case algtype_gssapikrb:
if (cur_rmconf->prhead->spspec->vendorid !=
VENDORID_UNKNOWN) {
- yyerror("Vendor ID mismatch "
+ racoon_yyerror("Vendor ID mismatch "
"for auth method");
return -1;
}
cur_rmconf->prhead->spspec->vendorid =
VENDORID_GSSAPI;
break;
-#ifdef HAVE_OPENSSL
- case algtype_rsasig:
- if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
- if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
- yyerror ("Private PlainRSA key not set. "
- "Use directive 'certificate_type plainrsa ...'\n");
- return -1;
- }
- if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
- yyerror ("Public PlainRSA keys not set. "
- "Use directive 'peers_certfile plainrsa ...'\n");
- return -1;
- }
- }
- break;
-#endif
default:
break;
}
break;
default:
- yyerror("algorithm mismatched 2");
+ racoon_yyerror("algorithm mismatched 2");
return -1;
}
}
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
- yyerror("failed to allocate proposal");
+ racoon_yyerror("failed to allocate proposal");
return new;
}
new = racoon_calloc(1, sizeof(*new));
if (new == NULL) {
- yyerror("failed to allocate spproto");
+ racoon_yyerror("failed to allocate spproto");
return NULL;
}
/* mandatory check */
if (p->spspec == NULL) {
- yyerror("no remote specification found: %s.\n",
- saddr2str(rmconf->remote));
+ racoon_yyerror("no remote specification found: %s.\n",
+ saddr2str((struct sockaddr *)rmconf->remote));
return -1;
}
for (s = p->spspec; s != NULL; s = s->next) {
/* XXX need more to check */
if (s->algclass[algclass_isakmp_enc] == 0) {
- yyerror("encryption algorithm required.");
+ racoon_yyerror("encryption algorithm required.");
return -1;
}
if (s->algclass[algclass_isakmp_hash] == 0) {
- yyerror("hash algorithm required.");
+ racoon_yyerror("hash algorithm required.");
return -1;
}
if (s->algclass[algclass_isakmp_dh] == 0) {
- yyerror("DH group required.");
+ racoon_yyerror("DH group required.");
return -1;
}
if (s->algclass[algclass_isakmp_ameth] == 0) {
- yyerror("authentication method required.");
+ racoon_yyerror("authentication method required.");
return -1;
}
}
|| types[algclass_isakmp_ameth] == 0
|| types[algclass_isakmp_hash] == 0
|| types[algclass_isakmp_dh] == 0) {
- yyerror("few definition of algorithm "
+ racoon_yyerror("few definition of algorithm "
"enc=%s ameth=%s hash=%s dhgroup=%s.\n",
TMPALGTYPE2STR(enc),
TMPALGTYPE2STR(ameth),
/* set new sa */
new = newisakmpsa();
if (new == NULL) {
- yyerror("failed to allocate isakmp sa");
+ racoon_yyerror("failed to allocate isakmp sa");
return -1;
}
new->prop_no = prop_no;
if (gssid != NULL) {
if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
racoon_free(new);
- yyerror("failed to allocate gssid");
+ racoon_yyerror("failed to allocate gssid");
return -1;
}
memcpy(new->gssid->v, gssid, new->gssid->l);
}
static int
-listen_addr (struct sockaddr *addr, int udp_encap)
+listen_addr (struct sockaddr_storage *addr, int udp_encap)
{
struct myaddrs *p;
p = newmyaddr();
if (p == NULL) {
- yyerror("failed to allocate myaddrs");
+ racoon_yyerror("failed to allocate myaddrs");
return -1;
}
p->addr = addr;
if (p->addr == NULL) {
- yyerror("failed to copy sockaddr ");
+ racoon_yyerror("failed to copy sockaddr_storage ");
delmyaddr(p);
return -1;
}
unsigned long t;
{
if (t < 1024) {
- yyerror("byte size should be more than 1024B.");
+ racoon_yyerror("byte size should be more than 1024B.");
return 0;
}
uid = atoi(owner->v);
isnum = !errno;
if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
- yyerror("User \"%s\" does not exist", owner->v);
+ racoon_yyerror("User \"%s\" does not exist", owner->v);
if (pw)
adminsock_owner = pw->pw_uid;
gid = atoi(group->v);
isnum = !errno;
if (((gr = getgrnam(group->v)) == NULL) && !isnum)
- yyerror("Group \"%s\" does not exist", group->v);
+ racoon_yyerror("Group \"%s\" does not exist", group->v);
if (gr)
adminsock_group = gr->gr_gid;
return;
if (mode_dec > 777)
- yyerror("Mode 0%03o is invalid", mode_dec);
+ racoon_yyerror("Mode 0%03o is invalid", mode_dec);
if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
if (mode_dec > 77)
- yyerror("Mode 0%03o is invalid", mode_dec);
+ racoon_yyerror("Mode 0%03o is invalid", mode_dec);
if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
if (mode_dec > 7)
- yyerror("Mode 0%03o is invalid", mode_dec);
+ racoon_yyerror("Mode 0%03o is invalid", mode_dec);
if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
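Review bot: The decimal-to-octal conversion for the admin socket mode adds the wrong bit in the third step of each digit: the owner digit adds `0200` for the hundreds-1 place, the group digit adds `020` for the tens-1 place, and the other digit adds `02` for the units-1 place, so for example a requested mode of 700 yields 01000 (sticky bit, no owner execute) and 770 yields 01100. The lines should read `if (mode_dec >= 100) { mode += 0100; mode_dec -= 100; }`, `if (mode_dec >= 10) { mode += 010; mode_dec -= 10; }` and `if (mode_dec >= 1) { mode += 01; mode_dec -= 1; }`. This is pre-existing and only the message calls were touched by the commit, but since it sets the permission bits on a privileged control socket it is worth fixing here. Separately, `isnum = !errno` after `atoi()` does not detect a numeric owner or group (`atoi` never sets `errno`), so a purely numeric value that `getpwnam`/`getgrnam` cannot resolve is silently ignored and the uid/gid is never applied; `strtol` with an end-pointer check would make that path work.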
<S_INI>include { YYDB; return(INCLUDE); }
/* self information */
-<S_INI>identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
+<S_INI>identifier { BEGIN S_INF; YYDB; racoon_yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
<S_INF>{semi} { BEGIN S_INI; return(EOS); }
/* special */
<S_LOG>info { YYD; yylval.num = LLV_INFO; return(LOGLEV); }
<S_LOG>debug { YYD; yylval.num = LLV_DEBUG; return(LOGLEV); }
<S_LOG>debug2 { YYD; yylval.num = LLV_DEBUG2; return(LOGLEV); }
-<S_LOG>debug3 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
-<S_LOG>debug4 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
+<S_LOG>debug3 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
+<S_LOG>debug4 { YYD; racoon_yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
<S_LOG>{semi} { BEGIN S_INI; return(EOS); }
/* padding */
<S_SAINFS>{ecl} { BEGIN S_INI; return(EOC); }
<S_SAINFS>pfs_group { YYD; return(PFS_GROUP); }
<S_SAINFS>remoteid { YYD; return(REMOTEID); }
-<S_SAINFS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
+<S_SAINFS>identifier { YYD; racoon_yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
<S_SAINFS>my_identifier { YYD; return(MY_IDENTIFIER); }
<S_SAINFS>lifetime { YYD; return(LIFETIME); }
<S_SAINFS>time { YYD; return(LIFETYPE_TIME); }
<S_RMTS>identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); }
<S_RMTS>secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); }
<S_RMTS>integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); }
-<S_RMTS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
+<S_RMTS>identifier { YYD; racoon_yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
<S_RMTS>my_identifier { YYD; return(MY_IDENTIFIER); }
<S_RMTS>xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
<S_RMTS>peers_identifier { YYD; return(PEERS_IDENTIFIER); }
<S_RMTS>ca_type { YYD; return(CA_TYPE); }
<S_RMTS>x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); }
<S_RMTS>plain_rsa {
-#ifdef HAVE_OPENSSL
- YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA);
-#else
- yyerror("plainrsa not supported.");
-#endif
+ racoon_yyerror("plainrsa not supported.");
}
<S_RMTS>open_dir_auth_group {
#if HAVE_OPENDIR
YYD;
return(OPEN_DIR_AUTH_GROUP);
#else
- yyerror("Apple specific features not compiled in.");
+ racoon_yyerror("Apple specific features not compiled in.");
#endif
}
<S_RMTS>shared_secret {
<S_RMTS>dh_group { YYD; return(DH_GROUP); }
<S_RMTS>nonce_size { YYD; return(NONCE_SIZE); }
<S_RMTS>generate_policy { YYD; return(GENERATE_POLICY); }
-<S_RMTS>support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); }
+<S_RMTS>support_mip6 { YYD; racoon_yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); }
<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
yytext++;
yylval.val = vmalloc(yyleng + 1);
if (yylval.val == NULL) {
- yyerror("vmalloc failed");
+ racoon_yyerror("vmalloc failed");
return -1;
}
memcpy(yylval.val->v, yytext, yylval.val->l);
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_rsa_s; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_dss_server {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_dss_s; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_rsa_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_rsa_c; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
hybrid_dss_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_hybrid_dss_c; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_xauth_psk_s; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
xauth_psk_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_xauth_psk_c; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
xauth_rsa_server {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_xauth_rsa_s; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
xauth_rsa_client {
#ifdef ENABLE_HYBRID
YYD; yylval.num = algtype_xauth_rsa_c; return(ALGORITHMTYPE);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
/* identifier type */
-vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); }
+vendor_id { YYD; racoon_yywarn("it is obsoleted."); return(VENDORID); }
user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); }
fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }
address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); }
subnet { YYD; yylval.num = IDTYPE_SUBNET; return(IDENTIFIERTYPE); }
asn1dn { YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
-certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
+certname { YYD; racoon_yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
/* shared secret type */
use {
yylval.num = SECRETTYPE_KEYCHAIN;
return(SECRETTYPE);
#else
- yyerror("Apple specific features not compiled in.");
+ racoon_yyerror("Apple specific features not compiled in.");
#endif
}
keychain_by_id {
YYD;
yylval.val = vmalloc(yyleng + (yyleng & 1) + 1);
if (yylval.val == NULL) {
- yyerror("vmalloc failed");
+ racoon_yyerror("vmalloc failed");
return -1;
}
yylval.val = vmalloc(yyleng - 1);
if (yylval.val == NULL) {
- yyerror("vmalloc failed");
+ racoon_yyerror("vmalloc failed");
return -1;
}
memcpy(yylval.val->v, &yytext[1], yylval.val->l);
yylval.val = vmalloc(yyleng + 1);
if (yylval.val == NULL) {
- yyerror("vmalloc failed");
+ racoon_yyerror("vmalloc failed");
return -1;
}
memcpy(yylval.val->v, yytext, yylval.val->l);
%%
void
-yyerror(char *s, ...)
+yyerror(const char *msg)
{
- char fmt[512];
-
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
- incstack[incstackp].path, incstack[incstackp].lineno,
- yytext, s);
- plogv(LLV_ERROR, LOCATION, NULL, fmt, &ap);
- va_end(ap);
-
+ plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg);
yyerrorcount++;
}
void
-yywarn(char *s, ...)
+yywarn(const char *msg)
{
- char fmt[512];
+ plog(LLV_ERROR, LOCATION, NULL, "%s:%d: %s\n", incstack[incstackp].path, incstack[incstackp].lineno, msg);
+}
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
- incstack[incstackp].path, incstack[incstackp].lineno,
- yytext, s);
- plogv(LLV_WARNING, LOCATION, NULL, fmt, &ap);
- va_end(ap);
+void
+racoon_yyerror(const char *fmt, ...)
+{
+ va_list ap;
+ char msg[512];
+
+ va_start(ap, fmt);
+ vsnprintf(msg, sizeof(msg), fmt, ap);
+ va_end(ap);
+
+ yyerror(msg);
+}
+
+void
+racoon_yywarn(const char *fmt, ...)
+{
+ va_list ap;
+ char msg[512];
+
+ va_start(ap, fmt);
+ vsnprintf(msg, sizeof(msg), fmt, ap);
+ va_end(ap);
+
+ yywarn(msg);
}
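Review bot: `yywarn` now logs at `LLV_ERROR`, whereas the removed implementation used `LLV_WARNING`, so every deprecation notice emitted through `racoon_yywarn` is reported as an error; unless that is intended, change that `plog` call to `plog(LLV_WARNING, LOCATION, NULL, "%s:%d: %s\n", ...)`. Handing the formatted message to `plog` through `"%s"` is the right design: the old code spliced `yytext` — text read from the configuration file — into `fmt` and then passed `fmt` to `plogv` as the format string, which was a format-string hazard. The 512-byte `msg` buffers are bounded by `vsnprintf`, so oversized messages truncate rather than overflow. A one-line comment on `racoon_yyerror` explaining that the split exists because the parser generator calls `yyerror(const char *)` directly would stop someone from collapsing the two back together.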
int
extern int yyerrorcount;
extern int yylex __P((void));
-extern void yyerror __P((char *, ...));
-extern void yywarn __P((char *, ...));
+extern void yyerror __P((const char *));
+extern void yywarn __P((const char *));
+extern void racoon_yyerror __P((const char *, ...));
+extern void racoon_yywarn __P((const char *, ...));
extern int yycf_switch_buffer __P((char *));
extern int yycf_set_buffer __P((char *));
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>Label</key>
- <string>com.apple.racoon</string>
- <key>Program</key>
- <string>/usr/sbin/racoon</string>
- <key>RunAtLoad</key>
- <false/>
- <key>KeepAlive</key>
- <false/>
- <key>UserName</key>
- <string>root</string>
- <key>Sockets</key>
- <dict>
- <key>Listeners</key>
- <dict>
- <key>SockFamily</key>
- <string>Unix</string>
- <key>SockPathMode</key>
- <integer>384</integer>
- <key>SockPathName</key>
- <string>/tmp/racoon/vpncontrol.sock</string>
- </dict>
- </dict>
-</dict>
-</plist>
#include <Security/SecTrust.h>
#include <Security/SecKey.h>
#include <Security/SecIdentity.h>
-
+#include <Security/SecItem.h>
#include <TargetConditionals.h>
#if TARGET_OS_EMBEDDED
-#include <Security/SecItem.h>
#include <Security/SecTrustPriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecCertificatePriv.h>
#include "crypto_cssm.h"
-#if TARGET_OS_EMBEDDED
+
static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef);
-#else
-static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef);
-#endif
#if !TARGET_OS_EMBEDDED
static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef);
static SecPolicyRef
crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname)
{
- OSStatus status;
SecPolicyRef policyRef = NULL;
#if !TARGET_OS_EMBEDDED
+ OSStatus status;
CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC;
// get our policy object
SecCertificateRef
crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert)
{
- OSStatus status;
SecCertificateRef certRef = NULL;
-#if !TARGET_OS_EMBEDDED
- CSSM_DATA certData;
- // create cert ref
- certData.Length = cert->l;
- certData.Data = (uint8 *)cert->v;
- status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
- &certRef);
- if (status != noErr && status != -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "error %d %s.\n", status, GetSecurityErrorString(status));
- }
-#else
CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull);
if (cert_data) {
certRef = SecCertificateCreateWithData(NULL, cert_data);
CFRelease(cert_data);
}
-#endif
+
if (certRef == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to create a certRef.\n");
/*
* Verify cert using security framework
*/
-#if TARGET_OS_EMBEDDED
int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef)
-#else
-int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname)
-#endif
{
cert_t *p;
cert_status_t certStatus = 0;
}
// evaluate cert
-#if TARGET_OS_EMBEDDED
status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef, publicKeyRef);
-#else
- status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef);
-#endif
while (certArrayRefNumValues) {
CFRelease(certArrayRef[--certArrayRefNumValues]);
}
-#if TARGET_OS_EMBEDDED
+
int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature)
{
return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l);
}
-#endif
/*
* Encrypt a hash via CSSM using the private key in the keychain
SecKeyRef privateKeyRef = NULL;
vchar_t *sig = NULL;
-#if !TARGET_OS_EMBEDDED
- CSSM_SIZE bytesEncrypted = 0;
- SecCertificateRef certificateRef = NULL;
- SecIdentitySearchRef idSearchRef = NULL;
- SecKeychainRef keychainRef = NULL;
- const CSSM_KEY *cssmKey = NULL;
- CSSM_CSP_HANDLE cspHandle = nil;
- CSSM_CC_HANDLE cssmContextHandle = nil;
- const CSSM_ACCESS_CREDENTIALS *credentials = NULL;
- CSSM_DATA clearData;
- CSSM_DATA cipherData;
- CSSM_DATA remData;
- CSSM_CONTEXT_ATTRIBUTE newAttr;
-
- remData.Length = 0;
- remData.Data = 0;
-
- if (persistentCertRef) {
- // get cert from keychain
- status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
- if (status != noErr)
- goto end;
-
- // get keychain ref where cert is contained
- status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef);
- if (status != noErr)
- goto end;
-
- // get identity from the certificate
- status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef);
- if (status != noErr)
- goto end;
-
- } else {
-
- // copy system keychain
- status = CopySystemKeychain(&keychainRef);
- if (status != noErr)
- goto end;
-
- // serach for first identity in system keychain
- status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
- if (status != noErr)
- goto end;
-
- status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
- if (status != noErr)
- goto end;
-
- // get certificate from identity
- status = SecIdentityCopyCertificate(identityRef, &certificateRef);
- if (status != noErr)
- goto end;
- }
-
- // get private key from identity
- status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef);
- if (status != noErr)
- goto end;
-
- // get CSSM_KEY pointer from key ref
- status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey);
- if (status != noErr)
- goto end;
-
- // get CSSM CSP handle
- status = SecKeychainGetCSPHandle(keychainRef, &cspHandle);
- if (status != noErr)
- goto end;
-
- // create CSSM credentials to unlock private key for encryption - no UI to be used
- status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT,
- kSecCredentialTypeNoUI, &credentials);
- if (status != noErr)
- goto end;
-
- // create asymmetric context for encryption
- status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey,
- CSSM_PADDING_PKCS1, &cssmContextHandle);
- if (status != noErr)
- goto end;
-
- // add mode attribute to use private key for encryption
- newAttr.AttributeType = CSSM_ATTRIBUTE_MODE;
- newAttr.AttributeLength = sizeof(uint32);
- newAttr.Attribute.Data = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY;
- status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr);
- if(status != noErr)
- goto end;
-
- // and finally - encrypt data
- clearData.Length = hash->l;
- clearData.Data = (uint8 *)hash->v;
- cipherData.Length = 0;
- cipherData.Data = NULL;
- status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted,
- &remData);
- if (status != noErr)
- goto end;
-
- if (remData.Length != 0) { // something didn't go right - should be zero
- status = -1;
- plog(LLV_ERROR, LOCATION, NULL,
- "unencrypted data remaining after encrypting hash.\n");
- goto end;
- }
-
- // alloc buffer for result
- sig = vmalloc(0);
- if (sig == NULL)
- goto end;
-
- sig->l = cipherData.Length;
- sig->v = (caddr_t)cipherData.Data;
-
-#else
CFDictionaryRef persistFind = NULL;
- const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef };
- const void *values_persist[] = { kCFBooleanTrue, persistentCertRef };
-
- #define SIG_BUF_SIZE 1024
+ const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass};
+ const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity};
+
+#define SIG_BUF_SIZE 1024
/* find identity by persistent ref */
persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist,
- (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL);
+ (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL);
if (persistFind == NULL)
goto end;
goto end;
status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, hash->v,
- hash->l, sig->v, &sig->l);
-
-#endif
+ hash->l, sig->v, &sig->l);
end:
if (privateKeyRef)
CFRelease(privateKeyRef);
-#if !TARGET_OS_EMBEDDED
- if (certificateRef)
- CFRelease(certificateRef);
- if (keychainRef)
- CFRelease(keychainRef);
- if (idSearchRef)
- CFRelease(idSearchRef);
- if (cssmContextHandle)
- CSSM_DeleteContext(cssmContextHandle);
-#else
if (persistFind)
CFRelease(persistFind);
-#endif
if (status != noErr) {
if (sig) {
/*
* Evaluate the trust of a cert using the policy provided
*/
-#if TARGET_OS_EMBEDDED
static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef)
-#else
-static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef)
-
-#endif
{
OSStatus status;
SecTrustRef trustRef = 0;
SecTrustResultType evalResult;
-#if TARGET_OS_EMBEDDED
CFArrayRef errorStrings;
-#else
- CSSM_TP_APPLE_EVIDENCE_INFO *statusChain;
- CFArrayRef certChain;
-#endif
CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, evalCertArrayNumValues,
&kCFTypeArrayCallBacks);
case kSecTrustResultProceed:
plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultProceed.\n");
break;
- case kSecTrustResultConfirm:
- plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultConfirm.\n");
- break;
case kSecTrustResultDeny:
plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultDeny.\n");
break;
break;
}
-
-#if TARGET_OS_EMBEDDED
errorStrings = SecTrustCopyProperties(trustRef);
if (errorStrings) {
plog(LLV_ERROR, LOCATION, NULL, "-----------------------------------------------------.\n");
CFRelease(errorStrings);
}
-
-#else
- SecTrustGetResult(trustRef, &evalResult, &certChain, &statusChain);
- plog(LLV_ERROR, LOCATION, NULL, "Cert status bits = 0x%x.\n", statusChain->StatusBits);
- plog(LLV_ERROR, LOCATION, NULL, "Cert status NumStatusCodes = 0x%x.\n", statusChain->NumStatusCodes);
- {
- int i;
- for (i = 0; i < statusChain->NumStatusCodes; i++)
- plog(LLV_ERROR, LOCATION, NULL, "Cert status code i = 0x%x %d.\n", *(statusChain->StatusCodes + i), *(statusChain->StatusCodes + i));
- }
- plog(LLV_ERROR, LOCATION, NULL, "Cert status Index = %d.\n", statusChain->Index);
- CFRelease(certChain);
-#endif
-
+
status = -1;
goto end;
}
-
-#if TARGET_OS_EMBEDDED
/* get and return the public key */
*publicKeyRef = SecTrustCopyPublicKey(trustRef);
-#endif
end:
if (cfCertRef)
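Review bot: The new unconditional `*publicKeyRef = SecTrustCopyPublicKey(trustRef);` only runs on the success path; on the `status = -1; goto end;` path nothing visible writes `*publicKeyRef`, so a caller that did not pre-initialise its SecKeyRef reads an indeterminate pointer. Set `*publicKeyRef = NULL;` at function entry (or before `goto end`), and since SecTrustCopyPublicKey can itself return NULL, treat a NULL result as a failure rather than returning noErr with no key. The function's signature and its `end:` cleanup lie outside this hunk.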
#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecBase.h>
-#if TARGET_OS_EMBEDDED
+
extern int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef);
extern int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature);
-#else
-extern int crypto_cssm_check_x509cert(cert_t *hostcert, cert_t *certchain, CFStringRef hostname);
-#endif
extern SecCertificateRef crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert);
extern vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash);
extern vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, cert_status_t *certStatus);
#include <openssl/blowfish.h>
#include <openssl/cast.h>
#include <openssl/err.h>
-#ifdef HAVE_OPENSSL_RC5_H
-#include <openssl/rc5.h>
-#endif
-#ifdef HAVE_OPENSSL_IDEA_H
-#include <openssl/idea.h>
-#endif
-#if defined(HAVE_OPENSSL_AES_H)
-#include <openssl/aes.h>
-#elif defined(HAVE_OPENSSL_RIJNDAEL_H)
-#include <openssl/rijndael.h>
-#endif
#else /* HAVE_OPENSSL */
#include <Security/SecDH.h>
#include <Security/SecRandom.h>
return kCCKeySizeDES << 3;
}
-#ifdef HAVE_OPENSSL_IDEA_H
-/*
- * IDEA-CBC
- */
-vchar_t *
-eay_idea_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- IDEA_KEY_SCHEDULE ks;
-
- idea_set_encrypt_key(key->v, &ks);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- idea_cbc_encrypt(data->v, res->v, data->l,
- &ks, iv->v, IDEA_ENCRYPT);
-
- return res;
-}
-
-vchar_t *
-eay_idea_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- IDEA_KEY_SCHEDULE ks, dks;
-
- idea_set_encrypt_key(key->v, &ks);
- idea_set_decrypt_key(&ks, &dks);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- idea_cbc_encrypt(data->v, res->v, data->l,
- &dks, iv->v, IDEA_DECRYPT);
-
- return res;
-}
-
-int
-eay_idea_weakkey(key)
- vchar_t *key;
-{
- return 0; /* XXX */
-}
-
-int
-eay_idea_keylen(len)
- int len;
-{
- if (len != 0 && len != 128)
- return -1;
- return 128;
-}
-#endif
-
-#ifdef HAVE_OPENSSL
-/*
- * BLOWFISH-CBC
- */
-vchar_t *
-eay_bf_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_bf_cbc(), 1);
-}
-
-vchar_t *
-eay_bf_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_bf_cbc(), 0);
-}
-
-int
-eay_bf_weakkey(key)
- vchar_t *key;
-{
- return 0; /* XXX to be done. refer to RFC 2451 */
-}
-
-int
-eay_bf_keylen(len)
- int len;
-{
- if (len == 0)
- return 448;
- if (len < 40 || len > 448)
- return -1;
- return len;
-}
-#endif
-
-#ifdef HAVE_OPENSSL_RC5_H
-/*
- * RC5-CBC
- */
-vchar_t *
-eay_rc5_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- RC5_32_KEY ks;
-
- /* in RFC 2451, there is information about the number of round. */
- RC5_32_set_key(&ks, key->l, key->v, 16);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- RC5_32_cbc_encrypt(data->v, res->v, data->l,
- &ks, iv->v, RC5_ENCRYPT);
-
- return res;
-}
-
-vchar_t *
-eay_rc5_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- RC5_32_KEY ks;
-
- /* in RFC 2451, there is information about the number of round. */
- RC5_32_set_key(&ks, key->l, key->v, 16);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- RC5_32_cbc_encrypt(data->v, res->v, data->l,
- &ks, iv->v, RC5_DECRYPT);
-
- return res;
-}
-
-int
-eay_rc5_weakkey(key)
- vchar_t *key;
-{
- return 0; /* No known weak keys when used with 16 rounds. */
-
-}
-
-int
-eay_rc5_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len < 40 || len > 2040)
- return -1;
- return len;
-}
-#endif
-
/*
* 3DES-CBC
*/
eay_3des_weakkey(key)
vchar_t *key;
{
-#ifdef HAVE_OPENSSL
-#ifdef USE_NEW_DES_API
- return (DES_is_weak_key((void *)key->v) ||
- DES_is_weak_key((void *)(key->v + 8)) ||
- DES_is_weak_key((void *)(key->v + 16)));
-#else
- if (key->l < 24)
- return 0;
-
- return (des_is_weak_key((void *)key->v) ||
- des_is_weak_key((void *)(key->v + 8)) ||
- des_is_weak_key((void *)(key->v + 16)));
-#endif
-#else /* HAVE_OPENSSL */
return 0;
-#endif
-
}
int
return kCCKeySize3DES << 3;
}
-#ifdef HAVE_OPENSSL
-/*
- * CAST-CBC
- */
-vchar_t *
-eay_cast_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_cast5_cbc(), 1);
-}
-
-vchar_t *
-eay_cast_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_cast5_cbc(), 0);
-}
-
-int
-eay_cast_weakkey(key)
- vchar_t *key;
-{
- return 0; /* No known weak keys. */
-}
-
-int
-eay_cast_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len < 40 || len > 128)
- return -1;
- return len;
-}
-#endif
-
/*
* AES(RIJNDAEL)-CBC
*/
return 0;
}
-#ifdef HAVE_OPENSSL
-int
-eay_kpdk_hashlen()
-{
- return 0;
-}
-
-int
-eay_twofish_keylen(len)
- int len;
-{
- if (len < 0 || len > 256)
- return -1;
- return len;
-}
-#endif
-
int
eay_null_keylen(len)
int len;
caddr_t c;
vchar_t *data;
{
- CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
+ CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l);
}
vchar_t *
if ((res = vmalloc(CC_SHA512_DIGEST_LENGTH)) == 0)
return NULL;
- CCHmacFinal((CCHmacContext *)c, res->v);
+ CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v);
res->l = CC_SHA512_DIGEST_LENGTH;
(void)racoon_free(c);
caddr_t c;
vchar_t *data;
{
- CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
+ CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l);
}
vchar_t *
if ((res = vmalloc(CC_SHA384_DIGEST_LENGTH)) == 0)
return NULL;
- CCHmacFinal((CCHmacContext *)c, res->v);
+ CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v);
res->l = CC_SHA384_DIGEST_LENGTH;
(void)racoon_free(c);
caddr_t c;
vchar_t *data;
{
- CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
+ CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l);
}
vchar_t *
if ((res = vmalloc(CC_SHA256_DIGEST_LENGTH)) == 0)
return NULL;
- CCHmacFinal((CCHmacContext *)c, res->v);
+ CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v);
res->l = CC_SHA256_DIGEST_LENGTH;
(void)racoon_free(c);
caddr_t c;
vchar_t *data;
{
- CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
+ CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l);
}
vchar_t *
if ((res = vmalloc(CC_SHA1_DIGEST_LENGTH)) == 0)
return NULL;
- CCHmacFinal((CCHmacContext *)c, res->v);
+ CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v);
res->l = CC_SHA1_DIGEST_LENGTH;
(void)racoon_free(c);
caddr_t c;
vchar_t *data;
{
- CCHmacUpdate((CCHmacContext *)c, data->v, data->l);
+ CCHmacUpdate(ALIGNED_CAST(CCHmacContext *)c, data->v, data->l);
}
vchar_t *
if ((res = vmalloc(CC_MD5_DIGEST_LENGTH)) == 0)
return NULL;
- CCHmacFinal((CCHmacContext *)c, res->v);
+ CCHmacFinal(ALIGNED_CAST(CCHmacContext *)c, res->v);
res->l = CC_MD5_DIGEST_LENGTH;
(void)racoon_free(c);
caddr_t c;
vchar_t *data;
{
- SHA512_Update((SHA512_CTX *)c, (unsigned char *) data->v, data->l);
+ SHA512_Update(ALIGNED_CAST(SHA512_CTX *)c, (unsigned char *) data->v, data->l);
return;
}
if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
return(0);
- SHA512_Final((unsigned char *) res->v, (SHA512_CTX *)c);
+ SHA512_Final((unsigned char *) res->v, ALIGNED_CAST(SHA512_CTX *)c);
(void)racoon_free(c);
return(res);
caddr_t c;
vchar_t *data;
{
- SHA384_Update((SHA384_CTX *)c, (unsigned char *) data->v, data->l);
+ SHA384_Update(ALIGNED_CAST(SHA384_CTX *)c, (unsigned char *) data->v, data->l);
return;
}
if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
return(0);
- SHA384_Final((unsigned char *) res->v, (SHA384_CTX *)c);
+ SHA384_Final((unsigned char *) res->v, ALIGNED_CAST(SHA384_CTX *)c);
(void)racoon_free(c);
return(res);
caddr_t c;
vchar_t *data;
{
- SHA256_Update((SHA256_CTX *)c, (unsigned char *) data->v, data->l);
+ SHA256_Update(ALIGNED_CAST(SHA256_CTX *)c, (unsigned char *) data->v, data->l);
return;
}
if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
return(0);
- SHA256_Final((unsigned char *) res->v, (SHA256_CTX *)c);
+ SHA256_Final((unsigned char *) res->v, ALIGNED_CAST(SHA256_CTX *)c);
(void)racoon_free(c);
return(res);
caddr_t c;
vchar_t *data;
{
- SHA1_Update((SHA_CTX *)c, data->v, data->l);
+ SHA1_Update(ALIGNED_CAST(SHA_CTX *)c, data->v, data->l);
return;
}
if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
return(0);
- SHA1_Final((unsigned char *) res->v, (SHA_CTX *)c);
+ SHA1_Final((unsigned char *) res->v, ALIGNED_CAST(SHA_CTX *)c);
(void)racoon_free(c);
return(res);
caddr_t c;
vchar_t *data;
{
- MD5_Update((MD5_CTX *)c, data->v, data->l);
+ MD5_Update(ALIGNED_CAST(MD5_CTX *)c, data->v, data->l);
return;
}
if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
return(0);
- MD5_Final((unsigned char *) res->v, (MD5_CTX *)c);
+ MD5_Final((unsigned char *) res->v, ALIGNED_CAST(MD5_CTX *)c);
(void)racoon_free(c);
return(res);
extern int eay_des_weakkey __P((vchar_t *));
extern int eay_des_keylen __P((int));
-#ifdef HAVE_OPENSSL
-/* IDEA */
-extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_idea_weakkey __P((vchar_t *));
-extern int eay_idea_keylen __P((int));
-
-/* blowfish */
-extern vchar_t *eay_bf_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_bf_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_bf_weakkey __P((vchar_t *));
-extern int eay_bf_keylen __P((int));
-
-/* RC5 */
-extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_rc5_weakkey __P((vchar_t *));
-extern int eay_rc5_keylen __P((int));
-#endif /* HAVE_OPENSSL */
-
/* 3DES */
extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern int eay_3des_weakkey __P((vchar_t *));
extern int eay_3des_keylen __P((int));
-#ifdef HAVE_OPENSSL
-/* CAST */
-extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_cast_weakkey __P((vchar_t *));
-extern int eay_cast_keylen __P((int));
-#endif
-
/* AES(RIJNDAEL) */
extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
int namelen;
int error;
- id_b = (struct ipsecdoi_id_b *)id->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v;
namelen = id->l - sizeof(*id_b);
name = racoon_malloc(namelen + 1);
extern int isakmp_dump_open __P((char *));
extern int isakmp_dump_close __P((void));
-extern int isakmp_dump __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+extern int isakmp_dump __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *));
#endif /* _DUMP_H */
void
evt_push(src, dst, type, optdata)
- struct sockaddr *src;
- struct sockaddr *dst;
+ struct sockaddr_storage *src;
+ struct sockaddr_storage *dst;
int type;
vchar_t *optdata;
{
}
if (src)
- memcpy(&evtdump->src, src, sysdep_sa_len(src));
+ memcpy(&evtdump->src, src, sysdep_sa_len((struct sockaddr *)src));
if (dst)
- memcpy(&evtdump->dst, dst, sysdep_sa_len(dst));
+ memcpy(&evtdump->dst, dst, sysdep_sa_len((struct sockaddr *)dst));
evtdump->len = len;
evtdump->type = type;
time(&evtdump->timestamp);
#ifdef ENABLE_ADMINPORT
struct evtdump *evt_pop(void);
vchar_t *evt_dump(void);
-void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *);
+void evt_push(struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *);
#endif
#ifdef ENABLE_ADMINPORT
#include <strings.h>
#endif
+#include "var.h"
#include "netdb_dnssec.h"
/* XXX should it use ci_errno to hold errno instead of h_errno ? */
/* parse CERT RR */
eom = answer + anslen;
- hp = (HEADER *)answer;
+ hp = ALIGNED_CAST(HEADER *)answer;
qdcount = ntohs(hp->qdcount);
ancount = ntohs(hp->ancount);
#include <ifaddrs.h>
#include <net/if.h>
#endif
+#include <fcntl.h>
#include "var.h"
#include "misc.h"
if (q->udp_encap && !udp_encap
|| !q->udp_encap && udp_encap)
continue;
- if (addr->sa_family != q->addr->sa_family)
+ if (addr->sa_family != q->addr->ss_family)
continue;
- if (getnameinfo(q->addr, sysdep_sa_len(q->addr), h2, sizeof(h2),
+ if (getnameinfo((struct sockaddr *)q->addr, sysdep_sa_len((struct sockaddr *)q->addr), h2, sizeof(h2),
NULL, 0, NI_NUMERICHOST | niflags) != 0)
return NULL;
if (strcmp(h1, h2) == 0)
#ifdef HAVE_GETIFADDRS
struct myaddrs *p, *q;
struct ifaddrs *ifa0, *ifap;
-#ifdef INET6
- struct sockaddr_in6 *sin6;
-#endif
char addr1[NI_MAXHOST];
p->sock = -1;
p->in_use = 1;
- if (getnameinfo(p->addr, p->addr->sa_len,
+ if (getnameinfo((struct sockaddr *)p->addr, p->addr->ss_len,
addr1, sizeof(addr1),
NULL, 0,
NI_NUMERICHOST | niflags))
return 0;
}
+ if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put IPv6 socket in non-blocking mode\n");
+ }
+
memset(&ifr6, 0, sizeof(ifr6));
strlcpy(ifr6.ifr_name, ifname, sizeof(ifr6.ifr_name));
- ifr6.ifr_addr = *(const struct sockaddr_in6 *)ifaddr;
+ memcpy(&ifr6.ifr_addr, ifaddr, sizeof(struct sockaddr_in6)); // Wcast-align fix - copy instread of assign with cast
if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
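Review bot: `fcntl(s, F_SETFL, O_NONBLOCK)` replaces the descriptor's whole status-flag word instead of adding one bit, so any flag already set on the socket is silently cleared; the same pattern is added for the PF_ROUTE socket in the later hunk (`fcntl(lcconf->rtsock, F_SETFL, O_NONBLOCK)`). Read the current flags first: `int fl = fcntl(s, F_GETFL, 0);` / `if (fl == -1 || fcntl(s, F_SETFL, fl | O_NONBLOCK) == -1)`. Both sites only log on failure and carry on, which is fine for best-effort, but the log line should include `strerror(errno)` as the neighbouring plog calls do. The new comment on the memcpy line has a typo, "instread" for "instead", and the enclosing function begins and ends outside the hunk.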
int
update_myaddrs()
-{
- char msg[BUFSIZ];
+{
+ struct rtmessage { // Wcast-align fix - force alignment
+ struct rt_msghdr rtm;
+ char discard[BUFSIZ];
+ } msg;
+
int len;
- struct rt_msghdr *rtm;
- len = read(lcconf->rtsock, msg, sizeof(msg));
- if (len < 0) {
+ while((len = read(lcconf->rtsock, &msg, sizeof(msg))) < 0) {
+ if (errno == EINTR)
+ continue;
plog(LLV_ERROR, LOCATION, NULL,
"read(PF_ROUTE) failed: %s\n",
strerror(errno));
return 0;
}
- rtm = (struct rt_msghdr *)msg;
- if (len < rtm->rtm_msglen) {
+ if (len < msg.rtm.rtm_msglen) {
plog(LLV_ERROR, LOCATION, NULL,
"read(PF_ROUTE) short read\n");
return 0;
}
- if (rtm->rtm_version != RTM_VERSION) {
+ if (msg.rtm.rtm_version != RTM_VERSION) {
plog(LLV_ERROR, LOCATION, NULL,
"routing socket version mismatch\n");
close(lcconf->rtsock);
lcconf->rtsock = -1;
return 0;
}
- switch (rtm->rtm_type) {
+ switch (msg.rtm.rtm_type) {
case RTM_NEWADDR:
case RTM_DELADDR:
case RTM_DELETE:
/* ignore this message silently */
return 0;
default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "msg %d not interesting\n", rtm->rtm_type);
+ //plog(LLV_DEBUG, LOCATION, NULL,
+ // "msg %d not interesting\n", msg.rtm.rtm_type);
return 0;
}
/* XXX more filters here? */
- plog(LLV_DEBUG, LOCATION, NULL,
- "caught rtm:%d, need update interface address list\n",
- rtm->rtm_type);
+ //plog(LLV_DEBUG, LOCATION, NULL,
+ // "caught rtm:%d, need update interface address list\n",
+ // msg.rtm.rtm_type);
return 1;
}
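Review bot: `if (len < msg.rtm.rtm_msglen)` reads `rtm_msglen` from `msg` before checking that the read returned at least `sizeof(msg.rtm)` bytes; `msg` is not zero-initialised, so a short or zero-length read compares against stale stack contents and may pass the check and go on to read `rtm_version`/`rtm_type` the same way. The retry loop also only handles EINTR, but the later hunk in this file puts `lcconf->rtsock` into non-blocking mode, so a spurious wakeup will now produce `read(PF_ROUTE) failed: Resource temporarily unavailable` in the log instead of a quiet return. The two `plog` calls turned into `//` comments should be removed rather than kept as commented-out code. Suggested rewrite of the read and header check:
```c
	while ((len = read(lcconf->rtsock, &msg, sizeof(msg))) < 0) {
		if (errno == EINTR)
			continue;
		if (errno == EAGAIN || errno == EWOULDBLOCK)
			return 0;	/* socket is non-blocking; nothing queued */
		plog(LLV_ERROR, LOCATION, NULL,
		    "read(PF_ROUTE) failed: %s\n",
		    strerror(errno));
		return 0;
	}
	/* rtm_msglen lives in the header; never read it from a short read */
	if ((size_t)len < sizeof(msg.rtm) || len < msg.rtm.rtm_msglen) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "read(PF_ROUTE) short read\n");
		return 0;
	}
	// … unchanged: version check and rtm_type switch …
```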
*/
u_short
getmyaddrsport(local)
- struct sockaddr *local;
+ struct sockaddr_storage *local;
{
struct myaddrs *p, *bestmatch = NULL;
u_short bestmatch_port = PORT_ISAKMP;
continue;
}
- switch (p->addr->sa_family) {
+ switch (p->addr->ss_family) {
case AF_INET:
if (((struct sockaddr_in *)p->addr)->sin_port == PORT_ISAKMP) {
bestmatch = p;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "unsupported AF %d\n", p->addr->sa_family);
+ "unsupported AF %d\n", p->addr->ss_family);
continue;
}
}
/* Copy the whole structure and set the differences. */
memcpy (new, old, sizeof (*new));
- new->addr = dupsaddr (old->addr);
+ new->addr = dupsaddr ((struct sockaddr *)old->addr);
if (new->addr == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer for duplicate addr.\n");
strerror(errno));
return -1;
}
+
+ if (fcntl(lcconf->rtsock, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put PF_ROUTE socket in non-blocking mode\n");
+ }
if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) {
grab_myaddrs();
for (p = lcconf->myaddrs; p; p = p->next) {
if (p->addr == NULL)
continue;
- if (my->sa_family == p->addr->sa_family) {
+ if (my->sa_family == p->addr->ss_family) {
lastresort = p;
} else continue;
- if (sysdep_sa_len(my) == sysdep_sa_len(p->addr)
+ if (sysdep_sa_len(my) == sysdep_sa_len((struct sockaddr *)p->addr)
&& memcmp(my, p->addr, sysdep_sa_len(my)) == 0) {
break;
}
struct myaddrs {
struct myaddrs *next;
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
int sock;
int udp_encap;
int in_use;
extern void grab_myaddrs __P((void));
extern int update_myaddrs __P((void));
extern int autoconf_myaddrsport __P((void));
-extern u_short getmyaddrsport __P((struct sockaddr *));
+extern u_short getmyaddrsport __P((struct sockaddr_storage *));
extern struct myaddrs *newmyaddr __P((void));
extern struct myaddrs *dupmyaddr __P((struct myaddrs *));
extern void insmyaddr __P((struct myaddrs *, struct myaddrs **));
gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
{
char name[NI_MAXHOST];
- struct sockaddr *sa;
+ struct sockaddr_storage *sa;
char* buf = NULL;
gss_buffer_desc name_token;
OM_uint32 min_stat, maj_stat;
sa = remote ? iph1->remote : iph1->local;
- if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
+ if (getnameinfo(sa, sysdep_sa_len((struct sockaddr *)sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
return -1;
name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);
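Review bot: The cast was added only to the `sysdep_sa_len` argument, so `getnameinfo(sa, ...)` now passes a `struct sockaddr_storage *` where `const struct sockaddr *` is expected, which is an incompatible-pointer-type diagnostic and inconsistent with the other call sites in this commit that cast both arguments. Change it to `if (getnameinfo((struct sockaddr *)sa, sysdep_sa_len((struct sockaddr *)sa), name, NI_MAXHOST, NULL, 0, 0) != 0)`. gssapi_get_default_name continues past the end of the hunk.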
*/
struct ph1handle *
getph1byaddr(local, remote)
- struct sockaddr *local, *remote;
+ struct sockaddr_storage *local, *remote;
{
struct ph1handle *p;
plog(LLV_DEBUG2, LOCATION, NULL, "getph1byaddr: start\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str(local));
- plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str(remote));
+ plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str((struct sockaddr *)local));
+ plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str((struct sockaddr *)remote));
LIST_FOREACH(p, &ph1tree, chain) {
if (p->status == PHASE1ST_EXPIRED)
continue;
- plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local));
- plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote));
+ plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str((struct sockaddr *)p->local));
+ plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str((struct sockaddr *)p->remote));
if (CMPSADDR(local, p->local) == 0
&& CMPSADDR(remote, p->remote) == 0){
plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
struct ph1handle *
getph1byaddrwop(local, remote)
- struct sockaddr *local, *remote;
+ struct sockaddr_storage *local, *remote;
{
struct ph1handle *p;
*/
struct ph1handle *
getph1bydstaddrwop(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
struct ph1handle *p;
"failed to get buffer\n");
return NULL;
}
- pd = (struct ph1dump *)buf->v;
+ pd = ALIGNED_CAST(struct ph1dump *)buf->v;
LIST_FOREACH(iph1, &ph1tree, chain) {
memcpy(&pd->index, &iph1->index, sizeof(iph1->index));
pd->status = iph1->status;
pd->side = iph1->side;
- memcpy(&pd->remote, iph1->remote, sysdep_sa_len(iph1->remote));
- memcpy(&pd->local, iph1->local, sysdep_sa_len(iph1->local));
+ memcpy(&pd->remote, iph1->remote, sysdep_sa_len((struct sockaddr *)iph1->remote));
+ memcpy(&pd->local, iph1->local, sysdep_sa_len((struct sockaddr *)iph1->local));
pd->version = iph1->version;
pd->etype = iph1->etype;
pd->created = iph1->created;
struct ph2handle *
getph2byid(src, dst, spid)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
u_int32_t spid;
{
struct ph2handle *p;
struct ph2handle *
getph2bysaddr(src, dst)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
{
struct ph2handle *p;
*/
struct ph2handle *
getph2bysaidx(src, dst, proto_id, spi)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
u_int proto_id;
u_int32_t spi;
{
/* clear the generated policy */
if (iph2->spidx_gen) {
- delsp_bothdir((struct policyindex *)iph2->spidx_gen);
+ delsp_bothdir(iph2->spidx_gen);
racoon_free(iph2->spidx_gen);
iph2->spidx_gen = NULL;
}
*/
void
deleteallph2(src, dst, proto_id)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
u_int proto_id;
{
struct ph2handle *iph2, *next;
*/
void
deleteallph1(src, dst)
-struct sockaddr *src, *dst;
+struct sockaddr_storage *src, *dst;
{
struct ph1handle *iph1, *next;
*/
struct contacted *
getcontacted(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
struct contacted *p;
*/
int
inscontacted(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
struct contacted *new;
if (new == NULL)
return -1;
- new->remote = dupsaddr(remote);
+ new->remote = dupsaddr((struct sockaddr *)remote);
if (new->remote == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
*/
int
check_recvdpkt(remote, local, rbuf)
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
vchar_t *rbuf;
{
vchar_t *hash;
if (t - r->time_send < 1) {
plog(LLV_WARNING, LOCATION, NULL,
"the packet retransmitted in a short time from %s\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
/*XXX should it be error ? */
}
/* select the socket to be sent */
- s = getsockmyaddr(r->local);
+ s = getsockmyaddr((struct sockaddr *)r->local);
if (s == -1)
return -1;
del_recvdpkt(r);
plog(LLV_DEBUG, LOCATION, NULL,
"deleted the retransmission packet to %s.\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
} else {
r->time_send = t;
r->retry_interval = get_exp_retx_interval((lcconf->retry_counter - r->retry_counter),
*/
int
add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags)
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
vchar_t *sbuf, *rbuf;
size_t non_esp;
u_int32_t frag_flags;
del_recvdpkt(new);
return -1;
}
- new->remote = dupsaddr(remote);
+ new->remote = dupsaddr((struct sockaddr *)remote);
if (new->remote == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
- new->local = dupsaddr(local);
+ new->local = dupsaddr((struct sockaddr *)local);
if (new->local == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
del_recvdpkt(new);
return -1;
}
- *(u_int32_t *)new->sendbuf->v = 0;
+ *ALIGNED_CAST(u_int32_t *)new->sendbuf->v = 0;
memcpy(new->sendbuf->v + non_esp, sbuf->v, sbuf->l);
} else {
new->sendbuf = vdup(sbuf);
*/
int
exclude_cfg_addr(addr)
- const struct sockaddr *addr;
+ const struct sockaddr_storage *addr;
{
struct ph1handle *p;
struct sockaddr_in *sin;
LIST_FOREACH(p, &ph1tree, chain) {
if ((p->mode_cfg != NULL) &&
(p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) &&
- (addr->sa_family == AF_INET)) {
+ (addr->ss_family == AF_INET)) {
sin = (struct sockaddr_in *)addr;
if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr)
return 0;
int
purgephXbydstaddrwop(remote)
-struct sockaddr *remote;
+struct sockaddr_storage *remote;
{
int found = 0;
struct ph1handle *p;
struct ph2handle *p2;
LIST_FOREACH(p2, &ph2tree, chain) {
+ if (p2->is_dying || p2->status == PHASE2ST_EXPIRED) {
+ continue;
+ }
if (cmpsaddrwop(remote, p2->dst) == 0) {
plog(LLV_WARNING, LOCATION, NULL,
"in %s... purging phase2s\n", __FUNCTION__);
if (p2->status == PHASE2ST_ESTABLISHED)
isakmp_info_send_d2(p2);
- if (p2->status < PHASE2ST_EXPIRED) {
- isakmp_ph2expire(p2);
- } else {
- isakmp_ph2delete(p2);
- }
+ isakmp_ph2expire(p2);
found++;
}
}
LIST_FOREACH(p, &ph1tree, chain) {
+ if (p->is_dying || p->status == PHASE1ST_EXPIRED) {
+ continue;
+ }
if (cmpsaddrwop(remote, p->remote) == 0) {
plog(LLV_WARNING, LOCATION, NULL,
"in %s... purging phase1 and related phase2s\n", __FUNCTION__);
#ifdef ENABLE_DPD
int
-ph1_force_dpd (struct sockaddr *remote)
+ph1_force_dpd (struct sockaddr_storage *remote)
{
int status = -1;
struct ph1handle *p;
int side; /* INITIATOR or RESPONDER */
int started_by_api; /* connection started by VPNControl API */
- struct sockaddr *remote; /* remote address to negosiate ph1 */
- struct sockaddr *local; /* local address to negosiate ph1 */
+ struct sockaddr_storage *remote; /* remote address to negosiate ph1 */
+ struct sockaddr_storage *local; /* local address to negosiate ph1 */
/* XXX copy from rmconf due to anonymous configuration.
* If anonymous will be forbidden, we do delete them. */
cert_t *cert_p; /* peer's CERT minus general header */
cert_t *crl_p; /* peer's CRL minus general header */
cert_t *cr_p; /* peer's CR not including general */
-#ifdef HAVE_OPENSSL
- RSA *rsa; /* my RSA key */
- RSA *rsa_p; /* peer's RSA key */
- struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
-#endif
vchar_t *id; /* ID minus gen header */
vchar_t *id_p; /* partner's ID minus general header */
/* i.e. struct ipsecdoi_id_b*. */
#define PHASE2ST_MAX 11
struct ph2handle {
- struct sockaddr *src; /* my address of SA. */
- struct sockaddr *dst; /* peer's address of SA. */
+ struct sockaddr_storage *src; /* my address of SA. */
+ struct sockaddr_storage *dst; /* peer's address of SA. */
/*
* copy ip address from ID payloads when ID type is ip address.
* In other case, they must be null.
*/
- struct sockaddr *src_id;
- struct sockaddr *dst_id;
+ struct sockaddr_storage *src_id;
+ struct sockaddr_storage *dst_id;
u_int32_t spid; /* policy id by kernel */
struct sainfo *sainfo; /* place holder of sainfo */
struct saprop *proposal; /* SA(s) proposal. */
struct saprop *approval; /* SA(s) approved. */
- caddr_t spidx_gen; /* policy from peer's proposal */
+ struct policyindex * spidx_gen; /* policy from peer's proposal */
#ifndef HAVE_OPENSSL
SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
* for handling initial contact.
*/
struct contacted {
- struct sockaddr *remote; /* remote address to negotiate ph1 */
+ struct sockaddr_storage *remote; /* remote address to negotiate ph1 */
LIST_ENTRY(contacted) chain;
};
* for checking if a packet is retransmited.
*/
struct recvdpkt {
- struct sockaddr *remote; /* the remote address */
- struct sockaddr *local; /* the local address */
+ struct sockaddr_storage *remote; /* the remote address */
+ struct sockaddr_storage *local; /* the local address */
vchar_t *hash; /* hash of the received packet */
vchar_t *sendbuf; /* buffer for the response */
int retry_counter; /* how many times to send */
int ph2cnt;
};
-struct sockaddr;
+struct sockaddr_storage;
struct ph1handle;
struct ph2handle;
struct policyindex;
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
-extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
- struct sockaddr *));
-extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
- struct sockaddr *));
-extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
+extern struct ph1handle *getph1byaddr __P((struct sockaddr_storage *,
+ struct sockaddr_storage *));
+extern struct ph1handle *getph1byaddrwop __P((struct sockaddr_storage *,
+ struct sockaddr_storage *));
+extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr_storage *));
extern int islast_ph1 __P((struct ph1handle *));
struct ph1handle *ph1;
#ifdef ENABLE_HYBRID
struct ph1handle *getph1bylogin __P((char *));
int purgeph1bylogin __P((char *));
#endif
-extern int purgephXbydstaddrwop __P((struct sockaddr *));
+extern int purgephXbydstaddrwop __P((struct sockaddr_storage *));
extern void purgephXbyspid __P((u_int32_t, int));
extern vchar_t *dumpph1 __P((void));
extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
-extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
- struct sockaddr *));
+extern struct ph2handle *getph2bysaddr __P((struct sockaddr_storage *,
+ struct sockaddr_storage *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
-extern struct ph2handle *getph2byid __P((struct sockaddr *,
- struct sockaddr *, u_int32_t));
-extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
- struct sockaddr *, u_int, u_int32_t));
+extern struct ph2handle *getph2byid __P((struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int32_t));
+extern struct ph2handle *getph2bysaidx __P((struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((int));
-extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
-extern void deleteallph1 __P((struct sockaddr *, struct sockaddr *));
+extern void deleteallph2 __P((struct sockaddr_storage *, struct sockaddr_storage *, u_int));
+extern void deleteallph1 __P((struct sockaddr_storage *, struct sockaddr_storage *));
extern void initph2tree __P((void));
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));
extern void rebindph12 __P((struct ph1handle *, struct ph2handle *));
-extern struct contacted *getcontacted __P((struct sockaddr *));
-extern int inscontacted __P((struct sockaddr *));
+extern struct contacted *getcontacted __P((struct sockaddr_storage *));
+extern int inscontacted __P((struct sockaddr_storage *));
extern void clear_contacted __P((void));
extern void initctdtree __P((void));
extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval));
-extern int check_recvdpkt __P((struct sockaddr *,
- struct sockaddr *, vchar_t *));
-extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
+extern int check_recvdpkt __P((struct sockaddr_storage *,
+ struct sockaddr_storage *, vchar_t *));
+extern int add_recvdpkt __P((struct sockaddr_storage *, struct sockaddr_storage *,
vchar_t *, vchar_t *, size_t, u_int32_t));
extern void clear_recvdpkt __P((void));
extern void init_recvdpkt __P((void));
#ifdef ENABLE_HYBRID
-extern int exclude_cfg_addr __P((const struct sockaddr *));
+extern int exclude_cfg_addr __P((const struct sockaddr_storage *));
#endif
#ifdef ENABLE_DPD
-extern int ph1_force_dpd __P((struct sockaddr *));
+extern int ph1_force_dpd __P((struct sockaddr_storage *));
#endif
extern void sweep_sleepwake __P((void));
#include "localconf.h"
#include "remoteconf.h"
#include "vpn_control.h"
+#include "vpn_control_var.h"
#include "proposal.h"
#include "sainfo.h"
#include "power_mgmt.h"
} while(0);
const char *ike_session_stopped_by_vpn_disconnect = "Stopped by VPN disconnect";
+const char *ike_session_stopped_by_controller_comm_lost = "Stopped by loss of controller communication";
const char *ike_session_stopped_by_flush = "Stopped by Flush";
const char *ike_session_stopped_by_idle = "Stopped by Idle";
const char *ike_session_stopped_by_xauth_timeout = "Stopped by XAUTH timeout";
gettimeofday(&session->stop_timestamp, NULL);
}
if (session->term_reason != ike_session_stopped_by_vpn_disconnect ||
+ session->term_reason != ike_session_stopped_by_controller_comm_lost ||
session->term_reason != ike_session_stopped_by_flush ||
session->term_reason != ike_session_stopped_by_idle) {
is_failure = FALSE;
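Review bot: The condition that the new line on L4349 extends is always true, so `is_failure = FALSE` runs unconditionally: `term_reason` can equal at most one sentinel pointer, hence at least one of the `!=` comparisons joined by `||` holds for every value, including a genuine failure reason. Adding `ike_session_stopped_by_controller_comm_lost` to the chain preserves that tautology rather than making the new reason count as a non-failure. The intended form is presumably `==` joined by `||` (stopped by any benign reason → not a failure), e.g. `session->term_reason == ike_session_stopped_by_controller_comm_lost ||`, applied to all four comparisons; confirm against whichever branch sets `is_failure` to TRUE, which is outside this hunk. The enclosing function starts and ends outside the hunk.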
// TODO: optimize this mess later
ike_session_t *
-ike_session_get_session (struct sockaddr *local,
- struct sockaddr *remote,
+ike_session_get_session (struct sockaddr_storage *local,
+ struct sockaddr_storage *remote,
int alloc_if_absent)
{
ike_session_t *p;
bzero(&id_default, sizeof(id_default));
bzero(&id_floated_default, sizeof(id_floated_default));
bzero(&id_wop, sizeof(id_wop));
- if (local->sa_family == AF_INET) {
+ if (local->ss_family == AF_INET) {
memcpy(&id.local, local, sizeof(struct sockaddr_in));
memcpy(&id_default.local, local, sizeof(struct sockaddr_in));
memcpy(&id_floated_default.local, local, sizeof(struct sockaddr_in));
memcpy(&id_wop.local, local, sizeof(struct sockaddr_in));
- } else if (local->sa_family == AF_INET6) {
+ } else if (local->ss_family == AF_INET6) {
memcpy(&id.local, local, sizeof(struct sockaddr_in6));
memcpy(&id_default.local, local, sizeof(struct sockaddr_in6));
memcpy(&id_floated_default.local, local, sizeof(struct sockaddr_in6));
memcpy(&id_wop.local, local, sizeof(struct sockaddr_in6));
}
- set_port((struct sockaddr *)&id_default.local, PORT_ISAKMP);
- set_port((struct sockaddr *)&id_floated_default.local, PORT_ISAKMP_NATT);
- set_port((struct sockaddr *)&id_wop.local, 0);
- if (remote->sa_family == AF_INET) {
+ set_port(&id_default.local, PORT_ISAKMP);
+ set_port(&id_floated_default.local, PORT_ISAKMP_NATT);
+ set_port(&id_wop.local, 0);
+ if (remote->ss_family == AF_INET) {
memcpy(&id.remote, remote, sizeof(struct sockaddr_in));
memcpy(&id_default.remote, remote, sizeof(struct sockaddr_in));
memcpy(&id_floated_default.remote, remote, sizeof(struct sockaddr_in));
memcpy(&id_wop.remote, remote, sizeof(struct sockaddr_in));
- } else if (remote->sa_family == AF_INET6) {
+ } else if (remote->ss_family == AF_INET6) {
memcpy(&id.remote, remote, sizeof(struct sockaddr_in6));
memcpy(&id_default.remote, remote, sizeof(struct sockaddr_in6));
memcpy(&id_floated_default.remote, remote, sizeof(struct sockaddr_in6));
memcpy(&id_wop.remote, remote, sizeof(struct sockaddr_in6));
}
- set_port((struct sockaddr *)&id_default.remote, PORT_ISAKMP);
- set_port((struct sockaddr *)&id_floated_default.remote, PORT_ISAKMP_NATT);
- set_port((struct sockaddr *)&id_wop.remote, 0);
+ set_port(&id_default.remote, PORT_ISAKMP);
+ set_port(&id_floated_default.remote, PORT_ISAKMP_NATT);
+ set_port(&id_wop.remote, 0);
plog(LLV_DEBUG, LOCATION, local,
"start search for IKE-Session. target %s.\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
for (p = LIST_FIRST(&ike_session_tree); p; p = LIST_NEXT(p, chain)) {
plog(LLV_DEBUG, LOCATION, local,
if (memcmp(&p->session_id, &id, sizeof(id)) == 0) {
plog(LLV_DEBUG, LOCATION, local,
"Pre-existing IKE-Session to %s. case 1.\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
return p;
} else if (is_isakmp_remote_port && memcmp(&p->session_id, &id_default, sizeof(id_default)) == 0) {
plog(LLV_DEBUG, LOCATION, local,
"Pre-existing IKE-Session to %s. case 2.\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
return p;
} else if (is_isakmp_remote_port && p->ports_floated && memcmp(&p->session_id, &id_floated_default, sizeof(id_floated_default)) == 0) {
plog(LLV_DEBUG, LOCATION, local,
"Pre-existing IKE-Session to %s. case 3.\n",
- saddr2str(remote));
+ saddr2str((struct sockaddr *)remote));
return p;
} else if (is_isakmp_remote_port && memcmp(&p->session_id, &id_wop, sizeof(id_wop)) == 0) {
best_match = p;
int
ike_session_link_ph2_to_session (struct ph2handle *iph2)
{
- struct sockaddr *local;
- struct sockaddr *remote;
+ struct sockaddr_storage *local;
+ struct sockaddr_storage *remote;
ike_session_t *session;
if (!iph2) {
void
ike_session_ikev1_float_ports (struct ph1handle *iph1)
{
- struct sockaddr *local, *remote;
+ struct sockaddr_storage *local, *remote;
struct ph2handle *p;
if (iph1->parent_session) {
- local = (struct sockaddr *)&iph1->parent_session->session_id.local;
- remote = (struct sockaddr *)&iph1->parent_session->session_id.remote;
+ local = &iph1->parent_session->session_id.local;
+ remote = &iph1->parent_session->session_id.remote;
set_port(local, extract_port(iph1->local));
set_port(remote, extract_port(iph1->remote));
p->is_dying = 1;
//log deletion
- local = racoon_strdup(saddr2str(p->local));
- remote = racoon_strdup(saddr2str(p->remote));
+ local = racoon_strdup(saddr2str((struct sockaddr *)p->local));
+ remote = racoon_strdup(saddr2str((struct sockaddr *)p->remote));
STRDUP_FATAL(local);
STRDUP_FATAL(remote);
plog(LLV_DEBUG, LOCATION, NULL,
}
void
-ike_sessions_stopped_by_controller (struct sockaddr *remote,
+ike_sessions_stopped_by_controller (struct sockaddr_storage *remote,
int withport,
const char *reason)
{
void
ike_session_update_ph2_ports (struct ph2handle *iph2)
{
- struct sockaddr *local;
- struct sockaddr *remote;
+ struct sockaddr_storage *local;
+ struct sockaddr_storage *remote;
if (iph2->parent_session) {
- local = (struct sockaddr *)&iph2->parent_session->session_id.local;
- remote = (struct sockaddr *)&iph2->parent_session->session_id.remote;
+ local = &iph2->parent_session->session_id.local;
+ remote = &iph2->parent_session->session_id.remote;
set_port(iph2->src, extract_port(local));
set_port(iph2->dst, extract_port(remote));
}
// send ipsecManager a notification
- if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect) {
+ if (session->is_cisco_ipsec && reason && reason != ike_session_stopped_by_vpn_disconnect
+ && reason != ike_session_stopped_by_controller_comm_lost) {
u_int32_t address;
- if (((struct sockaddr *)&session->session_id.remote)->sa_family == AF_INET) {
+ if ((&session->session_id.remote)->ss_family == AF_INET) {
address = ((struct sockaddr_in *)&session->session_id.remote)->sin_addr.s_addr;
} else {
address = 0;
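Review bot: The family test on L4488 takes the address of the member only to dereference it again, `(&session->session_id.remote)->ss_family`; since `remote` is now a `struct sockaddr_storage` the plain member access reads better and is what the rest of the commit uses, `if (session->session_id.remote.ss_family == AF_INET) {`. The pointer-identity comparisons against the string sentinels on L4484–L4485 match the existing convention for the other `ike_session_stopped_by_*` constants and look fine. The enclosing function starts and ends outside the hunk.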
} *id_ptr;
/* ignore protocol and port */
- id_ptr = (struct id *)ext_id->v;
+ id_ptr = ALIGNED_CAST(struct id *)ext_id->v;
if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR &&
id_ptr->addr == 0) {
return 1;
} *id_ptr;
/* ignore addr */
- id_ptr = (struct id *)ext_id->v;
+ id_ptr = ALIGNED_CAST(struct id *)ext_id->v;
if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR &&
id_ptr->port == 0) {
return 1;
} *id_ptr;
/* ignore addr */
- id_ptr = (struct id *)ext_id->v;
+ id_ptr = ALIGNED_CAST(struct id *)ext_id->v;
if (id_ptr->type == IPSECDOI_ID_IPV4_ADDR) {
id_ptr->port = 0;
return;
ike_session_cmp_ph2_ids(iph2, p) == 0) {
plog(LLV_DEBUG2, LOCATION, NULL, "candidate ph2 matched in %s.\n", __FUNCTION__);
iph2->sainfo = p->sainfo;
+ if (iph2->sainfo) {
+ if (link_sainfo_to_ph2(iph2->sainfo) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to link sainfo\n");
+ iph2->sainfo = NULL;
+ return -1;
+ }
+ }
if (!iph2->spid) {
iph2->spid = p->spid;
} else {
}
int
-ike_session_assert (struct sockaddr *local,
- struct sockaddr *remote)
+ike_session_assert (struct sockaddr_storage *local,
+ struct sockaddr_storage *remote)
{
ike_session_t *sess;
} ike_session_rekey_type_t;
extern const char * ike_session_stopped_by_vpn_disconnect;
+extern const char * ike_session_stopped_by_controller_comm_lost;
extern const char * ike_session_stopped_by_flush;
extern const char * ike_session_stopped_by_sleepwake;
extern const char * ike_session_stopped_by_assert;
extern void ike_session_init __P((void));
-extern ike_session_t * ike_session_get_session __P((struct sockaddr *, struct sockaddr *, int));
+extern ike_session_t * ike_session_get_session __P((struct sockaddr_storage *, struct sockaddr_storage *, int));
extern u_int ike_session_get_rekey_lifetime __P((int, u_int));
extern void ike_session_update_mode __P((struct ph2handle *iph2));
extern int ike_session_link_ph1_to_session __P((struct ph1handle *));
extern void ike_session_cleanup_other_established_ph1s __P((ike_session_t *, struct ph1handle *));
extern void ike_session_cleanup_other_established_ph2s __P((ike_session_t *, struct ph2handle *));
extern void ike_session_stopped_by_controller __P((ike_session_t *, const char *));
-extern void ike_sessions_stopped_by_controller __P((struct sockaddr *, int, const char *));
+extern void ike_sessions_stopped_by_controller __P((struct sockaddr_storage *, int, const char *));
extern void ike_session_purge_ph2s_by_ph1 __P((struct ph1handle *));
extern struct ph1handle * ike_session_get_established_ph1 __P((ike_session_t *));
extern void ike_session_update_ph2_ports __P((struct ph2handle *));
extern int ike_session_get_natt_version __P((struct ph1handle *));
extern int ike_session_drop_rekey __P((ike_session_t *, ike_session_rekey_type_t));
extern void ike_session_sweep_sleepwake __P((void));
-extern int ike_session_assert __P((struct sockaddr *, struct sockaddr *));
+extern int ike_session_assert __P((struct sockaddr_storage *, struct sockaddr_storage *));
extern int ike_session_assert_session __P((ike_session_t *));
extern void ike_session_ph2_retransmits __P((struct ph2handle *));
extern void ike_session_ph1_retransmits __P((struct ph1handle *));
#include "sainfo.h"
#include "proposal.h"
#include "crypto_openssl.h"
+#include "crypto_cssm.h"
#include "strnames.h"
#include "gcmalloc.h"
/* key length must not be specified on some algorithms */
if (keylen) {
if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
-#ifdef HAVE_OPENSSL_IDEA_H
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
-#endif
|| sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
plog(LLV_ERROR, LOCATION, NULL,
"keylen must not be specified "
int tlen;
caddr_t bp;
int i;
- struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v;
+ struct ipsecdoi_sa_b *sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)sa->v;
plog(LLV_DEBUG, LOCATION, NULL, "total SA len=%zu\n", sa->l);
plogdump(LLV_DEBUG, sa->v, sa->l);
if (pbuf == NULL)
goto bad;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
/* check the value of next payload */
/* check and get transform for use */
num_t = 0;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
((struct isakmp_gen *)bp)->len = htons(newtlen);
/* update some of values in SA header */
- ((struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype);
- ((struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype);
+ (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype);
+ (ALIGNED_CAST(struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype);
bp += sizeof(struct ipsecdoi_sa_b);
/* create proposal payloads */
switch (buf->l) {
case 2:
- ld = ntohs(*(u_int16_t *)buf->v);
+ ld = ntohs(*ALIGNED_CAST(u_int16_t *)buf->v);
break;
case 4:
- ld = ntohl(*(u_int32_t *)buf->v);
+ ld = ntohl(*ALIGNED_CAST(u_int32_t *)buf->v);
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
/* create SA payload */
/* not including isakmp general header */
- ((struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype);
- ((struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype);
+ (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype);
+ (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype);
(void)setph1prop(props, mysa->v + sizeof(struct ipsecdoi_sa_b));
}
/* create SA payload */
- sab = (struct ipsecdoi_sa_b *)iph2->sa->v;
+ sab = ALIGNED_CAST(struct ipsecdoi_sa_b *)iph2->sa->v;
sab->doi = htonl(IPSEC_DOI);
sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ? */
if (subnet->l != (sizeof(struct in_addr)*2))
return 1;
- mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
+ mask = ALIGNED_CAST(struct in_addr*)(subnet->v + sizeof(struct in_addr));
if (mask->s_addr!=0xffffffff)
return 1;
if (subnet->l != (sizeof(struct in6_addr)*2))
return 1;
- mask = (struct in6_addr*)(subnet->v + sizeof(struct in6_addr));
+ mask = ALIGNED_CAST(struct in6_addr*)(subnet->v + sizeof(struct in6_addr));
for (i=0; i<16; i++)
if(mask->s6_addr[i]!=0xff)
struct ph1handle *iph1;
{
struct ipsecdoi_id_b *id_b;
- struct sockaddr *sa;
+ struct sockaddr_storage *sa;
caddr_t sa1, sa2;
if (iph1->id_p == NULL) {
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
/* In main mode with pre-shared key, only address type can be used.
* If NAT Traversal being used and peer is behind nat and
u_int16_t port;
- switch (iph1->remote->sa_family) {
+ switch (iph1->remote->ss_family) {
case AF_INET:
port = ((struct sockaddr_in *)iph1->remote)->sin_port;
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n",
- iph1->remote->sa_family);
+ iph1->remote->ss_family);
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
if (ntohs(id_b->port) != port) {
/* compare with the ID if specified. */
if (genlist_next(iph1->rmconf->idvl_p, 0)) {
vchar_t *ident0 = NULL;
+#ifdef HAVE_OPENSSL
vchar_t ident;
+#endif
struct idspec *id;
struct genlist_entry *gpb;
#endif
break;
case IDTYPE_ADDRESS:
- sa = (struct sockaddr *)ident0->v;
+ sa = ALIGNED_CAST(struct sockaddr_storage *)ident0->v;
sa2 = (caddr_t)(id_b + 1);
- switch (sa->sa_family) {
+ switch (sa->ss_family) {
case AF_INET:
if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in_addr))
continue; /* ID value mismatch */
vchar_t *ret = NULL;
struct ipsecdoi_id_b id_b;
vchar_t *ident = NULL;
- struct sockaddr *ipid = NULL;
+ struct sockaddr_storage *ipid = NULL;
/* init */
id_b.proto_id = 0;
* ip address by using ike negotiation.
*/
if (iph1->rmconf->idv)
- ipid = (struct sockaddr *)iph1->rmconf->idv->v;
+ ipid = ALIGNED_CAST(struct sockaddr_storage *)iph1->rmconf->idv->v;
/*FALLTHROUGH*/
default:
{
ipid = iph1->local;
/* use IP address */
- switch (ipid->sa_family) {
+ switch (ipid->ss_family) {
case AF_INET:
id_b.type = IPSECDOI_ID_IPV4_ADDR;
l = sizeof(struct in_addr);
break;
case IDTYPE_ADDRESS: {
- struct sockaddr *sa;
+ struct sockaddr_storage *sa;
/* length is adjusted since QUOTEDSTRING teminates NULL. */
if (value->l == 0)
return -1;
}
- new = vmalloc(sysdep_sa_len(sa));
+ new = vmalloc(sysdep_sa_len((struct sockaddr *)sa));
if (new == NULL) {
racoon_free(sa);
return -1;
return -1;
}
- iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
+ iph2->id = ipsecdoi_sockaddr2id(&sp->spidx.src,
sp->spidx.prefs, sp->spidx.ul_proto);
if (iph2->id == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
spidx2str(&sp->spidx));
return -1;
}
- if ((((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR ||
- ((struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) &&
+ if (((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR ||
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type == IPSECDOI_ID_IPV4_ADDR_SUBNET) &&
iph2->side == RESPONDER &&
iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED_ME) &&
lcconf->ext_nat_id) {
}
}
plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
+ s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type));
plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
/* remote side */
- iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
+ iph2->id_p = ipsecdoi_sockaddr2id(&sp->spidx.dst,
sp->spidx.prefd, sp->spidx.ul_proto);
if (iph2->id_p == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
}
plog(LLV_DEBUG, LOCATION, NULL,
"use remote ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type));
+ s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type));
plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
return 0;
*/
vchar_t *
ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto)
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
u_int prefixlen;
u_int ul_proto;
{
* Q. When type is SUBNET, is it allowed to be ::1/128.
* A. Yes. (consensus at bake-off)
*/
- switch (saddr->sa_family) {
+ switch (saddr->ss_family) {
case AF_INET:
len1 = sizeof(struct in_addr);
if (prefixlen == (sizeof(struct in_addr) << 3)) {
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d.\n", saddr->sa_family);
+ "invalid family: %d.\n", saddr->ss_family);
return NULL;
}
memset(new->v, 0, new->l);
/* set the part of header. */
- ((struct ipsecdoi_id_b *)new->v)->type = type;
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type;
/* set ul_proto and port */
/*
* NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
* because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
*/
- ((struct ipsecdoi_id_b *)new->v)->proto_id =
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id =
ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
- ((struct ipsecdoi_id_b *)new->v)->port =
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port =
port == IPSEC_PORT_ANY ? 0 : port;
memcpy(new->v + sizeof(struct ipsecdoi_id_b), sa, len1);
vchar_t *
ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
- struct sockaddr *laddr, *haddr;
+ struct sockaddr_storage *laddr, *haddr;
u_int ul_proto;
{
vchar_t *new;
int type, len1, len2;
u_short port;
- if (laddr->sa_family != haddr->sa_family) {
+ if (laddr->ss_family != haddr->ss_family) {
plog(LLV_ERROR, LOCATION, NULL, "Address family mismatch\n");
return NULL;
}
- switch (laddr->sa_family) {
+ switch (laddr->ss_family) {
case AF_INET:
type = IPSECDOI_ID_IPV4_ADDR_RANGE;
len1 = sizeof(struct in_addr);
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d.\n", laddr->sa_family);
+ "invalid family: %d.\n", laddr->ss_family);
return NULL;
}
memset(new->v, 0, new->l);
/* set the part of header. */
- ((struct ipsecdoi_id_b *)new->v)->type = type;
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->type = type;
/* set ul_proto and port */
/*
* NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
* because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
*/
- ((struct ipsecdoi_id_b *)new->v)->proto_id =
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->proto_id =
ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
port = ((struct sockaddr_in *)(laddr))->sin_port;
- ((struct ipsecdoi_id_b *)new->v)->port =
+ (ALIGNED_CAST(struct ipsecdoi_id_b *)new->v)->port =
port == IPSEC_PORT_ANY ? 0 : port;
memcpy(new->v + sizeof(struct ipsecdoi_id_b),
(caddr_t)&((struct sockaddr_in *)(laddr))->sin_addr,
/*
- * create sockaddr structure from ID payload (buf).
+ * create sockaddr_storage structure from ID payload (buf).
* buffers (saddr, prefixlen, ul_proto) must be allocated.
* see, RFC2407 4.6.2.1
*/
int
ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto)
vchar_t *buf;
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
u_int8_t *prefixlen;
u_int16_t *ul_proto;
{
- struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v;
+ struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v;
u_int plen = 0;
/*
switch (id_b->type) {
case IPSECDOI_ID_IPV4_ADDR:
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- saddr->sa_len = sizeof(struct sockaddr_in);
- saddr->sa_family = AF_INET;
+ saddr->ss_len = sizeof(struct sockaddr_in);
+ saddr->ss_family = AF_INET;
((struct sockaddr_in *)saddr)->sin_port =
(id_b->port == 0
? IPSEC_PORT_ANY
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- saddr->sa_len = sizeof(struct sockaddr_in6);
- saddr->sa_family = AF_INET6;
+ saddr->ss_len = sizeof(struct sockaddr_in6);
+ saddr->ss_family = AF_INET6;
((struct sockaddr_in6 *)saddr)->sin6_port =
(id_b->port == 0
? IPSEC_PORT_ANY
int len = 0;
char *dat;
static char buf[BUFLEN];
- struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
+ struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)id->v;
struct sockaddr_storage saddr;
u_int plen = 0;
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
case IPSECDOI_ID_IPV4_ADDR_RANGE:
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET;
+ saddr.ss_len = sizeof(struct sockaddr_in);
+ saddr.ss_family = AF_INET;
((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
id->v + sizeof(*id_b), sizeof(struct in_addr));
case IPSECDOI_ID_IPV6_ADDR:
case IPSECDOI_ID_IPV6_ADDR_SUBNET:
case IPSECDOI_ID_IPV6_ADDR_RANGE:
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET6;
+ saddr.ss_len = sizeof(struct sockaddr_in6);
+ saddr.ss_family = AF_INET6;
((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
id->v + sizeof(*id_b), sizeof(struct in6_addr));
((struct sockaddr_in6 *)&saddr)->sin6_scope_id =
(IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ ? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
: 0);
break;
#endif
len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET;
+ saddr.ss_len = sizeof(struct sockaddr_in);
+ saddr.ss_family = AF_INET;
((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
id->v + sizeof(*id_b) + sizeof(struct in_addr),
len = snprintf( buf, sizeof(buf), "%s-", saddrwop2str((struct sockaddr *)&saddr));
- ((struct sockaddr *)&saddr)->sa_len = sizeof(struct sockaddr_in6);
- ((struct sockaddr *)&saddr)->sa_family = AF_INET6;
+ saddr.ss_len = sizeof(struct sockaddr_in6);
+ saddr.ss_family = AF_INET6;
((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
id->v + sizeof(*id_b) + sizeof(struct in6_addr),
sizeof(struct in6_addr));
((struct sockaddr_in6 *)&saddr)->sin6_scope_id =
(IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)&saddr)->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ ? (ALIGNED_CAST(struct sockaddr_in6 *)id_b)->sin6_scope_id
: 0);
if (len >= 0) {
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
-extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
-extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
+extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr_storage *, u_int, u_int));
+extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr_storage *,
u_int8_t *, u_int16_t *));
extern char *ipsecdoi_id2str __P((const vchar_t *));
-extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *,
- struct sockaddr *, u_int));
+extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr_storage *,
+ struct sockaddr_storage *, u_int));
extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
+static int isakmp_main __P((vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *));
static int ph1_main __P((struct ph1handle *, vchar_t *));
static int quick_main __P((struct ph2handle *, vchar_t *));
static int isakmp_ph1begin_r __P((vchar_t *,
- struct sockaddr *, struct sockaddr *, u_int8_t));
+ struct sockaddr_storage *, struct sockaddr_storage *, u_int8_t));
static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
static int etypesw1 __P((int));
static int etypesw2 __P((int));
#ifdef ENABLE_FRAG
static int frag_handler(struct ph1handle *,
- vchar_t *, struct sockaddr *, struct sockaddr *);
+ vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *);
#endif
/*
{
struct isakmp isakmp;
union {
+ u_int64_t force_align; // Wcast-align fix - force alignment
char buf[sizeof (isakmp) + 4];
u_int32_t non_esp[2];
char lbuf[sizeof(struct udphdr) +
struct sockaddr_storage local;
unsigned int remote_len = sizeof(remote);
unsigned int local_len = sizeof(local);
- int len = 0, extralen = 0;
+ ssize_t len = 0;
+ int extralen = 0;
u_short port;
vchar_t *buf = NULL, *tmpbuf = NULL;
int error = -1;
/* read message by MSG_PEEK */
while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
- MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
+ MSG_PEEK, &remote, &remote_len, &local, &local_len)) < 0) {
if (errno == EINTR)
continue;
plog(LLV_ERROR, LOCATION, NULL,
struct udphdr *udp;
struct ip *ip;
- udp = (struct udphdr *)&x.lbuf[0];
+ udp = ALIGNED_CAST(struct udphdr *)&x.lbuf[0];
if (ntohs(udp->uh_dport) == 501) {
- ip = (struct ip *)(x.lbuf + sizeof(*udp));
+ ip = ALIGNED_CAST(struct ip *)(x.lbuf + sizeof(*udp));
extralen += sizeof(*udp) + ip->ip_hl;
}
}
/* check isakmp header length, as well as sanity of header length */
if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ plog(LLV_ERROR, LOCATION, &remote,
"packet shorter than isakmp header size (%u, %u, %zu)\n",
len, ntohl(isakmp.len), sizeof(isakmp));
/* dummy receive */
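Review bot: With `len` changed to `ssize_t` on L4980, the format strings that print it no longer match: the `%u` on L5007–L5008 (context in this hunk) and the `%d` on the new L5022 in the later hunk both expect a 32-bit `int`, while `ssize_t` is 64 bits on LP64 targets, which is undefined behavior for printf-style functions and is flagged by -Wformat. Use `%zd` for `len` in both messages, e.g. `"packet shorter than isakmp header size (%zd, %u, %zu)\n"` and `"received invalid length (%zd != %zu), why ?\n"`. The comparisons `len < sizeof(isakmp)` on L5004 and `len != buf->l` on L5019 now mix `ssize_t` with `size_t`; they are safe only because the receive loops exit with `len >= 0`, so consider an explicit `(size_t)len` there to keep -Wsign-compare quiet and make the assumption visible. The enclosing function starts and ends outside the hunk.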
}
while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
- 0, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
+ 0, &remote, &remote_len, &local, &local_len)) < 0) {
if (errno == EINTR)
continue;
plog(LLV_ERROR, LOCATION, NULL,
len -= extralen;
if (len != buf->l) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "received invalid length (%d != %zu), why ?\n",
+ plog(LLV_ERROR, LOCATION, &remote, "received invalid length (%d != %zu), why ?\n",
len, buf->l);
goto end;
}
goto end;
}
if (port == 0) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
+ plog(LLV_ERROR, LOCATION, &remote,
"src port == 0 (valid as UDP but not with IKE)\n");
goto end;
}
/* XXX: I don't know how to check isakmp half connection attack. */
/* simply reply if the packet was processed. */
- if (check_recvdpkt((struct sockaddr *)&remote,
- (struct sockaddr *)&local, buf)) {
+ if (check_recvdpkt(&remote, &local, buf)) {
IPSECLOGASLMSG("Received retransmitted packet from %s.\n",
saddr2str((struct sockaddr *)&remote));
}
/* isakmp main routine */
- if (isakmp_main(buf, (struct sockaddr *)&remote,
- (struct sockaddr *)&local) != 0) goto end;
+ if (isakmp_main(buf, &remote, &local) != 0) goto end;
error = 0;
static int
isakmp_main(msg, remote, local)
vchar_t *msg;
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
{
struct isakmp *isakmp = (struct isakmp *)msg->v;
isakmp_index *index = (isakmp_index *)isakmp;
iph1->local = NULL;
/* copy-in new addresses */
- iph1->remote = dupsaddr(remote);
+ iph1->remote = dupsaddr((struct sockaddr *)remote);
if (iph1->remote == NULL) {
IPSECSESSIONTRACEREVENT(iph1->parent_session,
IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
delph1(iph1);
return -1;
}
- iph1->local = dupsaddr(local);
+ iph1->local = dupsaddr((struct sockaddr *)local);
if (iph1->local == NULL) {
IPSECSESSIONTRACEREVENT(iph1->parent_session,
IPSECSESSIONEVENTCODE_IKE_PACKET_RX_FAIL,
/* print some neat info */
plog (LLV_INFO, LOCATION, NULL,
"NAT-T: ports changed to: %s\n",
- saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
+ saddr2str_fromto("%s<->%s", (struct sockaddr *)iph1->remote, (struct sockaddr *)iph1->local));
}
#endif
/* must be same addresses in one stream of a phase at least. */
if (cmpsaddrstrict(iph1->remote, remote) != 0) {
char *saddr_db, *saddr_act;
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
- saddr_act = racoon_strdup(saddr2str(remote));
+ saddr_db = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
+ saddr_act = racoon_strdup(saddr2str((struct sockaddr *)remote));
STRDUP_FATAL(saddr_db);
STRDUP_FATAL(saddr_act);
plog(LLV_WARNING, LOCATION, remote,
"remote address mismatched. "
"db=%s\n",
- saddr2str(iph1->remote));
+ saddr2str((struct sockaddr *)iph1->remote));
}
}
plog(LLV_ERROR, LOCATION, NULL,
"mode config %d from %s, "
"but we have no ISAKMP-SA.\n",
- isakmp->etype, saddr2str(remote));
+ isakmp->etype, saddr2str((struct sockaddr *)remote));
return -1;
}
if (iph1->status != PHASE1ST_ESTABLISHED) {
plog(LLV_ERROR, LOCATION, NULL,
"mode config %d from %s, "
"but ISAKMP-SA %s isn't established.\n",
- isakmp->etype, saddr2str(remote),
+ isakmp->etype, saddr2str((struct sockaddr *)remote),
isakmp_pindex(&iph1->index, iph1->msgid));
return -1;
}
default:
plog(LLV_ERROR, LOCATION, NULL,
"Invalid exchange type %d from %s.\n",
- isakmp->etype, saddr2str(remote));
+ isakmp->etype, saddr2str((struct sockaddr *)remote));
return -1;
}
#ifdef ENABLE_VPNCONTROL_PORT
if (iph1->side == RESPONDER &&
- iph1->local->sa_family == AF_INET) {
+ iph1->local->ss_family == AF_INET) {
struct redirect *addr;
int
isakmp_ph1begin_i(rmconf, remote, local, started_by_api)
struct remoteconf *rmconf;
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
int started_by_api;
{
struct ph1handle *iph1;
{
char *a;
- a = racoon_strdup(saddr2str(iph1->local));
+ a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
STRDUP_FATAL(a);
plog(LLV_INFO, LOCATION, NULL,
"initiate new phase 1 negotiation: %s<=>%s\n",
- a, saddr2str(iph1->remote));
+ a, saddr2str((struct sockaddr *)iph1->remote));
racoon_free(a);
}
plog(LLV_INFO, LOCATION, NULL,
static int
isakmp_ph1begin_r(msg, remote, local, etype)
vchar_t *msg;
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
u_int8_t etype;
{
struct isakmp *isakmp = (struct isakmp *)msg->v;
{
char *a;
- a = racoon_strdup(saddr2str(iph1->local));
+ a = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
STRDUP_FATAL(a);
plog(LLV_INFO, LOCATION, NULL,
"respond new phase 1 negotiation: %s<=>%s\n",
- a, saddr2str(iph1->remote));
+ a, saddr2str((struct sockaddr *)iph1->remote));
racoon_free(a);
}
plog(LLV_INFO, LOCATION, NULL,
plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
{
char *a;
- a = racoon_strdup(saddr2str(iph2->src));
+ a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
STRDUP_FATAL(a);
plog(LLV_INFO, LOCATION, NULL,
"initiate new phase 2 negotiation: %s<=>%s\n",
- a, saddr2str(iph2->dst));
+ a, saddr2str((struct sockaddr *)iph2->dst));
racoon_free(a);
}
delph2(iph2);
return -1;
}
- iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
+ iph2->dst = dupsaddr((struct sockaddr *)iph1->remote); /* XXX should be considered */
if (iph2->dst == NULL) {
delph2(iph2);
return -1;
}
- switch (iph2->dst->sa_family) {
+ switch (iph2->dst->ss_family) {
case AF_INET:
#ifndef ENABLE_NATT
((struct sockaddr_in *)iph2->dst)->sin_port = 0;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->dst->sa_family);
+ "invalid family: %d\n", iph2->dst->ss_family);
delph2(iph2);
return -1;
}
- iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
+ iph2->src = dupsaddr((struct sockaddr *)iph1->local); /* XXX should be considered */
if (iph2->src == NULL) {
delph2(iph2);
return -1;
}
- switch (iph2->src->sa_family) {
+ switch (iph2->src->ss_family) {
case AF_INET:
#ifndef ENABLE_NATT
((struct sockaddr_in *)iph2->src)->sin_port = 0;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->src->sa_family);
+ "invalid family: %d\n", iph2->src->ss_family);
delph2(iph2);
return -1;
}
{
char *a;
- a = racoon_strdup(saddr2str(iph2->src));
+ a = racoon_strdup(saddr2str((struct sockaddr *)iph2->src));
STRDUP_FATAL(a);
plog(LLV_INFO, LOCATION, NULL,
"respond new phase 2 negotiation: %s<=>%s\n",
- a, saddr2str(iph2->dst));
+ a, saddr2str((struct sockaddr *)iph2->dst));
racoon_free(a);
}
plog(LLV_ERROR, LOCATION, NULL,
"failed to get buffer.\n");
return NULL;
- }
- p = (struct isakmp_parse_t *)result->v;
- ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
+ }
+ // Wcast-align fix (void*) - result = aligned buffer of struct isakmp_parse_t
+ p = ALIGNED_CAST(struct isakmp_parse_t *)result->v;
+ ep = ALIGNED_CAST(struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
tlen = len;
if (ep <= p) {
int off;
- off = p - (struct isakmp_parse_t *)result->v;
+ off = p - ALIGNED_CAST(struct isakmp_parse_t *)result->v;
result = vrealloc(result, result->l * 2);
if (result == NULL) {
plog(LLV_DEBUG, LOCATION, NULL,
vfree(result);
return NULL;
}
- ep = (struct isakmp_parse_t *)
+ ep = ALIGNED_CAST(struct isakmp_parse_t *)
(result->v + result->l - sizeof(*ep));
- p = (struct isakmp_parse_t *)result->v;
+ p = ALIGNED_CAST(struct isakmp_parse_t *)result->v;
p += off;
}
}
/* warn if wildcard address - should we forbid this? */
- switch (p->addr->sa_family) {
+ switch (p->addr->ss_family) {
case AF_INET:
if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
plog(LLV_WARNING, LOCATION, NULL,
}
#ifdef INET6
- if (p->addr->sa_family == AF_INET6 &&
+ if (p->addr->ss_family == AF_INET6 &&
IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
p->addr)->sin6_addr))
{
plog(LLV_DEBUG, LOCATION, NULL,
"Ignoring multicast address %s\n",
- saddr2str(p->addr));
+ saddr2str((struct sockaddr *)p->addr));
racoon_free(p->addr);
p->addr = NULL;
continue;
}
#endif
- if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
+ if ((p->sock = socket(p->addr->ss_family, SOCK_DGRAM, 0)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket (%s)\n", strerror(errno));
goto err_and_next;
}
if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
- plog(LLV_WARNING, LOCATION, NULL,
+ plog(LLV_ERROR, LOCATION, NULL,
"failed to put socket in non-blocking mode\n");
/* receive my interface address on inbound packets. */
- switch (p->addr->sa_family) {
+ switch (p->addr->ss_family) {
case AF_INET:
if (setsockopt(p->sock, IPPROTO_IP,
IP_RECVDSTADDR,
}
#ifdef IPV6_USE_MIN_MTU
- if (p->addr->sa_family == AF_INET6 &&
+ if (p->addr->ss_family == AF_INET6 &&
setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
}
#endif
- if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
+ if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0)
goto err_and_next;
if (extract_port(p->addr) == PORT_ISAKMP) {
}
}
- if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
+ if (bind(p->sock, (struct sockaddr *)p->addr, sysdep_sa_len((struct sockaddr *)p->addr)) < 0) {
int tmp_errno = errno;
plog(LLV_ERROR, LOCATION, p->addr,
"failed to bind to address %s (%s).\n",
- saddr2str(p->addr), strerror(tmp_errno));
+ saddr2str((struct sockaddr *)p->addr), strerror(tmp_errno));
#ifdef INET6
// if bind failed b/c of a tentative v6 address, try again later
- if (tmp_errno == EADDRNOTAVAIL && p->addr->sa_family == AF_INET6) {
+ if (tmp_errno == EADDRNOTAVAIL && p->addr->ss_family == AF_INET6) {
struct in6_ifreq ifr6;
bzero(&ifr6, sizeof(ifr6));
// address may have been tentantive... invalidate sock but leave address around for another try later
plog(LLV_ERROR, LOCATION, p->addr,
"failed to bind to address %s: because interface address is/was not ready (flags %x).\n",
- saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6);
+ saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6);
close(p->sock);
p->sock = -1;
if (tentative_failures) {
} else {
plog(LLV_ERROR, LOCATION, p->addr,
"failed to bind to address %s: because of interface address error, flags %x.\n",
- saddr2str(p->addr), ifr6.ifr_ifru.ifru_flags6);
+ saddr2str((struct sockaddr *)p->addr), ifr6.ifr_ifru.ifru_flags6);
}
} else {
plog(LLV_ERROR, LOCATION, p->addr,
"failed to bind to address %s: can't read interface address flags.\n",
- saddr2str(p->addr));
+ saddr2str((struct sockaddr *)p->addr));
}
}
#endif
plog(LLV_INFO, LOCATION, NULL,
"%s used as isakmp port (fd=%d)\n",
- saddr2str(p->addr), p->sock);
+ saddr2str((struct sockaddr *)p->addr), p->sock);
continue;
err_and_next:
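Review bot: Raising the fcntl() failure from LLV_WARNING to LLV_ERROR still leaves the socket in blocking mode and carries on to bind() and use it, so a listener that could stall the daemon's event loop is accepted with only a log line. The err_and_next label is right here, so the natural fix is to treat it like the other setup failures in this loop: `if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1) { plog(LLV_ERROR, LOCATION, NULL, "failed to put socket in non-blocking mode\n"); goto err_and_next; }`. If keeping the socket on this path is deliberate, a comment saying why a blocking ISAKMP socket is tolerable would stop the next reader from "fixing" it. The enclosing function begins and ends outside this hunk.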
"vbuf allocation failed\n");
return -1;
}
- *(u_int32_t *)vbuf->v = 0;
+ *ALIGNED_CAST(u_int32_t *)vbuf->v = 0;
memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
sbuf = vbuf;
}
#endif
/* select the socket to be sent */
- s = getsockmyaddr(iph1->local);
+ s = getsockmyaddr((struct sockaddr *)iph1->local);
if (s == -1){
if ( vbuf != NULL )
vfree(vbuf);
}
plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
- saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
+ saddr2str_fromto("from %s to %s", (struct sockaddr *)iph1->local, (struct sockaddr *)iph1->remote));
#ifdef ENABLE_FRAG
if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
#endif
if(iph1->status != PHASE1ST_EXPIRED){
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
+ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
+ dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
return;
}
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
+ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
+ dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
} else {
plog(LLV_ERROR, LOCATION, NULL,
"Phase1 rekey failed: no configuration found for %s.\n",
- saddrwop2str(iph1->remote));
+ saddrwop2str((struct sockaddr *)iph1->remote));
}
}
// this code path is meant for floated ph1 rekeys that are failing on the first message
if (iph1->sce != NULL ||
iph1->sce_rekey != NULL ||
- (iph1->status != PHASE1ST_MSG1SENT || (iph1->natt_flags & NAT_PORTS_CHANGED == 0)) ||
+ (iph1->status != PHASE1ST_MSG1SENT || ((iph1->natt_flags & NAT_PORTS_CHANGED) == 0)) ||
(extract_port(iph1->local) != PORT_ISAKMP_NATT && extract_port(iph1->remote) != PORT_ISAKMP_NATT) ||
iph1->is_dying) {
return -1;
}
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
+ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
+ dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
} else {
plog(LLV_ERROR, LOCATION, NULL,
"Phase1 rekey retry failed: no configuration found for %s.\n",
- saddrwop2str(iph1->remote));
+ saddrwop2str((struct sockaddr *)iph1->remote));
return -1;
}
return 0;
/* don't re-negosiation when the phase 1 SA expires. */
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
+ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
+ dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
SCHED_KILL(iph2->sce);
- src = racoon_strdup(saddrwop2str(iph2->src));
- dst = racoon_strdup(saddrwop2str(iph2->dst));
+ src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src));
+ dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
SCHED_KILL(iph2->sce);
- src = racoon_strdup(saddrwop2str(iph2->src));
- dst = racoon_strdup(saddrwop2str(iph2->dst));
+ src = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->src));
+ dst = racoon_strdup(saddrwop2str((struct sockaddr *)iph2->dst));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
if (rmconf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no configuration found for %s.\n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
"because of passive mode, "
"ignore the acquire message for %s.\n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
return 0;
}
plog(LLV_INFO, LOCATION, NULL,
"IPsec-SA request for %s queued "
"due to no phase1 found.\n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
// exit if there is another ph1 that is established (with a pending rekey timer)
if (ike_session_has_negoing_ph1(iph2->parent_session)) {
/* found isakmp-sa */
plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
- plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
+ plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str((struct sockaddr *)iph1->local));
+ plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str((struct sockaddr *)iph1->remote));
plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst));
set_port(iph2->src, extract_port(iph1->local));
set_port(iph2->dst, extract_port(iph1->remote));
plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)iph2->src));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst));
/* begin quick mode */
if (isakmp_ph2begin_i(iph1, iph2)) {
int
isakmp_newcookie(place, remote, local)
caddr_t place;
- struct sockaddr *remote;
- struct sockaddr *local;
+ struct sockaddr_storage *remote;
+ struct sockaddr_storage *local;
{
vchar_t *buf = NULL, *buf2 = NULL;
char *p;
u_short port;
- if (remote->sa_family != local->sa_family) {
+ if (remote->ss_family != local->ss_family) {
plog(LLV_ERROR, LOCATION, NULL,
"address family mismatch, remote:%d local:%d\n",
- remote->sa_family, local->sa_family);
+ remote->ss_family, local->ss_family);
goto end;
}
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
case AF_INET:
alen = sizeof(struct in_addr);
sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", remote->sa_family);
+ "invalid family: %d\n", remote->ss_family);
goto end;
}
blen = (alen + sizeof(u_short)) * 2
addr.sin_len = sizeof(struct sockaddr_in);
addr.sin_family = AF_INET;
memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
- if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
+ if (getnameinfo(&addr, sizeof(addr),
ntop_buf, sizeof(ntop_buf), NULL, 0,
NI_NUMERICHOST | niflags))
strlcpy(ntop_buf, "?", sizeof(ntop_buf));
addr.sin6_len = sizeof(struct sockaddr_in6);
addr.sin6_family = AF_INET6;
memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
- if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
+ if (getnameinfo(&addr, addr.sin6_len,
ntop_buf, sizeof(ntop_buf), NULL, 0,
NI_NUMERICHOST | niflags))
strlcpy(ntop_buf, "?", sizeof(ntop_buf));
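Review bot: Dropping the `(struct sockaddr *)` cast on the first argument of the two getnameinfo() calls in this hunk passes a `struct sockaddr_in *` / `struct sockaddr_in6 *` where the POSIX prototype declares `const struct sockaddr *`, which on a standard libc turns the -Wcast-align warning into an incompatible-pointer-type diagnostic rather than removing it. The same pattern appears in isakmp_printpacket further down, where `from` and `my` (now `struct sockaddr_storage *`) go to getnameinfo uncast on the same line that still casts them for sysdep_sa_len(), which suggests the cast removal was not uniform. Unless a project header (var.h is newly included elsewhere in this change) redeclares or wraps getnameinfo to accept these types, keep `(struct sockaddr *)&addr`; if it does, a one-line comment naming that declaration at the first call would justify the uncast form for reviewers.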
void
isakmp_printpacket(msg, from, my, decoded)
vchar_t *msg;
- struct sockaddr *from;
- struct sockaddr *my;
+ struct sockaddr_storage *from;
+ struct sockaddr_storage *my;
int decoded;
{
#ifdef YIPS_DEBUG
printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
if (from) {
- if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
+ if (getnameinfo(from, sysdep_sa_len((struct sockaddr *)from), hostbuf, sizeof(hostbuf),
portbuf, sizeof(portbuf),
NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
strlcpy(hostbuf, "?", sizeof(hostbuf));
printf("?");
printf(" -> ");
if (my) {
- if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
+ if (getnameinfo(my, sysdep_sa_len((struct sockaddr *)my), hostbuf, sizeof(hostbuf),
portbuf, sizeof(portbuf),
NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
strlcpy(hostbuf, "?", sizeof(hostbuf));
copy_ph1addresses(iph1, rmconf, remote, local)
struct ph1handle *iph1;
struct remoteconf *rmconf;
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
{
u_short *port = NULL;
/* address portion must be grabbed from real remote address "remote" */
- iph1->remote = dupsaddr(remote);
+ iph1->remote = dupsaddr((struct sockaddr *)remote);
if (iph1->remote == NULL) {
delph1(iph1);
return -1;
* if remote has port # (in case of responder - from recvfrom(2))
* respect content of "remote".
*/
- switch (iph1->remote->sa_family) {
+ switch (iph1->remote->ss_family) {
case AF_INET:
port = &((struct sockaddr_in *)iph1->remote)->sin_port;
if (*port)
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
+ "invalid family: %d\n", iph1->remote->ss_family);
delph1(iph1);
return -1;
}
if (local == NULL)
- iph1->local = getlocaladdr(iph1->remote);
+ iph1->local = getlocaladdr((struct sockaddr *)iph1->remote);
else
- iph1->local = dupsaddr(local);
+ iph1->local = dupsaddr((struct sockaddr *)local);
if (iph1->local == NULL) {
delph1(iph1);
return -1;
}
port = NULL;
- switch (iph1->local->sa_family) {
+ switch (iph1->local->ss_family) {
case AF_INET:
port = &((struct sockaddr_in *)iph1->local)->sin_port;
if (*port)
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->local->sa_family);
+ "invalid family: %d\n", iph1->local->ss_family);
delph1(iph1);
return -1;
}
{
char *src, *dst;
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
+ src = racoon_strdup(saddr2str((struct sockaddr *)iph1->local));
+ dst = racoon_strdup(saddr2str((struct sockaddr *)iph1->remote));
STRDUP_FATAL(src);
STRDUP_FATAL(dst);
frag_handler(iph1, msg, remote, local)
struct ph1handle *iph1;
vchar_t *msg;
- struct sockaddr *remote;
- struct sockaddr *local;
+ struct sockaddr_storage *remote;
+ struct sockaddr_storage *local;
{
vchar_t *newmsg;
+ int result;
if (isakmp_frag_extract(iph1, msg) == 1) {
if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
}
/* simply reply if the packet was processed. */
- if (check_recvdpkt((struct sockaddr *)remote,
- (struct sockaddr *)local, newmsg) > 0) {
+ if (check_recvdpkt(remote, local, newmsg) > 0) {
IPSECLOGASLMSG("Received (reassembled) retransmitted packet from %s.\n",
saddr2str((struct sockaddr *)remote));
plog(LLV_NOTIFY, LOCATION, NULL,
"the reassembled packet is retransmitted by %s.\n",
saddr2str((struct sockaddr *)remote));
+ vfree(newmsg);
return 0;
}
- return isakmp_main(newmsg, remote, local);
+ result = isakmp_main(newmsg, remote, local);
+ vfree(newmsg);
+ return result;
}
return 0;
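Review bot: The added `vfree(newmsg)` after isakmp_main() fixes the leak of the reassembled buffer, but it is only correct if isakmp_main() never retains a reference to its message; that function is not part of this diff, so the ownership contract should be confirmed and then recorded at the call site, e.g. `/* newmsg is owned here; isakmp_main() must not keep a pointer to it */`. The early-return path now also frees after check_recvdpkt(), so the same assumption applies there. The uncast `check_recvdpkt(remote, local, newmsg)` implies its prototype was changed to `struct sockaddr_storage *` in a hunk not shown here; worth double-checking that the declaration and every other caller were updated together.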
vchar_t *buf = NULL;
struct sadb_msg *msg, *next, *end;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
caddr_t mhp[SADB_EXT_MAX + 1];
u_int proto_id;
struct ph2handle *iph2;
return;
}
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
+ msg = ALIGNED_CAST(struct sadb_msg *)buf->v;
+ end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l);
while (msg < end) {
if ((msg->sadb_msg_len << 3) < sizeof(*msg))
break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
+ next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
if (msg->sadb_msg_type != SADB_DUMP) {
msg = next;
continue;
continue;
}
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]);
if (!sa ||
!mhp[SADB_EXT_ADDRESS_SRC] ||
!mhp[SADB_EXT_ADDRESS_DST]) {
msg = next;
continue;
}
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
sa->sadb_sa_state != SADB_SASTATE_MATURE &&
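Review bot: The length guard `if ((msg->sadb_msg_len << 3) < sizeof(*msg))` only rejects messages shorter than the header, so the `next` computed on the line being changed can land beyond `end`, and the extension walk that fills `mhp` (outside this hunk) could then read past `buf`. Since the line is touched anyway, an upper bound is cheap: `if ((caddr_t)msg + (msg->sadb_msg_len << 3) > (caddr_t)end) break;`. Separately, casting the PF_KEY address extension to `struct sockaddr_storage *` lends a `sockaddr_in`/`sockaddr_in6`-sized object the 128-byte type; that is fine for reading `ss_family`, but nothing downstream should copy or size it with `sizeof *src`, and a comment to that effect next to the two casts would prevent it. The enclosing function starts and ends outside this hunk.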
/* Delete the SPD entry if we generated it
*/
if (iph2->generated_spidx) {
- struct policyindex spidx;
+ union {
+ u_int64_t force_align; // Wcast-align fix - force alignment
+ struct policyindex spidx;
+ } u;
struct sockaddr_storage addr;
u_int8_t pref;
- struct sockaddr *src = iph2->src;
- struct sockaddr *dst = iph2->dst;
+ struct sockaddr_storage *src = iph2->src;
+ struct sockaddr_storage *dst = iph2->dst;
int error;
int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
plog(LLV_INFO, LOCATION, NULL,
"generated policy, deleting it.\n");
- memset(&spidx, 0, sizeof(spidx));
- iph2->spidx_gen = (caddr_t )&spidx;
+ memset(&u.spidx, 0, sizeof(u.spidx));
+ iph2->spidx_gen = &u.spidx;
/* make inbound policy */
iph2->src = dst;
iph2->dst = src;
- spidx.dir = IPSEC_DIR_INBOUND;
- spidx.ul_proto = 0;
+ u.spidx.dir = IPSEC_DIR_INBOUND;
+ u.spidx.ul_proto = 0;
/*
* Note: code from get_proposal_r
*/
-#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
+#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type
/*
* make destination address in spidx from either ID payload
|| _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
/* get a destination address of a policy */
- error = ipsecdoi_id2sockaddr(iph2->id,
- (struct sockaddr *)&spidx.dst,
- &spidx.prefd, &spidx.ul_proto);
+ error = ipsecdoi_id2sockaddr(iph2->id, &u.spidx.dst,
+ &u.spidx.prefd, &u.spidx.ul_proto);
if (error)
goto purge;
*/
if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
if ((error =
- setscopeid((struct sockaddr *)&spidx.dst,
- iph2->src)) != 0)
+ setscopeid(&u.spidx.dst, iph2->src)) != 0)
goto purge;
}
#endif
* DESTINATION address of the key to search the
* SPD because the direction of policy is inbound.
*/
- memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
- switch (spidx.dst.ss_family) {
+ memcpy(&u.spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
+ switch (u.spidx.dst.ss_family) {
case AF_INET:
- spidx.prefd =
+ u.spidx.prefd =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
- spidx.prefd =
+ u.spidx.prefd =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
- spidx.prefd = 0;
+ u.spidx.prefd = 0;
break;
}
}
|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
/* get a source address of inbound SA */
- error = ipsecdoi_id2sockaddr(iph2->id_p,
- (struct sockaddr *)&spidx.src,
- &spidx.prefs, &spidx.ul_proto);
+ error = ipsecdoi_id2sockaddr(iph2->id_p, &u.spidx.src,
+ &u.spidx.prefs, &u.spidx.ul_proto);
if (error)
goto purge;
*/
if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
error =
- setscopeid((struct sockaddr *)&spidx.src,
- iph2->dst);
+ setscopeid(&u.spidx.src, iph2->dst);
if (error)
goto purge;
}
/* make id[src,dst] if both ID types are IP address and same */
if (_XIDT(iph2->id_p) == idi2type
- && spidx.dst.ss_family == spidx.src.ss_family) {
+ && u.spidx.dst.ss_family == u.spidx.src.ss_family) {
iph2->src_id =
- dupsaddr((struct sockaddr *)&spidx.dst);
+ dupsaddr((struct sockaddr *)&u.spidx.dst);
iph2->dst_id =
- dupsaddr((struct sockaddr *)&spidx.src);
+ dupsaddr((struct sockaddr *)&u.spidx.src);
}
} else {
"OR because ID type is not address.\n");
/* see above comment. */
- memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
- switch (spidx.src.ss_family) {
+ memcpy(&u.spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
+ switch (u.spidx.src.ss_family) {
case AF_INET:
- spidx.prefs =
+ u.spidx.prefs =
sizeof(struct in_addr) << 3;
break;
#ifdef INET6
case AF_INET6:
- spidx.prefs =
+ u.spidx.prefs =
sizeof(struct in6_addr) << 3;
break;
#endif
default:
- spidx.prefs = 0;
+ u.spidx.prefs = 0;
break;
}
}
plog(LLV_DEBUG, LOCATION, NULL,
"get a src address from ID payload "
"%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.src),
- spidx.prefs, spidx.ul_proto);
+ saddr2str((struct sockaddr *)&u.spidx.src),
+ u.spidx.prefs, u.spidx.ul_proto);
plog(LLV_DEBUG, LOCATION, NULL,
"get dst address from ID payload "
"%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.dst),
- spidx.prefd, spidx.ul_proto);
+ saddr2str((struct sockaddr *)&u.spidx.dst),
+ u.spidx.prefd, u.spidx.ul_proto);
/*
* convert the ul_proto if it is 0
* because 0 in ID payload means a wild card.
*/
- if (spidx.ul_proto == 0)
- spidx.ul_proto = IPSEC_ULPROTO_ANY;
+ if (u.spidx.ul_proto == 0)
+ u.spidx.ul_proto = IPSEC_ULPROTO_ANY;
#undef _XIDT
#ifdef HAVE_POLICY_FWD
/* make forward policy if required */
if (tunnel_mode_prop(iph2->approval)) {
- spidx.dir = IPSEC_DIR_FWD;
+ u.spidx.dir = IPSEC_DIR_FWD;
if (pk_sendspddelete(iph2) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"pfkey spddelete(forward) failed.\n");
/* make outbound policy */
iph2->src = src;
iph2->dst = dst;
- spidx.dir = IPSEC_DIR_OUTBOUND;
- addr = spidx.src;
- spidx.src = spidx.dst;
- spidx.dst = addr;
- pref = spidx.prefs;
- spidx.prefs = spidx.prefd;
- spidx.prefd = pref;
+ u.spidx.dir = IPSEC_DIR_OUTBOUND;
+ addr = u.spidx.src;
+ u.spidx.src = u.spidx.dst;
+ u.spidx.dst = addr;
+ pref = u.spidx.prefs;
+ u.spidx.prefs = u.spidx.prefd;
+ u.spidx.prefd = pref;
if (pk_sendspddelete(iph2) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
#ifdef INET6
u_int32_t
setscopeid(sp_addr0, sa_addr0)
- struct sockaddr *sp_addr0, *sa_addr0;
+ struct sockaddr_storage *sp_addr0, *sa_addr0;
{
struct sockaddr_in6 *sp_addr, *sa_addr;
int error = -1;
int vid_numeric;
int ptype;
-#ifdef ENABLE_HYBRID
- vchar_t *unity_vid;
- vchar_t *xauth_vid;
-#endif
#ifdef HAVE_GSSAPI
vchar_t *gsstoken = NULL;
#endif
"failed to parse msg");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
iph1->pl_hash = NULL;
plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
goto end;
}
if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
goto end;
}
/* old Apple version sends natd payloads in the wrong order */
"failed to parse msg");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* SA payload is fixed postion */
if (pa->type != ISAKMP_NPTYPE_SA) {
plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
goto end;
}
if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
goto end;
}
}
iph1->pl_hash = NULL;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
vchar_t *satmp = NULL;
int error = -1;
int vid_numeric;
-#ifdef ENABLE_HYBRID
- vchar_t *unity_vid;
- vchar_t *xauth_vid;
-#endif
/* validity check */
if (iph1->status != PHASE1ST_MSG1SENT) {
pbuf = isakmp_parse(msg);
if (pbuf == NULL)
goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* SA payload is fixed postion */
if (pa->type != ISAKMP_NPTYPE_SA) {
plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
goto end;
}
if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
goto end;
}
if (pbuf == NULL)
goto end;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
pbuf = isakmp_parse(msg);
if (pbuf == NULL)
goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* check the position of SA payload */
if (pa->type != ISAKMP_NPTYPE_SA) {
iph1->pl_hash = NULL;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
goto end;
}
if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
goto end;
}
{
int type;
int confsource;
- in_addr_t addr4;
type = ntohs(attr->type);
goto end;
}
- iph2->dst = dupsaddr(iph1->remote);
+ iph2->dst = dupsaddr((struct sockaddr *)iph1->remote);
if (iph2->dst == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to duplicate remote address");
delph2(iph2);
goto end;
}
- iph2->src = dupsaddr(iph1->local);
+ iph2->src = dupsaddr((struct sockaddr *)iph1->local);
if (iph2->src == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to duplicate local address");
goto end;
}
- switch (iph1->remote->sa_family) {
+ switch (iph1->remote->ss_family) {
case AF_INET:
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
((struct sockaddr_in *)iph2->dst)->sin_port = 0;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
+ "invalid family: %d\n", iph1->remote->ss_family);
delph2(iph2);
goto end;
}
int
isakmp_cfg_accounting_system(port, raddr, usr, inout)
int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
char *usr;
int inout;
{
- int error = 0;
struct utmpx ut;
char term[_UTX_LINESIZE];
char addr[NI_MAXHOST];
strlcpy(ut.ut_line, term, sizeof(ut.ut_line));
- GETNAMEINFO_NULL(raddr, addr);
+ GETNAMEINFO_NULL((struct sockaddr *)raddr, addr);
strlcpy(ut.ut_host, addr, sizeof(ut.ut_host));
ut.ut_pid = getpid();
len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
if (iph1->started_by_api) {
- if (iph1->remote->sa_family == AF_INET) {
+ if (iph1->remote->ss_family == AF_INET) {
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
u_int32_t address;
return;
}
- addr = (in_addr_t *)(attr + 1);
+ addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t
ip->s_addr = *addr;
return;
return;
}
- addr = (in_addr_t *)(attr + 1);
+ addr = ALIGNED_CAST(in_addr_t *)(attr + 1); // Wcast-align fix (void*) - attr comes from packet data in a vchar_t
ip->s_addr = *addr;
(*num)++;
char defdom[MAXPATHLEN + 1];
int cidr, tmp;
char cidrstr[4];
- int i, p;
- int test;
plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
int cold;
{
int i;
+#if 0
int error;
+#endif
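Review bot: Wrapping the now-unused `int error;` in `#if 0` keeps a dead declaration in the tree, and the same pattern recurs later in this diff where the `purge_isakmp_spi` prototype is disabled with a `//` comment instead of being removed. Both should simply be deleted; version control preserves the history, and commented-out code tends to rot. If the definition of purge_isakmp_spi is kept while its prototype goes, expect an unused-function warning for it as well.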
isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
void cleanup_pam(int);
#endif
-int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);
+int isakmp_cfg_accounting_system(int, struct sockaddr_storage *, char *, int);
#include "nattraversal.h"
#include "grabmyaddr.h"
#include "localconf.h"
+#include "crypto_openssl.h"
int
isakmp_sendfrags(iph1, buf)
size_t max_datalen;
size_t fraglen;
vchar_t *frag;
- unsigned int trailer;
unsigned int fragnum = 0;
size_t len;
int etype;
/* select the socket to be sent */
- s = getsockmyaddr(iph1->local);
+ s = getsockmyaddr((struct sockaddr *)iph1->local);
if (s == -1){
return -1;
}
vfree(frag);
return -1;
}
- *(u_int32_t *)vbuf->v = 0; // non-esp marker
+ *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; // non-esp marker
memcpy(vbuf->v + extralen, frag->v, frag->l);
vfree(frag);
frag = vbuf;
int *hp;
int hashlen_bytes = eay_md5_hashlen() >> 3;
- hp = (int *)(gen + 1);
+ hp = ALIGNED_CAST(int *)(gen + 1);
return ntohl(hp[hashlen_bytes / sizeof(*hp)]);
}
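Review bot: The read side here still dereferences through `ALIGNED_CAST(int *)(gen + 1)` while the matching write side in isakmp_frag_addcap was changed in this same diff to go through memcpy because the offset `hashlen_bytes` past the generic header is not alignment-guaranteed; if `gen` points into received packet data the cast only silences -Wcast-align and the load can still fault on strict-alignment targets. Mirror the writer: `int cap; memcpy(&cap, (const char *)(gen + 1) + hashlen_bytes, sizeof(cap)); return ntohl(cap);`. Whether the caller has already checked that the payload holds at least `hashlen_bytes + sizeof(int)` bytes is not visible in this hunk; the enclosing function starts outside it.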
struct isakmp_frag *frag;
struct isakmp_frag_item *item;
vchar_t *buf;
- size_t len;
int last_frag = 0;
char *data;
int i;
vchar_t *buf;
int cap;
{
- int *capp;
+ int val, *capp;
size_t len;
int hashlen_bytes = eay_md5_hashlen() >> 3;
"Cannot allocate memory\n");
return NULL;
}
- capp = (int *)(buf->v + len);
- *capp = htonl(0);
- }
-
- capp = (int *)(buf->v + hashlen_bytes);
- *capp |= htonl(cap);
-
+ val = 0;
+ memcpy(buf->v + len, &val, sizeof(val)); // Wcast_lign fix - copy instead of assign for unaligned move
+ }
+ capp = (int *)(void*)(buf->v + hashlen_bytes); // Wcast_lign fix - copy instead of assign for unaligned move
+ memcpy(&val, capp, sizeof(val));
+ val |= htonl(cap);
+ memcpy(capp, &val, sizeof(val));
+
return buf;
}
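Review bot: The two new comments read `Wcast_lign fix` rather than `Wcast-align fix`, which breaks a grep for the marker the rest of this change uses consistently. The comment on the `capp =` line also describes the memcpy that follows, not the `(int *)(void*)` cast it annotates; something like `// Wcast-align fix - offset may be unaligned, so read-modify-write via memcpy below` on that line, and `// zero the trailing word without an aligned store` on the `memcpy(buf->v + len, ...)` line, would say what each statement actually does. The function's opening lines are outside this hunk.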
sendfragsfromto(s, buf, local, remote, count_persend, frag_flags)
int s;
vchar_t *buf;
- struct sockaddr *local;
- struct sockaddr *remote;
+ struct sockaddr_storage *local;
+ struct sockaddr_storage *remote;
int count_persend;
u_int32_t frag_flags;
{
size_t max_datalen;
size_t fraglen;
vchar_t *frag;
- unsigned int trailer;
unsigned int fragnum = 0;
size_t len;
#ifdef ENABLE_NATT
vfree(frag);
return -1;
}
- *(u_int32_t *)vbuf->v = 0; // non-esp marker
+ *ALIGNED_CAST(u_int32_t *)vbuf->v = 0; // non-esp marker
memcpy(vbuf->v + extralen, frag->v, frag->l);
vfree(frag);
frag = vbuf;
int isakmp_frag_extract(struct ph1handle *, vchar_t *);
vchar_t *isakmp_frag_reassembly(struct ph1handle *);
vchar_t *isakmp_frag_addcap(vchar_t *, int);
-int sendfragsfromto(int s, vchar_t *, struct sockaddr *, struct sockaddr *, int, u_int32_t);
+int sendfragsfromto(int s, vchar_t *, struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t);
#endif /* _ISAKMP_FRAG_H */
"failed to parse msg");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* SA payload is fixed postion */
if (pa->type != ISAKMP_NPTYPE_SA) {
goto end;
}
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
iph1->pl_hash = NULL;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
"failed to parse msg");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* check the position of SA payload */
if (pa->type != ISAKMP_NPTYPE_SA) {
goto end;
}
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
switch (pa->type) {
iph1->pl_hash = NULL;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
{
if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->remote));
goto end;
}
if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
+ "NAT-D hashing failed for %s\n", saddr2str((struct sockaddr *)iph1->local));
goto end;
}
static int isakmp_info_recv_lb __P((struct ph1handle *, struct isakmp_pl_lb *lb, int));
#endif
-static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
+//static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
static void info_recv_initialcontact __P((struct ph1handle *));
static int
int error = -1;
struct isakmp *isakmp;
struct isakmp_gen *gen;
- struct isakmp_parse_t *pa, *pap;
+ struct isakmp_parse_t *pa;
void *p;
vchar_t *hash, *payload;
struct isakmp_gen *nd;
}
error = 0;
- for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v; pa->type; pa++) { // Wcast-align fix (void*) - aligned buffer of aligned (unpacked) structs
switch (pa->type) {
case ISAKMP_NPTYPE_HASH:
/* Handled above */
int encrypted;
{
u_int type;
- vchar_t *pbuf;
vchar_t *ndata;
char *nraw;
size_t l;
u_int32_t fail_reason;
/* notify the API that we have received the delete */
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
else
address = 0;
int encrypted;
{
int tlen, num_spi;
- vchar_t *pbuf;
- int protected = 0;
struct ph1handle *del_ph1;
- struct ph2handle *iph2;
union {
u_int32_t spi32;
u_int16_t spi16[2];
EVT_PUSH(iph1->local, iph1->remote,
EVTT_PEER_DELETE, NULL);
purge_ipsec_spi(iph1->remote, delete->proto_id,
- (u_int32_t *)(delete + 1), num_spi);
+ ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi); // Wcast-align fix (void*) - delete payload is aligned
break;
case IPSECDOI_PROTO_IPCOMP:
int
isakmp_info_send_nx(isakmp, remote, local, type, data)
struct isakmp *isakmp;
- struct sockaddr *remote, *local;
+ struct sockaddr_storage *remote, *local;
int type;
vchar_t *data;
{
n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
n->spi_size = pr->spisize;
n->type = htons(type);
- *(u_int32_t *)(n + 1) = pr->spi;
+ memcpy(n + 1, &pr->spi, sizeof(u_int32_t)); // Wcast-align fix - copy instead of assign
if (data)
memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
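Review bot: The new memcpy copies sizeof(u_int32_t) bytes of pr->spi while the header two lines above declares `n->spi_size = pr->spisize`, so the two disagree whenever spisize is not 4; the replaced `/* XXX */` line had the same mismatch and this rewrite is the moment to resolve it. If spisize can be smaller (a 2-byte IPCOMP CPI, presumably), the copy runs past the SPI field into bytes that the following memcpy of data then overwrites, so what reaches the wire depends on how pr->spi is packed. Either reject the case up front, `if (pr->spisize != sizeof(u_int32_t))` with a plog and the function's existing error exit, or tie the copy length to pr->spisize once the packing of pr->spi is confirmed. The same pattern recurs in the later hunk at L6327. The enclosing function starts outside the hunk.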
goto end;
}
- iph2->dst = dupsaddr(iph1->remote);
+ iph2->dst = dupsaddr((struct sockaddr *)iph1->remote);
if (iph2->dst == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to duplicate remote address");
delph2(iph2);
goto end;
}
- iph2->src = dupsaddr(iph1->local);
+ iph2->src = dupsaddr((struct sockaddr *)iph1->local);
if (iph2->src == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to duplicate local address");
delph2(iph2);
goto end;
}
- switch (iph1->remote->sa_family) {
+ switch (iph1->remote->ss_family) {
case AF_INET:
#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
((struct sockaddr_in *)iph2->dst)->sin_port = 0;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
+ "invalid family: %d\n", iph1->remote->ss_family);
delph2(iph2);
goto end;
}
n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
n->spi_size = pr->spisize;
n->type = htons(type);
- *(u_int32_t *)(n + 1) = pr->spi; /* XXX */
+ memcpy(n + 1, &pr->spi, sizeof(u_int32_t)); // Wcast-align fix - copy instead of assign with cast
if (data)
memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
return buf;
}
+#if 0
static void
purge_isakmp_spi(proto, spi, n)
int proto;
iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
}
}
-
+#endif
void
purge_ipsec_spi(dst0, proto, spi, n)
- struct sockaddr *dst0;
+ struct sockaddr_storage *dst0;
int proto;
u_int32_t *spi; /*network byteorder*/
size_t n;
struct sadb_msg *msg, *next, *end;
struct sadb_sa *sa;
struct sadb_lifetime *lt;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
struct ph2handle *iph2;
u_int64_t created;
size_t i;
plog(LLV_DEBUG2, LOCATION, NULL,
"purge_ipsec_spi:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str((struct sockaddr *)dst0));
plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));
plog(LLV_DEBUG2, LOCATION, NULL, "num SPI: %d\n", n);
return;
}
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
+ msg = ALIGNED_CAST(struct sadb_msg *)buf->v;
+ end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l);
while (msg < end) {
if ((msg->sadb_msg_len << 3) < sizeof(*msg))
break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
+ next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
if (msg->sadb_msg_type != SADB_DUMP) {
msg = next;
continue;
continue;
}
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); // Wcast-align fix (void*) - buffer of pointers to aligned structs
if (!sa
|| !mhp[SADB_EXT_ADDRESS_SRC]
|| !mhp[SADB_EXT_ADDRESS_DST]) {
msg = next;
continue;
}
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
+ src = ALIGNED_CAST(struct sockaddr_storage*)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); // Wcast-align fix (void*) - buffer of pointers to aligned structs
+ dst = ALIGNED_CAST(struct sockaddr_storage*)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ lt = ALIGNED_CAST(struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
if(lt != NULL)
created = lt->sadb_lifetime_addtime;
else
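Review bot: src and dst are now `struct sockaddr_storage *` but still point at the sockaddr embedded in the PF_KEY address extension, which is only sockaddr_in/sockaddr_in6 sized, so the new type promises more bytes than the object actually holds. That is harmless for the ss_family reads and the saddr2str casts here, but any later `sizeof(*src)`, a `sizeof(struct sockaddr_storage)` copy, or a `*src = *dst` assignment through these pointers would over-read the extension buffer; the same caveat applies to the retyped pointers in the next hunk (L6439-6440) and to the sockaddr_in-sized object returned as `struct sockaddr_storage *` from process_natoa_payload (L7040-7053). A comment at the ALIGNED_CAST, `/* points into the sadb_address ext: only ss_len bytes are valid, never sizeof(*src) */`, would keep the next maintainer from assuming a full storage object. purge_ipsec_spi's body starts before and ends after this hunk.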
msg = next;
continue;
}
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst));
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
if (CMPSADDR2(dst0, dst)) {
- plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str(dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "skipped dst: %s\n", saddr2str((struct sockaddr *)dst));
msg = next;
continue;
}
vchar_t *buf = NULL;
struct sadb_msg *msg, *next, *end;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
caddr_t mhp[SADB_EXT_MAX + 1];
int proto_id, i;
struct ph2handle *iph2;
return;
}
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
+ msg = ALIGNED_CAST(struct sadb_msg *)buf->v;
+ end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l);
while (msg < end) {
if ((msg->sadb_msg_len << 3) < sizeof(*msg))
break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
+ next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
if (msg->sadb_msg_type != SADB_DUMP) {
msg = next;
continue;
msg = next;
continue;
}
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]; // Wcast-align fix (void*) - buffer of pointers to aligned structs
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
if (sa->sadb_sa_state != SADB_SASTATE_MATURE
&& sa->sadb_sa_state != SADB_SASTATE_DYING) {
"LOAD-BALANCE notification ignored - we are not the initiator.\n");
return 0;
}
- if (iph1->remote->sa_family != AF_INET) {
+ if (iph1->remote->ss_family != AF_INET) {
plog(LLV_DEBUG, LOCATION, NULL,
"LOAD-BALANCE notification ignored - only supported for IPv4.\n");
return 0;
CONSTSTR("maxed-out of DPD requests without receiving an ack"));
EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL);
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
else
address = 0;
extern int isakmp_info_send_d1 __P((struct ph1handle *));
extern int isakmp_info_send_d2 __P((struct ph2handle *));
extern int isakmp_info_send_nx __P((struct isakmp *,
- struct sockaddr *, struct sockaddr *, int, vchar_t *));
+ struct sockaddr_storage *, struct sockaddr_storage *, int, vchar_t *));
extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *));
extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *));
extern int isakmp_info_send_common __P((struct ph1handle *,
extern void isakmp_info_send_r_u __P((void *));
#endif
-extern void purge_ipsec_spi __P((struct sockaddr *, int, u_int32_t *, size_t));
+extern void purge_ipsec_spi __P((struct sockaddr_storage *, int, u_int32_t *, size_t));
extern int tunnel_mode_prop __P((struct saprop *));
#endif /* _ISAKMP_INF_H */
* - id payload suggests to encrypt all the traffic (no specific
* protocol type)
*/
- id = (struct ipsecdoi_id_b *)iph2->id->v;
- id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
+ id = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v;
+ id_p = ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v;
if (id->proto_id == 0
&& id_p->proto_id == 0
&& iph2->ph1->rmconf->support_proxy == 0
char *p;
int tlen;
int error = ISAKMP_INTERNAL_ERROR;
- struct sockaddr *natoa_i = NULL;
- struct sockaddr *natoa_r = NULL;
+ struct sockaddr_storage *natoa_i = NULL;
+ struct sockaddr_storage *natoa_r = NULL;
/* validity check */
if (iph2->status != PHASE2ST_MSG1SENT) {
"failed to parse msg");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* HASH payload is fixed postion */
if (pa->type != ISAKMP_NPTYPE_HASH) {
* RFC 2407 says that the protocol and port fields should be ignored
* if they are zero, therefore they need to be checked individually.
*/
- struct ipsecdoi_id_b *id_ptr = (struct ipsecdoi_id_b *)vp->v;
+ struct ipsecdoi_id_b *id_ptr = ALIGNED_CAST(struct ipsecdoi_id_b *)vp->v;
struct ipsecdoi_pl_id *idp_ptr = (struct ipsecdoi_pl_id *)pa->ptr;
if (id_ptr->type != idp_ptr->b.type
case ISAKMP_NPTYPE_NATOA_RFC:
{
vchar_t *vp = NULL;
- struct sockaddr *daddr;
+ struct sockaddr_storage *daddr;
isakmp_p2ph(&vp, pa->ptr);
if (natoa_i == NULL) {
natoa_i = daddr;
plog(LLV_DEBUG, LOCATION, NULL, "initiaor rcvd NAT-OA i: %s\n",
- saddr2str(natoa_i));
+ saddr2str((struct sockaddr *)natoa_i));
} else if (natoa_r == NULL) {
natoa_r = daddr;
plog(LLV_DEBUG, LOCATION, NULL, "initiator rcvd NAT-OA r: %s\n",
- saddr2str(natoa_r));
+ saddr2str((struct sockaddr *)natoa_r));
} else {
racoon_free(daddr);
}
goto end;
}
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
int tlen;
int f_id_order; /* for ID payload detection */
int error = ISAKMP_INTERNAL_ERROR;
- struct sockaddr *natoa_i = NULL;
- struct sockaddr *natoa_r = NULL;
+ struct sockaddr_storage *natoa_i = NULL;
+ struct sockaddr_storage *natoa_r = NULL;
/* validity check */
if (iph2->status != PHASE2ST_START) {
"failed to parse msg\n");
goto end;
}
- pa = (struct isakmp_parse_t *)pbuf->v;
+ pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
/* HASH payload is fixed postion */
if (pa->type != ISAKMP_NPTYPE_HASH) {
case ISAKMP_NPTYPE_NATOA_RFC:
{
vchar_t *vp = NULL;
- struct sockaddr *daddr;
+ struct sockaddr_storage *daddr;
isakmp_p2ph(&vp, pa->ptr);
if (natoa_i == NULL) {
natoa_i = daddr;
plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA i: %s\n",
- saddr2str(natoa_i));
+ saddr2str((struct sockaddr *)natoa_i));
} else if (natoa_r == NULL) {
natoa_r = daddr;
plog(LLV_DEBUG, LOCATION, NULL, "responder rcvd NAT-OA r: %s\n",
- saddr2str(natoa_r));
+ saddr2str((struct sockaddr *)natoa_r));
} else {
racoon_free(daddr);
}
goto end;
}
- for (pa = (struct isakmp_parse_t *)pbuf->v;
+ for (pa = ALIGNED_CAST(struct isakmp_parse_t *)pbuf->v;
pa->type != ISAKMP_NPTYPE_NONE;
pa++) {
struct policyindex *spidx;
struct sockaddr_storage addr;
u_int8_t pref;
- struct sockaddr *src = iph2->src;
- struct sockaddr *dst = iph2->dst;
+ struct sockaddr_storage *src = iph2->src;
+ struct sockaddr_storage *dst = iph2->dst;
/* make inbound policy */
iph2->src = dst;
plog(LLV_DEBUG, LOCATION, NULL,
"pfkey spdupdate2(inbound) sent.\n");
- spidx = (struct policyindex *)iph2->spidx_gen;
+ spidx = iph2->spidx_gen;
#ifdef HAVE_POLICY_FWD
/* make forward policy if required */
if (tunnel_mode_prop(iph2->approval)) {
"pfkey spdupdate2(outbound) sent.\n");
/* spidx_gen is unnecessary any more */
- delsp_bothdir((struct policyindex *)iph2->spidx_gen);
+ delsp_bothdir(iph2->spidx_gen);
racoon_free(iph2->spidx_gen);
iph2->spidx_gen = NULL;
iph2->generated_spidx=1;
struct sainfo *anonymous = NULL;
if (iph2->id == NULL) {
- switch (iph2->src->sa_family) {
+ switch (iph2->src->ss_family) {
case AF_INET:
prefixlen = sizeof(struct in_addr) << 3;
break;
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->src->sa_family);
+ "invalid family: %d\n", iph2->src->ss_family);
goto end;
}
idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
}
if (iph2->id_p == NULL) {
- switch (iph2->dst->sa_family) {
+ switch (iph2->dst->ss_family) {
case AF_INET:
prefixlen = sizeof(struct in_addr) << 3;
break;
break;
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->dst->sa_family);
+ "invalid family: %d\n", iph2->dst->ss_family);
goto end;
}
iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
memset(&spidx, 0, sizeof(spidx));
-#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
-
+#define _XIDT(d) (ALIGNED_CAST(struct ipsecdoi_id_b *)((d)->v))->type
/* make a spidx; a key to search SPD */
spidx.dir = IPSEC_DIR_INBOUND;
spidx.ul_proto = 0;
|| _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
|| _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
/* get a destination address of a policy */
- error = ipsecdoi_id2sockaddr(iph2->id,
- (struct sockaddr *)&spidx.dst,
+ error = ipsecdoi_id2sockaddr(iph2->id, &spidx.dst,
&spidx.prefd, &spidx.ul_proto);
if (error)
return error;
* because rcoon is responder.
*/
if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
- error = setscopeid((struct sockaddr *)&spidx.dst,
- iph2->src);
+ error = setscopeid(&spidx.dst, iph2->src);
if (error)
return error;
}
* of the key to search the SPD because the direction of policy
* is inbound.
*/
- memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
+ memcpy(&spidx.dst, iph2->src, sysdep_sa_len((struct sockaddr *)iph2->src));
switch (spidx.dst.ss_family) {
case AF_INET:
{
|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
|| _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
/* get a source address of inbound SA */
- error = ipsecdoi_id2sockaddr(iph2->id_p,
- (struct sockaddr *)&spidx.src,
+ error = ipsecdoi_id2sockaddr(iph2->id_p, &spidx.src,
&spidx.prefs, &spidx.ul_proto);
if (error)
return error;
* for more detail, see above of this function.
*/
if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
- error = setscopeid((struct sockaddr *)&spidx.src,
- iph2->dst);
+ error = setscopeid(&spidx.src, iph2->dst);
if (error)
return error;
}
"OR because ID type is not address.\n");
/* see above comment. */
- memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
+ memcpy(&spidx.src, iph2->dst, sysdep_sa_len((struct sockaddr *)iph2->dst));
switch (spidx.src.ss_family) {
case AF_INET:
{
"no policy found, "
"try to generate the policy : %s\n",
spidx2str(&spidx));
- iph2->spidx_gen = racoon_malloc(sizeof(spidx));
+ iph2->spidx_gen = (struct policyindex *)racoon_malloc(sizeof(spidx));
if (!iph2->spidx_gen) {
plog(LLV_ERROR, LOCATION, NULL,
"buffer allocation failed.\n");
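Review bot: The cast added on the racoon_malloc() result is unnecessary if racoon_malloc returns `void *`, which converts implicitly in C, and such casts can mask a missing prototype; `iph2->spidx_gen = racoon_malloc(sizeof(spidx));` has the same effect now that spidx_gen is evidently typed `struct policyindex *` (the casts at L6583 and L6590 were dropped for that reason). Keep the cast only if racoon_malloc is a macro that yields something other than `void *`. The enclosing function starts and ends outside the hunk.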
struct isakmp_gen;
struct sched;
-struct sockaddr;
+struct sockaddr_storage;
struct ph1handle;
struct ph2handle;
struct remoteconf;
struct isakmp_pl_nonce; /* XXX */
extern int isakmp_handler __P((int));
-extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *,
- struct sockaddr *, int));
+extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr_storage *,
+ struct sockaddr_storage *, int));
extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
extern vchar_t *isakmp_parse __P((vchar_t *));
extern vchar_t *isakmp_add_attr_v __P((vchar_t *, int, caddr_t, int));
extern vchar_t *isakmp_add_attr_l __P((vchar_t *, int, u_int32_t));
-extern int isakmp_newcookie __P((caddr_t, struct sockaddr *, struct sockaddr *));
+extern int isakmp_newcookie __P((caddr_t, struct sockaddr_storage *, struct sockaddr_storage *));
extern int isakmp_p2ph __P((vchar_t **, struct isakmp_gen *));
struct payload_list *));
#ifdef HAVE_PRINT_ISAKMP_C
-extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *,
- struct sockaddr *, int));
+extern void isakmp_printpacket __P((vchar_t *, struct sockaddr_storage *,
+ struct sockaddr_storage *, int));
#endif
extern int copy_ph1addresses __P(( struct ph1handle *,
- struct remoteconf *, struct sockaddr *, struct sockaddr *));
+ struct remoteconf *, struct sockaddr_storage *, struct sockaddr_storage *));
extern void log_ph1established __P((const struct ph1handle *));
extern void script_hook __P((struct ph1handle *, int));
void purge_remote __P((struct ph1handle *));
void delete_spd __P((struct ph2handle *));
#ifdef INET6
-u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
+u_int32_t setscopeid __P((struct sockaddr_storage *, struct sockaddr_storage *));
#endif
#endif /* _ISAKMP_VAR_H */
if (throttle_delay > 0) {
char *str;
- str = saddrwop2str(iph1->remote);
+ str = saddrwop2str((struct sockaddr *)iph1->remote);
plog(LLV_ERROR, LOCATION, NULL,
"Throttling in action for %s: delay %lds\n",
int
xauth_login_pam(port, raddr, usr, pwd)
int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
char *usr;
char *pwd;
{
{
int type;
vchar_t *buffer = NULL;
- char *data;
struct xauth_state *xst;
size_t dlen = 0;
char* mraw = NULL;
#endif
#ifdef HAVE_LIBPAM
-int xauth_login_pam(int, struct sockaddr *, char *, char *);
+int xauth_login_pam(int, struct sockaddr_storage *, char *, char *);
#endif
#ifdef HAVE_LIBLDAP
int
com_init()
{
- struct sockaddr_un name;
-
- memset(&name, 0, sizeof(name));
- name.sun_family = AF_UNIX;
- snprintf(name.sun_path, sizeof(name.sun_path),
+ union { // Wcast-align fix - force alignment of sockaddr_un
+ struct sockaddr_storage ss;
+ struct sockaddr_un name;
+ } u;
+
+ memset(&u, 0, sizeof(struct sockaddr_un));
+ u.name.sun_family = AF_UNIX;
+ snprintf(u.name.sun_path, sizeof(u.name.sun_path),
"%s", adminsock_path);
so = socket(AF_UNIX, SOCK_STREAM, 0);
if (so < 0)
return -1;
- if (connect(so, (struct sockaddr *)&name, sizeof(name)) < 0) {
+ if (connect(so, (struct sockaddr *)&u.ss, sizeof(struct sockaddr_un)) < 0) {
(void)close(so);
return -1;
}
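Review bot: The snprintf into u.name.sun_path is still unchecked, so an adminsock_path longer than sun_path is silently truncated and connect() is attempted against a different path than the one configured. Check the result before using the address: `int n = snprintf(u.name.sun_path, sizeof(u.name.sun_path), "%s", adminsock_path);` followed by `if (n < 0 || (size_t)n >= sizeof(u.name.sun_path)) return -1;`. Zeroing with `sizeof u` instead of `sizeof(struct sockaddr_un)` would also make the memset independent of which union member is later handed to connect. The rest of com_init is outside the hunk.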
com_recv(combufp)
vchar_t **combufp;
{
- struct admin_com h, *com;
- caddr_t buf;
+ struct admin_com h;
int len;
int l = 0;
caddr_t p;
* Dumb plog functions (used by sockmisc.c)
*/
void
-plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
+plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...)
{
va_list ap;
*/
vchar_t *
getpskbyaddr(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
vchar_t *key = NULL;
char addr[NI_MAXHOST], port[NI_MAXSERV];
plog(LLV_DEBUG, LOCATION, NULL, "Getting pre-shared key by addr.\n");
- GETNAMEINFO(remote, addr, port);
+ GETNAMEINFO((struct sockaddr *)remote, addr, port);
#ifdef HAVE_OPENSSL
key = privsep_getpsk(addr, strlen(addr));
extern void initlcconf __P((void));
extern void flushlcconf __P((void));
extern vchar_t *getpskbyname __P((vchar_t *));
-extern vchar_t *getpskbyaddr __P((struct sockaddr *));
+extern vchar_t *getpskbyaddr __P((struct sockaddr_storage *));
#if HAVE_KEYCHAIN
extern vchar_t *getpskfromkeychain __P((const char *, u_int8_t, int, vchar_t *));
#endif
static int log_flush (struct log *p, int newbytes)
{
struct stat st;
- int good = 0;
if (!p || !p->fp) {
return -1;
static void save_params __P((void));
static void saverestore_params __P((int));
static void cleanup_pidfile __P((void));
+#if 0 // <rdar://problem/9286626>
int launchedbylaunchd __P((void));
+#endif
pid_t racoon_pid = 0;
+int launchdlaunched = 0;
int print_pid = 1; /* for racoon only */
char logFileStr[MAXPATHLEN+1];
void
usage()
{
- printf("usage: racoon [-BdFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
+ printf("usage: racoon [-BdDFvs%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
#ifdef INET6
"46",
#else
printf(" -B: install SA to the kernel from the file "
"specified by the configuration file.\n");
printf(" -d: debug level, more -d will generate more debug message.\n");
+ printf(" -D: started by LaunchD (implies daemon mode).\n");
printf(" -C: dump parsed config file.\n");
printf(" -L: include location in debug messages\n");
printf(" -F: run in foreground, do not become daemon.\n");
ploginit();
- plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d\n", getpid(), getppid());
+ plog(LLV_INFO, LOCATION, NULL, "***** racoon started: pid=%d started by: %d, launchdlaunched %d\n", getpid(), getppid(), launchdlaunched);
plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
#ifdef HAVE_OPENSSL
plog(LLV_INFO, LOCATION, NULL, "@(#)"
if (f_foreground)
close(0);
else {
- if ( !exec_done && launchedbylaunchd() ){
+ if ( !exec_done && launchdlaunched ){
plog(LLV_INFO, LOCATION, NULL,
"racoon launched by launchd.\n");
exec_done = 1;
exit(0);
}
-
+#if 0 // <rdar://problem/9286626>
int
launchedbylaunchd(){
- int launchdlaunched = 1;
launch_data_t checkin_response = NULL;
- launch_data_t checkin_request = NULL;
-
- /* check in with launchd */
- if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "launch_data_new_string fails.\n");
- launchdlaunched = 0;
- goto done;
- }
- if ((checkin_response = launch_msg(checkin_request)) == NULL) {
+
+ if ((checkin_response = launch_socket_service_check_in()) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "launch_msg fails.\n");
+ "launch_socket_service_check_in fails.\n");
launchdlaunched = 0;
goto done;
}
launchdlaunched = 0;
goto done;
}
-
+ launchdlaunched = 1;
done:
/* clean up before we leave */
- if ( checkin_request )
- launch_data_free(checkin_request);
if ( checkin_response )
launch_data_free(checkin_response);
return launchdlaunched;
}
+#endif
static void
cleanup_pidfile()
plogset("/tmp/racoon.log");
#endif
- while ((c = getopt(ac, av, "dLFp:P:a:f:l:vsZBCx"
+ while ((c = getopt(ac, av, "dDLFp:P:a:f:l:vsZBCx"
#ifdef YYDEBUG
"y"
#endif
case 'd':
loglevel++;
break;
+ case 'D':
+ if (f_foreground) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
+ launchdlaunched = 1;
+ break;
case 'L':
print_location = 1;
break;
case 'F':
+ if (launchdlaunched) {
+ fprintf(stderr, "-D and -F are mutually exclusive\n");
+ exit(1);
+ }
printf("Foreground mode.\n");
f_foreground = 1;
break;
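Review bot: `launchdlaunched` is now set purely from the `-D` option in the new case, whereas the `else` branch at L6858-6859 previously relied on launchedbylaunchd()'s check-in with launchd (now under `#if 0`, L6866-6902), so any invocation that passes `-D` is treated as launchd-started without verification. That is a deliberate trust change rather than a bug, but it deserves a comment at the flag, `/* -D: caller asserts it is launchd; not verified, see <rdar://problem/9286626> */`, and the usage text "implies daemon mode" should match what the option does — the case itself only sets the flag, and daemon mode is presumably still decided by f_foreground outside this hunk. The two mutually-exclusive checks do cover both option orders. main()'s body continues outside the hunk.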
#include "ike_session.h"
struct natt_ka_addrs {
- struct sockaddr *src;
- struct sockaddr *dst;
+ struct sockaddr_storage *src;
+ struct sockaddr_storage *dst;
unsigned in_use;
TAILQ_ENTRY(natt_ka_addrs) chain;
};
-static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree;
-
/*
* check if the given vid is NAT-T.
*/
}
vchar_t *
-natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr)
+natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr)
{
vchar_t *natd;
vchar_t *buf;
size_t buf_size, addr_size;
plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n",
- saddr2str(addr), iph1->approval->hashtype,
+ saddr2str((struct sockaddr *)addr), iph1->approval->hashtype,
(iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":"");
- if (addr->sa_family == AF_INET) {
+ if (addr->ss_family == AF_INET) {
addr_size = sizeof (struct in_addr); /* IPv4 address */
addr_ptr = &((struct sockaddr_in *)addr)->sin_addr;
addr_port = &((struct sockaddr_in *)addr)->sin_port;
}
- else if (addr->sa_family == AF_INET6) {
+ else if (addr->ss_family == AF_INET6) {
addr_size = sizeof (struct in6_addr); /* IPv6 address */
addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr;
addr_port = &((struct sockaddr_in6 *)addr)->sin6_port;
}
else {
- plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family);
+ plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->ss_family);
return NULL;
}
vchar_t *i;
vchar_t *r;
u_int8_t *p;
- struct sockaddr *i_addr;
- struct sockaddr *r_addr;
+ struct sockaddr_storage *i_addr;
+ struct sockaddr_storage *r_addr;
size_t i_size;
size_t r_size;
r_addr = iph2->src;
}
- switch (i_addr->sa_family) {
+ switch (i_addr->ss_family) {
case AF_INET:
i_size = sizeof(in_addr_t);
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid address family: %d\n", i_addr->sa_family);
+ "invalid address family: %d\n", i_addr->ss_family);
return -1;
}
- switch (r_addr->sa_family) {
+ switch (r_addr->ss_family) {
case AF_INET:
r_size = sizeof(in_addr_t);
break;
#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
- "invalid address family: %d\n", r_addr->sa_family);
+ "invalid address family: %d\n", r_addr->ss_family);
return -1;
}
/* copy src address */
p = (__typeof__(p))i->v;
- switch (i_addr->sa_family) {
+ switch (i_addr->ss_family) {
case AF_INET:
*p = IPSECDOI_ID_IPV4_ADDR;
bcopy(&(((struct sockaddr_in *)i_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), i_size);
/* copy dst address */
p = (__typeof__(p))r->v;
- switch (r_addr->sa_family) {
+ switch (r_addr->ss_family) {
case AF_INET:
*p = IPSECDOI_ID_IPV4_ADDR;
bcopy(&(((struct sockaddr_in *)r_addr)->sin_addr.s_addr), p + sizeof(u_int32_t), r_size);
return natoa_type;
}
-struct sockaddr *
+struct sockaddr_storage *
process_natoa_payload(vchar_t *buf)
{
- struct sockaddr *saddr = NULL;
- struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v;
+ struct sockaddr_storage *saddr = NULL;
+ struct ipsecdoi_id_b *id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)buf->v;
switch (id_b->type) {
case IPSECDOI_ID_IPV4_ADDR:
"error allocating addr for NAT-OA payload\n");
return NULL;
}
- saddr->sa_len = sizeof(struct sockaddr_in);
- saddr->sa_family = AF_INET;
+ saddr->ss_len = sizeof(struct sockaddr_in);
+ saddr->ss_family = AF_INET;
((struct sockaddr_in *)saddr)->sin_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in *)saddr)->sin_addr,
buf->v + sizeof(*id_b), sizeof(struct in_addr));
"error allocating addr for NAT-OA payload\n");
return NULL;
}
- saddr->sa_len = sizeof(struct sockaddr_in6);
- saddr->sa_family = AF_INET6;
+ saddr->ss_len = sizeof(struct sockaddr_in6);
+ saddr->ss_family = AF_INET6;
((struct sockaddr_in6 *)saddr)->sin6_port = IPSEC_PORT_ANY;
memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr,
buf->v + sizeof(*id_b), sizeof(struct in6_addr));
u_int8_t type;
u_int16_t sport;
u_int16_t dport;
- struct sockaddr *oa;
+ struct sockaddr_storage *oa;
u_int16_t frag;
};
int natt_vendorid (int vid);
-vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr);
+vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr_storage *addr);
int natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, int natd_seq);
int natt_udp_encap (int encmode);
int natt_fill_options (struct ph1natt_options *opts, int version);
void natt_float_ports (struct ph1handle *iph1);
void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric);
int create_natoa_payloads(struct ph2handle *iph2, vchar_t **, vchar_t **);
-struct sockaddr * process_natoa_payload(vchar_t *buf);
+struct sockaddr_storage * process_natoa_payload(vchar_t *buf);
struct payload_list *
isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]);
#include "sockmisc.h"
#include "strnames.h"
#include "gcmalloc.h"
-#ifdef HAVE_OPENSSL
-#include "rsalist.h"
-#endif
#include <CoreFoundation/CoreFoundation.h>
#include "remoteconf.h"
#include "vpn_control.h"
static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
static int get_cert_fromlocal __P((struct ph1handle *, int));
-#ifdef HAVE_OPENSSL
-static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
-#endif
static int oakley_check_certid __P((struct ph1handle *iph1, int));
static int oakley_check_certid_1 __P((vchar_t *, int, int, void*, cert_status_t *certStatus));
static int check_typeofcertname __P((int, int));
*pub = NULL;
switch (dh->type) {
case OAKLEY_ATTR_GRP_TYPE_MODP:
+#define SECDH_MODP_GENERATOR OAKLEY_ATTR_GRP_DESC_MODP1024
if (dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1024 && dh->desc != OAKLEY_ATTR_GRP_DESC_MODP1536) {
plog(LLV_ERROR, LOCATION, NULL, "Invalid dh group.\n");
goto fail;
}
- if (SecDHCreate(dh->desc, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) {
+ if (SecDHCreate(SECDH_MODP_GENERATOR, dh->prime->v, dh->prime->l, 0, NULL, 0, dhC)) {
plog(LLV_ERROR, LOCATION, NULL, "failed to create dh context.\n");
goto fail;
}
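Review bot: SECDH_MODP_GENERATOR is defined as OAKLEY_ATTR_GRP_DESC_MODP1024, a group-descriptor constant, yet it is passed as SecDHCreate's first argument for both the MODP1024 and MODP1536 groups accepted just above. If that parameter is the generator g, the value is right only because the MODP1024 descriptor happens to equal 2, the generator every IKE MODP group uses, and a reader will assume a 1024-bit-specific value is being forced onto the 1536-bit group. Defining it at file scope as `#define SECDH_MODP_GENERATOR 2 /* generator g shared by all IKE MODP groups */` says what is meant and removes the `#define` from the middle of the switch. The enclosing function starts and ends outside the hunk.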
return error;
}
-#if notyet
-/*
- * NOTE: Must terminate by NULL.
- */
-vchar_t *
-oakley_compute_hashx(struct ph1handle *iph1, ...)
-{
- vchar_t *buf, *res;
- vchar_t *s;
- caddr_t p;
- int len;
-
- va_list ap;
-
- /* get buffer length */
- va_start(ap, iph1);
- len = 0;
- while ((s = va_arg(ap, vchar_t *)) != NULL) {
- len += s->l
- }
- va_end(ap);
-
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- return NULL;
- }
-
- /* set buffer */
- va_start(ap, iph1);
- p = buf->v;
- while ((s = va_arg(ap, char *)) != NULL) {
- memcpy(p, s->v, s->l);
- p += s->l;
- }
- va_end(ap);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- vfree(buf);
- if (res == NULL)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
- return res;
-}
-#endif
/*
* compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
}
#endif /* HAVE_OPENDIR */
-#ifdef HAVE_OPENSSL
-static int
-oakley_verify_x509sign(certchain, my_hash, my_sig)
- cert_t *certchain;
- vchar_t *my_hash;
- vchar_t *my_sig;
-{
- cert_t *p;
- int result = -1;
-
- for (p = certchain; p; p = p->chain) {
- if ((result = eay_check_x509sign(my_hash,
- my_sig,
- &p->cert)) == 0) {
- break;
- }
- }
- return result;
-}
-#endif
#ifdef HAVE_OPENSSL
static int
oakley_check_x509cert(certchain, capath, cafile, local)
#ifdef ENABLE_STATS
struct timeval start, end;
#endif
-#if TARGET_OS_EMBEDDED
SecKeyRef publicKeyRef;
-#endif
#ifdef ENABLE_STATS
gettimeofday(&start, NULL);
error = get_cert_fromlocal(iph1, 0);
break;
- case ISAKMP_CERT_PLAINRSA:
- error = get_plainrsa_fromlocal(iph1, 0);
- break;
}
if (error)
return ISAKMP_INTERNAL_ERROR;
#endif
switch (certtype) {
case ISAKMP_CERT_X509SIGN:
-
-#if TARGET_OS_EMBEDDED
{
/* use ID from remote configuration */
/* check each ID in list */
if (iph1->rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
id_spec = genlist_next(iph1->rmconf->idvl_p, &gpb); /* expect only one id */
if (id_spec->idtype == IDTYPE_ADDRESS) {
- switch (((struct sockaddr *)(id_spec->id->v))->sa_family) {
+ switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) {
case AF_INET:
- peers_id = inet_ntoa(((struct sockaddr_in *)(id_spec->id->v))->sin_addr);
+ peers_id = inet_ntoa((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr);
hostname = CFStringCreateWithCString(NULL, peers_id, kCFStringEncodingUTF8);
break;
#ifdef INET6
if (hostname)
CFRelease(hostname);
}
-
-#else /* TARGET_OS_EMBEDDED */
- if (iph1->rmconf->cert_verification == VERIFICATION_MODULE_SEC_FRAMEWORK)
- error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1),
- iph1->cert_p,
- NULL);
- else
- {
- char path[MAXPATHLEN];
- char *ca;
-
- if (iph1->rmconf->cacertfile != NULL) {
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT,
- iph1->rmconf->cacertfile);
- ca = path;
- } else {
- ca = NULL;
- }
-
- error = oakley_check_x509cert(iph1->cert_p,
- lcconf->pathinfo[LC_PATHTYPE_CERT],
- ca, 0);
- }
-#endif /* TARGET_OS_EMBEDDED */
- break;
+ break;
default:
plog(LLV_ERROR, LOCATION, NULL,
switch (certtype) {
case ISAKMP_CERT_X509SIGN:
case ISAKMP_CERT_DNS:
-#if TARGET_OS_EMBEDDED
+ if (publicKeyRef == NULL)
+ plog(LLV_ERROR, LOCATION, NULL, "@@@@@@ publicKeyRef is NULL\n");
error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p);
if (error)
plog(LLV_ERROR, LOCATION, NULL, "error verifying signature %s\n", GetSecurityErrorString(error));
CFRelease(publicKeyRef);
-#else
- error = oakley_verify_x509sign(iph1->cert_p, my_hash, iph1->sig_p);
-#endif
break;
-#ifdef HAVE_OPENSSL
- case ISAKMP_CERT_PLAINRSA:
- iph1->rsa_p = rsa_try_check_rsasign(my_hash,
- iph1->sig_p, iph1->rsa_candidates);
- error = iph1->rsa_p ? 0 : -1;
- break;
-#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"no supported certtype %d\n",
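Review bot: The new NULL check only logs; execution then continues into crypto_cssm_verify_x509sign(publicKeyRef, …) and CFRelease(publicKeyRef), and CFRelease does not accept NULL, so the condition just detected ends in a crash rather than a failed verification. Make the check terminal, `if (publicKeyRef == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no public key for signature verification\n"); error = -1; break; }` using whatever non-zero value the caller treats as failure, and drop the "@@@@@@" debugging prefix from the message. Separately, publicKeyRef is declared at L7194 with no initializer now that its TARGET_OS_EMBEDDED guard is gone; if the assignment that sets it is conditional, this NULL test reads an indeterminate value, so initialize it to NULL at the declaration. The switch and its enclosing function continue outside the hunk.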
u_int32_t address;
u_int32_t fail_reason;
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
else
address = 0;
struct ph1handle *iph1;
{
int err;
- u_int32_t address;
switch (iph1->rmconf->certtype) {
case ISAKMP_CERT_X509SIGN:
}
}
return err;
-#ifdef HAVE_OPENSSL
- case ISAKMP_CERT_PLAINRSA:
- if (iph1->rsa)
- return 0;
- return get_plainrsa_fromlocal(iph1, 1);
-#endif
+
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
struct ph1handle *iph1;
int my;
{
+#ifdef HAVE_OPENSSL
char path[MAXPATHLEN];
+#endif
vchar_t *cert = NULL;
cert_t **certpl;
char *certfile;
return error;
}
-#ifdef HAVE_OPENSSL
-static int
-get_plainrsa_fromlocal(iph1, my)
- struct ph1handle *iph1;
- int my;
-{
- char path[MAXPATHLEN];
- vchar_t *cert = NULL;
- char *certfile;
- int error = -1;
-
- iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
- if (!iph1->rsa_candidates ||
- rsa_list_count(iph1->rsa_candidates) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s RSA key not found for %s\n",
- my ? "Private" : "Public",
- saddr2str_fromto("%s <-> %s",
- iph1->local, iph1->remote));
- goto end;
- }
-
- if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "More than one (=%lu) private "
- "PlainRSA key found for %s\n",
- rsa_list_count(iph1->rsa_candidates),
- saddr2str_fromto("%s <-> %s",
- iph1->local, iph1->remote));
- plog(LLV_WARNING, LOCATION, NULL,
- "This may have unpredictable results, "
- "i.e. wrong key could be used!\n");
- plog(LLV_WARNING, LOCATION, NULL,
- "Consider using only one single private "
- "key for all peers...\n");
- }
- if (my) {
- iph1->rsa = ((struct rsa_key *)
- genlist_next(iph1->rsa_candidates, NULL))->rsa;
-
- genlist_free(iph1->rsa_candidates, NULL);
- iph1->rsa_candidates = NULL;
-
- if (iph1->rsa == NULL)
- goto end;
- }
-
- error = 0;
-
-end:
- return error;
-}
-#endif
/* get signature */
int
oakley_getsign(iph1)
struct ph1handle *iph1;
{
+#ifdef HAVE_OPENSSL
char path[MAXPATHLEN];
+#endif
vchar_t *privkey = NULL;
int error = -1;
CFRelease(dataRef);
break;
} // else fall thru
-#ifdef HAVE_OPENSSL
- case ISAKMP_CERT_DNS:
- if (iph1->rmconf->myprivfile == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
- goto end;
- }
-
- /* make private file name */
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT,
- iph1->rmconf->myprivfile);
- privkey = privsep_eay_get_pkcs1privkey(path);
- if (privkey == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get private key.\n");
- goto end;
- }
- plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
- plogdump(LLV_DEBUG2, privkey->v, privkey->l);
-
- iph1->sig = eay_get_x509sign(iph1->hash, privkey);
- break;
- case ISAKMP_CERT_PLAINRSA:
- iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
- break;
-#endif
default:
plog(LLV_ERROR, LOCATION, NULL,
"Unknown certtype #%d\n",
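Review bot: The `} // else fall thru` comment at the top of this hunk now falls into `default:` and its "Unknown certtype" error, because the `case ISAKMP_CERT_DNS:` it used to reach is deleted here. If ending up in the unknown-certtype error is the intended outcome when the preceding branch is not taken, the comment should say so, e.g. `} // else fall through to default: no usable private key`; if not, an explicit `goto end` after a dedicated log message would make the failure visible. The enclosing switch and the body of oakley_getsign continue outside the hunk, so the condition guarding the preceding branch could not be checked here.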
return iph1->cert_p;
}
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
peers_id = id_b + 1;
idlen = iph1->id_p->l - sizeof(*id_b);
for (p = iph1->cert_p; p; p = p->chain) {
plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)iph1->id_p->v;
doi_type = id_b->type;
peers_id = id_b + 1;
idlen = iph1->id_p->l - sizeof(*id_b);
for (id_spec = genlist_next (iph1->rmconf->idvl_p, &gpb); id_spec; id_spec = genlist_next (0, &gpb)) {
if (id_spec->idtype == IDTYPE_ADDRESS) {
- switch (((struct sockaddr *)(id_spec->id->v))->sa_family) {
+ switch ((ALIGNED_CAST(struct sockaddr_storage *)(id_spec->id->v))->ss_family) {
case AF_INET:
doi_type = IPSECDOI_ID_IPV4_ADDR;
idlen = sizeof(struct in_addr);
- peers_id = &(((struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr);
+ peers_id = &((ALIGNED_CAST(struct sockaddr_in *)(id_spec->id->v))->sin_addr.s_addr);
break;
#ifdef INET6
case AF_INET6:
doi_type = IPSECDOI_ID_IPV6_ADDR;
idlen = sizeof(struct in6_addr);
- peers_id = &(((struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr);
+ peers_id = &((ALIGNED_CAST(struct sockaddr_in6 *)(id_spec->id->v))->sin6_addr.s6_addr);
break;
#endif
default:
cert_status_t *certStatus;
{
- vchar_t *name = NULL;
- char *altname = NULL;
- int type, len;
+ int len;
int error;
+#if !TARGET_OS_EMBEDDED
+ int type;
+ vchar_t *name = NULL;
+ char *altname = NULL;
+#endif
+
switch (idtype) {
case IPSECDOI_ID_DER_ASN1_DN:
#if TARGET_OS_EMBEDDED
CFRelease(subject);
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
+ CFRelease(certificate);
+ CFRelease(subject);
}
#else
name = eay_get_x509asn1subjectname(cert);
CFIndex pos, count;
SecCertificateRef certificate;
CFArrayRef addresses;
+#define ADDRESS_BUF_SIZE 64
certificate = crypto_cssm_x509cert_get_SecCertificateRef(cert);
if (certificate == NULL) {
addressLen = CFStringGetLength(address);
if (addressLen == 0)
continue;
- addressBuf = racoon_malloc(addressLen + 1);
+ addressBuf = racoon_malloc(ADDRESS_BUF_SIZE);
if (addressBuf == NULL) {
plog(LLV_ERROR, LOCATION, NULL, "out of memory\n");
+ CFRelease(addresses);
+ CFRelease(certificate);
return -1;
}
- if (CFStringGetCString(address, addressBuf, addressLen + 1, kCFStringEncodingUTF8) == TRUE) {
+ if (CFStringGetCString(address, addressBuf, ADDRESS_BUF_SIZE, kCFStringEncodingUTF8) == TRUE) {
result = inet_pton(idtype == IPSECDOI_ID_IPV4_ADDR ? AF_INET : AF_INET6, addressBuf, numAddress);
racoon_free(addressBuf);
if (result == 0)
continue; // wrong type or invalid address
- if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ?
+ if (!memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? 32 : 128) == 0) { // found a match ?
CFRelease(addresses);
CFRelease(certificate);
return 0;
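Review bot: The rewritten comparison on the `if (!memcmp(...) == 0)` line inverts the match: `!` binds tighter than `==`, so the branch is entered exactly when the bytes differ, and the function reports a certificate address as matching the peer ID precisely when it does not. The lengths 32 and 128 also look like bit counts; inet_pton writes sizeof(struct in_addr) or sizeof(struct in6_addr) bytes into numAddress, so the compare reads past what was written unless numAddress is larger than both (its declaration is outside the hunk). Suggested line: `if (memcmp(id, numAddress, idtype == IPSECDOI_ID_IPV4_ADDR ? sizeof(struct in_addr) : sizeof(struct in6_addr)) == 0) {`. Separately, racoon_free(addressBuf) sits inside the CFStringGetCString success branch; if the failure path (not visible here) does not free it, every skipped address leaks an ADDRESS_BUF_SIZE allocation.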
/*NOTREACHED*/
}
+vchar_t *
+oakley_getpskall(iph1)
+struct ph1handle *iph1;
+{
+ vchar_t *secret = NULL;
+
+ if (iph1->rmconf->shared_secret) {
+
+ switch (iph1->rmconf->secrettype) {
+ case SECRETTYPE_KEY:
+ /* in psk file - use KEY from remote configuration to locate it */
+ secret = getpsk(iph1->rmconf->shared_secret->v, iph1->rmconf->shared_secret->l-1);
+ break;
+#if HAVE_KEYCHAIN
+ case SECRETTYPE_KEYCHAIN:
+ /* in the system keychain */
+ secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, NULL);
+ break;
+ case SECRETTYPE_KEYCHAIN_BY_ID:
+ /* in the system keychain - use peer id */
+ secret = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p);
+ break;
+#endif // HAVE_KEYCHAIN
+ case SECRETTYPE_USE:
+ /* in the remote configuration */
+ default:
+ /* rmconf->shared_secret is a string and contains a NULL character that must be removed */
+ secret = vmalloc(iph1->rmconf->shared_secret->l - 1);
+ if (secret == NULL) {
+ plog(LLV_ERROR, LOCATION, iph1->remote, "memory error.\n");
+ goto end;
+ }
+ memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l);
+ }
+ } else {
+ secret = getpskbyname(iph1->id_p);
+ if (!secret) {
+ if (iph1->rmconf->verify_identifier) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "couldn't find the Hybrid pskey.\n");
+ goto end;
+ }
+ }
+ }
+ if (!secret) {
+ plog(LLV_NOTIFY, LOCATION, iph1->remote,
+ "couldn't find the Hybrid pskey, "
+ "try to get one by the peer's address.\n");
+ secret = getpskbyaddr(iph1->remote);
+ }
+
+end:
+ return secret;
+}
+
/*
* compute SKEYID
* see seciton 5. Exchanges in RFC 2409
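Review bot: oakley_getpskall has no header comment and duplicates the secret-lookup switch that the existing code in the next hunk (the one assigning iph1->authstr, presumably oakley_skeyid) already contains, so the two copies will drift; consider having that code call the new function. A comment should state ownership of the result — the default branch returns a fresh vmalloc'd buffer the caller must vfree, and getpsk/getpskfromkeychain/getpskbyname/getpskbyaddr presumably return caller-owned buffers too (confirm against their definitions), e.g. `/* Look up the pre-shared key for iph1 by configured secret, peer ID or peer address; returns a caller-owned vchar_t, or NULL. */`. The `shared_secret->l - 1` arithmetic assumes l >= 1, which the comment about the trailing NUL implies but nothing here checks.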
/* in the system keychain - use peer id */
iph1->authstr = getpskfromkeychain(iph1->rmconf->shared_secret->v, iph1->etype, iph1->rmconf->secrettype, iph1->id_p);
break;
-#endif HAVE_KEYCHAIN
+#endif // HAVE_KEYCHAIN
case SECRETTYPE_USE:
/* in the remote configuration */
default:
if (iph1->authstr == NULL) {
plog(LLV_ERROR, LOCATION, iph1->remote,
"couldn't find the pskey for %s.\n",
- saddrwop2str(iph1->remote));
+ saddrwop2str((struct sockaddr *)iph1->remote));
goto end;
}
}
extern int oakley_savecert __P((struct ph1handle *, struct isakmp_gen *));
extern int oakley_savecr __P((struct ph1handle *, struct isakmp_gen *));
+extern vchar_t * oakley_getpskall __P((struct ph1handle *));
extern int oakley_skeyid __P((struct ph1handle *));
extern int oakley_skeyid_dae __P((struct ph1handle *));
u_int *, u_int *, u_int *, u_int *, u_int *));
extern u_int32_t pk_getseq __P((void));
extern const char *sadbsecas2str
- __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
+ __P((struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t, int));
#endif /* _PFKEY_H */
static int pk_recvspddump __P((caddr_t *));
static int pk_recvspdflush __P((caddr_t *));
static int pk_recvgetsastat __P((caddr_t *));
-static struct sadb_msg *pk_recv __P((int, int *));
+static struct sadb_msg *pk_recv __P((int, ssize_t *));
static int (*pkrecvf[]) __P((caddr_t *)) = {
NULL,
caddr_t mhp[SADB_EXT_MAX + 1];
int error = -1;
- plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n",
- s_pfkey_type(msg->sadb_msg_type));
- plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
+ //plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n",
+ // s_pfkey_type(msg->sadb_msg_type));
+ //plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
/* validity check */
if (msg->sadb_msg_errno) {
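Review bot: The debug plog/plogdump calls here are commented out with `//` rather than removed, leaving dead code in the source; the same pattern recurs in the IPCOMP branch of the supported-algorithm check and in cmpspidxstrict later in this diff. If the output is too noisy at LLV_DEBUG, delete the lines or lower them to LLV_DEBUG2 (already used in this file), so the PF_KEY message dump stays available when diagnosing kernel/daemon SA traffic instead of being silently dropped.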
ipsec_strerror());
goto end;
}
- msg = (struct sadb_msg *)mhp[0];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
/* safety check */
if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
pfkey_handler()
{
struct sadb_msg *msg;
- int len;
+ ssize_t len;
if (slept_at || woke_at) {
plog(LLV_DEBUG, LOCATION, NULL,
return -1;
} else {
/* short message - msg not ready */
+ plog(LLV_ERROR, LOCATION, NULL,
+ "recv short message from pfkey\n");
return 0;
}
}
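Review bot: The new `recv short message from pfkey` log is emitted at LLV_ERROR on a path whose own comment calls it `msg not ready` and that returns 0 as a non-fatal result, so a condition that looks like a benign retry will be reported at error level. If it can occur during normal operation, LLV_DEBUG (the level used for the neighbouring sleep/wake message) is more appropriate; if it genuinely indicates a truncated or malformed message, the comment should say so and the caller should be told via a distinct return value. The enclosing function starts outside the hunk.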
if (slept_at || woke_at) {
plog(LLV_DEBUG, LOCATION, NULL,
"ignoring (saved) pfkey messages until power-mgmt event is handled.\n");
- return 0;
+ return;
}
TAILQ_FOREACH_SAFE(elem, &lcconf->saved_msg_queue, chain, elem_tmp) {
pid_t pid = getpid();
struct sadb_msg *msg = NULL;
size_t bl, ml;
- int len;
+ ssize_t len;
if ((s = privsep_pfkey_open()) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
{
plog(LLV_ERROR, LOCATION, NULL,
"%s give up to get IPsec-SA due to time up to wait.\n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
SCHED_KILL(iph2->sce);
/* If initiator side, send error to kernel by SADB_ACQUIRE. */
pk_sendgetspi(iph2)
struct ph2handle *iph2;
{
- struct sockaddr *src = NULL, *dst = NULL;
+ struct sockaddr_storage *src = NULL, *dst = NULL;
u_int satype, mode;
struct saprop *pp;
struct saproto *pr;
struct sadb_msg *msg;
struct sadb_sa *sa;
struct ph2handle *iph2;
- struct sockaddr *dst;
+ struct sockaddr_storage *dst;
int proto_id;
int allspiok, notfound;
struct saprop *pp;
"inappropriate sadb getspi message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
/* the message has to be processed or not ? */
if (msg->sadb_msg_pid != getpid()) {
if (!ike_session_update_ph2_ph1bind(iph2)) {
plog(LLV_ERROR, LOCATION, NULL,
"can't proceed with getspi for %s. no suitable ISAKMP-SA found \n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
if (notfound) {
plog(LLV_ERROR, LOCATION, NULL,
"get spi for unknown address %s\n",
- saddrwop2str(iph2->dst));
+ saddrwop2str((struct sockaddr *)iph2->dst));
unbindph12(iph2);
remph2(iph2);
delph2(iph2);
struct ph2handle *iph2;
{
struct saproto *pr;
- struct sockaddr *src = NULL, *dst = NULL;
+ struct sockaddr_storage *src = NULL, *dst = NULL;
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
} else {
if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
mode == IPSEC_MODE_TRANSPORT &&
- src->sa_family == AF_INET) {
+ src->ss_family == AF_INET) {
flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
}
if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
* But it is impossible because there is not key in the
* information from the kernel.
*/
- if (backupsa_to_file(satype, mode, dst, src,
+ if (backupsa_to_file(satype, mode, (struct sockaddr *)dst, (struct sockaddr *)src,
pr->spi, pr->reqid_in, 4,
pr->keymat->v,
e_type, e_keylen, a_type, a_keylen, flags,
{
struct sadb_msg *msg;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
struct ph2handle *iph2;
u_int proto_id, encmode, sa_mode;
int incomplete = 0;
"inappropriate sadb update message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
sa_mode = mhp[SADB_X_EXT_SA2] == NULL
? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
+ : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
/* the message has to be processed or not ? */
if (msg->sadb_msg_pid != getpid()) {
struct ph2handle *iph2;
{
struct saproto *pr;
- struct sockaddr *src = NULL, *dst = NULL;
+ struct sockaddr_storage *src = NULL, *dst = NULL;
u_int e_type, e_keylen, a_type, a_keylen, flags;
u_int satype, mode;
u_int64_t lifebyte = 0;
} else {
if (iph2->ph1->rmconf->natt_multiple_user == TRUE &&
mode == IPSEC_MODE_TRANSPORT &&
- dst->sa_family == AF_INET) {
+ dst->ss_family == AF_INET) {
flags |= SADB_X_EXT_NATT_MULTIPLEUSERS;
}
if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
* But it is impossible because there is not key in the
* information from the kernel.
*/
- if (backupsa_to_file(satype, mode, src, dst,
+ if (backupsa_to_file(satype, mode, (struct sockaddr *)src, (struct sockaddr *)dst,
pr->spi_p, pr->reqid_out, 4,
pr->keymat_p->v,
e_type, e_keylen, a_type, a_keylen, flags,
{
struct sadb_msg *msg;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
struct ph2handle *iph2;
u_int sa_mode;
"inappropriate sadb add message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
sa_mode = mhp[SADB_X_EXT_SA2] == NULL
? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
+ : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
/* the message has to be processed or not ? */
if (msg->sadb_msg_pid != getpid()) {
{
u_int32_t address;
- if (iph2->dst->sa_family == AF_INET)
+ if (iph2->dst->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
else
address = 0;
{
struct sadb_msg *msg;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
struct ph2handle *iph2;
u_int proto_id, sa_mode;
"inappropriate sadb expire message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
sa_mode = mhp[SADB_X_EXT_SA2] == NULL
? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
+ : (ALIGNED_CAST(struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
if (proto_id == ~0) {
struct secpolicy *sp_out = NULL, *sp_in = NULL;
#define MAXNESTEDSA 5 /* XXX */
struct ph2handle *iph2[MAXNESTEDSA];
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
int n; /* # of phase 2 handler */
/* ignore this message because of local test mode. */
"inappropriate sadb acquire message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
/* ignore if type is not IPSEC_POLICY_IPSEC */
if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
/* ignore it if src is multicast address */
{
- struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- if ((sa->sa_family == AF_INET
+ if ((sa->ss_family == AF_INET
&& IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr)))
#ifdef INET6
- || (sa->sa_family == AF_INET6
+ || (sa->ss_family == AF_INET6
&& IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr))
#endif
) {
plog(LLV_DEBUG, LOCATION, NULL,
"ignore due to multicast address: %s.\n",
- saddrwop2str(sa));
+ saddrwop2str((struct sockaddr *)sa));
return 0;
}
}
* than one in the policy, so kernel will drop them;
* => therefore this acquire is not for us! --Aidas
*/
- struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ struct sockaddr_storage *sa = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
struct myaddrs *p;
int do_listen = 0;
for (p = lcconf->myaddrs; p; p = p->next) {
if (!do_listen) {
plog(LLV_DEBUG, LOCATION, NULL,
"ignore because do not listen on source address : %s.\n",
- saddrwop2str(sa));
+ saddrwop2str((struct sockaddr *)sa));
return 0;
}
}
iph2[n]->status = PHASE2ST_STATUS2;
/* set end addresses of SA */
- iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
+ // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ iph2[n]->dst = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
if (iph2[n]->dst == NULL) {
delph2(iph2[n]);
return -1;
}
- iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
+ iph2[n]->src = dupsaddr(ALIGNED_CAST(struct sockaddr *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
if (iph2[n]->src == NULL) {
delph2(iph2[n]);
return -1;
{
vchar_t *idsrc, *iddst;
- idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
+ idsrc = ipsecdoi_sockaddr2id(&sp_out->spidx.src,
sp_out->spidx.prefs, sp_out->spidx.ul_proto);
if (idsrc == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
delph2(iph2[n]);
return -1;
}
- iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
+ iddst = ipsecdoi_sockaddr2id(&sp_out->spidx.dst,
sp_out->spidx.prefd, sp_out->spidx.ul_proto);
if (iddst == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
{
struct sadb_msg *msg;
struct sadb_sa *sa;
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
struct ph2handle *iph2 = NULL;
u_int proto_id;
"inappropriate sadb delete message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA];
+ src = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
+ dst = ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
/* the message has to be processed or not ? */
if (msg->sadb_msg_pid == getpid()) {
}
plog(LLV_DEBUG2, LOCATION, NULL, "SADB delete message: proto-id %d\n", proto_id);
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
+ plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str((struct sockaddr *)src));
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str((struct sockaddr *)dst));
if (!sa) {
deleteallph2(src, dst, proto_id);
int *policylen0, type;
struct ph2handle *iph2;
{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
struct sadb_x_policy *xpl;
struct sadb_x_ipsecrequest *xisr;
struct saproto *pr;
for (pr = iph2->approval->head; pr; pr = pr->next) {
xisrlen = sizeof(*xisr);
if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
- xisrlen += (sysdep_sa_len(iph2->src)
- + sysdep_sa_len(iph2->dst));
+ xisrlen += (sysdep_sa_len((struct sockaddr *)iph2->src)
+ + sysdep_sa_len((struct sockaddr *)iph2->dst));
}
policylen += PFKEY_ALIGN8(xisrlen);
return -1;
}
- xpl = (struct sadb_x_policy *)policy;
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)policy;
xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
int src_len, dst_len;
- src_len = sysdep_sa_len(iph2->src);
- dst_len = sysdep_sa_len(iph2->dst);
+ src_len = sysdep_sa_len((struct sockaddr *)iph2->src);
+ dst_len = sysdep_sa_len((struct sockaddr *)iph2->dst);
xisrlen += src_len + dst_len;
memcpy(p, iph2->src, src_len);
pk_sendspdupdate2(iph2)
struct ph2handle *iph2;
{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
caddr_t policy = NULL;
int policylen = 0;
u_int64_t ltime, vtime;
if (pfkey_send_spdupdate2(
lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
spidx->prefd,
spidx->ul_proto,
ltime, vtime,
"inappropriate sadb spdupdate message passed.\n");
return -1;
}
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
#ifdef HAVE_PFKEY_POLICY_PRIORITY
KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
pk_sendspdadd2(iph2)
struct ph2handle *iph2;
{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
caddr_t policy = NULL;
int policylen = 0;
u_int64_t ltime, vtime;
if (pfkey_send_spdadd2(
lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
spidx->prefd,
spidx->ul_proto,
ltime, vtime,
"inappropriate sadb spdadd message passed.\n");
return -1;
}
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
#ifdef HAVE_PFKEY_POLICY_PRIORITY
KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
pk_sendspddelete(iph2)
struct ph2handle *iph2;
{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
+ struct policyindex *spidx = iph2->spidx_gen;
caddr_t policy = NULL;
int policylen;
if (pfkey_send_spddelete(
lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
+ &spidx->src,
spidx->prefs,
- (struct sockaddr *)&spidx->dst,
+ &spidx->dst,
spidx->prefd,
spidx->ul_proto,
policy, policylen, 0) < 0) {
"inappropriate sadb spddelete message passed.\n");
return -1;
}
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
#ifdef HAVE_PFKEY_POLICY_PRIORITY
KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
"inappropriate sadb spdexpire message passed.\n");
return -1;
}
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
#ifdef HAVE_PFKEY_POLICY_PRIORITY
KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
"inappropriate sadb spddump message passed.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
if (saddr == NULL || daddr == NULL || xpl == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"inappropriate sadb getsastat response.\n");
return -1;
}
- msg = (struct sadb_msg *)mhp[0];
- session_id = (ike_session_t *)mhp[SADB_EXT_SESSION_ID];
- stat_resp = (struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
+ msg = ALIGNED_CAST(struct sadb_msg *)mhp[0]; // Wcast-align fix (void*) - mhp contains pointers to structs in an aligned buffer
+ session_id = ALIGNED_CAST(struct sadb_session_id *)mhp[SADB_EXT_SESSION_ID];
+ stat_resp = ALIGNED_CAST(struct sadb_sastat *)mhp[SADB_EXT_SASTAT];
/* the message has to be processed or not ? */
if (msg->sadb_msg_pid != getpid()) {
s_pfkey_type(msg->sadb_msg_type));
return -1;
}
- session = (__typeof__(session))session_id->sadb_session_id_v[0];
+ session = ALIGNED_CAST(__typeof__(session))session_id->sadb_session_id_v[0];
if (!stat_resp->sadb_sastat_list_len) {
plog(LLV_DEBUG, LOCATION, NULL,
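Review bot: `session_id->sadb_session_id_v[0]` arrives in a PF_KEY message from the kernel and is cast straight to a session pointer, with nothing visible checking that the value still names a live session before it is presumably dereferenced further down. If the kernel is echoing back a cookie racoon supplied in the getsastat request, the value should be validated against the live session list (or replaced by a lookup key) before use, and the assumption should be stated, e.g. `/* sadb_session_id_v[0] is the session pointer we passed in the request; confirm it is still live before dereferencing */`. The enclosing function continues outside the hunk.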
sup = SADB_EXT_SUPPORTED_AUTH;
break;
case IPSECDOI_PROTO_IPCOMP:
- plog(LLV_DEBUG, LOCATION, NULL,
- "compression algorithm can not be checked "
- "because sadb message doesn't support it.\n");
+ //plog(LLV_DEBUG, LOCATION, NULL,
+ // "compression algorithm can not be checked "
+ // "because sadb message doesn't support it.\n");
return 0;
default:
plog(LLV_ERROR, LOCATION, NULL,
static struct sadb_msg *
pk_recv(so, lenp)
int so;
- int *lenp;
+ ssize_t *lenp;
{
struct sadb_msg *newmsg;
int reallen = 0;
if ((newmsg = racoon_calloc(1, reallen)) == NULL)
return NULL;
- *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
+ while ((*lenp = recv(so, (caddr_t)newmsg, reallen, 0)) < 0) {
+ if (errno == EINTR)
+ continue;
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to recv pfkey message: %s\n", strerror(errno));
+ break;
+ }
if (*lenp < 0) {
racoon_free(newmsg);
return NULL; /*fatal*/
return -1;
}
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
+ saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
+ daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
+ xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
new = newsp();
if (new == NULL) {
"becoming tlen < 0\n");
}
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr = ALIGNED_CAST(struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
}
/* proto/mode/src->dst spi */
const char *
sadbsecas2str(src, dst, proto, spi, mode)
- struct sockaddr *src, *dst;
+ struct sockaddr_storage *src, *dst;
int proto;
u_int32_t spi;
int mode;
p += i;
blen -= i;
- i = snprintf(p, blen, "%s->", saddr2str(src));
+ i = snprintf(p, blen, "%s->", saddr2str((struct sockaddr *)src));
if (i < 0 || i >= blen)
return NULL;
p += i;
blen -= i;
- i = snprintf(p, blen, "%s ", saddr2str(dst));
+ i = snprintf(p, blen, "%s ", saddr2str((struct sockaddr *)dst));
if (i < 0 || i >= blen)
return NULL;
p += i;
}
void
-plog_func(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
+plog_func(int pri, const char *func, struct sockaddr_storage *sa, const char *fmt, ...)
{
va_list ap;
}
void
-plogv(int pri, const char *func, struct sockaddr *sa,
+plogv(int pri, const char *func, struct sockaddr_storage *sa,
const char *fmt, va_list *ap)
{
char *newfmt;
extern int f_foreground;
extern int print_location;
-struct sockaddr;
-extern void plog_func __P((int, const char *, struct sockaddr *, const char *, ...))
+struct sockaddr_storage;
+extern void plog_func __P((int, const char *, struct sockaddr_storage *, const char *, ...))
__attribute__ ((__format__ (__printf__, 4, 5)));
-extern void plogv __P((int, const char *, struct sockaddr *,
+extern void plogv __P((int, const char *, struct sockaddr_storage *,
const char *, va_list *));
extern void plogdump __P((int, void *, size_t));
extern void ploginit __P((void));
// for tunnel mode: verify the outer ip addresses match the phase2's addresses
if (spidx->dir == IPSEC_DIR_INBOUND) {
// TODO: look out for wildcards
- if (!cmpsaddrwop(iph2->dst, (struct sockaddr *)&isr->saidx.src) &&
- !cmpsaddrwop(iph2->src, (struct sockaddr *)&isr->saidx.dst)) {
+ if (!cmpsaddrwop(iph2->dst, &isr->saidx.src) &&
+ !cmpsaddrwop(iph2->src, &isr->saidx.dst)) {
plog(LLV_DEBUG2, LOCATION, NULL, "%s, inbound policy outer addresses matched phase2's addresses\n",
__FUNCTION__);
return p;
}
} else if (spidx->dir == IPSEC_DIR_OUTBOUND) {
// TODO: look out for wildcards
- if (!cmpsaddrwop(iph2->src, (struct sockaddr *)&isr->saidx.src) &&
- !cmpsaddrwop(iph2->dst, (struct sockaddr *)&isr->saidx.dst)) {
+ if (!cmpsaddrwop(iph2->src, &isr->saidx.src) &&
+ !cmpsaddrwop(iph2->dst, &isr->saidx.dst)) {
plog(LLV_DEBUG2, LOCATION, NULL, "%s, outbound policy outer addresses matched phase2's addresses\n",
__FUNCTION__);
return p;
plog(LLV_DEBUG2, LOCATION, NULL, "%s, policy outer addresses matched phase2's addresses: dir %d\n",
__FUNCTION__, spidx->dir);
plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
- saddr2str(iph2->src));
+ saddr2str((struct sockaddr *)iph2->src));
plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
saddr2str((struct sockaddr *)&isr->saidx.src));
plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
+ saddr2str((struct sockaddr *)iph2->dst));
plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
saddr2str((struct sockaddr *)&isr->saidx.dst));
}
plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
saddr2str(iph2->src));
plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
+ saddr2str(&spidx->src));
+ if (cmpsaddrwop(iph2->src, &spidx->src)
|| spidx->prefs != prefixlen)
return NULL;
plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
saddr2str(iph2->dst));
plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
+ saddr2str(&spidx->dst));
+ if (cmpsaddrwop(iph2->dst, &spidx->dst)
|| spidx->prefd != prefixlen)
return NULL;
cmpspidxstrict(a, b)
struct policyindex *a, *b;
{
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
+ //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
+ //plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
/* XXX don't check direction now, but it's to be checked carefully. */
if (a->dir != b->dir
|| a->ul_proto != b->ul_proto)
return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->src,
- (struct sockaddr *)&b->src))
+ if (cmpsaddrstrict(&a->src, &b->src))
return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
- (struct sockaddr *)&b->dst))
+ if (cmpsaddrstrict(&a->dst, &b->dst))
return 1;
return 0;
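Review bot: The debug plog calls at L8243-8244 are commented out rather than deleted, and the same pattern recurs at L8262-8263 and in the getsainfo hunks at L8828-8837, L8851-8857 and L8871-8877, where whole blocks that dumped identity payloads are left behind as `//` text. Commented-out code goes stale and version control already keeps the history, so remove the lines outright; if the dumps are meant to stay available for troubleshooting, gate them behind one compile-time macro instead of leaving dead text in five places. cmpspidxstrict starts at L8238 but its closing brace is outside the hunk.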
{
struct sockaddr_storage sa1, sa2;
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
+ //plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
+ //plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
return 1;
a->src.ss_len, b->src.ss_len);
return 1;
}
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src,
- b->prefs);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src,
- b->prefs);
+ mask_sockaddr(&sa1, &a->src, b->prefs);
+ mask_sockaddr(&sa2, &b->src, b->prefs);
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
a, b->prefs, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddrwild(&sa1, &sa2))
return 1;
/* compare dst address */
plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
exit(1);
}
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst,
- b->prefd);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst,
- b->prefd);
+ mask_sockaddr(&sa1, &a->dst, b->prefd);
+ mask_sockaddr(&sa2, &b->dst, b->prefd);
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
a, b->prefd, saddr2str((struct sockaddr *)&sa1));
plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
+ if (cmpsaddrwild(&sa1, &sa2))
return 1;
return 0;
int pool_size;
int port;
int inout;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
if (safety_check(combuf, 0) != 0)
break;
break;
memcpy(&port, bufs[0], sizeof(port));
- raddr = (struct sockaddr *)bufs[1];
+ raddr = (struct sockaddr_storage *)bufs[1];
bufs[2][combuf->bufs.buflen[2] - 1] = '\0';
memcpy(&inout, bufs[3], sizeof(port));
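Review bot: The cast at L8310 (and L8323 in the next hunk) now reinterprets a privsep message buffer as a `struct sockaddr_storage`, but the only length check visible in the hunk is `safety_check(combuf, 0)`, which covers bufs[0]. If the case does not also verify `combuf->bufs.buflen[1]` (resp. `buflen[2]`) against the length the callee will read from `ss_len`, the receiving side of the privilege boundary may read past the message it was handed; a guard such as `if (combuf->bufs.buflen[1] < sizeof(struct sockaddr) || raddr->ss_len > combuf->bufs.buflen[1]) break;` before raddr is used would pin that. The enclosing switch case starts before the hunk, so a check may exist above; if so, a one-line comment naming it next to the cast would save the next reader the search.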
case PRIVSEP_XAUTH_LOGIN_PAM: {
int port;
int pool_size;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
if (safety_check(combuf, 0) != 0)
break;
memcpy(&port, bufs[0], sizeof(port));
memcpy(&pool_size, bufs[1], sizeof(pool_size));
- raddr = (struct sockaddr *)bufs[2];
+ raddr = (struct sockaddr_storage *)bufs[2];
bufs[3][combuf->bufs.buflen[3] - 1] = '\0';
bufs[4][combuf->bufs.buflen[4] - 1] = '\0';
int
privsep_accounting_system(port, raddr, usr, inout)
int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
char *usr;
int inout;
{
int
privsep_xauth_login_pam(port, raddr, usr, pwd)
int port;
- struct sockaddr *raddr;
+ struct sockaddr_storage *raddr;
char *usr;
char *pwd;
{
int privsep_xauth_login_system __P((char *, char *));
#ifdef HAVE_LIBPAM
int privsep_accounting_pam __P((int, int));
-int privsep_xauth_login_pam __P((int, struct sockaddr *, char *, char *));
+int privsep_xauth_login_pam __P((int, struct sockaddr_storage *, char *, char *));
void privsep_cleanup_pam __P((int));
#endif
-int privsep_accounting_system __P((int, struct sockaddr *, char *, int));
+int privsep_accounting_system __P((int, struct sockaddr_storage *, char *, int));
#endif /* _PRIVSEP_H */
.El
.El
.\"
-.Ss Miscellaneous Global Parameters
-.Bl -tag -width Ds -compact
-.It Ic gss_id_enc Ar enctype ;
-Older versions of
-.Xr racoon 8
-used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
-For interoperability with Microsoft Windows' GSS-API authentication
-scheme, the default encoding has been changed to UTF-16LE.
-The
-.Ic gss_id_enc
-parameter allows
-.Xr racoon 8
-to be configured to use the old encoding for compatibility with existing
-.Xr racoon 8
-installations.
-The following are valid values for
-.Ar enctype :
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic utf-16le
-Use UTF-16LE to encode the GSS-API identifier attribute.
-This is the default encoding.
-This encoding is compatible with Microsoft Windows.
-.It Ic latin1
-Use ISO-Latin-1 to encode the GSS-API identifier attribute.
-This is the encoding used by older versions of
-.Xr racoon 8 .
-.El
-.El
-.\"
.Ss Remote Nodes Specifications
.Bl -tag -width Ds -compact
.It Xo
This directive must be defined.
.Ar algorithm
is one of following:
-.Ic des, 3des, blowfish, cast128, aes, camellia
-.\".Ic rc5 , idea
+.Ic des, 3des, aes
for Oakley.
For other transforms, this statement should not be used.
.\"
This directive must be defined.
.Ar type
is one of:
-.Ic pre_shared_key , rsasig
-(for plain RSA authentication),
-.Ic gssapi_krb , hybrid_rsa_server ,
+.Ic pre_shared_key,
+.Ic hybrid_rsa_server ,
.Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
or
.Ic xauth_psk_client .
This directive must be defined.
.Ar group
is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
+.Ic modp1024 , modp1536 .
+Or you can define 2 or 5 as the DH group number.
When you want to use aggressive mode,
you must define the same DH group in each proposal.
.It Ic lifetime time Ar number Ar timeunit ;
directive defined in the
.Ic remote
directive.
-.It Ic gss_id Ar string ;
-Defines the GSS-API endpoint name, to be included as an attribute in the SA,
-if the
-.Ic gssapi_krb
-authentication method is used.
-If this is not defined, the default value of
-.Ql host/hostname
-is used, where hostname is the value returned by the
-.Xr hostname 1
-command.
-.El
.El
.El
.\"
Any proposal will be accepted if you do not specify one.
.Ar group
is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
+.Ic modp1024 , modp1536 .
+Or you can define 2 or 5 as the DH group number.
.\"
.It Ic lifetime time Ar number Ar timeunit ;
define how long an IPsec-SA will be used, in timeunits.
.Bl -tag -width Ds -compact
.It Ic encryption_algorithm Ar algorithms ;
.Ic des , 3des , des_iv64 , des_iv32 ,
-.Ic rc5 , rc4 , idea , 3idea ,
-.Ic cast128 , blowfish , null_enc ,
-.Ic twofish , rijndael , aes , camellia
+.Ic null_enc ,rijndael , aes
.Pq used with ESP
.\"
.It Ic authentication_algorithm Ar algorithms ;
char *inet = "inet";
char *srcaddr;
struct addrinfo hints, *res;
- struct sockaddr *src;
+ struct sockaddr_storage *src;
char *idx;
if (ac < 1)
char *inet = "inet";
char *srcaddr;
struct addrinfo hints, *res;
- struct sockaddr *src;
+ struct sockaddr_storage *src;
char *idx;
if (ac < 1)
struct admin_com_indexes *ci;
char *p_name = NULL, *p_port = NULL;
char *p_prefs = NULL, *p_prefd = NULL;
- struct sockaddr *src = NULL, *dst = NULL;
+ struct sockaddr_storage *src = NULL, *dst = NULL;
int ulproto;
if (ac != 2 && ac != 3) {
while (len-- > 0) {
/* source address */
if (long_format >= 2) {
- GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_);
+ GETNAMEINFO((struct sockaddr_storage *)&pd->local, _addr1_, _addr2_);
switch (long_format) {
case 0:
break;
}
/* destination address */
- GETNAMEINFO((struct sockaddr *)&pd->remote, _addr1_, _addr2_);
+ GETNAMEINFO((struct sockaddr_storage *)&pd->remote, _addr1_, _addr2_);
switch (long_format) {
case 0:
case 1:
int tlen;
{
struct ph2handle *iph2;
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
/*
short header;
while (tlen > 0) {
iph2 = (struct ph2handle *)buf;
- addr = (struct sockaddr *)(++iph2);
+ addr = (struct sockaddr_storage *)(++iph2);
GETNAMEINFO(addr, _addr1_, _addr2_);
printf("%s ", long_format ?
else
printf("%s : ", evtmsg[i].msg);
- if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL)
+ if ((srcstr = saddr2str((struct sockaddr_storage *)&evtdump->src)) == NULL)
printf("unknown");
else
printf("%s", srcstr);
printf(" -> ");
- if ((dststr = saddr2str((struct sockaddr *)&evtdump->dst)) == NULL)
+ if ((dststr = saddr2str((struct sockaddr_storage *)&evtdump->dst)) == NULL)
printf("unknown");
else
printf("%s", dststr);
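Review bot: `saddr2str((struct sockaddr_storage *)&evtdump->src)` at L8511 and the dst call at L8517 cast to `struct sockaddr_storage *`, whereas every other saddr2str call this diff touches casts to `struct sockaddr *` (L8152, L8211, L8681, L8738). Unless racoonctl.c has its own saddr2str taking a sockaddr_storage, these two calls pass an incompatible pointer type and will warn, or fail under -Werror; the GETNAMEINFO uses at L8484, L8491 and L8506 likewise cast to sockaddr_storage while L8564 casts to sockaddr, so one of the two sides is wrong depending on the macro's definition. Use the same cast here: `if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL)`.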
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
-#ifdef HAVE_OPENSSL
-#include "rsalist.h"
-#endif
static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
*/
struct remoteconf *
getrmconf_strict(remote, allow_anon)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
int allow_anon;
{
struct remoteconf *p;
struct remoteconf *p_withport_besteffort = NULL;
+ struct remoteconf *p_with_prefix = NULL;
+ struct remoteconf *p_with_prefix_besteffort = NULL;
+ int last_prefix = 0;
struct remoteconf *anon = NULL;
+
int withport;
char buf[NI_MAXHOST + NI_MAXSERV + 10];
char addr[NI_MAXHOST], port[NI_MAXSERV];
* In an ideal world, we would be able to have remote conf with
* port, and the port could be a wildcard. That test could be used.
*/
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
case AF_INET:
if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY)
withport = 1;
default:
plog(LLV_ERROR2, LOCATION, NULL,
- "invalid ip address family: %d\n", remote->sa_family);
+ "invalid ip address family: %d\n", remote->ss_family);
return NULL;
}
- if (remote->sa_family == AF_UNSPEC)
+ if (remote->ss_family == AF_UNSPEC)
snprintf (buf, sizeof(buf), "%s", "anonymous");
else {
- GETNAMEINFO(remote, addr, port);
+ GETNAMEINFO((struct sockaddr *)remote, addr, port);
snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
withport ? "[" : "",
withport ? port : "",
if (p->to_delete || p->to_remove) {
continue;
}
- if ((remote->sa_family == AF_UNSPEC
- && remote->sa_family == p->remote->sa_family)
- || (!withport && cmpsaddrwop(remote, p->remote) == 0)
- || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "configuration found for %s.\n", buf);
+
+ if (remote->ss_family == AF_UNSPEC
+ && remote->ss_family == p->remote->ss_family) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
return p;
- } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
- // for withport: save the pointer for the best-effort search
- p_withport_besteffort = p;
- }
+ }
+ if (p->remote_prefix == 0) {
+ if ((!withport && cmpsaddrwop(remote, p->remote) == 0)
+ || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p;
+ } else if (withport && cmpsaddrwop(remote, p->remote) == 0) {
+ // for withport: save the pointer for the best-effort search
+ p_withport_besteffort = p;
+ }
+ } else {
+ if ((!withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0)
+ || (withport && cmpsaddrstrict_withprefix(remote, p->remote, p->remote_prefix) == 0)) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix = p;
+ last_prefix = p->remote_prefix;
+ }
+ } else if (withport && cmpsaddrwop_withprefix(remote, p->remote, p->remote_prefix) == 0) {
+ if (p->remote_prefix >= last_prefix) {
+ p_with_prefix_besteffort = p;
+ last_prefix = p->remote_prefix;
+ }
+ }
+ }
/* save the pointer to the anonymous configuration */
- if (p->remote->sa_family == AF_UNSPEC)
+ if (p->remote->ss_family == AF_UNSPEC)
anon = p;
}
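Review bot: `last_prefix` at L8601-8609 is shared between the exact match (`p_with_prefix`) and the best-effort match (`p_with_prefix_besteffort`), so a port-mismatched entry with a longer prefix that sits earlier in rmtree raises `last_prefix` and prevents a later exact address-and-port match with a shorter prefix from ever being recorded; which remote configuration, and therefore which authentication settings, gets selected then depends on list order rather than on match quality. Track the two candidates separately, e.g. `int last_prefix = 0, last_prefix_besteffort = 0;`, and have each branch compare and update only its own counter. `>=` also lets a later entry with an equal prefix displace an earlier one, while the exact-match path above returns the first hit; `>` would keep first-wins semantics consistent. The `TAILQ_FOREACH` header and the function's tail are outside the hunk.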
"configuration found for %s.\n", buf);
return p_withport_besteffort;
}
-
+ if (p_with_prefix) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p_with_prefix;
+ }
+ if (p_with_prefix_besteffort) {
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "configuration found for %s.\n", buf);
+ return p_with_prefix_besteffort;
+ }
if (allow_anon && anon != NULL) {
plog(LLV_DEBUG, LOCATION, NULL,
"anonymous configuration selected for %s.\n", buf);
TAILQ_FOREACH(p, &rmtree, chain) {
if (ignore_anonymous) {
- if (p->remote->sa_family == AF_UNSPEC) /* anonymous */
+ if (p->remote->ss_family == AF_UNSPEC) /* anonymous */
continue;
}
#if !TARGET_OS_EMBEDDED
// ignore the default btmm ipv6 config thats always present in racoon.conf
- if (p->remote->sa_family == AF_INET6 &&
+ if (p->remote->ss_family == AF_INET6 &&
p->idvtype == IDTYPE_USERFQDN &&
p->idv != NULL &&
p->idv->l == default_idv_len &&
struct remoteconf *
getrmconf(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
return getrmconf_strict(remote, 1);
}
new->idvl_p = genlist_init();
new->nonce_size = DEFAULT_NONCE_SIZE;
new->passive = FALSE;
- new->ike_frag = FALSE;
+ new->ike_frag = ISAKMP_FRAG_FORCE;
new->esp_frag = IP_MAXPACKET;
new->ini_contact = TRUE;
new->mode_cfg = FALSE;
new->to_remove = FALSE;
new->to_delete = FALSE;
new->linked_to_ph1 = 0;
-#ifdef HAVE_OPENSSL
- new->rsa_private = genlist_init();
- new->rsa_public = genlist_init();
-#endif
new->idv = NULL;
new->key = NULL;
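Review bot: The default for `ike_frag` changes from FALSE to ISAKMP_FRAG_FORCE at L8658 without a comment, and the racoon.conf man-page hunks in this diff touch the proposal and DH-group text but not the ike_frag directive, so the manual will still describe the old default. Add a why-comment at the assignment, e.g. `/* default is now to force IKE fragmentation; a remote {} block may still override it */`, and a matching sentence in the man page; I cannot see from the hunk how FORCE behaves against a peer that does not advertise fragmentation support, so that should be stated there too.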
struct remoteconf *
copyrmconf(remote)
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
{
struct remoteconf *new, *old;
if (old == NULL) {
plog (LLV_ERROR, LOCATION, NULL,
"Remote configuration for '%s' not found!\n",
- saddr2str (remote));
+ saddr2str((struct sockaddr *)remote));
return NULL;
}
struct remoteconf *rmconf;
{
struct remoteconf *new;
+ int i;
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
return NULL;
memcpy (new, rmconf, sizeof (*new));
- // FIXME: We should duplicate the proposal as well.
+ // FIXME: We should duplicate remote, proposal, etc.
// This is now handled in the cfparse.y
// new->proposal = ...;
-
+
+ // zero-out pointers
+ new->remote = NULL;
+ new->keychainCertRef = NULL; /* peristant keychain ref for cert */
+ new->shared_secret = NULL; /* shared secret */
+ new->open_dir_auth_group = NULL; /* group to be used to authorize user */
+ new->proposal = NULL;
+ new->cacertfile = NULL;
+ for (i = 0; i <= SCRIPT_MAX; i++)
+ new->script[i] = NULL;
+ new->to_remove = FALSE;
+ new->to_delete = FALSE;
+ new->linked_to_ph1 = 0;
+ new->idv = NULL;
+ new->key = NULL;
+#ifdef ENABLE_HYBRID
+ new->xauth = NULL;
+#endif
+
/* duplicate dynamic structures */
if (new->etypes)
new->etypes=dupetypes(new->etypes);
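Review bot: After the `memcpy` at L8691, `new->prhead` still points at the source's proposalspec list and is not reset in the new zeroing block (L8698-8714), yet delrmconf frees it unconditionally via `proposalspec_free(rmconf->prhead)` at L8721. Unless the remainder of duprmconf, outside the hunk after the etypes duplication, deep-copies prhead, deleting either the original or the copy leaves the other holding a freed list. Either add `new->prhead = NULL; /* rebuilt by the caller, see FIXME above */` to the block or duplicate it. Also, `i <= SCRIPT_MAX` at L8705 relies on `script` having SCRIPT_MAX + 1 entries like `script_names` at L8786; `sizeof(new->script) / sizeof(new->script[0])` as the bound removes that coupling.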
racoon_free(rmconf->cacertfile);
if (rmconf->prhead)
proposalspec_free(rmconf->prhead);
-#ifdef HAVE_OPENSSL
- if (rmconf->rsa_private)
- genlist_free(rmconf->rsa_private, rsa_key_free);
- if (rmconf->rsa_public)
- genlist_free(rmconf->rsa_public, rsa_key_free);
-#endif
if (rmconf->shared_secret)
vfree(rmconf->shared_secret);
if (rmconf->keychainCertRef)
char buf[1024], *pbuf;
pbuf = buf;
- pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str(p->remote));
+ if (p->remote_prefix)
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s",
+ saddr2str_with_prefix((struct sockaddr *)p->remote, p->remote_prefix));
+ else
+ pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "remote %s", saddr2str((struct sockaddr *)p->remote));
if (p->inherited_from)
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), " inherit %s",
- saddr2str(p->inherited_from->remote));
+ saddr2str((struct sockaddr *)p->inherited_from->remote));
plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
pbuf = buf;
pbuf += snprintf(pbuf, sizeof(buf) - (pbuf - buf), "\texchange_type ");
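Review bot: `pbuf += snprintf(...)` at L8735 and L8738 advances by the would-be length, not the number of bytes written; if the formatted remote string does not fit in the 1024-byte `buf`, pbuf moves past the end and `sizeof(buf) - (pbuf - buf)` wraps to a huge size_t for the next call at L8740, which then writes beyond buf. The pattern is inherited, but the new prefix branch adds another site, so clamp after each call, e.g. `if (pbuf - buf >= (ptrdiff_t)sizeof(buf)) pbuf = buf + sizeof(buf) - 1;`, or route the appends through a small helper that tracks remaining space and refuses to advance past it. The dump function this sits in starts and ends outside the hunk.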
plog(LLV_INFO, LOCATION, NULL,
"\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
prop->prop_no, prop->trns_no,
- saddr2str(prop->rmconf->remote));
+ saddr2str((struct sockaddr *)prop->rmconf->remote));
plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
(long)prop->lifetime);
{
char *script_dir;
vchar_t *new_path;
- vchar_t *new_storage;
- vchar_t **sp;
size_t len;
- size_t size;
script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
}
-#ifdef HAVE_OPENSSL
-void
-rsa_key_free(void *entry)
-{
- struct rsa_key *key = (struct rsa_key *)entry;
-
- if (key->src)
- free(key->src);
- if (key->dst)
- free(key->dst);
- if (key->rsa)
- RSA_free(key->rsa);
- free(key);
-}
-#endif
\ No newline at end of file
int encmode; /* for ipsec */
int vendorid; /* for isakmp */
char *gssid;
- struct sockaddr *remote;
+ struct sockaddr_storage *remote;
int algclass[MAXALGCLASS];
struct secprotospec *next; /* the tail is the most prefiered. */
extern char *script_names[SCRIPT_MAX + 1];
struct remoteconf {
- struct sockaddr *remote; /* remote IP address */
+ struct sockaddr_storage *remote; /* remote IP address */
+ int remote_prefix; /* allows subnet for remote address */
/* if family is AF_UNSPEC, that is
* for anonymous configuration. */
from which this one
was inherited */
struct proposalspec *prhead;
-#ifdef HAVE_OPENSSL
- struct genlist *rsa_private, /* lists of PlainRSA keys to use */
- *rsa_public;
-#endif
#ifdef ENABLE_HYBRID
struct xauth_rmconf *xauth;
typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);
-extern struct remoteconf *getrmconf __P((struct sockaddr *));
+extern struct remoteconf *getrmconf __P((struct sockaddr_storage *));
extern struct remoteconf *getrmconf_strict
- __P((struct sockaddr *remote, int allow_anon));
+ __P((struct sockaddr_storage *remote, int allow_anon));
extern int link_rmconf_to_ph1 __P((struct remoteconf *));
extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
extern int no_remote_configs __P((int));
-extern struct remoteconf *copyrmconf __P((struct sockaddr *));
+extern struct remoteconf *copyrmconf __P((struct sockaddr_storage *));
extern struct remoteconf *newrmconf __P((void));
extern struct remoteconf *duprmconf __P((struct remoteconf *));
extern void delrmconf __P((struct remoteconf *));
if (use_nat_addr && lcconf->ext_nat_id == NULL)
return NULL;
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - src id:\n");
- if (src != NULL)
- plogdump(LLV_DEBUG2, src->v, src->l);
- else
- plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - dst id:\n");
- if (dst != NULL)
- plogdump(LLV_DEBUG2, dst->v, dst->l);
- else
- plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n");
+ //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - src id:\n");
+ //if (src != NULL)
+ // plogdump(LLV_DEBUG2, src->v, src->l);
+ //else
+ // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n");
+ //plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - dst id:\n");
+ //if (dst != NULL)
+ // plogdump(LLV_DEBUG2, dst->v, dst->l);
+ //else
+ // plog(LLV_DEBUG2, LOCATION, NULL, " anonymous\n");
if (peer == NULL)
pass = 2;
again:
if (s->to_delete || s->to_remove) {
continue;
}
- if (s->idsrc != NULL) {
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n");
- plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l);
- plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l);
- } else {
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id = anonymous\n");
- }
+ //if (s->idsrc != NULL) {
+ // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id - src & dst:\n");
+ // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l);
+ // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l);
+ //} else {
+ // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo - sainfo id = anonymous\n");
+ //}
if (s->id_i != NULL) {
if (pass == 2)
continue;
if (s->to_delete || s->to_remove) {
continue;
}
- if (s->idsrc != NULL) {
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id - src & dst:\n");
- plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l);
- plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l);
- } else {
- plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id = anonymous\n");
- }
+ //if (s->idsrc != NULL) {
+ // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id - src & dst:\n");
+ // plogdump(LLV_DEBUG2, s->idsrc->v, s->idsrc->l);
+ // plogdump(LLV_DEBUG2, s->iddst->v, s->iddst->l);
+ //} else {
+ // plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id = anonymous\n");
+ //}
if (s->id_i != NULL) {
plog(LLV_DEBUG2, LOCATION, NULL, "getsainfo_by_dst_id - sainfo id_i:\n");
plogdump(LLV_DEBUG2, s->id_i->v, s->id_i->l);
caddr_t *buf;
int *len;
{
- caddr_t new;
+ struct scheddump *new;
struct sched *p;
struct scheddump *dst;
int cnt = 0;
*len = cnt * sizeof(*dst);
- new = racoon_malloc(*len);
+ new = (struct scheddump *)racoon_malloc(*len);
if (new == NULL)
return -1;
- dst = (struct scheddump *)new;
+ dst = new;
p = TAILQ_FIRST(&sctree);
while (p) {
dst++;
}
- *buf = new;
+ *buf = (caddr_t)new;
return 0;
}
extern pid_t racoon_pid;
extern char logFileStr[];
-extern int launchedbylaunchd(void);
+extern int launchdlaunched;
static void close_session __P((void));
static void check_rtsock __P((void *));
static void initfds __P((void));
int64_t
launchd_update_racoon_keepalive (Boolean enabled)
{
- if (launchedbylaunchd()) {
+ if (launchdlaunched) {
vproc_t vp = vprocmgr_lookup_vproc("com.apple.racoon");
if (vp) {
int64_t val = (__typeof__(val))enabled;
return;
}
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
+ msg = ALIGNED_CAST(struct sadb_msg *)buf->v;
+ end = ALIGNED_CAST(struct sadb_msg *)(buf->v + buf->l);
/* counting SA except of dead one. */
n = 0;
while (msg < end) {
if (PFKEY_UNUNIT64(msg->sadb_msg_len) < sizeof(*msg))
break;
- next = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len));
+ next = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); // Wcast-align fix (void*) - aligned buffer + multiple of 64
if (msg->sadb_msg_type != SADB_DUMP) {
msg = next;
continue;
continue;
}
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
+ sa = ALIGNED_CAST(struct sadb_sa *)(mhp[SADB_EXT_SA]); // Wcast-align fix (void*) - mhp contains pointers to aligned structs
if (!sa) {
msg = next;
continue;
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
+#include <fcntl.h>
#include "var.h"
#include "misc.h"
*/
int
cmpsaddrwop(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
+ const struct sockaddr_storage *addr1;
+ const struct sockaddr_storage *addr2;
{
caddr_t sa1, sa2;
if (addr1 == 0 || addr2 == 0)
return 1;
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
+ if (addr1->ss_len != addr2->ss_len
+ || addr1->ss_family != addr2->ss_family)
return 1;
- switch (addr1->sa_family) {
+ switch (addr1->ss_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
return 0;
}
+/*
+ * compare two sockaddr without port number using prefix.
+ * OUT: 0: equal.
+ * 1: not equal.
+ */
+int
+cmpsaddrwop_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
+{
+ u_int32_t mask;
+ int i;
+
+ if (addr1 == 0 && addr2 == 0)
+ return 0;
+ if (addr1 == 0 || addr2 == 0)
+ return 1;
+
+ if (addr1->ss_len != addr2->ss_len
+ || addr1->ss_family != addr2->ss_family)
+ return 1;
+ switch (addr1->ss_family) {
+ case AF_INET:
+ mask = ~0;
+ mask <<= 32-prefix;
+ if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
+ (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
+ return 1;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ for (i = 0; i < 4; i++) {
+ if (prefix >= 32) {
+ mask = ~0;
+ prefix -= 32;
+ } else if (prefix == 0)
+ mask = 0;
+ else {
+ mask = ~0;
+ mask <<= 32-prefix;
+ prefix = 0;
+ }
+ if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
+ (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
+ return 1;
+ }
+ if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
+ ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
+ return 1;
+ break;
+#endif
+ default:
+ return 1;
+ }
+
+ return 0;
+}
+
+
/*
* compare two sockaddr with port, taking care wildcard.
* addr1 is a subject address, addr2 is in a database entry.
*/
int
cmpsaddrwild(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
+ const struct sockaddr_storage *addr1;
+ const struct sockaddr_storage *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
if (addr1 == 0 || addr2 == 0)
return 1;
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
+ if (addr1->ss_len != addr2->ss_len
+ || addr1->ss_family != addr2->ss_family)
return 1;
- switch (addr1->sa_family) {
+ switch (addr1->ss_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
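Review bot: In the AF_INET branch of cmpsaddrwop_withprefix, `mask <<= 32-prefix;` at L8993 shifts a 32-bit value by 32 when prefix is 0 and by a negative count when prefix exceeds 32, both undefined behaviour; on common targets a shift by 32 leaves `mask` as ~0, so a /0 entry would compare full addresses instead of matching everything. The IPv6 loop handles `prefix == 0` explicitly at L9004, but the IPv4 branch does not, and neither branch rejects a prefix above 32 (IPv4) or 128 (IPv6). Compute the mask behind a guard, e.g. `if (prefix <= 0) mask = 0; else if (prefix >= 32) mask = ~0u; else mask = ~0u << (32 - prefix);`, and reject out-of-range prefixes up front with `return 1`. The same applies to cmpsaddrstrict_withprefix at L9104-9105 and its IPv6 loop later in this diff.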
*/
int
cmpsaddrstrict(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
+ const struct sockaddr_storage *addr1;
+ const struct sockaddr_storage *addr2;
{
caddr_t sa1, sa2;
u_short port1, port2;
if (addr1 == 0 || addr2 == 0)
return 1;
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
+ if (addr1->ss_len != addr2->ss_len
+ || addr1->ss_family != addr2->ss_family)
return 1;
- switch (addr1->sa_family) {
+ switch (addr1->ss_family) {
case AF_INET:
sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
return 0;
}
+/*
+ * compare two sockaddr with strict match on port using prefix.
+ * OUT: 0: equal.
+ * 1: not equal.
+ */
+int
+cmpsaddrstrict_withprefix(const struct sockaddr_storage *addr1, const struct sockaddr_storage *addr2, int prefix)
+{
+ u_short port1, port2;
+ u_int32_t mask;
+ int i;
+
+ if (addr1 == 0 && addr2 == 0)
+ return 0;
+ if (addr1 == 0 || addr2 == 0)
+ return 1;
+
+ if (addr1->ss_len != addr2->ss_len
+ || addr1->ss_family != addr2->ss_family)
+ return 1;
+
+ switch (addr1->ss_family) {
+ case AF_INET:
+ port1 = ((struct sockaddr_in *)addr1)->sin_port;
+ port2 = ((struct sockaddr_in *)addr2)->sin_port;
+ if (port1 != port2)
+ return 1;
+ mask = ~0;
+ mask <<= 32-prefix;
+ if ((((struct sockaddr_in *)addr1)->sin_addr.s_addr & htonl(mask)) !=
+ (((struct sockaddr_in *)addr2)->sin_addr.s_addr & htonl(mask)))
+ return 1;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
+ port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
+ if (port1 != port2)
+ return 1;
+ for (i = 0; i < 4; i++) {
+ if (prefix >= 32) {
+ mask = ~0;
+ prefix -= 32;
+ } else if (prefix == 0)
+ mask = 0;
+ else {
+ mask = ~0;
+ mask <<= 32-prefix;
+ prefix = 0;
+ }
+ if ((((struct sockaddr_in6 *)addr1)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)) !=
+ (((struct sockaddr_in6 *)addr2)->sin6_addr.__u6_addr.__u6_addr32[i] & htonl(mask)))
+ return 1;
+ }
+ if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
+ ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
+ return 1;
+ break;
+#endif
+ default:
+ return 1;
+ }
+
+ return 0;
+}
+
+
/* get local address against the destination. */
-struct sockaddr *
+struct sockaddr_storage *
getlocaladdr(remote)
struct sockaddr *remote;
{
- struct sockaddr *local;
- u_int local_len = sizeof(struct sockaddr_storage);
+ struct sockaddr_storage *local;
+ u_int local_len = sizeof(struct sockaddr);
int s; /* for dummy connection */
/* allocate buffer */
goto err;
}
+ if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put localaddr socket in non-blocking mode\n");
+ }
+
setsockopt_bypass(s, remote->sa_family);
if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
goto err;
}
- if (getsockname(s, local, &local_len) < 0) {
+ if (getsockname(s, (struct sockaddr *)local, &local_len) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"getsockname (%s)\n", strerror(errno));
close(s);
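Review bot: `u_int local_len = sizeof(struct sockaddr);` at L9153 shrinks the length passed to getsockname at L9168 from sizeof(struct sockaddr_storage) to 16 bytes while `local` itself became a `struct sockaddr_storage *`; for an AF_INET6 socket getsockname truncates the 28-byte sockaddr_in6 to that length, and the returned local address loses the tail of sin6_addr and its scope id. Keep `u_int local_len = sizeof(struct sockaddr_storage);` (the allocation under "allocate buffer" is outside the hunk, so confirm it still allocates that much). The `fcntl(..., O_NONBLOCK)` failure at L9158 is only logged while every other failure here jumps to err, and if `s` is a stream socket a non-blocking connect() returns EINPROGRESS and the `< 0` test at L9164 would fail the probe; a comment stating that `s` is a datagram socket and that the flag is best-effort would settle both questions.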
void *buf;
size_t buflen;
int flags;
- struct sockaddr *from;
+ struct sockaddr_storage *from;
socklen_t *fromlen;
- struct sockaddr *to;
+ struct sockaddr_storage *to;
u_int *tolen;
{
int otolen;
- u_int len;
+ ssize_t len;
struct sockaddr_storage ss;
struct msghdr m;
struct cmsghdr *cm, *cm_prev;
struct iovec iov[2];
- u_char cmsgbuf[256];
+ u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
#if defined(INET6) && defined(INET6_ADVAPI)
struct in6_pktinfo *pi;
#endif /*INET6_ADVAPI*/
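Review bot: `u_int32_t cmsgbuf[256/sizeof(u_int32_t)]` at L9190 guarantees 4-byte alignment, which satisfies the `cm = (struct cmsghdr *)cmsgbuf` cast in the next hunk only on platforms where struct cmsghdr needs no more than that; where cmsg_len is a size_t the header wants 8-byte alignment, so the Wcast-align fix encodes a platform assumption rather than the requirement. A union states the requirement directly: `union { struct cmsghdr hdr; u_char buf[256]; } cmsgbuf;` with `cm = &cmsgbuf.hdr;` and `m.msg_controllen = sizeof(cmsgbuf.buf);`. The same buffer is declared again at L9259 in sendfromto.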
cm = (struct cmsghdr *)cmsgbuf;
m.msg_control = (caddr_t)cm;
m.msg_controllen = sizeof(cmsgbuf);
- if ((len = recvmsg(s, &m, flags)) < 0) {
+ while ((len = recvmsg(s, &m, flags)) < 0) {
+ if (errno == EINTR)
+ continue;
plog(LLV_ERROR, LOCATION, NULL,
"recvmsg (%s)\n", strerror(errno));
return -1;
- } else if (len == 0) {
- return 0;
+ }
+ if (len == 0) {
+ return 0;
}
*fromlen = m.msg_namelen;
&& cm->cmsg_level == IPPROTO_IPV6
&& cm->cmsg_type == IPV6_PKTINFO
&& otolen >= sizeof(*sin6)) {
- pi = (struct in6_pktinfo *)(CMSG_DATA(cm));
+ pi = ALIGNED_CAST(struct in6_pktinfo *)(CMSG_DATA(cm));
*tolen = sizeof(*sin6);
sin6 = (struct sockaddr_in6 *)to;
memset(sin6, 0, sizeof(*sin6));
int s, cnt;
const void *buf;
size_t buflen;
- struct sockaddr *src;
- struct sockaddr *dst;
+ struct sockaddr_storage *src;
+ struct sockaddr_storage *dst;
{
struct sockaddr_storage ss;
int len;
int i;
- if (src->sa_family != dst->sa_family) {
+ if (src->ss_family != dst->ss_family) {
plog(LLV_ERROR, LOCATION, NULL,
"address family mismatch\n");
return -1;
plog(LLV_DEBUG, LOCATION, NULL,
"sockname %s\n", saddr2str((struct sockaddr *)&ss));
plog(LLV_DEBUG, LOCATION, NULL,
- "send packet from %s\n", saddr2str(src));
+ "send packet from %s\n", saddr2str((struct sockaddr *)src));
plog(LLV_DEBUG, LOCATION, NULL,
- "send packet to %s\n", saddr2str(dst));
+ "send packet to %s\n", saddr2str((struct sockaddr *)dst));
- if (src->sa_family != ss.ss_family) {
+ if (src->ss_family != ss.ss_family) {
plog(LLV_ERROR, LOCATION, NULL,
"address family mismatch\n");
return -1;
}
- switch (src->sa_family) {
+ switch (src->ss_family) {
#if defined(INET6) && defined(INET6_ADVAPI)
-// XXX: This block wasn't compiled on Linux - does it work?
case AF_INET6:
{
struct msghdr m;
struct cmsghdr *cm;
struct iovec iov[2];
- u_char cmsgbuf[256];
+ u_int32_t cmsgbuf[256/sizeof(u_int32_t)]; // Wcast-align fix - force 32 bit alignment
struct in6_pktinfo *pi;
int ifindex;
struct sockaddr_in6 src6, dst6;
cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
cm->cmsg_level = IPPROTO_IPV6;
cm->cmsg_type = IPV6_PKTINFO;
- pi = (struct in6_pktinfo *)CMSG_DATA(cm);
+ pi = ALIGNED_CAST(struct in6_pktinfo *)CMSG_DATA(cm);
memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
pi->ipi6_ifindex = ifindex;
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
- i + 1, len, saddr2str(dst));
+ i + 1, len, saddr2str((struct sockaddr *)dst));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
int needclose = 0;
int sendsock;
- if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) {
+ if (ss.ss_family == src->ss_family && memcmp(&ss, src, sysdep_sa_len((struct sockaddr *)src)) == 0) {
sendsock = s;
needclose = 0;
} else {
* Better approach is to prepare bind'ed udp sockets for
* each of the interface addresses.
*/
- sendsock = socket(src->sa_family, SOCK_DGRAM, 0);
+ sendsock = socket(src->ss_family, SOCK_DGRAM, 0);
if (sendsock < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"socket (%s)\n", strerror(errno));
return -1;
}
+ if (fcntl(sendsock, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put sendsock socket in non-blocking mode\n");
+ }
if (setsockopt(sendsock, SOL_SOCKET,
SO_REUSEPORT,
(void *)&yes, sizeof(yes)) < 0) {
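Review bot: The new non-blocking setup after socket() overwrites the descriptor's status flags with `O_NONBLOCK` alone instead of or-ing it into the result of `F_GETFL`, and its failure branch omits the errno text that the socket(), bind() and sendto() error paths in this function include. The conventional form is `int fl = fcntl(sendsock, F_GETFL, 0);` then `if (fl == -1 || fcntl(sendsock, F_SETFL, fl | O_NONBLOCK) == -1)` logging `"fcntl O_NONBLOCK (%s)\n", strerror(errno)`. With the socket non-blocking, the sendto() loop further down can now see EAGAIN/EWOULDBLOCK, which that loop logs as a "sendto" error and, from what is visible, does not retry; worth confirming that is intended, and that this file already includes <fcntl.h>, since the commit adds that include only to the launchd-using file. The VPN-Control listener gets the same F_SETFL-without-F_GETFL pattern and the same message shape near `lcconf->sock_vpncontrol`. sendfromto begins and ends outside this hunk.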
return -1;
}
#ifdef IPV6_USE_MIN_MTU
- if (src->sa_family == AF_INET6 &&
+ if (src->ss_family == AF_INET6 &&
setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
(void *)&yes, sizeof(yes)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
return -1;
}
#endif
- if (setsockopt_bypass(sendsock, src->sa_family) < 0) {
+ if (setsockopt_bypass(sendsock, src->ss_family) < 0) {
close(sendsock);
return -1;
}
- if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len(src)) < 0) {
+ if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len((struct sockaddr *)src)) < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"bind 1 (%s)\n", strerror(errno));
close(sendsock);
}
for (i = 0; i < cnt; i++) {
- len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst));
+ len = sendto(sendsock, buf, buflen, 0, (struct sockaddr *)dst, sysdep_sa_len((struct sockaddr *)dst));
if (len < 0) {
plog(LLV_ERROR, LOCATION, NULL,
"sendto (%s)\n", strerror(errno));
plog(LLV_DEBUG, LOCATION, NULL,
"%d times of %d bytes message will be sent "
"to %s\n",
- i + 1, len, saddr2str(dst));
+ i + 1, len, saddr2str((struct sockaddr *)dst));
}
plogdump(LLV_DEBUG, (char *)buf, buflen);
return 0;
}
-struct sockaddr *
+struct sockaddr_storage *
newsaddr(len)
int len;
{
- struct sockaddr *new;
+ struct sockaddr_storage *new;
if ((new = racoon_calloc(1, len)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
goto out;
}
/* initial */
- new->sa_len = len;
+ new->ss_len = len;
out:
return new;
}
-struct sockaddr *
+struct sockaddr_storage *
dupsaddr(src)
struct sockaddr *src;
{
- struct sockaddr *dst;
+ struct sockaddr_storage *dst;
dst = racoon_calloc(1, sysdep_sa_len(src));
if (dst == NULL) {
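Review bot: newsaddr still allocates exactly `len` bytes but now hands the result back as `struct sockaddr_storage *`, so a caller that passes a length shorter than `sizeof(struct sockaddr_storage)` receives an object that the rest of the code may legitimately copy or compare as a full sockaddr_storage, reading past the allocation. str2saddr now passes `sizeof(*saddr)`, but the other callers are not visible here, so the contract belongs above the function, e.g. `/* len must be >= sizeof(struct sockaddr_storage); the buffer is zeroed and ss_len set to len */`, or should be enforced with a check on `len`. Note also that `new->ss_len = len` narrows an int into the 8-bit length field without a range check. dupsaddr, in the same hunk, keeps a `struct sockaddr *` parameter while returning `struct sockaddr_storage *`, which is why its callers now need casts.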
return buf;
}
+char *
+saddr2str_with_prefix(saddr, prefix)
+const struct sockaddr *saddr;
+int prefix;
+{
+ static char buf[NI_MAXHOST + NI_MAXSERV + 10];
+ char addr[NI_MAXHOST], port[NI_MAXSERV];
+
+ if (saddr == NULL) {
+ buf[0] = '\0';
+ return buf;
+ }
+
+ if (saddr->sa_family == AF_UNSPEC)
+ snprintf (buf, sizeof(buf), "%s", "anonymous");
+ else {
+ GETNAMEINFO(saddr, addr, port);
+ snprintf(buf, sizeof(buf), "%s/%d[%s]", addr, prefix, port);
+ }
+
+ return buf;
+}
+
+
char *
saddrwop2str(saddr)
const struct sockaddr *saddr;
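Review bot: saddr2str_with_prefix returns a pointer to a function-static buffer, like the neighbouring saddr2str helpers whose results callers copy with racoon_strdup before calling again, and nothing in the new definition says so; a comment above it such as `/* Returns a static buffer that the next call overwrites; not reentrant, copy before reuse. */` would spare the next caller the surprise. The output is bounded: both snprintf calls use sizeof(buf), and NI_MAXHOST + NI_MAXSERV + 10 leaves room for the slash, a prefix of up to eight digits, the brackets and the terminator, with truncation rather than overflow beyond that. Two nits: `snprintf (buf, ...` has a space before the parenthesis that the second call lacks, and the GETNAMEINFO macro's `(struct sockaddr *)x` cast silently drops the const from `saddr`.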
if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
snprintf(buf, sizeof(buf), "%s", "any");
else {
- snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa));
+ snprintf(buf, sizeof(buf), "%s", saddrwop2str((struct sockaddr *)&naddr->sa.sa));
snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
}
return buf;
return buf;
}
-struct sockaddr *
+struct sockaddr_storage *
str2saddr(host, port)
char *host;
char *port;
{
struct addrinfo hints, *res;
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
int error;
memset(&hints, 0, sizeof(hints));
"taking the first one\n",
host, port ? "," : "", port ? port : "");
}
- saddr = racoon_malloc(res->ai_addrlen);
+ saddr = newsaddr(sizeof(*saddr));
if (saddr == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to allocate buffer.\n");
void
mask_sockaddr(a, b, l)
- struct sockaddr *a;
- const struct sockaddr *b;
+ struct sockaddr_storage *a;
+ const struct sockaddr_storage *b;
size_t l;
{
size_t i;
u_int8_t *p, alen;
- switch (b->sa_family) {
+ switch (b->ss_family) {
case AF_INET:
alen = sizeof(struct in_addr);
p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
#endif
default:
plog(LLV_ERROR2, LOCATION, NULL,
- "invalid address family: %d\n", b->sa_family);
+ "invalid address family: %d\n", b->ss_family);
exit(1);
}
if ((alen << 3) < l) {
plog(LLV_ERROR2, LOCATION, NULL,
- "unexpected inconsistency: %d %zu\n", b->sa_family, l);
+ "unexpected inconsistency: %d %zu\n", b->ss_family, l);
exit(1);
}
- memcpy(a, b, sysdep_sa_len(b));
+ memcpy(a, b, sysdep_sa_len((struct sockaddr *)b));
p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
for (i = l / 8 + 1; i < alen; i++)
p[i] = 0x00;
* 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
*/
int
-naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
+naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr)
{
static const struct netaddr naddr_any; /* initialized to all-zeros */
- struct sockaddr sa;
+ struct sockaddr_storage sa;
u_int16_t naddr_port, saddr_port;
int port_score;
return 0;
/* If families don't match we really can't do much... */
- if (naddr->sa.sa.sa_family != saddr->sa_family)
+ if (naddr->sa.sa.ss_family != saddr->ss_family)
return -1;
/* If port check fail don't bother to check addresses. */
if (loglevel >= LLV_DEBUG) { /* debug only */
char *a1, *a2, *a3;
a1 = racoon_strdup(naddrwop2str(naddr));
- a2 = racoon_strdup(saddrwop2str(saddr));
- a3 = racoon_strdup(saddrwop2str(&sa));
+ a2 = racoon_strdup(saddrwop2str((struct sockaddr *)saddr));
+ a3 = racoon_strdup(saddrwop2str((struct sockaddr *)&sa));
STRDUP_FATAL(a1);
STRDUP_FATAL(a2);
STRDUP_FATAL(a3);
return -1;
}
-/* Some usefull functions for sockaddr port manipulations. */
+/* Some usefull functions for sockaddr_storage port manipulations. */
u_int16_t
-extract_port (const struct sockaddr *addr)
+extract_port (const struct sockaddr_storage *addr)
{
u_int16_t port = -1;
if (!addr)
return port;
- switch (addr->sa_family) {
+ switch (addr->ss_family) {
case AF_INET:
port = ((struct sockaddr_in *)addr)->sin_port;
break;
port = ((struct sockaddr_in6 *)addr)->sin6_port;
break;
default:
- plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
+ plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family);
break;
}
}
u_int16_t *
-get_port_ptr (struct sockaddr *addr)
+get_port_ptr (struct sockaddr_storage *addr)
{
u_int16_t *port_ptr;
if (!addr)
return NULL;
- switch (addr->sa_family) {
+ switch (addr->ss_family) {
case AF_INET:
port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
break;
port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
break;
default:
- plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
+ plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->ss_family);
return NULL;
break;
}
}
u_int16_t *
-set_port (struct sockaddr *addr, u_int16_t new_port)
+set_port (struct sockaddr_storage *addr, u_int16_t new_port)
{
u_int16_t *port_ptr;
struct netaddr {
union {
- struct sockaddr sa;
+ struct sockaddr_storage sa;
struct sockaddr_in sin;
struct sockaddr_in6 sin6;
} sa;
extern const int niflags;
-extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
+extern int cmpsaddrwop __P((const struct sockaddr_storage *, const struct sockaddr_storage *));
+extern int cmpsaddrwop_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int);
+
+extern int cmpsaddrwild __P((const struct sockaddr_storage *, const struct sockaddr_storage *));
+extern int cmpsaddrstrict __P((const struct sockaddr_storage *, const struct sockaddr_storage *));
+extern int cmpsaddrstrict_withprefix(const struct sockaddr_storage *, const struct sockaddr_storage *, int);
#ifdef ENABLE_NATT
#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
#define CMPSADDR2(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
#endif
-extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
+extern struct sockaddr_storage *getlocaladdr __P((struct sockaddr *));
extern int recvfromto __P((int, void *, size_t, int,
- struct sockaddr *, socklen_t *, struct sockaddr *, unsigned int *));
+ struct sockaddr_storage *, socklen_t *, struct sockaddr_storage *, unsigned int *));
extern int sendfromto __P((int, const void *, size_t,
- struct sockaddr *, struct sockaddr *, int));
+ struct sockaddr_storage *, struct sockaddr_storage *, int));
extern int setsockopt_bypass __P((int, int));
-extern struct sockaddr *newsaddr __P((int));
-extern struct sockaddr *dupsaddr __P((struct sockaddr *));
+extern struct sockaddr_storage *newsaddr __P((int));
+extern struct sockaddr_storage *dupsaddr __P((struct sockaddr *));
extern char *saddr2str __P((const struct sockaddr *));
+extern char *saddr2str_with_prefix __P((const struct sockaddr *, int));
extern char *saddrwop2str __P((const struct sockaddr *));
extern char *saddr2str_fromto __P((const char *format,
const struct sockaddr *saddr,
const struct sockaddr *daddr));
-extern struct sockaddr *str2saddr __P((char *, char *));
-extern void mask_sockaddr __P((struct sockaddr *, const struct sockaddr *,
+extern struct sockaddr_storage *str2saddr __P((char *, char *));
+extern void mask_sockaddr __P((struct sockaddr_storage *, const struct sockaddr_storage *,
size_t));
/* struct netaddr functions */
extern char *naddrwop2str __P((const struct netaddr *naddr));
extern char *naddrwop2str_fromto __P((const char *format, const struct netaddr *saddr,
const struct netaddr *daddr));
-extern int naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr);
+extern int naddr_score(const struct netaddr *naddr, const struct sockaddr_storage *saddr);
/* Some usefull functions for sockaddr port manipulations. */
-extern u_int16_t extract_port __P((const struct sockaddr *addr));
-extern u_int16_t *set_port __P((struct sockaddr *addr, u_int16_t new_port));
-extern u_int16_t *get_port_ptr __P((struct sockaddr *addr));
+extern u_int16_t extract_port __P((const struct sockaddr_storage *addr));
+extern u_int16_t *set_port __P((struct sockaddr_storage *addr, u_int16_t new_port));
+extern u_int16_t *get_port_ptr __P((struct sockaddr_storage *addr));
#endif /* _SOCKMISC_H */
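Review bot: The migration to `struct sockaddr_storage *` stops short at `getlocaladdr` and `dupsaddr`, whose parameters stay `struct sockaddr *` while their return values and every surrounding prototype now use sockaddr_storage, so each caller needs a cast (`getlocaladdr((struct sockaddr *)dst)` and `dupsaddr((struct sockaddr *)dst)` in vpn_connect). Finishing the change as `extern struct sockaddr_storage *getlocaladdr __P((struct sockaddr_storage *));` and `extern struct sockaddr_storage *dupsaddr __P((struct sockaddr_storage *));` would remove those casts and keep the header consistent. The two new `_withprefix` prototypes also drop the `__P(())` wrapper the rest of this header uses.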
struct throttle_entry *
throttle_add(addr)
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
{
struct throttle_entry *te;
size_t len;
len = sizeof(*te)
- sizeof(struct sockaddr_storage)
- + sysdep_sa_len(addr);
+ + sysdep_sa_len((struct sockaddr *)addr);
if ((te = racoon_malloc(len)) == NULL)
return NULL;
te->penalty = time(NULL) + isakmp_cfg_config.auth_throttle;
- memcpy(&te->host, addr, sysdep_sa_len(addr));
+ memcpy(&te->host, addr, sysdep_sa_len((struct sockaddr *)addr));
TAILQ_INSERT_HEAD(&throttle_list, te, next);
return te;
int
throttle_host(addr, authfail)
- struct sockaddr *addr;
+ struct sockaddr_storage *addr;
int authfail;
{
struct throttle_entry *te;
goto restart;
}
- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
+ if (cmpsaddrwop(addr, (struct sockaddr_storage *)&te->host) == 0) {
found = 1;
break;
}
#define THROTTLE_PENALTY 1
#define THROTTLE_PENALTY_MAX 10
-struct throttle_entry *throttle_add(struct sockaddr *);
-int throttle_host(struct sockaddr *, int);
+struct throttle_entry *throttle_add(struct sockaddr_storage *);
+int throttle_host(struct sockaddr_storage *, int);
#endif /* _THROTTLE_H */
#define GETNAMEINFO(x, y, z) \
do { \
- if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), (z), sizeof(z), \
+ if (getnameinfo((x), sysdep_sa_len((struct sockaddr *)x), (y), sizeof(y), (z), sizeof(z), \
NIFLAGS) != 0) { \
if (y != NULL) \
strlcpy((y), "(invalid)", sizeof(y)); \
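Review bot: In the GETNAMEINFO macro the new cast is applied to the bare macro argument, `sysdep_sa_len((struct sockaddr *)x)`, whereas every other use of `x`, `y` and `z` in the macro is parenthesised; an argument that is itself an expression (say `p + 1`) would be cast before the arithmetic. Write it `sysdep_sa_len((struct sockaddr *)(x))` here and in GETNAMEINFO_NULL below. The cast also strips const when the argument is a `const struct sockaddr *`, as in saddr2str_with_prefix; since the pre-change macro passed such pointers to sysdep_sa_len uncast, the function appears to accept const already, making the non-const cast unnecessary.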
#define GETNAMEINFO_NULL(x, y) \
do { \
- if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), NULL, 0, \
+ if (getnameinfo((x), sysdep_sa_len((struct sockaddr *)x), (y), sizeof(y), NULL, 0, \
NIFLAGS) != 0) { \
if (y != NULL) \
strlcpy((y), "(invalid)", sizeof(y)); \
#include "gcmalloc.h"
+/* For casting away alignment warnings when casting a ptr to a known aligned buffer */
+#define ALIGNED_CAST(type) (type)(void *)
+
#endif /*!defined(_VAR_H_)*/
#endif /* _VAR_H */
lookup_vendor_id_by_hash (const char *hash)
{
int i;
- unsigned char *h = (unsigned char *)hash;
for (i = 0; i < NUMVENDORIDS; i++)
if (strncmp(all_vendor_ids[i].hash->v, hash,
set_vendorid(int vendorid)
{
struct vendor_id *current;
- vchar_t vid, *new;
if (vendorid == VENDORID_UNKNOWN) {
/*
int
check_vendorid(struct isakmp_gen *gen)
{
- vchar_t vid, *vidhash;
- int i, vidlen;
+ int vidlen;
struct vendor_id *current;
if (gen == NULL)
vpn_connect(struct bound_addr *srv, int oper)
{
int error = -1;
- struct sockaddr *dst;
+ struct sockaddr_storage *dst;
struct remoteconf *rmconf;
- struct sockaddr *remote = NULL;
- struct sockaddr *local = NULL;
+ struct sockaddr_storage *remote = NULL;
+ struct sockaddr_storage *local = NULL;
u_int16_t port;
- dst = racoon_calloc(1, sizeof(struct sockaddr)); // this should come from the bound_addr parameter
+ dst = racoon_calloc(1, sizeof(struct sockaddr_storage)); // this should come from the bound_addr parameter
if (dst == NULL)
goto out;
((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in);
/*
* Find the source address
*/
- if ((local = getlocaladdr(dst)) == NULL) {
+ if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot get local address\n");
goto out1;
if (rmconf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no configuration found "
- "for %s\n", saddrwop2str(dst));
+ "for %s\n", saddrwop2str((struct sockaddr *)dst));
goto out1;
}
/* get remote IP address and port number. */
- if ((remote = dupsaddr(dst)) == NULL) {
+ if ((remote = dupsaddr((struct sockaddr *)dst)) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"failed to duplicate address\n");
goto out1;
}
- switch (remote->sa_family) {
+ switch (remote->ss_family) {
case AF_INET:
((struct sockaddr_in *)remote)->sin_port =
((struct sockaddr_in *)rmconf->remote)->sin_port;
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid family: %d\n",
- remote->sa_family);
+ remote->ss_family);
goto out1;
break;
}
plog(LLV_INFO, LOCATION, NULL,
"accept a request to establish IKE-SA: "
- "%s\n", saddrwop2str(remote));
+ "%s\n", saddrwop2str((struct sockaddr *)remote));
IPSECLOGASLMSG("IPSec connecting to server %s\n",
- saddrwop2str(remote));
+ saddrwop2str((struct sockaddr *)remote));
/* begin ident mode */
if (isakmp_ph1begin_i(rmconf, remote, local, oper) < 0)
}
int
-vpn_disconnect(struct bound_addr *srv)
+vpn_disconnect(struct bound_addr *srv, const char *reason)
{
- struct sockaddr_in saddr;
+ union { // Wcast-align fix - force alignment
+ struct sockaddr_storage ss;
+ struct sockaddr_in saddr;
+ } u;
- bzero(&saddr, sizeof(saddr));
- saddr.sin_len = sizeof(saddr);
- saddr.sin_addr.s_addr = srv->address;
- saddr.sin_port = 0;
- saddr.sin_family = AF_INET;
+ bzero(&u.saddr, sizeof(u.saddr));
+ u.saddr.sin_len = sizeof(u.saddr);
+ u.saddr.sin_addr.s_addr = srv->address;
+ u.saddr.sin_port = 0;
+ u.saddr.sin_family = AF_INET;
IPSECLOGASLMSG("IPSec disconnecting from server %s\n",
- saddrwop2str(&saddr));
+ saddrwop2str((struct sockaddr *)&u.ss));
- ike_sessions_stopped_by_controller(&saddr,
+ ike_sessions_stopped_by_controller(&u.ss,
0,
- ike_session_stopped_by_vpn_disconnect);
- if (purgephXbydstaddrwop((struct sockaddr *)(&saddr)) > 0) {
+ reason);
+ if (purgephXbydstaddrwop(&u.ss) > 0) {
return 0;
} else {
return -1;
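Review bot: In vpn_disconnect only the sockaddr_in member of the new union is zeroed (`bzero(&u.saddr, sizeof(u.saddr))`), yet `&u.ss`, the full sockaddr_storage, is what is passed to ike_sessions_stopped_by_controller and purgephXbydstaddrwop, so the bytes past the sockaddr_in are indeterminate whenever a callee compares or copies by sizeof(struct sockaddr_storage) rather than by sin_len. Zero the whole object instead: `bzero(&u, sizeof(u));`. The START_DPD handler in vpncontrol_process has the same shape with `bzero(&daddr, sizeof(struct sockaddr_in))` before passing `&daddr.ss` to ph1_force_dpd and should get the same fix.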
saddr.sin_addr.s_addr = addr->address;
saddr.sin_port = 0;
saddr.sin_family = AF_INET;
- ph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
+ ph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr));
if (ph1 == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot start phase2 - no phase1 found.\n");
goto fail;
}
- id_ptr = (struct id *)new_sainfo->idsrc->v;
+ id_ptr = ALIGNED_CAST(struct id *)new_sainfo->idsrc->v;
if (ntohl(selector_ptr->src_tunnel_mask) == 0xFFFFFFFF)
id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
else {
id_ptr->port = selector_ptr->src_tunnel_port;
id_ptr->proto_id = selector_ptr->ul_protocol;
- id_ptr = (struct id *)new_sainfo->iddst->v;
+ id_ptr = ALIGNED_CAST(struct id *)new_sainfo->iddst->v;
if (selector_ptr->dst_tunnel_mask == 0xFFFFFFFF)
id_ptr->type = IPSECDOI_ID_IPV4_ADDR;
else {
plog(LLV_ERROR, LOCATION, NULL,"duplicated sainfo: %s\n", sainfo2str(new_sainfo));
goto fail;
}
- plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo));
+ //plog(LLV_DEBUG2, LOCATION, NULL, "create sainfo: %s\n", sainfo2str(new_sainfo));
inssainfo(new_sainfo);
new_sainfo = NULL;
}
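Review bot: The "create sainfo" debug plog is commented out with `//` rather than removed; commented-out code rots in place and the change history already preserves the line. Either delete it, or if it was silenced because it is noisy, say so in a short comment so the next reader does not restore it. The enclosing function continues outside this hunk.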
fail:
if (new_sainfo)
delsainfo(new_sainfo);
- flushsainfo_dynamic(addr);
+ flushsainfo_dynamic((u_int32_t)addr->address);
return -1;
}
if (iph1->mode_cfg->attr_list == NULL)
return 1; /* haven't received configuration yet */
- myaddr = find_myaddr(iph1->local, 0);
+ myaddr = find_myaddr((struct sockaddr *)iph1->local, 0);
if (myaddr == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"unable to find address structure.\n");
saddr.sin_addr.s_addr = address;
saddr.sin_port = 0;
saddr.sin_family = AF_INET;
- iph1 = getph1bydstaddrwop((struct sockaddr *)(&saddr));
+ iph1 = getph1bydstaddrwop((struct sockaddr_storage *)(&saddr));
if (iph1 == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"cannot reply to xauth request - no ph1 found.\n");
}
int
-vpn_assert(struct sockaddr *src_addr, struct sockaddr *dst_addr)
+vpn_assert(struct sockaddr_storage *src_addr, struct sockaddr_storage *dst_addr)
{
if (ike_session_assert(src_addr, dst_addr)) {
plog(LLV_ERROR, LOCATION, NULL,
#include <unistd.h>
#endif
#include <launch.h>
+#include <launch_priv.h>
+#include <fcntl.h>
#include "var.h"
#include "misc.h"
#include "session.h"
#include "gcmalloc.h"
#include "isakmp_cfg.h"
+#include "sainfo.h"
#ifdef ENABLE_VPNCONTROL_PORT
char *vpncontrolsock_path = VPNCONTROLSOCK_PATH;
checklaunchd()
{
launch_data_t checkin_response = NULL;
- launch_data_t checkin_request = NULL;
launch_data_t sockets_dict, listening_fd_array;
launch_data_t listening_fd;
struct sockaddr_storage fdsockaddr;
int fd;
/* check in with launchd */
- if ((checkin_request = launch_data_new_string(LAUNCH_KEY_CHECKIN)) == NULL) {
+ if ((checkin_response = launch_socket_service_check_in()) == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
- "failed to launch_data_new_string.\n");
- goto done;
- }
- if ((checkin_response = launch_msg(checkin_request)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to launch_msg.\n");
+ "failed to launch_socket_service_check_in.\n");
goto done;
}
if (LAUNCH_DATA_ERRNO == launch_data_get_type(checkin_response)) {
for (i = 0; i < listenerct; i++) {
listening_fd = launch_data_array_get_index(listening_fd_array, i);
fd = launch_data_get_fd( listening_fd );
- if ( getsockname( fd , (struct sockaddr*)&fdsockaddr, &fdsockaddrlen)){
+ if ( getsockname( fd , (struct sockaddr *)&fdsockaddr, &fdsockaddrlen)){
continue;
}
/* Is this the VPN control socket? */
- if ( (((struct sockaddr*)&fdsockaddr)->sa_family) == AF_UNIX &&
+ if ( fdsockaddr.ss_family == AF_UNIX &&
(!(strcmp(vpncontrolsock_path, ((struct sockaddr_un *)&fdsockaddr)->sun_path))))
{
plog(LLV_INFO, LOCATION, NULL,
}
done:
- if (checkin_request)
- launch_data_free(checkin_request);
if (checkin_response)
launch_data_free(checkin_response);
return(returnval);
{
struct vpnctl_hdr hdr;
char *combuf = NULL;
- int len;
+ ssize_t len;
/* get buffer length */
while ((len = recv(elem->sock, (char *)&hdr, sizeof(hdr), MSG_PEEK)) < 0) {
if (len == 0) {
plog(LLV_DEBUG, LOCATION, NULL,
"vpn_control socket closed by peer.\n");
+ /* kill all related connections */
+ vpncontrol_disconnect_all(elem, ike_session_stopped_by_controller_comm_lost);
vpncontrol_close_comm(elem);
return -1;
}
vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
{
u_int16_t error = 0;
- struct vpnctl_hdr *hdr = (struct vpnctl_hdr *)combuf;
+ struct vpnctl_hdr *hdr = ALIGNED_CAST(struct vpnctl_hdr *)combuf;
switch (ntohs(hdr->msg_type)) {
case VPNCTL_CMD_BIND:
{
- struct vpnctl_cmd_bind *pkt = (struct vpnctl_cmd_bind *)combuf;
+ struct vpnctl_cmd_bind *pkt = ALIGNED_CAST(struct vpnctl_cmd_bind *)combuf;
struct bound_addr *addr;
plog(LLV_DEBUG, LOCATION, NULL,
case VPNCTL_CMD_UNBIND:
{
- struct vpnctl_cmd_unbind *pkt = (struct vpnctl_cmd_unbind *)combuf;
+ struct vpnctl_cmd_unbind *pkt = ALIGNED_CAST(struct vpnctl_cmd_unbind *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_REDIRECT:
{
- struct vpnctl_cmd_redirect *redirect_msg = (struct vpnctl_cmd_redirect *)combuf;
+ struct vpnctl_cmd_redirect *redirect_msg = ALIGNED_CAST(struct vpnctl_cmd_redirect *)combuf;
struct redirect *raddr;
struct redirect *t_raddr;
int found = 0;
case VPNCTL_CMD_XAUTH_INFO:
{
- struct vpnctl_cmd_xauth_info *pkt = (struct vpnctl_cmd_xauth_info *)combuf;
+ struct vpnctl_cmd_xauth_info *pkt = ALIGNED_CAST(struct vpnctl_cmd_xauth_info *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
void *attr_list;
case VPNCTL_CMD_CONNECT:
{
- struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf;
+ struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_DISCONNECT:
{
- struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf;
+ struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
/* stop the connection */
- error = vpn_disconnect(addr);
+ error = vpn_disconnect(addr, ike_session_stopped_by_vpn_disconnect);
break;
}
}
case VPNCTL_CMD_START_PH2:
{
- struct vpnctl_cmd_start_ph2 *pkt = (struct vpnctl_cmd_start_ph2 *)combuf;
+ struct vpnctl_cmd_start_ph2 *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_ph2 *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_START_DPD:
{
- struct vpnctl_cmd_start_dpd *pkt = (struct vpnctl_cmd_start_dpd *)combuf;
+ struct vpnctl_cmd_start_dpd *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_dpd *)combuf;
struct bound_addr *srv;
struct bound_addr *t_addr;
"received start_dpd command on vpn control socket.\n");
LIST_FOREACH_SAFE(srv, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == srv->address) {
- struct sockaddr_in daddr;
+ union { // Wcast-align fix - force alignment
+ struct sockaddr_storage ss;
+ struct sockaddr_in addr_in;
+ } daddr;
- bzero(&daddr, sizeof(daddr));
- daddr.sin_len = sizeof(daddr);
- daddr.sin_addr.s_addr = srv->address;
- daddr.sin_port = 0;
- daddr.sin_family = AF_INET;
+ bzero(&daddr, sizeof(struct sockaddr_in));
+ daddr.addr_in.sin_len = sizeof(struct sockaddr_in);
+ daddr.addr_in.sin_addr.s_addr = srv->address;
+ daddr.addr_in.sin_port = 0;
+ daddr.addr_in.sin_family = AF_INET;
/* start the dpd */
- error = ph1_force_dpd(&daddr);
+ error = ph1_force_dpd(&daddr.ss);
break;
}
}
case VPNCTL_CMD_ASSERT:
{
- struct vpnctl_cmd_assert *pkt = (struct vpnctl_cmd_assert *)combuf;
+ struct vpnctl_cmd_assert *pkt = ALIGNED_CAST(struct vpnctl_cmd_assert *)combuf;
// struct bound_addr *addr;
// struct bound_addr *t_addr;
struct sockaddr_in saddr;
daddr.sin_port = 0;
daddr.sin_family = AF_INET;
- error = vpn_assert((struct sockaddr *)&saddr, (struct sockaddr *)&daddr);
+ error = vpn_assert((struct sockaddr_storage *)&saddr, (struct sockaddr_storage *)&daddr);
break;
// }
// }
case VPNCTL_CMD_RECONNECT:
{
- struct vpnctl_cmd_connect *pkt = (struct vpnctl_cmd_connect *)combuf;
+ struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
static int
vpncontrol_reply(int so, char *combuf)
{
- size_t tlen;
+ ssize_t tlen;
tlen = send(so, combuf, sizeof(struct vpnctl_hdr), 0);
if (tlen < 0) {
struct vpnctl_status_need_authinfo *msg = NULL;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
- size_t tlen, msg_size;
+ size_t msg_size;
+ ssize_t tlen;
u_int32_t address;
void *ptr;
}
msg->hdr.flags = 0;
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
else
goto end; // for now
struct vpnctl_status_failed *msg = NULL;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
- size_t tlen, len;
+ size_t len;
+ ssize_t tlen;
len = sizeof(struct vpnctl_status_failed) + data_len;
struct vpnctl_status_phase_change *msg;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
- size_t tlen, msg_size;
+ ssize_t tlen;
+ size_t msg_size;
u_int32_t address;
plog(LLV_DEBUG, LOCATION, NULL,
return -1;
}
if (iph1) {
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
else
goto end; // for now
(from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER)
: VPNCTL_STATUS_PH1_ESTABLISHED);
} else {
- if (iph2->dst->sa_family == AF_INET)
+ if (iph2->dst->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
else
goto end; // for now
struct vpnctl_status_peer_resp msg;
struct vpnctl_socket_elem *sock_elem;
struct bound_addr *bound_addr;
- size_t tlen;
+ ssize_t tlen;
int rc = -1;
bzero(&msg, sizeof(msg));
int rc;
if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) {
- if (iph1->remote->sa_family == AF_INET)
+ if (iph1->remote->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
else
address = 0;
int rc;
if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) {
- if (iph2->dst->sa_family == AF_INET)
+ if (iph2->dst->ss_family == AF_INET)
address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
else
address = 0;
return -1;
}
+ if (fcntl(lcconf->sock_vpncontrol, F_SETFL, O_NONBLOCK) == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to put VPN-Control socket in non-blocking mode\n");
+ }
+
unlink(sunaddr.sun_path);
if (bind(lcconf->sock_vpncontrol, (struct sockaddr *)&sunaddr,
sizeof(sunaddr)) != 0) {
}
}
+void
+vpncontrol_disconnect_all(struct vpnctl_socket_elem *elem, const char *reason)
+{
+ struct bound_addr *addr;
+ struct bound_addr *t_addr;
+
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "received disconnect all command.\n");
+
+ LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+ /* stop any connections */
+ vpn_disconnect(addr, reason);
+ }
+}
+
void
vpncontrol_close()
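Review bot: vpncontrol_disconnect_all logs "received disconnect all command", but its caller in the receive path invokes it when the control socket is closed by the peer, not on a command, so the message misdescribes that case; `"disconnecting all bound addresses.\n"` fits both callers. The return value of vpn_disconnect is discarded in the loop; if a failed disconnect should be visible, log it at LLV_ERROR here rather than continuing silently. The `reason` pointer is forwarded unchecked, which is fine as long as callers pass only the ike_session_stopped_by_* constants.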
extern void vpncontrol_close __P((void));
extern int vpn_control_connected __P((void));
extern int vpn_connect __P((struct bound_addr *, int));
-extern int vpn_disconnect __P((struct bound_addr *));
+extern int vpn_disconnect __P((struct bound_addr *, const char *));
+extern void vpncontrol_disconnect_all __P((struct vpnctl_socket_elem *, const char *));
extern int vpn_start_ph2 __P((struct bound_addr *, struct vpnctl_cmd_start_ph2 *));
extern int vpncontrol_notify_need_authinfo __P((struct ph1handle *, void*, size_t));
extern int vpncontrol_notify_peer_resp_ph1 __P((u_int16_t, struct ph1handle*));
extern int vpncontrol_notify_peer_resp_ph2 __P((u_int16_t, struct ph2handle*));
-extern int vpn_assert __P((struct sockaddr *, struct sockaddr *));
+extern int vpn_assert __P((struct sockaddr_storage *, struct sockaddr_storage *));
#endif /* _VPN_CONTROL_VAR_H */
#include <errno.h>
#include <stdlib.h>
+#include "var.h"
#include "libpfkey.h"
#include "vchar.h"
#include "extern.h"
int dplen;
{
struct sadb_msg *msg;
- char buf[BUFSIZ];
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ char buf[BUFSIZ];
+ } u_buf;
int l, l0;
struct sadb_address m_addr;
struct addrinfo *s, *d;
int saved_level, saved_id = 0;
#endif
- msg = (struct sadb_msg *)buf;
+ msg = (struct sadb_msg *)&u_buf;
if (!srcs || !dsts)
return -1;
setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
l = sizeof(struct sadb_msg);
- sp = (struct sadb_x_policy*) (buf + l);
- memcpy(buf + l, policy->buf, policy->len);
+ sp = ALIGNED_CAST(struct sadb_x_policy*)(u_buf.buf + l);
+ memcpy(u_buf.buf + l, policy->buf, policy->len);
l += policy->len;
l0 = l;
(splen >= 0 ? splen : plen);
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), (caddr_t)sa, salen);
/* set dst */
(dplen >= 0 ? dplen : plen);
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), sa, salen);
msg->sadb_msg_len = PFKEY_UNIT64(l);
- sendkeymsg(buf, l);
+ sendkeymsg(u_buf.buf, l);
#ifdef HAVE_POLICY_FWD
/* create extra call for FWD policy */
vchar_t *policy;
{
struct sadb_msg *msg;
- char buf[BUFSIZ];
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ char buf[BUFSIZ];
+ } u_buf;
int l, l0;
#ifdef SADB_X_EXT_TAG
struct sadb_x_tag m_tag;
#endif
int n;
- msg = (struct sadb_msg *)buf;
+ msg = (struct sadb_msg *)&u_buf;
/* fix up length afterwards */
setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
l = sizeof(struct sadb_msg);
- memcpy(buf + l, policy->buf, policy->len);
+ memcpy(u_buf.buf + l, policy->buf, policy->len);
l += policy->len;
l0 = l;
msg->sadb_msg_len = PFKEY_UNIT64(l);
- sendkeymsg(buf, l);
+ sendkeymsg(u_buf.buf, l);
return 0;
}
int no_spi;
{
struct sadb_msg *msg;
- char buf[BUFSIZ];
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ char buf[BUFSIZ];
+ } u_buf;
int l, l0, len;
struct sadb_sa m_sa;
struct sadb_x_sa2 m_sa2;
struct sockaddr *sa;
int salen;
- msg = (struct sadb_msg *)buf;
+ msg = (struct sadb_msg *)&u_buf;
if (!srcs || !dsts)
return -1;
m_sa.sadb_sa_encrypt = p_alg_enc;
m_sa.sadb_sa_flags = p_ext;
- memcpy(buf + l, &m_sa, len);
+ memcpy(u_buf.buf + l, &m_sa, len);
l += len;
len = sizeof(struct sadb_x_sa2);
m_sa2.sadb_x_sa2_mode = p_mode;
m_sa2.sadb_x_sa2_reqid = p_reqid;
- memcpy(buf + l, &m_sa2, len);
+ memcpy(u_buf.buf + l, &m_sa2, len);
l += len;
}
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), sa, salen);
/* set dst */
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), sa, salen);
msg->sadb_msg_len = PFKEY_UNIT64(l);
- sendkeymsg(buf, l);
+ sendkeymsg(u_buf.buf, l);
n++;
}
#ifdef SADB_X_EXT_NAT_T_TYPE
static u_int16_t get_port (struct addrinfo *addr)
{
- struct sockaddr *s = addr->ai_addr;
+ struct sockaddr_storage *s = addr->ai_addr;
u_int16_t port = 0;
switch (s->sa_family) {
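Review bot: get_port assigns `addr->ai_addr` (a `struct sockaddr *`) to `struct sockaddr_storage *s` without a cast and then switches on `s->sa_family`, a member sockaddr_storage does not have; this cannot compile wherever SADB_X_EXT_NAT_T_TYPE is defined, and only the surrounding `#ifdef` hides it on builds that lack it. Either keep the original `struct sockaddr *s = addr->ai_addr;`, since nothing here needs the storage type, or cast the assignment and switch on `s->ss_family`. get_port's body continues outside this hunk.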
struct addrinfo *dsts;
{
struct sadb_msg *msg;
- char buf[BUFSIZ];
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ char buf[BUFSIZ];
+ } u_buf;
int l, l0, len;
struct sadb_sa m_sa;
struct sadb_x_sa2 m_sa2;
struct sockaddr *sa;
int salen;
- msg = (struct sadb_msg *)buf;
+ msg = (struct sadb_msg *)&u_buf;
if (!srcs || !dsts)
return -1;
m.key.sadb_key_bits = p_key_enc_len * 8;
m.key.sadb_key_reserved = 0;
- setvarbuf(buf, &l, &m.ext, sizeof(m.key),
+ setvarbuf(u_buf.buf, &l, &m.ext, sizeof(m.key),
p_key_enc, p_key_enc_len);
}
m.key.sadb_key_bits = p_key_auth_len * 8;
m.key.sadb_key_reserved = 0;
- setvarbuf(buf, &l, &m.ext, sizeof(m.key),
+ setvarbuf(u_buf.buf, &l, &m.ext, sizeof(m.key),
p_key_auth, p_key_auth_len);
}
m_lt.sadb_lifetime_addtime = p_lt_hard;
m_lt.sadb_lifetime_usetime = 0;
- memcpy(buf + l, &m_lt, slen);
+ memcpy(u_buf.buf + l, &m_lt, slen);
l += slen;
}
m_lt.sadb_lifetime_addtime = p_lt_soft;
m_lt.sadb_lifetime_usetime = 0;
- memcpy(buf + l, &m_lt, slen);
+ memcpy(u_buf.buf + l, &m_lt, slen);
l += slen;
}
m_sa.sadb_sa_encrypt = p_alg_enc;
m_sa.sadb_sa_flags = p_ext;
- memcpy(buf + l, &m_sa, len);
+ memcpy(u_buf.buf + l, &m_sa, len);
l += len;
len = sizeof(struct sadb_x_sa2);
m_sa2.sadb_x_sa2_mode = p_mode;
m_sa2.sadb_x_sa2_reqid = p_reqid;
- memcpy(buf + l, &m_sa2, len);
+ memcpy(u_buf.buf + l, &m_sa2, len);
l += len;
#ifdef SADB_X_EXT_NAT_T_TYPE
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), sa, salen);
/* set dst */
m_addr.sadb_address_prefixlen = plen;
m_addr.sadb_address_reserved = 0;
- setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
+ setvarbuf(u_buf.buf, &l, (struct sadb_ext *)&m_addr,
sizeof(m_addr), sa, salen);
#ifdef SADB_X_EXT_NAT_T_TYPE
#endif
msg->sadb_msg_len = PFKEY_UNIT64(l);
- sendkeymsg(buf, l);
+ sendkeymsg(u_buf.buf, l);
n++;
}
#endif
#include "config.h"
+#include "var.h"
#include "libpfkey.h"
//#include "package_version.h"
#define extern /* so that variables in extern.h are not extern... */
promisc()
{
struct sadb_msg msg;
- u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
+ } u_buf;
ssize_t l;
msg.sadb_msg_version = PF_KEY_V2;
while (1) {
struct sadb_msg *base;
- if ((l = recv(so, rbuf, sizeof(*base), MSG_PEEK)) < 0) {
+ if ((l = recv(so, u_buf.rbuf, sizeof(*base), MSG_PEEK)) < 0) {
err(1, "recv");
/*NOTREACHED*/
}
if (l != sizeof(*base))
continue;
- base = (struct sadb_msg *)rbuf;
- if ((l = recv(so, rbuf, PFKEY_UNUNIT64(base->sadb_msg_len),
+ base = (struct sadb_msg *)&u_buf;
+ if ((l = recv(so, u_buf.rbuf, PFKEY_UNUNIT64(base->sadb_msg_len),
0)) < 0) {
err(1, "recv");
/*NOTREACHED*/
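Review bot: The second receive at the new line `if ((l = recv(so, u_buf.rbuf, PFKEY_UNUNIT64(base->sadb_msg_len),` still passes the length taken from the peeked header as the read size with no comparison against `sizeof(u_buf.rbuf)`; the union fixes alignment, but a message whose `sadb_msg_len` exceeds the 32 KiB buffer would be written past the end of the stack buffer. Clamp before the call, e.g. `size_t want = PFKEY_UNUNIT64(base->sadb_msg_len); if (want > sizeof(u_buf.rbuf)) errx(1, "PF_KEY message too large: %zu", want);` and pass `want` to recv(). Whether the kernel can emit such a message is not visible here, but nothing else in the loop bounds it, and the "XXX: Enough ?" comment on the buffer suggests the author had the same doubt. The promisc loop body continues past the hunk.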
for (i = 0; i < l; i++) {
if (i % 16 == 0)
printf("%08x: ", i);
- printf("%02x ", rbuf[i] & 0xff);
+ printf("%02x ", u_buf.rbuf[i] & 0xff);
if (i % 16 == 15)
printf("\n");
}
char *buf;
size_t len;
{
- u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
+ union { // Wcast-align fix - force alignment
+ u_int64_t force_align;
+ u_char rbuf[1024 * 32]; /* XXX: Enough ? Should I do MSG_PEEK ? */
+ } u_buf;
ssize_t l;
struct sadb_msg *msg;
shortdump_hdr();
again:
if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)buf);
+ kdebug_sadb(ALIGNED_CAST(struct sadb_msg *)buf); // Wcast-align fix - aligned message buffer
printf("\n");
}
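Review bot: The comment on the new line `kdebug_sadb(ALIGNED_CAST(struct sadb_msg *)buf); // Wcast-align fix - aligned message buffer` asserts a property of the caller's buffer that this function cannot see: `buf` is a plain `char *` parameter declared above this hunk, and ALIGNED_CAST only silences the warning rather than establishing alignment. The visible callers now pass the union-backed `u_buf.buf`, so the claim holds for them, but any future caller handing in an arbitrary byte buffer would silently reintroduce the misaligned access this change is meant to remove. Record the precondition at the parameter, e.g. `/* buf must be aligned for struct sadb_msg; callers pass the u_int64_t-aligned union buffer */`, or enforce it next to the cast with `assert(((uintptr_t)buf % sizeof(u_int64_t)) == 0);`. The enclosing function starts before the hunk.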
if (f_hexdump) {
goto end;
}
- msg = (struct sadb_msg *)rbuf;
+ msg = (struct sadb_msg *)&u_buf;
do {
- if ((l = recv(so, rbuf, sizeof(rbuf), 0)) < 0) {
+ if ((l = recv(so, u_buf.rbuf, sizeof(u_buf.rbuf), 0)) < 0) {
perror("recv");
goto end;
}
}
if (f_verbose) {
- kdebug_sadb((struct sadb_msg *)rbuf);
+ kdebug_sadb((struct sadb_msg *)&u_buf);
printf("\n");
}
if (postproc(msg, l) < 0)
struct sadb_sa *sa;
pfkey_align(msg, mhp);
pfkey_check(mhp);
- if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
+ if ((sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) { // Wcast-align (void*) - buffer of pointers to aligned structs in malloc'd buffer
if (sa->sadb_sa_state == SADB_SASTATE_DEAD)
break;
}
else
pfkey_sadump(msg);
}
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
+ msg = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg +
+ PFKEY_UNUNIT64(msg->sadb_msg_len)); // Wcast-align fix (void*) - aligned msg buffer passed into function
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
printf("\n");
else
pfkey_spdump(msg);
if (msg->sadb_msg_seq == 0) break;
- msg = (struct sadb_msg *)((caddr_t)msg +
+ msg = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + // Wcast-align fix (void*) - aligned msg buffer passed into function
PFKEY_UNUNIT64(msg->sadb_msg_len));
if (f_verbose) {
kdebug_sadb((struct sadb_msg *)msg);
ep = rbuf + l;
while (p < ep) {
- msg = (struct sadb_msg *)p;
+ msg = ALIGNED_CAST(struct sadb_msg *)p;
len = PFKEY_UNUNIT64(msg->sadb_msg_len);
postproc(msg, len);
p += len;
}
-
+
return (0);
}
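Review bot: The walk at `msg = ALIGNED_CAST(struct sadb_msg *)p; len = PFKEY_UNUNIT64(msg->sadb_msg_len); postproc(msg, len); p += len;` reads the header length out of each message without first checking that a whole `struct sadb_msg` fits before `ep`, that `len` is non-zero (a zero length never advances `p`), or that `p + len` stays within `ep`, so a short or malformed read hands an oversized `len` to postproc(). Since the cast is now the line that dereferences the message it is the natural place for the guard: `if (ep - p < (ptrdiff_t)sizeof(*msg)) break;` before the cast and `if (len < sizeof(*msg) || len > ep - p) break;` after computing `len` (the declared types of `p` and `len` are outside the hunk, so the comparisons may need adjusting). The same unchecked advance appears at the two earlier `msg = ALIGNED_CAST(struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len))` hunks. Note also that `ep = rbuf + l;` still refers to a bare `rbuf`, so this buffer, declared outside the hunk, apparently was not moved into an aligned union like the others; if it is a plain `u_char` array the ALIGNED_CAST here only hides the misalignment rather than fixing it. The enclosing function starts before this hunk.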
printf(" %-3s", STR_OR_ID(msg->sadb_msg_satype, satype));
- if ((sa = (struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
+ if ((sa = ALIGNED_CAST(struct sadb_sa *)mhp[SADB_EXT_SA]) != NULL) {
printf(" %-1s", STR_OR_ID(sa->sadb_sa_state, sastate));
printf(" %08x", (u_int32_t)ntohl(sa->sadb_sa_spi));
} else
printf("%-1s %-8s", "?", "?");
- lts = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
- lth = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
- ltc = (struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
+ lts = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_SOFT];
+ lth = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_HARD];
+ ltc = ALIGNED_CAST(struct sadb_lifetime *)mhp[SADB_EXT_LIFETIME_CURRENT];
if (lts && lth && ltc) {
if (ltc->sadb_lifetime_addtime == 0)
t = (u_long)0;
printf(" ");
- if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) {
+ if ((saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]) != NULL) {
if (saddr->sadb_address_proto)
printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
- s = (struct sockaddr *)(saddr + 1);
- getnameinfo(s, sysdep_sa_len(s), buf, sizeof(buf),
+ s = (struct sockaddr *)(saddr + 1);
+ getnameinfo(s, sysdep_sa_len((struct sockaddr *)s), buf, sizeof(buf),
pbuf, sizeof(pbuf), NI_NUMERICHOST|NI_NUMERICSERV);
if (strcmp(pbuf, "0") != 0)
printf("%s[%s]", buf, pbuf);
printf(" -> ");
- if ((saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) {
+ if ((saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]) != NULL) {
if (saddr->sadb_address_proto)
printf("%s ", STR_OR_ID(saddr->sadb_address_proto, ipproto));
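Review bot: The cast in the new line `getnameinfo(s, sysdep_sa_len((struct sockaddr *)s), buf, sizeof(buf),` is a no-op if `s` keeps the `struct sockaddr *` type that the preceding new line `s = (struct sockaddr *)(saddr + 1);` assigns into it, and both lines are otherwise identical to the ones they replace. If `s` was instead redeclared as `struct sockaddr_storage *` outside the hunk, as this change does for similar variables elsewhere, then it is the assignment that should cast to that type and getnameinfo's first argument that needs the `(struct sockaddr *)` cast, since it takes `const struct sockaddr *`. Either way one of the two casts is in the wrong place; settle on the declared type of `s` and cast consistently. The declaration of `s` and the start of the enclosing function are outside the hunk.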
isa = PBXAggregateTarget;
buildConfigurationList = 25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */;
buildPhases = (
- 72265DD80F818ED700730A7D /* CopyFiles */,
- BAA6806112B17CF900ACF6D3 /* CopyFiles */,
);
dependencies = (
- 25D3DDE30989AFDE0025F703 /* PBXTargetDependency */,
- 25D3DDE50989AFE50025F703 /* PBXTargetDependency */,
- 25D3DDE70989AFE90025F703 /* PBXTargetDependency */,
- 254347D109DCBAF8007943DE /* PBXTargetDependency */,
- 25DE3DB609EC27B900147420 /* PBXTargetDependency */,
+ 815C35FB152520C000502220 /* PBXTargetDependency */,
+ 815C35F9152520BC00502220 /* PBXTargetDependency */,
);
name = "IPSec (Aggregate)";
productName = "IPSec (Aggregate)";
name = "IPSec Embedded (Aggregate)";
productName = "IPSec (Aggregate) Embedded";
};
+ 815C35E61525201900502220 /* Project_base */ = {
+ isa = PBXAggregateTarget;
+ buildConfigurationList = 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */;
+ buildPhases = (
+ 815C35FC152522A900502220 /* CopyFiles */,
+ 815C35FD152522AC00502220 /* CopyFiles */,
+ );
+ dependencies = (
+ 815C35F11525208900502220 /* PBXTargetDependency */,
+ );
+ name = Project_base;
+ productName = Project_base;
+ };
+ 815C35EB1525203F00502220 /* Project_executables */ = {
+ isa = PBXAggregateTarget;
+ buildConfigurationList = 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */;
+ buildPhases = (
+ );
+ dependencies = (
+ 815C35F71525209800502220 /* PBXTargetDependency */,
+ 815C35F51525209400502220 /* PBXTargetDependency */,
+ 815C35F31525209000502220 /* PBXTargetDependency */,
+ );
+ name = Project_executables;
+ productName = Project_executables;
+ };
/* End PBXAggregateTarget section */
/* Begin PBXBuildFile section */
2543476409DCB396007943DE /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; };
2543476709DCB400007943DE /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; };
2543476909DCB420007943DE /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
- 2543477109DCB492007943DE /* plainrsa-gen.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FC0988657000D15623 /* plainrsa-gen.c */; };
- 2543478A09DCB49C007943DE /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; };
- 2543478C09DCB4A6007943DE /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; };
- 254347A909DCB6C8007943DE /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
- 254347AB09DCB6D6007943DE /* str2val.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591D0988657000D15623 /* str2val.c */; };
- 254347B809DCB84D007943DE /* test-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 252DF9610989B4EE00E5B678 /* test-policy.c */; };
- 254347C809DCBA1B007943DE /* test-pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 254347C709DCBA1B007943DE /* test-pfkey.c */; };
258CF2CB0A19197400166B38 /* setkey.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F258890988648C00D15623 /* setkey.8 */; };
258CF2CD0A1919A800166B38 /* ipsec_set_policy.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9540989B4EE00E5B678 /* ipsec_set_policy.3 */; };
258CF2CE0A1919AF00166B38 /* ipsec_strerror.3 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 252DF9550989B4EE00E5B678 /* ipsec_strerror.3 */; };
258CF2D20A191A0600166B38 /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; };
- 258CF2D40A191A5000166B38 /* plainrsa-gen.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F258FB0988657000D15623 /* plainrsa-gen.8 */; };
258CF2E10A191A9200166B38 /* racoon.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F259090988657000D15623 /* racoon.8 */; };
258CF2E40A191AD500166B38 /* racoon.conf.5 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590A0988657000D15623 /* racoon.conf.5 */; };
- 25BC48740A0BC7B000A181A0 /* eaytest.c in Sources */ = {isa = PBXBuildFile; fileRef = 25BC48730A0BC7B000A181A0 /* eaytest.c */; };
- 25BE7E0109E5D3F4009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
- 25BE7E1209E5D550009B6B84 /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; };
- 25BE7E1309E5D555009B6B84 /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; };
- 25BE7E1B09E5D5D9009B6B84 /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; };
- 25BE7E2E09E5D709009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
- 25BE7E3809E5D80E009B6B84 /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; };
- 25BE7E3E09E5D906009B6B84 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; };
- 25BE7E4009E5D92C009B6B84 /* logger.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EB0988657000D15623 /* logger.c */; };
- 25BE7E5709E5DC4D009B6B84 /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; };
- 25BE7E5A09E5DCBD009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
- 25BE7E5E09E5DCF5009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
- 25BE7E6009E5DD04009B6B84 /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; };
- 25BE7E6309E5DD38009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
- 25BE7E7609E5DDBA009B6B84 /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; };
- 25BE7E7709E5DDBE009B6B84 /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; };
- 25BE7E7F09E5DE4C009B6B84 /* pfkey_dump.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777ED09ABE58400C99783 /* pfkey_dump.c */; };
- 25BE7E8209E5DE8D009B6B84 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
- 25BE7E8809E5E499009B6B84 /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
- 25BE7E8A09E5E4A6009B6B84 /* key_debug.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F777B909ABE3E100C99783 /* key_debug.c */; };
- 25BE7E8E09E5E5BE009B6B84 /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; };
- 25BE7E9009E5E61F009B6B84 /* misc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258EE0988657000D15623 /* misc.c */; };
- 25BE7E9209E5E635009B6B84 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
- 25DC9EC909DB0FBB00C89F86 /* rsalist.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259100988657000D15623 /* rsalist.c */; };
25DC9ED409DB16F300C89F86 /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; };
25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E10988657000D15623 /* isakmp_unity.c */; };
25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258E40988657000D15623 /* isakmp_xauth.c */; };
- 25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */ = {isa = PBXBuildFile; fileRef = 25E08C9A09D9E64A001A11CF /* rsaparse.o */; };
25DE2DE90A8BD40E0010A46D /* vpn_control.c in Sources */ = {isa = PBXBuildFile; fileRef = 25DE2DE60A8BD40E0010A46D /* vpn_control.c */; };
- 25E08C9E09D9E681001A11CF /* prsa_par.y in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBA809D8B727002DC960 /* prsa_par.y */; };
- 25E08C9F09D9E682001A11CF /* prsa_tok.l in Sources */ = {isa = PBXBuildFile; fileRef = 2589CBAA09D8B727002DC960 /* prsa_tok.l */; };
25EAE84809D879700042CC7F /* libssl.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84709D879700042CC7F /* libssl.dylib */; };
25EAE84B09D879DE0042CC7F /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE84A09D879DE0042CC7F /* libcrypto.dylib */; };
25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 25EAE87609D87A770042CC7F /* libiconv.dylib */; };
25F258900988648C00D15623 /* parse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258870988648C00D15623 /* parse.y */; };
25F258910988648C00D15623 /* setkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588A0988648C00D15623 /* setkey.c */; };
25F258940988648C00D15623 /* token.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F2588D0988648C00D15623 /* token.l */; };
- 25F258A80988651000D15623 /* rijndael-alg-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A10988651000D15623 /* rijndael-alg-fst.c */; };
- 25F258A90988651000D15623 /* rijndael-api-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A30988651000D15623 /* rijndael-api-fst.c */; };
25F259280988657000D15623 /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; };
25F259290988657000D15623 /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; };
25F2592A0988657000D15623 /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; };
25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; };
25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; };
25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
- 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; };
- 812530C00D3FE9DC006BDF4F /* rijndael-alg-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A10988651000D15623 /* rijndael-alg-fst.c */; };
- 812530C10D3FE9DC006BDF4F /* rijndael-api-fst.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258A30988651000D15623 /* rijndael-api-fst.c */; };
812530C20D3FE9DC006BDF4F /* admin.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AC0988657000D15623 /* admin.c */; };
812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; };
812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B10988657000D15623 /* backupsa.c */; };
8125311E0D3FEA33006BDF4F /* pfkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 25D949A209A6AAD700CA0F24 /* pfkey.c */; };
812531220D3FEA33006BDF4F /* racoonctl.8 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 25F2590B0988657000D15623 /* racoonctl.8 */; };
812A64ED0D4AA082004CB7EB /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 812A64EC0D4AA082004CB7EB /* Security.framework */; };
+ 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
+ 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
8167917B0D650BAA006B523F /* racoon.conf in CopyFiles */ = {isa = PBXBuildFile; fileRef = 8187103A0D5BE18800C7B441 /* racoon.conf */; };
8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8176A6B80D45661700BC5251 /* libldap.dylib */; };
817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */; };
BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
- BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
remoteInfo = libipsec;
};
- 254347D009DCBAF8007943DE /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 2543476E09DCB477007943DE;
- remoteInfo = "plainrsa-gen";
- };
- 25BE7E0309E5D3FE009B6B84 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
- remoteInfo = libipsec;
- };
- 25BE7E2F09E5D710009B6B84 /* PBXContainerItemProxy */ = {
+ 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
- remoteInfo = libipsec;
+ remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F;
+ remoteInfo = "racoon arm";
};
- 25BE7E5B09E5DCC5009B6B84 /* PBXContainerItemProxy */ = {
+ 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
- remoteInfo = libipsec;
+ remoteGlobalIDString = 812531120D3FEA33006BDF4F;
+ remoteInfo = "racoonctl arm";
};
- 25BE7E7B09E5DE28009B6B84 /* PBXContainerItemProxy */ = {
+ 815C35F01525208900502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
remoteInfo = libipsec;
};
- 25D3DDE20989AFDE0025F703 /* PBXContainerItemProxy */ = {
+ 815C35F21525209000502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
remoteGlobalIDString = 25F258040987FBFA00D15623;
remoteInfo = racoon;
};
- 25D3DDE40989AFE50025F703 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 25F258090987FC1500D15623;
- remoteInfo = setkey;
- };
- 25D3DDE60989AFE90025F703 /* PBXContainerItemProxy */ = {
+ 815C35F41525209400502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
remoteGlobalIDString = 25F2580E0987FC3400D15623;
remoteInfo = racoonctl;
};
- 25DE3DB509EC27B900147420 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 23D2D790087071FC00C51098 /* Project object */;
- proxyType = 1;
- remoteGlobalIDString = 2537A1A709E4864800D0ECDA;
- remoteInfo = libipsec;
- };
- 25E08CE909D9F0A2001A11CF /* PBXContainerItemProxy */ = {
+ 815C35F61525209800502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 25E08C9909D9E64A001A11CF;
- remoteInfo = rsaparse;
+ remoteGlobalIDString = 25F258090987FC1500D15623;
+ remoteInfo = setkey;
};
- 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = {
+ 815C35F8152520BC00502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F;
- remoteInfo = "racoon arm";
+ remoteGlobalIDString = 815C35E61525201900502220;
+ remoteInfo = Project_base;
};
- 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */ = {
+ 815C35FA152520C000502220 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 23D2D790087071FC00C51098 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 812531120D3FEA33006BDF4F;
- remoteInfo = "racoonctl arm";
+ remoteGlobalIDString = 815C35EB1525203F00502220;
+ remoteInfo = Project_executables;
};
81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
);
runOnlyForDeploymentPostprocessing = 1;
};
- 258CF2D60A191A6E00166B38 /* CopyFiles */ = {
- isa = PBXCopyFilesBuildPhase;
- buildActionMask = 8;
- dstPath = /usr/share/man/man8;
- dstSubfolderSpec = 0;
- files = (
- 258CF2D40A191A5000166B38 /* plainrsa-gen.8 in CopyFiles */,
- );
- runOnlyForDeploymentPostprocessing = 1;
- };
258CF2E20A191AB000166B38 /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
);
runOnlyForDeploymentPostprocessing = 1;
};
- 72265DD80F818ED700730A7D /* CopyFiles */ = {
- isa = PBXCopyFilesBuildPhase;
- buildActionMask = 8;
- dstPath = /usr/local/OpenSourceVersions/;
- dstSubfolderSpec = 0;
- files = (
- 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */,
- );
- runOnlyForDeploymentPostprocessing = 1;
- };
724A38A20E3676FB00F6B25F /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
);
runOnlyForDeploymentPostprocessing = 1;
};
+ 815C35FC152522A900502220 /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 8;
+ dstPath = /usr/local/OpenSourceVersions/;
+ dstSubfolderSpec = 0;
+ files = (
+ 815C35FE152522CE00502220 /* ipsec.plist in CopyFiles */,
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
+ 815C35FD152522AC00502220 /* CopyFiles */ = {
+ isa = PBXCopyFilesBuildPhase;
+ buildActionMask = 8;
+ dstPath = /usr/local/OpenSourceLicenses;
+ dstSubfolderSpec = 0;
+ files = (
+ 815C35FF152522EB00502220 /* ipsec.txt in CopyFiles */,
+ );
+ runOnlyForDeploymentPostprocessing = 1;
+ };
81DDFDA30D622C1700C5CB87 /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
);
runOnlyForDeploymentPostprocessing = 1;
};
- BAA6806112B17CF900ACF6D3 /* CopyFiles */ = {
- isa = PBXCopyFilesBuildPhase;
- buildActionMask = 8;
- dstPath = /usr/local/OpenSourceLicenses;
- dstSubfolderSpec = 0;
- files = (
- BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */,
- );
- runOnlyForDeploymentPostprocessing = 1;
- };
/* End PBXCopyFilesBuildPhase section */
/* Begin PBXFileReference section */
252DF9600989B4EE00E5B678 /* policy_token.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; name = policy_token.l; path = libipsec/policy_token.l; sourceTree = "<group>"; };
252DF9610989B4EE00E5B678 /* test-policy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = "test-policy.c"; path = "libipsec/test-policy.c"; sourceTree = "<group>"; };
2537A1A809E4864800D0ECDA /* libipsec.A.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libipsec.A.dylib; sourceTree = BUILT_PRODUCTS_DIR; };
- 2543476F09DCB477007943DE /* plainrsa-gen */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "plainrsa-gen"; sourceTree = BUILT_PRODUCTS_DIR; };
- 2543479309DCB57E007943DE /* eaytest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = eaytest; sourceTree = BUILT_PRODUCTS_DIR; };
- 254347B609DCB839007943DE /* test-policy */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "test-policy"; sourceTree = BUILT_PRODUCTS_DIR; };
- 254347C509DCBA07007943DE /* test-pfkey */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "test-pfkey"; sourceTree = BUILT_PRODUCTS_DIR; };
254347C709DCBA1B007943DE /* test-pfkey.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "test-pfkey.c"; sourceTree = "<group>"; };
- 2589CBA809D8B727002DC960 /* prsa_par.y */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.yacc; path = prsa_par.y; sourceTree = "<group>"; };
- 2589CBAA09D8B727002DC960 /* prsa_tok.l */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.lex; path = prsa_tok.l; sourceTree = "<group>"; };
- 25BC48730A0BC7B000A181A0 /* eaytest.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = eaytest.c; sourceTree = "<group>"; };
25D9499F09A6AAD700CA0F24 /* config.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = config.h; path = Common/config.h; sourceTree = "<group>"; };
25D949A109A6AAD700CA0F24 /* libpfkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = libpfkey.h; path = Common/libpfkey.h; sourceTree = "<group>"; };
25D949A209A6AAD700CA0F24 /* pfkey.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey.c; path = Common/pfkey.c; sourceTree = "<group>"; };
25DE2DE50A8BD40E0010A46D /* vpn_control_var.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vpn_control_var.h; sourceTree = "<group>"; };
25DE2DE60A8BD40E0010A46D /* vpn_control.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = vpn_control.c; sourceTree = "<group>"; };
25DE2DE70A8BD40E0010A46D /* vpn_control.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vpn_control.h; sourceTree = "<group>"; };
- 25E08C9A09D9E64A001A11CF /* rsaparse.o */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.objfile"; includeInIndex = 0; path = rsaparse.o; sourceTree = BUILT_PRODUCTS_DIR; };
25EAE83109D875790042CC7F /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = /System/Library/Frameworks/Security.framework; sourceTree = "<absolute>"; };
25EAE83709D875BF0042CC7F /* DirectoryService.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = DirectoryService.framework; path = /System/Library/Frameworks/DirectoryService.framework; sourceTree = "<absolute>"; };
25EAE84709D879700042CC7F /* libssl.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libssl.dylib; path = /usr/lib/libssl.dylib; sourceTree = "<absolute>"; };
25F258F60988657000D15623 /* open_dir.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = open_dir.h; sourceTree = "<group>"; };
25F258F80988657000D15623 /* pfkey_racoon.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = pfkey_racoon.c; sourceTree = "<group>"; };
25F258F90988657000D15623 /* pfkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = pfkey.h; sourceTree = "<group>"; };
- 25F258FB0988657000D15623 /* plainrsa-gen.8 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = "plainrsa-gen.8"; sourceTree = "<group>"; };
- 25F258FC0988657000D15623 /* plainrsa-gen.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "plainrsa-gen.c"; sourceTree = "<group>"; };
25F258FD0988657000D15623 /* plog.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = plog.c; sourceTree = "<group>"; };
25F258FE0988657000D15623 /* plog.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = plog.h; sourceTree = "<group>"; };
25F258FF0988657000D15623 /* policy.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = policy.c; sourceTree = "<group>"; };
25F2590D0988657000D15623 /* racoonctl.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = racoonctl.h; sourceTree = "<group>"; };
25F2590E0988657000D15623 /* remoteconf.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = remoteconf.c; sourceTree = "<group>"; };
25F2590F0988657000D15623 /* remoteconf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = remoteconf.h; sourceTree = "<group>"; };
- 25F259100988657000D15623 /* rsalist.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = rsalist.c; sourceTree = "<group>"; };
- 25F259110988657000D15623 /* rsalist.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = rsalist.h; sourceTree = "<group>"; };
25F259120988657000D15623 /* safefile.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = safefile.c; sourceTree = "<group>"; };
25F259130988657000D15623 /* safefile.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = safefile.h; sourceTree = "<group>"; };
25F259140988657000D15623 /* sainfo.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = sainfo.c; sourceTree = "<group>"; };
);
runOnlyForDeploymentPostprocessing = 0;
};
- 2543476D09DCB477007943DE /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 25BE7E8209E5DE8D009B6B84 /* libipsec.A.dylib in Frameworks */,
- 25BE7E7609E5DDBA009B6B84 /* libssl.dylib in Frameworks */,
- 25BE7E7709E5DDBE009B6B84 /* libcrypto.dylib in Frameworks */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 2543479109DCB57E007943DE /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 25BE7E2E09E5D709009B6B84 /* libipsec.A.dylib in Frameworks */,
- 25BE7E1209E5D550009B6B84 /* libssl.dylib in Frameworks */,
- 25BE7E1309E5D555009B6B84 /* libcrypto.dylib in Frameworks */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 254347B409DCB839007943DE /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 25BE7E0109E5D3F4009B6B84 /* libipsec.A.dylib in Frameworks */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 254347C309DCBA07007943DE /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 25BE7E5A09E5DCBD009B6B84 /* libipsec.A.dylib in Frameworks */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 25E08C9809D9E64A001A11CF /* Frameworks */ = {
- isa = PBXFrameworksBuildPhase;
- buildActionMask = 2147483647;
- files = (
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
25F258030987FBFA00D15623 /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
81C387890D4524F600975D5E /* libgssapi_krb5.dylib in Frameworks */,
81C3877A0D4524E700975D5E /* libpam.dylib in Frameworks */,
25EAE87709D87A770042CC7F /* libiconv.dylib in Frameworks */,
- 25DC9ED709DB170800C89F86 /* rsaparse.o in Frameworks */,
8176A6B90D45661700BC5251 /* libldap.dylib in Frameworks */,
81C9645F0DA2CC2D00257BC8 /* SystemConfiguration.framework in Frameworks */,
BA486225109C2BF500545E19 /* IOKit.framework in Frameworks */,
25F258050987FBFA00D15623 /* racoon */,
25F2580A0987FC1500D15623 /* setkey */,
25F2580F0987FC3400D15623 /* racoonctl */,
- 25E08C9A09D9E64A001A11CF /* rsaparse.o */,
- 2543476F09DCB477007943DE /* plainrsa-gen */,
- 2543479309DCB57E007943DE /* eaytest */,
- 254347B609DCB839007943DE /* test-policy */,
- 254347C509DCBA07007943DE /* test-pfkey */,
2537A1A809E4864800D0ECDA /* libipsec.A.dylib */,
8125310A0D3FE9DC006BDF4F /* racoon */,
812531290D3FEA33006BDF4F /* racoonctl */,
BA5B6F370EC1A03C003774E7 /* ipsecSessionTracer.h */,
BA6F109A0EA1DEC200546773 /* ike_session.c */,
BA6F10940EA1D67700546773 /* ike_session.h */,
- 2589CBA809D8B727002DC960 /* prsa_par.y */,
- 2589CBAA09D8B727002DC960 /* prsa_tok.l */,
25F258AB0988657000D15623 /* admin_var.h */,
25F258AC0988657000D15623 /* admin.c */,
25F258AD0988657000D15623 /* admin.h */,
25F258BE0988657000D15623 /* dnssec.c */,
25F258BF0988657000D15623 /* dnssec.h */,
25F258C00988657000D15623 /* dump.h */,
- 25BC48730A0BC7B000A181A0 /* eaytest.c */,
25F258C20988657000D15623 /* evt.c */,
25F258C30988657000D15623 /* evt.h */,
25F258C40988657000D15623 /* gcmalloc.h */,
25F258F60988657000D15623 /* open_dir.h */,
25F258F80988657000D15623 /* pfkey_racoon.c */,
25F258F90988657000D15623 /* pfkey.h */,
- 25F258FB0988657000D15623 /* plainrsa-gen.8 */,
- 25F258FC0988657000D15623 /* plainrsa-gen.c */,
25F258FD0988657000D15623 /* plog.c */,
25F258FE0988657000D15623 /* plog.h */,
25F258FF0988657000D15623 /* policy.c */,
25F2590D0988657000D15623 /* racoonctl.h */,
25F2590E0988657000D15623 /* remoteconf.c */,
25F2590F0988657000D15623 /* remoteconf.h */,
- 25F259100988657000D15623 /* rsalist.c */,
- 25F259110988657000D15623 /* rsalist.h */,
25F259120988657000D15623 /* safefile.c */,
25F259130988657000D15623 /* safefile.h */,
25F259140988657000D15623 /* sainfo.c */,
productReference = 2537A1A809E4864800D0ECDA /* libipsec.A.dylib */;
productType = "com.apple.product-type.library.dynamic";
};
- 2543476E09DCB477007943DE /* plainrsa-gen */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 2543478609DCB494007943DE /* Build configuration list for PBXNativeTarget "plainrsa-gen" */;
- buildPhases = (
- 2543476C09DCB477007943DE /* Sources */,
- 2543476D09DCB477007943DE /* Frameworks */,
- 258CF2D60A191A6E00166B38 /* CopyFiles */,
- 258CF3220A19439000166B38 /* ShellScript */,
- );
- buildRules = (
- );
- dependencies = (
- 25BE7E7C09E5DE28009B6B84 /* PBXTargetDependency */,
- );
- name = "plainrsa-gen";
- productName = "plainrsa-gen";
- productReference = 2543476F09DCB477007943DE /* plainrsa-gen */;
- productType = "com.apple.product-type.tool";
- };
- 2543479209DCB57E007943DE /* eaytest */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 2543479909DCB596007943DE /* Build configuration list for PBXNativeTarget "eaytest" */;
- buildPhases = (
- 2543479009DCB57E007943DE /* Sources */,
- 2543479109DCB57E007943DE /* Frameworks */,
- );
- buildRules = (
- );
- dependencies = (
- 25BE7E3009E5D710009B6B84 /* PBXTargetDependency */,
- );
- name = eaytest;
- productName = eaytest;
- productReference = 2543479309DCB57E007943DE /* eaytest */;
- productType = "com.apple.product-type.tool";
- };
- 254347B509DCB839007943DE /* test-policy */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 254347BD09DCB851007943DE /* Build configuration list for PBXNativeTarget "test-policy" */;
- buildPhases = (
- 254347B309DCB839007943DE /* Sources */,
- 254347B409DCB839007943DE /* Frameworks */,
- );
- buildRules = (
- );
- dependencies = (
- 25BE7E0409E5D3FE009B6B84 /* PBXTargetDependency */,
- );
- name = "test-policy";
- productName = "test-policy";
- productReference = 254347B609DCB839007943DE /* test-policy */;
- productType = "com.apple.product-type.tool";
- };
- 254347C409DCBA07007943DE /* test-pfkey */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 254347C909DCBA1B007943DE /* Build configuration list for PBXNativeTarget "test-pfkey" */;
- buildPhases = (
- 254347C209DCBA07007943DE /* Sources */,
- 254347C309DCBA07007943DE /* Frameworks */,
- );
- buildRules = (
- );
- dependencies = (
- 25BE7E5C09E5DCC5009B6B84 /* PBXTargetDependency */,
- );
- name = "test-pfkey";
- productName = "test-pfkey";
- productReference = 254347C509DCBA07007943DE /* test-pfkey */;
- productType = "com.apple.product-type.tool";
- };
- 25E08C9909D9E64A001A11CF /* rsaparse */ = {
- isa = PBXNativeTarget;
- buildConfigurationList = 25E08CA209D9E6A4001A11CF /* Build configuration list for PBXNativeTarget "rsaparse" */;
- buildPhases = (
- 25E08C9709D9E64A001A11CF /* Sources */,
- 25E08C9809D9E64A001A11CF /* Frameworks */,
- );
- buildRules = (
- );
- dependencies = (
- );
- name = rsaparse;
- productName = rsaparse;
- productReference = 25E08C9A09D9E64A001A11CF /* rsaparse.o */;
- productType = "com.apple.product-type.objfile";
- };
25F258040987FBFA00D15623 /* racoon */ = {
isa = PBXNativeTarget;
buildConfigurationList = 25D3DABC098952B20025F703 /* Build configuration list for PBXNativeTarget "racoon" */;
buildRules = (
);
dependencies = (
- 25E08CEA09D9F0A2001A11CF /* PBXTargetDependency */,
2537A1C909E49D1400D0ECDA /* PBXTargetDependency */,
);
name = racoon;
projectRoot = "";
targets = (
23B20D2F0871D62A00A3B0FC /* IPSec (Aggregate) */,
+ 815C35E61525201900502220 /* Project_base */,
+ 815C35EB1525203F00502220 /* Project_executables */,
25F258040987FBFA00D15623 /* racoon */,
25F2580E0987FC3400D15623 /* racoonctl */,
25F258090987FC1500D15623 /* setkey */,
- 25E08C9909D9E64A001A11CF /* rsaparse */,
- 2543476E09DCB477007943DE /* plainrsa-gen */,
- 2543479209DCB57E007943DE /* eaytest */,
- 254347B509DCB839007943DE /* test-policy */,
- 254347C409DCBA07007943DE /* test-pfkey */,
2537A1A709E4864800D0ECDA /* libipsec */,
812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */,
812530BA0D3FE9DC006BDF4F /* racoon Embedded */,
shellPath = /bin/sh;
shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/setkey.8";
};
- 258CF3220A19439000166B38 /* ShellScript */ = {
- isa = PBXShellScriptBuildPhase;
- buildActionMask = 8;
- files = (
- );
- inputPaths = (
- );
- outputPaths = (
- );
- runOnlyForDeploymentPostprocessing = 1;
- shellPath = /bin/sh;
- shellScript = "/bin/chmod 444 $DSTROOT/usr/share/man/man8/plainrsa-gen.8";
- };
258CF3240A1943DE00166B38 /* ShellScript */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 8;
);
runOnlyForDeploymentPostprocessing = 0;
};
- 2543476C09DCB477007943DE /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 2543477109DCB492007943DE /* plainrsa-gen.c in Sources */,
- 2543478A09DCB49C007943DE /* plog.c in Sources */,
- 2543478C09DCB4A6007943DE /* logger.c in Sources */,
- 25BE7E7F09E5DE4C009B6B84 /* pfkey_dump.c in Sources */,
- 25BE7E8809E5E499009B6B84 /* pfkey.c in Sources */,
- 25BE7E8A09E5E4A6009B6B84 /* key_debug.c in Sources */,
- 25BE7E8E09E5E5BE009B6B84 /* crypto_openssl.c in Sources */,
- 25BE7E9009E5E61F009B6B84 /* misc.c in Sources */,
- 25BE7E9209E5E635009B6B84 /* vmbuf.c in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 2543479009DCB57E007943DE /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 254347A909DCB6C8007943DE /* vmbuf.c in Sources */,
- 254347AB09DCB6D6007943DE /* str2val.c in Sources */,
- 25BE7E1B09E5D5D9009B6B84 /* plog.c in Sources */,
- 25BE7E3809E5D80E009B6B84 /* crypto_openssl.c in Sources */,
- 25BE7E3E09E5D906009B6B84 /* misc.c in Sources */,
- 25BE7E4009E5D92C009B6B84 /* logger.c in Sources */,
- 25BC48740A0BC7B000A181A0 /* eaytest.c in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 254347B309DCB839007943DE /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 254347B809DCB84D007943DE /* test-policy.c in Sources */,
- 25BE7E6309E5DD38009B6B84 /* pfkey.c in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 254347C209DCBA07007943DE /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 254347C809DCBA1B007943DE /* test-pfkey.c in Sources */,
- 25BE7E5709E5DC4D009B6B84 /* pfkey_dump.c in Sources */,
- 25BE7E5E09E5DCF5009B6B84 /* pfkey.c in Sources */,
- 25BE7E6009E5DD04009B6B84 /* key_debug.c in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
- 25E08C9709D9E64A001A11CF /* Sources */ = {
- isa = PBXSourcesBuildPhase;
- buildActionMask = 2147483647;
- files = (
- 25E08C9E09D9E681001A11CF /* prsa_par.y in Sources */,
- 25E08C9F09D9E682001A11CF /* prsa_tok.l in Sources */,
- );
- runOnlyForDeploymentPostprocessing = 0;
- };
25F258020987FBFA00D15623 /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
- 25F258A80988651000D15623 /* rijndael-alg-fst.c in Sources */,
- 25F258A90988651000D15623 /* rijndael-api-fst.c in Sources */,
25F259280988657000D15623 /* admin.c in Sources */,
25F259290988657000D15623 /* algorithm.c in Sources */,
25F2592A0988657000D15623 /* backupsa.c in Sources */,
25F259630988657000D15623 /* vmbuf.c in Sources */,
25078AE509D37570005F3F63 /* nattraversal.c in Sources */,
25EAE8C609D87B990042CC7F /* pfkey.c in Sources */,
- 25DC9EC909DB0FBB00C89F86 /* rsalist.c in Sources */,
25DC9ED409DB16F300C89F86 /* isakmp_cfg.c in Sources */,
25DC9ED509DB16F800C89F86 /* isakmp_unity.c in Sources */,
25DC9ED609DB16FA00C89F86 /* isakmp_xauth.c in Sources */,
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
- 812530C00D3FE9DC006BDF4F /* rijndael-alg-fst.c in Sources */,
- 812530C10D3FE9DC006BDF4F /* rijndael-api-fst.c in Sources */,
812530C20D3FE9DC006BDF4F /* admin.c in Sources */,
812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */,
812530C40D3FE9DC006BDF4F /* backupsa.c in Sources */,
target = 2537A1A709E4864800D0ECDA /* libipsec */;
targetProxy = 2537A1CC09E49D5C00D0ECDA /* PBXContainerItemProxy */;
};
- 254347D109DCBAF8007943DE /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 2543476E09DCB477007943DE /* plainrsa-gen */;
- targetProxy = 254347D009DCBAF8007943DE /* PBXContainerItemProxy */;
- };
- 25BE7E0409E5D3FE009B6B84 /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 2537A1A709E4864800D0ECDA /* libipsec */;
- targetProxy = 25BE7E0309E5D3FE009B6B84 /* PBXContainerItemProxy */;
- };
- 25BE7E3009E5D710009B6B84 /* PBXTargetDependency */ = {
+ 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 2537A1A709E4864800D0ECDA /* libipsec */;
- targetProxy = 25BE7E2F09E5D710009B6B84 /* PBXContainerItemProxy */;
+ target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */;
+ targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */;
};
- 25BE7E5C09E5DCC5009B6B84 /* PBXTargetDependency */ = {
+ 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 2537A1A709E4864800D0ECDA /* libipsec */;
- targetProxy = 25BE7E5B09E5DCC5009B6B84 /* PBXContainerItemProxy */;
+ target = 812531120D3FEA33006BDF4F /* racoonctl Embedded */;
+ targetProxy = 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */;
};
- 25BE7E7C09E5DE28009B6B84 /* PBXTargetDependency */ = {
+ 815C35F11525208900502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 2537A1A709E4864800D0ECDA /* libipsec */;
- targetProxy = 25BE7E7B09E5DE28009B6B84 /* PBXContainerItemProxy */;
+ targetProxy = 815C35F01525208900502220 /* PBXContainerItemProxy */;
};
- 25D3DDE30989AFDE0025F703 /* PBXTargetDependency */ = {
+ 815C35F31525209000502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 25F258040987FBFA00D15623 /* racoon */;
- targetProxy = 25D3DDE20989AFDE0025F703 /* PBXContainerItemProxy */;
+ targetProxy = 815C35F21525209000502220 /* PBXContainerItemProxy */;
};
- 25D3DDE50989AFE50025F703 /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 25F258090987FC1500D15623 /* setkey */;
- targetProxy = 25D3DDE40989AFE50025F703 /* PBXContainerItemProxy */;
- };
- 25D3DDE70989AFE90025F703 /* PBXTargetDependency */ = {
+ 815C35F51525209400502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
target = 25F2580E0987FC3400D15623 /* racoonctl */;
- targetProxy = 25D3DDE60989AFE90025F703 /* PBXContainerItemProxy */;
- };
- 25DE3DB609EC27B900147420 /* PBXTargetDependency */ = {
- isa = PBXTargetDependency;
- target = 2537A1A709E4864800D0ECDA /* libipsec */;
- targetProxy = 25DE3DB509EC27B900147420 /* PBXContainerItemProxy */;
+ targetProxy = 815C35F41525209400502220 /* PBXContainerItemProxy */;
};
- 25E08CEA09D9F0A2001A11CF /* PBXTargetDependency */ = {
+ 815C35F71525209800502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 25E08C9909D9E64A001A11CF /* rsaparse */;
- targetProxy = 25E08CE909D9F0A2001A11CF /* PBXContainerItemProxy */;
+ target = 25F258090987FC1500D15623 /* setkey */;
+ targetProxy = 815C35F61525209800502220 /* PBXContainerItemProxy */;
};
- 812531110D3FEA28006BDF4F /* PBXTargetDependency */ = {
+ 815C35F9152520BC00502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */;
- targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */;
+ target = 815C35E61525201900502220 /* Project_base */;
+ targetProxy = 815C35F8152520BC00502220 /* PBXContainerItemProxy */;
};
- 8125312C0D3FEA44006BDF4F /* PBXTargetDependency */ = {
+ 815C35FB152520C000502220 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 812531120D3FEA33006BDF4F /* racoonctl Embedded */;
- targetProxy = 8125312B0D3FEA44006BDF4F /* PBXContainerItemProxy */;
+ target = 815C35EB1525203F00502220 /* Project_executables */;
+ targetProxy = 815C35FA152520C000502220 /* PBXContainerItemProxy */;
};
81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
SKIP_INSTALL = YES;
- VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
COPY_PHASE_STRIP = NO;
CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
DYLIB_CURRENT_VERSION = 300;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "i386 x86_64";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
name = Default;
};
- 2543478709DCB494007943DE /* Development */ = {
+ 25D3DAB9098952B20025F703 /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_GROUP = wheel;
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
- INSTALL_PATH = /usr/sbin;
- PREBINDING = NO;
- PRODUCT_NAME = "plainrsa-gen";
- SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Development;
- };
- 2543478809DCB494007943DE /* Deployment */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_GROUP = wheel;
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
- INSTALL_PATH = /usr/sbin;
- PREBINDING = NO;
- PRODUCT_NAME = "plainrsa-gen";
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 2543478909DCB494007943DE /* Default */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_GROUP = wheel;
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = root;
- INSTALL_PATH = /usr/sbin;
- PREBINDING = NO;
- PRODUCT_NAME = "plainrsa-gen";
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Default;
- };
- 2543479A09DCB596007943DE /* Development */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- INSTALL_GROUP = "$(inherited)";
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = "$(inherited)";
- INSTALL_PATH = "";
- OTHER_CFLAGS = (
- "$(OTHER_CFLAGS)",
- "-DEAYDEBUG",
- "-DNOUSE_PLOG",
- );
- PREBINDING = NO;
- PRODUCT_NAME = eaytest;
- SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Development;
- };
- 2543479B09DCB596007943DE /* Deployment */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
- GCC_MODEL_TUNING = G5;
- INSTALL_GROUP = "$(inherited)";
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = "$(inherited)";
- INSTALL_PATH = "";
- OTHER_CFLAGS = (
- "$(OTHER_CFLAGS)",
- "-DEAYDEBUG",
- "-DNOUSE_PLOG",
- );
- PREBINDING = NO;
- PRODUCT_NAME = eaytest;
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 2543479C09DCB596007943DE /* Default */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_MODEL_TUNING = G5;
- INSTALL_GROUP = "$(inherited)";
- INSTALL_MODE_FLAG = 555;
- INSTALL_OWNER = "$(inherited)";
- INSTALL_PATH = "";
- OTHER_CFLAGS = (
- "$(OTHER_CFLAGS)",
- "-DEAYDEBUG",
- "-DNOUSE_PLOG",
- );
- PREBINDING = NO;
- PRODUCT_NAME = eaytest;
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Default;
- };
- 254347BE09DCB851007943DE /* Development */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-policy";
- SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Development;
- };
- 254347BF09DCB851007943DE /* Deployment */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-policy";
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 254347C009DCB851007943DE /* Default */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1",
- "$(inherited)",
- );
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-policy";
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Default;
- };
- 254347CA09DCBA1B007943DE /* Development */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1";
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-pfkey";
- SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Development;
- };
- 254347CB09DCBA1B007943DE /* Deployment */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = YES;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1";
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-pfkey";
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 254347CC09DCBA1B007943DE /* Default */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
- GCC_MODEL_TUNING = G5;
- GCC_PREPROCESSOR_DEFINITIONS = "HAVE_CONFIG_H=1";
- INSTALL_MODE_FLAG = 555;
- INSTALL_PATH = "$(HOME)/bin";
- PREBINDING = NO;
- PRODUCT_NAME = "test-pfkey";
- SKIP_INSTALL = YES;
- STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
- ZERO_LINK = NO;
- };
- name = Default;
- };
- 25D3DAB9098952B20025F703 /* Development */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DABA098952B20025F703 /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DABB098952B20025F703 /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
+ ARCHS = "";
+ "ARCHS[arch=*]" = "";
COPY_PHASE_STRIP = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
PRODUCT_NAME = "IPSec (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
COPY_PHASE_STRIP = NO;
DSTROOT = "/tmp/$(PROJECT_NAME).dst";
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
COPY_PHASE_STRIP = NO;
DSTROOT = "/tmp/$(PROJECT_NAME).dst";
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DAC1098952B20025F703 /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
+ ALTERNATE_PERMISSIONS_FILES = "";
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DAC2098952B20025F703 /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
+ ALTERNATE_PERMISSIONS_FILES = "";
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
COPY_PHASE_STRIP = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
25D3DAC3098952B20025F703 /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
+ ALTERNATE_PERMISSIONS_FILES = "";
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "i386 x86_64";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
COPY_PHASE_STRIP = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_GROUP = "$(inherited)";
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
- ARCHS = (
- x86_64,
- i386,
- );
+ ARCHS = "$(ARCHS_STANDARD_64_BIT)";
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "x86_64 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
- ARCHS = (
- armv6,
- i386,
- armv7,
- x86_64,
- );
- VALID_ARCHS = "armv6 x86_64 i386 armv7";
+ ARCHS = "$(ARCHS_STANDARD_32_BIT)";
};
name = Development;
};
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
- ARCHS = (
- armv6,
- i386,
- armv7,
- x86_64,
- );
- VALID_ARCHS = "armv6 x86_64 i386 armv7";
+ ARCHS = "$(ARCHS_STANDARD_32_BIT)";
};
name = Deployment;
};
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ADDITIONAL_SDKS = "";
- ARCHS = (
- armv6,
- i386,
- armv7,
- x86_64,
- );
- VALID_ARCHS = "armv6 armv7 x86_64 i386";
- };
- name = Default;
- };
- 25E08CA309D9E6A4001A11CF /* Development */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = NO;
- GCC_DYNAMIC_NO_PIC = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
- GCC_MODEL_TUNING = G5;
- GCC_OPTIMIZATION_LEVEL = 0;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 x86_64";
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
- };
- name = Development;
- };
- 25E08CA409D9E6A4001A11CF /* Deployment */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- x86_64,
- i386,
- );
- COPY_PHASE_STRIP = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = NO;
- GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
- GCC_MODEL_TUNING = G5;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 x86_64";
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
- ZERO_LINK = NO;
- };
- name = Deployment;
- };
- 25E08CA509D9E6A4001A11CF /* Default */ = {
- isa = XCBuildConfiguration;
- buildSettings = {
- ARCHS = (
- i386,
- x86_64,
- );
- COPY_PHASE_STRIP = NO;
- GCC_MODEL_TUNING = G5;
- INSTALL_PATH = "";
- LEXFLAGS = "$(LEXFLAGS) -Pprsa";
- PREBINDING = NO;
- PRODUCT_NAME = rsaparse;
- SKIP_INSTALL = NO;
- VALID_ARCHS = "i386 x86_64";
- YACCFLAGS = "$(YACCFLAGS) -pprsa";
+ ARCHS = "$(ARCHS_STANDARD_32_BIT)";
};
name = Default;
};
buildSettings = {
ADDITIONAL_SDKS = "";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
PRODUCT_NAME = "IPSec Embedded (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
buildSettings = {
ADDITIONAL_SDKS = "";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
isa = XCBuildConfiguration;
buildSettings = {
ADDITIONAL_SDKS = "";
- ARCHS = (
- armv6,
+ ARCHS = "";
+ "ARCHS[arch=*]" = (
armv7,
);
COPY_PHASE_STRIP = NO;
PRODUCT_NAME = "IPSec Embedded (Aggregate)";
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
YACCFLAGS = "$(YACCFLAGS) -d";
YACC_GENERATE_DEBUGGING_DIRECTIVES = NO;
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
YACCFLAGS = "$(YACCFLAGS) -d";
};
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
PREBINDING = NO;
PRODUCT_NAME = racoon;
SECTORDER_FLAGS = "";
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
YACCFLAGS = "$(YACCFLAGS) -d";
};
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
};
name = Development;
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = YES;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
};
name = Deployment;
ALTERNATE_MODE = "$(inherited)";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
PRODUCT_NAME = racoonctl;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 i386";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
};
name = Default;
};
+ 815C35E81525201900502220 /* Development */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ TARGETED_DEVICE_FAMILY = "";
+ };
+ name = Development;
+ };
+ 815C35E91525201900502220 /* Deployment */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ TARGETED_DEVICE_FAMILY = "";
+ };
+ name = Deployment;
+ };
+ 815C35EA1525201900502220 /* Default */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ TARGETED_DEVICE_FAMILY = "";
+ };
+ name = Default;
+ };
+ 815C35ED1525203F00502220 /* Development */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ };
+ name = Development;
+ };
+ 815C35EE1525203F00502220 /* Deployment */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ };
+ name = Deployment;
+ };
+ 815C35EF1525203F00502220 /* Default */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ PRODUCT_NAME = "$(TARGET_NAME)";
+ };
+ name = Default;
+ };
81DDFDA70D622C1700C5CB87 /* Development */ = {
isa = XCBuildConfiguration;
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_MODEL_TUNING = G5;
GCC_PREPROCESSOR_DEFINITIONS = (
- "HAVE_CONFIG_H=1\nHAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
+ "HAVE_CONFIG_H=1",
"$(GCC_PREPROCESSOR_DEFINITIONS)",
);
HEADER_SEARCH_PATHS = (
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
SKIP_INSTALL = YES;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
YACCFLAGS = "";
};
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = YES;
SECTORDER_FLAGS = "";
SKIP_INSTALL = NO;
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 armv7";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
};
name = Deployment;
baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
buildSettings = {
ARCHS = (
- armv6,
armv7,
);
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
PRODUCT_NAME = setkey;
SECTORDER_FLAGS = "";
STRIP_INSTALLED_PRODUCT = YES;
- VALID_ARCHS = "armv6 armv7 ";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
+ "-Wcast-align",
);
};
name = Default;
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
SKIP_INSTALL = YES;
- VALID_ARCHS = "armv6 armv7";
+ WARNING_CFLAGS = "-Wcast-align";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "armv6 armv7";
+ WARNING_CFLAGS = "-Wcast-align";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
ALTERNATE_MODE = "";
ALTERNATE_OWNER = "$(inherited)";
ARCHS = (
- armv6,
armv7,
);
COPY_PHASE_STRIP = NO;
LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
PREBINDING = NO;
PRODUCT_NAME = ipsec.A;
- VALID_ARCHS = "armv6 i386";
+ WARNING_CFLAGS = "-Wcast-align";
YACCFLAGS = "$(YACCFLAGS) -d -p__libipsec";
ZERO_LINK = YES;
};
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Deployment;
};
- 2543478609DCB494007943DE /* Build configuration list for PBXNativeTarget "plainrsa-gen" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 2543478709DCB494007943DE /* Development */,
- 2543478809DCB494007943DE /* Deployment */,
- 2543478909DCB494007943DE /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
- 2543479909DCB596007943DE /* Build configuration list for PBXNativeTarget "eaytest" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 2543479A09DCB596007943DE /* Development */,
- 2543479B09DCB596007943DE /* Deployment */,
- 2543479C09DCB596007943DE /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
- 254347BD09DCB851007943DE /* Build configuration list for PBXNativeTarget "test-policy" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 254347BE09DCB851007943DE /* Development */,
- 254347BF09DCB851007943DE /* Deployment */,
- 254347C009DCB851007943DE /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
- 254347C909DCBA1B007943DE /* Build configuration list for PBXNativeTarget "test-pfkey" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 254347CA09DCBA1B007943DE /* Development */,
- 254347CB09DCBA1B007943DE /* Deployment */,
- 254347CC09DCBA1B007943DE /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
25D3DAB8098952B20025F703 /* Build configuration list for PBXAggregateTarget "IPSec (Aggregate)" */ = {
isa = XCConfigurationList;
buildConfigurations = (
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Deployment;
};
- 25E08CA209D9E6A4001A11CF /* Build configuration list for PBXNativeTarget "rsaparse" */ = {
- isa = XCConfigurationList;
- buildConfigurations = (
- 25E08CA309D9E6A4001A11CF /* Development */,
- 25E08CA409D9E6A4001A11CF /* Deployment */,
- 25E08CA509D9E6A4001A11CF /* Default */,
- );
- defaultConfigurationIsVisible = 0;
- defaultConfigurationName = Deployment;
- };
812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = {
isa = XCConfigurationList;
buildConfigurations = (
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Deployment;
};
+ 815C35E71525201900502220 /* Build configuration list for PBXAggregateTarget "Project_base" */ = {
+ isa = XCConfigurationList;
+ buildConfigurations = (
+ 815C35E81525201900502220 /* Development */,
+ 815C35E91525201900502220 /* Deployment */,
+ 815C35EA1525201900502220 /* Default */,
+ );
+ defaultConfigurationIsVisible = 0;
+ defaultConfigurationName = Deployment;
+ };
+ 815C35EC1525203F00502220 /* Build configuration list for PBXAggregateTarget "Project_executables" */ = {
+ isa = XCConfigurationList;
+ buildConfigurations = (
+ 815C35ED1525203F00502220 /* Development */,
+ 815C35EE1525203F00502220 /* Deployment */,
+ 815C35EF1525203F00502220 /* Default */,
+ );
+ defaultConfigurationIsVisible = 0;
+ defaultConfigurationName = Deployment;
+ };
81DDFDA60D622C1700C5CB87 /* Build configuration list for PBXNativeTarget "setkey Embedded" */ = {
isa = XCConfigurationList;
buildConfigurations = (
;; OriginatingProject: ipsec
(version 1)
(deny default)
+
+(import "system.sb")
+
(allow system-socket sysctl-read sysctl-write)
(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
(allow mach-lookup
(global-name "com.apple.securityd")
(global-name "com.apple.bsd.dirhelper")
- (global-name "com.apple.system.DirectoryService.libinfo_v1")
- (global-name "com.apple.system.DirectoryService.membership_v1")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
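Review bot: The added `(import "system.sb")` silently widens this profile: `(deny default)` on the line above still applies, but everything system.sb allows is now granted before the explicit rules below, so the effective policy is no longer the narrow allow-list that follows but "system baseline plus these extras", and nothing in the hunk records why racoon needs the whole baseline. The two removed DirectoryService mach-lookup names are only safe to drop if the lookups racoon still performs (user/group resolution, membership checks) are presumably now covered by system.sb or a renamed service — that should be confirmed rather than inferred from the import. A short comment next to the import would make the intent auditable, e.g. `;; system.sb supplies the OS baseline (libinfo, logging, etc.); the rules below are racoon-specific additions on top of it` and `;; TODO confirm system.sb covers the directory-service lookups previously allowed explicitly`. If the profile continues past the last visible line, the remaining allow rules should be reviewed against the same question.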