ipsec-286.1.1.tar.gz os-x-1010 os-x-10101 os-x-10102 os-x-10103 os-x-10104 os-x-10105 v286.1.1
authorApple <opensource@apple.com>
Fri, 24 Oct 2014 18:05:41 +0000 (18:05 +0000)
committerApple <opensource@apple.com>
Fri, 24 Oct 2014 18:05:41 +0000 (18:05 +0000)
56 files changed:
entitlements-mac.plist [new file with mode: 0644]
entitlements.plist
ipsec-tools/Common/config.h
ipsec-tools/Common/key_debug.c
ipsec-tools/Common/pfkey.c
ipsec-tools/Common/pfkey_dump.c
ipsec-tools/racoon/algorithm.c
ipsec-tools/racoon/algorithm.h
ipsec-tools/racoon/algorithm_types.h
ipsec-tools/racoon/api_support.h
ipsec-tools/racoon/cfparse.y
ipsec-tools/racoon/cftoken.l
ipsec-tools/racoon/eap.c [deleted file]
ipsec-tools/racoon/eap.h [deleted file]
ipsec-tools/racoon/eap_aka.c [deleted file]
ipsec-tools/racoon/eap_sim.c [deleted file]
ipsec-tools/racoon/eap_sim.h [deleted file]
ipsec-tools/racoon/fsm.c
ipsec-tools/racoon/fsm.h
ipsec-tools/racoon/grabmyaddr.c
ipsec-tools/racoon/handler.c
ipsec-tools/racoon/handler.h
ipsec-tools/racoon/ike_session.c
ipsec-tools/racoon/ike_session.h
ipsec-tools/racoon/ikev2_ike_sa_rfc.c [deleted file]
ipsec-tools/racoon/ikev2_ike_sa_rfc.h [deleted file]
ipsec-tools/racoon/ikev2_info_rfc.c [deleted file]
ipsec-tools/racoon/ikev2_info_rfc.h [deleted file]
ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c [deleted file]
ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h [deleted file]
ipsec-tools/racoon/ikev2_rfc.c [deleted file]
ipsec-tools/racoon/ikev2_rfc.h [deleted file]
ipsec-tools/racoon/ikev2_sessresume_rfc.c [deleted file]
ipsec-tools/racoon/ikev2_sessresume_rfc.h [deleted file]
ipsec-tools/racoon/ipsec_doi.c
ipsec-tools/racoon/ipsec_interface.c [deleted file]
ipsec-tools/racoon/ipsec_interface.h [deleted file]
ipsec-tools/racoon/isakmp.c
ipsec-tools/racoon/isakmp_cfg.c
ipsec-tools/racoon/isakmp_inf.c
ipsec-tools/racoon/main.c
ipsec-tools/racoon/oakley.c
ipsec-tools/racoon/oakley.h
ipsec-tools/racoon/pfkey_racoon.c
ipsec-tools/racoon/plog.c
ipsec-tools/racoon/proposal.c
ipsec-tools/racoon/proposal.h
ipsec-tools/racoon/racoon_types.h
ipsec-tools/racoon/remoteconf.c
ipsec-tools/racoon/remoteconf.h
ipsec-tools/racoon/session.c
ipsec-tools/racoon/strnames.c
ipsec-tools/racoon/vpn.c
ipsec-tools/racoon/vpn_control.c
ipsec.xcodeproj/project.pbxproj
racoon.sb

diff --git a/entitlements-mac.plist b/entitlements-mac.plist
new file mode 100644 (file)
index 0000000..4651ae6
--- /dev/null
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>com.apple.private.nehelper.privileged</key>
+       <true/>
+</dict>
+</plist>
index a40c33f66bfe44ffb52759f0c1d0acffb0b95123..bb6a89a0491c98f54f24cfe4a305e68f99d4a90f 100644 (file)
@@ -4,6 +4,8 @@
 <dict>
        <key>com.apple.coretelephony.SimAuthentication.allow</key>
        <true/>
+       <key>com.apple.coretelephony.Identity.get</key>
+       <true/>
        <key>keychain-access-groups</key>
        <array>
                <string>apple</string>
@@ -14,5 +16,7 @@
        <array>
                <string>racoon</string>
        </array>
+       <key>com.apple.private.nehelper.privileged</key>
+       <true/>
 </dict>
 </plist>
index b17213100b0c3d95a118d7dd6d1a83cd6991ed91..cd9cb9291190ac983574cae3db32f025a5be0c90 100644 (file)
@@ -47,6 +47,9 @@
 /* Enable samode-unspec */
 #undef ENABLE_SAMODE_UNSPECIFIED
 
+/* Enable no SA flush */
+#define ENABLE_NO_SA_FLUSH 1
+
 /* Enable statictics */
 /* #define ENABLE_STATS 1*/      /* causes too many logs to syslog */
 
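Review bot: The comment above `#define ENABLE_NO_SA_FLUSH 1` only restates the macro name, which leaves a reader of config.h with no idea which flush is being disabled or why. Since this is a build-wide switch it should name the behaviour it gates and point at the sites that test it, for example `/* ENABLE_NO_SA_FLUSH: keep existing SAs instead of flushing them on [EVENT — fill in]; see the #ifdef ENABLE_NO_SA_FLUSH sites */`. The neighbouring comment still reads "statictics"; the same touch could fix that typo.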
index e1bec2684862c4957a02edd9f4877b5262794bdf..8b03d7e126af71c5a0ce5f00a9558b71b4c63fac 100644 (file)
@@ -82,7 +82,7 @@ static void kdebug_sadb_session_id (struct sadb_ext *);
 static void kdebug_sadb_sastat (struct sadb_ext *);
 static void kdebug_sadb_x_policy (struct sadb_ext *ext);
 static void kdebug_sockaddr (struct sockaddr_storage *addr);
-
+static void kdebug_sadb_x_ipsecif (struct sadb_ext *ext);
 #ifdef SADB_X_EXT_NAT_T_TYPE
 static void kdebug_sadb_x_nat_t_type (struct sadb_ext *ext);
 static void kdebug_sadb_x_nat_t_port (struct sadb_ext *ext);
@@ -185,6 +185,7 @@ kdebug_sadb(base)
             kdebug_sadb_sastat(ext);
             break;
         case SADB_X_EXT_IPSECIF:
+            kdebug_sadb_x_ipsecif(ext);
             break;
 #ifdef SADB_X_EXT_NAT_T_TYPE
                case SADB_X_EXT_NAT_T_TYPE:
@@ -455,6 +456,20 @@ struct sadb_ext *ext;
            p->sadb_session_id_v[1]);
 }
 
+static void
+kdebug_sadb_x_ipsecif(struct sadb_ext *ext)
+{
+       struct sadb_x_ipsecif *p = ALIGNED_CAST(__typeof__(p))ext;
+
+       if (ext == NULL) {
+               printf("sadb_x_ipsecif: NULL pointer was passed.\n");
+               return;
+       }
+
+       printf("sadb_x_ipsec_if{ ipsecif=%s outgoing=%s\n", p->sadb_x_ipsecif_ipsec_if, p->sadb_x_ipsecif_outgoing_if);
+       printf("  internal=%s disabled=%d }\n", p->sadb_x_ipsecif_internal_if, p->sadb_x_ipsecif_init_disabled);
+}
+
 static void
 kdebug_sadb_sastat(ext)
 struct sadb_ext *ext;
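Review bot: The two printf calls in kdebug_sadb_x_ipsecif print `sadb_x_ipsecif_ipsec_if`, `sadb_x_ipsecif_outgoing_if` and `sadb_x_ipsecif_internal_if` with an unbounded `%s`; these look like fixed-size character arrays inside a PF_KEY extension, and if a message arrives with an unterminated name the read runs past the field. A precision bound keeps the read inside the array: `printf("sadb_x_ipsec_if{ ipsecif=%.*s outgoing=%.*s\n", (int)sizeof p->sadb_x_ipsecif_ipsec_if, p->sadb_x_ipsecif_ipsec_if, (int)sizeof p->sadb_x_ipsecif_outgoing_if, p->sadb_x_ipsecif_outgoing_if);` and the same form for the internal_if line. Checking `ext->sadb_ext_len` against `sizeof *p` before the field reads, as the existing NULL check already guards the pointer, would also cover a truncated extension. The same unbounded `%s` prints appear in the two pfkey_dump.c hunks that add the `if (m_ipif)` blocks.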
index 2e7b5269ed764134502108daae08ebcf499d38a4..409333d2a9791c580db7cf5562d8d2e0f55c6237 100644 (file)
@@ -2189,7 +2189,10 @@ pfkey_setsadbxsa2(caddr_t buf, caddr_t lim, u_int32_t mode0, u_int32_t reqid, u_
        p->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
        p->sadb_x_sa2_mode = mode;
        p->sadb_x_sa2_reqid = reqid;
-    p->sadb_x_sa2_alwaysexpire = always_expire;
+       p->sadb_x_sa2_alwaysexpire = always_expire;
+#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH
+       p->sadb_x_sa2_flags |= SADB_X_EXT_SA2_DELETE_ON_DETACH;
+#endif /* SADB_X_EXT_SA2_DELETE_ON_DETACH */
 
        return(buf + len);
 }
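Review bot: `p->sadb_x_sa2_flags |= SADB_X_EXT_SA2_DELETE_ON_DETACH;` or-s into a field that nothing in this hunk initialises; unless the extension is zeroed earlier in pfkey_setsadbxsa2 (the start of the function is outside the hunk) the read is of an indeterminate value and stray bits go to the kernel. Either confirm the memset or assign the flag outright, `p->sadb_x_sa2_flags = SADB_X_EXT_SA2_DELETE_ON_DETACH;`. Setting the flag here also makes every SA2 extension built by this helper delete-on-detach; if that is the intent for all callers, a one-line comment saying so above the `#ifdef` would stop the next reader from treating it as an oversight.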
index ecfa1a0c3f5bd2ab4d5dbeeb18d00797e0d146f5..28335448dbc4a1fe7f72224bd72d9b4f70526de6 100644 (file)
@@ -251,6 +251,7 @@ pfkey_sadump1(m, withports)
 
        int use_natt = 0;
 #endif
+       struct sadb_x_ipsecif *m_ipif = NULL;
        struct sockaddr *sa;
 
        /* check pfkey message. */
@@ -289,6 +290,7 @@ pfkey_sadump1(m, withports)
        if (natt_type && natt_type->sadb_x_nat_t_type_type)
                use_natt = 1;
 #endif
+       m_ipif = (void *)mhp[SADB_X_EXT_IPSECIF];
        /* source address */
        if (m_saddr == NULL) {
                printf("no ADDRESS_SRC extension.\n");
@@ -387,11 +389,27 @@ pfkey_sadump1(m, withports)
                m_sa->sadb_sa_replay,
                m_sa->sadb_sa_flags);
 
+#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH
+       printf("flags2=0x%08x ",
+                  m_sa2->sadb_x_sa2_flags);
+#endif
+
        /* state */
        printf("state=");
        GETMSGSTR(str_state, m_sa->sadb_sa_state);
        printf("\n");
 
+       if (m_ipif) {
+               printf("\t");
+               if (m_ipif->sadb_x_ipsecif_internal_if[0])
+                       printf("internal_if: %s  ", m_ipif->sadb_x_ipsecif_internal_if);
+               if (m_ipif->sadb_x_ipsecif_outgoing_if[0])
+                       printf("outgoing_if: %s  ", m_ipif->sadb_x_ipsecif_outgoing_if);
+               if (m_ipif->sadb_x_ipsecif_ipsec_if[0])
+                       printf("ipsec_if: %s  ", m_ipif->sadb_x_ipsecif_ipsec_if);
+               printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled);
+       }
+
        /* lifetime */
        if (m_lftc != NULL) {
                time_t tmp_time = time(0);
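Review bot: The new `if (m_ipif)` block is duplicated verbatim in the next hunk (the function starting at `int withports;`), so the two copies will drift apart at the next touch; moving it into a static helper that both callers invoke keeps one place to maintain and lets the name prints be bounded by the array size rather than relying on a terminator in the extension. The `#ifdef SADB_X_EXT_SA2_DELETE_ON_DETACH` print of `m_sa2->sadb_x_sa2_flags` presumably relies on the NULL check of `m_sa2` earlier in pfkey_sadump1, which is outside the hunk — worth confirming. Proposed helper and call site:
```c
/* Print the SADB_X_EXT_IPSECIF extension on one tab-indented line; no-op when absent. */
static void
pfkey_dump_ipsecif(const struct sadb_x_ipsecif *m_ipif)
{
	if (m_ipif == NULL)
		return;
	printf("\t");
	if (m_ipif->sadb_x_ipsecif_internal_if[0])
		printf("internal_if: %.*s  ", (int)sizeof m_ipif->sadb_x_ipsecif_internal_if, m_ipif->sadb_x_ipsecif_internal_if);
	if (m_ipif->sadb_x_ipsecif_outgoing_if[0])
		printf("outgoing_if: %.*s  ", (int)sizeof m_ipif->sadb_x_ipsecif_outgoing_if, m_ipif->sadb_x_ipsecif_outgoing_if);
	if (m_ipif->sadb_x_ipsecif_ipsec_if[0])
		printf("ipsec_if: %.*s  ", (int)sizeof m_ipif->sadb_x_ipsecif_ipsec_if, m_ipif->sadb_x_ipsecif_ipsec_if);
	printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled);
}

/* … unchanged: pfkey_sadump1 up to the state line … */
	pfkey_dump_ipsecif(m_ipif);
```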
@@ -639,17 +657,17 @@ int withports;
                (u_long)m_lfth->sadb_lifetime_usetime);
        }
     
-    if (m_ipif) {
-        printf("\t");
-        if (m_ipif->sadb_x_ipsecif_internal_if[0])
-            printf("Internal interface: %s  ", m_ipif->sadb_x_ipsecif_internal_if);
-        if (m_ipif->sadb_x_ipsecif_outgoing_if[0])
-            printf("Outgoing interface: %s  ", m_ipif->sadb_x_ipsecif_outgoing_if);
-        if (m_ipif->sadb_x_ipsecif_ipsec_if[0])
-            printf("IPSec interface: %s  ", m_ipif->sadb_x_ipsecif_ipsec_if);
-        printf("Disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled);
-    }
-    
+       if (m_ipif) {
+               printf("\t");
+               if (m_ipif->sadb_x_ipsecif_internal_if[0])
+                       printf("internal_if: %s  ", m_ipif->sadb_x_ipsecif_internal_if);
+               if (m_ipif->sadb_x_ipsecif_outgoing_if[0])
+                       printf("outgoing_if: %s  ", m_ipif->sadb_x_ipsecif_outgoing_if);
+               if (m_ipif->sadb_x_ipsecif_ipsec_if[0])
+                       printf("ipsec_if: %s  ", m_ipif->sadb_x_ipsecif_ipsec_if);
+               printf("disabled: %d\n", m_ipif->sadb_x_ipsecif_init_disabled);
+       }
+
        printf("\tspid=%ld seq=%ld pid=%ld\n",
            (u_long)m_xpl->sadb_x_policy_id,
            (u_long)m->sadb_msg_seq,
index 31291b5a7a72e634f9271f610bba9ccb80a277a2..4aaa0eaebe9291a9d7e1760360182c0fb12e5529 100644 (file)
@@ -50,7 +50,6 @@
 #include "ipsec_doi.h"
 #include "gcmalloc.h"
 
-
 static struct hash_algorithm oakley_hashdef[] = {
 { "md5",       algtype_md5,            OAKLEY_ATTR_HASH_ALG_MD5,
                eay_md5_init,           eay_md5_update,
@@ -736,7 +735,6 @@ alg_oakley_authdef_name (doi)
        return "*UNKNOWN*";
 }
 
-
 /*
  * give the default key length
  * OUT:        -1:             NG
@@ -882,7 +880,6 @@ algtype2doi(class, type)
        return res;
 }
 
-
 /*
  * convert algorithm class to DOI value.
  * OUT -1   : NG
index c6acef45f826c950a53d23f428d974409fdc0804..a81cf7fa827b2b411eceece095251b94abdc645b 100644 (file)
@@ -122,5 +122,4 @@ extern const char *alg_oakley_hashdef_name (int);
 extern const char *alg_oakley_dhdef_name (int);
 extern const char *alg_oakley_authdef_name (int);
 
-
 #endif /* _ALGORITHM_H */
index b5cd55e325ba22b40a3b49eccb5b5202378d2b93..61b58f5e7b325725ba7eaab42050630453ac6fdb 100644 (file)
@@ -42,9 +42,7 @@ enum {
        algclass_isakmp_hash,
        algclass_isakmp_dh,
        algclass_isakmp_ameth,  /* authentication method. */
-    algclass_ikev2_prf,
-    algclass_ikev2_integ,
-#define MAXALGCLASS 9
+#define MAXALGCLASS 7
 };
 
 #define ALG_DEFAULT_KEYLEN     64
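Review bot: `#define MAXALGCLASS 7` is a hand-maintained count that this hunk had to change along with the two removed enumerators, and nothing checks that it still matches the enum; a trailing sentinel keeps them in step automatically, e.g. add `algclass_max` as the last enumerator and write `#define MAXALGCLASS algclass_max`. The enum begins outside the hunk, so the remaining enumerators (and whether any table is sized by MAXALGCLASS) cannot be confirmed from here.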
index 7b028d2083f6267d6f05c0f0e549484353843320..6143116330a74e9ec6b4b99683cda86cc3246583 100644 (file)
 #include "racoon_types.h"
 #include <sys/socket.h>
 #include <SNIPSecIKEDefinitions.h>
-#include <SNIPSecDBDefinitions.h>
 #include <SNIPSecIKE.h>
-#include <SNIPSecDB.h>
-
-struct isakmp_cfg_state;
-struct ikev2_traffic_selector;
-
-#define kSNIPSecDBSrcRangeEndAddress        CFSTR("SrcRangeEndAddress")     /* CFString */
-#define kSNIPSecDBDstRangeEndAddress        CFSTR("DstRangeEndAddress")     /* CFString */
-#define kSNIPSecDBSrcRangeEndPort                      CFSTR("SrcRangeEndPort")                /* CFNumber */
-#define kSNIPSecDBDstRangeEndPort                      CFSTR("DstRangeEndPort")                /* CFNumber */
-
-#define kSNIPSecDBPolicyID                  CFSTR("PolicyID")          /* CFNumber */
-
-#define kSNIPSecDBPolicyType                CFSTR("PolicyType")     /* CFString */
-#define kSNIPSecDBValPolicyTypeDiscard      CFSTR("Discard")
-#define kSNIPSecDBValPolicyTypeNone         CFSTR("None")
-#define kSNIPSecDBValPolicyTypeIPSec        CFSTR("IPSec")
-#define kSNIPSecDBValPolicyTypeEntrust      CFSTR("Entrust")
-#define kSNIPSecDBValPolicyTypeBypass       CFSTR("Bypass")
-#define kSNIPSecDBValPolicyTypeGenerate     CFSTR("Generate")
-
-#define kSNIPSecDBSACreateTime         CFSTR("CreateTime")
-#define kSNIPSecDBSACurrentTime         CFSTR("CurrentTime")
-#define kSNIPSecDBSADiffTime         CFSTR("DiffTime")
-#define kSNIPSecDBSAHardLifetime         CFSTR("HardLifetime")
-#define kSNIPSecDBSASoftLifetime         CFSTR("SoftLifetime")
-#define kSNIPSecDBSALastUseTime         CFSTR("LastUseTime")
-#define kSNIPSecDBSAHardUseTime         CFSTR("HardUseTime")
-#define kSNIPSecDBSASoftUseTime         CFSTR("SoftUseTime")
-#define kSNIPSecDBSACurrentBytes        CFSTR("CurrentBytes")
-#define kSNIPSecDBSAHardBytes           CFSTR("HardBytes")
-#define kSNIPSecDBSASoftBytes           CFSTR("SoftBytes")
-#define kSNIPSecDBSACurrentAllocations  CFSTR("CurrentAllocations")
-#define kSNIPSecDBSAHardAllocations     CFSTR("HardAllocations")
-#define kSNIPSecDBSASoftAllocations     CFSTR("SoftAllocations")
-
-#define kSNIPSecDBSAState              CFSTR("State")
-#define kSNIPSecDBValSAStateLarval     CFSTR("Larval")
-#define kSNIPSecDBValSAStateMature     CFSTR("Mature")
-#define kSNIPSecDBValSAStateDying      CFSTR("Dying")
-#define kSNIPSecDBValSAStateDead       CFSTR("Dead")
-
-#define kSNIPSecIKEAssignedPCSCFIPv6Address CFSTR("AssignedPCSCFIPv6Address")
 
 typedef uint32_t InternalSessionRef;
 typedef uint32_t InternalItemRef;
 
-/* IPSec DB API Types */
-typedef InternalSessionRef InternalDBRef;
-typedef InternalItemRef InternalDBSARef;
-typedef InternalItemRef InternalDBPolicyRef;
-typedef InternalItemRef InternalDBInterfaceRef;
-#define kInternalDBRefInvalid 0
-#define kInternalDBSARefInvalid 0
-#define kInternalDBPolicyRefInvalid 0
-#define kInternalDBInterfaceRefInvalid 0
-
 /* IKE API Types */
 typedef InternalSessionRef InternalIKESARef;
-typedef InternalItemRef InternalChildSARef;
 #define kInternalIKESARefInvalid 0
-#define kInternalChildSARefInvalid 0
-
-/* Internal support functions -- Dictionaries should be verified for required keys and valid types before calling these */
-void ASSendXPCReply (InternalSessionRef sessionRef, InternalItemRef objRef, int callType, void *retVal, Boolean success);
-void ASSendXPCMessage(uint32_t message, void *messageobj, uint32_t sessionID, uint32_t itemID);
-
-/* IPSec DB API Functions */
-InternalDBRef ASDBCreate (void);
-InternalDBSARef ASDBGetSPI (InternalDBRef ref, CFDictionaryRef sadata);
-InternalDBSARef ASDBCreateSA (InternalDBRef ref, CFDictionaryRef sadata);
-Boolean ASDBUpdateSA (InternalDBRef ref, InternalDBSARef saref, CFDictionaryRef sadata);
-Boolean ASDBDeleteSA (InternalDBRef ref, InternalDBSARef saref);
-Boolean ASDBCopySA (InternalDBRef ref, InternalDBSARef saref);
-Boolean ASDBFlushSA (InternalDBRef ref, Boolean *blockForResponse);
-CFArrayRef ASDBCopySAIDs (InternalDBRef ref);
-InternalDBPolicyRef ASDBAddPolicy (InternalDBRef ref, CFDictionaryRef spdata);
-Boolean ASDBDeletePolicy (InternalDBRef ref, InternalDBPolicyRef policyref);
-Boolean ASDBCopyPolicy (InternalDBRef ref, InternalDBPolicyRef policyref);
-Boolean ASDBFlushPolicy (InternalDBRef ref, Boolean *blockForResponse);
-CFArrayRef ASDBCopyPolicyIDs (InternalDBRef ref);
-Boolean ASDBFlushAll (InternalDBRef ref, Boolean *blockForResponse);
-Boolean ASDBDispose (InternalDBRef ref, Boolean *blockForResponse);
 
-/* IPSec DB Interface Functions */
-InternalDBInterfaceRef ASDBCreateIPSecInterface (InternalDBRef ref, struct sockaddr_storage *address, struct sockaddr_storage *netmask, struct sockaddr_storage *v6address, int v6prefix);
-Boolean ASDBFlushInterfaces (InternalDBRef ref);
-
-/* IKE API Functions */
-InternalIKESARef ASIKECreate (CFDictionaryRef ikedata, CFDictionaryRef childData);
-InternalChildSARef ASIKEStartConnection (InternalIKESARef ref);
-Boolean ASIKEStopConnection (InternalIKESARef ref);
-InternalChildSARef ASIKEStartChildSA (InternalIKESARef ref, CFDictionaryRef ikechilddata);
-Boolean ASIKEStopChildSA (InternalIKESARef ref, InternalChildSARef childref);
-SNIPSecIKEStatus ASIKEGetConnectionStatus (InternalIKESARef ref);
-SNIPSecIKEStatus ASIKEGetChildStatus (InternalIKESARef ref, InternalChildSARef childref);
-Boolean ASIKEDispose (InternalIKESARef ref, Boolean *blockForResponse);
-Boolean ASIKEEnableAll (InternalIKESARef ref);
-Boolean ASIKEDisableAll (InternalIKESARef ref);
-
-/* Functions to support racoon */
-InternalDBSARef ASDBGetSPIFromIKE (InternalDBRef ref, phase2_handle_t *phase2);
-Boolean ASDBAddSAFromIKE (InternalDBRef ref, phase2_handle_t *phase2, Boolean update);
-Boolean ASDBDeleteSAFromIKE (InternalDBRef ref, struct sockaddr_storage *dst, uint32_t spi, int ipsecProtocol);
-Boolean ASDBFlushAllForIKEChildSA (InternalDBRef ref, InternalChildSARef childRef);
-InternalDBPolicyRef ASDBAddPolicyFromIKE (InternalDBRef ref, phase2_handle_t *phase2);
-Boolean ASDBReceivePFKeyMessage (caddr_t *message, int array_size); /* Returns TRUE if handled message */
-Boolean ASDBGetIPSecInterfaceName (InternalDBRef ref, char *buf, int bufLen);
-Boolean ASIKEConnectionAddChildSAFromIKE (InternalIKESARef ref, phase2_handle_t *childSA);
-Boolean ASIKEConnectionSwapChildSAs (InternalIKESARef ref, InternalChildSARef oldChildSA, InternalChildSARef newChildSA);
-void ASIKEConnectionExpireChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef);
 Boolean ASHasValidSessions (void);
-void ASIKEUpdateLocalAddressesFromIKE (void);
-void ASIKEUpdateStatusFromIKE (InternalIKESARef ref, InternalChildSARef childRef, uint32_t status, uint32_t reason);
-phase2_handle_t *ASIKEConnectionGetChildSAFromIKE (InternalIKESARef ref, InternalChildSARef childSARef);
-void ASIKEUpdateConfigurationFromIKE (InternalIKESARef ref, struct isakmp_cfg_state *config);
-void ASIKEUpdateTrafficSelectorsFromIKE (InternalIKESARef ref, InternalChildSARef childRef, struct ikev2_traffic_selector *local, struct ikev2_traffic_selector *remote);
-void ASIKEStopConnectionFromIKE (InternalIKESARef ref);
+
+InternalIKESARef ASIKECreate (CFDictionaryRef ikeData, CFDictionaryRef childData);
+Boolean ASIKEDispose(InternalIKESARef ref, Boolean *blockForResponse);
 
 #endif
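Review bot: The surviving `ASIKECreate (CFDictionaryRef ikeData, CFDictionaryRef childData);` keeps two dictionary parameters but loses the removed header comment that said dictionaries are to be verified for required keys and valid types before these functions are called, so the precondition is now undocumented. A short contract above the declaration would preserve it, e.g. `/* ikeData and childData must already be checked for the required keys and value types; returns kInternalIKESARefInvalid on failure — TODO confirm the failure value */`. The two remaining prototypes also differ in spacing before the parameter list (`ASIKECreate (` vs `ASIKEDispose(`); pick one form.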
index 74aa04037e0312dcc399b2f4553a1b787a95d9d4..bd811841c78812038b8834c3dde77a515c8d66a5 100644 (file)
@@ -188,6 +188,7 @@ static int fix_lifebyte (u_long);
 %token VERIFY_CERT SEND_CERT SEND_CR
 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 
 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
+%token LOCAL_ADDRESS
 %token SHARED_SECRET SECRETTYPE
 %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
 %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
@@ -203,7 +204,6 @@ static int fix_lifebyte (u_long);
 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM
 %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION
 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
-%token EAP_TYPE EAP_TYPES EAP_OPTIONS
 
 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
@@ -223,7 +223,7 @@ static int fix_lifebyte (u_long);
 %type <num> ALGORITHMTYPE STRENGTHTYPE
 %type <num> PREFIX prefix PORT port ike_port
 %type <num> ul_proto UL_PROTO
-%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE EAP_TYPE
+%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
 %type <num> VERIFICATION_MODULE VERIFICATION_OPTION
 %type <num> unittype_time unittype_byte
@@ -1405,9 +1405,8 @@ remote_specs_block
                        if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
                                return -1;
 
-                       /* DH group settting if aggressive mode or IKEv2. */
-                       if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL
-                ) {
+                       /* DH group setting if aggressive mode or IKEv2. */
+                       if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
                                struct isakmpsa *p;
                                int b = 0;
 
@@ -1591,6 +1590,15 @@ remote_spec
                }
                EOS
        |       VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
+       |       LOCAL_ADDRESS ADDRSTRING
+               {
+                       struct sockaddr_storage *saddr;
+                       saddr = str2saddr($2->v, NULL);
+                       vfree($2);
+                       if (saddr == NULL)
+                       return -1;
+                       cur_rmconf->forced_local = saddr;
+               } EOS
        |       SHARED_SECRET SECRETTYPE QUOTEDSTRING 
                {
                        cur_rmconf->secrettype = $2; 
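Review bot: The new `LOCAL_ADDRESS ADDRSTRING` action returns -1 when `str2saddr` fails without reporting anything, unlike the other actions in this grammar that call racoon_yyerror before bailing out, so a mistyped `local_address` in the config fails the parse with no message; use `if (saddr == NULL) { racoon_yyerror("invalid local_address"); return -1; }` (which also fixes the misleading indentation of the bare `return -1;` under the braceless `if`). If the directive appears twice in one remote block the earlier `forced_local` allocation is overwritten and leaked, presumably unless the field is freed before reassignment elsewhere — a `racoon_free`/check of the previous value here would close that. The remote_spec rule continues outside the hunk.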
@@ -1628,32 +1636,6 @@ remote_spec
        |       WEAK_PHASE1_CHECK SWITCH {
                        cur_rmconf->weak_phase1_check = $2;
                } EOS
-    |   EAP_TYPES { cur_rmconf->eap_types = NULL; } eap_types EOS
-    |  EAP_OPTIONS QUOTEDSTRING {
-        vchar_t *options_path = $2;
-        cur_rmconf->eap_options = NULL;
-        if (options_path) {
-            CFStringRef option_path_str = CFStringCreateWithCString(kCFAllocatorDefault, options_path->v, kCFStringEncodingASCII);
-            if (option_path_str) {
-                CFURLRef plist_url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, option_path_str, kCFURLPOSIXPathStyle, false);
-                if (plist_url) {
-                    CFReadStreamRef read_stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, plist_url);
-                    if (read_stream) {
-                        CFReadStreamOpen (read_stream);
-                        cur_rmconf->eap_options = CFPropertyListCreateWithStream(kCFAllocatorDefault, read_stream, 0, kCFPropertyListImmutable, NULL, NULL);
-                        CFRelease (read_stream);
-                    }
-                    CFRelease (plist_url);
-                } else {
-                    racoon_yywarn("eap_options must contain a path to a property list");
-                }
-                CFRelease(option_path_str);
-            } else {
-                racoon_yywarn("eap_options string could not be processed");
-            }
-            vfree(options_path);
-        }
-    } EOS
        |       GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
        |       GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
        |       SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
@@ -1795,30 +1777,6 @@ exchange_types
                        }
                }
        ;
-eap_types
-    :  /* nothing */
-    |  eap_types EAP_TYPE
-        {
-            struct etypes *new_eaps;
-            new_eaps = racoon_malloc(sizeof(struct etypes));
-            if (new_eaps == NULL) {
-                               racoon_yyerror("failed to allocate etypes");
-                               return -1;
-                       }
-                       new_eaps->type = $2;
-                       new_eaps->next = NULL;
-                       if (cur_rmconf->eap_types == NULL)
-                cur_rmconf->eap_types = new_eaps;
-                       else {
-                               struct etypes *p;
-                               for (p = cur_rmconf->eap_types;
-                     p->next != NULL;
-                     p = p->next)
-                    ;
-                               p->next = new_eaps;
-                       }
-               }
-    ;
 cert_spec
        :       CERT_X509 IN_KEYCHAIN
                {
index 5428f9717807da69c4b81405e6fa7a7455d6962e..a5c4a8f93fa97c1e01f5de2822fdf8fe6dcdd210 100644 (file)
@@ -88,7 +88,6 @@
 #endif
 
 #include "y.tab.h"
-#include "eap_sim.h"
 
 int yyerrorcount = 0;
 
@@ -306,6 +305,7 @@ hexstring   0x{hexdigit}+
 <S_RMTS>xauth_login    { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
 <S_RMTS>peers_identifier       { YYD; return(PEERS_IDENTIFIER); }
 <S_RMTS>verify_identifier      { YYD; return(VERIFY_IDENTIFIER); }
+<S_RMTS>local_address  { YYD; return(LOCAL_ADDRESS); }
 <S_RMTS>certificate_type       { YYD; return(CERTIFICATE_TYPE); }
 <S_RMTS>ca_type                { YYD; return(CA_TYPE); }
 <S_RMTS>x509           { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); }
@@ -375,11 +375,6 @@ hexstring  0x{hexdigit}+
 <S_RMTS>esp_frag       { YYD; return(ESP_FRAG); }
 <S_RMTS>mode_cfg       { YYD; return(MODE_CFG); }
 <S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
-<S_RMTS>eap_types      { YYD; return(EAP_TYPES); }
-<S_RMTS>eap_any     { YYD; yylval.num = EAP_TYPE_NONE; return(EAP_TYPE); }
-<S_RMTS>eap_sim     { YYD; yylval.num = EAP_TYPE_SIM; return(EAP_TYPE); }
-<S_RMTS>eap_aka     { YYD; yylval.num = EAP_TYPE_AKA; return(EAP_TYPE); }
-<S_RMTS>eap_options    { YYD; return(EAP_OPTIONS); }
        /* remote proposal */
 <S_RMTS>proposal       { BEGIN S_RMTP; YYDB; return(PROPOSAL); }
 <S_RMTP>{bcl}          { return(BOC); }
@@ -390,8 +385,6 @@ hexstring   0x{hexdigit}+
 <S_RMTP>encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); }
 <S_RMTP>authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
 <S_RMTP>hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
-<S_RMTP>prf_algorithm  { YYD; yylval.num = algclass_ikev2_prf; return(ALGORITHM_CLASS); }
-<S_RMTP>integ_algorithm        { YYD; yylval.num = algclass_ikev2_integ; return(ALGORITHM_CLASS); }
 <S_RMTP>dh_group       { YYD; return(DH_GROUP); }
 <S_RMTP>gss_id         { YYD; return(GSS_ID); }
 <S_RMTP>gssapi_id      { YYD; return(GSS_ID); } /* for back compatibility */
diff --git a/ipsec-tools/racoon/eap.c b/ipsec-tools/racoon/eap.c
deleted file mode 100644 (file)
index d1bc6a5..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- * 
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-/*
- * eap.c - Extensible Authentication Protocol.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by Gregory M. Christy.  The name of the author may not be used to
- * endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#define RCSID  "$Id: eap.c,v 1.25 2005/12/13 06:30:15 lindak Exp $"
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/eap.h b/ipsec-tools/racoon/eap.h
deleted file mode 100644 (file)
index eff068a..0000000
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- * 
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-/*
- * eap.h - Extensible Authentication Protocol definitions.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the author.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * $Id: eap.h,v 1.7 2004/08/03 23:11:15 lindak Exp $
- */
-
-#ifndef __EAP_H__
-#define __EAP_H__
-
-#include "vmbuf.h"
-#include <CoreFoundation/CoreFoundation.h>
-
-/*
- *  Challenge lengths (for challenges we send) and other limits.
- */
-#define MAX_EAP_RESPONSE_LENGTH        1024    /* Max len for the EAP data part */
-#define MAX_NAME_LENGTH                256
-
-/* Code + ID + length */
-#define EAP_HEADERLEN          4
-
-/*
- * EAP codes.
- */
-
-/* support for request types 1..4 is mandatory */
-#define EAP_TYPE_NONE       0  /* No EAP type */
-#define EAP_TYPE_IDENTITY      1       /* request for identity */
-#define EAP_TYPE_NOTIFICATION  2       /* notification message */
-#define EAP_TYPE_NAK           3       /* nak (response only) */
-#define EAP_TYPE_MD5CHALLENGE  4       /* password MD5 coded */
-
-#define EAP_TYPE_OTP           5       /* One Time Password (OTP) */
-#define EAP_TYPE_TOKEN         6       /* Generic Token Card */
-
-#define EAP_TYPE_RSA           9       /* RSA Public Key Authentication */
-#define EAP_TYPE_DSS           10      /* DSS Unilateral */
-#define EAP_TYPE_KEA           11      /* KEA */
-#define EAP_TYPE_KEA_VALIDATE  12      /* KEA-VALIDATE */
-#define EAP_TYPE_TLS           13      /* EAP-TLS */
-#define EAP_TYPE_AXENT         14      /* Defender Token (AXENT) */
-#define EAP_TYPE_RSA_SECURID   15      /* RSA Security SecurID EAP */
-#define EAP_TYPE_ARCOT         16      /* Arcot Systems EAP */
-#define EAP_TYPE_CISCO         17      /* EAP-Cisco Wireless */
-#define EAP_TYPE_SIM           18      /* EAP-SIM */
-#define EAP_TYPE_SRP_SHA1_1    19      /* SRP-SHA1 Part 1 */
-#define EAP_TYPE_SRP_SHA1_2    20      /* SRP-SHA1 Part 2 */
-#define EAP_TYPE_TTLS          21      /* EAP-TTLS */
-#define EAP_TYPE_RAS           22      /* Remote Access Service */
-#define EAP_TYPE_AKA           23      /* EAP-AKA */
-#define EAP_TYPE_3COM          24      /* EAP-3Com Wireless */
-#define EAP_TYPE_PEAP          25      /* PEAP */
-#define EAP_TYPE_MS            26      /* MS-EAP-Authentication */
-#define EAP_TYPE_MAKE          27      /* Mutual Authentication w/Key Exchange (MAKE) */
-#define EAP_TYPE_CRYPTO                28      /* CRYPTOCard */
-#define EAP_TYPE_MSCHAP_V2     29      /* EAP-MSCHAP-V2 */
-#define EAP_TYPE_DYNAM_ID      30      /* DynamID */
-#define EAP_TYPE_ROB           31      /* Rob EAP */
-#define EAP_TYPE_SECUR_ID      32      /* SecurID EAP */
-#define EAP_TYPE_MS_TLV                33      /* MS-Authentication-TLV  */
-#define EAP_TYPE_SENTRINET     34      /* SentriNET */
-#define EAP_TYPE_ACTIONTEC     35      /* EAP-Actiontec Wireless */
-#define EAP_TYPE_COGENT                36      /* Cogent Systems Biometrics Authentication EAP */
-
-#define kEAPPropertiesTypeEAPSIM        CFSTR("EAPSIMProperties")
-#define kEAPPropertiesTypeEAPAKA        CFSTR("EAPAKAProperties")
-
-#define EAP_REQUEST            1
-#define EAP_RESPONSE           2
-#define EAP_SUCCESS            3
-#define EAP_FAILURE                    4
-
-
-struct EAP_Packet
-{
-       u_int8_t    code;               // packet type : 1 = Request, 2 = Response, 3 = Success, 4 = Failure
-       u_int8_t    id;                 // packet id
-       u_int16_t   len;                // packet len (network order)
-       u_int8_t    data[1];            // packet data
-} __attribute__((__packed__));
-
-#define EAP_NOTIFICATION_NONE          0
-#define EAP_NOTIFICATION_START         1
-#define EAP_NOTIFICATION_RESTART       2
-#define EAP_NOTIFICATION_SUCCESS       3
-#define EAP_NOTIFICATION_PACKET                4
-#define EAP_NOTIFICATION_DATA_FROM_UI  5
-#define EAP_NOTIFICATION_TIMEOUT       6
-
-typedef struct EAP_Input {
-       u_int16_t       size;           // size of the structure (for future extension)
-       u_int8_t        mode;           // 0 for client, 1 for server
-       u_int8_t        initial_id;     // initial EAP ID
-       u_int16_t       mtu;            // mtu wll determine the maximum packet size to send
-       u_int16_t       notification;   // notification the EAP engine sends to the module
-       u_int16_t       data_len;       // len of the data
-       void    *data;          // data to be consumed depending on the notification
-       char    *identity;      // authenticatee identity
-       char    *username;      // authenticatee user name
-       char    *password;      // authenticatee password
-} EAP_Input_t;
-
-#define EAP_ACTION_NONE                        0
-#define EAP_ACTION_SEND                        1
-#define EAP_ACTION_INVOKE_UI           2
-#define EAP_ACTION_ACCESS_GRANTED      3
-#define EAP_ACTION_ACCESS_DENIED       4
-#define EAP_ACTION_SEND_WITH_TIMEOUT   5
-#define EAP_ACTION_SEND_AND_DONE       6
-#define EAP_ACTION_CANCEL              7
-
-
-typedef struct EAP_Output {
-       u_int16_t       size;           // size of the structure (for future extension)
-       u_int16_t       action;         // action the EAP engine needs to perform
-       u_int16_t       data_len;       // len of the data
-       void    *data;          // data to be consumed depending on the action
-       char    *username;      // authenticatee user name (useful in server mode)
-} EAP_Output_t;
-
-enum {
-       EAP_NO_ERROR = 0,
-       EAP_ERROR_GENERIC,
-       EAP_ERROR_INVALID_PACKET
-};
-
-/* attribute information returned upon successful authentication */
-
-#define EAP_ATTRIBUTE_NONE             0
-#define EAP_ATTRIBUTE_MPPE_SEND_KEY    1
-#define EAP_ATTRIBUTE_MPPE_RECV_KEY    2
-
-typedef struct EAP_Attribute {
-       u_int16_t       type;           // type of the attribute
-       u_int16_t       data_len;       // len of the data
-       void    *data;          // data to be consumed depending on the type
-       /* data follow according to the size */
-} __attribute__((__packed__)) EAP_Attribute_t;
-
-/*
- * Extension structure for eap types.
- */
-
-#define EAP_EXT_CLIENT         0x1     // support client mode  
-
-typedef struct eap_ext {
-    struct eap_ext     *next;          // next extensiopn structure
-    u_int8_t           type;           // eap type
-    char               *name;          // extension name
-    u_int32_t          flags;          // support flags
-    void               *plugin;        // used to keep ref of the plugin
-    int (*init) (EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
-    //int (*reinit) (void *context);
-    int (*dispose) (void *context);
-    int (*process) (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
-    int (*free) (void *context, EAP_Output_t *eap_out);
-    int (*attribute) (void *context, EAP_Attribute_t *eap_attr);
-    int (*identity) (char *identity, int maxlen);
-       
-} eap_ext_t;
-
-typedef struct eap_state {
-    int clientstate;           /* Client state */
-       
-    char *our_identity;                /* Our identity name */
-    char *username;            /* the user name (only for client mode) */
-    char *password;            /* the password (only for client mode) */
-    char peer_identity[MAX_NAME_LENGTH];       /* peer name discovered with identity request */
-       
-    u_char req_id;             /* ID of last challenge */
-    u_char resp_id;            /* ID of last response */
-    u_char req_type;           /* last request type  */
-       vchar_t *rcvd_msg;
-    vchar_t *send_key;
-    vchar_t *recv_key;
-    
-    eap_ext_t *client_ext;     /* client eap extension */
-    void *client_ext_ctx;      /* client eap extension context */
-    EAP_Input_t *client_ext_input;     /* client eap extension input structure */
-    EAP_Output_t *client_ext_output;   /* client eap extension output structure */
-    
-    struct etypes *supported_eap_types;
-    CFDictionaryRef extra_options;
-} eap_state_t;
-
-#define MPPE_MAX_KEY_LEN        16      /* largest key length (128-bit) */
-
-int EapExtAdd(eap_ext_t *newext);
-
-/*
- * Client (peer) states.
- */
-#define EAPCS_INITIAL          0       /* Lower layer down, not opened */
-#define EAPCS_CLOSED           1       /* Lower layer up, not opened */
-#define EAPCS_PENDING          2       /* Auth us to peer when lower up */
-#define EAPCS_LISTEN           3       /* Listening for a challenge */
-#define EAPCS_OPEN             4       /* We've received Success */
-
-int EapAuthWithPeer (eap_state_t *, vchar_t *, vchar_t *);
-void EapLostFailure (eap_state_t *state);
-
-int EAPLoad(eap_state_t *cstate);
-
-void EapInit(eap_state_t *cstate);
-
-void EapStart(eap_state_t *cstate, int);
-
-void EapStop(eap_state_t *cstate);
-
-int EapInput(eap_state_t *cstate, u_char *inpacket, int packet_len);
-
-#endif
diff --git a/ipsec-tools/racoon/eap_aka.c b/ipsec-tools/racoon/eap_aka.c
deleted file mode 100644 (file)
index ff314ab..0000000
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <sys/fcntl.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include <CoreFoundation/CFBundle.h>
-#include <mach/mach.h>
-#include <EAP8021X/EAP.h>
-#include <EAP8021X/EAPClientModule.h>
-#include <EAP8021X/EAPClientProperties.h>
-#if !TARGET_OS_EMBEDDED        // This file is not built for Embedded
-#include <Security/SecKeychain.h>
-#include <Security/SecKeychainSearch.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecIdentity.h>
-#endif /* TARGET_OS_EMBEDDED */
-#include <SystemConfiguration/SCNetworkConnection.h>
-#include "plog.h"
-#include "eap.h"
-#include "eap_sim.h"
-
-/*---------------------------------------------------------------------------
- ** Internal routines
- **---------------------------------------------------------------------------
- */
-
-static CFBundleRef     bundle = 0;             /* our bundle ref */
-static char                    eapaka_unique[17];
-
-static EAPClientModuleRef  eapRef = NULL;
-static EAPClientPluginData eapData;
-static CFMutableDictionaryRef eapProperties = NULL;
-static CFDictionaryRef eapOptions = NULL;
-static struct EAP_Packet       *eapSavePacket = NULL;
-
-extern EAPClientPluginFuncRef
-eapaka_introspect(EAPClientPluginFuncName name);
-
-/* ------------------------------------------------------------------------------------
- get the EAP dictionary from the options
- ------------------------------------------------------------------------------------ */
-static void
-EAPAKAGetOptions (void)
-{
-       if (eapOptions)
-               return;
-       
-       // no option, use empty dictionary
-       if (!eapOptions)
-               eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-static int
-EAPAKALoad (void)
-{
-    EAPClientModuleStatus status;
-       
-       if (eapRef)
-               return EAP_NO_ERROR;
-       
-       status = EAPClientModuleAddBuiltinModule(eapaka_introspect);
-       if (status != kEAPClientModuleStatusOK) {
-               plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientAddBuiltinModule(eapaka) failed %d\n", status);
-               return EAP_ERROR_GENERIC;
-       }
-       
-       eapRef = EAPClientModuleLookup(kEAPTypeEAPAKA);
-       if (eapRef == NULL) {
-               plog(ASL_LEVEL_INFO, "EAP-AKA: EAPClientModuleLookup(eapaka) failed\n");
-               return EAP_ERROR_GENERIC;
-       }
-       
-       return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-int EAPAKAIdentity (char *identity, int maxlen)
-{
-    CFStringRef                        identRef = NULL;
-       int                                     error;
-       int                                     ret = EAP_ERROR_GENERIC;
-       
-       error = EAPAKALoad();
-       if (error)
-               return error;
-       
-       EAPAKAGetOptions();
-       if (eapOptions == NULL)
-               return ret;
-       
-       identRef = EAPClientModulePluginUserName(eapRef, eapOptions);
-    if (identRef) {
-               if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8))
-                       ret = EAP_NO_ERROR;
-               CFRelease(identRef);
-       }
-       
-       return ret;
-}
-
-/* ------------------------------------------------------------------------------------
- Init routine called by the EAP engine when it needs the module.
- Identity of the peer is known at this point.
- mode is 0 for client, 1 for server.
- cookie is the EAP engine context, to pass to subsequent calls to EAP.
- context is EAP module context, that will be passed to subsequent calls to the module
- ------------------------------------------------------------------------------------ */
-int
-EAPAKAInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions)
-{
-       int error;
-    EAPClientModuleStatus status;
-       int ret = EAP_ERROR_GENERIC;
-    
-       error = EAPAKALoad();
-       if (error)
-               return error;
-       
-       bundle = (CFBundleRef)eap_in->data;
-    if (bundle)
-               CFRetain(bundle);
-       
-       EAPAKAGetOptions();
-       
-       bzero(&eapData, sizeof(eapData));
-       
-       /* remaining fields are read-only: */
-       uint32_t username_len = strlen(eap_in->username);
-       eapData.username = (uint8_t *)strndup(eap_in->username, username_len);
-       memcpy((void*)&eapData.username_length, &username_len, sizeof(uint32_t));
-       *((bool *)&eapData.log_enabled) = 1;
-       *((uint32_t *)&eapData.log_level) = LOG_NOTICE;
-       *((uint32_t *)&eapData.mtu) = eap_in->mtu;
-       *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */
-    
-       arc4random_buf(eapaka_unique, sizeof(eapaka_unique) - 1);
-       eapaka_unique[sizeof(eapaka_unique)-1] = 0;
-       
-    eapData.unique_id = eapaka_unique;  /* used for TLS session resumption??? */
-       *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id);
-    
-       if (eapOptions) {
-        CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPAKA);
-        if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) {
-            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value);
-        } else {
-            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions);
-        }
-       } else
-               eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-       if (eapProperties == NULL) {
-               plog(ASL_LEVEL_ERR, "EAP-AKA: Cannot allocate memory\n");
-               goto failed;
-       }
-    
-       *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties;
-    
-       status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error);
-       if (status != kEAPClientStatusOK) {
-               plog(ASL_LEVEL_ERR, "EAP-AKA: EAPClientPluginInit(eapaka) failed, error %d\n", status);
-               goto failed;
-       }
-       
-       eapSavePacket = NULL;
-       
-    return EAP_NO_ERROR;
-       
-failed:
-       
-    return ret;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-int EAPAKADispose (void *context)
-{
-       
-       EAPClientModulePluginFree(eapRef, &eapData);
-       eapRef = 0;
-       
-       if (bundle) {
-               CFRelease(bundle);
-               bundle = 0;
-       }
-       
-       if (eapOptions) {
-               CFRelease(eapOptions);
-               eapOptions = 0;
-       }
-       
-       if (eapProperties) {
-               CFRelease(eapProperties);
-               eapProperties = 0;
-       }
-       
-       if (eapSavePacket) {
-               free(eapSavePacket);
-               eapSavePacket = 0;
-       }
-       
-    return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-int
-EAPAKAProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out)
-{
-    struct EAP_Packet *pkt_in = NULL;
-    struct EAP_Packet *pkt_out = NULL;
-       EAPClientStatus status;
-       EAPClientState  state;
-       EAPClientDomainSpecificError error;
-       int do_process = 0;
-       
-       // by default, ignore the message
-       eap_out->action = EAP_ACTION_NONE;
-       eap_out->data = 0;
-       eap_out->data_len = 0;
-       
-       switch (eap_in->notification) {
-            
-               case EAP_NOTIFICATION_DATA_FROM_UI:
-                       plog(ASL_LEVEL_ERR, "unexpected EAP UI event");
-                       break;
-            
-               case EAP_NOTIFICATION_PACKET:
-                       
-                       pkt_in = (struct EAP_Packet *)eap_in->data;
-                       do_process = 1;
-                       break;
-       }
-       
-       if (do_process) {
-               
-               state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error);
-               switch(state) {
-                       case kEAPClientStateAuthenticating:
-                               switch (status) {
-                                               
-                                       case kEAPClientStatusOK:
-                                               eap_out->data = pkt_out;
-                                               eap_out->data_len = ntohs(pkt_out->len);
-                                               eap_out->action = EAP_ACTION_SEND;
-                                               break;
-                                               
-                                       case kEAPClientStatusUserInputRequired:
-                                               plog(ASL_LEVEL_ERR, "unsupported EAP UI input");
-                                       default:
-                                               eap_out->action = EAP_ACTION_ACCESS_DENIED;
-                               }
-                               break;
-                               
-                       case kEAPClientStateSuccess:
-                               eap_out->action = EAP_ACTION_ACCESS_GRANTED;
-                               break;
-                               
-                       default:
-                       case kEAPClientStateFailure:
-                               eap_out->action = EAP_ACTION_ACCESS_DENIED;
-                               break;
-               }
-       }
-       
-       if (eapSavePacket) {
-               free(eapSavePacket);
-               eapSavePacket = 0;
-       }
-       
-    return 0;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-int
-EAPAKAFree (void *context, EAP_Output_t *eap_out)
-{
-       
-       EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data);
-    return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */
-int
-EAPAKAGetAttribute (void *context, EAP_Attribute_t *eap_attr)
-{
-       void *data = NULL;
-       int len = 0;
-       
-       eap_attr->data = 0;
-       
-    switch (eap_attr->type) {
-                       
-        case EAP_ATTRIBUTE_MPPE_SEND_KEY:
-            data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len);
-            break;
-        case EAP_ATTRIBUTE_MPPE_RECV_KEY:
-            data = EAPClientModulePluginServerKey(eapRef, &eapData, &len);
-            break;
-    }
-       
-       if (data == NULL)
-               return -1;
-       
-       eap_attr->data = data;
-    if (len == 32)
-        eap_attr->data_len = 64;
-    else
-        eap_attr->data_len = len;
-    return 0;
-}
diff --git a/ipsec-tools/racoon/eap_sim.c b/ipsec-tools/racoon/eap_sim.c
deleted file mode 100644 (file)
index 2e276d5..0000000
+++ /dev/null
@@ -1,336 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- * 
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <sys/fcntl.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include <CoreFoundation/CFBundle.h>
-#include <mach/mach.h>
-#include <EAP8021X/EAP.h>
-#include <EAP8021X/EAPClientModule.h>
-#include <EAP8021X/EAPClientProperties.h>
-#if !TARGET_OS_EMBEDDED        // This file is not built for Embedded
-#include <Security/SecKeychain.h>
-#include <Security/SecKeychainSearch.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecIdentity.h>
-#endif /* TARGET_OS_EMBEDDED */
-#include <SystemConfiguration/SCNetworkConnection.h>
-#include "plog.h"
-#include "eap.h"
-#include "eap_sim.h"
-
-/*---------------------------------------------------------------------------
- ** Internal routines 
- **---------------------------------------------------------------------------
- */
-
-static CFBundleRef     bundle = 0;             /* our bundle ref */
-static char                    eapsim_unique[17];
-
-static EAPClientModuleRef  eapRef = NULL;
-static EAPClientPluginData eapData;    
-static CFMutableDictionaryRef eapProperties = NULL;
-static CFDictionaryRef eapOptions = NULL;
-static struct EAP_Packet       *eapSavePacket = NULL;
-
-extern EAPClientPluginFuncRef eapsim_introspect(EAPClientPluginFuncName name);
-
-/* ------------------------------------------------------------------------------------
- get the EAP dictionary from the options
- ------------------------------------------------------------------------------------ */ 
-static void
-EAPSIMGetOptions (void)
-{      
-       if (eapOptions)
-               return;
-       
-       // no option, use empty dictionary
-       if (!eapOptions)
-               eapOptions = CFDictionaryCreate(0, 0, 0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);  
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-static int
-EAPSIMLoad (void)
-{      
-    EAPClientModuleStatus status;
-       
-       if (eapRef)
-               return EAP_NO_ERROR;
-       
-       status = EAPClientModuleAddBuiltinModule(eapsim_introspect);
-       if (status != kEAPClientModuleStatusOK) {
-               plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientAddBuiltinModule(eapsim) failed %d\n", status);
-               return EAP_ERROR_GENERIC;
-       }
-       
-       eapRef = EAPClientModuleLookup(kEAPTypeEAPSIM);
-       if (eapRef == NULL) {
-               plog(ASL_LEVEL_INFO, "EAP-SIM: EAPClientModuleLookup(eapsim) failed\n");
-               return EAP_ERROR_GENERIC;
-       }
-       
-       return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-int EAPSIMIdentity (char *identity, int maxlen)
-{      
-    CFStringRef                        identRef = NULL;
-       int                                     error;
-       int                                     ret = EAP_ERROR_GENERIC;
-       
-       error = EAPSIMLoad();
-       if (error)
-               return error;
-       
-       EAPSIMGetOptions();
-       if (eapOptions == NULL)
-               return ret;
-       
-       identRef = EAPClientModulePluginUserName(eapRef, eapOptions);
-    if (identRef) {
-               if (CFStringGetCString(identRef, identity, maxlen, kCFStringEncodingUTF8))
-                       ret = EAP_NO_ERROR;
-               CFRelease(identRef);
-       }
-       
-       return ret;
-}
-
-/* ------------------------------------------------------------------------------------
- Init routine called by the EAP engine when it needs the module.
- Identity of the peer is known at this point.
- mode is 0 for client, 1 for server.
- cookie is the EAP engine context, to pass to subsequent calls to EAP.
- context is EAP module context, that will be passed to subsequent calls to the module
- ------------------------------------------------------------------------------------ */ 
-int
-EAPSIMInit (EAP_Input_t *eap_in, void **context, CFDictionaryRef eapOptions)
-{      
-       int error;
-    EAPClientModuleStatus status;
-       int ret = EAP_ERROR_GENERIC;
-
-       error = EAPSIMLoad();
-       if (error)
-               return error;
-       
-       bundle = (CFBundleRef)eap_in->data;
-    if (bundle)
-               CFRetain(bundle);
-       
-       EAPSIMGetOptions();
-       
-       bzero(&eapData, sizeof(eapData));
-       
-    /* remaining fields are read-only: */
-       *((bool *)&eapData.log_enabled) = 1;
-       *((uint32_t *)&eapData.log_level) = LOG_NOTICE;
-       *((uint32_t *)&eapData.mtu) = eap_in->mtu;
-       *((uint32_t *)&eapData.generation) = 0;/* changed when user updates */
-
-       arc4random_buf(eapsim_unique, sizeof(eapsim_unique) - 1);
-       eapsim_unique[sizeof(eapsim_unique)-1] = 0;
-       
-    eapData.unique_id = eapsim_unique;  /* used for TLS session resumption??? */
-       *((uint32_t *)&eapData.unique_id_length) = strlen(eapData.unique_id);
-
-       if (eapOptions) {
-        CFTypeRef value = CFDictionaryGetValue(eapOptions, kEAPPropertiesTypeEAPSIM);
-        if (value && CFGetTypeID(value) == CFDictionaryGetTypeID()) {
-            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, (CFDictionaryRef)value);
-        } else {
-            eapProperties = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, eapOptions);
-        }
-       } else
-               eapProperties = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); 
-       if (eapProperties == NULL) {
-               plog(ASL_LEVEL_ERR, "EAP-SIM: Cannot allocate memory\n");
-               goto failed;
-       }
-
-       *((CFDictionaryRef *)&eapData.properties) = (CFDictionaryRef)eapProperties;
-
-       status = EAPClientModulePluginInit(eapRef, &eapData, NULL, &error);
-       if (status != kEAPClientStatusOK) {
-               plog(ASL_LEVEL_ERR, "EAP-SIM: EAPClientPluginInit(eapsim) failed, error %d\n", status);
-               goto failed;
-       }
-       
-       eapSavePacket = NULL;
-       
-    return EAP_NO_ERROR;
-       
-failed:
-       
-    return ret;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-int EAPSIMDispose (void *context)
-{
-       
-       EAPClientModulePluginFree(eapRef, &eapData);
-       eapRef = 0;
-       
-       if (bundle) {
-               CFRelease(bundle);
-               bundle = 0;
-       }
-       
-       if (eapOptions) {
-               CFRelease(eapOptions);
-               eapOptions = 0;
-       }
-       
-       if (eapProperties) {
-               CFRelease(eapProperties);
-               eapProperties = 0;
-       }
-       
-       if (eapSavePacket) {
-               free(eapSavePacket);
-               eapSavePacket = 0;
-       }
-       
-    return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-int
-EAPSIMProcess (void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out)
-{
-    struct EAP_Packet *pkt_in = NULL;
-    struct EAP_Packet *pkt_out = NULL;
-       EAPClientStatus status;
-       EAPClientState  state;
-       EAPClientDomainSpecificError error;
-       int do_process = 0;
-       
-       // by default, ignore the message
-       eap_out->action = EAP_ACTION_NONE;
-       eap_out->data = 0;
-       eap_out->data_len = 0;
-       
-       switch (eap_in->notification) {
-
-               case EAP_NOTIFICATION_DATA_FROM_UI:
-                       plog(ASL_LEVEL_ERR, "unexpected EAP UI event");
-                       break;
-
-               case EAP_NOTIFICATION_PACKET:
-                       
-                       pkt_in = (struct EAP_Packet *)eap_in->data;
-                       do_process = 1;
-                       break;
-       }
-       
-       if (do_process) {
-               
-               state = EAPClientModulePluginProcess(eapRef, &eapData, (EAPPacketRef)pkt_in, (EAPPacketRef*)&pkt_out, &status, &error);
-               switch(state) {
-                       case kEAPClientStateAuthenticating:
-                               switch (status) {
-                                               
-                                       case kEAPClientStatusOK:
-                                               eap_out->data = pkt_out;
-                                               eap_out->data_len = ntohs(pkt_out->len);
-                                               eap_out->action = EAP_ACTION_SEND;
-                                               break;
-                                               
-                                       case kEAPClientStatusUserInputRequired:
-                                               plog(ASL_LEVEL_ERR, "unsupported EAP UI input");
-                                       default:
-                                               eap_out->action = EAP_ACTION_ACCESS_DENIED;                     
-                               }
-                               break;
-                               
-                       case kEAPClientStateSuccess:
-                               eap_out->action = EAP_ACTION_ACCESS_GRANTED;
-                               break;
-                               
-                       default:
-                       case kEAPClientStateFailure:
-                               eap_out->action = EAP_ACTION_ACCESS_DENIED;
-                               break;
-               }
-       }
-       
-       if (eapSavePacket) {
-               free(eapSavePacket);
-               eapSavePacket = 0;
-       }       
-       
-    return 0;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-int
-EAPSIMFree (void *context, EAP_Output_t *eap_out)
-{
-       
-       EAPClientModulePluginFreePacket(eapRef, &eapData, eap_out->data);
-    return EAP_NO_ERROR;
-}
-
-/* ------------------------------------------------------------------------------------
- ------------------------------------------------------------------------------------ */ 
-int
-EAPSIMGetAttribute (void *context, EAP_Attribute_t *eap_attr)
-{
-       void *data = NULL;
-       int len = 0;
-       
-       eap_attr->data = 0;
-       
-    switch (eap_attr->type) {
-                       
-        case EAP_ATTRIBUTE_MPPE_SEND_KEY:
-            data = EAPClientModulePluginSessionKey(eapRef, &eapData, &len);
-            break;
-        case EAP_ATTRIBUTE_MPPE_RECV_KEY:
-            data = EAPClientModulePluginServerKey(eapRef, &eapData, &len);
-            break;
-    }
-       
-       if (data == NULL)
-               return -1;
-       
-       eap_attr->data = data;
-    if (len == 32)
-        eap_attr->data_len = 64;
-    else
-        eap_attr->data_len = len;
-    return 0;
-}
diff --git a/ipsec-tools/racoon/eap_sim.h b/ipsec-tools/racoon/eap_sim.h
deleted file mode 100644 (file)
index 536c6d4..0000000
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- * 
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-/*
- * eap_plugin.h - Extensible Authentication Protocol Plugin API.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the author.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * $Id: eap_plugin.h,v 1.4 2003/08/14 00:00:29 callie Exp $
- */
-
-/* ----------------------------------------------------------------------
- IMPORTANT: EAP Plugin API is not stable.
- The API will change in the upcoming releases
- ---------------------------------------------------------------------- */
-
-#ifndef __EAP_SIM__
-#define __EAP_SIM__
-
-#include "eap.h"
-
-/* EAP-AKA Subtypes */
-#define EAP_AKA_SUBTYPE_CHALLENGE           1
-#define EAP_AKA_SUBTYPE_AUTH_REJECT         2
-#define EAP_AKA_SUBTYPE_SYNC_FAIL           4
-#define EAP_AKA_SUBTYPE_IDENTITY            5
-#define EAP_AKA_SUBTYPE_NOTIFICATION        12
-#define EAP_AKA_SUBTYPE_REAUTH              13
-#define EAP_AKA_SUBTYPE_CLIENT_ERROR        14
-
-/* EAP-SIM Subtypes */
-#define EAP_SIM_SUBTYPE_START               10
-#define EAP_SIM_SUBTYPE_CHALLENGE           11
-#define EAP_SIM_SUBTYPE_NOTIFICATION        12
-#define EAP_SIM_SUBTYPE_REAUTH              13
-#define EAP_SIM_SUBTYPE_CLIENT_ERROR        14
-
-/* Non-skippable attributes */
-#define EAP_AT_RAND                         1
-#define EAP_AT_AUTN                         2
-#define EAP_AT_RES                          3
-#define EAP_AT_AUTS                         4
-#define EAP_AT_PADDING                      6
-#define EAP_AT_NONCE_MT                     7
-#define EAP_AT_PERMANENT_ID_REQ             10
-#define EAP_AT_MAC                          11
-#define EAP_AT_NOTIFICATION                 12
-#define EAP_AT_ANY_ID_REQ                   13
-#define EAP_AT_IDENTITY                     14
-#define EAP_AT_VERSION_LIST                 15
-#define EAP_AT_SELECTED_VERSION             16
-#define EAP_AT_FULL_AUTH_ID_REQ             17
-#define EAP_AT_COUNTER                      19
-#define EAP_AT_COUNTER_TOO_SMALL            20
-#define EAP_AT_NONCE_S                      21
-#define EAP_AT_CLIENT_ERROR_CODE            22
-#define EAP_AT_KDF_INPUT                    23
-#define EAP_AT_KDF                          24
-
-/* Skippable attributes */
-#define EAP_AT_IV                           129
-#define EAP_AT_ENCR_DATA                    130
-#define EAP_AT_NEXT_PSEUDONYM               132
-#define EAP_AT_NEXT_REAUTH_ID               133
-#define EAP_AT_CHECKCODE                    134
-#define EAP_AT_RESULT_IND                   135
-#define EAP_AT_BIDDING                      136
-#define EAP_AT_IPMS_IND                     137
-#define EAP_AT_IPMS_RES                     138
-#define EAP_AT_TRUST_IND                    139
-
-/* Attribute notification values */
-#define EAP_AT_NOTIFICATION_GEN_FAIL_POST_AUTH  0       /* General failure after authentication */
-#define EAP_AT_NOTIFICATION_USER_DENIED         1026    /* User has been temporarily denied access */
-#define EAP_AT_NOTIFICATION_NOT_SUBSCRIBED      1031    /* User has not subscribed to the requested service */
-#define EAP_AT_NOTIFICATION_GEN_FAIL            16384   /* General failure */
-#define EAP_AT_NOTIFICATION_SUCCESS             32768   /* Success */
-
-#define EAP_SIM_VERSION_1                       1
-
-typedef struct eap_sim_hdr {
-    u_int8_t             eap_type;           /* Must be EAP-SIM, 18 */
-    u_int8_t             eap_subtype;
-    u_int16_t            reserved;
-} __attribute__((__packed__)) eap_sim_hdr_t;
-
-typedef struct eap_sim_attribute {
-    u_int8_t             at_type;
-    u_int8_t             at_len;
-    u_int16_t            at_value;
-    /* Followed by variable-length value */
-} __attribute__((__packed__)) eap_sim_attr_t;
-
-typedef struct eap_sim_msg {
-    eap_sim_hdr_t       eap_hdr;
-    eap_sim_attr_t      payload[0];         /* Multiple attributes */
-} __attribute__((__packed__)) eap_sim_t;
-
-int EAPSIMIdentity(char *identity, int maxlen);
-int EAPSIMInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
-int EAPSIMDispose(void *context);
-int EAPSIMProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
-int EAPSIMFree(void *context, EAP_Output_t *eap_out);
-int EAPSIMGetAttribute(void *context, EAP_Attribute_t *eap_attr);
-
-int EAPAKAIdentity(char *identity, int maxlen);
-int EAPAKAInit(EAP_Input_t *eap_in, void **context, CFDictionaryRef options);
-int EAPAKADispose(void *context);
-int EAPAKAProcess(void *context, EAP_Input_t *eap_in, EAP_Output_t *eap_out);
-int EAPAKAFree(void *context, EAP_Output_t *eap_out);
-int EAPAKAGetAttribute(void *context, EAP_Attribute_t *eap_attr);
-
-#endif
index 5e5a05460c893e1f27fb9c62348bb8f3c6e4c8d4..ea5802b42dc60602c21e03945664fc540ffe0d00 100644 (file)
@@ -389,4 +389,3 @@ fsm_ikev1_phase2_send_response(phase2_handle_t *iph2, vchar_t *msg)
     return error;
     
 }
-
index 4a43c0d8639bf487756a9b470d870e77b378c62c..b5f5f1008fd3be9e8e458cb8e4b31898c6527936 100644 (file)
 #define IKEV1_STATE_QUICK_R_COMMIT      (IKEV1_STATE_RESPONDER_QUICK | 4)
 #define IKEV1_STATE_QUICK_R_ADDSA       (IKEV1_STATE_RESPONDER_QUICK | IKEV1_STATE_FLAG_VALUE_ADDSA)
 
-
 extern void fsm_set_state(int *var, int state);
 //================================
 // Version Agnostic Events
index c8bcaeebaaf50fc26a9f905da8bbe721961f3f27..3d584c18c548a4f9ac71ad33a2948bf575afe04b 100644 (file)
@@ -498,7 +498,6 @@ update_myaddrs(void *unused)
     isakmp_close_unused();
     autoconf_myaddrsport();
     isakmp_open();
-    ASIKEUpdateLocalAddressesFromIKE();
 }
 
 
index e2871452dc4001cd31af0c642d76a1b6f2b40117..df3380dcddb536a9e71c3c8123af1ccc80f2812e 100644 (file)
@@ -81,7 +81,6 @@
 
 #include "power_mgmt.h"
 
-
 extern LIST_HEAD(_ike_session_tree_, ike_session) ike_session_tree;
 static LIST_HEAD(_ctdtree_, contacted) ctdtree;
 static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
@@ -382,8 +381,6 @@ ike_session_delph1(phase1_handle_t *iph1)
        VPTRINIT(iph1->skeyid_a_p);
        VPTRINIT(iph1->skeyid_e);
     VPTRINIT(iph1->skeyid_e_p);
-    VPTRINIT(iph1->skeyid_p);
-    VPTRINIT(iph1->skeyid_p_p);
        VPTRINIT(iph1->key);
     VPTRINIT(iph1->key_p);
        VPTRINIT(iph1->hash);
@@ -526,7 +523,7 @@ ike_session_getph2bymsgid(phase1_handle_t *iph1, u_int32_t msgid)
        phase2_handle_t *p;
     
        LIST_FOREACH(p, &iph1->parent_session->ph2tree, ph2ofsession_chain) {
-               if (p->msgid == msgid)
+               if (p->msgid == msgid && !p->is_defunct)
                        return p;
        }
     
@@ -800,7 +797,6 @@ ike_session_delph2(phase2_handle_t *iph2)
     if (iph2->scr)
         SCHED_KILL(iph2->scr);
     
-    
        racoon_free(iph2);
 }
 
@@ -1322,8 +1318,7 @@ ike_session_expire_session(ike_session_t *session)
             continue;
         }
 
-        if (FSM_STATE_IS_ESTABLISHED(p2->status))
-            isakmp_info_send_d2(p2);
+        // Don't send a delete, since the ph1 implies the removal of ph2s
         isakmp_ph2expire(p2);
         found++;
     }
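Review bot: Dropping the phase-2 Delete in ike_session_expire_session assumes the peer tears down its IPsec SAs when the ISAKMP SA goes away, which IKEv1 does not guarantee the way IKEv2 does — whether a peer keeps its ESP/AH SAs alive after the phase 1 is gone is implementation-dependent, and the removed `isakmp_info_send_d2(p2)` was what told such a peer to discard them. Left as-is, a peer that does not bind IPsec-SA lifetime to the ISAKMP SA keeps keyed inbound SAs for our SPIs until its own lifetime expires, which wastes peer state and complicates rekey and SPI-reuse behaviour. If this is deliberate because a phase-1 Delete is sent elsewhere on this path, the new comment should say so rather than assert the implication: `// No D2 here: the ph1 Delete (sent by the caller) covers these ph2s on peers that bind IPsec SA lifetime to the ISAKMP SA; others age them out.` The enclosing function begins outside this hunk, so the caller's Delete handling cannot be confirmed from here.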
index 2f4dd3127de98ed27d2d7070f0c79d915837f27c..2b8f0563fcb06f2104b4b6e36a76dadb904b5c07 100644 (file)
@@ -53,7 +53,6 @@
 
 #include <schedule.h>
 
-
 /* About address semantics in each case.
  *                     initiator(addr=I)       responder(addr=R)
  *                     src     dst             src     dst
@@ -128,8 +127,6 @@ struct phase1handle {
        vchar_t *skeyid_a_p;    /* SKEYID_a_p, i.e. integrity protection */
        vchar_t *skeyid_e;              /* SKEYID_e, i.e. encryption */
     vchar_t *skeyid_e_p;       /* peer's SKEYID_e, i.e. encryption */
-       vchar_t *skeyid_p;              /* SKEYID_p, i.e. for IKEv2 */
-    vchar_t *skeyid_p_p;       /* peer's SKEYID_p, i.e. for IKEv2 */
        vchar_t *key;                   /* cipher key */
     vchar_t *key_p;         /* peer's cipher key */
        vchar_t *hash;                  /* HASH minus general header */
@@ -186,10 +183,8 @@ struct phase1handle {
        ike_session_t                           *parent_session;
        LIST_HEAD(_ph2ofph1_, phase2handle)     bound_ph2tree;
        LIST_ENTRY(phase1handle)                ph1ofsession_chain;
-
 };
 
-
 #define PHASE2_TYPE_SA          0
 #define PHASE2_TYPE_INFO        1
 #define PHASE2_TYPE_CFG         2
@@ -279,12 +274,12 @@ struct phase2handle {
        struct phase1handle *ph1;       /* back pointer to isakmp status */
        int                    is_rekey:1;
        int                    is_dying:1;
+       int                    is_defunct:1;
        ike_session_t         *parent_session;
        vchar_t               *ext_nat_id;
        vchar_t               *ext_nat_id_p;
        LIST_ENTRY(phase2handle)    ph2ofsession_chain; 
        LIST_ENTRY(phase2handle)    ph1bind_chain;      /* chain to ph1handle */
-
 };
 
 /*
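Review bot: The new `is_defunct` bit in struct phase2handle is added as a plain `int` bit-field with no comment on who sets it or what a reader may assume once it is set, even though ike_session_getph2bymsgid in this same commit now hides such handles from msgid lookups. A 1-bit plain-`int` field has implementation-defined signedness and reads back as -1 under gcc/clang, so `!p->is_defunct` works but any future `== 1` comparison silently fails; the two neighbouring flags share that trap, but a new field need not. I would declare it `unsigned int is_defunct:1; /* exchange torn down; skipped by msgid lookup */` — the second half of that comment is my reading of the lookup change and should be checked against where the flag is set, which is outside this diff.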
index c1e77189997237b15ba8af844ab0bf79dcec75b0..e40f89882c3105b0097616d8f4e8bd2195057db2 100644 (file)
@@ -266,7 +266,7 @@ ike_session_get_session (struct sockaddr_storage *local,
                                 p->ikev1_state.active_ph1cnt, p->ikev1_state.active_ph2cnt);
                        continue;
                }
-               
+
                // Skip if the spi doesn't match
                if (optionalIndex != NULL && ike_session_getph1byindex(p, optionalIndex) == NULL) {
                        continue;
@@ -359,9 +359,7 @@ ike_session_update_mode (phase2_handle_t *iph2)
        }
     if (iph2->phase2_type != PHASE2_TYPE_SA)
         return;
-       if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV2) {
-               return; // for now
-       }
+       
        // exit early if we already detected cisco-ipsec
        if (iph2->parent_session->is_cisco_ipsec) {
                return;
@@ -927,7 +925,7 @@ ike_session_replace_other_ph1 (phase1_handle_t *new_iph1,
        /*
         * if we are responder, then we should wait until the server sends a delete notification.
         */
-       if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) &&
+       if (session->is_client &&
                new_iph1->side == RESPONDER) {
                return;
        }
@@ -975,7 +973,7 @@ ike_session_cleanup_other_established_ph1s (ike_session_t    *session,
        /*
         * if we are responder, then we should wait until the server sends a delete notification.
         */
-       if ((new_iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 || session->is_client) &&
+       if (session->is_client &&
                new_iph1->side == RESPONDER) {
                return;
        }
index 4fa60798cf6b337fc1c751eeb179a8cfca992f06..9fe7510676dc42d9aa5b249cd23818a30afe69ac 100644 (file)
@@ -69,7 +69,6 @@ typedef struct ike_session_sastats {
     struct sastat                        out_last_poll[8];
 } ike_sesssion_sastats_t;
 
-
 struct ike_session {
        u_int8_t                                             mode;                      /* mode of protocol, see ipsec.h */
        u_int16_t                            proto;                     /* IPPROTO_ESP or IPPROTO_AH */
@@ -110,7 +109,6 @@ struct ike_session {
     LIST_HEAD(_ph2tree_, phase2handle)   ph2tree;
 
        LIST_ENTRY(ike_session)              chain;
-
 };
 
 typedef enum ike_session_rekey_type {
diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.c b/ipsec-tools/racoon/ikev2_ike_sa_rfc.c
deleted file mode 100644 (file)
index d88c3ac..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
-
diff --git a/ipsec-tools/racoon/ikev2_ike_sa_rfc.h b/ipsec-tools/racoon/ikev2_ike_sa_rfc.h
deleted file mode 100644 (file)
index 71e63d7..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
diff --git a/ipsec-tools/racoon/ikev2_info_rfc.c b/ipsec-tools/racoon/ikev2_info_rfc.c
deleted file mode 100644 (file)
index 0887408..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_info_rfc.h b/ipsec-tools/racoon/ikev2_info_rfc.h
deleted file mode 100644 (file)
index 71e63d7..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.c
deleted file mode 100644 (file)
index 5dd0807..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012, 2013 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h b/ipsec-tools/racoon/ikev2_ipsec_sa_rfc.h
deleted file mode 100644 (file)
index 71e63d7..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
diff --git a/ipsec-tools/racoon/ikev2_rfc.c b/ipsec-tools/racoon/ikev2_rfc.c
deleted file mode 100644 (file)
index 64751fe..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_rfc.h b/ipsec-tools/racoon/ikev2_rfc.h
deleted file mode 100644 (file)
index da4ea49..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * (RFC4306)
- * http://www.iana.org/assignments/ikev2-parameters
- */
-
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.c b/ipsec-tools/racoon/ikev2_sessresume_rfc.c
deleted file mode 100644 (file)
index 64751fe..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
diff --git a/ipsec-tools/racoon/ikev2_sessresume_rfc.h b/ipsec-tools/racoon/ikev2_sessresume_rfc.h
deleted file mode 100644 (file)
index 71e63d7..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
- */
-
index 8fe1460b81510892746a85bf33216dcdbae96280..2fc1c2274ccba0273ff58b0845cb8013f7554dc4 100644 (file)
@@ -86,7 +86,6 @@
 #ifdef ENABLE_NATT
 #include "nattraversal.h"
 #endif
-#include "ikev2_rfc.h"
 
 #ifdef ENABLE_HYBRID
 static int switch_authmethod(int);
@@ -372,7 +371,6 @@ get_ph1approvalx(p, proposal, sap, check_level)
                    tsap->encklen == s->encklen &&
                        tsap->version == s->version) {
                        switch(check_level) {
-                       case PROP_CHECK_IKEV2:
                        case PROP_CHECK_OBEY:
                                goto found;
                                break;
@@ -1074,11 +1072,17 @@ get_ph2approvalx(iph2, pp)
        }
        /* no proposal matching */
 err:
-       flushsaprop(pr0);
+       if (pr0 != NULL) {
+               flushsaprop(pr0);
+               pr0 = NULL;
+       }
        return NULL;
 
 found:
-       flushsaprop(pr0);
+       if (pr0 != NULL) {
+               flushsaprop(pr0);
+               pr0 = NULL;
+       }
        plog(ASL_LEVEL_DEBUG, "matched\n");
        iph2->approval = pr;
 
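Review bot: The NULL guard and reset of `pr0` at `err:` and `found:` in get_ph2approvalx only prevents a double free if every earlier release of `pr0` on the way to these labels also nulls it; the loop body that builds and may discard `pr0` is above the hunk, so that invariant cannot be confirmed here and is worth a one-line comment stating it. As written the two labels duplicate the same three-line cleanup, which invites them drifting apart; a single static helper such as `static void drop_pr0(struct saprop **pp) { if (*pp) { flushsaprop(*pp); *pp = NULL; } }` called from both sites keeps the double-free defence in one place. If flushsaprop() already tolerates NULL, the guard is redundant and only the reset matters. The function continues past the hunk on the `found:` path.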
@@ -2567,8 +2571,6 @@ ipsecdoi_setph1proposal (phase1_handle_t *iph1)
                (ALIGNED_CAST(struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype);
         
                (void)setph1prop(iph1, mysa->v + sizeof(struct ipsecdoi_sa_b));
-       } else {
-               (void)setph1prop(iph1, mysa->v);
        }
     
        return mysa;
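Review bot: Removing the `else` in ipsecdoi_setph1proposal leaves the not-taken branch of the preceding `if` (its condition is above the hunk) returning `mysa` with the bytes after the `ipsecdoi_sa_b` header never written by setph1prop(). If that condition is still a version test rather than one that is now always true, a handle that fails it yields an SA payload containing whatever the buffer held, and that is what goes on the wire. Either drop the `if` so setph1prop() runs unconditionally, or fail closed by releasing `mysa` and returning NULL in an `else` branch so the caller sees the error. The function body begins outside this hunk, so the condition should be checked there.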
@@ -2579,7 +2581,6 @@ setph1prop (phase1_handle_t *iph1,
                        caddr_t buf)
 {
     struct isakmpsa *props = iph1->rmconf->proposal;
-    unsigned int version = iph1->version;
     
        struct isakmp_pl_p *prop = NULL;
        struct isakmpsa *s = NULL;
@@ -2587,10 +2588,7 @@ setph1prop (phase1_handle_t *iph1,
        u_int8_t *np_t; /* pointer next trns type in previous header */
        int trns_num;
        caddr_t p = buf;
-       u_int16_t tmplen;
     int spi_size = 0;
-    cookie_t *my_cookie = (iph1->side == INITIATOR) ? &iph1->index.i_ck : &iph1->index.r_ck;
-    
 
        proplen = sizeof(*prop) + spi_size;
        if (buf) {
@@ -2965,7 +2963,6 @@ setph2proposal0(iph2, pp, pr)
        return p;
 }
 
-
 /*
  * create phase2 proposal from policy configuration.
  * NOT INCLUDING isakmp general header of SA payload.
@@ -3007,13 +3004,11 @@ ipsecdoi_setph2proposal(phase2_handle_t *iph2, int return_sa)
        for (a = proposal; a; a = a->next) {
                for (b = a->head; b; b = b->next) {
             if (b->proto_id == IPSECDOI_PROTO_IPCOMP) {
-                // %%%%% todo - IKEv2 uses ipcomp notification
                 // skip this - not specified in the SA
                 // Need to set this in iph2 ???
                 continue;
             }
             // IKEv1 sends encode mode in SA - uses diferent codes when NATT being used
-            // IKEv2 does not send encode mode in SA
 #ifdef ENABLE_NATT
             if (iph2->ph1->natt_flags & NAT_DETECTED) {
                 plog (ASL_LEVEL_INFO, "NAT detected -> UDP encapsulation\n");
diff --git a/ipsec-tools/racoon/ipsec_interface.c b/ipsec-tools/racoon/ipsec_interface.c
deleted file mode 100644 (file)
index 70866a1..0000000
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "config.h"
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <sys/kern_control.h>
-#include <sys/sys_domain.h>
-#include "racoon_types.h"
-#include "plog.h"
-#include <net/if.h>
-#include <netinet6/in6_var.h>
-#include <netinet6/nd6.h>
-
-#include "var.h"
-
-int ipsec_interface_create(char *name, int name_max_len, int *index, int flags)
-{
-    
-       struct ctl_info kernctl_info;
-       struct sockaddr_ctl kernctl_addr;
-       u_int32_t optlen;
-       int tunsock = -1;
-    
-       tunsock = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
-       if (tunsock == -1) {
-               plog(ASL_LEVEL_ERR, "create_ipsec_interface: cannot create kernel control socket (errno = %d)", errno);
-               goto fail;
-       }
-    
-       bzero(&kernctl_info, sizeof(kernctl_info));
-    strlcpy(kernctl_info.ctl_name, "com.apple.net.ipsec_control", sizeof(kernctl_info.ctl_name));
-       if (ioctl(tunsock, CTLIOCGINFO, &kernctl_info)) {
-               plog(ASL_LEVEL_ERR, "create_ipsec_interface: ioctl failed on kernel control socket (errno = %d)", errno);
-               goto fail;
-       }
-       
-       bzero(&kernctl_addr, sizeof(kernctl_addr)); // sets the sc_unit field to 0
-       kernctl_addr.sc_len = sizeof(kernctl_addr);
-       kernctl_addr.sc_family = AF_SYSTEM;
-       kernctl_addr.ss_sysaddr = AF_SYS_CONTROL;
-       kernctl_addr.sc_id = kernctl_info.ctl_id;
-       kernctl_addr.sc_unit = 0; // we will get the unit number from getpeername
-       if (connect(tunsock, (struct sockaddr *)&kernctl_addr, sizeof(kernctl_addr))) {
-               plog(ASL_LEVEL_ERR, "create_ipsec_interface: connect failed on kernel control socket (errno = %d)", errno);
-               goto fail;
-       }
-    
-       optlen = name_max_len;
-       if (getsockopt(tunsock, SYSPROTO_CONTROL, 2, name, &optlen)) {
-               plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt ifname failed on kernel control socket (errno = %d)", errno);
-               goto fail;
-       }
-    
-       *index = if_nametoindex(name);
-    
-       if (flags) {
-               int optflags = 0;
-               optlen = sizeof(u_int32_t);
-               if (getsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, &optlen)) {
-                       plog(ASL_LEVEL_ERR, "create_ipsec_interface: getsockopt flags failed on kernel control socket (errno = %d)", errno);
-                       goto fail;
-               }
-        
-               optflags |= flags;
-               optlen = sizeof(u_int32_t);
-               if (setsockopt(tunsock, SYSPROTO_CONTROL, 1, &optflags, optlen)) {
-                       plog(ASL_LEVEL_ERR, "create_ipsec_interface: setsockopt flags failed on kernel control socket (errno = %d)", errno);
-                       goto fail;
-               }
-       }
-    
-       return tunsock;
-       
-fail:
-    if (tunsock != -1)
-        close(tunsock);
-       return -1;
-       
-}
-
-int ipsec_interface_set_mtu(char *ifname, int mtu)
-{
-    struct ifreq ifr;
-       int ip_sockfd;
-       
-    ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-    if (ip_sockfd < 0) {
-               plog(ASL_LEVEL_ERR, "sifmtu: cannot create ip socket, %s", strerror(errno));
-               return 0;
-       }
-    
-    strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
-    ifr.ifr_mtu = mtu;
-    ioctl(ip_sockfd, SIOCSIFMTU, (caddr_t) &ifr);
-    
-       close(ip_sockfd);
-       return 1;
-}
-
-void
-in6_len2mask(struct in6_addr *mask, int len)
-{
-    int i;
-    bzero(mask, sizeof(*mask));
-    for (i = 0; i < len / 8; i++)
-        mask->s6_addr[i] = 0xff;
-    if (len % 8)
-        mask->s6_addr[i] = (0xff00 >> (len % 8)) & 0xff;
-}
-
-#define SET_SA_FAMILY(addr, family)            \
-bzero((char *) &(addr), sizeof(addr)); \
-addr.sa_family = (family);                     \
-addr.sa_len = sizeof(addr);
-int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix)
-{
-       int ip_sockfd;
-    
-    int family = address->ss_family;
-    
-    if (family == AF_INET) {
-        struct ifaliasreq ifra __attribute__ ((aligned (4)));   // Wcast-align fix - force alignment
-        ip_sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-        if (ip_sockfd < 0) {
-            plog(ASL_LEVEL_ERR, "Cannot create ip socket, %s", strerror(errno));
-            return 0;
-        }
-        
-        strlcpy(ifra.ifra_name, ifname, sizeof(ifra.ifra_name));
-        
-        SET_SA_FAMILY(ifra.ifra_addr, AF_INET);
-        (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_addr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr;
-        
-        SET_SA_FAMILY(ifra.ifra_broadaddr, AF_INET);
-        (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_broadaddr)->sin_addr.s_addr = ((struct sockaddr_in*)address)->sin_addr.s_addr;
-        
-        if (netmask != 0) {
-            SET_SA_FAMILY(ifra.ifra_mask, AF_INET);
-            (ALIGNED_CAST(struct sockaddr_in *) &ifra.ifra_mask)->sin_addr.s_addr = ((struct sockaddr_in*)netmask)->sin_addr.s_addr;
-        }
-        else
-            bzero(&ifra.ifra_mask, sizeof(ifra.ifra_mask));
-        
-        if (ioctl(ip_sockfd, SIOCAIFADDR, (caddr_t) &ifra) < 0) {
-            if (errno != EEXIST) {
-                plog(ASL_LEVEL_ERR, "Couldn't set interface address");
-                close(ip_sockfd);
-                return 0;
-            }
-            plog(ASL_LEVEL_ERR, "Couldn't set interface address, already exists");
-        }
-        close(ip_sockfd);
-    } else if (family == AF_INET6) {
-        struct in6_aliasreq addreq6;
-        struct in6_addr mask;
-        struct in6_addr *addr6 = &((struct sockaddr_in6*)address)->sin6_addr;
-        
-        ip_sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
-        if (ip_sockfd < 0) {
-            plog(ASL_LEVEL_ERR, "Cannot create IPv6 socket, %s", strerror(errno));
-            return 0;
-        }
-        
-        memset(&addreq6, 0, sizeof(addreq6));
-        strlcpy(addreq6.ifra_name, ifname, sizeof(addreq6.ifra_name));
-        /* my addr */
-        addreq6.ifra_addr.sin6_family = AF_INET6;
-        addreq6.ifra_addr.sin6_len = sizeof(struct sockaddr_in6);
-        memcpy(&addreq6.ifra_addr.sin6_addr, addr6, sizeof(struct in6_addr));
-        
-        /* prefix mask: 128bit */
-        addreq6.ifra_prefixmask.sin6_family = AF_INET6;
-        addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6);
-        in6_len2mask(&mask, prefix);
-        memcpy(&addreq6.ifra_prefixmask.sin6_addr, &mask, sizeof(struct in6_addr));
-        
-        /* address lifetime (infty) */
-        addreq6.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME;
-        addreq6.ifra_lifetime.ia6t_vltime = ND6_INFINITE_LIFETIME;
-        if (IN6_IS_ADDR_LINKLOCAL(addr6)) {
-            if (ioctl(ip_sockfd, SIOCLL_START, &addreq6) < 0) {
-                plog(ASL_LEVEL_ERR, "Couldn't set link-local IPv6 address, %s", strerror(errno));
-                close(ip_sockfd);
-                return 0;
-            }
-        } else {
-            if (ioctl(ip_sockfd, SIOCAIFADDR_IN6, &addreq6) < 0) {
-               plog(ASL_LEVEL_ERR, "Couldn't set IPv6 address, %s", strerror(errno));
-                close(ip_sockfd);
-                return 0;
-            }
-        }
-        close(ip_sockfd);
-    } else {
-        return 0;
-    }
-
-       return 1;
-}
diff --git a/ipsec-tools/racoon/ipsec_interface.h b/ipsec-tools/racoon/ipsec_interface.h
deleted file mode 100644 (file)
index 020528c..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2012 Apple Computer, Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef __IPSEC_INTERFACE__
-#define __IPSEC_INTERFACE__
-
-int ipsec_interface_create(char *name, int name_max_len, int *index, int flags);
-int ipsec_interface_set_mtu(char *ifname, int mtu);
-int ipsec_interface_set_addr(char *ifname, struct sockaddr_storage *address, struct sockaddr_storage *netmask, int prefix);
-
-#endif
index 8133c954d8f13787d929b5578198e13c10418d78..8a4090542b423126c560e01fee4f1b75479c38a0 100644 (file)
 #include "ipsecMessageTracer.h"
 #include "power_mgmt.h"
 
-
 extern caddr_t val2str (const char *, size_t);
 u_char i_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the i_ck. */
 u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
@@ -367,8 +366,7 @@ isakmp_main(vchar_t *msg, struct sockaddr_storage *remote,  struct sockaddr_stor
         * I think it may no be here because the version depends
         * on exchange status.
         */
-       if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1 &&
-        ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV2) {        
+       if (ISAKMP_GETMAJORV(isakmp_version) != ISAKMP_MAJOR_VERSION_IKEV1) {
                        plog(ASL_LEVEL_ERR, "invalid major version %d.\n", isakmp_version);
                        return;
     }
@@ -387,14 +385,14 @@ isakmp_main(vchar_t *msg, struct sockaddr_storage *remote,  struct sockaddr_stor
     if (isakmp_version == ISAKMP_VERSION_NUMBER_IKEV1) {
                /* check the Flags field. */
                /* XXX How is the exclusive check, E and A ? */
-               if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { //%%%%%%%%%%%% any other flags for IKEv2 ?????
+               if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
                        plog(ASL_LEVEL_ERR, "invalid flag 0x%02x.\n", isakmp->flags);
                        return;
                }
 
                /* ignore commit bit. */
                if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
-                       if (isakmp->msgid == 0) {                   //%%%%% does this apply to V2
+                       if (isakmp->msgid == 0) {
                                isakmp_info_send_nx(isakmp, remote, local,
                                                                        ISAKMP_NTYPE_INVALID_FLAGS, NULL);
                                plog(ASL_LEVEL_ERR, "Commit bit on Phase 1 forbidden.\n");
@@ -450,7 +448,7 @@ ikev1_received_packet(vchar_t *msg, struct sockaddr_storage *local, struct socka
                    ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
                    ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
                    (cmpsaddrstrict(iph1->local, local) != 0)))
-               {     //%%%%%%%%%%%%%%%%%%%% make this a separate function - ikev2 needs it      
+               {
                        /* prevent memory leak */
                        racoon_free(iph1->remote);
                        racoon_free(iph1->local);
@@ -1241,7 +1239,6 @@ ikev1_phase1_established(phase1_handle_t *iph1)
     return 0;
 }
 
-
 /*
  * parse ISAKMP payloads, without ISAKMP base header.
  */
@@ -1522,6 +1519,16 @@ isakmp_open(void)
                if (setsockopt_bypass(p->sock, p->addr->ss_family) < 0)
                        goto err_and_next;
 
+               if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEADDR, (const void *)&yes, sizeof(yes)) < 0) {
+                       plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEADDR (%s)\n", strerror(errno));
+                       goto err_and_next;
+               }
+               
+               if (setsockopt(p->sock, SOL_SOCKET, SO_REUSEPORT, (const void *)&yes, sizeof(yes)) < 0) {
+                       plog(ASL_LEVEL_ERR, "setsockopt SO_REUSEPORT (%s)\n", strerror(errno));
+                       goto err_and_next;
+               }
+               
                if (extract_port(p->addr) == PORT_ISAKMP) {
                        if (setsockopt(p->sock, SOL_SOCKET, SO_NOTIFYCONFLICT, 
                                (void *)&yes, sizeof(yes)) < 0) {
@@ -1706,6 +1713,7 @@ isakmp_send(iph1, sbuf)
        int len = 0;
        int s;
        vchar_t *vbuf = NULL;
+       
 #ifdef ENABLE_NATT
        size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
 
@@ -1799,7 +1807,6 @@ isakmp_ph1resend(iph1)
        phase1_handle_t *iph1;
 {
        time_t retry_interval;
-       
     
        // make sure there is a buffer to send
        // isakmp_plist_set_all() could have returned NULL
@@ -1888,7 +1895,6 @@ isakmp_ph2resend(iph2)
                        "Internal error - attempt to re-send Phase 2 with no Phase 1 bound.\n");
                return -1;
        }
-
     
        if (FSM_STATE_IS_EXPIRED(iph2->ph1->status)){
                IPSECSESSIONTRACEREVENT(iph2->ph1->parent_session,
@@ -1954,7 +1960,6 @@ isakmp_ph2resend(iph2)
        return 0;
 }
 
-
 /* called from scheduler */
 void
 isakmp_ph1expire_stub(p)
@@ -1999,7 +2004,6 @@ isakmp_ph1expire(iph1)
                iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
                return;
        }
-    
 
        iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
 }
@@ -2048,11 +2052,9 @@ int               ignore_sess_drop_policy;
                 isakmp_pindex(&iph1->index, 0));
        racoon_free(src);
        racoon_free(dst);
-
-    {
-        if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
-            return;
-        }
+       
+       if (!ignore_sess_drop_policy && ike_session_drop_rekey(iph1->parent_session, IKE_SESSION_REKEY_TYPE_PH1)) {
+               return;
        }
 
        // exit if there is another ph1 that is established (with a pending rekey timer)
@@ -2082,12 +2084,10 @@ int               ignore_sess_drop_policy;
         plog(ASL_LEVEL_DEBUG, "Begin Phase 1 rekey.\n");
 
                /* start phase 1 negotiation as a initiator. */
-        {
-                       if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) {
-                               plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n");
-                       }
-            iph1->is_rekey = TRUE;
+               if (ikev1_ph1begin_i(iph1->parent_session, rmconf, iph1->remote, iph1->local, 0) < 0) {
+                       plog(ASL_LEVEL_DEBUG, "Phase 1 rekey Failed.\n");
                }
+               iph1->is_rekey = TRUE;
        } else {
                plog(ASL_LEVEL_ERR,
                         "Phase1 rekey failed: no configuration found for %s.\n",
@@ -2260,12 +2260,13 @@ isakmp_ph2expire(iph2)
                                                                  ipsecdoi2pfkey_proto(pr->proto_id),
                                                                  IPSEC_MODE_ANY,
                                                                  iph2->src, iph2->dst, pr->spi_p /* pr->reqid_out */);
+                       }
                }
        }
     if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1)
         fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED);
        iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
-
+               
        return;
 }
 
@@ -2348,37 +2349,32 @@ isakmp_post_acquire(phase2_handle_t *iph2)
     }
     if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1)
         iph1 = ike_session_update_ph2_ph1bind(iph2);
-       else
-               iph1 = ike_session_get_established_or_negoing_ph1(iph2->parent_session);
 
        /* no IKE-SA found. */
        if (iph1 == NULL) {
                iph2->retry_checkph1 = lcconf->retry_checkph1;
         
                /* start phase 1 negotiation as a initiator. */
-        {
-            sched_new(1, isakmp_chkph1there_stub, iph2);
-            
-            plog(ASL_LEVEL_INFO,
-                 "IPsec-SA request for %s queued due to no Phase 1 found.\n",
-                 saddrwop2str((struct sockaddr *)iph2->dst));
-            
-            // exit if there is another ph1 that is established (with a pending rekey timer)
-            if (ike_session_has_negoing_ph1(iph2->parent_session)) {
-                plog(ASL_LEVEL_INFO,
-                     "Request for Phase 1 was ignored due to another negotiating Phase 1.\n");
-                return 0;
-            }
-            
-                       if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
-                               plog(ASL_LEVEL_INFO,
-                                        "Request for Phase 1 failed. Will try later.\n");
-                       }
+               sched_new(1, isakmp_chkph1there_stub, iph2);
+               
+               plog(ASL_LEVEL_INFO,
+                        "IPsec-SA request for %s queued due to no Phase 1 found.\n",
+                        saddrwop2str((struct sockaddr *)iph2->dst));
+               
+               // exit if there is another ph1 that is established (with a pending rekey timer)
+               if (ike_session_has_negoing_ph1(iph2->parent_session)) {
+                       plog(ASL_LEVEL_INFO,
+                                "Request for Phase 1 was ignored due to another negotiating Phase 1.\n");
+                       return 0;
+               }
+               
+               if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
+                       plog(ASL_LEVEL_INFO,
+                                "Request for Phase 1 failed. Will try later.\n");
                }
                return 0;
                /*NOTREACHED*/
        }
-    
 
        /* found ISAKMP-SA, but on negotiation. */
        if (!FSM_STATE_IS_ESTABLISHED(iph1->status)) {
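Review bot: With the `else` removed, the `if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1)` guard above `iph1 = ike_session_update_ph2_ph1bind(iph2);` leaves iph1 unassigned for any other version value, so the `iph1 == NULL` test that follows is only sound if iph1's declaration (outside this hunk) initializes it to NULL, which I cannot see from here. Since IKEv2 is being removed wholesale the guard is dead weight that hides this dependency; either call `iph1 = ike_session_update_ph2_ph1bind(iph2);` unconditionally or add an explicit `else iph1 = NULL;`. isakmp_post_acquire starts and ends outside this hunk.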
@@ -2395,11 +2391,9 @@ isakmp_post_acquire(phase2_handle_t *iph2)
        /* found ISAKMP-SA. */
 
        /* begin quick mode */
-    {
-               plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n");
-               if (ikev1_ph2begin_i(iph1, iph2))
-                       return -1;
-       }
+       plog(ASL_LEVEL_DEBUG, "Begin QUICK mode.\n");
+       if (ikev1_ph2begin_i(iph1, iph2))
+               return -1;
        return 0;
 }
 
@@ -2516,10 +2510,8 @@ isakmp_chkph1there(iph2)
                plog(ASL_LEVEL_DEBUG, "dst: %s\n", saddr2str((struct sockaddr *)iph2->dst));
 
                /* begin quick mode */
-        {
-                       if (ikev1_ph2begin_i(iph1, iph2)) {
-                               ike_session_unlink_phase2(iph2);
-                       }
+               if (ikev1_ph2begin_i(iph1, iph2)) {
+                       ike_session_unlink_phase2(iph2);
                }
                return;
        }
@@ -2527,11 +2519,9 @@ isakmp_chkph1there(iph2)
                struct remoteconf *rmconf = getrmconf(iph2->dst);
                /* start phase 1 negotiation as a initiator. */
                if (rmconf) {
-            {
-                               if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
-                                       plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
-                               }
-                       }                       
+                       if (ikev1_ph1begin_i(iph2->parent_session, rmconf, iph2->dst, iph2->src, 0) < 0) {
+                               plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no established/negoing ph1 handler found... failed to initiate new one\n");
+                       }
                } else if (rmconf == NULL) {
                        plog(ASL_LEVEL_DEBUG, "CHKPH1THERE: no remoteconf found... failed to initiate new one\n");
                }
index 6d0af820087abd66a59302eeaa2257732c4a3af7..fbf4b9ab9776b821457654bcb36618273457a1d7 100644 (file)
@@ -1346,7 +1346,6 @@ isakmp_cfg_rmstate(phase1_handle_t *iph1)
 {
        struct isakmp_cfg_state **state = &iph1->mode_cfg;
     
-    
     if (*state == NULL)
         return;
     
index 487c5ba975e4034d6a7fb592c40ed2af12598f69..f90ac07da7a8df262bf63e97a2d418c74b255e2b 100644 (file)
@@ -92,7 +92,6 @@
 #include "isakmp_cfg.h" 
 #endif
 #include "isakmp_inf.h"
-#include "ikev2_info_rfc.h"
 #include "oakley.h"
 #include "ipsec_doi.h"
 #include "crypto_openssl.h"
@@ -680,7 +679,9 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t
             if (del_ph1->sce_rekey &&
                 del_ph1->parent_session &&
                 del_ph1->parent_session->is_client &&
-                del_ph1->parent_session->established) {
+                del_ph1->parent_session->established &&
+               !(del_ph1->rmconf->natt_multiple_user &&
+                 del_ph1->parent_session->is_l2tpvpn_ipsec)) {
                 isakmp_ph1rekeyexpire(del_ph1, FALSE);
             }
             
@@ -700,7 +701,7 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t
 #endif
                        if (del_ph1->rmconf->natt_multiple_user &&
                                del_ph1->parent_session->is_l2tpvpn_ipsec) {
-                               plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n");
+                               plog(ASL_LEVEL_DEBUG, "Ignoring IKE delete from peer for L2TP server\n");
                                break;
                        }
                        isakmp_ph1expire(del_ph1);
@@ -718,8 +719,14 @@ isakmp_info_recv_d(phase1_handle_t *iph1, struct isakmp_pl_d *delete, u_int32_t
                }
                if (iph1->rmconf->natt_multiple_user &&
                        iph1->parent_session->is_l2tpvpn_ipsec) {
-                       plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n");
-                       break;
+                       uint32_t *ph2_spi = ALIGNED_CAST(u_int32_t *)(delete + 1);
+                       phase2_handle_t *iph2 = ike_session_getph2bysaidx(iph1->local, iph1->remote, delete->proto_id, ph2_spi[0]);
+                       
+                       if (iph2 != NULL) {
+                               iph2->is_defunct = 1;
+                               plog(ASL_LEVEL_DEBUG, "Ignoring SA delete from peer for L2TP server\n");
+                               break;
+                       }
                }
                purge_ipsec_spi(iph1->remote, delete->proto_id,
                    ALIGNED_CAST(u_int32_t *)(delete + 1), num_spi, NULL, NULL);     // Wcast-align fix (void*) - delete payload is aligned
@@ -827,7 +834,7 @@ isakmp_info_send_d2(phase2_handle_t *iph2)
 
        if (!FSM_STATE_IS_ESTABLISHED(iph2->status))
                return 0;
-
+       
        /*
         * don't send delete information if there is no phase 1 handler.
         * It's nonsensical to negotiate phase 1 to send the information.
index 9b45afd6f7874889b4749c5e7e4b062c417759cb..631b86c9828dbe93b7a5507ff80b27633507ded0 100644 (file)
@@ -82,9 +82,6 @@
 #include "vendorid.h"
 
 #include <CoreFoundation/CoreFoundation.h>
-#ifndef TARGET_OS_EMBEDDED
-#include <sandbox.h>
-#endif // !TARGET_OS_EMBEDDED
 #include "power_mgmt.h"
 #include "preferences.h"
 
@@ -152,9 +149,6 @@ main(ac, av)
        char **av;
 {
        int error;
-#ifndef TARGET_OS_EMBEDDED
-       char *sb_errorbuf = NULL;
-#endif // !TARGET_OS_EMBEDDED
 
        /*
         * Check IPSec plist
@@ -162,17 +156,10 @@ main(ac, av)
        prefsinit();
        ploginit();
 
-#ifndef TARGET_OS_EMBEDDED
-       if (sandbox_init("racoon", SANDBOX_NAMED, &sb_errorbuf) == -1) {
-               if (sb_errorbuf) {
-                       plog(ASL_LEVEL_ERR, "sandbox_init failed: %s\n", sb_errorbuf);
-                       sandbox_free_error(sb_errorbuf);
-                       sb_errorbuf = NULL;
-               } else {
-                       plog(ASL_LEVEL_ERR, "sandbox_init failed\n");
-               }
-       }
-#endif // !TARGET_OS_EMBEDDED
+       /* 
+        * racoon is not sandboxed on Mac OS.
+        * On embedded, racoon is sandboxed with a seatbelt-profiles entitlement.
+        */
 
        if (geteuid() != 0) {
                errx(1, "must be root to invoke this program.");
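Review bot: The replacement comment says racoon is not sandboxed on Mac OS but not why the seatbelt profile was removed, and the very next check (`geteuid() != 0`) shows this daemon runs as root while parsing unauthenticated IKE input, so the sandbox was its only in-process containment. The old code merely logged when sandbox_init failed, so keeping it cost nothing in the failure case; if it had to go because the named profile no longer exists or containment now comes from somewhere else, state that, e.g. `/* Sandboxing on Mac OS is provided outside this binary (state where); sandbox_init() is intentionally not called here. */`, so the comment is not read as a decision to run unconfined. main continues outside this hunk.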
index d2dab6be6edd1b15cd255bb0b9ab7f3163610017..6fbd8329bb936466ffa911adfe8784a43451776b 100644 (file)
 #include <Security/SecCertificatePriv.h>
 #endif
 #include "vpn_control_var.h"
-#include "ikev2_rfc.h"
 #include "extern.h"
 
 #define OUTBOUND_SA    0
@@ -151,11 +150,9 @@ struct dhgroup dh_modp8192;
 
 static int oakley_check_dh_pub (vchar_t *, vchar_t **);
 static int oakley_compute_keymat_x (phase2_handle_t *, int, int);
-static int oakley_compute_ikev2_keymat_x (phase2_handle_t *);
 static int get_cert_fromlocal (phase1_handle_t *, int);
 static int oakley_check_certid (phase1_handle_t *iph1);
 static int oakley_check_certid_1 (vchar_t *, int, int, void*, cert_status_t *certStatus);
-static vchar_t * oakley_prf_plus (vchar_t *, vchar_t *, int, phase1_handle_t *iph1);
 #ifdef HAVE_OPENSSL
 static int check_typeofcertname (int, int);
 #endif
@@ -536,7 +533,7 @@ vchar_t *
 oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1)
 {
        vchar_t *res = NULL;
-       int type;
+       int type = OAKLEY_ATTR_HASH_ALG_MD5;
 
        if (iph1->approval == NULL) {
                if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
@@ -545,8 +542,6 @@ oakley_prf(vchar_t *key, vchar_t *buf, phase1_handle_t *iph1)
                         * We use md5 as default.
                         */
                        type = OAKLEY_ATTR_HASH_ALG_MD5;
-               } else {
-                       type = OAKLEY_ATTR_HASH_ALG_SHA;                        
                }
        } else
     {
@@ -569,7 +564,7 @@ vchar_t *
 oakley_hash(vchar_t *buf, phase1_handle_t *iph1)
 {
        vchar_t *res = NULL;
-       int type;
+       int type = OAKLEY_ATTR_HASH_ALG_MD5;
 
        if (iph1->approval == NULL) {
                if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
@@ -578,14 +573,10 @@ oakley_hash(vchar_t *buf, phase1_handle_t *iph1)
                         * We use md5 as default.
                         */
                        type = OAKLEY_ATTR_HASH_ALG_MD5;
-               } else {
-                       type = OAKLEY_ATTR_HASH_ALG_SHA;                        
                }
        } else {
         if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
             type = iph1->approval->hashtype;
-        } else {
-            type = OAKLEY_ATTR_HASH_ALG_SHA;
         }
     }
 
@@ -632,7 +623,6 @@ end:
        return error;
 }
 
-
 /*
  * compute KEYMAT.
  * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
@@ -1366,8 +1356,6 @@ oakley_validate_auth(phase1_handle_t *iph1)
                                         "invalid etype %d\n", iph1->etype);
                                return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
                        }
-               } else {
-                       my_hash = oakley_ph1hash_common(iph1, VALIDATE);                        
                }
                if (my_hash == NULL)
                        return ISAKMP_INTERNAL_ERROR;
@@ -1520,10 +1508,6 @@ oakley_validate_auth(phase1_handle_t *iph1)
                                         "invalid etype %d\n", iph1->etype);
                                return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
                        }
-               } else {
-                       vchar_t *octets = NULL;
-                       octets = ikev2_ike_sa_auth_get_octets(iph1, (iph1->side == INITIATOR)? FALSE : TRUE);
-                       my_hash = alg_oakley_hashdef_one(OAKLEY_ATTR_HASH_ALG_SHA, octets);
                }
                if (my_hash == NULL)
                        return ISAKMP_INTERNAL_ERROR;
@@ -1547,8 +1531,6 @@ oakley_validate_auth(phase1_handle_t *iph1)
                                }
                                if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
                                        error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, FALSE);
-                               } else {
-                                       error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, TRUE);
                                }
                                if (error) {
                                        plog(ASL_LEVEL_ERR, "error verifying signature %s\n", GetSecurityErrorString(error));
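Review bot: After removing the `else`, crypto_cssm_verify_x509sign runs only when `iph1->version == ISAKMP_VERSION_NUMBER_IKEV1`; for any other value the signature check is skipped and the result depends on the initial value of `error`, which is declared outside this hunk. If that initial value denotes success, a handle reaching this point with an unexpected version would be authenticated without its signature ever being verified, and an authentication step must fail closed. Either verify unconditionally now that IKEv2 is gone (`error = crypto_cssm_verify_x509sign(publicKeyRef, my_hash, iph1->sig_p, FALSE);` with no guard), or add an `else` that sets error to a non-zero failure value with a comment such as `/* unknown IKE version: refuse rather than skip verification */`. oakley_validate_auth starts and ends outside this hunk.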
@@ -1951,7 +1933,9 @@ oakley_check_certid_1(vchar_t *cert, int idtype, int idlen, void *id, cert_statu
             }
         }
         CFRelease(certificate);
-        CFRelease(subject);
+        if (subject != NULL) {
+            CFRelease(subject);
+        }
         return 0;
     }
     break;
@@ -2573,8 +2557,7 @@ oakley_getpskall(phase1_handle_t *iph1)
                                }
                                memcpy(secret->v, iph1->rmconf->shared_secret->v, secret->l);
                }
-       } else if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2 ||
-                  iph1->etype != ISAKMP_ETYPE_IDENT) {
+       } else if (iph1->etype != ISAKMP_ETYPE_IDENT) {
                secret = getpskbyname(iph1->id_p);
                if (!secret) {
                        if (iph1->rmconf->verify_identifier) {
@@ -2613,8 +2596,7 @@ oakley_skeyid(phase1_handle_t *iph1)
        char *p;
        int len;
        int error = -1;
-    
-    
+       
        /* SKEYID */
        switch (AUTHMETHOD(iph1)) {
         case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
@@ -2719,97 +2701,13 @@ end:
        return error;
 }
 
-static vchar_t *
-oakley_prf_plus (vchar_t *key, vchar_t *buf, int result_len, phase1_handle_t *iph1)
-{
-       vchar_t *t = 0;
-       uint8_t byte_value;
-       vchar_t *result = 0;
-       uint8_t *p;
-       vchar_t *bp;
-       int      bp_len;
-       uint8_t *tmp;
-       vchar_t *prf;
-
-       /*                                                                                                                                                                                                      
-        * (draft-17)                                                                                                                                                                                           
-        prf+ (K,S) = T1 | T2 | T3 | T4 | ...                                                                                                                                                                   
-        
-        where:                                                                                                                                                                                                 
-        T1 = prf (K, S | 0x01)                                                                                                                                                                                 
-        T2 = prf (K, T1 | S | 0x02)                                                                                                                                                                            
-        T3 = prf (K, T2 | S | 0x03)                                                                                                                                                                            
-        T4 = prf (K, T3 | S | 0x04)                                                                                                                                                                            
-        */
-
-       if (!(result = vmalloc(result_len))) {
-               return NULL;
-       }
-
-       /*                                                                                                                                                                                                      
-        * initial T0 = empty                                                                                                                                                                                   
-        */
-       t = 0;
-       p = (uint8_t *)result->v;
-       for (byte_value = 1; result_len > 0; ++byte_value) {
-               /*                                                                                                                                                                                              
-                * prf_output = prf(K, Ti-1 | S | byte)                                                                                                                                                         
-                */
-               bp_len  = buf->l + sizeof(byte_value);
-               if (t) {
-                       bp_len += t->l;
-               }
-               bp = vmalloc(bp_len);
-               if (!bp) {
-                       return NULL;
-               }
-               tmp = (__typeof__(tmp))bp->v;
-               
-               if (t) {
-                       memcpy(tmp, t->v, t->l);
-                       tmp += t->l;
-               }
-               memcpy(tmp, buf->v, buf->l);
-               tmp += buf->l;
-               memcpy(tmp, &byte_value, sizeof(byte_value));
-               tmp += sizeof(byte_value);
-
-               if (!(prf = oakley_prf(key, bp, iph1))) {
-            VPTRINIT(bp);
-                       return (vchar_t *)-1;
-               }
-        VPTRINIT(bp);
-
-               /*                                                                                                                                                                                              
-                * concat prf_output                                                                                                                                          
-                */
-               memcpy(p, prf->v, prf->l > (size_t)result_len ? (size_t)result_len : prf->l);
-               p += prf->l;
-               result_len -= prf->l;
-               
-               /*                                                                                                                                                                                              
-                * Ti = prf_output                                                                                                                                                                              
-                */
-               if (t) {
-                       bzero(t->v, t->l);
-                       vfree(t);
-               }
-               t = prf;
-       }
-       if (t) {
-               bzero(t->v, t->l);
-               vfree(t);
-       }
-       return result;
-}
-
 /*
  * compute SKEYID_[dae]
  */
 int
 oakley_skeyid_dae(phase1_handle_t *iph1)
 {
-       vchar_t *buf = NULL, *bp = NULL;
+       vchar_t *buf = NULL;
        char *p;
        int len;
        int error = -1;
@@ -2818,6 +2716,7 @@ oakley_skeyid_dae(phase1_handle_t *iph1)
                plog(ASL_LEVEL_ERR, "no SKEYID found.\n");
                goto end;
        }
+       
        /*
         * see seciton 5. Exchanges in RFC 2409
         * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
@@ -2942,43 +2841,6 @@ oakley_compute_enckey(phase1_handle_t *iph1)
                        "failed to get key buffer\n");
                goto end;
        }
-       if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) {
-               iph1->key_p = vmalloc(keylen >> 3);
-               if (iph1->key_p == NULL) {
-                       plog(ASL_LEVEL_ERR, 
-                                "failed to get key buffer\n");
-                       goto end;
-               }
-
-               if (iph1->key->l <= iph1->skeyid_e->l) {
-                       plog(ASL_LEVEL_DEBUG,
-                                "%s setting key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key->l, (int)iph1->skeyid_e->v[0], iph1->skeyid_e->l);
-                       /*
-                        * if length(Ka) <= length(SKEYID_e)
-                        *      Ka = first length(K) bit of SKEYID_e
-                        */
-                       memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l);
-               } else {
-                       plog(ASL_LEVEL_ERR, 
-                                "unexpected key length error (exp %zd, got %zd)",
-                                iph1->key->l, iph1->skeyid_e->l);
-                       goto end;
-               }
-               if (iph1->key_p->l <= iph1->skeyid_e_p->l) {
-                       plog(ASL_LEVEL_DEBUG, 
-                                "%s setting peer key len %zd, val %d (len %zd)", __FUNCTION__, iph1->key_p->l, (int)iph1->skeyid_e_p->v[0], iph1->skeyid_e_p->l);
-                       /*
-                        * if length(Ka) <= length(SKEYID_e)
-                        *      Ka = first length(K) bit of SKEYID_e
-                        */
-                       memcpy(iph1->key_p->v, iph1->skeyid_e_p->v, iph1->key_p->l);
-               } else {
-                       plog(ASL_LEVEL_ERR, 
-                                "unexpected peer key length error (exp %zd, got %zd)",
-                                iph1->key_p->l, iph1->skeyid_e_p->l);
-                       goto end;
-               }
-       }
 
        /* set prf length */
        prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
@@ -3001,12 +2863,6 @@ oakley_compute_enckey(phase1_handle_t *iph1)
                int cplen;
                int subkey;
 
-               if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV2) {
-                       plog(ASL_LEVEL_ERR, 
-                                "invalid key len (got %zu, expected %zu.\n", iph1->key->l, iph1->skeyid_e->l);
-                       goto end;
-               }
-
                /*
                 * otherwise,
                 *      Ka = K1 | K2 | K3
@@ -3304,64 +3160,6 @@ end:
        return newivm;
 }
 
-/*
- * Compute unpredictable IV for IKEv2.
- */
-int
-oakley_newiv_ikev2(phase1_handle_t * iph1)
-{
-       struct isakmp_ivm *newivm = NULL;    
-    int iv_length;
-    
-    /* Get IV length */
-    iv_length = alg_oakley_encdef_blocklen(iph1->approval->enctype);
-    if (iv_length == -1) {
-        plog(ASL_LEVEL_ERR, "Invalid encryption algorithm %d.\n", iph1->approval->enctype);
-    }
-    
-       /* Allocate IV Manager */
-       newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
-       if (newivm == NULL) {
-               plog(ASL_LEVEL_ERR, "Failed to allocate IV buffer.\n");
-               return -1;
-       }
-    
-       /* Compute IV */
-    /* There are two recommended methods for generating unpredictable IVs. The first method is to apply the forward cipher function, under the same key that is used for the encryption of the plaintext, to a nonce. The nonce must be a data block that is unique to each execution of the encryption operation. For example, the nonce may be a counter, as described in Appendix B, or a message number. The second method is to generate a random data block using a FIPS- approved random number generator. 
-     [National Institute of Standards and Technology, U.S.
-     Department of Commerce, "Recommendation for Block Cipher
-     Modes of Operation", SP 800-38A, 2001.]
-    */
-    /* Currently, we implement the second scheme, which uses a random block */
-    newivm->iv = eay_set_random(iv_length);
-    if (newivm->iv == NULL) {
-               oakley_delivm(newivm);
-               return -1;
-       }
-    
-       /* Adjust length of IV */
-    if (newivm->iv->l != iv_length) {
-        plog(ASL_LEVEL_WARNING, "IV length was adjusted.\n");
-        newivm->iv->l = iv_length;
-    }
-    
-       /* Make copy of IV in IVe */
-       if ((newivm->ive = vdup(newivm->iv)) == NULL) {
-               plog(ASL_LEVEL_ERR, "vdup (%s)\n", strerror(errno));
-               oakley_delivm(newivm);
-               return -1;
-       }
-
-    /* Delete old IV if there is one */
-       if (iph1->ivm != NULL)
-               oakley_delivm(iph1->ivm);
-    
-       iph1->ivm = newivm;
-    
-       return 0;
-}
-
-
 void
 oakley_delivm(struct isakmp_ivm *ivm)
 {
@@ -3498,6 +3296,7 @@ oakley_do_decrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivdp, vchar_t *i
        if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
                return(oakley_do_ikev1_decrypt(iph1, msg, ivdp, ivep));
        }
+       
        plog(ASL_LEVEL_ERR, "Failed to decrypt invalid IKE version");
        return NULL;
 }
@@ -3608,7 +3407,6 @@ end:
        return buf;
 }
 
-
 /*
  * encrypt packet.
  */
@@ -3618,6 +3416,7 @@ oakley_do_encrypt(phase1_handle_t *iph1, vchar_t *msg, vchar_t *ivep, vchar_t *i
        if (iph1->version == ISAKMP_VERSION_NUMBER_IKEV1) {
                return(oakley_do_ikev1_encrypt(iph1, msg, ivep, ivp));          
        }
+
        plog(ASL_LEVEL_ERR, "Failed to encrypt invalid IKE version");
        return NULL;
 }
index 026b05cf8b54e663c432b0dc08add5f480a3284b..597e1327d3e778e684728b7d2bda6b3de08a9f35 100644 (file)
@@ -222,7 +222,6 @@ extern vchar_t *oakley_prf (vchar_t *, vchar_t *, phase1_handle_t *);
 extern vchar_t *oakley_hash (vchar_t *, phase1_handle_t *);
 
 extern int oakley_compute_keymat (phase2_handle_t *, int);
-extern int oakley_compute_ikev2_keymat (phase2_handle_t *);
 
 #if notyet
 extern vchar_t *oakley_compute_hashx (void);
@@ -255,7 +254,6 @@ extern cert_t *oakley_newcert (void);
 extern void oakley_delcert (cert_t *);
 extern int oakley_newiv (phase1_handle_t *);
 extern struct isakmp_ivm *oakley_newiv2 (phase1_handle_t *, u_int32_t);
-extern int oakley_newiv_ikev2(phase1_handle_t *iph1);
 extern void oakley_delivm (struct isakmp_ivm *);
 extern vchar_t *oakley_do_decrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *);
 extern vchar_t *oakley_do_encrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *);
index f977c029b251a73444a4dd2664a7999b47dd54d6..665f69e6f3648b532b38696695d26dbaf1483a2e 100644 (file)
 #include "ipsecMessageTracer.h"
 #include "power_mgmt.h"
 #include "session.h"
-#include "ikev2_rfc.h"
-#include "api_support.h"
 
 #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
 #define SADB_X_EALG_AESCBC  SADB_X_EALG_RIJNDAELCBC
@@ -234,7 +232,6 @@ pfkey_process(msg)
                        strerror(msg->sadb_msg_errno));
                goto end;
        }
-
     
        /* safety check */
        if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
@@ -794,6 +791,7 @@ pfkey_convertfromipsecdoi(iph2, proto_id, t_id, hashtype,
                if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
                        goto bad;
                *a_keylen >>= 3;
+                       
                if (*e_type == SADB_EALG_NONE) {
                        plog(ASL_LEVEL_ERR, "no ESP algorithm.\n");
                        goto bad;
@@ -1096,7 +1094,6 @@ pk_sendupdate(iph2)
        u_int wsize = 4;  /* XXX static size of window */ 
        int proxy = 0;
        struct ph2natt natt;
-    struct satrns *tr;
     int authtype;
 
        /* sanity check */
@@ -1296,7 +1293,6 @@ pk_recvupdate(mhp)
                         iph2->status);
                return -1;
        }
-    //%%%% fix for IKEv2
        if (iph2->status != IKEV1_STATE_QUICK_I_ADDSA &&
         iph2->status != IKEV1_STATE_QUICK_R_ADDSA) {
                plog(ASL_LEVEL_ERR,
@@ -1409,7 +1405,6 @@ pk_sendadd(iph2)
        u_int wsize = 4; /* XXX static size of window */ 
        int proxy = 0;
        struct ph2natt natt;
-    struct satrns *tr;
     int authtype;
 
        /* sanity check */
@@ -1709,31 +1704,29 @@ pk_recvexpire(mhp)
 
        /* turn off the timer for calling isakmp_ph2expire() */ 
        SCHED_KILL(iph2->sce);
+       
+       fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED);
+       
+       /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */
+       /* allocate buffer for status management of pfkey message */
+       if (iph2->side == INITIATOR &&
+               !ike_session_has_other_established_ph2(iph2->parent_session, iph2) &&
+               !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) {
+
+               ike_session_initph2(iph2);
+
+               /* start isakmp initiation by using ident exchange */
+               if (isakmp_post_acquire(iph2) < 0) {
+                       plog(ASL_LEVEL_ERR,
+                               "failed to begin ipsec sa "
+                               "re-negotiation.\n");
+                       ike_session_unlink_phase2(iph2);
+                       return -1;
+               }
 
-               fsm_set_state(&iph2->status, IKEV1_STATE_PHASE2_EXPIRED);
-
-    {
-        /* INITIATOR, begin phase 2 exchange only if there's no other established ph2. */
-        /* allocate buffer for status management of pfkey message */
-        if (iph2->side == INITIATOR &&
-            !ike_session_has_other_established_ph2(iph2->parent_session, iph2) &&
-            !ike_session_drop_rekey(iph2->parent_session, IKE_SESSION_REKEY_TYPE_PH2)) {
-
-            ike_session_initph2(iph2);
-
-            /* start isakmp initiation by using ident exchange */
-            if (isakmp_post_acquire(iph2) < 0) {
-                plog(ASL_LEVEL_ERR,
-                    "failed to begin ipsec sa "
-                    "re-negotiation.\n");
-                ike_session_unlink_phase2(iph2);
-                return -1;
-            }
-
-            return 0;
-            /*NOTREACHED*/
-        }
-    }
+               return 0;
+               /*NOTREACHED*/
+       }
 
 
        /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
index e3d33a31d3e50948d8a5b275e96295c89e1c6d91..93ad3526531c4fe2b16f4e6e9723054498858df8 100644 (file)
@@ -258,7 +258,7 @@ plogsetfile(file)
        }
        logfile = racoon_strdup(file);
        STRDUP_FATAL(logfile);
-       if ((logfile_fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, 0)) >= 0) {
+       if ((logfile_fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) >= 0) {
                asl_add_log_file(logRef, logfile_fd);
        } else {
                syslog(LOG_NOTICE, "%s: failed to add racoon log file: %s. error %d\n", __FUNCTION__, file? file:"bad file path", errno);
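Review bot: The new creation mode on the `open()` call in plogsetfile makes the racoon log file world-readable (`S_IROTH`), and an IKE daemon's log carries peer addresses and identities, and at higher log levels possibly more; unless another reader genuinely needs the file, `S_IRUSR | S_IWUSR` is the safer default and keeps the restrictive intent of the previous mode. The bits are further masked by the process umask and apply only when the file is first created, so an existing file with looser permissions is left untouched; a one-line comment stating the intended permissions would help, e.g. `/* owner read/write only: the log may contain peer identities */`. plogsetfile's body continues outside the hunk.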
index abb5a4c897f65e333150680b1919e6433ad5fd32..62d3db6486a7669046a635f0823a6a5c42affcc4 100644 (file)
@@ -72,7 +72,6 @@
 #ifdef ENABLE_NATT
 #include "nattraversal.h"
 #endif
-#include "ikev2_rfc.h"
 
 /* %%%
  * modules for ipsec sa spec
@@ -640,7 +639,7 @@ set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo, u_int8_t ike_versi
                        }
 
                        newtr->trns_no = t++;
-                newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg);   // IKEv1 only
+                       newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg);   // IKEv1 only
                        newtr->authtype = a->alg;
 
                        inssatrns(pr, newtr);
@@ -703,7 +702,7 @@ set_satrnsbysainfo(struct saproto *pr, struct sainfo *sainfo, u_int8_t ike_versi
                        "unknown proto_id (%d).\n", pr->proto_id);
                goto err;
        }
-    
+       
        /* no proposal found */
        if (pr->head == NULL) {
                plog(ASL_LEVEL_ERR, "no algorithms found.\n");
@@ -1050,8 +1049,6 @@ set_proposal_from_policy(iph2, sp_main, sp_sub)
        }
 
     skip1:
-    //%%%%%%s IKEv2 - no support for bundle - fix this - return error if bundle ???
-    // %%%% need special handling for ipcomp
        for (req = sp_main->req; req; req = req->next) {
                struct saproto *newpr;
                caddr_t paddr = NULL;
@@ -1153,13 +1150,14 @@ set_proposal_from_proposal(iph2)
 {
         struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
        struct saproto *newpr = NULL, *pr;
-       struct prop_pair **pair;
+       struct prop_pair **pair = NULL;
        int error = -1;
        int i;
 
        /* get proposal pair */
        if (iph2->version == ISAKMP_VERSION_NUMBER_IKEV1)
                pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
+               
        if (pair == NULL)
                goto end;
 
@@ -1266,7 +1264,6 @@ dupsatrns_1(struct satrns *tr)
        if (newtr == NULL)
                return NULL;
     newtr->trns_no = tr->trns_no;
-    newtr->trns_type = tr->trns_type;
     newtr->trns_id = tr->trns_id;
     newtr->encklen = tr->encklen;
     newtr->authtype = tr->authtype;
@@ -1285,7 +1282,6 @@ dupsatrns(newpr, head)
                newtr = newsatrns();
                if (newtr) {
                        newtr->trns_no = p->trns_no;
-            newtr->trns_type = p->trns_type;
                        newtr->trns_id = p->trns_id;
                        newtr->encklen = p->encklen;
                        newtr->authtype = p->authtype;
index 381b43d5dd905471c81d7ab9a0a575ce83235bea..85eadbdc5def720c1674fdc479257c972e7c5eef 100644 (file)
@@ -93,7 +93,6 @@ struct saproto {
 /* SA algorithm specification */
 struct satrns {
        int trns_no;
-       int trns_type;          /* IKEv2 only - transform type */
     int trns_id;                       /* transform id */
        int encklen;                    /* key length of encryption algorithm */
        int authtype;                   /* authentication algorithm if ESP */
@@ -177,7 +176,6 @@ struct prop_pair {
 #define PROP_CHECK_STRICT      2
 #define PROP_CHECK_CLAIM       3
 #define PROP_CHECK_EXACT       4
-#define PROP_CHECK_IKEV2       5
 
 struct sainfo;
 struct secpolicy;
index bf1cbbdc4964ae4ac760b15f28c2e53600e182b3..ea8d017143be673dc5e62251218428bff16270b5 100644 (file)
@@ -28,5 +28,4 @@
 typedef struct ike_session ike_session_t;
 typedef struct phase1handle phase1_handle_t;
 typedef struct phase2handle phase2_handle_t;
-typedef struct ikev2_ike_sa_window ikev2_ike_sa_window_t;
 #endif /* _RACOON_TYPES_H */
index 09139c669a629c8e7f441b931341764dc992fea3..aea9b0b09ea6397c5cf56fe2ccfce441aef5297d 100644 (file)
@@ -358,6 +358,7 @@ duprmconf (struct remoteconf *rmconf)
 
     // zero-out pointers
     new->remote = NULL;
+    new->forced_local = NULL;
     new->keychainCertRef = NULL;       /* peristant keychain ref for cert */
     new->shared_secret = NULL; /* shared secret */
     new->open_dir_auth_group = NULL;   /* group to be used to authorize user */
@@ -420,6 +421,8 @@ delrmconf(struct remoteconf *rmconf)
 {
        if (rmconf->remote)
                racoon_free(rmconf->remote);
+       if (rmconf->forced_local)
+               racoon_free(rmconf->forced_local);
 #ifdef ENABLE_HYBRID
        if (rmconf->xauth)
                xauth_rmconf_delete(&rmconf->xauth);
@@ -444,13 +447,6 @@ delrmconf(struct remoteconf *rmconf)
                vfree(rmconf->keychainCertRef);
        if (rmconf->open_dir_auth_group)
                vfree(rmconf->open_dir_auth_group);
-    
-    if (rmconf->eap_options)
-        CFRelease(rmconf->eap_options);
-    if (rmconf->eap_types)
-        deletypes(rmconf->eap_types);
-    if (rmconf->ikev2_cfg_request)
-        CFRelease(rmconf->ikev2_cfg_request);
 
        racoon_free(rmconf);
 }
index aef7e768c4857dc3e84231b70d41ff2f1e72d8bb..7eed12f0139596ddec20f05454e2491d56fb894c 100644 (file)
@@ -168,11 +168,8 @@ struct remoteconf {
     int in_list;            // in the linked list
     int refcount;           // ref count - in use
     int ike_version;
-
-       // IKEV2 configs
-    struct etypes *eap_types;
-    CFDictionaryRef eap_options;
-    CFDictionaryRef ikev2_cfg_request;
+    
+    struct sockaddr_storage *forced_local;     /* forced local IP address */
 
        TAILQ_ENTRY(remoteconf) chain;  /* next remote conf */
 };
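Review bot: The new `forced_local` field has no ownership note, even though this same commit makes delrmconf free it and duprmconf reset the copy to NULL, so a reader of the header cannot tell who allocates it or whether it may be shared between configs. Suggest `struct sockaddr_storage *forced_local; /* forced local IP address; heap-allocated, owned by this remoteconf (freed by delrmconf, not shared by duprmconf) */`.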
index f5610768bffb12243e52ed86140db37a003c5415..694ca2fab461251d38091e30b331dfcbabcb9195 100644 (file)
 #include "sainfo.h"
 #include "power_mgmt.h"
 
+#include <NetworkExtension/NEPolicy.h>
+#include <sys/proc_info.h>
+#include <libproc.h>
 
 
 extern pid_t racoon_pid;
@@ -124,6 +127,8 @@ static int64_t racoon_keepalive = -1;
 
 dispatch_queue_t main_queue;
 
+static NEPolicySessionRef policySession = NULL;
+
 /*
  * This is used to (manually) update racoon's launchd keepalive, which is needed because racoon is (mostly) 
  * launched on demand and for <rdar://problem/8768510> requires a keepalive on dirty/failure exits.
@@ -146,6 +151,85 @@ launchd_update_racoon_keepalive (Boolean enabled)
        return racoon_keepalive;
 }
 
+static CFUUIDRef
+copy_racoon_proc_uuid(void)
+{
+       struct proc_uniqidentifierinfo procu;
+       CFUUIDBytes uuidBytes;
+       int size = 0;
+
+       memset(&procu, 0, sizeof(procu));
+       size = proc_pidinfo(getpid(), PROC_PIDUNIQIDENTIFIERINFO, 1, &procu, PROC_PIDUNIQIDENTIFIERINFO_SIZE);
+       if (size != PROC_PIDUNIQIDENTIFIERINFO_SIZE) {
+               return (NULL);
+       }
+
+       memcpy(&uuidBytes, procu.p_uuid, sizeof(CFUUIDBytes));
+       return CFUUIDCreateFromUUIDBytes(kCFAllocatorDefault, uuidBytes);
+}
+
+static bool
+policy_session_init(void)
+{
+       bool success = true;
+       policySession = NEPolicyCreateSession(kCFAllocatorDefault, CFSTR("racoon"), NULL, NULL);
+       if (policySession == NULL) {
+               return false;
+       }
+       
+       CFUUIDRef proc_uuid = copy_racoon_proc_uuid();
+       if (proc_uuid == NULL) {
+               return false;
+       }
+       
+       CFMutableArrayRef conditions = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+       if (conditions) {
+               CFMutableDictionaryRef uuidCondition = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+               if (uuidCondition) {
+                       CFDictionarySetValue(uuidCondition, kNEPolicyConditionType, kNEPolicyValPolicyConditionTypeApplication);
+                       CFDictionarySetValue(uuidCondition, kNEPolicyApplicationUUID, proc_uuid);
+                       CFArrayAppendValue(conditions, uuidCondition);
+                       CFRelease(uuidCondition);
+               } else {
+                       success = false;
+               }
+               
+               CFMutableDictionaryRef interfacesCondition = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+               if (interfacesCondition) {
+                       CFDictionarySetValue(interfacesCondition, kNEPolicyConditionType, kNEPolicyValPolicyConditionTypeAllInterfaces);
+                       CFArrayAppendValue(conditions, interfacesCondition);
+                       CFRelease(interfacesCondition);
+               } else {
+                       success = false;
+               }
+       } else {
+               success = false;
+       }
+       
+       CFMutableDictionaryRef result = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+       if (result) {
+               CFDictionaryAddValue(result, kNEPolicyResult, kNEPolicyValPolicyResultPass);
+       } else {
+               success = false;
+       }
+       
+       if (success) {
+               success = (NEPolicyAdd(policySession, 0, conditions, result, NULL) != kNEPolicyIDInvalid);
+       }
+       
+       if (result) {
+               CFRelease(result);
+       }
+       if (conditions) {
+               CFRelease(conditions);
+       }
+       if (proc_uuid) {
+               CFRelease(proc_uuid);
+       }
+       
+       return (success && NEPolicyApply(policySession));
+}
+
 //
 // Session
 // 
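Review bot: In policy_session_init the early `return false` after `copy_racoon_proc_uuid()` fails leaves the session just created by `NEPolicyCreateSession` in the global `policySession`, neither released nor reset, while the later failure paths at least release what they allocated. Suggest `if (proc_uuid == NULL) { CFRelease(policySession); policySession = NULL; return false; }`, and the same release-and-NULL when the final `NEPolicyAdd`/`NEPolicyApply` check fails, so a failed init does not leave a half-installed session behind the caller's error log. The `if (proc_uuid)` guard before `CFRelease(proc_uuid)` is always true at that point because of the early return. Since the installed rule passes all of this process's traffic on every interface, a one-line comment stating why (presumably so racoon's own IKE traffic is exempt from the tunnel's routing policy — I am inferring this from the condition/result pairs) would help future readers.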
@@ -176,6 +260,11 @@ session(void)
             plog(ASL_LEVEL_ERR, "failed to initialize route socket.\n");
             exit(1);
         }
+       
+       if (!policy_session_init()) {
+               plog(ASL_LEVEL_ERR, "failed to initialize NEPolicy session.\n");
+       }
+       
     if (initmyaddr()) {
         plog(ASL_LEVEL_ERR, "failed to initialize listening addresses.\n");
         exit(1);
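Review bot: A failed `policy_session_init()` is only logged, while the neighbouring route-socket and `initmyaddr()` failures call `exit(1)`; if running without the pass policy is deliberate, say so next to the plog, e.g. `/* non-fatal: racoon keeps running without an NE pass policy for its own traffic */`, otherwise the ASL_LEVEL_ERR message should be followed by the same exit. What happens to racoon's own traffic without the policy depends on code outside this hunk.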
@@ -343,9 +432,13 @@ auto_exit_do(void *p)
 {
        plog(ASL_LEVEL_DEBUG, 
                                "performing auto exit\n");
+#if ENABLE_NO_SA_FLUSH
+       close_session(0);
+#else
        pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC);
        sched_new(1, check_flushsa_stub, NULL);
        dying();
+#endif /* ENABLE_NO_SA_FLUSH */
 }
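Review bot: `ENABLE_NO_SA_FLUSH` is tested with `#if` here and in the two check_sigreq hunks below, while the same file tests `ENABLE_FASTQUIT` with `#ifdef`; a build that defines the macro empty makes `#if` a hard error, so one form should be used consistently (`#ifdef ENABLE_NO_SA_FLUSH` matches the file). The new branch also changes exit semantics: on auto-exit and on the SIGTERM path the kernel SAs are left installed and neither `dying()` nor `terminated = 1` runs before `close_session(0)`; whether close_session relies on those is outside the hunk. A comment on the trade-off, e.g. `/* ENABLE_NO_SA_FLUSH: leave kernel SAs installed on exit instead of flushing them */`, would make the intent visible where the behaviour diverges.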
 
 void
@@ -439,13 +532,17 @@ check_sigreq()
                                            
 #if TARGET_OS_EMBEDDED
                 if (no_remote_configs(TRUE)) {
+#if ENABLE_NO_SA_FLUSH
+                    close_session(0);
+#else
                     pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC);
 #ifdef ENABLE_FASTQUIT
                     close_session(0);
 #else
                     sched_new(1, check_flushsa_stub, NULL);
-#endif
+#endif /* ENABLE_FASTQUIT */
                     dying();
+#endif /* ENABLE_NO_SA_FLUSH */
                 }
 #endif
 
@@ -455,7 +552,10 @@ check_sigreq()
             case SIGTERM:                      
                 plog(ASL_LEVEL_INFO, 
                      "caught signal %d\n", sig);
-                pfkey_send_flush(lcconf->sock_pfkey, 
+#if ENABLE_NO_SA_FLUSH
+                close_session(0);
+#else
+                pfkey_send_flush(lcconf->sock_pfkey,
                                  SADB_SATYPE_UNSPEC);
                 if ( sig == SIGTERM ){
                     terminated = 1;                    /* in case if it hasn't been set yet */
@@ -465,6 +565,7 @@ check_sigreq()
                     sched_new(1, check_flushsa_stub, NULL);
                 
                                dying();
+#endif /* ENABLE_NO_SA_FLUSH */
                 break;
                 
             default:
index 7f6733f6235a4edbd085f6b20956c27156fd5969..1987a378a1be9667c489c80059b8a273299b0b16 100644 (file)
@@ -70,7 +70,6 @@
 #include "pfkey.h"
 #include "strnames.h"
 #include "algorithm.h"
-#include "ikev2_rfc.h"
 
 struct ksmap {
        int key;
index 11adf7c25f91765c3c79ce37fbfec66cb3b97304..29f6aef174de4ac0aa475d8862962486570f0b8a 100644 (file)
@@ -135,15 +135,6 @@ vpn_connect(struct bound_addr *srv, int oper)
        ((struct sockaddr_in *)(dst))->sin_port = 500;
        ((struct sockaddr_in *)(dst))->sin_addr.s_addr = srv->address;
 
-       /*
-        * Find the source address
-        */      
-       if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) {
-               plog(ASL_LEVEL_ERR, 
-                       "cannot get local address\n");
-               goto out1;
-       }
-
        /* find appropreate configuration */
        rmconf = getrmconf(dst);
        if (rmconf == NULL) {
@@ -152,7 +143,20 @@ vpn_connect(struct bound_addr *srv, int oper)
                        "for %s\n", saddrwop2str((struct sockaddr *)dst));
                goto out1;
        }
-
+       
+       /*
+        * Find the source address
+        */
+       if (rmconf->forced_local != NULL) {
+               if ((local = dupsaddr(rmconf->forced_local)) == NULL) {
+                       plog(ASL_LEVEL_ERR, "failed to duplicate local address\n");
+                       goto out1;
+               }
+       } else if ((local = getlocaladdr((struct sockaddr *)dst)) == NULL) {
+               plog(ASL_LEVEL_ERR, "cannot get local address\n");
+               goto out1;
+       }
+       
        /* get remote IP address and port number. */
        if ((remote = dupsaddr(dst)) == NULL) {
                plog(ASL_LEVEL_ERR, 
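Review bot: The moved source-address block now has two sources but the comment above it still reads only `Find the source address`; suggest `/* Find the source address: a configured forced_local wins, otherwise derive it from the route to dst */`. Both branches assign `local`, presumably released at out1 outside the hunk, and moving the lookup after `getrmconf()` also avoids allocating it when no configuration matches. Whether the forced address's family is checked against `dst` before it is handed to `ikev1_ph1begin_i` is not visible here.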
@@ -189,10 +193,8 @@ vpn_connect(struct bound_addr *srv, int oper)
 
        IPSECLOGASLMSG("IPSec connecting to server %s\n",
                                   saddrwop2str((struct sockaddr *)remote));
-    {
-               if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0)
-                       goto out1;
-       }
+       if (ikev1_ph1begin_i(NULL, rmconf, remote, local, oper) < 0)
+               goto out1;
        error = 0;
 
 out1:
@@ -487,7 +489,6 @@ vpn_get_config(phase1_handle_t *iph1, struct vpnctl_status_phase_change **msg, s
        return 0;
 }
 
-
 int
 vpn_xauth_reply(u_int32_t address, void *attr_list, size_t attr_len)
 {
index 39c20a99fe778d3a7276a682cf5a4438e38099ac..c26b310c8ac3bb554338157c6e87b7388edf68c9 100644 (file)
@@ -222,6 +222,7 @@ vpncontrol_handler(void *unused)
     int sock;
 
        struct vpnctl_socket_elem *sock_elem;
+
        
     sock_elem = racoon_malloc(sizeof(struct vpnctl_socket_elem));
        if (sock_elem == NULL) {
@@ -1021,6 +1022,7 @@ vpncontrol_close_comm(struct vpnctl_socket_elem *elem)
        }
        racoon_free(elem);
        check_auto_exit();
+
 }
 
 int
index 64d7e29aa0c9dafe1c1b4db642a68d51c49b33f5..33ec9e6ce0f8630b9bcd5552a8acfb3e39be76a1 100644 (file)
                        name = ipsec_libraries;
                        productName = ipsec_libraries;
                };
+               78C83A04189841E800DB2F64 /* ipsec_libraries_embedded */ = {
+                       isa = PBXAggregateTarget;
+                       buildConfigurationList = 78C83A08189841E800DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_libraries_embedded" */;
+                       buildPhases = (
+                       );
+                       dependencies = (
+                               78C83A131898421900DB2F64 /* PBXTargetDependency */,
+                       );
+                       name = ipsec_libraries_embedded;
+                       productName = ipsec_libraries_embedded;
+               };
+               78C83A09189841FA00DB2F64 /* ipsec_executables_embedded */ = {
+                       isa = PBXAggregateTarget;
+                       buildConfigurationList = 78C83A0A189841FA00DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_executables_embedded" */;
+                       buildPhases = (
+                       );
+                       dependencies = (
+                               78C83A111898421300DB2F64 /* PBXTargetDependency */,
+                               78C83A0F1898421100DB2F64 /* PBXTargetDependency */,
+                       );
+                       name = ipsec_executables_embedded;
+                       productName = ipsec_executables_embedded;
+               };
                812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */ = {
                        isa = PBXAggregateTarget;
                        buildConfigurationList = 812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */;
                25F259610988657000D15623 /* throttle.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259210988657000D15623 /* throttle.c */; };
                25F259620988657000D15623 /* vendorid.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259240988657000D15623 /* vendorid.c */; };
                25F259630988657000D15623 /* vmbuf.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F259260988657000D15623 /* vmbuf.c */; };
-               72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */ = {isa = PBXBuildFile; fileRef = 72171DAE166443AB0050B3B9 /* eap_aka.c */; };
                72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
                723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; };
                723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; };
                724ED87916851AAC008F2EBD /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
                724ED87A16851AB6008F2EBD /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; };
-               727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; };
-               727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FA35F163A1A24000A3986 /* ipsec_interface.c */; };
                72B433770E3677D800D67508 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; };
                72F5C72E1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; };
                72F5C72F1607A1AE004C192F /* api_support.c in Sources */ = {isa = PBXBuildFile; fileRef = 72F5C72D1607A1AE004C192F /* api_support.c */; };
+               7822D11E188DB07300874E91 /* NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7822D11D188DB07300874E91 /* NetworkExtension.framework */; };
+               7822D120188DB07C00874E91 /* NetworkExtension.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7822D11F188DB07C00874E91 /* NetworkExtension.framework */; };
                812530C30D3FE9DC006BDF4F /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; };
                812530C50D3FE9DC006BDF4F /* cfparse.y in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B40988657000D15623 /* cfparse.y */; };
                812530C60D3FE9DC006BDF4F /* cftoken.l in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B60988657000D15623 /* cftoken.l */; };
                834072A90EDCC5AC00B6CCE8 /* com.apple.racoon.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 724F99500E3672FD00C56897 /* com.apple.racoon.plist */; };
                8D5B16750E5F7F4E00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; };
                8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 8D5B16230E5F7E9300E72675 /* libresolv.dylib */; };
-               BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA04622A1562E6E400EF348A /* EAP8021X.framework */; };
                BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; };
                BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */ = {isa = PBXBuildFile; fileRef = BA485FA1109C1ECA00545E19 /* power_mgmt.c */; };
                BA48611C109C2BBA00545E19 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BA48611B109C2BBA00545E19 /* IOKit.framework */; };
                BA5B6F310EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
                BA5B6F320EC19F80003774E7 /* ipsecPolicyTracer.c in Sources */ = {isa = PBXBuildFile; fileRef = BA5B6F300EC19F80003774E7 /* ipsecPolicyTracer.c */; };
                BA64A934114EFE8C00F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; };
-               BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = BA64A933114EFE5C00F3574C /* racoon.sb */; };
                BA6F109B0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
                BA6F109C0EA1DEC200546773 /* ike_session.c in Sources */ = {isa = PBXBuildFile; fileRef = BA6F109A0EA1DEC200546773 /* ike_session.c */; };
                BA7777A11107EBCE00DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
                BA7777A21107EBF600DD87E1 /* isakmp_frag.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D70988657000D15623 /* isakmp_frag.c */; };
-               BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */ = {isa = PBXBuildFile; fileRef = BA8BE71615655D360068DEB9 /* eap_sim.c */; };
-               BA952E79156704DF00B07934 /* eap.c in Sources */ = {isa = PBXBuildFile; fileRef = BA952E77156704DF00B07934 /* eap.c */; };
-               BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; };
-               BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */; };
-               BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */; };
-               BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */; };
-               BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; };
-               BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BAC2E172146DFD05009D4506 /* ikev2_rfc.c */; };
                BACBF18C10290AE000BBFC85 /* ipsec.txt in CopyFiles */ = {isa = PBXBuildFile; fileRef = BACBF18B10290AE000BBFC85 /* ipsec.txt */; };
                BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; };
                BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; };
-               BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; };
-               BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */; };
-               BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; };
-               BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */ = {isa = PBXBuildFile; fileRef = BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
                        remoteGlobalIDString = 72B3C2081684F5C4004E4548;
                        remoteInfo = ipsec_executables;
                };
-               812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = {
+               78C83A0E1898421100DB2F64 /* PBXContainerItemProxy */ = {
                        isa = PBXContainerItemProxy;
                        containerPortal = 23D2D790087071FC00C51098 /* Project object */;
                        proxyType = 1;
                        remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F;
-                       remoteInfo = "racoon arm";
+                       remoteInfo = "racoon Embedded";
                };
-               81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = {
+               78C83A101898421300DB2F64 /* PBXContainerItemProxy */ = {
                        isa = PBXContainerItemProxy;
                        containerPortal = 23D2D790087071FC00C51098 /* Project object */;
                        proxyType = 1;
-                       remoteGlobalIDString = 81DDFDB80D622C2700C5CB87;
-                       remoteInfo = "libipsec Embedded";
+                       remoteGlobalIDString = 81DDFD970D622C1700C5CB87;
+                       remoteInfo = "setkey Embedded";
                };
-               81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */ = {
+               78C83A121898421900DB2F64 /* PBXContainerItemProxy */ = {
                        isa = PBXContainerItemProxy;
                        containerPortal = 23D2D790087071FC00C51098 /* Project object */;
                        proxyType = 1;
                        remoteGlobalIDString = 81DDFDB80D622C2700C5CB87;
                        remoteInfo = "libipsec Embedded";
                };
-               81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */ = {
+               812531100D3FEA28006BDF4F /* PBXContainerItemProxy */ = {
+                       isa = PBXContainerItemProxy;
+                       containerPortal = 23D2D790087071FC00C51098 /* Project object */;
+                       proxyType = 1;
+                       remoteGlobalIDString = 812530BA0D3FE9DC006BDF4F;
+                       remoteInfo = "racoon arm";
+               };
+               81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */ = {
                        isa = PBXContainerItemProxy;
                        containerPortal = 23D2D790087071FC00C51098 /* Project object */;
                        proxyType = 1;
                        );
                        runOnlyForDeploymentPostprocessing = 1;
                };
-               BA64A932114EFE4400F3574C /* CopyFiles */ = {
-                       isa = PBXCopyFilesBuildPhase;
-                       buildActionMask = 8;
-                       dstPath = /usr/local/share/sandbox/profiles/embedded/builtin;
-                       dstSubfolderSpec = 0;
-                       files = (
-                               BA64A935114EFE9900F3574C /* racoon.sb in CopyFiles */,
-                       );
-                       runOnlyForDeploymentPostprocessing = 1;
-               };
                BAA6806112B17CF900ACF6D3 /* CopyFiles */ = {
                        isa = PBXCopyFilesBuildPhase;
                        buildActionMask = 8;
                25F259270988657000D15623 /* vmbuf.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = vmbuf.h; sourceTree = "<group>"; };
                25F777B909ABE3E100C99783 /* key_debug.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = key_debug.c; path = Common/key_debug.c; sourceTree = "<group>"; };
                25F777ED09ABE58400C99783 /* pfkey_dump.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = pfkey_dump.c; path = Common/pfkey_dump.c; sourceTree = "<group>"; };
-               72171DAE166443AB0050B3B9 /* eap_aka.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_aka.c; sourceTree = "<group>"; };
                72265DDB0F818F9300730A7D /* ipsec.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist; path = ipsec.plist; sourceTree = "<group>"; };
                723B6A2F162F7BE300895EE5 /* xpc_racoon.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = xpc_racoon.c; sourceTree = "<group>"; };
                723B6A33162F7C1100895EE5 /* ipsec_xpc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ipsec_xpc.h; sourceTree = "<group>"; };
                724F99500E3672FD00C56897 /* com.apple.racoon.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.racoon.plist; sourceTree = "<group>"; };
-               727FA35F163A1A24000A3986 /* ipsec_interface.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ipsec_interface.c; sourceTree = "<group>"; };
-               727FA362163A1A43000A3986 /* ipsec_interface.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipsec_interface.h; sourceTree = "<group>"; };
                72F5C72D1607A1AE004C192F /* api_support.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = api_support.c; sourceTree = "<group>"; };
                72F5C7311607A1DD004C192F /* api_support.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = api_support.h; sourceTree = "<group>"; };
+               7822D11D188DB07300874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = ../../../../../System/Library/Frameworks/NetworkExtension.framework; sourceTree = "<group>"; };
+               7822D11F188DB07C00874E91 /* NetworkExtension.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = NetworkExtension.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.0.Internal.sdk/System/Library/Frameworks/NetworkExtension.framework; sourceTree = DEVELOPER_DIR; };
                8125310A0D3FE9DC006BDF4F /* racoon */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = racoon; sourceTree = BUILT_PRODUCTS_DIR; };
                812A64EC0D4AA082004CB7EB /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = SDKs/Purple/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; };
                81657D551457582300B8A054 /* racoon_types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = racoon_types.h; sourceTree = "<group>"; };
                81EDB0670B5D8D7000840BC7 /* ipsec_dump_policy.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_dump_policy.3; path = libipsec/ipsec_dump_policy.3; sourceTree = "<group>"; };
                81EDB0680B5D8D8900840BC7 /* ipsec_get_policylen.3 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; name = ipsec_get_policylen.3; path = libipsec/ipsec_get_policylen.3; sourceTree = "<group>"; };
                8D5B16230E5F7E9300E72675 /* libresolv.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libresolv.dylib; path = /usr/lib/libresolv.dylib; sourceTree = "<absolute>"; };
-               BA04622A1562E6E400EF348A /* EAP8021X.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = EAP8021X.framework; path = System/Library/PrivateFrameworks/EAP8021X.framework; sourceTree = SDKROOT; };
                BA485FA1109C1ECA00545E19 /* power_mgmt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = power_mgmt.c; sourceTree = "<group>"; };
                BA485FA6109C243900545E19 /* power_mgmt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = power_mgmt.h; sourceTree = "<group>"; };
                BA48611B109C2BBA00545E19 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; };
                BA64A933114EFE5C00F3574C /* racoon.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = racoon.sb; sourceTree = "<group>"; };
                BA6F10940EA1D67700546773 /* ike_session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ike_session.h; sourceTree = "<group>"; };
                BA6F109A0EA1DEC200546773 /* ike_session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ike_session.c; sourceTree = "<group>"; };
-               BA8BE71615655D360068DEB9 /* eap_sim.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap_sim.c; sourceTree = "<group>"; };
-               BA8BE71715655D360068DEB9 /* eap_sim.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap_sim.h; sourceTree = "<group>"; };
-               BA952E77156704DF00B07934 /* eap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = eap.c; sourceTree = "<group>"; };
-               BA952E78156704DF00B07934 /* eap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = eap.h; sourceTree = "<group>"; };
-               BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ike_sa_rfc.c; sourceTree = "<group>"; };
-               BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_ike_sa_rfc.h; sourceTree = "<group>"; };
-               BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_info_rfc.h; sourceTree = "<group>"; };
-               BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_ipsec_sa_rfc.c; sourceTree = "<group>"; };
-               BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_ipsec_sa_rfc.h; sourceTree = "<group>"; };
-               BAC2E172146DFD05009D4506 /* ikev2_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_rfc.c; sourceTree = "<group>"; };
-               BAC2E173146DFD06009D4506 /* ikev2_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_rfc.h; sourceTree = "<group>"; };
-               BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ikev2_sessresume_rfc.h; sourceTree = "<group>"; };
                BACBF18B10290AE000BBFC85 /* ipsec.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = ipsec.txt; sourceTree = "<group>"; };
                BACD8C681496A50C0042DEA1 /* Preferences.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = Preferences.c; sourceTree = "<group>"; };
                BACD8C691496A50C0042DEA1 /* Preferences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Preferences.h; sourceTree = "<group>"; };
-               BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_info_rfc.c; sourceTree = "<group>"; };
-               BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ikev2_sessresume_rfc.c; sourceTree = "<group>"; };
                C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenSDK.xcconfig; path = AppleInternal/XcodeConfig/AspenSDK.xcconfig; sourceTree = DEVELOPER_DIR; };
 /* End PBXFileReference section */
 
                        isa = PBXFrameworksBuildPhase;
                        buildActionMask = 2147483647;
                        files = (
+                               7822D11E188DB07300874E91 /* NetworkExtension.framework in Frameworks */,
                                81C387570D45208700975D5E /* DirectoryService.framework in Frameworks */,
                                81C387560D45208700975D5E /* Security.framework in Frameworks */,
                                25EAE8C109D87B080042CC7F /* CoreFoundation.framework in Frameworks */,
                        isa = PBXFrameworksBuildPhase;
                        buildActionMask = 2147483647;
                        files = (
-                               BA04622B1562E6E400EF348A /* EAP8021X.framework in Frameworks */,
+                               7822D120188DB07C00874E91 /* NetworkExtension.framework in Frameworks */,
                                8D5B167D0E5F7F9F00E72675 /* libresolv.dylib in Frameworks */,
                                817FFC4E0D6134A7004A8DD8 /* libipsec.A.dylib in Frameworks */,
                                812530F80D3FE9DC006BDF4F /* libiconv.dylib in Frameworks */,
                23D2D78C087071FC00C51098 = {
                        isa = PBXGroup;
                        children = (
-                               BA04622A1562E6E400EF348A /* EAP8021X.framework */,
                                BA64A933114EFE5C00F3574C /* racoon.sb */,
                                BACBF18B10290AE000BBFC85 /* ipsec.txt */,
                                72265DDB0F818F9300730A7D /* ipsec.plist */,
                25D3DB4C098998230025F703 /* Frameworks */ = {
                        isa = PBXGroup;
                        children = (
+                               7822D11F188DB07C00874E91 /* NetworkExtension.framework */,
+                               7822D11D188DB07300874E91 /* NetworkExtension.framework */,
                                81C964580DA2CBEF00257BC8 /* SystemConfiguration.framework */,
                                81C9645D0DA2CC2D00257BC8 /* SystemConfiguration.framework */,
                                812A64EC0D4AA082004CB7EB /* Security.framework */,
                                25F258CE0988657000D15623 /* handler.h */,
                                BA6F109A0EA1DEC200546773 /* ike_session.c */,
                                BA6F10940EA1D67700546773 /* ike_session.h */,
-                               BAC2E16C146DFD05009D4506 /* ikev2_ike_sa_rfc.c */,
-                               BAC2E16D146DFD05009D4506 /* ikev2_ike_sa_rfc.h */,
-                               BAC2E16E146DFD05009D4506 /* ikev2_info_rfc.h */,
-                               BACF4E5E146F909E008F04FC /* ikev2_info_rfc.c */,
-                               BAC2E16F146DFD05009D4506 /* ikev2_ipsec_sa_rfc.c */,
-                               BAC2E170146DFD05009D4506 /* ikev2_ipsec_sa_rfc.h */,
-                               BAC2E172146DFD05009D4506 /* ikev2_rfc.c */,
-                               BAC2E173146DFD06009D4506 /* ikev2_rfc.h */,
-                               BAC2E174146DFD06009D4506 /* ikev2_sessresume_rfc.h */,
-                               BACF4E621470E394008F04FC /* ikev2_sessresume_rfc.c */,
                                25F258CF0988657000D15623 /* ipsec_doi.c */,
                                25F258D00988657000D15623 /* ipsec_doi.h */,
                                BA5B6F280EC19F40003774E7 /* ipsecConfigTracer.c */,
                                25DE2DE60A8BD40E0010A46D /* vpn_control.c */,
                                25DE2DE70A8BD40E0010A46D /* vpn_control.h */,
                                81CA08910CE3BC870055C0AF /* vpn.c */,
-                               BA8BE71615655D360068DEB9 /* eap_sim.c */,
-                               72171DAE166443AB0050B3B9 /* eap_aka.c */,
-                               BA8BE71715655D360068DEB9 /* eap_sim.h */,
-                               BA952E77156704DF00B07934 /* eap.c */,
-                               BA952E78156704DF00B07934 /* eap.h */,
                                BA5B6F4F0EC1A136003774E7 /* vpn.h */,
-                               727FA35F163A1A24000A3986 /* ipsec_interface.c */,
-                               727FA362163A1A43000A3986 /* ipsec_interface.h */,
                                72F5C72D1607A1AE004C192F /* api_support.c */,
                                72F5C7311607A1DD004C192F /* api_support.h */,
                                723B6A2F162F7BE300895EE5 /* xpc_racoon.c */,
                                812530FF0D3FE9DC006BDF4F /* CopyFiles */,
                                812531020D3FE9DC006BDF4F /* CopyFiles */,
                                725F453B0E36A15C005BB55C /* CopyFiles */,
-                               BA64A932114EFE4400F3574C /* CopyFiles */,
                                812531040D3FE9DC006BDF4F /* ShellScript */,
                                834072BB0EDCC5C400B6CCE8 /* CopyFiles */,
                        );
                        buildRules = (
                        );
                        dependencies = (
-                               81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */,
                        );
                        name = "racoon Embedded";
                        productName = racoon;
                        buildRules = (
                        );
                        dependencies = (
-                               81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */,
                        );
                        name = "setkey Embedded";
                        productName = setkey;
                                25F258090987FC1500D15623 /* setkey */,
                                2537A1A709E4864800D0ECDA /* libipsec */,
                                812530AA0D3FE994006BDF4F /* IPSec Embedded (Aggregate) */,
+                               78C83A09189841FA00DB2F64 /* ipsec_executables_embedded */,
+                               78C83A04189841E800DB2F64 /* ipsec_libraries_embedded */,
                                812530BA0D3FE9DC006BDF4F /* racoon Embedded */,
                                81DDFD970D622C1700C5CB87 /* setkey Embedded */,
                                81DDFDB80D622C2700C5CB87 /* libipsec Embedded */,
                                BA5B6F2B0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
                                BA485FA2109C1ECA00545E19 /* power_mgmt.c in Sources */,
                                81CBCFE91447A1C20000D6E6 /* fsm.c in Sources */,
-                               BAC2E175146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */,
-                               BAC2E177146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */,
-                               BAC2E179146DFD06009D4506 /* ikev2_rfc.c in Sources */,
-                               BACF4E5F146F909E008F04FC /* ikev2_info_rfc.c in Sources */,
-                               BACF4E631470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */,
                                BACD8C6A1496A50C0042DEA1 /* Preferences.c in Sources */,
                                72F5C72E1607A1AE004C192F /* api_support.c in Sources */,
                                723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */,
-                               727FA360163A1A25000A3986 /* ipsec_interface.c in Sources */,
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                };
                                BA5B6F2C0EC19F40003774E7 /* ipsecConfigTracer.c in Sources */,
                                BA5B6F2D0EC19F40003774E7 /* ipsecSessionTracer.c in Sources */,
                                BA485FA3109C1ECA00545E19 /* power_mgmt.c in Sources */,
-                               BAC2E176146DFD06009D4506 /* ikev2_ike_sa_rfc.c in Sources */,
-                               BAC2E178146DFD06009D4506 /* ikev2_ipsec_sa_rfc.c in Sources */,
-                               BAC2E17A146DFD06009D4506 /* ikev2_rfc.c in Sources */,
-                               BACF4E60146F909E008F04FC /* ikev2_info_rfc.c in Sources */,
-                               BACF4E641470E394008F04FC /* ikev2_sessresume_rfc.c in Sources */,
                                BACD8C6B1496A50C0042DEA1 /* Preferences.c in Sources */,
-                               BA8BE71815655D360068DEB9 /* eap_sim.c in Sources */,
-                               BA952E79156704DF00B07934 /* eap.c in Sources */,
                                72F5C72F1607A1AE004C192F /* api_support.c in Sources */,
                                723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */,
-                               727FA361163A1A25000A3986 /* ipsec_interface.c in Sources */,
-                               72171DAF166443AB0050B3B9 /* eap_aka.c in Sources */,
                        );
                        runOnlyForDeploymentPostprocessing = 0;
                };
                        target = 72B3C2081684F5C4004E4548 /* ipsec_executables */;
                        targetProxy = 72B3C21816850CC5004E4548 /* PBXContainerItemProxy */;
                };
-               812531110D3FEA28006BDF4F /* PBXTargetDependency */ = {
+               78C83A0F1898421100DB2F64 /* PBXTargetDependency */ = {
                        isa = PBXTargetDependency;
                        target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */;
-                       targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */;
+                       targetProxy = 78C83A0E1898421100DB2F64 /* PBXContainerItemProxy */;
                };
-               81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = {
+               78C83A111898421300DB2F64 /* PBXTargetDependency */ = {
                        isa = PBXTargetDependency;
-                       target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
-                       targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */;
+                       target = 81DDFD970D622C1700C5CB87 /* setkey Embedded */;
+                       targetProxy = 78C83A101898421300DB2F64 /* PBXContainerItemProxy */;
                };
-               81DDFDDF0D622D1700C5CB87 /* PBXTargetDependency */ = {
+               78C83A131898421900DB2F64 /* PBXTargetDependency */ = {
                        isa = PBXTargetDependency;
                        target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
-                       targetProxy = 81DDFDDE0D622D1700C5CB87 /* PBXContainerItemProxy */;
+                       targetProxy = 78C83A121898421900DB2F64 /* PBXContainerItemProxy */;
+               };
+               812531110D3FEA28006BDF4F /* PBXTargetDependency */ = {
+                       isa = PBXTargetDependency;
+                       target = 812530BA0D3FE9DC006BDF4F /* racoon Embedded */;
+                       targetProxy = 812531100D3FEA28006BDF4F /* PBXContainerItemProxy */;
                };
-               81DDFDE40D622D8C00C5CB87 /* PBXTargetDependency */ = {
+               81DDFDD90D622C4E00C5CB87 /* PBXTargetDependency */ = {
                        isa = PBXTargetDependency;
                        target = 81DDFDB80D622C2700C5CB87 /* libipsec Embedded */;
-                       targetProxy = 81DDFDE30D622D8C00C5CB87 /* PBXContainerItemProxy */;
+                       targetProxy = 81DDFDD80D622C4E00C5CB87 /* PBXContainerItemProxy */;
                };
                81DDFDF10D627DE300C5CB87 /* PBXTargetDependency */ = {
                        isa = PBXTargetDependency;
                                ALTERNATE_MODE = "$(inherited)";
                                ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
+                               CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist";
+                               CODE_SIGN_IDENTITY = "-";
                                COPY_PHASE_STRIP = NO;
                                FRAMEWORK_SEARCH_PATHS = "";
                                GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
                                ALTERNATE_MODE = "$(inherited)";
                                ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
+                               CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist";
+                               CODE_SIGN_IDENTITY = "-";
                                COPY_PHASE_STRIP = NO;
                                DSTROOT = "/tmp/$(PROJECT_NAME).dst";
                                FRAMEWORK_SEARCH_PATHS = "";
                                ALTERNATE_MODE = "$(inherited)";
                                ALTERNATE_OWNER = "$(inherited)";
                                ARCHS = "$(ARCHS_STANDARD_64_BIT)";
+                               CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/entitlements-mac.plist";
+                               CODE_SIGN_IDENTITY = "-";
                                COPY_PHASE_STRIP = NO;
                                DSTROOT = "/tmp/$(PROJECT_NAME).dst";
                                FRAMEWORK_SEARCH_PATHS = "";
                        };
                        name = Default;
                };
+               78C83A05189841E800DB2F64 /* Development */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Development;
+               };
+               78C83A06189841E800DB2F64 /* Deployment */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Deployment;
+               };
+               78C83A07189841E800DB2F64 /* Default */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Default;
+               };
+               78C83A0B189841FA00DB2F64 /* Development */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Development;
+               };
+               78C83A0C189841FA00DB2F64 /* Deployment */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Deployment;
+               };
+               78C83A0D189841FA00DB2F64 /* Default */ = {
+                       isa = XCBuildConfiguration;
+                       buildSettings = {
+                               PRODUCT_NAME = "$(TARGET_NAME)";
+                       };
+                       name = Default;
+               };
                812530B60D3FE994006BDF4F /* Development */ = {
                        isa = XCBuildConfiguration;
                        baseConfigurationReference = C172BD980E6369BE0030F8EB /* AspenSDK.xcconfig */;
                        defaultConfigurationIsVisible = 0;
                        defaultConfigurationName = Default;
                };
+               78C83A08189841E800DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_libraries_embedded" */ = {
+                       isa = XCConfigurationList;
+                       buildConfigurations = (
+                               78C83A05189841E800DB2F64 /* Development */,
+                               78C83A06189841E800DB2F64 /* Deployment */,
+                               78C83A07189841E800DB2F64 /* Default */,
+                       );
+                       defaultConfigurationIsVisible = 0;
+                       defaultConfigurationName = Default;
+               };
+               78C83A0A189841FA00DB2F64 /* Build configuration list for PBXAggregateTarget "ipsec_executables_embedded" */ = {
+                       isa = XCConfigurationList;
+                       buildConfigurations = (
+                               78C83A0B189841FA00DB2F64 /* Development */,
+                               78C83A0C189841FA00DB2F64 /* Deployment */,
+                               78C83A0D189841FA00DB2F64 /* Default */,
+                       );
+                       defaultConfigurationIsVisible = 0;
+                       defaultConfigurationName = Default;
+               };
                812530B50D3FE994006BDF4F /* Build configuration list for PBXAggregateTarget "IPSec Embedded (Aggregate)" */ = {
                        isa = XCConfigurationList;
                        buildConfigurations = (
index 8aefd9cb9f8bed66c2a49cb061f873d140dd5690..ec523137f423882d3f832e0ea9409f2918f69c6c 100644 (file)
--- a/racoon.sb
+++ b/racoon.sb
@@ -23,7 +23,9 @@
     (subpath "/Library/Managed\ Preferences")
     (subpath "/Library/Preferences")
     (subpath "/private/var/root")
-    (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+    (literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist")
+    (literal "/private/var/db/mds/messages/se_SecurityMessages")
+    (literal "/private/var/db/icu"))
 
 (allow file-write*
     (literal "/private/var/run/racoon.sock")
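Review bot: `(literal "/private/var/db/icu")` on the last added line matches that one path node only; if the intent is to let racoon read the ICU data files stored beneath that directory, a `literal` rule will not match them and `(subpath "/private/var/db/icu")` is the form that would, whereas if only the directory entry itself is opened the rule is fine as written. Neither this entry nor the MobileGestalt cache read records why it is needed, and the rationale for each widened read is exactly what a later least-privilege pass over this profile will look for, so a short note such as `;; icu + MobileGestalt cache: read by <component — fill in> on iOS` would keep the allowlist auditable. The `allow` form these entries close starts outside the hunk.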
 (allow mach-lookup
     (global-name "com.apple.SecurityServer")
     (global-name "com.apple.SystemConfiguration.configd")
-    (global-name "com.apple.ocspd"))
+    (global-name "com.apple.ocspd")
+    (global-name "com.apple.commcenter.xpc")
+    (global-name "com.apple.aggregated")
+    (global-name "com.apple.cfprefsd.daemon")
+    (global-name "com.apple.cfprefsd.agent")
+    (local-name "com.apple.cfprefsd.agent")
+    (global-name "com.apple.nehelper"))
+       
+(allow ipc-posix-shm-read*
+    (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
 
 ;;;;;; Common system sandbox rules
 ;;;;;;
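Review bot: The added line immediately after the `com.apple.nehelper` entry contains only a tab, leaving stray trailing whitespace in the profile; drop it or make it an empty line. The six new mach services and the `ipc-posix-shm-read*` regex carry no comment saying which racoon feature requires them, and a sandbox profile is reviewed by asking precisely that question, so a one-line note per group, e.g. `;; cfprefsd (mach + posix-shm): preference lookups by <caller — fill in>` and similar for commcenter/aggregated/nehelper, would make the grants auditable. `(local-name "com.apple.cfprefsd.agent")` is the only local-name rule in view; if racoon is never launched in a per-user bootstrap namespace it is likely unreachable, which is worth confirming rather than carrying a latent grant. The `(allow mach-lookup` form is fully visible here, but the profile continues past the hunk.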