ipsec-292.40.4.tar.gz os-x-10114 os-x-10115 os-x-10116 v292.40.4
authorApple <opensource@apple.com>
Wed, 13 Jul 2016 22:45:27 +0000 (22:45 +0000)
committerApple <opensource@apple.com>
Wed, 13 Jul 2016 22:45:27 +0000 (22:45 +0000)
21 files changed:
ipsec-tools/Common/pfkey.c
ipsec-tools/racoon/fsm.c
ipsec-tools/racoon/handler.c
ipsec-tools/racoon/handler.h
ipsec-tools/racoon/ike_session.c
ipsec-tools/racoon/ike_session.h
ipsec-tools/racoon/ipsec_doi.c
ipsec-tools/racoon/isakmp.c
ipsec-tools/racoon/isakmp_inf.c
ipsec-tools/racoon/isakmp_var.h
ipsec-tools/racoon/isakmp_xauth.c
ipsec-tools/racoon/localconf.h
ipsec-tools/racoon/oakley.c
ipsec-tools/racoon/pfkey_racoon.c
ipsec-tools/racoon/remoteconf.c
ipsec-tools/racoon/sockmisc.c
ipsec-tools/racoon/vpn.c
ipsec-tools/racoon/vpn_control.c
ipsec-tools/racoon/vpn_control.h
ipsec-tools/racoon/vpn_control_var.h
ipsec.xcodeproj/project.pbxproj

index 409333d2a9791c580db7cf5562d8d2e0f55c6237..2a8a765d2e720844f19fe4ce290787c95c886a31 100644 (file)
@@ -1612,7 +1612,7 @@ pfkey_open()
 {
        int so;
        int bufsiz = 0; /* Max allowed by default */
-       const unsigned long newbufk = 1536;
+       const unsigned long newbufk = 2176;
        unsigned long oldmax;
        size_t  oldmaxsize = sizeof(oldmax);
        unsigned long newmax = newbufk * (1024 + 128);
index ea5802b42dc60602c21e03945664fc540ffe0d00..8ff862cc96d57267ffaef12257a5f292643cf6a5 100644 (file)
@@ -247,13 +247,7 @@ fsm_ikev1_phase1_send_response(phase1_handle_t *iph1, vchar_t *msg)
     }
     
     if (error) {
-        u_int32_t address;
-        if (iph1->remote->ss_family == AF_INET)
-            address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
-        else {
-            address = 0;
-        }
-        vpncontrol_notify_ike_failed(error, FROM_LOCAL, address, 0, NULL);
+        vpncontrol_notify_ike_failed(error, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL);
     }
     
     return error;
index df3380dcddb536a9e71c3c8123af1ccc80f2812e..6fe8e4667945749ee5f52d0504b4bfdaf1daf902 100644 (file)
@@ -241,10 +241,19 @@ sike_session_getph1bydstaddrwop(ike_session_t *session, struct sockaddr_storage
        phase1_handle_t *p = NULL;
            
     LIST_FOREACH(p, &session->ph1tree, ph1ofsession_chain) {
-        if (FSM_STATE_IS_EXPIRED(p->status))
+               if (FSM_STATE_IS_EXPIRED(p->status)) {
             continue;
-        if (cmpsaddrwop(remote, p->remote) == 0)
+               }
+               if (remote->ss_family == AF_INET &&
+                       p->nat64_prefix.length) {
+                       struct in_addr address;
+                       nw_nat64_extract_v4(&p->nat64_prefix, &((struct sockaddr_in6 *)p->remote)->sin6_addr, &address);
+                       if (((struct sockaddr_in *)remote)->sin_addr.s_addr == address.s_addr) {
+                               return p;
+                       }
+               } else if (cmpsaddrwop(remote, p->remote) == 0) {
             return p;
+               }
     }
     
     return NULL;
@@ -1568,3 +1577,41 @@ sweep_sleepwake(void)
        // do the ike_session last
        ike_session_sweep_sleepwake();
 }
+
+uint32_t
+iph1_get_remote_v4_address(phase1_handle_t *iph1)
+{
+       uint32_t address = 0;
+       if (iph1->remote->ss_family == AF_INET) {
+               address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
+       } else if (iph1->remote->ss_family == AF_INET6 &&
+                          iph1->nat64_prefix.length) {
+               if (!nw_nat64_extract_v4(&iph1->nat64_prefix, &((struct sockaddr_in6 *)iph1->remote)->sin6_addr, (struct in_addr *)&address)) {
+                       plog(ASL_LEVEL_ERR, "Failed to extract IPv4 from Phase 1 IPv6 address.\n");
+               }
+       } else {
+               plog(ASL_LEVEL_ERR, "Failed to get IPv4 address for Phase 1 (family=%u, NAT64Prefix=%u)\n",
+                        iph1->remote->ss_family,
+                        iph1->nat64_prefix.length);
+       }
+       return address;
+}
+
+uint32_t
+iph2_get_remote_v4_address(phase2_handle_t *iph2)
+{
+       uint32_t address = 0;
+       if (iph2->dst->ss_family == AF_INET) {
+               address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
+       } else if (iph2->dst->ss_family == AF_INET6 &&
+                          iph2->nat64_prefix.length) {
+               if (!nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)iph2->dst)->sin6_addr, (struct in_addr *)&address)) {
+                       plog(ASL_LEVEL_ERR, "Failed to extract IPv4 from Phase 2 IPv6 address.\n");
+               }
+       } else {
+               plog(ASL_LEVEL_ERR, "Failed to get IPv4 address for Phase 2 (family=%u, NAT64Prefix=%u)\n",
+                        iph2->dst->ss_family,
+                        iph2->nat64_prefix.length);
+       }
+       return address;
+}
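Review bot: In the ike_session_getph1bydstaddrwop hunk (the first hunk of this file) the result of nw_nat64_extract_v4 is discarded and `address` is compared regardless, so a failed extraction compares the caller's address against an uninitialized in_addr; the second hunk's iph1_get_remote_v4_address does check that return (non-zero meaning success, as its error log shows), and the lookup should too. The cast of `p->remote` to sockaddr_in6 is also guarded only by `p->nat64_prefix.length`, not by `p->remote->ss_family == AF_INET6`, and an AF_INET `p->remote` carrying a prefix currently skips cmpsaddrwop altogether. The rewritten NAT64 branch is below; the enclosing function starts before the hunk. The two new helpers in the second hunk differ only in the field read and the phase named in the log, so a static helper taking the sockaddr_storage, the prefix and a phase label would remove the duplication.
```c
		if (remote->ss_family == AF_INET &&
			p->remote->ss_family == AF_INET6 &&
			p->nat64_prefix.length) {
			struct in_addr address;
			/* compare only when the IPv4 address could be recovered from the NAT64 prefix */
			if (nw_nat64_extract_v4(&p->nat64_prefix, &((struct sockaddr_in6 *)p->remote)->sin6_addr, &address) &&
				((struct sockaddr_in *)remote)->sin_addr.s_addr == address.s_addr) {
				return p;
			}
		} else if (cmpsaddrwop(remote, p->remote) == 0) {
			return p;
		}
```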
index 2b8f0563fcb06f2104b4b6e36a76dadb904b5c07..172b72ad38cdec5a395bdbd9f4150719e55f0879 100644 (file)
@@ -52,6 +52,7 @@
 #include <sys/socket.h>
 
 #include <schedule.h>
+#include <network/nat64.h>
 
 /* About address semantics in each case.
  *                     initiator(addr=I)       responder(addr=R)
@@ -79,9 +80,10 @@ struct phase1handle {
        int status;                     /* status of this SA */
        int side;                       /* INITIATOR or RESPONDER */
        int started_by_api;             /* connection started by VPNControl API */
-    
-       struct sockaddr_storage *remote;        /* remote address to negosiate ph1 */
-       struct sockaddr_storage *local;         /* local address to negosiate ph1 */
+
+       nw_nat64_prefix_t nat64_prefix;         /* nat64 prefix to apply to addresses. */
+       struct sockaddr_storage *remote;        /* remote address to negotiate ph1 */
+       struct sockaddr_storage *local;         /* local address to negotiate ph1 */
     /* XXX copy from rmconf due to anonymous configuration.
      * If anonymous will be forbidden, we do delete them. */
     
@@ -195,7 +197,8 @@ struct phase1handle {
 struct phase2handle {
        struct sockaddr_storage *src;           /* my address of SA. */
        struct sockaddr_storage *dst;           /* peer's address of SA. */
-    
+    nw_nat64_prefix_t nat64_prefix;            /* nat64 prefix to apply to addresses. */
+
     /*
      * copy ip address from ID payloads when ID type is ip address.
      * In other case, they must be null.
@@ -446,4 +449,8 @@ extern void                 ike_session_init_recvdpkt (void);
 
 extern void                 sweep_sleepwake (void);
 
+extern uint32_t             iph1_get_remote_v4_address(phase1_handle_t *iph1);
+
+extern uint32_t             iph2_get_remote_v4_address(phase2_handle_t *iph2);
+
 #endif /* _HANDLER_H */
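Review bot: The new `nat64_prefix` members are commented as "nat64 prefix to apply to addresses" but the sentinel the rest of the change relies on — every consumer tests `nat64_prefix.length` and treats zero as "no NAT64" — is stated nowhere; suggest `/* NAT64 prefix for this negotiation; length == 0 means none. */` on both struct members. The two new prototypes would likewise benefit from a one-line contract, e.g. `/* Peer IPv4 address in network byte order (recovered through the NAT64 prefix when the peer is IPv6); 0 when it cannot be determined. */`, since 0 is what the error paths in handler.c return and callers cannot tell it from 0.0.0.0. The phase2handle addition is indented with spaces where the surrounding struct uses tabs.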
index e40f89882c3105b0097616d8f4e8bd2195057db2..184fbc870b4a375dd581b300bbbd2b522c0316ba 100644 (file)
@@ -1143,6 +1143,22 @@ ike_sessions_stopped_by_controller (struct sockaddr_storage *remote,
        }
 }
 
+void
+ike_session_purge_ph1s_by_session (ike_session_t *session)
+{
+       phase1_handle_t *iph1;
+       phase1_handle_t *next_iph1 = NULL;
+
+       LIST_FOREACH_SAFE(iph1, &session->ph1tree, ph1ofsession_chain, next_iph1) {
+               plog(ASL_LEVEL_DEBUG, "deleteallph1 of given session: got a ph1 handler...\n");
+
+               vpncontrol_notify_ike_failed(VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN, FROM_REMOTE,
+                                           iph1_get_remote_v4_address(iph1), 0, NULL);
+
+               ike_session_unlink_phase1(iph1);
+       }
+}
+
 void
 ike_session_purge_ph2s_by_ph1 (phase1_handle_t *iph1)
 {
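Review bot: ike_session_purge_ph1s_by_session hard-codes `VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN` as the failure reason it reports for every Phase 1 it unlinks, although neither the name nor the prototype ties it to that case; the only caller visible in this commit is the proposal-rejected path in isakmp_inf.c, so it is right today, but a second caller would report the wrong reason to the control client. Either take the reason as a parameter, e.g. `ike_session_purge_ph1s_by_session (ike_session_t *session, int fail_reason)` with the prototype in ike_session.h updated to match, or state the coupling in a header comment: `/* Unlink every Phase 1 of the session after reporting NO-PROPOSAL-CHOSEN to the VPN control client; used only for the proposal-rejected teardown. */`. The caller checks `session` for NULL before calling; a comment that `session` must be non-NULL would record that contract.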
index 9fe7510676dc42d9aa5b249cd23818a30afe69ac..2aa10761135c35ea2233484716cbfe03139b5fd4 100644 (file)
@@ -149,6 +149,7 @@ extern void               ike_session_cleanup_other_established_ph2s (ike_sessio
 extern void                              ike_session_stopped_by_controller (ike_session_t *, const char *);
 extern void                              ike_sessions_stopped_by_controller (struct sockaddr_storage *, int, const char *);
 extern void               ike_session_purge_ph2s_by_ph1 (phase1_handle_t *);
+extern void               ike_session_purge_ph1s_by_session (ike_session_t *session);
 extern phase1_handle_t  * ike_session_get_established_ph1 (ike_session_t *);
 extern phase1_handle_t *  ike_session_get_established_or_negoing_ph1 (ike_session_t *);
 extern void               ike_session_update_ph2_ports (phase2_handle_t *);
index 2fc1c2274ccba0273ff58b0845cb8013f7554dc4..0de36fd55fa0ec84a7e25909c93fe321dad0510e 100644 (file)
@@ -3667,6 +3667,7 @@ ipsecdoi_setid1(iph1)
        vchar_t *ret = NULL;
        struct ipsecdoi_id_b id_b;
        vchar_t *ident = NULL;
+       struct sockaddr_in v4_address;
        struct sockaddr_storage *ipid = NULL;
 
        /* init */
@@ -3748,6 +3749,19 @@ ipsecdoi_setid1(iph1)
                if (ipid == NULL)
                        ipid = iph1->local;
 
+               {
+                       if (ipid->ss_family == AF_INET6 &&
+                               iph1->nat64_prefix.length) {
+                               memset(&v4_address, 0, sizeof(v4_address));
+                               v4_address.sin_len = sizeof(struct sockaddr_in);
+                               v4_address.sin_family = AF_INET;
+                               v4_address.sin_port = ((struct sockaddr_in6 *)ipid)->sin6_port;
+                               v4_address.sin_addr.s_addr = 0;
+
+                               ipid = ALIGNED_CAST(struct sockaddr_storage *)&v4_address;
+                       }
+               }
+
                /* use IP address */
                switch (ipid->ss_family) {
                case AF_INET:
@@ -3976,8 +3990,22 @@ ipsecdoi_setid2(iph2)
                return -1;
        }
 
-       iph2->id = ipsecdoi_sockaddr2id(&sp->spidx.src,
-                                       sp->spidx.prefs, sp->spidx.ul_proto);
+       struct sockaddr_in local_v4_address;
+       struct sockaddr_storage *srcaddr = &sp->spidx.src;
+       u_int8_t prefs = sp->spidx.prefs;
+       if (sp->spidx.dst.ss_family == AF_INET6 &&
+               iph2->nat64_prefix.length) {
+               memset(&local_v4_address, 0, sizeof(local_v4_address));
+               local_v4_address.sin_len = sizeof(struct sockaddr_in);
+               local_v4_address.sin_family = AF_INET;
+               local_v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.src)->sin6_port;
+               local_v4_address.sin_addr.s_addr = 0;
+
+               srcaddr = ALIGNED_CAST(struct sockaddr_storage *)&local_v4_address;
+               prefs = 32;
+       }
+       iph2->id = ipsecdoi_sockaddr2id(srcaddr,
+                                       prefs, sp->spidx.ul_proto);
        if (iph2->id == NULL) {
                plog(ASL_LEVEL_ERR, 
                        "failed to get ID for %s\n",
@@ -4000,8 +4028,22 @@ ipsecdoi_setid2(iph2)
                         s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id->v)->type));
 
        /* remote side */
-       iph2->id_p = ipsecdoi_sockaddr2id(&sp->spidx.dst,
-                               sp->spidx.prefd, sp->spidx.ul_proto);
+       struct sockaddr_in v4_address;
+       struct sockaddr_storage *dstaddr = &sp->spidx.dst;
+       u_int8_t prefd = sp->spidx.prefd;
+       if (sp->spidx.dst.ss_family == AF_INET6 &&
+               iph2->nat64_prefix.length) {
+               memset(&v4_address, 0, sizeof(v4_address));
+               v4_address.sin_len = sizeof(struct sockaddr_in);
+               v4_address.sin_family = AF_INET;
+               v4_address.sin_port = ((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_port;
+               nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_addr, &v4_address.sin_addr);
+
+               dstaddr = ALIGNED_CAST(struct sockaddr_storage *)&v4_address;
+               prefd = 32;
+       }
+       iph2->id_p = ipsecdoi_sockaddr2id(dstaddr,
+                                                                         prefd, sp->spidx.ul_proto);
        if (iph2->id_p == NULL) {
                plog(ASL_LEVEL_ERR, 
                        "failed to get ID for %s\n",
@@ -4009,7 +4051,7 @@ ipsecdoi_setid2(iph2)
                VPTRINIT(iph2->id);
                return -1;
        }
-       plogdump(ASL_LEVEL_DEBUG, iph2->id->v, iph2->id->l, "use remote ID type %s\n",
+       plogdump(ASL_LEVEL_DEBUG, iph2->id_p->v, iph2->id_p->l, "use remote ID type %s\n",
                         s_ipsecdoi_ident((ALIGNED_CAST(struct ipsecdoi_id_b *)iph2->id_p->v)->type));
 
        return 0;
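Review bot: In the ipsecdoi_setid2 remote-side hunk the return value of nw_nat64_extract_v4 is ignored, so when the extraction fails the peer ID is built from the zeroed `v4_address.sin_addr` and the SA is negotiated with a remote ID of 0.0.0.0/32 with nothing logged; the helper added to handler.c in this same commit does check that return. The failure should take the existing error path, releasing the local ID the way the `id_p == NULL` branch below does: `if (!nw_nat64_extract_v4(&iph2->nat64_prefix, &((struct sockaddr_in6 *)&sp->spidx.dst)->sin6_addr, &v4_address.sin_addr)) { plog(ASL_LEVEL_ERR, "failed to extract IPv4 from NAT64 remote address\n"); VPTRINIT(iph2->id); return -1; }`. In the local-side hunk the source rewrite is keyed on `sp->spidx.dst.ss_family` and `sp->spidx.src` is read as a sockaddr_in6 without checking its own family, which is fine only if both ends of a policy always share a family — worth a comment. The extra brace pair wrapped around the new block in ipsecdoi_setid1 adds nothing and can be dropped.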
index 8a4090542b423126c560e01fee4f1b75479c38a0..d7d69417c2e58200f95ec85c2b0f3274da279695 100644 (file)
@@ -715,7 +715,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka
 /* new negotiation of phase 1 for initiator */
 int
 ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct sockaddr_storage *remote, 
-                 struct sockaddr_storage *local, int started_by_api)
+                 struct sockaddr_storage *local, int started_by_api, nw_nat64_prefix_t *nat64_prefix)
 {
 
        phase1_handle_t *iph1;
@@ -740,6 +740,9 @@ ikev1_ph1begin_i(ike_session_t *session, struct remoteconf *rmconf, struct socka
     retain_rmconf(iph1->rmconf);
        iph1->side = INITIATOR;
        iph1->started_by_api = started_by_api;
+       if (nat64_prefix != NULL) {
+               memcpy(&iph1->nat64_prefix, nat64_prefix, sizeof(*nat64_prefix));
+       }
        iph1->version = ISAKMP_VERSION_NUMBER_IKEV1;
        iph1->msgid = 0;
        iph1->flags = 0;
@@ -978,6 +981,7 @@ ikev1_ph2begin_i(phase1_handle_t *iph1, phase2_handle_t *iph2)
 #endif
 
        iph2->is_dying = 0;
+       memcpy(&iph2->nat64_prefix, &iph1->nat64_prefix, sizeof(iph2->nat64_prefix));
        fsm_set_state(&iph2->status, IKEV1_STATE_QUICK_I_START);
 
        IPSECLOGASLMSG("IPSec Phase 2 started (Initiated by me).\n");
@@ -1080,6 +1084,7 @@ ikev1_ph2begin_r(phase1_handle_t *iph1, vchar_t *msg)
        if (ike_session_link_ph2_to_ph1(iph1, iph2))
         return -1;    
        iph2->is_dying = 0;
+       memcpy(&iph2->nat64_prefix, &iph1->nat64_prefix, sizeof(iph2->nat64_prefix));
 
        plog(ASL_LEVEL_DEBUG, "===\n");
     {
@@ -1476,7 +1481,16 @@ isakmp_open(void)
 
                /* receive my interface address on inbound packets. */
                switch (p->addr->ss_family) {
-               case AF_INET:
+               case AF_INET: {
+                       int ifindex = if_nametoindex(p->ifname);
+                       if (ifindex != 0 &&
+                               setsockopt(p->sock, IPPROTO_IP,
+                                                  IP_BOUND_IF, &ifindex, sizeof(ifindex)) < 0) {
+                               plog(ASL_LEVEL_ERR,
+                                        "setsockopt IP_BOUND_IF (%s)\n",
+                                        strerror(errno));
+                               goto err_and_next;
+                       }
                        if (setsockopt(p->sock, IPPROTO_IP,
                                       IP_RECVDSTADDR,
                                        (const void *)&yes, sizeof(yes)) < 0) {
@@ -1486,13 +1500,23 @@ isakmp_open(void)
                                goto err_and_next;
                        }
                        break;
+               }
 #ifdef INET6
-               case AF_INET6:
+               case AF_INET6: {
 #ifdef INET6_ADVAPI
                        pktinfo = IPV6_RECVPKTINFO;
 #else
                        pktinfo = IPV6_RECVDSTADDR;
 #endif
+                       int ifindex = if_nametoindex(p->ifname);
+                       if (ifindex != 0 &&
+                               setsockopt(p->sock, IPPROTO_IPV6,
+                                                  IPV6_BOUND_IF, &ifindex, sizeof(ifindex)) < 0) {
+                                       plog(ASL_LEVEL_ERR,
+                                                "setsockopt IPV6_BOUND_IF (%s)\n",
+                                                strerror(errno));
+                                       goto err_and_next;
+                               }
                        if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
                                        (const void *)&yes, sizeof(yes)) < 0)
                        {
@@ -1502,6 +1526,7 @@ isakmp_open(void)
                                goto err_and_next;
                        }
                        break;
+               }
 #endif
                }
 
@@ -2084,7 +2109,7 @@ int               ignore_sess_drop_policy;
         plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n");
 
                /* start phase 1 negotiation as a initiator. */
-               if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) {
+               if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) {
                        plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n");
                }
                iph1->is_rekey = TRUE;
@@ -2154,7 +2179,7 @@ phase1_handle_t *iph1;
                plog(ASL_LEVEL_DEBUG, "begin Phase 1 rekey retry.\n");
 
                /* start phase 1 negotiation as a initiator. */
-               if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) {
+               if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0, &iph1->nat64_prefix) < 0) {
                        plog(ASL_LEVEL_DEBUG, "Phase 1 rekey retry Failed.\n");
                        return -1;
                }
@@ -2368,7 +2393,7 @@ isakmp_post_acquire(phase2_handle_t *iph2)
                        return 0;
                }
                
-               if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
+               if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, &iph2->nat64_prefix) < 0) {
                        plog(ASL_LEVEL_INFO,
                                 "Request for Phase 1 failed. Will try later.\n");
                }
@@ -2519,7 +2544,7 @@ isakmp_chkph1there(iph2)
                struct remoteconf *rmconf = getrmconf(iph2->dst);
                /* start phase 1 negotiation as a initiator. */
                if (rmconf) {
-                       if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
+                       if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0, iph1 != NULL ? &iph1->nat64_prefix : NULL) < 0) {
                                plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
                        }
                } else if (rmconf == NULL) {
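Review bot: In the isakmp_open hunks an `if_nametoindex(p->ifname)` result of 0 silently skips the IP_BOUND_IF / IPV6_BOUND_IF binding, so a listener whose interface name cannot be resolved quietly falls back to being reachable on any interface; if that fallback is intended for an empty ifname a comment should say so, and otherwise it should at least be visible, e.g. `if (ifindex == 0) plog(ASL_LEVEL_NOTICE, "if_nametoindex(%s) failed, not binding to interface\n", p->ifname);`. The AF_INET6 branch's error block is indented one level deeper than its AF_INET twin. In isakmp_chkph1there the new call passes `iph1 != NULL ? &iph1->nat64_prefix : NULL` while isakmp_post_acquire passes `&iph2->nat64_prefix`; iph2 is in scope in both, and ikev1_ph2begin_i/_r copy the prefix from iph1 into iph2, so `&iph2->nat64_prefix` would be the consistent choice. The functions touched by these hunks all start and end outside them.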
index f90ac07da7a8df262bf63e97a2d418c74b255e2b..ea0e34bae95527e944c02a82f9363a051879929a 100644 (file)
@@ -198,6 +198,7 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0)
        u_int8_t np;
        int encrypted;
        int flag = 0;
+       int disconnect = 0;
 
        plog(ASL_LEVEL_DEBUG, "receive Information.\n");
 
@@ -348,6 +349,7 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0)
                  (iph1->side == RESPONDER && iph1->status == IKEV1_STATE_AGG_R_MSG3RCVD))) {
                     break;
                 }
+                       /*FALLTHRU*/
                case ISAKMP_ETYPE_IDENT:
             if (!FSM_STATE_IS_ESTABLISHED(iph1->status) &&
                 ((iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_IDENT_I_MSG5SENT
@@ -357,9 +359,16 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0)
                        }
                        /*FALLTHRU*/
                default:
+            if ((np == ISAKMP_NPTYPE_NONE) && 
+                !FSM_STATE_IS_ESTABLISHED(iph1->status) &&
+                (iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_AGG_I_MSG1SENT))) {
+                // proposal rejected by peer, terminate now.
+                disconnect = 1;
+            }
                        plog(ASL_LEVEL_ERR,
-                               "%s message must be encrypted\n",
-                               s_isakmp_nptype(np));
+                               "%s message must be encrypted, status 0x%x, side %d\n",
+                               s_isakmp_nptype(np), iph1->status, iph1->side);
                        error = 0;
                        goto end;
                }
@@ -379,6 +388,16 @@ isakmp_info_recv(phase1_handle_t *iph1, vchar_t *msg0)
                        /* Handled above */
                        break;
                case ISAKMP_NPTYPE_N:
+                       if ((ntohs(((struct isakmp_pl_n *)pa->ptr)->type) == ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN) &&
+                           !FSM_STATE_IS_ESTABLISHED(iph1->status) &&
+                           (iph1->side == INITIATOR && (iph1->status == IKEV1_STATE_AGG_I_MSG1SENT))) {
+                               // proposal rejected by peer, terminate now.
+                               disconnect = 1;
+                               plog(ASL_LEVEL_ERR,
+                                    "%s message with %s notification receveid, status 0x%x, side %d\n",
+                                    s_isakmp_nptype(np), s_isakmp_notify_msg(ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN), iph1->status, iph1->side);
+                               break;
+                       }
                        error = isakmp_info_recv_n(iph1,
                                (struct isakmp_pl_n *)pa->ptr,
                                msgid, encrypted);
@@ -424,6 +443,17 @@ end:
                vfree(msg);
        if (pbuf != NULL)
                vfree(pbuf);
+       if (disconnect) {
+               ike_session_t *session = NULL;
+
+               if (session = iph1->parent_session) {
+                       gettimeofday(&session->stop_timestamp, NULL);
+                       if (!session->term_reason) {
+                               session->term_reason = ike_session_stopped_by_peer;
+                       }
+                       ike_session_purge_ph1s_by_session(session);
+               }
+       }
        return error;
 }
 
@@ -556,15 +586,11 @@ isakmp_info_recv_n(phase1_handle_t *iph1, struct isakmp_pl_n *notify, u_int32_t
 static void
 isakmp_info_vpncontrol_notify_ike_failed (phase1_handle_t *iph1, int isakmp_info_initiator, int type, vchar_t *data)
 {
-       u_int32_t address;
+       u_int32_t address = iph1_get_remote_v4_address(iph1);
        u_int32_t fail_reason;
 
        /* notify the API that we have received the delete */
-       if (iph1->remote->ss_family == AF_INET)
-               address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
-       else
-               address = 0;
-       
+
        if (isakmp_info_initiator == FROM_REMOTE) {
                int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
                int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
@@ -1839,11 +1865,6 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted
                        "LOAD-BALANCE notification ignored - we are not the initiator.\n");
                return 0;
        }
-       if (iph1->remote->ss_family != AF_INET) {
-               plog(ASL_LEVEL_DEBUG, 
-                       "LOAD-BALANCE notification ignored - only supported for IPv4.\n");
-               return 0;
-       }
        if (!encrypted) {
                plog(ASL_LEVEL_DEBUG, 
                        "LOAD-BALANCE notification ignored - not protected.\n");
@@ -1853,9 +1874,10 @@ isakmp_info_recv_lb(phase1_handle_t *iph1, struct isakmp_pl_lb *n, int encrypted
                plog(ASL_LEVEL_DEBUG, 
                        "Invalid length of payload\n");
                return -1;
-       }       
+       }
+
        vpncontrol_notify_ike_failed(ISAKMP_NTYPE_LOAD_BALANCE, FROM_REMOTE,
-               ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 4, (u_int8_t*)(&(n->address)));
+               iph1_get_remote_v4_address(iph1), 4, (u_int8_t*)(&(n->address)));
        
        plog(ASL_LEVEL_NOTICE,
                        "Received LOAD_BALANCE notification.\n");
@@ -2011,18 +2033,12 @@ isakmp_info_send_r_u(void *arg)
     }
 
        if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
-               u_int32_t address;
-
                IPSECSESSIONTRACEREVENT(iph1->parent_session,
                                                                IPSECSESSIONEVENTCODE_IKEV1_DPD_MAX_RETRANSMIT,
                                                                CONSTSTR("DPD maximum retransmits"),
                                                                CONSTSTR("maxed-out of DPD requests without receiving an ack"));
 
-               if (iph1->remote->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
-               else
-                       address = 0;
-               (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, address, 0, NULL);
+               (void)vpncontrol_notify_ike_failed(VPNCTL_NTYPE_PEER_DEAD, FROM_LOCAL, iph1_get_remote_v4_address(iph1), 0, NULL);
 
                purge_remote(iph1);
                plog(ASL_LEVEL_DEBUG,
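Review bot: The teardown block added at the end of isakmp_info_recv uses an assignment as the condition, `if (session = iph1->parent_session)`, which reads like a typo for `==` and trips -Wparentheses; write `session = iph1->parent_session;` followed by `if (session != NULL) {`. Both places that set `disconnect = 1` act on a message that either failed the must-be-encrypted check or carries a NO_PROPOSAL_CHOSEN notification while the Phase 1 is still at AGG_I_MSG1SENT, i.e. from a peer that has not yet authenticated; that is inherent to an aggressive-mode rejection, but a comment such as `/* peer is unauthenticated here: only our own pending Phase 1s are torn down, never established state */` keeps the condition from being loosened later. The notify-branch log text misspells "received" as `receveid`. isakmp_info_recv starts before its first hunk.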
index d3d60a53af9b9e0f29a04bf75679db75d49494a3..8a4993dd9391639a49215a6bdbb36fe98518b2f6 100644 (file)
@@ -35,6 +35,7 @@
 #include "vmbuf.h"
 #include "racoon_types.h"
 #include <schedule.h>
+#include <network/nat64.h>
 
 #define PORT_ISAKMP 500
 #define PORT_ISAKMP_NATT 4500
@@ -62,7 +63,7 @@ struct isakmp_pl_nonce;       /* XXX */
 
 extern void isakmp_handler (int);
 extern int ikev1_ph1begin_i (ike_session_t *session, struct remoteconf *, struct sockaddr_storage *,
-       struct sockaddr_storage *, int);
+       struct sockaddr_storage *, int, nw_nat64_prefix_t *);
 extern int get_sainfo_r (phase2_handle_t *);
 extern int get_proposal_r (phase2_handle_t *);
 
index ab4855f172ac19ff2a9514b55b7004ae02e1521e..d2e8d02d4ae0037b19b09ed1d591185922b5b972 100644 (file)
@@ -816,9 +816,9 @@ isakmp_xauth_set(iph1, attr)
                                                                        CONSTSTR("Xauth Failed (status not ok)"));
                        plog(ASL_LEVEL_ERR, 
                            "Xauth authentication failed\n");
-                               
+
                        vpncontrol_notify_ike_failed(VPNCTL_NTYPE_AUTHENTICATION_FAILED, FROM_LOCAL,
-                               ((struct sockaddr_in*)iph1->remote)->sin_addr.s_addr, 0, NULL);
+                               iph1_get_remote_v4_address(iph1), 0, NULL);
 
                        iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
 
index c2284daa7574255748a9d2fde18eb6a08c56719a..e1489cc8a48b46d1ee3e7bd4dd1a72aa4685c2c3 100644 (file)
@@ -36,6 +36,7 @@
 #include <vproc.h>
 #endif
 #include <dispatch/dispatch.h>
+#include <network/nat64.h>
 #include "vmbuf.h"
 #include "ipsec_doi.h"
 
@@ -83,6 +84,7 @@ struct vpnctl_socket_elem {
 struct bound_addr {
        LIST_ENTRY(bound_addr) chain;
        u_int32_t       address;
+       nw_nat64_prefix_t nat64_prefix;
        vchar_t         *user_id;
        vchar_t         *user_pw;
        vchar_t         *version;       /* our version string - if present */
index 6fbd8329bb936466ffa911adfe8784a43451776b..dc9f4fed7ca98a8b4dd9092dbb7af3af61f68486 100644 (file)
@@ -1626,19 +1626,14 @@ oakley_vpncontrol_notify_ike_failed_if_mycert_invalid (phase1_handle_t *iph1, in
        int premature = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_PREMATURE);
        int expired = oakley_find_status_in_certchain(iph1->cert, CERT_STATUS_EXPIRED);
        if (premature || expired) {
-               u_int32_t address;
                u_int32_t fail_reason;
 
-               if (iph1->remote->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)(iph1->remote))->sin_addr.s_addr;
-               else
-                       address = 0;
                if (premature) {
                        fail_reason = VPNCTL_NTYPE_LOCAL_CERT_PREMATURE;
                } else {
                        fail_reason = VPNCTL_NTYPE_LOCAL_CERT_EXPIRED;
                }
-               vpncontrol_notify_ike_failed(fail_reason, notify_initiator, address, 0, NULL);
+               vpncontrol_notify_ike_failed(fail_reason, notify_initiator, iph1_get_remote_v4_address(iph1), 0, NULL);
                return -1;
        }
 #endif /* TARGET_OS_EMBEDDED */
index 63c61dd94dc897e203f7745e19378bf780dfa4e0..009acf020bd0c3d13fb9e91e301a2c8e13aa94b6 100644 (file)
@@ -1618,12 +1618,6 @@ pk_recvadd(mhp)
        
 #ifdef ENABLE_VPNCONTROL_PORT
                {
-                       u_int32_t address;
-                       
-                       if (iph2->dst->ss_family == AF_INET)
-                               address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
-                       else
-                               address = 0;
                        vpncontrol_notify_phase_change(0, FROM_LOCAL, NULL, iph2);
                }       
 #endif
@@ -1904,6 +1898,7 @@ pk_recvacquire(mhp)
 
        iph2->satype = msg->sadb_msg_satype;
        iph2->seq = msg->sadb_msg_seq;
+       vpncontrol_set_nat64_prefix(&iph2->nat64_prefix);
        /* set end addresses of SA */
                                                 // Wcast_align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer
        iph2->src = dupsaddr(ALIGNED_CAST(struct sockaddr_storage *)PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
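Review bot: In the pk_recvacquire hunk the return value of `vpncontrol_set_nat64_prefix(&iph2->nat64_prefix)` is discarded, whereas remoteconf.c in this same commit treats that return as a success flag; what the callee leaves in the prefix on failure is not visible here, and every later consumer keys on `iph2->nat64_prefix.length` being zero for "no NAT64". Unless the callee guarantees a zero-length prefix on failure, clear it explicitly, `if (!vpncontrol_set_nat64_prefix(&iph2->nat64_prefix)) memset(&iph2->nat64_prefix, 0, sizeof(iph2->nat64_prefix));`; if it does, a comment saying the result is intentionally ignored would do. The first hunk only removes the unused `address` computation, which is fine. pk_recvacquire starts and ends outside the hunk.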
index aea9b0b09ea6397c5cf56fe2ccfce441aef5297d..3fca30285587707d0d727affdc4b841760a1535c 100644 (file)
@@ -80,6 +80,7 @@
 #include "nattraversal.h"
 #include "isakmp_frag.h"
 #include "genlist.h"
+#include "vpn_control_var.h"
 
 static TAILQ_HEAD(_rmtree, remoteconf) rmtree;
 
@@ -244,7 +245,28 @@ struct remoteconf *
 getrmconf(remote)
        struct sockaddr_storage *remote;
 {
-       return getrmconf_strict(remote, 1);
+       struct remoteconf *rmconf = getrmconf_strict(remote, 1);
+       if (rmconf != NULL) {
+               return rmconf;
+       }
+       if (remote->ss_family == AF_INET6) {
+               struct sockaddr_in v4dst;
+               v4dst.sin_family = AF_INET;
+               v4dst.sin_len = sizeof(struct sockaddr_in);
+               v4dst.sin_port = 0;
+
+               nw_nat64_prefix_t nat64_prefix;
+               if (vpncontrol_set_nat64_prefix(&nat64_prefix)) {
+                       nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr);
+
+                       rmconf = getrmconf(ALIGNED_CAST(struct sockaddr_storage *)&v4dst);
+                       if (rmconf != NULL) {
+                               return rmconf;
+                       }
+               }
+       }
+
+       return NULL;
 }
 
 struct remoteconf *
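Review bot: In getrmconf the result of nw_nat64_extract_v4 is not checked, so when the extraction fails `v4dst.sin_addr` holds whatever was on the stack and that value is used to look up a remote configuration; matching a peer against an unrelated rmconf entry, with whatever authentication settings it carries, is a worse outcome than a failed lookup. Fold the extraction into the condition, `if (vpncontrol_set_nat64_prefix(&nat64_prefix) && nw_nat64_extract_v4(&nat64_prefix, &((struct sockaddr_in6 *)remote)->sin6_addr, &v4dst.sin_addr)) {`, and zero the struct first with `memset(&v4dst, 0, sizeof(v4dst));` so sin_zero is defined. The recursive `getrmconf(...)` on the synthesized address terminates because that call takes the AF_INET path, which a one-line comment should say. The old-style parameter declaration and the mid-block declarations are two styles inside one function.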
index 33222c5c800bede98dcdaf33ebccbbadaae4e0e6..2bb1bef7c4bf6f9e2925f5e5703adc5d192c1f3c 100644 (file)
@@ -363,7 +363,7 @@ struct sockaddr_storage *
 getlocaladdr(struct sockaddr *remote)
 {
        struct sockaddr_storage *local;
-       u_int local_len = sizeof(struct sockaddr);
+       u_int local_len = sizeof(struct sockaddr_storage);
        int s;  /* for dummy connection */
 
        /* allocate buffer */
index 29f6aef174de4ac0aa475d8862962486570f0b8a..054842946783148685f3bba09e821e9b77c0ddd5 100644 (file)
@@ -132,7 +132,7 @@ vpn_connect(struct bound_addr *srv, int oper)
                goto out;
        ((struct sockaddr_in *)(dst))->sin_len = sizeof(struct sockaddr_in);
        ((struct sockaddr_in *)(dst))->sin_family = AF_INET;
-       ((struct sockaddr_in *)(dst))->sin_port = 500;
+       ((struct sockaddr_in *)(dst))->sin_port = PORT_ISAKMP;
        ((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address;
 
        /* find appropreate configuration */
@@ -156,7 +156,15 @@ vpn_connect(struct bound_addr *srv, int oper)
                plog(ASL_LEVEL_ERR, "cannot get local address\n");
                goto out1;
        }
-       
+
+       if (srv->nat64_prefix.length > 0) {
+               memset(dst, 0, sizeof(*dst));
+               ((struct sockaddr_in6 *)(dst))->sin6_len = sizeof(struct sockaddr_in6);
+               ((struct sockaddr_in6 *)(dst))->sin6_family = AF_INET6;
+               ((struct sockaddr_in6 *)(dst))->sin6_port = PORT_ISAKMP;
+               nw_nat64_synthesize_v6(&srv->nat64_prefix, (struct in_addr *)&srv->address, &((struct sockaddr_in6 *)(dst))->sin6_addr);
+       }
+
        /* get remote IP address and port number. */
        if ((remote = dupsaddr(dst)) == NULL) {
                plog(ASL_LEVEL_ERR, 
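Review bot: The NAT64 block clears `sizeof(*dst)` bytes and then writes a full `struct sockaddr_in6` through `dst`, which is only safe if `dst` was allocated with at least `sizeof(struct sockaddr_in6)` bytes; the allocation is above this hunk and out of view, and until this commit the buffer only ever held a `sockaddr_in`, so its size should be confirmed, because an undersized heap buffer here would be overwritten with control-socket-supplied data. Adding `/* dst must be at least sizeof(struct sockaddr_in6) */` next to the allocation, or allocating `sizeof(struct sockaddr_storage)` explicitly, pins that requirement. Separately, `local` was resolved (at the top of this hunk) for the IPv4 form of `dst` before it is rewritten to IPv6, so the local/remote pair passed on may mix address families; if that is intended, a short comment explaining why would help. `vpn_connect` starts and ends outside this hunk.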
@@ -193,7 +201,7 @@ vpn_connect(struct bound_addr *srv, int oper)
 
        IPSECLOGASLMSG("IPSec connecting to server %s\n",
                                   saddrwop2str((struct sockaddr *)remote));
-       if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0)
+       if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper, &srv->nat64_prefix) < 0)
                goto out1;
        error = 0;
 
@@ -262,7 +270,7 @@ vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt)
        saddr.sin_addr.s_addr = addr->address;
        saddr.sin_port = 0;
        saddr.sin_family = AF_INET;
-       ph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr));
+       ph1 = ike_session_getph1bydstaddrwop(NULL, ALIGNED_CAST(struct sockaddr_storage *)(&saddr));
        if (ph1 == NULL) {
                plog(ASL_LEVEL_ERR,
                        "Cannot start Phase 2 - no Phase 1 found.\n");
@@ -445,11 +453,11 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s
        *msg = NULL;
        msize = 0;
        
-       if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) {
+       /*if (((struct sockaddr_in *)iph1->local)->sin_family != AF_INET) {
                plog(ASL_LEVEL_ERR, 
                        "IPv6 not supported for mode config.\n");
                return -1;
-       }
+       }*/
        
        if (iph1->mode_cfg->attr_list == NULL)
                return 1;       /* haven't received configuration yet */
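Review bot: The IPv6 guard at the top of `vpn_get_config` is commented out rather than removed, leaving dead code in the function; delete the block (history keeps it) or, if IPv6 mode-config remains only partially supported, replace it with a comment stating which fields are left unset for a non-IPv4 local address. The function body continues outside the hunk.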
@@ -474,7 +482,9 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s
        
        (*msg)->hdr.flags = htons(VPNCTL_FLAG_MODECFG_USED);
        params = (struct vpnctl_modecfg_params *)(*msg + 1);
-       params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr;
+       if (((struct sockaddr_in *)iph1->local)->sin_family == AF_INET) {
+               params->outer_local_addr = ((struct sockaddr_in *)iph1->local)->sin_addr.s_addr;
+       }
        params->outer_remote_port = htons(0);
        params->outer_local_port = htons(0);
        ifname_len = strlen(myaddr->ifname);
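Review bot: `params->outer_local_addr` is now written only when the local address is AF_INET, so for an IPv6 local address the field keeps whatever the allocation of `*msg` left in it; that allocation is above this hunk, and unless it zeroes the buffer those bytes are sent out over the control socket. An explicit `else { params->outer_local_addr = 0; }`, or a `memset(params, 0, sizeof(*params));` before the fields are filled, makes the IPv6 case well-defined regardless of how `*msg` is allocated. `vpn_get_config` starts and ends outside this hunk.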
@@ -509,7 +519,7 @@ vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len)
        saddr.sin_addr.s_addr = address;
        saddr.sin_port = 0;
        saddr.sin_family = AF_INET;
-       iph1 = ike_session_getph1bydstaddrwop(NULL, (struct sockaddr_storage *)(&saddr));
+       iph1 = ike_session_getph1bydstaddrwop(NULL, ALIGNED_CAST(struct sockaddr_storage *)(&saddr));
        if (iph1 == NULL) {
                plog(ASL_LEVEL_ERR, 
                        "Cannot reply to xauth request - no ph1 found.\n");
index c26b310c8ac3bb554338157c6e87b7388edf68c9..35be49158c2f3c716f7374be117a8d976f973ee7 100644 (file)
@@ -445,7 +445,21 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
                                }
                        }
                        break;
-                               
+
+               case VPNCTL_CMD_SET_NAT64_PREFIX:
+                       {
+                               struct vpnctl_cmd_set_nat64_prefix *pkt = ALIGNED_CAST(struct vpnctl_cmd_set_nat64_prefix *)combuf;
+                               struct bound_addr *addr;
+                               struct bound_addr *t_addr;
+
+                               plog(ASL_LEVEL_DEBUG,
+                                               "received set v6 prefix of len %u command on vpn control socket, adding to all addresses.\n", pkt->nat64_prefix.length);
+                               LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
+                                       memcpy(&addr->nat64_prefix, &pkt->nat64_prefix, sizeof(addr->nat64_prefix));
+                               }
+                       }
+                       break;
+
                case VPNCTL_CMD_CONNECT:
                        {
                                struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
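Review bot: `pkt->nat64_prefix` is copied into every bound address without checking that the received message actually contains it or that its `length` is a prefix length NAT64 defines; `combuf` comes from the control socket, so unless the caller already verifies the payload size, a check such as `if (ntohs(pkt->hdr.len) < sizeof(pkt->nat64_prefix)) break;` belongs before the `memcpy` (the reply path in this file computes `hdr.len` as payload bytes after the header, which this check assumes). The `length` field should also be validated against the values `nw_nat64_extract_v4` and `nw_nat64_synthesize_v6` accept, unless those functions are known to reject bad lengths themselves, since the value is later used to derive the peer address and hence the remoteconf applied. `vpncontrol_process` starts and ends outside this hunk.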
@@ -550,7 +564,7 @@ vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
                                                daddr.sin_port = 0;
                                                daddr.sin_family = AF_INET;
 
-                                               error = vpn_assert((struct sockaddr_storage *)&saddr, (struct sockaddr_storage *)&daddr);
+                                               error = vpn_assert(ALIGNED_CAST(struct sockaddr_storage *)&saddr, ALIGNED_CAST(struct sockaddr_storage *)&daddr);
                                                break;
 //                                     }
 //                             }
@@ -606,6 +620,23 @@ vpncontrol_reply(int so, char *combuf)
        return 0;
 }
 
+bool
+vpncontrol_set_nat64_prefix(nw_nat64_prefix_t *prefix)
+{
+       struct vpnctl_socket_elem *sock_elem;
+       struct bound_addr *bound_addr;
+
+       LIST_FOREACH(sock_elem, &lcconf->vpnctl_comm_socks, chain) {
+               LIST_FOREACH(bound_addr, &sock_elem->bound_addresses, chain) {
+                       if (bound_addr->nat64_prefix.length != 0) {
+                               memcpy(prefix, &bound_addr->nat64_prefix, sizeof(*prefix));
+                               return true;
+                       }
+               }
+       }
+       return false;
+}
+
 int
 vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len)
 {
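Review bot: `vpncontrol_set_nat64_prefix` is a getter — it copies the first non-zero prefix it finds into `*prefix` and mutates nothing — so the `set_` name misleads at its call site in `getrmconf()`; `vpncontrol_get_nat64_prefix` or `vpncontrol_find_nat64_prefix` would read correctly. It also returns the first prefix from any bound address of any control socket, so a prefix set by one client affects lookups done on behalf of another; if one process-wide prefix is the intended model, a header comment saying so, and stating that the function returns `false` and leaves `*prefix` untouched when none is set, would document the contract.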
@@ -630,11 +661,11 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a
                return -1;
        }
        msg->hdr.flags = 0;
-                               
-       if (iph1->remote->ss_family == AF_INET)
-               address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
-       else
-               goto end;               // for now              
+
+       address = iph1_get_remote_v4_address(iph1);
+       if (address == 0) {
+               goto end;
+       }
 
        msg->hdr.cookie = msg->hdr.reserved = msg->hdr.result = 0;
        msg->hdr.len = htons((msg_size) - sizeof(struct vpnctl_hdr));   
@@ -643,7 +674,7 @@ vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t a
        } else {
                msg->hdr.msg_type = htons(VPNCTL_STATUS_NEED_REAUTHINFO);
        }
-       msg->address = address;
+       msg->address = iph1_get_remote_v4_address(iph1);
        ptr = msg + 1;
        memcpy(ptr, attr_list, attr_len);
 
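Review bot: `msg->address = iph1_get_remote_v4_address(iph1);` recomputes a value that `address` already holds from the earlier hunk in this function (the `if (address == 0) goto end;` check a few lines above); `msg->address = address;` avoids the second lookup and makes it obvious the two are the same value. The start of `vpncontrol_notify_need_authinfo` and its `end:` label are outside the hunk.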
@@ -767,19 +798,21 @@ vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1,
                return -1;
        }
        if (iph1) {
-               if (iph1->remote->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
-               else
-                       goto end;               // for now              
+               address = iph1_get_remote_v4_address(iph1);
+               if (address == 0) {
+                       plog(ASL_LEVEL_ERR, "bad address for ph1 status change.\n");
+                       goto end;
+               }
                msg->hdr.msg_type = htons(start ? 
                        (from == FROM_LOCAL ? VPNCTL_STATUS_PH1_START_US : VPNCTL_STATUS_PH1_START_PEER) 
                        : VPNCTL_STATUS_PH1_ESTABLISHED);
                // TODO: indicate version
        } else {
-               if (iph2->dst->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
-               else
-                       goto end;               // for now
+               address = iph2_get_remote_v4_address(iph2);
+               if (address == 0) {
+                       plog(ASL_LEVEL_ERR, "bad address for ph2 status change.\n");
+                       goto end;
+               }
                msg->hdr.msg_type = htons(start ? VPNCTL_STATUS_PH2_START : VPNCTL_STATUS_PH2_ESTABLISHED);
                // TODO: indicate version
        }
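Review bot: A peer whose remote address cannot be mapped to IPv4, which the old code skipped silently, now logs at `ASL_LEVEL_ERR` on every phase change in both the ph1 and ph2 branches; if such peers are still legitimate (the helpers are out of view, and the removed comment said "for now"), the message should use a lower level or name the actual condition, e.g. `"no IPv4-mappable remote address for ph1 status change, skipping notification\n"`. `vpncontrol_notify_phase_change` starts and ends outside the hunk.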
@@ -851,43 +884,29 @@ vpncontrol_notify_peer_resp (u_int16_t notify_code, u_int32_t address)
 int
 vpncontrol_notify_peer_resp_ph1 (u_int16_t notify_code, phase1_handle_t *iph1)
 {
-       u_int32_t address;
-       int       rc;
-
        if (iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp) {
-               if (iph1->remote->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)iph1->remote)->sin_addr.s_addr;
-               else
-                       address = 0;
+               int rc;
+               if ((rc = vpncontrol_notify_peer_resp(notify_code, iph1_get_remote_v4_address(iph1))) == 0) {
+                       iph1->parent_session->controller_awaiting_peer_resp = 0;
+               }
+               return rc;
        } else {
                return 0;
        }
-
-       if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
-               iph1->parent_session->controller_awaiting_peer_resp = 0;
-       }
-       return rc;
 }
        
 int
 vpncontrol_notify_peer_resp_ph2 (u_int16_t notify_code, phase2_handle_t *iph2)
 {
-       u_int32_t address;
-       int       rc;
-
        if (iph2 && iph2->parent_session && iph2->parent_session->controller_awaiting_peer_resp) {
-               if (iph2->dst->ss_family == AF_INET)
-                       address = ((struct sockaddr_in *)iph2->dst)->sin_addr.s_addr;
-               else
-                       address = 0;
+               int rc;
+               if ((rc = vpncontrol_notify_peer_resp(notify_code, iph2_get_remote_v4_address(iph2))) == 0) {
+                       iph2->parent_session->controller_awaiting_peer_resp = 0;
+               }
+               return rc;
        } else {
                return 0;
        }
-
-       if ((rc = vpncontrol_notify_peer_resp(notify_code, address)) == 0) {
-               iph2->parent_session->controller_awaiting_peer_resp = 0;
-       }
-       return rc;
 }
 
 int
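Review bot: Both `vpncontrol_notify_peer_resp_ph1` and `vpncontrol_notify_peer_resp_ph2` now wrap the whole body in `if (...) { ... return rc; } else { return 0; }`; a guard clause `if (!(iph1 && iph1->parent_session && iph1->parent_session->controller_awaiting_peer_resp)) return 0;` followed by the flat body reads better and keeps the early-return shape the old code had. Behaviour is the same either way.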
index 54144e5bc1633e9aa78d883644c78d9175d8d8e9..33c18a23092777eb4f3b3a986574c932ca638da2 100644 (file)
@@ -56,6 +56,7 @@
 
 #include "algorithm_types.h"
 #include <net/if.h>
+#include <network/nat64.h>
 
 #define VPNCONTROLSOCK_PATH ADMINPORTDIR "/vpncontrol.sock"
 
@@ -83,6 +84,7 @@ extern mode_t vpncontrolsock_mode;
 #define VPNCTL_CMD_START_DPD                   0x0015
 #define VPNCTL_CMD_ASSERT                              0x0016
 #define VPNCTL_CMD_RECONNECT                   0x0017
+#define VPNCTL_CMD_SET_NAT64_PREFIX            0x0018
 #define VPNCTL_STATUS_IKE_FAILED               0x8001
 #define VPNCTL_STATUS_PH1_START_US             0x8011
 #define VPNCTL_STATUS_PH1_START_PEER   0x8012
@@ -201,11 +203,16 @@ struct vpnctl_cmd_unbind {
 
 
 /* connect to specified address */
-struct vpnctl_cmd_connect{
+struct vpnctl_cmd_connect {
        struct vpnctl_hdr               hdr;
        u_int32_t                               address;
 };
 
+struct vpnctl_cmd_set_nat64_prefix {
+       struct vpnctl_hdr               hdr;
+       nw_nat64_prefix_t               nat64_prefix;
+};
+
 struct vpnctl_sa_selector {
        u_int32_t               src_tunnel_address;
        u_int32_t               src_tunnel_mask;
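Review bot: `struct vpnctl_cmd_set_nat64_prefix` embeds `nw_nat64_prefix_t`, an SDK type, directly in a message that crosses the control socket, so that type's size and layout become part of the wire protocol and any change to it silently breaks older clients or daemons; a comment on the struct stating the byte length and field order expected on the wire, or a fixed-layout copy of the fields, would make the dependency explicit. Whether this header packs its message structs is not visible here.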
index e5b681c2870b99cb1be0908b92bd8598462a9a97..ee9b47fc73e9d94f5885c80cfcb3bad5dc97e8dc 100644 (file)
@@ -79,5 +79,6 @@ extern int vpncontrol_notify_need_authinfo (phase1_handle_t *, void*, size_t);
 extern int vpncontrol_notify_peer_resp_ph1 (u_int16_t, phase1_handle_t*);
 extern int vpncontrol_notify_peer_resp_ph2 (u_int16_t, phase2_handle_t*);
 extern int vpn_assert (struct sockaddr_storage *, struct sockaddr_storage *);
+extern bool vpncontrol_set_nat64_prefix(nw_nat64_prefix_t *prefix);
 
 #endif /* _VPN_CONTROL_VAR_H */
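Review bot: The new prototype names its parameter and omits the space before the parameter list, unlike its neighbours; `extern bool vpncontrol_set_nat64_prefix (nw_nat64_prefix_t *);` keeps the header consistent. `bool` also requires `<stdbool.h>` to be in scope for every includer; if this header does not already pull it in, add the include here rather than relying on callers.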
index 1aa91c10cd88b56eb1359875816f39b77cd7b95f..44cb4da3a7ba8d0926d20f7ea709f3a5d09f529b 100644 (file)
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
                                COPY_PHASE_STRIP = NO;
                                CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
                                COPY_PHASE_STRIP = NO;
                                CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_64_BIT)";
                                COPY_PHASE_STRIP = NO;
                                CURRENT_PROJECT_VERSION = "$(CURRENT_PROJECT_VERSION)";
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LEXFLAGS = "";
                                OTHER_CFLAGS = (
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = macosx.internal;
                                SECTORDER_FLAGS = "";
                                SKIP_INSTALL = YES;
                                WARNING_CFLAGS = (
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                OTHER_CFLAGS = (
                                        "$(OTHER_CFLAGS_QUOTED_1)",
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = macosx.internal;
                                SECTORDER_FLAGS = "";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                OTHER_CFLAGS = (
                                        "$(OTHER_CFLAGS_QUOTED_1)",
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = macosx.internal;
                                SECTORDER_FLAGS = "";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                        buildSettings = {
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = macosx.internal;
                        };
                        name = Development;
                };
                        buildSettings = {
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = macosx.internal;
                        };
                        name = Deployment;
                };
                        buildSettings = {
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = macosx.internal;
                        };
                        name = Default;
                };
                        isa = XCBuildConfiguration;
                        buildSettings = {
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = iphoneos.internal;
                        };
                        name = Development;
                };
                        isa = XCBuildConfiguration;
                        buildSettings = {
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = iphoneos.internal;
                        };
                        name = Deployment;
                };
                        isa = XCBuildConfiguration;
                        buildSettings = {
                                PRODUCT_NAME = "$(TARGET_NAME)";
+                               SDKROOT = iphoneos.internal;
                        };
                        name = Default;
                };
                                PRODUCT_NAME = "IPSec Embedded (Aggregate)";
                                SECTORDER_FLAGS = "";
                                SKIP_INSTALL = NO;
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                                PRODUCT_NAME = "IPSec Embedded (Aggregate)";
                                SECTORDER_FLAGS = "";
                                SKIP_INSTALL = NO;
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                                PRODUCT_NAME = "IPSec Embedded (Aggregate)";
                                SECTORDER_FLAGS = "";
                                SKIP_INSTALL = NO;
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "$(inherited)";
-                               ALTERNATE_OWNER = "$(inherited)";
-                               ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LEXFLAGS = "";
                                OTHER_CFLAGS = (
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = iphoneos.internal;
                                SECTORDER_FLAGS = "";
                                SKIP_INSTALL = YES;
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "$(inherited)";
-                               ALTERNATE_OWNER = "$(inherited)";
-                               ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                OTHER_CFLAGS = (
                                        "$(OTHER_CFLAGS_QUOTED_1)",
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = iphoneos.internal;
                                SECTORDER_FLAGS = "";
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "$(inherited)";
-                               ALTERNATE_OWNER = "$(inherited)";
-                               ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements.plist";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                OTHER_CFLAGS = (
                                        "$(OTHER_CFLAGS_QUOTED_1)",
                                OTHER_LDFLAGS = "";
                                OTHER_REZFLAGS = "";
                                PRODUCT_NAME = racoon;
+                               SDKROOT = iphoneos.internal;
                                SECTORDER_FLAGS = "";
+                               SUPPORTED_PLATFORMS = "iphonesimulator iphoneos";
                                WARNING_CFLAGS = (
                                        "-Wmost",
                                        "-Wno-four-char-constants",
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/sbin;
                                LIBRARY_SEARCH_PATHS = "";
                                MACH_O_TYPE = mh_execute;
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;
                        buildSettings = {
                                ALTERNATE_GROUP = "$(inherited)";
                                ALTERNATE_MODE = "";
-                               ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_32_BIT)";
                                CODE_SIGN_IDENTITY = "";
                                COPY_PHASE_STRIP = NO;
                                );
                                INSTALL_GROUP = wheel;
                                INSTALL_MODE_FLAG = 555;
-                               INSTALL_OWNER = root;
                                INSTALL_PATH = /usr/lib;
                                LEXFLAGS = "$(LEXFLAGS) -P__libipsec";
                                PRODUCT_NAME = ipsec.A;